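"""Extract embedded payloads from obfuscated PowerShell loader samples.

Every file under ``directory`` is read line by line.  Assignment lines for the
variables the loader uses (``$HBARS``, ``[String]$RSETDRYFTUYGIOJIPOK``,
``$HBar``, ``[String]$HH1``, ``$HH5``) carry a hex or base64 payload with a
separator token spliced in; the token is undone, the payload decoded and the
result written to ``out_dir/<sample name>/``.

Layer map (from the original author's notes):
  $HH1 = $HH2 = Injector VBNET
  $HH3 = $A1 = HABARS = RAT
  $HH5 = PowerShell
  $HBar = Layer 5
"""
import base64
import binascii
import os
import re
import shutil

directory = "input_sample_dir/"  # obfuscated malware directory
out_dir = "output_clean_dir/"  # output directory

# Tokens the loader splices into the $HBARS hex string, tried in the order the
# original decoder used them (first match wins), each with the text it stands for.
_HBARS_MARKERS = (("%P%", ""), (":", "0"), ("ubn", "0"), ("<>", "0"), ("gib", "0"))
# Tokens found in the $HBar (layer 5) hex string; every one is simply removed.
_HBAR_MARKERS = ("<>", ":", "<->")

# A single- or double-quoted string literal (non-greedy up to the matching quote).
_LITERAL_RE = re.compile(r"""\s*(['"])(.*?)\1""", re.DOTALL)
# One ``.Replace('old', 'new')`` call; PowerShell method names are case-insensitive.
_REPLACE_RE = re.compile(
    r"""\s*\.replace\s*\(\s*(['"])(.*?)\1\s*,\s*(['"])(.*?)\3\s*\)""",
    re.IGNORECASE | re.DOTALL,
)


def _preview(line):
    """Return the head and tail of a long line for log output."""
    return line[:100] + " ... " + line[-30:]


def _quoted_value(assignment):
    """Return the quoted literal on the right-hand side of ``name = "<literal>"``.

    Everything from the first ``.Replace`` onward is discarded and the
    surrounding quote characters are stripped.  Returns ``None`` when the
    line has no ``=`` at all.  The split uses ``maxsplit=1`` because base64
    padding (``=``) inside the literal must not truncate it.
    """
    _, sep, rhs = assignment.partition("=")
    if not sep:
        return None
    rhs = rhs.strip().split(".Replace")[0]
    return rhs[1:-1]


def _write_payload(path, data):
    """Write ``data`` (bytes) to ``path``, replacing any existing file, and log it."""
    with open(path, "wb") as fh:
        fh.write(data)
    print("  File out: " + path)


def _hh5_value(expr):
    """Evaluate a ``"<literal>".Replace(a, b).Replace(c, d)...`` expression.

    The expression comes straight out of the sample, so it is parsed with the
    two regexes above rather than handed to ``eval``: only a quoted literal
    followed by ``.Replace`` calls with literal arguments is accepted.

    Parameters:
        expr: the right-hand side of the ``$HH5 = ...`` assignment.

    Returns:
        the literal with every replacement applied, in order.

    Raises:
        ValueError: when ``expr`` is not of the supported shape (anything
            other than whitespace or ``;`` remains after the last call).
    """
    literal = _LITERAL_RE.match(expr)
    if literal is None:
        raise ValueError("expected a quoted string literal")
    value = literal.group(2)
    pos = literal.end()
    while True:
        call = _REPLACE_RE.match(expr, pos)
        if call is None:
            break
        value = value.replace(call.group(2), call.group(4))
        pos = call.end()
    if expr[pos:].strip(" \t\r\n;"):
        raise ValueError("unsupported expression after the string literal")
    return value


def a6(data):
    """Decode a hex string into a bytearray, skipping pairs that are not hex.

    Parameters:
        data: hex text, two characters per byte.  A trailing odd character is
            ignored and any pair ``int(pair, 16)`` rejects is dropped instead
            of aborting, because the obfuscated blobs often carry stray
            characters.

    Returns:
        bytearray of the decoded bytes.
    """
    out = bytearray()
    for pos in range(0, len(data) - 1, 2):
        pair = data[pos:pos + 2]
        try:
            out.append(int(pair, 16))
        except ValueError:
            continue  # not a hex pair: skip it, as the original decoder did
    return out


def _decode_hbars_line(line):
    """Undo the splicing in a ``$HBARS`` / ``$RSETDRYFTUYGIOJIPOK`` assignment.

    Returns:
        ``(hex_text, decoded)``.  ``decoded`` is False when no known token
        was found and the text does not already start with an MZ header
        (``4D5A``); the caller records those as failures.
    """
    value = _quoted_value(line)
    if value is None:
        return line, False
    # This token is undone unconditionally; it does not by itself count as decoded.
    if "/\\" in value:
        value = value.replace("/\\", "0")
    for marker, meaning in _HBARS_MARKERS:
        if marker in value:
            return value.replace(marker, meaning), True
    # A plain MZ header means nothing was spliced in.
    return value, value.startswith("4D5A")


def _decode_hbar_line(line):
    """Undo the splicing in a ``$HBar`` assignment and hex-decode the layer-5 script.

    Returns:
        ``(text, decoded)``.  When no known token is present the raw literal
        is returned with ``decoded`` False.  ``XMR`` is stripped in every
        branch (it can never be valid hex, so this only widens what decodes).

    Raises:
        ValueError: on invalid hex or non-UTF-8 script text
            (``UnicodeDecodeError`` is a ``ValueError``).
    """
    value = _quoted_value(line)
    if value is None:
        return line, False
    value = value.strip()
    for marker in _HBAR_MARKERS:
        if marker in value:
            cleaned = value.replace(marker, "").replace("XMR", "").strip()
            return bytes.fromhex(cleaned).decode("utf-8"), True
    return value, False


def parse_hbar(hbar, ourdir):
    """Extract the layer-5 payloads from a decoded ``$HBar`` PowerShell script.

    Parameters:
        hbar: the decoded script text, one assignment per line.
        ourdir: directory that receives the extracted files.

    ``[String]$HH1`` lines hold a hex blob with ``<->`` standing in for ``0``;
    the bytes go to ``INJECTOR_HH1_<line no>`` (written even when the token is
    missing, the line is just counted as failed).  ``$HH5`` lines hold a base64
    literal, optionally followed by ``.Replace`` calls, which is resolved by
    ``_hh5_value`` and the decoded bytes written to
    ``Layer5PowerShell_<line no>`` as-is (no text re-encoding).

    Returns:
        0 (kept for the caller's ``== -1`` check); problems are printed and
        counted, never raised.
    """
    print("  HBAR Parsing ***********************************************************************")
    line_no = 0
    failed = []
    for raw in hbar.split("\n"):
        line_no += 1
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[String]$HH1"):
            print("  [String]$HH1: " + _preview(line))
            value = _quoted_value(line)
            if value is None:
                failed.append(line)
                continue
            if "<->" in value:
                value = value.replace("<->", "0")
            else:
                failed.append(value)
            print("  Hbar $HH1:")
            print("  " + _preview(value))
            if len(value) % 2:
                value += "0"  # pad so the last nibble still forms a pair
            target = os.path.abspath(os.path.join(ourdir, "INJECTOR_HH1_" + str(line_no)))
            _write_payload(target, a6(value))
        elif line.startswith("$HH5"):
            expr = line.split("=", 1)[1].strip()
            try:
                payload = base64.b64decode(_hh5_value(expr))
            except (ValueError, binascii.Error) as err:
                failed.append(line)
                print("  Error $HH5: " + str(err))
                continue
            target = os.path.abspath(os.path.join(ourdir, "Layer5PowerShell_" + str(line_no)))
            _write_payload(target, payload)
    if failed:
        print("  failed_hbar: " + str(len(failed)))
    print("  HBAR end Parsing ***********************************************************************")
    return 0


def decode(sample_dir=None, output_dir=None):
    """Walk the sample directory and extract every payload it can decode.

    Parameters:
        sample_dir: directory of obfuscated samples; defaults to the module
            level ``directory`` (resolved at call time).
        output_dir: where ``<sample name>/`` output folders are created,
            replacing any existing folder of that name; defaults to ``out_dir``.

    Output file names carry a line counter that keeps increasing across all
    samples of one run, so they stay unique.  A line that fails to decode is
    counted and printed in the summary; it does not abort the run.
    """
    sample_dir = directory if sample_dir is None else sample_dir
    output_dir = out_dir if output_dir is None else output_dir
    failed_hbards = []
    failed_hbar = []
    line_no = 0
    for dirpath, _, filenames in os.walk(sample_dir):
        for name in filenames:
            fpath = os.path.abspath(os.path.join(dirpath, name))
            fout_dir = os.path.abspath(os.path.join(output_dir, name))
            if os.path.isdir(fout_dir):
                shutil.rmtree(fout_dir)
            os.makedirs(fout_dir)
            print(name)
            # Samples are not guaranteed to be clean UTF-8; a stray byte must
            # not stop the batch, and the payload lines themselves are ASCII.
            with open(fpath, "r", encoding="utf-8", errors="replace") as fh:
                lines = fh.readlines()
            for raw in lines:
                line_no += 1
                line = raw.strip()
                if not line:
                    continue
                print("  " + _preview(line))
                if line.startswith("$HBARS") or line.startswith("[String]$RSETDRYFTUYGIOJIPOK"):
                    hex_text, decoded = _decode_hbars_line(line)
                    print("  HBARS decoded: len: " + str(len(hex_text)))
                    print("  " + _preview(hex_text))
                    if not decoded:
                        failed_hbards.append(hex_text)
                        continue
                    if len(hex_text) % 2:
                        hex_text += "0"
                    target = os.path.abspath(os.path.join(fout_dir, "RAT_HBARS_" + str(line_no)))
                    _write_payload(target, a6(hex_text))
                elif line.startswith("$HBar"):  # LAYER 5
                    try:
                        script, decoded = _decode_hbar_line(line)
                    except ValueError as err:
                        print("  Error Hbar: " + _preview(line))
                        print("  " + str(err))
                        failed_hbar.append(line)
                        continue
                    if not decoded:
                        failed_hbar.append(script)
                    # Undecoded text is still handed over; parse_hbar writes nothing for it.
                    if parse_hbar(script, fout_dir) == -1:
                        print("Error...parse_hbar")
                        return
    print("failed_hbards:" + str(len(failed_hbards)))
    print("failed_hbar:" + str(len(failed_hbar)))
    print("failed_hbards:")
    for entry in failed_hbards:
        print("  " + _preview(entry))
    print("failed_hbar:")
    for entry in failed_hbar:
        print("  " + _preview(entry))


if __name__ == "__main__":
    decode()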