Latrodectus Static String Decryption
import struct , pefile , os , sys
'''
Author: Mohamed Ashraf (@X__Junior)
tested samples: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'''
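def prng2(seed):
    """Advance the variant-2 keystream state, which is a plain counter.

    Returns ``seed + 1``.  The value is deliberately not wrapped to 32 bits:
    ``decode_v2`` only ever uses its low byte, so wrapping would not change
    the keystream.
    """
    next_state = seed + 1
    return next_state


def decode_v2(s):
    """Decrypt one variant-2 (counter PRNG) string blob.

    Blob layout, little-endian: a 4-byte seed, a 2-byte length XORed with
    the low 16 bits of the seed, then the encrypted string bytes.  Every
    byte is XORed with the low byte of the advancing ``prng2`` state.

    Returns a ``bytearray`` holding the decrypted bytes, or the empty *str*
    ``''`` when the blob is malformed (shorter than the 6-byte header, or
    carrying a decoded length larger than the input).  The str return is
    kept for backward compatibility: main() relies on ``''.decode()``
    raising to skip such blobs.

    If fewer than ``length`` bytes follow the header (for example because
    the caller split the section on a NUL that happened to occur inside the
    ciphertext), the slice yields what is available and only that prefix is
    decrypted -- no error is raised.
    """
    header_len = 6  # '<IH': uint32 seed + uint16 length
    if len(s) < header_len:
        # struct.unpack_from would raise struct.error on a truncated header;
        # treat it like every other malformed blob instead.
        return ''
    seed, length = struct.unpack_from('<IH', s)
    length = (length ^ seed) & 0xffff
    if length > len(s):
        return ''
    buf = bytearray(s[header_len:header_len + length])
    for i, byte in enumerate(buf):
        seed = prng2(seed)
        buf[i] = (byte ^ seed) & 0xff
    return buf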
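# shout-out to Jason Reaves : https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39
def mask(a):
    """Truncate *a* to an unsigned 32-bit value (emulates uint32 arithmetic)."""
    return a & 0xffffffff


def _ror32(x, n):
    """Rotate the 32-bit value *x* right by *n* bits (``x`` must already be masked)."""
    return mask((x >> n) | (x << (32 - n)))


def _rol32(x, n):
    """Rotate the 32-bit value *x* left by *n* bits (``x`` must already be masked)."""
    return mask((x << n) | (x >> (32 - n)))


def prng1(seed):
    """Advance the variant-1 keystream state (the IcedID-style PRNG).

    One step, all in uint32 arithmetic: add 0x2e59, rotate right by 1, 1
    and 2, XOR with 0x6387 and then 0x769a, rotate left by 2 and then 1.
    The rotations are kept as separate steps so the code lines up with the
    instruction sequence in the sample rather than collapsing them.
    """
    state = mask(seed + 0x2e59)
    state = _ror32(state, 1)
    state = _ror32(state, 1)
    state = _ror32(state, 2)
    state ^= 0x6387
    state ^= 0x769a
    state = _rol32(state, 2)
    state = _rol32(state, 1)
    return state


def decode_v1(s):
    """Decrypt one variant-1 (rotate/XOR PRNG) string blob.

    Blob layout, little-endian: a 4-byte seed, a 2-byte length XORed with
    the low 16 bits of the seed, then the encrypted string bytes.  Every
    byte is XORed with the low byte of the advancing ``prng1`` state.

    Returns a ``bytearray`` holding the decrypted bytes, or the empty *str*
    ``''`` when the blob is malformed (shorter than the 6-byte header, or
    carrying a decoded length larger than the input).  The str return is
    kept for backward compatibility: main() relies on ``''.decode()``
    raising to skip such blobs.

    If fewer than ``length`` bytes follow the header (for example because
    the caller split the section on a NUL that happened to occur inside the
    ciphertext), the slice yields what is available and only that prefix is
    decrypted -- no error is raised.
    """
    header_len = 6  # '<IH': uint32 seed + uint16 length
    if len(s) < header_len:
        # struct.unpack_from would raise struct.error on a truncated header;
        # treat it like every other malformed blob instead.
        return ''
    seed, length = struct.unpack_from('<IH', s)
    length = (length ^ seed) & 0xffff
    if length > len(s):
        return ''
    buf = bytearray(s[header_len:header_len + length])
    for i, byte in enumerate(buf):
        seed = prng1(seed)
        buf[i] = (byte ^ seed) & 0xff
    return buf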
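# Byte patterns that identify which string-decryption routine a sample uses.
# The first begins with `add eax, 0x2e59` (the constant prng1 emulates); the
# second ends in `inc eax; ret` (the counter prng2 emulates).
_SIG_V1 = bytes.fromhex("05592e0000894424088b442408d1e88b4c2408c1e11f")
_SIG_V2 = bytes.fromhex("894c24088b442408ffc0c3")


def _printable(text):
    """Drop non-printable characters (except tab) before echoing *text*.

    The decrypted strings come straight out of a malware sample.  An ESC or
    other control character in them would otherwise be interpreted by the
    analyst's terminal (escape-sequence injection), so only printable text
    and tabs are passed through.
    """
    return ''.join(ch for ch in text if ch == '\t' or ch.isprintable())


def main():
    """Entry point: ``python Latrodectus_String_Decryptor.py <sample.dll>``.

    Loads the PE, picks the decryption variant by searching .text for a known
    byte pattern, then splits .data on NUL bytes and tries to decrypt every
    chunk longer than the 6-byte blob header, printing the ones that decode
    as UTF-8.  Diagnostics go to stderr and the process exits with status 1
    on a usage error, an unreadable PE, or an unrecognised sample.
    """
    if len(sys.argv) != 2:
        print("Usage: python Latrodectus_String_Decryptor.py [filename]", file=sys.stderr)
        sys.exit(1)
    path = sys.argv[1]
    if not os.path.isfile(path):
        print(f"The file {path} does not exist.", file=sys.stderr)
        sys.exit(1)

    try:
        pe = pefile.PE(path)
    except pefile.PEFormatError as err:
        # Not a PE (or hopelessly truncated): report it rather than traceback.
        print(f"Could not parse {path} as a PE file: {err}", file=sys.stderr)
        sys.exit(1)

    data_section = None
    text_section = None
    for section in pe.sections:
        # Section.Name is NUL-padded to 8 bytes, hence the substring test.
        if b'.data' in section.Name:
            data_section = section.get_data()
        if b'.text' in section.Name:
            text_section = section.get_data()

    if text_section is None:
        # The original code dereferenced text_section unconditionally and
        # crashed with AttributeError on samples without a .text section.
        print("The file does not contain a .text section.", file=sys.stderr)
        sys.exit(1)
    v1 = text_section.find(_SIG_V1)
    v2 = text_section.find(_SIG_V2)
    if v1 == -1 and v2 == -1:
        print("The sample is not Latrodectus or it's a new variant", file=sys.stderr)
        sys.exit(1)
    if data_section is None:
        print("The file does not contain a .data section.", file=sys.stderr)
        sys.exit(1)

    decoders = []
    if v1 != -1:
        decoders.append(decode_v1)
    if v2 != -1:
        decoders.append(decode_v2)

    for chunk in data_section.split(b'\x00'):
        if len(chunk) <= 6:
            continue
        for decode in decoders:
            try:
                text = decode(chunk).decode()
            except (UnicodeDecodeError, AttributeError, struct.error):
                # Not a valid blob for this variant: the decoder returned ''
                # (no .decode on str) or the bytes are not UTF-8.  Most .data
                # chunks are not encrypted strings at all, so this is expected.
                continue
            print(_printable(text))


if __name__ == "__main__":
    main()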