from __main__ import *  # Ghidra headless scripting: the script API (getScriptArgs, ...) is injected through __main__
import binascii
import json
import traceback
from collections import defaultdict

from decrypt_strings import decrypt_string, find_encrypted_data_addr
from extract_c2 import extract_c2, find_config_address
from extract_xor_key import get_api_xor_key, get_lib_xor_key
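def is_der_format_rsa_key(b):
    """Return True if *b* looks like the start of a DER-encoded RSA key.

    This is a cheap heuristic, not an ASN.1 parser: it accepts a buffer whose
    first byte is the SEQUENCE tag (0x30) and whose third byte is the INTEGER
    tag (0x02), i.e. a SEQUENCE with a single (short-form) length byte that is
    immediately followed by an INTEGER. Keys whose SEQUENCE length is encoded
    in long form therefore do not match; that limitation is inherited from
    the original check and is left as is.

    Buffers that are None or shorter than three bytes are rejected instead of
    raising IndexError, so a failed or empty decryption upstream cannot abort
    the caller's whole run.

    Args:
        b: indexable byte sequence (list of ints, bytearray or bytes), or None.

    Returns:
        bool
    """
    # length guard first: b[2] below would raise on a short/empty buffer
    if b is None or len(b) < 3:
        return False
    return b[0] == 0x30 and b[2] == 0x02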
def to_hex(l):
    """Hex-encode a byte sequence.

    Args:
        l: iterable of byte values (ints 0-255) or a bytes-like object; it is
           copied into a bytearray before encoding.

    Returns:
        The lowercase hex digits as produced by binascii.hexlify (a str on
        Python 2 / Jython, bytes on Python 3).
    """
    raw = bytearray(l)
    return binascii.hexlify(raw)
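def dump_to_json(dest, data=None):
    """Write analysis results to *dest* as indented JSON.

    Args:
        dest: output file path; the file is created or truncated.
        data: JSON-serialisable object to write. When omitted, the function
            falls back to a module-level ``results`` name exactly as the
            original did. No such global exists in this file (main() keeps
            ``results`` as a local), so callers should pass the data
            explicitly.

    Raises:
        NameError: if *data* is None and no global ``results`` is defined.
        TypeError: if the payload is not JSON serialisable.
    """
    payload = results if data is None else data
    with open(dest, 'w') as f:
        json.dump(payload, f, indent=4)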
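def _collect_xor_keys(results):
    """Look up the DLL and API XOR keys and record any found under results['xor_key']."""
    lib_xor_key = get_lib_xor_key()
    if lib_xor_key:
        print('[*] XOR key for DLL: {}'.format(lib_xor_key))
        results['xor_key']['dll'] = lib_xor_key.getValue()
    api_xor_key = get_api_xor_key()
    if api_xor_key:
        print('[*] XOR key for API: {}'.format(api_xor_key))
        results['xor_key']['api'] = api_xor_key.getValue()


def _collect_rsa_key(results):
    """Decrypt each candidate blob and keep the one that looks like a DER RSA key.

    Every candidate is scanned; if several match, the last one wins, as in
    the original loop. results['rsa_key'] is left absent when nothing matches.
    """
    for found in find_encrypted_data_addr():
        decrypted = decrypt_string(found.data_addr, raw=True)
        # a None/short result cannot be a key; skipping it here keeps one bad
        # candidate from raising inside the heuristic and aborting the run
        if decrypted is None or len(decrypted) < 3:
            continue
        if is_der_format_rsa_key(decrypted):
            hex_rsa_key = to_hex(decrypted)
            print('[*] RSA key: {}'.format(hex_rsa_key))
            results['rsa_key'] = hex_rsa_key


def _collect_c2(results):
    """Print each C2 server and record the list under results['url']."""
    print('[*] c2 servers:')
    results['url'] = []
    for c2 in extract_c2():
        print(c2)
        results['url'].append(c2)


def main():
    """Headless entry point: run every extractor and write the results as JSON.

    Expects exactly one script argument, the path of the output JSON file.
    Any exception raised by an extractor is printed together with its
    traceback instead of propagating, so one failing stage does not kill the
    headless run; in that case the output file may be missing or incomplete.
    """
    # headless analyzer gets argument by this method
    args = getScriptArgs()
    if len(args) != 1:
        print('[!] Usage: analyzeHeadless ... analyzer.py [path-to-output-json]')
        return
    results = defaultdict(dict)
    try:
        _collect_xor_keys(results)
        _collect_rsa_key(results)
        _collect_c2(results)
        # save the results into json
        with open(args[0], 'w') as f:
            json.dump(results, f, indent=4)
        print('[*] saved results at {}'.format(args[0]))
    except Exception as e:
        # report rather than crash, but keep the traceback: the message alone
        # does not say which extractor failed
        print('[!] {}'.format(e))
        traceback.print_exc()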
if __name__ == '__main__':
    # run the analysis only when this file is executed as a script
    main()