【APT】响尾蛇(SideWinder)Hta文件自动解密C2

前言

　　一个用于从SideWinder APT组织常用的hat文件中解密C2链接地址的Python脚本，示例代码对一些老的hat文件效果比较好，新的样本可能需要根据实际情况修改下，最初是用于对VT上命中的大量样本进行批量提取C2地址用的😂

示例代码

# -*- coding: utf-8

import base64
import re
import sys

def myXor(key, data):
    out = ""
    i = 0
    datalen = len(data)
    while i < datalen:
        for j in range(len(key)):
            tmp = ord(data[i]) ^ ord(key[j])
            out += chr(tmp)
            i += 1
            if i >= len(data):
                break
    return out

def myBase64Decode(key, string):
    #某些情况下会出问题：“asEqf170rcEU” -> “|abx|oeq” -> 正确结果应该是“|abx|oeq|”
    result = []
    string = string.strip("=")
    binstr = ""
    bin6list = []
    bin8list = []
    #key = "JXaYOjSNTet1dDrHsVlc0m5EknG7Ko6qibhFBuyzQUwxWCp4ZLf23gAvMR8PI9+/"

    for ch in string:
        bin6list.append("{:>06}".format(str(bin(key.index(ch)).replace("0b", ""))))

    binstr = "".join(bin6list)

    for i in range(0, len(binstr), 8):
        bin8list.append(binstr[i:i + 8])

    for item in range(len(bin8list) - 1):
        result.append(chr(int(bin8list[item], 2)))
    return "".join(result)

def myBase64Decode2(key, string):
    STANDARD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    CUSTOM_ALPHABET = key
    ENCODE_TRANS = str.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)
    DECODE_TRANS = str.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)
    return base64.b64decode(string.translate(DECODE_TRANS))

def myGetb64(data):
    b64 = re.search("var b64 = \"(.+)\";", data).group(1)
    return b64

def myGetkeeeeKey(data):
    keeee = re.search("var keeee = .+?\(\"(.+)\",", data).group(1)
    return keeee

def myGetkeeeeData(data):
    keeee = re.search("var keeee = .+\((.+)\)\);", data).group(1)
    keeee = keeee.replace("\"+\"", "")
    keeee = keeee.replace("\"", "")
    return keeee

def myGetkeeee(data):
    key = myGetkeeeeKey(data)
    str = myGetkeeeeData(data)
    keeee = bytes.decode(myBase64Decode2(b64, str))
    return myXor(key, keeee)

def myGetaUrl(data):
    url = re.search("var aUrl = .+?\((.+)\)\+x;", data).group(1)
    url = url.replace("\"+\"", "")
    url = url.replace("\"", "")
    return url

def myDecodeUrl(keeee, data):
    return myXor(keeee, data)

if __name__ == '__main__':

    if 1 >= len(sys.argv):
        print("输入文件路径参数后重试")
        exit(1)
    try:
        f = open(sys.argv[1], 'r')
        data = f.read()
        f.close()

        b64 = myGetb64(data).replace("=", "")
        keeee = myGetkeeee(data)
        encodeUrl = myGetaUrl(data)

        strurl = bytes.decode(myBase64Decode2(b64, encodeUrl))
        url = myDecodeUrl(keeee, strurl)
        print(url)
    except:
        print("文件不支持或其它错误:(")

感兴趣的小伙伴可以根据样本自己修改下😏

3e14d22a63775a59878a71d80ea17bfd
4dc475b2055b5a880cbd67526b0f6e3c
94ae178768482ead9b0c0612325a9eeb
354a7e51b5ae982ce24b588c12f34ae1
884e404b0d8b34e98f90809909171e90
1333fb41972e81a99ada7e2df5ba014f
69737cb11c6596298a5bf1958f5d1ad3
484214759657cc28daa61de086d526f2
ca90bf0bc5771caf82f991641b316562
f158bffa5f876619aa745e23a2800c9d