KONNI blob decrypter
#!/usr/bin/env python3
#
# Author: @jaydinbas
#
# Decrypt string blobs and files used by KONNI malware
#
# Reference sample: 158f5228225d9337083c323b45a63e70297ed9c8ecb8517dc1d8cb64f29acf5d
# via https://twitter.com/ShadowChasing1/status/1568064494982823937
#
# The malware uses a manual implementation of AES-256 in CTR mode. Payloads
# carry a 16-byte prefix holding the initial counter block (the whole 16 bytes
# are the counter; there is no separate nonce).
#
# The AES-256 key is SHA256(<service name>), where the service name is hashed
# as a UTF-16LE wide string without a byte-order mark and depends on the sample.
# The reference file uses "authtokenmgt" as its service name.
#
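import hashlib
import sys

from Cryptodome.Cipher import AES

# Length of the initial CTR counter block that prefixes every payload
# (one AES block; the whole prefix is the counter, there is no separate nonce).
COUNTER_LEN = 16


def derive_key(service_name: str) -> bytes:
    """Return the AES-256 key the malware derives from *service_name*.

    The key is SHA-256 over the service name encoded as UTF-16LE without a
    byte-order mark. The encoding is spelled out explicitly: ``"utf16"``
    would prepend a BOM and use the host's native byte order, so the key
    would differ on a big-endian analysis box.
    """
    return hashlib.sha256(service_name.encode("utf-16-le")).digest()


def decrypt_blob(service_name: str, blob: bytes) -> bytes:
    """Decrypt one KONNI blob and return the raw plaintext bytes.

    Args:
        service_name: Sample-specific service name the key is derived from.
        blob: ``COUNTER_LEN`` bytes of initial counter followed by the
            AES-256-CTR ciphertext.

    Raises:
        ValueError: if *blob* is too short to contain the counter prefix.
    """
    if len(blob) < COUNTER_LEN:
        raise ValueError(
            f"blob is {len(blob)} bytes; need at least {COUNTER_LEN} for the counter"
        )
    initial_counter = blob[:COUNTER_LEN]
    ciphertext = blob[COUNTER_LEN:]
    # nonce=b"" makes the 16-byte prefix the full counter block, matching the
    # malware's hand-rolled CTR mode.
    cipher = AES.new(
        key=derive_key(service_name),
        mode=AES.MODE_CTR,
        nonce=b"",
        initial_value=initial_counter,
    )
    return cipher.decrypt(ciphertext)


def render(plain: bytes) -> str:
    """Return *plain* decoded as UTF-16LE text, or its repr() if it is not text.

    Only UnicodeDecodeError is treated as "not text"; anything else propagates.
    """
    try:
        return plain.decode("utf-16-le")
    except UnicodeDecodeError:
        return repr(plain)


def main(argv: list[str]) -> int:
    """CLI entry point: ``<service name> <encrypted data file>``.

    Returns a process exit status: 0 on success, 2 on a usage error and
    1 when the input file is malformed.
    """
    if len(argv) != 3:
        print(f"usage: {argv[0]} <service name> <encrypted data file>", file=sys.stderr)
        return 2
    with open(argv[2], "rb") as fh:
        blob = fh.read()
    try:
        plain = decrypt_blob(argv[1], blob)
    except ValueError as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 1
    print(render(plain))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))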