From c435dc7075ad959613a7acd2f3097887c44ef31d Mon Sep 17 00:00:00 2001
From: unknown
Date: Thu, 6 Feb 2020 22:47:58 +0000
Subject: [PATCH] Update Emotet parser with RSA keys for new payloads

---
 .../processing/parsers/mwcp/parsers/Emotet.py | 57 +++++++++++++------
 1 file changed, 41 insertions(+), 16 deletions(-)

diff --git a/modules/processing/parsers/mwcp/parsers/Emotet.py b/modules/processing/parsers/mwcp/parsers/Emotet.py
index b098e674e..72cb6237c 100644
--- a/modules/processing/parsers/mwcp/parsers/Emotet.py
+++ b/modules/processing/parsers/mwcp/parsers/Emotet.py
@@ -36,9 +36,10 @@
 $snippet5 = {8B E5 5D C3 B8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? 33 C0 21 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 39 05 ?? ?? ?? ?? 74 18 40 A3 ?? ?? ?? ?? 83 3C C5 ?? ?? ?? ?? 00 75 F0 51 E8 ?? ?? ?? ?? 59 C3}
 $snippet6 = {33 C0 21 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 39 05 ?? ?? ?? ?? 74 18 40 A3 ?? ?? ?? ?? 83 3C C5 ?? ?? ?? ?? 00 75 F0 51 E8 ?? ?? ?? ?? 59 C3}
 $snippet7 = {8B 48 ?? C7 [5-6] C7 40 ?? ?? ?? ?? ?? C7 ?? ?? 00 00 00 [0-1] 83 3C CD ?? ?? ?? ?? 00 74 0E 41 89 48 ?? 83 3C CD ?? ?? ?? ?? 00 75 F2}
+ $ref_rsa = {6A 00 6A 01 FF 76 ?? 8B 46 ?? FF D0 85 C0 74 ?? 8D 4D ?? E8 [4] 8D 45 ?? B9 [4] 8D 55 ?? 89 45 ?? E8}
 condition:
 //check for MZ Signature at offset 0
- uint16(0) == 0x5A4D and (($snippet1) and ($snippet2)) or ($snippet3) or ($snippet4) or ($snippet5) or ($snippet6) or ($snippet7)
+ uint16(0) == 0x5A4D and (($snippet1) and ($snippet2)) or ($snippet3) or ($snippet4) or ($snippet5) or ($snippet6) or ($snippet7) or ($ref_rsa)
 }
 '''
@@ -56,6 +57,13 @@ def yara_scan(raw_data, rule_name):
 addresses[item[1]] = item[0]
 return addresses
 
+def xor_data(data, key):
+ l = len(key)
+ decoded = ""
+ for i in range(0, len(data)):
+ decoded += chr(ord(data[i]) ^ ord(key[i % l]))
+ return decoded
+
 # This function is originally by Jason Reaves (@sysopfb),
 # suggested as an addition by @pollo290987.
 # A big thank you to both.
@@ -114,16 +122,16 @@ def run(self):
 try:
 ip = struct.unpack('
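Review bot: The new `or ($ref_rsa)` on the `+` condition line is appended to an `or` chain whose `uint16(0) == 0x5A4D` guard, because YARA's `and` binds tighter than `or`, only covers the `($snippet1) and ($snippet2)` branch; `$ref_rsa` (like `$snippet3` through `$snippet7`) therefore matches any buffer regardless of the MZ header the `//check for MZ Signature at offset 0` comment says is being checked. If gating every alternative on MZ is the intent, wrap the chain: `uint16(0) == 0x5A4D and ((($snippet1) and ($snippet2)) or ($snippet3) or ($snippet4) or ($snippet5) or ($snippet6) or ($snippet7) or ($ref_rsa))`. If the looser form is deliberate so that non-PE memory dumps also match, say so in the comment (`// MZ check deliberately applies only to the snippet1/snippet2 pair`) so the next reader does not "fix" it. Note this lives inside a Python triple-quoted string, so the fix is YARA syntax and the rule's opening lines are outside the hunk.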
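Review bot: The added `xor_data` has no guard for an empty key: with `l = len(key)` equal to 0, `key[i % l]` raises ZeroDivisionError on the first byte, which is easy to reach if the upstream key extraction yields an empty string. The `ord(data[i])` / `chr(...)` loop also only works on a Python 2 `str`; under Python 3 indexing a `bytes` object already yields an int and `ord()` raises TypeError (which interpreter this module targets is not visible in the hunk, so confirm before relying on that). Building `decoded` with `+=` in a loop is quadratic on large payloads, and `l` is the single-letter name PEP 8 flags as ambiguous. A bytearray-based rewrite handles both byte-string flavours, rejects an empty key explicitly and stays linear:

```python
def xor_data(data, key):
    """Return ``data`` XORed with the repeating ``key`` (both byte strings)."""
    if not key:
        raise ValueError("xor_data: key must not be empty")
    key_bytes = bytearray(key)
    key_len = len(key_bytes)
    return bytes(bytearray(b ^ key_bytes[i % key_len] for i, b in enumerate(bytearray(data))))
```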