This repo will hold a collection of Python scripts that extract, decode and display the configuration settings from common RATs.
Each of these decoders is running on http://malwareconfig.com, where it has additional features that are not included in the scripts.
If you wish to contribute, please feel free to fork or email me at firstname.lastname@example.org
You can read more about the project on my blog at http://techanarchy.net/2014/04/rat-decoders/
These are the currently supported RATs:
- Albertino Advanced RAT
- Blue Banana
- Java Droppers
- Any other RATs I can find.
All the decoders are written in Python 2.7. Each decoder can run independently and each has its own requirements. For all existing decoders the only external modules required are:
PyCrypto for Windows can be found on voidspace; all others can be installed with pip or via git.
- Each script comes with its own -h option, use it :) Typical usage is:

    root@Viper:~/RATDecoders# python DarkComet.py
    Usage: DarkComet.py inFile outConfig

    DarkComet Rat Config Extractor

    Options:
      --version   show program's version number and exit
      -h, --help  show this help message and exit

Some of the decoders have a recursive mode, used with -r and a dir name.
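As an added example that is not part of this repository, the Python 3 script below shows the shape of a decoder following the convention described above: positional inFile and outConfig arguments, -h for help, and a recursive mode (modelled here as an -r flag that treats inFile as a directory; the exact option layout of the real decoders is an assumption). The config layout it decodes (a CFGBLOCK marker, one XOR key byte, a 2-byte length, then key=value lines) is a constructed stand-in for demonstration only, not the format of any real RAT, and build_sample exists only to construct such a sample offline.

```python
"""Skeleton config extractor in the RATDecoders CLI style (example, not project code)."""
import argparse
import os
import struct
import sys

# Constructed stand-in layout (not any real RAT): an 8-byte marker, one XOR key
# byte, a 2-byte little-endian payload length, then the XOR-encoded payload of
# newline-separated key=value lines.
MARKER = b"CFGBLOCK"
HEADER_LEN = len(MARKER) + 1 + 2


def build_sample(settings, key):
    """Build a constructed sample carrying an encoded config block (demo only)."""
    plain = "\n".join("%s=%s" % (k, v) for k, v in settings.items()).encode()
    encoded = bytes(b ^ key for b in plain)
    return MARKER + bytes([key]) + struct.pack("<H", len(encoded)) + encoded


def extract_config(data):
    """Locate, decode and parse the config block; None if absent or truncated."""
    offset = data.find(MARKER)
    if offset == -1:
        return None
    header = data[offset:offset + HEADER_LEN]
    if len(header) < HEADER_LEN:
        return None
    key = header[len(MARKER)]
    (length,) = struct.unpack("<H", header[len(MARKER) + 1:])
    payload = data[offset + HEADER_LEN:offset + HEADER_LEN + length]
    if len(payload) < length:
        return None  # block runs past the end of the file: not decodable
    plain = bytes(b ^ key for b in payload).decode("utf-8", errors="replace")
    settings = {}
    for line in plain.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            settings[k.strip()] = v.strip()
    return settings


def decode_file(path):
    """Read one sample from disk and extract its config."""
    with open(path, "rb") as fh:
        return extract_config(fh.read())


def decode_directory(root):
    """Recursive mode: decode every file under root; unreadable or
    undecodable files map to None instead of aborting the whole run."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                results[path] = decode_file(path)
            except OSError:
                results[path] = None
    return results


def format_config(settings):
    """Render settings as the 'Key: Value' lines written to outConfig."""
    return "\n".join("%s: %s" % (k, v) for k, v in sorted(settings.items())) + "\n"


def main(argv=None):
    parser = argparse.ArgumentParser(
        description="Example RAT config extractor (constructed format)")
    parser.add_argument("inFile", help="sample file, or a directory with -r")
    parser.add_argument("outConfig", help="file to write the decoded settings to")
    parser.add_argument("-r", "--recursive", action="store_true",
                        help="treat inFile as a directory and decode every file under it")
    args = parser.parse_args(argv)

    if args.recursive:
        results = decode_directory(args.inFile)
    else:
        results = {args.inFile: decode_file(args.inFile)}

    with open(args.outConfig, "w") as out:
        for path, settings in sorted(results.items()):
            out.write("[%s]\n" % path)
            out.write(format_config(settings) if settings else "no config block found\n")
    decoded = sum(1 for s in results.values() if s)
    print("decoded %d of %d file(s); written to %s" % (decoded, len(results), args.outConfig))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Per-file failures in recursive mode are recorded rather than raised, so one corrupt or truncated sample in a directory does not stop the rest from being decoded; the summary line tells you how many files actually yielded a config.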
There are a couple of projects that make use of these decoders. If you wish to integrate them into your own, let me know and I will help where I can. If you use it and I missed you, also let me know.
- There will be more decoders coming
- Finish the recursive mode on several of the decoders
Full credit where credit is due.
Malware.lu for the initial Xtreme RAT write-up - https://code.google.com/p/malware-lu/wiki/en_xtreme_RAT
FireEye for their Poison Ivy and Xtreme RAT write-ups (even though they ignored my tweet and reply) - http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html
Shawn Denbow and Jesse Hertz for their paper here - http://www.matasano.com/research/PEST-CONTROL.pdf - it saved me a lot of time.