import argparse
import functools
import operator
import os
import re
import sys

import xlrd
import yara
# Triage rule used by check_sample() to decide whether a file is worth
# parsing with xlrd at all.
#   $header  - the 8-byte OLE2 / compound-file signature, required at offset 0
#              (legacy binary .xls, which is the only format xlrd handles here).
#   $zloader - ASCII "Sheet1" followed by a fixed byte pattern; judging by the
#              rule description and the `sheet.visibility == 2` check in
#              extract_macros(), this presumably matches a sheet-directory
#              record whose hidden flag is "very hidden" - confirm against the
#              BIFF spec before widening it.
# NOTE(review): the `author` / `credit` meta fields look swapped; they are
# informational only and do not affect matching.
ZLOADER_YARA = """
rule Zloader
{
meta:
author = "Zloader dropper"
date = "2020-04-11"
credit = "Hash Miser <contact-yara@heat-miser.net>"
description = "Spot zloader xls droppers using super hidden sheet"
strings:
$zloader = { 53 68 65 65 74 31 85 00 12 00 ?? ?? ?? 00 02 01 0A 00 }
$header = { D0 CF 11 E0 A1 B1 1A E1 }
condition:
filesize < 5MB
and $header at 0
and $zloader
}
"""
class bcolors:
    """ANSI SGR escape sequences used to colour terminal output.

    Every message printed by this script is wrapped as
    ``f"{bcolors.X}...{bcolors.ENDC}"``; ENDC resets all attributes.
    The codes are emitted unconditionally, so piping the output to a file
    will include the raw escape bytes.
    """
    HEADER = '\033[95m'     # bright magenta - section headers
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'       # bright red - error messages
    ENDC = '\033[0m'        # reset
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
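@functools.lru_cache(maxsize=None)
def _zloader_rules():
    """Compile ZLOADER_YARA once; directory mode calls check_sample per file."""
    return yara.compile(source=ZLOADER_YARA)


def check_sample(filename):
    """Return the yara matches of the Zloader rule against *filename*.

    The path is handed to yara directly instead of reading the whole file
    into a Python ``bytes`` object first, so a large or hostile file in a
    sample directory does not make this tool allocate its full size in
    memory before the rule's ``filesize < 5MB`` clause can reject it.

    Args:
        filename: path of the candidate .xls file.

    Returns:
        yara's match list - truthy when the rule fires; callers only
        test it for truthiness.

    Raises:
        yara.Error: when the file cannot be opened or scanned.
    """
    return _zloader_rules().match(filepath=filename)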
def spot_junk(sheet):
    """Return the cell values that look like padding on *sheet*.

    Every cell value (any ctype, empty cells included) is counted across
    all columns; a value is reported as junk when it fills more than a
    quarter of the sheet's ``ncols * nrows`` cells.

    Args:
        sheet: an xlrd-like sheet exposing ``ncols``, ``nrows`` and
            ``col(j)`` returning cells with a ``value`` attribute.

    Returns:
        list of junk values in first-seen order (empty for an empty sheet).
    """
    occurrences = {}
    for col_idx in range(sheet.ncols):
        for cell in sheet.col(col_idx):
            occurrences[cell.value] = occurrences.get(cell.value, 0) + 1
    threshold = (sheet.ncols * sheet.nrows) / 4
    return [val for val, count in occurrences.items() if count > threshold]
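def check_type(sheet):
    """Guess which xlrd cell type the hidden sheet stores its payload in.

    Counts the ``ctype`` of every non-empty cell whose value is not one of
    the padding values reported by ``spot_junk`` and returns the most
    frequent one (1 = text, 2 = number in xlrd's numbering; the callers
    dispatch on exactly those two).

    Returns:
        the dominant ctype, or 0 (xlrd's "empty" ctype) when the sheet has
        no countable cells - the original called ``max()`` on an empty
        mapping there and raised ``ValueError``; 0 lets callers fall
        through to their "unsupported" path instead.
    """
    # set for O(1) membership per cell; values are hashable because
    # spot_junk already used them as dict keys.
    junk = set(spot_junk(sheet))
    type_counts = {}
    for col_idx in range(sheet.ncols):
        for cell in sheet.col(col_idx):
            if cell.ctype != 0 and cell.value not in junk:
                type_counts[cell.ctype] = type_counts.get(cell.ctype, 0) + 1
    if not type_counts:
        return 0
    return max(type_counts.items(), key=operator.itemgetter(1))[0]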
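def manage_type_1(sheet, dump):
    """Recover URLs from a hidden sheet whose payload is stored as text cells.

    Each column's text cells (xlrd ctype 1) are concatenated top to bottom
    into one string.  The single most frequent cell value is treated as a
    junk separator and stripped from every column string - but only when
    it is purely alphanumeric, since stripping e.g. "/" or "." would
    destroy the URLs.  URLs are then pulled from each column string.

    Args:
        sheet: xlrd-like sheet (``ncols``, ``col(j)`` with ``ctype``/``value``).
        dump: when true, print every de-junked column string.

    Returns:
        list of URL strings in the order found (duplicates kept); an empty
        list when the sheet has no text cells at all (the original raised
        ``ValueError`` from ``max()`` in that case).
    """
    url_re = re.compile(r'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+')
    counts = {}
    columns = []
    for col_idx in range(sheet.ncols):
        pieces = []
        for cell in sheet.col(col_idx):
            if cell.ctype != 1:      # only text cells carry the payload here
                continue
            counts[cell.value] = counts.get(cell.value, 0) + 1
            pieces.append(cell.value)
        columns.append("".join(pieces))
    if not counts:
        return []
    junk = max(counts.items(), key=operator.itemgetter(1))[0]
    if not re.match(r"^[a-z0-9A-Z]+$", junk):
        junk = ""
    urls = []
    for text in columns:
        text = text.replace(junk, "")
        if dump:
            print(text)
        urls += url_re.findall(text)
    return urls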
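def calc_average_value(sheet):
    """Return the shift-search bound for a numeric-payload sheet.

    Despite the name this is not an average: it is twice the largest
    absolute (truncated-to-int) value among the sheet's numeric cells
    (xlrd ctype 2).  ``manage_type_2`` uses it as the half-width of the
    range of additive shifts it tries.

    Returns:
        ``2 * max(|int(v)|)`` over numeric cells, or 0 when there are none
        (so the caller's ``range(-0, 0)`` is simply empty instead of this
        function raising ``ValueError`` from ``max([])``).
    """
    largest = 0
    for col_idx in range(sheet.ncols):
        for cell in sheet.col(col_idx):
            if cell.ctype == 2:
                largest = max(largest, abs(int(cell.value)))
    return 2 * largest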
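def manage_type_2(sheet, dump):
    """Recover URLs from a hidden sheet whose payload is stored as numbers.

    The payload is assumed to be text whose character codes were written
    one per numeric cell (xlrd ctype 2) after adding a constant shift.
    For every candidate shift in ``range(-bound, bound)`` - ``bound`` from
    ``calc_average_value`` - each column is decoded by subtracting the
    shift and keeping only codes that land in printable ASCII (32..126).
    The first shift under which any column yields a URL wins.

    Args:
        sheet: xlrd-like sheet (``ncols``, ``col(j)`` with ``ctype``/``value``).
        dump: when true, print every decoded column of the winning shift.

    Returns:
        list of URL strings found under the winning shift (duplicates
        kept), or an empty list when no shift produced a URL.
    """
    url_re = re.compile(r'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+')
    bound = calc_average_value(sheet)
    for shift in range(-bound, bound):
        decoded_columns = []
        urls = []
        for col_idx in range(sheet.ncols):
            chars = []
            for cell in sheet.col(col_idx):
                if cell.ctype != 2:
                    continue
                # range check on the raw float, chr() on the truncated int,
                # exactly as the original did.
                if 32 <= cell.value - shift <= 126:
                    chars.append(chr(int(cell.value) - shift))
            text = "".join(chars)
            if text:
                decoded_columns.append(text)
                urls += url_re.findall(text)
        if urls:
            if dump:
                for text in decoded_columns:
                    print(text)
            return urls
    return []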
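def extract_macros(filename, dump):
    """Decode the very-hidden sheet of an xls dropper and return its URLs.

    Opens *filename* with xlrd, takes the first sheet whose xlrd visibility
    is 2 ("very hidden") and dispatches on the dominant cell type reported
    by ``check_type``: text cells go to ``manage_type_1``, numeric cells to
    ``manage_type_2``.  Only that first very-hidden sheet is examined.

    Args:
        filename: path of a file that already passed ``check_sample``.
        dump: forwarded to the decoder; print the decoded sheet contents.

    Returns:
        list of URL strings.  Always a list: empty when the file cannot be
        opened, when the hidden sheet's layout is not recognised, or when
        no very-hidden sheet exists at all (the original fell off the end
        and returned ``None`` there, which broke ``urls += ...`` in the
        directory mode).
    """
    print(f"{bcolors.HEADER}## Extracting macros from {filename}{bcolors.ENDC}")
    try:
        # xlrd parses attacker-controlled input here; run this tool in an
        # isolated analysis environment rather than trusting the parser.
        wb = xlrd.open_workbook(filename)
    except Exception:  # xlrd.XLRDError for bad files, OSError for unreadable ones
        print(f"{bcolors.FAIL}!! ERROR: not a valid xls file{bcolors.ENDC}")
        return []
    for sheet in wb.sheets():
        if sheet.visibility != 2:
            continue
        sheet_type = check_type(sheet)
        if sheet_type == 1:
            return manage_type_1(sheet, dump)
        if sheet_type == 2:
            return manage_type_2(sheet, dump)
        print(f"{bcolors.FAIL}!! ERROR: unsupported file format{bcolors.ENDC}")
        return []
    print(f"{bcolors.FAIL}!! ERROR: no very hidden sheet found{bcolors.ENDC}")
    return []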
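if __name__ == '__main__':
    # CLI entry point: scan one file (-f) or every file under a directory
    # (-d) with the Zloader yara rule, decode the hidden sheet of each hit
    # and print the recovered payload URLs.  sys.exit is used instead of the
    # site-injected exit() so the script also works under `python -S`.
    PARSER = argparse.ArgumentParser(description='Tries to extract urls from zloader xls droppers')
    PARSER.add_argument('-d', nargs='?', help="directory containing xls droppers")
    PARSER.add_argument('-f', nargs='?', help="xls dropper")
    PARSER.add_argument('--dump-macro', dest='dump', action='store_true', help="print full decoded macros")
    ARGS = PARSER.parse_args()
    if not ARGS.d and not ARGS.f:
        PARSER.error(f"{bcolors.FAIL}Please provide at least one file or directory{bcolors.ENDC}")
    if ARGS.f:
        if check_sample(ARGS.f):
            # `or []` guards against a decoder returning None.
            results = extract_macros(ARGS.f, ARGS.dump) or []
            if results:
                # Printed as-is (not defanged): these are live payload URLs.
                print(f"{bcolors.HEADER}## Payload delivery urls found:{bcolors.ENDC}")
                for url in results:
                    print(url)
                sys.exit(0)
        else:
            print(f"{bcolors.FAIL}!! ERROR: not a Zloader sample{bcolors.ENDC}")
            sys.exit(1)
    if ARGS.d:
        if not os.path.isdir(ARGS.d):
            # os.walk on a missing path silently yields nothing; fail loudly.
            PARSER.error(f"{bcolors.FAIL}{ARGS.d} is not a directory{bcolors.ENDC}")
        urls = []
        for root, _dirs, f_names in os.walk(ARGS.d):
            for name in f_names:
                path = os.path.join(root, name)
                try:
                    matched = check_sample(path)
                except (OSError, yara.Error) as exc:
                    # One unreadable file must not abort the whole sweep.
                    print(f"{bcolors.WARNING}!! skipping {path}: {exc}{bcolors.ENDC}")
                    continue
                if matched:
                    urls += extract_macros(path, ARGS.dump) or []
        print(f"{bcolors.HEADER}Payload delivery urls found:{bcolors.ENDC}")
        # dict.fromkeys de-duplicates while keeping first-seen order.
        for url in dict.fromkeys(urls):
            print(url)
        sys.exit(0)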