# Script to quickly decode the PowerShell-encoded commands in ROKRAT delivery files.
# It will allow the user to quickly see the decoded result, extract the payload delivery host and have the option to pull the payload from the host for further analysis.
# @0v1@infosec.exchange
# 0x0v1.com
import re
import requests
import zipfile
import os
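def extract_hexadecimal_value(userinput):
    """Decode a string of two-character hex byte values into text.

    Every complete pair of hex digits in *userinput* becomes one character
    via ``chr`` of the byte value (so 0x80-0xFF map to U+0080-U+00FF, i.e.
    a Latin-1 style decode). A trailing unpaired character is ignored.

    Args:
        userinput: hex string such as ``"414243"``.

    Returns:
        The decoded string; ``""`` for empty or single-character input.

    Raises:
        ValueError: if any pair is not valid hexadecimal.
    """
    # Stop at len - 1 so every complete pair is consumed. The previous bound
    # (len - 2) dropped the last byte of every even-length input while
    # keeping all pairs of odd-length input, which was inconsistent.
    pairs = (userinput[i:i + 2] for i in range(0, len(userinput) - 1, 2))
    return "".join(chr(int(pair, 16)) for pair in pairs)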
def extract_urls(text):
    """Return every http(s) URL found in *text*, in order of appearance.

    A match starts at ``http://`` or ``https://`` and runs up to the next
    whitespace character or double quote. Any other delimiter (a single
    quote, a closing parenthesis, trailing punctuation) is kept as part of
    the URL, so callers may need to trim the result.
    """
    url_re = re.compile(r'https?://[^\s"]+')
    return [match.group(0) for match in url_re.finditer(text)]
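def download_payload(url, timeout=30):
    """Fetch *url* and return the response body, or ``None`` on failure.

    Args:
        url: payload delivery URL extracted from the decoded command.
        timeout: seconds to wait for the connection and for the first byte
            of the response. ``requests`` applies no timeout by default, so
            without this an unresponsive host would block the script
            indefinitely.

    Returns:
        The raw response bytes on HTTP 200; ``None`` on any other status
        or on a connection/timeout error. A message is printed in both
        failure cases.
    """
    try:
        response = requests.get(url, timeout=timeout)
    except requests.RequestException as exc:
        # Connection refused, DNS failure, timeout, etc. — report and keep
        # the "None on failure" contract instead of dumping a traceback.
        print(f"\033[91mFailed to download the payload: {exc}\033[0m")
        return None
    if response.status_code != 200:
        print("\033[91mFailed to download the payload.\033[0m")
        return None
    return response.content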
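def zip_payload(payload, filename, member_name="payload.bin"):
    """Write *payload* into a new DEFLATE-compressed zip archive at *filename*.

    Args:
        payload: raw bytes (or str) to store.
        filename: path of the archive to create; an existing file is
            overwritten.
        member_name: name of the single entry inside the archive.

    Note:
        The archive is NOT password-protected. ``ZipFile.setpassword`` only
        sets the password used when *reading* encrypted members; the
        standard library cannot write encrypted zips, so the former
        ``setpassword(b"infected")`` call had no effect and was removed to
        avoid suggesting otherwise. Treat the resulting file as a live
        sample; use an external tool if an encrypted "infected" archive is
        required.
    """
    with zipfile.ZipFile(filename, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, payload)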
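def main():
    """Interactive entry point: decode the command, list URLs, optionally fetch payloads.

    Reads one encoded command from stdin, prints the decoded text, then the
    URLs found in it. Only after two explicit "yes" answers does it download
    each URL and store the body in ``payload_<n>.zip`` in the current
    directory (the archive is not encrypted; see ``zip_payload``).
    """
    userinput = input("Enter the encoded command: ")
    value = extract_hexadecimal_value(userinput)
    print("\033[93mThe decoded command is:\033[0m")
    print(value)

    urls = extract_urls(value)
    if not urls:
        print("\n\033[93mNo URLs found in the value.\033[0m")
        return

    print("\n\033[93mExtracted URLs:\033[0m")
    for idx, url in enumerate(urls, start=1):
        print(f"{idx}. {url}")

    if not _confirm_download():
        print("\033[91mDownload aborted.\033[0m")
        return

    for idx, url in enumerate(urls, start=1):
        payload = download_payload(url)
        # An empty 200 response is treated as a failure, same as None.
        if payload:
            filename = f"payload_{idx}.zip"
            zip_payload(payload, filename)
            # Report the actual archive path; the previous message printed a
            # literal placeholder instead of the file name.
            print(f"\033[92mPayload downloaded and zipped to {filename}.\033[0m")
        else:
            print("\033[91mFailed to download the payload.\033[0m")


def _confirm_download():
    """Ask twice before pulling anything; True only if both answers are 'yes'."""
    choice = input("\n\033[96mDo you want to pull the payload? (yes/no):\033[0m ").strip().lower()
    if choice != 'yes':
        return False
    print("\n\033[91mWARNING: You are about to download the raw shellcode from the payload delivery URL.\033[0m")
    confirm = input("\033[96mDo you wish to continue? (yes/no):\033[0m ").strip().lower()
    return confirm == 'yes'


if __name__ == "__main__":
    main()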