changelog 2015/11/8:
– Adzok Rat Config Extractor
__description__ = 'Adzok Rat Config Extractor'
__author__ = 'Kevin Breen http://techanarchy.net http://malwareconfig.com'
__version__ = '0.2'
__date__ = '2015/11/08'
RATDecoders: a collection of Python scripts that extract and decode the configuration settings from common RATs.
Here is a list of the currently supported RATs:
– Adwind
– Albertino Advanced RAT
– Arcom
– BlackNix
– BlackShades
– Blue Banana
– Bozok
– ClientMesh
– CyberGate
– DarkComet
– DarkDDoser
– DarkRat
– Graeme
– jRat
– LostDoor
– LuxNet
– njRat
– Pandora
– Poison Ivy
– Punisher
– SpyGate
– SmallNet
– Unrecom
– Vantom
– Vertex
– VirusRat
– Xtreme
Upcoming RATs:
– NetWire
– Gh0st
– Plasma
– Any other RATs I can find.
Requirements:
Several Python modules are required, and each script is different, so check the individual scripts. This is the complete list of the Python modules used across all the decoders:
– pefile – https://code.google.com/p/pefile/
– pycrypto – https://pypi.python.org/pypi/pycrypto/2.6.1
– pype32 – https://github.com/crackinglandia/pype32
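To show what those modules are used for, here is an added example of the pattern the decoders share, written for this post and not taken from RATDecoders: pull a named resource out of the PE with pefile, RC4-decrypt it (a pure-Python RC4 stands in for pycrypto's ARC4 and gives identical output), then parse a line-oriented KEY={HEX} layout. The resource name, the key, the layout and the sample config values are assumptions chosen for illustration, not any real family's values; the demo input is constructed inline so the script runs offline, and the directory walker sketches the "recursive mode" mentioned in the ToDo.

```python
#!/usr/bin/env python3
"""Illustrative RAT config-extractor skeleton (added example, not RATDecoders code).

Resource name, key, layout and sample values below are assumptions for
illustration, not any family's real values.
"""
import os
import sys
from typing import Dict, Iterator, Optional, Tuple

try:
    import pefile  # only needed to read real samples from disk
except ImportError:
    pefile = None

ILLUSTRATIVE_RES_NAME = "CONFIG"        # assumption: real families use other names
ILLUSTRATIVE_KEY = b"#EXAMPLE-KEY-1#"   # assumption: real keys differ per family/version


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Same output as Crypto.Cipher.ARC4.new(key).encrypt(data)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def get_resource(pe_path: str, res_name: str) -> Optional[bytes]:
    """Return the raw bytes of the first resource named res_name, or None (pefile API)."""
    if pefile is None:
        raise RuntimeError("pefile is required to read samples from disk")
    pe = pefile.PE(pe_path)
    if not hasattr(pe, "DIRECTORY_ENTRY_RESOURCE"):
        return None
    for res_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        for entry in res_type.directory.entries:
            name = str(entry.name) if entry.name is not None else str(entry.id)
            if name != res_name:
                continue
            leaf = entry.directory.entries[0].data.struct  # first language entry
            return pe.get_data(leaf.OffsetToData, leaf.Size)
    return None


def looks_textual(raw: bytes) -> bool:
    """Cheap wrong-key check: a real config value decrypts to printable ASCII."""
    return all(32 <= b < 127 for b in raw)


def parse_config(blob: bytes, key: bytes) -> Dict[str, Optional[str]]:
    """Parse KEY={HEX} lines where HEX is RC4 ciphertext; unprintable results map to None."""
    config: Dict[str, Optional[str]] = {}
    for raw_line in blob.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(b"#") or b"={" not in line or not line.endswith(b"}"):
            continue  # blank line, section marker, or not this layout
        name, enc = line.split(b"={", 1)
        try:
            plain = rc4(key, bytes.fromhex(enc[:-1].decode("ascii")))
        except ValueError:
            continue  # value is not hex: skip rather than crash on odd samples
        config[name.decode("ascii", "replace")] = plain.decode("ascii") if looks_textual(plain) else None
    return config


def build_sample_blob(fields: Dict[str, str], key: bytes) -> bytes:
    """Constructed test input in the layout parse_config expects (RC4 is symmetric)."""
    lines = [b"#BEGIN CONFIG"]
    for name, value in fields.items():
        lines.append(name.encode() + b"={" + rc4(key, value.encode()).hex().upper().encode() + b"}")
    lines.append(b"#EOF")
    return b"\r\n".join(lines)


def walk_samples(root: str, res_name: str, key: bytes) -> Iterator[Tuple[str, Dict[str, Optional[str]]]]:
    """Recursive mode: decode every file under root that carries the resource."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                blob = get_resource(path, res_name)
            except Exception:  # not a PE, truncated, unreadable: skip it and keep walking
                continue
            if blob:
                yield path, parse_config(blob, key)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: extractor.py <directory_of_samples>
        for path, cfg in walk_samples(sys.argv[1], ILLUSTRATIVE_RES_NAME, ILLUSTRATIVE_KEY):
            print(path, cfg)
    else:  # offline demo on a constructed blob
        sample = {"MUTEX": "EXAMPLE_MUTEX_01", "NETDATA": "198.51.100.7:1604"}
        print(parse_config(build_sample_blob(sample, ILLUSTRATIVE_KEY), ILLUSTRATIVE_KEY))
```

The printable-text check is the practical part: with the wrong key (or a newer variant that changed it) RC4 still "decrypts" without error, so a decoder that does not sanity-check its output will happily emit garbage as a C2 address.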
ToDo:
– There will be more decoders coming
– Finish the recursive mode on several of the decoders
References:
– Malware.lu for the initial Xtreme RAT write-up – https://code.google.com/p/malware-lu/wiki/en_xtreme_RAT
– FireEye for their Poison Ivy and Xtreme RAT write-ups (even though they ignored my tweet and reply) – http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html
– Shawn Denbow and Jesse Hertz for their paper PEST CONTROL – http://www.matasano.com/research/PEST-CONTROL.pdf
Source: https://github.com/kevthehermit