code hacking, zen coding


Orbit Downloader PE DDoS Memory Module Configuration File Decryptor

Posted by aXs

A PE module is downloaded into memory during Orbit Downloader startup. This memory module then fetches an encrypted configuration file listing the targets to DDoS.

This short Python program fetches that encrypted configuration file from the source server, decrypts it and displays its content.

# Orbit Downloader Memory Module PE Payload
# Configuration file decryption
# aXs -
# PE MD5: 809D5A4AF232F08F88D315B116E47828
# You need Python Requests -
# (Python 2 script)

import requests
from urllib import unquote
from base64 import b64decode
from hashlib import md5

# Fetch the encrypted configuration file from the source server
r = requests.get('')

# XOR key: the hex MD5 digest of a hard-coded string (32 ASCII characters)
key = md5('A!)$>da*b').hexdigest()

print "key=", key

# The server response is base64-encoded
cipher = b64decode(r.text)

# Step 1: XOR every byte with the repeating key
step1 = ''
for k, c in enumerate(cipher):
    step1 += chr(ord(c) ^ ord(key[k % len(key)]))

# Step 2: XOR each pair of adjacent bytes into a single byte
step2 = ''
for (c1, c2) in zip(step1[0::2], step1[1::2]):
    step2 += chr(ord(c1) ^ ord(c2))

# Step 3: the result is URL-encoded text
print "plain=", unquote(step2)

Results at the time of this blog post:

key= b25fff66ef05849a1e69b02834fa1db5
plain= 2013-08-22 08-00-01
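As an added example (not the post's own script), the same three-step decoding chain in Python 3, written so it can be exercised offline: build_sample_blob, the filler byte and the sample text are test-fixture assumptions of this example and not the memory module's real encoder; only the key phrase 'A!)$>da*b' and the decoding steps come from the post.

```python
# Added example: Python 3 re-implementation of the post's decoder plus a
# constructed test fixture, so the chain can be checked without the source server.
import base64
import hashlib
from typing import Optional
from urllib.parse import quote, unquote_to_bytes

# Hard-coded key phrase from the post; its MD5 hex digest is the XOR keystream.
KEY_PHRASE = "A!)$>da*b"


def derive_key(phrase: str = KEY_PHRASE) -> bytes:
    """Return the 32-character ASCII hex MD5 digest used as the XOR key."""
    return hashlib.md5(phrase.encode("ascii")).hexdigest().encode("ascii")


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Step 1: XOR every byte of data with the repeating key (an involution)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fold_pairs(data: bytes) -> bytes:
    """Step 2: XOR adjacent byte pairs into one byte.
    A trailing odd byte is dropped, exactly as zip() drops it in the original."""
    return bytes(a ^ b for a, b in zip(data[0::2], data[1::2]))


def decrypt_config(b64_blob: str, key: Optional[bytes] = None) -> str:
    """Decode a base64 blob the way the memory module's config is decoded."""
    key = key if key is not None else derive_key()
    step1 = xor_keystream(base64.b64decode(b64_blob), key)
    step2 = fold_pairs(step1)
    # Step 3: the folded bytes are URL-encoded text.
    return unquote_to_bytes(step2).decode("utf-8", errors="replace")


def build_sample_blob(plaintext: str, key: Optional[bytes] = None,
                      filler: int = 0x5A) -> str:
    """Constructed test fixture (assumption of this example, not the real
    encoder): produce a blob that decrypt_config() turns back into plaintext.
    The pair fold is lossy, so each URL-encoded byte p is emitted as the pair
    (a, a ^ p) with an arbitrary first byte a."""
    key = key if key is not None else derive_key()
    encoded = quote(plaintext, safe="").encode("ascii")
    pairs = bytearray()
    for i, p in enumerate(encoded):
        a = (filler + i) & 0xFF
        pairs += bytes([a, a ^ p])
    return base64.b64encode(xor_keystream(bytes(pairs), key)).decode("ascii")


if __name__ == "__main__":
    # Sample text is the value the post reports; the blob itself is constructed.
    sample = build_sample_blob("2013-08-22 08-00-01")
    print("key=", derive_key().decode("ascii"))
    print("blob=", sample)
    print("plain=", decrypt_config(sample))
```

To run it against a captured configuration file, pass the server's base64 response text to decrypt_config(); derive_key() prints the same key value the post reports. Because step 2 discards one bit of information per byte pair, the transformation is not reversible from the plaintext alone, which is why the fixture chooses the first byte of each pair arbitrarily.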