code hacking, zen coding

Orbit Downloader PE DDoS Memory Module Configuration File Decryptor

A PE is downloaded into memory during Orbit Downloader startup. This memory module then fetches an encrypted configuration file listing the targets to DDoS.

This short Python program fetches that encrypted configuration file from the source server, decrypts it and displays its content.

# Orbit Downloader Memory Module PE Payload
# Configuration file decryption
# aXs - http://codezen.fr
#
# PE MD5: 809D5A4AF232F08F88D315B116E47828
#
# You need Python Requests - http://www.python-requests.org/
# (the script below is the original logic ported from Python 2 to Python 3)

import requests
from urllib.parse import unquote
from base64 import b64decode
from hashlib import md5

# Fetch the encrypted configuration from the update server
r = requests.get('http://obupdate.orbitdownloader.com/update/il.php')

# The XOR key is the hex digest of a hard-coded string (32 ASCII characters)
key = md5(b'A!)$>da*b').hexdigest().encode()

print("key=", key.decode())

# The body is base64; decode it to the raw ciphertext bytes
cipher = b64decode(r.text)

# Step 1: XOR every ciphertext byte with the repeating key
step1 = bytes(c ^ key[k % len(key)] for k, c in enumerate(cipher))

# Step 2: fold each pair of bytes into one by XOR-ing them together
# (a trailing odd byte is dropped, as zip() does)
step2 = bytes(c1 ^ c2 for c1, c2 in zip(step1[0::2], step1[1::2]))

# Step 3: the folded result is URL-encoded text
print("plain=", unquote(step2.decode('latin-1')))
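To verify the decryptor without contacting the update server, the added example below (not part of the original post or the GitHub repository) implements the same three-step scheme as an offline round trip: an `encrypt` inverse that builds a test vector, the `decrypt` routine from the post, and a small parser for the timestamp and target lines. The sample configuration is constructed here and uses documentation addresses; the key derivation is the one the post uses.

```python
import os
from base64 import b64decode, b64encode
from hashlib import md5
from urllib.parse import quote, unquote

# Same key derivation as the post: md5 hex digest of the hard-coded string, as ASCII bytes
KEY = md5(b'A!)$>da*b').hexdigest().encode()


def decrypt(blob_b64):
    """base64 -> XOR with the repeating key -> fold byte pairs with XOR -> URL-decode."""
    cipher = b64decode(blob_b64)
    step1 = bytes(c ^ KEY[i % len(KEY)] for i, c in enumerate(cipher))
    # Each (c1, c2) pair becomes c1 ^ c2; a trailing odd byte is dropped, as zip() does
    step2 = bytes(a ^ b for a, b in zip(step1[0::2], step1[1::2]))
    return unquote(step2.decode('latin-1'))


def encrypt(plain, rng=os.urandom):
    """Inverse transform, used only to build test vectors: every URL-encoded byte p
    is written as the pair (r, r ^ p) for a random r, so the pair-XOR yields p again."""
    step1 = bytearray()
    for p in quote(plain, safe='').encode():
        r = rng(1)[0]
        step1 += bytes([r, r ^ p])
    cipher = bytes(c ^ KEY[i % len(KEY)] for i, c in enumerate(step1))
    return b64encode(cipher).decode()


def parse_config(text):
    """Split decrypted text into its timestamp line and (target, resolved IP) pairs."""
    lines = text.splitlines()
    targets = []
    for line in lines[1:]:
        target, sep, ip = line.strip().partition('=')
        if sep:
            targets.append((target, ip))
    return lines[0].strip(), targets


# Constructed sample in the layout the post shows; addresses are from documentation ranges
SAMPLE = ("2013-08-22 08-00-01\n"
          "  203.0.113.10:8001=203.0.113.10\n"
          "  example.test/ms/uc/login.jsp=203.0.113.11\n")

if __name__ == '__main__':
    blob = encrypt(SAMPLE)
    assert decrypt(blob) == SAMPLE
    print(parse_config(decrypt(blob)))
```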

Results at the time of this blog post:

key= b25fff66ef05849a1e69b02834fa1db5
plain= 2013-08-22 08-00-01
  210.73.221.182:8001=210.73.221.182
  210.73.221.181:8001=210.73.221.181
  yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
  210.73.221.182:8001=210.73.221.182
  210.73.221.181:8001=210.73.221.181
  yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
  210.73.221.182:8001=210.73.221.182
  210.73.221.181:8001=210.73.221.181
  yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
  210.73.221.182:8001=210.73.221.182
  210.73.221.181:8001=210.73.221.181
  yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
  210.73.221.182:8001=210.73.221.182
  210.73.221.181:8001=210.73.221.181
  yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
  210.73.221.182:8001=210.73.221.182
  210.73.221.181:8001=210.73.221.181
  yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
  210.73.221.182:8001=210.73.221.182
  210.73.221.181:8001=210.73.221.181
  yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
  210.73.221.182:8001=210.73.221.182
  210.73.221.181:8001=210.73.221.181
  yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
  210.73.221.182:8001=210.73.221.182
  210.73.221.181:8001=210.73.221.181
  yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
  210.73.221.182:8001=210.73.221.182
  210.73.221.181:8001=210.73.221.181
  yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172

GitHub repository: https://github.com/fbaligant/orbit-ddos-module-decrypt
