code hacking, zen coding

Orbit Downloader PE DDoS Memory Module Configuration File Decryptor

A PE is downloaded into memory during Orbit Downloader startup. This memory module then fetches an encrypted configuration file containing the targets to DDoS.

This short Python program fetches the encrypted configuration file from the source server and displays its decrypted content.

# Orbit Downloader Memory Module PE Payload
# Configuration file decryption
# aXs -
# PE MD5: 809D5A4AF232F08F88D315B116E47828
# You need Python Requests -
# Python 2 script: str is a byte string here, so the XOR loops below operate on raw bytes.

import requests
from urllib import unquote
from base64 import b64decode
from hashlib import md5

# Fetch the base64-encoded, encrypted configuration file from the source server
r = requests.get('')

# The XOR key is the ASCII hex digest of MD5 over a hard-coded seed string
key = md5('A!)$>da*b').hexdigest()

print "key=", key

cipher = b64decode(r.text)

# Layer 1: XOR every byte with the key, cycling through the key
step1 = ''
for k, c in enumerate(cipher):
    step1 += chr(ord(c) ^ ord(key[k % len(key)]))

# Layer 2: XOR each pair of adjacent bytes into one output byte
# (a trailing odd byte is dropped by zip)
step2 = ''
for (c1, c2) in zip(step1[0::2], step1[1::2]):
    step2 += chr(ord(c1) ^ ord(c2))

# Layer 3: the result is URL-encoded text
print "plain=", unquote(step2)

Results at the time of this blog post:

key= b25fff66ef05849a1e69b02834fa1db5
plain= 2013-08-22 08-00-01
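As an added offline example (not the original script), the same three layers in Python 3 working on bytes, plus a constructed inverse that builds a test fixture so the decoder can be exercised without contacting any server. The seed string and layer order come from the script above; the fixed pair byte used by the encoder is an assumption, since the first byte of each pair can hold any value.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

KEY_SEED = b'A!)$>da*b'  # hard-coded seed string from the original script


def derive_key() -> bytes:
    """The repeating XOR key is the 32-char ASCII hex digest of MD5(seed)."""
    return hashlib.md5(KEY_SEED).hexdigest().encode('ascii')


def decrypt_config(b64_text: str, key: bytes = None) -> str:
    """Reverse the module's layers: base64 -> repeating-key XOR -> pair XOR -> URL-decode."""
    key = key or derive_key()
    cipher = base64.b64decode(b64_text)
    # Layer 1: XOR each byte with the key, cycling through the key
    step1 = bytes(c ^ key[i % len(key)] for i, c in enumerate(cipher))
    # Layer 2: each plaintext byte p is stored as a pair (a, a ^ p); XOR of the pair yields p.
    # A trailing odd byte is dropped, mirroring zip() in the original script.
    step2 = bytes(a ^ b for a, b in zip(step1[0::2], step1[1::2]))
    # Layer 3: what remains is URL-encoded text
    return unquote(step2.decode('latin-1'))


def encode_config(plain: str, key: bytes = None, pair_byte: int = 0x5A) -> str:
    """Constructed inverse, only for building offline fixtures (not the malware's own encoder).
    pair_byte is an assumption: any value works, a fixed one keeps the fixture reproducible."""
    key = key or derive_key()
    url_encoded = quote(plain, safe='').encode('ascii')
    pairs = bytearray()
    for p in url_encoded:
        pairs.append(pair_byte)
        pairs.append(pair_byte ^ p)
    enc = bytes(c ^ key[i % len(key)] for i, c in enumerate(pairs))
    return base64.b64encode(enc).decode('ascii')


if __name__ == '__main__':
    # Constructed sample; no real configuration file is fetched or embedded here
    fixture = encode_config('2013-08-22 08-00-01')
    print('key=', derive_key().decode('ascii'))
    print('plain=', decrypt_config(fixture))
```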

GitHub repository: