A PE is downloaded into memory during Orbit Downloader startup. This in-memory module then fetches an encrypted configuration file listing the targets to DDoS.
This short Python program fetches that encrypted configuration file from the update server and displays its decrypted content.
# Orbit Downloader Memory Module PE Payload
# Configuration file decryption
# aXs - http://codezen.fr
#
# PE MD5: 809D5A4AF232F08F88D315B116E47828
#
# You need Python Requests - http://www.python-requests.org/
import requests
from urllib import unquote
from base64 import b64decode
from hashlib import md5
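# Update endpoint the in-memory module polls for its target list.
CONFIG_URL = 'http://obupdate.orbitdownloader.com/update/il.php'
# Hard-coded seed whose MD5 hex digest is the XOR keystream (bytes so it
# hashes identically under Python 2 and 3).
KEY_SEED = b'A!)$>da*b'
# Socket timeout in seconds for the fetch (constructed value; the original
# request had no timeout and could hang indefinitely).
FETCH_TIMEOUT = 30


def derive_key(seed=KEY_SEED):
    """Return the 32-character hex MD5 digest of *seed*.

    The keystream is the ASCII hex string itself (its characters are XORed
    in), not the raw 16-byte digest.
    """
    return md5(seed).hexdigest()


def decrypt_config(cipher_b64, key):
    """Decrypt a base64 configuration blob and return its percent-decoded text.

    Args:
        cipher_b64: base64 text exactly as served by the update endpoint
            (``str`` or ``bytes``).
        key: keystream string, normally ``derive_key()``.

    Returns:
        The configuration as a string after URL percent-decoding. An empty
        blob yields ``''``.
    """
    try:
        from urllib.parse import unquote  # Python 3
    except ImportError:  # Python 2
        from urllib import unquote

    # bytearray iterates as ints under both Python 2 and 3.
    cipher = bytearray(b64decode(cipher_b64))
    key_len = len(key)
    # Stage 1: repeating-key XOR against the characters of the hex digest.
    stage1 = [byte ^ ord(key[i % key_len]) for i, byte in enumerate(cipher)]
    # Stage 2: each consecutive pair of stage-1 bytes is XORed down to one
    # output byte. A trailing odd byte is dropped, exactly as the module's
    # original zip() loop did.
    stage2 = ''.join(chr(a ^ b) for a, b in zip(stage1[0::2], stage1[1::2]))
    # NOTE(review): under Python 3 chr() yields text and unquote() decodes %XX
    # sequences as UTF-8; for the ASCII configs seen so far this matches the
    # Python 2 byte-string output. Confirm before relying on non-ASCII fields.
    return unquote(stage2)


def main(argv=None):
    """Print the keystream and the decrypted configuration.

    Args:
        argv: optional argument list; defaults to ``sys.argv[1:]``. If a path
            is given, the base64 blob is read from that file (for example a
            previously captured response) and nothing is fetched from the
            update host. Otherwise the blob is fetched live.

    Raises:
        requests.HTTPError: if the live fetch returns an error status, so an
            error page is never fed to the decryptor as if it were a config.
    """
    import sys

    args = sys.argv[1:] if argv is None else argv
    if args:
        with open(args[0], 'r') as blob_file:
            blob = blob_file.read()
    else:
        response = requests.get(CONFIG_URL, timeout=FETCH_TIMEOUT)
        response.raise_for_status()
        blob = response.text
    key = derive_key()
    # Single parenthesised argument keeps the output identical on Python 2 and 3.
    print("key= %s" % key)
    print(decrypt_config(blob, key))


if __name__ == "__main__":
    main()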
# Configuration file decryption
# aXs - http://codezen.fr
#
# PE MD5: 809D5A4AF232F08F88D315B116E47828
#
# You need Python Requests - http://www.python-requests.org/
import requests
from urllib import unquote
from base64 import b64decode
from hashlib import md5
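# Update endpoint the in-memory module polls for its target list.
CONFIG_URL = 'http://obupdate.orbitdownloader.com/update/il.php'
# Hard-coded seed whose MD5 hex digest is the XOR keystream (bytes so it
# hashes identically under Python 2 and 3).
KEY_SEED = b'A!)$>da*b'
# Socket timeout in seconds for the fetch (constructed value; the original
# request had no timeout and could hang indefinitely).
FETCH_TIMEOUT = 30


def derive_key(seed=KEY_SEED):
    """Return the 32-character hex MD5 digest of *seed*.

    The keystream is the ASCII hex string itself (its characters are XORed
    in), not the raw 16-byte digest.
    """
    return md5(seed).hexdigest()


def decrypt_config(cipher_b64, key):
    """Decrypt a base64 configuration blob and return its percent-decoded text.

    Args:
        cipher_b64: base64 text exactly as served by the update endpoint
            (``str`` or ``bytes``).
        key: keystream string, normally ``derive_key()``.

    Returns:
        The configuration as a string after URL percent-decoding. An empty
        blob yields ``''``.
    """
    try:
        from urllib.parse import unquote  # Python 3
    except ImportError:  # Python 2
        from urllib import unquote

    # bytearray iterates as ints under both Python 2 and 3.
    cipher = bytearray(b64decode(cipher_b64))
    key_len = len(key)
    # Stage 1: repeating-key XOR against the characters of the hex digest.
    stage1 = [byte ^ ord(key[i % key_len]) for i, byte in enumerate(cipher)]
    # Stage 2: each consecutive pair of stage-1 bytes is XORed down to one
    # output byte. A trailing odd byte is dropped, exactly as the module's
    # original zip() loop did.
    stage2 = ''.join(chr(a ^ b) for a, b in zip(stage1[0::2], stage1[1::2]))
    # NOTE(review): under Python 3 chr() yields text and unquote() decodes %XX
    # sequences as UTF-8; for the ASCII configs seen so far this matches the
    # Python 2 byte-string output. Confirm before relying on non-ASCII fields.
    return unquote(stage2)


def main(argv=None):
    """Print the keystream and the decrypted configuration.

    Args:
        argv: optional argument list; defaults to ``sys.argv[1:]``. If a path
            is given, the base64 blob is read from that file (for example a
            previously captured response) and nothing is fetched from the
            update host. Otherwise the blob is fetched live.

    Raises:
        requests.HTTPError: if the live fetch returns an error status, so an
            error page is never fed to the decryptor as if it were a config.
    """
    import sys

    args = sys.argv[1:] if argv is None else argv
    if args:
        with open(args[0], 'r') as blob_file:
            blob = blob_file.read()
    else:
        response = requests.get(CONFIG_URL, timeout=FETCH_TIMEOUT)
        response.raise_for_status()
        blob = response.text
    key = derive_key()
    # Single parenthesised argument keeps the output identical on Python 2 and 3.
    print("key= %s" % key)
    print(decrypt_config(blob, key))


if __name__ == "__main__":
    main()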
Results at the time of this blog post:
key= b25fff66ef05849a1e69b02834fa1db5
plain= 2013-08-22 08-00-01
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
plain= 2013-08-22 08-00-01
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
210.73.221.182:8001=210.73.221.182
210.73.221.181:8001=210.73.221.181
yjmt.hoolaigames.com/ms/uc/login.jsp=180.153.235.172
GitHub repository: https://github.com/fbaligant/orbit-ddos-module-decrypt