import re
import binascii
import hashlib
from base64 import b64decode
from malwareconfig import crypto
from malwareconfig.common import Decoder
from malwareconfig.common import string_printable
# temp imports
import re
import zlib
import uuid
from struct import unpack
class Plasma(Decoder):
decoder_name = "Plasma"
decoder__version = 1
decoder_author = "@kevthehermit"
decoder_description = "Plasma decoder for 1.7 This is identical to LuminosityLink"
def __init__(self):
self.config = {}
def get_config(self):
'''
This is the main entry
:return:
'''
config_dict = {}
# Getting resource is tough so instead we grab the base64 string from the raw
file_data = self.file_info.file_data
re_pattern = b'[a-zA-Z0-9+/]{60,}={0,2}'
conf_string = re.findall(re_pattern, file_data)[0]
password = "IUWEEQWIOER$89^*(&@^$*&#@$HAFKJHDAKJSFHjd89379327AJHFD*&#($hajklshdf##*$&^(AAA"
# b64decode
conf_string = b64decode(conf_string)
# Derive Key
key_hash = hashlib.md5(password.encode('utf-8')).hexdigest()
aes_key = key_hash[:30] + key_hash + '00'
# Decrypt
decrypted = crypto.decrypt_aes(binascii.unhexlify(aes_key), conf_string)
string_list = decrypted.decode('utf-8').split('*')
config_dict = {}
config_dict["Domain"] = string_list[1]
config_dict["Port"] = string_list[2]
config_dict["Password"] = string_list[3]
config_dict["Install Name"] = string_list[4]
config_dict["Startup Name"] = string_list[5]
config_dict["Campaign ID"] = string_list[6]
config_dict["Backup Domain"] = string_list[7]
self.config = config_dict
