Decoding a Payload using GitHub Decoder Script




Abstract: I am analysing a pcap file with live malware (for educational purposes), and using Wireshark I managed to extract a few objects from the HTTP stream and some executables.

During my analysis, I found instances hinting that the Fiesta Exploit Kit was used.

Having Googled a ton, I came across a GitHub repo: https://github.com/0x3a/tools/blob/master/fiesta-payload-decrypter.py

What am I trying to achieve?

I am trying to run the python fiesta-payload-decrypter.py against the malicious executable (extracted from the pcap).

What have I done so far?

I've copied the code into a plain text file and saved it as malwaredecoder.py. This script is saved in the same folder (/Download/Investigation/) as the malware.exe that I want to run it against.

What’s the Problem?

Traceback (most recent call last):
  File "malwaredecoder.py", line 51, in <module>
    sys.exit(DecryptFiestaPyload(sys.argv[1], sys.argv[2]))
  File "malwaredecoder.py", line 27, in DecryptFiestaPyload
    fdata = open(inputfile, "rb").read()
IOError: [Errno 2] No such file or directory: '-'

I am running this python script in Kali Linux, and any help would be much appreciated. Thank you.

Answer

The script expects two args… What are you passing it?

Looks like it expects the args to be files, and it sees a - (dash) as the input file.

https://github.com/0x3a/tools/blob/master/fiesta-payload-decrypter.py#L44 Here, it looks like the first arg is the input file and the second is the output file.

Try running it like this:

python malwaredecoder.py /Download/Investigation/fileImInvestigating.pcap /Download/Investigation/out.pcap

All that said, good luck, that script looks pretty old and was last modified in 2015.
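The failure above comes from the script opening sys.argv[1] before checking what it was given. As an added example (not code from the question, the answer, or the 0x3a/tools repository), the wrapper below applies the same two-positional-argument contract (input path first, output path second), but validates the arguments and fails with a usage message before any file is opened, so a stray - no longer surfaces as an IOError deep inside the decrypter. The decrypt callable and the XOR stand-in used in demo() are constructed placeholders; the real Fiesta routine lives in the linked script and is not reproduced here.

```python
import os
import sys
import tempfile
from typing import Callable, List, Tuple

USAGE = "usage: malwaredecoder.py <input-file> <output-file>"


def validate_args(argv: List[str]) -> Tuple[str, str]:
    """Return (inputfile, outputfile) or raise ValueError carrying a usage hint.

    Same positional contract as the Fiesta decrypter (input first, output
    second), but every check happens before open() is ever called.
    """
    if len(argv) != 3:
        raise ValueError(f"expected 2 arguments, got {len(argv) - 1}\n{USAGE}")
    inputfile, outputfile = argv[1], argv[2]
    for arg in (inputfile, outputfile):
        # A bare '-' is the shell convention for stdin/stdout; this script only
        # takes real paths, which is exactly what produced the IOError above.
        if arg.startswith("-"):
            raise ValueError(f"{arg!r} is not a file path\n{USAGE}")
    if not os.path.isfile(inputfile):
        raise ValueError(f"input file not found: {inputfile}")
    if os.path.exists(outputfile) and os.path.samefile(inputfile, outputfile):
        raise ValueError("output file must differ from the input file")
    return inputfile, outputfile


def run(argv: List[str], decrypt: Callable[[bytes], bytes]) -> int:
    """Validate argv, then pass the input bytes through `decrypt`. Returns an exit code."""
    try:
        inputfile, outputfile = validate_args(argv)
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return 2  # conventional "bad usage" exit status
    with open(inputfile, "rb") as fh:
        data = fh.read()
    with open(outputfile, "wb") as fh:
        fh.write(decrypt(data))
    return 0


def demo() -> Tuple[int, bytes]:
    """Constructed self-check: round-trip a sample buffer with a stand-in XOR 'cipher'."""
    xor = lambda buf: bytes(b ^ 0x5A for b in buf)  # placeholder, not the Fiesta scheme
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "malware.exe"), os.path.join(tmp, "decoded.bin")
        with open(src, "wb") as fh:
            fh.write(xor(b"MZ sample"))  # constructed "encrypted" input
        code = run(["malwaredecoder.py", src, dst], xor)
        with open(dst, "rb") as fh:
            return code, fh.read()
```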



Source: stackoverflow