kevthehermit/RATDecoders

njRat decoder python error

yampelo opened this issue · 8 comments

Hi,

I guess something was changed with pype32, but when you currently run the following code
'for s in m.netMetaDataStreams[dir_type].info'
it does not work because m.netMetaDataStreams is a list and does not accept #US as a value. The whole function actually doesn't work because the list only contains strings, which you cannot use .iteritems() on either.
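The breakage described above comes down to the shape of netMetaDataStreams changing between pype32 versions. As an added example (not code from RATDecoders or pype32), here is a version-tolerant helper that walks the #US stream whether the container is a dict keyed by stream name or a list of stream objects, and whether .info is a dict or plain strings; the stream objects and their .name attribute are constructed stand-ins and an assumption about the real API.

```python
class _Stream:
    """Constructed stand-in for a pype32 metadata stream object (assumption)."""
    def __init__(self, name, info):
        self.name = name
        self.info = info


def find_stream(streams, wanted="#US"):
    """Locate the named stream in either container shape named in the issue:
    a dict keyed by stream name (older pype32) or a list (newer pype32).
    Plain strings inside the list are matched by value."""
    if isinstance(streams, dict):
        return streams.get(wanted)
    for s in streams:
        if isinstance(s, str):
            if s == wanted:
                return s
        elif getattr(s, "name", None) == wanted:
            return s
    return None


def iter_user_strings(streams):
    """Yield user strings regardless of whether .info is a dict
    (offset -> string), a list of strings, or a single string."""
    stream = find_stream(streams)
    if stream is None or isinstance(stream, str):
        return  # no #US stream, or a bare name with no payload to walk
    info = stream.info
    if isinstance(info, dict):
        for _, value in sorted(info.items()):  # .items() works on py2 and py3
            yield value
    elif isinstance(info, (list, tuple)):
        for value in info:
            yield value
    elif isinstance(info, str):
        yield info
    else:
        raise TypeError("unexpected #US stream shape: %r" % type(info))


def user_strings(streams):
    """Convenience wrapper returning the strings as a list."""
    return list(iter_user_strings(streams))


# Constructed inputs mirroring the two shapes discussed in the thread.
OLD_SHAPE = {"#US": _Stream("#US", {0x01: "HacKed", 0x0C: "1177"})}
NEW_SHAPE = [_Stream("#Strings", ["x"]), _Stream("#US", ["HacKed", "1177"])]
```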

Thanks. Will fix today

Fixed and tested all the affected decoders.

Testing using the latest version of pype32 - https://github.com/crackinglandia/pype32/

Re-open if you still have issues.
Thanks again

Still doesn't work. Like I mentioned in the post, since pype32 now returns a string instead of a dictionary, an error shows up when you try to invoke .iteritems() on a string.

You need to make sure you are using the latest version of pype32 from GitHub, not from pip.

root@GitHub:~/github/RatDecoders# python njRat.py /mnt/malware/samples/nJRat/0.5e/755a6569c762af20b907a75304b80777d5ea9344a7c3098cc8827cbf6a159d1e.exe
[+] Reading file
[+] Searching for Config
[+] Printing Config to screen
   [-] Key: Campaign ID  Value: HacKed
   [-] Key: Domain       Value: yesrko.no-ip.org
   [-] Key: Install Dir  Value: TEMP
   [-] Key: Install Flag         Value: False
   [-] Key: Install Name         Value: cccam.exe
   [-] Key: Network Separator    Value: |'|'|
   [-] Key: Port         Value: 1177
   [-] Key: Registry Value       Value: 78f1c16b3b757b15f1f9ff331c84aa12
   [-] Key: version      Value: 0.5.0E
[+] End of Config
root@GitHub:~/github/RatDecoders#

Weird, maybe my sample is incompatible. I'm running pype32 version 0.1a4, which is the one you get from cloning the repository.

I get a "list index out of range" error now after reinstalling pype32

@splinks make sure you're cloning the pype32 repo (or downloading the source as a zip in its current state), not grabbing that release version that is linked to from the README!

To be clear... all that has to be done is the following:

git clone https://github.com/crackinglandia/pype32
cd pype32 ; python setup.py install

This has to be done until the pype32 guys update the release version and the version found via pip.

Pip is now up to date, closing this.