Tags: python, error-handling, decoder, malware-detection, kali-linux

Decoding a Payload using GitHub Decoder Script


Abstract: I am analysing a pcap file with live malware (for educational purposes), and using Wireshark I managed to extract a few objects from the HTTP stream and some executables.

During my analysis, I found indications that the Fiesta Exploit Kit was used.

Having Googled a ton, I came across a GitHub repo: https://github.com/0x3a/tools/blob/master/fiesta-payload-decrypter.py

What am I trying to achieve?

I am trying to run the Python script fiesta-payload-decrypter.py against the malicious executable (extracted from the pcap).

What have I done so far?

I've copied the code into a plain text file and saved it as malwaredecoder.py. This script is saved in the same folder (/Download/Investigation/) as the malware.exe that I want to run it against.

What's the Problem?

    Traceback (most recent call last):
      File "malwaredecoder.py", line 51, in <module>
        sys.exit(DecryptFiestaPyload(sys.argv[1], sys.argv[2]))
      File "malwaredecoder.py", line 27, in DecryptFiestaPyload
        fdata = open(inputfile, "rb").read()
    IOError: [Errno 2] No such file or directory: '-'

I am running this python script in Kali Linux, and any help would be much appreciated. Thank you.


Solution

  • The script expects two args... What are you passing it?

    It looks like it expects the args to be files, and it sees a - (dash) as the input file.

    https://github.com/0x3a/tools/blob/master/fiesta-payload-decrypter.py#L44 Here it looks like the first arg is the input file and the second is the output file.

    Try running it like this:

    python malwaredecoder.py /Download/Investigation/fileImInvestigating.pcap /Download/Investigation/out.pcap


    All that said, good luck; that script looks pretty old and was last modified in 2015.
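The failure in the question is a plain argument-handling problem: the script takes two positional file paths, so a "-" passed in the first position is opened as a file named "-" and Python 2 raises IOError (Python 3 raises FileNotFoundError, a subclass of OSError). Below is an added example of how a practitioner would wrap such a decoder so the mistake is caught cleanly. It is not the fiesta-payload-decrypter.py code, and because the page does not reproduce the Fiesta routine itself, the transform here is a hypothetical single-byte XOR stand-in that only marks where the real decryption would be called. Everything else (the "-" convention for stdin/stdout, the existence check, the exit codes, the MZ magic check, and the constructed sample bytes) is the example's own assumption.

```python
import os
import sys
import tempfile

# Hypothetical stand-in for the decrypter's routine: the page does not reproduce
# the Fiesta algorithm, so a single-byte XOR marks where the real one belongs.
STANDIN_KEY = 0x5A


def decode_bytes(data, key=STANDIN_KEY):
    """Apply the stand-in transform. XOR is its own inverse, so this also 'encodes'."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """Cheap sanity check on a decoded payload: a PE/EXE begins with the 'MZ' magic."""
    return data[:2] == b"MZ"


def read_input(path):
    """Read the payload as raw bytes. '-' means stdin; anything else must be an existing file."""
    if path == "-":
        return sys.stdin.buffer.read()
    if not os.path.isfile(path):
        raise FileNotFoundError(f"input file not found: {path!r}")
    with open(path, "rb") as fh:  # read-only: the sample is never executed
        return fh.read()


def write_output(path, data):
    """Write decoded bytes to a file, or to stdout when the path is '-'."""
    if path == "-":
        sys.stdout.buffer.write(data)
    else:
        with open(path, "wb") as fh:
            fh.write(data)


def run(argv):
    """CLI entry point with the same two positional arguments; returns an exit code."""
    if len(argv) != 3:
        sys.stderr.write(f"usage: {argv[0]} <inputfile> <outputfile>\n")
        return 2
    try:
        data = read_input(argv[1])
    except FileNotFoundError as exc:
        sys.stderr.write(f"error: {exc}\n")
        return 1
    decoded = decode_bytes(data)
    if not looks_like_pe(decoded):
        sys.stderr.write("warning: output does not start with 'MZ'; wrong input or key?\n")
    write_output(argv[2], decoded)
    return 0


def selftest():
    """Round-trip a constructed sample through the CLI path; returns True on success."""
    # Constructed bytes, not a real binary: just enough to carry the MZ magic.
    sample = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."
    workdir = tempfile.mkdtemp()
    encoded_path = os.path.join(workdir, "malware.exe")
    decoded_path = os.path.join(workdir, "decoded.bin")
    with open(encoded_path, "wb") as fh:
        fh.write(decode_bytes(sample))  # "encrypt" with the stand-in transform
    rc = run(["malwaredecoder.py", encoded_path, decoded_path])
    with open(decoded_path, "rb") as fh:
        return rc == 0 and fh.read() == sample


if __name__ == "__main__":
    sys.exit(run(sys.argv))
```

Run it as `python3 malwaredecoder.py /Download/Investigation/malware.exe /Download/Investigation/decoded.bin`. Passing a "-" now reads stdin instead of crashing, a typo in the input path produces a one-line error and exit code 1 instead of a traceback, and the MZ check gives an immediate hint when the chosen input (a pcap rather than the extracted executable, say) or the transform is wrong. Reading the sample with open(..., "rb") never executes it, but the extracted file is still live malware and belongs in an isolated analysis VM.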