RATDecoders v1.0 - Python Decoders for Common Remote Access Trojans.

Latest Change v1.0:
+ pyRattyExtractor.py: added C&C extractor for Ratty.
+ pyDendroid.py: code updates.
+ Created a framework rather than a set of standalone scripts.

RATDecoders: a collection of Python scripts that extract and decode the configuration settings (C&C hosts, ports, mutexes, campaign IDs and similar) embedded in samples of common RATs.
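To illustrate the shape of such a decoder, here is an added example (not code from RATDecoders): it locates an encrypted config blob in a sample by a marker, RC4-decrypts it with a family-specific key, checks that the result is plausible, and splits it into named settings. The blob layout, the "CFG1" marker, the key, the field names and the constructed sample bytes are all invented for this example and do not describe any real RAT family; a real decoder would pull the blob from a PE resource or section using pefile instead of a marker scan, and use pycrypto rather than the inline RC4.

```python
"""Illustrative RAT configuration decoder (added example, not RATDecoders code).

The blob format, marker, RC4 key and field names below are invented for this
example and do not describe any real RAT family.
"""
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), inlined so the example runs without pycrypto."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Hypothetical family definition: where the config lives and how it is encoded.
# In a framework, one such entry exists per supported family.
FAMILY = {
    "name": "ExampleRAT",                               # constructed, not a real family
    "marker": b"CFG1",                                  # tag preceding the encrypted config
    "key": b"example-key",                              # RC4 key of this invented family
    "fields": ["domain", "port", "mutex", "campaign"],  # field order inside the config
    "separator": b"|",
}


def find_config_blob(sample: bytes, family: dict) -> Optional[bytes]:
    """Locate the encrypted config: marker, 2-byte little-endian length, ciphertext."""
    idx = sample.find(family["marker"])
    if idx < 0:
        return None
    start = idx + len(family["marker"])
    length = int.from_bytes(sample[start:start + 2], "little")
    blob = sample[start + 2:start + 2 + length]
    if len(blob) != length:  # truncated file or bogus length: refuse rather than guess
        return None
    return blob


def decode_config(sample: bytes, family: dict = FAMILY) -> Optional[dict]:
    """Extract and decrypt the config, returning the settings as a dict."""
    blob = find_config_blob(sample, family)
    if blob is None:
        return None
    plain = rc4(family["key"], blob)
    # Sanity check: a wrong key or a false-positive marker yields random bytes,
    # not printable ASCII. Bail out instead of reporting junk as a C&C address.
    if not plain or not all(32 <= b < 127 for b in plain):
        return None
    parts = plain.split(family["separator"])
    if len(parts) != len(family["fields"]):
        return None
    return dict(zip(family["fields"], (p.decode("ascii") for p in parts)))


def build_sample() -> bytes:
    """Constructed 'infected binary' fragment carrying one encrypted config."""
    config = b"|".join([b"c2.example.invalid", b"4444", b"ExMutex", b"test"])
    enc = rc4(FAMILY["key"], config)
    return (b"\x00" * 32 + FAMILY["marker"]
            + len(enc).to_bytes(2, "little") + enc + b"\x00" * 16)


if __name__ == "__main__":
    print(decode_config(build_sample()))
```

The printable-ASCII and field-count checks are the part worth copying: without them a decoder run across a directory of samples will happily emit garbage for every file that happens to contain the marker bytes, and that garbage ends up in blocklists.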

Here is a list of the currently supported RATs:
– Adwind
– Albertino Advanced RAT
– Arcom
– BlackNix
– BlackShades
– Blue Banana
– Bozok
– ClientMesh
– CyberGate
– DarkComet
– DarkDDoser
– DarkRat
– Graeme
– jRat
– LostDoor
– LuxNet
– njRat
– Pandora
– PoisonIvy
– Punisher
– SpyGate
– SmallNet
– Unrecom
– Vantom
– Vertex
– VirusRat
– xtreme

Upcoming RATs:
– NetWire
– Gh0st
– Plasma
– Any other RATs I can find.

Requirements:
Each decoder has its own module requirements, so check the individual scripts. The list below covers every Python module used across all of the decoders:

pefile – https://code.google.com/p/pefile/
pycrypto – https://pypi.python.org/pypi/pycrypto/2.6.1
pype32 – https://github.com/crackinglandia/pype32

ToDo:
– More decoders are coming.
– Finish the recursive mode on several of the decoders.

References:
Malware.lu for the initial Xtreme RAT write-up – https://code.google.com/p/malware-lu/wiki/en_xtreme_RAT

FireEye for their Poison Ivy and Xtreme RAT write-ups (even though they ignored my tweet and reply) – http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html

Shawn Denbow and Jesse Hertz for their paper "PEST CONTROL" – http://www.matasano.com/research/PEST-CONTROL.pdf

Download from git:

Source: https://github.com/kevthehermit