

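    def icedid_photoloader(self, p: ProcessMemory, match: YaraRuleMatch) -> Config | bool:
        """Extract the IcedID PhotoLoader C2 string from a matched process dump.

        Args:
            p: Process memory the YARA rule matched; it is wrapped as a PE image
               and handed to ``self.extractPayload``.
            match: The YARA match. Its ``obfuscationCode`` element supplies the
               XOR offset and the byte count used to decrypt the C2.

        Returns:
            The rule metadata merged with ``{self.family: [c2]}`` when a
            non-empty, UTF-8-decodable C2 was recovered; the rule metadata
            alone otherwise. (The ``bool`` in the annotation is kept for
            compatibility; this body never produces one.)
        """
        conf: Config = {}
        info: Config = get_rule_metadata(match)

        # Both decryption parameters are read from the matched bytes rather
        # than hard-coded, so a rebuilt loader with different constants is
        # still handled. Each is one byte of the matched sequence
        # (presumably a bytes object from the YARA element — confirm against the rule).
        obfuscationCode = match.elements["obfuscationCode"][0][2]
        xorCountValue = obfuscationCode[3]  # Getting these values dynamically because... you never know
        countValue = obfuscationCode[-1]

        pe_rep = PE(data=p)
        payload = self.extractPayload(pe_rep)

        # XOR each byte with the byte xorCountValue positions ahead of it.
        # Both indices only grow, so the first IndexError means every later
        # iteration would fail as well: stop instead of raising repeatedly.
        decrypted = bytearray()
        for i in range(countValue):
            try:
                decrypted.append(payload[i + xorCountValue] ^ payload[i])
            except IndexError:
                break

        c2 = asciiz(decrypted)
        if len(c2) > 0:
            try:
                conf[self.family] = [c2.decode("utf-8")]
            except UnicodeDecodeError:
                # The decrypted bytes come straight from the sample: a wrong
                # offset or a truncated payload yields garbage. Report no C2
                # rather than crash the extractor or emit a mangled indicator.
                pass

        return conf | info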