in icedid/peloader/icedid_peloader.py [0:0]
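def ref_c2(self, p: ProcessMemory) -> dict | None:
    """Locate, decrypt and parse the configuration embedded in the sample.

    Args:
        p: Memory object for the sample; its contents are read from
            offset 0 for ``p.length`` bytes.

    Returns:
        The parsed configuration (with ``"key"`` added when ``self.key``
        is set), or ``None`` when no encrypted buffer is found or the
        decrypted data fails the entropy check.
    """
    file_contents = p.readp(0, p.length)
    encrypted_config = self.find_encrypted_config(file_contents)
    if encrypted_config is None:
        log.error("unable to find encrypted buffer")
        return None
    log.info("len of encrypted data: %s", len(encrypted_config))

    decrypted = self.decrypt(encrypted_config)
    entropy = self.entropy(decrypted)
    log.info("decrypted data entropy: %s", entropy)

    # NOTE(review): the threshold looks like a sanity check that decryption
    # produced structured data rather than noise; the unit of the entropy
    # value is not visible here -- confirm against self.entropy().
    if entropy < 2:
        conf = self.parse_config(decrypted)
        if self.key:
            # Keep the recovered key with the config so analysts can
            # reproduce the decryption.
            conf["key"] = self.key
        return conf

    # Previously this path returned None silently, which made a failed
    # decryption indistinguishable from "nothing to report" in the logs.
    log.warning(
        "decrypted data entropy %s is not below threshold; discarding result",
        entropy,
    )
    return None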