def ref_c2()

in hancitor/hancitor.py [0:0]


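    def ref_c2(self, p: ProcessMemory) -> dict | None:
        """Recover the Hancitor C2 configuration from a dumped process image.

        The image's ``.data`` section carries an 8-byte seed at offset 16,
        followed by up to 8192 bytes of RC4-encrypted configuration. The RC4
        key is the first 5 bytes of SHA-1(seed) (40 bits, taken from the upper
        half of the ``flags`` constant). Decryption is accepted only when
        ``estimate_shannon_entropy`` reports a value below 1, i.e. the output
        looks like plaintext rather than random bytes.

        Args:
            p: Process memory holding the unpacked Hancitor PE image.

        Returns:
            The parsed configuration with an extra ``rc4_key`` entry (hex of
            the 8-byte seed, not of the derived key), or ``None`` when no
            usable ``.data`` section is present or the decrypted blob does not
            look like plaintext.
        """
        pe_rep = PE(data=p)
        raw_rc4_key = None
        crypted_data = None
        for section in pe_rep.sections:
            # Substring match: section names are NUL-padded; last match wins.
            if b".data" in section.Name:
                section_data = section.get_data()
                raw_rc4_key = section_data[16:24]
                crypted_data = section_data[24 : 24 + 8192]
        if raw_rc4_key is None or crypted_data is None:
            log.error("unable to find .data section")
            return None
        # A section too short to hold the seed and ciphertext would otherwise
        # be hashed/decrypted as empty bytes and produce a meaningless result.
        if len(raw_rc4_key) < 8 or not crypted_data:
            log.error(".data section too small to hold key seed and config")
            return None
        key_hex = malduck.enhex(raw_rc4_key).decode("utf-8")
        log.info("key: %s", key_hex)
        # Presumably a CryptDeriveKey-style flags word: the upper 16 bits give
        # the key length in bits (0x28 == 40 bits -> 5 bytes). The low bits are
        # not interpreted here.
        flags = 0x280011
        key_length = (flags >> 16) // 8
        raw_hash = hashlib.sha1(raw_rc4_key).digest()[:key_length]
        log.info(
            "len of encrypted data: %s, decrypting with %s",
            len(crypted_data),
            malduck.enhex(raw_hash).decode("utf-8"),
        )
        decrypted = malduck.rc4(raw_hash, crypted_data)
        entropy = self.estimate_shannon_entropy(decrypted)
        log.info("decrypted data entropy: %s", entropy)
        # Entropy below 1 is the acceptance test for a correct key; anything
        # else is treated as a failed decryption.
        if entropy >= 1:
            return None
        conf = self.parse_config(decrypted)
        conf["rc4_key"] = key_hex
        return conf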