{
	"id": "1e5d0e8c-f1bb-49a8-ad59-a319e41831a4",
	"created_at": "2026-04-06T00:11:38.312315Z",
	"updated_at": "2026-04-10T03:21:28.154213Z",
	"deleted_at": null,
	"sha1_hash": "0996bc685dd3a037aa033c2e6d5d39178e137ecd",
	"title": "GitHub - WithSecureLabs/doublepulsar-c2-traffic-decryptor: A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34299,
	"plain_text": "GitHub - WithSecureLabs/doublepulsar-c2-traffic-decryptor: A\r\npython2 script for processing a PCAP file to decrypt C2 traffic sent\r\nto DOUBLEPULSAR implant\r\nBy Luke Jennings\r\nArchived: 2026-04-05 16:41:56 UTC\r\nAuthor: Luke Jennings (luke.jennings@countercept.com - @jukelennings)\r\nCompany: Countercept (@countercept)\r\nWebsite: https://countercept.com\r\nA python2 script for decrypting the C2 traffic used by the DOUBLEPULSAR SMB implant from a PCAP file.\r\nThe encryption used is a simple 4-byte XOR, which you can often see being displayed in the command output\r\nfrom the FUZZBUNCH toolset. This makes use of the fact that four contiguous zero bytes are present in the\r\nSESSION_SETUP parameters of the first non-ping packet, which reveals the XOR key directly; that key is then used to\r\ndecrypt all of the traffic.\r\nThis is an early release; it relies on finding certain specific components in the network packets and has been\r\ntested with the DLL injection functionality. For best results, supply a PCAP file that contains only one command within\r\nthe traffic.\r\nFor testing purposes, a PCAP file is contained within this repository that was captured using the DLL injection\r\ncommand to inject the standard Windows DLL wininet.dll into a running calc.exe process on the target machine.\r\nThe decrypted output from running this script is also present in the repository and contains 4885 bytes of\r\nshellcode followed by a byte-for-byte copy of wininet.dll.\r\nThis script has a dependency on the python-pcapng library. Example usage below:\r\nroot@kali:~# pip install python-pcapng\r\nroot@kali:~# python decrypt_doublepulsar_traffic.py --pcapng inject-dll-wininet-into-calc.pcapng --output decrypted_data.bin\r\nSource: https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://github.com/countercept/doublepulsar-c2-traffic-decryptor"
	],
	"report_names": [
		"doublepulsar-c2-traffic-decryptor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434298,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0996bc685dd3a037aa033c2e6d5d39178e137ecd.pdf",
		"text": "https://archive.orkl.eu/0996bc685dd3a037aa033c2e6d5d39178e137ecd.txt",
		"img": "https://archive.orkl.eu/0996bc685dd3a037aa033c2e6d5d39178e137ecd.jpg"
	}
}