{
	"id": "90491304-90f7-476d-b88b-a6fc709e6c82",
	"created_at": "2026-04-06T00:09:53.702411Z",
	"updated_at": "2026-04-10T13:12:32.530401Z",
	"deleted_at": null,
	"sha1_hash": "201851e824457452fe526757a9816fb8d041c21f",
	"title": "Code to decrypt embedded driver in Daxin malware sample",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35579,
	"plain_text": "Code to decrypt embedded driver in Daxin malware sample\r\nBy usualsuspect\r\nArchived: 2026-04-05 17:54:40 UTC\r\nCode to decrypt embedded driver in Daxin malware sample\r\n#!/usr/bin/env python3\r\n#\r\n# Algorithm used by Daxin to decrypt embedded driver\r\n# Uses slightly modified RC4 (see comment in rc4() below)\r\n#\r\n# Constants fitting for sample\r\n# b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427\r\n#\r\nimport hashlib\r\nimport struct\r\ndef gen_key(const1,const2):\r\n# hardcoded into function, might also change per sample\r\nkey_data = b\"\\x7C\\x4E\\xD0\\x68\\x20\\x4b\\x42\\xEB\\x08\\x4A\\xFE\\xA9\\xEB\\x50\\x30\\xa3\"\r\nd1 = struct.pack(\"\u003cI\",const1)\r\nd2 = struct.pack(\"\u003cI\",const2)\r\nkey_data = d1 + key_data + d2\r\nkey = hashlib.md5(key_data).digest()\r\nout = bytearray(struct.pack(\"\u003cI\",const1^const2) + key[4:])\r\nh = const1 ^ const2\r\nhttps://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6\r\nPage 1 of 3\n\nfor i in range(16):\r\nif (i \u0026 1):\r\nk = ((h \u003c\u003c 11) \u0026 0xFFFFFFFF) ^ ((h \u003e\u003e 5) \u0026 0xFFFFFFFF)\r\nk ^= out[i]\r\nk ^= 0xFFFFFFFF # not\r\nelse:\r\nk = ((h \u003e\u003e 3) \u0026 0xFFFFFFFF) ^ ((h \u003c\u003c 7) \u0026 0xFFFFFFFF)\r\nk ^= out[i]\r\nh ^= k\r\nout = struct.pack(\"\u003cI\",h) + out[4:]\r\nreturn out\r\ndef rc4(data, key):\r\nx = 0\r\nbox = bytearray(range(256))\r\nfor i in range(256):\r\nx = (x + box[i] + key[i % len(key)]) % 256\r\nbox[i], box[x] = box[x], box[i]\r\ny = x # original RC4 sets both 0\r\nx = 0\r\nout = bytearray()\r\nfor char in data:\r\nx = (x + 1) % 256\r\ny = (y + box[x]) % 256\r\nbox[x], box[y] = box[y], box[x]\r\nout.append(char ^ box[(box[x] + box[y]) % 256])\r\nhttps://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6\r\nPage 2 of 3\n\nreturn out\r\ndata = open(\"driver\",\"rb\").read()\r\nkey = gen_key(0x4373F262,0x21B33EE9)\r\nplain = rc4(data,key)\r\nopen(\"out\",\"wb\").write(plain)\r\nSource: https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6\r\nhttps://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6"
	],
	"report_names": [
		"839fbc54e0d76bb2626329cd94274cd6"
	],
	"threat_actors": [],
	"ts_created_at": 1775434193,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/201851e824457452fe526757a9816fb8d041c21f.pdf",
		"text": "https://archive.orkl.eu/201851e824457452fe526757a9816fb8d041c21f.txt",
		"img": "https://archive.orkl.eu/201851e824457452fe526757a9816fb8d041c21f.jpg"
	}
}