# TAFOF Unpacker **github.com/Tera0017/TAFOF-Unpacker** Tera0017 ### TA505 Unpacker is a python 2.7 script that is able to unpack statically, x86 and x64 TA505 packed samples. Currently malware spotted to be packed with that packer: GetandGoDll Silence (https://twitter.com/Vishnyak0v/status/1199620846823890944) TinyMet (https://twitter.com/darb0ng/status/1202823405747073024) Azorult (https://twitter.com/Vishnyak0v/status/1204312402306752513) KBMiner (https://www.botconf.eu/wp-content/uploads/2019/12/B2019- Eremin_Bot_with_rootkit.pdf) ... ## Usage ----- ``` $ python ta505_unpacker.py h ▄▄▄█████▓▄▄▄ █████▒█████ █████▒ █ ██ ███▄ █ ██▓███ ▄████▄ ██ ▄█▀██▀███ ▓ ██▒ ▓▒████▄ ▓██ ▒██▒ ██▓██ ▒ ██ ▓██▒██ ▀█ █▓██░ ██▒██▀ ▀█ ██▄█▒▓██ ▒ ██▒ ▒ ▓██░ ▒▒██ ▀█▄ ▒████ ▒██░ ██▒████ ░ ▓██ ▒██▓██ ▀█ ██▓██░ ██▓▒▓█ ▄▓███▄░▓██ ░▄█ ▒ ░ ▓██▓ ░░██▄▄▄▄██░▓█▒ ▒██ ██░▓█▒ ░ ▓▓█ ░██▓██▒ ▐▌██▒██▄█▓▒ ▒▓▓▄ ▄██▓██ █▄▒██▀▀█▄ ▒██▒ ░ ▓█ ▓██░▒█░ ░ ████▓▒░▒█░ ▒▒█████▓▒██░ ▓██▒██▒ ░ ▒ ▓███▀ ▒██▒ █░██▓ ▒██▒ ▒ ░░ ▒▒ ▓▒█░▒ ░ ░ ▒░▒░▒░ ▒ ░ ░▒▓▒ ▒ ▒░ ▒░ ▒ ▒▒▓▒░ ░ ░ ░▒ ▒ ▒ ▒▒ ▓░ ▒▓ ░▒▓░ ░ ▒ ▒▒ ░░ ░ ▒ ▒░ ░ ░░▒░ ░ ░░ ░░ ░ ▒░▒ ░ ░ ▒ ░ ░▒ ▒░ ░▒ ░ ▒░ ░ ░ ▒ ░ ░ ░ ░ ░ ▒ ░ ░ ░░░ ░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ |-->TA505 Unpacker. usage: ta505_unpacker.py [-h] [-f FILE] [-x] [-u] TA505 Unpacker. optional arguments: -h, --help show this help message and exit -f FILE, --file FILE File to decrypt. -x, --xls Extract bin from XLS, default to False. -u, --upx UPX decryption to final payload, default to False. ### Example 1.1: GetandGoDLL from XLS file. ``` ----- ``` $ python ta505_unpacker.py uxf tafof_xls_getandgodll.xls ▄▄▄█████▓▄▄▄ █████▒█████ █████▒ █ ██ ███▄ █ ██▓███ ▄████▄ ██ ▄█▀██▀███ ▓ ██▒ ▓▒████▄ ▓██ ▒██▒ ██▓██ ▒ ██ ▓██▒██ ▀█ █▓██░ ██▒██▀ ▀█ ██▄█▒▓██ ▒ ██▒ ▒ ▓██░ ▒▒██ ▀█▄ ▒████ ▒██░ ██▒████ ░ ▓██ ▒██▓██ ▀█ ██▓██░ ██▓▒▓█ ▄▓███▄░▓██ ░▄█ ▒ ░ ▓██▓ ░░██▄▄▄▄██░▓█▒ ▒██ ██░▓█▒ ░ ▓▓█ ░██▓██▒ ▐▌██▒██▄█▓▒ ▒▓▓▄ ▄██▓██ █▄▒██▀▀█▄ ▒██▒ ░ ▓█ ▓██░▒█░ ░ ████▓▒░▒█░ ▒▒█████▓▒██░ ▓██▒██▒ ░ ▒ ▓███▀ ▒██▒ █░██▓ ▒██▒ ▒ ░░ ▒▒ ▓▒█░▒ ░ ░ ▒░▒░▒░ ▒ ░ ░▒▓▒ ▒ ▒░ ▒░ ▒ ▒▒▓▒░ ░ ░ ░▒ ▒ ▒ ▒▒ ▓░ ▒▓ ░▒▓░ ░ ▒ ▒▒ ░░ ░ ▒ ▒░ ░ ░░▒░ ░ ░░ ░░ ░ ▒░▒ ░ ░ ▒ ░ ░▒ ▒░ ░▒ ░ ▒░ ░ ░ ▒ ░ ░ ░ ░ ░ ▒ ░ ░ ░░░ ░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ |-->TA505 Unpacker. |--> Extracting binaries from XLS. |--> Extracted TA505 binary from XLS: TA505_XLS_bin_x86_tafof_xls_getandgodll.xls.bin |--> Extracted TA505 binary from XLS: TA505_XLS_bin_x64_tafof_xls_getandgodll.xls.bin |--> Starting TA505 Unpacker |--> Loaded Packed Exe Data: TA505_XLS_bin_x86_tafof_xls_getandgodll.xls.bin |--> Encrypted Layer One size: 0X3C960 |--> Found Encrypted Code |--> Found XOR KEY: 0X79AA |--> Layer One encryption: rol_4 |--> Decrypted TA505 First Layer |--> Unpacked TA505: TA505_unpacker_TA505_XLS_bin_x86_tafof_xls_getandgodll.xls.bin |--> Unpacked TA505 UPX: TA505_UPX_unpacker_TA505_XLS_bin_x86_tafof_xls_getandgodll.xls.bin |--> Unpacked Successfully ``` ----- ### Example 1.2: GetandGoDLL from XLS file (updated version x86/x64). ``` $ python ta505_unpacker.py -uxf tafof_xls_getandgodll.xls ▄▄▄█████▓▄▄▄ █████▒█████ █████▒ █ ██ ███▄ █ ██▓███ ▄████▄ ██ ▄█▀██▀███ ▓ ██▒ ▓▒████▄ ▓██ ▒██▒ ██▓██ ▒ ██ ▓██▒██ ▀█ █▓██░ ██▒██▀ ▀█ ██▄█▒▓██ ▒ ██▒ ▒ ▓██░ ▒▒██ ▀█▄ ▒████ ▒██░ ██▒████ ░ ▓██ ▒██▓██ ▀█ ██▓██░ ██▓▒▓█ ▄▓███▄░▓██ ░▄█ ▒ ░ ▓██▓ ░░██▄▄▄▄██░▓█▒ ▒██ ██░▓█▒ ░ ▓▓█ ░██▓██▒ ▐▌██▒██▄█▓▒ ▒▓▓▄ ▄██▓██ █▄▒██▀▀█▄ ▒██▒ ░ ▓█ ▓██░▒█░ ░ ████▓▒░▒█░ ▒▒█████▓▒██░ ▓██▒██▒ ░ ▒ ▓███▀ ▒██▒ █░██▓ ▒██▒ ▒ ░░ ▒▒ ▓▒█░▒ ░ ░ ▒░▒░▒░ ▒ ░ ░▒▓▒ ▒ ▒░ ▒░ ▒ ▒▒▓▒░ ░ ░ ░▒ ▒ ▒ ▒▒ ▓░ ▒▓ ░▒▓░ ░ ▒ ▒▒ ░░ ░ ▒ ▒░ ░ ░░▒░ ░ ░░ ░░ ░ ▒░▒ ░ ░ ▒ ░ ░▒ ▒░ ░▒ ░ ▒░ ░ ░ ▒ ░ ░ ░ ░ ░ ▒ ░ ░ ░░░ ░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ |--> TA505 Unpacker. |--> Extracting binaries from XLS. |--> Extracted TA505 binary from XLS: TAFOF_XLS_bin_x86_1_tafof_xls_getandgodll.xls.bin |--> Extracted TA505 binary from XLS: TAFOF_XLS_bin_x64_2_tafof_xls_getandgodll.xls.bin |--> Starting TA505 x86 Unpacker |--> Loaded Packed Exe Data: TAFOF_XLS_bin_x86_1_tafof_xls_getandgodll.xls.bin |--> Encrypted Layer One size: 0X3C960 |--> Found Encrypted Code |--> Found XOR KEY: 0X79AA |--> Layer One encryption: rol_4 |--> Decrypted TA505 First Layer |--> Unpacked TA505 x86: TAFOF_unpacker_TAFOF_XLS_bin_x86_1_tafof_xls_getandgodll.xls.bin |--> Unpacked TA505 UPX Layer 2: TAFOF_UPX2_unpacker_TAFOF_XLS_bin_x86_1_tafof_xls_getandgodll.xls.bin |--> Unpacked x86 Successfully |--> Starting TA505 x64 Unpacker |--> Unpacked TA505 UPX Layer 1: TAFOF_UPX1_unpacker_TAFOF_XLS_bin_x64_2_tafof_xls_getandgodll.xls.bin |--> Loaded Packed Exe Data: TAFOF_UPX1_unpacker_TAFOF_XLS_bin_x64_2_tafof_xls_getandgodll.xls.bin |--> Encrypted Layer One size: 0X34FB0 |--> Found Encrypted Code |--> Found XOR KEY: 0X7D74 |--> Layer One encryption: rol_7 |--> Decrypted TA505 First Layer |--> Unpacked TA505 x64: TAFOF_unpacker_TAFOF_UPX1_unpacker_TAFOF_XLS_bin_x64_2_tafof_xls_getandgodll.xls.bin |--> Unpacked x64 Successfully ``` ----- ### Example 2: Silence. ``` $ python ta505_unpacker.py -uf tafof_silence.bin ▄▄▄█████▓▄▄▄ █████▒█████ █████▒ █ ██ ███▄ █ ██▓███ ▄████▄ ██ ▄█▀██▀███ ▓ ██▒ ▓▒████▄ ▓██ ▒██▒ ██▓██ ▒ ██ ▓██▒██ ▀█ █▓██░ ██▒██▀ ▀█ ██▄█▒▓██ ▒ ██▒ ▒ ▓██░ ▒▒██ ▀█▄ ▒████ ▒██░ ██▒████ ░ ▓██ ▒██▓██ ▀█ ██▓██░ ██▓▒▓█ ▄▓███▄░▓██ ░▄█ ▒ ░ ▓██▓ ░░██▄▄▄▄██░▓█▒ ▒██ ██░▓█▒ ░ ▓▓█ ░██▓██▒ ▐▌██▒██▄█▓▒ ▒▓▓▄ ▄██▓██ █▄▒██▀▀█▄ ▒██▒ ░ ▓█ ▓██░▒█░ ░ ████▓▒░▒█░ ▒▒█████▓▒██░ ▓██▒██▒ ░ ▒ ▓███▀ ▒██▒ █░██▓ ▒██▒ ▒ ░░ ▒▒ ▓▒█░▒ ░ ░ ▒░▒░▒░ ▒ ░ ░▒▓▒ ▒ ▒░ ▒░ ▒ ▒▒▓▒░ ░ ░ ░▒ ▒ ▒ ▒▒ ▓░ ▒▓ ░▒▓░ ░ ▒ ▒▒ ░░ ░ ▒ ▒░ ░ ░░▒░ ░ ░░ ░░ ░ ▒░▒ ░ ░ ▒ ░ ░▒ ▒░ ░▒ ░ ▒░ ░ ░ ▒ ░ ░ ░ ░ ░ ▒ ░ ░ ░░░ ░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ |-->TA505 Unpacker. |--> Starting TA505 Unpacker |--> Loaded Packed Exe Data: tafof_silence.bin |--> Encrypted Layer One size: 0X23280 |--> Found Encrypted Code |--> Found XOR KEY: 0X5EFE |--> Layer One encryption: rol_7 |--> Decrypted TA505 First Layer |--> Unpacked TA505: TA505_unpacker_tafof_silence.bin |--> Unpacked Successfully Requirements yara-python (latest tested version "4.0.1") pefile (latest tested version "2019.4.18") UPX ``` ----- ## Support ### In case some files are not working, please make sure its packed with TA505 packer, if yes please provide me the hash in a DM @Tera0017. Regards -----