# Deobfuscation ## CyberChef Decode and otherwise analyze data using this browser app. **Website**: \ **Author**: GCHQ\ **License**: Apache License 2.0: \ **Notes**: cyberchef\ **State File**: [remnux.tools.cyberchef](https://github.com/REMnux/salt-states/blob/master/remnux/tools/cyberchef.sls) ## Malchive Perform static analysis of various aspects of malicious code. **Website**: \ **Author**: The MITRE Corporation, \ **License**: Apache License 2.0: \ **Notes**: Malchive command-line tools start with the prefix `malutil-`. See [utilities documentation](https://github.com/MITRECND/malchive/wiki/Utilities) for details.\ **State File**: [remnux.python3-packages.malchive](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/malchive.sls) ## Cobalt Strike Configuration Extractor (CSCE) and Parser Analyze Cobalt Strike beacons. **Website**: \ **Author**: Aon / Stroz Friedberg\ **License**: Apache License 2.0: \ **Notes**: csce, list-cs-settings\ **State File**: [remnux.python3-packages.csce](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/csce.sls) ## xortool Analyze XOR-encoded data. **Website**: \ **Author**: Aleksei Hellman\ **License**: MIT License: \ **State File**: [remnux.python3-packages.xortool](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/xortool.sls) ## DC3-MWCP Parsing configuration information from malware. **Website**: \ **Author**: Defense Cyber Crime Center - United States Government\ **License**: Some parts Public Domain, some MIT License: \ **Notes**: mwcp\ **State File**: [remnux.python3-packages.dc3-mwcp](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/dc3-mwcp.sls) ## unicode Display Unicode character properties. **Website**: \ **Author**: Radovan Garabik\ **License**: GNU General Public License (GPL) v3: \ **State File**: [remnux.python3-packages.unicode](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/unicode.sls) ## Chepy Decode and otherwise analyze data using this command-line tool and Python library. **Website**: \ **Author**: securisec: \ **License**: GNU General Public License (GPL) v3: \ **Notes**: chepy\ **State File**: [remnux.python3-packages.chepy](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/chepy.sls) ## Balbuzard Extract and deobfuscate patterns from suspicious files. **Website**: \ **Author**: Philippe Lagadec / Corey Forman (digitalsleuth)\ **License**: Free, custom license: \ **Notes**: balbuzard, bbcrack, bbharvest, bbtrans\ **State File**: [remnux.python3-packages.balbuzard](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/balbuzard.sls) ## NoMoreXOR.py Help guess a file's 256-byte XOR by using frequency analysis. **Website**: \ **Author**: Glenn P. Edwards Jr.\ **License**: Free, unknown license\ **State File**: [remnux.scripts.nomorexor](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/nomorexor.sls) ## unXOR Deobfuscate XOR'ed files. **Website**: \ **Author**: Thomas Chopitea\ **License**: Apache License 2.0: \ **State File**: [remnux.scripts.unxor](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/unxor.sls) ## brxor.py Bruteforce XOR'ed strings to find those that are English words. **Website**: \ **Author**: Alexander Hanel, Trenton Tait\ **License**: Free, unknown license\ **State File**: [remnux.scripts.brxor](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/brxor.sls) ## xorBruteForcer.py Bruteforce an XOR-encoded file. **Website**: \ **Author**: Jose Miguel Esparza\ **License**: Free, unknown license\ **State File**: [remnux.scripts.xorbruteforcer](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/xorbruteforcer.sls) ## strdeob.pl Locate and decode stack strings in executable files. **Website**: \ **Author**: TotalHash\ **License**: Free, unknown license\ **State File**: [remnux.scripts.strdeob](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/strdeob.sls) ## XORStrings Search for XOR encoded strings in a file. **Website**: \ **Author**: Didier Stevens\ **License**: Free, unknown license\ **State File**: [remnux.packages.xorstrings](https://github.com/REMnux/salt-states/blob/master/remnux/packages/xorstrings.sls) ## XORSearch Locate and decode strings obfuscated using common techniques. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **Notes**: xorsearch\ **State File**: [remnux.packages.xorsearch](https://github.com/REMnux/salt-states/blob/master/remnux/packages/xorsearch.sls) ## FLOSS Extract and deobfuscate strings from PE executables. **Website**: \ **Author**: Mandiant, Willi Ballenthin: , Moritz Raabe\ **License**: Apache License 2.0: \ **Notes**: floss\ **State File**: [remnux.packages.flare-floss](https://github.com/REMnux/salt-states/blob/master/remnux/packages/flare-floss.sls) ## ex\_pe\_xor.py Search an XOR'ed file for indications of executable binaries. **Website**: \ **Author**: Alexander Hanel\ **License**: Free, unknown license\ **State File**: [remnux.scripts.ex-pe-xor](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/ex-pe-xor.sls) ## cs-decrypt-metadata.py Decrypt Cobalt Strike metadata. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## base64dump.py Locate and decode strings encoded in Base64 and other common encodings. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## xor-kpa.py Implement a XOR known plaintext attack. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## cut-bytes.py Cut out a part of a data stream. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## format-bytes.py Decompose structured binary data with format strings. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## translate.py Translate bytes according to a Python expression. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## sets.py Perform set operations on lines or bytes in text files. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## 1768.py Analyze Cobalt Strike beacons. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## xorsearch.py Search for XOR, ROL, ROT, and SHIFT encoded strings with YARA and regex support. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## re-search.py Search files using regular expressions from a built-in library or custom patterns. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## hex-to-bin.py Convert hexadecimal text dumps to binary data. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## numbers-to-string.py Translate number sequences into ASCII characters. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## cs-analyze-processdump.py Analyze Cobalt Strike beacon process dumps to detect sleep mask encoding. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls) ## cs-extract-key.py Extract AES and HMAC keys from Cobalt Strike beacon process memory. **Website**: \ **Author**: Didier Stevens: \ **License**: Public Domain\ **State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)