```python
# simple python script to search ips, hostnames, or domains for page titles
import argparse
import re
from urllib.request import urlopen

# arguments
arguments = argparse.ArgumentParser(
    description="Search for websites, pass 1 file of hostnames, ips, or domains")
arguments.add_argument("-f", "--filepath", type=str, required=True,
                       help="Path to list of hostnames, ips, or domains 1 per line")
settings = arguments.parse_args()
filepath = settings.filepath


def find_title(url, timeout):
    """Fetch url and return the first <title> text, or None if the request fails or no title is found."""
    try:
        html = urlopen(url, timeout=timeout)
        val = html.read().decode("utf-8", "replace")
        titles = re.findall(r'(?i)<title>(.*?)</title>', val)
        return titles[0] if titles else None
    except Exception as e:
        # print("failed '{0}' with '{1}'".format(url, str(e)))
        return None


with open(filepath) as fp:
    for line in fp:
        host = line.strip()
        if not host:
            continue
        # try http first, then https; each scheme gets its own attempt so a failure on
        # http no longer skips https, and the https url is built from the bare host
        for theurl, timeout in (('http://' + host, 2), ('https://' + host, 3)):
            title = find_title(theurl, timeout)
            if title is not None:
                print("found '{0}' at '{1}'".format(title, theurl))
```
Thursday, February 28, 2019
Wednesday, February 20, 2019
Windows Process Tree Basics (Blue Team)
Great read by Pete here
https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
Just jotting some notes for myself below
SYSTEM
SYSTEM IDLE Process
- no visible parent
- should only ever be 1 of each
- in kernel mode (created by the NT OS kernel)
- SYSTEM always has PID 4
- SYSTEM IDLE Process always has 1 thread per CPU
SMSS.EXE
- parent is SYSTEM (PID 4)
- should only ever be 1 running
- runs from \system32\smss.exe
- 1st user mode process started by Kernel
- launches WINLOGON.EXE, WININIT.EXE, and CSRSS.EXE, then SMSS.EXE exits
WINLOGON.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\winlogon.exe
- may spawn child processes (alternate login devices such as biometric readers)
- launches USERINIT.EXE which runs logon scripts, connects to network, starts EXPLORER.EXE
WININIT.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from system32\wininit.exe
- launches SERVICES.EXE, LSASS.EXE, and LSM.EXE
- creates %windir%\temp
CSRSS.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from system32\csrss.exe
USERINIT.EXE
- parent is WINLOGON.EXE
- Runs logon scripts, connects to network, starts EXPLORER.EXE, then exits
EXPLORER.EXE
- no parent (because USERINIT.EXE launches it and then USERINIT.EXE exits)
- runs from \windows\explorer.exe
- no TCP/IP network connections
- normally launches most user processes as children
SERVICES.EXE
- parent is WININIT.EXE
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\services.exe
- normally has multiple child SVCHOST.EXE processes, one per service group
LSASS.EXE
- parent is WININIT.EXE
- always only 1 LSASS.EXE
- should NEVER spawn child processes
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\lsass.exe
LSM.EXE
- parent is WININIT.EXE
- should NEVER spawn child processes
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\lsm.exe
SVCHOST.EXE
- parent is SERVICES.EXE
- runs from \system32\svchost.exe
- runs as 1 of these accounts (NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE)
- command line always looks like "SVCHOST.EXE -k [name]"
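As an added example (not the author's code or part of the linked article), here are the parent, path, account and child expectations from the notes above as a check over a process snapshot. The snapshot is constructed: the PIDs, account names and the C:\Windows install path are assumptions, and it deliberately includes an lsass.exe child plus a svchost.exe chain launched by a random-named binary under a user account.

```python
import ntpath
from collections import Counter, defaultdict
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str      # image name as shown in the process list
    path: str      # full image path
    user: str      # account the process runs as
    cmdline: str


# Expectations transcribed from the notes above; C:\Windows as the install root is an assumption.
SYS32 = r"c:\windows\system32"
EXPECTED_PARENT = {"smss.exe": "system", "services.exe": "wininit.exe", "lsass.exe": "wininit.exe",
                   "lsm.exe": "wininit.exe", "svchost.exe": "services.exe", "userinit.exe": "winlogon.exe"}
PARENT_EXITED = {"wininit.exe", "winlogon.exe", "csrss.exe", "explorer.exe"}  # launcher is gone, so no live parent
NO_CHILDREN = {"lsass.exe", "lsm.exe"}
SINGLETON = {"smss.exe", "lsass.exe"}
EXPECTED_DIR = {n: SYS32 for n in ("smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                                   "services.exe", "lsass.exe", "lsm.exe", "svchost.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"
SVCHOST_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def check_tree(snapshot):
    """Return one finding string per deviation from the notes; an empty list means the tree looks normal."""
    by_pid = {p.pid: p for p in snapshot}
    children = defaultdict(list)
    for p in snapshot:
        children[p.ppid].append(p)
    findings = []
    counts = Counter(p.name.lower() for p in snapshot)
    for name in sorted(SINGLETON):
        if counts[name] > 1:
            findings.append(f"{name}: {counts[name]} instances, expected exactly 1")
    if 4 not in by_pid or by_pid[4].name.lower() != "system":
        findings.append("PID 4 is not System")
    for p in snapshot:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else "<none>"
        if name in EXPECTED_PARENT and pname != EXPECTED_PARENT[name]:
            findings.append(f"{name} pid {p.pid}: parent is {pname}, expected {EXPECTED_PARENT[name]}")
        if name in PARENT_EXITED and parent is not None:
            findings.append(f"{name} pid {p.pid}: has a live parent {pname}, expected none")
        if name in NO_CHILDREN and children[p.pid]:
            kids = ", ".join(c.name for c in children[p.pid])
            findings.append(f"{name} pid {p.pid}: spawned {kids}, should never have children")
        if name in EXPECTED_DIR and ntpath.dirname(p.path).lower() != EXPECTED_DIR[name]:
            findings.append(f"{name} pid {p.pid}: runs from {p.path}, expected {EXPECTED_DIR[name]}")
        if name == "svchost.exe":
            # the notes: a service account, and a command line of the form "SVCHOST.EXE -k [name]"
            if p.user.split("\\")[-1].upper() not in SVCHOST_ACCOUNTS:
                findings.append(f"svchost.exe pid {p.pid}: runs as {p.user}, expected a service account")
            if " -k " not in p.cmdline.lower():
                findings.append(f"svchost.exe pid {p.pid}: command line {p.cmdline!r} has no '-k <group>'")
    return findings


# Constructed snapshot (not a real capture): a normal boot chain followed by the oddities.
SYSTEM = r"NT AUTHORITY\SYSTEM"
W = r"C:\Windows\System32"
SNAPSHOT = [
    Proc(4, 0, "System", "", SYSTEM, ""),
    Proc(300, 4, "smss.exe", W + r"\smss.exe", SYSTEM, "smss.exe"),
    Proc(400, 0, "csrss.exe", W + r"\csrss.exe", SYSTEM, "csrss.exe"),        # ppid 0: smss already exited
    Proc(420, 0, "wininit.exe", W + r"\wininit.exe", SYSTEM, "wininit.exe"),
    Proc(440, 0, "winlogon.exe", W + r"\winlogon.exe", SYSTEM, "winlogon.exe"),
    Proc(500, 420, "services.exe", W + r"\services.exe", SYSTEM, "services.exe"),
    Proc(520, 420, "lsass.exe", W + r"\lsass.exe", SYSTEM, "lsass.exe"),
    Proc(600, 500, "svchost.exe", W + r"\svchost.exe", SYSTEM, "svchost.exe -k netsvcs"),
    Proc(610, 500, "svchost.exe", W + r"\svchost.exe", r"NT AUTHORITY\NETWORK SERVICE", "svchost.exe -k NetworkService"),
    Proc(1000, 0, "explorer.exe", r"C:\Windows\explorer.exe", r"CORP\alice", "explorer.exe"),  # userinit exited
    Proc(1200, 1000, "outlook.exe", r"C:\Program Files\Microsoft Office\outlook.exe", r"CORP\alice", "outlook.exe"),
    # Oddities: a random-named binary under the user's profile launching svchost.exe, which launches another.
    Proc(1300, 1000, "tsjclbpt.exe", r"C:\Users\alice\AppData\Roaming\sysdefrag\tsjclbpt.exe", r"CORP\alice", "tsjclbpt.exe"),
    Proc(1310, 1300, "svchost.exe", W + r"\svchost.exe", r"CORP\alice", "svchost.exe"),
    Proc(1320, 1310, "svchost.exe", W + r"\svchost.exe", r"CORP\alice", "svchost.exe"),
    Proc(1400, 520, "cmd.exe", W + r"\cmd.exe", SYSTEM, "cmd.exe"),            # lsass.exe must never have children
]
CLEAN = SNAPSHOT[:11]  # the boot chain alone, which should produce no findings

if __name__ == "__main__":
    for finding in check_tree(SNAPSHOT):
        print(finding)
```

The random-named tsjclbpt.exe itself produces no finding because the checks only cover the known boot chain; it is the svchost.exe instances under it (wrong parent, user account, no -k group) that surface it.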
Labels: blue team, CSRSS.EXE, process tree, SMSS.EXE, SYSTEM, SYSTEM IDLE Process, Windows, WININIT.EXE, WINLOGON.EXE
Monday, February 18, 2019
malware yara rules
```yara
/* ---------------- NanoCore ---------------- */
rule NanoCoreByName
{
    meta:
        author = "@neonprimetime"
        description = "NanoCore"
    strings:
        $string0 = "NanoCore Client" nocase
        $string1 = "NanoCore.Client" nocase
        $string2 = "NanoCoreBase" nocase
        $string5 = "NanoCoreSwiss" nocase
        $string6 = "NanoCoreStressTester" nocase
    condition:
        1 of them
}

rule NanoCoreByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "NanoCore"
    strings:
        $string1 = "NanoBrowser" nocase
        $string2 = "NanoScript" nocase
        $string3 = "SurveillanceEx" nocase
        $string4 = "NanoCoreStressTester" nocase
        $string5 = "accident-investigation.aero" nocase
        $string6 = "KeyboardLogging" nocase
    condition:
        3 of them
}

/* ---------------- Remcos RAT ---------------- */
rule RemcosRATByName
{
    meta:
        author = "@neonprimetime"
        description = "Remcos RAT"
    strings:
        $string0 = "Software\\Remcos" nocase
        $string1 = "\\remcos\\" nocase
        $string2 = "REMCOS v" nocase
        $string4 = "Remcos_" nocase
    condition:
        1 of them
}

rule RemcosRATByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Remcos RAT"
    strings:
        $string1 = "Keylogger Started" nocase
        $string2 = "Connected to C&C" nocase
        $string3 = "Screenshots" nocase
        $string4 = "OpenCamera" nocase
        $string5 = "Uploading file to C&C" nocase
        $string6 = "Initializing connection to C&C" nocase
        $string7 = "cleared!]" nocase
        $string8 = "EnableLUA /t REG_DWORD /d 0" nocase
        $string9 = "RemWatchdog" nocase
        $string10 = "restarted by watchdog" nocase
    condition:
        3 of them
}

/* ---------------- Revil/Sodinokibi Ransomware ---------------- */
rule RevilRansomwareByName
{
    meta:
        author = "@neonprimetime"
        description = "Revil/Sodinokibi Ransomware"
    strings:
        $string1 = "Sodinokibi" nocase
        $string2 = "For google: Revil" nocase
    condition:
        any of them
}

rule RevilRansomwareByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Revil/Sodinokibi Ransomware"
    strings:
        $string1 = "decryptor.top" nocase
        $string2 = "nbody" nocase
        $string3 = "bedbg" nocase
    condition:
        3 of them
}

/* ---------------- NjRat ---------------- */
rule NjRatByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "NjRat"
    strings:
        $string0 = "vitimas_" nocase
        $string1 = "|'|'||'|'|" nocase
    condition:
        1 of them
}

/* ---------------- Lokibot ---------------- */
rule LokibotByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Lokibot"
    strings:
        $string0a = "five/fre.php" nocase
        $string0b = "Panel/five" nocase
        $string1 = "fre.php" nocase
        $string2 = "Yandex\\YandexBrowser" nocase
        $string3 = "\\Mozilla\\SeaMonkey\\profiles.ini" nocase
        $string4 = "POP3 Password" nocase
        $string5 = "Software\\SimonTatham\\PuTTY\\Sessions" nocase
        $string6 = "EasyFTP\\data" nocase
        $string7 = "aPLib v1.01" nocase
        $string8 = "wcx_ftp.ini" nocase
    condition:
        $string0a or $string0b or
        ($string1 and ($string2 or $string3 or $string4 or $string5 or $string6 or $string7 or $string8))
}

/* ---------------- Revenge RAT ---------------- */
rule RevengeRATByName
{
    meta:
        author = "@neonprimetime"
        description = "Revenge RAT"
    strings:
        $string0 = "Revenge-RAT" nocase
    condition:
        1 of them
}

rule RevengeRATByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Revenge RAT"
    strings:
        $capture1 = "Start Capture" nocase
        $capture2 = "CaptureScreen" nocase
        $dotnet1 = ".NET" nocase
        $agent1 = "FirewallProduct" nocase
        $agent2 = "AntiVirusProduct" nocase
        $exfil1 = "USERDOMAIN=" nocase
    condition:
        $dotnet1 and ($capture1 or $capture2) and ($agent1 or $agent2) and $exfil1
}

/* ---------------- BrushaLoader ---------------- */
rule BrushaLoaderByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "BrushaLoader"
    strings:
        $vbe = ".shellexecute" nocase
        $xyzdomain = "xyz" nocase
        $google = "www.google.com" nocase
    condition:
        $vbe and $xyzdomain and $google
}

/* ---------------- Agent Tesla ---------------- */
rule AgentTeslaByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Agent Tesla"
    strings:
        $checkip1 = "checkip.aws" nocase
        $checkip2 = "checkip.amazon" nocase
        $smtpexfil1 = "smtp." nocase
        $smtpexfil2 = ":587" nocase
        $dotnet1 = ".net" nocase
    condition:
        ($checkip1 or $checkip2) and ($smtpexfil1 or $smtpexfil2) and $dotnet1
}

/* ---------------- Trickbot ---------------- */
rule TrickbotByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Trickbot"
    strings:
        $string1 = "serialNumber=" nocase
        $string2 = "emailAddress=" nocase
        $string3 = "/snapshot/" nocase
        $string4 = "Login Data.bak" nocase
        $string5 = "Grab_Passwords_Chrome" nocase
        $string6 = "Dinkumware" nocase
        $string7 = "tablecredit_cards" nocase
        $string8 = "server_addresses" nocase
    condition:
        3 of them
}

/* ---------------- Azorult ---------------- */
rule AzorultByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Azorult"
    strings:
        $string1 = "wallet.dat" nocase
        $string2 = "PasswordsList.txt" nocase
        $string3 = "timeout.exe" nocase
        $string4 = "Wscript.Shell" nocase
        $string5 = "dotbit.me" nocase
    condition:
        3 of them
}

/* ---------------- Netwire ---------------- */
rule NetwireByName
{
    meta:
        author = "@neonprimetime"
        description = "Netwire"
    strings:
        $string1 = "SOFTWARE\\NetWire" nocase
    condition:
        1 of them
}

/* ---------------- Emotet by Keyword ---------------- */
rule EmotetByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Emotet Keyword"
    strings:
        $string1 = "acquiremailbox.exe" nocase
        $string2 = "fillmailbox.exe" nocase
        $string3 = "inboxmailbox.exe" nocase
        $string4 = "mailboxacquire.exe" nocase
        $string5 = "mailboxinbox.exe" nocase
        $string6 = "mailboxmailbox.exe" nocase
        $string7 = "manualmailbox.exe" nocase
        $string8 = "monthlymailbox.exe" nocase
        $string9 = "pdfmailbox.exe" nocase
        $string10 = "publishmailbox.exe" nocase
        $string11 = "deployinbox.exe" nocase
        $string12 = "inboxinbox.exe" nocase
        $string13 = "inboxnetsh.exe" nocase
        $string14 = "mailboxinbox.exe" nocase
        $string15 = "netshinbox.exe" nocase
        $string16 = "createatargets.exe" nocase
        $string17 = "ducktargets.exe" nocase
        $string18 = "restoretargets.exe" nocase
        $string19 = "sendtargets.exe" nocase
    condition:
        1 of them
}

/* ---------------- Phoenix Keylogger ---------------- */
rule PhoenixKeyloggerByName
{
    meta:
        author = "@neonprimetime"
        description = "Phoenix Keylogger"
    strings:
        $string1 = "Phoenix Keylogger" nocase
    condition:
        1 of them
}

/* ---------------- BetaBot ---------------- */
rule BetaBotByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "BetaBot"
    strings:
        $string1 = "OnAsyncDestroy" nocase
        $string2 = "OnDestroySubject" nocase
        $string3 = "OnRemoveExisting" nocase
        $string4 = "ccnumber" nocase
    condition:
        all of them
}

/* ---------------- Generic Malware ---------------- */
rule GenericDotNetFramework
{
    meta:
        author = "@neonprimetime"
        description = "Generic .NET Framework detection"
    strings:
        $string1 = ".NETFramework"
    condition:
        1 of them
}

rule GenericBitcoinStealer
{
    meta:
        author = "@neonprimetime"
        description = "Generic Bitcoin Stealer"
    strings:
        $string1 = "wallet.dat" nocase
        $string2 = "\\wallets\\" nocase
        $string3 = "\\Electrum" nocase
        $string4 = "Coins\\" nocase
        $string5 = "\\bitcoin" nocase
        $string6 = "\\monero" nocase
        $string7 = "electrum.dat" nocase
        $string8 = "wallet_path" nocase
    condition:
        1 of them
}

rule GenericUPXPacker
{
    meta:
        author = "@neonprimetime"
        description = "Generic UPX packer"
    strings:
        $string1 = "UPX" nocase
    condition:
        1 of them
}

rule GenericAutoItPacker
{
    meta:
        author = "@neonprimetime"
        description = "Generic AutoItPacker"
    strings:
        $string1 = "AutoIt" nocase
        $string2 = "Auto-It" nocase
    condition:
        1 of them
}

rule GenericCreditCardStealer
{
    meta:
        author = "@neonprimetime"
        description = "Generic Credit Card Stealer"
    strings:
        $string1 = "ccnumber" nocase
        $string2 = "expirationmonth" nocase
        $string3 = "monthexpiration" nocase
        $string4 = "card_number" nocase
        $string5 = "securitycode=" nocase
        $string6 = "=amex" nocase
        $string7 = "=visa" nocase
        $string8 = "cardnumber" nocase
    condition:
        1 of them
}

rule GenericWebTraffic
{
    meta:
        author = "@neonprimetime"
        description = "Generic Web Traffic"
    strings:
        $string1 = "Server: lighttpd" nocase
        $string2 = "Host: %s" nocase
        $string3 = "POST %s" nocase
        $string4 = ".php" nocase
    condition:
        1 of them
}

rule GenericNetworkTraffic
{
    meta:
        author = "@neonprimetime"
        description = "Generic Network Traffic"
    strings:
        $string1 = /\..{2,3}:\d+/ nocase
    condition:
        1 of them
}

rule GenericScheduledTask
{
    meta:
        author = "@neonprimetime"
        description = "Generic Scheduled Task"
    strings:
        $string1 = "schtasks" nocase
    condition:
        1 of them
}

rule GenericDomainFlag
{
    meta:
        author = "@neonprimetime"
        description = "Generic Domain Flag from AD"
    strings:
        $string1 = "/domain" nocase
    condition:
        1 of them
}

rule GenericCreateFlag
{
    meta:
        author = "@neonprimetime"
        description = "Generic Create Flag from AD"
    strings:
        $string1 = "/create" nocase
    condition:
        1 of them
}

rule GenericAddFlag
{
    meta:
        author = "@neonprimetime"
        description = "Generic Add Flag from AD"
    strings:
        $string1 = "/add" nocase
    condition:
        1 of them
}

rule GenericSpamMailer
{
    meta:
        author = "@neonprimetime"
        description = "Generic Spam Mailer"
    strings:
        $string1 = "SEND FROM:" nocase
        $string2 = ":587" nocase
        $string3 = "smtp." nocase
    condition:
        1 of them
}

rule GenericIPLookup
{
    meta:
        author = "@neonprimetime"
        description = "Generic IP Lookup"
    strings:
        $string1 = "checkip.amazonaws.com" nocase
        $string2 = "check-ip.aws." nocase
        $string3 = "ipecho.net" nocase
    condition:
        1 of them
}

rule GenericWebcamAccess
{
    meta:
        author = "@neonprimetime"
        description = "Generic Webcam Access"
    strings:
        $string1 = "webcam" nocase
        $string2 = "OpenCamera" nocase
        $string3 = "CloseCamera" nocase
    condition:
        1 of them
}

rule GenericScreenCapture
{
    meta:
        author = "@neonprimetime"
        description = "Generic Screen Capture"
    strings:
        $string1 = "CaptureScreen" nocase
    condition:
        1 of them
}

rule GenericCredentialStealer
{
    meta:
        author = "@neonprimetime"
        description = "Generic Credential Stealer"
    strings:
        $string1 = "Profiles\\Outlook" nocase
        $string2 = "Login Data" nocase
        $string3 = "encryptedPassword" nocase
        $string4 = "HTTP Password" nocase
        $string5 = "\\profiles.ini" nocase
        $string6 = "\\POP3 Password" nocase
        $string7 = "PuTTY\\Sessions" nocase
        $string8 = "EasyFTP\\data" nocase
        $string9 = "Ftplist.txt" nocase
        $string10 = "\\Login Data" nocase
        $string11 = "\\ws_ftp.ini" nocase
        $string13 = "\\accounts.ini" nocase
        $string14 = "\\accounts.dat" nocase
        $string15 = "CREATE TABLE logins" nocase
        $string16 = "CREATE INDEX logins_signon" nocase
        $string17 = "DecryptIePassword" nocase
        $string18 = "GetSavedPasswords" nocase
        $string19 = "\\Passwords\\" nocase
        $string20 = "WinSCP 2\\Sessions" nocase
        $string21 = "\\HTTP Password" nocase
        $string22 = "\\IMAP Password" nocase
        $string23 = "\\SMTP Password" nocase
        $string24 = "\\HTTP Password" nocase
        $string25 = "[passwords]" nocase
        $string26 = "login-form" nocase
        $string27 = "recentservers.xml" nocase
        $string28 = "type=passwords" nocase
        $string29 = "user-password" nocase
        $string30 = "PasswordsList.txt" nocase
    condition:
        1 of them
}

rule GenericBrowserHistoryStealer
{
    meta:
        author = "@neonprimetime"
        description = "Generic Browser History Stealer"
    strings:
        $string1 = "from urls" nocase
        $string2 = "from moz_places" nocase
    condition:
        1 of them
}

rule GenericDataStealer
{
    meta:
        author = "@neonprimetime"
        description = "Generic Data Stealer"
    strings:
        $string0 = "\\User Data" nocase
        $string1 = "360Chrome\\" nocase
        $string2 = "7Star\\" nocase
        $string3 = "Cyberfox\\" nocase
        $string4 = "Amigo\\" nocase
        $string5 = "Apple Computer\\" nocase
        $string6 = "BraveSoftware\\" nocase
        $string7 = "CatalinaGroup\\" nocase
        $string8 = "CentBrowser\\" nocase
        $string9 = "Chedot\\" nocase
        $string10 = "Chromium\\" nocase
        $string11 = "Claws-mail\\" nocase
        $string12 = "CocCoc\\" nocase
        $string13 = "Comodo\\" nocase
        $string14 = "Coowon\\" nocase
        $string15 = "CoreFTP\\" nocase
        $string16 = "Elements Browser\\" nocase
        $string17 = "Epic Privacy Browser\\" nocase
        $string18 = "falkon\\" nocase
        $string19 = "Fenrir Inc\\" nocase
        $string20 = "FileZilla\\" nocase
        $string21 = "Flock\\" nocase
        $string22 = "FTPGetter\\" nocase
        $string23 = "Google\\" nocase
        $string24 = "Ipswitch\\" nocase
        $string25 = "Iridium\\" nocase
        $string26 = "K-Meleon\\" nocase
        $string27 = "Kometa\\" nocase
        $string28 = "liebao\\" nocase
        $string29 = "MapleStudio\\" nocase
        $string31 = "Moonchild Productions\\" nocase
        $string32 = "Mozilla\\" nocase
        $string35 = "NETGATE Technologies\\" nocase
        $string36 = "Opera Mail\\" nocase
        $string37 = "Opera Software\\" nocase
        $string38 = "Orbitum\\" nocase
        $string39 = "Pocomail\\" nocase
        $string40 = "Postbox\\" nocase
        $string41 = "Psi\\" nocase
        $string42 = "Psi+\\" nocase
        $string43 = "QIP Surf\\" nocase
        $string45 = "SmartFTP\\" nocase
        $string46 = "Sputnik\\" nocase
        $string47 = "Tencent\\" nocase
        $string48 = "The Bat!" nocase
        $string49 = "Thunderbird\\" nocase
        $string50 = "Torch\\" nocase
        $string51 = "Trillian\\" nocase
        $string52 = "UCBrowser\\" nocase
        $string53 = "uCozMedia\\" nocase
        $string54 = "VirtualStore\\" nocase
        $string55 = "Vivaldi\\" nocase
        $string56 = "Waterfox\\" nocase
        $string57 = "Yandex\\" nocase
        $string58 = "keychain.plist" nocase
        $string59 = "GetSavedCookies" nocase
        $string60 = "wcx_ftp.ini" nocase
        $string61 = "Start Capture" nocase
        $string62 = "\\accounts.xml" nocase
        $string63 = "\\places.sqlite" nocase
        $string67 = "cookies.sqlite" nocase
    condition:
        1 of them
}

rule GenericDeletesItself
{
    meta:
        author = "@neonprimetime"
        description = "Generic Deletes Itself"
    strings:
        $string1 = "DEL /s" nocase
        $string2 = "cmd /c del" nocase
        $string3 = "deleteSelf" nocase
        $string4 = "/c del %s" nocase
        $string5 = "%del" nocase
        $string6 = "& del" nocase
    condition:
        1 of them
}

rule GenericMaliciousCommand
{
    meta:
        author = "@neonprimetime"
        description = "Generic Malicious Command"
    strings:
        $string1 = "CompSpec" nocase
    condition:
        1 of them
}

rule GenericKeylogger
{
    meta:
        author = "@neonprimetime"
        description = "Generic Keylogger"
    strings:
        $string1 = "Keylog" nocase
        $string2 = "KeyboardLogging" nocase
        $string3 = "[Enter]" nocase
        $string4 = "[Ctrl + C]" nocase
        $string5 = "[Ctrl + V]" nocase
    condition:
        1 of them
}

rule GenericDelay
{
    meta:
        author = "@neonprimetime"
        description = "Generic Delay"
    strings:
        $string1 = "ping 192" nocase
        $string2 = "ping 127" nocase
    condition:
        1 of them
}

rule GenericSecurityToolDetection
{
    meta:
        author = "@neonprimetime"
        description = "Generic Security Tool Detection"
    strings:
        $string1 = "FROM FirewallProduct" nocase
        $string2 = "from AntiVirusProduct" nocase
    condition:
        1 of them
}

rule GenericDisableAntivirus
{
    meta:
        author = "@neonprimetime"
        description = "Generic Disable AntiVirus"
    strings:
        $string1 = "DisableBehaviorMonitoring" nocase
        $string2 = "DisableOnAccessProtection" nocase
        $string3 = "DisableScanOnRealtime" nocase
        $string4 = "DisableRealtimeMonitoring" nocase
        $string5 = "DisableBlockAtFirstSeen" nocase
        $string6 = "DisableIOAVProtection" nocase
        $string7 = "DisableAntiSpyware" nocase
        $string8 = "DisableArchiveScanning" nocase
        $string9 = "DisableScriptScanning" nocase
        $string10 = "Set-MpPreference" nocase
    condition:
        1 of them
}

rule GenericFirewallModification
{
    meta:
        author = "@neonprimetime"
        description = "Generic Firewall Modification"
    strings:
        $string1 = "netsh advfirewall" nocase
        $string2 = "firewall add" nocase
    condition:
        1 of them
}

rule GenericPHPPanel
{
    meta:
        author = "@neonprimetime"
        description = "Generic PHP Panel"
    strings:
        $string1 = "/gate.php" nocase
        $string2 = "/fre.php" nocase
    condition:
        1 of them
}

rule GenericBase64
{
    meta:
        author = "@neonprimetime"
        description = "Generic Base64"
    strings:
        $string1 = /==\r\n/ nocase
    condition:
        1 of them
}

rule GenericDynamicDns
{
    meta:
        author = "@neonprimetime"
        description = "Generic Dynamic DNS"
    strings:
        $string1 = ".duckdns.org" nocase
    condition:
        1 of them
}

rule GenericVisualBasicScript
{
    meta:
        author = "@neonprimetime"
        description = "Generic Visual Basic Script"
    strings:
        $string1 = ".shellexecute" nocase
        $string2 = "shell.application" nocase
        $string3 = "Wscript.Sleep" nocase
        $string4 = "ExecuteGlobal" nocase
        $string5 = "Shell.run" nocase
        $string6 = "Scripting.FileSystemObject" nocase
        $string7 = ":::const " nocase
        $string8 = "vbscontent" nocase
        $string9 = "Execute(" nocase
        $string10 = "ChrW(48) & ChrW(" nocase
        $string11 = "ChrW(48)&ChrW(" nocase
    condition:
        1 of them
}

rule GenericHackerTerms
{
    meta:
        author = "@neonprimetime"
        description = "Generic Hacker Terms"
    strings:
        $string1 = "payloadpath" nocase
        $string2 = "payloadexist" nocase
    condition:
        1 of them
}

rule GenericAntiDebug
{
    meta:
        author = "@neonprimetime"
        description = "Generic Anti Debug techniques"
    strings:
        $string1 = "CheckRemoteDebuggerPresent" nocase
    condition:
        1 of them
}

rule GenericTor
{
    meta:
        author = "@neonprimetime"
        description = "Generic Tor Dark Web"
    strings:
        $string1 = "torproject.org" nocase
        $string2 = ".onion" nocase
        $string3 = "TOR browser" nocase
    condition:
        1 of them
}

rule GenericPasswordList
{
    meta:
        author = "@neonprimetime"
        description = "Generic Password List"
    strings:
        $string1 = "peternorth" nocase
        $string2 = "motherfucker" nocase
        $string3 = "pimpdaddy" nocase
        $string4 = "ihavenopass" nocase
        $string5 = "fuckoff" nocase
        $string6 = "dickhead" nocase
        $string7 = "passw0rd" nocase
        $string8 = "changeme" nocase
    condition:
        1 of them
}

rule GenericUserAgent
{
    meta:
        author = "@neonprimetime"
        description = "Generic User Agents oddities"
    strings:
        $string1 = "User-Agent: curl" nocase
        $string2 = "User-Agent: wget" nocase
    condition:
        1 of them
}

rule GenericWebServer
{
    meta:
        author = "@neonprimetime"
        description = "Generic Web Server info"
    strings:
        $string1 = "nginx"
        $string2 = "apache"
    condition:
        1 of them
}
```
Tuesday, February 12, 2019
#lokibot
------------------------------
2/19/2019
https://www.virustotal.com/#/file/da30b124c95eda90524716d0bd4b5af608f50fa52b126f1720c38933c916eb2e/detection
Email w/ attachment Document.exe
Compiler:
- Microsoft Visual Basic(6.0)[Native]
Running behavior: (RUN AS ADMINISTRATOR)
- starts a child process with same name
- dns lookup to ubochiomaswifts.cf (104.24.109.185, 104.24.108.185)
- http post to ubochiomaswifts.cf/eshi/fre.php, payload contains fuckav.ru, PC name, random Letters/Numbers at the end
- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)
- CreateFile api calls to Email files (yMail, TrulyMail)
- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)
Memory strings while Running: (https://pastebin.com/raw/zL04fvx5)
- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)
- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)
- strings related to profile ini files (profiles.ini)
- strings related to FTP files
- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com
- the url ubochiomaswifts.cf/eshi/fre.php
- function names prefixed by "Crypt"
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- 34F0000: The instruction at 0x34F0000 referenced memory at 0xE09092C9. The memory could not be written -> E09092C9 (exc.code c0000005, tid 968)
------------------------------
2/19/2019
https://www.virustotal.com/#/file/0d1c8154f0454b6a4ee8312f935e8af95a0765368488bed6f68f8fe443350537/detection
Email w/ attachment TT Advice.exe
Compiler:
- Microsoft Visual Basic(6.0)[Native]
Running behavior: (RUN AS ADMINISTRATOR)
- starts a copy of itself
- dns lookup to www.cashoutsquad.com (47.254.177.121)
- http post to www.cashoutsquad.com/motivate/minds/more/fre.php, payload contains fuckav.ru, PC name, random Letters/Numbers at the end
- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)
- CreateFile api calls to Email files (yMail, TrulyMail)
- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)
Memory strings while Running: (https://pastebin.com/raw/RQUy268M)
- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)
- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)
- strings related to profile ini files (profiles.ini)
- strings related to FTP files
- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com
- the url www.cashoutsquad.com/motivate/minds/more/fre.php
- function names prefixed by "Crypt"
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- 0: The instruction at 0x0 referenced memory at 0x0. The memory could not be executed -> 00000000 (exc.code c0000005, tid 676)
------------------------------
2/12/2019
https://app.any.run/tasks/c72c5d4e-510e-4d5d-a863-502ecc3ea777
https://www.virustotal.com/#/file/57d57613ef46c879ca65a307b52625628b706601bf10cebad126d5bbcbbc9118/detection
hxxp://gemaco[.]com[.]ve/js/file/coc.exe
Compiler:
- Microsoft Visual Basic(6.0)[Native]
Running behavior: (RUN AS ADMINISTRATOR)
- starts a copy of itself and deletes the original; the new copy stays very small in memory with very low cpu usage for a long time
- dns lookup to archanadiagnostics.com (172.96.12.126)
- http post to archanadiagnostics.com/css/coco/five/fre.php, payload contains fuckav.ru, PC name, random Letters/Numbers at the end
- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)
- CreateFile api calls to Email files (yMail, TrulyMail)
- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)
Memory strings while Running:
- very small capture
- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)
- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)
- strings related to profile ini files (profiles.ini)
- strings related to FTP files
- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com
- the url archanadiagnostics.com/css/coco/five/fre.php
- lots of decimal numbers prefixed by Gu, Hu, Cu, etc.
- function names prefixed by "Crypt"
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- crashes with 755FC54F: Floating point inexact result (exc.code c000008f, tid 1228)
#trickbot
------------------------------
2/8/2019
https://app.any.run/tasks/b621b7ef-eeb0-4d87-93cb-36b8bebb8c5b
https://www.virustotal.com/#/file/41b6047c2edf7edcd565450ef04b92a5aa9b0a29cf35e0b2a3f27538d21559df/detection
Compiler:
- Microsoft Visual C/C++(-)[-]
Running behavior: (RUN AS ADMINISTRATOR)
- saw cmd launch powershell immediately after
- saw a new svchost.exe running temporarily then disappears
- popup saying windows defender was deleted
- a few minutes later svchost.exe starts up again with 1 child process also named svchost.exe
- wrote copy of itself to %appdata%\roaming\cleanmem\vasao.exe
- wrote settings.ini in same folder with random strings in it
- wrote Data folder in same folder with pwgrab, systeminfo, injectdll files
- captured no real dns or http network traffic except dns lookup to "ident.me" (176.58.123.25)
------------------------------
2/12/2019
https://app.any.run/tasks/c72c5d4e-510e-4d5d-a863-502ecc3ea777
https://www.virustotal.com/#/file/57d57613ef46c879ca65a307b52625628b706601bf10cebad126d5bbcbbc9118/detection
hxxp://85.143.220.1/sin.png
Compiler:
- Microsoft Visual Basic(6.0)[Native]
Running behavior: (RUN AS ADMINISTRATOR)
- saw child process of cmd and powershell
- saw child process with random name (tsjclbpt.exe) with child of svchost, then disappeared
- a few minutes later svchost.exe re-appeared with multiple child processes of the same name
- wrote copy of itself %appdata%\roaming\sysdefrag\tsjclbpt.exe
- wrote settings.ini in same folder with random strings in it
- wrote Data folder in same folder with pwgrab, systeminfo, injectdll files
- captured no dns or http network traffic
Memory strings while Running:
- closed too fast to capture initially but when svchost.exe re-opened captured one of its children
--- strings that look like url params (serialNumber=, emailAddress=, ?456789:;<=, /snapshoot/)
--- a string for login data (\google\chrome\...\Login Data.bak , Grab_Passwords_Chrome, Outlook password)
--- repeated strings (WATAUAVAWH, @A_A^A]A\_)
--- strings of language/country (french-canadian, italian-swiss, spanish-honduras, etc.)
--- copyright string (P.J. Plauger, licensed by Dinkumware)
--- lots of functions that start with "Crypt"
--- lots of numerical decimal type numbers (1.2.840.113549.1.95, 1.3.6.1.5.5.7.2.2, etc.)
--- string that looks like pc info (sin6/PCNAME.RANDOMLETTERS/83/)
--- Numerous IP addresses in a row with various ports (190.146.112.216:8082, 97.87.127.198:80, etc.)
--- html / xml like tags (<dpost>, <handler>)
--- table names like (tablecredit_cards, server_addresses, card_metadata)
--- lists of encryption algorithms (AES-128-CBC, DES-EDE3-CBC, SSL_RSA, TLS_RSA, etc.)
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- It ran successfully; I saw all the child processes spawned, etc., then it exited with code 0
------------------------------
2/8/2019
https://app.any.run/tasks/b621b7ef-eeb0-4d87-93cb-36b8bebb8c5b
https://www.virustotal.com/#/file/41b6047c2edf7edcd565450ef04b92a5aa9b0a29cf35e0b2a3f27538d21559df/detection
Compiler:
- Microsoft Visual C/C++(-)[-]
Running behavior: (RUN AS ADMINISTRATOR)
- saw cmd launch powershell immediately after
- saw a new svchost.exe running temporarily then disappears
- popup saying windows defender was deleted
- a few minutes later svchost.exe starts up again with 1 child process also named svchost.exe
- wrote copy of itself to %appdata%\roaming\cleanmem\vasao.exe
- wrote settings.ini in same folder with random strings in it
- wrote Data folder in same folder with pwgrab, systeminfo, injectdll files
- captured no real dns or http network traffic except dns lookup to "ident.me" (176.58.123.25)
Memory strings while Running:
- closed too fast to get memory capture on 1st one, but grabbed svchost.exe child again
--- lots of functions that start with "Crypt"
--- lots of numerical decimal type numbers (1.2.840.113549.1.95, 1.3.6.1.5.5.7.2.2, etc.)
--- urls & ip (6lwyu54ybblfuex6.onion , 185.62.188.30:443)
--- Numerous IP addresses in a row with various ports ( 68.119.85.138:449, 103.47.169.27:449)
--- string that looks like pc info (sat36/PCNAME_RANDOMCHARACTERS/5/spk/)
--- tons of strings about Certificates from Verisign, GoDaddy, Symantec, etc.
--- repeated strings (WATAUAVAWH, @A_A^A]A\_)
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- It ran successfully; I saw all the child processes spawned, etc., then it exited with code 0
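Added example (my own, not code from these notes): a host triage script for the drop layout both runs above produced, a folder under %appdata% holding a copy of the executable, a settings.ini, and a Data folder with pwgrab, systeminfo and injectdll files. It keys on the layout rather than the folder name, since the two runs used different names (sysdefrag, cleanmem), and hashes any .exe it finds so the result can be compared with the VirusTotal sha256 of the original. The demo tree it builds is constructed; the names tsjclbpt.exe and sysdefrag in it are taken from the notes, everything else is invented.

```python
"""Find folders under an %APPDATA% root that show the dropper layout noted above:
<folder>\<copy>.exe, <folder>\settings.ini and <folder>\Data\{pwgrab,systeminfo,injectdll}*.
Added example; the demo tree is constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# File-name stems reported in the Data folders (prefix match, case-insensitive).
MODULE_STEMS = ('pwgrab', 'systeminfo', 'injectdll')


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open('rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def module_hits(data_dir: Path) -> List[str]:
    """Names of files in the Data folder whose name starts with a known module stem."""
    return sorted(p.name for p in data_dir.iterdir()
                  if p.is_file() and p.name.lower().startswith(MODULE_STEMS))


def scan_appdata(appdata_root: Path) -> List[Dict]:
    """One record per first-level folder that matches the layout."""
    findings: List[Dict] = []
    for folder in sorted(Path(appdata_root).iterdir()):
        if not folder.is_dir():
            continue
        data_dir = folder / 'Data'
        mods = module_hits(data_dir) if data_dir.is_dir() else []
        exes = [p for p in folder.iterdir() if p.is_file() and p.suffix.lower() == '.exe']
        has_ini = (folder / 'settings.ini').is_file()
        # Require the Data module files plus at least one of the other two artefacts, so a
        # lone settings.ini (common in legitimate software) is not flagged on its own.
        if mods and (has_ini or exes):
            findings.append({
                'folder': str(folder),
                'settings_ini': has_ini,
                'modules': mods,
                # Hashes let the analyst compare with the VirusTotal sha256 of the sample.
                'exes': [{'name': p.name, 'sha256': sha256_file(p)} for p in exes],
            })
    return findings


def make_demo_tree() -> Path:
    """Constructed look-alike of %APPDATA%\\Roaming in a temp dir, for the demo and test."""
    root = Path(tempfile.mkdtemp(prefix='appdata_demo_'))
    bad = root / 'sysdefrag'                     # layout from the notes; contents invented
    (bad / 'Data').mkdir(parents=True)
    (bad / 'tsjclbpt.exe').write_bytes(b'MZ demo payload')
    (bad / 'settings.ini').write_text('[x]\nk=ZGu8812\n')
    for name in ('pwgrab32', 'systeminfo32', 'injectdll32', 'README'):
        (bad / 'Data' / name).write_bytes(b'')
    benign = root / 'SomeEditor'                 # ini and Data folder, but no module files
    (benign / 'Data').mkdir(parents=True)
    (benign / 'settings.ini').write_text('[ui]\ntheme=dark\n')
    (benign / 'Data' / 'cache.db').write_bytes(b'')
    return root


if __name__ == '__main__':
    for finding in scan_appdata(make_demo_tree()):
        print(finding)
```

On a Windows host the call would be `scan_appdata(Path(os.environ['APPDATA']))`; the sha256 in each record is what to line up against the VirusTotal hash above to confirm "copy of itself".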
Monday, February 11, 2019
#azorult
------------------------------
5/29/2019
https://app.any.run/tasks/0504a290-18be-4d18-ae00-e03d03b5ae4a/
https://www.virustotal.com/gui/file/ee45336a135108347af89122705d24b97c583ee2d18ec67152441f58a540f34a/detection
Running behavior: (RUN AS ADMINISTRATOR)
program crashed, did not seem to complete
Memory strings while running
0xdb136 (12): PVAULT_CRED8
0xdb4e5 (12): outlookDecrU
0xdc928 (84): Software\Martin Prikryl\WinSCP 2\Sessions\
0xdc99c (20): PortNumber
0xdd3a4 (26): \accounts.xml
0xdd6d4 (10): <password>
0xdd6e8 (11): </password>
0xdd778 (60): %APPDATA%\.purple\accounts.xml
0xddec0 (34): %TEMP%\curbuf.dat
0xe2874 (253): SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000
0xe32a8 (28): \places.sqlite
0xe4084 (16): Browsers\Cookies
0xe40ac (16): Browsers\History
0xe43fd (12): uFileFinderU
0xe4ea8 (30): %APPDATA%\Skype
0xe51d8 (40): Software\Valve\Steam
0xe522c (26): \Config\*.vdf
0xe5de4 (20): %APPDATA%\
0xe5e14 (20): \autoscan\
0xe5e48 (24): .address.txt
0xe8100 (20): https://dotbit.me/a/
0xe8600 (12): User-agent:
0xe8618 (51): Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
0xea1d4 (17): PasswordsList.txt
0xea258 (66): %appdata%\Telegram Desktop\tdata\
0xea360 (22): http://ip-api.com/json
0xea3d4 (10): System.txt
0xea450 (84): /c %WINDIR%\system32\timeout.exe 3 & del "
0xeb7c0 (30): http://77.222.55.225/index.php
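Added example (my own, not code from these notes): a small triage script for the "0xOFFSET (LEN): string" dump format used above. It parses each line, guesses ASCII vs. wide from the byte length (the dump appears to report byte lengths, so UTF-16 strings such as the WinSCP Sessions key show up at exactly twice their character count), and tags the strings a defender cares about: URLs and IP:port entries, OID-looking dotted numbers, Crypt* API names, credential-store paths, the user agent, and the timeout/del self-delete command. The first eight lines of the sample dump are from the 5/29 dump above; the last four are constructed.

```python
"""Triage helper for process-memory string dumps in the "0xOFFSET (LEN): text" form.
Added example; the sample dump mixes lines from the notes with constructed ones."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# One dump line: hex offset, byte length in parentheses, then the string itself.
LINE_RE = re.compile(r'^(0x[0-9a-fA-F]+)\s+\((\d+)\):\s?(.*)$')

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
IP_PORT_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b')
# OID-like dotted integers (1.2.840.113549..., 1.3.6.1.5.5.7...). An IPv4 address has
# exactly three dots, so requiring at least four keeps the two apart.
OID_RE = re.compile(r'^\d+(?:\.\d+){4,}$')
CRYPTAPI_RE = re.compile(r'^Crypt[A-Z]\w+')
# Substrings from the credential stores the stealer samples above go after.
CRED_MARKERS = ('login data', 'accounts.xml', 'password', 'pvault_cred', 'winscp',
                'wallet.dat', 'electrum', 'tdata', 'places.sqlite', 'cookies',
                '.purple', 'valve\\steam', 'skype', 'outlook')


class MemString(NamedTuple):
    offset: int
    declared_len: int
    text: str
    encoding: str            # 'ascii', 'wide' or 'unknown'
    category: Optional[str]  # None when nothing interesting matched


def classify(text: str) -> Optional[str]:
    """Most specific category for one string, or None if it is not interesting."""
    low = text.lower()
    if 'timeout.exe' in low and 'del' in low:
        return 'self_delete'          # cmd /c timeout N & del "<self>" pattern
    if URL_RE.search(text):
        return 'url'
    if IP_PORT_RE.search(text):
        return 'ip_port'              # candidate C2 list entry
    if OID_RE.match(text):
        return 'oid'                  # ASN.1 OIDs from embedded crypto/TLS code
    if CRYPTAPI_RE.match(text):
        return 'cryptoapi'
    if any(m in low for m in CRED_MARKERS):
        return 'credential_store'
    if low.startswith('user-agent') or low.startswith('mozilla/'):
        return 'user_agent'
    return None


def parse_dump(dump: str) -> List[MemString]:
    rows: List[MemString] = []
    for raw in dump.splitlines():
        m = LINE_RE.match(raw.rstrip('\r\n'))
        if not m:
            continue                  # headings, blank lines, note text
        offset, declared, text = int(m.group(1), 16), int(m.group(2)), m.group(3)
        if declared == len(text):
            enc = 'ascii'
        elif declared == 2 * len(text):
            enc = 'wide'              # UTF-16LE: length is in bytes
        else:
            enc = 'unknown'
        rows.append(MemString(offset, declared, text, enc, classify(text)))
    return rows


def interesting(dump: str) -> List[MemString]:
    return [s for s in parse_dump(dump) if s.category]


def summarize(dump: str) -> Dict[str, int]:
    return dict(Counter(s.category for s in interesting(dump)))


# First eight lines are from the 5/29 dump in the notes; the last four are constructed.
SAMPLE_DUMP = r'''
Memory strings while running
0xdb136 (12): PVAULT_CRED8
0xdc928 (84): Software\Martin Prikryl\WinSCP 2\Sessions\
0xdd778 (60): %APPDATA%\.purple\accounts.xml
0xe8100 (20): https://dotbit.me/a/
0xe8618 (51): Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
0xea360 (22): http://ip-api.com/json
0xea450 (84): /c %WINDIR%\system32\timeout.exe 3 & del "
0xeb7c0 (30): http://77.222.55.225/index.php
0x10000 (20): CryptAcquireContextA
0x10020 (20): 1.2.840.113549.1.1.1
0x10040 (20): 190.146.112.216:8082
0x10060 (9): notes.txt
'''

if __name__ == '__main__':
    for s in interesting(SAMPLE_DUMP):
        print(f'{s.offset:#08x} {s.encoding:7} {s.category:17} {s.text}')
    print(summarize(SAMPLE_DUMP))
```

The ascii/wide guess is worth keeping: a wide string in a freshly unpacked region is a different search target (UTF-16 in a memory scanner or YARA `wide` modifier) than the same text in ASCII.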
------------------------------
2/11/2019
https://app.any.run/tasks/7323be7e-daad-4ac7-8500-b905f7dcfaba
https://www.virustotal.com/#/file/cd4f41d81ec1f3ac046df3193e1445994c8e4a6eaaf57748faef5ada77791bf2/detection
Compiler:
- Nullsoft Scriptable Install System(3.0)[zlib]
- Microsoft Linker(6.0)[EXE32,signed]
Running behavior: (RUN AS ADMINISTRATOR)
- launches a copy of itself, then disappears from task manager
- dns lookup 3124322.pw.md-in-82.webhostbox.net (43.225.55.117)
- POST to 3124322.pw.md-in-82.webhostbox.net/index.php, (sent data is short, has a bunch of &, and . in it)
- CreateFile api calls to Login data folders (FireFox, Waterfox, IceDragon, Chrome, Pale Moon, Yandex)
- CreateFile api calls to cookie data folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to WebData folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to bitcoin folders (wallet.dat, electrum.dat, Ethereum)
Memory strings while Running:
- original exe has Nullsoft Install System v3.0 and some actual C-looking lines of code with kernel32::CreateFile, user32::wsprintf, ntdll::NtMapViewOfSection, kernel32::CloseHandle
- re-spawned exe had much more
--- Network activity like 3124322.pw.md-in-82.webhostbox.net/index.php, 43.225.55.117
--- bunch of function names that all start with "Crypt"
--- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
--- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"
--- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
--- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- start function had "Error writing temporary file", SetErrorMode, GetVersion, etc.
- While in IDA I see the process launch a child of itself, then IDA closes with "process has exited (exit code 0)", so it appears everything in IDA ran fine and did not kill itself or error out at all
------------------------------
2/11/2019
https://app.any.run/tasks/6fad55c1-52c5-4dd3-89e0-7ac3a9117464
https://www.virustotal.com/#/file/ef0725492607f9f5adb086a67153f705531f98b91aec7f9d864c5fe04c7db0c1/detection
Compiler:
- Borland Delphi(2006)[-]
Running behavior: (RUN AS ADMINISTRATOR)
- I saw a task for cmd.exe launching timeout.exe, then the exes closed in task manager
- original file was deleted
- POST to 23.227.206.245/Panel/index.php , sent data is short, has a bunch of /, (, >, and . in it)
- CreateFile api calls to Login data folders (FireFox, Waterfox, IceDragon, Chrome, Pale Moon, Yandex)
- CreateFile api calls to cookie data folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to WebData folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to bitcoin folders (wallet.dat, electrum.dat, Ethereum)
Memory strings while Running:
- wasn't running long enough to grab
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- WinMain has GetCommandLineA, GetModuleHandleA, DialogBoxParamA, "Selected Process", "Count of GDI objects", "Count of USER object", etc.
- In WinMain, the DialogBoxParamA call shows this message, 73ED3C62: The instruction at 0x73ED3C62 referenced memory at 0x74. The memory could not be read -> 00000074 (exc.code c000005, tid 388)
------------------------------
2/5/2019
https://www.virustotal.com/#/file/5691a24d176090bc059f91f3d05d2e9e39ee071652b4c41dd85ffb8961cb8b03/community
hxxp://modexcommunications[.]eu/jeff/jeff.exe
Notes: I think this run failed because C2 host was taken down
Compiler:
- Borland Delphi(7)[-]
Running behavior: (RUN AS ADMINISTRATOR)
- writes jeffie[.exe to %appdata%\roaming\jefery
- dns lookup wp.icf-fx[.]kz (185.255.91[.]82:80)
- POST to /Panel/index[.]php
- then disappears off task manager
Memory strings while Running:
- very small file, not much in there
- network activity like (wp.icf-fx[.]kz , 185.255.91[.]82:80, /Panel/index[.]php )
- bunch of function names that all start with "Crypt"
- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- follow into @Sysinit@@InitExe, @System@@StartExe, @System@_16705
- loops in there for a while, with "call eax" that appears to subtract; I break on the exit from the loop, but instead IDA errors with "0: The instruction 0x0 referenced memory at 0x0. The memory could not be executed -> 00000000 (exc.code c0000006 tid 2748)"
------------------------------
1/23/2019
https://www.virustotal.com/#/file/8a8c2c4563a1f1cbd82f4f8aa5e43fb7adb83197b594bad2dd83dd8a7a2e4692/detection
https://app.any.run/tasks/09cb8551-a11b-4a51-974f-2c5a4cfcac79
hxxp://pioneerfitting[.]com/http/asok.exe
Compiler:
- Microsoft Visual Basic(6.0)[P-code]
Running behavior: (RUN AS ADMINISTRATOR)
- writes filename.exe & filename.vbs to %appdata%\local\temp\subfolder\
- filename.exe runs a copy of itself (hollowing?)
- POST to /trial/index.php (5.34.244.250:8080) , sent data is short, has a bunch of /, (, >, and . in it)
- %appdata%\local\temp\subfolder\filename.vbs added as autorun
- then disappears from task manager
Memory strings while Running:
- asok.exe & the parent filename.exe have almost nothing of interest in them
- the copy of itself, child filename.exe, contains
--- network activity like (5.34.244.250:8080/trail.index.php)
--- bitcoin filenames like (wallet.dat, electrum.data, BitcoinCore, monero-core, Ethereum)
--- cred filenames like (accounts.xml, PasswordsList.txt, <password>, PVAULT_CRED8)
--- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
--- vbs script code (WScript.Shell, Wscript.Sleep, Wscript.Quit, WshShell.RegWrite)
--- bunch of function names that all start with "Crypt"
--- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"
--- other software names like (Skype, Steam, Outlook, WinSCP)
--- urls (dotbit.me, ip-api.com)
--- commands (%windir%\system32\timeout.exe & del)
IDA Pro Behavior: (RUN AS ADMINISTRATOR)
- Inside ThunRtMain, a jmp if you step into goes into MSVBM60, a "call near ptr unk_7294AA4C2" throws error 755FC54F: Floating point inexact result (exc.code c000008f, tid 1008)