Thursday, February 28, 2019

simple python script to search ips, hostnames, or domains for page titles of websites

# simple python script to search ips, hostnames, or domains for page titles
import argparse
from urllib.request import urlopen
from urllib.request import urlretrieve
import re
import sys
import os

#arguments
arguments = argparse.ArgumentParser("Search for websites, pass 1 file of hostnames, ips, or domains")
arguments.add_argument("-f", "--filepath", type=str, required=True, help="Path to list of hostnames, ips, or domains 1 per line")
settings = arguments.parse_args()
filepath = settings.filepath

with open(filepath) as fp:
 theurl = fp.readline()
 while theurl:
  try:
   theurl = 'http://' + theurl.strip()
   html = urlopen(theurl, timeout=2)
   val = html.read()
   titles = re.findall(r'(?i)<title>(.*?)</title>',str(val))
   if len(titles) > 0:
    print("found '{0}' at '{1}'".format(titles[0], theurl))
   theurl = 'https://' + theurl.strip()
   html = urlopen(theurl, timeout=3)
   val = html.read()
   titles = re.findall(r'(?i)<title>(.*?)</title>',str(val))
   if len(titles) > 0:
    print("found '{0}' at '{1}'".format(titles[0], theurl))
  except Exception as e:
   moveon = 1
   #print("failed '{0}' with '{1}'".format(theurl, str(e)))
  theurl = fp.readline()

Wednesday, February 20, 2019

Windows Process Tree Basics (Blue Team)

Great read by Pete here

https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2

Just jotting some notes for myself below

SYSTEM
SYSTEM IDLE Process
- no visible parent
- should only ever be 1 of each
- in kernel mode ( created by NT OS Kernel )
- SYSTEM always has PID 4
- SYSTEM IDLE Process always has 1 threat per CPU

SMSS.EXE
- parent is SYSTEM (PID 4)
- should only ever be 1 running
- runs from \system32\smss.exe
- 1st user mode process started by Kernel
- launches WINLOGON.EXE, WININIT.EXE, and CSRSS.EXE , then SMSS.EXE exits

WINLOGON.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\winlogon.exe
- may spawn child processes (alternate login devices such as biometric readers)
- launches USERINIT.EXE which runs logon scripts, connects to network, starts EXPLORER.EXE

WININIT.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from system32\wininit.exe
- launches SERVICES.EXE, LSASS.EXE, and LSM.EXE
- creates %windir%\temp

CSRSS.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from system32\csrss.exe

USERINIT.EXE
- parent is WINLOGON.EXE
- Runs logon scripts, connects to network, starts EXPLORER.EXE, then exits

EXPLORER.EXE
- no parent (because USERINIT.EXE launches it and then USERINIT.EXE exits)
- runs from \windows\explorer.exe
- no TCP/IP network connections
- normally launches most user processes as children

SERVICES.EXE
- parent is WININIT.EXE
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\services.exe
- normally multiple children processes as SVCHOST.EXE for each service

LSASS.EXE
- parent is WININIT.EXE
- always only 1 LSASS.EXE
- should NEVER spawn child processes
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\lsass.exe

LSM.EXE
- parent is WININIT.EXE
- should NEVER spawn child processes
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\lsm.exe

SVCHOST.EXE
- parent is SERVICES.EXE
- runs from \system32\svchost.exe
- runas as 1 of these accounts (NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE)
- command line always looks like "SVCHOST.EXE -k [name]"


Monday, February 18, 2019

malware yara rules

/* -------------------------
------ NanoCore ------------
--------------------------- */

rule NanoCoreByName
{
meta:
 author = "@neonprimetime"
 description = "NanoCore"
strings:
 $string0 = "NanoCore Client" nocase
 $string1 = "NanoCore.Client" nocase
 $string2 = "NanoCoreBase" nocase
 $string5 = "NanoCoreSwiss" nocase
 $string6 = "NanoCoreStressTester" nocase
condition:
 1 of them
}

rule NanoCoreByKeyword
{
meta:
 author = "@neonprimetime"
 description = "NanoCore"
strings:
 $string1 = "NanoBrowser" nocase
 $string2 = "NanoScript" nocase
 $string3 = "SurveillanceEx" nocase
 $string4 = "NanoCoreStressTester" nocase
 $string5 = "accident-investigation.aero" nocase
 $string6 = "KeyboardLogging" nocase
condition:
 3 of them
}

/* -------------------------
------ Remcos RAT-----------
--------------------------- */

rule RemcosRATByName
{
meta:
 author = "@neonprimetime"
 description = "Remcos RAT"
strings:
 $string0 = "Software\\Remcos" nocase
 $string1 = "\\remcos\\" nocase
 $string2 = "REMCOS v" nocase
 $string4 = "Remcos_" nocase
condition:
 1 of them
}

rule RemcosRATByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Remcos RAT"
strings:
 $string1 = "Keylogger Started" nocase
 $string2 = "Connected to C&C" nocase
 $string3 = "Screenshots" nocase
 $string4 = "OpenCamera" nocase
 $string5 = "Uploading file to C&C" nocase
 $string6 = "Initializing connection to C&C" nocase
 $string7 = "cleared!]" nocase
 $string8 = "EnableLUA /t REG_DWORD /d 0" nocase
 $string9 = "RemWatchdog" nocase
 $string10 = "restarted by watchdog" nocase
condition:
 3 of them
}

/* -------------------------
------ Revil/Sodinokibi Ransomware-----------
--------------------------- */

rule RevilRansomwareByName
{
meta:
 author = "@neonprimetime"
 description = "Revil/Sodinokibi Ransomware"
strings:
 $string1 = "Sodinokibi" nocase
 $string2 = "For google: Revil" nocase
condition:
 any of them
}


rule RevilRansomwareByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Revil/Sodinokibi Ransomware"
strings:
 $string1 = "decryptor.top" nocase
 $string2 = "nbody" nocase
 $string3 = "bedbg" nocase
condition:
 3 of them
}

/* -------------------------
------ NjRat -------------
--------------------------- */

rule NjRatByKeyword
{
meta:
 author = "@neonprimetime"
 description = "NjRat"
strings:

 $string0 = "vitimas_" nocase

$string1 = "|'|'||'|'|" nocase
condition:

 1 of them
}

/* -------------------------
------ Lokibot -------------
--------------------------- */

rule LokibotByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Lokibot"
strings:
 $string0a = "five/fre.php" nocase
 $string0b = "Panel/five" nocase
 $string1 = "fre.php" nocase
 $string2 = "Yandex\\YandexBrowser" nocase
 $string3 = "\\Mozilla\\SeaMonkey\\profiles.ini" nocase
 $string4 = "POP3 Password" nocase
 $string5 = "Software\\SimonTatham\\PuTTY\\Sessions" nocase
 $string6 = "EasyFTP\\data" nocase
 $string7 = "aPLib v1.01" nocase
 $string8 = "wcx_ftp.ini" nocase
condition:
 $string0a or $string0b or ($string1 and ($string2 or $string3 or $string4 or $string5 or $string6 or $string7 or $string8))
}
/* -------------------------
------ Revenge RAT -------------
--------------------------- */

rule RevengeRATByName
{
meta:
 author = "@neonprimetime"
 description = "Revenge RAT"
strings:

 $string0 = "Revenge-RAT" nocase

condition:

 1 of them
}

rule RevengeRATByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Revenge RAT"
strings:

 $capture1 = "Start Capture" nocase

 $capture2 = "CaptureScreen" nocase

 $dotnet1 = ".NET" nocase

 $agent1 = "FirewallProduct" nocase

 $agent2 = "AntiVirusProduct" nocase

 $exfil1 = "USERDOMAIN=" nocase

condition:

 $dotnet1 and ($capture1 or $capture2) and ($agent1 or $agent2) and $exfil1
}



/* -------------------------
------ BrushaLoader -------------
--------------------------- */

rule BrushaLoaderByKeyword
{
meta:
 author = "@neonprimetime"
 description = "BrushaLoader"
strings:
 $vbe = ".shellexecute" nocase
 $xyzdomain = "xyz" nocase
 $google = "www.google.com" nocase
condition:
 $vbe and $xyzdomain and $google
}


/* -------------------------
------ Agent Tesla -------------
--------------------------- */

rule AgentTeslaByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Agent Tesla"
strings:
 $checkip1 = "checkip.aws" nocase
 $checkip2 = "checkip.amazon" nocase
 $smtpexfil1 = "smtp." nocase
 $smtpexfil2 = ":587" nocase
 $dotnet1 = ".net" nocase
condition:
 ($checkip1 or $checkip2) and ($smtpexfil1 or $smtpexfil2) and $dotnet1
}



/* -------------------------
------ Trickbot ------------
--------------------------- */

rule TrickbotByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Trickbot"
strings:
 $string1 = "serialNumber=" nocase
 $string2 = "emailAddress=" nocase
 $string3 = "/snapshot/" nocase
 $string4 = "Login Data.bak" nocase
 $string5 = "Grab_Passwords_Chrome" nocase
 $string6 = "Dinkumware" nocase
 $string7 = "tablecredit_cards" nocase
 $string8 = "server_addresses" nocase
condition:
 3 of them
}


/* -------------------------
------ Azorult -------------
--------------------------- */

rule AzorultByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Azorult"
strings:
 $string1 = "wallet.dat" nocase
 $string2 = "PasswordsList.txt" nocase
 $string3 = "timeout.exe" nocase
 $string4 = "Wscript.Shell" nocase
 $string5 = "dotbit.me" nocase
condition:
 3 of them
}
/* -------------------------
------ Netwire -------------
--------------------------- */

rule NetwireByName
{
meta:
 author = "@neonprimetime"
 description = "Netwire"
strings:
 $string1 = "SOFTWARE\\NetWire" nocase
condition:
 1 of them
}

/* ------------------------------
  -------- Emotete by Keyword -----
 -------------------------- */

rule EmotetByKeyword
{
 meta:
  author = "@neonprimetime"
  description = "Emotet Keyword"
 strings:
  $string1 = "acquiremailbox.exe" nocase
  $string2 = "fillmailbox.exe" nocase
  $string3 = "inboxmailbox.exe" nocase
  $string4 = "mailboxacquire.exe" nocase
  $string5 = "mailboxinbox.exe" nocase
  $string6 = "mailboxmailbox.exe" nocase
  $string7 = "manualmailbox.exe" nocase
  $string8 = "monthlymailbox.exe" nocase
  $string9 = "pdfmailbox.exe" nocase
  $string10 = "publishmailbox.exe" nocase
  $string11 = "deployinbox.exe" nocase
  $string12 = "inboxinbox.exe" nocase
  $string13 = "inboxnetsh.exe" nocase
  $string14 = "mailboxinbox.exe" nocase
  $string15 = "netshinbox.exe" nocase
  $string16 = "createatargets.exe" nocase
  $string17 = "ducktargets.exe" nocase
  $string18 = "restoretargets.exe" nocase
  $string19 = "sendtargets.exe" nocase
 condition:
   1 of them
}
/* -------------------------
------ Phoenix Keylogger -------------
--------------------------- */

rule PhoenixKeyloggerByName
{
meta:
 author = "@neonprimetime"
 description = "Phoenix Keylogger"
strings:
 $string1 = "Phoenix Keylogger" nocase
condition:
 1 of them
}



/* -------------------------
------ BetaBot -------------
--------------------------- */

rule BetaBotByKeyword
{
meta:
 author = "@neonprimetime"
 description = "BetaBot"
strings:
 $string1 = "OnAsyncDestroy" nocase

 $string2 = "OnDestroySubject" nocase

 $string3 = "OnRemoveExisting" nocase

 $string4 = "ccnumber" nocase
condition:
 all of them
}




/* -------------------------
------ Generic Malware -------------
--------------------------- */

rule GenericDotNetFramework

{

meta:
 author = "@neonprimetime"
 description = "Generic .NET Framework detection"


strings:

 $string1 = ".NETFramework"

condition:
 1 of them

}


rule GenericBitcoinStealer

{
meta:
 author = "@neonprimetime"
 description = "Generic Bitcoin Stealer"
strings:
 $string1 = "wallet.dat" nocase

 $string2 = "\\wallets\\" nocase

 $string3 = "\\Electrum" nocase

 $string4 = "Coins\\" nocase

 $string5 = "\\bitcoin" nocase

 $string6 = "\\monero" nocase

 $string7 = "electrum.dat" nocase

 $string8 = "wallet_path" nocase

condition:

 1 of them

}



rule GenericUPXPacker

{
meta:
 author = "@neonprimetime"
 description = "Generic UpX packet"
strings:
 $string1 = "UPX" nocase

condition:

 1 of them


}



rule GenericAutoItPacker

{
meta:
 author = "@neonprimetime"
 description = "Generic AutoItPacker"
strings:
 $string1 = "AutoIt" nocase

 $string2 = "Auto-It" nocase

condition:

 1 of them


}




rule GenericCreditCardStealer
{
meta:
 author = "@neonprimetime"
 description = "Generic Credit Card Stealer"
strings:
 $string1 = "ccnumber" nocase
 $string2 = "expirationmonth" nocase

 $string3 = "monthexpiration" nocase

 $string4 = "card_number" nocase

 $string5 = "securitycode=" nocase

 $string6 = "=amex" nocase

 $string7 = "=visa" nocase

 $string8 = "cardnumber" nocase

condition:
 1 of them
}

rule GenericWebTraffic
{
meta:
 author = "@neonprimetime"
 description = "Generic Web Traffic"
strings:
 $string1 = "Server: lighttpd" nocase
 $string2 = "Host: %s" nocase
 $string3 = "POST %s" nocase
 $string4 = ".php" nocase
condition:
 1 of them
}

rule GenericNetworkTraffic
{
meta:
 author = "@neonprimetime"
 description = "Generic Network Traffic"
strings:
 $string1 = /\..{2,3}\:\d+/ nocase
condition:

 1 of them
}


rule GenericScheduledTask
{
meta:
 author = "@neonprimetime"
 description = "Generic Scheduled Task"
strings:
 $string1 = "schtasks" nocase
condition:


 1 of them
}



rule GenericDomainFlag
{
meta:
 author = "@neonprimetime"
 description = "Generic Domain Flag from AD"
strings:
 $string1 = "/domain" nocase
condition:


 1 of them
}



rule GenericCreateFlag
{
meta:
 author = "@neonprimetime"
 description = "Generic Create Flag from AD"
strings:
 $string1 = "/create" nocase
condition:


 1 of them
}




rule GenericAddFlag
{
meta:
 author = "@neonprimetime"
 description = "Generic Add Flag from AD"
strings:
 $string1 = "/add" nocase
condition:


 1 of them
}






rule GenericSpamMailer
{
meta:
 author = "@neonprimetime"
 description = "Generic Spam Mailer"
strings:
 $string1 = "SEND FROM:" nocase
 $string2 = ":587" nocase
 $string3 = "smtp." nocase
condition:
 1 of them
}

rule GenericIPLookup
{
meta:
 author = "@neonprimetime"
 description = "Generic IP Lookup"
strings:
 $string1 = "checkip.amazonaws.com" nocase
 $string2 = "check-ip.aws." nocase
  $string3 = "ipecho.net" nocase
condition:
 1 of them
}

rule GenericWebcamAccess
{
meta:
 author = "@neonprimetime"
 description = "Generic Webcam Access"
strings:
 $string1 = "webcam" nocase
 $string2 = "OpenCamera" nocase
 $string3 = "CloseCamera" nocase
condition:
 1 of them
}
rule GenericScreenCapture
{
meta:
 author = "@neonprimetime"
 description = "Generic Screen Capture"
strings:
 $string1 = "CaptureScreen" nocase
condition:
 1 of them
}

rule GenericCredentialStealer
{
meta:
 author = "@neonprimetime"
 description = "Generic Credential Stealer"
strings:
 $string1 = "Profiles\\Outlook" nocase
 $string2 = "Login Data" nocase
 $string3 = "encryptedPassword" nocase
 $string4 = "HTTP Password" nocase
 $string5 = "\\profiles.ini" nocase
 $string6 = "\\POP3 Password" nocase
 $string7 = "PuTTY\\Sessions" nocase
 $string8 = "EasyFTP\\data" nocase
 $string9 = "Ftplist.txt" nocase
 $string10 = "\\Login Data" nocase
 $string11 = "\\ws_ftp.ini" nocase
 $string13 = "\\accounts.ini" nocase
 $string14 = "\\accounts.dat" nocase
 $string15 = "CREATE TABLE logins" nocase
 $string16 = "CREATE INDEX logins_signon" nocase
 $string17 = "DecryptIePassword" nocase
 $string18 = "GetSavedPasswords" nocase
 $string19 = "\\Passwords\\" nocase
 $string20 = "WinSCP 2\\Sessions" nocase
 $string21 = "\\HTTP Password" nocase
 $string22 = "\\IMAP Password" nocase
 $string23 = "\\SMTP Password" nocase
 $string24 = "\\HTTP Password" nocase
 $string25 = "[passwords]" nocase
 $string26 = "login-form" nocase
 $string27 = "recentservers.xml" nocase
 $string28 = "type=passwords" nocase
 $string29 = "user-password" nocase
 $string30 = "PasswordsList.txt" nocase
condition:


 1 of them
}
rule GenericBrowserHistoryStealer
{
meta:
 author = "@neonprimetime"
 description = "Generic Browser History Stealer"
strings:

 $string1 = "from urls" nocase

 $string2 = "from moz_places" nocase

condition:

 1 of them

}


rule GenericDataStealer
{
meta:
 author = "@neonprimetime"
 description = "Generic Data Stealer"
strings:
 $string0 = "\\User Data" nocase
 $string1 = "360Chrome\\" nocase
 $string2 = "7Star\\" nocase
 $string3 = "Cyberfox\\" nocase
 $string4 = "Amigo\\" nocase
 $string5 = "Apple Computer\\" nocase
 $string6 = "BraveSoftware\\" nocase
 $string7 = "CatalinaGroup\\" nocase
 $string8 = "CentBrowser\\" nocase
 $string9 = "Chedot\\" nocase
 $string10 = "Chromium\\" nocase
 $string11 = "Claws-mail\\" nocase
 $string12 = "CocCoc\\" nocase
 $string13 = "Comodo\\" nocase
 $string14 = "Coowon\\" nocase
 $string15 = "CoreFTP\\" nocase
 $string16 = "Elements Browser\\" nocase
 $string17 = "Epic Privacy Browser\\" nocase
 $string18 = "falkon\\" nocase
 $string19 = "Fenrir Inc\\" nocase
 $string20 = "FileZilla\\" nocase
 $string21 = "Flock\\" nocase
 $string22 = "FTPGetter\\" nocase
 $string23 = "Google\\" nocase
 $string24 = "Ipswitch\\" nocase
 $string25 = "Iridium\\" nocase
 $string26 = "K-Meleon\\" nocase
 $string27 = "Kometa\\" nocase
 $string28 = "liebao\\" nocase
 $string29 = "MapleStudio\\" nocase
 $string31 = "Moonchild Productions\\" nocase
 $string32 = "Mozilla\\" nocase
 $string35 = "NETGATE Technologies\\" nocase
 $string36 = "Opera Mail\\" nocase
 $string37 = "Opera Software\\" nocase
 $string38 = "Orbitum\\" nocase
 $string39 = "Pocomail\\" nocase
 $string40 = "Postbox\\" nocase
 $string41 = "Psi\\" nocase
 $string42 = "Psi+\\" nocase
 $string43 = "QIP Surf\\" nocase
 $string45 = "SmartFTP\\" nocase
 $string46 = "Sputnik\\" nocase
 $string47 = "Tencent\\" nocase
 $string48 = "The Bat!" nocase
 $string49 = "Thunderbird\\" nocase
 $string50 = "Torch\\" nocase
 $string51 = "Trillian\\" nocase
 $string52 = "UCBrowser\\" nocase
 $string53 = "uCozMedia\\" nocase
 $string54 = "VirtualStore\\" nocase
 $string55 = "Vivaldi\\" nocase
 $string56 = "Waterfox\\" nocase
 $string57 = "Yandex\\" nocase
 $string58 = "keychain.plist" nocase
 $string59 = "GetSavedCookies" nocase
 $string60 = "wcx_ftp.ini" nocase

$string61 = "Start Capture" nocase
 $string62 = "\\accounts.xml" nocase
 $string63 = "\\places.sqlite" nocase
 $string67 = "cookies.sqlite" nocase
condition:
 1 of them
}


rule GenericDeletesItself
{
meta:
 author = "@neonprimetime"
 description = "Generic Deletes Itself"
strings:
 $string1 = "DEL /s" nocase
 $string2 = "cmd /c del" nocase
 $string3 = "deleteSelf" nocase
 $string4 = "/c del %s" nocase
 $string5 = "%del" nocase
 $string6 = "& del" nocase
condition:


 1 of them
}




rule GenericMaliciousCommand
{
meta:
 author = "@neonprimetime"
 description = "Generic Malicious Command"
strings:
 $string1 = "CompSpec" nocase
condition:


 1 of them
}



rule GenericKeylogger
{
meta:
 author = "@neonprimetime"
 description = "Generic Keylogger"
strings:
 $string1 = "Keylog" nocase
 $string2 = "KeyboardLogging" nocase
 $string3 = "[Enter]" nocase
 $string4 = "[Ctrl + C]" nocase
 $string5 = "[Ctrl + V]" nocase
condition:
 1 of them
}



rule GenericDelay
{
meta:
 author = "@neonprimetime"
 description = "Generic Delay"
strings:
 $string1 = "ping 192" nocase
 $string2 = "ping 127" nocase
condition:
 1 of them
}
rule GenericSecurityToolDetection
{
meta:
 author = "@neonprimetime"
 description = "Generic Security Tool Detection"
strings:
 $string1 = "FROM FirewallProduct" nocase
 $string2 = "from AntiVirusProduct" nocase
condition:
 1 of them

}

rule GenericDisableAntivirus
{
meta:
 author = "@neonprimetime"
 description = "Generic Disable AntiVirus"
strings:
 $string1 = "DisableBehaviorMonitoring" nocase
 $string2 = "DisableOnAccessProtection" nocase
 $string3 = "DisableScanOnRealtime" nocase
 $string4 = "DisableRealtimeMonitoring" nocase
 $string5 = "DisableBlockAtFirstSeen" nocase
 $string6 = "DisableIOAVProtection" nocase
 $string7 = "DisableAntiSpyware" nocase
 $string8 = "DisableArchiveScanning" nocase
 $string9 = "DisableScriptScanning" nocase
 $string10 = "Set-MpPreference" nocase
condition:
 1 of them
}
rule GenericFirewallModification

{
meta:
 author = "@neonprimetime"
 description = "Generic Firewall Modifiction"
strings:
 $string1 = "netsh advfirewall" nocase
 $string2 = "firewall add" nocase
condition:
 1 of them

}


rule GenericPHPPanel
{
meta:
 author = "@neonprimetime"
 description = "Generic PHP Panel"
strings:

 $string1 = "/gate.php" nocase

 $string2 = "/fre.php" nocase

condition:

 1 of them

}

rule GenericBase64

{
meta:
 author = "@neonprimetime"
 description = "Generic PHP Panel"
strings:

 $string1 = /\=\=\r\n/ nocase

condition:

 1 of them

}



rule GenericDynamicDns


{
meta:
 author = "@neonprimetime"
 description = "Generic Dynamic DNS"
strings:

 $string1 = ".duckdns.org" nocase

condition:

 1 of them

}

rule GenericVisualBasicScript
{
meta:
 author = "@neonprimetime"
 description = "Generic Visual Basic Script"
strings:
 $string1 = ".shellexecute" nocase
 $string2 = "shell.application" nocase
 $string3 = "Wscript.Sleep" nocase
 $string4 = "ExecuteGlobal" nocase
 $string5 = "Shell.run" nocase
 $string6 = "Scripting.FileSystemObject" nocase
 $string7 = ":::const " nocase
 $string8 = "vbscontent" nocase
 $string9 = "Execute(" nocase
 $string10 = "ChrW(48) & ChrW(" nocase
 $string11 = "ChrW(48)&ChrW(" nocase
condition:
 1 of them
}

rule GenericHackerTerms
{

meta:
 author = "@neonprimetime"
 description = "Generic Hacker Terms"
strings:
 $string1 = "payloadpath" nocase
 $string2 = "payloadexist" nocase

condition:
 1 of them

}

rule GenericAntiDebug
{
meta:
 author = "@neonprimetime"
 description = "Generic Anti Debug techniques"
strings:
 $string1 = "CheckRemoteDebuggerPresent" nocase
condition:
 1 of them

}


rule GenericTor
{
meta:
 author = "@neonprimetime"
 description = "Generic Tor Dark Web"
strings:
 $string1 = "torproject.org" nocase
 $string2 = ".onion" nocase
 $string3 = "TOR browser" nocase
 
condition:
 1 of them

}


rule GenericPasswordList
{
meta:
 author = "@neonprimetime"
 description = "Generic Password List"
strings:
 $string1 = "peternorth" nocase
 $string2 = "motherfucker" nocase
 $string3 = "pimpdaddy" nocase
 $string4 = "ihavenopass" nocase
 $string5 = "fuckoff" nocase
 $string6 = "dickhead" nocase
 $string7 = "passw0rd" nocase
 $string8 = "changeme" nocase
condition: 1 of them }
rule GenericUserAgent
{
 meta:
  author = "@neonprimetime"
  description = "Generic User Agents oddities"
 strings:
  $string1 = "User-Agent: curl" nocase
  $string2 = "User-Agent: wget" nocase
 condition: 
  1 of them
}

rule GenericWebServer
{
 meta: 
  author = "@neonprimetime"
  description = "Generic Web Server info"
 strings: 
  $string1 = "nginx"
  $string2 = "apache"
 condition:
  1 of them
}

Tuesday, February 12, 2019

#lokibot

#lokibot

------------------------------
2/19/2019

https://www.virustotal.com/#/file/da30b124c95eda90524716d0bd4b5af608f50fa52b126f1720c38933c916eb2e/detection

Email w/ attachment Document.exe

Compiler:
- Microsoft Visual Basic(6.0)[Native]

Running behavior: (RUN AS ADMINISTRATOR)
- starts a child process with same name
- dns lookup to ubochiomaswifts.cf (104.24.109.185, 104.24.108.185)
- http post to ubochiomaswifts.cf/eshi/fre.php , payload contains fuckav.ru, PC name, random Letters/Numbers at the end
- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)
- CreateFile api calls to Email files (yMail, TrulyMail)
- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)

Memory strings while Running:  ( https://pastebin.com/raw/zL04fvx5  )
- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)
- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)
- strings related to profile ini files (profiles.ini)
- strings related to FTP files
- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com
- the url ubochiomaswifts.cf/eshi/fre.php
- function names prefixed by "Crypt"


IDA Pro Behavior (RUN AS ADMINISTRATOR)

- 34F0000: The instruction at 0x34F0000 referenced memory at 0xE09092C9. The memory could not be written -> E09092C9 (exc.code c0000005, tid 968)

------------------------------
2/19/2019

https://www.virustotal.com/#/file/0d1c8154f0454b6a4ee8312f935e8af95a0765368488bed6f68f8fe443350537/detection

Email w/ attachment TT Advice.exe

Compiler:
- Microsoft Visual Basic(6.0)[Native]

Running behavior: (RUN AS ADMINISTRATOR)
- starts a copy of itself
- dns lookup to www.cashoutsquad.com (47.254.177.121)
- http post to www.cashoutsquad.com/motivate/minds/more/fre.php , payload contains fuckav.ru, PC name, random Letters/Numbers at the end
- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)
- CreateFile api calls to Email files (yMail, TrulyMail)
- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)

Memory strings while Running:  ( https://pastebin.com/raw/RQUy268M )
- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)
- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)
- strings related to profile ini files (profiles.ini)
- strings related to FTP files
- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com
- the url awww.cashoutsquad.com/motivate/minds/more/fre.php
- function names prefixed by "Crypt"


IDA Pro Behavior (RUN AS ADMINISTRATOR)
- 0: The instruction at 0x0 referenced memory at 0x0. The memory could not be executed -> 00000000 (exc.code c0000005, tid 676)


------------------------------
2/12/2019

https://app.any.run/tasks/c72c5d4e-510e-4d5d-a863-502ecc3ea777
https://www.virustotal.com/#/file/57d57613ef46c879ca65a307b52625628b706601bf10cebad126d5bbcbbc9118/detection

hxxp://gemaco[.]com[.]ve/js/file/coc.exe

Compiler:
- Microsoft Visual Basic(6.0)[Native]

Running behavior: (RUN AS ADMINISTRATOR)
- starts a copy of itself, deletes original copy of itself, new copy of itself very small in memory, very low cpu usage for long time
- dns lookup to archanadiagnostics.com (172.96.12.126)
- http post to archanadiagnostics.com/css/coco/five/fre.php , payload contains fuckav.ru, PC name, random Letters/Numbers at the end
- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)
- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)
- CreateFile api calls to Email files (yMail, TrulyMail)
- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)

Memory strings while Running:
- very small capture
- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)
- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)
- strings related to profile ini files (profiles.ini)
- strings related to FTP files
- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com
- the url archanadiagnostics.com/css/coco/five/fre.php
- lots of decimal number prefixed by Gu, Hu, Cu, etc.
- function names prefixed by "Crypt"


IDA Pro Behavior (RUN AS ADMINISTRATOR)
- crashes with 755FC54F: Floating point inexact result (exc.code c000008f, tid 1228)

------------------------------

#trickbot

#trickbot
------------------------------
2/12/2019

https://app.any.run/tasks/c72c5d4e-510e-4d5d-a863-502ecc3ea777
https://www.virustotal.com/#/file/57d57613ef46c879ca65a307b52625628b706601bf10cebad126d5bbcbbc9118/detection

hxxp://85.143.220.1/sin.png

Compiler:
- Microsoft Visual Basic(6.0)[Native]

Running behavior: (RUN AS ADMINISTRATOR)
- saw child process of cmd and powershell
- saw child process with random name (tsjclbpt.exe) with child of svchost, then disappeared
- a few minutes later svchost.exe re-appeared with multiple child processes of the same name
- wrote copy of itself %appdata%\roaming\sysdefrag\tsjclbpt.exe
- wrote settings.ini in same folder with random strings in it
- wrote Data folder in same folder with pwgrab, systeminfo, injectdll files
- captured no dns or http network traffic


Memory strings while Running:
- closed too fast to capture initially but when svchost.exe re-opened captured one of it's children
--- strings that look like url params (serialNumber=, emailAddress=, ?456789:;<=, /snapshoot/)
--- a string for login data (\google\chrome\...\Login Data.bak , Grab_Passwords_Chrome, Outlook password)
--- repeated strings (WATAUAVAWH, @A_A^A]A\_)
--- strings of language/country (french-canadian, italian-swiss, spanish-honduras, etc.)
--- copyright string (P.J. Plauger, licensed by Dinkumware)
--- lots of functions that start with "Crypt"
--- lots of numerical decimal type numbers (1.2.840.113549.1.95, 1.3.6.1.5.5.7.2.2, etc.)
--- string that looks like pc info (sin6/PCNAME.RANDOMLETTERS/83/)
--- Numerous IP addresses in a row with various ports (190.146.112.216:8082, 97.87.127.198:80, etc.)
--- html / xml like tags (<dpost>, <handler>)
--- table names like (tablecredit_cards, server_addresses, card_metadata)
--- lists of encryption algorithms (AES-128-CBC, DES-EDE3-CBC, SSL_RSA, TLS_RSA, etc.)


IDA Pro Behavior (RUN AS ADMINISTRATOR)
- It ran successfully, i saw all the child processes spawned, etc then it exited with code 0

------------------------------
2/8/2019

https://app.any.run/tasks/b621b7ef-eeb0-4d87-93cb-36b8bebb8c5b
https://www.virustotal.com/#/file/41b6047c2edf7edcd565450ef04b92a5aa9b0a29cf35e0b2a3f27538d21559df/detection

Compiler:
- Microsoft Visual C/C++(-)[-]

Running behavior: (RUN AS ADMINISTRATOR)
- saw cmd launch powershell immediately after
- saw a new svchost.exe running temporarily then disappears
- popup saying windows defender was deleted
- a few minutes later svchost.exe starts up again with 1 child process also named svchost.exe
- wrote copy of itself to %appdata%\roaming\cleanmem\vasao.exe
- wrote settings.ini in same folder with random strings in it
- wrote Data folder in same folder with pwgrab, systeminfo, injectdll files

- captured no real dns or http network traffic except dns lookup to "ident.me" (176.58.123.25)




Memory strings while Running:
- closed too fast to get memory capture on 1st one, but grabbed svchost.exe child again
--- lots of functions that start with "Crypt"
--- lots of numerical decimal type numbers (1.2.840.113549.1.95, 1.3.6.1.5.5.7.2.2, etc.)
--- urls & ip (6lwyu54ybblfuex6.onion , 185.62.188.30:443)
--- Numerous IP addresses in a row with various ports ( 68.119.85.138:449, 103.47.169.27:449)
--- string that looks like pc info (sat36/PCNAME_RANDOMCHARACTERS/5/spk/)
--- tons of strings about Certificates from Verisign, GoDaddy, Symantec, etc.
--- repeated strings (WATAUAVAWH, @A_A^A]A\_)


IDA Pro Behavior (RUN AS ADMINISTRATOR)

- It ran successfully, i saw all the child processes spawned, etc then it exited with code 0

Monday, February 11, 2019

#azorult

#azorult
------------------------------
5/29/2019
https://app.any.run/tasks/0504a290-18be-4d18-ae00-e03d03b5ae4a/
https://www.virustotal.com/gui/file/ee45336a135108347af89122705d24b97c583ee2d18ec67152441f58a540f34a/detection

Running behavior: (RUN AS ADMINISTRATOR)
program crashed, did not seem to complete

Memory strings while running
0xdb136 (12): PVAULT_CRED8 
0xdb4e5 (12): outlookDecrU 
0xdc928 (84): Software\Martin Prikryl\WinSCP 2\Sessions\ 
0xdc99c (20): PortNumber 
0xdd3a4 (26): \accounts.xml 
0xdd6d4 (10): <password> 
0xdd6e8 (11): </password> 
0xdd778 (60): %APPDATA%\.purple\accounts.xml 
0xddec0 (34): %TEMP%\curbuf.dat 
0xe2874 (253): SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000 
0xe32a8 (28): \places.sqlite 
0xe4084 (16): Browsers\Cookies 
0xe40ac (16): Browsers\History 
0xe43fd (12): uFileFinderU 
0xe4ea8 (30): %APPDATA%\Skype 
0xe51d8 (40): Software\Valve\Steam 
0xe522c (26): \Config\*.vdf 
0xe5de4 (20): %APPDATA%\ 
0xe5e14 (20): \autoscan\ 
0xe5e48 (24): .address.txt 
0xe8100 (20): https://dotbit.me/a/ 
0xe8600 (12): User-agent: 
0xe8618 (51): Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 
0xea1d4 (17): PasswordsList.txt 
0xea258 (66): %appdata%\Telegram Desktop\tdata\ 
0xea360 (22): http://ip-api.com/json 
0xea3d4 (10): System.txt 
0xea450 (84): /c %WINDIR%\system32\timeout.exe 3 & del " 
0xeb7c0 (30): http://77.222.55.225/index.php



2/11/2019

https://app.any.run/tasks/7323be7e-daad-4ac7-8500-b905f7dcfaba
https://www.virustotal.com/#/file/cd4f41d81ec1f3ac046df3193e1445994c8e4a6eaaf57748faef5ada77791bf2/detection

Compiler:
- Nullsoft Scriptable Install System(3.0)[zlib]
- Microsoft Linker(6.0)[EXE32,signed]

Running behavior: (RUN AS ADMINISTRATOR)
- launches a copy of itself, then disappears from task manager
- dns lookup 3124322.pw.md-in-82.webhostbox.net (43.225.55.117)
- POST to 3124322.pw.md-in-82.webhostbox.net/index.php, (sent data is short, has a bunch of &, and . in it)
- CreateFile api calls to Login data folders (FireFox, Waterfox, IceDragon, Chrome, Pale Moon, Yandex)
- CreateFile api calls to cookie data folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to WebData folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to bitcoin folders (wallet.dat, electrum.dat, Ethereum)

Memory strings while Running:
- original exe has Nullsoft Install System v3.0 and some actual C looking lines of code with kernel32::CreateFile, user32::wsprintf, ntdll::NtMapViewOfSection, kernel32::CloseHandle
- re-spawned exe had much more
--- Network activity like 3124322.pw.md-in-82.webhostbox.net/index.php, 43.225.55.117
--- bunch of function names that all start with "Crypt"
--- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
--- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"

IDA Pro Behavior (RUN AS ADMINISTRATOR)
- start function had "Error writing temporary file", SetErrorMode, GetVersion, etc.
- While in IDA I see process launch a child of itself, then IDA closes with "process has exited (exit code 0)", so it appears everything in IDA ran good and did not kill itself or error out at all

------------------------------
2/11/2019

https://app.any.run/tasks/6fad55c1-52c5-4dd3-89e0-7ac3a9117464
https://www.virustotal.com/#/file/ef0725492607f9f5adb086a67153f705531f98b91aec7f9d864c5fe04c7db0c1/detection

Compiler:
- Borland Delphi(2006)[-]

Running behavior: (RUN AS ADMINISTRATOR)
- i saw a task for cmd.exe launching timeout.exe, then exes closed in task manager
- original file was deleted
- POST to 23.227.206.245/Panel/index.php , sent data is short, has a bunch of /, (, >, and . in it)
- CreateFile api calls to Login data folders (FireFox, Waterfox, IceDragon, Chrome, Pale Moon, Yandex)
- CreateFile api calls to cookie data folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to WebData folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to bitcoin folders (wallet.dat, electrum.dat, Ethereum)

Memory strings while Running:
- wasn't running long enough to grab

IDA Pro Behavior (RUN AS ADMINISTRATOR)
- WinMain has GetCommandLineA, GetModuleHandleA, DialogBoxParamA, "Selected Process", "Count of GDI objects", "Count of USER object", etc.
- In WinMain, the DialogBoxParamA call shows this message, 73ED3C62: The instruction at 0x73ED3C62 referenced memory at 0x74. The memory could not be read -> 00000074 (exc.code c000005, tid 388)

------------------------------
2/5/2019

https://www.virustotal.com/#/file/5691a24d176090bc059f91f3d05d2e9e39ee071652b4c41dd85ffb8961cb8b03/community

hxxp://modexcommunications[.]eu/jeff/jeff.exe

Notes: I think this run failed because C2 host was taken down

Compiler:
Borland Delphi(7)[-]

Running behavior: (RUN AS ADMINISTRATOR)
- writes jeffie[.exe to %appdata%\roaming\jefery
- dns lookup wp.icf-fx[.]kz (185.255.91[.]82:80)
- POST to /Panel/index[.]php 
- then disappears off task manager

Memory strings while Running:
- very small file, not much in there
- network activity like (wp.icf-fx[.]kz , 185.255.91[.]82:80, /Panel/index[.]php   )
- bunch of function names that all start with "Crypt"
- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"

IDA Pro Behavior (RUN AS ADMINISTRATOR)
- follow into @Sysinit@@InitExe, @System@@StartExe, @System@_16705
- loops in there for a while, with "call eax" that appears to subtract, i break on the exit from the loop, but instead IDA errors with "0: The instruction 0x0 referenced memory at 0x0. The memory could not be executed -> 00000000 (exc.code c0000006 tid 2748)"


------------------------------
1/23/2019

https://www.virustotal.com/#/file/8a8c2c4563a1f1cbd82f4f8aa5e43fb7adb83197b594bad2dd83dd8a7a2e4692/detection
https://app.any.run/tasks/09cb8551-a11b-4a51-974f-2c5a4cfcac79

hxxp://pioneerfitting[.]com/http/asok.exe

Compiler:
- Microsoft Visual Basic(6.0)[P-code]

Running behavior: (RUN AS ADMINISTRATOR)
- writes filename.exe & filename.vbs to %appdata%\local\temp\subfolder\
- filename.exe runs a copy of itself (hollowing?)
- POST to /trial/index.php (5.34.244.250:8080) , sent data is short, has a bunch of /, (, >, and . in it)
- %appdata%\local\temp\subfolder\filename.vbs added as autorun
- then disappears from task manager

Memory strings while Running:
- asok.exe & the parent filename.exe almost nothing in it of interest
- the copy of itself, child filename.exe, contains
--- network activity like (5.34.244.250:8080/trail.index.php)
--- bitcoin filenames like (wallet.dat, electrum.data, BitcoinCore, monero-core, Ethereum)
--- cred filenames like (accounts.xml, PasswordsList.txt, <password>, PVAULT_CRED8)
--- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
--- vbs script code (WScript.Shell, Wscript.Sleep, Wscript.Quit, WshShell.RegWrite)
--- bunch of function names that all start with "Crypt"
--- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"
--- other software names like (Skype, Steam, Outlook, WinSCP)
--- urls (dotbit.me, ip-api.com)
--- commands (%windir%\system32\timeout.exe & del)

IDA Pro Behavior: (RUN AS ADMINISTRATOR)
- Inside ThunRtMain, a jmp if you step into goes into MSVBM60, a "call near ptr unk_7294AA4C2" throws error 755FC54F: Floating point inexact result (exc.code c000008f, tid 1008)