Thursday, March 14, 2019

python syslog script

useful python syslog i found online
https://github.com/cloudpassage/splunk-halo-python/blob/master/remote_syslog.py

sample usage

syslog('Apr 23 07:36:52 10.2.108.181 EventName=[], SourceIP=[], SourcePort=[], DestinationIP=[], DestinationPort=[], UserName=[], SourceWorkstation=[], Url=[], FilePath=[], MD5=[], LogSource=[], MacAddress=[], LogSourceTime=[], Notes=[]', host='10.xx.xx.xx', facility=FACILITY['local0'], level=LEVEL['info'])

---------------

#!/usr/bin/python

"""
Python syslog client.

This code is placed in the public domain by the author.
Written by Christian Stigen Larsen.

This is especially neat for Windows users, who (I think) don't
get any syslog module in the default python installation.

See RFC3164 for more info -- http://tools.ietf.org/html/rfc3164

Note that if you intend to send messages to remote servers, their
syslogd must be started with -r to allow to receive UDP from
the network.
"""

import socket

# I'm a python novice, so I don't know of better ways to define enums

FACILITY = {
'kern': 0, 'user': 1, 'mail': 2, 'daemon': 3,
'auth': 4, 'syslog': 5, 'lpr': 6, 'news': 7,
'uucp': 8, 'cron': 9, 'authpriv': 10, 'ftp': 11,
'local0': 16, 'local1': 17, 'local2': 18, 'local3': 19,
'local4': 20, 'local5': 21, 'local6': 22, 'local7': 23,
}

LEVEL = {
'emerg': 0, 'alert':1, 'crit': 2, 'err': 3,
'warning': 4, 'notice': 5, 'info': 6, 'debug': 7
}

def syslog(message, level=LEVEL['notice'], facility=FACILITY['daemon'],
host='localhost', port=514):

"""
Send syslog UDP packet to given host and port.
"""

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
data = '<%d>%s' % (level + facility*8, message)
sock.sendto(data, (host, port))
sock.close()
Posted by at 1 comment:
Labels: ,

Friday, March 1, 2019

View Chrome Download and Url History Basics 101

download sqlite browser portable

https://sqlitebrowser.org/dl/

copy "history" database from chrome appdata

%appdata%\local\google\chrome\user data\default\history

"open database", select it

look at the 2 tables
- downloads
- urls
Posted by at No comments:
Labels: , ,

Thursday, February 28, 2019

simple python script to search ips, hostnames, or domains for page titles of websites

# simple python script to search ips, hostnames, or domains for page titles
import argparse
from urllib.request import urlopen
from urllib.request import urlretrieve
import re
import sys
import os

#arguments
arguments = argparse.ArgumentParser("Search for websites, pass 1 file of hostnames, ips, or domains")
arguments.add_argument("-f", "--filepath", type=str, required=True, help="Path to list of hostnames, ips, or domains 1 per line")
settings = arguments.parse_args()
filepath = settings.filepath

with open(filepath) as fp:
 theurl = fp.readline()
 while theurl:
  try:
   theurl = 'http://' + theurl.strip()
   html = urlopen(theurl, timeout=2)
   val = html.read()
   titles = re.findall(r'(?i)<title>(.*?)</title>',str(val))
   if len(titles) > 0:
    print("found '{0}' at '{1}'".format(titles[0], theurl))
   theurl = 'https://' + theurl.strip()
   html = urlopen(theurl, timeout=3)
   val = html.read()
   titles = re.findall(r'(?i)<title>(.*?)</title>',str(val))
   if len(titles) > 0:
    print("found '{0}' at '{1}'".format(titles[0], theurl))
  except Exception as e:
   moveon = 1
   #print("failed '{0}' with '{1}'".format(theurl, str(e)))
  theurl = fp.readline()
Posted by at No comments:

Wednesday, February 20, 2019

Windows Process Tree Basics (Blue Team)

Great read by Pete here

https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2

Just jotting some notes for myself below

SYSTEM
SYSTEM IDLE Process
- no visible parent
- should only ever be 1 of each
- in kernel mode ( created by NT OS Kernel )
- SYSTEM always has PID 4
- SYSTEM IDLE Process always has 1 threat per CPU

SMSS.EXE
- parent is SYSTEM (PID 4)
- should only ever be 1 running
- runs from \system32\smss.exe
- 1st user mode process started by Kernel
- launches WINLOGON.EXE, WININIT.EXE, and CSRSS.EXE , then SMSS.EXE exits

WINLOGON.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\winlogon.exe
- may spawn child processes (alternate login devices such as biometric readers)
- launches USERINIT.EXE which runs logon scripts, connects to network, starts EXPLORER.EXE

WININIT.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from system32\wininit.exe
- launches SERVICES.EXE, LSASS.EXE, and LSM.EXE
- creates %windir%\temp

CSRSS.EXE
- no parent (because SMSS.EXE launches it and then SMSS.EXE exits)
- runs as NT AUTHORITY\SYSTEM
- runs from system32\csrss.exe

USERINIT.EXE
- parent is WINLOGON.EXE
- Runs logon scripts, connects to network, starts EXPLORER.EXE, then exits

EXPLORER.EXE
- no parent (because USERINIT.EXE launches it and then USERINIT.EXE exits)
- runs from \windows\explorer.exe
- no TCP/IP network connections
- normally launches most user processes as children

SERVICES.EXE
- parent is WININIT.EXE
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\services.exe
- normally multiple children processes as SVCHOST.EXE for each service

LSASS.EXE
- parent is WININIT.EXE
- always only 1 LSASS.EXE
- should NEVER spawn child processes
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\lsass.exe

LSM.EXE
- parent is WININIT.EXE
- should NEVER spawn child processes
- runs as NT AUTHORITY\SYSTEM
- runs from \system32\lsm.exe

SVCHOST.EXE
- parent is SERVICES.EXE
- runs from \system32\svchost.exe
- runas as 1 of these accounts (NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE)
- command line always looks like "SVCHOST.EXE -k [name]"


Posted by at No comments:
Labels: , , , , , , , ,

Monday, February 18, 2019

malware yara rules 

/* -------------------------
------ NanoCore ------------
--------------------------- */

rule NanoCoreByName
{
meta:
 author = "@neonprimetime"
 description = "NanoCore"
strings:
 $string0 = "NanoCore Client" nocase
 $string1 = "NanoCore.Client" nocase
 $string2 = "NanoCoreBase" nocase
 $string5 = "NanoCoreSwiss" nocase
 $string6 = "NanoCoreStressTester" nocase
condition:
 1 of them
}

rule NanoCoreByKeyword
{
meta:
 author = "@neonprimetime"
 description = "NanoCore"
strings:
 $string1 = "NanoBrowser" nocase
 $string2 = "NanoScript" nocase
 $string3 = "SurveillanceEx" nocase
 $string4 = "NanoCoreStressTester" nocase
 $string5 = "accident-investigation.aero" nocase
 $string6 = "KeyboardLogging" nocase
condition:
 3 of them
}

/* -------------------------
------ Remcos RAT-----------
--------------------------- */

rule RemcosRATByName
{
meta:
 author = "@neonprimetime"
 description = "Remcos RAT"
strings:
 $string0 = "Software\\Remcos" nocase
 $string1 = "\\remcos\\" nocase
 $string2 = "REMCOS v" nocase
 $string4 = "Remcos_" nocase
condition:
 1 of them
}

rule RemcosRATByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Remcos RAT"
strings:
 $string1 = "Keylogger Started" nocase
 $string2 = "Connected to C&C" nocase
 $string3 = "Screenshots" nocase
 $string4 = "OpenCamera" nocase
 $string5 = "Uploading file to C&C" nocase
 $string6 = "Initializing connection to C&C" nocase
 $string7 = "cleared!]" nocase
 $string8 = "EnableLUA /t REG_DWORD /d 0" nocase
 $string9 = "RemWatchdog" nocase
 $string10 = "restarted by watchdog" nocase
condition:
 3 of them
}

/* -------------------------
------ Revil/Sodinokibi Ransomware-----------
--------------------------- */

rule RevilRansomwareByName
{
meta:
 author = "@neonprimetime"
 description = "Revil/Sodinokibi Ransomware"
strings:
 $string1 = "Sodinokibi" nocase
 $string2 = "For google: Revil" nocase
condition:
 any of them
}


rule RevilRansomwareByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Revil/Sodinokibi Ransomware"
strings:
 $string1 = "decryptor.top" nocase
 $string2 = "nbody" nocase
 $string3 = "bedbg" nocase
condition:
 3 of them
}

/* -------------------------
------ NjRat -------------
--------------------------- */

rule NjRatByKeyword
{
meta:
 author = "@neonprimetime"
 description = "NjRat"
strings:

 $string0 = "vitimas_" nocase

$string1 = "|'|'||'|'|" nocase
condition:

 1 of them
}

/* -------------------------
------ Lokibot -------------
--------------------------- */

rule LokibotByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Lokibot"
strings:
 $string0a = "five/fre.php" nocase
 $string0b = "Panel/five" nocase
 $string1 = "fre.php" nocase
 $string2 = "Yandex\\YandexBrowser" nocase
 $string3 = "\\Mozilla\\SeaMonkey\\profiles.ini" nocase
 $string4 = "POP3 Password" nocase
 $string5 = "Software\\SimonTatham\\PuTTY\\Sessions" nocase
 $string6 = "EasyFTP\\data" nocase
 $string7 = "aPLib v1.01" nocase
 $string8 = "wcx_ftp.ini" nocase
condition:
 $string0a or $string0b or ($string1 and ($string2 or $string3 or $string4 or $string5 or $string6 or $string7 or $string8))
}
/* -------------------------
------ Revenge RAT -------------
--------------------------- */

rule RevengeRATByName
{
meta:
 author = "@neonprimetime"
 description = "Revenge RAT"
strings:

 $string0 = "Revenge-RAT" nocase

condition:

 1 of them
}

rule RevengeRATByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Revenge RAT"
strings:

 $capture1 = "Start Capture" nocase

 $capture2 = "CaptureScreen" nocase

 $dotnet1 = ".NET" nocase

 $agent1 = "FirewallProduct" nocase

 $agent2 = "AntiVirusProduct" nocase

 $exfil1 = "USERDOMAIN=" nocase

condition:

 $dotnet1 and ($capture1 or $capture2) and ($agent1 or $agent2) and $exfil1
}



/* -------------------------
------ BrushaLoader -------------
--------------------------- */

rule BrushaLoaderByKeyword
{
meta:
 author = "@neonprimetime"
 description = "BrushaLoader"
strings:
 $vbe = ".shellexecute" nocase
 $xyzdomain = "xyz" nocase
 $google = "www.google.com" nocase
condition:
 $vbe and $xyzdomain and $google
}


/* -------------------------
------ Agent Tesla -------------
--------------------------- */

rule AgentTeslaByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Agent Tesla"
strings:
 $checkip1 = "checkip.aws" nocase
 $checkip2 = "checkip.amazon" nocase
 $smtpexfil1 = "smtp." nocase
 $smtpexfil2 = ":587" nocase
 $dotnet1 = ".net" nocase
condition:
 ($checkip1 or $checkip2) and ($smtpexfil1 or $smtpexfil2) and $dotnet1
}



/* -------------------------
------ Trickbot ------------
--------------------------- */

rule TrickbotByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Trickbot"
strings:
 $string1 = "serialNumber=" nocase
 $string2 = "emailAddress=" nocase
 $string3 = "/snapshot/" nocase
 $string4 = "Login Data.bak" nocase
 $string5 = "Grab_Passwords_Chrome" nocase
 $string6 = "Dinkumware" nocase
 $string7 = "tablecredit_cards" nocase
 $string8 = "server_addresses" nocase
condition:
 3 of them
}


/* -------------------------
------ Azorult -------------
--------------------------- */

rule AzorultByKeyword
{
meta:
 author = "@neonprimetime"
 description = "Azorult"
strings:
 $string1 = "wallet.dat" nocase
 $string2 = "PasswordsList.txt" nocase
 $string3 = "timeout.exe" nocase
 $string4 = "Wscript.Shell" nocase
 $string5 = "dotbit.me" nocase
condition:
 3 of them
}
/* -------------------------
------ Netwire -------------
--------------------------- */

rule NetwireByName
{
meta:
 author = "@neonprimetime"
 description = "Netwire"
strings:
 $string1 = "SOFTWARE\\NetWire" nocase
condition:
 1 of them
}




/* ------------------------------


  -------- Emotete by Keyword -----


 -------------------------- */




rule EmotetByKeyword


{


 meta:
  author = "@neonprimetime"


  description = "Emotet Keyword"


 strings:


  $string1 = "acquiremailbox.exe" nocase
  $string2 = "fillmailbox.exe" nocase
  $string3 = "inboxmailbox.exe" nocase
  $string4 = "mailboxacquire.exe" nocase
  $string5 = "mailboxinbox.exe" nocase
  $string6 = "mailboxmailbox.exe" nocase
  $string7 = "manualmailbox.exe" nocase
  $string8 = "monthlymailbox.exe" nocase
  $string9 = "pdfmailbox.exe" nocase
  $string10 = "publishmailbox.exe" nocase
  $string11 = "deployinbox.exe" nocase
  $string12 = "inboxinbox.exe" nocase
  $string13 = "inboxnetsh.exe" nocase
  $string14 = "mailboxinbox.exe" nocase
  $string15 = "netshinbox.exe" nocase
  $string16 = "createatargets.exe" nocase
  $string17 = "ducktargets.exe" nocase
  $string18 = "restoretargets.exe" nocase
  $string19 = "sendtargets.exe" nocase


 condition:



   1 of them


}


/* -------------------------
------ Phoenix Keylogger -------------
--------------------------- */

rule PhoenixKeyloggerByName
{
meta:
 author = "@neonprimetime"
 description = "Phoenix Keylogger"
strings:
 $string1 = "Phoenix Keylogger" nocase
condition:
 1 of them
}



/* -------------------------
------ BetaBot -------------
--------------------------- */

rule BetaBotByKeyword
{
meta:
 author = "@neonprimetime"
 description = "BetaBot"
strings:
 $string1 = "OnAsyncDestroy" nocase

 $string2 = "OnDestroySubject" nocase

 $string3 = "OnRemoveExisting" nocase

 $string4 = "ccnumber" nocase
condition:
 all of them
}




/* -------------------------
------ Generic Malware -------------
--------------------------- */

rule GenericDotNetFramework

{

meta:
 author = "@neonprimetime"
 description = "Generic .NET Framework detection"


strings:

 $string1 = ".NETFramework"

condition:
 1 of them

}


rule GenericBitcoinStealer

{
meta:
 author = "@neonprimetime"
 description = "Generic Bitcoin Stealer"
strings:
 $string1 = "wallet.dat" nocase

 $string2 = "\\wallets\\" nocase

 $string3 = "\\Electrum" nocase

 $string4 = "Coins\\" nocase

 $string5 = "\\bitcoin" nocase

 $string6 = "\\monero" nocase

 $string7 = "electrum.dat" nocase

 $string8 = "wallet_path" nocase

condition:

 1 of them

}



rule GenericUPXPacker

{
meta:
 author = "@neonprimetime"
 description = "Generic UpX packet"
strings:
 $string1 = "UPX" nocase

condition:

 1 of them


}



rule GenericAutoItPacker

{
meta:
 author = "@neonprimetime"
 description = "Generic AutoItPacker"
strings:
 $string1 = "AutoIt" nocase

 $string2 = "Auto-It" nocase

condition:

 1 of them


}




rule GenericCreditCardStealer
{
meta:
 author = "@neonprimetime"
 description = "Generic Credit Card Stealer"
strings:
 $string1 = "ccnumber" nocase
 $string2 = "expirationmonth" nocase

 $string3 = "monthexpiration" nocase

 $string4 = "card_number" nocase

 $string5 = "securitycode=" nocase

 $string6 = "=amex" nocase

 $string7 = "=visa" nocase

 $string8 = "cardnumber" nocase

condition:
 1 of them
}

rule GenericWebTraffic
{
meta:
 author = "@neonprimetime"
 description = "Generic Web Traffic"
strings:
 $string1 = "Server: lighttpd" nocase
 $string2 = "Host: %s" nocase
 $string3 = "POST %s" nocase
 $string4 = ".php" nocase
condition:
 1 of them
}

rule GenericNetworkTraffic
{
meta:
 author = "@neonprimetime"
 description = "Generic Network Traffic"
strings:
 $string1 = /\..{2,3}\:\d+/ nocase
condition:

 1 of them
}


rule GenericScheduledTask
{
meta:
 author = "@neonprimetime"
 description = "Generic Scheduled Task"
strings:
 $string1 = "schtasks" nocase
condition:


 1 of them
}



rule GenericDomainFlag
{
meta:
 author = "@neonprimetime"
 description = "Generic Domain Flag from AD"
strings:
 $string1 = "/domain" nocase
condition:


 1 of them
}



rule GenericCreateFlag
{
meta:
 author = "@neonprimetime"
 description = "Generic Create Flag from AD"
strings:
 $string1 = "/create" nocase
condition:


 1 of them
}




rule GenericAddFlag
{
meta:
 author = "@neonprimetime"
 description = "Generic Add Flag from AD"
strings:
 $string1 = "/add" nocase
condition:


 1 of them
}






rule GenericSpamMailer
{
meta:
 author = "@neonprimetime"
 description = "Generic Spam Mailer"
strings:
 $string1 = "SEND FROM:" nocase
 $string2 = ":587" nocase
 $string3 = "smtp." nocase
condition:
 1 of them
}

rule GenericIPLookup
{
meta:
 author = "@neonprimetime"
 description = "Generic IP Lookup"
strings:
 $string1 = "checkip.amazonaws.com" nocase
 $string2 = "check-ip.aws." nocase


  $string3 = "ipecho.net" nocase
condition:
 1 of them
}

rule GenericWebcamAccess
{
meta:
 author = "@neonprimetime"
 description = "Generic Webcam Access"
strings:
 $string1 = "webcam" nocase
 $string2 = "OpenCamera" nocase
 $string3 = "CloseCamera" nocase
condition:
 1 of them
}
rule GenericScreenCapture
{
meta:
 author = "@neonprimetime"
 description = "Generic Screen Capture"
strings:
 $string1 = "CaptureScreen" nocase
condition:
 1 of them
}

rule GenericCredentialStealer
{
meta:
 author = "@neonprimetime"
 description = "Generic Credential Stealer"
strings:
 $string1 = "Profiles\\Outlook" nocase
 $string2 = "Login Data" nocase
 $string3 = "encryptedPassword" nocase
 $string4 = "HTTP Password" nocase
 $string5 = "\\profiles.ini" nocase
 $string6 = "\\POP3 Password" nocase
 $string7 = "PuTTY\\Sessions" nocase
 $string8 = "EasyFTP\\data" nocase
 $string9 = "Ftplist.txt" nocase
 $string10 = "\\Login Data" nocase
 $string11 = "\\ws_ftp.ini" nocase
 $string13 = "\\accounts.ini" nocase
 $string14 = "\\accounts.dat" nocase
 $string15 = "CREATE TABLE logins" nocase
 $string16 = "CREATE INDEX logins_signon" nocase
 $string17 = "DecryptIePassword" nocase
 $string18 = "GetSavedPasswords" nocase
 $string19 = "\\Passwords\\" nocase
 $string20 = "WinSCP 2\\Sessions" nocase
 $string21 = "\\HTTP Password" nocase
 $string22 = "\\IMAP Password" nocase
 $string23 = "\\SMTP Password" nocase
 $string24 = "\\HTTP Password" nocase
 $string25 = "[passwords]" nocase
 $string26 = "login-form" nocase
 $string27 = "recentservers.xml" nocase
 $string28 = "type=passwords" nocase
 $string29 = "user-password" nocase
 $string30 = "PasswordsList.txt" nocase
condition:


 1 of them
}
rule GenericBrowserHistoryStealer
{
meta:
 author = "@neonprimetime"
 description = "Generic Browser History Stealer"
strings:

 $string1 = "from urls" nocase

 $string2 = "from moz_places" nocase

condition:

 1 of them

}


rule GenericDataStealer
{
meta:
 author = "@neonprimetime"
 description = "Generic Data Stealer"
strings:
 $string0 = "\\User Data" nocase
 $string1 = "360Chrome\\" nocase
 $string2 = "7Star\\" nocase
 $string3 = "Cyberfox\\" nocase
 $string4 = "Amigo\\" nocase
 $string5 = "Apple Computer\\" nocase
 $string6 = "BraveSoftware\\" nocase
 $string7 = "CatalinaGroup\\" nocase
 $string8 = "CentBrowser\\" nocase
 $string9 = "Chedot\\" nocase
 $string10 = "Chromium\\" nocase
 $string11 = "Claws-mail\\" nocase
 $string12 = "CocCoc\\" nocase
 $string13 = "Comodo\\" nocase
 $string14 = "Coowon\\" nocase
 $string15 = "CoreFTP\\" nocase
 $string16 = "Elements Browser\\" nocase
 $string17 = "Epic Privacy Browser\\" nocase
 $string18 = "falkon\\" nocase
 $string19 = "Fenrir Inc\\" nocase
 $string20 = "FileZilla\\" nocase
 $string21 = "Flock\\" nocase
 $string22 = "FTPGetter\\" nocase
 $string23 = "Google\\" nocase
 $string24 = "Ipswitch\\" nocase
 $string25 = "Iridium\\" nocase
 $string26 = "K-Meleon\\" nocase
 $string27 = "Kometa\\" nocase
 $string28 = "liebao\\" nocase
 $string29 = "MapleStudio\\" nocase
 $string31 = "Moonchild Productions\\" nocase
 $string32 = "Mozilla\\" nocase
 $string35 = "NETGATE Technologies\\" nocase
 $string36 = "Opera Mail\\" nocase
 $string37 = "Opera Software\\" nocase
 $string38 = "Orbitum\\" nocase
 $string39 = "Pocomail\\" nocase
 $string40 = "Postbox\\" nocase
 $string41 = "Psi\\" nocase
 $string42 = "Psi+\\" nocase
 $string43 = "QIP Surf\\" nocase
 $string45 = "SmartFTP\\" nocase
 $string46 = "Sputnik\\" nocase
 $string47 = "Tencent\\" nocase
 $string48 = "The Bat!" nocase
 $string49 = "Thunderbird\\" nocase
 $string50 = "Torch\\" nocase
 $string51 = "Trillian\\" nocase
 $string52 = "UCBrowser\\" nocase
 $string53 = "uCozMedia\\" nocase
 $string54 = "VirtualStore\\" nocase
 $string55 = "Vivaldi\\" nocase
 $string56 = "Waterfox\\" nocase
 $string57 = "Yandex\\" nocase
 $string58 = "keychain.plist" nocase
 $string59 = "GetSavedCookies" nocase
 $string60 = "wcx_ftp.ini" nocase

$string61 = "Start Capture" nocase
 $string62 = "\\accounts.xml" nocase
 $string63 = "\\places.sqlite" nocase
 $string67 = "cookies.sqlite" nocase
condition:
 1 of them
}


rule GenericDeletesItself
{
meta:
 author = "@neonprimetime"
 description = "Generic Deletes Itself"
strings:
 $string1 = "DEL /s" nocase
 $string2 = "cmd /c del" nocase
 $string3 = "deleteSelf" nocase
 $string4 = "/c del %s" nocase
 $string5 = "%del" nocase
 $string6 = "& del" nocase
condition:


 1 of them
}




rule GenericMaliciousCommand
{
meta:
 author = "@neonprimetime"
 description = "Generic Malicious Command"
strings:
 $string1 = "CompSpec" nocase
condition:


 1 of them
}



rule GenericKeylogger
{
meta:
 author = "@neonprimetime"
 description = "Generic Keylogger"
strings:
 $string1 = "Keylog" nocase
 $string2 = "KeyboardLogging" nocase
 $string3 = "[Enter]" nocase
 $string4 = "[Ctrl + C]" nocase
 $string5 = "[Ctrl + V]" nocase
condition:
 1 of them
}



rule GenericDelay
{
meta:
 author = "@neonprimetime"
 description = "Generic Delay"
strings:
 $string1 = "ping 192" nocase
 $string2 = "ping 127" nocase
condition:
 1 of them
}
rule GenericSecurityToolDetection
{
meta:
 author = "@neonprimetime"
 description = "Generic Security Tool Detection"
strings:
 $string1 = "FROM FirewallProduct" nocase
 $string2 = "from AntiVirusProduct" nocase
condition:
 1 of them

}




rule GenericDisableAntivirus


{

meta:
 author = "@neonprimetime"
 description = "Generic Disable AntiVirus"
strings:
 $string1 = "DisableBehaviorMonitoring" nocase
 $string2 = "DisableOnAccessProtection" nocase


 $string3 = "DisableScanOnRealtime" nocase


 $string4 = "DisableRealtimeMonitoring" nocase


 $string5 = "DisableBlockAtFirstSeen" nocase


 $string6 = "DisableIOAVProtection" nocase


 $string7 = "DisableAntiSpyware" nocase


 $string8 = "DisableArchiveScanning" nocase


 $string9 = "DisableScriptScanning" nocase


 $string10 = "Set-MpPreference" nocase
condition:
 1 of them


}


rule GenericFirewallModification

{
meta:
 author = "@neonprimetime"
 description = "Generic Firewall Modifiction"
strings:
 $string1 = "netsh advfirewall" nocase
 $string2 = "firewall add" nocase
condition:
 1 of them

}


rule GenericPHPPanel
{
meta:
 author = "@neonprimetime"
 description = "Generic PHP Panel"
strings:

 $string1 = "/gate.php" nocase

 $string2 = "/fre.php" nocase

condition:

 1 of them

}

rule GenericBase64

{
meta:
 author = "@neonprimetime"
 description = "Generic PHP Panel"
strings:

 $string1 = /\=\=\r\n/ nocase

condition:

 1 of them

}



rule GenericDynamicDns


{
meta:
 author = "@neonprimetime"
 description = "Generic Dynamic DNS"
strings:

 $string1 = ".duckdns.org" nocase

condition:

 1 of them

}

rule GenericVisualBasicScript
{
meta:
 author = "@neonprimetime"
 description = "Generic Visual Basic Script"
strings:
 $string1 = ".shellexecute" nocase
 $string2 = "shell.application" nocase
 $string3 = "Wscript.Sleep" nocase
 $string4 = "ExecuteGlobal" nocase
 $string5 = "Shell.run" nocase
 $string6 = "Scripting.FileSystemObject" nocase
 $string7 = ":::const " nocase
 $string8 = "vbscontent" nocase
 $string9 = "Execute(" nocase
 $string10 = "ChrW(48) & ChrW(" nocase
 $string11 = "ChrW(48)&ChrW(" nocase
condition:
 1 of them
}

rule GenericHackerTerms
{

meta:
 author = "@neonprimetime"
 description = "Generic Hacker Terms"
strings:
 $string1 = "payloadpath" nocase
 $string2 = "payloadexist" nocase

condition:
 1 of them

}

rule GenericAntiDebug
{
meta:
 author = "@neonprimetime"
 description = "Generic Anti Debug techniques"
strings:
 $string1 = "CheckRemoteDebuggerPresent" nocase
condition:
 1 of them

}


rule GenericTor
{
meta:
 author = "@neonprimetime"
 description = "Generic Tor Dark Web"
strings:
 $string1 = "torproject.org" nocase
 $string2 = ".onion" nocase
 $string3 = "TOR browser" nocase
 
condition:
 1 of them

}






rule GenericPasswordList
{
meta:
 author = "@neonprimetime"
 description = "Generic Password List"
strings:
 $string1 = "peternorth" nocase
 $string2 = "motherfucker" nocase
 $string3 = "pimpdaddy" nocase
 $string4 = "ihavenopass" nocase
 $string5 = "fuckoff" nocase


 $string6 = "dickhead" nocase


 $string7 = "passw0rd" nocase


 $string8 = "changeme" nocase

condition:
 1 of them

}





rule GenericUserAgent


{


 meta:


  author = "@neonprimetime"
  description = "Generic User Agents oddities"


 strings:
  $string1 = "User-Agent: curl" nocase


  $string2 = "User-Agent: wget" nocase


 condition: 


  1 of them


}






rule GenericWebServer


{


 meta: 


  author = "@neonprimetime"


  description = "Generic Web Server info"


 strings: 


  $string1 = "nginx"


  $string2 = "apache"


 condition:
  1 of them


}










Posted by



at





No comments:
  


















Labels:
,
,
,
,
,
,
,
,
,

















          

        

          

        

Tuesday, February 12, 2019


          

        









#lokibot










#lokibot



------------------------------

2/19/2019


https://www.virustotal.com/#/file/da30b124c95eda90524716d0bd4b5af608f50fa52b126f1720c38933c916eb2e/detection


Email w/ attachment Document.exe



Compiler: 

- Microsoft Visual Basic(6.0)[Native]


Running behavior: (RUN AS ADMINISTRATOR)

- starts a child process with same name

- dns lookup to ubochiomaswifts.cf (104.24.109.185, 104.24.108.185)

- http post to ubochiomaswifts.cf/eshi/fre.php , payload contains fuckav.ru, PC name, random Letters/Numbers at the end

- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)

- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)

- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)

- CreateFile api calls to Email files (yMail, TrulyMail)

- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)







Memory strings while Running:  ( https://pastebin.com/raw/zL04fvx5  )



- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)

- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)

- strings related to profile ini files (profiles.ini)

- strings related to FTP files

- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com

- the url ubochiomaswifts.cf/eshi/fre.php

- function names prefixed by "Crypt"









IDA Pro Behavior (RUN AS ADMINISTRATOR)





- 34F0000: The instruction at 0x34F0000 referenced memory at 0xE09092C9. The memory could not be written -> E09092C9 (exc.code c0000005, tid 968)



------------------------------

2/19/2019


https://www.virustotal.com/#/file/0d1c8154f0454b6a4ee8312f935e8af95a0765368488bed6f68f8fe443350537/detection



Email w/ attachment TT Advice.exe



Compiler: 

- Microsoft Visual Basic(6.0)[Native]


Running behavior: (RUN AS ADMINISTRATOR)

- starts a copy of itself

- dns lookup to www.cashoutsquad.com (47.254.177.121)

- http post to www.cashoutsquad.com/motivate/minds/more/fre.php , payload contains fuckav.ru, PC name, random Letters/Numbers at the end

- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)

- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)

- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)

- CreateFile api calls to Email files (yMail, TrulyMail)

- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)







Memory strings while Running:  ( https://pastebin.com/raw/RQUy268M )



- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)

- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)

- strings related to profile ini files (profiles.ini)

- strings related to FTP files

- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com

- the url awww.cashoutsquad.com/motivate/minds/more/fre.php

- function names prefixed by "Crypt"









IDA Pro Behavior (RUN AS ADMINISTRATOR)



- 0: The instruction at 0x0 referenced memory at 0x0. The memory could not be executed -> 00000000 (exc.code c0000005, tid 676)







------------------------------

2/12/2019


https://app.any.run/tasks/c72c5d4e-510e-4d5d-a863-502ecc3ea777

https://www.virustotal.com/#/file/57d57613ef46c879ca65a307b52625628b706601bf10cebad126d5bbcbbc9118/detection


hxxp://gemaco[.]com[.]ve/js/file/coc.exe


Compiler: 

- Microsoft Visual Basic(6.0)[Native]


Running behavior: (RUN AS ADMINISTRATOR)

- starts a copy of itself, deletes original copy of itself, new copy of itself very small in memory, very low cpu usage for long time

- dns lookup to archanadiagnostics.com (172.96.12.126)

- http post to archanadiagnostics.com/css/coco/five/fre.php , payload contains fuckav.ru, PC name, random Letters/Numbers at the end

- CreateFile api calls to login data folders (chrome, comodo, titan browser, etc.)

- CreateFile api calls to Web Data folders (chrome, comodo, titan browser, etc.)

- CreateFile api calls to FTP config files (MyFTP, EasyFTP, AbleFTP, FileZilla, WS_FTP, etc)

- CreateFile api calls to Email files (yMail, TrulyMail)

- CreateFile api calls to password managers (Enpass, RoboForm, 1Password)







Memory strings while Running:



- very small capture

- random obfuscated strings, many start with letter X, 10 chars long (Xje[jr_jaf, XjlZjd^j\f, etc.)

- strings related to Login & Web Data (chrome, titan browser, Mozilla, etc.)

- strings related to profile ini files (profiles.ini)

- strings related to FTP files

- Copyright Joergen Ibsen, aPLib v1.01, ibsensoftware.com

- the url archanadiagnostics.com/css/coco/five/fre.php

- lots of decimal number prefixed by Gu, Hu, Cu, etc.

- function names prefixed by "Crypt"









IDA Pro Behavior (RUN AS ADMINISTRATOR)



- crashes with 755FC54F: Floating point inexact result (exc.code c000008f, tid 1228)





------------------------------












Posted by



at





No comments:
  


















Labels:

























#trickbot










#trickbot

------------------------------

2/12/2019


https://app.any.run/tasks/c72c5d4e-510e-4d5d-a863-502ecc3ea777

https://www.virustotal.com/#/file/57d57613ef46c879ca65a307b52625628b706601bf10cebad126d5bbcbbc9118/detection



hxxp://85.143.220.1/sin.png


Compiler: 

- Microsoft Visual Basic(6.0)[Native]


Running behavior: (RUN AS ADMINISTRATOR)

- saw child process of cmd and powershell

- saw child process with random name (tsjclbpt.exe) with child of svchost, then disappeared

- a few minutes later svchost.exe re-appeared with multiple child processes of the same name

- wrote copy of itself %appdata%\roaming\sysdefrag\tsjclbpt.exe

- wrote settings.ini in same folder with random strings in it

- wrote Data folder in same folder with pwgrab, systeminfo, injectdll files

- captured no dns or http network traffic









Memory strings while Running:



- closed too fast to capture initially but when svchost.exe re-opened captured one of it's children

--- strings that look like url params (serialNumber=, emailAddress=, ?456789:;<=, /snapshoot/)

--- a string for login data (\google\chrome\...\Login Data.bak , Grab_Passwords_Chrome, Outlook password)

--- repeated strings (WATAUAVAWH, @A_A^A]A\_)

--- strings of language/country (french-canadian, italian-swiss, spanish-honduras, etc.)

--- copyright string (P.J. Plauger, licensed by Dinkumware)

--- lots of functions that start with "Crypt"

--- lots of numerical decimal type numbers (1.2.840.113549.1.95, 1.3.6.1.5.5.7.2.2, etc.)

--- string that looks like pc info (sin6/PCNAME.RANDOMLETTERS/83/)

--- Numerous IP addresses in a row with various ports (190.146.112.216:8082, 97.87.127.198:80, etc.)

--- html / xml like tags (<dpost>, <handler>)

--- table names like (tablecredit_cards, server_addresses, card_metadata)

--- lists of encryption algorithms (AES-128-CBC, DES-EDE3-CBC, SSL_RSA, TLS_RSA, etc.)









IDA Pro Behavior (RUN AS ADMINISTRATOR)



- It ran successfully, i saw all the child processes spawned, etc then it exited with code 0





------------------------------

2/8/2019


https://app.any.run/tasks/b621b7ef-eeb0-4d87-93cb-36b8bebb8c5b

https://www.virustotal.com/#/file/41b6047c2edf7edcd565450ef04b92a5aa9b0a29cf35e0b2a3f27538d21559df/detection



Compiler: 

- Microsoft Visual C/C++(-)[-]


Running behavior: (RUN AS ADMINISTRATOR)

- saw cmd launch powershell immediately after

- saw a new svchost.exe running temporarily then disappears

- popup saying windows defender was deleted

- a few minutes later svchost.exe starts up again with 1 child process also named svchost.exe

- wrote copy of itself to %appdata%\roaming\cleanmem\vasao.exe

- wrote settings.ini in same folder with random strings in it

- wrote Data folder in same folder with pwgrab, systeminfo, injectdll files



- captured no real dns or http network traffic except dns lookup to "ident.me" (176.58.123.25)

















Memory strings while Running:



- closed too fast to get memory capture on 1st one, but grabbed svchost.exe child again

--- lots of functions that start with "Crypt"

--- lots of numerical decimal type numbers (1.2.840.113549.1.95, 1.3.6.1.5.5.7.2.2, etc.)



--- urls & ip (6lwyu54ybblfuex6.onion , 185.62.188.30:443)



--- Numerous IP addresses in a row with various ports ( 68.119.85.138:449, 103.47.169.27:449)



--- string that looks like pc info (sat36/PCNAME_RANDOMCHARACTERS/5/spk/)



--- tons of strings about Certificates from Verisign, GoDaddy, Symantec, etc.



--- repeated strings (WATAUAVAWH, @A_A^A]A\_)









IDA Pro Behavior (RUN AS ADMINISTRATOR)





- It ran successfully, i saw all the child processes spawned, etc then it exited with code 0










Posted by



at





No comments:
  


















Labels:

















        

      









Subscribe to:
Posts (Atom)