├── LICENSE
├── PlugX
    ├── PlugX_GULP
    │   ├── plugx_gulp.py
    │   ├── plugx_gulp_cfg_dec.py
    │   ├── plugx_versions.txt
    │   └── x64dbg_extract_payload.py
    ├── PlugX_THOR
    │   ├── plugx_thor.py
    │   ├── plugx_thor_cfg_dec.py
    │   └── x64dbg_extract_payload.py
    └── PlugX_XV
    │   ├── lznt1dec.py
    │   ├── plugx_xv.py
    │   ├── plugx_xv_cfg_dec.py
    │   ├── plugx_xv_cfg_parse.py
    │   ├── plugx_xv_keylog_dec.py
    │   ├── plugx_xv_versions.txt
    │   └── x64dbg_extract_payload.py
├── PoisonIvy
    └── parse_cfg.py
├── RCSession
    ├── RCSession.yar
    ├── rcsession_cfg_decrypt.py
    └── rcsession_keylog_dec.py
└── README.md


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2022 Andrey Zhdanov
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_GULP/plugx_gulp.py:
--------------------------------------------------------------------------------
 1 | import struct
 2 | 
 3 | 
 4 | def decrypt(data):
 5 |     dec_data = b''
 6 |     data_len = len(data)
 7 |     n1, = struct.unpack_from('<L', data, 0)
 8 |     n2 = n1
 9 |     n3 = n1
10 |     n4 = n1
11 |     for i in range(data_len):
12 |         n1 = (n1 + (n1 >> 3) - 0x11111111) & 0xFFFFFFFF
13 |         n2 = (n2 + (n2 >> 5) - 0x22222222) & 0xFFFFFFFF
14 |         n3 = (n3 + (0x33333333 - (n3 << 7))) & 0xFFFFFFFF
15 |         n4 = (n4 + (0x44444444 - (n4 << 9))) & 0xFFFFFFFF
16 |         b = (data[i] ^ (n2 + n1 + n3 + n4)) & 0xFF
17 |         dec_data += bytes([b])
18 |     return dec_data
19 | 
20 | 
21 | if __name__ == '__main__':
22 |     import sys
23 |     import io
24 | 
25 |     if len(sys.argv) != 2:
26 |         print('Usage: '+ sys.argv[0] + ' filename')
27 |         sys.exit(0)
28 | 
29 |     file_name = sys.argv[1]
30 |     with io.open(file_name, 'rb') as f:
31 |         data = f.read()
32 | 
33 |     dec_data = decrypt(data)
34 | 
35 |     new_file_name = file_name + '.dec'
36 |     with io.open(new_file_name, 'wb') as f:
37 |         f.write(dec_data)
38 | 
39 |     print('Done!')
40 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_GULP/plugx_gulp_cfg_dec.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import io
 3 | import plugx_gulp
 4 | 
 5 | 
 6 | if len(sys.argv) != 2:
 7 |     print('Usage: '+ sys.argv[0] + ' filename')
 8 |     sys.exit(0)
 9 | 
10 | file_name = sys.argv[1]
11 | 
12 | with io.open(file_name, 'rb') as f:
13 |     data = f.read()
14 | 
15 | dec_data = plugx_gulp.decrypt(data)
16 | 
17 | new_file_name = file_name + '.dec'
18 | with io.open(new_file_name, 'wb') as f:
19 |     f.write(dec_data)
20 | 
21 | print('Done!')
22 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_GULP/plugx_versions.txt:
--------------------------------------------------------------------------------
 1 | GULP
 2 | ----
 3 | SHFolder.dll/SHFolder.dll.shf
 4 | MAPI32.dll/OutlookBar.Doc
 5 | NvSmartMax.dll/boot.ldr
 6 | NSLS.dll/msimain17.sdb
 7 | McUtil.dll/McUtil.dll.url
 8 | WINMM.dll/sep_NE.slf
 9 | PNIPCN.dll/PipSEC
10 | ?/qbcore.dll.url
11 | NvSmartMax.dll/HRB.bmp
12 | HID.dll/HID.dllx
13 | 
14 | XXXX
15 | ----
16 | McUtil.dll/McUtil.dll.url
17 | 
18 | IP
19 | --
20 | NvSmartMax.dll/boot.ldr
21 | 
22 | msvsct.exe/msvsct.ini
23 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_GULP/x64dbg_extract_payload.py:
--------------------------------------------------------------------------------
  1 | import io
  2 | import os
  3 | from x64dbgpy.pluginsdk import *
  4 | 
  5 | 
  6 | def x64dbg_save_data(dest_dir, file_name, addr, size):
  7 |     """Save data to file"""
  8 | 
  9 |     # Read data
 10 |     read_bytes = bytearray(size)
 11 |     result, read_size = x64dbg.Memory_Read(addr, read_bytes, size)
 12 | 
 13 |     # Save data to file
 14 |     with io.open(os.path.join(dest_dir, file_name), 'wb') as f:
 15 |         f.write(read_bytes[:read_size])
 16 | 
 17 | 
 18 | def x64dbg_run_to_addr(addr):
 19 |     """Run to specifed address"""
 20 | 
 21 |     x64dbg.SetHardwareBreakpoint(addr, x64dbg.HardwareExecute)
 22 |     x64dbg.Run()
 23 |     x64dbg.DeleteHardwareBreakpoint(addr)
 24 | 
 25 | 
 26 | def x64dbg_get_ep_addr(mod_addr):
 27 |     """Get PE module entry point address"""
 28 | 
 29 |     nt_hdr_addr = mod_addr + x64dbg.ReadDword(mod_addr + 0x3C)
 30 | 
 31 |     num_sections = x64dbg.ReadWord(nt_hdr_addr + 6)
 32 |     ep_rva = x64dbg.ReadDword(nt_hdr_addr + 0x28)
 33 |     opt_hdr_size = x64dbg.ReadWord(nt_hdr_addr + 0x14)
 34 |     nt_hdr_size = 4 + 0x14 + opt_hdr_size
 35 |     section_hdr_addr = nt_hdr_addr + nt_hdr_size
 36 | 
 37 |     for i in range(num_sections):
 38 | 
 39 |         s_vsize = x64dbg.ReadWord(section_hdr_addr + 8)
 40 |         s_rva = x64dbg.ReadWord(section_hdr_addr + 12)
 41 |         s_psize = x64dbg.ReadWord(section_hdr_addr + 16)
 42 |         s_pos = x64dbg.ReadWord(section_hdr_addr + 20)
 43 | 
 44 |         if (s_pos != 0) and (ep_rva >= s_rva):
 45 |             offset = ep_rva - s_rva
 46 |             if (offset < min(s_vsize, s_psize)):
 47 |                 return (mod_addr + s_pos + offset)
 48 | 
 49 |         section_hdr_addr += 0x28
 50 | 
 51 |     return 0
 52 | 
 53 | 
 54 | #
 55 | # Main
 56 | #
 57 | 
 58 | dest_dir = os.path.abspath(os.path.dirname(__file__))
 59 | 
 60 | x64dbg.Run()
 61 | 
 62 | # Break on RtlDecompressBuffer
 63 | addr = ResolveLabel('RtlDecompressBuffer')
 64 | if addr == 0:
 65 |     raise Exception('Failed to resolve RtlDecompressBuffer.')
 66 | x64dbg_run_to_addr(addr)
 67 | 
 68 | addr = x64dbg.GetESP()
 69 | 
 70 | # Check COMPRESSION_FORMAT_LZNT1
 71 | if x64dbg.ReadDword(addr + 4) != 2:
 72 |     raise Exception('Invalid compression format.')
 73 | 
 74 | # Save payload
 75 | payload_addr = x64dbg.ReadPtr(addr + 8)
 76 | payload_size = x64dbg.ReadPtr(addr + 12)
 77 | print('Payload address: %08X' % payload_addr)
 78 | print('Payload size: %d' % payload_size)
 79 | x64dbg.StepOut()
 80 | x64dbg_save_data(dest_dir, 'payload.dll_', payload_addr, payload_size)
 81 | 
 82 | # Get payload entry point address
 83 | ep_addr = x64dbg_get_ep_addr(payload_addr)
 84 | if ep_addr == 0:
 85 |     raise Exception('Couldn\'t get payload entry point address.')
 86 | print('Payload entry point address: %08X' % ep_addr)
 87 | 
 88 | # Write int 3 to payload entry point
 89 | x64dbg.WriteByte(ep_addr, 0xCC)
 90 | 
 91 | x64dbg.Run()
 92 | 
 93 | addr = x64dbg.GetESP()
 94 | payload_base = x64dbg.ReadPtr(addr + 4)
 95 | print('Payload base address: %08X' % payload_base)
 96 | 
 97 | # PlugX payload signature
 98 | plugx_sign = x64dbg.ReadDword(payload_base)
 99 | print('Payload signature: %08X' % plugx_sign)
100 | 
101 | # Shellcode
102 | shellcode_addr = x64dbg.ReadPtr(payload_base + 4)
103 | shellcode_size = x64dbg.ReadPtr(payload_base + 8)
104 | print('Shellcode address: %08X' % shellcode_addr)
105 | print('Shellcode size: %d' % shellcode_size)
106 | x64dbg_save_data(dest_dir, 'shellcode.bin', shellcode_addr, shellcode_size)
107 | 
108 | # Packed payload
109 | packed_payload_addr = x64dbg.ReadPtr(payload_base + 0xC)
110 | packed_payload_size = x64dbg.ReadPtr(payload_base + 0x10)
111 | print('Packed payload address: %08X' % packed_payload_addr)
112 | print('Packed payload size: %d' % packed_payload_size)
113 | x64dbg_save_data(dest_dir, 'payload.pak',
114 |                  packed_payload_addr, packed_payload_size)
115 | 
116 | # Configuration data
117 | cfg_addr = x64dbg.ReadPtr(payload_base + 0x14)
118 | cfg_size = x64dbg.ReadPtr(payload_base + 0x18)
119 | print('Config address: %08X' % cfg_addr)
120 | print('Config size: %d' % cfg_size)
121 | x64dbg_save_data(dest_dir, 'config.enc', cfg_addr, cfg_size)
122 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_THOR/plugx_thor.py:
--------------------------------------------------------------------------------
 1 | import struct
 2 | 
 3 | 
 4 | def decrypt1(data):
 5 | 
 6 |     dec_data = b''
 7 | 
 8 |     n1, = struct.unpack_from('<L', data, 0)
 9 |     n2 = n1
10 |     n3 = n1
11 |     n4 = n1
12 | 
13 |     for i in range(len(data)):
14 |         n1 = (n1 + (n1 >> 3) - 0x56565656) & 0xFFFFFFFF
15 |         n2 = (n2 + (n2 >> 5) - 0x36363636) & 0xFFFFFFFF
16 |         n3 = (n3 - (n3 << 7) + 0x57575757) & 0xFFFFFFFF
17 |         n4 = (n4 - (n4 << 9) - 0x76767677) & 0xFFFFFFFF
18 |         b = (data[i] ^ (n1 + n2 + n3 + n4)) & 0xFF
19 |         dec_data += bytes([b])
20 | 
21 |     return dec_data
22 | 
23 | 
24 | def decrypt2(data, start_pos=16):
25 | 
26 |     dec_data = b''
27 | 
28 |     n1, = struct.unpack_from('<L', data, 0)
29 |     n2 = n1
30 |     n3 = n1
31 |     n4 = n1
32 | 
33 |     for i in range(start_pos, len(data)):
34 |         n1 = (n1 + (n1 >> 3) - 0x66666666) & 0xFFFFFFFF
35 |         n2 = (n2 + (n2 >> 5) + 0x76767677) & 0xFFFFFFFF
36 |         n3 = (n3 - (n3 << 7) + 0x67676767) & 0xFFFFFFFF
37 |         n4 = (n4 - (n4 << 9) - 0x66666667) & 0xFFFFFFFF
38 |         b = (data[i] ^ (n1 + n2 + n3 + n4)) & 0xFF
39 |         dec_data += bytes([b])
40 | 
41 |     return dec_data
42 | 
43 | 
44 | if __name__ == '__main__':
45 |     import sys
46 |     import io
47 | 
48 |     if len(sys.argv) != 2:
49 |         print('Usage: '+ sys.argv[0] + ' filename')
50 |         sys.exit(0)
51 | 
52 |     file_name = sys.argv[1]
53 |     with io.open(file_name, 'rb') as f:
54 |         data = f.read()
55 | 
56 |     dec_data = decrypt(data)
57 | 
58 |     new_file_name = file_name + '.dec'
59 |     with io.open(new_file_name, 'wb') as f:
60 |         f.write(dec_data)
61 | 
62 |     print('Done!')
63 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_THOR/plugx_thor_cfg_dec.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import io
 3 | import plugx_thor
 4 | 
 5 | 
 6 | if len(sys.argv) != 2:
 7 |     print('Usage: '+ sys.argv[0] + ' filename')
 8 |     sys.exit(0)
 9 | 
10 | file_name = sys.argv[1]
11 | 
12 | with io.open(file_name, 'rb') as f:
13 |     data = f.read()
14 | 
15 | dec_data = plugx_thor.decrypt1(data)
16 | 
17 | new_file_name = file_name + '.dec'
18 | with io.open(new_file_name, 'wb') as f:
19 |     f.write(dec_data)
20 | 
21 | print('Done!')
22 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_THOR/x64dbg_extract_payload.py:
--------------------------------------------------------------------------------
  1 | import io
  2 | import os
  3 | from x64dbgpy.pluginsdk import *
  4 | 
  5 | 
  6 | def x64dbg_save_data(dest_dir, file_name, addr, size):
  7 |     """Save data to file"""
  8 | 
  9 |     # Read data
 10 |     read_bytes = bytearray(size)
 11 |     result, read_size = x64dbg.Memory_Read(addr, read_bytes, size)
 12 | 
 13 |     # Save data to file
 14 |     with io.open(os.path.join(dest_dir, file_name), 'wb') as f:
 15 |         f.write(read_bytes[:read_size])
 16 | 
 17 | 
 18 | def x64dbg_run_to_addr(addr):
 19 |     """Run to specifed address"""
 20 | 
 21 |     x64dbg.SetHardwareBreakpoint(addr, x64dbg.HardwareExecute)
 22 |     x64dbg.Run()
 23 |     x64dbg.DeleteHardwareBreakpoint(addr)
 24 | 
 25 | 
 26 | def x64dbg_get_ep_addr(mod_addr):
 27 |     """Get PE module entry point address"""
 28 | 
 29 |     nt_hdr_addr = mod_addr + x64dbg.ReadDword(mod_addr + 0x3C)
 30 | 
 31 |     num_sections = x64dbg.ReadWord(nt_hdr_addr + 6)
 32 |     ep_rva = x64dbg.ReadDword(nt_hdr_addr + 0x28)
 33 |     opt_hdr_size = x64dbg.ReadWord(nt_hdr_addr + 0x14)
 34 |     nt_hdr_size = 4 + 0x14 + opt_hdr_size
 35 |     section_hdr_addr = nt_hdr_addr + nt_hdr_size
 36 | 
 37 |     for i in range(num_sections):
 38 | 
 39 |         s_vsize = x64dbg.ReadWord(section_hdr_addr + 8)
 40 |         s_rva = x64dbg.ReadWord(section_hdr_addr + 12)
 41 |         s_psize = x64dbg.ReadWord(section_hdr_addr + 16)
 42 |         s_pos = x64dbg.ReadWord(section_hdr_addr + 20)
 43 | 
 44 |         if (s_pos != 0) and (ep_rva >= s_rva):
 45 |             offset = ep_rva - s_rva
 46 |             if (offset < min(s_vsize, s_psize)):
 47 |                 return (mod_addr + s_pos + offset)
 48 | 
 49 |         section_hdr_addr += 0x28
 50 | 
 51 |     return 0
 52 | 
 53 | 
 54 | #
 55 | # Main
 56 | #
 57 | 
 58 | dest_dir = os.path.abspath(os.path.dirname(__file__))
 59 | 
 60 | x64dbg.Run()
 61 | 
 62 | # Break on RtlDecompressBuffer
 63 | addr = ResolveLabel('RtlDecompressBuffer')
 64 | if addr == 0:
 65 |     raise Exception('Failed to resolve RtlDecompressBuffer.')
 66 | x64dbg_run_to_addr(addr)
 67 | 
 68 | addr = x64dbg.GetESP()
 69 | 
 70 | # Check COMPRESSION_FORMAT_LZNT1
 71 | if x64dbg.ReadDword(addr + 4) != 2:
 72 |     raise Exception('Invalid compression format.')
 73 | 
 74 | # Save payload
 75 | payload_addr = x64dbg.ReadPtr(addr + 8)
 76 | payload_size = x64dbg.ReadDword(addr + 12)
 77 | print('Payload address: %08X' % payload_addr)
 78 | print('Payload size: %d' % payload_size)
 79 | x64dbg.StepOut()
 80 | x64dbg_save_data(dest_dir, 'payload.dll_', payload_addr, payload_size)
 81 | 
 82 | # Get payload entry point address
 83 | ep_addr = x64dbg_get_ep_addr(payload_addr)
 84 | if ep_addr == 0:
 85 |     raise Exception('Couldn\'t get payload entry point address.')
 86 | print('Payload entry point address: %08X' % ep_addr)
 87 | 
 88 | # Write int 3 to payload entry point
 89 | x64dbg.WriteByte(ep_addr, 0xCC)
 90 | 
 91 | x64dbg.Run()
 92 | 
 93 | addr = x64dbg.GetESP()
 94 | payload_base = x64dbg.ReadPtr(addr + 4)
 95 | print('Payload base address: %08X' % payload_base)
 96 | 
 97 | # PlugX payload signature
 98 | plugx_sign = x64dbg.ReadDword(payload_base)
 99 | print('Payload signature: %08X' % plugx_sign)
100 | 
101 | # Shellcode
102 | shellcode_addr = x64dbg.ReadPtr(payload_base + 4)
103 | shellcode_size = x64dbg.ReadDword(payload_base + 8)
104 | print('Shellcode address: %08X' % shellcode_addr)
105 | print('Shellcode size: %d' % shellcode_size)
106 | x64dbg_save_data(dest_dir, 'shellcode.bin', shellcode_addr, shellcode_size)
107 | 
108 | # Packed payload
109 | packed_payload_addr = x64dbg.ReadPtr(payload_base + 0xC)
110 | packed_payload_size = x64dbg.ReadDword(payload_base + 0x10)
111 | print('Packed payload address: %08X' % packed_payload_addr)
112 | print('Packed payload size: %d' % packed_payload_size)
113 | x64dbg_save_data(dest_dir, 'payload.pak',
114 |                  packed_payload_addr, packed_payload_size)
115 | 
116 | # Configuration data
117 | cfg_addr = x64dbg.ReadPtr(payload_base + 0x14)
118 | cfg_size = x64dbg.ReadDword(payload_base + 0x18)
119 | print('Config address: %08X' % cfg_addr)
120 | print('Config size: %d' % cfg_size)
121 | x64dbg_save_data(dest_dir, 'config.enc', cfg_addr, cfg_size)
122 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_XV/lznt1dec.py:
--------------------------------------------------------------------------------
 1 | import struct
 2 | 
 3 | 
 4 | def decompress(data):
 5 |     """LZNT1 decompression"""
 6 | 
 7 |     dec_data = bytearray()
 8 |     data_len = len(data)
 9 |     written = 0
10 |     i = 0
11 |     while (i < data_len):
12 |         chunk_hdr, = struct.unpack_from('<H', data, i)
13 |         if (((chunk_hdr >> 8) & 0x70) != 0x30):
14 |             break
15 |         chunk_len = (chunk_hdr & 0x0FFF) + 1
16 |         i += 2
17 |         if (((chunk_hdr >> 8) & 0x80) != 0):
18 |             chunk_written = 0
19 |             next_threshold = 16
20 |             split = 12
21 |             tag_bit = 0
22 |             j = 0
23 |             while (j < chunk_len):
24 |                 if (tag_bit == 0):
25 |                     tag = data[i + j]
26 |                     j += 1
27 |                 if ((tag & 1) != 0):
28 |                     while (chunk_written > next_threshold):
29 |                         split -= 1
30 |                         next_threshold <<= 1
31 |                     n, = struct.unpack_from('<H', data, i + j)
32 |                     j += 2
33 |                     copy_len = (n & ((1 << split) - 1)) + 3
34 |                     copy_from = written - ((n >> split) + 1)
35 |                     for k in range(copy_len):
36 |                         dec_data.append(dec_data[copy_from + k])
37 |                         chunk_written += 1
38 |                         written += 1
39 |                 else:
40 |                     dec_data.append(data[i + j])
41 |                     j += 1
42 |                     chunk_written += 1
43 |                     written += 1
44 |                 tag >>= 1
45 |                 tag_bit = (tag_bit + 1) & 7
46 |         else:
47 |             for j in range(chunk_len):
48 |                 dec_data.append(data[i + j])
49 |                 written += 1
50 |         i += chunk_len
51 |     return bytes(dec_data)
52 | 
53 | 
54 | if __name__ == '__main__':
55 |     import sys
56 |     import io
57 | 
58 |     if len(sys.argv) != 2:
59 |         print('Usage: '+ sys.argv[0] + ' filename')
60 |         sys.exit(0)
61 | 
62 |     file_name = sys.argv[1]
63 |     with io.open(file_name, 'rb') as f:
64 |         data = f.read()
65 | 
66 |     dec_data = decompress(data)
67 | 
68 |     new_file_name = file_name + '.dec'
69 |     with io.open(new_file_name, 'wb') as f:
70 |         f.write(dec_data)
71 | 
72 |     print('Done!')
73 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_XV/plugx_xv.py:
--------------------------------------------------------------------------------
  1 | import struct
  2 | import lznt1dec
  3 | 
  4 | 
  5 | def decrypt1(data, n_add, start_pos):
  6 |     """PlugX XV decrypt data universal function (variant 1)"""
  7 | 
  8 |     dec_data = b''
  9 | 
 10 |     n, = struct.unpack_from('<L', data, 0)
 11 | 
 12 |     for i in range(start_pos, len(data)):
 13 |         n = ((n << 7) - (n >> 3) + (i - start_pos) + n_add) & 0xFFFFFFFF
 14 |         b = (data[i] ^ (n >> 24) ^ (n >> 16) ^ (n >> 8) ^ n) & 0xFF
 15 |         dec_data += bytes([b])
 16 | 
 17 |     return dec_data
 18 | 
 19 | 
 20 | convolute_dword = lambda n: (((n - (n >> 8)) ^ (n >> 16)) - (n >> 24)) & 0xFF
 21 | 
 22 | 
 23 | def decrypt2(data, n1_xor, n2_xor, n1_add, n2_sub):
 24 |     """PlugX XV decrypt data universal function (variant 2)"""
 25 | 
 26 |     dec_data = b''
 27 | 
 28 |     n, = struct.unpack_from('<L', data, 0)
 29 |     if n1_xor == 0:
 30 |         n1 = n
 31 |         n2 = n2_xor
 32 |     else:
 33 |         n1 = n ^ n1_xor
 34 |         n2 = n ^ n2_xor
 35 | 
 36 |     for i in range(4, len(data)):
 37 |         n1 = (n1 + n1_add) & 0xFFFFFFFF
 38 |         n2 = (n2 - n2_sub) & 0xFFFFFFFF
 39 |         b = data[i] ^ convolute_dword(convolute_dword(n1) ^ n2)
 40 |         dec_data += bytes([b])
 41 | 
 42 |     return dec_data
 43 | 
 44 | 
 45 | PLUGX_XV_DECRYPT_SETTINGS = {
 46 |     # (type, constants)
 47 | 
 48 |     # Version: 20130524
 49 |     # RasTls.dll/RasTls.dll.msc
 50 |     # Version: 20130810
 51 |     # AShldRes.dll/AShldRes.DLL.asr
 52 |     # ushata.dll/ushata.dll.avp
 53 |     20130524: ( 0, 0x713A8FC1 ),
 54 | 
 55 |     # Version: 20140307
 56 |     # SetupEngine.dll/System.bin
 57 |     20140307: ( 0, 0x20140307 ),
 58 | 
 59 |     # Version: 20140428
 60 |     # ushata.dll/ushata.door.open
 61 |     # McAltLib.dll/mcs.cvt
 62 |     20140428: ( 0, 0x20140428 ),
 63 | 
 64 |     # Version: 20140509
 65 |     # splash_screen.dll/splash_screen.dyload
 66 |     20140509: ( 0, 0x20140509 ),
 67 | 
 68 |     # Version: 20140609
 69 |     # mcutil.dll/mcutil.dll.bbc
 70 |     # aross.dll/kor_boot.ttf
 71 |     # aross.dll/wintask.log
 72 |     # aross.dll/aross.pig
 73 |     # Winssec.exe/Winssec.cfg
 74 |     # winkit.exe/winkit.cfg
 75 |     # lscsvr.exe/lscsvr.cfg
 76 |     # wrap.exe/setting.ini
 77 |     # unitsvc.exe/unitsvc.cfg
 78 |     # rnapp.exe/rnapp.cfg
 79 |     # Csrsec.exe/Csrsec.cfg
 80 |     20140609: ( 1, ( 0, 0x20140609, 0x0C34F, 0x7525 ) ),
 81 | 
 82 |     # Version: 20140613
 83 |     # dbghelp.dll/moic.exe.dat
 84 |     # dbghelp.dll/winhlp32.exe.dat
 85 |     # McUtil.dll/McUtil.dll.mc
 86 |     # RasTls.dll/set.conf
 87 |     # msi.dll/msi.dll.mov
 88 |     20140613: ( 1, ( 0, 0x20140613, 0x0C34F, 0x7525 ) ),
 89 | 
 90 |     # Version: 20140719
 91 |     # splash_screen.dll/splash_screen.dll.sky
 92 |     # aross.dll/aross.pig
 93 |     # symerr.exe/ccL110U.dll
 94 |     # po_x64.dll
 95 |     # lsm.exe
 96 |     # dwm.exe
 97 |     # depends.exe
 98 |     20140719: ( 1, ( 0x13352AF, 0x0A7, 0x6FD, 0x305B ) ),
 99 | 
100 |     # Version: 20140818
101 |     # mcutil.dll/mcf.ep
102 |     20140818: ( 1, ( 0x1335312, 0x47, 0x2CF, 0x1EDD ) ),
103 | 
104 |     # Version: 20141028
105 |     # fslapi.dll/fslapi.dll.gui
106 |     20141028: ( 1, ( 0x13353E4, 0x139, 0x655, 0x6697 ) ),
107 |                                                     
108 |     # Version: 20141216
109 |     # ssMUIDLL.dll/ssMUIDLL.dll.conf
110 |     20141216: ( 1, ( 0xEF, 0xA3D, 0x5347, 0x13354A0 ) ),
111 | 
112 |     # Version: 20150108
113 |     # SXLOC.dll/SXLOC.ZAP
114 |     20150108: ( 1, ( 0x133775C, 0x38F, 0xB5D, 0x6157 ) ),
115 | 
116 |     # Version: 20150202
117 |     # scansts.dll/QuickHeal
118 |     20150202: ( 1, ( 0x13377BA, 0x1B1, 0x10F1, 0x70C3 ) ),
119 | 
120 |     # Version: 20150416
121 |     # rapi.dll/rapi.dll.rap
122 |     20150416: ( 1, ( 0x1337890, 0x5BF1, 0x5BF3, 0x5BFD ) ),
123 | }
124 | 
125 | 
126 | def decrypt_data(ver, data):
127 |     """PlugX XV decrypt data"""
128 | 
129 |     decrypt_settings = PLUGX_XV_DECRYPT_SETTINGS.get(ver)
130 |     if decrypt_settings is None:
131 |         raise ValueError('Unknown PlugX XV version')
132 | 
133 |     if decrypt_settings[0] == 0:
134 |         return decrypt1(data, decrypt_settings[1], 4)
135 | 
136 |     return decrypt2(data, *decrypt_settings[1])
137 | 
138 | 
139 | def decrypt_cfg(ver, data, size_present=True):
140 |     """
141 |     PlugX XV decrypt configuration data
142 |     For type=1:
143 |     size_present=False (if PlugX XV saved the configuration data to a file)
144 |     """
145 | 
146 |     decrypt_settings = PLUGX_XV_DECRYPT_SETTINGS.get(ver)
147 |     if decrypt_settings is None:
148 |         raise ValueError('Unknown PlugX XV version')
149 | 
150 |     if decrypt_settings[0] == 0:
151 |         return decrypt1(data, decrypt_settings[1], 0)
152 | 
153 |     if size_present:
154 |         size, = struct.unpack_from('<L', data, 0)
155 |         enc_data = data[4 : 4 + size]
156 |     else:
157 |         enc_data = data
158 |     dec_data = decrypt2(enc_data, *decrypt_settings[1])
159 |     return lznt1dec.decompress(dec_data[4:])
160 | 
161 | 
162 | if __name__ == '__main__':
163 |     import sys
164 |     import io
165 | 
166 |     if len(sys.argv) != 3:
167 |         print('Usage: '+ sys.argv[0] + ' version filename')
168 |         exit(0)
169 | 
170 |     ver = int(sys.argv[1])
171 |     file_name = sys.argv[2]
172 | 
173 |     with io.open(file_name, 'rb') as f:
174 |         data = f.read()
175 | 
176 |     dec_data = decrypt_data(ver, data)
177 | 
178 |     new_file_name = file_name + '.dec'
179 |     with io.open(new_file_name, 'wb') as f:
180 |         f.write(dec_data)
181 | 
182 |     print('Done!')
183 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_XV/plugx_xv_cfg_dec.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import io
 3 | import struct
 4 | import plugx_xv
 5 | 
 6 | 
 7 | if len(sys.argv) != 3:
 8 |     print('Usage: '+ sys.argv[0] + ' version filename')
 9 |     exit(0)
10 | 
11 | ver = int(sys.argv[1])
12 | file_name = sys.argv[2]
13 | 
14 | with io.open(file_name, 'rb') as f:
15 |     data = f.read()
16 | 
17 | # size_present=False (if PlugX XV saved the configuration data to a file)
18 | cfg_data = plugx_xv.decrypt_cfg(ver, data, True)
19 | 
20 | new_file_name = file_name + '.dec'
21 | with io.open(new_file_name, 'wb') as f:
22 |     f.write(cfg_data)
23 | 
24 | print('Done!')
25 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_XV/plugx_xv_cfg_parse.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | import io
  3 | import struct
  4 | from collections import namedtuple
  5 | 
  6 | 
  7 | C2C_ENTRY_SIZE = 0x44
  8 | URL_ENTRY_SIZE = 0x80
  9 | PROXY_ENTRY_SIZE = 0xC4
 10 | PROXY_NUM_ENTRIES = 4
 11 | STR_VALUE_SIZE = 512
 12 | 
 13 | cfg_parse_params = namedtuple('cfg_parse_params',
 14 | [
 15 |     'c2c_pos',
 16 |     'c2c_num_entries',
 17 |     'url_num_entries',
 18 |     'num_target_processes',
 19 |     'num_uacbypass_processes',
 20 |     'screenshot_present'
 21 | ])
 22 | 
 23 | CFG_PARSE_CASES = {
 24 |     7448 : cfg_parse_params(c2c_pos = 0x2EC,
 25 |                             c2c_num_entries = 4,
 26 |                             url_num_entries = 4,
 27 |                             num_target_processes = 1,
 28 |                             num_uacbypass_processes = 0,
 29 |                             screenshot_present = False),
 30 |     9536 : cfg_parse_params(c2c_pos = 0x2EC,
 31 |                             c2c_num_entries = 4,
 32 |                             url_num_entries = 4,
 33 |                             num_target_processes = 4,
 34 |                             num_uacbypass_processes = 0,
 35 |                             screenshot_present = True),
 36 |     11608 : cfg_parse_params(c2c_pos = 0x2EC,
 37 |                              c2c_num_entries = 4,
 38 |                              url_num_entries = 4,
 39 |                              num_target_processes = 4,
 40 |                              num_uacbypass_processes = 4,
 41 |                              screenshot_present = True),
 42 |     13988 : cfg_parse_params(c2c_pos = 0x2E0,
 43 |                              c2c_num_entries = 16,
 44 |                              url_num_entries = 16,
 45 |                              num_target_processes = 4,
 46 |                              num_uacbypass_processes = 4,
 47 |                              screenshot_present = True)
 48 | }
 49 | 
 50 | 
 51 | def rtrim(s):
 52 |     ln = s.find('\0')
 53 |     if (ln == -1):
 54 |         return s
 55 |     return s[:ln]
 56 | 
 57 | 
 58 | def read_wide_str_and_convert(data, pos, size):
 59 |     s = data[pos : pos + size]
 60 |     return rtrim(s.decode('utf-16'))
 61 | 
 62 | 
 63 | def get_reg_root_key_name(hkey):
 64 |     if (hkey == 0x80000000):
 65 |         return "HKCR"
 66 |     elif (hkey == 0x80000001):
 67 |         return "HKCU"
 68 |     elif (hkey == 0x80000002):
 69 |         return "HKLM"
 70 |     elif (hkey == 0x80000003):
 71 |         return "HKU"
 72 |     elif (hkey == 0x80000005):
 73 |         return "HKCC"
 74 |     else:
 75 |         return hex(hkey)
 76 | 
 77 | 
 78 | def print_c2c_str(data, pos, index):
 79 |     net_type, port = struct.unpack_from("<HH", data, pos)
 80 |     addr = rtrim(data[pos + 4 : pos + 4 + 0x40].decode())
 81 |     if (len(addr) == 0):
 82 |         print('C&C[' + str(index) + ']:')
 83 |     else:
 84 |         print('C&C[{:d}]: ({:d}) "{}:{:d}"'.format(index, net_type, addr, port))
 85 | 
 86 | 
 87 | def print_url_str(data, pos, index):
 88 |     url = rtrim(data[pos : pos + URL_ENTRY_SIZE].decode())
 89 |     if (len(url) == 0):
 90 |         print('URL[' + str(index) + ']:')
 91 |     else:
 92 |         print('URL[{:d}]: "{}"'.format(index, url))
 93 | 
 94 | 
 95 | def print_proxy_params(data, pos, index):
 96 |     proxy_type, port = struct.unpack_from("<HH", data, pos)
 97 |     addr = rtrim(data[pos + 4 : pos + 0x44].decode())
 98 |     user = rtrim(data[pos + 0x44 : pos + 0x84].decode())
 99 |     pwd = rtrim(data[pos + 0x84 : pos + 0xC4].decode())
100 |     if (len(addr) == 0):
101 |         print('Proxy[' + str(index) + ']:')
102 |     else:
103 |         print('Proxy[{:d}]: ({:d}) "{}:{:d}" User: "{}" Password: "{}"'.format(index,
104 |                                                                                proxy_type,
105 |                                                                                addr,
106 |                                                                                port,
107 |                                                                                user,
108 |                                                                                pwd))
109 | 
110 | 
111 | def print_cfg_str_val(data, pos, name):
112 |     s = read_wide_str_and_convert(data, pos, STR_VALUE_SIZE)
113 |     print(name + ': "' + s + '"')
114 | 
115 | 
116 | def print_cfg_dword_val(data, pos, name):
117 |     val, = struct.unpack_from("<L", data, pos)
118 |     print(name + ': ' + str(val))
119 | 
120 | 
121 | if len(sys.argv) != 2:
122 |     print('Usage: '+ sys.argv[0] + ' filename')
123 |     sys.exit(0)
124 | 
125 | file_name = sys.argv[1]
126 | 
127 | with io.open(file_name, 'rb') as f:
128 |     data = f.read()
129 | 
130 | parse_params = CFG_PARSE_CASES.get(len(data))
131 | if (parse_params is None):
132 |     print('Error: Unsupported PlugX configuration file.')
133 |     sys.exit(0)
134 | 
135 | pos = parse_params.c2c_pos
136 | 
137 | for i in range(parse_params.c2c_num_entries):
138 |     print_c2c_str(data, pos + i * C2C_ENTRY_SIZE, i)
139 | pos += parse_params.c2c_num_entries * C2C_ENTRY_SIZE
140 | 
141 | for i in range(parse_params.url_num_entries):
142 |     print_url_str(data, pos + i * URL_ENTRY_SIZE, i)
143 | pos += parse_params.url_num_entries * URL_ENTRY_SIZE
144 | 
145 | for i in range(PROXY_NUM_ENTRIES):
146 |     print_proxy_params(data, pos + i * PROXY_ENTRY_SIZE, i)
147 | pos += PROXY_NUM_ENTRIES * PROXY_ENTRY_SIZE
148 | 
149 | print_cfg_dword_val(data, pos, 'Persistence')
150 | pos += 4
151 | print_cfg_str_val(data, pos, 'Install path')
152 | pos += STR_VALUE_SIZE
153 | print_cfg_str_val(data, pos, 'Service name')
154 | pos += STR_VALUE_SIZE
155 | print_cfg_str_val(data, pos, 'Service display name')
156 | pos += STR_VALUE_SIZE
157 | print_cfg_str_val(data, pos, 'Service description')
158 | pos += STR_VALUE_SIZE
159 | hkey, = struct.unpack_from("<L", data, pos)
160 | print('Autorun reg key: ' + get_reg_root_key_name(hkey))
161 | pos += 4
162 | print_cfg_str_val(data, pos, 'Autorun reg key path')
163 | pos += STR_VALUE_SIZE
164 | print_cfg_str_val(data, pos, 'Autorun reg value name')
165 | pos += STR_VALUE_SIZE
166 | 
167 | if (parse_params.num_target_processes > 0):
168 |     print_cfg_dword_val(data, pos, 'Process injection')
169 |     pos += 4
170 |     for i in range(parse_params.num_target_processes):
171 |         print_cfg_str_val(data, pos, 'Target process[' + str(i) + ']')
172 |         pos += STR_VALUE_SIZE
173 | if (parse_params.num_uacbypass_processes > 0):
174 |     print_cfg_dword_val(data, pos, 'UAC Bypass process injection')
175 |     pos += 4
176 |     for i in range(parse_params.num_uacbypass_processes):
177 |         print_cfg_str_val(data, pos, 'UAC Bypass target process[' + str(i) + ']')
178 |         pos += STR_VALUE_SIZE
179 | 
180 | print_cfg_str_val(data, pos, 'Actor Id')
181 | pos += STR_VALUE_SIZE
182 | print_cfg_str_val(data, pos, 'Target Id')
183 | pos += STR_VALUE_SIZE
184 | print_cfg_str_val(data, pos, 'Mutex name')
185 | pos += STR_VALUE_SIZE
186 | 
187 | if parse_params.screenshot_present:
188 |     print_cfg_dword_val(data, pos, 'Screenshots')
189 |     pos += 4
190 |     print_cfg_dword_val(data, pos, 'Screenshot frequency (secs)')
191 |     pos += 4
192 |     print_cfg_dword_val(data, pos, 'Screenshot zoom')
193 |     pos += 4
194 |     print_cfg_dword_val(data, pos, 'Screenshot color bits')
195 |     pos += 4
196 |     print_cfg_dword_val(data, pos, 'Screenshot quality')
197 |     pos += 4
198 |     print_cfg_dword_val(data, pos, 'Screenshot remain days')
199 |     pos += 4
200 |     print_cfg_str_val(data, pos, 'Sckreenshot save directory')
201 |     pos += STR_VALUE_SIZE
202 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_XV/plugx_xv_keylog_dec.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import io
 3 | import struct
 4 | import plugx_xv
 5 | 
 6 | 
 7 | if len(sys.argv) != 3:
 8 |     print('Usage: '+ sys.argv[0] + ' version filename')
 9 |     exit(0)
10 | 
11 | ver = int(sys.argv[1])
12 | file_name = sys.argv[2]
13 | 
14 | with io.open(file_name, 'rb') as f:
15 |     data = f.read()
16 | 
17 | dec_data = b''
18 | i = 0
19 | while (i < len(data)):
20 |     size, = struct.unpack_from('<L', data, i)
21 |     i += 4
22 |     if (size != 0):
23 |         dec_entry = plugx_xv.decrypt_data(ver, data[i : i + size])
24 |         dec_data += dec_entry + b'\x0D\x00\x0A\x00'
25 |         i += size
26 | 
27 | new_file_name = file_name + '.dec'
28 | with io.open(new_file_name, 'wb') as f:
29 |     f.write(dec_data)
30 | 
31 | print('Done!')
32 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_XV/plugx_xv_versions.txt:
--------------------------------------------------------------------------------
 1 | 20130524
 2 | --------
 3 | RasTls.dll/RasTls.dll.msc
 4 | 
 5 | 20130810
 6 | --------
 7 | AShldRes.dll/AShldRes.DLL.asr
 8 | ushata.dll/ushata.dll.avp
 9 | 
10 | 20140307
11 | --------
12 | SetupEngine.dll/System.bin
13 | 
14 | 20140428
15 | --------
16 | ushata.dll/ushata.door.open
17 | McAltLib.dll/mcs.cvt
18 | 
19 | 20140509
20 | --------
21 | splash_screen.dll/splash_screen.dyload
22 | 
23 | 20140609
24 | --------
25 | mcutil.dll/mcutil.dll.bbc
26 | aross.dll/kor_boot.ttf
27 | aross.dll/wintask.log
28 | aross.dll/aross.pig
29 | Winssec.exe/Winssec.cfg
30 | winkit.exe/winkit.cfg
31 | lscsvr.exe/lscsvr.cfg
32 | wrap.exe/setting.ini
33 | unitsvc.exe/unitsvc.cfg
34 | rnapp.exe/rnapp.cfg
35 | Csrsec.exe/Csrsec.cfg
36 | 
37 | 20140613
38 | --------
39 | dbghelp.dll/moic.exe.dat
40 | dbghelp.dll/winhlp32.exe.dat
41 | McUtil.dll/McUtil.dll.mc
42 | RasTls.dll/set.conf
43 | msi.dll/msi.dll.mov
44 | 
45 | 20140719
46 | --------
47 | splash_screen.dll/splash_screen.dll.sky
48 | aross.dll/aross.pig
49 | symerr.exe/ccL110U.dll
50 | po_x64.dll
51 | lsm.exe
52 | dwm.exe
53 | depends.exe
54 | 
55 | 20140818
56 | --------
57 | mcutil.dll/mcf.ep
58 | 
59 | 20141028
60 | --------
61 | fslapi.dll/fslapi.dll.gui
62 | 
63 | 20141216
64 | --------
65 | ssMUIDLL.dll/ssMUIDLL.dll.conf
66 | 
67 | 20150108
68 | --------
69 | SXLOC.dll/SXLOC.ZAP
70 | 
71 | 20150202
72 | --------
73 | scansts.dll/QuickHeal
74 | 
75 | 20150416
76 | --------
77 | rapi.dll/rapi.dll.rap
78 | 


--------------------------------------------------------------------------------
/PlugX/PlugX_XV/x64dbg_extract_payload.py:
--------------------------------------------------------------------------------
  1 | import io
  2 | import os
  3 | from x64dbgpy.pluginsdk import *
  4 | 
  5 | 
  6 | def x64dbg_save_data(dest_dir, file_name, addr, size):
  7 |     """Save data to file"""
  8 | 
  9 |     # Read data
 10 |     read_bytes = bytearray(size)
 11 |     result, read_size = x64dbg.Memory_Read(addr, read_bytes, size)
 12 | 
 13 |     # Save data to file
 14 |     with io.open(os.path.join(dest_dir, file_name), 'wb') as f:
 15 |         f.write(read_bytes[:read_size])
 16 | 
 17 | 
 18 | def x64dbg_run_to_addr(addr):
 19 |     """Run to specifed address"""
 20 | 
 21 |     x64dbg.SetHardwareBreakpoint(addr, x64dbg.HardwareExecute)
 22 |     x64dbg.Run()
 23 |     x64dbg.DeleteHardwareBreakpoint(addr)
 24 | 
 25 | 
 26 | def x64dbg_get_ep_addr(mod_addr):
 27 |     """Get PE module entry point address"""
 28 | 
 29 |     nt_hdr_addr = mod_addr + x64dbg.ReadDword(mod_addr + 0x3C)
 30 | 
 31 |     num_sections = x64dbg.ReadWord(nt_hdr_addr + 6)
 32 |     ep_rva = x64dbg.ReadDword(nt_hdr_addr + 0x28)
 33 |     opt_hdr_size = x64dbg.ReadWord(nt_hdr_addr + 0x14)
 34 |     nt_hdr_size = 4 + 0x14 + opt_hdr_size
 35 |     section_hdr_addr = nt_hdr_addr + nt_hdr_size
 36 | 
 37 |     for i in range(num_sections):
 38 | 
 39 |         s_vsize = x64dbg.ReadWord(section_hdr_addr + 8)
 40 |         s_rva = x64dbg.ReadWord(section_hdr_addr + 12)
 41 |         s_psize = x64dbg.ReadWord(section_hdr_addr + 16)
 42 |         s_pos = x64dbg.ReadWord(section_hdr_addr + 20)
 43 | 
 44 |         if (s_pos != 0) and (ep_rva >= s_rva):
 45 |             offset = ep_rva - s_rva
 46 |             if (offset < min(s_vsize, s_psize)):
 47 |                 return (mod_addr + s_pos + offset)
 48 | 
 49 |         section_hdr_addr += 0x28
 50 | 
 51 |     return 0
 52 | 
 53 | 
 54 | #
 55 | # Main
 56 | #
 57 | 
 58 | dest_dir = os.path.abspath(os.path.dirname(__file__))
 59 | 
 60 | x64dbg.Run()
 61 | 
 62 | # Break on RtlDecompressBuffer
 63 | addr = ResolveLabel('RtlDecompressBuffer')
 64 | if addr == 0:
 65 |     raise Exception('Failed to resolve RtlDecompressBuffer.')
 66 | x64dbg_run_to_addr(addr)
 67 | 
 68 | addr = x64dbg.GetESP()
 69 | 
 70 | # Check COMPRESSION_FORMAT_LZNT1
 71 | if x64dbg.ReadDword(addr + 4) != 2:
 72 |     raise Exception('Invalid compression format.')
 73 | 
 74 | # Save payload
 75 | payload_addr = x64dbg.ReadPtr(addr + 8)
 76 | payload_size = x64dbg.ReadPtr(addr + 12)
 77 | print('Payload address: %08X' % payload_addr)
 78 | print('Payload size: %d' % payload_size)
 79 | x64dbg.StepOut()
 80 | x64dbg_save_data(dest_dir, 'payload.dll_', payload_addr, payload_size)
 81 | 
 82 | # Get payload entry point address
 83 | ep_addr = x64dbg_get_ep_addr(payload_addr)
 84 | if ep_addr == 0:
 85 |     raise Exception('Couldn\'t get payload entry point address.')
 86 | print('Payload entry point address: %08X' % ep_addr)
 87 | 
 88 | # Write int 3 to payload entry point
 89 | x64dbg.WriteByte(ep_addr, 0xCC)
 90 | 
 91 | x64dbg.Run()
 92 | 
 93 | addr = x64dbg.GetESP()
 94 | payload_base = x64dbg.ReadPtr(addr + 4)
 95 | print('Payload base address: %08X' % payload_base)
 96 | 
 97 | # PlugX payload signature
 98 | plugx_sign = x64dbg.ReadDword(payload_base)
 99 | print('Payload signature: %08X' % plugx_sign)
100 | 
101 | # Payload params
102 | payload_param_addr = x64dbg.ReadPtr(addr + 12)
103 | print('Payload param address: %08X' % payload_param_addr)
104 | 
105 | # Shellcode
106 | shellcode_addr = x64dbg.ReadPtr(payload_param_addr)
107 | shellcode_size = x64dbg.ReadPtr(payload_param_addr + 4)
108 | print('Shellcode address: %08X' % shellcode_addr)
109 | print('Shellcode size: %d' % shellcode_size)
110 | x64dbg_save_data(dest_dir, 'shellcode.bin', shellcode_addr, shellcode_size)
111 | 
112 | # Packed payload
113 | packed_payload_addr = x64dbg.ReadPtr(payload_param_addr + 8)
114 | packed_payload_size = x64dbg.ReadPtr(payload_param_addr + 0xC)
115 | print('Packed payload address: %08X' % packed_payload_addr)
116 | print('Packed payload size: %d' % packed_payload_size)
117 | x64dbg_save_data(dest_dir, 'payload.pak',
118 |                  packed_payload_addr, packed_payload_size)
119 | 
120 | # Configuration data
121 | cfg_addr = x64dbg.ReadPtr(payload_param_addr + 0x10)
122 | cfg_size = x64dbg.ReadPtr(payload_param_addr + 0x14)
123 | print('Config address: %08X' % cfg_addr)
124 | print('Config size: %d' % cfg_size)
125 | x64dbg_save_data(dest_dir, 'config.enc', cfg_addr, cfg_size)
126 | 


--------------------------------------------------------------------------------
/PoisonIvy/parse_cfg.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | import io
  3 | import struct
  4 | 
  5 | 
  6 | CFG_FIELD_UNKNOWN = 0
  7 | CFG_FIELD_STRING = 1
  8 | CFG_FIELD_NUMBER = 2
  9 | CFG_FIELD_CONN_INFO = 3
 10 | 
 11 | CFG_FIELD_TYPE_LIST = {
 12 |     0x0145: ('Encryption key', CFG_FIELD_STRING),
 13 |     0x018C: ('C&C max index', CFG_FIELD_NUMBER),
 14 |     0x0190: ('C&C', CFG_FIELD_CONN_INFO),
 15 |     0x02C1: ('Proxy max index', CFG_FIELD_NUMBER),
 16 |     0x02C5: ('Proxy', CFG_FIELD_CONN_INFO),
 17 |     0x03FB: ('Mutex name', CFG_FIELD_STRING),
 18 |     0x040F: ('Active Setup reg value name', CFG_FIELD_STRING),
 19 |     0x0418: ('Default browser path reg key', CFG_FIELD_STRING),
 20 |     0x0456: ('Active Setup reg key', CFG_FIELD_STRING),
 21 |     0x0AFA: ('Campaign Id', CFG_FIELD_STRING),
 22 |     0x0BF9: ('Group Id', CFG_FIELD_STRING),
 23 |     0x0D09: ('HKLM/HKCU autorun reg key flag', CFG_FIELD_NUMBER),
 24 |     0x0E12: ('Autorun reg value name', CFG_FIELD_STRING),
 25 |     0xEB00: ('Unknown_EB00', CFG_FIELD_STRING),
 26 |     0xEC00: ('Unknown_EC00', CFG_FIELD_STRING),
 27 |     0xED00: ('Unknown_ED00', CFG_FIELD_STRING),
 28 |     0xEF7C: ('Unknown_EF7C', CFG_FIELD_NUMBER),
 29 |     0xEF8C: ('Unknown_EF8C', CFG_FIELD_NUMBER),
 30 |     0xEF90: ('Unknown_EF90', CFG_FIELD_NUMBER),
 31 |     0xEF94: ('Unknown_EF94', CFG_FIELD_NUMBER),
 32 |     0xEFF8: ('Unknown_EFF8', CFG_FIELD_NUMBER),
 33 |     0xEFFC: ('Unknown_EFFC', CFG_FIELD_NUMBER)
 34 | }
 35 | 
 36 | 
 37 | GET_CFG_DATA_CODE = b'\xE8\0\0\0\0'
 38 | 
 39 | 
 40 | def extract_cfg_data(data):
 41 |     pos = 0
 42 |     while True:
 43 |         # call $+5
 44 |         pos = data.find(GET_CFG_DATA_CODE, pos)
 45 |         if (pos < 0):
 46 |             break
 47 |         pos += len(GET_CFG_DATA_CODE)
 48 |         # pop esi
 49 |         if ((data[pos] & 0xF0) != 0x50):
 50 |             continue
 51 |         # add esi, cfg_rel_offset
 52 |         if ((data[pos + 1] == 0x81) and ((data[pos + 2] & 0xF0) == 0xC0)):
 53 |             cfg_rel_ofs, = struct.unpack_from('<L', data, pos + 3)
 54 |             if (pos + cfg_rel_ofs) < len(data):
 55 |                 return data[pos + cfg_rel_ofs:]
 56 |     return None
 57 | 
 58 | def print_cfg_field(fld_id, fld_len, fld_val):
 59 |     fld_type_entry = CFG_FIELD_TYPE_LIST.get(fld_id)
 60 |     if (fld_type_entry is None):
 61 |         print('Unknown field id (%04X).' % fld_id)
 62 |         return
 63 | 
 64 |     if (fld_type_entry[1] == CFG_FIELD_STRING):        
 65 |         print('%s: \"%s\"' % (fld_type_entry[0], fld_val.decode()))
 66 | 
 67 |     elif (fld_type_entry[1] == CFG_FIELD_NUMBER):
 68 |         t = None
 69 |         if (fld_len == 1):
 70 |             t = 'B'
 71 |         elif (fld_len == 2):
 72 |             t = 'H'
 73 |         elif (fld_len == 4):
 74 |             t = 'L'
 75 |         elif (fld_len == 8):
 76 |             t = 'Q'
 77 |         if (t is not None):
 78 |             val_num, = struct.unpack('<' + t, fld_val)
 79 |             fld_fmt = '%s: %0' + str(fld_len << 1) + 'X'
 80 |             print(fld_fmt % (fld_type_entry[0], val_num))
 81 |         else:  
 82 |             print('Invalid field \"%s\" data size (%d).' %
 83 |                       (fld_type_entry[0], fld_len))
 84 | 
 85 |     elif (fld_type_entry[1] == CFG_FIELD_CONN_INFO):
 86 |         pos = 0
 87 |         c2c_num = 0
 88 |         while (pos < len(fld_val)):
 89 |             c2c_addr_len = fld_val[pos]
 90 |             pos += 1
 91 |             c2c_addr = fld_val[pos : pos + c2c_addr_len].decode()
 92 |             pos += c2c_addr_len
 93 |             c2c_type = fld_val[pos]
 94 |             pos += 1
 95 |             c2c_port, = struct.unpack_from('<H', fld_val, pos)
 96 |             pos += 2
 97 |             print('%s[%d]: (%d) \"%s:%d\"' %
 98 |                       (fld_type_entry[0], c2c_num, c2c_type, c2c_addr, c2c_port))
 99 |             c2c_num += 1
100 | 
101 |     elif (fld_type_entry[1] == CFG_FIELD_UNKNOWN):
102 |         print('%s: ? (%d bytes)' % (fld_type_entry[0], fld_len))
103 | 
104 | 
105 | if len(sys.argv) != 2:
106 |     print('Usage: '+ sys.argv[0] + ' filename')
107 |     sys.exit(0)
108 | 
109 | file_name = sys.argv[1]
110 | 
111 | with io.open(file_name, 'rb') as f:
112 |     data = f.read()
113 | 
114 | cfg_data = extract_cfg_data(data)
115 | 
116 | del data
117 | 
118 | if (cfg_data is None):
119 |     raise Exception('Configuration data not found.')
120 | 
121 | new_file_name = file_name + '.cfg'
122 | with io.open(new_file_name, 'wb') as f:
123 |     f.write(cfg_data)
124 | 
125 | pos = 0
126 | while (pos < len(cfg_data)):
127 |     fld_id, fld_len = struct.unpack_from('<2H', cfg_data, pos)
128 |     if (fld_id == 0):
129 |         pos += 2
130 |         break
131 | 
132 |     pos += 4
133 |     print_cfg_field(fld_id, fld_len, cfg_data[pos : pos + fld_len])
134 |     pos += fld_len
135 | 


--------------------------------------------------------------------------------
/RCSession/RCSession.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | RCSession
 3 | */
 4 | 
 5 | rule RCSession_Payload
 6 | {
 7 |     meta:
 8 |         author = "rivitna"
 9 |         family = "RCSession"
10 |         description = "RCSession payload"
11 |         severity = 10
12 |         score = 100
13 | 
14 |     strings:
15 |         $a0 = ".?AVCNet@@" ascii
16 |         $a1 = ".?AVCNetHttp@@" ascii
17 |         $a2 = ".?AVCNetPipe@@" ascii
18 |         $a3 = ".?AVCNetTcp@@" ascii
19 |         $a4 = ".?AVCNetUdp@@" ascii
20 |         $a5 = ".?AVCFileManager@@" ascii
21 |         $a6 = ".?AVCPlugin@@" ascii
22 |         $a7 = ".?AVCKeyLog@@" ascii
23 |         $a8 = ".?AVCPortMap@@" ascii
24 |         $a9 = ".?AVCScreen@@" ascii
25 |         $a10 = ".?AVCShell@@" ascii
26 |         $a11 = ".?AVCTelnet@@" ascii
27 |         $a12 = "\x00Software\\Clients\\Profile" wide
28 |         $a13 = "\x00XBEE\x00" wide
29 | 
30 |         $x0 = { 83 E8 00 74 19 48 74 0F 48 74 05 6B C9 09 EB 15 8B C1
31 |                 C1 E8 02 EB 03 8D 04 09 2B C8 EB 07 8B C1 C1 E8 04 03 C8 }
32 | 
33 |     condition:
34 |         ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
35 |         (
36 |             (5 of ($a*)) or
37 |             (1 of ($x*))
38 |         )
39 | }
40 | 


--------------------------------------------------------------------------------
/RCSession/rcsession_cfg_decrypt.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import io
 3 | import struct
 4 | 
 5 | 
 6 | CFG_SEED_POS = 0x80
 7 | 
 8 | 
 9 | def decrypt(data, seed):
10 |     """RCSession decrypt function"""
11 | 
12 |     dec_data = b''
13 |     n = seed
14 | 
15 |     for i, b in enumerate(data):
16 |         m = i & 3
17 |         if (m == 0):
18 |             n += (n >> 4)
19 |         elif (m == 1):
20 |             n -= 2 * n
21 |         elif (m == 2):
22 |             n -= (n >> 2)
23 |         else:
24 |             n *= 9
25 |         n &= 0xFFFFFFFF
26 |         dec_data += bytes([b ^ (n & 0xFF)])
27 | 
28 |     return dec_data
29 | 
30 | 
31 | if len(sys.argv) != 2:
32 |     print('Usage: '+ sys.argv[0] + ' filename')
33 |     exit(0)
34 | 
35 | filename = sys.argv[1]
36 | 
37 | with io.open(filename, 'rb') as f:
38 |     data = f.read()
39 | 
40 | seed, = struct.unpack_from("<L", data, CFG_SEED_POS)
41 | dec_data = decrypt(data, seed)
42 | 
43 | new_filename = filename + '.dec'
44 | with io.open(new_filename, 'wb') as f:
45 |     f.write(dec_data)
46 | 
47 | print('Done!')
48 | 


--------------------------------------------------------------------------------
/RCSession/rcsession_keylog_dec.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import io
 3 | 
 4 | 
 5 | def decrypt(data):
 6 | 
 7 |     dec_data = b''
 8 |     for b in data:
 9 |         dec_data += bytes([(((b - 0x61) ^ 0x61) + 0x61) & 0xFF])
10 |     return dec_data
11 | 
12 | 
13 | if len(sys.argv) != 2:
14 |     print('Usage: '+ sys.argv[0] + ' filename')
15 |     exit(0)
16 | 
17 | filename = sys.argv[1]
18 | 
19 | with io.open(filename, 'rb') as f:
20 |     data = f.read()
21 | 
22 | dec_data = decrypt(data)
23 | 
24 | new_filename = filename + '.dec'
25 | with io.open(new_filename, 'wb') as f:
26 |     f.write(dec_data)
27 | 
28 | print('Done!')
29 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # YARA rules, programs for APT malware:
2 | 
3 | PlugX  
4 | Poison Ivy  
5 | RCSession  
6 | 


--------------------------------------------------------------------------------