├── .gitignore ├── README.md ├── turla_carbon ├── a6efd027b121347201a3de769389e6dd_Config.txt ├── apt_RU_Turla_Carbon_Dropper.yar ├── Carbon_decrypt_config.py ├── apt_RU_Turla_Carbon_CommunicationLibrary.yar ├── apt_RU_Turla_Carbon_Orchestrator.yar ├── apt_RU_Turla_Carbon_ServiceDLL.yar └── README.md └── blackmatter ├── hashes.txt ├── dict.txt ├── output.txt ├── BlackMatter_hash.py ├── cracked.json └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .gitignore 2 | .gitattributes 3 | .DS_Store 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Malware Analysis 2 | In this repo you can find some scripts, Yara rules and other files developed during malware investigations. 3 | -------------------------------------------------------------------------------- /turla_carbon/a6efd027b121347201a3de769389e6dd_Config.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sisoma2/malware_analysis/HEAD/turla_carbon/a6efd027b121347201a3de769389e6dd_Config.txt -------------------------------------------------------------------------------- /turla_carbon/apt_RU_Turla_Carbon_Dropper.yar: -------------------------------------------------------------------------------- 1 | rule apt_RU_Turla_Carbon_Dropper : apt { 2 | 3 | meta: 4 | author = "@sisoma2" 5 | date = "27/08/2020" 6 | desc = "Detects the Turla Carbon Dropper" 7 | hash = "a6efd027b121347201a3de769389e6dd" 8 | hash = "F45574C4CC4AED2DD1B23027434E9B06" 9 | version = "0.1" 10 | 11 | strings: 12 | $strgrp1_1 = "viIta" nocase wide ascii 13 | $strgrp1_2 = "S-1-16-12288" nocase wide ascii 14 | $strgrp1_3 = "S:(ML;;NW;;;S-1-16-0)" nocase wide ascii 15 | $strgrp1_4 = "A;OICIID;GA" nocase wide ascii 16 | 17 | $strgrp2_1 = "Virtual Private Network Routing Service" nocase wide ascii 
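18 | $strgrp2_2 = "Health Key and Certificate Management Service" nocase wide ascii 19 | $strgrp2_3 = "System Restore Service" nocase wide ascii 20 | $strgrp2_4 = "Alerter" nocase wide ascii 21 | 22 | $code_x64 = { B9 00 20 00 00 FF 15 [4] 48 89 [1-6] 48 8D [1-6] 48 89 [1-6] 41 B9 00 20 00 00 4C 8B [1-6] 33 D? 48 8B [1-6] FF 15 [4] 85 C0 75 ?? FF 15 } 23 | $code_x86 = { 68 00 20 00 00 FF 15 [4] 83 C4 ?? 89 [1-6] 8D [1-6] 5? 68 00 20 00 00 8B [1-6] 5? 6A 00 8B [1-6] 5? FF 15 [4] 85 C0 75 ?? FF 15 } 24 | 25 | condition: 26 | filesize < 1MB 27 | and 1 of ($code*) 28 | and any of ($strgrp1_*) 29 | and any of ($strgrp2_*) 30 | } -------------------------------------------------------------------------------- /turla_carbon/Carbon_decrypt_config.py: --------------------------------------------------------------------------------
from Crypto.Cipher import CAST
import sys
import argparse


# Hard-coded CAST5 (CAST-128) key and IV this tool uses for the Carbon
# configuration file (same values for encryption and decryption).
CARBON_KEY = b"\x12\x34\x56\x78\x9A\xBC\xDE\xF0\xFE\xFC\xBA\x98\x76\x54\x32\x10"
CARBON_IV = b"\x12\x34\x56\x78\x9A\xBC\xDE\xF0"
# CAST5 block size in bytes; input is NUL-padded to a multiple of it.
BLOCK_SIZE = 8


def _transform_file(src_path, dst_suffix, operation):
    """Read *src_path*, NUL-pad it to BLOCK_SIZE, run *operation* on it and
    write the result to *src_path* + *dst_suffix*.

    Args:
        src_path: path of the input file (read in binary mode).
        dst_suffix: suffix appended to *src_path* to form the output path.
        operation: callable bytes -> bytes (cipher.encrypt or cipher.decrypt).

    Raises:
        OSError: if either file cannot be opened.
    """
    with open(src_path, "rb") as src:
        data = src.read()
    # OFB is a stream mode, but the original tool padded to the CAST block
    # size; keep doing so, so the produced files stay byte-identical.
    data += b"\x00" * (-len(data) % BLOCK_SIZE)
    with open(src_path + dst_suffix, "wb") as dst:
        dst.write(operation(data))


def main():
    """CLI entry point: encrypt (-e FILE) or decrypt (-d FILE) a Carbon config.

    Exactly one of the two options must be given; otherwise the help text is
    printed and 0 is returned. The output is written next to the input with
    an ``_encrypted`` / ``_decrypted`` suffix. Invalid options make argparse
    exit, as before.
    """
    parser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument("-e", "--encrypt", help="encrypt carbon file", required=False)
    parser.add_argument("-d", "--decrypt", help="decrypt carbon file", required=False)
    args = parser.parse_args()

    # Require exactly one mode. The previous ``len(sys.argv) != 3`` test also
    # rejected the ``--encrypt=FILE`` spelling and let ``-e`` plus ``-d`` reach
    # the cipher when both fit in three argv entries.
    if bool(args.encrypt) == bool(args.decrypt):
        parser.print_help()
        return 0

    cipher = CAST.new(CARBON_KEY, CAST.MODE_OFB, CARBON_IV)

    if args.encrypt:
        _transform_file(args.encrypt, "_encrypted", cipher.encrypt)
    else:
        _transform_file(args.decrypt, "_decrypted", cipher.decrypt)


if __name__ == "__main__":
    main()
-------------------------------------------------------------------------------- /turla_carbon/apt_RU_Turla_Carbon_CommunicationLibrary.yar: -------------------------------------------------------------------------------- 1 | rule apt_RU_Turla_Carbon_CommunicationLibrary : apt { 2 | 3 | meta: 4 | author = "@sisoma2" 5 | date = "27/08/2020" 6 | desc = "Detects the Turla Carbon Comms Library" 7 | hash = "0868a27ef0aa512cbae82f4251767f4b" 8 | hash = "e5a90e7e63ededbdd5ee13219bc93fce" 9 | version = "0.1" 10 | 11 | strings: 12 | $strgrp1_1 = "backet sorting ..." nocase wide ascii 13 | $strgrp1_2 = "/javascript/view.php" nocase wide ascii 14 | $strgrp1_3 = "Proxy task %d obj %s ACTIVE fail robj %s" nocase wide ascii 15 | 16 | $strgrp2_1 = "check_lastconnect" nocase wide ascii 17 | $strgrp2_2 = "lastsuccon" nocase wide ascii 18 | $strgrp2_3 = "rendezvous_point" nocase wide ascii 19 | $strgrp2_4 = "configlastsend" nocase wide ascii 20 | $strgrp2_5 = "DestinationDirs" nocase wide ascii 21 | $strgrp2_6 = "*.inf" nocase wide ascii 22 | 23 | $strgrp3_1 = /W\|(0|1|-1)\|%d\|%s:%s\|.{1,50}\n/ nocase wide ascii 24 | $strgrp3_2 = /(W|P).{1,10}\|%s:%s\|%d\|%d\|\n/ nocase wide ascii 25 | $strgrp3_3 = "%s: http://%s%s" nocase wide ascii 26 | $strgrp3_4 = /(TS|ST|CR|PV|TP|SL|WP|IA|RP)\|%d\|\n/ nocase wide ascii 27 | 28 | condition: 29 | filesize < 200KB 30 | and 1 of ($strgrp1_*) 31 | and 2 of ($strgrp2_*) 32 | and 3 of ($strgrp3_*) 33 | } -------------------------------------------------------------------------------- /turla_carbon/apt_RU_Turla_Carbon_Orchestrator.yar: -------------------------------------------------------------------------------- 1 | rule apt_RU_Turla_Carbon_Orchestrator : apt { 2 | 3 | meta: 4 | author = "@sisoma2" 5 | date = "27/08/2020" 6 | desc = "Detects the Turla Carbon Orchestrator" 7 | hash = "750ed2ff73374bac96aa389f1450469e" 8 | hash = "3b10f20729d79ca3a92510674ff037c2" 9 | version = "0.1"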
10 | 11 | strings: 12 | $strgrp1_1 = "backet sorting ..." nocase wide ascii 13 | $strgrp1_2 = "Proxy task %d for obj %s ACTIVE fail robj=%s" nocase wide ascii 14 | $strgrp1_3 = "SYSTEM\\CurrentControlSet\\Control\\LSA" nocase wide ascii 15 | $strgrp1_4 = "SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters" nocase wide ascii 16 | 17 | $strgrp2_1 = "DestinationDirs" nocase wide ascii 18 | $strgrp2_2 = "*.inf" nocase wide ascii 19 | $strgrp2_3 = "A;OICIID;GA" nocase wide ascii 20 | $strgrp2_4 = "run_task_system" nocase wide ascii 21 | $strgrp2_5 = "frag_size=32768" nocase wide ascii 22 | $strgrp2_6 = "frag.tcp" nocase wide ascii 23 | 24 | $strgrp3_1 = /W\|-2\|%d\|%s\|.{1,50}\n/ nocase wide ascii 25 | $strgrp3_2 = /(L|S|A|P|INJ)\|-1\|.{1,50}\n/ nocase wide ascii 26 | $strgrp3_3 = /AS_(G|CUR_USER|USER):.{1,50}\(\):%d\n/ nocase wide ascii 27 | 28 | condition: 29 | filesize < 300KB 30 | and 2 of ($strgrp1_*) 31 | and 3 of ($strgrp2_*) 32 | and any of ($strgrp3_*) 33 | } -------------------------------------------------------------------------------- /turla_carbon/apt_RU_Turla_Carbon_ServiceDLL.yar: -------------------------------------------------------------------------------- 1 | rule apt_RU_Turla_Carbon_ServiceDLL : apt { 2 | 3 | meta: 4 | author = "@sisoma2" 5 | date = "27/08/2020" 6 | desc = "Detects the Turla Carbon Service DLL" 7 | hash = "67e400d026e50f18599b2beeda2c565d" 8 | hash = "35f4f185e3d827fd02ee76a54ed9827a" 9 | version = "0.1" 10 | 11 | strings: 12 | $strgrp_1 = "OnDemandStart" nocase wide ascii 13 | $strgrp_2 = "OnDemandStop" nocase wide ascii 14 | $strgrp_3 = "*.inf" nocase wide ascii 15 | $strgrp_4 = "DestinationDirs" nocase wide ascii 16 | 17 | 18 | $code_x86_1 = { 68 00 08 00 00 C7 [1-6] FF D? 68 00 08 00 00 8B [1-6] FF D? 83 C4 ?? 8B [1-6] 85 ?? 0F 84 [4] 85 ?? 0F 84 [4] 68 00 08 00 00 6A 00 5? E8 [4] 68 00 08 00 00 6A 00 5? E8 } 19 | $code_x86_2 = { 68 08 02 00 00 8D [1-6] 5? 68 [4] FF 15 [4] 85 C0 0F 84 [4] 0F B7 [1-6] 5? 8D [1-6] 5? 
8D [1-6] 5? FF 15 [4] 83 C4 ?? 6A 28 8D [1-6] 5? 8D [1-6] 5? 8D [1-6] 5? 8D [1-6] 5? 68 08 02 00 00 8D [1-6] 5? 8D [1-6] 5? FF 15 } 20 | 21 | $code_x64 = { 41 B8 08 02 00 00 48 8D [1-6] 48 8D [1-6] FF 15 [4] 85 C0 75 ?? 33 C? E9 [4] 0F B7 [1-6] 44 8B [1-6] 48 8D [1-6] 48 8D [1-6] FF 15 [4] C7 [1-10] 48 8D [1-6] 48 89 [1-6] 48 8D [1-6] 48 89 [1-6] 48 8D [1-6] 48 89 [1-6] 4C 8D [1-6] 41 B8 08 02 00 00 48 8D [1-6] 48 8D [1-6] FF 15 } 22 | 23 | condition: 24 | filesize < 30KB 25 | and 1 of ($code*) 26 | and any of ($strgrp_*) 27 | } -------------------------------------------------------------------------------- /blackmatter/hashes.txt: -------------------------------------------------------------------------------- 1 | # Extensions 2 | 0xAF16C593 3 | 0xDF981B00 4 | 0x64E29771 5 | 0xDD481CC0 6 | 0xDB581B80 7 | 0xCD281E00 8 | 0xC9101840 9 | 0xE99018C0 10 | 0xC7A01840 11 | 0xCBB01C80 12 | 0xE7801D00 13 | 0xDD801CC0 14 | 0xE3301C80 15 | 0xDD181CC0 16 | 0xD57818C0 17 | 0xD9C81940 18 | 0xE1C018C0 19 | 0x4ABA94F1 20 | 0x4AE29631 21 | 0xE3101900 22 | 0xF1C01C00 23 | 0xD3801B00 24 | 0xC99EAB80 25 | 0xE7681BC0 26 | 0xCB601B00 27 | 0x4A6BB7DB 28 | 0xDD201BC0 29 | 0xE1881CC0 30 | 0xD59818C0 31 | 0xD3081D00 32 | 0xC7701A40 33 | 0xC9201B40 34 | 0xC5481B80 35 | 0x67B00E00 36 | 0xE15ED8C0 37 | 0xC9901D40 38 | 0xD5C01900 39 | 0xE9981E40 40 | 0xC9681BC0 41 | 0xA1FCCBFE 42 | 0xE9981A00 43 | 0xDB301900 44 | 0xCD2E9B7A 45 | 0xDD081C00 46 | 0x4CCA7837 47 | 0xE9601C00 48 | 0xC9601C00 49 | 0xC5B01900 50 | 0xD56018C0 51 | 0xDDA81CC0 52 | 0xDD301900 53 | 0xDF301900 54 | 0xCD101900 55 | 0xDD101900 56 | 0x49164931 57 | 58 | # Filenames 59 | 0x82D2A252 60 | 0x86CCAA15 61 | 0xDB975937 62 | 0xFCC8AB56 63 | 0xC8CEF7D1 64 | 0x3907099B 65 | 0xC23AA6F5 66 | 0x846BEC00 67 | 0xF00CAE96 68 | 0xCBE2AA35 69 | 0x85AA57E4 70 | 71 | # Paths 72 | 0xAE018EAE 73 | 0x6B66F975 74 | 0x26687E35 75 | 0xA6F2D1A7 76 | 0x030A212D 77 | 0xDCCAB8DD 78 | 0xAB086595 79 | 0x36004E4E 80 | 0x267078F5 81 | 0x5CDE3A7B 82 | 
0xB7EA3892 83 | 0xE3426CD7 84 | 0xEF3A37B3 85 | 0xBA22623B 86 | 0x4C4B25D4 87 | 0x2E75E394 88 | 0xE1A63BC0 89 | 0x8CF281CD 90 | 0x52CB0B38 91 | 0x5366E694 92 | 0xC6CE6958 93 | 0x07F07935 94 | 0xCD1B589B 95 | 96 | # Hardcoded hash in binary 97 | 0x3EB272E6 98 | 0xE3426CD7 99 | 0xB7E02438 100 | 0xFE9E7C10 101 | 0xD4AAEBB2 102 | 0x12018C0 103 | 0xEB9F5C34 104 | 0xEB869D00 105 | 106 | # Arguments 107 | 0x45471D17 108 | 0x452F4997 109 | 0x45678B17 110 | -------------------------------------------------------------------------------- /turla_carbon/README.md: -------------------------------------------------------------------------------- 1 | # Turla Carbon System 2 | 3 | The Carbon System or Project Cobra is a malware framework developed by the actors identified as Turla. It's a sophisticated backdoor used to steal sensitive information from high valuable targets like diplomats or foreign affairs ministries. 4 | 5 | ## IOCs 6 | 7 | ### Samples 8 | 9 | #### Carbon Dropper 10 | 11 | ``` 12 | a6efd027b121347201a3de769389e6dd 13 | ``` 14 | 15 | #### Carbon Service 16 | 17 | ``` 18 | 957930597221ab6e0ff4fd7c6f2ee1cc 19 | ``` 20 | 21 | #### Carbon Orchestrator 22 | 23 | ```` 24 | 3b10f20729d79ca3a92510674ff037c2 25 | 78cadb0a538105f2fdcb42f9956e49b5 26 | ```` 27 | 28 | #### Carbon Comms x86 29 | 30 | ``` 31 | c9c819991d4e6476e8f0307beed080b7 32 | 1a2372b990a7ff7efd991707d52a13e6 33 | 0868a27ef0aa512cbae82f4251767f4b 34 | ``` 35 | 36 | #### Carbon Comms x64 37 | 38 | ``` 39 | e5a90e7e63ededbdd5ee13219bc93fce 40 | 7ec8a9641d7342d1a471ebcd98e28b62 41 | efcfff316e9cf183ca1cd619968cd11c 42 | ``` 43 | 44 | ### C&C 45 | 46 | - `www.berlinguas[.]com:443:/wp-content/languages/index.php` 47 | 48 | - `www.balletmaniacs[.]com:443:/wp-includes/fonts/icons/` 49 | 50 | - `pastebin[.]com:443:/raw/5qXBPmAZ` 51 | 52 | ## Content 53 | 54 | [Carbon_decrypt_config.py](Carbon_decrypt_config.py) 55 | 56 | ​ ESET Python script to extract encrypted configuration from Carbon 57 | 58 | 
[a6efd027b121347201a3de769389e6dd_Config.txt](a6efd027b121347201a3de769389e6dd_Config.txt) 59 | 60 | ​ Carbon configuration file extracted from the dropper with hash `a6efd027b121347201a3de769389e6dd` 61 | 62 | ## Yara Rules 63 | 64 | [apt_RU_Turla_Carbon_Dropper.yar](apt_RU_Turla_Carbon_Dropper.yar) 65 | 66 | ​ YARA Rule to detect the Carbon dropper 67 | 68 | [apt_RU_Turla_Carbon_ServiceDLL.yar](apt_RU_Turla_Carbon_ServiceDLL.yar) 69 | 70 | ​ YARA Rule to detect the Carbon Service DLL 71 | 72 | [apt_RU_Turla_Carbon_CommunicationLibrary.yar](apt_RU_Turla_Carbon_CommunicationLibrary.yar) 73 | 74 | ​ YARA Rule to detect the Carbon Comms Library 75 | 76 | [apt_RU_Turla_Carbon_Orchestrator.yar](apt_RU_Turla_Carbon_Orchestrator.yar) 77 | 78 | ​ YARA Rule to detect the Carbon Orchestrator 79 | -------------------------------------------------------------------------------- /blackmatter/dict.txt: -------------------------------------------------------------------------------- 1 | # Paths 2 | $recycle.bin 3 | config.msi 4 | $windows.~bt 5 | $windows.~ws 6 | windows 7 | appdata 8 | application data 9 | boot 10 | google 11 | mozilla 12 | program files 13 | program files (x86) 14 | programdata 15 | system volume information 16 | tor browser 17 | windows.old 18 | intel 19 | msocache 20 | perflogs 21 | x64dbg 22 | public 23 | all users 24 | default 25 | backup 26 | 27 | # Files 28 | autorun.inf 29 | boot.ini 30 | bootfont.bin 31 | bootsect.bak 32 | desktop.ini 33 | iconcache.db 34 | ntldr 35 | ntuser.dat 36 | ntuser.dat.log 37 | ntuser.ini 38 | thumbs.db 39 | 40 | # Extensions 41 | 386 42 | adv 43 | ani 44 | bat 45 | bin 46 | cab 47 | cmd 48 | com 49 | cpl 50 | cur 51 | deskthemepack 52 | diagcab 53 | diagcfg 54 | diagpkg 55 | dll 56 | drv 57 | exe 58 | hlp 59 | icl 60 | icns 61 | ico 62 | ics 63 | idx 64 | ldf 65 | lnk 66 | mod 67 | mpa 68 | msc 69 | msp 70 | msstyles 71 | msu 72 | nls 73 | nomedia 74 | ocx 75 | prf 76 | ps1 77 | rom 78 | rtp 79 | scr 80 | shs 81 | spl 82 | 
sys 83 | theme 84 | themepack 85 | wpx 86 | lock 87 | key 88 | hta 89 | msi 90 | pdb 91 | mdf 92 | ndf 93 | edb 94 | mdb 95 | accdb 96 | 97 | # Processes 98 | vmcompute.exe 99 | vmms.exe 100 | vmwp.exe 101 | svchost.exe 102 | TeamViewer.exe 103 | explorer.exe 104 | svchost.exe 105 | sql 106 | oracle 107 | ocssd 108 | dbsnmp 109 | synctime 110 | agntsvc 111 | isqlplussvc 112 | xfssvccon 113 | mydesktopservice 114 | ocautoupds 115 | encsvc 116 | firefox 117 | tbirdconfig 118 | mydesktopqos 119 | ocomm 120 | dbeng50 121 | sqbcoreservice 122 | excel 123 | infopath 124 | msaccess 125 | mspub 126 | onenote 127 | outlook 128 | powerpnt 129 | steam 130 | thebat 131 | thunderbird 132 | visio 133 | winword 134 | wordpad 135 | notepad 136 | runonce.exe 137 | 138 | # Services 139 | sqlite 140 | vss 141 | sql 142 | svc$ 143 | memtas 144 | mepocs 145 | sophos 146 | veeam 147 | backup 148 | GxVss 149 | GxBlr 150 | GxFWD 151 | GxCVD 152 | GxCIMgr 153 | 154 | # Arguments 155 | -path 156 | -safe 157 | -wall 158 | 159 | # Network shares 160 | admin$ 161 | c$ 162 | 163 | # C2 URL 164 | http 165 | https -------------------------------------------------------------------------------- /blackmatter/output.txt: -------------------------------------------------------------------------------- 1 | [*] Trying to crack 98 hashes... 
2 | [+] Cracked hash 0xc5b01900 = adv 3 | [+] Cracked hash 0xd4aaebb2 = admin$ 4 | [+] Cracked hash 0xdd801cc0 = msp 5 | [+] Cracked hash 0xdd181cc0 = msc 6 | [+] Cracked hash 0xc9201b40 = cmd 7 | [+] Cracked hash 0xcbb01c80 = drv 8 | [+] Cracked hash 0x64e29771 = diagpkg 9 | [+] Cracked hash 0x3907099b = boot.ini 10 | [+] Cracked hash 0xd3081d00 = hta 11 | [+] Cracked hash 0xdd081c00 = mpa 12 | [+] Cracked hash 0xe1a63bc0 = boot 13 | [+] Cracked hash 0xe7801d00 = rtp 14 | [+] Cracked hash 0xcd281e00 = exe 15 | [+] Cracked hash 0x7f07935 = windows.old 16 | [+] Cracked hash 0xfe9e7c10 = runonce.exe 17 | [+] Cracked hash 0xdb301900 = ldf 18 | [+] Cracked hash 0xc6ce6958 = appdata 19 | [+] Cracked hash 0xa1fccbfe = deskthemepack 20 | [+] Cracked hash 0xdd301900 = mdf 21 | [+] Cracked hash 0xe9601c00 = spl 22 | [+] Cracked hash 0xe3426cd7 = windows 23 | [+] Cracked hash 0xd57818c0 = ico 24 | [+] Cracked hash 0xdb975937 = ntldr 25 | [+] Cracked hash 0x267078f5 = $windows.~bt 26 | [+] Cracked hash 0x85aa57e4 = ntuser.dat.log 27 | [+] Cracked hash 0xdd101900 = mdb 28 | [+] Cracked hash 0x86ccaa15 = autorun.inf 29 | [+] Cracked hash 0xfcc8ab56 = bootsect.bak 30 | [+] Cracked hash 0xd9c81940 = key 31 | [+] Cracked hash 0xc5481b80 = ani 32 | [+] Cracked hash 0x26687e35 = $windows.~ws 33 | [+] Cracked hash 0x4ae29631 = diagcfg 34 | [+] Cracked hash 0xc9601c00 = cpl 35 | [+] Cracked hash 0xdd481cc0 = msi 36 | [+] Cracked hash 0x5366e694 = perflogs 37 | [+] Cracked hash 0xf1c01c00 = wpx 38 | [+] Cracked hash 0x2e75e394 = programdata 39 | [+] Cracked hash 0xc7a01840 = bat 40 | [+] Cracked hash 0x4c4b25d4 = tor browser 41 | [+] Cracked hash 0xba22623b = all users 42 | [+] Cracked hash 0xe9981a00 = shs 43 | [+] Cracked hash 0xb7ea3892 = msocache 44 | [+] Cracked hash 0xc9901d40 = cur 45 | [+] Cracked hash 0xe1881cc0 = ps1 46 | [+] Cracked hash 0xa6f2d1a7 = application data 47 | [+] Cracked hash 0xc23aa6f5 = ntuser.dat 48 | [+] Cracked hash 0xd59818c0 = ics 49 | [+] Cracked hash 
0xe9981e40 = sys 50 | [+] Cracked hash 0xc9101840 = cab 51 | [+] Cracked hash 0xc8cef7d1 = thumbs.db 52 | [+] Cracked hash 0xcd101900 = edb 53 | [+] Cracked hash 0x4aba94f1 = diagcab 54 | [+] Cracked hash 0x5cde3a7b = public 55 | [+] Cracked hash 0xdf981b00 = nls 56 | [+] Cracked hash 0xdda81cc0 = msu 57 | [+] Cracked hash 0xd5c01900 = idx 58 | [+] Cracked hash 0xdf301900 = ndf 59 | [+] Cracked hash 0xef3a37b3 = default 60 | [+] Cracked hash 0x4cca7837 = nomedia 61 | [+] Cracked hash 0x12018c0 = c$ 62 | [+] Cracked hash 0xe99018c0 = scr 63 | [+] Cracked hash 0xc7701a40 = bin 64 | [+] Cracked hash 0xe7681bc0 = rom 65 | [+] Cracked hash 0x45678b17 = -wall 66 | [+] Cracked hash 0xe1c018c0 = ocx 67 | [+] Cracked hash 0xaf16c593 = themepack 68 | [+] Cracked hash 0x49164931 = accdb 69 | [+] Cracked hash 0xd56018c0 = icl 70 | [+] Cracked hash 0x45471d17 = -path 71 | [+] Cracked hash 0x8cf281cd = config.msi 72 | [+] Cracked hash 0xc99eab80 = icns 73 | [+] Cracked hash 0xd3801b00 = hlp 74 | [+] Cracked hash 0xcbe2aa35 = ntuser.ini 75 | [+] Cracked hash 0xcb601b00 = dll 76 | [+] Cracked hash 0xeb9f5c34 = https 77 | [+] Cracked hash 0x846bec00 = iconcache.db 78 | [+] Cracked hash 0xdb581b80 = lnk 79 | [+] Cracked hash 0xe3101900 = pdb 80 | [+] Cracked hash 0x30a212d = $recycle.bin 81 | [+] Cracked hash 0x452f4997 = -safe 82 | [+] Cracked hash 0x36004e4e = program files 83 | [+] Cracked hash 0x67b00e00 = 386 84 | [+] Cracked hash 0x52cb0b38 = google 85 | [+] Cracked hash 0xe3301c80 = prf 86 | [+] Cracked hash 0xab086595 = program files (x86) 87 | [+] Cracked hash 0xdd201bc0 = mod 88 | [+] Cracked hash 0xeb869d00 = http 89 | [+] Cracked hash 0xdccab8dd = mozilla 90 | [+] Cracked hash 0x3eb272e6 = explorer.exe 91 | [+] Cracked hash 0xf00cae96 = bootfont.bin 92 | [+] Cracked hash 0xc9681bc0 = com 93 | [+] Cracked hash 0x4a6bb7db = msstyles 94 | [+] Cracked hash 0xe15ed8c0 = lock 95 | [+] Cracked hash 0xae018eae = system volume information 96 | [+] Cracked hash 0x82d2a252 = 
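desktop.ini 97 | [+] Cracked hash 0x6b66f975 = intel 98 | [+] Cracked hash 0xb7e02438 = svchost.exe 99 | [+] Cracked hash 0xcd2e9b7a = theme 100 | [+] Total hashes cracked: 98 -------------------------------------------------------------------------------- /blackmatter/BlackMatter_hash.py: --------------------------------------------------------------------------------
import argparse
import json

# BlackMatter string hashes are 32-bit values; the rotation masks to this width.
_MASK32 = 0xFFFFFFFF


def _clean_lines(text_file, comment_prefix):
    """Read *text_file* to the end, close it, and return its unique,
    non-empty lines that do not start with *comment_prefix* (order is
    not preserved).
    """
    try:
        lines = text_file.read().splitlines()
    finally:
        text_file.close()
    return list({line for line in lines if line and not line.startswith(comment_prefix)})


def create_hash_table(dict_file):
    """Build a {hex_hash_string: plaintext} table from a dictionary file.

    Args:
        dict_file: open text file with one candidate string per line. Blank
            lines and lines starting with '#' are skipped (the README
            documents '#' comments; the old '# ' filter missed '#foo').
            The file is closed on return.

    Returns:
        dict mapping the ``hex()`` form of each string's ROR13 hash
        (e.g. ``'0xcd281e00'``) to the string. Strings that hash to the
        same value keep an arbitrary one of them.
    """
    return {hex(ror13Seed(string, 0)): string
            for string in _clean_lines(dict_file, '#')}


def get_target_hashes(hashes_file):
    """Parse a file of hexadecimal hashes (with or without ``0x``) into ints.

    Blank and '#'-comment lines are skipped and duplicates dropped; the file
    is closed on return.

    Raises:
        ValueError: if a remaining line is not valid hexadecimal.
    """
    return [int(value, 16) for value in _clean_lines(hashes_file, '#')]


def crack_hashes_with_dict(dict_file, hashes_file):
    """Look every target hash up in the dictionary-derived table.

    Prints one line per target hash and returns {hex_hash_string: plaintext}
    for the ones found. The table is keyed by ``hex()`` strings while the
    targets are ints, so each target is converted before the lookup —
    looking the int itself up (as before) never matched anything.
    """
    hash_table = create_hash_table(dict_file)
    target_hashes = get_target_hashes(hashes_file)
    cracked_hashes = {}

    print(f'[*] Trying to crack {len(target_hashes)} hashes...')

    for target in target_hashes:
        # hex(n) produces the same text as f'{n:#02x}' for non-negative n.
        key = hex(target)
        plaintext = hash_table.get(key)
        if plaintext is None:
            print(f'[-] Couldn\'t crack hash {key}')
        else:
            print(f'[+] Cracked hash {key} = {plaintext}')
            cracked_hashes[key] = plaintext

    return cracked_hashes


def ror13Seed(inString, seed):
    """ROR13-additive string hash as used by BlackMatter.

    Every character of *inString* plus a terminating NUL is folded in as
    ``seed = ror32(seed, 13) + ord(ch)``. The rotation masks the running
    value to 32 bits; because the last character is NUL (adds 0) the
    returned value always fits in 32 bits. *seed* is normally 0 and lets a
    module hash be chained into an API-name hash (see calc_api_hash).
    """
    for ch in inString + "\x00":
        seed &= _MASK32
        seed = ((seed >> 13) | (seed << 19)) & _MASK32
        seed += ord(ch)
    return seed


def calc_api_hash(api_name, module_name):
    """Return ``(module_hash, api_hash)``; the API hash is seeded with the
    module hash so the pair identifies one export of one module."""
    module_hash = ror13Seed(module_name, 0)
    api_hash = ror13Seed(api_name, module_hash)
    return module_hash, api_hash


def main():
    """Command-line entry point.

    Modes, checked in this order: ``-m``+``-a`` (module/API hash pair),
    ``-s`` (hash one string), ``-d``+``-t`` (crack a hashes file, optional
    ``-o`` JSON dump), ``-d``+``-o`` (dump the whole dictionary table).
    Anything else prints the help.
    """
    parser = argparse.ArgumentParser(description='Calculate or crack BlackMatter hashes based on dictionary')
    parser.add_argument('-m', '--module_name', help='Module name to calculate hash')
    parser.add_argument('-a', '--api_name', help='Api name to calculate hash')
    parser.add_argument('-s', '--string', help='String to calculate hash')
    parser.add_argument('-d', '--dictionary', help='Dictionary file where to read strings', type=argparse.FileType('r', encoding='UTF-8'))
    parser.add_argument('-t', '--target_hashes', help='Target hashes to crack', type=argparse.FileType('r', encoding='UTF-8'))
    parser.add_argument('-o', '--output_file', help='Filename to dump the cracked hashes in JSON format', type=argparse.FileType('w', encoding='UTF-8'))
    args = parser.parse_args()

    if args.api_name and args.module_name:
        module_hash, api_hash = calc_api_hash(args.api_name, args.module_name)
        print(f'{args.module_name} hash = 0x{module_hash:02x}')
        print(f'{args.api_name} = 0x{api_hash:02x}')
        return

    if args.string:
        out_hash = ror13Seed(args.string, 0)
        print(f'{args.string} = 0x{out_hash:02x}')
        return

    if args.dictionary and args.target_hashes:
        cracked_hashes = crack_hashes_with_dict(args.dictionary, args.target_hashes)
        print(f'[+] Total hashes cracked: {len(cracked_hashes)}')

        if args.output_file:
            # Close explicitly so the JSON is flushed to disk rather than
            # relying on interpreter shutdown to close the argparse file.
            with args.output_file as out:
                json.dump(cracked_hashes, out, indent=4)

        return

    if args.dictionary and args.output_file:
        hash_table = create_hash_table(args.dictionary)
        with args.output_file as out:
            json.dump(hash_table, out, indent=4)
        print(f'File {args.output_file.name} containing hash dictionary created succesfully!')
        return

    parser.print_help()


if __name__ == "__main__":
    main()
-------------------------------------------------------------------------------- /blackmatter/cracked.json: -------------------------------------------------------------------------------- 1 | { 2 | "0xc9e76a92": "synctime", 3 | "0x350ee996": "sqbcoreservice", 4 | "0x45a5f154": "thunderbird", 5 | "0x1f74b2c2": "GxCIMgr", 6 | "0xab086595": "program files (x86)", 7 | "0xdd481cc0": "msi", 8 | "0xc7701a40": "bin", 9 | "0xdf301900": "ndf", 10 | "0xdb645841": "mydesktopqos", 11 | "0xd3801b00": "hlp", 12 | "0xdd081c00": "mpa", 13 | "0xd9c81940": "key", 14 | "0x4d6f587a": "steam", 15 | "0xeb869d00": "http", 16 | "0x31461a5c": "xfssvccon", 17 | "0xdf981b00": "nls", 18 | "0xbac47bbf": "vmcompute.exe", 19 | "0xe4e2763a": "notepad", 20 | "0xc9681bc0": "com", 21 | "0x452f4997": "-safe", 22 | "0xed2748c0": "svc$", 23 | "0x556b1bf8": "sophos", 24 | "0xc9201b40": "cmd", 25 | "0x4a6bb7db": "msstyles", 26 | "0xeb9f5c34": "https", 27 | "0xcd6e687b": "veeam", 28 | "0xe4e26759": "wordpad", 29 | "0xae018eae": "system volume information", 30 | "0xe3301c80": "prf", 31 | "0xe9981a00": "shs", 32 | "0x86728ff4": "ocautoupds", 33 | "0xd59818c0": "ics", 34 | "0x86ccaa15": "autorun.inf", 35 | "0x8cf281cd": "config.msi", 36 | "0xe332e9da": "outlook", 37 | "0x635318f3": "mepocs", 38 | "0x45678b17": "-wall", 39 | "0x846bec00": "iconcache.db", 40 | "0xcbe2aa35": "ntuser.ini", 41 | "0x62e70b13": "onenote", 42 | "0x4aba94f1": "diagcab", 43 | "0x4ae29631": "diagcfg", 44 | "0x2f9f9ce4": "GxVss", 45 | "0xd4aaebb2": "admin$", 46 | "0xbc225b52": "msaccess", 47 | "0x3eb272e6": "explorer.exe", 48 | "0xdd181cc0": "msc", 49 | "0xd16a78b9": "firefox", 50 | "0x616e4b78": "ocomm", 51 | "0xafdf2af8": "infopath", 52 | "0xe71dab3f": "TeamViewer.exe", 53 | "0xfcc8ab56":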
"bootsect.bak", 54 | "0xe2cb9b97": "winword", 55 | "0xf1c01c00": "wpx", 56 | "0xc9766874": "thebat", 57 | "0x82795a4": "GxCVD", 58 | "0xeab24db7": "encsvc", 59 | "0xb7ea3892": "msocache", 60 | "0xb7e02438": "svchost.exe", 61 | "0xcb601b00": "dll", 62 | "0x56fadd39": "sqlite", 63 | "0xe9601c00": "spl", 64 | "0x45070bd9": "vmwp.exe", 65 | "0x9a8b96b6": "mydesktopservice", 66 | "0xc9901d40": "cur", 67 | "0xc99eab80": "icns", 68 | "0xdb581b80": "lnk", 69 | "0x85aa57e4": "ntuser.dat.log", 70 | "0xd56018c0": "icl", 71 | "0x12018c0": "c$", 72 | "0xef3a37b3": "default", 73 | "0xeabb69d7": "agntsvc", 74 | "0x82d2a252": "desktop.ini", 75 | "0xdd301900": "mdf", 76 | "0x510ef9f3": "dbeng50", 77 | "0x6d52e873": "memtas", 78 | "0x69264cf8": "ocssd", 79 | "0x26687e35": "$windows.~ws", 80 | "0xc6ce6958": "appdata", 81 | "0x52cb0b38": "google", 82 | "0xe9601c40": "sql", 83 | "0xe99018c0": "scr", 84 | "0xc5481b80": "ani", 85 | "0x49679973": "excel", 86 | "0xdccab8dd": "mozilla", 87 | "0xdd801cc0": "msp", 88 | "0x43b64f11": "tbirdconfig", 89 | "0xe9981e40": "sys", 90 | "0xd57818c0": "ico", 91 | "0xdb301900": "ldf", 92 | "0xe1174b71": "dbsnmp", 93 | "0xaf16c593": "themepack", 94 | "0xf00cae96": "bootfont.bin", 95 | "0xd5834993": "powerpnt", 96 | "0xe15ed8c0": "lock", 97 | "0xe7801d00": "rtp", 98 | "0x97a4e3d8": "isqlplussvc", 99 | "0xcd281e00": "exe", 100 | "0xcbb01c80": "drv", 101 | "0x2e75e394": "programdata", 102 | "0xc7a01840": "bat", 103 | "0xd3081d00": "hta", 104 | "0xe1881cc0": "ps1", 105 | "0xcd1b589b": "x64dbg", 106 | "0xc9101840": "cab", 107 | "0xa1fccbfe": "deskthemepack", 108 | "0x5b0e4d71": "backup", 109 | "0x267078f5": "$windows.~bt", 110 | "0x3907099b": "boot.ini", 111 | "0x45471d17": "-path", 112 | "0x63174d77": "mspub", 113 | "0xa6f2d1a7": "application data", 114 | "0xe97eaa7b": "visio", 115 | "0x36004e4e": "program files", 116 | "0x5366e694": "perflogs", 117 | "0xe2795e4": "GxFWD", 118 | "0xc5b01900": "adv", 119 | "0xc9601c00": "cpl", 120 | "0xdda81cc0": "msu", 121 | 
"0xe7681bc0": "rom", 122 | "0x4c4b25d4": "tor browser", 123 | "0x4cca7837": "nomedia", 124 | "0xdd201bc0": "mod", 125 | "0xcd101900": "edb", 126 | "0xe1a63bc0": "boot", 127 | "0xcaea2b39": "oracle", 128 | "0xd5c01900": "idx", 129 | "0xe3426cd7": "windows", 130 | "0x67b00e00": "386", 131 | "0xcd2e9b7a": "theme", 132 | "0xfe9e7c10": "runonce.exe", 133 | "0xdb975937": "ntldr", 134 | "0xc4df0bda": "vmms.exe", 135 | "0x6b66f975": "intel", 136 | "0xba22623b": "all users", 137 | "0xc23aa6f5": "ntuser.dat", 138 | "0x7979b24": "GxBlr", 139 | "0xef981cc0": "vss", 140 | "0x5cde3a7b": "public", 141 | "0x49164931": "accdb", 142 | "0x7f07935": "windows.old", 143 | "0xc8cef7d1": "thumbs.db", 144 | "0xdd101900": "mdb", 145 | "0xe3101900": "pdb", 146 | "0x64e29771": "diagpkg", 147 | "0xe1c018c0": "ocx", 148 | "0x30a212d": "$recycle.bin" 149 | } -------------------------------------------------------------------------------- /blackmatter/README.md: -------------------------------------------------------------------------------- 1 | # BlackMatter 2 | In this repo you can find a small tool called `BlackMatter_hash.py` to recover the strings behind the hashes hardcoded in different samples of the BlackMatter ransomware. 3 | 4 | ## Usage 5 | 6 | In order to work it needs a file with the hashes, one per line, and a dictionary file with the candidate strings to try (processes, paths, extensions, ...) in the same format. 7 | 8 | ``` 9 | python BlackMatter_hash.py -d DICTIONARY_FILE -t HASHES_FILE -o OUTPUT_FILE 10 | python BlackMatter_hash.py -m MODULE_NAME -a API_NAME 11 | python BlackMatter_hash.py -s STRING 12 | ``` 13 | 14 | ### File Format 15 | 16 | The script will calculate the hash of every string in the dictionary file. 17 | 18 | Hashes may be written with or without a `0x` prefix and must be in hexadecimal. 19 | 20 | Lines starting with '#' will be ignored. 
21 | 22 | ``` 23 | # Hashes file example 24 | 0xE99018C0 25 | 4c4b25d4 26 | 27 | # Dict file example 28 | $recycle.bin 29 | ``` 30 | 31 | ## Example 32 | 33 | ``` 34 | python BlackMatter_hash.py -d dict.txt -t hashes.txt -o cracked.json 35 | [*] Trying to crack 98 hashes... 36 | [+] Cracked hash 0xc5b01900 = adv 37 | [+] Cracked hash 0xd4aaebb2 = admin$ 38 | [+] Cracked hash 0xdd801cc0 = msp 39 | [+] Cracked hash 0xdd181cc0 = msc 40 | [+] Cracked hash 0xc9201b40 = cmd 41 | [+] Cracked hash 0xcbb01c80 = drv 42 | [+] Cracked hash 0x64e29771 = diagpkg 43 | [+] Cracked hash 0x3907099b = boot.ini 44 | [+] Cracked hash 0xd3081d00 = hta 45 | [+] Cracked hash 0xdd081c00 = mpa 46 | [+] Cracked hash 0xe1a63bc0 = boot 47 | [+] Cracked hash 0xe7801d00 = rtp 48 | [+] Cracked hash 0xcd281e00 = exe 49 | [+] Cracked hash 0x7f07935 = windows.old 50 | [+] Cracked hash 0xfe9e7c10 = runonce.exe 51 | [+] Cracked hash 0xdb301900 = ldf 52 | [+] Cracked hash 0xc6ce6958 = appdata 53 | [+] Cracked hash 0xa1fccbfe = deskthemepack 54 | [+] Cracked hash 0xdd301900 = mdf 55 | [+] Cracked hash 0xe9601c00 = spl 56 | [+] Cracked hash 0xe3426cd7 = windows 57 | [+] Cracked hash 0xd57818c0 = ico 58 | [+] Cracked hash 0xdb975937 = ntldr 59 | [+] Cracked hash 0x267078f5 = $windows.~bt 60 | [+] Cracked hash 0x85aa57e4 = ntuser.dat.log 61 | [+] Cracked hash 0xdd101900 = mdb 62 | [+] Cracked hash 0x86ccaa15 = autorun.inf 63 | [+] Cracked hash 0xfcc8ab56 = bootsect.bak 64 | [+] Cracked hash 0xd9c81940 = key 65 | [+] Cracked hash 0xc5481b80 = ani 66 | [+] Cracked hash 0x26687e35 = $windows.~ws 67 | [+] Cracked hash 0x4ae29631 = diagcfg 68 | [+] Cracked hash 0xc9601c00 = cpl 69 | [+] Cracked hash 0xdd481cc0 = msi 70 | [+] Cracked hash 0x5366e694 = perflogs 71 | [+] Cracked hash 0xf1c01c00 = wpx 72 | [+] Cracked hash 0x2e75e394 = programdata 73 | [+] Cracked hash 0xc7a01840 = bat 74 | [+] Cracked hash 0x4c4b25d4 = tor browser 75 | [+] Cracked hash 0xba22623b = all users 76 | [+] Cracked hash 0xe9981a00 = shs 
77 | [+] Cracked hash 0xb7ea3892 = msocache 78 | [+] Cracked hash 0xc9901d40 = cur 79 | [+] Cracked hash 0xe1881cc0 = ps1 80 | [+] Cracked hash 0xa6f2d1a7 = application data 81 | [+] Cracked hash 0xc23aa6f5 = ntuser.dat 82 | [+] Cracked hash 0xd59818c0 = ics 83 | [+] Cracked hash 0xe9981e40 = sys 84 | [+] Cracked hash 0xc9101840 = cab 85 | [+] Cracked hash 0xc8cef7d1 = thumbs.db 86 | [+] Cracked hash 0xcd101900 = edb 87 | [+] Cracked hash 0x4aba94f1 = diagcab 88 | [+] Cracked hash 0x5cde3a7b = public 89 | [+] Cracked hash 0xdf981b00 = nls 90 | [+] Cracked hash 0xdda81cc0 = msu 91 | [+] Cracked hash 0xd5c01900 = idx 92 | [+] Cracked hash 0xdf301900 = ndf 93 | [+] Cracked hash 0xef3a37b3 = default 94 | [+] Cracked hash 0x4cca7837 = nomedia 95 | [+] Cracked hash 0x12018c0 = c$ 96 | [+] Cracked hash 0xe99018c0 = scr 97 | [+] Cracked hash 0xc7701a40 = bin 98 | [+] Cracked hash 0xe7681bc0 = rom 99 | [+] Cracked hash 0x45678b17 = -wall 100 | [+] Cracked hash 0xe1c018c0 = ocx 101 | [+] Cracked hash 0xaf16c593 = themepack 102 | [+] Cracked hash 0x49164931 = accdb 103 | [+] Cracked hash 0xd56018c0 = icl 104 | [+] Cracked hash 0x45471d17 = -path 105 | [+] Cracked hash 0x8cf281cd = config.msi 106 | [+] Cracked hash 0xc99eab80 = icns 107 | [+] Cracked hash 0xd3801b00 = hlp 108 | [+] Cracked hash 0xcbe2aa35 = ntuser.ini 109 | [+] Cracked hash 0xcb601b00 = dll 110 | [+] Cracked hash 0xeb9f5c34 = https 111 | [+] Cracked hash 0x846bec00 = iconcache.db 112 | [+] Cracked hash 0xdb581b80 = lnk 113 | [+] Cracked hash 0xe3101900 = pdb 114 | [+] Cracked hash 0x30a212d = $recycle.bin 115 | [+] Cracked hash 0x452f4997 = -safe 116 | [+] Cracked hash 0x36004e4e = program files 117 | [+] Cracked hash 0x67b00e00 = 386 118 | [+] Cracked hash 0x52cb0b38 = google 119 | [+] Cracked hash 0xe3301c80 = prf 120 | [+] Cracked hash 0xab086595 = program files (x86) 121 | [+] Cracked hash 0xdd201bc0 = mod 122 | [+] Cracked hash 0xeb869d00 = http 123 | [+] Cracked hash 0xdccab8dd = mozilla 124 | [+] 
Cracked hash 0x3eb272e6 = explorer.exe 125 | [+] Cracked hash 0xf00cae96 = bootfont.bin 126 | [+] Cracked hash 0xc9681bc0 = com 127 | [+] Cracked hash 0x4a6bb7db = msstyles 128 | [+] Cracked hash 0xe15ed8c0 = lock 129 | [+] Cracked hash 0xae018eae = system volume information 130 | [+] Cracked hash 0x82d2a252 = desktop.ini 131 | [+] Cracked hash 0x6b66f975 = intel 132 | [+] Cracked hash 0xb7e02438 = svchost.exe 133 | [+] Cracked hash 0xcd2e9b7a = theme 134 | [+] Total hashes cracked: 98 135 | ``` 136 | 137 | ## IOCs 138 | 139 | ### Samples 140 | 141 | ``` 142 | 2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009 143 | 7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984 144 | 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6 145 | c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99 146 | daed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720 147 | ``` 148 | 149 | ### C&C 150 | 151 | ``` 152 | mojobiden[.]com 153 | paymenthacks[.]com 154 | ``` 155 | 156 | --------------------------------------------------------------------------------