├── .gitignore ├── README.md ├── crylock ├── README.md ├── crylock_20210706.yar └── crylock_hashes.csv ├── darkgate ├── extractor.py └── yara-rule-builder.py ├── defray777 └── vatet_loader.yar ├── flubot ├── README.md ├── flubot.yar ├── hashes.csv ├── teabot.yar └── teabot_extractor.py ├── hacktools └── hacktools.yar ├── icedid ├── LICENSE ├── README.md ├── compute_botid_and_regkeys.py ├── decrypt_strings_ida.py ├── icedid_20210507.yar └── icedid_hashes.csv ├── plugx └── plugx_mustang_panda.yar ├── raspberry_robin ├── domains.txt ├── hashes.txt └── ips.txt └── systembc ├── extract_systembc.py └── systembc.yara /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Telekom Security Malware Analysis Repository 2 | 3 | This repository comprises scripts, signatures, and additional IOCs of our blog posts at the [telekom.com blog](https://www.telekom.com/en/blog) as well as of our [Twitter account](https://twitter.com/DTCERT). 
4 | 5 | - 2021-05-17: [Let’s set ice on fire: Hunting and detecting IcedID infections](https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240) ([IcedID](https://github.com/telekom-security/malware_analysis/tree/main/icedid)) 6 | - 2021-07-14: [LOCKDATA Auction – Another leak marketplace showing the recent shift of ransomware operators](https://www.telekom.com/en/blog/group/article/lockdata-auction-631300) ([CryLock](https://github.com/telekom-security/malware_analysis/tree/main/crylock)) 7 | - 2021-09-14: [Flubot's Smishing Campaigns under the Microscope](https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368) ([Flubot/Teabot](https://github.com/telekom-security/malware_analysis/tree/main/flubot)) 8 | - 2021-10-29: [#YARA rule for hunting XOR encrypted #PlugX / #Korplug payloads](https://twitter.com/DTCERT/status/1454022175254618114?s=20) ([PlugX](https://github.com/telekom-security/malware_analysis/tree/main/plugx)) 9 | - 2022-01-14: [#100DaysOfYara Detect Hacktools that modify RDP settings](https://twitter.com/DTCERT/status/1481925582019571712?s=20) ([Hacktools](https://github.com/telekom-security/malware_analysis/tree/main/hacktools)) 10 | - 2022-03-11: [SystemBC YARA rule and extractor](https://twitter.com/DTCERT/status/1502214236268900354) ([SystemBC](https://github.com/telekom-security/malware_analysis/tree/main/systembc)) 11 | - 2022-03-18: [#100DaysOfYara Detect Vatet Loader in backdoored Rufus](https://twitter.com/DTCERT/status/1504778715913408512) ([Defray777](https://github.com/telekom-security/malware_analysis/tree/main/defray777)) 12 | - 2022-09-02: [Raspberry Robin](https://twitter.com/DTCERT/status/1565664874633564162) ([IOCs](https://github.com/telekom-security/malware_analysis/tree/main/raspberry_robin)) 13 | -------------------------------------------------------------------------------- /crylock/README.md: 
-------------------------------------------------------------------------------- 1 | # crylock_analysis 2 | 3 | This repository contains analysis scripts, YARA rules, and additional IoCs related to the blog post [LOCKDATA Auction – Another leak marketplace showing the recent shift of ransomware operators](https://www.telekom.com/en/blog/group/article/lockdata-auction-631300). 4 | 5 | - `crylock_20210706.yar`: several YARA rules to detect CryLock binaries and ransom notes 6 | - `crylock_hashes.csv`: list of hashes that match the rules from `crylock_20210706.yar` as well as the rule `RAN_CryLock_Oct_2020_1` found in [https://github.com/StrangerealIntel/DailyIOC](https://github.com/StrangerealIntel/DailyIOC/blob/master/2020-10-15/Crylock/RAN_CryLock_Oct_2020_1.yar). Note that `CryLock_Search_Keys` and `CryLock_Search_Keys_Zip` are not real rules but just convenience tags to list samples. 7 | -------------------------------------------------------------------------------- /crylock/crylock_20210706.yar: -------------------------------------------------------------------------------- 1 | rule Crylock_binary { 2 | meta: 3 | description = "Detects CryLock ransomware v2.3.0.0" 4 | author = "Thomas Barabosch, Telekom Security" 5 | reference = "TBA" 6 | date = "2021-06-28" 7 | strings: 8 | $s1 = "how_to_decrypt.hta" ascii 9 | $s2 = "UAC annoy and ask admin rights" ascii 10 | $s3 = "<%UNDECRYPT_DATETIME%>" ascii 11 | $s4 = "<%RESERVE_CONTACT%>" ascii 12 | $s5 = "<%MAIN_CONTACT%>" ascii 13 | $s6 = "<%HID%>" ascii 14 | $s7 = "Get local IPs list" ascii 15 | $s8 = "Get password hash" ascii 16 | $s9 = "END PROCESSES KILL LIST" ascii 17 | $s10 = "CIS zone detected" ascii 18 | $s11 = "Launch encryption threads..." 
ascii 19 | $s12 = "FastBlackRabbit" ascii 20 | $s13 = "Preliminary password hash calculation" ascii 21 | $s14 = "Encrypted:" ascii 22 | condition: 23 | uint16(0) == 0x5a4d 24 | and filesize > 150KB 25 | and filesize < 1MB 26 | and 8 of ($s*) 27 | } 28 | 29 | rule Crylock_hta { 30 | meta: 31 | description = "Detects CryLock ransomware how_to_decrypt.hta ransom note" 32 | author = "Thomas Barabosch, Telekom Security" 33 | reference = "TBA" 34 | date = "2021-06-28" 35 | strings: 36 | $s1 = "var main_contact =" ascii 37 | $s2 = "var max_discount =" ascii 38 | $s3 = "CryLock" ascii 39 | $s4 = "var discount_date = new Date(" ascii 40 | $s5 = "var main_contact =" ascii 41 | $s6 = "var hid = " ascii 42 | $s7 = "var second_contact = " ascii 43 | $s8 = "document.getElementById('main_contact').innerHTML = main_contact;" ascii 44 | $s9 = "document.getElementById('second_contact').innerHTML = second_contact;" ascii 45 | $s10 = "document.getElementById('hid').innerHTML = hid;" ascii 46 | $s11 = "be able to decrypt your files. Contact us" ascii 47 | $s12 = "Attention! This important information for you" ascii 48 | $s13 = "higher will become the decryption key price" ascii 49 | $s14 = "Before payment, we can decrypt three files for free." 
ascii 50 | condition: 51 | filesize < 100KB 52 | and 8 of ($s*) 53 | } 54 | -------------------------------------------------------------------------------- /crylock/crylock_hashes.csv: -------------------------------------------------------------------------------- 1 | Crylock, 1c2975dd464d014502a46ba6383943c7de4635e3664011653217dc424d53f8fe 2 | Crylock, 4721ca6f9ae9a8b8ff14f4192dc5b8324d3240c1e69c090da2453626b944fddf 3 | Crylock, 642f2a522839cd364d541c4be28dae3f69ff2d0d8ea4e81c205a393b5aa07329 4 | Crylock, 6bc21092f49a473b0fd4d1e1a77ce5d7e97e961334764b606b7014710fb75466 5 | Crylock, 806646c2f0b6954633d97fecc19c8c5be46bb2ed7211b29f62c97f3de8404c10 6 | Crylock, 94a0b08d785e8f2d109dc5e34e1d9c1e8985a278bf3c11bc7a28a8f0b48b95d7 7 | Crylock, c95a1e69c436f8441838500169d2e7c4fe409ef3a9435d65e4f7afcf78a3efb2 8 | Crylock_hta, 177df15dda07f6757d6c49ec541b04442e8bcf5fe212e3250203e3509b5859ad 9 | Crylock_hta, 29e50270b7b49c904e098af08642dc77f1e8c188bf17e394fb6e34b19c6806e3 10 | Crylock_hta, 2c94631e902331f9d50372f802ad40c470d72ee61d512d8104a90f3d3ad60de2 11 | Crylock_hta, 3f5e37daede95ce8627214b098859df202810cfda0d49032424827c986aac2d7 12 | Crylock_hta, 4128e47fc6ad5f73aa150126d6d7d7cc5dc34a7868e10e7bcfae8ee85de3048d 13 | Crylock_hta, 4fa7f7c84f16854ce433070fe955b4b84de9b026bb4e0daa8d269766f0da8e99 14 | Crylock_hta, 52731dfc77f97aa91a4f4d50d3139041cb0b7a1134cdfbcca0b0d47c9c26a6ce 15 | Crylock_hta, 61fb9484c65cd0a17227f5985e85715ef4b931ceae5fdef0a9c9c6f5c9926561 16 | Crylock_hta, 6e874443af13b5b403ddaf3ccf44501f83d42cdf137528ec93df81fd35557097 17 | Crylock_hta, 6f90f4c7a28a615725e9fef028e193ca2975c29f136cfa1542028b567d600363 18 | Crylock_hta, 7e95db4dd92065c0b40990a5c657d0ac63e36ac0e21a32fae722bdc8d2a9b601 19 | Crylock_hta, 920ab53cd18571605b40ad786e9cbafd896cd3cbfec9bd9b2580d2a1f09b05b9 20 | Crylock_hta, a107bcdb97a93f26dd07db3f82b8cecf1eb8a6d372b0d2eed45dcc5ca8c2e45d 21 | Crylock_hta, a3a50580680c16cfec468573698a57966817e01d877da90868d5be570794e870 22 | Crylock_hta, 
a4e09188f72d79f1d62815f52d0a817687e9e5911fa2d855f325de0fdf0e7f83 23 | Crylock_hta, cb8b0572fff358624785e886de619a472eca7df4b90ad846e1960a7f2915e84c 24 | Crylock_hta, d6de3f3a1cbd9acef2fb25a65ad230d31588e65b9fcee66284b3e1a9939c78d3 25 | Crylock_hta, daa02c4b05af30cdc78871a4514caa013199826d69d5b27f13e6b3d475dda079 26 | Crylock_hta, df3d071918bf0498484e42403cf224cadf1df42a38b1fdfcee77d2901b605129 27 | Crylock_hta, e1271aed849eed7bcd5a847ba8332a7e90591ea810e7fab9748ffb7cc591a22a 28 | Crylock_hta, f8f26d20ed6aaf927e5cd84f029a1fbeaeda39d0188d61842fdb42bd2db2d773 29 | Crylock_hta, fbc20b3516f4c55a8ffd9316c3735c695e2d3219b18b02a5ba33bc1dc9aab7a6 30 | Crylock_hta, fe895e01b33517d395e48a1c56df28b7dc6a3c196b4a186a03d69fe4dbcfa333 31 | RAN_CryLock_Oct_2020_1, 44e594632e78515062e3902ca2f96e34aa35d7fce8801844da0688200366852e 32 | RAN_CryLock_Oct_2020_1, 81ab47474ad3de617c3d3bad2f38220fe8223dbb7e1a52ed3b2c9ad011a15644 33 | RAN_CryLock_Oct_2020_1, 8bd51f80484f98f2d71eb14c0f2084a97ee72d4cd6e51630106f682659a1f6b9 34 | RAN_CryLock_Oct_2020_1, add97b9f3a31ea9378c27967afd5a887ebdb369582179e92a7f62cb2188a7165 35 | RAN_CryLock_Oct_2020_1, d7ae3a2696e390b57c67a22cef9555656243682a19e2b941455030f40d6ffe94 36 | RAN_CryLock_Oct_2020_1, e001f6a5b2d4d2659b010fb5825eb4383e8f415861a244329bc70cfcd18da507 37 | CryLock_Search_Keys, 66772c2608d0114b7d45410462c5d1d77da791541dab8955f727b515a599ed75 38 | CryLock_Search_Keys_Zip, 217a4316fc00317a6b6bce3f1e21dba7701b7a83d0993019ebdf3185ab86ddb9 -------------------------------------------------------------------------------- /darkgate/extractor.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import base64 3 | import binascii 4 | import json 5 | import logging 6 | import magic 7 | import re 8 | import subprocess 9 | import tempfile 10 | import zlib 11 | 12 | CONFIG_ALPHABET_SPACER = bytes.fromhex("FF FF FF FF 40 00 00 00") 13 | CONFIG_ALPHABET_REGEX = re.compile( 14 | CONFIG_ALPHABET_SPACER 15 | + 
rb"([^\0]{64})\0{4}" 16 | + CONFIG_ALPHABET_SPACER 17 | + rb"([^\0]{64})\0{4}" 18 | ) 19 | PE_START_BYTES = bytes.fromhex("4D5A50000200000004000F00FFFF00") 20 | AU3_MAGIC_BYTES = b"AU3!EA06" 21 | PE_CHARACTERISTIC_STRING = b"__padoru__" 22 | REGEX_CONFIG_CANDIDATES = rb"[A-Za-z0-9+/=]{10,}" 23 | 24 | 25 | # ===================================================================== 26 | # Custom base64 decoding as implemented by rivitna: 27 | # https://github.com/rivitna/Malware2/blob/main/DarkGate/dg_dec_data.py 28 | def base64_decode_block(block, encode_table): 29 | if len(block) < 2: 30 | raise ValueError("Base64 decode error.") 31 | n = 0 32 | for i in range(4): 33 | n <<= 6 34 | if i < len(block): 35 | b = encode_table.find(block[i]) 36 | if b < 0: 37 | raise ValueError("Base64 invalid char (%02X)." % block[i]) 38 | n |= b 39 | 40 | dec_block = bytes([(n >> 16) & 0xFF, (n >> 8) & 0xFF]) 41 | if len(block) >= 4: 42 | dec_block += bytes([n & 0xFF]) 43 | 44 | return dec_block 45 | 46 | 47 | def base64_decode(data, encode_table): 48 | dec_data = b"" 49 | for block in (data[i : i + 4] for i in range(0, len(data), 4)): 50 | dec_data += base64_decode_block(block, encode_table) 51 | 52 | return dec_data 53 | 54 | 55 | # ===================================================================== 56 | 57 | 58 | class DarkGateUnpacker: 59 | def __init__(self, payload: bytes): 60 | self.payload = payload 61 | 62 | def unpack(self) -> bytes: 63 | raise NotImplementedError("Must be implemented by child class.") 64 | 65 | 66 | class DarkGateAU3Unpacker(DarkGateUnpacker): 67 | def _decrypt_payload(self, payload: bytes, xor_key: int) -> bytes: 68 | decoded = base64.b64decode(payload) 69 | decrypted = bytes(b ^ xor_key for b in decoded) 70 | return decrypted 71 | 72 | def _unpack_au3_payload_legacy(self) -> bytes: 73 | try: 74 | splitted = self.payload.split(b"|") 75 | xor_key = "a" + splitted[1][1:9].decode() 76 | final_xor_key = len(xor_key) 77 | for char in xor_key: 78 | final_xor_key 
^= ord(char) 79 | final_xor_key = ~final_xor_key 80 | final_xor_key &= 255 81 | payload = self._decrypt_payload(splitted[2], final_xor_key) 82 | return payload 83 | except UnicodeDecodeError: 84 | return None 85 | except binascii.Error: 86 | return None 87 | 88 | def _unpack_au3_payload_new(self) -> bytes: 89 | try: 90 | splitted = self.payload.split(b"|") 91 | key = splitted[1] 92 | sorted_key = bytes(sorted(key)) 93 | if ( 94 | len(splitted[1]) != 64 95 | or sorted_key 96 | != b"+0123456789=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 97 | ): 98 | logging.info("No usable custom base64 alphabet found in AU3 file.") 99 | return None 100 | else: 101 | logging.info(f"AU3 file uses custom base64 alphabet: {key.decode()}") 102 | return base64_decode(splitted[2], key) 103 | except binascii.Error: 104 | return None 105 | 106 | def _check_result(self, result: bytes) -> bool: 107 | return result.startswith(PE_START_BYTES) and PE_CHARACTERISTIC_STRING in result 108 | 109 | def unpack(self) -> bytes: 110 | payload = self._unpack_au3_payload_legacy() 111 | if payload and self._check_result(payload): 112 | return payload 113 | 114 | payload = self._unpack_au3_payload_new() 115 | if payload and self._check_result(payload): 116 | return payload 117 | 118 | return None 119 | 120 | 121 | class DarkGateMSIUnpacker(DarkGateUnpacker): 122 | def unpack(self) -> bytes: 123 | with tempfile.NamedTemporaryFile("wb") as f: 124 | f.write(self.payload) 125 | f.flush() 126 | try: 127 | bin_7z = subprocess.check_output(["which", "7z"]).decode().strip() 128 | return subprocess.check_output( 129 | [bin_7z, "e", "-so", f.name, "Binary.bz.WrappedSetupProgram"] 130 | ) 131 | 132 | except subprocess.CalledProcessError: 133 | logging.error("Unpacking of MSI file failed") 134 | return None 135 | 136 | 137 | class DarkGateCABUnpacker(DarkGateUnpacker): 138 | def unpack(self) -> bytes: 139 | with tempfile.NamedTemporaryFile("wb") as f: 140 | f.write(self.payload) 141 | f.flush() 142 | try: 143 
| bin_7z = subprocess.check_output(["which", "7z"]).decode().strip() 144 | return subprocess.check_output( 145 | f'{bin_7z} e -so {f.name} "*.au3"', shell=True 146 | ) 147 | except subprocess.CalledProcessError: 148 | logging.error("Unpacking of CAB file failed") 149 | return None 150 | 151 | 152 | class DarkGateRecursiveUnpacker(DarkGateUnpacker): 153 | def unpack(self) -> bytes: 154 | continue_unpacking = True 155 | while continue_unpacking: 156 | mime_type = magic.from_buffer(self.payload, mime=True) 157 | if "application/x-msi" in mime_type: 158 | logging.info(f"Found MSI payload. Trying to unpack.") 159 | self.payload = DarkGateMSIUnpacker(self.payload).unpack() 160 | continue_unpacking = self.payload is not None 161 | elif "application/vnd.ms-cab-compressed" in mime_type: 162 | logging.info(f"Found CAB payload. Trying to unpack.") 163 | self.payload = DarkGateCABUnpacker(self.payload).unpack() 164 | continue_unpacking = self.payload is not None 165 | elif "text/plain" in mime_type and AU3_MAGIC_BYTES in self.payload: 166 | logging.info(f"Found AU3 payload. Trying to unpack.") 167 | self.payload = DarkGateAU3Unpacker(self.payload).unpack() 168 | continue_unpacking = self.payload is not None 169 | elif ( 170 | "application/vnd.microsoft.portable-executable" in mime_type 171 | and self.payload.startswith(PE_START_BYTES) 172 | ): 173 | logging.info(f"Found PE file. 
Unpacking finished") 174 | return self.payload 175 | else: 176 | continue_unpacking = False 177 | return None 178 | 179 | 180 | class DarkGateConfigExtractor: 181 | def __init__(self, payload: bytes): 182 | self.payload = payload 183 | self.result = {} 184 | self.config_flag_mapping = { 185 | "0": "c2_port", 186 | "1": "startup_persistence", 187 | "2": "rootkit", 188 | "3": "anti_vm", 189 | "4": "min_disk", 190 | "5": "check_disk", 191 | "6": "anti_analysis", 192 | "7": "min_ram", 193 | "8": "check_ram", 194 | "9": "check_xeon", 195 | "10": "internal_mutex", 196 | "11": "crypter_rawstub", 197 | "12": "crypter_dll", 198 | "13": "crypter_au3", 199 | "15": "crypto_key", 200 | "16": "c2_ping_interval", 201 | "17": "anti_debug", 202 | "23": "username", 203 | } 204 | 205 | def _get_config_alphabets(self) -> tuple[bytes]: 206 | config_alphabet_match = CONFIG_ALPHABET_REGEX.search(self.payload) 207 | if config_alphabet_match: 208 | logging.info( 209 | f"Custom base64 alphabets for configuration extraction found: {config_alphabet_match.groups()}" 210 | ) 211 | return config_alphabet_match.groups() 212 | else: 213 | logging.info( 214 | "Could not find the custom base64 alphabets for configuration extraction." 
215 | ) 216 | return None, None 217 | 218 | def _decode_strings(self, alphabet: bytes): 219 | result = [] 220 | string_candidates = re.findall( 221 | rb"[" + re.escape(bytes(sorted(alphabet))) + rb"]{5,}", self.payload 222 | ) 223 | for s in string_candidates: 224 | try: 225 | # Try to decode each string candidate with each alphabet candidate 226 | decoded = base64_decode(s, alphabet).decode() 227 | decoded_length = len(decoded) 228 | ascii_length = len(decoded.encode("ascii", "ignore")) 229 | # Rather simple check to sort out garbage strings 230 | if decoded_length == ascii_length: 231 | result.append(decoded) 232 | except UnicodeDecodeError: 233 | pass 234 | except ValueError: 235 | pass 236 | self.result["strings"] = result 237 | 238 | def _parse_config_value(self, value: str) -> bool | int | str: 239 | if value == "No": 240 | return False 241 | elif value == "Yes": 242 | return True 243 | elif value.isnumeric(): 244 | return int(value) 245 | else: 246 | return value 247 | 248 | def _parse_config_string(self, value: str): 249 | for item in re.findall(r"(\d+)=(\w+)", value): 250 | if item[0] in self.config_flag_mapping: 251 | self.result[ 252 | self.config_flag_mapping[item[0]] 253 | ] = self._parse_config_value(item[1]) 254 | else: 255 | self.result[f"flag_{item[0]}"] = self._parse_config_value(item[1]) 256 | 257 | def _parse_c2_string(self, value: str): 258 | split_string = value.strip("\0").strip().split("|") 259 | if len(split_string) > 1: 260 | split_string.remove("") 261 | self.result["c2_servers"] = split_string 262 | 263 | def _decode_config(self, alphabet: bytes): 264 | for match in re.findall(REGEX_CONFIG_CANDIDATES, self.payload): 265 | try: 266 | decoded = base64_decode(match, alphabet) 267 | if re.match(rb"^https?:\/\/", decoded): 268 | self._parse_c2_string(decoded.decode()) 269 | continue 270 | elif b"1=Yes" in decoded or b"1=No" in decoded: 271 | self._parse_config_string(decoded.decode()) 272 | continue 273 | else: 274 | inflated = 
zlib.decompress(decoded).decode() 275 | if "1=Yes" in inflated or "1=No" in inflated: 276 | self._parse_config_string(inflated) 277 | except zlib.error: 278 | pass 279 | except ValueError: 280 | pass 281 | 282 | def extract(self) -> dict: 283 | string_alphabet, config_alphabet = self._get_config_alphabets() 284 | if string_alphabet: 285 | self._decode_strings(string_alphabet) 286 | if config_alphabet: 287 | self._decode_config(config_alphabet) 288 | return self.result 289 | 290 | 291 | if __name__ == "__main__": 292 | parser = argparse.ArgumentParser() 293 | parser.add_argument("file") 294 | parser.add_argument( 295 | "-s", 296 | "--strings", 297 | required=False, 298 | action="store_true", 299 | help="Output decrypted strings", 300 | ) 301 | parser.add_argument( 302 | "-d", 303 | "--debug", 304 | required=False, 305 | action="store_true", 306 | help="Provide debug log output", 307 | ) 308 | args = parser.parse_args() 309 | if args.debug: 310 | level = logging.INFO 311 | else: 312 | level = logging.ERROR 313 | logging.basicConfig(format="[%(levelname)s] %(message)s", level=level) 314 | logging.info("Starting Telekom Security DarkGate Extractor") 315 | with open(args.file, "rb") as f: 316 | result = DarkGateRecursiveUnpacker(f.read()).unpack() 317 | if result: 318 | config_result = DarkGateConfigExtractor(result).extract() 319 | if config_result: 320 | if not args.strings: 321 | config_result.pop("strings") 322 | print(json.dumps(config_result, sort_keys=True, indent=4)) 323 | else: 324 | logging.error("Failed to extract configuration.") 325 | else: 326 | logging.error("Could not find any usable payload.") 327 | -------------------------------------------------------------------------------- /darkgate/yara-rule-builder.py: -------------------------------------------------------------------------------- 1 | import base64 2 | 3 | print("""rule DarkGateAU3EmbeddedPEFile 4 | { 5 | strings:""") 6 | 7 | for xor_key in range(256): 8 | encoded = bytes(b ^ xor_key for b in 
bytes.fromhex("4D5A50000200000004000F00FFFF00")) 9 | b64 = base64.b64encode(encoded) 10 | print(f" $x{xor_key} = \"{b64.decode()}\"") 11 | 12 | print(""" $au3 = "AU3!EA06" 13 | 14 | condition: 15 | $au3 and 1 of ($x*) 16 | }""") 17 | 18 | -------------------------------------------------------------------------------- /defray777/vatet_loader.yar: -------------------------------------------------------------------------------- 1 | rule Vatet_Loader_Rufus_Backdoor : defray777 2 | { 3 | meta: 4 | author = "Thomas Barabosch, Deutsche Telekom Security" 5 | twitter = "https://twitter.com/DTCERT" 6 | date = "2022-03-18" 7 | description = "Detects backdoored Rufus with Vatet Loader of Defray777" 8 | reference1 = "https://github.com/pbatard/rufus" 9 | reference2 = "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777" 10 | sharing = "TLP:WHITE" 11 | hash_1 = "c9c1caae50459896a15dce30eaca91e49e875207054d98e32e16a3e203446569" 12 | hash_2 = "0cb8fc89541969304f3bf806e938452b36348bdd0280fc8f4e9221993e745334" 13 | in_memory = "False" 14 | strings: 15 | /* 16 | 0x4d0714 660FF8C1 psubb xmm0, xmm1 17 | 0x4d0718 660FEFC2 pxor xmm0, xmm2 18 | 0x4d071c 660FF8C1 psubb xmm0, xmm1 19 | */ 20 | $payload_decryption = { 66 0F F8 C1 66 0F EF C2 66 0F F8 C1 } 21 | $mz = "MZ" ascii 22 | $rufus = "https://rufus.ie/" ascii 23 | condition: 24 | $mz at 0 25 | and $payload_decryption 26 | and $rufus 27 | } 28 | -------------------------------------------------------------------------------- /flubot/README.md: -------------------------------------------------------------------------------- 1 | # Flubot / Teabot 2 | 3 | This repository contains analysis scripts, YARA rules, and additional IoCs related to the blog post [Flubot's Smishing Campaigns under the Microscope](https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368). 
4 | 5 | - `hashes.csv`: list of hashes of Flubot and Teabot as distributed by the Flubot botnet 6 | - `flubot.yar`: YARA rules to detect unpacked Flubot samples 7 | - `teabot.yar`: YARA rules to detect unpacked Teabot samples 8 | - `teabot_extractor.py`: extracts IOCs from unpacked Teabot samples 9 | -------------------------------------------------------------------------------- /flubot/flubot.yar: -------------------------------------------------------------------------------- 1 | rule android_flubot { 2 | meta: 3 | author = "Thomas Barabosch, Telekom Security" 4 | version = "20210720" 5 | description = "matches on dumped, decrypted V/DEX files of Flubot version > 4.2" 6 | sample = "37be18494cd03ea70a1fdd6270cef6e3" 7 | 8 | strings: 9 | $dex = "dex" 10 | $vdex = "vdex" 11 | $s1 = "LAYOUT_MANAGER_CONSTRUCTOR_SIGNATURE" 12 | $s2 = "java/net/HttpURLConnection;" 13 | $s3 = "java/security/spec/X509EncodedKeySpec;" 14 | $s4 = "MANUFACTURER" 15 | 16 | condition: 17 | ($dex at 0 or $vdex at 0) 18 | and 3 of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /flubot/hashes.csv: -------------------------------------------------------------------------------- 1 | 026abbabc7e1ecdfa116e5bc2cd9e9f9c17cf71b469d7a1c8d735bf2c31ff7b1 2 | 046314eb5923ce92c4dd22086c4a20c2a2773203227c6fbeabf77cf0c24bbc57 3 | 05266f18612466f947302db5b20ba9929043d3896370d38a89150bc911aad4b3 4 | 07313c8851c279c3216bc850c44a6643f7b600c78afaf45a1f466f675f97ebd3 5 | 087f2597d7baec74d1514e1dddfaa4a22b171836856b4112bd46b1883cd830b3 6 | 0a8376f04aae72697f1a88024161df0775f674b64d1de3fec4ff872e398ccd2c 7 | 0c687b1201b9c7c674f8681a5ee7fa6a71d4fdea1f33f213079582b52fb7c0f2 8 | 0c884136b8a4d334182f38ce6700dfb144f27fa5625ad2c0c147927a59ff873c 9 | 0cdb206d931374e1d4e6d9d642cd3a61efd9ffa9558499f0c130fad4ec912017 10 | 0fb4139504fb2eb18b2dfae51057baff9de6329522db1faff4be1b299a7378f0 11 | 102cc46d2f65bcb47158ad2ac24c97a3d776b48d3b9c20f1db0e5baab85a1d5b 12 | 
10c3fa203e6fa2a6da234a3e9f2b2ccfb82ab67682c380f8bf31b724fae8cb8f 13 | 1268494c2b17f2ca1a5a54e6f9d1a93134656c1be03d53edaf14bafe906adb0c 14 | 1296085fed5c19ff96e1b91c494f7fbebade1771c1d0f0830cd8f8668c037878 15 | 131657e4ca2019ecf8b7f4bde4394dc0a2125900622018e814de8d600c653f6d 16 | 16a342d3122635d5009fd9ee92979bd5e4f12347741cdf1d0764f732881873d5 17 | 170b369a5e5fa0a38d1b6c2067902b2bd8d76d0f09426c2b26e5635aefd51517 18 | 1ac46167b3e72d359a6b07a5aac17e51f6666ad90790fe6535b02f2081a429fe 19 | 1b5099177300f3cf061ed003753e8d1a0d6b2255296cd18e0ceb8543ea309fb0 20 | 1b5bc0a6a94bc093f4917e3f49249060199c6895abef21153ae630cfbf13da5b 21 | 1b789d9141273518f507a0d057fa922b853e53d25072b5dcee1c0f4c10661b4a 22 | 1e2fff30ca3feb1d0773c6b07e63d561a2b49df0427f52a1ff46c17ffe12217a 23 | 1e8e4b04085ae1948170aceb7be523d466947c86b8ba54113764fb023018a02b 24 | 1f969d1ff09a3f56dfcb769e96a70e124c1aaaea953dde8f7eeaed30e3386d97 25 | 2122c8ad93ba7c68dd3b71edeab7e62bf2cdddee3519e20a5039c07a2ff852a8 26 | 2397e5f759a8781a0ca6edf96ed53481a50906b179234453b9223901bf2698f0 27 | 23d27e3e9717d6795cf9c7e63c10e9fa71685df7d4e17463cee61fcf5e2a4d98 28 | 24052a0bc4341d83bed86c3031c6a1d8dc5916e8d274dba1b645a85c64daa992 29 | 25b41f00a0a402e18f75883bd2d7df432b51073eb21fda5383804e55c0ae271a 30 | 2a243282e47363f515a0bd02bc8b8941cd4a4da6318b1f6a5cdaafd7425c6c0b 31 | 2b786302ac5f43f8c48500c660185a20378e0746fabe17185fc12be38665a66e 32 | 2bf4a52957c46916ad42b227a9fbc68f663874dd7ab4665a2412221529c71986 33 | 2c594b98346f81570438af53bacc5da088aa7f0e6f7a40e1a4767a6b4d294d67 34 | 2d11192c7dc55d1cb3127cf8f6eb3d03a3d384db94d4cb4c5b54081cfe04fed1 35 | 2d71e96d578d0594baf1e3cb5eea3963e6228f097c7d58a5b081c8716290314a 36 | 2d7dbc1a54c91817dc19dd9bf31e8c5c4e8e8918a0a4770193c65a1cd5203e6c 37 | 2df471c6c8c697255b5c01cee1f1c29701fb047c38eab0e0554c7095b873e265 38 | 2e43062d0e753c21b62d1fc029947fe8ab916be2492fd2d0464b24a427712b34 39 | 2ec71b774240d640b6bdd48080742b833ce14fcaad7549902d189af84189149f 40 | 
2ec9d0511bf1998d5b024dc0ccf572759fe2818c0a262d7b8879737e17def9ee 41 | 315fbcd7efd373c21fa03a482b9979e546fb1af12f2a610fae614921183f74ce 42 | 319e119d6822fbd0dffddd3bd56291226960d5d4148f42fd6ed26ca276908977 43 | 31fda4d5e396349f26392c6e3598c9a57189d929303d9eed224390fb44b7a8c6 44 | 32cac2ffe7a53c446a91360f26fda41e0b75536689387bf2bc402ee8f143b862 45 | 3323c9e2c8aa7c0843a682a19698887b459e3aa1f1b04b3b565d23eced193b53 46 | 332c87f55ef4c8a06939f163d347b3b172f26767207c36de0fa91686b87870db 47 | 34005c490ac12d099e7f9c89f6d9e8a2ecc3cf510f63be4eea2c0a313a539e53 48 | 345486653132f462d157d8d51deadb0a46982facbade8df42700bbbb75c8f66b 49 | 34e21b6d4a008cd287bc137dff728f3ac79f74dd833f109ecdc351d679cb8b44 50 | 361aaa115df47a8a6419e8a989e8ec79ad3c3a2bace05bf906b879e7bee465b7 51 | 364ce8a4e48441226ac15a5c889712c5c5741f6e5a633f40be25aea85d147e4a 52 | 37389a513cf26d21326fa37bf160a63c6aad0fa1c4202c40f4b5bcdb300e9b19 53 | 3922aae748c4102a6c0194606c8138d18bc4632f4fbeb6e9b89aae98612dd95f 54 | 40ec0bf0f919d33f2eca9a005eeed484ae8004426bd9c1108642666bbc8e3c19 55 | 4241bef38fa974576626714bbea5a75c091e28c2745fc4379078e48bf7885e38 56 | 42bf2ab62b804f58bc3a1bd25158905b8a13a91ce1125f2c112c5cb2f1c0377c 57 | 452c6ab9b21070adfe70c21cc350c06ab4796d13690c4472a551d9f671fa61ab 58 | 4668c53a8db03c9476404cc54c67b6ee364058147cd31faf89acd5999b507d8c 59 | 4674e4df8dfab31e61e8ec7d99d01bd3c60ef62a9829aa0b53f398757ef9d5e0 60 | 475801c75a0db0f72ea44bca8a46ae42fcc1cc9e92f42436d73629422d7d7b62 61 | 47ce59a2594b3da70938636814ec0b4f37cdc9764f4786767f13b448f376987d 62 | 47fbce9bcd358e831bc0c5301e5ff9907a9491992958bbfe3b029b464cdc1a27 63 | 48857e7e8ed9f652f53e108e12e6907d4a9703091f6763046db51f11406ce360 64 | 48d8e17488bd0fdde9bc52d591a25ccb567f3f9e8d0622a88935ad0aabaf709d 65 | 494e709ad1a7fd17322fd12c262ee0b6b5f7a747eb1a0a4c3b5758578c7519ac 66 | 49c4d7f480f2850da73e167bb1e1cbcd368929c4ecf54d64b95ab2567b0d7f50 67 | 4a01754fc9b50399e88029e5c2603a49e4b069e8646e993e47488a615d05e1da 68 | 
4ab9c4cc01810b16d118bfd42d239ec992a77c9dc33b00f90bc021c3fe5dfd99 69 | 4d6eb7da7d8198e09dd47e573fa929859030c253b9630cff79183c9b779a75b4 70 | 4f7d13f070cc9f60673647251a676f4ac41ed6bc0645800bb5b2c09f1571c0f7 71 | 512f45cdbe7ab55efad6532306bbc2738c2ee2a51204f2a067d24c763c997fcf 72 | 53056aad79e665c08fc2c6a3a252a7178fe89aa6de9b573e213d7fff37fe218f 73 | 53721f5f5eb05250b7d7e599983dc34d2ea2061e8032d4be8fcf9693452757a3 74 | 544ce3fe61313cff9b52eb3ff6b2afa9b8fee45987e93875d8a393390c3ca95e 75 | 54529bf0ae1059083fe6c597e339c58abe2f34a0f294f97ba54ea8d9860320e8 76 | 55526655e9ef296dd01e7a27939c068d698f91038db027f7277a9d3687f8151b 77 | 56316ff23015b37ee60b7559419656ab3240c47a1bea43415b2ba71b65adb28b 78 | 56de750e82896ec68be63913ff2f9cc8a139343e29160da93136db341396a964 79 | 5702ddea1d3d38b1888aac65465e26c5ffc43c526faa8284957e87340c672884 80 | 583c0c0f5bfb9820a52ae34550aa5080223d9a877da0ad0f66b78fd31e016dda 81 | 590a14804553ad7819bc8c564597dd4dd19e926a4d0a5ebcee6aaaaf2cb5441d 82 | 5a448cc5b3b8aa5c7630c48b16aac13c865e11cf6beb32ec2f73f180b7ca5883 83 | 5ad31a076de1acfbd5496e9b6085d7a172c354d5439cc9414ff352ba7eff2133 84 | 5ae2a7089e6c87d6c3e75634f62ad6ccc07246f9cef3c55131f76f807c827df2 85 | 5af0e1b76102d340fa2eb6c737c56a920669cf97e4af8392f49bbca8578984c7 86 | 5b99baa3d8ae56a95a3026e67e144fabe4e7805626dbbd8d3bf1869ac95705f0 87 | 5c97c6e2e7a620029b4ee6c3ab195aeb9a9180f3f679bedc2a7d71db098d578b 88 | 5cf53a930b2cca2dfad3524bbf48092328350445c8d6db7b98677461107442e8 89 | 5ddade4582171e6bdefbcc4dbbbe092b4804607d8475810bf5361cf2817f78d9 90 | 5eff15b163c38a867f6e7a813d31d83ec24ce6a66ba33033d8cbf784bb91b4ee 91 | 61a7e9c5a677de6fad6001a5d2531e7d809745c87c4ae96c12615cac1e511673 92 | 642b7176d21b6769cf5bf0ddee83fda9ef4a067299f3491109395b4393979872 93 | 643c488bda596720b7b41a3f6933d7bc626ce4da4395897e1a385ddb6aab0de6 94 | 64f3fa40c4ec7d34653c246223c206bf0331b9fb703ded9e7a718c02d43d2bf3 95 | 65306a9970d16ade88f941dba9af0e5c90a92eb3436d4bc112e5604142c6351d 96 | 
666298211239b956df8f76a2e39fc2291bb48975e0df9d91c24bb8e4c8e0133a 97 | 67d580a27642789664f448b01fc9295da090d1a6f256cc83f5d059fa9050b723 98 | 6c29517e97a154b395b60ab6612a24cf55c7fb587d3cfba048f92ad14de458ef 99 | 6cf99a3fe69367abfb134edce8e1a9c84eb39bf76df3aa374ba66888b12d0f04 100 | 6f7bc4d69ef9f24a8a36537b399d272b80832bdbc09a15598ee03c71e6a1f86d 101 | 75f6420fd4c1b5899460bd09153dd0140fdfada06e076143ac5ea6d57b1598fb 102 | 76b6a21704a613e365f4d72bbdddadb9dea3d81116aba0e0f4a8b328202c473e 103 | 779035bdc414ea34569f9ec3bf6c0af604a7d0efa8133ce973d691f23bb6dd02 104 | 77b8ae7e38c8a14c8feba02494605b5752fc69dd0b674e90a35766852397eb0f 105 | 78cc8a4105ae8c4182f59847d31f11ae2024dc53314279afe679b58033e40aeb 106 | 7915a7a80dabd4d6507ad14db2dad3d2f31935d4ce3ac1efd61b28d4190c276f 107 | 7963722d42c2cb1cc1e088e33d2601ed4e153febcdc24aba2ad00b4341572ff8 108 | 79ac2f07681e9c40066066649eb48e8289bd059a19483b2aad1247cfd8c552df 109 | 7c011ce55be44f14411ae1d94ce4de3c00848c6884fd63d0beab5743dbd75f7a 110 | 7c05583e31bbaa3426f6d8f0dba15b144045376e98900858f2a074bd34bbe3cd 111 | 7db05d71f5d16c7d938ed2e631d9ef85b74e248c6b1c761c5d4e2d464f4d7f5f 112 | 7def45160947f208c1ef9d41631df67ca6caecf9c20493276d94c4120c5f0a81 113 | 7e6515ffc001ded719fb9b0075e590d8a0d7a8a3a7f5c2e634651eab995ed797 114 | 8146e743bdeccfe6f7fd6d446bdfc684ad22b25f239462ac47f64ed0866abac6 115 | 819a4399b7183996401e5f8ade385dec9a5432f706843dedfa0caa95f65680ef 116 | 81ced8659c26875c6a9bdcedcf0daa5bf385261b8ceb9c98a33f6d5898daced1 117 | 83c3f67c98f47914f5d61ee6c62a737f94384dcab9f27d504dd18f2eab18a0a8 118 | 83db1d61f0aeb5fe39d5fc490654fe22332853ce39cb2bdc0de2469c0a82ca47 119 | 866eda733efba0842e0ce6c923c8afb426365fdf518e6a95107cb91bd76fca80 120 | 87317e1ac9a16608d4f97fe2337fd1d790f2ffcf831f0c2e442ef0b91d88dabc 121 | 87a83b0e4258653b87dd086a2d4e06ca71e527ed17483a1e36c966d1f5de4a83 122 | 8873b1251c7d9665f557024720ea7bf9ba652ba3278ec27cf7d056b396cad45e 123 | 8a4d2cf1906d24f00696b4050404a49645a60b396da68c084fa3276886e9fc3b 124 | 
8aa364420a9286459cf65d10c62135a73fbd97529100f8cf5463dade39cd113d 125 | 8caad327f29e6482c0a794c3a3bfc74d70d02987b9b1a57b2c4a537d1775efdd 126 | 8cbfe82df6e92c2541dc8eddc611b6d47c7be4c1f346e084ccb15a2922da7e5a 127 | 8fefe68bf6fb237a00bb1c0e53ab4fa8decc8c9f336b32adc53c34b69aad298f 128 | 9424044cee4feca0808a0337cffbd5f521d890d7e63b878c7854b2616277c533 129 | 942c366d9f0c18d918789ca73af1e71f6cc42d9c8c252d826579f34f955fcff3 130 | 95b9ec937769c76c4516ba21ec6e8b685c6304bb4ee849396cf50039257fc2c5 131 | 9622bca8b7916de812002ea6af84d248185c51380f6fbd4f5bd877a52668332e 132 | 9650fe9543758c143c28855ce6e7c2c2a0895de63b17c04df451e2c192ec8097 133 | 98501ae9ba511d1adade90ed4ce3cd4b707f9a38cb727c3659c706a745cbbdbe 134 | 9893c3556be4038442890ac6320daa9e8f7ea4d5a7ed7c9effc5e5b34f46eb8d 135 | 9976c7cc2b9bd6d10b66eff2d49478752914433e8c5cee4797525ae46a7a1134 136 | 9ad5036a35be6a2fc313f91d84ba1fd8889226f52c0bdf4dfe2f5181aebfee68 137 | a18eb053b3a4043348017c9647ee4b2ff4ddcfe515ad96cd1964731900298075 138 | a1fabd7e2e4a03f4b4f0303b3efaacee91e4eab1f9492a1fa3a5c663a5cd03b5 139 | a3953a902ba6dd604f6da33c0dfb88fd504dfbc8e1d0bb23ba6ee9f77190b567 140 | a406fdc38815beedda8647baf11b1620c4c6dd122147d561fe8c08f78c3f4eb4 141 | a40e95c33722d2709cb07e8e1353e382e1ad214c89d419e08900cd7471992807 142 | a42b473d1fb70cd620d5f28026af5276abbabf7d79be6b7cad000eae3ecc5b23 143 | a4dd9423d70c68991678b86a79d1283804b5478cbdf797ca5d598e3f5921686b 144 | a5ac70869123aaaf221e87f8b4d4f89fe42186bde6a348c62a943a66f48695b0 145 | a7206c975d0e664db109d25f8eb26929a6fdd2770a32ee5f3b3c90f2f8933553 146 | a772535ed89caf1b3b016fae2b6e3c000d11b0ee5af97a66bccfc6c3d431fe4c 147 | a89f87f0d7baf4ec52f62eb65ce1b9b4630c6566e2df30f3ab371fa208cd241f 148 | a9692d2c90b414e00091c2b60f54392b214bc38a21f6a663853b1f121a8a860b 149 | ac793b361b95a4c5b8572f682bddf4497327c1dd565950838ac540ef59e57ca3 150 | ad0a43bcb7c6ae5f90c2dda0ab003aede92c7d79c4f1bc044466681c737eaf6a 151 | adc1cfb6b6fd8c7ce2b6cc4325f73dc0bf017567f1a35ec48de2c8e8caef0a91 152 | 
b2426ed3f2e41f3bfb04f18e470fc5337111ed58bf59b8073baa2477a376f0ef 153 | b26689bb0b94f5bd99b97174524684dc6f710add61606f03ad9eafdf187091d9 154 | b3d53c7eb0932852d615a93efb4673dde7d642730e8cb3246e68798f2e84e282 155 | b98c09affccf4325e1d6aeaa112d3a7de70b9b789d512efd614ae2d80afdfa87 156 | bbe57983ac30d953f8edef7f52919b986b29c2c54a4947a2357d1485d1257529 157 | bce03f7f9938e5122d9873a49c07578de6b76bb1f15cc1fd2aab62fd0df01062 158 | bd599137a992e67da2f75bfeb2d28d8a5e8713e86471054e891ba07b9ae53c08 159 | bd889272696244e9baa8322d6b7151873a121518969f3986020b623be4ccf0c1 160 | be14dc65cb8a3e9347292baa47ba5d63699326422676d6d78d75a4d9410cf0e9 161 | bf2370029e23dcd6138c34459e928c1a52d41e45cf6a9d2b04e010b25f1d09ed 162 | c1a3c335cd10c2dd20089673da5ae379f4b3e6b060766a6ab2021e0d110c31d6 163 | c225b978b9a37529737a1b0d90bf6cfcfe15114e1641f913ea9f25a7bed29da4 164 | c38220a424bc6cfa279897e52f1cc4a93fb5b0166757f527caca54c45763a879 165 | c6e8d505deb02e732283bbde2f313363cbb7d471d496b4bc8a6c560ec9c7c980 166 | c7040260331cadec8f02e3aade1de492280b0801a4afe0d14c9c3463b901a82d 167 | c7ef89fbc8b3925e25ffeb9b8a9c858c1fb0ac953d5c260f2012cafaf9d63146 168 | c896ef95c8e88a638b3d1009df1c2113ccb40cc4f4f4ca6a80e37f5de9512fab 169 | c8bc9fb459a566a0d85f129b5589f0f65cbea746c597c67519db06cf967e8fb7 170 | c90f78d980755ebfe3fbbb7412857fd855ccfd811fbb412e454b131db2a01c57 171 | c9bdad6e1fe02eb92f12228404ff175ff89f99580ffcad5aa5e3118eac611371 172 | c9f54823b4a63a93a5fbf3ced64e7a587a160ca43b9e8fefa2dcb94a6910ba72 173 | cc81b4972c938d19a9f75d94aa38476bc843880e0fe26c27feb9fbfda7d3049f 174 | cce5fc101870ba7aaf184ba53f01bad874f09e08f4bb9c4fe2b01328cecfa418 175 | cd15acf767fd484c10fd89f3a74ae1b98f0e53e1dda9a37d6a992942a240f7ee 176 | cda1e618f1f4568fd9c99f782b23743d8123fca7a5e5efe12aff1ab8bdb7314f 177 | ced8819f6a4312a3e223af4574b97faeed8a0179f99754a1c58ce089103eb630 178 | cf6605fc3ec64039144aa868087274927c6678ac6fc16889f6cf94edafa3df1b 179 | d0ef193425eed59dbc3ab1cb4743d7db65d020f39ce2b3fe5a3696a094c8c7b3 180 | 
d34c1fb113e2cbd51fbfd2006964cddf613675952c6d171818285e5aaff2c195 181 | d4418dc2079f342ecba366894cb2e821959dc596111cc6b0206ae84bc2b966d2 182 | d48e84408a6b0d41465ceea29c35392dbbd5ee784e5366ec890f712ac08388c8 183 | d6e6f1667b595d365d77b9cadbfa62947bc69749286e76a9ff4a267467ce3036 184 | d72603c35bca3a95fad9ecfce3910f85d19a551d6208b155f7c15154f5cc70c3 185 | d776361380485da4e20735e9ffd1f4d1663c715b35ab2d67e14461cb8545d053 186 | d7c9f2604a82ba8f48af640c891271bd7baf49b978e43f9ec45bec84394f7816 187 | d8b9b202e072b8810d3f3baf726354cc5c2ca1a6f65a4ba0b2b8372a97e1d549 188 | db315613b2ff2d507ba4a58d1d975e3608770bb0ab5d0bc7d46f40fbd8b3f879 189 | dcae059b367e63d3b46c2914240546a97d5681cad350169025f91978a915ed11 190 | dd2e5cff6b2b79a73204deabf116108fc4a710236f5afca23aa1c8f1f488aa9f 191 | de0e356168d833e35c5b76b2fb9aa30edd1c8f04accbf2baeddfd7cb7366a299 192 | df7c9d3f021680d8783768333feed2ed5f420943b02852983ee4360d009f974a 193 | df9e4d5df355720092bcbd3aba08c4684281667ed8f78576f1a24fe542da858c 194 | e0047e50dc93416b38a5fb8ad804a7635d83ac7764c190167ec64d0a41e316d8 195 | e210359454247feab14dcfebd6b48a6c94941d5499f1f602c504602ca67e48ab 196 | e86808b3cf20576b4a146ffe472032a71dec2265e4ed42420973769c2e72ed8e 197 | e8a43c5e38057691c26245e78fcf8f2b23e744f728011f4736c78e41386a6c2e 198 | e9e423a6a6782fc943ec86174566f647e6b05a009f339323756e50acd19bc501 199 | ec4431b4167924c0e6c49d534c80e50b1703540ff5cdaa6c04c84106c1c4bb78 200 | eeb03fcee489aa844a4b4ec2d968774226b6cfbb9d48f48bb768841c4184ff18 201 | efee244f9a705ff50001e48fb5a7b0c305166bfc6ca958d5247debe4ca355e51 202 | f0bb291f879f655be581b31e4765863d57242617974b76febd454edb55bb1f07 203 | f1ba253daa0e0a40f3c52d6110beba72269c76ce8edc412fe1dd42d58dd7351f 204 | f1cd5f3dee75964f1e015279c8bfdac524cc182301fdaf5bbacc8f53bbba575c 205 | f1ed129959743a986f15ab66ce4a3ff21254af56b329da31bb5e004e65dc1927 206 | f2061bf6ae1812c9696cc6767693167f2f70ffcd186aa1153debdddb0a8df47c 207 | f221e0a73ac6e3099d39f3e5dfb552f0ed9f94d975119b0b5e8d96ede6415539 208 | 
f4b75b5662413612a488823fa322c4026693bdded10c086e812f85e060ef3f97 209 | f4e08eb00b3ed95a28793fbd3cee058dbf14e12ac7650c10079ec452489f7700 210 | f6e75cde8816b8c04cdfcfc4f980045f5001ba530f703ab7000f46299b759fa7 211 | f7279b7a17f79975727b4de727db23dd2bca1b82ab2273d7b95a669a2bac0048 212 | fac0baad36155ccd2e9c2fe2f421d2b3ef6a1ba80410bbc864dfe67290e856ac 213 | fb45f15598f987fab3eb961ebd389d95d36e63fe44e48a78e095d14e4bbb6b0f 214 | fb58c52cc609118104eb190de3a71172c32f2939d9f31dc5e98df1577230e549 215 | fc45b5f85cee56830a9f7e3001dca42026a9691445afa8f429b57203fc47a1b2 216 | fc476eb7aa42930efd37c4cb1b4fa91d7e7eda025c238da9d0517b6397167fa3 217 | fc870aa6c7e9e73b311e492fb8692ae08ca7c14ef3732867db6d839ee66458a7 218 | fd5571d521f394301a767ff4b7ee346310dc7c6bc874d5079244f85935088d7c 219 | fe05d8e7150361f1c154fbdd7ef5254226c16f0bb39b02d66626274ec4b9ba4d 220 | -------------------------------------------------------------------------------- /flubot/teabot.yar: -------------------------------------------------------------------------------- 1 | rule android_teabot { 2 | meta: 3 | author = "Thomas Barabosch, Telekom Security" 4 | version = "20210819" 5 | description = "matches on dumped, decrypted V/DEX files of Teabot" 6 | sample = "37be18494cd03ea70a1fdd6270cef6e3" 7 | 8 | strings: 9 | $dex = "dex" 10 | $vdex = "vdex" 11 | $s1 = "ERR 404: Unsupported device" 12 | $s2 = "Opening inject" 13 | $s3 = "Prevented samsung power off" 14 | $s4 = "com.huawei.appmarket" 15 | $s5 = "kill_bot" 16 | $s6 = "kloger:" 17 | $s7 = "logged_sms" 18 | $s8 = "xiaomi_autostart" 19 | 20 | condition: 21 | ($dex at 0 or $vdex at 0) 22 | and 6 of ($s*) 23 | } 24 | -------------------------------------------------------------------------------- /flubot/teabot_extractor.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import hashlib 3 | import json 4 | 5 | from androguard.misc import AnalyzeDex 6 | 7 | BLACKLIST_URLS = ['https://www.googleapis.com/auth/games', 8 
| 'https://plus.google.com/' 9 | ] 10 | 11 | 12 | def store_config(config, sample_path): 13 | if sample_path.endswith('classes.dex'): 14 | sample_path = sample_path.replace('classes.dex', 'teabot_config.json') 15 | else: 16 | sample_path = sample_path + '_teabot_config.json' 17 | 18 | with open(sample_path, 'w') as fp: 19 | json.dump(config, fp) 20 | 21 | 22 | def is_blacklisted_url(s): 23 | for d in BLACKLIST_URLS: 24 | if d == s: 25 | return True 26 | return False 27 | 28 | 29 | def get_sha256(dex_file): 30 | sha256_hash = hashlib.sha256() 31 | with open(dex_file, "rb") as f: 32 | for byte_block in iter(lambda: f.read(4096), b""): 33 | sha256_hash.update(byte_block) 34 | return sha256_hash.hexdigest() 35 | 36 | 37 | def extract(dex_file): 38 | print("Extracting config...") 39 | hash_sha256 = get_sha256(dex_file) 40 | config = {"sha256": hash_sha256} 41 | 42 | print('Analyzing Dex...') 43 | h, d_dalvik, dx_analysis = AnalyzeDex(dex_file) 44 | all_strings = [x.get_value() for x in dx_analysis.find_strings()] 45 | print(f'Found {len(all_strings)} strings.') 46 | 47 | if 'kill_bot' not in all_strings: 48 | print('Not Teabot, aborting') 49 | return {} 50 | 51 | cc_urls = [] 52 | for s in all_strings: 53 | if s.startswith('http') and not is_blacklisted_url(s): 54 | print(f'Found possible CC URL: {s}') 55 | cc_urls.append(str(s)) 56 | 57 | if cc_urls: 58 | config['cc_urls'] = cc_urls 59 | 60 | return config 61 | 62 | 63 | sample = sys.argv[1] 64 | config = extract(sample) 65 | if config: 66 | print(config) 67 | store_config(config, sample) 68 | -------------------------------------------------------------------------------- /hacktools/hacktools.yar: -------------------------------------------------------------------------------- 1 | rule rdp_enable_multiple_sessions: capability hacktool 2 | { 3 | meta: 4 | author = "Thomas Barabosch, Deutsche Telekom Security" 5 | description = "Enable RDP/Multiple User Sessions" 6 | date = "2022-01-14" 7 | reference = 
"https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager-fdenytsconnections" 8 | reference2 = "https://serverfault.com/questions/822503/enable-rdp-for-multiple-sessions-command-line-option" 9 | strings: 10 | $a = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" ascii wide 11 | $b = "fDenyTSConnections" ascii wide 12 | $c = "fSingleSessionPerUser" ascii wide 13 | condition: 14 | ($a and $b) or ($a and $c) 15 | } 16 | 17 | rule rdp_change_port_number: capability hacktool 18 | { 19 | meta: 20 | author = "Thomas Barabosch, Deutsche Telekom Security" 21 | description = "Change RDP port number" 22 | date = "2022-01-14" 23 | reference = "https://helgeklein.com/blog/programmatically-determining-terminal-server-mode-on-windows-server-2008/" 24 | strings: 25 | $a = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" ascii wide 26 | $b = "PortNumber" 27 | condition: 28 | all of them 29 | } 30 | 31 | rule allow_rdp_session_without_password: capability hacktool 32 | { 33 | meta: 34 | author = "Thomas Barabosch, Deutsche Telekom Security" 35 | description = "Remote Desktop Connection without password, e.g. 
seen in SDBBot / TA505. Matches only the bare registry value name, so it also fires on legitimate admin tooling, GPO scripts and documentation; use it as a hunting/triage lead, not a blocking detection" 36 | date = "2022-01-14" 37 | reference = "https://www.speedguide.net/faq/how-to-connect-using-remote-desktop-without-a-password-435" 38 | strings: 39 | $a = "LimitBlankPasswordUse" ascii wide 40 | condition: 41 | $a 42 | } 43 | 44 | rule get_windows_proxy_configuration: capability hacktool 45 | { 46 | meta: 47 | author = "Thomas Barabosch, Deutsche Telekom Security" 48 | description = "Queries Windows Registry for proxy configuration (WinINet settings key plus ProxyEnable/ProxyServer). Plenty of benign networking software does the same, so treat a hit as a capability tag, not a malware verdict" 49 | date = "2022-01-14" 50 | reference = "https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-ie-clientnetworkprotocolimplementation-hklmproxyserver" 51 | strings: 52 | $a = "Software\\Microsoft\\Windows\\Currentversion\\Internet Settings" ascii wide 53 | $b = "ProxyEnable" ascii wide 54 | $c = "ProxyServer" ascii wide 55 | condition: 56 | all of them 57 | } 58 | 59 | rule cn_utf8_windows_terminal: capability hacktool 60 | { 61 | meta: 62 | author = "Thomas Barabosch, Deutsche Telekom Security" 63 | description = "This is a (dirty) hack to display UTF-8 on Windows command prompt." 
64 | date = "2022-01-14" 65 | reference = "https://dev.to/mattn/please-stop-hack-chcp-65001-27db" 66 | reference2 = "https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" 67 | strings: 68 | $a = " chcp 65001 " ascii wide 69 | condition: 70 | $a 71 | } 72 | 73 | rule potential_termserv_dll_replacement: capability hacktool 74 | { 75 | meta: 76 | author = "Thomas Barabosch, Deutsche Telekom Security" 77 | description = "References termsrv.dll (the matched string), which tools that patch or replace it to allow multiple concurrent RDP sessions contain. The bare file name also appears in benign administrative scripts and Windows components, so treat this as a hunting lead, not a standalone detection" 78 | date = "2022-01-14" 79 | reference = "https://www.mysysadmintips.com/windows/clients/545-multiple-rdp-remote-desktop-sessions-in-windows-10" 80 | strings: 81 | $a = "termsrv.dll" ascii wide 82 | condition: 83 | $a 84 | } 85 | -------------------------------------------------------------------------------- /icedid/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Deutsche Telekom Security GmbH 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /icedid/README.md: -------------------------------------------------------------------------------- 1 | # icedid_analysis 2 | This repository contains analysis scripts, YARA rules, and additional IoCs related to the blog post [Let’s set ice on fire: Hunting and detecting IcedID infections](https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240). 3 | 4 | - `icedid_20210507.yar`: several YARA rules to detect (binary) components of IcedID's infection chain 5 | - `decrypt_strings_ida.py`: example implementation of core string decryption of 2021 IcedID samples using IDAPython / IDA Pro 7.6 (the string offset and round-key constants are taken from one sample and must be re-derived per build) 6 | - `compute_botid_and_regkeys.py`: computes the bot ID and the account-specific registry keys of IcedID's global storage from a local account SID passed as positional argument 7 | - `icedid_hashes.csv`: list of SHA-256 hashes (one `rule_name, sha256` pair per line) that match the rules from `icedid_20210507.yar`. Note that the CSV labels the core component hashes `win_iceid_main_202104` and `win_iceid_main_ldr_202104`, whereas the rule file names those rules `win_iceid_core_202104` and `win_iceid_core_ldr_202104`; map the names accordingly when ingesting the list 8 | -------------------------------------------------------------------------------- /icedid/compute_botid_and_regkeys.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import hashlib 3 | import struct 4 | from malduck.bits import ror 5 | 6 | 7 | def change_endian_of_str(s): 8 | if len(s) == 8: 9 | return s[6:] + s[4:6] + s[2:4] + s[:2] 10 | elif len(s) == 12: 11 | return s[2:4] + s[:2] + s[10:] + s[8:10] + s[6:8] + s[4:6] 12 | else: 13 | return s[2:] + s[:2] 14 | 15 | 16 | def build_reg_key_guid(h): 17 | # {%0.8X-%0.4X-%0.4X-%0.4X-%0.4X%0.8X} 18 | return '{' + 
f'{change_endian_of_str(h[:8])}-{change_endian_of_str(h[8:12])}-{change_endian_of_str(h[12:16])}-{change_endian_of_str(h[16:20])}-{change_endian_of_str(h[20:])}' + '}' 19 | 20 | 21 | def compute_registry_key(key_name, bot_id): 22 | temp_key = 0x0 23 | for c in key_name: 24 | temp_key = (ord(c) + ror(temp_key, 0xD)) & 0xFFFFFFFF 25 | 26 | xored_bot_id = temp_key ^ bot_id 27 | 28 | md5 = hashlib.md5(key_name.encode()) 29 | md5.update(struct.pack("I", xored_bot_id)) 30 | hashed_key_name = md5.hexdigest().upper() 31 | final_reg_key = build_reg_key_guid(hashed_key_name) 32 | return final_reg_key 33 | 34 | 35 | def fnv32a(string): 36 | hval = 0x811c9dc5 37 | fnv_32_prime = 0x01000193 38 | uint32_max = 2 ** 32 39 | for s in string: 40 | hval = hval ^ ord(s) 41 | hval = (hval * fnv_32_prime) % uint32_max 42 | return hval 43 | 44 | 45 | def compute_bot_id(sid, second_value): 46 | tmp = fnv32a(sid) ^ 0x87EA50BD 47 | bot_id = struct.unpack(">I", struct.pack(">I", tmp))[0] 48 | bot_id_negated = ~tmp + (1 << 32) 49 | return bot_id, bot_id_negated 50 | 51 | 52 | def parse_args(): 53 | parser = argparse.ArgumentParser() 54 | parser.add_argument("SID", 55 | help="SID of local account, e.g. 
S-1-5-21-1984500107-304187221-49949575") 56 | args = parser.parse_args() 57 | return args 58 | 59 | 60 | def main(): 61 | args = parse_args() 62 | second_value = b'\x91\x06\x2d\x3c' 63 | bot_id = compute_bot_id(args.sid, second_value) 64 | print(f'The bot id for SID {args.sid} is {hex(bot_id[0])} and {hex(bot_id[1])} (negated)') 65 | 66 | # hardcoded in binary, future update maybe required 67 | REGISTRY_KEYS = ["{0ccac395-7d1d-4641-913a-7558812ddea2}", 68 | "{d65f4087-1de4-4175-bbc8-f27a1d070723}", 69 | "{e3f38493-f850-4c6e-a48e-1b5c1f4dd35f}"] 70 | 71 | for k in REGISTRY_KEYS: 72 | print(k, '=>', compute_registry_key(k, bot_id[1])) 73 | 74 | 75 | if __name__ == '__main__': 76 | main() 77 | -------------------------------------------------------------------------------- /icedid/decrypt_strings_ida.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | from malduck import xor 4 | from malduck.bits import rol, ror 5 | 6 | import ida_bytes 7 | 8 | 9 | def generate_round_key(seed): 10 | # .text:0000000180015B00 decrypt_string_shifting proc near ; CODE XREF: decrypt_string+65↑p 11 | # .text:0000000180015B00 ; sub_18000A56C+117↑p ... 
12 | # .text:0000000180015B00 lea eax, [rcx+2E59h] 13 | # .text:0000000180015B06 ror eax, 1 14 | # .text:0000000180015B08 ror eax, 1 15 | # .text:0000000180015B0A ror eax, 2 16 | # .text:0000000180015B0D xor eax, 151Dh 17 | # .text:0000000180015B12 rol eax, 2 18 | # .text:0000000180015B15 rol eax, 1 19 | # .text:0000000180015B17 retn 20 | # .text:0000000180015B17 decrypt_string_shifting endp 21 | eax = seed + 0x2E59 22 | eax = ror(eax, 1) 23 | eax = ror(eax, 1) 24 | eax = ror(eax, 2) 25 | eax = struct.unpack("I", xor(struct.pack("I", eax)[0:2], struct.pack("H", 0x151D)) + struct.pack("I", eax)[2:4])[0] 26 | eax = rol(eax, 2) 27 | eax = rol(eax, 1) 28 | return eax 29 | 30 | 31 | def decrypt_string(offset): 32 | b = ida_bytes.get_bytes(offset, 0x200) 33 | str_size = struct.unpack("H", xor(b[4:6], b[0:2]))[0] 34 | xor_key_index = 6 35 | decrypted_string = "" 36 | 37 | seed = ida_bytes.get_dword(offset) 38 | for current_offset in range(str_size): 39 | seed = generate_round_key(seed) 40 | current_dec_chr = b[xor_key_index] ^ (seed & 0xFF) 41 | xor_key_index += 1 42 | decrypted_string += chr(current_dec_chr) 43 | return decrypted_string 44 | 45 | 46 | # This is an example script that implements the core decryption 47 | # algorithm of 2021 IcedID samples. The string offset passed below and the constants 0x2E59 / 0x151D in generate_round_key are taken from one sample and must be re-derived per build. NOTE(review): the mirrored `lea eax` is a 32-bit write, so `seed + 0x2E59` should be masked with 0xFFFFFFFF before the rotates; and the "I"/"H" struct formats use host byte order, so "<I"/"<H" is needed for the XOR to hit the low 16 bits (as `xor eax, 151Dh` does) on any host. 
48 | print(decrypt_string(0x1800208B8)) 49 | -------------------------------------------------------------------------------- /icedid/icedid_20210507.yar: -------------------------------------------------------------------------------- 1 | rule fake_gzip_bokbot_202104 2 | { 3 | meta: 4 | author = "Thomas Barabosch, Telekom Security" 5 | date = "2021-04-20" 6 | description = "fake gzip provided by CC" 7 | strings: 8 | $gzip = {1f 8b 08 08 00 00 00 00 00 00 75 70 64 61 74 65} 9 | condition: 10 | $gzip at 0 11 | } 12 | 13 | 14 | rule win_iceid_gzip_ldr_202104 { 15 | meta: 16 | author = "Thomas Barabosch, Telekom Security" 17 | date = "2021-04-12" 18 | description = "2021 initial Bokbot / Icedid loader for fake GZIP payloads" 19 | strings: 20 | $internal_name = "loader_dll_64.dll" fullword 21 | 22 | $string0 = "_gat=" wide 23 | $string1 = "_ga=" wide 24 | $string2 = "_gid=" wide 25 | $string3 = "_u=" wide 26 | $string4 = "_io=" wide 27 | $string5 = "GetAdaptersInfo" fullword 28 | $string6 = "WINHTTP.dll" fullword 29 | $string7 = "DllRegisterServer" fullword 30 | $string8 = "PluginInit" fullword 31 | $string9 = "POST" wide fullword 32 | $string10 = "aws.amazon.com" wide fullword 33 | condition: 34 | uint16(0) == 0x5a4d and 35 | filesize < 5000KB and 36 | ( $internal_name or all of ($s*) ) 37 | or all of them 38 | } 39 | 40 | rule win_iceid_core_ldr_202104 { 41 | meta: 42 | author = "Thomas Barabosch, Telekom Security" 43 | date = "2021-04-13" 44 | description = "2021 loader for Bokbot / Icedid core (license.dat)" 45 | strings: 46 | $internal_name = "sadl_64.dll" fullword 47 | 48 | $string0 = "GetCommandLineA" fullword 49 | $string1 = "LoadLibraryA" fullword 50 | $string2 = "ProgramData" fullword 51 | $string3 = "SHLWAPI.dll" fullword 52 | $string4 = "SHGetFolderPathA" fullword 53 | $string5 = "DllRegisterServer" fullword 54 | $string6 = "update" fullword 55 | $string7 = "SHELL32.dll" fullword 56 | $string8 = "CreateThread" fullword 57 | condition: 58 | uint16(0) == 
0x5a4d and 59 | filesize < 5000KB and 60 | ( $internal_name and 5 of them ) 61 | or all of them 62 | } 63 | 64 | rule win_iceid_core_202104 { 65 | meta: 66 | author = "Thomas Barabosch, Telekom Security" 67 | date = "2021-04-12" 68 | description = "2021 Bokbot / Icedid core" 69 | strings: 70 | $internal_name = "fixed_loader64.dll" fullword 71 | 72 | $string0 = "mail_vault" wide fullword 73 | $string1 = "ie_reg" wide fullword 74 | $string2 = "outlook" wide fullword 75 | $string3 = "user_num" wide fullword 76 | $string4 = "cred" wide fullword 77 | $string5 = "Authorization: Basic" fullword 78 | $string6 = "VaultOpenVault" fullword 79 | $string7 = "sqlite3_free" fullword 80 | $string8 = "cookie.tar" fullword 81 | $string9 = "DllRegisterServer" fullword 82 | $string10 = "PT0S" wide 83 | condition: 84 | uint16(0) == 0x5a4d and 85 | filesize < 5000KB and 86 | ( $internal_name or all of ($s*) ) 87 | or all of them 88 | } 89 | -------------------------------------------------------------------------------- /icedid/icedid_hashes.csv: -------------------------------------------------------------------------------- 1 | fake_gzip_bokbot_202104, 1c1cfc1a591923c8d6de2bf11072c50e1f45ec56dcc5996dae22b5812715338e 2 | fake_gzip_bokbot_202104, 3049dd8e68561d2582413fa899184ee2d373cb4aff8522b943ddb594698ecdca 3 | fake_gzip_bokbot_202104, 3d1b525ec2ee887bbc387654f6ff6d88e41540b789ea124ce51fb5565e2b8830 4 | fake_gzip_bokbot_202104, 4a16934a0f9ed955209363ce28d458f5f35001dd08b5d8d9b6107a89cf974987 5 | fake_gzip_bokbot_202104, 7ed5f451dffde9f38425c92900ccc2ecb46f3f1aa2645451a1c38f7278da18d6 6 | fake_gzip_bokbot_202104, 91cf231431ef2cc4defc4f1ad3d149c665acc317c4a89e0188f32df259b63cef 7 | fake_gzip_bokbot_202104, a20aa44c39c838a4084a5260450334c2a5d094bdc7d8d0da5eb85bb35b7917c6 8 | fake_gzip_bokbot_202104, c8ca58a0025a7ab633a35fe6e98943c9053ca49b18de55f8b57c8ea7c88e8eb0 9 | fake_gzip_bokbot_202104, f90ddca891da06aece3acf7e63070b4cb7d2c5acc0e52ad73b23ae795befd237 10 | fake_gzip_bokbot_202104, 
fd21b0c2b3d993cad363f5f68306d46cf06c81af324ec6db79fce49225209650 11 | win_iceid_gzip_ldr_202104, 02f481473dd9ad62738530eb89a3148dde67fdd9bbcc1d8f76138f362d0dadaf 12 | win_iceid_gzip_ldr_202104, 08b8d6ac8d2730db28376e60c0554ef9ce49bfc0cedf685c25fc983f835c6a20 13 | win_iceid_gzip_ldr_202104, 0cf3f34cc5124a74b0cac393b7e7afe307933852a153363d48394d595c5af85f 14 | win_iceid_gzip_ldr_202104, 12b0c054d81fc31e992a95b43926c1aaa759304d25981169c89c5ad657456ff7 15 | win_iceid_gzip_ldr_202104, 14fa116c352ce2322b33e6d038d3a5a0dbee160734d51e1746116139df696209 16 | win_iceid_gzip_ldr_202104, 166cea1761e6b4670a84a1b774e15217cd1b751de27a8c8215adcc6c522d4e3f 17 | win_iceid_gzip_ldr_202104, 194e51acedd4023df2a6c7fd9fd8f7910f1347e85dc61a4052915a002f797290 18 | win_iceid_gzip_ldr_202104, 19cd3f40017c48e9852b79e297c7bbafa87c4020c33e7b6a6fc769dfbe965f2d 19 | win_iceid_gzip_ldr_202104, 1ad161628f05b5dd90209f95b3081e92ed1f92c7b52267fae60d1e646516cf34 20 | win_iceid_gzip_ldr_202104, 1ba983d6eae52057fc30293a7f9c7db85ed2888ef7786b3e6704ed422831d024 21 | win_iceid_gzip_ldr_202104, 27879a3f0713aeaf921a6fe18a7a287c86e4a8aa92bd21f4b204b1bbf9ecd03a 22 | win_iceid_gzip_ldr_202104, 2a378c4d4badf2f2cafdbd02d6facc5596c15de8ebde6a8e18d5f6f93cd3d6a3 23 | win_iceid_gzip_ldr_202104, 3dc3678b2affcae25751a13c8d9cb4c741d04a130d989e416810862bb7bb2251 24 | win_iceid_gzip_ldr_202104, 50883bf80b3a6f357f112caf09b0be461a23f5c0c38810548fdc08345606e4fb 25 | win_iceid_gzip_ldr_202104, 50d9a3055e3260d51df8eca46c955b2cbf197830960df04cc9737bb34ab2395c 26 | win_iceid_gzip_ldr_202104, 512bf1fbe3f70f927e8dd96c36aba66a0278ab1e2c35d8452c5229f64e5a2ded 27 | win_iceid_gzip_ldr_202104, 66050a629a11e637841d5fe8a967bf383f59283d7df3897ade3aabfa5b62d984 28 | win_iceid_gzip_ldr_202104, 7459e88626a90b52c3392a14734d00a5238edbf13c61907f39326df2d4c3f922 29 | win_iceid_gzip_ldr_202104, 78d1e981d0bbab1ba77ce030cdf8dda1a73ae1f86dd2e3fff1bf0f9ceb03482e 30 | win_iceid_gzip_ldr_202104, 
7d5b21b66c42342b549da82ee665ec25f8feb86d9645ddb97eab8687491bd43f 31 | win_iceid_gzip_ldr_202104, 8286462829309c3b7c759d9f924c092f321c57ddbe35bf5683891032f3792d10 32 | win_iceid_gzip_ldr_202104, 8546fadd4beefeb13d1e3e338933fcfdad22f5bd0ca545504a07ecbde404b758 33 | win_iceid_gzip_ldr_202104, 89045a2f280f7b515542d67911f4f247cf2d2c032d3fa148c6afb8010f5dfb26 34 | win_iceid_gzip_ldr_202104, 8ba1e5eee3a0264e8ff37c37e28f7d37d02ec4fe7ba21a1c643e0d978289888c 35 | win_iceid_gzip_ldr_202104, 9324339e67c823c03c341b8e82da4fe0812f30d048c912123843456e452859eb 36 | win_iceid_gzip_ldr_202104, b267b4e8c07669d786603338f61d1db9b6aea67e54e50d40c800963f7c054e9b 37 | win_iceid_gzip_ldr_202104, b2e12b7a8bd7a8a3eac900d5410ac1a0c0eef7fb54863bd9e0fb6417841e29db 38 | win_iceid_gzip_ldr_202104, b439dba49bbfb1abfad780b8f7a76bf13105b89d506522f01986d0e4202ddb2c 39 | win_iceid_gzip_ldr_202104, b7623a9e1ef71dc167d64fcb8c6cc3140387e255c8ea5b088f363502d64741bb 40 | win_iceid_gzip_ldr_202104, bbd624494360e61ef69c945cd81fc4c168b43385d8f238773cf841eb18e21fdc 41 | win_iceid_gzip_ldr_202104, c335351be995d99cd1980392ea620e187f786d3a7bba31ffc6e6f27689b11a95 42 | win_iceid_gzip_ldr_202104, c9385387cd3c85c17d093f4d7e5ae5850316aa09c66beaef620b946bb159e563 43 | win_iceid_gzip_ldr_202104, c986329a0c07b43db84de9551bde7d7e12faf7af61fd09c1ea2d70344b5120bc 44 | win_iceid_gzip_ldr_202104, cc9c6154dcc1b64c6eea577f48f7611064e82a9dc03817a2adb936286d604a7f 45 | win_iceid_gzip_ldr_202104, d00bfb0c585d842113b85d03a479c632a2c76a23ad1121cf6e55f573ce1fbd11 46 | win_iceid_gzip_ldr_202104, db999c0d62d4fc529d560c578ae1a73ac12d02f4cb3ae89795e12e847b691613 47 | win_iceid_gzip_ldr_202104, fad1544e9907cf6ececb0cd9b7dea61e8e7b695cf214af012d8ecad891973879 48 | win_iceid_gzip_ldr_202104, fceccdeff5ec46186dfaf138f3aaf3d0e26b2f845b6345b3f19bca2130d951b5 49 | win_iceid_gzip_ldr_202104, fe4e4be9e24350dff811410ed7e0d87d14b3f3595b7fd1ea7f4be23dc04d6904 50 | win_iceid_main_202104, 
21b1a635db2723266af4b46539f67253171399830102167c607c6dbf83d6d41c 51 | win_iceid_main_202104, 229b4330fcb185781ded70e6c1206fd12475dc6e113b97bf7e78bf8a230cc318 52 | win_iceid_main_202104, 5dcbb03420e7d6224c4a4e6ac3993d08548cbedf43385988832eb9ae281abf31 53 | win_iceid_main_202104, 66b6a55b67c0201a02dbdc4a2ef3c3f2d57aaadbbefa61c1bcdb59b96fb86743 54 | win_iceid_main_202104, 6cb407bedcc0fb43c5593985a704c9a51066a853eb1b5f2a037d04144185d849 55 | win_iceid_main_202104, af0ac4120929fe98f90d419f3f4ee4a987d021946d070b6c55196b05a14cd1e6 56 | win_iceid_main_202104, b41073e0e1359485456fda28b5157e13af3889a9ee2710d7c6975d36ecc61905 57 | win_iceid_main_202104, b7190de447a0310bfa97789d26a0a8ee2fed2851934bcc3f2806eddbd28bcac0 58 | win_iceid_main_202104, d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5 59 | win_iceid_main_202104, d5d5958e21d6fb51e8afa634dda92e7ea3b208108348f8ff8fa8ec7c4fc2df8b 60 | win_iceid_main_202104, de92f36de5436bf92381ac9774fe7c9ad169e70757ffcbc5b453515a06d740c9 61 | win_iceid_main_ldr_202104, 0699184d4a3898a38c8bb31b782bb0125d8dba00d587e11a58b0dc0b5ceaa9cd 62 | win_iceid_main_ldr_202104, 083bce0f0881318063812bd997886b79403b198cc770788dea2f32b6eb4a42ff 63 | win_iceid_main_ldr_202104, 0be8d10ce9fbcbb4e33b71ceec1ba116f361c37f710d32f653c55719da2ccf5f 64 | win_iceid_main_ldr_202104, 1539e7dbf80a7bc4e5a453fe977ee5884c151986a2983958ec0c5f4e0d948f4f 65 | win_iceid_main_ldr_202104, 178081cade2e91a235537e12eaa02f673c3f1e9032881d81b74dd65530ec0bb3 66 | win_iceid_main_ldr_202104, 1ff89548a9276710535977ca303d1172c3c23fdc0ac1e21628a5d1593ad99781 67 | win_iceid_main_ldr_202104, 275ee779844c74c5c7e6d81fdb2e239acb5cdaaae6a049b3352adce09314c3c8 68 | win_iceid_main_ldr_202104, 27dee6f82918479ee2ee60a214bcef0bc9cd9a24193cd9b6281752fa0ff728cb 69 | win_iceid_main_ldr_202104, 28465e697071f60f2745437ce6bf7be4a7815cbb0c15f730fc64592c8e71a3ef 70 | win_iceid_main_ldr_202104, 29dd16e8dc3c855562172aebb910e8e56e5c25eacd5ba3e4f310bc6a00520d75 71 | win_iceid_main_ldr_202104, 
2b390d828ad9c35230fa0ef90baa958d3d16620d9313bf20f55ca2c7052a3ea8 72 | win_iceid_main_ldr_202104, 2c72cbe7352624c48e2b915b6cea3c5438cd202a28daecb27aded30edefc63c5 73 | win_iceid_main_ldr_202104, 2cc01933d2a4542821a1400e5ddd61bd8678d4ee0933817d6abbbd08c5e9b74c 74 | win_iceid_main_ldr_202104, 2dd48da60505a9eab7327d98da1b4f18297af4d90fdce43373e858c3ae98c067 75 | win_iceid_main_ldr_202104, 30e435d5e62fe4d2f2134aef71f2ca293dcdfb469ead2bb91934186daba202b5 76 | win_iceid_main_ldr_202104, 34b17ada8e494fa31ed79c9ebcf0111224fb0a69231a427ae84562f5627c4d8b 77 | win_iceid_main_ldr_202104, 386eacdb0859abd2cc0701234928076b65f638c973996b7aadea0f11e3551509 78 | win_iceid_main_ldr_202104, 42fa313831b18f9db44dcbcbff32cea051310b7fa41d41166deee76c2a3d7eae 79 | win_iceid_main_ldr_202104, 453ce66c651aab2725bc2efe67cbba63c001d118672eaa784230f618455af788 80 | win_iceid_main_ldr_202104, 45ecbaabd892c487855fe8be621ce01072af532e801886a9dbc93195526d28f2 81 | win_iceid_main_ldr_202104, 48532db641ed61a1e144de0a390081afc0fd791a9c3aef758dd214f78c468157 82 | win_iceid_main_ldr_202104, 49be4934e3fcb3778714e2f17abd418579ddad206b90c77327a46710e54e5f37 83 | win_iceid_main_ldr_202104, 544b6465c811149090e5e0d69aac4bfb993f7e78fe9f4bcf492b6eaf3d730b9f 84 | win_iceid_main_ldr_202104, 5a432e52b1e530cc35cd01dd190621093f3326bcba77083aebacc5a4a42471f9 85 | win_iceid_main_ldr_202104, 61d3cf7cb176fc25bd005c2dc941d31407bbced9c4dabb6bd66bb2baaaf4e027 86 | win_iceid_main_ldr_202104, 64053208c58e0ca4f7a4b493436e62438b3f0f5ed96d3e9192419ae60b0a1b99 87 | win_iceid_main_ldr_202104, 6770199312a47a728c9e331844108334c69e364544aa336cb514bd20dd6a118f 88 | win_iceid_main_ldr_202104, 6a4dd0fb5ab2fce8fbfb98d7848d1c1934c4464418e5cc97da6a3f1c774c5a7a 89 | win_iceid_main_ldr_202104, 7051f30a6b9c7826f017faf69fe52c6e28c71af1ef5e1dbaae9c6f8a885019a7 90 | win_iceid_main_ldr_202104, 732afcba370f7e9730623aa6e8eb0d36c7d33bc0e49eed03785cdc2a9989fa48 91 | win_iceid_main_ldr_202104, 
734be88aa4b7595a91b3dbda90c73856599764d31b20b00d0ac4ddffbe699214 92 | win_iceid_main_ldr_202104, 735c6b7461b12b012290b82a437a001456d6d518ae651321428bc8fcb799558f 93 | win_iceid_main_ldr_202104, 7501eb216d02bbe90e357cfd46b0066ba7fa7e2b37b2c6904c5a9ca225a9f1ac 94 | win_iceid_main_ldr_202104, 798e6729b55c3229a714958027601ad53667b4248081a41e0c98f93b18bd3056 95 | win_iceid_main_ldr_202104, 8301c177db142c3062ed9e7fe6fe2b519d4d184770d9c0689417f5ae4619c4d1 96 | win_iceid_main_ldr_202104, 8a1a1f6f0c146ea5ea8b7007c45c0b411f832b6524517b7e1c7a170429c526fd 97 | win_iceid_main_ldr_202104, 8e79254a4a6384dbdc57c3520ce9c93694d4ce1f07251187039afaf134c1c48f 98 | win_iceid_main_ldr_202104, 8f0aff5920d87c5e9b489b39564e9c5aedd2fb47e4a995d85ae5024baa89d661 99 | win_iceid_main_ldr_202104, 92a9833857288910df920d075dd9bc4d922d52af207d5952184a65237ecd65bf 100 | win_iceid_main_ldr_202104, 97f80c347f8a8813704d76d5b351b4a1b986821a1c44ed95ad4e0c4c93f6ab6e 101 | win_iceid_main_ldr_202104, 98e4ef2e7ece8065b46d67c6a5b40751be8966d26badc9293fccd60bf4d2a61e 102 | win_iceid_main_ldr_202104, 99ad193049c03f300ae8c485e017f53371b96306c3a077842896a65cc687c855 103 | win_iceid_main_ldr_202104, 9bb1533b996d15fcf577db9458a9454bd7115f3f7b60ada6f2869aff8cab1e86 104 | win_iceid_main_ldr_202104, 9bc81912dedb0f050afc6fc6e3b6bef565eec74a628ba32d63d19411d2ce6974 105 | win_iceid_main_ldr_202104, 9d623286d001eaf2a31b8c91e38b003fbdff5e7cd8bbde29bc69c19308611e50 106 | win_iceid_main_ldr_202104, 9d9d42372abdff2febedec520d191a28e7310c48fc5c68d7ee2419d6881b259e 107 | win_iceid_main_ldr_202104, 9eddf7052f14acb641788471fb1343714c0351544b6d52d1ade67e6cd7109075 108 | win_iceid_main_ldr_202104, a6907cbe8bf2d46cfabe8635c1863dec72b4d4a318dc8e0e52a6ca7deb69d8de 109 | win_iceid_main_ldr_202104, a6975ae6fd4f3b07a7af4cc7c5f8a49aa0249ed3f11013c8487f484e6bb59b36 110 | win_iceid_main_ldr_202104, a954753d17d4a285b3a9a262f21b93b80f0625956baa1dbf9a19e90b46432920 111 | win_iceid_main_ldr_202104, 
ad435db375665d157aed16ba8b51735b65ac6aee86864da78408b44c9d85093b 112 | win_iceid_main_ldr_202104, b8002a96e4dd9e64c61ba0ddefa9cac0aa6693f143a29a4ca1da23b9d0ee7c08 113 | win_iceid_main_ldr_202104, b86d0a12eb72af0690a6293e6a2815161aec4c6837c8f9c93effcd4e249759ee 114 | win_iceid_main_ldr_202104, c04101f36a7d1498379ff6abb2218a2730ad896908e525cd3664ea5cc4a56a18 115 | win_iceid_main_ldr_202104, c28896df6bb0a0cc60bead05c37c8ecc9d93ef5e04853e75f0be8e170eb6208c 116 | win_iceid_main_ldr_202104, c64aa3ceb9bd50620c4a5ba59d117eb9be6a2dff8bfdabcd1611562d5d2c8b67 117 | win_iceid_main_ldr_202104, cccc59bb80ee4003e60632ef75835efe3a5ef2cdf762f6da95f5610f0647d3c1 118 | win_iceid_main_ldr_202104, ceb2884e438fe809559820acb52eb09298b4dfddf222e9b4f550476537c5c3d4 119 | win_iceid_main_ldr_202104, d1506428276269e333d30752ddd3300c6f102e39144b890b0864d7a5ab9acf74 120 | win_iceid_main_ldr_202104, d68afdb539f23b0b2d9d631a1279d0a2d276e0e79fd5398f76c550acf78f5f6e 121 | win_iceid_main_ldr_202104, d958b83ddb4cdaca115b0edf9c91ff38e0729d2030fc789df0dfc53c54ce2309 122 | win_iceid_main_ldr_202104, d98b0869dff3ee90dc4d0eed08a7de08209ec3e2c99cd72f9175380647dcb530 123 | win_iceid_main_ldr_202104, df42fbff0dc3b8f7609d139c8d469c96177aee08463927db9b97c179f3f15cdb 124 | win_iceid_main_ldr_202104, e0215f25932d9c0023fa7d1138805e124ec77ecd1175caa7791f4b8b42570c04 125 | win_iceid_main_ldr_202104, e3033a82b2089affd064d474437530c3c9ec8c0fd0155771961adb69ab89a1c4 126 | win_iceid_main_ldr_202104, e338189c2f00398717fcac0bcd0e82eafe351ea0fc4b9072db9d415ed031aa59 127 | win_iceid_main_ldr_202104, e5a0e4fd89fdc22a36fddc5f3cff31e08317c5bd1287c715a45433c35741ad7d 128 | win_iceid_main_ldr_202104, e5e7fae9b40723fd9ed18f4e776b2cdb8a873c694e07fe5b3dd8312b227152d5 129 | win_iceid_main_ldr_202104, e6a942d6dbda4afe76d962d2a70dad618b38e20c57df4c53f5a514cf645391ac 130 | win_iceid_main_ldr_202104, ef7d068c6d07e49381a24fe2e4f9da3c1fbb0ac5cc6523adc55eb53ce1a785e8 131 | win_iceid_main_ldr_202104, 
f2481cf56b15a38f7d2d95c5067b60c2b9a65b65381b357d964d6f752c974d6a 132 | win_iceid_main_ldr_202104, fb5e215048521c92d3308ddd378c0bed02aa04e1f67aa28660d2c4b3f600ba67 133 | -------------------------------------------------------------------------------- /plugx/plugx_mustang_panda.yar: -------------------------------------------------------------------------------- 1 | import "math" 2 | 3 | rule win_plugx_encrypted_hunting { 4 | meta: 5 | description = "Detects encrypted PlugX payloads" 6 | author = "Thomas Barabosch, Telekom Security" 7 | date = "2021-10-29" 8 | hash1 = "6b8081606762a2a9b88e356c9e3669771ac8bb6aaf905050b9ecd0b490aa2466" 9 | hash2 = "8ec409c1537e3030405bc8f8353d2605d1e88f1b245554383682f3aa8b5100ec" 10 | hash3 = "acfd58369c0a7dbc866ad4ca9cb0fe69d017587af88297f1eaf62a9a8b1b74b4" 11 | hash4 = "27ea939f41712a8655dc2dc0bce7d32a85e73a341e52b811b109befc043e762a" 12 | hash5 = "8889d2b18fb368fbfc16f622fcc20df1b9e522c2bada0195f9a812867f6bad91" 13 | hash6 = "d8882948a7fe4b16fb4b7c16427fbdcf0f0ab8ff3c4bac34f69b0a7d4718183e" 14 | further_reading = "https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.120.9861&rep=rep1&type=pdf" 15 | condition: 16 | 17 | math.in_range(math.mean(0, 16), 70.0, 110.0) // there is an ascii string at beginning (== xor key) 18 | and math.in_range(math.mean(filesize-8, 8), 70.0, 110.0) // the end of the file reflects the xor key since usually (000000...) 19 | and math.in_range(math.mean(0x300, 256), 70.0, 110.0) // before (unencrypted) .text section there are usually many zeros. These reflect the xor key in the encrypted version. 20 | and math.in_range(math.mean(0x30, 16), 70.0, 110.0) // since there are many zeros in the PE header, these bytes will have the value of the xor key in the encrypted version. 
21 | 22 | and math.in_range(math.entropy(0, 8), 2.0, 4.0) // ensure that the file does not start with zero bytes and hopefully an ASCII key 23 | and math.in_range(math.entropy(0, 1000), 4.0, 6.0) // check if key repeats due to zero bytes in PE header 24 | and math.in_range(math.entropy(filesize - 32, 32), 2.0, 4.5) // check if key repeats due to zero bytes at the file end 25 | 26 | and math.entropy(0x410, 176) > 5.0 // entropy of encrypted .TEXT section should be still above 5.0 (see further_reading) 27 | and math.mean(0x3d0, 48) > 10 // assume that before text section there are no zero bytes in the encrypted version 28 | 29 | and filesize > 70KB 30 | and filesize < 250KB // check if size is in range for plugx 31 | 32 | and ((math.mean(8, 1) == 0) 33 | or (math.mean(9, 1) == 0) 34 | or (math.mean(10, 1) == 0) 35 | or (math.mean(11, 1) == 0) 36 | or (math.mean(12, 1) == 0) 37 | or (math.mean(13, 1) == 0) 38 | or (math.mean(14, 1) == 0) 39 | or (math.mean(15, 1) == 0)) // ensure there is a zero terminator of the key somewhere at the beginning, allow key length 9 - 16 bytes. 
40 | } 41 | -------------------------------------------------------------------------------- /raspberry_robin/domains.txt: -------------------------------------------------------------------------------- 1 | 0dz.me 2 | 0e.si 3 | 0t.yt 4 | 0v.wf 5 | 0w.pm 6 | 0x9.biz 7 | 13j.me 8 | 1h3.me 9 | 1j.pm 10 | 1j4.xyz 11 | 1k4.xyz 12 | 2j4.xyz 13 | 2yd.eu 14 | 3e.pm 15 | 3h.wf 16 | 3h1.xyz 17 | 4j1.xyz 18 | 4j5.xyz 19 | 4k1.xyz 20 | 4kx.xyz 21 | 4m.wf 22 | 4q.pm 23 | 4s3.me 24 | 4w.rs 25 | 5j8.xyz 26 | 5jb.me 27 | 5kj.xyz 28 | 5kx.me 29 | 5qw.pw 30 | 5s.pm 31 | 66j.me 32 | 6id.xyz 33 | 6j2.xyz 34 | 6w.re 35 | 6wr9.com 36 | 6xj.xyz 37 | 6y.re 38 | 7yfb.com 39 | 8t.pm 40 | aij.hk 41 | as3.biz 42 | b3vv.com 43 | b8x.org 44 | b9.pm 45 | bpyo.in 46 | c0.wf 47 | c4z.pl 48 | c7.ic 49 | c7.lc 50 | dj2.biz 51 | doem.re 52 | e9.wf 53 | egso.net 54 | ej3.xyz 55 | ejk.bz 56 | euya.cn 57 | f0.tel 58 | fxb.tw 59 | fz.ms 60 | g4.tel 61 | g4.wf 62 | glnj.nl 63 | gz3.nl 64 | i49.xyz 65 | i4x.xyz 66 | i6n.xyz 67 | iz.gy 68 | j1n.me 69 | j2.gy 70 | j4r.xyz 71 | j4z.co 72 | j4z.xyz 73 | j5m.biz 74 | j5n.xyz 75 | j68.info 76 | j8.si 77 | jjl.one 78 | jzm.pw 79 | k5j.one 80 | k5m.co 81 | k5x.xyz 82 | k6c.org 83 | k6j.me 84 | k6j.pw 85 | kglo.link 86 | kj1.xyz 87 | kjaj.top 88 | kr4.xyz 89 | krrz.pm 90 | l5k.xyz 91 | l9b.org 92 | lgf.pw 93 | lwip.re 94 | m0.wf 95 | m5n.biz 96 | mirw.wf 97 | mn1.biz 98 | mwgq.net 99 | mz3.biz 100 | mzjc.is 101 | n3.wf 102 | n5.ms 103 | n54.me 104 | n5k.me 105 | nt3.xyz 106 | nz4.xyz 107 | nzm.one 108 | oj8.eu 109 | omzk.org 110 | p3.ms 111 | p9.tel 112 | pjz.one 113 | q2.rs 114 | qmpo.art 115 | r0.pm 116 | r4e.pl 117 | r6.nz 118 | ri7.biz 119 | rx3.xyz 120 | s8.cx 121 | skqv.eu 122 | t7.nz 123 | tz6.org 124 | u0.pm 125 | ue2.eu 126 | uoej.net 127 | uqw.futbol 128 | uz3.me 129 | v0.cx 130 | vn6.co 131 | w4.wf 132 | w6.nz 133 | wak.rocks 134 | xjam.hk 135 | xz4.biz 136 | y3x.biz 137 | yuiw.xyz 138 | z7s.org 139 | zbs.is 140 | zk.qa 141 | zk4.me 142 | zk5.co 143 | 
-------------------------------------------------------------------------------- /raspberry_robin/hashes.txt: -------------------------------------------------------------------------------- 1 | 01d13023055420ee95f79cafeee9e78f1579de3cbaab4a29227d28b16421be65 2 | 076fef803408e653fbd5641e9f5a680da3f534c55d1029f3ba8d4689e43de601 3 | 0d25743cdd5bb3b64ba87821caabc2c2990edff5d09c5a259917436fb995154c 4 | 1eb48fce25c89f9a7e90ef0dfd395b5fdd9535765a647599b0e0fd7dfde48b02 5 | 23b808a462f1f4172cbb6a77dbbdf257f6abb4cbef652c651bc204af0b2e6b14 6 | 253b88c1f8938affd796b5fe0738c4c8171cf39dc17d32aceed1456ea4bee0ad 7 | 27bd56bf6ddd9d87eb4bb2c1bf4b03932fcfe6a7c295e60ace78cc75a99ea48d 8 | 2c10b80dc69e531b618aa3553ee9079989468a03d4be5b3cea9421d9b082411b 9 | 35e7bf4fe22fe9d7adbe51e95ea4d2d7302ff3bf6a9b46bd663521031d23f5e1 10 | 49e51b5d6c0e030f2688759c9495fab9533b368122dc7a3369fbac208ee8b630 11 | 4d8787ef65b0e2729ac4ef8d00d66c397ca09694a4e5472130ed45ca9c4aa8e1 12 | 70e2c193de153a89cc834b5404d4c1135058dfd92f9a4dd592f97db6ed27fa65 13 | 717b23df402315ce0788352a7e4c8b61e25163e5cd0a523bd61128991f361aa3 14 | 7440caa335e40b476c6434e1b7201ad969ed6d2841a123eed59fbf3c924e1be4 15 | 77ae3f47aef1cca9ff5092843c937bc380f045acf4566d1d1895df185770169b 16 | 7b58bf90ee3c6bcb87d0751cdbf7d333949d8d4b07ddba1d3c9a7c72f93040f1 17 | 7be13446f9e63a6ae8aab7b31a1452503b9204e37511d65798b0d67d59c541fa 18 | 87eca6d43c76d34e7662d7cacc378009643c236ef2109cf8e25e838fd0e4bb39 19 | 8e269abd3c6fe8bbe6351f7e731716df739db4895feafba7778f5b31960d97b3 20 | 8f11dae7b19967c59a566063b42e6f787a260159f1066b6333a3ee02e258cdfc 21 | 8fc5d90692749e690dacaf0564b419aca6ec8015b835ddeba0a14a1fa9b30633 22 | 9ce8eb379cc9a2f0ae11859880b18c7ec343270035a6c01b37c045d51c50face 23 | a482e13d1fbd3b6b305a6a73b9d2d8632b58d756736cfd08d38a758ec00606ca 24 | aa5eea31237867d9a3a65a1eafec3efb4c00a75fc917277168682af1462801b8 25 | ab7cfcefcd7440c9894fb3b9ff2639d17d00f265b60d43f181ffd24b0911f659 26 | 
ada0b05b322ca036484955974b5a2e5093f5de6ffd904b39fef9d0f155f31c62 27 | b80e8b7dc4fb11f035b465acf16bdf4c950272774f53521210907cc4056ffb96 28 | bb303c2d9012a9d89ac6c00048b92ee506b3e81538698502c060b144c9371b21 29 | bdf4a67918249dc3477bbe1a47a74176922480ac5c5e73710d07cf6f904bedb6 30 | c39ba83fb6f6caa313801fb254fb64de4e0df64ea6edaa0702ec7d1347b5fd38 31 | dfca77c93631f5f28d253a16e2a678bb7ec31f76eab6372236f3a6182e5c4214 32 | e00a6bd1a9f4b47a7d7caeaa8a5c0210506338f369c16078d852a24d907d6088 33 | e1ca135b9c925a9b05ccd0c610f79288e2939ba0f452261d41d636e01927b9a7 34 | e455a74b85be6bd26557fe3dcc3eeaf85e0ee64dcbbbadf28e2b9da5632f921c 35 | f2aa687f5fb052c2265e9e1acc959f60b1af036a7724521d811b82f09fc8349b 36 | faa63e99ba00f8a6ca9c917d637cf00615394216bbf12cb40638a2cd88a69204 37 | fcf26ed52c680c38f05d4f3815ef0a5e4eac75a937015ba1d2c8c8b0692daec3 38 | fd162d6dcdb5d135099ab9a45cea11ab57277bf214a84cde7aec425cd3ca87e3 39 | ff600b48ef4f27441dcbfb377195a17fbfa8f3ac707378a1a0e2739ec86fb2ed 40 | -------------------------------------------------------------------------------- /raspberry_robin/ips.txt: -------------------------------------------------------------------------------- 1 | 1.163.239.22 2 | 1.175.125.217 3 | 1.175.137.191 4 | 1.175.153.226 5 | 1.175.74.58 6 | 101.109.242.118 7 | 101.109.242.88 8 | 119.237.136.30 9 | 121.171.184.22 10 | 122.213.27.148 11 | 125.191.5.20 12 | 179.60.150.120 13 | 31.17.3.210 14 | 58.136.1.101 15 | 58.136.239.28 16 | 61.244.156.107 17 | 67.171.80.255 18 | 70.124.238.72 19 | 77.183.5.151 20 | 77.191.244.198 21 | 78.55.212.34 22 | 79.19.192.68 23 | 79.21.111.16 24 | 79.26.16.93 25 | 79.46.2.104 26 | 82.125.202.251 27 | 82.53.94.232 28 | 84.3.114.216 29 | 89.14.204.241 30 | 94.11.86.46 31 | 94.5.200.190 32 | -------------------------------------------------------------------------------- /systembc/extract_systembc.py: -------------------------------------------------------------------------------- 1 | # Author: Thomas Barabosch, Deutsche Telekom Security 2 | # 
Date: 2022-03-11
3 | # Sharing: TLP:WHITE
4 | # https://twitter.com/DTCERT
5 | # https://github.com/telekom-security/malware_analysis
6 | #
7 | # Find unpacked samples on VirusTotal with this VT Intelligence Query:
8 | # 'content:"BEGINDATA" tag:peexe size:30KB-'
9 |
10 | import json
11 | import re
12 | import sys
13 |
14 |
15 | def store_config(config: dict, sample_path: str) -> None:
    """Write the extracted config as JSON next to the sample.

    The output file is ``<sample_path>_systembc_config.json``; an existing
    file of that name is overwritten without warning ('w' mode).
    """
16 |     sample_path = sample_path + '_systembc_config.json'
17 |
18 |     with open(sample_path, 'w') as fp:
19 |         json.dump(config, fp)
20 |
21 |
22 | def extract_ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least *min_len* printable-ASCII bytes in *data*.

    Only the characters listed in the regex class below are accepted, so every
    match is pure ASCII and the default UTF-8 ``.decode()`` cannot fail on it.
    """
23 |     # taken from https://github.com/kevthehermit/RATDecoders/blob/master/malwareconfig/fileparser.py
24 |     string_list = []
25 |     regexp = b'[%s]{%d,}' % (b" !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t", min_len)
26 |     pattern = re.compile(regexp)
27 |     for s in pattern.finditer(data):
28 |         string_list.append(s.group().decode())
29 |     return string_list
30 |
31 |
32 | def parse_strings(file_data: bytes) -> tuple[list[str], list[int], list[str]]:
    """Pull (hosts, ports, tor) values out of the sample's printable strings.

    A string counts as a config entry if it merely *contains* PORT, HOST or
    TOR (substring match, checked in that order), and the value is whatever
    follows the first ':'. Empty values are dropped.

    NOTE(review): ``s.split(':')[1]`` raises IndexError when a matching string
    has no ':', and ``int(tmp)`` raises ValueError when a PORT value is not a
    plain integer -- a truncated or unexpected string therefore aborts the
    whole extraction instead of being skipped. Anyone running this over many
    samples should catch both exceptions around the call.
    """
33 |     ports = []
34 |     hosts = []
35 |     tor = []
36 |     for s in extract_ascii_strings(file_data):
37 |         if 'PORT' in s:
38 |             tmp = s.split(':')[1].strip()
39 |             if tmp:
40 |                 ports.append(int(tmp))
41 |         elif 'HOST' in s:
42 |             tmp = s.split(':')[1].strip()
43 |             if tmp:
44 |                 hosts.append(tmp)
45 |         elif 'TOR' in s:
46 |             tmp = s.split(':')[1].strip()
47 |             if tmp:
48 |                 tor.append(tmp)
49 |     return hosts, ports, tor
50 |
51 |
52 | def extract(sample_path: str):
    """Read the sample in binary mode and return its config dict, or None.

    The whole file is read into memory. Only non-empty lists become keys
    ('ports', 'hosts', 'tor'); when all three are empty, None is returned.
    """
53 |     with open(sample_path, 'rb') as f:
54 |         file_data = f.read()
55 |     hosts, ports, tor = parse_strings(file_data)
56 |
57 |     if hosts or ports or tor:
58 |         config = {}
59 |         if ports:
60 |             config['ports'] = ports
61 |         if hosts:
62 |             config['hosts'] = hosts
63 |         if tor:
64 |             config['tor'] = tor
65 |         return config
66 |     return None
67 |
68 |
69 | def main() -> None:
    """CLI entry point: extract and store the config of the single sample path given on the command line."""
70 |     if len(sys.argv) != 2:
71 |         print('Usage: extract_systembc.py PATH_TO_SAMPLE')
72 |         sys.exit(1)
73 |
74 |     sample_path = sys.argv[1]
75 |     config = extract(sample_path)
76 |     if config:
77 |         print(f'Extracted config: {config}')
78 |         store_config(config, sample_path)
79 |     else:
80 |         print('Could not extract config.')
81 |
82 |
83 | if __name__ == '__main__':
84 |     main()
85 |
-------------------------------------------------------------------------------- /systembc/systembc.yara: --------------------------------------------------------------------------------
1 | rule win_systembc_20220311 {
2 | meta:
3 | author = "Thomas Barabosch, Deutsche Telekom Security"
4 | twitter = "https://twitter.com/DTCERT"
5 | description = "Detects unpacked SystemBC module"
6 | date = "20220311"
7 | sharing = "TLP:WHITE"
8 | malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
9 | reference_1 = "https://twitter.com/Cryptolaemus1/status/1502069552246575105"
10 | reference_2 = "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6"
11 | hash_1 = "c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5"
12 | in_memory = "True"
13 | strings:
14 | $sx1 = "-WindowStyle Hidden -ep bypass -file" ascii
15 | $sx2 = "BEGINDATA" ascii
16 | $sx3 = "GET %s HTTP/1.0" ascii
// The three disabled strings below are the config markers (PORT/HOST/TOR prefixes)
// that the companion extract_systembc.py parses; they are not part of the condition.
17 | /*
18 | $s1 = "TOR:" ascii
19 | $s2 = "PORT1:" ascii
20 | $s3 = "HOST1:" ascii
21 | */
22 | $s5 = "User-Agent:" ascii
23 | /* $s6 = "powershell" ascii */
24 | $s8 = "ALLUSERSPROFILE" ascii
25 | condition:
26 | ( uint16(0) == 0x5a4d and filesize < 30KB and 2 of ($sx*) ) or all of them
27 | }
28 | --------------------------------------------------------------------------------