2018.01.29.VERMIN_Quasar_RAT_and_Custom_Malware_Used_In_Ukraine
This commit is contained in:
parent
a6c6c6fbcf
commit
cb5ed6540a
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,158 @@
|
|||
#!/usr/local/bin/python
|
||||
|
||||
__author__ = "Juan C Cortes"
|
||||
__version__ = "1.0"
|
||||
__email__ = "jcortes@paloaltonetworks.com"
|
||||
|
||||
from random import randint
|
||||
import zlib
|
||||
import binascii
|
||||
import sys
|
||||
import logging
|
||||
import hashlib
|
||||
import argparse
|
||||
import os
|
||||
import struct
|
||||
from tabulate import tabulate
|
||||
from Crypto import Random
|
||||
from Crypto.Cipher import AES
|
||||
|
||||
def parse_arguments():
|
||||
"""Argument Parser"""
|
||||
parser = argparse.ArgumentParser(
|
||||
usage="Decrypt strings for VerminRAT")
|
||||
parser.add_argument(
|
||||
"-v",
|
||||
"--verbosity",
|
||||
action="store_true",
|
||||
dest="vverbose",
|
||||
help="Print debugging information")
|
||||
parser.add_argument(
|
||||
"-o",
|
||||
"--output",
|
||||
dest="output_file",
|
||||
type=str,
|
||||
help="Output results file")
|
||||
parser.add_argument(
|
||||
"input",
|
||||
type=str,
|
||||
action='store',
|
||||
help="Input file of newline separated strings or single string")
|
||||
parser.add_argument(
|
||||
"-b",
|
||||
"--blob",
|
||||
action='store_true',
|
||||
help="Param use for decrypting blobs of data instead of strings. Blob is autosave to 'blob.out'")
|
||||
return parser
|
||||
|
||||
def write_out(output_list, headers, output_file=False):
|
||||
"""
|
||||
Pretty outputs list
|
||||
:param output_list: List to output
|
||||
"""
|
||||
print tabulate(output_list, headers, tablefmt="simple")
|
||||
print ""
|
||||
if output_file:
|
||||
with open(output_file, "ab") as file:
|
||||
file.write(tabulate(output_list, headers, tablefmt="simple"))
|
||||
file.write("\n\n")
|
||||
|
||||
def generateArray():
|
||||
abyte = bytearray(6)
|
||||
for i in range(0,6):
|
||||
abyte[i] = randint(0, 0x7FFFFFFF) % 7
|
||||
|
||||
return abyte;
|
||||
|
||||
def parseEncrypteStr(encryptStr):
|
||||
try:
|
||||
decoded = encryptStr.decode('base64')
|
||||
hardcoded_crc32 = decoded[-4:]
|
||||
parsedEncrypted = decoded[16:-4]
|
||||
iv = decoded[:16]
|
||||
return hardcoded_crc32,parsedEncrypted,iv
|
||||
except Exception as e:
|
||||
print e
|
||||
|
||||
def bruteForceCRC32Value(valuecrc32):
|
||||
while (True):
|
||||
arry = generateArray()
|
||||
crc32 = binascii.crc32(arry)
|
||||
crc32 = crc32 % (1 << 32)
|
||||
if crc32 == valuecrc32:
|
||||
return(arry)
|
||||
|
||||
def decryptStr(str,key,iv):
|
||||
aes = AES.new(key, AES.MODE_CBC, iv)
|
||||
blob = aes.decrypt(str)
|
||||
return blob
|
||||
|
||||
def parsePlainText(str):
|
||||
char = ""
|
||||
for i in str:
|
||||
if 0x20 <= ord(i) <= 0x127:
|
||||
char += i
|
||||
else:
|
||||
continue
|
||||
return char
|
||||
|
||||
def parseUnicde(str):
|
||||
try:
|
||||
uni = ""
|
||||
for i in range(0,len(str)/2):
|
||||
uni += str[i]
|
||||
return uni.decode('utf16')
|
||||
except Exception as e:
|
||||
print e
|
||||
|
||||
def main():
|
||||
"""Main Method"""
|
||||
args = parse_arguments().parse_args()
|
||||
strs = []
|
||||
|
||||
if args.vverbose:
|
||||
logging.basicConfig(
|
||||
level=logging.DEBUG,
|
||||
format=' %(asctime)s - %(levelname)s - %(message)s')
|
||||
|
||||
if args.blob and os.path.exists(args.input) != True:
|
||||
b = args.input
|
||||
crc32Hardcode, encryptedStr, iv = parseEncrypteStr(b)
|
||||
crc32Hardcode = bytearray(crc32Hardcode)
|
||||
crc32Hardcode = struct.unpack('<I', crc32Hardcode)[0]
|
||||
bruteArray = bruteForceCRC32Value(crc32Hardcode)
|
||||
m = hashlib.md5()
|
||||
m.update(bruteArray)
|
||||
key = m.digest()
|
||||
plain = decryptStr(encryptedStr, key, iv)
|
||||
with open('blob.out', "wb") as file:
|
||||
file.write(plain)
|
||||
|
||||
|
||||
if os.path.exists(args.input) != True:
|
||||
strs.append(args.input)
|
||||
|
||||
else:
|
||||
with open(args.input, "rb") as open_file:
|
||||
for line in open_file:
|
||||
hash = line.rstrip()
|
||||
strs.append(hash)
|
||||
|
||||
for s in strs:
|
||||
|
||||
crc32Hardcode,encryptedStr,iv = parseEncrypteStr(s)
|
||||
crc32Hardcode = bytearray(crc32Hardcode)
|
||||
crc32Hardcode = struct.unpack('<I', crc32Hardcode)[0]
|
||||
bruteArray = bruteForceCRC32Value(crc32Hardcode)
|
||||
m = hashlib.md5()
|
||||
m.update(bruteArray)
|
||||
key = m.digest()
|
||||
plain = decryptStr(encryptedStr,key,iv)
|
||||
parsestr = parsePlainText(plain)
|
||||
unistr = parseUnicde(plain)
|
||||
headers = ["ASCII","UNICODE"]
|
||||
outputlist = [[parsestr,unistr]]
|
||||
write_out(outputlist, headers, args.output_file)
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
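Review bot: bruteForceCRC32Value searches the 7^6 key space by random sampling (generateArray draws six values in 0..6 per attempt), so its run time is nondeterministic and it spins forever when the trailing CRC32 of a malformed or truncated input matches no candidate, which is the likely failure mode for a tool that is fed raw strings from a file. The space is only 117,649 arrays, so a deterministic enumeration with itertools.product is bounded, can be built once into a dict and reused across every string in the input file, and can raise a ValueError instead of hanging; with this rewrite generateArray becomes unused and `import itertools` joins the stdlib imports. Separately, parsePlainText compares against `0x127` (decimal 295), which is above any byte value, so bytes 0x80–0xFF pass the "printable ASCII" filter; `if 0x20 <= ord(i) < 0x7F:` is the intended range. parseEncrypteStr prints the exception and implicitly returns None on a bad base64 string, which then surfaces as an unrelated TypeError at the tuple unpack in main; re-raising, or returning early from main when it yields None, would make the bad-input path explicit.
```python
_CRC_TABLE = {}


def bruteForceCRC32Value(valuecrc32):
    """Return the 6-byte array (each byte 0..6) whose CRC32 equals valuecrc32.

    Enumerates all 7**6 candidates once and caches the crc32 -> array table,
    so a file of many strings does not re-run the search per string. Raises
    ValueError instead of looping forever when no candidate matches.
    """
    if not _CRC_TABLE:
        for combo in itertools.product(range(7), repeat=6):
            arry = bytearray(combo)
            # keep the first array for a given CRC32 (collisions are possible)
            _CRC_TABLE.setdefault(binascii.crc32(arry) % (1 << 32), arry)
    try:
        return _CRC_TABLE[valuecrc32]
    except KeyError:
        raise ValueError("no 6-byte array in 0..6 has CRC32 0x%08x" % valuecrc32)
# … unchanged: decryptStr, parsePlainText, parseUnicde, main …
```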
|
|
@ -0,0 +1,33 @@
|
|||
0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6
|
||||
154ef5037e5de49a6e3c48ea7221a02a5df33c34420a586cbff6a46dc5026a91
|
||||
24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18
|
||||
250cf8b44fc3ae86b467dd3a1c261a6c3d1645a8a21addfe7f2e2241ff8b79fc
|
||||
4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da
|
||||
92295b38daa4e44b9d257e56c5b271bbbf6a620312dc58e48e56473427170aa1
|
||||
9ea00514c4ae9519a8938924b02826cfafeb75fc70f16c422aeadb8317a146c1
|
||||
a3c84c5f8d981653a2a391d29f32c8127fba8f0ab7da8815330a228205c99ba6
|
||||
7b08b0d4d68ebf5238eaa8a40f815b83de372e345eb22cc3d50a4bb1869db78e
|
||||
f75861216f5716b0227733e6a093776f693361626efebe37618935b9c6e1bdfd
|
||||
51b0bb172c6e5eaa8e333fbf2451ae27094991b6330025374b9082ae8cd879cf
|
||||
46ae101a8dc8bf434d2c599aaabfb72a0843d21e2150a6c745c0c4a771c09da3
|
||||
488db27f3d619b3067d95515a356997ea8e840c65daa2799bdd473dce93362f2
|
||||
5a05d2171e6aeb5edd9d39c7f46cd3bf0e2ee3ee803431a58a9945a56ce935f6
|
||||
6f4e20e421451c3d8490067f8424d7efbcc5edeb82f80bb5562c76d4adfb0181
|
||||
9a81cffe79057d8d307910143efd1455f956f2de2c7cc8fb07a7c17000913d59
|
||||
c84afdd28fa0923a09f6dd3af1e3821cdb07862b2796fa004cd3229bc6129cbe
|
||||
6cf63ae829984a47aca93f8a1261afe5a06930f04fab6f86f6f7f9631fde59ec
|
||||
aa982fe7d28bbf55865047b16334efbe3fcb6bae06e5ed9cab544f1c8d307317
|
||||
2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef
|
||||
677edb1a0a86c8bd0df150f2d9c5c3bc1d20d255b6f7944c4adcff3c45df4851
|
||||
74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d
|
||||
e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7
|
||||
eb48a31f8f81635d24f343a09247284149884bd713d3bc1c0b9c936bca8bafd7
|
||||
15c52b01d2b9294e2dd4d9711cde99e10f11cd188e0d1e4fa9db78f9805626c3
|
||||
31a1419d9121f55859ecf2d01f07da38bd37bb11d0ed9544a35d5d69472c358e
|
||||
5586fb423aff39a02cddf5e456a83a8301afe9ed78ecbc8de2cd852bc0cd498f
|
||||
5ee12dd028f5f8c2c0eb76f28c2ce273423998b36f3fc20c9e291f39825601f9
|
||||
eb48a31f8f81635d24f343a09247284149884bd713d3bc1c0b9c936bca8bafd7
|
||||
98073a58101dda103ea03bbd4b3554491d227f52ec01c245c3782e63c0fdbc07
|
||||
c5647603337a4e9bfbb2259c0aec7fa9868c87ded2ab74e9d233bdb2a3bb163e
|
||||
eb46b8978619a72f4b0d3ea8961dde527f8e27e89701ccd6e5643c33b103d901
|
||||
abd05a20b8aa21d58ee01a02ae804a0546fbf6811d71559423b6b5afdfbe7e64
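Review bot: The SHA256 `eb48a31f8f81635d24f343a09247284149884bd713d3bc1c0b9c936bca8bafd7` appears twice in this list (the 24th and 29th entries), so the file holds 33 lines but only 32 unique indicators. Anything that counts or bulk-imports these IOCs will either double-count or reject the duplicate; dropping the second copy keeps the list clean.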
|
|
@ -13,6 +13,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
|
|||
|
||||
|
||||
## 2018
|
||||
* Jan 29 - [[Palo Alto Networks] VERMIN: Quasar RAT and Custom Malware Used In Ukraine](https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/) | [Local](../../blob/master/2018/2018.01.29.VERMIN_Quasar_RAT_and_Custom_Malware_Used_In_Ukraine)
|
||||
* Jan 25 - [[Palo Alto Networks] OilRig uses RGDoor IIS Backdoor on Targets in the Middle East](https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/) | [Local](../../blob/master/2018/2018.01.25.oilrig_Middle_East)
|
||||
* Jan 18 - [[NCSC] Turla group update Neuron malware](https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20Neuron%20Malware%20Update.pdf) | [Local](../../blob/master/2018/2018.01.18.Turla_group_update_Neuron_malware)
|
||||
* Jan 16 - [[Kaspersky] Skygofree: Following in the footsteps of HackingTeam](https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/) | [Local](../../blob/master/2018/2018.01.16.skygofree)
|
||||
|
|