Add files via upload

avast-ti 2022-10-05 16:13:04 +02:00 committed by GitHub
parent 64c5de5bd6
commit 43fbdfe7ce
5 changed files with 88 additions and 6 deletions


@ -26,6 +26,10 @@ rule manjusaka_framework_go_build_id
hash = "ff20333d38f7affbfde5b85d704ee20cd60b519cb57c70e0cf5ac1f65acf91a6" // ELF v03 unpacked
hash = "3581d99feb874f65f53866751b7874c106b5ce65a523972ef6a736844209043c" // MZ v03 upx
hash = "6082bf26bcc07bf299a88eaa0272022418b12156cd987adfdff9fa1517afcf3d" // MZ v03 unpacked
hash = "14dfb43a1782b0b8d93c3d67d63b6c786b0a223bc50c3ec68106bd18d43652a4" // ELF v04 upx
hash = "4a0f47132867c12a6d009e43812729a1bb41f4eb83472ac352fc5b20fe937bef" // ELF v04 unpacked
hash = "bb1b7d506559c783ed747da461f58ea5256ba0a083768ae6aa1a2325017c4387" // ELF v05 upx
hash = "bd0e09e9ee4db74ada6433f00024a543f799046c15f635216ca4ae5e1f0c42e2" // ELF v05 unpacked
strings:
// ELF v01
$h01 = { 47 6F 00 00 57 79 5F 76 69 62 44 5A 76 32 77 6D 35 62 4C 32 71 73 6A 4A 2F 34 50 4D 56 79 4D 39 39 76 61 76 58 68 7A 65 5A 34 6C 76 2D 2F 4E 59 6C 5F 4B 6D 75 53 45 62 53 4E 4A 6B 39 45 61 52 74 31 2F 2D 45 4D 50 57 64 6A 73 30 4E 6C 37 73 79 67 41 41 74 65 54 00 }
@ -45,6 +49,14 @@ rule manjusaka_framework_go_build_id
$h08 = { 47 6F 20 62 FF FF FF FF 75 69 6C 64 20 49 44 3A 20 22 65 72 52 47 4F 4A 56 48 65 38 37 58 67 6D 79 4F 56 77 48 44 2F 42 FB FF FF FF 70 78 56 76 70 79 44 58 74 4C 64 64 79 57 46 64 38 4E 39 2F 6F 59 77 64 70 73 6D 46 45 }
// MZ v03 upx
$h09 = { 47 6F 20 62 75 69 6C 64 20 49 44 3A 20 22 65 72 52 47 4F 4A 56 48 65 38 37 58 67 6D 79 4F 56 77 48 44 2F 42 70 78 56 76 70 79 44 58 74 4C 64 64 79 57 46 64 38 4E 39 2F 6F 59 77 64 70 73 6D 46 45 44 58 39 32 58 4A 55 52 4C 55 7A 2F 62 62 58 59 38 43 76 6B 44 4D 72 69 42 33 32 64 49 36 53 58 }
// ELF v04 unpacked
$h10 = { 47 6F 00 00 47 6E 42 4B 6F 63 4C 77 76 57 5A 6E 43 5F 55 6D 49 72 2D 72 2F 36 50 2D 4F 7A 46 62 51 37 39 6F 59 79 79 61 44 52 48 56 34 2F 38 74 6D 46 77 78 63 53 64 63 63 6D 70 66 73 5A 63 33 68 62 2F 77 34 2D 36 49 52 50 70 75 42 66 75 61 68 7A 50 63 4C 35 32 00 }
// ELF v04 upx
$h11 = { 47 6F 06 FF FF FF FF 6E 42 4B 6F 63 4C 77 76 57 5A 6E 43 5F 55 6D 49 72 2D 72 2F 36 50 2D 4F 7A 46 62 51 37 39 6F FF FF 6F FF 59 79 79 61 44 52 48 56 DC 38 74 6D 46 77 78 63 53 64 63 63 6D 70 66 73 5A 63 33 68 62 }
// ELF v05 unpacked
$h12 = { 47 6F 00 00 4E 50 57 41 64 50 62 57 6D 6E 58 72 30 61 36 67 44 37 4B 7A 2F 54 74 6E 59 64 4F 79 43 6A 76 63 43 51 75 5A 39 47 69 44 72 2F 46 43 6D 4F 69 38 41 30 36 36 52 50 43 36 53 4F 57 76 61 4D 2F 43 70 57 37 4F 30 73 38 61 51 32 42 46 56 64 66 65 62 54 4A 00 }
// ELF v05 upx
$h13 = { 47 6F 06 FF FF FF 7F 4E 50 57 41 64 50 62 57 6D 6E 58 72 30 61 36 67 44 37 4B 7A 2F 54 74 6E 59 64 4F 79 43 6A 76 FF FF FF FF 63 43 51 75 5A 39 47 69 44 72 2F 46 43 6D 4F 69 38 41 30 36 36 52 50 43 36 53 4F 57 76 61 4D 2F }
condition:
any of them
}
@ -61,6 +73,8 @@ rule manjusaka_payload_encoded_hexstring
$s02 = "1f8b08000000000000ff94dd09982355d9fffd62d89a45880a181621804240c10888718328a8ed864144a3029d66ba67d2cc4c4fecee8180a85114f3284b4096b00d619380085111f3284a"
// ELF v03
$s03 = "1f8b08000000000000ff94dd0b982355b5fffde21eee011503a204440d201001317a148278890a1804348ad269667a260d3d33b1bb19820246bc10914bb80811618c80108f084110232204"
// ELF v04
$s04 = "1f8b08000000000000ff94dd07981bd5d9fffdb131208a41b4075123ba280101c6112d88d04468a22b01b25abc6b6bf17aadecae4140008540103582001110401483e8a28b2e4a4074d197"
// MZ v01
$s11 = "1f8b08000000000000ffecbd09784cd7ff077c26c924631977828958c284694d5092da12eb8448ce302108a248628ba82d65862025e924b8aeabdaeaa2abb6bfaebad74f83fe4804a1d5d6"
// MZ v02
@ -69,6 +83,8 @@ rule manjusaka_payload_encoded_hexstring
$s13 = "1f8b08000000000000ffecbd7b7854d5d928be7632496620710d4874522e9991ad4e94627641491425031378b7ae1150046a1168a1237ca2419801542e893b53b3d8eeafb4b5777b8eb5fd"
// MZ v03
$s14 = "1f8b08000000000000ffecbd7b7854d5d530be4f32496620710f9ae8a45c3223479d28d51c414934960c4c601ddd23a811a845a0858e50d120cc002a97c49369b3399e96b6dacb5bfb7dbe"
// MZ v04
$s15 = "1f8b08000000000000ffecbd79785445d6305eb7934e3a90e676846887451abc68c7b5e33293284b37e924a7e506a222a022c45119501c23744b1c194ce6764b2a97abcc88233a3aaee38a"
condition:
(EXE or ELF) and (
any of ($s0*) and
@ -84,6 +100,9 @@ rule manjusaka_payload_elf
hash = "0063e5007566e0a7e8bfd73c4628c6d140b332df4f9afbb0adcf0c832dd54c2b" // 01, v02
hash = "76eb9af0e2f620016d63d38ddb86f0f3f8f598b54146ad14e6af3d8f347dd365" // v03 (dev)
hash = "0a5174b5181fcd6827d9c4a83e9f0423838cbb5a6b23d012c3ae414b31c8b0da" // v03
hash = "63e7f6fa89faa88b346d0cceddf2ef2e3ebf5d5828aa0087663c227422041db7" // v04
hash = "400855b63b8452221869630c58b7ab03373dabf77c0f10df635e746c13f98ea9" // v05
hash = "4eb337c12f0e0ee73b3209bed4b819719c4af9f63f3e81dbc3bbf06212450f1c" // v05
strings:
$s01 = "proc/meminfo/proc/uptime/etc/os-releaseVERSION_ID=NAME=DISTRIB_ID"
$s02 = "/root/.cargo/registry/src/mirrors.ustc.edu.cn"
@ -92,6 +111,8 @@ rule manjusaka_payload_elf
$s11 = "./protos/cs.rstargetpidAgentsagentAgentUpdatesleepenckeysysinfoConfigPluginExecPluginLoadReqCwd"
$s12 = "ReqScreenH"
$s13 = "manjusakahttp:"
$s14 = "pluginexecpluginloadreqcwdreqcmd"
$s15 = "/NPSC2/npc/libs/"
condition:
ELF and
(
@ -109,10 +130,17 @@ rule manjusaka_payload_mz
hash = "cd0c75638724c0529cc9e7ca0a91d2f5d7221ef2a87b65ded2bc1603736e3b5d" // v02
hash = "d5918611b1837308d0c6d19bff4b81b00d4f6a30c1240c00a9e0a9b08dde1412" // v03 (dev)
hash = "2b174d417a4e43fd6759c64512faa88f4504e8f14f08fd5348fff51058c9958f" // v03
hash = "377bacba69d2bec770599ab21a202b574b92fb431fc35bbdf39080025d6cf2d6" //v04
hash = "86c633467ba7981d3946a63184dbfabce587b571f761b3eb1e3e43f6b1df6f2c" //v05
hash = "51857882d1202e72c0cf18ff21de773c2a31ee68ff28385f968478401c5ab4bb" //v05
hash = "e07aa10f19574a856a4ac389a3ded96f2d78f41f939935dd678811bd12b5bd03" //v05
hash = "9e7144540430d97de38a2adcef16ad43e23c91281462b135fcc56cafc2f34160" //v05
strings:
$s01 = ".\\protos\\cs.rstargetintranethostnameplatformpidAgentsstatusagentinternetupdateatAgentUpdate"
$s02 = "PluginExecPluginLoadReqCwdcmdReqCmd"
$s03 = "Users\\Administrator.WIN7-2021OVWRCZ\\.cargo"
$s04 = "Users\\runneradmin\\.cargo"
$s05 = "windows\\c.rsNtReadFile"
$s11 = "src\\mirrors.ustc.edu.cn-"
$s12 = "CodeProject\\hw_src\\NPSC2\\npc\\target\\release\\deps\\npc.pdb"
$s13 = "@@@manjusaka"
@ -121,6 +149,9 @@ rule manjusaka_payload_mz
$s16 = "name=key=clearWIFI"
$s17 = "cmd.exe/c"
$s18 = "Accept-Languagezh-CN,zh;q=0.9,en;q=0.8Accept-Encodinggzip"
$s19 = "library\\std\\src\\sys_common\\wtf8.rs"
$s110 = "plug_getpass_nps.dll"
$s111 = "plug_test_nps.dll"
condition:
EXE and
(
@ -128,4 +159,3 @@ rule manjusaka_payload_mz
3 of ($s1*)
)
}
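Review bot: The `hash` meta labels in `manjusaka_payload_elf` and `manjusaka_payload_mz` appear swapped relative to the README changed in this same commit: the ELF rule carries `76eb9af0…dd365 // v03 (dev)` while the README tags that hash `EXE v03 (dev)`, and the MZ rule carries `d5918611…1412 // v03 (dev)` while the README tags it `ELF v03 (dev)`; one of the two sources should be corrected so an analyst triaging a hit is not pointed at the wrong sample (the README also lists `443abf66…11a8 - ELF v05`, which the ELF rule's meta omits — possibly intentional). In the last `manjusaka_payload_mz` hunk, `$s19 = "library\\std\\src\\sys_common\\wtf8.rs"` (which looks to be among the added lines) is a path present in essentially any Rust-built Windows binary, and `$s11` (a cargo mirror path) is similarly generic, so together they can satisfy `3 of ($s1*)` with little family-specific evidence; consider dropping `$s19` or requiring one of the family-specific strings such as `$s12` or `$s13` alongside the count. The new identifiers `$s110` and `$s111` also read ambiguously next to `$s11`–`$s19`; a zero-padded scheme (`$s101`…`$s111`) would keep the `$s1*` wildcard unambiguous, and the `//v04` / `//v05` comments in the preceding hunk lack the space used everywhere else. Both rules' `condition:` blocks continue outside the visible hunks, so the full conditions were not reviewed.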


@ -2,9 +2,7 @@
Manjusaka is web based imitation of the Cobalt Strike framework.
More info: <a href="https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html" target="_blank">Talos blogpost</a>
More info: <https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html>
<br/>
Manjusaka github: <https://github.com/YDHCUI/manjusaka>
@ -24,7 +22,7 @@ Each data blob start with header:
```
1F 8B 08 00 00 00 00 00 00 FF
```
The last two hardcoded data blobs a EXE and ELF binaries.
Up to v04 the last two hardcoded data blobs are EXE and ELF binaries, since v05 all EXE and ELF binaries are stored inside plugins folder.
#### Payloads unpacking example:
1. Parse payload data blobs and remove header (20 chars)
@ -57,6 +55,8 @@ y0MW5jt0EkawUK5kkl12/Zh446aeMzbHG7OsVOfqu/m_XtCR229uKgZbQeD5Ct/fxfGJGaYN1_6nNv2X
0306BSKBqnqKtMQqgSXM/hLj4wvVVJLyBCaJB_8M0/stfbGsFZXgNkPwZKLqRe/MIFhigzePSeV5d_RmfC5 - ELF v03 (dev)
654gijPAUkEazJpjD9NU/gDuHF1xfdp91Sf6SYQHX/vsnn7ekg0TKXWiOScF0D/Sam0sQmfyCaDC8qCfYx5 - ELF v03
erRGOJVHe87XgmyOVwHD/BpxVvpyDXtLddyWFd8N9/oYwdpsmFEDX92XJURLUz/bbXY8CvkDMriB32dI6SX - EXE v03
GnBKocLwvWZnC_UmIr-r/6P-OzFbQ79oYyyaDRHV4/8tmFwxcSdccmpfsZc3hb/w4-6IRPpuBfuahzPcL52 - ELF v04
NPWAdPbWmnXr0a6gD7Kz/TtnYdOyCjvcCQuZ9GiDr/FCmOi8A066RPC6SOWvaM/CpW7O0s8aQ2BFVdfebTJ - ELF v05
```
## Binaries PDB
@ -86,16 +86,29 @@ fb5835f42d5611804aaa044150a20b13dcf595d91314ebef8cf6810407d85c64 - ELF v03 upx
ff20333d38f7affbfde5b85d704ee20cd60b519cb57c70e0cf5ac1f65acf91a6 - ELF v03 unpacked
3581d99feb874f65f53866751b7874c106b5ce65a523972ef6a736844209043c - EXE v03 upx
6082bf26bcc07bf299a88eaa0272022418b12156cd987adfdff9fa1517afcf3d - EXE v03 unpacked
14dfb43a1782b0b8d93c3d67d63b6c786b0a223bc50c3ec68106bd18d43652a4 - ELF v04 upx
4a0f47132867c12a6d009e43812729a1bb41f4eb83472ac352fc5b20fe937bef - ELF v04 unpacked
bb1b7d506559c783ed747da461f58ea5256ba0a083768ae6aa1a2325017c4387 - ELF v05 upx
bd0e09e9ee4db74ada6433f00024a543f799046c15f635216ca4ae5e1f0c42e2 - ELF v05 unpacked
```
#### Hardcoded payload Rust binaries
```
0063e5007566e0a7e8bfd73c4628c6d140b332df4f9afbb0adcf0c832dd54c2b - ELF v01, v02
d5918611b1837308d0c6d19bff4b81b00d4f6a30c1240c00a9e0a9b08dde1412 - ELF v03 (dev)
0a5174b5181fcd6827d9c4a83e9f0423838cbb5a6b23d012c3ae414b31c8b0da - ELF v03
63e7f6fa89faa88b346d0cceddf2ef2e3ebf5d5828aa0087663c227422041db7 - ELF v04
4eb337c12f0e0ee73b3209bed4b819719c4af9f63f3e81dbc3bbf06212450f1c - ELF v05
400855b63b8452221869630c58b7ab03373dabf77c0f10df635e746c13f98ea9 - ELF v05
443abf66039c6686b50e5091ac218810798a21884aa6bc0d5b6dd8782b0311a8 - ELF v05
6839180bc3a2404e629c108d7e8c8548caf9f8249bbbf658b47c00a15a64758f - EXE v01
cd0c75638724c0529cc9e7ca0a91d2f5d7221ef2a87b65ded2bc1603736e3b5d - EXE v02
76eb9af0e2f620016d63d38ddb86f0f3f8f598b54146ad14e6af3d8f347dd365 - EXE v03 (dev)
2b174d417a4e43fd6759c64512faa88f4504e8f14f08fd5348fff51058c9958f - EXE v03
377bacba69d2bec770599ab21a202b574b92fb431fc35bbdf39080025d6cf2d6 - EXE v04
51857882d1202e72c0cf18ff21de773c2a31ee68ff28385f968478401c5ab4bb - EXE v05
86c633467ba7981d3946a63184dbfabce587b571f761b3eb1e3e43f6b1df6f2c - EXE v05
e07aa10f19574a856a4ac389a3ded96f2d78f41f939935dd678811bd12b5bd03 - EXE v05
9e7144540430d97de38a2adcef16ad43e23c91281462b135fcc56cafc2f34160 - EXE v05
```
#### ITW payload Rust binaries
```
@ -142,4 +155,4 @@ https[:]//profile-counter[.]glitch[.]me/DaxiaMM-new/count.svg
```
#codeby 道长且阻
#email @ydhcui/QQ664284092
```
```


@ -5,6 +5,8 @@
871f9c9f9bed3c0ebb08fac44f5f06f4
fc6464148e82ca8801435f6957edadd5
464d0d7be5dd1335b8ea44b12f3bc634
b383301e8f268f136db187e171b39391
9fbe413dc0c086842046e0f8ba69c3e0
5cd9015f5db31fa51ea9423e57d9b309
05e9d600f23a3c6cc5aa99720372cac8
ed9288aeee7fb7acb17cff243ca242bb
@ -12,3 +14,14 @@ ed9288aeee7fb7acb17cff243ca242bb
78163ebb6965ce09c2ba36b95467509b
9f50f0361340d9b935bde6c50a14ef5f
55b1b0fc08aea1122721d94f0f656563
0638c76c3ec7a61276fd7ea021e5caa1
ff6ff324e0e6b7d8eb06437a5b09b43b
f7ee7ea32056cbf6ed4eaddbb5e300fa
18a27cb9b4baabb24b1da754cb7321bc
7f5a0bc29e0d0a175ae8dc5a740e9f26
dfc0b29af2c12931a6b7a25337a1bc84
5883c2e2cb979b08e43d595750c7975e
a3c4d13f7a33a3b5aaf8f19fbfe359f4
575654497be48b04412dad649e69bd3a
31103df61815b5c520e3d16651461791
10ade051d46bd6f7e271daf25fb9d9b1


@ -5,6 +5,8 @@ e5ff490605564232b9759671f78272fa377168ab
d277633cd0051cc454398b359f1f5a0fef22bcd3
39f5a060cf181766a06e201970e62f4e143c01b8
63972a7dde00be973012cdf14f7e80548488a550
2f6d8947489086d2abd1f97bff0e82599433cd0e
6e6fc12e902ce982405c7e1ddeb0178b9ba9ba80
4a6a5eded2e90feac034330fcfa6837cbdbf726f
01e4dba6c3e5493ca385281ec37e753285217a71
803a5905269a20530cf2e7a730ba271e8e7bdfff
@ -12,3 +14,14 @@ d277633cd0051cc454398b359f1f5a0fef22bcd3
c3b3c7264d667da46ca02fd33b40dbac5d6ef466
1fe2066cdf46cc60501e213a6d1eaa11786ca042
ae301087aba3b64f2f50612cf565c04ef53d3af8
28d757a94bce4e9a311d0169ff4dd4bb3e36a62f
a67ff6e5ed9888c3aa6f8d7d28d5d2e86c4acd5e
7cdc3adc8aaaf964f3f3771f50037eedc50bc7db
4f7c540c82af56f5f3d8930eae7b52e6124bb057
4c05fa680dd6506a9eb1c205faf1e25c458a2955
dbfa10af58e184cdfdc36ff140cfb2ed66483491
4c93eb4cdbba121e3d2c799546b655b13480bb41
55aa3a49bf49920508b981dea01455f442ccd4e6
fce3a27b1228ce0ed20e7c6d39966c51c288113e
bf370b2f4ee1a95c4394f6cf684ef4fccc98ce87
631fe373a4c24bc10885b0aa3b2c75b7714a8467


@ -5,6 +5,8 @@
90b6a021b4f2e478204998ea4c5f32155a7348be4afb620999fa708b4a9a30ab
a8b8d237e71d4abe959aff4517863d9f570bba1646ec4e79209ec29dda64552f
ecbe098ed675526a2c22aaf79fe8c1462fb4c68eb0061218f70fadbeb33eeced
4eb337c12f0e0ee73b3209bed4b819719c4af9f63f3e81dbc3bbf06212450f1c
14dfb43a1782b0b8d93c3d67d63b6c786b0a223bc50c3ec68106bd18d43652a4
b5c366d782426bad4ba880dc908669ff785420dea02067b12e2261dd1988f34a
107b094031094cbb1f081d85ec2799c3450dce32e254bda2fd1bb32edb449aa4
955e9bbcdf1cb230c5f079a08995f510a3b96224545e04c1b1f9889d57dd33c1
@ -12,3 +14,14 @@ f275ca5129399a521c8cd9754b1133ecd2debcfafc928c01df6bd438522c564a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