From 4a94e73e423366d5305bbda6b54da6e268386cca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Kalo=C4=8D?= Date: Fri, 5 Mar 2021 08:53:09 +0100 Subject: [PATCH] added ioc --- OnionCrypter/README.md | 19 +++++++++ OnionCrypter/extras/README.md | 10 +++++ OnionCrypter/extras/extract_event_names.py | 48 ++++++++++++++++++++++ OnionCrypter/samples.sha256 | 8 ++++ 4 files changed, 85 insertions(+) create mode 100644 OnionCrypter/README.md create mode 100644 OnionCrypter/extras/README.md create mode 100644 OnionCrypter/extras/extract_event_names.py create mode 100644 OnionCrypter/samples.sha256 diff --git a/OnionCrypter/README.md b/OnionCrypter/README.md new file mode 100644 index 0000000..11a4018 --- /dev/null +++ b/OnionCrypter/README.md @@ -0,0 +1,19 @@ +# IoC for OnionCrypter + +Malware analysis and more technical information at + +### Table of Contents +* [Samples (SHA-256)](#samples-sha-256) +* [Events](#Events) + +## Samples (SHA-256) +#### OnionCrypter binary and related files +``` +260003293D1785571FEF5A2CF54E89B7AF0C1FBD5B970D2285F21BFC65E2981C +05AAB2F7D5D432CBEB970BC5471B3FAE1E45F23E0933CC673BE923F7609F53AE +17C2E36EE4387365AC00A84E91B59CE4D31D3BA04624902512810B7797A2356B +81C479BF71196724055F1AF30CA05C9162B7D32E7B3363B7F93D1AAF0161E760 +8B85A4D9DF1140D25F11914EC4E429C505BD97551EDE19197D2B795C44770AFE +75E692519607C2E58A3E4F5606D17262D4387D8EEA92FAB9C11C64C4A6035FBC +846DCC9BCDC5C6103B2979FF93F4E1789B63827413B2FE56B1362129DF069DAF +``` \ No newline at end of file diff --git a/OnionCrypter/extras/README.md b/OnionCrypter/extras/README.md new file mode 100644 index 0000000..d4d0fda --- /dev/null +++ b/OnionCrypter/extras/README.md 
@@ -0,0 +1,10 @@
+# Script for extraction of event names from sample
+
+This [script](#extract_event_names) can be used for extracting event names from samples of the OnionCrypter. It is IDAPython script which dumps found event names in `ndjson` format to a result file given as argument.
+
+Script can be run from console with following command:
+```
+> ida.exe -A -S"path_to_script/script.py \"output_file\"" path_to_sample
+```
+
+In a case of scanning multiple samples it is recommended to create other script which will be using command above to automate scanning.
diff --git a/OnionCrypter/extras/extract_event_names.py b/OnionCrypter/extras/extract_event_names.py
new file mode 100644
index 0000000..73b440a
--- /dev/null
+++ b/OnionCrypter/extras/extract_event_names.py
@@ -0,0 +1,48 @@
+import idautils
+import idc
+
+def find_event_names():
+ event_names = []
+ #get address value of named address
+ offset_name = 'CreateEventA'
+ named_addr = ida_name.get_name_ea(BADADDR, offset_name)
+
+ #get all unique xrefs to found named address
+ xref_lst = []
+ for xref in idautils.XrefsTo(named_addr):
+ if xref.frm not in xref_lst:
+ xref_lst.append(xref.frm)
+
+ #get addresses where arguments of called function are pushed
+ for xref in xref_lst:
+ args = idaapi.get_arg_addrs(xref)
+
+ if idc.get_operand_type(args[3], 0) == idaapi.o_imm:
+ # select last argument and read string to which it points
+ op_val = idc.get_operand_value(args[3], 0)
+ event_name = get_strlit_contents(op_val)
+ if event_name != None :
+ event_name = event_name.decode('ascii')
+ event_names.append(event_name)
+
+ return event_names
+
+def store_results(event_names, result_file):
+ with open(result_file, 'a') as f:
+ sample_name = get_input_file_path().split("\\")
+ sample_name = sample_name[-1].split('.')[0]
+
+ event_names = [ f'"{x}"' for x in event_names]
+ out_ndjson = f'{{"{sample_name}" : [{", ".join(event_names)}]}}\n'
+ f.write(out_ndjson)
+
+def main():
+ if len(idc.ARGV) < 1:
+ return
+
+ ida_auto.auto_wait()
+ event_names = find_event_names()
+ store_results(event_names, idc.ARGV[1])
+ ida_pro.qexit(0)
+
+main()
diff --git a/OnionCrypter/samples.sha256 b/OnionCrypter/samples.sha256
new file mode 100644
index 0000000..0383556
--- /dev/null
+++ b/OnionCrypter/samples.sha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
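Review bot: `store_results` interpolates each event name straight into the f-string `out_ndjson` with no escaping, and those names are strings lifted from the malware sample under analysis, so a name containing `"`, `\` or a control byte yields a line that is not valid JSON and lets a crafted sample inject extra fields into whatever later parses the result file; build the record with the stdlib instead, `f.write(json.dumps({sample_name: event_names}) + "\n")` after adding `import json` next to the other imports. In `main`, `if len(idc.ARGV) < 1` does not protect the later `idc.ARGV[1]`, because `ARGV[0]` is the script path, so the guard should be `< 2`; the early `return` also skips `ida_pro.qexit(0)`, which presumably leaves the batch IDA session open when the output argument is missing. `event_name.decode('ascii')` raises `UnicodeDecodeError` on the first non-ASCII byte and aborts the whole run, whereas `decode('latin-1')` or `errors='replace'` keeps one odd sample from losing every other name. `idaapi.get_arg_addrs` may return `None` when IDA cannot resolve the call's arguments (worth confirming against the SDK), in which case `args[3]` raises; `if args is None or len(args) < 4: continue` before the operand check would make the loop skip that xref instead.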