added ioc
This commit is contained in:
parent
946520ad06
commit
4a94e73e42
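--- a/OnionCrypter/README.md
+++ b/OnionCrypter/README.md
@@ -0,0 +1,19 @@
+# IoC for OnionCrypter
+
+Malware analysis and more technical information at <https://decoded.avast.io/onion-crypter>
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Events](#Events)
+
+## Samples (SHA-256)
+#### OnionCrypter binary and related files
+```
+260003293D1785571FEF5A2CF54E89B7AF0C1FBD5B970D2285F21BFC65E2981C
+05AAB2F7D5D432CBEB970BC5471B3FAE1E45F23E0933CC673BE923F7609F53AE
+17C2E36EE4387365AC00A84E91B59CE4D31D3BA04624902512810B7797A2356B
+81C479BF71196724055F1AF30CA05C9162B7D32E7B3363B7F93D1AAF0161E760
+8B85A4D9DF1140D25F11914EC4E429C505BD97551EDE19197D2B795C44770AFE
+75E692519607C2E58A3E4F5606D17262D4387D8EEA92FAB9C11C64C4A6035FBC
+846DCC9BCDC5C6103B2979FF93F4E1789B63827413B2FE56B1362129DF069DAF
+```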
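--- a/OnionCrypter/extras/README.md
+++ b/OnionCrypter/extras/README.md
@@ -0,0 +1,10 @@
+# Script for extraction of event names from sample
+
+This [script](#extract_event_names) can be used for extracting event names from samples of the OnionCrypter. It is IDAPython script which dumps found event names in `ndjson` format to a result file given as argument.
+
+Script can be run from console with following command:
+```
+> ida.exe -A -S"path_to_script/script.py \"output_file\"" path_to_sample
+```
+
+In a case of scanning multiple samples it is recommended to create other script which will be using command above to automate scanning.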
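--- a/OnionCrypter/extras/extract_event_names.py
+++ b/OnionCrypter/extras/extract_event_names.py
@@ -0,0 +1,48 @@
+import idautils
+import idc
+
+def find_event_names():
+    event_names = []
+    #get address value of named address
+    offset_name = 'CreateEventA'
+    named_addr = ida_name.get_name_ea(BADADDR, offset_name)
+
+    #get all unique xrefs to found named address
+    xref_lst = []
+    for xref in idautils.XrefsTo(named_addr):
+        if xref.frm not in xref_lst:
+            xref_lst.append(xref.frm)
+
+    #get addresses where arguments of called function are pushed
+    for xref in xref_lst:
+        args = idaapi.get_arg_addrs(xref)
+
+        if idc.get_operand_type(args[3], 0) == idaapi.o_imm:
+            # select last argument and read string to which it points
+            op_val = idc.get_operand_value(args[3], 0)
+            event_name = get_strlit_contents(op_val)
+            if event_name != None :
+                event_name = event_name.decode('ascii')
+                event_names.append(event_name)
+
+    return event_names
+
+def store_results(event_names, result_file):
+    with open(result_file, 'a') as f:
+        sample_name = get_input_file_path().split("\\")
+        sample_name = sample_name[-1].split('.')[0]
+
+        event_names = [ f'"{x}"' for x in event_names]
+        out_ndjson = f'{{"{sample_name}" : [{", ".join(event_names)}]}}\n'
+        f.write(out_ndjson)
+
+def main():
+    if len(idc.ARGV) < 1:
+        return
+
+    ida_auto.auto_wait()
+    event_names = find_event_names()
+    store_results(event_names, idc.ARGV[1])
+    ida_pro.qexit(0)
+
+main()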
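Review bot: `store_results` builds the NDJSON record by hand (`f'"{x}"'` and the f-string on the following line) without escaping, so an event name containing `"` or `\` — these strings are read straight out of a malware sample and are attacker-controlled — produces a malformed or key-injecting record for whatever tooling consumes the result file; replace those two lines with `out_ndjson = json.dumps({sample_name: event_names}) + "\n"` and add `import json` next to the other imports. In `main`, the guard `if len(idc.ARGV) < 1` never fires because `idc.ARGV[0]` is the script path, so a run without an output argument passes the check and dies with an `IndexError` on `idc.ARGV[1]` — it should be `if len(idc.ARGV) < 2:`. In `find_event_names`, `idaapi.get_arg_addrs` returns `None` (or, as I read it, fewer entries) when IDA cannot recover the argument pushes for a call site, so `args[3]` wants `if not args or len(args) < 4: continue` in front of it rather than crashing the whole batch on one odd call site. Likewise `event_name.decode('ascii')` aborts the run on a single non-ASCII byte in a string literal; `decode('ascii', errors='replace')` keeps the remaining names.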
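--- a/OnionCrypter/samples.sha256
+++ b/OnionCrypter/samples.sha256
@@ -0,0 +1,8 @@
+260003293D1785571FEF5A2CF54E89B7AF0C1FBD5B970D2285F21BFC65E2981C
+05AAB2F7D5D432CBEB970BC5471B3FAE1E45F23E0933CC673BE923F7609F53AE
+17C2E36EE4387365AC00A84E91B59CE4D31D3BA04624902512810B7797A2356B
+81C479BF71196724055F1AF30CA05C9162B7D32E7B3363B7F93D1AAF0161E760
+8B85A4D9DF1140D25F11914EC4E429C505BD97551EDE19197D2B795C44770AFE
+75E692519607C2E58A3E4F5606D17262D4387D8EEA92FAB9C11C64C4A6035FBC
+846DCC9BCDC5C6103B2979FF93F4E1789B63827413B2FE56B1362129DF069DAF
+909A94BCB5C0354D85B8BDB64D4EE49093CCA070653F73B99C201136B72CB94A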
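Review bot: This file carries eight hashes while `OnionCrypter/README.md`, added in the same commit, lists only the first seven — `909A94BCB5C0354D85B8BDB64D4EE49093CCA070653F73B99C201136B72CB94A` does not appear there, so anyone building detections from the README alone gets an incomplete IoC set. Either add the eighth hash under "OnionCrypter binary and related files" in the README or state there that `samples.sha256` is the authoritative list.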