From 89bf211228a25c1ebc3e3a88036c4118dd2659c2 Mon Sep 17 00:00:00 2001
From: avast-ti <53548140+avast-ti@users.noreply.github.com>
Date: Fri, 19 Aug 2022 15:59:31 +0200
Subject: [PATCH] Add files via upload
---
 Manjusaka/Manjusaka.yar | 131 ++++++++++++++++++++++++++++++++++++
 Manjusaka/README.md | 142 ++++++++++++++++++++++++++++++++++++++++
 Manjusaka/rip.py | 67 +++++++++++++++++++
 3 files changed, 340 insertions(+)
 create mode 100644 Manjusaka/Manjusaka.yar
 create mode 100644 Manjusaka/README.md
 create mode 100644 Manjusaka/rip.py
diff --git a/Manjusaka/Manjusaka.yar b/Manjusaka/Manjusaka.yar
new file mode 100644
index 0000000..e81db54
--- /dev/null
+++ b/Manjusaka/Manjusaka.yar
@@ -0,0 +1,131 @@
+private rule ELF
+{
+ strings:
+ $h01 = { 7F 45 4C 46 (01|02) (01|02) 01 }
+ condition:
+ $h01 at 0
+}
+
+private rule EXE
+{
+ condition:
+ uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
+}
+
+rule manjusaka_framework_go_build_id
+{
+ meta:
+ author = "Avast Threat Intel Team"
+ source = "https://github.com/avast/ioc"
+ hash = "955e9bbcdf1cb230c5f079a08995f510a3b96224545e04c1b1f9889d57dd33c1" // ELF v01
+ hash = "f275ca5129399a521c8cd9754b1133ecd2debcfafc928c01df6bd438522c564a" // ELF v02 upx
+ hash = "637f3080526d7d0ad5eb41bf9331fb51aaafd30f2895c00a44ad905154f76d70" // ELF v02 unpacked
+ hash = "b5c366d782426bad4ba880dc908669ff785420dea02067b12e2261dd1988f34a" // ELF v03 (dev) upx
+ hash = "107b094031094cbb1f081d85ec2799c3450dce32e254bda2fd1bb32edb449aa4" // ELF v03 (dev) unpacked
+ hash = "fb5835f42d5611804aaa044150a20b13dcf595d91314ebef8cf6810407d85c64" // ELF v03 upx
+ hash = "ff20333d38f7affbfde5b85d704ee20cd60b519cb57c70e0cf5ac1f65acf91a6" // ELF v03 unpacked
+ hash = "3581d99feb874f65f53866751b7874c106b5ce65a523972ef6a736844209043c" // MZ v03 upx
+ hash = "6082bf26bcc07bf299a88eaa0272022418b12156cd987adfdff9fa1517afcf3d" // MZ v03 unpacked
+ strings:
+ // ELF v01
+ $h01 = { 47 6F 00 00 57 79 5F 76 69 62 44 5A 76 32 77 6D 35 62 4C 32 71 73 6A 4A 2F 34 50 4D 56 79 4D 39 39 76 61 76 58 68 7A 65 5A 34 6C 76 2D 2F 4E 59 6C 5F 4B 6D 75 53 45 62 53 4E 4A 6B 39 45 61 52 74 31 2F 2D 45 4D 50 57 64 6A 73 30 4E 6C 37 73 79 67 41 41 74 65 54 00 }
+ // ELF v02 unpacked
+ $h02 = { 47 6F 00 00 79 30 4D 57 35 6A 74 30 45 6B 61 77 55 4B 35 6B 6B 6C 31 32 2F 5A 68 34 34 36 61 65 4D 7A 62 48 47 37 4F 73 56 4F 66 71 75 2F 6D 5F 58 74 43 52 32 32 39 75 4B 67 5A 62 51 65 44 35 43 74 2F 66 78 66 47 4A 47 61 59 4E 31 5F 36 6E 4E 76 32 58 5A 53 62 00 }
+ // ELF v02 upx
+ $h03 = { 47 6F 06 FF FF FF 7F 79 30 4D 57 35 6A 74 30 45 6B 61 77 55 4B 35 6B 6B 6C 31 32 2F 5A 68 34 34 36 61 65 4D 7A 62 FF FF FF FF 48 47 37 4F 73 56 4F 66 71 75 2F 6D 5F 58 74 43 
52 32 32 39 75 4B 67 5A 62 51 65 44 35 43 74 2F }
+ // ELF v03 (dev) unpacked
+ $h04 = { 47 6F 00 00 30 33 30 36 42 53 4B 42 71 6E 71 4B 74 4D 51 71 67 53 58 4D 2F 68 4C 6A 34 77 76 56 56 4A 4C 79 42 43 61 4A 42 5F 38 4D 30 2F 73 74 66 62 47 73 46 5A 58 67 4E 6B 50 77 5A 4B 4C 71 52 65 2F 4D 49 46 68 69 67 7A 65 50 53 65 56 35 64 5F 52 6D 66 43 35 00 }
+ // ELF v03 (dev) upx
+ $h05 = { 47 6F 06 FF FF FF 7F 30 33 30 36 42 53 4B 42 71 6E 71 4B 74 4D 51 71 67 53 58 4D 2F 68 4C 6A 34 77 76 56 56 4A 4C FF FF FF FF 79 42 43 61 4A 42 5F 38 4D 30 2F 73 74 66 62 47 73 46 5A 58 67 4E 6B 50 77 5A 4B 4C 71 52 65 }
+ // ELF v03 unpacked
+ $h06 = { 47 6F 00 00 36 35 34 67 69 6A 50 41 55 6B 45 61 7A 4A 70 6A 44 39 4E 55 2F 67 44 75 48 46 31 78 66 64 70 39 31 53 66 36 53 59 51 48 58 2F 76 73 6E 6E 37 65 6B 67 30 54 4B 58 57 69 4F 53 63 46 30 44 2F 53 61 6D 30 73 51 6D 66 79 43 61 44 43 38 71 43 66 59 78 35 00 }
+ // ELF v03 upx
+ $h07 = { 47 6F 06 FF ED FF 7F 36 35 34 67 69 6A 50 41 55 6B 45 61 7A 4A 70 6A 44 39 68 2F 67 44 75 48 46 31 78 66 FF FF FF FF 64 70 39 31 53 66 36 53 59 51 48 58 2F 76 73 6E 6E 37 65 6B 67 30 54 4B 58 57 69 4F 53 63 46 30 }
+ // MZ v03 unpacked
+ $h08 = { 47 6F 20 62 FF FF FF FF 75 69 6C 64 20 49 44 3A 20 22 65 72 52 47 4F 4A 56 48 65 38 37 58 67 6D 79 4F 56 77 48 44 2F 42 FB FF FF FF 70 78 56 76 70 79 44 58 74 4C 64 64 79 57 46 64 38 4E 39 2F 6F 59 77 64 70 73 6D 46 45 }
+ // MZ v03 upx
+ $h09 = { 47 6F 20 62 75 69 6C 64 20 49 44 3A 20 22 65 72 52 47 4F 4A 56 48 65 38 37 58 67 6D 79 4F 56 77 48 44 2F 42 70 78 56 76 70 79 44 58 74 4C 64 64 79 57 46 64 38 4E 39 2F 6F 59 77 64 70 73 6D 46 45 44 58 39 32 58 4A 55 52 4C 55 7A 2F 62 62 58 59 38 43 76 6B 44 4D 72 69 42 33 32 64 49 36 53 58 }
+ condition:
+ any of them
+}
+
+rule manjusaka_payload_encoded_hexstring
+{
+ meta:
+ author = "Avast Threat Intel Team"
+ source = "https://github.com/avast/ioc"
+ strings:
+ // ELF v01 and v02
+ $s01 = 
"1f8b08000000000000ff7cdd099c1ae5fd3ff031e620c6038d5aea493df18a24c688372626c1180d468d78d465b34b96357be0ee2612354ab5553caa68ad454d158f2a566b51ab454d2dde"
+ // ELF v03 (dev)
+ $s02 = "1f8b08000000000000ff94dd09982355d9fffd62d89a45880a181621804240c10888718328a8ed864144a3029d66ba67d2cc4c4fecee8180a85114f3284b4096b00d619380085111f3284a"
+ // ELF v03
+ $s03 = "1f8b08000000000000ff94dd0b982355b5fffde21eee011503a204440d201001317a148278890a1804348ad269667a260d3d33b1bb19820246bc10914bb80811618c80108f084110232204"
+ // MZ v01
+ $s11 = "1f8b08000000000000ffecbd09784cd7ff077c26c924631977828958c284694d5092da12eb8448ce302108a248628ba82d65862025e924b8aeabdaeaa2abb6bfaebad74f83fe4804a1d5d6"
+ // MZ v02
+ $s12 = "1f8b08000000000000ffecbd097414c5faff5d9d7502849e400209201974c4441113371240c8842cd5d00361070502224bdc403203a82c8993d1146d2b7ac5e5ba5cdcb9aea85c36176612"
+ // MZ v03 (dev)
+ $s13 = "1f8b08000000000000ffecbd7b7854d5d928be7632496620710d4874522e9991ad4e94627641491425031378b7ae1150046a1168a1237ca2419801542e893b53b3d8eeafb4b5777b8eb5fd"
+ // MZ v03
+ $s14 = "1f8b08000000000000ffecbd7b7854d5d530be4f32496620710f9ae8a45c3223479d28d51c414934960c4c601ddd23a811a845a0858e50d120cc002a97c49369b3399e96b6dacb5bfb7dbe"
+ condition:
+ (EXE or ELF) and (
+ any of ($s0*) and
+ any of ($s1*)
+ )
+}
+
+rule manjusaka_payload_elf
+{
+ meta:
+ author = "Avast Threat Intel Team"
+ source = "https://github.com/avast/ioc"
+ hash = "0063e5007566e0a7e8bfd73c4628c6d140b332df4f9afbb0adcf0c832dd54c2b" // 01, v02
+ hash = "76eb9af0e2f620016d63d38ddb86f0f3f8f598b54146ad14e6af3d8f347dd365" // v03 (dev)
+ hash = "0a5174b5181fcd6827d9c4a83e9f0423838cbb5a6b23d012c3ae414b31c8b0da" // v03
+ strings:
+ $s01 = "proc/meminfo/proc/uptime/etc/os-releaseVERSION_ID=NAME=DISTRIB_ID"
+ $s02 = "/root/.cargo/registry/src/mirrors.ustc.edu.cn"
+ $s03 = "cmdlineexecwdassertion failed"
+ $s04 = "/etc/passwd/root/"
+ $s11 = "./protos/cs.rstargetpidAgentsagentAgentUpdatesleepenckeysysinfoConfigPluginExecPluginLoadReqCwd"
+ $s12 = 
"ReqScreenH"
+ $s13 = "manjusakahttp:"
+ condition:
+ ELF and
+ (
+ all of ($s0*) and
+ any of ($s1*)
+ )
+}
+
+rule manjusaka_payload_mz
+{
+ meta:
+ author = "Avast Threat Intel Team"
+ source = "https://github.com/avast/ioc"
+ hash = "6839180bc3a2404e629c108d7e8c8548caf9f8249bbbf658b47c00a15a64758f" // v01
+ hash = "cd0c75638724c0529cc9e7ca0a91d2f5d7221ef2a87b65ded2bc1603736e3b5d" // v02
+ hash = "d5918611b1837308d0c6d19bff4b81b00d4f6a30c1240c00a9e0a9b08dde1412" // v03 (dev)
+ hash = "2b174d417a4e43fd6759c64512faa88f4504e8f14f08fd5348fff51058c9958f" // v03
+ strings:
+ $s01 = ".\\protos\\cs.rstargetintranethostnameplatformpidAgentsstatusagentinternetupdateatAgentUpdate"
+ $s02 = "PluginExecPluginLoadReqCwdcmdReqCmd"
+ $s03 = "Users\\Administrator.WIN7-2021OVWRCZ\\.cargo"
+ $s11 = "src\\mirrors.ustc.edu.cn-"
+ $s12 = "CodeProject\\hw_src\\NPSC2\\npc\\target\\release\\deps\\npc.pdb"
+ $s13 = "@@@manjusaka"
+ $s14 = "***manjusakahttp://"
+ $s15 = "SELECT signon_realm, username_value, password_value FROM loginsnetshwlanshowprofile"
+ $s16 = "name=key=clearWIFI"
+ $s17 = "cmd.exe/c"
+ $s18 = "Accept-Languagezh-CN,zh;q=0.9,en;q=0.8Accept-Encodinggzip"
+ condition:
+ EXE and
+ (
+ 2 of ($s0*) or
+ 3 of ($s1*)
+ )
+}
+
diff --git a/Manjusaka/README.md b/Manjusaka/README.md
new file mode 100644
index 0000000..a2aeeaa
--- /dev/null
+++ b/Manjusaka/README.md
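Review bot: The labels on `$h08` and `$h09` in manjusaka_framework_go_build_id appear swapped: in every ELF pair the pattern carrying the `06 FF FF FF 7F` / `FF FF FF FF` insertions is the `upx` one and the clean `47 6F 00 00 …` form is `unpacked`, yet `$h08`, which contains `FF FF FF FF` and `FB FF FF FF`, is commented `// MZ v03 unpacked` while the clean `$h09` is commented `// MZ v03 upx`; unless the PE case really differs, exchange the two comments. The v03 (dev) hashes also disagree with the README added in this commit: here `76eb9af0…` sits under manjusaka_payload_elf and `d5918611…` under manjusaka_payload_mz, whereas the README lists `d5918611…` as ELF v03 (dev) and `76eb9af0…` as EXE v03 (dev), so one of the two files mislabels the samples (and `// 01, v02` on `0063e500…` presumably means `// v01, v02`). All four rules scan files of any size; a `filesize < <LIMIT>` guard in each condition would keep the long hex patterns of the build-ID rule cheap on large inputs.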
@@ -0,0 +1,142 @@
+# IoC for Manjusaka
+
+Manjusaka is web based imitation of the Cobalt Strike framework.
+
+More info:
+Manjusaka github:
+
+### Table of Contents
+* [Framework content unpacking](#framework-content-unpacking)
+* [Framework Go build IDs](#framework-go-build-ids)
+* [Binaries PDB](#binaries-pdb)
+* [Yara rule](#yara-rules)
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+* [OSINT data](#osint-data)
+
+## Framework content unpacking
+Payloads, binaries, and other hardcoded framework components are compressed (raw deflated) and encoded as hex strings. 
+
+Each data blob start with header:
+```
+1F 8B 08 00 00 00 00 00 00 FF
+```
+The last two hardcoded data blobs a EXE and ELF binaries.
+
+#### Payloads unpacking example:
+1. Parse payload data blobs and remove header (20 chars)
+```python
+ r = re.compile(b'1f8b08000000000000ff[0-9a-f]{1024,}?')
+ data_blobs = re.finditer(r, buff)
+ payloads = list(data_blobs)[-2:]
+
+ payload_1_start = payloads[0].start()
+ payload_1_end = payloads[1].start()
+ payload_1_buff = buff[payload_1_start+20:payload_1_end]
+
+ payload_2_start = payload_1_end
+ payload_2_end = re.search(b'[0-9a-f]{4}?\x00', buff[payload_2_start:]).start() + 4 + payload_2_start
+ payload_2_buff = buff[payload_2_start+20:payload_2_end]
+```
+2. Decode and decompress payload
+```python
+ raw_data = binascii.unhexlify(payload_1_buff)
+ data = zlib.decompressobj(wbits=-15) # -15 = no headers and trailers
+ decompressed_data = data.decompress(raw_data)
+ decompressed_data += data.flush()
+```
+You can also use our [rip.py script](rip.py). 
+
+## Framework Go build IDs
+```
+Wy_vibDZv2wm5bL2qsjJ/4PMVyM99vavXhzeZ4lv-/NYl_KmuSEbSNJk9EaRt1/-EMPWdjs0Nl7sygAAteT - ELF v01
+y0MW5jt0EkawUK5kkl12/Zh446aeMzbHG7OsVOfqu/m_XtCR229uKgZbQeD5Ct/fxfGJGaYN1_6nNv2XZSb - ELF v02
+0306BSKBqnqKtMQqgSXM/hLj4wvVVJLyBCaJB_8M0/stfbGsFZXgNkPwZKLqRe/MIFhigzePSeV5d_RmfC5 - ELF v03 (dev)
+654gijPAUkEazJpjD9NU/gDuHF1xfdp91Sf6SYQHX/vsnn7ekg0TKXWiOScF0D/Sam0sQmfyCaDC8qCfYx5 - ELF v03
+erRGOJVHe87XgmyOVwHD/BpxVvpyDXtLddyWFd8N9/oYwdpsmFEDX92XJURLUz/bbXY8CvkDMriB32dI6SX - EXE v03
+```
+
+## Binaries PDB
+```
+Z:\Code\NPSC2\npc\target\release\deps\npc.pdb
+D:\CodeProject\hw_src\NPSC2\npc\target\release\deps\npc.pdb
+```
+
+## Yara rules
+```
+manjusaka_framework_go_build_id
+manjusaka_payload_encoded_hexstring
+manjusaka_payload_elf
+manjusaka_payload_mz
+```
+You can download whole ruleset [here](Manjusaka.yar).
+
+## Samples (SHA-256)
+#### Framework GoLang binaries
+```
+955e9bbcdf1cb230c5f079a08995f510a3b96224545e04c1b1f9889d57dd33c1 - ELF v01
+f275ca5129399a521c8cd9754b1133ecd2debcfafc928c01df6bd438522c564a - ELF v02 upx
+637f3080526d7d0ad5eb41bf9331fb51aaafd30f2895c00a44ad905154f76d70 - ELF v02 unpacked
+b5c366d782426bad4ba880dc908669ff785420dea02067b12e2261dd1988f34a - ELF v03 (dev) upx
+107b094031094cbb1f081d85ec2799c3450dce32e254bda2fd1bb32edb449aa4 - ELF v03 (dev) unpacked
+fb5835f42d5611804aaa044150a20b13dcf595d91314ebef8cf6810407d85c64 - ELF v03 upx
+ff20333d38f7affbfde5b85d704ee20cd60b519cb57c70e0cf5ac1f65acf91a6 - ELF v03 unpacked
+3581d99feb874f65f53866751b7874c106b5ce65a523972ef6a736844209043c - EXE v03 upx
+6082bf26bcc07bf299a88eaa0272022418b12156cd987adfdff9fa1517afcf3d - EXE v03 unpacked
+```
+#### Hardcoded payload Rust binaries
+```
+0063e5007566e0a7e8bfd73c4628c6d140b332df4f9afbb0adcf0c832dd54c2b - ELF v01, v02
+d5918611b1837308d0c6d19bff4b81b00d4f6a30c1240c00a9e0a9b08dde1412 - ELF v03 (dev)
+0a5174b5181fcd6827d9c4a83e9f0423838cbb5a6b23d012c3ae414b31c8b0da - ELF v03 
+6839180bc3a2404e629c108d7e8c8548caf9f8249bbbf658b47c00a15a64758f - EXE v01
+cd0c75638724c0529cc9e7ca0a91d2f5d7221ef2a87b65ded2bc1603736e3b5d - EXE v02
+76eb9af0e2f620016d63d38ddb86f0f3f8f598b54146ad14e6af3d8f347dd365 - EXE v03 (dev)
+2b174d417a4e43fd6759c64512faa88f4504e8f14f08fd5348fff51058c9958f - EXE v03
+```
+#### ITW payload Rust binaries
+```
+056bff638627d46576a3cecc3d5ea6388938ed4cb30204332cd10ac1fb826663
+399abe81210b5b81e0984892eee173d6eeb99001e8cd5d377f6801d092bdef68
+3a3c0731cbf0b4c02d8cd40a660cf81f475fee6e0caa85943c1de6ad184c8c31
+8e9ecd282655f0afbdb6bd562832ae6db108166022eb43ede31c9d7aacbcc0d8
+90b6a021b4f2e478204998ea4c5f32155a7348be4afb620999fa708b4a9a30ab
+a8b8d237e71d4abe959aff4517863d9f570bba1646ec4e79209ec29dda64552f
+ecbe098ed675526a2c22aaf79fe8c1462fb4c68eb0061218f70fadbeb33eeced
+```
+
+## Network indicators
+#### C2 IPs
+```
+45[.]137.117.219
+39[.]104.90.45
+95[.]179.151.49
+71[.]115.193.247:9000
+119[.]28.101.125
+104[.]225.234.200
+```
+#### User Agents
+```
+Mozilla/5.0 (Windows NT 8.0; WOW64; rv:40.0) Gecko
+Mozilla/5.0 (Windows NT 8.0; WOW64; rv:58.0) Gecko/20120102 Firefox/58.0
+Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
+```
+
+## OSINT data
+#### Binaries
+```
+C:\Users\Administrator.WIN7-2021OVWRCZ\.cargo\registry\src\mirrors.ustc.edu.cn-
+C:\Users\root\.cargo\registry\src\mirrors.ustc.edu.cn-
+/root/.cargo/registry/src/mirrors.ustc.edu.cn-
+```
+#### Github
+```
+h5[.]qianxin[.]com
+https[:]//weixin[.]qq[.]com/g/AQYAAEoVSAjZ35xwIeusxAmY6Qm2wKXvvjp6Ed7stK2OrUIl-a6Czezgc4QYv6GS
+https[:]//profile-counter[.]glitch[.]me/DaxiaMM-new/count.svg
+```
+#### Framework author
+```
+#codeby 道长且阻
+#email @ydhcui/QQ664284092
+```
\ No newline at end of file
diff --git a/Manjusaka/rip.py b/Manjusaka/rip.py
new file mode 100644
index 0000000..78304a1
--- /dev/null
+++ b/Manjusaka/rip.py
@@ -0,0 +1,67 @@
+import re
+import zlib
+import binascii
+import sys
+
+def inflate(buff):
+ data = zlib.decompressobj(wbits=-15) # -15 = no headers and trailers
+ try:
+ decompressed_data = data.decompress(buff)
+ decompressed_data += data.flush()
+ return decompressed_data
+ except:
+ print('Inflate error..')
+ sys.exit()
+
+def raw_hex(data):
+ try:
+ return binascii.unhexlify(data)
+ except:
+ print('Hexstring data error..')
+ sys.exit()
+
+def decode_payload(buff):
+ payload_type = 'ELF'
+ decoded = inflate(raw_hex(buff))
+ if decoded.startswith(b'MZ'):
+ payload_type = 'EXE'
+ o_name = 'payload_' + payload_type + '_decoded.bin'
+ o = open(o_name,'wb')
+ o.write(decoded)
+ o.close()
+ print(o_name+ ' saved.')
+
+
+def main():
+ if len(sys.argv) < 2:
+ print('usage: rip.py path_to_framework_file')
+ sys.exit()
+ try:
+ f = open(sys.argv[1],'rb')
+ except Exception as e:
+ print(e)
+ sys.exit()
+ else:
+ buff = f.read()
+ f.close()
+
+ r = re.compile(b'1f8b08000000000000ff[0-9a-f]{1024,}?')
+ items = re.finditer(r, buff)
+ payloads = list(items)[-2:]
+
+ if len(payloads) < 2:
+ print('Payloads not found..')
+ sys.exit()
+
+ payload_1_start = payloads[0].start()
+ payload_1_end = payloads[1].start()
+ payload_1_buff = buff[payload_1_start+20:payload_1_end]
+ decode_payload(payload_1_buff)
+
+ payload_2_start = payload_1_end
+ payload_2_end = re.search(b'[0-9a-f]{4}?\x00', buff[payload_2_start:]).start() + 4 + payload_2_start
+ payload_2_buff = buff[payload_2_start+20:payload_2_end]
+ decode_payload(payload_2_buff)
+
+if __name__ == "__main__":
+ main()
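Review bot: The bare `except:` in `inflate` and `raw_hex` catches everything, including `SystemExit` and `KeyboardInterrupt`, and then calls `sys.exit()` with status 0, so a corrupt or truncated blob prints an error yet exits successfully for any caller or pipeline; narrow them to `except zlib.error:` and `except binascii.Error:` and use `sys.exit(1)`, and give the other error-path `sys.exit()` calls in `main` a non-zero status as well. In `main`, the result of `re.search(b'[0-9a-f]{4}?\x00', buff[payload_2_start:])` is dereferenced with `.start()` without a `None` check, so a sample whose last blob is not NUL-terminated dies with an `AttributeError` instead of a message like the existing `'Payloads not found..'`; bind the match first and exit when it is `None`. The `open()` calls in `main` and `decode_payload` would be simpler and leak-free as `with open(...) as f:` blocks. The fixed output names `payload_ELF_decoded.bin` / `payload_EXE_decoded.bin` are written to the current directory and silently overwrite an earlier result when a second sample is processed or when both blobs decode to the same type; deriving the name from the input file name (or adding an index) avoids clobbering what are, after all, extracted malicious executables an analyst will want to keep apart.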