Removed redundat content

Meh-part-2/Meh/README.md

@@ -1,46 +0,0 @@
-# IoC for Meh
-
-Malware analysis and more technical information at <https://decoded.avast.io/janrubin/complex-obfuscation-meh/>
-
-
-### Table of Contents
-* [Samples (SHA-256)](#samples-sha-256)
-* [File names](#file-names)
-* [Network indicators](#network-indicators)
-
-
-## Samples (SHA-256)
-#### Meh binary and related files
-```
-94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
-43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper
-34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6 - Stage 2 - Shellcode
-2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5 - Stage 3 - Shellcode 2
-657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282 - Stage 4 - Meh stager
-66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8 - pe.bin
-75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30 - base.au3
-1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 - autoit.exe
-
-
-```
-
-## File names
-```
-C:\testintel2\pe.bin
-C:\testintel2\base.au3
-C:\testintel2\autoit.exe
-C:\testintel2\a.txt
-C:\programdata\intel\wireless
-```
-
-## Network indicators
-#### Downloader urls
-```
-http://83[.]171.237.233/s2/pe.bin
-http://83[.]171.237.233/s2/base.au3
-http://83[.]171.237.233/s2/autoit.exe
-```
-#### C&C servers
-```
-http://83[.]171.237.233
-```

Meh-part-2/Meh/extras/decryptor_pe_bin.py

@@ -1,45 +0,0 @@
-import os
-import base64
-import sys
-
-if len(sys.argv) != 2:
-    print("[!] Wrong number of parameters! A path to the pe.bin file expected.")
-    exit(1)
-
-path = sys.argv[1]
-if not os.path.exists(path):
-    print("[!] The file path provided does not exist!")
-    exit(1)
-
-file_contents = ''
-with open(path, "r") as f:
-    file_contents = f.read()
-
-# Parse the base64 and obtain the xor key
-parsed = file_contents.split('|')
-if len(parsed) < 3:
-    print("Provided file does not have the correct format.")
-    exit(1)
-
-xor_key = bytearray(parsed[1][:-1], "utf-8")
-xor_key[0] = 0x61  # 'a'
-
-file_contents_pe = parsed[2]
-
-# Decode base64 content
-file_contents_pe = base64.b64decode(file_contents_pe)
-
-# Derive the one byte key
-key = len(xor_key)
-for i in range(0, len(xor_key)):
-     key = xor_key[i] ^ key
-
-result = b''
-key = key ^ 255
-for i in range(0, len(file_contents_pe)):
-    result += bytes([file_contents_pe[i] ^ key])
-
-with open("decrypted_pe_bin.dat", "bw") as f:
-    f.write(result)
-
-exit(0)

Meh-part-2/Meh/network.txt

@@ -1,3 +0,0 @@
-http://83[.]171.237.233/s2/pe.bin
-http://83[.]171.237.233/s2/base.au3
-http://83[.]171.237.233/s2/autoit.exe

Meh-part-2/Meh/samples.md5

@@ -1,8 +0,0 @@
-78f4c24acadb525350f1dea85b0c912d
-5df16cdec3f27e282d34fe7782a82ee2
-0b521eafc64af1dd989dc57ff9cedbcd
-367eec86ba9748a4843477208aef917d
-b2d765cb5bdd0b318998578e87db05bb
-7118c1cd6b4285514ce58e716c74b602
-5467498dbeadb76902c58a0acdbaa244
-3f58a517f1f4796225137e7659ad2adb

Meh-part-2/Meh/samples.sha1

@@ -1,8 +0,0 @@
-09e0cf3281580088bf45f216949b07a11269f118
-f994eeac9d500e36852932b8db03f450df1a6a48
-836e69e6bf7684d21ee79887d6b7d60c141b3501
-3558ecc726ab94a02f953e30b0ef9a4bc5b96c6e
-91041776507eda04af808cf632c10ef74ef0cbca
-055df2afa96b6f92ad5ec203d0163c5f306be949
-e4ea91aa629042881c0792ada31933a756cf1154
-e264ba0e9987b0ad0812e5dd4dd3075531cfe269

Meh-part-2/Meh/samples.sha256

@@ -1,8 +0,0 @@
-94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e
-43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c
-34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6
-2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5
-657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282
-66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8
-75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30
-1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48