mirror of https://github.com/avast/ioc
Removed redundat content
parent
af5d3e0f1a
commit
d6c6e7d420
|
@ -1,46 +0,0 @@
|
|||
# IoC for Meh
|
||||
|
||||
Malware analysis and more technical information at <https://decoded.avast.io/janrubin/complex-obfuscation-meh/>
|
||||
|
||||
|
||||
### Table of Contents
|
||||
* [Samples (SHA-256)](#samples-sha-256)
|
||||
* [File names](#file-names)
|
||||
* [Network indicators](#network-indicators)
|
||||
|
||||
|
||||
## Samples (SHA-256)
|
||||
#### Meh binary and related files
|
||||
```
|
||||
94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
|
||||
43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper
|
||||
34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6 - Stage 2 - Shellcode
|
||||
2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5 - Stage 3 - Shellcode 2
|
||||
657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282 - Stage 4 - Meh stager
|
||||
66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8 - pe.bin
|
||||
75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30 - base.au3
|
||||
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 - autoit.exe
|
||||
|
||||
|
||||
```
|
||||
|
||||
## File names
|
||||
```
|
||||
C:\testintel2\pe.bin
|
||||
C:\testintel2\base.au3
|
||||
C:\testintel2\autoit.exe
|
||||
C:\testintel2\a.txt
|
||||
C:\programdata\intel\wireless
|
||||
```
|
||||
|
||||
## Network indicators
|
||||
#### Downloader urls
|
||||
```
|
||||
http://83[.]171.237.233/s2/pe.bin
|
||||
http://83[.]171.237.233/s2/base.au3
|
||||
http://83[.]171.237.233/s2/autoit.exe
|
||||
```
|
||||
#### C&C servers
|
||||
```
|
||||
http://83[.]171.237.233
|
||||
```
|
|
@ -1,45 +0,0 @@
|
|||
import os
|
||||
import base64
|
||||
import sys
|
||||
|
||||
if len(sys.argv) != 2:
|
||||
print("[!] Wrong number of parameters! A path to the pe.bin file expected.")
|
||||
exit(1)
|
||||
|
||||
path = sys.argv[1]
|
||||
if not os.path.exists(path):
|
||||
print("[!] The file path provided does not exist!")
|
||||
exit(1)
|
||||
|
||||
file_contents = ''
|
||||
with open(path, "r") as f:
|
||||
file_contents = f.read()
|
||||
|
||||
# Parse the base64 and obtain the xor key
|
||||
parsed = file_contents.split('|')
|
||||
if len(parsed) < 3:
|
||||
print("Provided file does not have the correct format.")
|
||||
exit(1)
|
||||
|
||||
xor_key = bytearray(parsed[1][:-1], "utf-8")
|
||||
xor_key[0] = 0x61 # 'a'
|
||||
|
||||
file_contents_pe = parsed[2]
|
||||
|
||||
# Decode base64 content
|
||||
file_contents_pe = base64.b64decode(file_contents_pe)
|
||||
|
||||
# Derive the one byte key
|
||||
key = len(xor_key)
|
||||
for i in range(0, len(xor_key)):
|
||||
key = xor_key[i] ^ key
|
||||
|
||||
result = b''
|
||||
key = key ^ 255
|
||||
for i in range(0, len(file_contents_pe)):
|
||||
result += bytes([file_contents_pe[i] ^ key])
|
||||
|
||||
with open("decrypted_pe_bin.dat", "bw") as f:
|
||||
f.write(result)
|
||||
|
||||
exit(0)
|
|
@ -1,3 +0,0 @@
|
|||
http://83[.]171.237.233/s2/pe.bin
|
||||
http://83[.]171.237.233/s2/base.au3
|
||||
http://83[.]171.237.233/s2/autoit.exe
|
|
@ -1,8 +0,0 @@
|
|||
78f4c24acadb525350f1dea85b0c912d
|
||||
5df16cdec3f27e282d34fe7782a82ee2
|
||||
0b521eafc64af1dd989dc57ff9cedbcd
|
||||
367eec86ba9748a4843477208aef917d
|
||||
b2d765cb5bdd0b318998578e87db05bb
|
||||
7118c1cd6b4285514ce58e716c74b602
|
||||
5467498dbeadb76902c58a0acdbaa244
|
||||
3f58a517f1f4796225137e7659ad2adb
|
|
@ -1,8 +0,0 @@
|
|||
09e0cf3281580088bf45f216949b07a11269f118
|
||||
f994eeac9d500e36852932b8db03f450df1a6a48
|
||||
836e69e6bf7684d21ee79887d6b7d60c141b3501
|
||||
3558ecc726ab94a02f953e30b0ef9a4bc5b96c6e
|
||||
91041776507eda04af808cf632c10ef74ef0cbca
|
||||
055df2afa96b6f92ad5ec203d0163c5f306be949
|
||||
e4ea91aa629042881c0792ada31933a756cf1154
|
||||
e264ba0e9987b0ad0812e5dd4dd3075531cfe269
|
|
@ -1,8 +0,0 @@
|
|||
94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e
|
||||
43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c
|
||||
34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6
|
||||
2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5
|
||||
657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282
|
||||
66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8
|
||||
75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30
|
||||
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
|