commit
e301d491d9
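--- a/Meh-part-2/Meh/README.md
+++ b/Meh-part-2/Meh/README.md
@@ -0,0 +1,46 @@
+# IoC for Meh
+
+Malware analysis and more technical information at <https://decoded.avast.io/janrubin/complex-obfuscation-meh/>
+
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [File names](#file-names)
+* [Network indicators](#network-indicators)
+
+
+## Samples (SHA-256)
+#### Meh binary and related files
+```
+94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
+43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper
+34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6 - Stage 2 - Shellcode
+2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5 - Stage 3 - Shellcode 2
+657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282 - Stage 4 - Meh stager
+66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8 - pe.bin
+75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30 - base.au3
+1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 - autoit.exe
+
+
+```
+
+## File names
+```
+C:\testintel2\pe.bin
+C:\testintel2\base.au3
+C:\testintel2\autoit.exe
+C:\testintel2\a.txt
+C:\programdata\intel\wireless
+```
+
+## Network indicators
+#### Downloader urls
+```
+http://83[.]171.237.233/s2/pe.bin
+http://83[.]171.237.233/s2/base.au3
+http://83[.]171.237.233/s2/autoit.exe
+```
+#### C&C servers
+```
+http://83[.]171.237.233
+```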
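--- a/Meh-part-2/Meh/extras/decryptor_pe_bin.py
+++ b/Meh-part-2/Meh/extras/decryptor_pe_bin.py
@@ -0,0 +1,45 @@
+import os
+import base64
+import sys
+
+if len(sys.argv) != 2:
+print("[!] Wrong number of parameters! A path to the pe.bin file expected.")
+exit(1)
+
+path = sys.argv[1]
+if not os.path.exists(path):
+print("[!] The file path provided does not exist!")
+exit(1)
+
+file_contents = ''
+with open(path, "r") as f:
+file_contents = f.read()
+
+# Parse the base64 and obtain the xor key
+parsed = file_contents.split('|')
+if len(parsed) < 3:
+print("Provided file does not have the correct format.")
+exit(1)
+
+xor_key = bytearray(parsed[1][:-1], "utf-8")
+xor_key[0] = 0x61 # 'a'
+
+file_contents_pe = parsed[2]
+
+# Decode base64 content
+file_contents_pe = base64.b64decode(file_contents_pe)
+
+# Derive the one byte key
+key = len(xor_key)
+for i in range(0, len(xor_key)):
+key = xor_key[i] ^ key
+
+result = b''
+key = key ^ 255
+for i in range(0, len(file_contents_pe)):
+result += bytes([file_contents_pe[i] ^ key])
+
+with open("decrypted_pe_bin.dat", "bw") as f:
+f.write(result)
+
+exit(0)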
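Review bot: The `result += bytes([file_contents_pe[i] ^ key])` loop at the end of the script re-allocates the whole output buffer on every iteration, so decryption is quadratic in the size of the decoded payload; `result = bytes(b ^ key for b in file_contents_pe)` is linear and replaces the three lines. The input is also read with `open(path, "r")` and no encoding, so the file is decoded with the platform locale and any non-UTF-8 byte in pe.bin raises UnicodeDecodeError before the `len(parsed) < 3` format check runs — opening with `"rb"`, splitting on `b'|'` and building the key with `bytearray(parsed[1][:-1])` keeps the script working on the raw bytes. `base64.b64decode` raises `binascii.Error` on a corrupted second field, which currently escapes as a traceback rather than the `[!]` message the other checks print, and each `exit(1)` relies on the `site`-module helper even though `sys` is already imported (`sys.exit(1)` is the portable form). Finally, the two format-specific tweaks — dropping the last character of the key field with `[:-1]` and forcing `xor_key[0] = 0x61` — have no explanation; a one-line comment saying why the sample's key material needs both adjustments would keep the next analyst from "fixing" them.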
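--- a/Meh-part-2/Meh/network.txt
+++ b/Meh-part-2/Meh/network.txt
@@ -0,0 +1,3 @@
+http://83[.]171.237.233/s2/pe.bin
+http://83[.]171.237.233/s2/base.au3
+http://83[.]171.237.233/s2/autoit.exe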
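--- a/Meh-part-2/Meh/samples.md5
+++ b/Meh-part-2/Meh/samples.md5
@@ -0,0 +1,8 @@
+78f4c24acadb525350f1dea85b0c912d
+5df16cdec3f27e282d34fe7782a82ee2
+0b521eafc64af1dd989dc57ff9cedbcd
+367eec86ba9748a4843477208aef917d
+b2d765cb5bdd0b318998578e87db05bb
+7118c1cd6b4285514ce58e716c74b602
+5467498dbeadb76902c58a0acdbaa244
+3f58a517f1f4796225137e7659ad2adb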
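--- a/Meh-part-2/Meh/samples.sha1
+++ b/Meh-part-2/Meh/samples.sha1
@@ -0,0 +1,8 @@
+09e0cf3281580088bf45f216949b07a11269f118
+f994eeac9d500e36852932b8db03f450df1a6a48
+836e69e6bf7684d21ee79887d6b7d60c141b3501
+3558ecc726ab94a02f953e30b0ef9a4bc5b96c6e
+91041776507eda04af808cf632c10ef74ef0cbca
+055df2afa96b6f92ad5ec203d0163c5f306be949
+e4ea91aa629042881c0792ada31933a756cf1154
+e264ba0e9987b0ad0812e5dd4dd3075531cfe269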
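--- a/Meh-part-2/Meh/samples.sha256
+++ b/Meh-part-2/Meh/samples.sha256
@@ -0,0 +1,8 @@
+94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e
+43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c
+34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6
+2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5
+657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282
+66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8
+75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30
+1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48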
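--- a/Meh-part-2/README.md
+++ b/Meh-part-2/README.md
@@ -0,0 +1,48 @@
+# IoC for Meh part 2
+
+Malware analysis and more technical information at <https://decoded.avast.io/janrubin/meh-2-2/>
+
+The technical analysis of the first part of the blogpost series can be found at <https://decoded.avast.io/janrubin/complex-obfuscation-meh/>
+IoCs of the first part of the blogpost series can be found at <https://github.com/avast/ioc/tree/master/Meh>
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [File names](#file-names)
+* [Network indicators](#network-indicators)
+
+
+## Samples (SHA-256)
+#### Meh binary and related files
+```
+94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
+43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper
+34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6 - Stage 2 - Shellcode
+2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5 - Stage 3 - Shellcode 2
+657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282 - Stage 4 - Meh stager
+66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8 - pe.bin
+75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30 - base.au3
+1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 - autoit.exe
+1f13024724491b4b083dfead60931dcacabd70e5bd674c41a83a02410dea070d - Meh password stealer
+3c1e5930d35815097435268fab724a6ed1bc347dd97cd20eb05f645a25eb692b - cpux64.bin
+57b6fa7cbc98b752da6002e1b877a0e1d83f453f9227044b0b96bf28b0131195 - cpux86.bin
+722502b7302fd6bae93c57212fcafad2767c5f869e37bd00487b946f76251c8d - cpux64.bin unpacked
+e96403de3807ccb740f9ca6cade9ebd85696485590f51a4eb1c308de9875dfaa - cpux86.bin unpacked
+```
+
+## File names
+```
+C:\ProgramData\Intel\Wireless\
+C:\Users\<user>\AppData\Local\Temp\test.txt
+C:\Users\<user>\AppData\Local\Temp\torrent.txt
+```
+
+## Network indicators
+#### C&C servers
+```
+http[:]//193-22-92-35.intesre.com
+http[:]//0.le4net00.net
+http[:]//83.171.237.231
+http[:]//deploy.static.blazingtechnologies.io
+http[:]//0.weathdata.nu
+http[:]//124.red-79-152-243.dynamicip.fina-tdl.io
+```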
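--- a/Meh-part-2/extras/decrypt_strings_IDAPython.py
+++ b/Meh-part-2/extras/decrypt_strings_IDAPython.py
@@ -0,0 +1,64 @@
+__author__ = "Jan Rubin, Avast Software"
+
+from base64 import b64decode
+from functools import reduce
+from typing import Optional
+
+
+def decrypt(encoded_text: bytes, key_material: bytes) -> bytes:
+ciphertext = b64decode(encoded_text)
+key = reduce(lambda x, y: x ^ y, key_material) # XOR all bytes of the key
+key ^= len(key_material)
+
+plaintext = bytes([key ^ 255 ^ byte for byte in ciphertext])
+return plaintext
+
+
+def find_key(offset: int) -> Optional[bytes]:
+for i in range(32): # scan next 32 bytes for the decryption function
+offset += 1
+if print_operand(offset, 0) != "sub_448F58":
+continue
+
+string_offset = get_operand_value(offset - 0x5, 1)
+string = get_strlit_contents(string_offset)
+
+return string
+
+
+def process_string(offset: int, ciphertext: bytes, key_material: bytes) -> int:
+decrypted = decrypt(ciphertext, key_material)
+try:
+set_cmt(offset, str(decrypted), False)
+return 1
+except Exception as error:
+print(f"[!] Could not resolve address {offset}, error: {error}")
+return 0
+
+
+def find_strings(base: int, end: int):
+ea = base
+count = 0
+while ea <= end:
+ea = idc.next_addr(ea)
+if not print_operand(ea, 0) == "sub_443DDC":
+continue
+
+addr_key = get_operand_value(ea - 0x5, 1)
+ciphertext = get_strlit_contents(addr_key)
+key_material = find_key(ea)
+
+if key_material == None or ciphertext == None:
+ea = idc.next_addr(ea)
+continue
+
+count += process_string(ea, ciphertext, key_material)
+
+if count > 0:
+print(f"[+] Successfully decrypted {count} strings")
+else:
+print("[-] Could not decrypt strings. See errors above.")
+
+
+print("Start decrypt")
+find_strings(base=0x00401000, end=0x0044f000)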
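Review bot: `decrypt` calls `reduce(lambda x, y: x ^ y, key_material)` with no initial value, so should `get_strlit_contents` ever hand back an empty bytes object for the key, the call raises TypeError inside `find_strings` and aborts the whole scan — `process_string` only guards the `set_cmt` call, not the decryption; `reduce(lambda x, y: x ^ y, key_material, 0)` gives the same result for every non-empty key and turns the empty case into a harmless no-op. The script is also tied to one particular IDB: `sub_448F58`, `sub_443DDC`, the `offset - 0x5` / `ea - 0x5` operand lookups (which presumably assume a five-byte `push imm32` immediately before each call) and the `0x00401000`–`0x0044f000` range are all hard-coded, so a header comment naming the sample (by SHA-256, e.g. the unpacked cpux86.bin from the README, if that is the one) and those assumptions would save the next analyst a silent zero-result run on the wrong binary. `if key_material == None or ciphertext == None` should be `is None`. Lastly, `set_cmt(offset, str(decrypted), False)` writes the bytes repr (`b'...'`) into the comment; `decrypted.decode("latin-1")` or `decrypted.decode(errors="replace")` puts the readable string there instead.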
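--- a/Meh-part-2/network.txt
+++ b/Meh-part-2/network.txt
@@ -0,0 +1,11 @@
+http[:]//193-22-92-35.intesre.com
+http[:]//0.le4net00.net
+http[:]//83.171.237.231
+http[:]//deploy.static.blazingtechnologies.io
+http[:]//0.weathdata.nu
+http[:]//124.red-79-152-243.dynamicip.fina-tdl.io/s/cpux64.bin
+http[:]//124.red-79-152-243.dynamicip.fina-tdl.io/s/cpux86.bin
+http[:]//www.mejortorrentt.net/ips/download_torrent.php
+http[:]//mejortorrent1.net/downloads/download_torrent.php
+http[:]//grantorrent.eu/download/download_torrent.php
+http[:]//www.divxtotal.la/downloads/download_torrent.php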
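--- a/Meh-part-2/samples.md5
+++ b/Meh-part-2/samples.md5
@@ -0,0 +1,13 @@
+78f4c24acadb525350f1dea85b0c912d
+5df16cdec3f27e282d34fe7782a82ee2
+0b521eafc64af1dd989dc57ff9cedbcd
+367eec86ba9748a4843477208aef917d
+b2d765cb5bdd0b318998578e87db05bb
+7118c1cd6b4285514ce58e716c74b602
+5467498dbeadb76902c58a0acdbaa244
+3f58a517f1f4796225137e7659ad2adb
+6d8582b7f7e41fbf33167973a299b531
+14c035d77a366b43d397a4992866f288
+3a2f0775856f4771a696a79c508a6148
+f0901dfb8250cbadbff8c993982ae155
+e5ff52ba79d505b9bf97484733013f6c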
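--- a/Meh-part-2/samples.sha1
+++ b/Meh-part-2/samples.sha1
@@ -0,0 +1,13 @@
+09e0cf3281580088bf45f216949b07a11269f118
+f994eeac9d500e36852932b8db03f450df1a6a48
+836e69e6bf7684d21ee79887d6b7d60c141b3501
+3558ecc726ab94a02f953e30b0ef9a4bc5b96c6e
+91041776507eda04af808cf632c10ef74ef0cbca
+055df2afa96b6f92ad5ec203d0163c5f306be949
+e4ea91aa629042881c0792ada31933a756cf1154
+e264ba0e9987b0ad0812e5dd4dd3075531cfe269
+c8e3de52c1757667e26b46c70af6a0bc33adcf8b
+c5834456a9ea9b431d93b16941cb54872d53882d
+4ff350886382965dcacae1b1fea1faad224fe5b8
+943b1b802953a2d89a38cd9edf369daad05cd5ab
+30f5b43cd60afa486b2df4cb7cdfbbc9b21be7ff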
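--- a/Meh-part-2/samples.sha256
+++ b/Meh-part-2/samples.sha256
@@ -0,0 +1,13 @@
+94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e
+43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c
+34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6
+2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5
+657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282
+66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8
+75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30
+1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
+1f13024724491b4b083dfead60931dcacabd70e5bd674c41a83a02410dea070d
+3c1e5930d35815097435268fab724a6ed1bc347dd97cd20eb05f645a25eb692b
+57b6fa7cbc98b752da6002e1b877a0e1d83f453f9227044b0b96bf28b0131195
+722502b7302fd6bae93c57212fcafad2767c5f869e37bd00487b946f76251c8d
+e96403de3807ccb740f9ca6cade9ebd85696485590f51a4eb1c308de9875dfaa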
@ -10,7 +10,7 @@ Malware analysis and more technical information at <https://decoded.avast.io/jan
|
||||
|
||||
|
||||
## Samples (SHA-256)
|
||||
#### CoViper binary and related files
|
||||
#### Meh binary and related files
|
||||
```
|
||||
94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
|
||||
43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper
|
||||
|