Merge pull request #14 from janrubin/master

Meh part 2
2024-06-27 09:18:37 +00:00 · 2020-11-12 11:43:37 +01:00 · 2020-11-12 11:43:37 +01:00 · e301d491d9
commit e301d491d9
parent 752ffde884 af5d3e0f1a
13 changed files with 281 additions and 1 deletions
--- a/Meh-part-2/Meh/README.md
+++ b/Meh-part-2/Meh/README.md
@ -0,0 +1,46 @@
+# IoC for Meh
+
+Malware analysis and more technical information at <https://decoded.avast.io/janrubin/complex-obfuscation-meh/>
+
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [File names](#file-names)
+* [Network indicators](#network-indicators)
+
+
+## Samples (SHA-256)
+#### Meh binary and related files
+```
+94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
+43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper
+34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6 - Stage 2 - Shellcode
+2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5 - Stage 3 - Shellcode 2
+657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282 - Stage 4 - Meh stager
+66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8 - pe.bin
+75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30 - base.au3
+1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 - autoit.exe
+
+
+```
+
+## File names
+```
+C:\testintel2\pe.bin
+C:\testintel2\base.au3
+C:\testintel2\autoit.exe
+C:\testintel2\a.txt
+C:\programdata\intel\wireless
+```
+
+## Network indicators
+#### Downloader urls
+```
+http://83[.]171.237.233/s2/pe.bin
+http://83[.]171.237.233/s2/base.au3
+http://83[.]171.237.233/s2/autoit.exe
+```
+#### C&C servers
+```
+http://83[.]171.237.233
+```
--- a/Meh-part-2/Meh/extras/decryptor_pe_bin.py
+++ b/Meh-part-2/Meh/extras/decryptor_pe_bin.py
@ -0,0 +1,45 @@
+import os
+import base64
+import sys
+
+if len(sys.argv) != 2:
+    print("[!] Wrong number of parameters! A path to the pe.bin file expected.")
+    exit(1)
+
+path = sys.argv[1]
+if not os.path.exists(path):
+    print("[!] The file path provided does not exist!")
+    exit(1)
+
+file_contents = ''
+with open(path, "r") as f:
+    file_contents = f.read()
+
+# Parse the base64 and obtain the xor key
+parsed = file_contents.split('|')
+if len(parsed) < 3:
+    print("Provided file does not have the correct format.")
+    exit(1)
+
+xor_key = bytearray(parsed[1][:-1], "utf-8")
+xor_key[0] = 0x61  # 'a'
+
+file_contents_pe = parsed[2]
+
+# Decode base64 content
+file_contents_pe = base64.b64decode(file_contents_pe)
+
+# Derive the one byte key
+key = len(xor_key)
+for i in range(0, len(xor_key)):
+     key = xor_key[i] ^ key
+
+result = b''
+key = key ^ 255
+for i in range(0, len(file_contents_pe)):
+    result += bytes([file_contents_pe[i] ^ key])
+
+with open("decrypted_pe_bin.dat", "bw") as f:
+    f.write(result)
+
+exit(0)
--- a/Meh-part-2/Meh/network.txt
+++ b/Meh-part-2/Meh/network.txt
@ -0,0 +1,3 @@
+http://83[.]171.237.233/s2/pe.bin
+http://83[.]171.237.233/s2/base.au3
+http://83[.]171.237.233/s2/autoit.exe
--- a/Meh-part-2/Meh/samples.md5
+++ b/Meh-part-2/Meh/samples.md5
@ -0,0 +1,8 @@
+78f4c24acadb525350f1dea85b0c912d
+5df16cdec3f27e282d34fe7782a82ee2
+0b521eafc64af1dd989dc57ff9cedbcd
+367eec86ba9748a4843477208aef917d
+b2d765cb5bdd0b318998578e87db05bb
+7118c1cd6b4285514ce58e716c74b602
+5467498dbeadb76902c58a0acdbaa244
+3f58a517f1f4796225137e7659ad2adb
--- a/Meh-part-2/Meh/samples.sha1
+++ b/Meh-part-2/Meh/samples.sha1
@ -0,0 +1,8 @@
+09e0cf3281580088bf45f216949b07a11269f118
+f994eeac9d500e36852932b8db03f450df1a6a48
+836e69e6bf7684d21ee79887d6b7d60c141b3501
+3558ecc726ab94a02f953e30b0ef9a4bc5b96c6e
+91041776507eda04af808cf632c10ef74ef0cbca
+055df2afa96b6f92ad5ec203d0163c5f306be949
+e4ea91aa629042881c0792ada31933a756cf1154
+e264ba0e9987b0ad0812e5dd4dd3075531cfe269
--- a/Meh-part-2/Meh/samples.sha256
+++ b/Meh-part-2/Meh/samples.sha256
@ -0,0 +1,8 @@
+94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e
+43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c
+34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6
+2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5
+657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282
+66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8
+75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30
+1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
--- a/Meh-part-2/README.md
+++ b/Meh-part-2/README.md
@ -0,0 +1,48 @@
+# IoC for Meh part 2
+
+Malware analysis and more technical information at <https://decoded.avast.io/janrubin/meh-2-2/>
+
+The technical analysis of the first part of the blogpost series can be found at <https://decoded.avast.io/janrubin/complex-obfuscation-meh/>
+IoCs of the first part of the blogpost series can be found at <https://github.com/avast/ioc/tree/master/Meh>
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [File names](#file-names)
+* [Network indicators](#network-indicators)
+
+
+## Samples (SHA-256)
+#### Meh binary and related files
+```
+94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
+43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper
+34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6 - Stage 2 - Shellcode
+2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5 - Stage 3 - Shellcode 2
+657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282 - Stage 4 - Meh stager
+66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8 - pe.bin
+75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30 - base.au3
+1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 - autoit.exe
+1f13024724491b4b083dfead60931dcacabd70e5bd674c41a83a02410dea070d - Meh password stealer
+3c1e5930d35815097435268fab724a6ed1bc347dd97cd20eb05f645a25eb692b - cpux64.bin
+57b6fa7cbc98b752da6002e1b877a0e1d83f453f9227044b0b96bf28b0131195 - cpux86.bin
+722502b7302fd6bae93c57212fcafad2767c5f869e37bd00487b946f76251c8d - cpux64.bin unpacked
+e96403de3807ccb740f9ca6cade9ebd85696485590f51a4eb1c308de9875dfaa - cpux86.bin unpacked
+```
+
+## File names
+```
+C:\ProgramData\Intel\Wireless\
+C:\Users\<user>\AppData\Local\Temp\test.txt
+C:\Users\<user>\AppData\Local\Temp\torrent.txt
+```
+
+## Network indicators
+#### C&C servers
+```
+http[:]//193-22-92-35.intesre.com
+http[:]//0.le4net00.net
+http[:]//83.171.237.231
+http[:]//deploy.static.blazingtechnologies.io
+http[:]//0.weathdata.nu
+http[:]//124.red-79-152-243.dynamicip.fina-tdl.io
+```
--- a/Meh-part-2/extras/decrypt_strings_IDAPython.py
+++ b/Meh-part-2/extras/decrypt_strings_IDAPython.py
@ -0,0 +1,64 @@
+__author__ = "Jan Rubin, Avast Software"
+
+from base64 import b64decode
+from functools import reduce
+from typing import Optional
+
+
+def decrypt(encoded_text: bytes, key_material: bytes) -> bytes:
+    ciphertext = b64decode(encoded_text)
+    key = reduce(lambda x, y: x ^ y, key_material)  # XOR all bytes of the key
+    key ^= len(key_material)
+    
+    plaintext = bytes([key ^ 255 ^ byte for byte in ciphertext])
+    return plaintext
+
+
+def find_key(offset: int) -> Optional[bytes]:
+    for i in range(32):  # scan next 32 bytes for the decryption function
+        offset += 1
+        if print_operand(offset, 0) != "sub_448F58":
+            continue
+        
+        string_offset = get_operand_value(offset - 0x5, 1)
+        string = get_strlit_contents(string_offset)
+        
+        return string
+
+
+def process_string(offset: int, ciphertext: bytes, key_material: bytes) -> int:
+    decrypted = decrypt(ciphertext, key_material)
+    try:
+        set_cmt(offset, str(decrypted), False)
+        return 1
+    except Exception as error:
+        print(f"[!] Could not resolve address {offset}, error: {error}")
+        return 0
+
+
+def find_strings(base: int, end: int):
+    ea = base
+    count = 0
+    while ea <= end:
+        ea = idc.next_addr(ea)
+        if not print_operand(ea, 0) == "sub_443DDC":
+            continue
+        
+        addr_key = get_operand_value(ea - 0x5, 1)
+        ciphertext = get_strlit_contents(addr_key)
+        key_material = find_key(ea)
+
+        if key_material == None or ciphertext == None:
+            ea = idc.next_addr(ea)
+            continue
+
+        count += process_string(ea, ciphertext, key_material)
+
+    if count > 0:
+        print(f"[+] Successfully decrypted {count} strings")
+    else:
+        print("[-] Could not decrypt strings. See errors above.")
+
+
+print("Start decrypt")
+find_strings(base=0x00401000, end=0x0044f000)
--- a/Meh-part-2/network.txt
+++ b/Meh-part-2/network.txt
@ -0,0 +1,11 @@
+http[:]//193-22-92-35.intesre.com
+http[:]//0.le4net00.net
+http[:]//83.171.237.231
+http[:]//deploy.static.blazingtechnologies.io
+http[:]//0.weathdata.nu
+http[:]//124.red-79-152-243.dynamicip.fina-tdl.io/s/cpux64.bin
+http[:]//124.red-79-152-243.dynamicip.fina-tdl.io/s/cpux86.bin
+http[:]//www.mejortorrentt.net/ips/download_torrent.php
+http[:]//mejortorrent1.net/downloads/download_torrent.php
+http[:]//grantorrent.eu/download/download_torrent.php
+http[:]//www.divxtotal.la/downloads/download_torrent.php
--- a/Meh-part-2/samples.md5
+++ b/Meh-part-2/samples.md5
@ -0,0 +1,13 @@
+78f4c24acadb525350f1dea85b0c912d
+5df16cdec3f27e282d34fe7782a82ee2
+0b521eafc64af1dd989dc57ff9cedbcd
+367eec86ba9748a4843477208aef917d
+b2d765cb5bdd0b318998578e87db05bb
+7118c1cd6b4285514ce58e716c74b602
+5467498dbeadb76902c58a0acdbaa244
+3f58a517f1f4796225137e7659ad2adb
+6d8582b7f7e41fbf33167973a299b531
+14c035d77a366b43d397a4992866f288
+3a2f0775856f4771a696a79c508a6148
+f0901dfb8250cbadbff8c993982ae155
+e5ff52ba79d505b9bf97484733013f6c
--- a/Meh-part-2/samples.sha1
+++ b/Meh-part-2/samples.sha1
@ -0,0 +1,13 @@
+09e0cf3281580088bf45f216949b07a11269f118
+f994eeac9d500e36852932b8db03f450df1a6a48
+836e69e6bf7684d21ee79887d6b7d60c141b3501
+3558ecc726ab94a02f953e30b0ef9a4bc5b96c6e
+91041776507eda04af808cf632c10ef74ef0cbca
+055df2afa96b6f92ad5ec203d0163c5f306be949
+e4ea91aa629042881c0792ada31933a756cf1154
+e264ba0e9987b0ad0812e5dd4dd3075531cfe269
+c8e3de52c1757667e26b46c70af6a0bc33adcf8b
+c5834456a9ea9b431d93b16941cb54872d53882d
+4ff350886382965dcacae1b1fea1faad224fe5b8
+943b1b802953a2d89a38cd9edf369daad05cd5ab
+30f5b43cd60afa486b2df4cb7cdfbbc9b21be7ff
--- a/Meh-part-2/samples.sha256
+++ b/Meh-part-2/samples.sha256
@ -0,0 +1,13 @@
+94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e
+43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c
+34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6
+2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5
+657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282
+66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8
+75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30
+1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
+1f13024724491b4b083dfead60931dcacabd70e5bd674c41a83a02410dea070d
+3c1e5930d35815097435268fab724a6ed1bc347dd97cd20eb05f645a25eb692b
+57b6fa7cbc98b752da6002e1b877a0e1d83f453f9227044b0b96bf28b0131195
+722502b7302fd6bae93c57212fcafad2767c5f869e37bd00487b946f76251c8d
+e96403de3807ccb740f9ca6cade9ebd85696485590f51a4eb1c308de9875dfaa
--- a/Meh/README.md
+++ b/Meh/README.md
@ -10,7 +10,7 @@ Malware analysis and more technical information at <https://decoded.avast.io/jan


 ## Samples (SHA-256)
-#### CoViper binary and related files
+#### Meh binary and related files
 ```
 94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
 43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper