diff --git a/Meh/README.md b/Meh/README.md
new file mode 100644
index 0000000..d28a2fa
--- /dev/null
+++ b/Meh/README.md
@@ -0,0 +1,46 @@
+# IoC for Meh
+
+Malware analysis and more technical informations at
+
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [File names](#file-names)
+* [Network indicators](#network-indicators)
+
+
+## Samples (SHA-256)
+#### CoViper binary and related files
+```
+94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e - Initial AutoIt script
+43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c - Stage 1 - Dropper
+34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6 - Stage 2 - Shellcode
+2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5 - Stage 3 - Shellcode 2
+657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282 - Stage 4 - Meh stager
+66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8 - pe.bin
+75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30 - base.au3
+1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 - autoit.exe
+
+ ```
+
+## File names
+```
+C:\testintel2\pe.bin
+C:\testintel2\base.au3
+C:\testintel2\autoit.exe
+C:\testintel2\a.txt
+C:\programdata\intel\wireless
+```
+
+## Network indicators
+#### Downloader urls
+```
+http://83[.]171.237.233/s2/pe.bin
+http://83[.]171.237.233/s2/base.au3
+http://83[.]171.237.233/s2/autoit.exe
+```
+#### C&C servers
+```
+http://83[.]171.237.233
+```
diff --git a/Meh/extras/decryptor_pe_bin.py b/Meh/extras/decryptor_pe_bin.py
new file mode 100644
index 0000000..1d3e605
--- /dev/null
+++ b/Meh/extras/decryptor_pe_bin.py
@@ -0,0 +1,45 @@
+import os
+import base64
+import sys
+
+if len(sys.argv) != 2:
+ print("[!] Wrong number of parameters! A path to the pe.bin file expected.")
+ exit(1)
+
+path = sys.argv[1]
+if not os.path.exists(path):
+ print("[!] The file path provided does not exist!")
+ exit(1)
+
+file_contents = ''
+with open(path, "r") as f:
+ file_contents = f.read()
+
+# Parse the base64 and obtain the xor key
+parsed = file_contents.split('|')
+if len(parsed) < 3:
+ print("Provided file does not have the correct format.")
+ exit(1)
+
+xor_key = bytearray(parsed[1][:-1], "utf-8")
+xor_key[0] = 0x61 # 'a'
+
+file_contents_pe = parsed[2]
+
+# Decode base64 content
+file_contents_pe = base64.b64decode(file_contents_pe)
+
+# Derive the one byte key
+key = len(xor_key)
+for i in range(0, len(xor_key)):
+ key = xor_key[i] ^ key
+
+result = b''
+key = key ^ 255
+for i in range(0, len(file_contents_pe)):
+ result += bytes([file_contents_pe[i] ^ key])
+
+with open("decrypted_pe_bin.dat", "bw") as f:
+ f.write(result)
+
+exit(0)
diff --git a/Meh/network.txt b/Meh/network.txt
new file mode 100644
index 0000000..2d7c9f1
--- /dev/null
+++ b/Meh/network.txt
@@ -0,0 +1,3 @@
+http://83[.]171.237.233/s2/pe.bin
+http://83[.]171.237.233/s2/base.au3
+http://83[.]171.237.233/s2/autoit.exe
diff --git a/Meh/samples.md5 b/Meh/samples.md5
new file mode 100644
index 0000000..d86a913
--- /dev/null
+++ b/Meh/samples.md5
@@ -0,0 +1,8 @@
+78f4c24acadb525350f1dea85b0c912d
+5df16cdec3f27e282d34fe7782a82ee2
+0b521eafc64af1dd989dc57ff9cedbcd
+367eec86ba9748a4843477208aef917d
+b2d765cb5bdd0b318998578e87db05bb
+7118c1cd6b4285514ce58e716c74b602
+5467498dbeadb76902c58a0acdbaa244
+3f58a517f1f4796225137e7659ad2adb
diff --git a/Meh/samples.sha1 b/Meh/samples.sha1
new file mode 100644
index 0000000..b8f2346
--- /dev/null
+++ b/Meh/samples.sha1
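Review bot: The value named `key` is never reduced to a single byte even though the comment `# Derive the one byte key` says that is the intent: it starts at `len(xor_key)`, so for a key string of 256 or more characters the XOR in `result += bytes([file_contents_pe[i] ^ key])` can exceed 0xFF and `bytes()` raises ValueError instead of decrypting. If the malware derives this value in a byte-sized register (confirm against the AutoIt sample), the derivation should end with `key = (key ^ 255) & 0xFF`. The same loop also rebuilds the whole `result` buffer on every iteration, which is quadratic on a multi-megabyte PE; `result = bytes(b ^ key for b in file_contents_pe)` does the same work in one pass. Separately, `exit()` is the `site` helper rather than `sys.exit()`, and the output goes unconditionally to `decrypted_pe_bin.dat` in the current directory, overwriting any existing file without warning. Since that output is the decoded malicious PE, a header comment such as `# WARNING: writes a live malicious PE to disk; run only inside an isolated analysis VM` would help the next analyst.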
@@ -0,0 +1,8 @@
+09e0cf3281580088bf45f216949b07a11269f118
+f994eeac9d500e36852932b8db03f450df1a6a48
+836e69e6bf7684d21ee79887d6b7d60c141b3501
+3558ecc726ab94a02f953e30b0ef9a4bc5b96c6e
+91041776507eda04af808cf632c10ef74ef0cbca
+055df2afa96b6f92ad5ec203d0163c5f306be949
+e4ea91aa629042881c0792ada31933a756cf1154
+e264ba0e9987b0ad0812e5dd4dd3075531cfe269
diff --git a/Meh/samples.sha256 b/Meh/samples.sha256
new file mode 100644
index 0000000..aad07c0
--- /dev/null
+++ b/Meh/samples.sha256
@@ -0,0 +1,8 @@
+94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e
+43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c
+34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6
+2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5
+657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282
+66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8
+75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30
+1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48