This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Related campaign - https://twitter.com/1ZRR4H/status/1725609793216291100
***************************************
* no keywords path this time :(       *
* /postal.php - for C2 port           *
***************************************
orionprimexgold1.ddns.net
orionprimexgold2.ddnsking.com
orionprimexgold3.3utilities.com

***************************************
* no keywords path this time :(       *
* /postal.php - for C2 port           *
***************************************
alpha123.serveblog.net
tango89.myvnc.com
zulu567.onthewifi.com
echo456.redirectme.net
foxtrot234.freedynamicdns.net

import requests
import zipfile
from io import BytesIO
'''
Assumptions:
1. The first const appearance will be the number used for string decryption.
2. The first few lines after the const will have the decryption function in it.
3. The retrieved payload from the C2 is a zip archive.
'''

leon@ppk.com.mx
marthacesareo@grupokaypa.com
constanciaf4@dolcevita.com.mx
facturacion@dolcevita.com.mx
laura.rodriguez@dolcevitavallarta.com
pagos@dolcevita.com.mx
aflores@eving.com.mx
refacciones.irapuato@altopro.com.mx
alg@chalumex.com.mx
dgv@chalumex.com.mx

***************************************
* /kepler186f.txt - for keywords      *
* /16Psyche.txt - for C2 port         *
***************************************
orionprimexgold1.ddns.net
orionprimexgold2.ddnsking.com
orionprimexgold3.3utilities.com
orionprimexgold4.bounceme.net
orionprimexgold5.freedynamicdns.net

from hashlib import md5
from malduck import aes
keyString = input("[!] Enter key: ")
md5Key = md5(keyString.encode()).hexdigest()
print(f'[*] The key for the encryption will be {md5Key}')
encryptedString = input("[!] Enter hexvalue encrypted data: ")
# The 32-char hex digest is turned back into 16 raw bytes, i.e. an AES-128 key, and the
# ciphertext is decrypted in ECB mode (no IV involved).
decryptedData = aes.ecb.decrypt(bytes.fromhex(md5Key), bytes.fromhex(encryptedString))
print(f'[*] Decrypted data: {decryptedData}')

LIST = 'zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=' # Replace list used for config decoding
DATA = '' # Replace with the encrypted data from the network traffic
ID = '' # Replace with the ID from the network traffic
def decShiftFunc(arg1, arg2, arg3, arg4):
    # Packs four 6-bit symbol values into three bytes (the base64 4-to-3 step)
    final = b''
    tmp = (arg1 & 0x3F) * 4
    final += bytes([((arg2 & 0x30) >> 4) + tmp])
    tmp = (arg2 & 0xF) * 16
    final += bytes([((arg3 & 0x3C) >> 2) + tmp])
    final += bytes([(arg4 & 0x3F) + ((arg3 & 0x03) << 6)])
    return final

AUTO_IT_PATH = 'pay.au3' #Change to the AutoIT script path.
FINAL_PAYLOAD_PATH = 'final2.bin' #Change to output path.
def decShiftFunc(arg1, arg2, arg3, arg4):
    # Packs four 6-bit symbol values into three bytes (the base64 4-to-3 step)
    final = b''
    tmp = (arg1 & 0x3F) * 4
    final += bytes([((arg2 & 0x30) >> 4) + tmp])
    tmp = (arg2 & 0xF) * 16
    final += bytes([((arg3 & 0x3C) >> 2) + tmp])
    final += bytes([(arg4 & 0x3F) + ((arg3 & 0x03) << 6)])
    return final

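The config-decoding gist and the AutoIt-payload gist above both carry the same four-symbol-to-three-byte shuffle (decShiftFunc) over the replacement alphabet LIST, but the previews stop before the loop that drives it. The following is an added example, not code from either gist: it wires that shuffle into a complete decoder, adds an encoder only so the round trip can be checked, and cross-checks the result against the stdlib shortcut of translating LIST onto the standard base64 table. The alphabet is the one in the gist; the handling of short trailing groups (by length, with no padding symbol, since '=' is itself the 64th symbol of LIST), the helper names and the sample plaintext are my assumptions.

```python
import base64
import string

# Replacement alphabet copied from the config-decoding gist above. Note that '=' is a
# real symbol here (value 63), so it cannot double as base64 padding.
ALPHABET = 'zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+='
assert len(ALPHABET) == 64 and len(set(ALPHABET)) == 64

_VALUE = {ch: i for i, ch in enumerate(ALPHABET)}

# Standard alphabet in the same positions; used only for the translate() cross-check.
_STANDARD = string.ascii_uppercase + string.ascii_lowercase + string.digits + '+/'
_TO_STANDARD = str.maketrans(ALPHABET, _STANDARD)


def dec_shift(a, b, c, d):
    """Same arithmetic as the gist's decShiftFunc: four 6-bit values -> three bytes."""
    return bytes([
        ((a & 0x3F) << 2) | ((b & 0x30) >> 4),
        ((b & 0x0F) << 4) | ((c & 0x3C) >> 2),
        ((c & 0x03) << 6) | (d & 0x3F),
    ])


def custom_b64decode(text):
    """Decode text written in ALPHABET. Characters outside the alphabet (newlines,
    spaces) are skipped; a trailing group of 2 or 3 symbols yields 1 or 2 bytes
    (assumption: the encoder emits no padding symbol)."""
    values = [_VALUE[ch] for ch in text if ch in _VALUE]
    out = bytearray()
    for i in range(0, len(values), 4):
        group = values[i:i + 4]
        n = len(group)
        if n == 1:
            raise ValueError('dangling 6-bit symbol at offset %d' % i)
        group += [0] * (4 - n)
        out += dec_shift(*group)[:n - 1]   # 4 symbols -> 3 bytes, 3 -> 2, 2 -> 1
    return bytes(out)


def custom_b64encode(raw):
    """Inverse of custom_b64decode; added here only to build test vectors."""
    out = []
    for i in range(0, len(raw), 3):
        chunk = raw[i:i + 3]
        n = len(chunk)
        v = int.from_bytes(chunk + b'\x00' * (3 - n), 'big')
        symbols = [(v >> 18) & 0x3F, (v >> 12) & 0x3F, (v >> 6) & 0x3F, v & 0x3F]
        out.extend(ALPHABET[s] for s in symbols[:n + 1])
    return ''.join(out)


def decode_via_translate(text):
    """Shortcut: map ALPHABET onto the standard table and let base64 do the work."""
    std = ''.join(ch for ch in text if ch in _VALUE).translate(_TO_STANDARD)
    std += '=' * (-len(std) % 4)
    return base64.b64decode(std)


# Constructed sample: plaintext chosen for the example, not data from a real capture.
SAMPLE_PLAINTEXT = b'host=c2.example.invalid;port=8080;id=0001'
SAMPLE_ENCODED = custom_b64encode(SAMPLE_PLAINTEXT)

if __name__ == '__main__':
    print('encoded :', SAMPLE_ENCODED)
    print('decoded :', custom_b64decode(SAMPLE_ENCODED))
    print('translate cross-check:', decode_via_translate(SAMPLE_ENCODED) == SAMPLE_PLAINTEXT)
```

For a real capture, paste the DATA string into custom_b64decode; if the output from the bit-shuffle and from decode_via_translate ever differ, the sample's encoder is using '=' as padding rather than as a symbol, and the trailing '=' should be stripped before decoding.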
'''
Tested on the sample (Sha256):
70e303792d1699fc53b9b3251faf7fc66a070a981972ab64783a1a368e4c96f8
'''
import re
from base64 import b64decode
pattern = r'(\$\(\[Text\.Encoding\].*FromBase64String(\(.*\'\))\)\))'
file_handle = open('metamorfo_stage.ps1', 'r').readlines()

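The gist above greps a Metamorfo PowerShell stage for $([Text.Encoding]...FromBase64String('...'))) expressions, but the preview stops before the decoding loop. The following is an added example, not the gist's code: it runs a regex of the same shape over a constructed stage, decodes each blob with the .NET text encoding the script names, and rewrites the expression as a plain PowerShell string literal so the next layer can be read. The sample stage, the helper names and the encoding table are my assumptions; the real sample (hash above) is not reproduced here.

```python
import base64
import re

# Matches the expression shape the gist's regex targets. Group 1 is the .NET encoding
# property, group 2 the base64 payload. Assumption: the payload is always single-quoted.
PATTERN = re.compile(
    r"\$\(\[Text\.Encoding\]::(\w+)\.GetString\("
    r"\[Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)\)\)"
)

# .NET encoding property -> Python codec. Anything else falls back to UTF-8.
ENCODINGS = {
    'UTF8': 'utf-8',
    'ASCII': 'ascii',
    'Unicode': 'utf-16-le',
    'BigEndianUnicode': 'utf-16-be',
    'UTF32': 'utf-32-le',
}


def extract_blobs(script):
    """Return (encoding_name, base64_text) for every wrapped blob in the script."""
    return [(m.group(1), m.group(2)) for m in PATTERN.finditer(script)]


def decode_blob(encoding_name, b64_text):
    """Decode one blob the way GetString would, tolerating undecodable bytes."""
    raw = base64.b64decode(b64_text, validate=True)
    return raw.decode(ENCODINGS.get(encoding_name, 'utf-8'), errors='replace')


def ps_literal(text):
    """Single-quoted PowerShell literal; the only escape needed is '' for '."""
    return "'" + text.replace("'", "''") + "'"


def deobfuscate(script):
    """Replace each wrapped blob with its decoded content as a string literal.
    A function replacement is used so backslashes in decoded text are left alone."""
    return PATTERN.sub(lambda m: ps_literal(decode_blob(m.group(1), m.group(2))), script)


def _wrap(text, encoding_name='UTF8'):
    """Builds a blob in the obfuscated shape; used only to construct the sample stage."""
    b64 = base64.b64encode(text.encode(ENCODINGS[encoding_name])).decode('ascii')
    return f"$([Text.Encoding]::{encoding_name}.GetString([Convert]::FromBase64String('{b64}')))"


# Constructed stage for the example: three lines, two of them wrapped, one plain.
SAMPLE_STAGE = '\n'.join([
    '$url = ' + _wrap('http://c2.example.invalid/postal.php'),
    'Invoke-Expression ' + _wrap("Write-Host 'stage two'", 'Unicode'),
    "$plain = 'nothing to decode here'",
])

if __name__ == '__main__':
    for enc, blob in extract_blobs(SAMPLE_STAGE):
        print(f'[{enc}] {blob[:24]}... -> {decode_blob(enc, blob)!r}')
    print(deobfuscate(SAMPLE_STAGE))
```

Run deobfuscate over the stage file's contents until extract_blobs returns nothing; stages that nest one wrapped blob inside another decode one layer per pass.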
import malduck, base64
stringsArr = ["l6PjPku2W0NahCbd36HRrMt3OvjY3svw1l1VAr63795ZSuvoliYrT76jhbTr4DE8", "4WRsAYF5K2xRj+RDB0sKxkw/o2ydLwGi6hIsHroFCdSiRcRHYtZnvb0vCwvSX/gZZm0XrYdyIRihnH0golgTnw==", "kmzDkgXFNZdRuTuEfEqezXxHNC1Rwm0b4ue46PIMCepKi1QIqIq7E2+SGtocFtO8", "6R8tAX5y2sTw3n3BbYUlkjyTeUc5Ofw54meqCSi4mH+9ZYfEB2131KxLGdN69eJK", "Jr6UMUJ0YhXKRkEIpLCp24bTPyxnJWdtVXhOC7+0AyWQWTSPZjyonsULOO2ZOWF/", "xGJJoWLWFMxSxoB8htqGOmYX/TMOIA7Bzko0YYF5Y9EhBvslJyDCKS/rwfro++UP", "SC2owWo4MmTJBghMVtfnpRbs8+qH52p4DmwW3eIP6czxHpW5sHkepVpqH6Gbrahj", "ZfRqRkS4CHiLOSm7xkYtAOZnOtCJ0PUrE0LtPXqgMk3caiFq5kvaQaEnMn9JJVK2", "NEbscDY49aJvF7kL06jKIDFb9jj1YlLzMyWZMl544mrTzoKm+lGEDBWdryGyQrHR", "ojKSz0v47RFdKwl9S6O1zHupe7ZenfrEAR/9rgOrwHwmYNOslKo3MjFCDs9DPNuY","Y4HSgrFfpnLhMfKBVsjyPZD0QPwUKKbg6dWnoqwo5G8E2KM+5S+UyNU/P8conXK4", "EDZYNxVIULdr5D3RKLvWJwjhhmvR8xT4v0KfwrYiSwA54E+o1hpLK2Wk0BIQbwEb", "I0gpZ9ePYvBLfpMhjUvizL3CYp5lh1y9AnM30RW7o0zh4qjMMq0Q/bxLWkR7B7e5", "oR9rs61M+SrQkpnQ21S5AnRhHz3eyDk8Sti9cABB8/gkAfaAEWRg/DY9kOcJDuHv", "Y2U8u7XAzFi