Alexander Rausch GitMirar

## 2ed3e37608e65be8b6e8c59f8c93240bd0efe9a60c08c21f4889c00eb6082d74-decoded-strings.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              3 stars
            
          
                W3ndige
                / 2ed3e37608e65be8b6e8c59f8c93240bd0efe9a60c08c21f4889c00eb6082d74-decoded-strings.md
            
            
              Created
              May 7, 2020 08:51
            
          
    Strings decoded from the newer version of #EKANS ransomware.
import re
import sys
import pefile
import struct
import binascii

  
## IOCs
#Source Blog Post
https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
---

#Yara Rules
---
rule WinntiLinux_Dropper : azazel_fork
{
    meta:
        desc = "Detection of Linux variant of Winnti"

## cobaltstrike_sa.txt
Windows version:
	reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Users who have authed to the system:
	ls C:\Users\

System env variables:
	reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Saved outbound RDP connections:

## install_m2crypto.txt
$> brew install openssl
$> brew install swig
$> env LDFLAGS="-L$(brew --prefix openssl)/lib" \
CFLAGS="-I$(brew --prefix openssl)/include" \
SWIG_FEATURES="-cpperraswarn -includeall -I$(brew --prefix openssl)/include" \
pip install m2crypto

## twoStrings.sh
#!/bin/bash
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed  's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
	#Source Blog Post
	https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
	---

	#Yara Rules
	---
	rule WinntiLinux_Dropper : azazel_fork
	{
	meta:
	desc = "Detection of Linux variant of Winnti"
	Windows version:
	reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

	Users who have authed to the system:
	ls C:\Users\

	System env variables:
	reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

	Saved outbound RDP connections:
	$> brew install openssl
	$> brew install swig
	$> env LDFLAGS="-L$(brew --prefix openssl)/lib" \
	CFLAGS="-I$(brew --prefix openssl)/include" \
	SWIG_FEATURES="-cpperraswarn -includeall -I$(brew --prefix openssl)/include" \
	pip install m2crypto
	#!/bin/bash
	(strings -a -td "$@" \| sed 's/^\(\s[0-9][0-9]\) \(.\)$/\1 A \2/' ; strings -a -td -el "$@" \| sed 's/^\(\s[0-9][0-9]\) \(.\)$/\1 W \2/') \| sort -n