hasherezade/bot_logs.csv Secret

Last active Nov 27, 2019
Embed
What would you like to do?
String decoder for IcedID
190cc,[INFO] bot.bc.socks > sock=%p host=%s
19110,[ERROR] bot.dg.pass.chrome > sqlite exec_1 status=%u
19234,[INFO] bot.inj.replace.range > replaced=%s
19268,[INFO] bot.bc.data.start > new_ip=%s
19298,[INFO] bot.inj.config > apc id=%u size=%u
192f8,[INFO] bot.inj.api > form send=%s url=%s
19354,[INFO] bot.url.gethost > host=%s
193c8,[ERROR] bot.dg.pass.chrome > uncrypt gle=%u
1939c,[INFO] bot.bc.socks > new sock=%p
19480,[INFO] bot.dg.sqlite > use internal
19640,[INFO] bot.install > alredy
19608,[INFO] bot.bc.data.start > close old connect
195b8,[ERROR] bot.shed > IAction_QueryInterface(IExecAction)=%0.8X
19584,[INFO] bot.inj.grab.full > grabbed
19558,[ERROR] bot.gate.query > internal
1951c,[ERROR] bot.dg.cookie.chrome > copy("%s", "%s") gle=%u
194b0,[INFO] bot.gate.alive > reply
197c0,[ERROR] bot.proxy.cert.manager.get_raw > CertSetCertificateContextProperty() gle=%u
1978c,[ERROR] bot.install > copy("%s", "%s")=%u
196ac,[ERROR] bot.gate.queue.add > merge/pack
19920,[INFO] bot.inj.grab.regexp > grabbed
198b0,[ERROR] bot.proxy.cert.manager.get_raw > CertCreateCertificateContext(size=%u head=%0.8X%0.8X) gle=%u
19abc,[INFO] bot.cmd > var del param=%s
19a90,[ERROR] bot.url.get > clone host
19a60,[INFO] bot.cmd > run shellcode param=%s
19a0c,[INFO] bot.proxy.cert.manager.init > find_ca=%p gle=%u
199e8,[INFO] bot.init > alive=%u
1ac20,[ERROR] bot.url.get > clone urlpath
19de4,[ERROR] bot.dg.sqlite > save size=%u gle=%u name=%s
19db8,[INFO] bot.cmd > dlexec param=%s
19cd0,[ERROR] bot.bc.data.session > read cmd or reconnect cmd
19c98,[INFO] bot.inj.config > set apc id=%u size=%u
19c58,[INFO] bot.bc.data.session > vnc cmd id=%0.8X key=%0.8X
19bec,[INFO] bot.cmd > file get param=%s
19bb0,[INFO] bot.cmd > set alive timeout param=%s
1d1c0,SyncServer%SMailOutgoing
19700,kb%u.exe
1a7a4,kb%u.dll
1b470,cert9.db
1d098,cert8.db
1b1b4,key3.db
1d304,key4.db
1d6f8,logins.json
1d5d0,"SELECT host, path, isSecure, expiry, name, value FROM moz_cookies"
1be88,Firefox/cookies-%u.txt
1ac20,"[ERROR] bot.url.get > clone urlpath"
1d400,"C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only; CN=VeriSign Class 3 Public Primary Certification Authority - G5"
1c5cc,"SeShutdownPrivilege"
1a17c,"c:\ProgramData"
19e90,"Content-Type: application/octet-stream"
1a104,"Content-Type: application/x-www-form-urlencoded"
1a16c,"%0.8X%s"
1a29c,"text/plain"
1ad30,"text/javascript"
1d014,"\User Data\Default\Cookies"
1a2d8,"Google\Chrome SxS"
1d250,"Xpom"
1b09c,"Yandex\YandexBrowser"
1bf58,"Comodo\Dragon"
1bcdc,"Amigo"
184a8,"Orbitum"
1cf10,"Bromium"
19e30,"%u.%u.%u.%u.%u.%u"
19e20,"Superbird"
19de4,"[ERROR] bot.dg.sqlite > save size=%u gle=%u name=%s
"
19db8,"[INFO] bot.cmd > dlexec param=%s
"
19cd0,"[ERROR] bot.bc.data.session > read cmd or reconnect cmd
"
19c98,"[INFO] bot.inj.config > set apc id=%u size=%u
"
19c58,"[INFO] bot.bc.data.session > vnc cmd id=%0.8X key=%0.8X
"
19c2c,"1HTTP Server URL"
19bec,"[INFO] bot.cmd > file get param=%s
"
19bb0,"[INFO] bot.cmd > set alive timeout param=%s
"
19b84,"1NNTP User Name"
19b54,"\Mozilla\Firefox\Profiles\"
19b1c,"[ERROR] bot.bc.data.start > create work thread
"
19ae8,"Software\Microsoft\Windows\CurrentVersion\Run"
19abc,"[INFO] bot.cmd > var del param=%s
"
19a90,"[ERROR] bot.url.get > clone host
"
19a60,"[INFO] bot.cmd > run shellcode param=%s
"
19a0c,"[INFO] bot.proxy.cert.manager.init > find_ca=%p gle=%u
"
199e8,"[INFO] bot.init > alive=%u
"
199c8,"Epic Privacy Browser"
199b0,"uCozMedia\Uran"
19950,"POP3 Password"
19920,"[INFO] bot.inj.grab.regexp > grabbed
"
198b0,"[ERROR] bot.proxy.cert.manager.get_raw > CertCreateCertificateContext(size=%u head=%0.8X%0.8X) gle=%u
"
19820,"GET %s HTTP/1.1 Host: %s
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: %s
"
197c0,"[ERROR] bot.proxy.cert.manager.get_raw > CertSetCertificateContextProperty() gle=%u
"
1978c,"[ERROR] bot.install > copy("%s", "%s")=%u
"
19718,"SELECT origin_url,username_value,length(password_value),password_value FROM logins WHERE username_value <> ''"
196dc,"Elements Browser"
196ac,"[ERROR] bot.gate.queue.add > merge/pack
"
19688,"3POP3 Password"
19664,"3IMAP Password"
19640,"[INFO] bot.install > alredy
"
19608,"[INFO] bot.bc.data.start > close old connect
"
195b8,"[ERROR] bot.shed > IAction_QueryInterface(IExecAction)=%0.8X
"
19584,"[INFO] bot.inj.grab.full > grabbed
"
19558,"[ERROR] bot.gate.query > internal
"
1951c,"[ERROR] bot.dg.cookie.chrome > copy(%s, %s) gle=%u
"
194b0,"[INFO] bot.gate.alive > reply
--------------
%s
---------------
"
19480,"[INFO] bot.dg.sqlite > use internal
"
19440,"3HTTPMail Password"
193fc,"[%0.2u:%0.2u:%0.2u] %u| "
193c8,"[ERROR] bot.dg.pass.chrome > uncrypt gle=%u
"
1939c,"[INFO] bot.bc.socks > new sock=%p
"
19354,"[INFO] bot.url.gethost > host=%s
"
19338,"1IMAP User"
192f8,"[INFO] bot.inj.api > form send=%s url=%s
"
192d4,"\User Data\Default\Web Data"
19298,"[INFO] bot.inj.config > apc id=%u size=%u
"
19268,"[INFO] bot.bc.data.start > new_ip=%s
"
19234,"[INFO] bot.inj.replace.range > replaced=%s
"
191c8,"Software\Microsoft\ActiveSync\Partners"
191a8,"
Upgrade: websocket
"
19168,"[ERROR] bot.shed > ITaskDefinition_get_Actions=%0.8X
"
19150,"c:\Users\Public\"
19110,"[ERROR] bot.dg.pass.chrome > sqlite exec_1 status=%u
"
190fc,"X-WebKit-CSP"
190cc,"[INFO] bot.bc.socks > sock=%p host=%s
"
19098,"content-security-policy"
1b83c,"cookies.sqlite"
1bfac,"[WARN] bot.gate.alive > reply very big
"
188f0,"[INFO] bot.gate.alive > query status=%u
"
1ada0,"[INFO] bot.gate.alive > GET data
--------------
%s
---------------
"
1a960,"[INFO] bot.gate.alive > start
"
1a680,"[ERROR] bot.bc.main.session > read frame err=%0.8X gle=%u
"
1d4b0,"[ERROR] bot.bc.main.session > unknown frame type=%u
"
1c7cc,"[INFO] bot.bc.main.session > set_ip ip=%s
"
1d62c,"[WARN] bot.bc.main.session > set_ip size=%u
"
1a380,"[INFO] bot.bc.main.session > ping cmd
"
1d5a0,"[INFO] bot.bc.main.session > pong cmd
"
1aa74,"[INFO] bot.bc.main.session > fast cmd size=%u
"
19ec0,"[WARN] bot.bc.main.session > unknown cmd=%u
"
1c76c,"[INFO] bot.init > proxy=%u
"
1b1c8,"[INFO] bot.init > core init ver=%u pid=%s id=%s ldr_ver=%u
"
55a18,""
55a08,""
556ac,""
184fc,"MachineGuid"
1ce6c,"SOFTWARE\Microsoft\Cryptography"
1bb94,"[INFO] bot.init > hooker=%u
"
1d70c,"[INFO] bot.init > bc=%u
"
18ad4,"Software\Classes\CLSID\"
1c3bc,"[INFO] bot.init > install=%u
"
1978c,"[ERROR] bot.install > copy("%s", "%s")=%u
"
1b3a8,"[ERROR] bot.install > add task
"
19ae8,"Software\Microsoft\Windows\CurrentVersion\Run"
1a7e4,"[ERROR] bot.install > add reg gle=%u
"
18cb8,"[INFO] bot.cmd > desk link
"
18cdc,"[INFO] bot.cmd > update urllist param=%s
"
1ab50,"[INFO] bot.cmd > update sys config param=%s
"
1c604,"[INFO] bot.cmd > update main config param=%s
"
1bf30,"[INFO] bot.cmd > alive force
"
19bb0,"[INFO] bot.cmd > set alive timeout param=%s
"
1b518,"[INFO] bot.cmd > get log
"
1bc20,"[INFO] bot.cmd > set log filter param=%s
"
1a418,"[INFO] bot.cmd > var set param=%s
"
18520,"[INFO] bot.cmd > var get param=%s
"
1afec,"[ERROR] bot.gate.queue.add > add
"
19abc,"[INFO] bot.cmd > var del param=%s
"
1ac78,"[INFO] bot.cmd > get process list
"
1a6c4,"[INFO] bot.cmd > sysinfo
"
19db8,"[INFO] bot.cmd > dlexec param=%s
"
19a90,"[ERROR] bot.url.get > clone host
"
1a8c8,"[INFO] bot.url.get > url=%s://%s:%u%s
"
1c414,"[INFO] bot.url.get > item=%u list=%u
"
1ce44,"[INFO] bot.cmd > exec param=%s
"
1a6e8,"[INFO] bot.cmd > run cli param=%s
"
1b0c0,"[INFO] bot.cmd > file search param=%s
"
19bec,"[INFO] bot.cmd > file get param=%s
"
1a05c,"[INFO] bot.cmd > dump pass
"
1a3b0,"[INFO] bot.cmd > update loader param=%s
"
183ac,"[INFO] bot.cmd > update pack param=%s
"
1854c,"[INFO] bot.cmd.update > type=%u status=%u
"
1a9d0,"[INFO] bot.cmd > reboot
"
18920,"[WARN] bot.init > alredy run
"
1aa10,"{%0.8X-%0.4X-%0.4X-%0.4X-%0.4X%0.8X}"
1a458,"[INFO] bot.gate.queue > send type=%u subtype=%u flag=%u size=%u
"
1d228,"[ERROR] bot.gate.queue > send
"
1a08c,"[INFO] bot.init.proxy > status=%u
"
1a2b0,"[INFO] bot.proxy.init > port=%u
"
1aec4,"/data3.php?%08X%08X"
1c3e4,"[ERROR] bot.bc.main.connect > get host
"
1c658,"[INFO] bot.cmd.exec > cmd=%u param=%s
"
1bc54,"[WARN] bot.cmd.exec > status=false cmd=%u
"
1b280,"[INFO] bot.bc.data.session > ping cmd timeout=%u
"
1b170,"[INFO] bot.bc.data.session > socks cmd id=%0.8X key=%0.8X
"
19c58,"[INFO] bot.bc.data.session > vnc cmd id=%0.8X key=%0.8X
"
1d11c,"[ERROR] bot.bc.vnc > inject gle=%u
"
189a8,"[INFO] bot.bc.vnc > inject ok pid=%u
"
1a35c,"svchost.exe"
1d2c0,"[ERROR] bot.bc.vnc > create process gle=%u
"
1a77c,"[INFO] bot.cmd > dump cookie
"
19a0c,"[INFO] bot.proxy.cert.manager.init > find_ca=%p gle=%u
"
1f060,"%0.8X.tmp"
1b424,"[ERROR] bot.proxy.cert.manager.init > add to db gle=%u
"
19234,"[INFO] bot.inj.replace.range > replaced=%s
"
1c920,"[INFO] bot.inj.replace.text > replaced=%s
"
1d150,"[INFO] bot.inj.replace.full > replaced=%s
"
1c4dc,"[INFO] bot.inj.replace.regexp > replaced=%s
"
1a23c,"[INFO] bot.inj.replace.check > url=%s
"
1b330,"[INFO] bot.inj.grab.check > url=%s
"
18c3c,"[INFO] bot.inj.grab.keyword > grabbed
"
1c79c,"Transfer-Encoding"
1cbe8,"Content-Length"
// String decoder for IcedID
// works with the sample:
// 6aeb27d50512dbad7e529ffedb0ac153
#include <stdio.h>
#include <windows.h>

#include <cstdlib>
#include <cstring>
#include <iostream>

#include <peconv.h>
#define DEC_STR_OFFSET 0x068D0
// Signature of the sample's own string decoder: decode_string(encoded, out).
// decode_at_offset() treats a falsy return value as failure.
typedef BYTE *(__cdecl *decode_string_fn)(BYTE *encoded, BYTE *out);

// Size in bytes of the mapped sample; filled in by peconv::load_pe_executable.
size_t v_size = 0;

// Base address of the sample mapped by peconv; NULL until main() loads it.
BYTE *malware = NULL;

// Resolved in main() at DEC_STR_OFFSET inside the mapped image.
decode_string_fn decode_string = NULL;
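// Writes one CSV field to stdout: the text wrapped in double quotes, with
// every embedded double quote doubled (RFC 4180). Embedded newlines are left
// as-is; they are legal inside a quoted field and several decoded log
// strings end with one. Without the doubling, strings such as
// copy("%s", "%s") break CSV parsers.
static void print_csv_field(const char *text)
{
    std::cout << '"';
    for (const char *p = text; *p; ++p) {
        if (*p == '"') {
            std::cout << '"';
        }
        std::cout << *p;
    }
    std::cout << "\"\n";
}

// Wide-string twin of print_csv_field(), used for decoded UTF-16 strings.
static void print_csv_field(const wchar_t *text)
{
    std::wcout << L'"';
    for (const wchar_t *p = text; *p; ++p) {
        if (*p == L'"') {
            std::wcout << L'"';
        }
        std::wcout << *p;
    }
    std::wcout << L"\"\n";
}

/**
 * Decodes the encrypted string at `string_offset` inside the mapped sample
 * and prints it to stdout as one CSV row: `<offset in bare hex>,"<string>"`.
 *
 * The decoding is done by calling the sample's own decoder routine
 * (`decode_string`, resolved in main()), so that routine executes inside
 * this process. The mapped image and its size come from the globals
 * `malware` / `v_size`. Diagnostics go to stderr so stdout stays valid CSV.
 *
 * @param string_offset  offset of the encoded string relative to `malware`
 * @return 0 on success; -1 if the offset is not inside the image;
 *         -2 if the decoder pointer has not been set; -3 if the decoder
 *         reported failure.
 */
int decode_at_offset(DWORD string_offset)
{
    BYTE *enc_str = (BYTE*)((ULONG_PTR)malware + string_offset);
    // Only the first two bytes are range-checked here: the encoded string's
    // real length is known to the decoder, not to this tool.
    if (!peconv::validate_ptr(malware, v_size, enc_str, sizeof(WORD))) {
        std::cerr << "Invalid offset!\n";
        return -1;
    }
    if (!decode_string) {
        return -2;
    }
    // The decoder receives no size argument, so the buffer is kept large
    // (0x1000 bytes) and zero-filled. Declaring it as wchar_t keeps the
    // wide-string interpretation below correctly aligned.
    wchar_t out_buf[0x1000 / sizeof(wchar_t)] = { 0 };
    if (!decode_string(enc_str, reinterpret_cast<BYTE*>(out_buf))) {
        return -3;
    }
    // Bare hex, matching the offset format accepted on the command line;
    // restore decimal afterwards so later output is unaffected.
    std::cout << std::hex << string_offset << std::dec << ",";
    // Heuristic kept from the original: a decoded UTF-16 string whose first
    // code unit is ASCII has a NUL in its second byte, so strlen() sees 1.
    if (strlen(reinterpret_cast<const char*>(out_buf)) == 1) {
        print_csv_field(out_buf);
    } else {
        print_csv_field(reinterpret_cast<const char*>(out_buf));
    }
    return 0;
}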
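/**
 * Usage: <path to the malware> <encrypted string offset:hex>
 *
 * Maps the sample with peconv, resolves the sample's own string decoder at
 * the fixed DEC_STR_OFFSET (valid only for the sample named in the file
 * header) and prints the string at the given offset as one CSV row via
 * decode_at_offset(). Because the decoder is the sample's code, it executes
 * inside this process. The offset may be given with or without a leading
 * "0x".
 *
 * @return 0 when no offset was given (after printing usage), 1 when the
 *         offset argument is not a hex number, -1 when the sample cannot be
 *         loaded, otherwise decode_at_offset()'s result.
 */
int main(int argc, char *argv[])
{
    if (argc < 3) {
        std::cerr << "Args: <path to the malware><encrypted string offset:hex>" << std::endl;
        system("pause");
        return 0;
    }
    // Example offsets from this sample: 0x1B2E8, 0x1D5D0.
    // strtoul() with base 16 accepts an optional 0x/0X prefix, so one parse
    // covers both spellings. The end-pointer check rejects non-hex input;
    // sscanf("%X") could not distinguish a parse failure from offset 0,
    // which would then have run the decoder on the image header.
    char *end = NULL;
    const unsigned long parsed = strtoul(argv[2], &end, 16);
    if (end == argv[2] || *end != '\0') {
        std::cerr << "Invalid offset: " << argv[2] << std::endl;
        return 1;
    }
    const DWORD string_offset = static_cast<DWORD>(parsed);

    LPCSTR mal_path = argv[1];
    malware = peconv::load_pe_executable(mal_path, v_size);
    if (!malware) {
        std::cerr << "Failed to load: " << mal_path << std::endl;
        return -1;
    }
    // The decoder is located by a fixed offset into the mapped image, so this
    // only works for the sample the offset was taken from.
    decode_string = reinterpret_cast<BYTE *(__cdecl *)(BYTE *, BYTE *)>(
        (ULONG_PTR)malware + DEC_STR_OFFSET);
    const int res = decode_at_offset(string_offset);
    peconv::free_pe_buffer(malware);
    // Do not leave dangling pointers into the freed image.
    malware = NULL;
    decode_string = NULL;
    return res;
}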