String decoder for Iced ID
190cc,[INFO] bot.bc.socks > sock=%p host=%s
19110,[ERROR] bot.dg.pass.chrome > sqlite exec_1 status=%u
19234,[INFO] bot.inj.replace.range > replaced=%s
19268,[INFO] bot.bc.data.start > new_ip=%s
19298,[INFO] bot.inj.config > apc id=%u size=%u
192f8,[INFO] bot.inj.api > form send=%s url=%s
19354,[INFO] bot.url.gethost > host=%s
193c8,[ERROR] bot.dg.pass.chrome > uncrypt gle=%u
1939c,[INFO] bot.bc.socks > new sock=%p
19480,[INFO] bot.dg.sqlite > use internal
19640,[INFO] bot.install > alredy
19608,[INFO] bot.bc.data.start > close old connect
195b8,[ERROR] bot.shed > IAction_QueryInterface(IExecAction)=%0.8X
19584,[INFO] bot.inj.grab.full > grabbed
19558,[ERROR] bot.gate.query > internal
1951c,[ERROR] bot.dg.cookie.chrome > copy("%s", "%s") gle=%u
194b0,[INFO] bot.gate.alive > reply
197c0,[ERROR] bot.proxy.cert.manager.get_raw > CertSetCertificateContextProperty() gle=%u
1978c,[ERROR] bot.install > copy("%s", "%s")=%u
196ac,[ERROR] bot.gate.queue.add > merge/pack
19920,[INFO] bot.inj.grab.regexp > grabbed
198b0,[ERROR] bot.proxy.cert.manager.get_raw > CertCreateCertificateContext(size=%u head=%0.8X%0.8X) gle=%u
19abc,[INFO] bot.cmd > var del param=%s
19a90,[ERROR] bot.url.get > clone host
19a60,[INFO] bot.cmd > run shellcode param=%s
19a0c,[INFO] bot.proxy.cert.manager.init > find_ca=%p gle=%u
199e8,[INFO] bot.init > alive=%u
1ac20,[ERROR] bot.url.get > clone urlpath
19de4,[ERROR] bot.dg.sqlite > save size=%u gle=%u name=%s
19db8,[INFO] bot.cmd > dlexec param=%s
19cd0,[ERROR] bot.bc.data.session > read cmd or reconnect cmd
19c98,[INFO] bot.inj.config > set apc id=%u size=%u
19c58,[INFO] bot.bc.data.session > vnc cmd id=%0.8X key=%0.8X
19bec,[INFO] bot.cmd > file get param=%s
19bb0,[INFO] bot.cmd > set alive timeout param=%s
1d1c0,SyncServer%SMailOutgoing
19700,kb%u.exe
1a7a4,kb%u.dll
1b470,cert9.db
1d098,cert8.db
1b1b4,key3.db
1d304,key4.db
1d6f8,logins.json
1d5d0,"SELECT host, path, isSecure, expiry, name, value FROM moz_cookies"
1be88,Firefox/cookies-%u.txt
1ac20,"[ERROR] bot.url.get > clone urlpath"
1d400,"C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only; CN=VeriSign Class 3 Public Primary Certification Authority - G5"
1c5cc,"SeShutdownPrivilege"
1a17c,"c:\ProgramData"
19e90,"Content-Type: application/octet-stream"
1a104,"Content-Type: application/x-www-form-urlencoded"
1a16c,"%0.8X%s"
1a29c,"text/plain"
1ad30,"text/javascript"
1d014,"\User Data\Default\Cookies"
1a2d8,"Google\Chrome SxS"
1d250,"Xpom"
1b09c,"Yandex\YandexBrowser"
1bf58,"Comodo\Dragon"
1bcdc,"Amigo"
184a8,"Orbitum"
1cf10,"Bromium"
19e30,"%u.%u.%u.%u.%u.%u"
19e20,"Superbird"
19de4,"[ERROR] bot.dg.sqlite > save size=%u gle=%u name=%s
"
19db8,"[INFO] bot.cmd > dlexec param=%s
"
19cd0,"[ERROR] bot.bc.data.session > read cmd or reconnect cmd
"
19c98,"[INFO] bot.inj.config > set apc id=%u size=%u
"
19c58,"[INFO] bot.bc.data.session > vnc cmd id=%0.8X key=%0.8X
"
19c2c,"1HTTP Server URL"
19bec,"[INFO] bot.cmd > file get param=%s
"
19bb0,"[INFO] bot.cmd > set alive timeout param=%s
"
19b84,"1NNTP User Name"
19b54,"\Mozilla\Firefox\Profiles\"
19b1c,"[ERROR] bot.bc.data.start > create work thread
"
19ae8,"Software\Microsoft\Windows\CurrentVersion\Run"
19abc,"[INFO] bot.cmd > var del param=%s
"
19a90,"[ERROR] bot.url.get > clone host
"
19a60,"[INFO] bot.cmd > run shellcode param=%s
"
19a0c,"[INFO] bot.proxy.cert.manager.init > find_ca=%p gle=%u
"
199e8,"[INFO] bot.init > alive=%u
"
199c8,"Epic Privacy Browser"
199b0,"uCozMedia\Uran"
19950,"POP3 Password"
19920,"[INFO] bot.inj.grab.regexp > grabbed
"
198b0,"[ERROR] bot.proxy.cert.manager.get_raw > CertCreateCertificateContext(size=%u head=%0.8X%0.8X) gle=%u
"
19820,"GET %s HTTP/1.1 Host: %s
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: %s
"
197c0,"[ERROR] bot.proxy.cert.manager.get_raw > CertSetCertificateContextProperty() gle=%u
"
1978c,"[ERROR] bot.install > copy("%s", "%s")=%u
"
19718,"SELECT origin_url,username_value,length(password_value),password_value FROM logins WHERE username_value <> ''"
196dc,"Elements Browser"
196ac,"[ERROR] bot.gate.queue.add > merge/pack
"
19688,"3POP3 Password"
19664,"3IMAP Password"
19640,"[INFO] bot.install > alredy
"
19608,"[INFO] bot.bc.data.start > close old connect
"
195b8,"[ERROR] bot.shed > IAction_QueryInterface(IExecAction)=%0.8X
"
19584,"[INFO] bot.inj.grab.full > grabbed
"
19558,"[ERROR] bot.gate.query > internal
"
1951c,"[ERROR] bot.dg.cookie.chrome > copy(%s, %s) gle=%u
"
194b0,"[INFO] bot.gate.alive > reply
--------------
%s
---------------
"
19480,"[INFO] bot.dg.sqlite > use internal
"
19440,"3HTTPMail Password"
193fc,"[%0.2u:%0.2u:%0.2u] %u| "
193c8,"[ERROR] bot.dg.pass.chrome > uncrypt gle=%u
"
1939c,"[INFO] bot.bc.socks > new sock=%p
"
19354,"[INFO] bot.url.gethost > host=%s
"
19338,"1IMAP User"
192f8,"[INFO] bot.inj.api > form send=%s url=%s
"
192d4,"\User Data\Default\Web Data"
19298,"[INFO] bot.inj.config > apc id=%u size=%u
"
19268,"[INFO] bot.bc.data.start > new_ip=%s
"
19234,"[INFO] bot.inj.replace.range > replaced=%s
"
191c8,"Software\Microsoft\ActiveSync\Partners"
191a8,"
Upgrade: websocket
"
19168,"[ERROR] bot.shed > ITaskDefinition_get_Actions=%0.8X
"
19150,"c:\Users\Public\"
19110,"[ERROR] bot.dg.pass.chrome > sqlite exec_1 status=%u
"
190fc,"X-WebKit-CSP"
190cc,"[INFO] bot.bc.socks > sock=%p host=%s
"
19098,"content-security-policy"
1b83c,"cookies.sqlite"
1bfac,"[WARN] bot.gate.alive > reply very big
"
188f0,"[INFO] bot.gate.alive > query status=%u
"
1ada0,"[INFO] bot.gate.alive > GET data
--------------
%s
---------------
"
1a960,"[INFO] bot.gate.alive > start
"
1a680,"[ERROR] bot.bc.main.session > read frame err=%0.8X gle=%u
"
1d4b0,"[ERROR] bot.bc.main.session > unknown frame type=%u
"
1c7cc,"[INFO] bot.bc.main.session > set_ip ip=%s
"
1d62c,"[WARN] bot.bc.main.session > set_ip size=%u
"
1a380,"[INFO] bot.bc.main.session > ping cmd
"
1d5a0,"[INFO] bot.bc.main.session > pong cmd
"
1aa74,"[INFO] bot.bc.main.session > fast cmd size=%u
"
19ec0,"[WARN] bot.bc.main.session > unknown cmd=%u
"
1c76c,"[INFO] bot.init > proxy=%u
"
1b1c8,"[INFO] bot.init > core init ver=%u pid=%s id=%s ldr_ver=%u
"
55a18,""
55a08,""
556ac,""
184fc,"MachineGuid"
1ce6c,"SOFTWARE\Microsoft\Cryptography"
1bb94,"[INFO] bot.init > hooker=%u
"
1d70c,"[INFO] bot.init > bc=%u
"
18ad4,"Software\Classes\CLSID\"
1c3bc,"[INFO] bot.init > install=%u
"
1978c,"[ERROR] bot.install > copy("%s", "%s")=%u
"
1b3a8,"[ERROR] bot.install > add task
"
19ae8,"Software\Microsoft\Windows\CurrentVersion\Run"
1a7e4,"[ERROR] bot.install > add reg gle=%u
"
18cb8,"[INFO] bot.cmd > desk link
"
18cdc,"[INFO] bot.cmd > update urllist param=%s
"
1ab50,"[INFO] bot.cmd > update sys config param=%s
"
1c604,"[INFO] bot.cmd > update main config param=%s
"
1bf30,"[INFO] bot.cmd > alive force
"
19bb0,"[INFO] bot.cmd > set alive timeout param=%s
"
1b518,"[INFO] bot.cmd > get log
"
1bc20,"[INFO] bot.cmd > set log filter param=%s
"
1a418,"[INFO] bot.cmd > var set param=%s
"
18520,"[INFO] bot.cmd > var get param=%s
"
1afec,"[ERROR] bot.gate.queue.add > add
"
19abc,"[INFO] bot.cmd > var del param=%s
"
1ac78,"[INFO] bot.cmd > get process list
"
1a6c4,"[INFO] bot.cmd > sysinfo
"
19db8,"[INFO] bot.cmd > dlexec param=%s
"
19a90,"[ERROR] bot.url.get > clone host
"
1a8c8,"[INFO] bot.url.get > url=%s://%s:%u%s
"
1c414,"[INFO] bot.url.get > item=%u list=%u
"
1ce44,"[INFO] bot.cmd > exec param=%s
"
1a6e8,"[INFO] bot.cmd > run cli param=%s
"
1b0c0,"[INFO] bot.cmd > file search param=%s
"
19bec,"[INFO] bot.cmd > file get param=%s
"
1a05c,"[INFO] bot.cmd > dump pass
"
1a3b0,"[INFO] bot.cmd > update loader param=%s
"
183ac,"[INFO] bot.cmd > update pack param=%s
"
1854c,"[INFO] bot.cmd.update > type=%u status=%u
"
1a9d0,"[INFO] bot.cmd > reboot
"
18920,"[WARN] bot.init > alredy run
"
1aa10,"{%0.8X-%0.4X-%0.4X-%0.4X-%0.4X%0.8X}"
1a458,"[INFO] bot.gate.queue > send type=%u subtype=%u flag=%u size=%u
"
1d228,"[ERROR] bot.gate.queue > send
"
1a08c,"[INFO] bot.init.proxy > status=%u
"
1a2b0,"[INFO] bot.proxy.init > port=%u
"
1aec4,"/data3.php?%08X%08X"
1c3e4,"[ERROR] bot.bc.main.connect > get host
"
1c658,"[INFO] bot.cmd.exec > cmd=%u param=%s
"
1bc54,"[WARN] bot.cmd.exec > status=false cmd=%u
"
1b280,"[INFO] bot.bc.data.session > ping cmd timeout=%u
"
1b170,"[INFO] bot.bc.data.session > socks cmd id=%0.8X key=%0.8X
"
19c58,"[INFO] bot.bc.data.session > vnc cmd id=%0.8X key=%0.8X
"
1d11c,"[ERROR] bot.bc.vnc > inject gle=%u
"
189a8,"[INFO] bot.bc.vnc > inject ok pid=%u
"
1a35c,"svchost.exe"
1d2c0,"[ERROR] bot.bc.vnc > create process gle=%u
"
1a77c,"[INFO] bot.cmd > dump cookie
"
19a0c,"[INFO] bot.proxy.cert.manager.init > find_ca=%p gle=%u
"
1f060,"%0.8X.tmp"
1b424,"[ERROR] bot.proxy.cert.manager.init > add to db gle=%u
"
19234,"[INFO] bot.inj.replace.range > replaced=%s
"
1c920,"[INFO] bot.inj.replace.text > replaced=%s
"
1d150,"[INFO] bot.inj.replace.full > replaced=%s
"
1c4dc,"[INFO] bot.inj.replace.regexp > replaced=%s
"
1a23c,"[INFO] bot.inj.replace.check > url=%s
"
1b330,"[INFO] bot.inj.grab.check > url=%s
"
18c3c,"[INFO] bot.inj.grab.keyword > grabbed
"
1c79c,"Transfer-Encoding"
1cbe8,"Content-Length"
// String decoder for IcedID
// works with the sample:
// 6aeb27d50512dbad7e529ffedb0ac153
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>
#include <windows.h>
#include <peconv.h>
// Offset of the sample's own string-decoding routine, applied to the base of
// the image after peconv has mapped it. Specific to sample
// 6aeb27d50512dbad7e529ffedb0ac153 (see header comment).
#define DEC_STR_OFFSET 0x068D0

// Calling convention used here for that routine: (encrypted string, output
// buffer). No output length is passed; a NULL return is treated as failure by
// decode_at_offset().
typedef BYTE *(__cdecl *decode_string_fn)(BYTE *a1, BYTE *a2);

size_t v_size = 0;                      // size of the mapped image, set by load_pe_executable() in main()
BYTE *malware = NULL;                   // base of the mapped image; NULL until main() loads it
decode_string_fn decode_string = NULL;  // resolved by main() from DEC_STR_OFFSET
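// Decodes one encrypted string of the loaded sample and prints it on stdout as
// a CSV line "<offset>,\"<string>\"" with the offset in hex (the format used
// by the string lists above).
//
// string_offset: offset of the encrypted string relative to the mapped image
//                base (`malware`), the same kind of offset as DEC_STR_OFFSET.
// Returns 0 on success, -1 if the offset does not lie inside the mapped image,
// -2 if the decoder routine has not been resolved yet, -3 if the sample's
// decoder returned NULL.
//
// Uses the globals `malware`, `v_size` and `decode_string` set up by main().
int decode_at_offset(DWORD string_offset)
{
    BYTE* enc_str = (BYTE*)((ULONG_PTR)malware + string_offset);
    // Only the first WORD of the encrypted blob is range-checked: its real
    // length is known to the sample's decoder, not to this tool.
    if (!peconv::validate_ptr(malware, v_size, enc_str, sizeof(WORD))) {
        std::cout << "Invalid offset!\n";
        return -1;
    }
    if (!decode_string) {
        return -2;
    }
    // The decoder is the sample's own routine running in this process and it
    // receives no length for out_buf, so the buffer is sized generously and
    // zero-filled so that whatever it writes is followed by NUL bytes.
    BYTE out_buf[0x1000] = { 0 };
    if (!decode_string(enc_str, out_buf)) {
        return -3;
    }
    // Guarantee termination for both the narrow and the wide interpretation
    // below, even if the decoder filled the whole buffer.
    out_buf[sizeof(out_buf) - 1] = 0;
    out_buf[sizeof(out_buf) - 2] = 0;
    std::cout << std::hex << string_offset << ",";
    // Heuristic: a narrow strlen of 1 means the second byte is NUL, which is
    // what a UTF-16 string of ASCII characters looks like, so print it wide.
    // A genuine one-character narrow string is misreported by this test.
    if (strlen((char*)out_buf) == 1) {
        std::wcout << "\"" << (wchar_t*)out_buf << "\"\n";
    }
    else {
        std::cout << "\"" << (char*)out_buf << "\"\n";
    }
    return 0;
}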
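// Usage: <path to the malware> <encrypted string offset:hex>
// Maps the sample into memory, resolves its string decoder at DEC_STR_OFFSET
// and prints the decoded string found at the requested offset.
// Exit code: 0 on success or on a usage error, -1 if the offset is not a hex
// number or the sample cannot be loaded, otherwise the decode_at_offset() result.
int main(int argc, char *argv[])
{
    if (argc < 3) {
        std::cerr << "Args: <path to the malware><encrypted string offset:hex>" << std::endl;
        system("pause");
        return 0;
    }
    // Example offsets from this sample: 0x1B2E8, 0x1D5D0.
    // strtoul with base 16 accepts both "1B2E8" and "0x1B2E8"; the previous
    // sscanf("%#X") fallback is not a valid scanf conversion, and a
    // non-numeric argument silently became offset 0.
    char *end = NULL;
    unsigned long parsed = strtoul(argv[2], &end, 16);
    if (end == argv[2] || *end != '\0') {
        std::cerr << "Invalid offset: " << argv[2] << std::endl;
        return -1;
    }
    DWORD string_offset = (DWORD)parsed;
    LPCSTR mal_path = argv[1];
    //std::cout << "Reading module from: " << mal_path << std::endl;
    malware = peconv::load_pe_executable(mal_path, v_size);
    if (!malware) {
        //system("pause");
        return -1;
    }
    //std::cout << "malware loaded!\n";
    // The decoder is located by a hard-coded offset into the mapped image, so
    // this only works for the sample DEC_STR_OFFSET was taken from.
    decode_string = (BYTE * (__cdecl *)(BYTE *, BYTE *)) ((ULONG_PTR) malware + DEC_STR_OFFSET);
    int res = decode_at_offset(string_offset);
    peconv::free_pe_buffer(malware);
    return res;
}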