Pierre Le Bourhis lbpierre

## clsid-identifier.py
import sys
import struct

CLSID = {
    "IMediaEventEx": "56a868c0-0ad4-11ce-b03a-0020af0ba770,",
    "INetworkCostManager": "dcb00008-570f-4a9b-8d69-199fdba5723b",
    "INetworkConnectionCost": "dcb0000a-570f-4a9b-8d69-199fdba5723b",
    "INetworkCostManagerEvents": "dcb00009-570f-4a9b-8d69-199fdba5723b",
    "IEnumNetworks": "dcb00003-570f-4a9b-8d69-199fdba5723b",
    "IEnumNetworkConnections": "dcb00006-570f-4a9b-8d69-199fdba5723b",

## pikabot-network-decrypt.py
# Hexdump viewer
def hexdump(data: bytes, length: int = 16) -> None:
    def is_printable(b):
        return 0x20 <= b < 0x7f

    def to_printable(b):
        if is_printable(b):
            return f'\033[34m{chr(b)}\033[0m'
        else:
            return f'\033[31m.\033[0m'

## pikabot-s2-next-stage-execution.c
void execute_next_stage()
{
  _IMAGE_DOS_HEADER *decompressed_buffer; // edi
  IMAGE_NT_HEADERS *lfanew; // esi
  _IMAGE_NT_HEADERS *v2; // esi
  _BYTE *v3; // ebx
  char *v4; // ebx
  int v5; // ebx
  int Heap; // [esp+C8h] [ebp-C8h]
  int i; // [esp+100h] [ebp-90h]

## SW2_SyscallList_hex.dmp
00000000f90100001719a606d06607001f3fa801e06607001e1db13ef06607006dc1ac9700670700c1ee3e8410670700340d98322067070027ff8235306707008ef8d80040670700be8278e250670700071ccc4460670700e7188913706707001a1fb02080670700b25b283c90670700b18c0b92a06707001b344cefb0670700113b9d12c06707001b3aa70ad06707002ed4fbaae06707003398c9edf0670700ef5799a900680700b95aa8bd10680700b42f2121206807009cb0ea5f306807007e78d35b40680700c62ed4c550680700c0d041c5606807008139947e90680700169dcdf3a068070095990786b0680700ecda52edc0680700b77c2270d0680700180572e0e06807004ae3b99cf0680700129898ac00690700b1c82aaf1069070087a91483206907000819882f30690700e36cc9e2406907007e78ad5f506907008cbab828606907007528e14e706907002ddeb2d680690700f115ac36906907007fe9abb5a0690700047e9f51b0690700525cce46c0690700e350ae6fd06907005dec9fb6e0690700c9c8bc0af06907000cf194fb006a070014ef8eee106a0700b19d1483206a07007dd02ff4306a07002c40bb2a406a0700a1983398506a070007308f16606a07009683069d706a0700102cba24806a0700f8921586906a07006ad2b798a06a070067b2de86b06a07007e4eb962c06a0700541b8c3ed06a0700

## SelfAU3-deobfusct.py
import re
from itertools import filterfalse
from collections import Counter
from typing import List, Tuple, Set

reg_DENIS = re.compile(r"(dennis\(\")([0-9\]\"]{1,})(,)([0-9]{1,})([\/])([0-9]{1,})([\)])")
reg_INT_VAR = re.compile(r"(\$)(?P<name>[a-zA-Z0-9]{1,})( )=( )([0-9]{1,})")


def dennis(string, diff):

## tcp_server.py
import os
import sys
import time
import struct
import logging
import socket
import select
import argparse
import platform
from itertools import zip_longest

## diceloader-extractor.py
import sys
import pefile
from typing import List


def get_data_section_virtualAddress(pe: pefile.PE) -> int:
    """Return the .data section of a PE file."""

    data_va: int = 0

## ReflectiveDLLInjection.h
#define DLL_QUERY_HMODULE		6

#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)


#define DLLEXPORT   __declspec( dllexport )

## darkgate-doc-action-id.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                lbpierre
                / darkgate-doc-action-id.md
            
            
              Created
              November 16, 2023 15:40
            
              
                DarkGate C2 communication action ID description
              
          
Action Id
Description


1052
search and delete log files


1053
self update (and remove traces of the update, rmdir /s /q c:\temp && del /q /f %temp%*.au30)


1060
delete shadow copies (c vssadmin delete shadows /for=c: /all /quiet)


1072
kill rar process and remove traces of rar archive


1096
ntdll used to execute payload in memory as notepad.exe


1099
Spoof parent PID to execute a cmd.exe


1100
APC injection via NtTestAlert


1101
APC injection via NtTestAlert


## AV_checked.txt
ByteFence
C:\Program Files (x86)\Avira
C:\Program Files (x86)\F-Secu
C:\Program Files (x86)\IObit
C:\Program Files (x86)\Sophos
C:\Program Files\Malwarebytes
C:\Program Files\Quick Heal
C:\ProgramData\Emsisoft
C:\ProgramData\Kaspersky Lab
Comodo
	import sys
	import struct

	CLSID = {
	"IMediaEventEx": "56a868c0-0ad4-11ce-b03a-0020af0ba770,",
	"INetworkCostManager": "dcb00008-570f-4a9b-8d69-199fdba5723b",
	"INetworkConnectionCost": "dcb0000a-570f-4a9b-8d69-199fdba5723b",
	"INetworkCostManagerEvents": "dcb00009-570f-4a9b-8d69-199fdba5723b",
	"IEnumNetworks": "dcb00003-570f-4a9b-8d69-199fdba5723b",
	"IEnumNetworkConnections": "dcb00006-570f-4a9b-8d69-199fdba5723b",
	# Hexdump viewer
	def hexdump(data: bytes, length: int = 16) -> None:
	def is_printable(b):
	return 0x20 <= b < 0x7f

	def to_printable(b):
	if is_printable(b):
	return f'\033[34m{chr(b)}\033[0m'
	else:
	return f'\033[31m.\033[0m'
	void execute_next_stage()
	{
	_IMAGE_DOS_HEADER *decompressed_buffer; // edi
	IMAGE_NT_HEADERS *lfanew; // esi
	_IMAGE_NT_HEADERS *v2; // esi
	_BYTE *v3; // ebx
	char *v4; // ebx
	int v5; // ebx
	int Heap; // [esp+C8h] [ebp-C8h]
	int i; // [esp+100h] [ebp-90h]
	import re
	from itertools import filterfalse
	from collections import Counter
	from typing import List, Tuple, Set

	reg_DENIS = re.compile(r"(dennis\(\")([0-9\]\"]{1,})(,)([0-9]{1,})([\/])([0-9]{1,})([\)])")
	reg_INT_VAR = re.compile(r"(\$)(?P<name>[a-zA-Z0-9]{1,})( )=( )([0-9]{1,})")


	def dennis(string, diff):
	import os
	import sys
	import time
	import struct
	import logging
	import socket
	import select
	import argparse
	import platform
	from itertools import zip_longest
	import sys
	import pefile
	from typing import List


	def get_data_section_virtualAddress(pe: pefile.PE) -> int:
	"""Return the .data section of a PE file."""

	data_va: int = 0
	#define DLL_QUERY_HMODULE 6

	#define DEREF( name )(UINT_PTR )(name)
	#define DEREF_64( name )(DWORD64 )(name)
	#define DEREF_32( name )(DWORD )(name)
	#define DEREF_16( name )(WORD )(name)
	#define DEREF_8( name )(BYTE )(name)


	#define DLLEXPORT __declspec( dllexport )
Action Id	Description
1052	search and delete log files
1053	self update (and remove traces of the update, rmdir /s /q c:\temp && del /q /f %temp%*.au30)
1060	delete shadow copies (c vssadmin delete shadows /for=c: /all /quiet)
1072	kill rar process and remove traces of rar archive
1096	ntdll used to execute payload in memory as notepad.exe
1099	Spoof parent PID to execute a cmd.exe
1100	APC injection via NtTestAlert
1101	APC injection via NtTestAlert
	ByteFence
	C:\Program Files (x86)\Avira
	C:\Program Files (x86)\F-Secu
	C:\Program Files (x86)\IObit
	C:\Program Files (x86)\Sophos
	C:\Program Files\Malwarebytes
	C:\Program Files\Quick Heal
	C:\ProgramData\Emsisoft
	C:\ProgramData\Kaspersky Lab
	Comodo