╭─msm@mercury /home/msm/21576/dumps | |
╰─$ rip ./500.400000.58880.recovered.exe | |
[+][anal] Loaded modules: dridex, teslacrypt, spora, netwire, tinba_dga, cryptomix, kronos, reactor, hancitor, chthonic, nymaim, citadel, cryptoshield, torrentlocker, madlocker, emotet, bunitu, smokeloader, pony, andromeda, gootkit, cryptowall, zeus, bublik, panda, sendsafe, ruckguv, dyre, locky, vmzeus, shifu, sage, tofsee, cerber, odinaff, kovter, vawtrak, kbot, isfb, zloader, necurs, trickbot, h1n1, torment, slave, kins, tinba | |
Potential malware family dected: ['tofsee'] | |
malware data: | |
{ | |
"other": [ | |
"MSConfig", | |
"svchost.exe", |
----------DOS_HEADER---------- | |
[IMAGE_DOS_HEADER] | |
0x0 0x0 e_magic: 0x5A4D | |
0x2 0x2 e_cblp: 0x7EA | |
0x4 0x4 e_cp: 0xC000 | |
0x6 0x6 e_crlc: 0x8C07 | |
0x8 0x8 e_cparhdr: 0x8EC8 | |
0xA 0xA e_minalloc: 0x8ED8 | |
0xC 0xC e_maxalloc: 0x8EC0 |
import diaphora | |
import difflib | |
class Diaphora: | |
def show_pseudo_diff(self, item): | |
cur = self.db_cursor() | |
sql = """select * | |
from ( | |
select prototype, pseudocode, name, 1 | |
from functions |
{ | |
"binary": "65e561e3300832315a31f29858a8107a", | |
"template_32bit_2": "%windir%\\system32\\rundll32.exe; -%!rndl_0_0_2_1_3% %!rndl_0_0_2_3_8%.dll", | |
"urls": [ | |
"http://osbjsguans.com/xgkoa/index.php", | |
"http://gendedopn.com/xgkoa/index.php" | |
], | |
"public_key": { | |
"e": 65537, | |
"n": "11113205665845436812651904385750414999552913569403314469251258315749133996891461405161790020758234842248099801092820912358831516131541192465714139003657213" |
{ | |
"binary": "65e561e3300832315a31f29858a8107a", | |
"template_32bit_2": "%windir%\\system32\\rundll32.exe; -%!rndl_0_0_2_1_3% %!rndl_0_0_2_3_8%.dll", | |
"urls": [ | |
"http://osbjsguans.com/xgkoa/index.php", | |
"http://gendedopn.com/xgkoa/index.php" | |
], | |
"public_key": { | |
"e": 65537, | |
"n": "11113205665845436812651904385750414999552913569403314469251258315749133996891461405161790020758234842248099801092820912358831516131541192465714139003657213" |
import socket, struct, binascii, random, hashlib | |
import time, os, errno, glob | |
import pprint | |
import libs.tofsee.parse as parse | |
import libs.tofsee.decompress as decompress | |
import libs.tofsee.parse_mail as parse_mail | |
import libs.log as log | |
from libs.remote import HTTPBot |
if hash == self.CFG_URL: # '48c2026b': | |
parsed['urls'] += [{'url': append_http(x)} for x in filter(None, map(get_domainc, raw.split(';')))] | |
elif hash == self.CFG_DGA_HASH: # 'd9aea02a': | |
parsed['dga_hash'] = [uint32(h) for h in chunks(raw, 4)] | |
elif hash == self.CFG_DOMAINS: # '095d4b1d': | |
parsed['domains'] += map(lambda x: {'cnc': x}, filter(None, map(get_domainc, raw.split(';')))) | |
elif hash == self.CFG_ENC_KEY: # '510be622': | |
parsed['encryption_key'] = raw | |
... |
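def parse_static_config(blob):
    """Walk a decrypted static config and hand every chunk to process_chunk.

    The config is a flat sequence of records laid out back to back as
    ``type (4 bytes) | length (uint32) | content (length bytes)``. The
    4-byte type is also called "hash" or "chunk hash" in this article.

    Args:
        blob: raw bytes of the decrypted config.

    Raises:
        ValueError: if a chunk header is cut short, or a chunk declares more
            content than remains in ``blob``. Either means the blob is
            truncated or was not decrypted correctly; failing loudly here is
            preferable to silently passing a partial chunk to process_chunk.
    """
    total = len(blob)
    i = 0
    while i < total:
        # A record needs at least the 8-byte type/length header.
        if total - i < 8:
            raise ValueError(
                "truncated chunk header at offset %d: %d bytes left, need 8"
                % (i, total - i)
            )
        chunk_type = blob[i:i + 4]  # chunk type, also called "hash" or "chunk hash"
        chunk_len = from_uint32(blob[i + 4:i + 8])
        start = i + 8
        end = start + chunk_len
        # Untrusted length field: refuse to hand out a silently truncated slice.
        if end > total:
            raise ValueError(
                "chunk at offset %d declares %d bytes but only %d remain"
                % (i, chunk_len, total - start)
            )
        chunk_content = blob[start:end]
        process_chunk(chunk_type, chunk_content)  # this function should process every type of chunk
        i = end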
/* One record of the static config; records follow each other back to back. */
struct chunk {
    uint32_t type;           /* chunk type, also called "hash" or "chunk hash" in this article */
    uint32_t length;         /* byte length of the data that follows the 8-byte header */
    char data[chunk_length]; /* NOTE(review): `chunk_length` is not a field of this struct and
                                presumably means `length`; a trailing member sized by another
                                field is illustrative layout, not compilable C as written */
}
def nymaim_config_crypt(self, mem, ndx): | |
"""decrypt final config (read keys and length and decrypt raw data)""" | |
key0 = mem.dword(ndx) | |
key1 = mem.dword(ndx+4) | |
len = mem.dword(ndx+8) | |
raw = mem.read(ndx + 12, len) | |
prev_chr = 0 | |
result = '' | |
for i, c in enumerate(raw): |