Skip to content

Instantly share code, notes, and snippets.

@sysopfb

sysopfb/s.md

Created October 19, 2021 20:31
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save sysopfb/608d1f3d94e5d0ccdaf71018a7ad3d17 to your computer and use it in GitHub Desktop.
Save sysopfb/608d1f3d94e5d0ccdaf71018a7ad3d17 to your computer and use it in GitHub Desktop.
Download ZIP
FlawedGrace partial strings
Raw
s.md

New samples: https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant

Ascii strings are double XORd, one hardcoded key 0x40 bytes and one single byte

 -nm
TestStarter.exe
TestService.exe
explorer.exe
winlogon.exe
lsass.exe
notepad.exe
explorer.exe
Software
powershell.exe
-sf
-wf
-ss
powershell.exe
rundll32.exe
-em
%s_%i
%s_%i
%s_%i
\REGISTRY\MACHINE
\??\
Local\%s
Global\%s
er0ewjflk3qrhj81
-nm
bitdefender
sophos
windows
symantec
norton
trend
SeShutdownPrivilege
wtsapi32.dll
WTSEnumerateSessionsExW
wtsapi32.dll
WTSFreeMemoryExW
SoftwareSASGeneration
\Software\Microsoft\Windows\CurrentVersion\Policies\System
wmsgapi.dll
WmsgSendMessage
-cs
-cs
Software\Classes\CLSID
%s\%s
cd
\InprocServer32
cd
cd
cd
cd
\InprocServer32
ntdll.dll
RtlInitUnicodeString
RtlEqualString
RtlGetVersion
RtlDeleteRegistryValue
RtlCompareUnicodeString
RtlGetNtVersionNumbers
RtlGetCompressionWorkSpaceSize
RtlCompressBuffer
RtlDecompressBuffer
RtlCompareString
RtlAnsiStringToUnicodeString
RtlUnicodeStringToAnsiString
RtlRandomEx
RtlCreateUserThread
NtCreateKey
NtFlushKey
NtClose
NtOpenKey
NtRenameKey
NtEnumerateKey
NtEnumerateValueKey
NtDeleteKey
NtSetValueKey
NtQueryValueKey
NtCreateFile
NtOpenFile
NtQueryInformationFile
NtReadFile
NtWriteFile
NtFlushBuffersFile
NtSetInformationFile
NtQueryDirectoryFile
NtDeviceIoControlFile
NtQuerySystemInformation
NtSetInformationProcess
NtQueryInformationProcess
NtTerminateProcess
NtDuplicateObject
NtAllocateVirtualMemory
NtOpenProcess
NtFreeVirtualMemory
NtCreateThreadEx
NtProtectVirtualMemory
NtWriteVirtualMemory
NtReadVirtualMemory
LdrFindResource_U
LdrAccessResource
NtOpenThread
NtResumeThread
NtQueueApcThreadEx
Global\%s
SeDebugPrivilege
%s\diag
SeDebugPrivilege
SeDebugPrivilege
ntdll.dll
kernel32.dll
advapi32.dll
user32.dll
shell32.dll
ole32.dll
wtsapi32.dll
psapi.dll
ws2_32.dll
shlwapi.dll
userenv.dll
netapi32.dll
version.dll
gdi32.dll
oleaut32.dll
crypt32.dll
LdrFindResource_U
LdrAccessResource
RtlInitUnicodeString
RtlGetVersion
RtlDeleteRegistryValue
RtlCompareUnicodeString
RtlGetNtVersionNumbers
RtlGetCompressionWorkSpaceSize
RtlCompressBuffer
RtlDecompressBuffer
RtlCompareString
RtlAnsiStringToUnicodeString
RtlUnicodeStringToAnsiString
RtlRandomEx
RtlCreateUserThread
RtlUnicodeStringToInteger
RtlEqualString
NtCreateKey
NtFlushKey
NtClose
NtOpenKey
NtRenameKey
NtEnumerateKey
NtEnumerateValueKey
NtDeleteKey
NtSetValueKey
NtQueryValueKey
NtCreateFile
NtOpenFile
NtQueryInformationFile
NtReadFile
NtWriteFile
NtFlushBuffersFile
NtSetInformationFile
NtQueryDirectoryFile
NtDeviceIoControlFile
NtQuerySystemInformation
NtSetInformationProcess
NtQueryInformationProcess
NtTerminateProcess
NtDuplicateObject
NtAllocateVirtualMemory
NtOpenProcess
NtFreeVirtualMemory
NtCreateEvent
NtLoadDriver
NtQueueApcThreadEx
NtOpenThread
NtResumeThread
NtMapViewOfSection
NtOpenSection
_wcsicmp
_snprintf
_snwprintf
NtProtectVirtualMemory
NtWriteVirtualMemory
NtReadVirtualMemory
NtCreateThreadEx
Wow64EnableWow64FsRedirection
Wow64DisableWow64FsRedirection
CreateRemoteThreadEx
IsWow64Process
HeapFree
Sleep
CloseHandle
CreateThread
GetCurrentProcessId
GetProcessHeap
TerminateProcess
GetSystemDirectoryW
ResumeThread
ExitProcess
CreateProcessW
GetSystemTimeAsFileTime
GetProcAddress
GetModuleHandleW
HeapAlloc
OpenProcess
GetLastError
CreateFileW
GetCurrentProcess
MultiByteToWideChar
WideCharToMultiByte
CompareStringA
CompareStringW
WriteFile
SetFilePointerEx
FindClose
VirtualProtect
GetCurrentThreadId
VirtualQuery
FlushFileBuffers
GetStringTypeW
GetFileType
GetStdHandle
GetACP
SetConsoleCtrlHandler
VirtualFree
WaitForMultipleObjects
TerminateThread
WTSGetActiveConsoleSessionId
GetConsoleWindow
GetTickCount
LocalFree
GetFullPathNameW
SetEvent
ResetEvent
WaitForSingleObject
CreateEventW
OpenEventW
VirtualAlloc
GetCommandLineW
FreeLibrary
LoadLibraryW
GetWindowsDirectoryW
GetVolumeInformationW
GetComputerNameA
CreateDirectoryW
GetModuleFileNameW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
LoadLibraryExW
OutputDebugStringA
VirtualFreeEx
ReleaseMutex
CreateMutexW
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
OpenFileMappingW
GetSystemTime
GetLocalTime
OpenMutexW
GetModuleFileNameA
GetModuleHandleExW
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
SetLastError
LCMapStringW
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCPInfo
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
HeapSize
GetConsoleCP
GetConsoleMode
WriteConsoleW
ProcessIdToSessionId
InterlockedFlushSList
RtlUnwindEx
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
HeapReAlloc
RaiseException
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
WaitForSingleObjectEx
EncodePointer
ReleaseSemaphore
GetSystemInfo
SetThreadIdealProcessor
CreateSemaphoreW
GetModuleHandleA
GetNativeSystemInfo
OutputDebugStringW
RtlPcToFileHeader
DuplicateHandle
GetExitCodeProcess
SetHandleInformation
CreatePipe
PeekNamedPipe
DeviceIoControl
GetFirmwareEnvironmentVariableW
GetComputerNameW
GetLocaleInfoW
Thread32First
Thread32Next
SuspendThread
GetThreadContext
RegCloseKey
RegDeleteValueW
RegFlushKey
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ConvertStringSecurityDescriptorToSecurityDescriptorW
CheckTokenMembership
LookupPrivilegeValueW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
FreeSid
AllocateAndInitializeSid
EqualSid
AdjustTokenPrivileges
GetTokenInformation
OpenProcessToken
InitiateSystemShutdownW
RegDeleteTreeW
RegDeleteKeyW
RegCreateKeyExW
RegOpenCurrentUser
ConvertSidToStringSidW
RegisterServiceCtrlHandlerExW
SetServiceStatus
StartServiceCtrlDispatcherW
CreateProcessAsUserW
GetUserNameW
MessageBoxW
MessageBoxA
ShowWindow
GetSystemMetrics
wsprintfW
ReleaseDC
GetDC
IsCharAlphaA
SendMessageA
PostMessageA
GetWindowTextA
EnumWindows
CommandLineToArgvW
SHFileOperationW
SHGetFolderPathW
CoCreateGuid
CoSetProxyBlanket
CoInitializeSecurity
CoInitializeEx
CoCreateInstance
CoUninitialize
WTSFreeMemory
WTSEnumerateSessionsW
WTSQueryUserToken
GetModuleFileNameExW
StrStrIW
CreateEnvironmentBlock
DestroyEnvironmentBlock
NetApiBufferFree
NetWkstaGetInfo
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
GetDeviceCaps
CryptBinaryToStringA
%s%.08X%s%.04X%s%.04X%s%.04X%s%.02X%.02X%.02X%.02X%.02X%.02X%s
%s%.08x%s%.04x%s%.04x%s%.04x%s%.02x%.02x%.02x%.02x%.02x%.02x%s
%s%.08X%s%.04X%s%.04X%s%.04X%s%.02X%.02X%.02X%.02X%.02X%.02X%s
%s%.08x%s%.04x%s%.04x%s%.04x%s%.02x%.02x%.02x%.02x%.02x%.02x%s
root\SecurityCenter2
WQL
SELECT
displayName
Windows
D:P(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GWGR;;;IU)
%s\%s
Global
Local
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment