
sysopfb

@sysopfb
sysopfb / certs.txt
Last active September 25, 2016 19:20 — forked from crazybyte/certs.txt
NOTE: the web server's TLS certificates and keys are all in PEM format (base64-encoded DER wrapped in -----BEGIN/-----END lines); DER is the raw binary encoding
#$1 is the first positional argument: the file basename without extension
#From PEM format to DER
openssl x509 -in $1.crt -out $1.der -outform DER
#From DER format to PEM
openssl x509 -in $1.der -inform DER -out $1.pem -outform PEM
#Transforming an RSA private key from PEM to DER format
openssl rsa -in oberon.key -inform PEM -out oberon_key.der -outform DER
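The openssl one-liners above hide what the conversion actually is: PEM is nothing more than the DER bytes, base64-encoded, between BEGIN/END armor lines. The following example is added here and is not part of the gist; it performs the same PEM/DER round trip in plain Python so the relationship is visible, sniffs which format a file is in before you pick -inform, and cross-checks the decoded DER against the length in its outer SEQUENCE header (a truncated or mis-decoded file will not match). The sample DER is a constructed five-byte SEQUENCE, not a real certificate or key.

```python
import base64
import textwrap
from typing import Tuple

# Constructed sample: a minimal DER SEQUENCE holding one INTEGER (value 5).
# It is NOT a real certificate or key; it only exercises the PEM <-> DER armor.
SAMPLE_DER = bytes.fromhex("3003020105")


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armor: base64 body folded at 64 columns."""
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_to_der(pem: str) -> Tuple[str, bytes]:
    """Strip the armor and base64-decode the body; returns (label, der)."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if not (lines and lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    end_label = lines[-1][len("-----END "):-len("-----")]
    if label != end_label:
        raise ValueError(f"BEGIN/END label mismatch: {label!r} vs {end_label!r}")
    # validate=True rejects stray characters instead of silently skipping them
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    return label, der


def der_outer_length(der: bytes) -> int:
    """Total length implied by the outer SEQUENCE header (tag + length + content).
    Sanity check: for a complete object this equals len(der)."""
    if not der or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def sniff_format(data: bytes) -> str:
    """Classify a file as 'pem' or 'der' the way you would before choosing -inform."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":               # DER certificates and keys start with a SEQUENCE
        return "der"
    return "unknown"


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    label, der = pem_to_der(pem)
    print(pem, label, der.hex(), der_outer_length(der), sniff_format(pem.encode()))
```

The outer-length check is the one worth keeping around: it catches the classic failure where a DER file was treated as text somewhere along the way and lost or gained bytes, which openssl only reports as an opaque "asn1 encoding routines" error.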
@sysopfb
sysopfb / v5.proto
Created July 25, 2017 15:55
Emotet v5 protocol
syntax="proto2";
message regrequest {
required int32 command = 1;
required string botId = 2;
required fixed32 osVersion = 3;
required fixed32 crc32 = 4;
required string procList = 5;
required string mailClient = 6;
required string unknown = 7;
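A .proto definition like the one above is only useful against traffic if you can relate it to the bytes on the wire, and the protobuf package is often not installed on an analysis box. The following example is added here and is not from the gist; it is a minimal hand-written encoder/decoder for exactly the field numbers and types shown in regrequest (varint for int32, fixed32, length-delimited for string), so a captured message can be decoded without generating stubs. The sample field values are constructed and are not from real Emotet traffic.

```python
import struct
from typing import Dict, Tuple, Union

# Field numbers and types copied from the regrequest message above. Wire types per the
# protobuf encoding rules: 0 = varint, 2 = length-delimited, 5 = fixed32.
REGREQUEST_SCHEMA: Dict[int, Tuple[str, str]] = {
    1: ("command", "int32"), 2: ("botId", "string"), 3: ("osVersion", "fixed32"),
    4: ("crc32", "fixed32"), 5: ("procList", "string"), 6: ("mailClient", "string"),
    7: ("unknown", "string"),
}
WIRE_TYPE = {"int32": 0, "string": 2, "fixed32": 5}

# Constructed sample values; not taken from any real capture.
SAMPLE_REGREQUEST: Dict[str, Union[int, str]] = {
    "command": 16, "botId": "HOST-PC_1A2B3C4D", "osVersion": 0x00000601,
    "crc32": 0xDEADBEEF, "procList": "explorer.exe,svchost.exe",
    "mailClient": "", "unknown": "",
}


def encode_varint(value: int) -> bytes:
    if value < 0:
        value += 1 << 64          # proto2 int32 negatives are sign-extended to 10 bytes
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return result, pos
        if shift > 63:
            raise ValueError("varint too long")


def encode_regrequest(fields: Dict[str, Union[int, str]]) -> bytes:
    out = bytearray()
    for num, (name, typ) in REGREQUEST_SCHEMA.items():
        if name not in fields:
            raise ValueError(f"required field {name} missing")
        out += encode_varint((num << 3) | WIRE_TYPE[typ])   # tag = field number << 3 | wire type
        v = fields[name]
        if typ == "int32":
            out += encode_varint(v)
        elif typ == "fixed32":
            out += struct.pack("<I", v)
        else:
            data = v.encode("utf-8")
            out += encode_varint(len(data)) + data
    return bytes(out)


def decode_regrequest(buf: bytes) -> Dict[str, Union[int, str]]:
    """Walk tag/value pairs, checking each against the schema; unknown fields are kept as field_N."""
    fields: Dict[str, Union[int, str]] = {}
    pos = 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        num, wt = tag >> 3, tag & 7
        name, typ = REGREQUEST_SCHEMA.get(num, (f"field_{num}", None))
        if typ is not None and WIRE_TYPE[typ] != wt:
            raise ValueError(f"field {name}: wire type {wt} does not match the .proto")
        if wt == 0:
            raw, pos = decode_varint(buf, pos)
            val = raw & 0xFFFFFFFF if typ == "int32" else raw
            if typ == "int32" and val >= 1 << 31:
                val -= 1 << 32                     # reinterpret low 32 bits as signed
        elif wt == 5:
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            val, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        elif wt == 2:
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of message")
            val, pos = buf[pos:pos + length].decode("utf-8", errors="replace"), pos + length
        else:
            raise ValueError(f"unsupported wire type {wt} for field {num}")
        fields[name] = val
    missing = [n for n, _ in REGREQUEST_SCHEMA.values() if n not in fields]
    if missing:
        raise ValueError(f"required fields missing: {missing}")
    return fields
```

Because wire types are checked against the schema and required fields are enforced, feeding the decoder a blob that is not a regrequest (or a truncated one) fails loudly rather than returning a half-filled dict, which is what you want when triaging many captures.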
@sysopfb
sysopfb / gist:92887be2b46659bb929fba28de7206eb
Created September 21, 2018 16:47
Domains for fake zeus leading TDS
spcialsuivre.tk
majeurproduire.tk
alimentairimaginer.tk
humaincrire.tk
suivantarriver.tk
purraliser.tk
completexprimer.tk
localcontenir.tk
faibleremettre.tk
diverseffectuer.tk
@sysopfb
sysopfb / common_lib_hashes.h
Created March 8, 2019 21:14
Common CRC32 hashes for library names
enum COMMON_LIBS {
LIB_ROUTETAB = 0xefae77e3,
LIB_STOBJECT = 0xac6b1426,
LIB_MPRDDM = 0xd60496e1,
LIB_RASDLG = 0xd15380e4,
LIB_PNGFILT = 0x9b38a0bc,
LIB_NETAPI32 = 0x4681476c,
LIB_ITSS = 0x31ac798,
LIB_WMADMOD = 0x7a30b1f4,
LIB_WMADMOE = 0x47509844,
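The enum above gives the hash values but not the exact input that was hashed (lower or upper case, with or without ".dll", ASCII or UTF-16, with or without the terminating NUL) or which CRC32 variant produced them, and malware routinely drops the final inversion or changes the initial register. The example below is added here and is not part of the gist; it computes several CRC32 conventions over the common name variants, builds a reverse lookup, and reports which convention (if any) reproduces each constant. The library list is constructed from the enum names, and the assumption that the hashes are CRC32 of the library name is the gist's, not verified here.

```python
import zlib
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Libraries named by the enum above; the exact hashed string form is not shown there.
CANDIDATE_LIBS: List[str] = ["routetab", "stobject", "mprddm", "rasdlg", "pngfilt",
                             "netapi32", "itss", "wmadmod", "wmadmoe"]

# Values copied from the enum above, keyed by enum name.
ENUM_VALUES: Dict[str, int] = {
    "LIB_ROUTETAB": 0xefae77e3, "LIB_STOBJECT": 0xac6b1426, "LIB_MPRDDM": 0xd60496e1,
    "LIB_RASDLG": 0xd15380e4, "LIB_PNGFILT": 0x9b38a0bc, "LIB_NETAPI32": 0x4681476c,
    "LIB_ITSS": 0x31ac798, "LIB_WMADMOD": 0x7a30b1f4, "LIB_WMADMOE": 0x47509844,
}


def crc32_std(data: bytes) -> int:
    """Standard CRC-32 (zlib/IEEE 802.3): reflected poly 0xEDB88320, init and xorout 0xFFFFFFFF."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_no_xorout(data: bytes) -> int:
    """Same table, final inversion dropped: a common tweak in malware hash routines."""
    return crc32_std(data) ^ 0xFFFFFFFF


def crc32_init0(data: bytes) -> int:
    """Register starts at 0 instead of 0xFFFFFFFF. zlib seeds the register with ~value,
    so passing 0xFFFFFFFF as the starting value gives an all-zero register."""
    return zlib.crc32(data, 0xFFFFFFFF) & 0xFFFFFFFF


def crc32_init0_no_xorout(data: bytes) -> int:
    return crc32_init0(data) ^ 0xFFFFFFFF


HASH_ALGOS: Dict[str, Callable[[bytes], int]] = {
    "crc32": crc32_std, "crc32-noxorout": crc32_no_xorout,
    "crc32-init0": crc32_init0, "crc32-init0-noxorout": crc32_init0_no_xorout,
}


def name_variants(name: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (description, bytes) for the string forms a loader might hash."""
    base = name.lower()
    for s in (base, base.upper(), base + ".dll", base.upper() + ".DLL"):
        yield s, s.encode("ascii")
        yield s + "\\0", s.encode("ascii") + b"\x00"        # hashed including the NUL terminator
        yield s + " (utf-16le)", s.encode("utf-16-le")


def build_lookup(names: List[str]) -> Dict[int, Tuple[str, str]]:
    """Map hash value -> (string form, algorithm). First writer wins on (unlikely) collisions."""
    table: Dict[int, Tuple[str, str]] = {}
    for name in names:
        for desc, data in name_variants(name):
            for algo, fn in HASH_ALGOS.items():
                table.setdefault(fn(data), (desc, algo))
    return table


def resolve(h: int, table: Dict[int, Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    return table.get(h & 0xFFFFFFFF)


if __name__ == "__main__":
    table = build_lookup(CANDIDATE_LIBS)
    for enum_name, h in ENUM_VALUES.items():
        hit = resolve(h, table)
        print(f"{enum_name:13s} {h:#010x} -> {hit or 'no match under the tested conventions'}")
```

If nothing matches, the routine is not plain CRC32 under these conventions (different polynomial, per-sample seed, or an extra mixing step), and the next step is to lift the hashing function out of the sample and drive it with the same variant list.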
@sysopfb
sysopfb / RE_Notes
Created April 19, 2019 16:37
Notes for hancitor/chanitor e4ad65ade2f04e05a886b398ef08261f5858b15cc822ef29b604cecaac3036b5 crypter
Fast travel:
VirtualProtect on the .text section before XOR-decoding the next layer
the next layer resolves its imports and then calls VirtualAlloc before the main code begins
Detection notes:
the single-byte XOR of the next layer's bytes is incredibly easy to signature on
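The detection note above is true because a single-byte key leaves only 256 possibilities: any known plaintext in the next layer (here the DOS-stub string of an embedded PE) can be tried under every key in one pass. The example below is added here and is not from the gist; it does that search over a blob, walks each hit back to the XORed "MZ" so the layer is decoded from its header, and emits the equivalent YARA rule using the string modifier "xor". The encoded layer and the container around it are constructed, not bytes from the hancitor/chanitor sample.

```python
from typing import List, Optional, Tuple

# Constructed "next layer": PE-like DOS header bytes with the stub string at its usual
# 0x4E offset, so a hit on the string can be walked back to the MZ signature.
DOS_STUB_STRING = b"This program cannot be run in DOS mode."
FAKE_LAYER = (b"MZ\x90\x00" + b"\x00" * 0x4A + DOS_STUB_STRING).ljust(0x100, b"\x00") + b"<rest of layer>"


def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR; it is its own inverse."""
    return bytes(b ^ key for b in data)


def find_single_byte_xor(blob: bytes, marker: bytes = DOS_STUB_STRING) -> List[Tuple[int, int]]:
    """Return every (key, offset) at which marker XORed with key occurs in blob.
    256 candidate keys is a trivial search, which is why this scheme is so easy to signature."""
    hits: List[Tuple[int, int]] = []
    for key in range(256):
        needle = xor1(marker, key)
        off = blob.find(needle)
        while off != -1:
            hits.append((key, off))
            off = blob.find(needle, off + 1)
    return hits


def locate_layer_start(blob: bytes, key: int, marker_off: int) -> Optional[int]:
    """Walk back from the marker hit to the nearest XORed 'MZ' preceding it."""
    start = blob.rfind(xor1(b"MZ", key), 0, marker_off)
    return None if start == -1 else start


def recover_layers(blob: bytes) -> List[Tuple[int, int, bytes]]:
    """Decode each detected layer from its MZ header to the end of the blob.
    Returns (key, start_offset, decoded_bytes); trimming to the PE's real size is left to the caller."""
    out: List[Tuple[int, int, bytes]] = []
    for key, off in find_single_byte_xor(blob):
        start = locate_layer_start(blob, key, off)
        if start is not None:
            out.append((key, start, xor1(blob[start:], key)))
    return out


def yara_rule(name: str, marker: bytes = DOS_STUB_STRING) -> str:
    """YARA's xor string modifier expresses the same 256-key search as a signature."""
    return (f"rule {name}\n{{\n    strings:\n"
            f"        $stub = \"{marker.decode('ascii')}\" xor\n"
            f"    condition:\n        $stub\n}}\n")


# Constructed container: junk, the layer XORed with 0x5A, then padding.
CRYPTER_BLOB = b"\xCC" * 37 + xor1(FAKE_LAYER, 0x5A) + b"\x00" * 16

if __name__ == "__main__":
    for key, start, decoded in recover_layers(CRYPTER_BLOB):
        print(f"key={key:#04x} layer starts at {start:#x}: {decoded[:2]!r} ...")
    print(yara_rule("hancitor_xor_stub"))
```

Note that a key of 0 is also tried, so the same scan reports an unencoded embedded PE; and the 0xFFFFFFFF-style multi-byte or rolling keys the next crypter version might use are exactly what this search would miss, which is the point of the note.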
@sysopfb
sysopfb / tls.go
Created October 12, 2019 22:09
Unsafe golang TLS library with error detection removed
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package tls partially implements TLS 1.2, as specified in RFC 5246,
// and TLS 1.3, as specified in RFC 8446.
//
// TLS 1.3 is available only on an opt-in basis in Go 1.12. To enable
// it, set the GODEBUG environment variable (comma-separated key=value
// options) such that it includes "tls13=1". To enable it from within
@sysopfb
sysopfb / m.py
Created November 21, 2019 15:31
michael
from z3 import *
x = BitVec('x',32)
y = BitVec('y',16)
s = Solver()
s.add(x * ZeroExt(16,y) == 0x7B5658DB)
s.add(ZeroExt(16,x) * ZeroExt(32, y) > 0x7B5658DB)
vals=[]
@sysopfb
sysopfb / 8713179977a3ac6f2f55d5b566628ea3.md
Last active January 11, 2020 19:34
8713179977a3ac6f2f55d5b566628ea3 notes on traffic
>>> a = "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"
>>> b = binascii.unhexlify(a)
>>> struct.unpack_from('<HII', b)
(3340, 413, 884)
>>> len(b)
414
>>> c = zlib.decompress(b[10:])
>>> len(c)
884
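The interactive session above establishes the blob layout: a 10-byte little-endian header unpacked as <HII, then a zlib stream, with the third header field equal to the decompressed length (884) and the second field equal to the total length minus one (413 for a 414-byte blob). The example below is added here and is not from the gist; it turns those observations into a builder and a parser that cross-check the header fields against what was actually recovered and refuse truncated or non-zlib bodies. The payload is constructed (884 bytes to mirror the size in the notes), and reading the second field as "total length - 1" is an assumption taken from that single observed pair, not a documented protocol rule.

```python
import struct
import zlib
from typing import Any, Dict

HEADER = struct.Struct("<HII")   # the 10-byte header unpacked in the notes above


def build_blob(tag: int, payload: bytes) -> bytes:
    """Construct a blob in the observed layout: 10-byte header followed by a zlib stream.
    Field 2 = total length - 1 and field 3 = decompressed length, as in the capture
    (413 for 414 bytes; 884 == len(c)). That reading of field 2 is an assumption."""
    comp = zlib.compress(payload)
    return HEADER.pack(tag, HEADER.size + len(comp) - 1, len(payload)) + comp


def parse_blob(blob: bytes) -> Dict[str, Any]:
    """Parse header + zlib body and cross-check the header against what was recovered."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than the 10-byte header")
    tag, length_field, decomp_len = HEADER.unpack_from(blob)
    d = zlib.decompressobj()
    try:
        data = d.decompress(blob[HEADER.size:])
    except zlib.error as exc:
        raise ValueError(f"body is not a valid zlib stream: {exc}") from exc
    if not d.eof:
        raise ValueError("zlib stream is truncated (no end-of-stream marker)")
    if len(data) != decomp_len:
        raise ValueError(f"header says {decomp_len} decompressed bytes, got {len(data)}")
    return {
        "tag": tag,
        "length_field": length_field,
        "length_field_is_total_minus_one": length_field == len(blob) - 1,
        "decompressed_len": decomp_len,
        "trailing_bytes": d.unused_data,   # anything after the zlib stream, e.g. a MAC or padding
        "data": data,
    }


# Constructed payload and blob; not captured traffic.
SAMPLE_PAYLOAD = b"id=1234;ver=5;os=10;".ljust(884, b"\x00")
SAMPLE_BLOB = build_blob(3340, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    parsed = parse_blob(SAMPLE_BLOB)
    print(len(SAMPLE_BLOB), HEADER.unpack_from(SAMPLE_BLOB), parsed["trailing_bytes"],
          parsed["length_field_is_total_minus_one"], parsed["data"][:20])
```

Using decompressobj rather than zlib.decompress is deliberate: it exposes unused_data, so bytes after the zlib stream (a common place for a checksum or key material) are surfaced instead of silently ignored, and eof distinguishes a truncated capture from a complete one.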
@sysopfb
sysopfb / .NET with windbg and sos
Created May 9, 2019 01:09
Some quick notes on unpacking .NET malware with windbg and sos
Use the x86 WinDbg for 32-bit malware and the x64 WinDbg for 64-bit malware; otherwise SOS will fail to load the matching CLR data files.
Talos has some stuff to get started with https://blog.talosintelligence.com/2017/07/unravelling-net-with-help-of-windbg.html
Load up the .NET exe into windbg
sxe ld clr
sxe ld clrjit
g
@sysopfb
sysopfb / beacons.txt
Last active May 12, 2020 20:34
beacon pivots
Pivot from config at https://twitter.com/VK_Intel/status/1260296104672886790
{
C2_CHUNK_POST: 0
C2_POSTREQ: [('_HEADER', 0, 'Content-Type: application/octet-stream'), ('BUILD', ('PARAMETER', 'id'))]
C2_RECOVER: 
C2_REQUEST: [('BUILD', ('BASE64', 'HEADER', 'Cookie'))]
C2_VERB_GET: GET
C2_VERB_POST: POST
CRYPTO_sCHEME: 1
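Pivoting from a beacon config means turning the transform steps into the concrete HTTP shape the implant will emit, then hunting for that shape. The example below is added here and is not from the gist or any Cobalt Strike parser; it reads the C2_REQUEST and C2_POSTREQ entries above as chains of encoders ending in a (terminator, name) pair (BASE64 then HEADER Cookie for the GET; PARAMETER id plus a fixed Content-Type header for the POST), renders the resulting requests, and lists the header and parameter names a defender can pivot on in proxy logs. That reading of the tuples, the hostname, URIs and payload bytes are all assumptions constructed for the example; only the fields visible in the fragment above are included.

```python
import base64
from typing import Any, Dict, List, Tuple
from urllib.parse import quote_from_bytes

# Constructed Python copy of the config fragment shown above.
BEACON_CONFIG: Dict[str, Any] = {
    "C2_CHUNK_POST": 0,
    "C2_POSTREQ": [("_HEADER", 0, "Content-Type: application/octet-stream"),
                   ("BUILD", ("PARAMETER", "id"))],
    "C2_RECOVER": None,
    "C2_REQUEST": [("BUILD", ("BASE64", "HEADER", "Cookie"))],
    "C2_VERB_GET": "GET",
    "C2_VERB_POST": "POST",
}

# Assumed reading of the tuples: a BUILD is a chain of encoders ending in a
# (terminator, name) pair saying where the data lands; _HEADER adds a fixed header.
ENCODERS = {"BASE64": base64.b64encode}
TERMINATORS = ("HEADER", "PARAMETER", "URI_APPEND", "PRINT")


def apply_build(steps: Tuple[str, ...], data: bytes) -> Tuple[str, str, bytes]:
    encoders, kind, name = steps[:-2], steps[-2], steps[-1]
    if kind not in TERMINATORS:
        raise ValueError(f"unknown terminator {kind!r}")
    for step in encoders:
        if step not in ENCODERS:
            raise ValueError(f"unsupported transform step {step!r}")
        data = ENCODERS[step](data)
    return kind, name, data


def render_request(config: Dict[str, Any], which: str, uri: str, host: str, payload: bytes) -> str:
    """Render the HTTP request this config produces for one GET (metadata) or POST (session id) payload."""
    get = which == "get"
    verb = config["C2_VERB_GET" if get else "C2_VERB_POST"]
    headers: List[Tuple[str, str]] = [("Host", host)]
    params: List[Tuple[str, str]] = []
    body = b""
    for entry in config["C2_REQUEST" if get else "C2_POSTREQ"]:
        if entry[0] == "_HEADER":
            name, value = entry[2].split(": ", 1)
            headers.append((name, value))
        elif entry[0] == "BUILD":
            kind, name, data = apply_build(entry[1], payload)
            if kind == "HEADER":
                headers.append((name, data.decode("latin-1")))
            elif kind == "PARAMETER":
                params.append((name, quote_from_bytes(data)))
            elif kind == "URI_APPEND":
                uri += quote_from_bytes(data)
            else:                                   # PRINT: data becomes the body
                body = data
        else:
            raise ValueError(f"unknown entry {entry[0]!r}")
    target = uri + ("?" + "&".join(f"{k}={v}" for k, v in params) if params else "")
    lines = [f"{verb} {target} HTTP/1.1", *[f"{k}: {v}" for k, v in headers], ""]
    return "\r\n".join(lines) + "\r\n" + body.decode("latin-1")


def pivot_fields(config: Dict[str, Any]) -> Dict[str, List[str]]:
    """What a defender can hunt on in proxy logs: verbs, fixed headers, data-carrying headers, parameters."""
    out: Dict[str, List[str]] = {"verbs": [config["C2_VERB_GET"], config["C2_VERB_POST"]],
                                 "fixed_headers": [], "data_headers": [], "parameters": []}
    for key in ("C2_REQUEST", "C2_POSTREQ"):
        for entry in config[key]:
            if entry[0] == "_HEADER":
                out["fixed_headers"].append(entry[2])
            elif entry[0] == "BUILD":
                kind, name = entry[1][-2], entry[1][-1]
                if kind == "HEADER":
                    out["data_headers"].append(name)
                elif kind == "PARAMETER":
                    out["parameters"].append(name)
    return out


if __name__ == "__main__":
    print(render_request(BEACON_CONFIG, "get", "/pixel.gif", "c2.example.test", b"\x00\x01meta"))
    print(render_request(BEACON_CONFIG, "post", "/submit.php", "c2.example.test", b"12345"))
    print(pivot_fields(BEACON_CONFIG))
```

The rendered GET is the useful pivot: a request whose only Cookie is a bare base64 blob with no name=value structure, paired with a POST carrying an id query parameter and an octet-stream Content-Type, is a far tighter hunt than the URI alone, which the operator can change per campaign.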