Ejemplo n.º 1
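def generateIOC(md5, confDict):
	"""Build OpenIOC artefacts for a PoisonIvy config and persist them.

	Args:
		md5: hash of the sample; used as the IOC identifier and as the
			FileItem/Md5sum indicator.
		confDict: parsed config. Reads "InstallName", "InstallPath",
			"Mutex", "ActiveXKey", "HKLMValue" and "Domains" (a "|"-separated
			list of "host:port" entries).

	Side effects: database.insertDomain() receives every host extracted from
	"Domains"; database.insertIOC() receives the IOC produced by
	createIOC.main(). Raises KeyError if one of the config keys is missing.
	"""
	# File / process artefacts
	fileIOC = [
		('is', 'FileItem', 'FileItem/FileName', 'string', confDict["InstallName"]),
		('contains', 'FileItem', 'FileItem/FilePath', 'string', confDict["InstallPath"]),
		('is', 'FileItem', 'FileItem/Md5sum', 'md5', md5),
		('is', 'ProcessItem', 'ProcessItem/HandleList/Handle/Name', 'string', confDict["Mutex"]),
	]
	# Registry artefacts. Raw strings: the plain literals only kept their
	# backslashes because "\S", "\M", "\A", "\I", "\W", "\C" and "\R" happen
	# to be unrecognised escapes; that is a SyntaxWarning on modern Python
	# and would silently corrupt the path if any became a valid escape.
	regIOC = [
		('contains', 'RegistryItem', 'RegistryItem/Path', 'string',
		 r'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'),
		('is', 'RegistryItem', 'RegistryItem/Value', 'string', confDict["ActiveXKey"]),
		('contains', 'RegistryItem', 'RegistryItem/Path', 'string',
		 r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'),
		('is', 'RegistryItem', 'RegistryItem/Value', 'string', confDict["HKLMValue"]),
	]
	items = [fileIOC, regIOC]
	# "Domains" is "host:port|host:port|..."; keep only the host part.
	domList = [entry.split(":")[0] for entry in confDict["Domains"].split("|")]
	database.insertDomain(md5, domList)
	# Empty hosts (e.g. from a trailing "|") are still passed to
	# insertDomain but never become DNS indicators.
	for domain in domList:
		if domain != '':
			items.append([("contains", "Network", "Network/DNS", "string", domain)])
	IOC = createIOC.main(items, 'PoisonIvy', md5)
	database.insertIOC(md5, IOC)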
Ejemplo n.º 2
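def run(md5, data):
    """Parse an "abccba"-delimited config blob into a dict of settings.

    Args:
        md5: sample hash forwarded to snortRule(), createIOC() and
            database.insertDomain().
        data: decoded config string whose fields are separated by "abccba";
            field 0 is ignored, fields 1..17 map to the named keys below.

    Returns:
        The populated config dict, or an empty dict when *data* does not
        carry all 18 fields (no side-effecting call is made in that case).
    """
    config_dict = {}
    config = data.split("abccba")
    # Fields 1..17 are read below, so the split must yield at least 18
    # elements; a "> 5" guard lets short blobs raise IndexError instead.
    if len(config) > 17:
        config_dict["Domain"] = config[1]
        config_dict["Port"] = config[2]
        config_dict["Campaign Name"] = config[3]
        config_dict["Copy StartUp"] = config[4]
        config_dict["StartUp Name"] = config[5]
        config_dict["Add To Registry"] = config[6]
        config_dict["Registry Key"] = config[7]
        config_dict["Melt + Inject SVCHost"] = config[8]
        config_dict["Anti Kill Process"] = config[9]
        config_dict["USB Spread"] = config[10]
        config_dict["Kill AVG 2012-2013"] = config[11]
        config_dict["Kill Process Hacker"] = config[12]
        config_dict["Kill Process Explorer"] = config[13]
        config_dict["Kill NO-IP"] = config[14]
        config_dict["Block Virus Total"] = config[15]
        config_dict["Block Virus Scan"] = config[16]
        config_dict["HideProcess"] = config[17]
        snortRule(md5, config_dict)
        createIOC(md5, config_dict)
        database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict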
Ejemplo n.º 3
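def run(md5, data):
	"""Parse an "abccba"-delimited config blob into a dict of settings.

	Args:
		md5: sample hash forwarded to snortRule(), createIOC() and
			database.insertDomain().
		data: decoded config string whose fields are separated by "abccba";
			field 0 is ignored, fields 1..17 map to the named keys below.

	Returns:
		The populated config dict, or an empty dict when *data* does not
		carry all 18 fields (no side-effecting call is made in that case).
	"""
	config_dict = {}
	config = data.split("abccba")
	# Fields 1..17 are read below, so the split must yield at least 18
	# elements; a "> 5" guard lets short blobs raise IndexError instead.
	if len(config) > 17:
		config_dict["Domain"] = config[1]
		config_dict["Port"] = config[2]
		config_dict["Campaign Name"] = config[3]
		config_dict["Copy StartUp"] = config[4]
		config_dict["StartUp Name"] = config[5]
		config_dict["Add To Registry"] = config[6]
		config_dict["Registry Key"] = config[7]
		config_dict["Melt + Inject SVCHost"] = config[8]
		config_dict["Anti Kill Process"] = config[9]
		config_dict["USB Spread"] = config[10]
		config_dict["Kill AVG 2012-2013"] = config[11]
		config_dict["Kill Process Hacker"] = config[12]
		config_dict["Kill Process Explorer"] = config[13]
		config_dict["Kill NO-IP"] = config[14]
		config_dict["Block Virus Total"] = config[15]
		config_dict["Block Virus Scan"] = config[16]
		config_dict["HideProcess"] = config[17]
		snortRule(md5, config_dict)
		createIOC(md5, config_dict)
		database.insertDomain(md5, [config_dict["Domain"]])
	return config_dict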
Ejemplo n.º 4
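def run(md5, data):
    """Parse an "abccba"-delimited config blob into a dict of settings.

    Args:
        md5: sample hash forwarded to snortRule(), createIOC() and
            database.insertDomain().
        data: decoded config string whose fields are separated by "abccba";
            field 0 is ignored, fields 1..17 map to the named keys below.

    Returns:
        The populated config dict, or an empty dict when *data* does not
        carry all 18 fields (no side-effecting call is made in that case).
    """
    config_dict = {}
    config = data.split("abccba")
    # Fields 1..17 are read below, so the split must yield at least 18
    # elements; a "> 5" guard lets short blobs raise IndexError instead.
    if len(config) > 17:
        config_dict = {
            "Domain": config[1],
            "Port": config[2],
            "Campaign Name": config[3],
            "Copy StartUp": config[4],
            "StartUp Name": config[5],
            "Add To Registry": config[6],
            "Registry Key": config[7],
            "Melt + Inject SVCHost": config[8],
            "Anti Kill Process": config[9],
            "USB Spread": config[10],
            "Kill AVG 2012-2013": config[11],
            "Kill Process Hacker": config[12],
            "Kill Process Explorer": config[13],
            "Kill NO-IP": config[14],
            "Block Virus Total": config[15],
            "Block Virus Scan": config[16],
            "HideProcess": config[17],
        }
        snortRule(md5, config_dict)
        createIOC(md5, config_dict)
        database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict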
Ejemplo n.º 5
def run(md5, data):
    """Extract and parse the sample's config, then record its artefacts.

    Args:
        md5: sample hash handed to snortRule(), generateIOC() and
            database.insertDomain().
        data: raw sample data passed to get_config().

    Returns:
        The dict produced by parse_config(). The Snort rule, IOC and domain
        entry are only generated when its "Domain" value is non-empty.
    """
    config_dict = parse_config(get_config(data))
    if len(config_dict["Domain"]) == 0:
        return config_dict
    snortRule(md5, config_dict)
    generateIOC(md5, config_dict)
    database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict
Ejemplo n.º 6
def run(md5, data):
    """Extract and parse the sample's config, then record its artefacts.

    Args:
        md5: sample hash handed to snortRule(), generateIOC() and
            database.insertDomain().
        data: raw sample data passed to get_config().

    Returns:
        The dict produced by parse_config(). The Snort rule, IOC and domain
        entry are only generated when its "Domain" value is non-empty.
    """
    config_dict = parse_config(get_config(data))
    if len(config_dict["Domain"]) == 0:
        return config_dict
    snortRule(md5, config_dict)
    generateIOC(md5, config_dict)
    database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict
Ejemplo n.º 7
def run(md5, rawData):
    """Return the parsed config for a sample, or None when none is found.

    Two layouts are tried: an "abccba"-delimited blob is handed to
    oldversions(); otherwise the PE is loaded with pype32, the config
    stream is read with getStream() and decoded by parseConfig(). On
    success the "Domain" value is recorded via database.insertDomain().
    """
    fields = rawData.split("abccba")
    if len(fields) > 1:
        log.info("Running Abccba")
        conf = oldversions(fields)
    else:
        log.info("Running pype32")
        stream = getStream(pype32.PE(data=rawData))
        conf = parseConfig(stream)
    if not conf:
        return None
    database.insertDomain(md5, [conf["Domain"]])
    return conf
Ejemplo n.º 8
def run(md5, rawData):
	"""Return the parsed config for a sample, or None when none is found.

	Two layouts are tried: an "abccba"-delimited blob is handed to
	oldversions(); otherwise the PE is loaded with pype32, the config
	stream is read with getStream() and decoded by parseConfig(). On
	success the "Domain" value is recorded via database.insertDomain().
	"""
	fields = rawData.split("abccba")
	if len(fields) > 1:
		# Single-argument print() prints the same text under Python 2.
		print("Running Abccba")
		conf = oldversions(fields)
	else:
		print("Running pype32")
		stream = getStream(pype32.PE(data=rawData))
		conf = parseConfig(stream)
	if not conf:
		return None
	database.insertDomain(md5, [conf["Domain"]])
	return conf
Ejemplo n.º 9
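def run(md5, data):
    """Extract, decrypt and parse the config embedded in a jar sample.

    Args:
        md5: sample hash handed to snortRule() and database.insertDomain().
        data: raw jar contents handed to get_parts().

    Returns:
        The parsed config dict, or None when get_parts() yields no key or
        the key length matches neither the AES (16) nor the DES (32) layout.
    """
    print("[+] Extracting Data from Jar")
    enckey, conf = get_parts(data)
    if enckey is None:
        return None
    print(f"[+] Decoding Config with Key: {enckey.encode().hex()}")
    if len(enckey) == 16:
        # Newer versions use a base64 encoded config.dat
        # this is not a great test but should work 99% of the time
        decrypt_func = new_aes if "==" in conf else old_aes
        raw_config = decrypt_func(conf, enckey)
    elif len(enckey) == 32:
        raw_config = old_des(conf, enckey)
    else:
        # Any other key length used to fall through to an UnboundLocalError
        # on raw_config; report it and bail out like the missing-key case.
        print(f"[-] Unsupported key length: {len(enckey)}")
        return None
    config_dict = parse_config(raw_config, enckey)
    snortRule(md5, config_dict)
    database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict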
Ejemplo n.º 10
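def run(md5, data):
    """Extract, decrypt and parse the config embedded in a jar sample.

    Args:
        md5: sample hash handed to snortRule() and database.insertDomain().
        data: raw jar contents handed to get_parts().

    Returns:
        The parsed config dict, or None when get_parts() yields no key or
        the key length matches neither the AES (16) nor the DES (32) layout.
    """
    # Single-argument print() prints the same text under Python 2, which
    # this block still targets (str.encode('hex') is a Python 2 codec).
    print("[+] Extracting Data from Jar")
    enckey, conf = get_parts(data)
    if enckey is None:
        return None
    print("[+] Decoding Config with Key: {0}".format(enckey.encode('hex')))
    if len(enckey) == 16:
        # Newer versions use a base64 encoded config.dat
        # this is not a great test but should work 99% of the time
        if '==' in conf:
            raw_config = new_aes(conf, enckey)
        else:
            raw_config = old_aes(conf, enckey)
    elif len(enckey) == 32:
        raw_config = old_des(conf, enckey)
    else:
        # Any other key length used to fall through to an UnboundLocalError
        # on raw_config; report it and bail out like the missing-key case.
        print("[-] Unsupported key length: {0}".format(len(enckey)))
        return None
    config_dict = parse_config(raw_config, enckey)
    snortRule(md5, config_dict)
    database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict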
Ejemplo n.º 11
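def run(md5, data):
    """Extract, decrypt and parse the config embedded in a jar sample.

    Args:
        md5: sample hash handed to snortRule() and database.insertDomain().
        data: raw jar contents handed to get_parts().

    Returns:
        The parsed config dict, or None when get_parts() yields no key or
        the key length matches neither the AES (16) nor the DES (32) layout.
    """
    print("[+] Extracting Data from Jar")
    enckey, conf = get_parts(data)
    if enckey is None:
        return None
    # 'hex' is not a text codec on Python 3 (str.encode('hex') raises
    # LookupError); bytes.hex() gives the same lowercase digest.
    print("[+] Decoding Config with Key: {0}".format(enckey.encode().hex()))
    if len(enckey) == 16:
        # Newer versions use a base64 encoded config.dat
        # this is not a great test but should work 99% of the time
        if '==' in conf:
            raw_config = new_aes(conf, enckey)
        else:
            raw_config = old_aes(conf, enckey)
    elif len(enckey) == 32:
        raw_config = old_des(conf, enckey)
    else:
        # Any other key length used to fall through to an UnboundLocalError
        # on raw_config; report it and bail out like the missing-key case.
        print("[-] Unsupported key length: {0}".format(len(enckey)))
        return None
    config_dict = parse_config(raw_config, enckey)
    snortRule(md5, config_dict)
    database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict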
Ejemplo n.º 12
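def generateIOC(md5, confDict):
    """Build OpenIOC artefacts for a PoisonIvy config and persist them.

    Args:
        md5: hash of the sample; used as the IOC identifier and as the
            FileItem/Md5sum indicator.
        confDict: parsed config. Reads "InstallName", "InstallPath",
            "Mutex", "ActiveXKey", "HKLMValue" and "Domains" (a "|"-separated
            list of "host:port" entries).

    Side effects: database.insertDomain() receives every host extracted from
    "Domains"; database.insertIOC() receives the IOC produced by
    createIOC.main(). Raises KeyError if one of the config keys is missing.
    """
    # File / process artefacts
    fileIOC = [
        ('is', 'FileItem', 'FileItem/FileName', 'string',
         confDict["InstallName"]),
        ('contains', 'FileItem', 'FileItem/FilePath', 'string',
         confDict["InstallPath"]),
        ('is', 'FileItem', 'FileItem/Md5sum', 'md5', md5),
        ('is', 'ProcessItem', 'ProcessItem/HandleList/Handle/Name', 'string',
         confDict["Mutex"]),
    ]
    # Registry artefacts. Raw strings: the plain literals only kept their
    # backslashes because "\S", "\M", "\A", "\I", "\W", "\C" and "\R" happen
    # to be unrecognised escapes; that is a SyntaxWarning on modern Python
    # and would silently corrupt the path if any became a valid escape.
    regIOC = [
        ('contains', 'RegistryItem', 'RegistryItem/Path', 'string',
         r'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'),
        ('is', 'RegistryItem', 'RegistryItem/Value', 'string',
         confDict["ActiveXKey"]),
        ('contains', 'RegistryItem', 'RegistryItem/Path', 'string',
         r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'),
        ('is', 'RegistryItem', 'RegistryItem/Value', 'string',
         confDict["HKLMValue"]),
    ]
    items = [fileIOC, regIOC]
    # "Domains" is "host:port|host:port|..."; keep only the host part.
    domList = [entry.split(":")[0] for entry in confDict["Domains"].split("|")]
    database.insertDomain(md5, domList)
    # Empty hosts (e.g. from a trailing "|") are still passed to
    # insertDomain but never become DNS indicators.
    for domain in domList:
        if domain != '':
            items.append([("contains", "Network", "Network/DNS", "string",
                           domain)])
    IOC = createIOC.main(items, 'PoisonIvy', md5)
    database.insertIOC(md5, IOC)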