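def get_bot_information(self, file_data):
    """Extract C2 URIs from a sample, decrypting the RC4 blob when present.

    The sample is untrusted input. Without the ``"DmG\\x00"`` marker every
    PE section is scanned as-is for ``http://`` strings. With the marker,
    the bytes after the *last* marker are RC4-decrypted with a key taken
    from the fourth PE section (the last 7+ character string in it) and
    the plaintext is scanned instead.

    Args:
        file_data: raw bytes of the sample (a ``str`` in this Python 2
            code base).

    Returns:
        ``{}`` when nothing is found, else ``{"c2s": [{"c2_uri": ...}, ...]}``.

    Note:
        The previous version indexed ``pe.sections[3]`` unconditionally and
        raised ``IndexError`` on a sample with fewer than four sections; such
        a sample now yields ``{}``.
    """
    results = {}
    c2_charset = ascii_uppercase + ascii_lowercase + digits + punctuation

    def collect_c2s(blob):
        # Only non-empty http:// strings count; shared by both layouts.
        for s in data_strings(blob, 8, charset=c2_charset):
            if s.startswith("http://") and s != "http://":
                results.setdefault("c2s", []).append({"c2_uri": s})

    pe = PE(data=file_data)
    marker_at = file_data.rfind("\x44\x6d\x47\x00")
    if marker_at == -1:
        # Plain sample: scan every section.
        for section in pe.sections:
            collect_c2s(pe.get_data(section.VirtualAddress))
        return results

    # Encrypted layout: the key lives in the 4th section, which a hostile
    # or truncated sample may not have.
    if len(pe.sections) <= 3:
        return results
    encryption_key = None
    for s in data_strings(pe.get_data(pe.sections[3].VirtualAddress), 7):
        encryption_key = s  # the last string wins
    if encryption_key is None:
        return results

    rc4 = RC4(encryption_key)
    ciphertext = file_data[marker_at + 4:]
    plaintext = "".join([chr(rc4.next() ^ ord(c)) for c in ciphertext])
    collect_c2s(plaintext)
    return results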
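def get_bot_information(self, file_data):
    """Parse an ``abccba``-delimited builder config, else scan for gate/server.

    The previous body split an undefined name (``data``), wrote the fields
    into the ``dict`` builtin, guarded with ``len(config) > 5`` while
    reading ``config[17]``, and returned before the string scan below
    could ever run. Both paths are now reachable and bounds-checked.

    Args:
        file_data: raw sample bytes (untrusted).

    Returns:
        A dict of the 17 named config fields when the delimited config is
        present; otherwise ``{"c2_uri": "<host><gate>"}`` when both an
        IP/domain string and a ``.php`` gate string are found, else ``{}``.
    """
    results = {}
    fields = file_data.split("abccba")
    # Fields 1..17 are read, so anything shorter is not this config.
    if len(fields) > 17:
        names = (
            "Domain", "Port", "Campaign Name", "Copy StartUp",
            "StartUp Name", "Add To Registry", "Registry Key",
            "Melt + Inject SVCHost", "Anti Kill Process", "USB Spread",
            "Kill AVG 2012-2013", "Kill Process Hacker",
            "Kill Process Explorer", "Kill NO-IP", "Block Virus Total",
            "Block Virus Scan", "HideProcess",
        )
        for key, value in zip(names, fields[1:18]):
            results[key] = value
        # TODO(review): Domain/Port are not folded into a "c2_uri" key the
        # way the sibling extractors report C2s; confirm the expected schema.
        return results

    gate = None
    server = None
    for s in data_strings(file_data):
        if ".php" in s:
            if s[0] != "/":
                s = "/" + s
            gate = s
        if is_ip_or_domain(s):
            server = s
    if server is not None and gate is not None:
        results["c2_uri"] = "%s%s" % (server, gate)
    return results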
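def get_bot_information(self, file_data):
    """Recover Cobalt Strike beacon C2 ``host,/path`` pairs from ``.data``.

    The ``.data`` section is XOR-decoded byte by byte with
    ``cobaltbeacon._xor`` and every string in the result is searched for
    comma-separated host/path lists; each ``(host, path)`` pair whose host
    passes ``is_ip_or_domain`` is reported as ``http://host/path``.

    Fixes versus the previous version: the path character class read
    ``09`` instead of ``0-9`` (digits 1-8 were not matched), and an odd
    number of comma-separated parts paired ``parts[0]`` with ``parts[-1]``
    on the last iteration.

    Args:
        file_data: raw PE bytes (untrusted).

    Returns:
        ``{"c2s": [{"c2_uri": ...}, ...]}``; the list may be empty.
    """
    beacon_c2 = re.compile(
        r"[a-zA-Z0-9\.]{4,255},\/"
        r"[a-zA-Z0-9\-\.\_\~\:\/\?\#\[\]@\!\$\&'\(\)\*\+\,\;\=]{1,}"
    )
    results = {"c2s": []}

    pe = pefile.PE(data=file_data)
    dotdata = ""
    for section in pe.sections:
        if section.Name == ".data\x00\x00\x00":
            dotdata = section.get_data()

    decoded = bytearray(cobaltbeacon._xor(ord(byte)) for byte in dotdata)

    for string in data_strings(str(decoded), 1):
        if not beacon_c2.search(string):
            continue
        parts = string.split(",")
        # Walk (host, path) pairs from the end; stop when fewer than two
        # parts remain instead of wrapping around to parts[-1].
        g = len(parts)
        while g > 1:
            path = parts[g - 1]
            host = parts[g - 2]
            if is_ip_or_domain(host):
                results["c2s"].append({"c2_uri": "http://{0}{1}".format(host, path)})
            g -= 2
    return results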
def get_bot_information(self, file_data):
    """Rebuild ``http://<host><path>`` from the sample's string table.

    Scanning is armed only once the ``C:\\swi.txt`` marker string has been
    seen. After that, the first IP/domain string becomes the host and the
    string right after it the path, unless that string is itself an
    ``http://`` URL, in which case the pair is discarded and the search
    starts over. Once a path is found no further strings are examined.

    Returns ``{"c2_uri": ...}`` when both host and path were found, else ``{}``.
    """
    results = {}
    host = None
    path = None
    expect_path = False
    armed = False
    for token in data_strings(file_data, 1):
        if token == "C:\\swi.txt":
            armed = True
        if not armed or path is not None:
            continue
        if expect_path:
            expect_path = False
            if token.startswith("http://"):
                # A URL here means the previous host was a false hit.
                host = None
                path = None
                continue
            path = token
        elif is_ip_or_domain(token) and host is None:
            host = token
            expect_path = True
    if host is not None and path is not None:
        results["c2_uri"] = "http://{0}{1}".format(host, path)
    return results
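def get_bot_information(self, file_data):
    """Return ``{"c2s": [...]}`` with the sample's ``http://`` C2 strings.

    Two layouts are handled. Without the ``"DmG\\x00"`` marker every PE
    section is scanned as-is. With it, the data after the *last* marker is
    RC4-decrypted with a key that is the last 7+ character string in the
    fourth PE section, and the plaintext is scanned instead.

    Args:
        file_data: raw bytes of an untrusted sample (``str`` under Python 2).

    Returns:
        ``{}`` when nothing is found, else ``{"c2s": [{"c2_uri": ...}, ...]}``.

    Note:
        The previous version indexed ``pe.sections[3]`` unconditionally and
        raised ``IndexError`` on samples with fewer than four sections.
    """
    charset = ascii_uppercase + ascii_lowercase + digits + punctuation
    pe = PE(data=file_data)

    def http_strings(blob):
        # Candidate C2s: http:// strings of 8+ chars, the bare scheme excluded.
        return [s for s in data_strings(blob, 8, charset=charset)
                if s.startswith("http://") and s != "http://"]

    found = []
    marker_at = file_data.rfind("\x44\x6d\x47\x00")
    if marker_at == -1:
        for section in pe.sections:
            found.extend(http_strings(pe.get_data(section.VirtualAddress)))
    elif len(pe.sections) > 3:
        key = None
        for s in data_strings(pe.get_data(pe.sections[3].VirtualAddress), 7):
            key = s  # the last string wins
        if key is not None:
            rc4 = RC4(key)
            ciphertext = file_data[marker_at + 4:]
            plaintext = "".join([chr(rc4.next() ^ ord(c)) for c in ciphertext])
            found = http_strings(plaintext)

    results = {}
    if found:
        results["c2s"] = [{"c2_uri": s} for s in found]
    return results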
def get_bot_information(self, file_data):
    """Join the last IP/domain string with the last ``.php`` gate path.

    Both values come from the sample's string table (untrusted); the gate
    is given a leading ``/`` when it lacks one, and the host check
    (``dexter.is_ip_or_domain``) runs on that normalised string.

    Returns ``{"c2_uri": "<host><gate>"}`` when both were found, else ``{}``.
    """
    gate_path = None
    c2_host = None
    for candidate in data_strings(file_data):
        if ".php" in candidate:
            if candidate[0] != "/":
                candidate = "/" + candidate
            gate_path = candidate
        if dexter.is_ip_or_domain(candidate):
            c2_host = candidate
    if c2_host is None or gate_path is None:
        return {}
    return {"c2_uri": "%s%s" % (c2_host, gate_path)}
def get_bot_information(self, file_data):
    """Build ``<host><gate>`` from the last IP/domain and last ``.php`` string.

    The gate is normalised to start with ``/`` before it is stored, and the
    same normalised token is what ``is_ip_or_domain`` sees. All tokens come
    straight from the (untrusted) sample.

    Returns ``{"c2_uri": ...}`` or ``{}``.
    """
    hosts = []
    gates = []
    for token in data_strings(file_data):
        if token.find(".php") != -1:
            if token[0] != "/":
                token = "/" + token
            gates.append(token)
        if is_ip_or_domain(token):
            hosts.append(token)
    results = {}
    if hosts and gates:
        results["c2_uri"] = "%s%s" % (hosts[-1], gates[-1])
    return results
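def get_bot_information(self, file_data):
    """Join the last IP/domain string with the last ``.php?`` query path.

    Consistent with the other gate/server extractors in this set, the
    path is now given a leading ``/`` when the sample stores it without
    one, so the result is ``<host>/<path>`` rather than the two run
    together. Paths that already start with ``/`` are unchanged.

    Args:
        file_data: raw sample bytes (untrusted).

    Returns:
        ``{"c2_uri": ...}`` when both parts were found, else ``{}``.
    """
    results = {}
    host = None
    query_path = None
    for s in data_strings(file_data):
        if is_ip_or_domain(s):
            host = s
        if ".php?" in s:
            query_path = s if s.startswith("/") else "/" + s
    if host is not None and query_path is not None:
        results["c2_uri"] = "{0}{1}".format(host, query_path)
    return results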
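def get_bot_information(self, file_data):
    """Recover the C2 from an embedded HTTP request template.

    The sample carries a raw request (a ``GET <path> HTTP/1.x`` line and a
    ``Host:`` header); the last host and path seen are joined as
    ``<host><path>``.

    Previously the path was ``line[4:][:-9]``, which silently chopped nine
    characters off any request line that did not end in exactly
    `` HTTP/1.x``, and the host was ``line[6:]``, which assumed exactly one
    space after ``Host:``. The request line is now cut at the `` HTTP/``
    token only when it is present, and the host is whitespace-stripped.

    Args:
        file_data: raw sample bytes (untrusted).

    Returns:
        ``{"c2_uri": ...}`` when both host and path were found, else ``{}``.
    """
    results = {}
    host = None
    path = None
    for chunk in data_strings(file_data):
        for line in chunk.split("\n"):
            line = line.strip()
            if line.startswith("Host:"):
                host = line[len("Host:"):].strip()
            elif line.startswith("GET "):
                request_target = line[len("GET "):]
                # Drop the protocol token only when it is actually there.
                version_at = request_target.rfind(" HTTP/")
                if version_at != -1:
                    request_target = request_target[:version_at]
                path = request_target.strip()
    if host is not None and path is not None:
        results["c2_uri"] = "{0}{1}".format(host, path)
    return results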
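def get_bot_information(self, file_data):
    """Pull the Madness Pro config and version out of the string table.

    Strings starting with the base64 prefix ``YXBvS0`` are handed to
    ``madness_pro.parse_madness_pro_config`` and its keys copied into the
    result as ``unicode``; every other candidate is run through
    ``madness_pro.bdecode`` and kept as ``version`` when it looks like
    ``d.dd``. Decoding stays best effort, but only ``Exception`` is
    swallowed now: the old bare ``except`` also ate ``KeyboardInterrupt``
    and ``SystemExit``.

    Args:
        file_data: raw sample bytes (untrusted).

    Returns:
        The parsed config keys, plus ``version`` when found.
    """
    results = {}
    charset = ascii_lowercase + ascii_uppercase + digits + "=+/^@*"
    version_re = r"^\d\.\d\d$"
    for s in data_strings(file_data, charset=charset):
        if s.startswith("YXBvS0"):
            config = madness_pro.parse_madness_pro_config(s)
            for key in config:
                results[key] = unicode(config[key], errors="ignore")
            continue
        try:
            decoded = madness_pro.bdecode(s)
            if match(version_re, decoded) is not None:
                results["version"] = decoded
        except Exception:
            # Hostile input: an undecodable candidate is simply skipped.
            pass
    return results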
def get_bot_information(self, file_data):
    """Find the ``run.php`` gate, the ``http://`` server and a ``d.d.d`` version.

    The server is the last ``http://`` string whose host part (up to the
    first ``/``) passes ``is_ip_or_domain``; the gate is the last string
    containing ``run.php``. ``c2_uri`` is their plain concatenation.

    Returns a dict with optional ``version`` and ``c2_uri`` keys.
    """
    results = {}
    gate = None
    server = None
    scheme = "http://"
    for s in data_strings(file_data):
        if "run.php" in s:
            gate = s
        if s.startswith(scheme) and len(s) > len(scheme):
            host = s[len(scheme):].split("/", 1)[0]
            if is_ip_or_domain(host):
                server = s
        if match(r"^\d\.\d\.\d$", s) is not None:
            results["version"] = s
    if server is not None and gate is not None:
        results["c2_uri"] = "%s%s" % (server, gate)
    return results
def get_bot_information(self, file_data):
    """Locate the ``run.php`` gate, the ``http://`` server and a ``d.d.d`` version.

    The server is the last ``http://`` string whose host (scheme stripped,
    cut at the first ``/``) satisfies ``herpes.is_ip_or_domain``; the gate
    is the last string containing ``run.php``. ``c2_uri`` is the two
    concatenated as-is.

    Returns a dict with optional ``version`` and ``c2_uri`` keys.
    """
    def url_host(url):
        # Host part of an http:// URL: drop the scheme and anything after '/'.
        rest = url[len("http://"):]
        slash = rest.find("/")
        return rest if slash == -1 else rest[:slash]

    results = {}
    gate = None
    server = None
    version_re = r"^\d\.\d\.\d$"
    for s in data_strings(file_data):
        if "run.php" in s:
            gate = s
        if s.startswith("http://") and len(s) > len("http://"):
            if herpes.is_ip_or_domain(url_host(s)):
                server = s
        if match(version_re, s) is not None:
            results["version"] = s
    if server is not None and gate is not None:
        results["c2_uri"] = "%s%s" % (server, gate)
    return results
def get_bot_information(self, file_data):
    """XOR-decode the whole sample and report every URL-looking string.

    Each byte is passed through ``waketagat._xor``; the decoded buffer is
    split into strings (minimum length 1) and any string containing an
    ``http``/``https``/``ftp``/``cifs``/``smb`` URL is kept verbatim.

    Returns ``{"c2s": [{"c2_uri": ...}, ...]}``; the list may be empty.
    """
    url_re = re.compile(
        r"(http|https|ftp|cifs|smb)\:\/\/[a-zA-Z0-9\/\.\~\-]+", re.IGNORECASE
    )
    decoded = bytearray(waketagat._xor(ord(ch)) for ch in file_data)
    results = {"c2s": []}
    for candidate in data_strings(str(decoded), 1):
        if url_re.search(candidate):
            results["c2s"].append({"c2_uri": "{0}".format(candidate)})
    return results
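def get_bot_information(self, file_data):
    """Parse the 7-field, ``PAD``-padded config stored before the manifest.

    The string that contains the embedded assembly manifest is cut at the
    manifest; what precedes it is packed into 4-byte cells, and a cell
    ending in ``P``/``PA``/``PAD`` closes a field (the padding is dropped).
    Fields, in order: drop location, command poll interval, HTTP port,
    refresh interval, mutex, HTTP path, server.

    The three numeric fields are converted inside a ``try`` now: a corrupt
    or hostile sample used to raise ``ValueError`` after the result dict was
    already half filled.

    Args:
        file_data: raw sample bytes (untrusted).

    Returns:
        The config dict plus ``c2_uri`` (``http://server:port/path``), or ``{}``.
    """
    manifest_tag = r'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    results = {}

    def split_padded_fields(blob):
        # Fields occupy whole 4-byte cells; a cell ending in padding closes one.
        fields = []
        current = ""
        for index, ch in enumerate(blob, 1):
            current += ch
            if index % 4 != 0:
                continue
            for pad in ("PAD", "PA", "P"):
                if current.endswith(pad):
                    fields.append(current[:-len(pad)])
                    current = ""
                    break
        if current:
            fields.append(current)
        return fields

    for s in data_strings(file_data):
        if manifest_tag not in s:
            continue
        config = split_padded_fields(s[:s.find(manifest_tag)])
        if len(config) != 7:
            # NOTE(review): the collapsed original does not show whether it
            # stopped at the first manifest hit; scanning on is the safer
            # choice against a sample that embeds the manifest twice.
            continue
        try:
            cmd_get_interval = int(config[1])
            http_port = int(config[2])
            refresh_interval = int(config[3])
        except ValueError:
            continue
        server = config[6]
        if server.startswith("http://"):
            server = server[len("http://"):]
        if server.endswith("/"):
            server = server[:-1]
        results["drop_location"] = config[0]
        results["cmd_get_interval"] = cmd_get_interval
        results["http_port"] = http_port
        results["refresh_interval"] = refresh_interval
        results["mutex"] = config[4]
        results["http_path"] = config[5]
        results["server"] = server
        results["c2_uri"] = "http://{0}:{1}{2}".format(server, http_port, config[5])
        return results
    return results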
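def get_bot_information(self, file_data):
    """Decrypt the dword-XORed config that follows an 8-byte NOP sled.

    The XOR key is recovered by known plaintext: the first dword after the
    sled is assumed to be ``0x8be58955`` in the clear (bytes
    ``55 89 E5 8B``, which look like an x86 ``push ebp; mov ebp, esp``
    prologue -- TODO confirm against the family), so ``ciphertext ^
    0x8be58955`` is the key. The rest is decrypted dword by dword and the
    last decrypted string that passes ``is_ip_or_domain`` becomes ``c2_uri``.

    Fixes: a missing sled made ``find`` return -1 and the key was read from
    offset 7; fewer than 4 bytes after the sled raised ``struct.error``; and
    the ``while len(data) > 4`` loop dropped the final dword whenever the
    payload length was a multiple of four. Output is accumulated in a list
    instead of repeated ``str`` concatenation.

    Args:
        file_data: raw sample bytes (untrusted).

    Returns:
        ``{"c2_uri": ...}`` or ``{}``.
    """
    results = {}
    sled = "\x90" * 8
    sled_at = file_data.find(sled)
    if sled_at == -1:
        return results
    payload = file_data[sled_at + len(sled):]
    if len(payload) < 4:
        return results

    xor_key = struct.unpack("<I", payload[:4])[0] ^ 0x8be58955
    # Whole dwords only; a trailing partial dword is ignored.
    chunks = []
    for offset in range(0, len(payload) - 3, 4):
        (word,) = struct.unpack("<I", payload[offset:offset + 4])
        chunks.append(struct.pack("<I", word ^ xor_key))
    decrypted = "".join(chunks)

    for s in data_strings(decrypted):
        if is_ip_or_domain(s):
            results["c2_uri"] = s
    return results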
def get_bot_information(self, file_data):
    """Cross every IP/domain string with every ``.php`` string.

    Both sets are collected from the sample's string table (untrusted) and
    the result is their Cartesian product, each pair concatenated as-is.
    The key is only set when both sets are non-empty.

    Returns ``{"c2s": [{"c2_uri": ...}, ...]}`` or ``{}``.
    """
    results = {}
    hosts = set()
    php_paths = set()
    for s in data_strings(file_data):
        if is_ip_or_domain(s):
            hosts.add(s)
        if s.endswith(".php"):
            php_paths.add(s)
    if hosts and php_paths:
        results["c2s"] = [
            {"c2_uri": "{0}{1}".format(host, path)}
            for host in hosts
            for path in php_paths
        ]
    return results
def get_bot_information(self, file_data):
    """Cross every IP/domain string with every multi-segment ``/`` path.

    A path candidate is a string that starts with ``/`` and contains at
    least two slashes. Hosts and paths come from the (untrusted) sample's
    string table; every host/path pair is reported, concatenated as-is.

    Returns ``{"c2s": [{"c2_uri": ...}, ...]}`` or ``{}``.
    """
    hosts = set()
    paths = set()
    for s in data_strings(file_data):
        if is_ip_or_domain(s):
            hosts.add(s)
        if s[0] == "/" and s.count("/") > 1:
            paths.add(s)
    if not hosts or not paths:
        return {}
    c2s = []
    for host in hosts:
        for path in paths:
            c2s.append({"c2_uri": "{0}{1}".format(host, path)})
    return {"c2s": c2s}
def get_bot_information(self, file_data):
    """Decrypt the hex-encoded config blob and map its fields to result keys.

    Candidate blobs are hex strings of at least 154 characters; an odd
    trailing nibble is dropped before ``self.decrypt_configuration``. The
    decrypted value is indexed positionally (presumably a list of fields;
    only indices 1-8 and 14 are used) and must have more than 15 entries.
    A bot name that is not valid UTF-8 is reported as ``"h" + hex``.

    Returns the mapped fields plus ``c2_uri`` (``ip:control_port``), or ``{}``.
    """
    results = {}
    hex_charset = "0123456789abcdefABCDEF"
    for blob in data_strings(file_data, 154, hex_charset):
        if len(blob) % 2:
            blob = blob[:-1]
        fields = self.decrypt_configuration(blob)
        if fields is None or len(fields) <= 15:
            continue
        results["ip"] = fields[1]
        results["control_port"] = fields[2]
        results["transfer_port"] = fields[3]
        try:
            fields[4].decode("utf-8")
        except UnicodeDecodeError:
            results["bot_name"] = "h" + fields[4].encode("hex")
        else:
            results["bot_name"] = fields[4]
        results["file_name"] = fields[5]
        results["install_folder"] = fields[6]
        results["registry_persistence"] = fields[7]
        results["active_setup_persistence_name"] = fields[8]
        results["mutex_name"] = fields[14]
        results["c2_uri"] = "{0}:{1}".format(results["ip"], results["control_port"])
    return results
def get_bot_information(self, file_data):
    """Report every ``.php`` string as a C2 and every valid ``http://`` URL.

    ``c2s`` holds the ``.php``-terminated strings in the order seen;
    ``all_uris`` holds the distinct ``http://`` strings whose host part
    (up to the first ``/``) passes ``is_ip_or_domain``. Nothing is set
    unless at least one ``.php`` string was found.

    Returns ``{"c2s": [...], "all_uris": [...]}`` or ``{}``.
    """
    results = {}
    scheme = "http://"
    php_uris = []
    http_uris = []
    for s in data_strings(file_data):
        if s.startswith(scheme) and len(s) > len(scheme):
            host = s[len(scheme):].split("/", 1)[0]
            if is_ip_or_domain(host):
                http_uris.append(s)
        if s.endswith(".php"):
            php_uris.append(s)
    if php_uris:
        results["c2s"] = [{"c2_uri": u} for u in php_uris]
        results["all_uris"] = list(set(http_uris))
    return results
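def get_bot_information(self, file_data):
    """Parse the 7-field ``PAD``-padded config that precedes the manifest.

    The string holding the embedded assembly manifest is cut at the
    manifest. The prefix is read in 4-byte cells; a cell ending in ``P``,
    ``PA`` or ``PAD`` terminates a field and the padding is stripped. The
    seven fields are: drop location, command poll interval, HTTP port,
    refresh interval, mutex, HTTP path, server.

    Numeric fields are now converted before anything is written to the
    result, so a sample with a non-numeric port/interval no longer raises
    ``ValueError`` out of the extractor with a partially filled dict.

    Args:
        file_data: raw sample bytes (untrusted).

    Returns:
        The config dict plus ``c2_uri`` (``http://server:port/path``), or ``{}``.
    """
    manifest_tag = r'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    field_names = (
        "drop_location", "cmd_get_interval", "http_port",
        "refresh_interval", "mutex", "http_path", "server",
    )
    numeric_fields = ("cmd_get_interval", "http_port", "refresh_interval")
    results = {}

    for s in data_strings(file_data):
        if manifest_tag not in s:
            continue
        prefix = s[: s.find(manifest_tag)]

        config = []
        cell = ""
        for index, ch in enumerate(prefix, 1):
            cell += ch
            # Only a 4-byte-aligned cell ending in padding closes a field.
            if index % 4 == 0 and cell.endswith(("P", "PA", "PAD")):
                for suffix in ("P", "PA", "PAD"):
                    if cell.endswith(suffix):
                        cell = cell[: -len(suffix)]
                        break
                config.append(cell)
                cell = ""
        if cell:
            config.append(cell)

        if len(config) != 7:
            # NOTE(review): the collapsed original does not show whether a
            # bad field count ended the scan; continuing is the safer reading.
            continue
        parsed = dict(zip(field_names, config))
        try:
            for name in numeric_fields:
                parsed[name] = int(parsed[name])
        except ValueError:
            continue
        if parsed["server"].startswith("http://"):
            parsed["server"] = parsed["server"][len("http://"):]
        if parsed["server"].endswith("/"):
            parsed["server"] = parsed["server"][:-1]
        results.update(parsed)
        results["c2_uri"] = "http://{0}:{1}{2}".format(
            results["server"], results["http_port"], results["http_path"]
        )
        return results
    return results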
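def get_bot_information(self, file_data):
    """Decode base64 strings to find the C2 URL and the password after it.

    Every base64-looking string is decoded; the latest decoded value that
    starts with ``http://``/``https://`` is the C2, and the first printable
    decoded value after a C2 is taken as the password. Empty, non-printable
    or undecodable candidates are skipped.

    Fixes: the candidate charset contained a stray space (``...vwx yz...``)
    that is not part of the base64 alphabet, and ``ValueError`` is now
    caught alongside ``TypeError`` because ``b64decode`` raises
    ``binascii.Error`` (a ``ValueError``) on Python 3.

    Args:
        file_data: raw sample bytes (untrusted).

    Returns:
        ``{}``, ``{"c2_uri": ...}`` or ``{"c2_uri": ..., "password": ...}``;
        a password that is not valid UTF-8 is reported as ``"******" + hex``.
    """
    results = {}
    b64_alphabet = (
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz"
        "0123456789+/="
    )
    uri = None
    password = None
    for candidate in data_strings(file_data, charset=b64_alphabet):
        try:
            decoded = b64decode(candidate)
        except (TypeError, ValueError):
            continue
        if not decoded or any(ch not in printable for ch in decoded):
            continue
        lowered = decoded.lower()
        if lowered.startswith("https://") or lowered.startswith("http://"):
            uri = decoded
            continue
        if uri is not None:
            password = decoded
            break

    if uri is not None:
        results["c2_uri"] = uri
    if password is not None:
        try:
            password.decode("utf8")
            results["password"] = password
        except UnicodeDecodeError:
            # Keep the raw value recoverable without emitting binary junk.
            results["password"] = "******" + password.encode("hex")
    return results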
def get_bot_information(self, file_data):
    """Cross every IP/domain with every ``.php`` gate found in any PE section.

    Each section's data is scanned separately. Gate strings are normalised
    to start with ``/`` before being stored, and ``is_ip_or_domain`` is
    applied to that normalised token. Every host/gate pair is reported.

    Returns ``{"c2s": [{"c2_uri": ...}, ...]}`` or ``{}``.
    """
    gates = set()
    hosts = set()
    pe = PE(data=file_data)
    for section in pe.sections:
        for token in data_strings(pe.get_data(section.VirtualAddress)):
            if ".php" in token:
                if token[0] != "/":
                    token = "/" + token
                gates.add(token)
            if is_ip_or_domain(token):
                hosts.add(token)
    results = {}
    if hosts and gates:
        results["c2s"] = [
            {"c2_uri": "%s%s" % (host, gate)}
            for host in hosts
            for gate in gates
        ]
    return results