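    def get_bot_information(self, file_data):
        """Extract C2 URIs from a sample, decrypting the trailing RC4 blob when present.

        Args:
            file_data: raw file contents (a Python 2 ``str``, as the rest of
                the file's ``xrange``/``ord`` usage assumes).

        Returns:
            dict with a ``"c2s"`` list of ``{"c2_uri": ...}`` entries for every
            ``http://`` string found, or an empty dict when there are none.

        Raises:
            Whatever ``PE(data=...)`` raises on a file it cannot parse.
        """
        results = {}
        url_charset = ascii_uppercase + ascii_lowercase + digits + punctuation

        def collect_uris(blob):
            # Append every printable "http://..." string in blob to results["c2s"].
            for s in data_strings(blob, 8, charset=url_charset):
                if s.startswith("http://") and s != "http://":
                    results.setdefault("c2s", []).append({"c2_uri": s})

        # 4-byte marker that precedes the RC4-encrypted configuration blob.
        encrypted_section = file_data.rfind("\x44\x6d\x47\x00")
        pe = PE(data=file_data)
        if encrypted_section == -1:
            # No encrypted blob: scan every section for plaintext URIs.
            for section in pe.sections:
                collect_uris(pe.get_data(section.VirtualAddress))
        else:
            encrypted_section += 4  # skip the marker itself
            # The key is read from the 4th section; a malformed PE with fewer
            # sections used to raise IndexError here instead of returning.
            if len(pe.sections) < 4:
                return results
            encryption_key = None
            for s in data_strings(pe.get_data(pe.sections[3].VirtualAddress), 7):
                # keep the last string found
                encryption_key = s

            if encryption_key is not None:
                rc4 = RC4(encryption_key)
                decrypted = "".join([chr(rc4.next() ^ ord(c))
                                     for c in file_data[encrypted_section:]])
                collect_uris(decrypted)

        return results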
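    def get_bot_information(self, file_data):
        """Parse the ``abccba``-delimited configuration block, else fall back to a gate/server scan.

        The original version referenced an undefined ``data`` name, assigned
        into the ``dict`` builtin, returned that builtin, and left the
        gate/server scan unreachable; it also tested ``len(config) > 5`` while
        indexing up to ``config[17]``.

        Args:
            file_data: raw file contents (Python 2 ``str``).

        Returns:
            dict of the named configuration fields when the delimited block is
            complete; otherwise ``{"c2_uri": server + gate}`` when both a
            ``.php`` gate and a host string were found; otherwise ``{}``.
        """
        results = {}
        # Field order of the "abccba"-separated block; config[0] is whatever
        # precedes the first delimiter and is not a field.
        field_names = (
            "Domain", "Port", "Campaign Name", "Copy StartUp", "StartUp Name",
            "Add To Registry", "Registry Key", "Melt + Inject SVCHost",
            "Anti Kill Process", "USB Spread", "Kill AVG 2012-2013",
            "Kill Process Hacker", "Kill Process Explorer", "Kill NO-IP",
            "Block Virus Total", "Block Virus Scan", "HideProcess",
        )
        config = file_data.split("abccba")
        if len(config) > len(field_names):
            for name, value in zip(field_names, config[1:]):
                results[name] = value
            return results

        gate = None
        server = None
        for s in data_strings(file_data):
            if s.find(".php") != -1:
                if s[0] != "/":
                    s = "/" + s
                gate = s
            if is_ip_or_domain(s):
                server = s
        if server is not None and gate is not None:
            results["c2_uri"] = "%s%s" % (server, gate)
        return results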
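    def get_bot_information(self, file_data):
        """Recover ``host,/path`` C2 pairs from the XOR-obscured ``.data`` section.

        Args:
            file_data: raw file contents (Python 2 ``str``).

        Returns:
            dict with a ``"c2s"`` list (possibly empty) of ``{"c2_uri": ...}``.

        Raises:
            Whatever ``pefile.PE(data=...)`` raises on an unparsable file.
        """
        # NOTE(review): the second class reads "[a-zA-Z09...]", which looks like
        # a typo for "0-9"; left untouched because changing it alters matches.
        BEACONC2 = re.compile('[a-zA-Z0-9\.]{4,255},\/[a-zA-Z09\-\.\_\~\:\/\?\#\[\]@\!\$\&\'\(\)\*\+\,\;\=]{1,}')
        results = {'c2s': []}
        pe = pefile.PE(data=file_data)
        dotdata = ''
        for section in pe.sections:
            # pefile pads section names to 8 bytes with NULs.
            if section.Name == '.data\x00\x00\x00':
                dotdata = section.get_data()

        frame = bytearray(cobaltbeacon._xor(ord(byte)) for byte in dotdata)

        for string in data_strings(str(frame), 1):
            if not BEACONC2.search(string):
                continue
            parts = string.split(',')
            g = len(parts)
            # Walk the comma-separated list from the end in (host, path) pairs.
            # The original looped while g > 0, so with an odd number of parts
            # the final iteration read parts[-1] (wrap-around) as the host of
            # parts[0]; stopping at g > 1 only emits genuine pairs.
            while g > 1:
                path = parts[g - 1]
                host = parts[g - 2]
                if is_ip_or_domain(host):
                    results['c2s'].append({"c2_uri": "http://{0}{1}".format(host, path)})
                g -= 2

        return results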
 def get_bot_information(self, file_data):
     """Find the C2 host and path that follow the ``C:\\swi.txt`` marker string.

     After the marker, the first host/IP string is taken as the host and the
     string right after it as the path; if that next string is itself a
     ``http://`` URL the host is discarded and the search restarts.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         ``{"c2_uri": "http://<host><path>"}`` when both were found, else ``{}``.
     """
     results = {}
     host = None
     uri_path = None
     expect_path = False
     marker_seen = False
     for candidate in data_strings(file_data, 1):
         if candidate == "C:\\swi.txt":
             marker_seen = True
         if not marker_seen or uri_path is not None:
             continue
         if expect_path:
             expect_path = False
             if candidate.startswith("http://"):
                 # A URL right after the host means the host was a false hit.
                 host = None
             else:
                 uri_path = candidate
         elif is_ip_or_domain(candidate) and host is None:
             host = candidate
             expect_path = True
     if host is not None and uri_path is not None:
         results['c2_uri'] = "http://{0}{1}".format(host, uri_path)
     return results
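    def get_bot_information(self, file_data):
        """Return the ``http://`` C2 URIs of a sample, decrypting its RC4 blob if it has one.

        Args:
            file_data: raw file contents (Python 2 ``str``).

        Returns:
            ``{"c2s": [{"c2_uri": ...}, ...]}`` or ``{}`` when nothing is found.

        Raises:
            Whatever ``PE(data=...)`` raises on an unparsable file.
        """
        results = {}
        charset = ascii_uppercase + ascii_lowercase + digits + punctuation

        def add_uris(blob):
            # Record each printable "http://..." string of blob under "c2s".
            for s in data_strings(blob, 8, charset=charset):
                if s.startswith("http://") and s != "http://":
                    results.setdefault("c2s", []).append({"c2_uri": s})

        pe = PE(data=file_data)
        # Marker preceding the RC4-encrypted configuration.
        marker = file_data.rfind("\x44\x6d\x47\x00")
        if marker == -1:
            for section in pe.sections:
                add_uris(pe.get_data(section.VirtualAddress))
            return results

        # Guard added: the key lives in the 4th section, and a PE with fewer
        # sections raised IndexError on pe.sections[3].
        if len(pe.sections) < 4:
            return results
        encryption_key = None
        for s in data_strings(pe.get_data(pe.sections[3].VirtualAddress), 7):
            # the last string wins
            encryption_key = s

        if encryption_key is not None:
            rc4 = RC4(encryption_key)
            ciphertext = file_data[marker + 4:]  # skip the 4-byte marker
            decrypted = "".join([chr(rc4.next() ^ ord(c)) for c in ciphertext])
            add_uris(decrypted)

        return results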
 def get_bot_information(self, file_data):
     """Build the C2 URI from the last host string and the last ``.php`` gate seen.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         ``{"c2_uri": "<server><gate>"}`` when both were found, else ``{}``.
     """
     results = {}
     gate = server = None
     for candidate in data_strings(file_data):
         if ".php" in candidate:
             # Some samples store the gate without its leading slash.
             if candidate[0] != "/":
                 candidate = "/" + candidate
             gate = candidate
         if dexter.is_ip_or_domain(candidate):
             server = candidate
     if None not in (server, gate):
         results["c2_uri"] = "%s%s" % (server, gate)
     return results
 def get_bot_information(self, file_data):
     """Combine the last host/IP string with the last ``.php`` gate path into a C2 URI.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         ``{"c2_uri": "<server><gate>"}`` if both were seen, otherwise ``{}``.
     """
     results = {}
     gate = None
     server = None
     for candidate in data_strings(file_data):
         if ".php" in candidate:
             # Normalise the gate to start with "/".
             candidate = candidate if candidate[0] == "/" else "/" + candidate
             gate = candidate
         if is_ip_or_domain(candidate):
             server = candidate
     if server is None or gate is None:
         return results
     results["c2_uri"] = "%s%s" % (server, gate)
     return results
    def get_bot_information(self, file_data):
        """Join the last host/IP string with the last ``.php?`` query path found.

        Args:
            file_data: raw file contents (Python 2 ``str``).

        Returns:
            ``{"c2_uri": "<domain><uri_path>"}`` when both were found, else ``{}``.
        """
        domain = uri_path = None
        for candidate in data_strings(file_data):
            if is_ip_or_domain(candidate):
                domain = candidate
            if ".php?" in candidate:
                uri_path = candidate

        if domain is None or uri_path is None:
            return {}
        return {"c2_uri": "{0}{1}".format(domain, uri_path)}
    def get_bot_information(self, file_data):
        """Recover the C2 from an embedded HTTP request template (``Host:`` / ``GET`` lines).

        Args:
            file_data: raw file contents (Python 2 ``str``).

        Returns:
            ``{"c2_uri": "<host><path>"}`` when both lines were found, else ``{}``.
        """
        results = {}
        host = path = None
        for blob in data_strings(file_data):
            for raw_line in blob.split("\n"):
                line = raw_line.strip()
                if line.startswith("Host:"):
                    host = line[6:]  # drop "Host: "
                if line.startswith("GET "):
                    # drop "GET " and the last 9 chars (presumably " HTTP/1.x")
                    path = line[4:-9]

        if host is not None and path is not None:
            results["c2_uri"] = "{0}{1}".format(host, path)
        return results
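 def get_bot_information(self, file_data):
     """Pull the madness_pro configuration and version string out of a sample.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         dict of the decoded configuration keys (values as ``unicode``,
         undecodable bytes dropped) plus ``"version"`` when a candidate
         string decodes to a ``d.dd`` value.
     """
     results = {}
     alphabet = ascii_lowercase + ascii_uppercase + digits + "=+/^@*"
     for s in data_strings(file_data, charset=alphabet):
         if s.startswith("YXBvS0"):
             # Prefix of the encoded configuration block.
             c = madness_pro.parse_madness_pro_config(s)
             for key in c:
                 results[key] = unicode(c[key], errors='ignore')
         else:
             try:
                 ret = madness_pro.bdecode(s)
                 if match(r'^\d\.\d\d$', ret) is not None:
                     results["version"] = ret
             except Exception:
                 # Most candidates do not decode; the previous bare
                 # `except:` also swallowed KeyboardInterrupt/SystemExit.
                 continue
     return results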
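 def get_bot_information(self, file_data):
     """Decode the madness_pro configuration block and version string from a sample.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         dict of configuration keys (``unicode`` values, undecodable bytes
         ignored) and ``"version"`` when some string decodes to ``d.dd``.
     """
     results = {}
     charset = ascii_lowercase + ascii_uppercase + digits + "=+/^@*"
     for s in data_strings(file_data, charset=charset):
         if s.startswith("YXBvS0"):
             # Encoded configuration block starts with this prefix.
             for key, value in madness_pro.parse_madness_pro_config(s).items():
                 results[key] = unicode(value, errors='ignore')
             continue
         try:
             ret = madness_pro.bdecode(s)
             if match(r'^\d\.\d\d$', ret) is not None:
                 results["version"] = ret
         except Exception:
             # Undecodable candidate; narrowed from a bare `except:` so that
             # KeyboardInterrupt/SystemExit are no longer swallowed.
             pass
     return results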
 def get_bot_information(self, file_data):
     """Find the ``run.php`` gate, an ``http://`` server with a valid host, and an ``x.y.z`` version.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         dict with ``"version"`` when a ``d.d.d`` string exists and
         ``"c2_uri"`` (server + gate) when both parts were found.
     """
     results = {}
     gate = server = None
     for candidate in data_strings(file_data):
         if "run.php" in candidate:
             gate = candidate
         if candidate.startswith("http://") and len(candidate) > 7:
             # Validate only the host part, up to the first slash.
             host = candidate[7:].split('/', 1)[0]
             if is_ip_or_domain(host):
                 server = candidate
         if match(r'^\d\.\d\.\d$', candidate) is not None:
             results["version"] = candidate
     if server is not None and gate is not None:
         results["c2_uri"] = "%s%s" % (server, gate)
     return results
 def get_bot_information(self, file_data):
     """Locate the ``run.php`` gate, the ``http://`` server and a ``d.d.d`` version string.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         dict with ``"version"`` (when present) and ``"c2_uri"`` (server + gate
         when both were found).
     """
     results = {}
     gate = None
     server = None
     prefix = "http://"
     for candidate in data_strings(file_data):
         if "run.php" in candidate:
             gate = candidate
         if candidate.startswith(prefix) and len(candidate) > len(prefix):
             remainder = candidate[len(prefix):]
             slash = remainder.find('/')
             host = remainder if slash == -1 else remainder[:slash]
             if herpes.is_ip_or_domain(host):
                 server = candidate
         if match(r'^\d\.\d\.\d$', candidate) is not None:
             results["version"] = candidate
     if None not in (server, gate):
         results["c2_uri"] = "%s%s" % (server, gate)
     return results
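    def get_bot_information(self, file_data):
        """Collect every URL found after XOR-decoding the whole file with ``waketagat._xor``.

        Args:
            file_data: raw file contents (Python 2 ``str``).

        Returns:
            dict with a ``"c2s"`` list (possibly empty) of ``{"c2_uri": ...}``.
        """
        # Raw string: the former non-raw literal depended on invalid escapes
        # (\:, \/, \., \~, \-) being passed through unchanged, which newer
        # interpreters warn about. The compiled pattern is identical.
        URL_REGEX = re.compile(
            r'(http|https|ftp|cifs|smb)\:\/\/[a-zA-Z0-9\/\.\~\-]+',
            re.IGNORECASE)
        results = {'c2s': []}
        frame = bytearray(waketagat._xor(ord(byte)) for byte in file_data)

        # data_strings is iterated directly; the old list copy and the
        # `strings[0:]` slice were no-ops, as was "{0}".format(string).
        for string in data_strings(str(frame), 1):
            if URL_REGEX.search(string):
                results['c2s'].append({"c2_uri": string})

        return results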
    def get_bot_information(self, file_data):
        """Decode the 7-field, 4-byte-aligned configuration that precedes the embedded manifest.

        Each field is padded to a multiple of four bytes with "P", "PA" or
        "PAD"; the block ends where the ``<assembly ...>`` manifest begins.

        Args:
            file_data: raw file contents (Python 2 ``str``).

        Returns:
            dict with drop_location, cmd_get_interval, http_port,
            refresh_interval, mutex, http_path, server and c2_uri for the
            first 7-field block found; ``{}`` otherwise.

        Raises:
            ValueError: when an interval or port field is not an integer.
        """
        manifest_head = r'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
        pads = ("P", "PA", "PAD")

        def split_padded(blob):
            # Cut blob into fields: at every 4th byte, if the accumulated
            # chunk ends with a pad marker, strip the marker and emit it.
            fields = []
            chunk = ""
            for position, ch in enumerate(blob, 1):
                chunk += ch
                if position % 4 == 0 and chunk.endswith(pads):
                    for pad in pads:
                        if chunk.endswith(pad):
                            chunk = chunk[:-len(pad)]
                            break
                    fields.append(chunk)
                    chunk = ""
            if chunk:
                fields.append(chunk)
            return fields

        results = {}
        for s in data_strings(file_data):
            if manifest_head not in s:
                continue
            config = split_padded(s[:s.find(manifest_head)])
            if len(config) != 7:
                continue
            results['drop_location'] = config[0]
            results['cmd_get_interval'] = int(config[1])
            results['http_port'] = int(config[2])
            results['refresh_interval'] = int(config[3])
            results['mutex'] = config[4]
            results['http_path'] = config[5]
            server = config[6]
            if server.startswith("http://"):
                server = server[len('http://'):]
            if server.endswith("/"):
                server = server[:-1]
            results['server'] = server
            results['c2_uri'] = "http://{0}:{1}{2}".format(
                server, results['http_port'], results['http_path'])
            return results
        return results
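    def get_bot_information(self, file_data):
        """Decrypt the dword-XOR region that follows an 8-byte NOP sled and return its C2 host.

        The XOR key is derived from the first dword after the sled, which is
        expected to decrypt to the constant ``0x8be58955``.

        Args:
            file_data: raw file contents (Python 2 ``str``).

        Returns:
            ``{"c2_uri": <last host/IP string found>}`` or ``{}`` when the sled
            is absent, the region is shorter than a dword, or no host is found.
        """
        results = {}

        sled = file_data.find("\x90" * 8)
        if sled == -1:
            # find() == -1 used to slide the start to offset 7 and decode garbage.
            return results
        data = file_data[sled + 8:]
        if len(data) < 4:
            # struct.unpack would raise struct.error on a short buffer.
            return results

        xor_key = struct.unpack("<I", data[:4])[0] ^ 0x8be58955

        # Decrypt dword by dword without re-slicing the buffer each step and
        # join once, replacing the quadratic `decrypted += ...` loop.
        # NOTE(review): the original ran `while len(data) > 4`, which never
        # decrypts the final complete dword; the same bound is kept here so
        # output is unchanged — confirm against known samples whether >= 4
        # was intended.
        pieces = []
        for offset in range(0, len(data) - 4, 4):
            d = struct.unpack_from("<I", data, offset)[0]
            pieces.append(struct.pack("<I", d ^ xor_key))
        decrypted = "".join(pieces)

        for s in data_strings(decrypted):
            if is_ip_or_domain(s):
                results['c2_uri'] = s

        return results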
    def get_bot_information(self, file_data):
        """Cross every host/IP string with every ``.php`` path string to form C2 candidates.

        Args:
            file_data: raw file contents (Python 2 ``str``).

        Returns:
            ``{"c2s": [{"c2_uri": host + path}, ...]}`` when at least one host
            and one path were found, else ``{}``.
        """
        results = {}
        domains = set()
        uri_paths = set()
        for candidate in data_strings(file_data):
            if is_ip_or_domain(candidate):
                domains.add(candidate)
            if candidate.endswith(".php"):
                uri_paths.add(candidate)

        if domains and uri_paths:
            results["c2s"] = [
                {"c2_uri": "{0}{1}".format(d, p)}
                for d in domains
                for p in uri_paths
            ]

        return results
    def get_bot_information(self, file_data):
        """Pair every host/IP string with every multi-segment ``/`` path into C2 candidates.

        A path is any string starting with "/" that contains more than one
        slash in total.

        Args:
            file_data: raw file contents (Python 2 ``str``).

        Returns:
            ``{"c2s": [{"c2_uri": host + path}, ...]}`` when both kinds were
            found, else ``{}``.
        """
        hosts = set()
        paths = set()
        for candidate in data_strings(file_data):
            if is_ip_or_domain(candidate):
                hosts.add(candidate)
            if candidate[0] == "/" and candidate.count("/") > 1:
                paths.add(candidate)

        if not hosts or not paths:
            return {}
        return {
            "c2s": [{"c2_uri": "{0}{1}".format(h, p)} for h in hosts for p in paths]
        }
 def get_bot_information(self, file_data):
     """Locate the hex-encoded configuration blob, decrypt it and map its fields.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         dict with ip, control_port, transfer_port, bot_name, file_name,
         install_folder, registry_persistence, active_setup_persistence_name,
         mutex_name and c2_uri for the last blob that decrypts to more than
         15 fields; ``{}`` when none does.
     """
     results = {}
     hex_alphabet = "0123456789abcdefABCDEF"
     tail_fields = (
         (5, "file_name"),
         (6, "install_folder"),
         (7, "registry_persistence"),
         (8, "active_setup_persistence_name"),
         (14, "mutex_name"),
     )
     for candidate in data_strings(file_data, 154, hex_alphabet):
         if len(candidate) % 2:
             candidate = candidate[:-1]  # hex needs an even digit count
         fields = self.decrypt_configuration(candidate)
         if fields is None or len(fields) <= 15:
             continue
         results["ip"] = fields[1]
         results["control_port"] = fields[2]
         results["transfer_port"] = fields[3]
         try:
             fields[4].decode("utf-8")
         except UnicodeDecodeError:
             # Non-UTF-8 names are reported as "h" + hex so they stay printable.
             results["bot_name"] = "h" + fields[4].encode("hex")
         else:
             results["bot_name"] = fields[4]
         for index, name in tail_fields:
             results[name] = fields[index]
         results["c2_uri"] = "{0}:{1}".format(results["ip"], results["control_port"])
     return results
 def get_bot_information(self, file_data):
     """Collect ``http://`` URLs with a valid host; those ending in ``.php`` become C2 entries.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         ``{"c2s": [...], "all_uris": [...]}`` when at least one ``.php`` URL
         was found (``all_uris`` is the de-duplicated list of every valid
         URL), otherwise ``{}``.
     """
     results = {}
     php_uris = []
     every_uri = []
     for candidate in data_strings(file_data):
         if not candidate.startswith("http://") or len(candidate) <= 7:
             continue
         host = candidate[7:].split('/', 1)[0]
         if not is_ip_or_domain(host):
             continue
         every_uri.append(candidate)
         if candidate.endswith(".php"):
             php_uris.append(candidate)
     if php_uris:
         results["c2s"] = [{"c2_uri": u} for u in php_uris]
         results["all_uris"] = list(set(every_uri))
     return results
 def get_bot_information(self, file_data):
     """Gather valid ``http://`` URLs from a sample and report the ``.php`` ones as C2s.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         ``{"c2s": [{"c2_uri": ...}, ...], "all_uris": [...]}`` when some
         ``.php`` URL exists, else ``{}``.
     """
     prefix = "http://"
     gates = []
     seen_urls = []
     for candidate in data_strings(file_data):
         if not (candidate.startswith(prefix) and len(candidate) > len(prefix)):
             continue
         host = candidate[len(prefix):]
         slash = host.find('/')
         if slash != -1:
             host = host[:slash]
         if is_ip_or_domain(host):
             seen_urls.append(candidate)
             if candidate.endswith(".php"):
                 gates.append(candidate)
     if not gates:
         return {}
     return {
         "c2s": [{"c2_uri": g} for g in gates],
         "all_uris": list(set(seen_urls)),
     }
    def get_bot_information(self, file_data):
        """Parse the "P"/"PA"/"PAD"-padded 7-field configuration stored before the manifest.

        Args:
            file_data: raw file contents (Python 2 ``str``).

        Returns:
            dict with drop_location, cmd_get_interval, http_port,
            refresh_interval, mutex, http_path, server and c2_uri for the
            first complete block found; ``{}`` otherwise.

        Raises:
            ValueError: when cmd_get_interval, http_port or refresh_interval
            is not numeric.
        """
        manifest = r'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
        paddings = ["P", "PA", "PAD"]

        def unpad_fields(blob):
            # Split blob on 4-byte boundaries whose chunk ends in a padding marker.
            fields = []
            current = ""
            for count, ch in enumerate(blob, 1):
                current += ch
                if count % 4 != 0:
                    continue
                if not current.endswith(tuple(paddings)):
                    continue
                for pad in paddings:
                    if current.endswith(pad):
                        current = current[: -len(pad)]
                        break
                fields.append(current)
                current = ""
            if len(current) > 0:
                fields.append(current)
            return fields

        results = {}
        for s in data_strings(file_data):
            if manifest not in s:
                continue
            config = unpad_fields(s[: s.find(manifest)])
            if len(config) != 7:
                continue
            results["drop_location"] = config[0]
            results["cmd_get_interval"] = int(config[1])
            results["http_port"] = int(config[2])
            results["refresh_interval"] = int(config[3])
            results["mutex"] = config[4]
            results["http_path"] = config[5]
            results["server"] = config[6]
            if results["server"].startswith("http://"):
                results["server"] = results["server"][len("http://"):]
            if results["server"].endswith("/"):
                results["server"] = results["server"][:-1]
            results["c2_uri"] = "http://{0}:{1}{2}".format(
                results["server"], results["http_port"], results["http_path"]
            )
            return results
        return results
 def get_bot_information(self, file_data):
     """Decrypt the long hex-encoded configuration blob and expose its named fields.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         dict of ip, control_port, transfer_port, bot_name, file_name,
         install_folder, registry_persistence, active_setup_persistence_name,
         mutex_name and c2_uri for the last blob with more than 15 fields;
         ``{}`` if none decrypts.
     """
     results = {}
     for blob in data_strings(file_data, 154, "0123456789abcdefABCDEF"):
         # Drop a dangling nibble so the hex string has even length.
         if len(blob) % 2 == 1:
             blob = blob[:-1]
         fields = self.decrypt_configuration(blob)
         if fields is None or len(fields) <= 15:
             continue
         results["ip"] = fields[1]
         results["control_port"] = fields[2]
         results["transfer_port"] = fields[3]
         name = fields[4]
         try:
             name.decode("utf-8")
             results["bot_name"] = name
         except UnicodeDecodeError:
             # Keep undecodable names printable: "h" followed by hex.
             results["bot_name"] = "h" + name.encode("hex")
         results["file_name"] = fields[5]
         results["install_folder"] = fields[6]
         results["registry_persistence"] = fields[7]
         results["active_setup_persistence_name"] = fields[8]
         results["mutex_name"] = fields[14]
         results["c2_uri"] = "{0}:{1}".format(fields[1], fields[2])
     return results
 def get_bot_information(self, file_data):
     """Find a base64-encoded C2 URL and the base64-encoded password that follows it.

     Args:
         file_data: raw file contents (Python 2 ``str``).

     Returns:
         ``{"c2_uri": ...}`` plus ``"password"`` when a printable string
         follows the URL (non-UTF-8 passwords are reported as "******" +
         hex); ``{}`` when no URL decodes.
     """
     results = {}
     # NOTE(review): the alphabet contains a space ("vwx yz"); it looks like
     # a typo for the base64 alphabet but is kept verbatim to preserve matches.
     b64_alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx yz0123456789+/="
     uri = password = None
     for candidate in data_strings(file_data, charset=b64_alphabet):
         try:
             decoded = b64decode(candidate)
             if not decoded or any(ch not in printable for ch in decoded):
                 continue
             if decoded.lower().startswith(("https://", "http://")):
                 uri = decoded
                 continue
             if uri is not None:
                 # First printable string after the URL is the password.
                 password = decoded
                 break
         except TypeError:
             # Python 2's b64decode raises TypeError on bad padding.
             continue
     if uri is None:
         return results
     results["c2_uri"] = uri
     if password is not None:
         try:
             password.decode("utf8")
         except UnicodeDecodeError:
             results["password"] = "******" + password.encode("hex")
         else:
             results["password"] = password
     return results
 def get_bot_information(self, file_data):
     """Pair every host/IP string with every ``.php`` gate found across all PE sections.

     Args:
         file_data: raw file contents (Python 2 ``str``); must parse as a PE.

     Returns:
         ``{"c2s": [{"c2_uri": host + gate}, ...]}`` when at least one host
         and one gate were found, else ``{}``.

     Raises:
         Whatever ``PE(data=...)`` raises on an unparsable file.
     """
     results = {}
     gates = set()
     servers = set()
     pe = PE(data=file_data)
     for section in pe.sections:
         for candidate in data_strings(pe.get_data(section.VirtualAddress)):
             if ".php" in candidate:
                 # Gates are normalised to begin with "/".
                 if candidate[0] != "/":
                     candidate = "/" + candidate
                 gates.add(candidate)
             if is_ip_or_domain(candidate):
                 servers.add(candidate)
     if servers and gates:
         results["c2s"] = [{"c2_uri": "%s%s" % (ip, p)}
                           for ip in servers for p in gates]
     return results
 def get_bot_information(self, file_data):
     """Combine each host/IP string with each ``.php`` gate from every section of the PE.

     Args:
         file_data: raw file contents (Python 2 ``str``); must parse as a PE.

     Returns:
         ``{"c2s": [{"c2_uri": host + gate}, ...]}`` if both a host and a
         gate exist, otherwise ``{}``.

     Raises:
         Whatever ``PE(data=...)`` raises on an unparsable file.
     """
     pe = PE(data=file_data)
     hosts = set()
     gates = set()
     for section in pe.sections:
         for candidate in data_strings(pe.get_data(section.VirtualAddress)):
             if candidate.find(".php") != -1:
                 candidate = candidate if candidate[0] == "/" else "/" + candidate
                 gates.add(candidate)
             if is_ip_or_domain(candidate):
                 hosts.add(candidate)
     if not hosts or not gates:
         return {}
     entries = []
     for ip in hosts:
         for p in gates:
             entries.append({"c2_uri": "%s%s" % (ip, p)})
     return {"c2s": entries}