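def generateIOC(md5, confDict):
    """Build an OpenIOC document for a PoisonIvy configuration and store it.

    Args:
        md5: sample identifier; passed through unchanged as the key for the
            ``database.insertDomain`` / ``database.insertIOC`` calls and
            embedded as the ``FileItem/Md5sum`` indicator.
        confDict: parsed configuration. Keys read here: ``InstallName``,
            ``InstallPath``, ``Mutex``, ``ActiveXKey``, ``HKLMValue`` and
            ``Domains`` (a ``|``-separated list of ``host:port`` entries).

    Returns:
        None. Side effects: writes the extracted domains and the generated
        IOC to ``database``.

    Raises:
        KeyError: if one of the keys above is missing from ``confDict``.
    """
    # File / process artefacts. Each entry is
    # (condition, document, search path, content type, value).
    file_items = [
        ('is', 'FileItem', 'FileItem/FileName', 'string', confDict["InstallName"]),
        ('contains', 'FileItem', 'FileItem/FilePath', 'string', confDict["InstallPath"]),
        ('is', 'FileItem', 'FileItem/Md5sum', 'md5', md5),
        ('is', 'ProcessItem', 'ProcessItem/HandleList/Handle/Name', 'string', confDict["Mutex"]),
    ]

    # Registry artefacts. The key paths are raw strings so the backslashes
    # are never read as escape sequences; the original non-raw literals only
    # worked because none of "\S", "\M", "\A", "\I", "\W", "\C", "\R" is a
    # recognised escape (Python 3.12+ warns about them).
    registry_items = [
        ('contains', 'RegistryItem', 'RegistryItem/Path', 'string',
         r'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'),
        ('is', 'RegistryItem', 'RegistryItem/Value', 'string', confDict["ActiveXKey"]),
        ('contains', 'RegistryItem', 'RegistryItem/Path', 'string',
         r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'),
        ('is', 'RegistryItem', 'RegistryItem/Value', 'string', confDict["HKLMValue"]),
    ]

    items = [file_items, registry_items]

    # "Domains" holds |-separated host:port entries; keep only the host part.
    # Empty entries (e.g. from a trailing separator) are dropped up front so
    # they neither reach the database nor become an empty DNS indicator
    # (the original skipped them for the IOC but still inserted them).
    # These values come straight from the sample and are attacker-controlled;
    # the database layer must treat them as untrusted input.
    hosts = [entry.split(":")[0] for entry in confDict["Domains"].split("|")]
    hosts = [host for host in hosts if host != '']
    database.insertDomain(md5, hosts)

    # One single-indicator group per domain, as in the original layout.
    for host in hosts:
        items.append([("contains", "Network", "Network/DNS", "string", host)])

    IOC = createIOC.main(items, 'PoisonIvy', md5)
    database.insertIOC(md5, IOC)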
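def run(md5, data):
    """Parse an ``abccba``-delimited configuration blob and record it.

    Args:
        md5: sample identifier, passed through to ``snortRule``,
            ``createIOC`` and ``database.insertDomain``.
        data: decoded configuration text whose fields are separated by the
            literal ``abccba``; field 0 is unused, fields 1..17 are named
            below.

    Returns:
        A dict of the named settings, or an empty dict when ``data`` does
        not split into enough fields (in which case nothing is recorded).
    """
    # Renamed from ``dict``: that name shadowed the builtin.
    config_dict = {}
    config = data.split("abccba")
    # Fields 1..17 are read below. The original guard (``len(config) > 5``)
    # let a partially split blob raise IndexError on the later fields, so
    # the full set is required before anything is read.
    if len(config) > 17:
        config_dict["Domain"] = config[1]
        config_dict["Port"] = config[2]
        config_dict["Campaign Name"] = config[3]
        config_dict["Copy StartUp"] = config[4]
        config_dict["StartUp Name"] = config[5]
        config_dict["Add To Registry"] = config[6]
        config_dict["Registry Key"] = config[7]
        config_dict["Melt + Inject SVCHost"] = config[8]
        config_dict["Anti Kill Process"] = config[9]
        config_dict["USB Spread"] = config[10]
        config_dict["Kill AVG 2012-2013"] = config[11]
        config_dict["Kill Process Hacker"] = config[12]
        config_dict["Kill Process Explorer"] = config[13]
        config_dict["Kill NO-IP"] = config[14]
        config_dict["Block Virus Total"] = config[15]
        config_dict["Block Virus Scan"] = config[16]
        config_dict["HideProcess"] = config[17]
        snortRule(md5, config_dict)
        createIOC(md5, config_dict)
        # The domain is sample-supplied; the database layer must not trust it.
        database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict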
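def run(md5, data):
    """Parse an ``abccba``-delimited configuration blob and record it.

    Args:
        md5: sample identifier, passed through to ``snortRule``,
            ``createIOC`` and ``database.insertDomain``.
        data: decoded configuration text whose fields are separated by the
            literal ``abccba``; field 0 is unused, fields 1..17 map onto
            ``field_names`` in order.

    Returns:
        A dict of the named settings, or an empty dict when ``data`` does
        not split into enough fields (in which case nothing is recorded).
    """
    # Names for fields 1..17, in split order.
    field_names = (
        "Domain",
        "Port",
        "Campaign Name",
        "Copy StartUp",
        "StartUp Name",
        "Add To Registry",
        "Registry Key",
        "Melt + Inject SVCHost",
        "Anti Kill Process",
        "USB Spread",
        "Kill AVG 2012-2013",
        "Kill Process Hacker",
        "Kill Process Explorer",
        "Kill NO-IP",
        "Block Virus Total",
        "Block Virus Scan",
        "HideProcess",
    )
    config_dict = {}
    config = data.split("abccba")
    # The original guard (``len(config) > 5``) let a partially split blob
    # raise IndexError on the later fields; require all 17 named fields.
    if len(config) > len(field_names):
        config_dict = dict(zip(field_names, config[1:len(field_names) + 1]))
        snortRule(md5, config_dict)
        createIOC(md5, config_dict)
        # The domain is sample-supplied; the database layer must not trust it.
        database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict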
def run(md5, data):
    """Extract and parse the configuration, then record it when a domain is set.

    Args:
        md5: sample identifier, passed through to ``snortRule``,
            ``generateIOC`` and ``database.insertDomain``.
        data: raw sample bytes handed to ``get_config``.

    Returns:
        The dict produced by ``parse_config``. The Snort rule, IOC and
        database entry are only produced when its ``Domain`` entry is
        non-empty.

    Raises:
        KeyError: if ``parse_config`` returns a dict without ``Domain``.
    """
    parsed = parse_config(get_config(data))
    # Only a config with a non-empty Domain yields indicators.
    has_domain = len(parsed["Domain"]) > 0
    if has_domain:
        snortRule(md5, parsed)
        generateIOC(md5, parsed)
        # The domain is sample-supplied; the database layer must not trust it.
        database.insertDomain(md5, [parsed["Domain"]])
    return parsed
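def run(md5, rawData):
    """Decode a configuration from either the legacy text or the PE layout.

    Args:
        md5: sample identifier, passed through to ``database.insertDomain``.
        rawData: raw sample bytes.

    Returns:
        The configuration dict, or ``None`` when neither decoder produced one.

    Raises:
        Whatever ``pype32.PE``, ``getStream`` or ``parseConfig`` raise on a
        malformed sample; nothing is caught here.
    """
    # The original used two locals differing only in case
    # (``rawconfig`` / ``rawConfig``); they are distinct values, so give
    # each a descriptive name.
    legacy_fields = rawData.split("abccba")
    if len(legacy_fields) > 1:
        # Legacy builds carry the config as abccba-delimited text.
        log.info("Running Abccba")
        conf = oldversions(legacy_fields)
    else:
        # Newer builds: parse the PE and read the config from a stream.
        log.info("Running pype32")
        pe = pype32.PE(data=rawData)
        stream_config = getStream(pe)
        conf = parseConfig(stream_config)
    if not conf:
        return None
    # The domain is sample-supplied; the database layer must not trust it.
    database.insertDomain(md5, [conf["Domain"]])
    return conf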
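def run(md5, rawData):
    """Decode a configuration from either the legacy text or the PE layout.

    Args:
        md5: sample identifier, passed through to ``database.insertDomain``.
        rawData: raw sample bytes.

    Returns:
        The configuration dict, or ``None`` when neither decoder produced one.

    Raises:
        Whatever ``pype32.PE``, ``getStream`` or ``parseConfig`` raise on a
        malformed sample; nothing is caught here.
    """
    # Python 2 ``print`` statements replaced with the function form, which
    # prints the same text on both interpreters and is required on Python 3.
    # The two locals differing only in case (``rawconfig``/``rawConfig``)
    # are renamed since they hold different values.
    legacy_fields = rawData.split("abccba")
    if len(legacy_fields) > 1:
        # Legacy builds carry the config as abccba-delimited text.
        print("Running Abccba")
        conf = oldversions(legacy_fields)
    else:
        # Newer builds: parse the PE and read the config from a stream.
        print("Running pype32")
        pe = pype32.PE(data=rawData)
        stream_config = getStream(pe)
        conf = parseConfig(stream_config)
    if not conf:
        return None
    # The domain is sample-supplied; the database layer must not trust it.
    database.insertDomain(md5, [conf["Domain"]])
    return conf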
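def run(md5, data):
    """Extract, decrypt and parse the configuration embedded in a Jar.

    Args:
        md5: sample identifier, passed through to ``snortRule`` and
            ``database.insertDomain``.
        data: raw Jar bytes handed to ``get_parts``.

    Returns:
        The parsed configuration dict, or ``None`` when no key was found or
        the key length is not one of the two supported sizes.
    """
    print("[+] Extracting Data from Jar")
    enckey, conf = get_parts(data)
    if enckey is None:
        return None
    # NOTE(review): ``.encode().hex()`` assumes ``get_parts`` returns the key
    # as ``str``; a ``bytes`` key would need ``.hex()`` alone — confirm.
    print(f"[+] Decoding Config with Key: {enckey.encode().hex()}")
    if len(enckey) == 16:
        # Newer versions use a base64 encoded config.dat
        # this is not a great test but should work 99% of the time
        decrypt_func = new_aes if "==" in conf else old_aes
        raw_config = decrypt_func(conf, enckey)
    elif len(enckey) == 32:
        raw_config = old_des(conf, enckey)
    else:
        # Previously fell through here with ``raw_config`` unbound and died
        # with UnboundLocalError; report the key length and give up instead.
        print(f"[-] Unsupported key length {len(enckey)}, cannot decode config")
        return None
    config_dict = parse_config(raw_config, enckey)
    snortRule(md5, config_dict)
    # The domain is sample-supplied; the database layer must not trust it.
    database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict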
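def run(md5, data):
    """Extract, decrypt and parse the configuration embedded in a Jar.

    Args:
        md5: sample identifier, passed through to ``snortRule`` and
            ``database.insertDomain``.
        data: raw Jar bytes handed to ``get_parts``.

    Returns:
        The parsed configuration dict, or ``None`` when no key was found or
        the key length is not one of the two supported sizes.
    """
    # Python 2 ``print`` statements and ``str.encode('hex')`` replaced with
    # the Python 3 forms; the output text is unchanged.
    print("[+] Extracting Data from Jar")
    enckey, conf = get_parts(data)
    if enckey is None:
        return None
    # NOTE(review): ``.encode().hex()`` assumes ``get_parts`` returns the key
    # as ``str``; a ``bytes`` key would need ``.hex()`` alone — confirm.
    print("[+] Decoding Config with Key: {0}".format(enckey.encode().hex()))
    if len(enckey) == 16:
        # Newer versions use a base64 encoded config.dat
        # this is not a great test but should work 99% of the time
        if '==' in conf:
            raw_config = new_aes(conf, enckey)
        else:
            raw_config = old_aes(conf, enckey)
    elif len(enckey) == 32:
        raw_config = old_des(conf, enckey)
    else:
        # Previously fell through here with ``raw_config`` unbound and died
        # with UnboundLocalError; report the key length and give up instead.
        print("[-] Unsupported key length {0}, cannot decode config".format(len(enckey)))
        return None
    config_dict = parse_config(raw_config, enckey)
    snortRule(md5, config_dict)
    # The domain is sample-supplied; the database layer must not trust it.
    database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict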
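def run(md5, data):
    """Extract, decrypt and parse the configuration embedded in a Jar.

    Args:
        md5: sample identifier, passed through to ``snortRule`` and
            ``database.insertDomain``.
        data: raw Jar bytes handed to ``get_parts``.

    Returns:
        The parsed configuration dict, or ``None`` when no key was found or
        the key length is not one of the two supported sizes.
    """
    print("[+] Extracting Data from Jar")
    enckey, conf = get_parts(data)
    if enckey is None:
        return None
    # ``enckey.encode('hex')`` is a Python 2 idiom; on Python 3 ``str.encode``
    # raises LookupError for 'hex', so the key is hex-encoded via bytes.
    # NOTE(review): this assumes ``get_parts`` returns the key as ``str``;
    # a ``bytes`` key would need ``.hex()`` alone — confirm.
    print("[+] Decoding Config with Key: {0}".format(enckey.encode().hex()))
    if len(enckey) == 16:
        # Newer versions use a base64 encoded config.dat
        # this is not a great test but should work 99% of the time
        if '==' in conf:
            raw_config = new_aes(conf, enckey)
        else:
            raw_config = old_aes(conf, enckey)
    elif len(enckey) == 32:
        raw_config = old_des(conf, enckey)
    else:
        # Previously fell through here with ``raw_config`` unbound and died
        # with UnboundLocalError; report the key length and give up instead.
        print("[-] Unsupported key length {0}, cannot decode config".format(len(enckey)))
        return None
    config_dict = parse_config(raw_config, enckey)
    snortRule(md5, config_dict)
    # The domain is sample-supplied; the database layer must not trust it.
    database.insertDomain(md5, [config_dict["Domain"]])
    return config_dict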
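def generateIOC(md5, confDict):
    """Build an OpenIOC document for a PoisonIvy configuration and store it.

    Args:
        md5: sample identifier; passed through unchanged as the key for the
            ``database.insertDomain`` / ``database.insertIOC`` calls and
            embedded as the ``FileItem/Md5sum`` indicator.
        confDict: parsed configuration. Keys read here: ``InstallName``,
            ``InstallPath``, ``Mutex``, ``ActiveXKey``, ``HKLMValue`` and
            ``Domains`` (a ``|``-separated list of ``host:port`` entries).

    Returns:
        None. Side effects: writes the extracted domains and the generated
        IOC to ``database``.

    Raises:
        KeyError: if one of the keys above is missing from ``confDict``.
    """
    # Indicator tuples are (condition, document, search path, content type, value).
    # Registry key paths are raw strings so the backslashes are never read as
    # escape sequences; the original non-raw literals only worked because none
    # of the backslash-letter pairs in them is a recognised escape (Python 3.12+
    # warns about them).
    active_setup_key = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
    run_key = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'

    # Create the list for File Artefacts
    fileIOC = [
        ('is', 'FileItem', 'FileItem/FileName', 'string', confDict["InstallName"]),
        ('contains', 'FileItem', 'FileItem/FilePath', 'string', confDict["InstallPath"]),
        ('is', 'FileItem', 'FileItem/Md5sum', 'md5', md5),
        ('is', 'ProcessItem', 'ProcessItem/HandleList/Handle/Name', 'string', confDict["Mutex"]),
    ]

    # Create the list for Registry Artefacts
    regIOC = [
        ('contains', 'RegistryItem', 'RegistryItem/Path', 'string', active_setup_key),
        ('is', 'RegistryItem', 'RegistryItem/Value', 'string', confDict["ActiveXKey"]),
        ('contains', 'RegistryItem', 'RegistryItem/Path', 'string', run_key),
        ('is', 'RegistryItem', 'RegistryItem/Value', 'string', confDict["HKLMValue"]),
    ]

    # add each list to our master list
    items = [fileIOC, regIOC]

    # "Domains" holds |-separated host:port entries; keep only the host part.
    # Empty entries (e.g. from a trailing separator) are dropped up front so
    # they neither reach the database nor become an empty DNS indicator
    # (the original skipped them for the IOC but still inserted them).
    # These values come straight from the sample and are attacker-controlled;
    # the database layer must treat them as untrusted input.
    domList = []
    for entry in confDict["Domains"].split("|"):
        host = entry.split(":")[0]
        if host != '':
            domList.append(host)
    database.insertDomain(md5, domList)

    # One single-indicator group per domain, as in the original layout.
    for domain in domList:
        items.append([("contains", "Network", "Network/DNS", "string", domain)])

    IOC = createIOC.main(items, 'PoisonIvy', md5)
    database.insertIOC(md5, IOC)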