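def get_bot_information(self, file_data):
    """Extract C2 host/port pairs from the sample's wide strings.

    Revenge keeps its configuration in comma-terminated, comma-separated
    lists; every field of such a list is tested as a host
    (``is_ip_or_domain``) or as a port (``Revenge._is_number``).

    Args:
        file_data: raw bytes of the sample.

    Returns:
        ``{}`` when no host or no port was found;
        ``{'c2_uri': 'tcp://host:port'}`` for exactly one host and one port;
        otherwise ``{'c2s': [{'c2_uri': ...}, ...]}`` with hosts and ports
        paired positionally (unpaired leftovers are dropped).

    The extracted values are attacker-controlled data copied verbatim from
    the sample; treat them as indicators, not as trusted input.
    """
    results = {}
    wide_strings = list(data_strings_wide(file_data, 1))

    def _csv_fields(s, min_len):
        # Config entries look like "a,b,c,"; only such entries are split.
        if s.endswith(',') and len(s) > min_len:
            return s[:-1].strip().split(',')
        return []

    potential_domains = [
        field
        for s in wide_strings
        for field in _csv_fields(s, 4)
        if is_ip_or_domain(field)
    ]

    potential_ports = []
    for s in wide_strings:
        for field in _csv_fields(s, 2):
            if Revenge._is_number(field):
                try:
                    potential_ports.append(int(field))
                except ValueError:
                    # _is_number accepted it but it is not an integer literal
                    continue

    # Decoy hostnames the RAT embeds. A comprehension drops every occurrence;
    # list.remove() only dropped the first one.
    extra_domains = ("winlogon.com", "Microsoft.com")
    potential_domains = [d for d in potential_domains if d not in extra_domains]

    # With several candidates, values of 10 or less are not ports. Ports are
    # ints now, so the comparison is well-defined (the original compared
    # str to int, which is always True on Python 2 and a TypeError on 3).
    if len(potential_ports) > 1:
        potential_ports = [p for p in potential_ports if p > 10]

    if not potential_domains or not potential_ports:
        return results

    if len(potential_domains) == 1 and len(potential_ports) == 1:
        host, port = potential_domains[0], potential_ports[0]
        if host.endswith(":" + str(port)):
            # The host string already carries the port.
            results['c2_uri'] = "tcp://{0}".format(host)
        else:
            results['c2_uri'] = "tcp://{0}:{1}".format(host, port)
    else:
        # zip() stops at the shorter list, so a surplus of hosts no longer
        # raises IndexError when indexing the ports list.
        results['c2s'] = [
            {"c2_uri": "tcp://{0}:{1}".format(host, port)}
            for host, port in zip(potential_domains, potential_ports)
        ]
    return results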
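def get_bot_information(self, file_data):
    """Return the first "host followed by port" pair among the wide strings.

    The decoder assumes the sample stores the C2 host and, as the very next
    wide string, its port.

    Args:
        file_data: raw bytes of the sample.

    Returns:
        ``{'c2_uri': 'tcp://host:port'}`` for the first host string whose
        successor parses as an integer, else ``{}``.
    """
    results = {}
    wide_strings = list(data_strings_wide(file_data))
    # Pair each string with its successor; the last string has none and so
    # cannot be a host (indexing wide_strings[x + 1] raised IndexError there).
    for host, candidate_port in zip(wide_strings, wide_strings[1:]):
        if not is_ip_or_domain(host):
            continue
        try:
            port = int(candidate_port)
        except ValueError:
            # A host whose successor is not numeric; keep scanning instead of
            # aborting the whole extraction with an uncaught ValueError.
            continue
        results['c2_uri'] = "tcp://{0}:{1}".format(host, port)
        break
    return results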
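def get_bot_information(self, file_data):
    """Collect every distinct ``http://`` URL among the sample's wide strings.

    Args:
        file_data: raw bytes of the sample.

    Returns:
        ``{'c2s': [{'c2_uri': url}, ...]}`` in first-seen order, or ``{}``
        when no URL was found. The bare prefix ``"http://"`` is ignored.
    """
    results = {}
    seen = set()
    urls = []
    for s in data_strings_wide(file_data):
        # First-seen order keeps reports reproducible run to run; iterating
        # a set reordered the entries under hash randomisation.
        if s.startswith("http://") and s != "http://" and s not in seen:
            seen.add(s)
            urls.append(s)
    if urls:
        results["c2s"] = [{"c2_uri": u} for u in urls]
    return results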
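def get_bot_information(self, file_data):
    """Return the first wide string that starts like a tcp:// or http(s):// C2 URI.

    Args:
        file_data: raw bytes of the sample.

    Returns:
        ``{'c2_uri': <wide string>}`` for the first match, else ``{}``.

    Note:
        ``re.match`` anchors only at the start, so the stored value is the
        whole wide string, including anything that follows the URI.
    """
    # Raw strings: '\-' and '\.' inside a plain literal are invalid Python
    # escape sequences (a SyntaxWarning on recent interpreters).
    c2_patterns = (
        re.compile(r'tcp://[a-z0-9_\-\.]+:[0-9]{1,5}', re.IGNORECASE),
        re.compile(r'(http|https)://[a-z0-9_\-\.]+:[0-9]{1,5}/[a-z0-9_-]+/',
                   re.IGNORECASE),
    )
    results = {}
    for wide_string in data_strings_wide(file_data, 1):
        if any(pattern.match(wide_string) for pattern in c2_patterns):
            results['c2_uri'] = wide_string
            break
    return results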
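def get_bot_information(self, file_data):
    """Decode base64-encoded ``http...`` strings and report the result as the C2.

    ``aHR`` is the base64 encoding of ``htt``, so any wide string starting
    that way is a candidate.

    Args:
        file_data: raw bytes of the sample.

    Returns:
        ``{'c2_uri': <decoded text>}`` or ``{}``. When several candidates
        decode, the last one wins (unchanged from the original decoder).
    """
    # '+' belongs to the base64 alphabet and was missing from the class;
    # the raw string avoids the invalid '\=' escape.
    base64_http_regex = re.compile(r'aHR[A-Za-z0-9+/]{10,}={0,2}')
    results = {}
    for wide_string in data_strings_wide(file_data, 1):
        if not base64_http_regex.match(wide_string):
            continue
        try:
            decoded = base64.b64decode(wide_string).decode('ascii')
        except (TypeError, ValueError):
            # Bad padding (TypeError on Python 2, binascii.Error on 3) or
            # non-ASCII output: not a URL, skip it instead of crashing.
            continue
        results['c2_uri'] = "{0}".format(decoded)
    return results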
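def get_bot_information(self, file_data):
    """Collect every distinct wide string ending in ``.php`` as a gate URL.

    Args:
        file_data: raw bytes of the sample.

    Returns:
        ``{'c2s': [{'c2_uri': gate}, ...]}`` in first-seen order, or ``{}``
        when no ``.php`` string exists.
    """
    results = {}
    seen = set()
    gates = []
    # NOTE(review): charset is passed explicitly, presumably so that URL
    # punctuation survives extraction — confirm against data_strings_wide's
    # default.
    charset = lowercase + uppercase + punctuation + digits
    for s in data_strings_wide(file_data, charset=charset):
        # First-seen order keeps output stable across runs; a set did not.
        if s.endswith(".php") and s not in seen:
            seen.add(s)
            gates.append(s)
    if gates:
        results["c2s"] = [{"c2_uri": g} for g in gates]
    return results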
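def get_bot_information(self, file_data):
    """Find the C2 host stored shortly after the ``_ENABLE_PROFILING`` marker.

    The first host/IP (``is_ip_or_domain``) among the eleven wide strings
    that follow the marker is reported.

    Args:
        file_data: raw bytes of the sample.

    Returns:
        ``{'c2_uri': host}`` or ``{}``.
    """
    results = {}
    wide_strings = list(data_strings_wide(file_data, 1))
    for index, value in enumerate(wide_strings):
        if value != "_ENABLE_PROFILING":
            continue
        # Slicing clips the window at the end of the list; indexing
        # wide_strings[i + j] raised IndexError whenever the marker sat
        # within the last eleven strings.
        for candidate in wide_strings[index + 1:index + 12]:
            if is_ip_or_domain(candidate):
                results['c2_uri'] = candidate
                return results
    return results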
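def get_bot_information(self, file_data):
    """Base64-decode candidate wide strings and report the one that is a host.

    Args:
        file_data: raw bytes of the sample.

    Returns:
        ``{'c2_uri': 'tcp://host'}`` for the last candidate whose decoded
        form passes ``is_ip_or_domain``, else ``{}``.
    """
    # '+' belongs to the base64 alphabet and was missing from the class;
    # the raw string avoids the invalid '\=' escape.
    base64_regex = re.compile(r'[A-Za-z0-9+/]{10,}={0,2}')
    results = {}
    for wide_string in data_strings_wide(file_data, 1):
        if not base64_regex.match(wide_string):
            continue
        try:
            decoded = base64.b64decode(wide_string).decode('ascii')
        except (TypeError, ValueError):
            # Bad padding (TypeError on Python 2, binascii.Error on 3) or
            # non-ASCII output. The bare except this replaces also swallowed
            # KeyboardInterrupt, which is never wanted.
            continue
        if is_ip_or_domain(decoded):
            results['c2_uri'] = "tcp://{0}".format(decoded)
    return results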
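def get_bot_information(self, file_data):
    """Report host/IP strings found in the PE's ``.text`` section.

    Args:
        file_data: raw bytes of the sample; must be a parseable PE image.

    Returns:
        ``{'c2_uri': 'tcp://host'}`` for the last candidate host, else ``{}``.

    Raises:
        pefile.PEFormatError: propagated from ``pefile.PE`` when the data is
        not a valid PE image.
    """
    results = {}
    pe = pefile.PE(data=file_data)
    dottext = b''
    for section in pe.sections:
        # Section names are NUL-padded to 8 bytes; strip the padding instead
        # of comparing against one exact padded spelling (which also never
        # matched on Python 3, where Name is bytes and the literal was str).
        if section.Name.rstrip(b'\x00') == b'.text':
            dottext = section.get_data()
    wide_strings = list(data_strings_wide(dottext, 1))
    # Filter with a comprehension: removing from the list while iterating it
    # skipped the element following each removal.
    extra_hosts = ('1.1.1.1',)
    potential_domains = [
        d for d in wide_strings if is_ip_or_domain(d) and d not in extra_hosts
    ]
    # Last candidate wins, as in the original decoder.
    for d in potential_domains:
        results['c2_uri'] = "tcp://{0}".format(d)
    return results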
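def get_bot_information(self, file_data):
    """Decrypt AgentTesla string blobs and collect any that look like e-mail addresses.

    Args:
        file_data: raw bytes of the sample.

    Returns:
        ``{'c2s': [{'c2_uri': 'email://addr'}, ...]}``; the list is present
        (possibly empty) even when nothing decrypted.
    """
    # Compiled once instead of per string; the raw string keeps '\.' a regex
    # escape rather than an invalid Python escape.
    email_regex = re.compile(r'[^@]+@[^@]+\.[^@]+')
    # Control characters found around the decrypted payload.
    junk_chars = '\n\r\t\x03\x04\x07\x08\x0a\x0b\x0c\x0d\x0e\x0f\x10'
    results = {'c2s': []}
    for a in data_strings_wide(file_data, 1):
        if len(a) <= 6:
            continue
        try:
            decrypted = AgentTesla.stringdecrypt(a).strip(junk_chars)
        except Exception:
            # Presumably the decryptor raises on strings that are not
            # encrypted blobs, so failures are expected. `except Exception`
            # replaces a bare except that also swallowed KeyboardInterrupt
            # and SystemExit.
            continue
        if email_regex.match(decrypted):
            results['c2s'].append({"c2_uri": "email://{0}".format(decrypted)})
    return results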
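def get_bot_information(self, file_data):
    """Extract the njRat C2 host and port from the sample's wide strings.

    The scan starts at the first string that begins with ``"0."`` or
    contains the firewall-exception command; everything before it is
    ignored.

    Args:
        file_data: raw bytes of the sample.

    Returns:
        ``{'c2_uri': 'tcp://host:port'}`` built from the first remaining host
        and the first remaining port, else ``{}``.
    """
    # todo Pimp this out with https://github.com/kevthehermit/RATDecoders/blob/master/njRat.py
    results = {}
    wide_strings = list(data_strings_wide(file_data, 1))

    start_index = 0
    for index, value in enumerate(wide_strings):
        if value.startswith("0.") or "netsh firewall add allowedprogram" in value:
            start_index = index
            break
    wide_strings = wide_strings[start_index:]

    # Decoy hostnames the RAT embeds. Filtering drops every occurrence;
    # list.remove() dropped only the first and could leave a decoy as
    # potential_domains[0].
    extra_domains = ("winlogon.com", "Microsoft.com")
    potential_domains = [
        d for d in wide_strings if is_ip_or_domain(d) and d not in extra_domains
    ]
    potential_ports = [int(p) for p in wide_strings if njRat._is_number(p)]
    # With several numeric strings, values of 10 or less are not ports.
    if len(potential_ports) > 1:
        potential_ports = [p for p in potential_ports if p > 10]

    if not potential_domains or not potential_ports:
        return results
    host, port = potential_domains[0], potential_ports[0]
    if host.endswith(":" + str(port)):
        # The host string already carries the port ("host:port").
        results['c2_uri'] = "tcp://{0}".format(host)
    else:
        results['c2_uri'] = "tcp://{0}:{1}".format(host, port)
    return results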
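def get_bot_information(self, file_data):
    """Extract the njRat C2 host and port from the sample's wide strings.

    The scan starts at the first string that begins with ``"0."`` or
    contains the firewall-exception command; everything before it is
    ignored.

    Args:
        file_data: raw bytes of the sample.

    Returns:
        ``{'c2_uri': 'tcp://host:port'}`` built from the first remaining host
        and the first remaining port, else ``{}``.
    """
    # todo Pimp this out with https://github.com/kevthehermit/RATDecoders/blob/master/njRat.py
    results = {}
    wide_strings = list(data_strings_wide(file_data, 1))

    start_index = 0
    for index, value in enumerate(wide_strings):
        if value.startswith("0.") or "netsh firewall add allowedprogram" in value:
            start_index = index
            break
    wide_strings = wide_strings[start_index:]

    # Decoy hostnames the RAT embeds. Filtering drops every occurrence;
    # list.remove() dropped only the first and could leave a decoy as
    # potential_domains[0].
    extra_domains = ("winlogon.com", "Microsoft.com")
    potential_domains = [
        d for d in wide_strings if is_ip_or_domain(d) and d not in extra_domains
    ]
    potential_ports = [int(p) for p in wide_strings if njRat._is_number(p)]
    # With several numeric strings, values of 10 or less are not ports.
    if len(potential_ports) > 1:
        potential_ports = [p for p in potential_ports if p > 10]

    if not potential_domains or not potential_ports:
        return results
    host, port = potential_domains[0], potential_ports[0]
    if host.endswith(":" + str(port)):
        # The host string already carries the port ("host:port").
        results['c2_uri'] = "tcp://{0}".format(host)
    else:
        results['c2_uri'] = "tcp://{0}:{1}".format(host, port)
    return results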