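    def get_bot_information(self, file_data):
        """Extract the C2 endpoint(s) from a sample's wide (UTF-16) strings.

        Hosts and ports are read from comma-terminated wide strings: each
        comma-separated field that ``is_ip_or_domain`` accepts is a candidate
        host and each field ``Revenge._is_number`` accepts is a candidate
        port.  Two decoy hosts ("winlogon.com", "Microsoft.com") are dropped.

        Args:
            file_data: raw bytes of the sample.

        Returns:
            ``{}`` when nothing usable was found;
            ``{'c2_uri': 'tcp://host:port'}`` for exactly one host and one
            port; otherwise ``{'c2s': [{'c2_uri': ...}, ...]}`` with hosts
            paired to ports by position (hosts without a port are dropped).
        """
        results = {}
        wide_strings = list(data_strings_wide(file_data, 1))

        potential_domains = []
        potential_ports = []
        for line in wide_strings:
            # Config fields are stored as a comma-terminated list; the trailing
            # comma is stripped before splitting.
            if not line.endswith(','):
                continue
            fields = line[:-1].strip().split(',')
            if len(line) > 4:
                potential_domains.extend(f for f in fields if is_ip_or_domain(f))
            if len(line) > 2:
                potential_ports.extend(f for f in fields if Revenge._is_number(f))

        for decoy in ("winlogon.com", "Microsoft.com"):
            if decoy in potential_domains:
                potential_domains.remove(decoy)

        def port_value(port):
            # Ports are still strings at this point; anything that is not a
            # plain integer sorts below the threshold and is filtered out.
            try:
                return int(port)
            except ValueError:
                return -1

        if len(potential_ports) > 1:
            # Compare numerically: a str/int comparison is a silent no-op on
            # Python 2 and a TypeError on Python 3, so the low-port filter
            # never actually applied.
            potential_ports = [p for p in potential_ports if port_value(p) > 10]

        # todo have less shitty extraction method
        if potential_domains and potential_ports:
            if len(potential_domains) == 1 and len(potential_ports) == 1:
                host, port = potential_domains[0], potential_ports[0]
                if host.endswith(":" + str(port)):
                    results['c2_uri'] = "tcp://{0}".format(host)
                else:
                    results['c2_uri'] = "tcp://{0}:{1}".format(host, port)
            else:
                # zip() stops at the shorter list, so a host without a matching
                # port no longer raises IndexError on attacker-controlled data.
                results['c2s'] = [
                    {"c2_uri": "tcp://{0}:{1}".format(host, port)}
                    for host, port in zip(potential_domains, potential_ports)
                ]
        return results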
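 def get_bot_information(self, file_data):
     """Return the first host/port pair found in the sample's wide strings.

     The host is a wide string ``is_ip_or_domain`` accepts and the port is
     the wide string immediately following it.

     Args:
         file_data: raw bytes of the sample.

     Returns:
         ``{'c2_uri': 'tcp://host:port'}`` for the first such pair, or ``{}``
         when there is none.  A host that is the last string, or that is
         followed by a non-integer, is skipped instead of raising.
     """
     results = {}
     wide_strings = list(data_strings_wide(file_data))
     # Pairing each string with its successor bounds the lookahead, so a host
     # at the very end of the list cannot cause an IndexError.
     for host, port_text in zip(wide_strings, wide_strings[1:]):
         if not is_ip_or_domain(host):
             continue
         try:
             port = int(port_text)
         except ValueError:
             # Not followed by a numeric port: keep scanning rather than
             # aborting the whole extraction on attacker-controlled data.
             continue
         results['c2_uri'] = "tcp://{0}:{1}".format(host, port)
         break
     return results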
 def get_bot_information(self, file_data):
     """Collect every distinct ``http://`` wide string as a C2 URI.

     Args:
         file_data: raw bytes of the sample.

     Returns:
         ``{'c2s': [{'c2_uri': url}, ...]}`` when at least one URL was found,
         otherwise ``{}``.  The entries come from a set, so their order is
         not fixed between runs.
     """
     urls = set(
         s for s in data_strings_wide(file_data)
         if s.startswith("http://") and s != "http://"
     )
     if not urls:
         return {}
     return {"c2s": [{"c2_uri": url} for url in urls]}
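 def get_bot_information(self, file_data):
     """Locate the first ``host, port`` pair among the sample's wide strings.

     A pair is a wide string accepted by ``is_ip_or_domain`` whose next wide
     string parses as an integer.

     Args:
         file_data: raw bytes of the sample.

     Returns:
         ``{'c2_uri': 'tcp://host:port'}`` or ``{}``.  Previously a host at
         the end of the list raised IndexError and a non-numeric successor
         raised ValueError; both cases are now skipped.
     """
     results = {}
     wide_strings = list(data_strings_wide(file_data))
     # zip with the shifted list stops one short of the end, so no index
     # past the last element is ever read.
     for candidate, following in zip(wide_strings, wide_strings[1:]):
         if not is_ip_or_domain(candidate):
             continue
         try:
             port = int(following)
         except ValueError:
             # Untrusted input: a host not followed by a port is not a hit.
             continue
         results['c2_uri'] = "tcp://{0}:{1}".format(candidate, port)
         break
     return results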
 def get_bot_information(self, file_data):
     """Report each distinct wide string that is an ``http://`` URL as a C2.

     Args:
         file_data: raw bytes of the sample.

     Returns:
         ``{'c2s': [{'c2_uri': url}, ...]}`` if any URL was found, else
         ``{}``.  Order follows set iteration and is therefore unspecified.
     """
     results = {}
     seen = set()
     for candidate in data_strings_wide(file_data):
         if candidate.startswith("http://") and candidate != "http://":
             seen.add(candidate)
     for url in seen:
         results.setdefault("c2s", []).append({"c2_uri": url})
     return results
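 def get_bot_information(self, file_data):
     """Return the first wide string that looks like a ``tcp://`` or ``http(s)://`` C2 URI.

     Args:
         file_data: raw bytes of the sample.

     Returns:
         ``{'c2_uri': <wide string>}`` for the first match, otherwise ``{}``.
     """
     # Raw strings: '\-' and '\.' inside a normal literal are invalid escape
     # sequences (a DeprecationWarning from Python 3.6 on); the pattern text
     # is unchanged.  ``match`` only anchors the start, so a string with
     # trailing characters still qualifies and is stored whole.
     c2_tcp_regex = re.compile(r'tcp://[a-z0-9_\-\.]+:[0-9]{1,5}', re.IGNORECASE)
     c2_http_regex = re.compile(r'(http|https)://[a-z0-9_\-\.]+:[0-9]{1,5}/[a-z0-9_-]+/', re.IGNORECASE)
     results = {}
     for wide_string in data_strings_wide(file_data, 1):
         if c2_tcp_regex.match(wide_string) or c2_http_regex.match(wide_string):
             results['c2_uri'] = wide_string
             break
     return results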
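    def get_bot_information(self, file_data):
        """Decode base64-encoded http(s) URLs from the sample's wide strings.

        Candidates are wide strings starting with ``aHR`` (the base64 encoding
        of ``htt``).  Each one is base64-decoded and stored under ``c2_uri``;
        with several candidates the last decodable one wins, as before.

        Args:
            file_data: raw bytes of the sample.

        Returns:
            ``{'c2_uri': decoded_url}`` or ``{}`` when no candidate decodes.
        """
        # Raw string: '\=' is an invalid escape sequence in a normal literal;
        # the pattern text itself is unchanged.
        base64_http_regex = re.compile(r'aHR[A-Za-z0-9/]{10,}[\=]{0,2}')

        results = {}
        for candidate in data_strings_wide(file_data, 1):
            if not base64_http_regex.match(candidate):
                continue
            try:
                decoded = base64.b64decode(candidate)
            except (TypeError, ValueError):
                # Bad padding or stray characters in attacker-controlled data
                # (TypeError on Python 2, binascii.Error on Python 3): skip the
                # candidate instead of aborting the whole extraction.
                continue
            if isinstance(decoded, bytes):
                # On Python 3 b64decode returns bytes; formatting them directly
                # would yield "b'http://...'".
                decoded = decoded.decode('ascii', 'ignore')
            results['c2_uri'] = "{0}".format(decoded)
        return results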
 def get_bot_information(self, file_data):
     """Report every distinct printable string ending in ``.php`` as a C2 gate.

     Args:
         file_data: raw bytes of the sample.

     Returns:
         ``{'c2s': [{'c2_uri': gate}, ...]}`` when at least one ``.php``
         string was found, else ``{}``.  The list is built from a set, so its
         order is unspecified.
     """
     charset = lowercase + uppercase + punctuation + digits
     gates = set(
         s for s in data_strings_wide(file_data, charset=charset)
         if s.endswith(".php")
     )
     results = {}
     if gates:
         results["c2s"] = [{"c2_uri": gate} for gate in gates]
     return results
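    def get_bot_information(self, file_data):
        """Find the C2 host stored shortly after the ``_ENABLE_PROFILING`` marker.

        The first of the eleven wide strings following the marker that
        ``is_ip_or_domain`` accepts is returned as-is (no scheme or port is
        added).

        Args:
            file_data: raw bytes of the sample.

        Returns:
            ``{'c2_uri': host}`` or ``{}`` when the marker is absent or no host
            follows it.
        """
        results = {}
        wide_strings = list(data_strings_wide(file_data, 1))
        for index, value in enumerate(wide_strings):
            if value != "_ENABLE_PROFILING":
                continue
            # Slicing clamps the window to the end of the list, so a marker
            # within the last eleven strings of a (possibly truncated) sample
            # no longer raises IndexError.
            for candidate in wide_strings[index + 1:index + 12]:
                if is_ip_or_domain(candidate):
                    results['c2_uri'] = candidate
                    return results
        return results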
 def get_bot_information(self, file_data):
     """Collect the distinct printable strings ending in ``.php`` as C2 gates.

     Args:
         file_data: raw bytes of the sample.

     Returns:
         ``{'c2s': [{'c2_uri': gate}, ...]}`` if any gate was found, else
         ``{}``.  Gates are deduplicated through a set, so the list order is
         unspecified.
     """
     results = {}
     alphabet = lowercase + uppercase + punctuation + digits
     gates = set()
     for printable in data_strings_wide(file_data, charset=alphabet):
         if printable.endswith(".php"):
             gates.add(printable)
     if gates:
         results["c2s"] = [{"c2_uri": gate} for gate in gates]
     return results
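 def get_bot_information(self, file_data):
     """Look for a base64-encoded C2 host among the sample's wide strings.

     Every wide string that starts with at least ten base64 characters is
     decoded; if the decoded text passes ``is_ip_or_domain`` it is reported
     as ``tcp://<host>``.  With several hits the last one wins, as before.

     Args:
         file_data: raw bytes of the sample.

     Returns:
         ``{'c2_uri': 'tcp://host'}`` or ``{}``.
     """
     # Raw string: '\=' is an invalid escape in a normal literal; the pattern
     # text is unchanged.
     base64_regex = re.compile(r'[A-Za-z0-9/]{10,}[\=]{0,2}')
     results = {}
     for candidate in data_strings_wide(file_data, 1):
         if not base64_regex.match(candidate):
             continue
         try:
             decoded = base64.b64decode(candidate).decode('ascii')
         except (TypeError, ValueError):
             # Expected failures on arbitrary input: bad padding (TypeError on
             # Python 2, binascii.Error on Python 3) or non-ASCII output
             # (UnicodeDecodeError).  Anything else now propagates instead of
             # being hidden by a bare except.
             continue
         if is_ip_or_domain(decoded):
             results['c2_uri'] = "tcp://{0}".format(decoded)
     return results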
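 def get_bot_information(self, file_data):
     """Report hosts found in the wide strings of the PE's ``.text`` section.

     Args:
         file_data: raw bytes of the sample.

     Returns:
         ``{'c2_uri': 'tcp://host'}`` for the last host found (each hit
         overwrites the previous one, as before), or ``{}``.

     Raises:
         pefile.PEFormatError: if ``file_data`` is not a parseable PE image.
     """
     results = {}
     pe = pefile.PE(data=file_data)
     dottext = ''
     for section in pe.sections:
         # NOTE(review): section.Name is bytes on Python 3, where this str
         # comparison never matches — confirm the interpreter in use.
         if section.Name == '.text\x00\x00\x00':
             dottext = section.get_data()
     wide_strings = list(data_strings_wide(dottext, 1))
     # Filter in one pass instead of calling list.remove() while iterating the
     # same list, which skipped the element after each removal and only ever
     # dropped the first occurrence of a decoy.
     decoys = ['1.1.1.1']
     potential_domains = [
         d for d in wide_strings if is_ip_or_domain(d) and d not in decoys
     ]
     for host in potential_domains:
         results['c2_uri'] = "tcp://{0}".format(host)
     return results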
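 def get_bot_information(self, file_data):
     """Recover e-mail exfiltration addresses from encrypted wide strings.

     Every wide string longer than six characters is run through
     ``AgentTesla.stringdecrypt``; decrypted values shaped like an e-mail
     address are reported as ``email://<address>``.

     Args:
         file_data: raw bytes of the sample.

     Returns:
         ``{'c2s': [{'c2_uri': 'email://...'}, ...]}``; the list is present
         (possibly empty) even when nothing decrypts, as before.
     """
     # Raw string: '\.' is an invalid escape in a normal literal; the pattern
     # text is unchanged.
     email_regex = re.compile(r'[^@]+@[^@]+\.[^@]+')
     control_chars = '\n\r\t\x03\x04\x07\x08\x0a\x0b\x0c\x0d\x0e\x0f\x10'
     results = {'c2s': []}
     for candidate in data_strings_wide(file_data, 1):
         if len(candidate) <= 6:
             continue
         try:
             decrypted = AgentTesla.stringdecrypt(candidate).strip(control_chars)
         except Exception:
             # stringdecrypt is fed arbitrary strings and its failure modes
             # are not visible here, so decryption stays best-effort; but only
             # ordinary exceptions are swallowed now (KeyboardInterrupt and
             # SystemExit propagate).
             continue
         # NOTE(review): assumes stringdecrypt returns text, not bytes — confirm.
         if email_regex.match(decrypted):
             results['c2s'].append({"c2_uri": "email://{0}".format(decrypted)})
     return results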
    def get_bot_information(self, file_data):
        """Pair the first host with the first port found in the sample's wide strings.

        Scanning starts at the first wide string that begins with ``0.`` or
        contains the firewall-exception command (or at the beginning when
        neither occurs); decoy hosts are dropped and, when more than one port
        candidate exists, ports of 10 or below are ignored.

        Args:
            file_data: raw bytes of the sample.

        Returns:
            ``{'c2_uri': 'tcp://host:port'}`` (or ``tcp://host`` when the host
            string already ends in ``:port``), else ``{}``.
        """
        # todo Pimp this out with https://github.com/kevthehermit/RATDecoders/blob/master/njRat.py
        results = {}
        wide_strings = list(data_strings_wide(file_data, 1))

        # Skip everything before the config marker, if there is one.
        start_index = 0
        for position, value in enumerate(wide_strings):
            if value.startswith("0.") or "netsh firewall add allowedprogram" in value:
                start_index = position
                break
        wide_strings = wide_strings[start_index:]

        hosts = [s for s in wide_strings if is_ip_or_domain(s)]
        ports = [int(s) for s in wide_strings if njRat._is_number(s)]

        for decoy in ("winlogon.com", "Microsoft.com"):
            if decoy in hosts:
                hosts.remove(decoy)

        if len(ports) > 1:
            ports = [port for port in ports if port > 10]

        # todo have less shitty extraction method
        if not hosts or not ports:
            return results

        host, port = hosts[0], ports[0]
        if host.endswith(":" + str(port)):
            results['c2_uri'] = "tcp://{0}".format(host)
        else:
            results['c2_uri'] = "tcp://{0}:{1}".format(host, port)
        return results
    def get_bot_information(self, file_data):
        """Build a ``tcp://`` C2 URI from the first host and first port in the wide strings.

        The scan begins at the first wide string starting with ``0.`` or
        containing the firewall-exception command, falling back to the start
        of the list.  Known decoy hosts are removed; if several port
        candidates exist, those of 10 or below are discarded.

        Args:
            file_data: raw bytes of the sample.

        Returns:
            ``{'c2_uri': 'tcp://host:port'}``, ``{'c2_uri': 'tcp://host'}`` when
            the host already ends in ``:port``, or ``{}``.
        """
        # todo Pimp this out with https://github.com/kevthehermit/RATDecoders/blob/master/njRat.py
        results = {}
        wide_strings = list(data_strings_wide(file_data, 1))

        def is_marker(value):
            return value.startswith("0.") or "netsh firewall add allowedprogram" in value

        # Position of the first marker, or 0 when there is none.
        start_index = next(
            (index for index, value in enumerate(wide_strings) if is_marker(value)),
            0,
        )
        wide_strings = wide_strings[start_index:]

        candidate_hosts = [s for s in wide_strings if is_ip_or_domain(s)]
        candidate_ports = [int(s) for s in wide_strings if njRat._is_number(s)]

        for decoy in ["winlogon.com", "Microsoft.com"]:
            if decoy in candidate_hosts:
                candidate_hosts.remove(decoy)

        if len(candidate_ports) > 1:
            candidate_ports = [p for p in candidate_ports if p > 10]

        # todo have less shitty extraction method
        if candidate_hosts and candidate_ports:
            host = candidate_hosts[0]
            port = candidate_ports[0]
            if host.endswith(":" + str(port)):
                results['c2_uri'] = "tcp://{0}".format(host)
            else:
                results['c2_uri'] = "tcp://{0}:{1}".format(host, port)

        return results