initial commit of the files

2022-08-29 13:54:43 +02:00
commit 4625878297
9 changed files with 135 additions and 0 deletions
--- a/Hancitor/extract_config.py
+++ b/Hancitor/extract_config.py
@@ -0,0 +1,86 @@
 #everything is from here : https://www.youtube.com/watch?v=OQuRwpUTBpQ
 #i added comments so i can understand the code better
 import pefile   #working with a pe file
 import re       #regular expression search
 import struct   #convert data to numbers
 import hashlib  #sha1 hash
 import sys      #arg
 def rc4crypt(data, key):
    #If the input is a string convert to byte arrays
    if type(data) == str:
        data = data.encode('utf-8')
    if type(key) == str:
        key = key.encode('utf-8')
    x = 0
    box = list(range(256))
    for i in range(256):
        x = (x + box[i] + key[i % len(key)]) % 256
        box[i], box[x] = box[x], box[i]
    x = 0
    y = 0
    out = []
    for c in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(c ^ box[(box[x] + box[y]) % 256])
    return bytes(out)
 if len(sys.argv) != 2 :
    print("Usage : python extract_config.py [sample.bin]")
    exit(0)
 sample_path = sys.argv[1]
 data = open(sample_path,"rb").read()
 pe = pefile.PE(data=data)
 """
 6A 08                                   push    8               ; dwDataLen
 68 10 50 57 00                          push    offset pbData   ; pbData
 68 00 20 00 00                          push    2000h           ; pdwDataLen
 """
 sig = rb"\x6A(.)\x68(....)\x68\x00\x20\x00\x00" #'.' is a wildcard, same as '?', '()' is for a capture group, so we can catch their values
 match = re.search(sig, data)
 if match == None :
    """
    Signature got updated
    6A 08                                   push    8               ; dwDataLen
    68 10 40 00 10                          push    offset pbData   ; pbData
    56                                      push    esi             ; pdwDataLen
    """
    sig = rb"\x6A(.)\x68(....)\x56" #'.' is a wildcard, same as '?', '()' is for a capture group, so we can catch their values
    match = re.search(sig, data)
 print("key length: %r" % match.group(1))
 print("key address: %r" % match.group(2))
 key_len = struct.unpack('b', match.group(1))[0]
 key_addr = struct.unpack('<I', match.group(2))[0] #'<I' : little endian
 key_rva = key_addr - pe.OPTIONAL_HEADER.ImageBase #RVA : Relative Virtual Address, we need that so we can translate it to a file offset
 key_offset = pe.get_offset_from_rva(key_rva)
 key_data = data[key_offset:key_offset+key_len]
 print("key data: %r" % key_data)
 config_data = data[key_offset+key_len:key_offset+key_len+0x2000]
 m = hashlib.sha1()
 m.update(key_data)      #sha1 the key data
 key = m.digest()[:5]    #keeping only the first 5 bytes of the sha1 of key_data
 config = rc4crypt(config_data, key)
 build_id = config.split(b'\x00')[0].decode()
 c2_string = ''
 for s in config.split(b'\x00')[1:]:
    if s != b'':
        c2_string = s.decode()
        break
 c2_list = c2_string.split("|")[:-1]
 print("build id: %s" % build_id)
 print("C2: %s" % c2_list)
--- a/Hancitor/hancitor.yara
+++ b/Hancitor/hancitor.yara
@@ -0,0 +1,11 @@
 rule hancitor : rat
 {
    meta:
        description = "Hancitor"
        threat_level = 3
        in_the_wild = true
    strings:
        $config_params = "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)"
    condition:
        $config_params
 }
--- a/Hancitor/sample.bin
+++ b/Hancitor/sample.bin
--- a/Hancitor/sample.bin.idb
+++ b/Hancitor/sample.bin.idb
--- a/Hancitor/sample2.bin
+++ b/Hancitor/sample2.bin
--- a/Hancitor/sample2.bin.idb
+++ b/Hancitor/sample2.bin.idb
--- a/Nanocore/nanocore_rat.yara
+++ b/Nanocore/nanocore_rat.yara
@@ -0,0 +1,13 @@
 rule nanocore_rat : rat
 {
    meta:
        description = "Nanocore rat"
        threat_level = 3
        in_the_wild = true
    strings:
        $nanocore_name = "NanoCore"
        $get_StartupPath = "get_StartupPath"
        $ConnectDone = "ConnectDone"
    condition:
        $nanocore_name and $get_StartupPath and $ConnectDone
 }
--- a/Quasar/quasar_rat.yara
+++ b/Quasar/quasar_rat.yara
@@ -0,0 +1,13 @@
 rule quasar_rat : rat
 {
    meta:
        description = "Quasar rat"
        threat_level = 3
        in_the_wild = true
    strings:
        $quasar_name = "Quasar"
        $add_DownloadFileCompleted = "add_DownloadFileCompleted"
        $reverse_proxy_data = "ReverseProxyData"
    condition:
        $quasar_name and $add_DownloadFileCompleted and $reverse_proxy_data
 }
--- a/README.md
+++ b/README.md
@@ -0,0 +1,12 @@
 # Malware research
 I am learning about reverse engineering and malware analysis, here you'll find all of my work, including my IDA database (for IDA Pro 7.5), my config extractors, and my Yara rules !
 # Samples
 Here you can find a list of the samples present in this repo :
 * [Quasar rat](https://github.com/ALittlePatate/Malware-Research/tree/main/Quasar)
 * [Nanocore rat](https://github.com/ALittlePatate/Malware-Research/tree/main/Nanocore)
 * [Hancitor](https://github.com/ALittlePatate/Malware-Research/tree/main/Hancitor)
 # Special thanks
 I want to thank [herrcore](https://github.com/herrcore) for his [videos](https://www.youtube.com/c/OALabs/videos) and [streams](https://www.twitch.tv/oalabslive) about malware analysis, also he was super kind responding to my weird begginer questions on [his discord](https://discord.gg/uBk7wyE8) !