
Triage for v10 of this commodity implant

Overview

Spectre RAT is commodity malware designed for targeted e-crime attacks. According to an advert for the malware, the RAT's capabilities closely mimic those of commercial implants such as Cobalt Strike, with the ability to harvest data from victims and deploy second-stage payloads (ref. Walmart Global Tech Blog).

References

Sample

strings = {
    0x580A7C: "76E894005c2DE86E40b032a0931D2ABC05C6eB36ACb1C18F5b640aD24Bbc9454",
    0x19FEC8: "OzYuOT02LjY1LDUw",
    0x19FEE0: "ZWN0bXtjYXJtZ2xjaXxjbWFya28sYW9t",
    0x19FEF8: "Y2xnbWRpbmFpaGRmZnpnZHJpYWssYW9t",
    0x58098C: "1950BC4F01",
    0x5806F8: "17B4C29833",
    0x58080C: "EEE592271B",
    0x580590: "CullinetProgram",
    0x580B90: "680FDC",
    0x580578: "ACDB39",
    0x580A34: "09-23",
    0x580860: "rhnu.dll",
    0x580650: "nyxhv",
    0x5805D8: "B3C830CA-4433-CC3A-6737",
    0x5809A4: "uhapy",
    0x5808F0: "http://manjitaugustuswaters.com",
    0x580740: "jnml.php",
    0x580638: "grfq.php",
    0x580698: "tsml.zip",
    0x580A4C: "tsml_nonir.zip",
    0x580BF0: "wvxk.zip",
    0x580B0C: "wvxk_x64.zip",
    0x580B78: "wsau.exe",
    0x5805C0: "nico=",
    0x580B3C: "&yfat=",
    0x580A04: "&zbce=",
    0x580AAC: "&qiob=",
    0x5808A8: "&jwrb=",
    0x5807AC: "&nsmb=",
    0x5806B0: "&inau=",
    0x580608: "&wpof=",
    0x58077C: "&chja=",
    0x5809BC: "&ehin=",
    0x5808C0: "&vmzn=",
    0x5809EC: "&ouej=",
    0x580944: "&rzya=",
    0x580890: "&cdyt=",
    0x58092C: "&rich=",
    0x580794: "&clsx=",
    0x580ADC: "&hwqy=",
    0x5805A8: "?selk=",
    0x580BD8: "vdle",
    0x580BC0: "down/",
    0x580560: "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    0x58083C: "nircmdc.exe",
    0x580BA8: "zip.exe",
    0x580680: "/c ping localhost -n 6 > nul &",
    0x580974: "/c ping localhost -n 10 > nul &",
    0x5805F0: "cout",
    0x5807F4: "http://",
    0x580AC4: "true",
    0x580908: "false",
    0x5809D4: "void",
    0x580A94: ".asd",
    0x580620: "[@]",
    0x5808D8: "[|]",
    0x5807DC: "[*]",
    0x580710: ".png",
    0x580668: ".exe",
    0x580B54: ".lnk",
    0x580764: ".vbs",
    0x580B24: ".txt",
    0x580728: ".7z",
    0x5806E0: ".bak",
    0x580A1C: " --headless=old --disable-gpu --remote-debugging-port=0 ",
    0x5807C4: "MyTasks\\",
}

import idaapi
import idc
import ida_name


def set_hexrays_comment(address, text):
    '''
    set comment in decompiled code
    '''
    try:
        cfunc = idaapi.decompile(address)
        tl = idaapi.treeloc_t()
        tl.ea = address
        tl.itp = idaapi.ITP_SEMI
        if cfunc is not None:
            cfunc.set_user_cmt(tl, text)
            cfunc.save_user_cmts()
    except Exception:
        print(f"Unable to comment pseudocode at {hex(address)}")


def set_comment(address, text):
    # Set in disassembly
    idc.set_cmt(address, text, 0)
    # Set in decompiled data
    set_hexrays_comment(address, text)


for k, s in strings.items():
    print(f"{hex(k)}: {s}")
    # Keep the symbol a valid IDA name: non-alphanumeric characters become '_'
    name = 'g_str_' + ''.join(c if c.isalnum() else '_' for c in s)
    ida_name.set_name(k, name, ida_name.SN_FORCE)
    set_comment(k, s)

import base64
import urllib.parse


def decrypt(data, key):
    # URL-decode, then base64-decode the blob
    data = urllib.parse.unquote(data.decode())
    data = base64.b64decode(data)
    out = []
    for i in range(len(data)):
        # & binds tighter than ^: only bits 1 and 3 of each key byte are used
        out.append(data[i] ^ (key[i % len(key)] & 0xa))
    return bytes(out)


data_list = [
    b'ZWN0bXtjYXJtZ2xjaXxjbWFya28sYW9t',
    b'Y2xnbWRpbmFpaGRmZnpnZHJpYWssYW9t',
    b'OzYuOT02LjY1LDUw',
    b'WUJdU0hdW0BdWUJddHp3ZVtAX2ZjbnNlU0JddjMwXXF0bHBdeDo0XXBjbGFvX3A6Nl0wMDI0LTI5LzA2VzE4LTE6Lm1wZSoxW0JfMTAiWUBd',
    b'dDMwV3t0bHJfejo2X3hjbmFtXXg6NF8yODA0LTI5LzA0XzM6LTE6LGV6Zyp0MThdc3Zucl94ODRfcmNsaW1feDo0Xzo4MjQtMDsvMjRXMzgtMzouZ3plKj4oMSooNzExMTkyM2RmYzI5OjMyYWI8YzBgNDIzODhnYmZjZmsqMA==',
    b'MzIwIjkwMDExKDs0Ljk3Ni42Ny41MltAVTAqMjI1KEE6XFdxZXBxXkJwd25tXElycEZjdGFcUm1hb2tsb1xDdW5uaWZtdFByb2VwYW1UdXZ4ayx6a3JbQFUzMDAoMTIzMjMoQTpeV3FlcHFcQHJ9bG9eQ3BwRGF2YV5QbWltaW5lXkN9ZGxpbmV2UnJvb3BhbVx1dnppLnphcltAXw%3D%3D',
]
key = b'76E894005c2DE86E40b032a0931D2ABC05C6eB36ACb1C18F5b640aD24Bbc9454'

for data in data_list:
    print(decrypt(data, key))
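The decoder above hides two points worth making explicit for triage: the `& 0xa` mask reduces the 64-byte key to a keystream of at most four values, and the decoded fields are typed config entries (addresses, hostnames) rather than arbitrary text. The following is an added standalone example, not the author's script; it assumes only the key and the two short blobs from the string table above, and the `effective_keystream`, `classify` and `dump_config` helpers are mine.

```python
import base64
import re
import urllib.parse

# Constructed copy of the key and two short config blobs from the string
# table above (the long blobs are omitted here).
KEY = b"76E894005c2DE86E40b032a0931D2ABC05C6eB36ACb1C18F5b640aD24Bbc9454"
BLOBS = [b"OzYuOT02LjY1LDUw", b"ZWN0bXtjYXJtZ2xjaXxjbWFya28sYW9t"]

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def effective_keystream(key: bytes) -> bytes:
    """The implant never uses a full key byte: each byte is masked with 0x0a,
    so only bits 1 and 3 survive and the keystream takes at most four values
    (0x00, 0x02, 0x08, 0x0a)."""
    return bytes(k & 0x0A for k in key)


def decrypt(data: bytes, key: bytes) -> bytes:
    """URL-decode, base64-decode, then XOR with the masked, repeating key.
    The parentheses spell out the precedence (& before ^) that the sample's
    one-liner relies on."""
    raw = base64.b64decode(urllib.parse.unquote(data.decode()))
    ks = effective_keystream(key)
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(raw))


def classify(value: str) -> str:
    """Rough triage label for a decoded config field (my own heuristic)."""
    if IPV4_RE.match(value):
        return "ipv4"
    if DOMAIN_RE.match(value):
        return "domain"
    return "other"


def dump_config(blobs, key: bytes) -> list:
    """Decode every blob and pair it with a triage label."""
    out = []
    for blob in blobs:
        value = decrypt(blob, key).decode("latin-1")
        out.append((classify(value), value))
    return out


if __name__ == "__main__":
    for label, value in dump_config(BLOBS, KEY):
        print(f"{label:7s} {value}")
```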
