idiom · August 25, 2016 04:52 · zahiddlopez · Apr 19, 2019
diff --git a/gistfile1.txt b/gistfile1.txt
 |-------------------------------------------------------------------|
 | Quick analysis & decoding of the sample found by @___OD___        |
 | (https://twitter.com/___OD___/status/768097704115331073)          |
 |                                                                   |
 | @seanmw                                                           |
 |-------------------------------------------------------------------|

 Dropper: 8e84a56d5e46c903ece7fbfacd4380fc30933309
 Payload: e1a2f786bfc0c50e9b7858283748d1f7928310d4 

 The payload is contained within the 'explorer' resource of the dropper as an unobfuscated byte array.

 Initial IOCs

 - Software\\Microsoft\\Windows\\CurrentVersion\\Run
   - ExplorerConfig --> ..\\AppData\\explorer.exe
 - hxxps://github[.]com/getlook23/project1/issues/1

 Decoding of data found: hxxps://github[.]com/getlook23/project1/issues/1

 Algo: DES
 Key: 3A&-fg.P
 IV: 3A&-fg.P

 --Decrypted Comments--

 1.  whoami 
 2.  "\r\nUser accounts for \\\\JOHN-PC\r\n\r\n-------------------------------------------------------------------------------\r\nAdministrator            Guest                    John                     \r\nThe command completed successfully.\r\n\r\n----John"
 3.  "\r\nUser accounts for \\\\BEA-CHI-T-7PR01\r\n\r\n-------------------------------------------------------------------------------\r\n5upervisor               Administrator            Guest                    \r\nJohn Doe                 \r\nThe command completed successfully.\r\n\r\n----John Doe"
 4.  "john-pc\\administrator\r\n----Administrator"
 5.  "warzone1\\worker\r\n----worker"
 6.  "win7pro-maltest\\buf\r\n----BUF"
 7.  "anna-pc\\anna\r\n----anna"
 8.  "johnson-pc\\johnson\r\n----Johnson"
 9.  "klone-pc\\admin\r\n----admin"
 10. "john-pc\\john\r\n----John"
 11. "admin-win7\admin\r\n----Admin"
 12. "admin-win7\admin\r\n----Admin"
 13. "admin-win7\admin\r\n----Admin"
 14. "warzone1\worker\r\n----worker"
 15. "warzone1\worker\r\n----worker"
 16. "warzone1\worker\r\n----worker"
 17. "od-sploit\od\r\n----od"
 18. "bea-chi-t-7pr01\john doe\r\n----John Doe"
	\|-------------------------------------------------------------------\|
	\| Quick analysis & decoding of the sample found by @___OD___ \|
	\| (https://twitter.com/___OD___/status/768097704115331073) \|
	\| \|
	\| @seanmw \|
	\|-------------------------------------------------------------------\|

	Dropper: 8e84a56d5e46c903ece7fbfacd4380fc30933309
	Payload: e1a2f786bfc0c50e9b7858283748d1f7928310d4

	The payload is contained within the 'explorer' resource of the dropper as an unobfuscated byte array.

	Initial IOCs

	- Software\\Microsoft\\Windows\\CurrentVersion\\Run
	- ExplorerConfig --> ..\\AppData\\explorer.exe
	- hxxps://github[.]com/getlook23/project1/issues/1

	Decoding of data found: hxxps://github[.]com/getlook23/project1/issues/1

	Algo: DES
	Key: 3A&-fg.P
	IV: 3A&-fg.P

	--Decrypted Comments--

	1. whoami
	2. "\r\nUser accounts for \\\\JOHN-PC\r\n\r\n-------------------------------------------------------------------------------\r\nAdministrator Guest John \r\nThe command completed successfully.\r\n\r\n----John"
	3. "\r\nUser accounts for \\\\BEA-CHI-T-7PR01\r\n\r\n-------------------------------------------------------------------------------\r\n5upervisor Administrator Guest \r\nJohn Doe \r\nThe command completed successfully.\r\n\r\n----John Doe"
	4. "john-pc\\administrator\r\n----Administrator"
	5. "warzone1\\worker\r\n----worker"
	6. "win7pro-maltest\\buf\r\n----BUF"
	7. "anna-pc\\anna\r\n----anna"
	8. "johnson-pc\\johnson\r\n----Johnson"
	9. "klone-pc\\admin\r\n----admin"
	10. "john-pc\\john\r\n----John"
	11. "admin-win7\admin\r\n----Admin"
	12. "admin-win7\admin\r\n----Admin"
	13. "admin-win7\admin\r\n----Admin"
	14. "warzone1\worker\r\n----worker"
	15. "warzone1\worker\r\n----worker"
	16. "warzone1\worker\r\n----worker"
	17. "od-sploit\od\r\n----od"
	18. "bea-chi-t-7pr01\john doe\r\n----John Doe"