#!/bin/bash
# Host indicator sweep: every check() call below runs a read-only inspection
# command and reports DETECTED or PASS for one indicator.
# ANSI colour sequences, stored as literal escapes and rendered by echo -e / printf %b.
readonly GREEN='\033[0;32m'
readonly RED='\033[0;31m'
readonly YELLOW='\033[0;33m'
readonly NC='\033[0m' # reset to the terminal's default colour
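#######################################
# Run one indicator check and print a coloured verdict.
# An indicator is DETECTED only when the command exits 0 AND prints something;
# a non-zero exit or empty output is reported as PASS.  Because stderr is
# discarded, a missing tool (netstat, lsof, npm, pip, ...) also yields empty
# output and therefore shows as PASS: PASS means "this command found nothing",
# not "the tool confirmed the host is clean".
# Globals:   RED, GREEN, YELLOW, NC (read; colour escape sequences)
# Arguments: $1 - label printed before the verdict
#            $2 - shell command string, executed with eval; it must be one of
#                 this script's own literal strings, never user-supplied input
# Outputs:   label, verdict and, when detected, up to 500 characters of the
#            command output on stdout
# Returns:   1 when the indicator was detected, 0 otherwise
#######################################
check() {
  local name="$1"
  local cmd="$2"
  local -r max_details=500
  local output
  printf '%s - ' "$name"
  # eval is intentional: the command strings are constants defined in this file.
  if output=$(eval "$cmd" 2>/dev/null) && [ -n "$output" ]; then
    printf '%bDETECTED%b\n' "$RED" "$NC"
    # %s rather than %b/echo -e: the inspected output is data (process command
    # lines, file paths) and must not be re-interpreted as escape sequences.
    printf ' %bDetails: %s%b\n' "$YELLOW" "${output:0:max_details}" "$NC"
    if [ "${#output}" -gt "$max_details" ]; then
      printf ' %b(Output truncated, showing first %d characters)%b\n' "$YELLOW" "$max_details" "$NC"
    fi
    return 1
  else
    printf '%bPASS%b\n' "$GREEN" "$NC"
    return 0
  fi
}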
# Network indicators taken from the analysed samples, as ERE alternations (dots escaped).
readonly C2_IPS='154\.91\.0\.103|85\.239\.62\.36|85\.239\.60\.213|d\.zcaptcha\.xyz|104\.16\.2\.35|23\.234\.80\.170'
# Ports observed in C2 traffic.  443 and 3306/mysql are also ordinary services, so the
# port-based checks are expected to be noisy: treat a hit as context, not as proof.
readonly C2_PORTS='27017|3306|443|mysql'
# ------------------------------------------------------------------------------------------
printf '\n%b===== NETWORK-BASED INDICATORS =====%b\n' "$YELLOW" "$NC"
# ------------------------------------------------------------------------------------------
printf '%s\n' '-- Active Connections --'
# The command strings are single-quoted here; $C2_IPS / $C2_PORTS are expanded when
# check() evals them, which yields the same regex grep saw before.
# C2 IP connections - direct evidence of communication with the command & control servers identified in the malware
check "[C2_IP_CONNECTIONS]" 'netstat -an | grep -E "$C2_IPS"'
# Malware uses ports 27017/3306 for C2 communication; only established, non-loopback connections are considered
check "[C2_PORT_OUTGOING_CONNECTIONS]" 'netstat -an | grep ESTABLISHED | grep -v "127.0.0.1" | grep -E ":($C2_PORTS)"'
# Node.js used by the malware to establish persistent connections to C2 servers
check "[NODE_MALICIOUS_CONNECTIONS]" 'lsof -i | grep -E "node.*($C2_IPS)"'
# Python used by the malware for additional execution capabilities and C2 communication
check "[PYTHON_MALICIOUS_CONNECTIONS]" 'lsof -i | grep -E "python.*($C2_IPS)"'
# Any process connecting to a C2 IP, regardless of language
check "[ALL_MALICIOUS_CONNECTIONS]" 'lsof -i | grep -E "$C2_IPS"'
# Any non-listening socket whose remote side uses one of the C2 ports
check "[OUTGOING_MALICIOUS_PORT_CONNECTIONS]" 'lsof -i | grep -v LISTEN | grep -E "\->.*:($C2_PORTS)"'
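# ------------------------------------------------------------------------------------------
printf '\n%b===== PROCESS-BASED INDICATORS =====%b\n' "$YELLOW" "$NC"
# ------------------------------------------------------------------------------------------
# The process regexes live in single-quoted variables and are expanded only when check()
# evals the command string, so no shell escaping layer sits between the author and grep.
# The previous double-quoted form had two escaping faults: "$af" was expanded as an (empty)
# shell variable before grep ever saw the pattern, and "{" reached grep as "\\{" (a literal
# backslash followed by "{"), so [OBFUSCATED_NODE_PROCESS] and [SUSPICIOUS_NODE_EVAL]
# could not match the command lines their comments describe.  In an ERE a bare "$" is an
# end-of-line anchor, hence "\$" for a literal dollar sign.
# Malware uses 'global["_V"]' pattern to store version identifier for phoning home
readonly NODE_GLOBAL_RE='node.*global'
# Obfuscation technique using '_$af' prefix for variables to hide functionality
readonly NODE_OBFUSCATED_RE='node.*_\$af[0-9]+'
# Malware uses node -e with various obfuscation techniques and creates detached processes.
# ('\'' closes and reopens the single quotes so the apostrophe in global['_ can be embedded.)
readonly NODE_EVAL_RE='node.*-e.*global\['\''_|node.*-e.*\$af[0-9]|node.*-e.*"|node.*-e.*";.*\{.*detached|node.*-e.*requiresArgv"|node.*-e.*windowsHide'
# Python -c code execution pattern used to run encoded payloads from the C2 server
readonly PYTHON_CODE_RE='python.*-c.*code'
# Malware uses Python subprocess to spawn detached processes for persistence
readonly PYTHON_SUBPROCESS_RE='python.*subprocess'
# os.setsid used by malware to detach processes from the terminal on Unix systems
readonly PYTHON_SETSID_RE='python.*os.setsid'
# "grep -v grep" drops the grep process itself, whose own argument list contains the pattern.
check "[MALICIOUS_NODE_PROCESS]" 'ps aux | grep -E "$NODE_GLOBAL_RE" | grep -v grep'
check "[OBFUSCATED_NODE_PROCESS]" 'ps aux | grep -E "$NODE_OBFUSCATED_RE" | grep -v grep'
check "[SUSPICIOUS_NODE_EVAL]" 'ps aux | grep -E "$NODE_EVAL_RE" | grep -v grep'
check "[MALICIOUS_PYTHON_PROCESS]" 'ps aux | grep -E "$PYTHON_CODE_RE" | grep -v grep'
check "[PYTHON_SUBPROCESS_PROCESS]" 'ps aux | grep -E "$PYTHON_SUBPROCESS_RE" | grep -v grep'
check "[DETACHED_PYTHON_PROCESS]" 'ps aux | grep -E "$PYTHON_SETSID_RE" | grep -v grep'
# The user may have manually executed commands contacting the C2 servers
check "[SUSPICIOUS_COMMANDS_HISTORY]" 'grep -E "$C2_IPS" ~/.*_history 2>/dev/null'
check "[SUSPICIOUS_GGLAB_REPO]" 'grep -E gglab ~/.*_history 2>/dev/null'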
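printf '\n%b===== PACKAGE MANAGEMENT INDICATORS =====%b\n' "$YELLOW" "$NC"
# Malware installs these npm packages for network communication capabilities.
# npm prints the global root (and "(empty)") even when nothing matches, so the listing is
# filtered by package name: only a line naming one of the two packages counts as a hit.
check "[SUSPICIOUS_NPM_INSTALLS]" 'npm list -g socket.io-client axios 2>/dev/null | grep -E "socket\.io-client|axios"'
# Suspicious Python package locations matching the malware's installation paths.
# The presence check on urllib3/requests is only a gate (both packages are ubiquitous);
# the signal is the install location.  A legitimately installed pyenv also lives under
# ~/.pyenv, so a hit here should be corroborated by the other indicators.
readonly PIP_PRESENCE_RE='urllib3|requests'
readonly PIP_LOCATION_RE='Location.*(\.pyenv|Python3127)'
check "[SUSPICIOUS_PIP_INSTALLS]" 'pip list 2>/dev/null | grep -E "$PIP_PRESENCE_RE" && pip show urllib3 requests 2>/dev/null | grep -E "$PIP_LOCATION_RE"'
check "[SUSPICIOUS_PIP3_INSTALLS]" 'pip3 list 2>/dev/null | grep -E "$PIP_PRESENCE_RE" && pip3 show urllib3 requests 2>/dev/null | grep -E "$PIP_LOCATION_RE"'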
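# ------------------------------------------------------------------------------------------
printf '\n%b===== FILE-BASED INDICATORS =====%b\n' "$YELLOW" "$NC"
# ------------------------------------------------------------------------------------------
printf '%s\n' '- Hidden Directories --'
# Hidden .node_modules directory in the home folder used for malware persistence
check "[HIDDEN_NODE_MODULES]" 'ls -la ~/.node_modules 2>/dev/null'
# Malware creates a hidden .pyenv directory for its custom Python installation.
# The legitimate pyenv tool also installs under ~/.pyenv; corroborate with the package
# and file-content indicators before treating this alone as evidence.
check "[HIDDEN_PYENV_DIR]" 'ls -la ~/.pyenv 2>/dev/null'
printf '\n%s\n' '-- Suspicious Files --'
# Malware like this can use the Pyzipper python module (suspicious package).
# Every pip-like executable on the usual install paths and on $PATH is asked for pyzipper.
# $PATH is split on ":" into an array (entries may contain spaces) and find's output is
# read NUL-delimited, so paths with whitespace survive the loop.  -type f does not follow
# symlinks, so a pip that is only a symlink is skipped (as before).
IFS=: read -r -a path_dirs <<<"$PATH"
seen_pips=
while IFS= read -r -d '' pip; do
  [[ -x "$pip" ]] || continue
  # The same directory is often listed twice (explicitly and via $PATH); query each pip once.
  case ":${seen_pips}:" in *":${pip}:"*) continue ;; esac
  seen_pips="${seen_pips}:${pip}"
  # check() evals its command string, so the path is shell-quoted before it is embedded.
  printf -v pip_quoted '%q' "$pip"
  check "[PYZIPPER_INSTALLED - $pip]" "$pip_quoted show pyzipper"
done < <(find /usr/local/bin /usr/bin /opt/homebrew/bin ~/.local/bin "${path_dirs[@]}" -type f -name 'pip*' -print0 2>/dev/null)
# Malware downloads these zip files for installing its custom Python
check "[MALICIOUS_ZIP_FILES]" 'find ~ -name python.zip -o -name python.7z -o -name pyenv.zip 2>/dev/null'
# 7zr.exe used by the Windows variant to extract the malicious Python
check "[SUSPICIOUS_EXECUTABLE_FILES]" 'find ~ -name 7zr.exe 2>/dev/null'
# get-pip.py downloaded by the malware to install pip in the custom Python environment
check "[SUSPICIOUS_PIP_INSTALLER]" 'find /tmp ~ -name get-pip.py 2>/dev/null'
# Malware installs these npm modules in non-standard locations.
# find's implicit -and binds tighter than -o, so the two -path alternatives are grouped;
# without the parentheses the -not -path exclusion applied only to the axios branch.
check "[SUSPICIOUS_NPM_MODULES]" 'find ~ \( -path "*/node_modules/socket.io-client" -o -path "*/node_modules/axios" \) -not -path "*/node_project*/node_modules/*" 2>/dev/null'
printf '\n%s\n' '-- File Content Analysis --'
# XOR decryption key used by the malware for Python payloads (a fixed string, hence -F).
# ~ already covers ~/.pyenv, so it is not searched a second time.
readonly PYTHON_XOR_KEY='9KyASt+7D0mjPHFY'
check "[MALICIOUS_PYTHON_XOR_KEY]" 'grep -rF "$PYTHON_XOR_KEY" --include="*.py" /tmp ~ 2>/dev/null'
# XOR decryption key used by the malware for Node.js payloads
readonly NODE_XOR_KEY='hk7#cH%v806Q/GH'
check "[MALICIOUS_NODE_XOR_KEY]" 'grep -rF "$NODE_XOR_KEY" --include="*.js" ~ 2>/dev/null'
# Obfuscation pattern in JavaScript files indicating malware presence.
# ERE in a single-quoted variable: "\$" is a literal dollar sign (a bare "$" would be an
# end-of-line anchor) and nothing is re-escaped before grep sees it.
readonly JS_OBFUSCATION_RE='_\$af[0-9]+'
check "[OBFUSCATED_JS_CODE]" 'grep -rE "$JS_OBFUSCATION_RE" --include="*.js" ~ 2>/dev/null'
# Global version variable set in JavaScript files used by the malware for tracking
readonly JS_GLOBAL_VERSION="global['_V']"
check "[SUSPICIOUS_JS_EVAL]" 'grep -rF "$JS_GLOBAL_VERSION" --include="*.js" ~ 2>/dev/null'
# Malware installs Python scripts in specific locations with timestamp patterns in filenames.
# The -path alternatives are grouped so that -mtime -7 applies to all three; previously it
# constrained only the last one.
check "[RECENTLY_MODIFIED_PYTHON]" 'find ~ \( -path "*/Temp/tmp*.py" -o -path "*/tmp/get-pip.py" -o -path "*/.pyenv/*/tmp*.py" \) -mtime -7 2>/dev/null'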