Scripts and References for Snake Malware
Registry blob:
Invoke-AtomicTest T1112 -TestNumbers 56
queue file:
Invoke-AtomicTest T1027 -TestNumbers 9
comadmin:
Invoke-AtomicTest T1547.006 -TestNumbers 4
werfault:
Invoke-AtomicTest T1569.002 -TestNumbers 6
Here's a one-liner that creates an example registry key with a value that meets the criteria (0x1000 bytes in size and entropy of at least 7.9). This example key can be used for testing purposes.
New-Item -Path "HKCU:\Software\TestRegBlob" -Force; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); Set-ItemProperty -Path "HKCU:\Software\TestRegBlob" -Name "Example (RegBlob)" -Value $randomBytes -Type Binary
This one-liner creates a new registry key at "HKEY_CURRENT_USER\Software\TestRegBlob" and sets a REG_BINARY value named "Example (RegBlob)" holding 0x1000 random bytes. You can use this to test the detection script.
Please note that creating registry keys can have unintended side effects. Always be cautious when modifying the registry and make sure you understand the implications. When you are done testing, you can remove the test key using the following one-liner:
Remove-Item -Path "HKCU:\Software\TestRegBlob" -Recurse -Force
This one-liner will delete the "HKEY_CURRENT_USER\Software\TestRegBlob" registry key along with its values.
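Added example, not the page's find_regblob.ps1 and not Atomic Red Team code: two PowerShell functions (the names Get-ShannonEntropy and Test-RegBlobValue are mine) that apply the criteria stated above, at least 0x1000 bytes and Shannon entropy of at least 7.9, to one named registry value. Reading either location needs no elevation, so this can confirm the test value before the full registry scan is run.

```powershell
# Added example: verify a single registry value against the RegBlob criteria
# (size >= 0x1000 bytes, Shannon entropy >= 7.9). Function names are hypothetical.

function Get-ShannonEntropy {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    # Histogram of byte values, then H = -sum(p * log2 p) over the 256 bins.
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    $len = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $len
            $entropy -= $p * [math]::Log($p, 2)
        }
    }
    return $entropy
}

function Test-RegBlobValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [int]$MinSize = 0x1000,
        [double]$MinEntropy = 7.9
    )
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }          # key or value does not exist
    $data = $item.$Name
    if ($data -isnot [byte[]]) { return $null }    # only REG_BINARY values qualify
    $entropy = Get-ShannonEntropy -Bytes $data
    [pscustomobject]@{
        Path    = $Path
        Name    = $Name
        Size    = $data.Length
        Entropy = [math]::Round($entropy, 3)
        Match   = ($data.Length -ge $MinSize -and $entropy -ge $MinEntropy)
    }
}

# Check the typical Snake location first, then the HKCU test key created above.
Test-RegBlobValue -Path 'HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds' -Name 'AtomicSnake'
Test-RegBlobValue -Path 'HKCU:\Software\TestRegBlob' -Name 'Example (RegBlob)'
```

For 0x1000 uniformly random bytes the measured entropy lands a little above 7.95, so the 7.9 threshold is met with some margin; a structured or partly repeated blob of the same size will fall well below it, which is the point of the criterion.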
This is the registry location Snake used; the one-liner writes a test value there (it targets HKLM, so run it from an elevated prompt):
$typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); New-ItemProperty -Path $typicalPath -Name "AtomicSnake" -Value $randomBytes -PropertyType Binary -Force | Out-Null
To delete it:
$typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemProperty -Path $typicalPath -Name "AtomicSnake" -ErrorAction SilentlyContinue | Out-Null
Example output of find_regblob.ps1 when it finds a matching value:
PS > .\find_regblob.ps1
Checking typical path: HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds
Not found at typical path, scanning the full registry...
Searching in hive: HKLM:
Searching in hive: HKCU:
Found matching registry value:
Searching in hive: HKCR:
Searching in hive: HKU:
Searching in hive: HKCC:
Time taken for the scan: 00:04:30.2056325
Path Name Value
---- ---- -----
Example (RegBlob) {88, 244, 118, 249...}
Queue file one-liner (creates a hidden, system file named <guid>.<guid>.crmlog under %windir%\registration):
$randomGuid = [guid]::NewGuid().ToString(); $fileName = "$randomGuid.$randomGuid.crmlog"; $filePath = "$env:windir\registration\"; $fullPath = Join-Path $filePath $fileName; New-Item -Path $fullPath -ItemType File -Force | ForEach-Object { $_.Attributes = "Hidden, System, Archive"; Write-Host "File created: $($_.FullName)" }
comadmin example file (writes 0x1000 random bytes to %windir%\system32\Com\comadmin.dat):
$examplePath = Join-Path $env:windir "system32\Com"; if (-not (Test-Path $examplePath)) { New-Item -ItemType Directory -Path $examplePath | Out-Null }; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); [System.IO.File]::WriteAllBytes($exampleFullPath, $randomBytes)
To delete it:
$examplePath = Join-Path $env:windir "system32\Com"; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; if (Test-Path $exampleFullPath) { Remove-Item $exampleFullPath -Force }
werfault service (New-Service):
New-Service -Name "WerFaultSvc" -BinaryPathName "$env:windir\WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe" -DisplayName "WerFault Service" -Description "Example Snake-like service" -StartupType Automatic
Equivalent with sc.exe:
sc.exe create "WerFaultSvc" binPath= "$env:windir\WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe" DisplayName= "WerFault Service" start= auto
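Added example, not part of the page or of the Atomic tests: defender-side PowerShell checks (the function names Find-SnakeQueueFile, Test-ComadminDat and Get-WerFaultSvc are mine) that look for the three artifacts the one-liners above create: the <guid>.<guid>.crmlog queue file, system32\Com\comadmin.dat, and a service named WerFaultSvc. Each returns nothing when its artifact is absent, so the same checks confirm both setup and cleanup.

```powershell
# Added example: locate the queue-file, comadmin.dat and WerFaultSvc test artifacts
# created by the one-liners above. Function names are hypothetical.

# Queue file: %windir%\registration\<guid>.<guid>.crmlog, created Hidden+System.
function Find-SnakeQueueFile {
    $dir = Join-Path $env:windir 'registration'
    if (-not (Test-Path -LiteralPath $dir)) { return @() }
    $guid = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    # -Force is required; without it hidden/system files are skipped.
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match "^$guid\.$guid\.crmlog$" } |
        ForEach-Object {
            [pscustomobject]@{
                FullName      = $_.FullName
                Length        = $_.Length
                Hidden        = $_.Attributes.HasFlag([IO.FileAttributes]::Hidden)
                System        = $_.Attributes.HasFlag([IO.FileAttributes]::System)
                LastWriteTime = $_.LastWriteTime
            }
        }
}

# comadmin.dat: report size and timestamps if the file exists at the test location.
function Test-ComadminDat {
    $path = Join-Path $env:windir 'system32\Com\comadmin.dat'
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $f = Get-Item -LiteralPath $path -Force
    [pscustomobject]@{
        FullName      = $f.FullName
        Length        = $f.Length
        CreationTime  = $f.CreationTime
        LastWriteTime = $f.LastWriteTime
    }
}

# WerFaultSvc: the service name used above; also flag a binary path under WinSxS,
# which is where the example points WerFault.exe.
function Get-WerFaultSvc {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WerFaultSvc'"
    if ($null -eq $svc) { return $null }
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        PathName    = $svc.PathName
        StartMode   = $svc.StartMode
        State       = $svc.State
        InWinSxS    = ($svc.PathName -like '*\WinSxS\*')
    }
}

Find-SnakeQueueFile
Test-ComadminDat
Get-WerFaultSvc
```

Run it once after the setup one-liners (all three should report the artifact) and once after cleanup (all three should print nothing); note that the service created with New-Service or sc.exe is not removed by any of the delete one-liners on this page.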