README.md
iocs.csv
kb_c2Decode.py
kb_configDecode.py
keyboy.yar
misp.json
openioc.ioc
stix.xml

KeyBoy IOCs

This directory contains IOCs from the Citizen Lab report "It's Parliamentary: KeyBoy and the targeting of the Tibetan Community", published on 17 November 2016.

Files included in this directory:

  • openioc.ioc : IOCs in OpenIOC format
  • stix.xml : IOCs in STIX XML format
  • iocs.csv : IOCs in CSV format
  • keyboy.yar : YARA rules related to the KeyBoy samples identified
  • kb_c2Decode.py : script to decode KeyBoy C2 communications (see help hereafter)
  • kb_configDecode.py : script to decode KeyBoy configuration (see help hereafter)

kb_c2Decode.py

Help:

$ python kb_c2Decode.py -h
usage: kb_c2Decode.py [-h] (-k KEY | -b BINARY) [--verbose] PCAPF

Decode KeyBoy C2 traffic from pcap file

positional arguments:
  PCAPF                 PCAP File containing c2 traffic

optional arguments:
  -h, --help            show this help message and exit
  -k KEY, --key KEY     Manually provide C2 decode key
  -b BINARY, --binary BINARY
                        KeyBoy binary
  --verbose, -v         Enable verbose output

Example:

$ python kb_c2Decode.py -b wab32res.dll dump.pcap
============================
{KeyBoy C2 Traffic decoder}
============================

Found constant: 0x71
Computing decode value...
Found decoding multiplier (inverse): 0x91
Searching PCAP for RAW TCP packets and decoding...

*a*
HOME-PC
192.168.100.103
MyUser
2016/06/03 00:24:20
20151108
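The decoder output above reports a constant of 0x71 and a "decoding multiplier (inverse)" of 0x91. These two values are multiplicative inverses modulo 256 (0x71 * 0x91 = 0x4001, which is 1 mod 256), so the "Computing decode value..." step is a modular inverse computation. The following added example, which is not part of the KeyBoy IOC tooling, computes that inverse for any odd byte constant with the extended Euclidean algorithm and checks it against the values printed above. The byte-wise multiply transform it uses to demonstrate the round trip is an illustration of why an inverse is needed, not a claim about the full KeyBoy encoding scheme; the sample input is constructed.

```python
"""Modular inverse of a single-byte constant, as reported by kb_c2Decode.py.

Added illustration, not part of the KeyBoy IOC tooling. The only facts taken
from the README are the two values it prints: constant 0x71, inverse 0x91.
"""


def byte_mod_inverse(c: int) -> int:
    """Return d such that (c * d) % 256 == 1, via the extended Euclidean algorithm.

    Only odd constants are invertible modulo 256 (gcd(c, 256) must be 1), so an
    even constant cannot serve as a multiplicative decode key and is rejected.
    """
    if not 0 <= c < 256:
        raise ValueError("constant must be a single byte")
    if c % 2 == 0:
        raise ValueError("even constants have no inverse modulo 256")
    old_r, r = c, 256      # remainders
    old_s, s = 1, 0        # Bezout coefficients for c
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    # old_r is now gcd(c, 256) == 1 and old_s satisfies c * old_s == 1 (mod 256)
    return old_s % 256


def multiply_bytes(data: bytes, k: int) -> bytes:
    """Byte-wise multiplication modulo 256 (assumed illustrative transform)."""
    return bytes((b * k) & 0xFF for b in data)


def roundtrip(data: bytes, c: int) -> bytes:
    """Apply the multiply-by-constant transform, then undo it with the inverse."""
    d = byte_mod_inverse(c)
    return multiply_bytes(multiply_bytes(data, c), d)


if __name__ == "__main__":
    inv = byte_mod_inverse(0x71)
    print(f"inverse of 0x71 mod 256 = 0x{inv:02x}")
    # Constructed sample, mirroring the hostname field shown in the README output.
    sample = b"HOME-PC"
    print(roundtrip(sample, 0x71))
```

The check that matters when validating a recovered key is the gcd condition: a candidate constant that is even can never have been used as a multiplicative key modulo 256, so a decoder that finds one should report an extraction error rather than continue.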

kb_configDecode.py

Help:

$ python kb_configDecode.py -h
usage: kb_configDecode.py [-h] [--verbose] [--skip SKIP] FILE

Decode KeyBoy backdoor configuration files

positional arguments:
  FILE                  KeyBoy encoded config file

optional arguments:
  -h, --help            show this help message and exit
  --verbose, -v         Enable verbose output
  --skip SKIP, -s SKIP  Skip over <SKIP> bytes at beginning of file

Example:

$ python kb_configDecode.py cfs.dat
============================
{KeyBoy Config file Decoder}
============================

Configuration Data:
==============================
Identity Code:  9876543210
C2 Host/IP #1:  103.242.134.243
C2 Host/IP #2:  103.242.134.243
C2 Host/IP #3:  103.242.134.243
C2 Port #1: 443
C2 Port #2: 1234
C2 Port #3: 1234
Password:   password8888
Campaign ID:    MyUser