# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
from lib.cuckoo.common.abstracts import Signature
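class MailStealer(Signature):
    """Flag samples that touch the credential stores of local mail clients.

    The signature matches registry keys and file paths that the sandboxed
    sample opened, probed or enumerated, against the per-client patterns
    below, and records every hit as an IOC (``"registry"`` or ``"file"``).

    All patterns are written as raw strings: a single ``\\\\`` in the pattern
    source is one escaped backslash for the regex engine, and ``\\.`` / ``\\ ``
    are escaped literals rather than (invalid) Python string escapes.

    Note: the original ``regkeys_re`` list was missing the comma after the
    IncrediMail entry, so Python silently concatenated it with the
    following ``The Bat!`` pattern into one expression that could match
    neither client. Each entry is now its own pattern.
    """
    name = "infostealer_mail"
    description = "Harvests credentials from local email clients"
    severity = 3
    categories = ["infostealer"]
    authors = ["Cuckoo Technologies"]
    minimum = "2.0"
    ttp = ["T1081", "T1003", "T1005"]

    # Registry locations where mail clients keep account settings and
    # stored credentials. Matched with regex=True, so ".*" prefixes absorb
    # the hive and (Wow6432Node\\)? covers 32-bit views on 64-bit Windows.
    regkeys_re = [
        r".*\\Software\\(Wow6432Node\\)?IncrediMail",
        r".*\\RIT\\The\ Bat\!",
        r".*\\Microsoft\\Internet\ Account\ Manager\\Accounts",
        r".*\\Software\\Microsoft\\Windows\ Mail",
        r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\ Live\ Mail",
        r".*\\Microsoft\\Windows\ Messaging\ Subsystem\\MSMapiApps",
        r".*\\Microsoft\\Windows\ Messaging\ Subsystem\\Profiles.*",
        r".*\\Software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\ Messaging\ Subsystem",
        r".*\\Software\\Microsoft\\Internet\ Account\ Manager",
        r".*\\Software\\Microsoft\\Office\\Outlook\\OMI\ Account\ Manager",
        r".*\\Software\\RimArts\\B2\\Settings",
        r".*\\Software\\Poco\ Systems\ Inc",
        r".*\\Software\\Mozilla\\Mozilla\ Thunderbird",
        r".*\\Software\\(Wow6432Node\\)?Clients\\Mail",
        r".*\\Microsoft\\Office\\.*\\Outlook\\Profiles\\Outlook",
        # Not strictly a mail client, but kept in this signature's set.
        r".*\\Software\\Google\\Google\ Talk",
    ]

    # Profile directories and mailbox/account files of mail clients; a few
    # IM and FTP client profile directories (ICQ, Miranda, SmartFTP, QIP)
    # are matched here as well.
    files_re = [
        r".*\\The\ Bat!\\",
        r".*\\ICQ\\",
        r".*\\Miranda\\",
        r".*\\SmartFTP\\",
        r".*\\QIP\\",
        r".*\.pst$",
        r".*\\Microsoft\\Windows\ Live\ Mail.*",
        r".*\\Microsoft\\Address\ Book\\.*\.wab$",
        r".*\\Microsoft\\Outlook\ Express\\.*\.dbx$",
        r".*\\Foxmail\\mail\\.*\\Account\.stg$",
        r".*\\Foxmail.*\\Accounts\.tdat$",
        r".*\\Thunderbird\\Profiles\\.*\.default$",
        r".*\\AppData\\Roaming\\Thunderbird\\profiles.ini$",
    ]

    # File events considered when matching files_re. Failed opens and
    # directory enumeration are included because probing for a client's
    # profile is itself a signal, not only a successful read.
    # To be replaced by a check_file(dirs=True) whenever we can do that in a
    # backwards compatible way. Even better if we can provide an ioc=True to
    # check_file() etc functions to return the IOC type for each result.
    file_actions = [
        "file_opened", "file_exists", "file_failed", "directory_enumerated",
    ]

    def on_complete(self):
        """Match recorded file and registry activity against the patterns.

        Every file path matching an entry of ``files_re`` is marked as a
        ``"file"`` IOC, and the registry key matching each entry of
        ``regkeys_re`` is marked as a ``"registry"`` IOC.

        Returns:
            The result of ``self.has_marks()``, i.e. whether at least one
            IOC was recorded.
        """
        for indicator in self.files_re:
            # all=True: record every matching path, not just the first.
            for filepath in self.check_file(pattern=indicator, regex=True, all=True):
                self.mark_ioc("file", filepath)

        for indicator in self.regkeys_re:
            # NOTE(review): unlike the file loop above, this records only the
            # first key matching each pattern; pass all=True here too if
            # check_key() supports it in the targeted Cuckoo version.
            registry = self.check_key(pattern=indicator, regex=True)
            if registry:
                self.mark_ioc("registry", registry)

        return self.has_marks()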