Kimsuky-PS-Backdoor: Kimsuky PowerShell Backdoor Analysis
Contents
Credits: https://twitter.com/asdasd13asbz/status/1763068671428383152
Commands (C2 opcodes, listed below as a `_OP_CODE : ushort` enum; the `#` comments describe the request/response each value carries, with `OP_REQ_*` sent by the server and `OP_RES_*` returned by the client):
public enum _OP_CODE : ushort { OP_UNIQ_ID = 0x401, #Check-In Unique ID - Sent with first packet from Client OP_REQ_DRIVE_LIST = 0x402, # Request from Server for logical drive info OP_RES_DRIVE_LIST = 0x403, # Response from client with logical drive info OP_REQ_PATH_LIST = 0x404, # Request from Server for list of dir & files from path OP_RES_PATH_LIST = 0x405, # Response from client with list of dir, files from path OP_REQ_PATH_DOWNLOAD = 0x406, # Request from server to exfiltrate file/dir to the C2 - arg: file/dir_path;c2_url OP_RES_PATH_DOWNLOAD = 0x407, # Response from client once the file/dir (ZIP + b64 encoded) is exfiltrated to C2 OP_REQ_PATH_DELETE = 0x408, # Request from server to delete dir/file - arg:path OP_RES_PATH_DELETE = 0x409, # Response from client after deleting dir/file OP_REQ_FILE_UPLOAD = 0x40A, # Request from server to upload file on the machine OP_RES_FILE_UPLOAD = 0x40B, # Response from client once the uploaded …
Commands (C2 opcodes, listed below as a `_OP_CODE : ushort` enum; the `#` comments describe the request/response each value carries, with `OP_REQ_*` sent by the server and `OP_RES_*` returned by the client):
public enum _OP_CODE : ushort { OP_UNIQ_ID = 0x401, #Check-In Unique ID - Sent with first packet from Client OP_REQ_DRIVE_LIST = 0x402, # Request from Server for logical drive info OP_RES_DRIVE_LIST = 0x403, # Response from client with logical drive info OP_REQ_PATH_LIST = 0x404, # Request from Server for list of dir & files from path OP_RES_PATH_LIST = 0x405, # Response from client with list of dir, files from path OP_REQ_PATH_DOWNLOAD = 0x406, # Request from server to exfiltrate file/dir to the C2 - arg: file/dir_path;c2_url OP_RES_PATH_DOWNLOAD = 0x407, # Response from client once the file/dir (ZIP + b64 encoded) is exfiltrated to C2 OP_REQ_PATH_DELETE = 0x408, # Request from server to delete dir/file - arg:path OP_RES_PATH_DELETE = 0x409, # Response from client after deleting dir/file OP_REQ_FILE_UPLOAD = 0x40A, # Request from server to upload file on the machine OP_RES_FILE_UPLOAD = 0x40B, # Response from client once the uploaded …