Ankur Tyagi 7h3rAm
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys | |
| import re | |
| import datetime, time | |
| import argparse | |
| import nids | |
| end_states = (nids.NIDS_CLOSE, nids.NIDS_TIMEOUT, nids.NIDS_RESET) |
7h3rAm
/ gist:350463abeeb1edc85ee2
Created
October 4, 2014 17:45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Verifying that +7h3ram is my Bitcoin username. You can send me #bitcoin here: https://onename.io/7h3ram |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import datetime, re, difflib | |
| def k10(stack): | |
| if len(stack) <= 1: | |
| return | |
| checkHashes, checkDuplicates, checkDelta, checkName = True, True, True, True | |
| score, dCount, fCount, deltaScore, fnameScore, chainAverage = 65, 0, 0, 0, 0, 0 | |
| duplicates, dChain, fChain, features = [], [], [], [ 'valid_filenames' ] |
7h3rAm
/ dga_banjori.py
Created
May 19, 2015 09:32
DGA of Banjori - http://johannesbader.ch/2015/02/the-dga-of-banjori/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def map_to_lowercase_letter(s): | |
| return ord('a') + ((s - ord('a')) % 26) | |
| def next_domain(domain): | |
| dl = [ord(x) for x in list(domain)] | |
| dl[0] = map_to_lowercase_letter(dl[0] + dl[3]) | |
| dl[1] = map_to_lowercase_letter(dl[0] + 2*dl[1]) | |
| dl[2] = map_to_lowercase_letter(dl[0] + dl[2] - 1) | |
| dl[3] = map_to_lowercase_letter(dl[1] + dl[2] + dl[3]) | |
| return ''.join([chr(x) for x in dl]) |
7h3rAm
/ dga_shiotob.py
Last active
August 29, 2015 14:21
— forked from baderj/gist:a407613245f1c74022e8
DGA of Shiotob - http://johannesbader.ch/2015/01/the-dga-of-shiotob/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| """ | |
| Shiotob DGA | |
| Generates domains for the Shiotob malware | |
| - top level domains alternate between '.net' and '.com' | |
| - domains are between 14 and 19 characters long | |
| - domains consist of all letters and digits 123945 |
7h3rAm
/ dga.py
Last active
August 29, 2015 14:21
— forked from baderj/dga.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| generate domains according to: | |
| - https://www.endgame.com/blog/malware-with-a-personal-touch.html | |
| - http://www.rsaconference.com/writable/presentations/file_upload/br-r01-end-to-end-analysis-of-a-domain-generating-algorithm-malware-family.pdf | |
| requires words1.txt and words2.txt | |
| """ | |
| import time | |
| from datetime import datetime | |
| import argparse |
7h3rAm
/ dga_symmi.py
Last active
August 29, 2015 14:21
— forked from baderj/dga_symmi.py
DGA of symmi - http://johannesbader.ch/2015/01/the-dga-of-symmi/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| from datetime import datetime | |
| seed_const = 42 | |
| days_period = 16 | |
| nr_of_domains = 64 | |
| third_lvl_min_len = 8 | |
| third_lvl_max_len = 15 | |
| class Rand: |
7h3rAm
/ dga_shiz.py
Last active
August 29, 2015 14:21
— forked from baderj/dga_shiz.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| def get_domains(nr, how_many): | |
| bases = { | |
| 1: { | |
| 'length': 7, | |
| 'tld': 'com', | |
| 'key': '1676d5775e05c50b46baa5579d4fc7', | |
| 'base': 0x45AE94B2 | |
| }, |
7h3rAm
/ dga_newGOZ.py
Created
May 19, 2015 09:16
DGA of Zeus Gameover Variant - newGOZ - http://www.johannesbader.ch/2014/12/the-dga-of-newgoz/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import hashlib | |
| from datetime import datetime, timedelta | |
| import struct | |
| import argparse | |
| def get_seed(seq_nr, date): | |
| key = "\x01\x05\x19\x35" | |
| seq_nr = struct.pack('<I', seq_nr) | |
| year = struct.pack('<H', date.year) | |
| month = struct.pack('<H', date.month) |
7h3rAm
/ dga_ramnit.py
Last active
August 29, 2015 14:21
DGA of Ramnit - http://johannesbader.ch/2014/12/the-dga-of-ramnit/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| class RandInt: | |
| def __init__(self, seed): | |
| self.seed = seed | |
| def rand_int_modulus(self, modulus): | |
| ix = self.seed | |
| ix = 16807*(ix % 127773) - 2836*(ix / 127773) & 0xFFFFFFFF |
OlderNewer