
Michael Gillespie (Demonslay335)

  • Facet Technologies, Inc.
  • United States
@Demonslay335
Demonslay335 / notes.txt
Last active Feb 29, 2020
Makop Ransomware Notes
View notes.txt
Sample:
fe52d906fa596e7ae16633074ff7178b3ac40e26a93f0009f1b33d5cbf219e91
Strings and config encrypted with a static AES-256 key, stored as a CryptoAPI PLAINTEXTKEYBLOB (bType 0x08, ALG_ID 0x6610 = CALG_AES_256, 32-byte key after the 12-byte header):
08 02 00 00 10 66 00 00 20 00 00 00 5D 1D E0 32 A9 6D E4 05 A5 5B 12 E1 1F B9 03 A1 CF 2D F8 5A 29 87 78 4D EC 28 61 C1 13 96 FA 15
Decrypted RSA-1024 public key, a CryptoAPI PUBLICKEYBLOB (bType 0x06, ALG_ID 0xA400 = CALG_RSA_KEYX, RSAPUBKEY magic "RSA1", bitlen 1024, public exponent 65537, then the 128-byte modulus little-endian):
06 02 00 00 00 A4 00 00 52 53 41 31 00 04 00 00 01 00 01 00 F1 D1 12 AA DF 72 34 19 DC A4 6E 18 07 15 67 9F F2 6F 4F 03 A7 61 5B 97 C5 6C 20 13 21 A7 40 24 48 91 8D 47 32 81 9B 14 D4 82 0F AF 8A F8 EC 66 8E 87 26 CD 15 37 FC 03 8D 10 BB 90 6D 1D D0 A6 41 A4 B2 60 5F 60 46 45 4C 70 44 20 54 90 C0 D9 4D F6 B2 90 33 BF 78 51 AC E5 76 F6 EB 9C CF 83 A3 21 DD F8 B9 46 67 8B 7A 04 71 54 FD D7 1B 17 DE 39 7A 70 D6 04 AE AD AF 38 B8 1C B8 73 5D A6
Targeted extensions:
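Both blobs above are Microsoft CryptoAPI key blobs (the format CryptImportKey consumes), which is why they start with the same 8-byte BLOBHEADER. The parser below is an added example, not code from the gist: it decodes the two blobs exactly as printed above into the AES key and the RSA (e, n) pair, and wraps the public key as a PKCS#1 DER structure so it can be inspected with standard tools. The constant names are those of wincrypt.h; nothing about Makop beyond the two blobs is assumed, and because the notes do not state the AES mode or IV no decryption is attempted.

```python
import struct

# Constants from wincrypt.h
PLAINTEXTKEYBLOB = 0x08         # BLOBHEADER.bType: raw symmetric key follows
PUBLICKEYBLOB = 0x06            # BLOBHEADER.bType: RSAPUBKEY + modulus follow
CUR_BLOB_VERSION = 0x02
CALG_AES_256 = 0x6610
CALG_RSA_KEYX = 0xA400
RSA1_MAGIC = 0x31415352         # RSAPUBKEY.magic, the ASCII "RSA1"

# The two blobs exactly as listed in the notes above
MAKOP_AES_BLOB = bytes.fromhex(
    "08 02 00 00 10 66 00 00 20 00 00 00 "
    "5D 1D E0 32 A9 6D E4 05 A5 5B 12 E1 1F B9 03 A1 "
    "CF 2D F8 5A 29 87 78 4D EC 28 61 C1 13 96 FA 15"
)
MAKOP_RSA_BLOB = bytes.fromhex(
    "06 02 00 00 00 A4 00 00 52 53 41 31 00 04 00 00 01 00 01 00 "
    "F1 D1 12 AA DF 72 34 19 DC A4 6E 18 07 15 67 9F "
    "F2 6F 4F 03 A7 61 5B 97 C5 6C 20 13 21 A7 40 24 "
    "48 91 8D 47 32 81 9B 14 D4 82 0F AF 8A F8 EC 66 "
    "8E 87 26 CD 15 37 FC 03 8D 10 BB 90 6D 1D D0 A6 "
    "41 A4 B2 60 5F 60 46 45 4C 70 44 20 54 90 C0 D9 "
    "4D F6 B2 90 33 BF 78 51 AC E5 76 F6 EB 9C CF 83 "
    "A3 21 DD F8 B9 46 67 8B 7A 04 71 54 FD D7 1B 17 "
    "DE 39 7A 70 D6 04 AE AD AF 38 B8 1C B8 73 5D A6"
)

def parse_blobheader(blob):
    """BLOBHEADER = bType(1) bVersion(1) reserved(2) aiKeyAlg(4, little-endian)."""
    if len(blob) < 8:
        raise ValueError("shorter than a BLOBHEADER")
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if bversion != CUR_BLOB_VERSION:
        raise ValueError("unexpected bVersion 0x%02x" % bversion)
    return btype, alg

def parse_plaintextkeyblob(blob):
    """PLAINTEXTKEYBLOB = BLOBHEADER, DWORD cbKeySize, key bytes. Returns (alg_id, key)."""
    btype, alg = parse_blobheader(blob)
    if btype != PLAINTEXTKEYBLOB:
        raise ValueError("bType 0x%02x is not PLAINTEXTKEYBLOB" % btype)
    (keylen,) = struct.unpack_from("<I", blob, 8)
    key = blob[12:12 + keylen]
    if len(key) != keylen:
        raise ValueError("blob truncated: %d of %d key bytes" % (len(key), keylen))
    return alg, key

def parse_rsa_publickeyblob(blob):
    """PUBLICKEYBLOB = BLOBHEADER, RSAPUBKEY{magic, bitlen, pubexp}, modulus (little-endian).
    Returns (alg_id, bitlen, e, n) with n as an int."""
    btype, alg = parse_blobheader(blob)
    if btype != PUBLICKEYBLOB:
        raise ValueError("bType 0x%02x is not PUBLICKEYBLOB" % btype)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError("RSAPUBKEY magic 0x%08x is not RSA1" % magic)
    modulus = blob[20:20 + bitlen // 8]
    if len(modulus) != bitlen // 8:
        raise ValueError("blob truncated: modulus needs %d bytes" % (bitlen // 8))
    return alg, bitlen, pubexp, int.from_bytes(modulus, "little")

# Minimal DER so the key can be handed to OpenSSL or a Python RSA library
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                 # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b

def rsa_public_to_der(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body
```

Writing the bytes returned by `rsa_public_to_der(n, e)` to a file and running `openssl rsa -RSAPublicKey_in -inform DER -in makop_pub.der -text -noout` prints the same modulus and exponent, a quick cross-check that the little-endian conversion was done correctly.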
View FixProfile.bat
@ECHO OFF
SETLOCAL EnableDelayedExpansion
:: Capture a literal backspace character in %DEL% (PROMPT $H emits one); used to erase text on the current line
FOR /F "tokens=1,2 delims=#" %%A IN ('"prompt #$H#$E# & ECHO ON & FOR %%B IN (1) DO REM"') DO SET "DEL=%%A"
:: Elevation does not work in XP
:: FIND returns ERRORLEVEL 1 when "XP" is absent, so only non-XP systems attempt to elevate
VER | FIND /I "XP" > NUL
IF ERRORLEVEL 1 CALL :CHECK-ELEVATE
:: Process arguments
@Demonslay335
Demonslay335 / dump.py
Last active Oct 28, 2019
Dumps a PE from VirtualAlloc/VirtualProtect
View dump.py
import os
import sys
import time
import winappdbg    # Python 2 only; Windows-only debugger library
import traceback

class MyEventHandler(winappdbg.EventHandler):
    # Address returned by the most recent VirtualAlloc call, kept so that the
    # region can be dumped when VirtualProtect is later hooked (per the gist description)
    last_alloc_memory = 0
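The winappdbg script above runs under Python 2 on Windows, but the step that turns a located buffer into a usable file is plain byte manipulation: find the MZ/PE header inside the allocation, read SizeOfImage to know how many bytes to copy, and rewrite the section table so raw offsets match the in-memory (RVA) layout that the dump preserves. The block below is an added, platform-independent example of that step, not the gist's code; it builds a constructed minimal PE32 image in mapped layout as its input, standing in for the VirtualAlloc'd region the debugger would read.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def find_pe(buf, start=0):
    """Offset of the first MZ header at/after `start` whose e_lfanew points at PE\\0\\0, else -1.
    Unpacked payloads often sit at a non-zero offset inside the allocated region."""
    off = buf.find(IMAGE_DOS_SIGNATURE, start)
    while off != -1:
        if off + 0x40 <= len(buf):
            (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
            nt = off + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[nt:nt + 4] == IMAGE_NT_SIGNATURE:
                return off
        off = buf.find(IMAGE_DOS_SIGNATURE, off + 1)
    return -1

def pe_layout(buf, base=0):
    """Header fields needed to size and unmap the image (offsets are identical for PE32 and PE32+)."""
    (e_lfanew,) = struct.unpack_from("<I", buf, base + 0x3C)
    nt = base + e_lfanew
    (n_sections,) = struct.unpack_from("<H", buf, nt + 6)
    (opt_size,) = struct.unpack_from("<H", buf, nt + 20)
    opt = nt + 24
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("not a PE32/PE32+ optional header: magic 0x%x" % magic)
    sect_align, file_align = struct.unpack_from("<II", buf, opt + 32)
    (size_of_image,) = struct.unpack_from("<I", buf, opt + 56)
    return {"opt": opt, "sections": opt + opt_size, "n_sections": n_sections,
            "section_alignment": sect_align, "file_alignment": file_align,
            "size_of_image": size_of_image}

def section_headers(buf, base=0):
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    lay = pe_layout(buf, base)
    out = []
    for i in range(lay["n_sections"]):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", buf, lay["sections"] + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, rptr))
    return out

def unmap_image(buf, base=0):
    """Copy SizeOfImage bytes of a mapped image and rewrite the section table to file layout.
    In memory every section lives at its RVA, so after the copy PointerToRawData must equal
    VirtualAddress (and SizeOfRawData VirtualSize) for static tools to find the bytes;
    FileAlignment is set to SectionAlignment so the new raw offsets are still aligned."""
    lay = pe_layout(buf, base)
    img = bytearray(buf[base:base + lay["size_of_image"]])
    if len(img) != lay["size_of_image"]:
        raise ValueError("region is shorter than SizeOfImage; the dump would be truncated")
    opt, sections = lay["opt"] - base, lay["sections"] - base
    struct.pack_into("<I", img, opt + 36, lay["section_alignment"])
    for i in range(lay["n_sections"]):
        sh = sections + 40 * i
        vsize, vaddr = struct.unpack_from("<II", img, sh + 8)
        struct.pack_into("<II", img, sh + 16, vsize, vaddr)
    return bytes(img)

def build_constructed_image():
    """CONSTRUCTED test input, not a real sample: a minimal PE32 already in mapped layout
    (headers in page 0, one .text section at RVA 0x1000, SizeOfImage 0x2000)."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment (on-disk value)
    struct.pack_into("<II", opt, 56, 0x2000, 0x400)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                  # Subsystem: WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    # .text as the loader left it: raw pointer/size still describe the file, not memory
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x20, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    img = bytearray(0x2000)
    headers = bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + text_hdr
    img[:len(headers)] = headers
    img[0x1000:0x1020] = b"\xCC" * 0x20                 # int3 filler standing in for code
    return bytes(img)

def demo():
    """Simulate an allocated region with the image at offset 0x10 and dump it."""
    region = b"\0" * 0x10 + build_constructed_image() + b"\0" * 0x100
    base = find_pe(region)
    return base, unmap_image(region, base)
```

With a real debugger the `buf` argument is the memory read from the region whose address was recorded at VirtualAlloc time; the image base inside that region is found with `find_pe`, and the bytes returned by `unmap_image` are what gets written to disk.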
@Demonslay335
Demonslay335 / permutations_of_arrays.cs
Last active Jan 31, 2019
Generate permutations of an array of arrays
View permutations_of_arrays.cs
using System.Collections.Generic;

// Get permutations of an array of arrays
// Adapted from: https://www.geeksforgeeks.org/combinations-from-n-arrays-picking-one-element-from-each-array/
public static IEnumerable<List<T>> PermutationsOfArrays<T>(IList<List<T>> arr)
{
    // Number of arrays
    int n = arr.Count;
    // Keep track of next element in each of the n arrays
    int[] indices = new int[n];
@Demonslay335
Demonslay335 / jemd_keygen.py
Created Dec 19, 2018
Keygen for Jemd Ransomware
View jemd_keygen.py
import os, sys, argparse

# Charset used by Jemd ransomware
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'

# https://en.wikipedia.org/wiki/Linear_congruential_generator
def lcg(modulus, a, c, seed):
    while True:
        seed = (a * seed + c) % modulus
        yield seed
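The gist above relies on the key being a deterministic function of the LCG seed: every output of lcg() is mapped onto charset, so whoever knows the parameters and can bound the seed can regenerate the key. The block below is an added illustration of that idea, not the gist's keygen; Jemd's modulus, multiplier, increment, key length and seeding are not shown on this page, so it uses the ANSI C rand() constants and an epoch-time seed as labelled assumptions.

```python
# Charset used by Jemd ransomware (from the gist above)
CHARSET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'

# ASSUMED parameters (the ANSI C rand() constants); the real Jemd values are not on this page
MODULUS, MULTIPLIER, INCREMENT = 2 ** 32, 1103515245, 12345

def lcg(modulus, a, c, seed):
    """Linear congruential generator: x_{n+1} = (a * x_n + c) mod m, same shape as the gist."""
    while True:
        seed = (a * seed + c) % modulus
        yield seed

def key_from_seed(seed, length, modulus=MODULUS, a=MULTIPLIER, c=INCREMENT):
    """Map successive LCG outputs onto CHARSET; the whole key is a function of the seed alone."""
    gen = lcg(modulus, a, c, seed)
    return ''.join(CHARSET[next(gen) % len(CHARSET)] for _ in range(length))

def recover_seed(known_prefix, candidates, **params):
    """Return the first seed in `candidates` that reproduces `known_prefix`, else None.
    Feasible when the seed space is small, e.g. a time() value bounded by the time of infection."""
    for seed in candidates:
        if key_from_seed(seed, len(known_prefix), **params) == known_prefix:
            return seed
    return None

def demo():
    """Constructed scenario: the victim's key was made from an assumed epoch-time seed and the
    analyst knows its first 8 characters (say, from a test file); search +/- 6 hours around a guess."""
    infection_seed = 1_545_177_600                   # constructed epoch value, not from the page
    victim_key = key_from_seed(infection_seed, 20)
    window = range(infection_seed - 6 * 3600, infection_seed + 6 * 3600)
    found = recover_seed(victim_key[:8], window)
    rebuilt = key_from_seed(found, 20) if found is not None else None
    return victim_key, found, rebuilt
```

Note that the `% len(CHARSET)` step does not matter for recovery: the search compares generated prefixes against the observed one, so any deterministic mapping from generator output to characters works as long as the analyst reproduces the same mapping.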
@Demonslay335
Demonslay335 / calculate_rsa.cs
Last active Dec 17, 2018
Generate private RSA key from factored primes
View calculate_rsa.cs
using System;
using Org.BouncyCastle.Math;

public BigInteger CalculateRSA(BigInteger p, BigInteger q, BigInteger e)
{
    // n = p*q - for illustration
    BigInteger n = p.Multiply(q);
    // phi / r = (p-1)*(q-1)
    BigInteger phi = p.Subtract(BigInteger.One).Multiply(q.Subtract(BigInteger.One));
    // Private exponent d = e^-1 mod phi; ModInverse throws if e and phi are not coprime
    BigInteger d = e.ModInverse(phi);
    return d;
}
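As an added companion to the C# above (not the gist's code): the same computation in Python, extended with the CRT values (dP, dQ, qInv) that a PKCS#1 private key also carries, and with the consistency checks worth running before trusting a recovered key. The toy primes are the textbook p = 61, q = 53, e = 17 example; real keys differ only in size.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, m):
    """a^-1 mod m; fails loudly when gcd(a, m) != 1 (e.g. e not coprime to phi)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (a, m, g))
    return x % m

def rsa_private_from_primes(p, q, e):
    """Rebuild the full private key from the factors; d is what the C# snippet above returns."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": modinv(q, p)}

def rsa_private_from_one_factor(n, p, e):
    """When only one factor is known the other is n // p; refuse if p does not divide n."""
    if n % p != 0:
        raise ValueError("p does not divide n")
    return rsa_private_from_primes(p, n // p, e)

def decrypt_crt(key, c):
    """Decrypt via the CRT components, as real implementations do; must agree with c^d mod n."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]

def key_is_consistent(key, m=42):
    """e*d == 1 mod phi, and a plain and a CRT decryption both recover a test message."""
    n, e, d = key["n"], key["e"], key["d"]
    phi = (key["p"] - 1) * (key["q"] - 1)
    c = pow(m, e, n)
    return (e * d) % phi == 1 and pow(c, d, n) == m and decrypt_crt(key, c) == m
```

Bouncy Castle's ModInverse and the code above both use phi = (p-1)(q-1); a library that uses lambda = lcm(p-1, q-1) produces a smaller d that decrypts identically, so a mismatch in d between two tools is not by itself a sign of error.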
@Demonslay335
Demonslay335 / peplink_ipsec.py
Created Oct 17, 2018
Get status of IPsec VPN tunnels on Peplink Balance
View peplink_ipsec.py
@Demonslay335
Demonslay335 / QueryQNAPUpdate-PS2.ps1
Created Sep 20, 2018
Query a QNAP for any available updates using the API (PowerShell 2)
View QueryQNAPUpdate-PS2.ps1
# Ignore self-signed certificates. Caveat: this disables server certificate validation for the
# whole process, so anything on the path can impersonate the NAS; trust or pin its certificate instead where possible.
if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type)
{
$certCallback = @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public class ServerCertificateValidationCallback
{
    public static void Ignore()
    {
        ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };
    }
}
"@
Add-Type $certCallback
}
[ServerCertificateValidationCallback]::Ignore()
@Demonslay335
Demonslay335 / QueryQNAPUpdate.ps1
Created Sep 20, 2018
Query a QNAP for any available updates using the API (PowerShell 5)
View QueryQNAPUpdate.ps1
# Ignore self-signed certificates. Caveat: this disables server certificate validation for the
# whole process, so anything on the path can impersonate the NAS; trust or pin its certificate instead where possible.
if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type)
{
$certCallback = @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public class ServerCertificateValidationCallback
{
    public static void Ignore()
    {
        ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };
    }
}
"@
Add-Type $certCallback
}
[ServerCertificateValidationCallback]::Ignore()
View rapid_config.py
"""
Extract Rapid 2.0 ransomware config from encrypter or decrypter
Author: @demonslay335
"""
import os, sys, string, re, binascii, base64, argparse
# https://stackoverflow.com/a/17197027/1301139
def strings(filename, min=4, max=10000):
    with open(filename, "rb") as f: # Python 2.x
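The strings() helper above is Python 2 and is cut off in this listing. The block below is an added Python 3 version (editor's example, not the gist's code) that also emits the run that ends at EOF, adds a UTF-16LE variant for Windows wide strings, and filters the results for well-formed base64, the usual first step when a config is embedded as an encoded blob. The sample bytes are constructed for the demonstration and are not from Rapid 2.0.

```python
import base64
import binascii
import re

def strings(data, min_len=4):
    """Yield runs of at least min_len printable ASCII bytes (like the Unix strings tool).
    A run that ends exactly at EOF is emitted too; a naive loop forgets it."""
    run = bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:
        yield run.decode("ascii")

def strings_wide(data, min_len=4):
    """UTF-16LE counterpart: Windows malware usually keeps paths, mutexes and URLs as wide strings."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16le")

_B64 = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def base64_candidates(data, min_len=16):
    """Strings that are well-formed base64 and decode cleanly: a first filter for a config blob.
    validate=True rejects anything outside the alphabet instead of silently skipping it."""
    found = []
    for s in strings(data, min_len):
        if _B64.match(s) and len(s) % 4 == 0:
            try:
                found.append((s, base64.b64decode(s, validate=True)))
            except (binascii.Error, ValueError):
                pass
    return found

# CONSTRUCTED sample standing in for a binary: junk, an ASCII URL, a wide string,
# a base64 blob of a made-up config line, and a trailing run cut off by EOF.
SAMPLE = (b"\x00\x01MZ\x90\x00" + b"http://example.invalid/gate.php" + b"\x00\xff"
          + "config".encode("utf-16le") + b"\x00"
          + base64.b64encode(b"id=1234;ext=.rapid") + b"\x00"
          + b"trailing")
```

Candidates that decode to high-entropy bytes rather than text are the ones to try against the sample's decryption routine; the decoded output here is plain only because the sample is constructed.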