
Michael Gillespie Demonslay335

  • Facet Technologies, Inc.
  • United States
Demonslay335 / gen_id.py
Last active Aug 12, 2020
DarkSide Ransomware ID Generation
import zlib, sys
def get_id(mac):
    """Derive the ID for a MAC address given as a bare hex string.

    The string is parsed as a base-16 integer, packed into exactly six
    big-endian bytes and handed to ``checksum`` with ``compression=True``.

    ``int(mac, 16)`` raises ``ValueError`` for input containing ``:`` or ``-``
    separators, and ``to_bytes(6, 'big')`` raises ``OverflowError`` for a
    value wider than 48 bits, so callers should normalise the MAC first.
    """
    mac_value = int(mac, 16)
    mac_bytes = mac_value.to_bytes(6, 'big')
    return checksum(mac_bytes, True)
def checksum(input, compression=False):
v3 = zlib.crc32(input, 0xDEADBEEF)
v4 = zlib.crc32(input, v3)
Demonslay335 / Sosemanuk.cs
Created Jul 23, 2020
Sosemanuk cryptographic algorithm in C#.
// Adapted from https://www.seanet.com/~bugbee/crypto/sosemanuk/
public class Sosemanuk
{
/// <summary>
/// Creates a cipher instance by running BuildAlphas(), then SetKey(key), then SetIV(iv), in that order.
/// </summary>
/// <param name="key">Key bytes, passed unchanged to SetKey.</param>
/// <param name="iv">Initialisation vector bytes, passed unchanged to SetIV.</param>
public Sosemanuk(byte[] key, byte[] iv)
{
// NOTE(review): BuildAlphas, SetKey and SetIV are defined outside this excerpt, so any
// null or length validation of key and iv cannot be confirmed from here. Verify it.
// Sosemanuk is a stream cipher: encrypting two messages under the same key and IV
// reuses the keystream, so callers need a fresh IV per message.
BuildAlphas();
SetKey(key);
SetIV(iv);
}
Demonslay335 / QueryQNAPUpdate-PS2.ps1
Created Sep 20, 2018
Query a QNAP for any available updates using the API (PowerShell 2)
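# Ignore self-signed certificate errors.
# NOTE(review): if the callback below accepts every certificate, the server's identity is no longer
# verified on these HTTPS requests; pinning the NAS certificate thumbprint keeps that check.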
if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type)
{
$certCallback = @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public class ServerCertificateValidationCallback
{
Demonslay335 / dump.py
Last active Jul 23, 2020
Dumps a PE from VirtualAlloc/VirtualProtect
import os
import sys
import time
import winappdbg
import traceback
class MyEventHandler(winappdbg.EventHandler):
last_alloc_memory = 0
Demonslay335 / globeimposter_config.py
Last active May 23, 2020
Extract GlobeImposter ransomware config
"""
Extract GlobeImposter 2.0 Ransomware Config
Author: @demonslay335
"""
import os
import sys
import binascii
import re
import hashlib
Demonslay335 / notes.txt
Last active Feb 29, 2020
Makop Ransomware Notes
Sample:
fe52d906fa596e7ae16633074ff7178b3ac40e26a93f0009f1b33d5cbf219e91
Strings and config encrypted with static AES-256 key (shown below as a CryptoAPI PLAINTEXTKEYBLOB: a 12-byte header followed by the 32-byte key):
08 02 00 00 10 66 00 00 20 00 00 00 5D 1D E0 32 A9 6D E4 05 A5 5B 12 E1 1F B9 03 A1 CF 2D F8 5A 29 87 78 4D EC 28 61 C1 13 96 FA 15
Decrypted RSA-1024 public key:
06 02 00 00 00 A4 00 00 52 53 41 31 00 04 00 00 01 00 01 00 F1 D1 12 AA DF 72 34 19 DC A4 6E 18 07 15 67 9F F2 6F 4F 03 A7 61 5B 97 C5 6C 20 13 21 A7 40 24 48 91 8D 47 32 81 9B 14 D4 82 0F AF 8A F8 EC 66 8E 87 26 CD 15 37 FC 03 8D 10 BB 90 6D 1D D0 A6 41 A4 B2 60 5F 60 46 45 4C 70 44 20 54 90 C0 D9 4D F6 B2 90 33 BF 78 51 AC E5 76 F6 EB 9C CF 83 A3 21 DD F8 B9 46 67 8B 7A 04 71 54 FD D7 1B 17 DE 39 7A 70 D6 04 AE AD AF 38 B8 1C B8 73 5D A6
Targeted extensions:
View FixProfile.bat
@ECHO OFF
SETLOCAL EnableDelayedExpansion
FOR /F "tokens=1,2 delims=#" %%A IN ('"prompt #$H#$E# & ECHO ON & FOR %%B IN (1) DO REM"') DO SET "DEL=%%A"
:: Elevation does not work in XP
VER | FIND /I "XP" > NUL
IF ERRORLEVEL 1 CALL :CHECK-ELEVATE
:: Process arguments
Demonslay335 / permutations_of_arrays.cs
Last active Jan 31, 2019
Generate permutations of an array of arrays
// Get permutations of an array of arrays
// Adapted from: https://www.geeksforgeeks.org/combinations-from-n-arrays-picking-one-element-from-each-array/
public static IEnumerable<List<T>> PermutationsOfArrays<T>(IList<List<T>> arr)
{
// Number of arrays
int n = arr.Count();
// Keep track of next element in each of the n arrays
int[] indices = new int[n];
Demonslay335 / jemd_keygen.py
Created Dec 19, 2018
Keygen for Jemd Ransomware
import os, sys, argparse
# Charset used by Jemd ransomware
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
# https://en.wikipedia.org/wiki/Linear_congruential_generator
def lcg(modulus, a, c, seed):
    """Endless generator of linear congruential generator states.

    Each step computes ``(a * state + c) % modulus`` and yields the new state;
    the initial ``seed`` itself is never yielded. The sequence is fully
    determined by the four arguments, so it is not a source of secret
    randomness.
    """
    state = seed
    while True:
        # Advance first, then yield: the first value produced is already one step past the seed.
        state = (a * state + c) % modulus
        yield state
Demonslay335 / calculate_rsa.cs
Last active Dec 17, 2018
Generate private RSA key from factored primes
using System;
using Org.BouncyCastle.Math;
public BigInteger CalculateRSA(BigInteger p, BigInteger q, BigInteger e)
{
// n = p*q - for illustration
BigInteger n = p.Multiply(q);
// phi / r = (p-1)*(q-1)
BigInteger phi = p.Subtract(BigInteger.One).Multiply(q.Subtract(BigInteger.One));