Strings decoded from the newer version of #EKANS ransomware.
import re
import sys
import pefile
import struct
import binascii
The following steps detail how to connect over Remote Desktop from Linux Mint or Ubuntu to Windows 10 with an AzureAD username and password login account.
#Source Blog Post
https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
#Yara Rules
rule WinntiLinux_Dropper : azazel_fork
{
meta:
desc = "Detection of Linux variant of Winnti"
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users that have logged on to the system (profile directories):
ls C:\Users\
System environment variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
$> brew install openssl
$> brew install swig
$> env LDFLAGS="-L$(brew --prefix openssl)/lib" \
CFLAGS="-I$(brew --prefix openssl)/include" \
SWIG_FEATURES="-cpperraswarn -includeall -I$(brew --prefix openssl)/include" \
pip install m2crypto
#!/bin/bash
# Scan the whole file (-a) for ASCII and UTF-16LE (-el) strings with decimal offsets (-td),
# tag each line A or W, and merge both lists sorted by offset.
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
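The script above relies on GNU binutils. As an added example that is not part of the original snippet, the Python below reimplements the same two scans (printable ASCII runs, and runs of ASCII characters each followed by a NUL byte for UTF-16LE), tags hits A or W, sorts them by decimal offset and prints them in the same 7-wide offset layout as `strings -td`. The minimum run length of 4 is the `strings` default; the sample buffer is constructed for the demonstration and is not a real binary.

```python
import re

# Minimum run length: the default GNU strings uses when -n is not given.
MIN_LEN = 4

# Printable 7-bit ASCII, the character class GNU strings accepts by default.
_ASCII = rb"[\x20-\x7e]"


def ascii_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield (offset, 'A', text) for every run of >= min_len printable ASCII bytes.

    Mirrors `strings -a -td`: the whole buffer is scanned, offsets are decimal.
    """
    pat = re.compile(_ASCII + b"{%d,}" % min_len)
    for m in pat.finditer(data):
        yield m.start(), "A", m.group().decode("ascii")


def utf16le_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield (offset, 'W', text) for runs of >= min_len UTF-16LE characters.

    Mirrors `strings -a -td -el`: each character is a printable ASCII byte
    followed by a NUL (16-bit little-endian), so plain ASCII runs never match.
    """
    pat = re.compile(b"(?:" + _ASCII + b"\x00){%d,}" % min_len)
    for m in pat.finditer(data):
        yield m.start(), "W", m.group().decode("utf-16-le")


def dual_strings(data: bytes, min_len: int = MIN_LEN):
    """Both scans merged and ordered by offset, like the `sort -n` in the script."""
    hits = list(ascii_strings(data, min_len)) + list(utf16le_strings(data, min_len))
    hits.sort(key=lambda h: h[0])
    return hits


def format_hits(hits):
    """Render like the script's output: 7-wide decimal offset, A/W tag, string."""
    return ["%7d %s %s" % (off, tag, text) for off, tag, text in hits]


# Constructed sample buffer (not a real binary): one ASCII string, one UTF-16LE
# path, two runs that are too short for either scan, and a final ASCII string.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"                      # offset 0: "MZ" is only 2 chars
    + b"decrypt_files"                         # offset 6: ASCII, 13 bytes
    + b"\x00\x00"
    + "C:\\Users\\victim".encode("utf-16-le")  # offset 21: UTF-16LE, 30 bytes
    + b"\x00\x00"
    + b"ab\x00\x00"                            # offset 53: too short for both scans
    + b"EKANS\x00"                             # offset 57: ASCII, 5 bytes
)

if __name__ == "__main__":
    for line in format_hits(dual_strings(SAMPLE)):
        print(line)
```

Because the UTF-16LE pattern requires a NUL after every character, a wide string is never also reported by the ASCII scan, and a wide string that happens to sit at an odd offset is still found since the regex is not anchored to 2-byte alignment.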