John Lambert JohnLaTwC

59997a68286a73e42ac56b2e5729995a4193e5ec3a8bc4889571751debec287e
#!/usr/bin/python
# -*- coding: utf-8 -*-
'Loader (Build Your Own Botnet)'
# standard library
import imp
import sys
import logging
import contextlib
if sys.version_info[0] < 3:
gist:3f234e00bc57746224e6f56fb4c39480
import vt
import nest_asyncio
nest_asyncio.apply()
RULE_NAME = 'MSCOVID19_FEED'
def get_ruleset_id(api_key, rule_name):
    with vt.Client(api_key) as client:
        obj = client.get_json('/intelligence/hunting_rulesets',
                              params = {'filter':'enabled:true name:%s ' % rule_name, 'limit':1})
4e51c7d720dd46ae3977239714b5743d548b93ff6621ec3a4819466623aef1c5-191c3eeb
olevba 0.55.1 on Python 3.7.6 - http://decalage.info/python/oletools
===============================================================================
FILE: hola3.otm
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisOutlookSession.cls
in file: hola3.otm - OLE stream: 'OutlookVbaData/VBA/ThisOutlookSession'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub Application_Quit()
f9d64c96a8090b2599bd5329fbfed3a852fce5455ba5f658363abb19075bbab3
## Sample hash f9d64c96a8090b2599bd5329fbfed3a852fce5455ba5f658363abb19075bbab3
## Uploaded by @JohnLaTwC
#################### VBA Macro #####################
olevba 0.55.1 on Python 3.7.6 - http://decalage.info/python/oletools
===============================================================================
FILE: f9d64c96a8090b2599bd5329fbfed3a852fce5455ba5f658363abb19075bbab3
Type: OLE
-------------------------------------------------------------------------------
JohnLaTwC / commands
Last active Jun 16, 2020
doskey Macro test
commands
doskey /macros
cd c:\Users\All Users\Application Data
b 1
cd C:\Windows\System32\
b 2
cd "C:\Program Files"
b 3
g 1
g 2
g 3
cmd_macros.lst
;= bookmark and GO commands:
b=setx _bm$1 "%CD%" 1>nul && set _bm$1="%CD%" 1>nul && @echo Bookmarked %CD% in $1.
g=pushd . && cd /d %_bm$1%
;= quickly edit the macro file
em=start /WAIT notepad %userprofile%\cmd_macros.lst && doskey /macrofile=%userprofile%\cmd_macros.lst
;= convenience commands
..=cd ..
...=cd .. & cd ..
96cefc000e35446bf3d2cc117df80858f8df2caa9395aa2e9a0862646ee150e3
ed933e3c4add755c7e1066f2c8c765e8516fabb6445f1e5265e3bc11b6b50b1d
JohnLaTwC / sample chain
Created May 24, 2020
Template injection attack 0733b16e7f871c095c124a5da28c554d3e8861d8160d879dbb2c0bc4668012b9
sample chain
## Sample hash:
## DOCX: 0733b16e7f871c095c124a5da28c554d3e8861d8160d879dbb2c0bc4668012b9
## template injection: 79658efd6d19e0704902af2ea9e3a30a7c2dc624e7195998e3af3c2289877b8d
## VBS: 9d77e8df4dc2c49594dac3bed4373051f3b9dd5f1228d1eeeb63f5d8048d9685
## Payload: 6d3d5cc0a0b26be8180ae4ade5f5cec26c94d06754a62251869d832ac6fe1c0c
## http://moveis-schuster-com.ga/Order.jpg returns:
error
[Loading Cells]
auto_open: auto_openhmqja->Sheet2!$HT$59712
[Starting Deobfuscation]
CELL:HT59712 , FullEvaluation , SET.VALUE(Sheet2!IJ9596,-4545)
CELL:HT59713 , FullEvaluation , GOTO(AG21387)
CELL:AG21387 , FullEvaluation , SET.VALUE(Sheet2!GY52195,-50.25)
CELL:AG21388 , FullEvaluation , RUN(Sheet2!HU17490)
CELL:HU17490 , FullEvaluation , SET.VALUE(Sheet2!II36015,-424)
CELL:HU17491 , FullEvaluation , RUN(Sheet2!DX56863)