John Lambert JohnLaTwC
JohnLaTwC
/ 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
Created
October 1, 2020 01:41
A very interesting DOCX no?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools | |
| =============================================================================== | |
| FILE: 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1 | |
| Type: OpenXML | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisDocument.cls | |
| in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| Private Declare PtrSafe Function ExpandString Lib "kernel32" Alias "ExpandEnvironmentStringsA" (ByVal lpSrc As String, ByVal lpDst As String, ByVal nSize As Long) As Long |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sha256 | |
| caff2481325d66d93aa9aaa859ac5c6358d45ae29631414cac4212c726f9b822 | |
| 23f1c8e271c622ed8bd5fdff31cd35e7384288732552b29a34011c429e7bf15d | |
| 29ef47a455d5c439d7d072f1e1911bc18984d86e5333e06682a6b18b14719a5b | |
| 85fac93bf6bf6220a9eb753ee8727d9e9661320504efcf5a470f48b0439c36f6 | |
| e23f9f55e10f3f31a2e76a12b174b6741a2fa1f51cf23dbd69cf169d92c56ed5 | |
| eebd278919de6536f3e07401f4d6406d327ab069083ffc893dbf55026b766c12 | |
| e1833eab2c51dd30d06919cfefd44078a09cd1d8822bb999ba81e528286c11b7 | |
| 56ff65b7f6bf5936883f52b50ca66e768b2088158cc77af681ffab7122be7753 | |
| 863f565b676a7170255d30334e4b2b3863cde0ad6d52759464ae2123ff1868a9 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule auto_open_evasion | |
| { | |
| meta: | |
| reference="https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/" | |
| hash="e23f9f55e10f3f31a2e76a12b174b6741a2fa1f51cf23dbd69cf169d92c56ed5" | |
| hash1="bb3c9739de8ffe2e0f375847d41a010463ec19f1d3f578ac053651a51ed69bbc" | |
| hash2="56ff65b7f6bf5936883f52b50ca66e768b2088158cc77af681ffab7122be7753" | |
| hash3="97243214ac3cad74d60b0648e39d6a9600860edba51c670b5226e058ba658957" | |
| hash4 = "9ebf085c05ae94c1b6c4e011001a6c11de3ca754a56ed380314ef501b777e593" |
JohnLaTwC
/ xls_wrapper_2.py
Created
September 24, 2020 15:31
Defined name matching mod for UTF16 names
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def get_defined_name(self, name, full_match=True): | |
| result = [] | |
| name = name.lower().replace('[', '') | |
| if full_match: | |
| if name in self.get_defined_names(): | |
| result = self._defined_names[name] | |
| else: | |
| for defined_name, cell_address in self.get_defined_names().items(): |
JohnLaTwC
/ 59997a68286a73e42ac56b2e5729995a4193e5ec3a8bc4889571751debec287e
Created
August 26, 2020 20:15
BYOB example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # -*- coding: utf-8 -*- | |
| 'Loader (Build Your Own Botnet)' | |
| # standard library | |
| import imp | |
| import sys | |
| import logging | |
| import contextlib | |
| if sys.version_info[0] < 3: |
JohnLaTwC
/ gist:3f234e00bc57746224e6f56fb4c39480
Created
August 26, 2020 20:00
VT API Update Rule gist
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import vt | |
| import nest_asyncio | |
| nest_asyncio.apply() | |
| RULE_NAME = 'MSCOVID19_FEED' | |
| def get_ruleset_id(api_key, rule_name): | |
| with vt.Client(api_key) as client: | |
| obj = client.get_json('/intelligence/hunting_rulesets', | |
| params = {'filter':'enabled:true name:%s ' % rule_name, 'limit':1}) |
JohnLaTwC
/ 4e51c7d720dd46ae3977239714b5743d548b93ff6621ec3a4819466623aef1c5-191c3eeb
Created
July 15, 2020 15:59
VbaOutlook.OTM
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| olevba 0.55.1 on Python 3.7.6 - http://decalage.info/python/oletools | |
| =============================================================================== | |
| FILE: hola3.otm | |
| Type: OLE | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisOutlookSession.cls | |
| in file: hola3.otm - OLE stream: 'OutlookVbaData/VBA/ThisOutlookSession' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| Private Sub Application_Quit() |
JohnLaTwC
/ f9d64c96a8090b2599bd5329fbfed3a852fce5455ba5f658363abb19075bbab3
Created
June 17, 2020 19:27
OSX macro threat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Sample hash f9d64c96a8090b2599bd5329fbfed3a852fce5455ba5f658363abb19075bbab3 | |
| ## Uploaded by @JohnLaTwC | |
| #################### VBA Macro ##################### | |
| olevba 0.55.1 on Python 3.7.6 - http://decalage.info/python/oletools | |
| =============================================================================== | |
| FILE: f9d64c96a8090b2599bd5329fbfed3a852fce5455ba5f658363abb19075bbab3 | |
| Type: OLE | |
| ------------------------------------------------------------------------------- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| doskey /macros | |
| cd c:\Users\All Users\Application Data | |
| b 1 | |
| cd C:\Windows\System32\ | |
| b 2 | |
| cd "C:\Program Files" | |
| b 3 | |
| g 1 | |
| g 2 | |
| g 3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ;= bookmark and GO commands: | |
| b=setx _bm$1 "%CD%" 1>nul && set _bm$1="%CD%" 1>nul && @echo Bookmarked %CD% in $1. | |
| g=pushd . && cd /d %_bm$1% | |
| ;= quickly edit the macro file | |
| em=start /WAIT notepad %userprofile%\cmd_macros.lst && doskey /macrofile=%userprofile%\cmd_macros.lst | |
| ;= convenience commands | |
| ..=cd .. | |
| ...=cd .. & cd .. |