Andrea De Pasquale adepasquale


WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses EternalBlue (MS17-010) to propagate.
  • Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

@stamparm
stamparm / sinkhole_emails.txt
Last active June 30, 2020 11:32
Email addresses used in WHOIS registrations of sinkholed malicious/malware domains
botsmustdie@gmail.com
jgou.veia@gmail.com
malicious-domains@shadowserver.org
the.malware.cabal@gmail.com
bdomaincontrol@gmail.com
malsinkhole@gmail.com
cyd-dns@ic.fbi.gov
s1nkh0l3@yahoo.com
info@fitsec.com
ctu-sinkhole@secureworks.com
@DimitarChristoff
DimitarChristoff / store-trap.html
Created October 22, 2016 22:50
chrome store abuse
<!-- view-source:http://cofinsa.info/helloworld.php?city=GB&clickid=wOG4PFS3EJJ786J0H5TOVOG4 -->
<!--<script>if(history.replaceState) history.replaceState({}, "", "/");</script>-->
<script>confirm('Add Extension to Leave');</script>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
@williballenthin
williballenthin / yara_fn.py
Last active December 4, 2020 05:25
generate a yara rule that matches the basic blocks of the current function in IDA Pro
'''
IDAPython script that generates a YARA rule to match against the
basic blocks of the current function. It masks out relocation bytes
and ignores jump instructions (given that we're already trying to
match compiler-specific bytes, this is of arguable benefit).
If python-yara is installed, the IDAPython script also validates that
the generated rule matches at least one segment in the current file.
author: Willi Ballenthin <william.ballenthin@fireeye.com>
@glaslos
glaslos / demo_web_honeypot.py
Last active March 23, 2016 23:38
demo_web_honeypot
import SimpleHTTPServer
import SocketServer
paths = set()
class Handler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        # Detect remote file inclusion
        if '=http' in self.path:
@Neo23x0
Neo23x0 / yara_performance_guidelines.md
Last active April 30, 2024 10:39
YARA Performance Guidelines

This Gist has been transferred into a GitHub repo. You'll find the most recent version here.

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.4, October 2020, applies to all YARA versions higher than 3.7
@ryancdotorg
ryancdotorg / rsabd.py
Last active March 13, 2023 15:57
backdoored rsa key generation
#!/usr/bin/env python
import sys
import gmpy
import curve25519
from struct import pack
from hashlib import sha256
from binascii import hexlify, unhexlify
import argparse
"""
Shiotob DGA
Generates domains for the Shiotob malware
- top level domains alternate between '.net' and '.com'
- domains are between 14 and 19 characters long
- domains consist of all letters and digits 123945
#!/usr/bin/python
import cv2
import numpy as np
import wave
import struct
import sys
# usage instructions:
# ./image2spectrogram.py input.png
@9b
9b / k10.py
Last active September 20, 2015 16:53
import datetime, re, difflib
def k10(stack):
    if len(stack) <= 1:
        return
    checkHashes, checkDuplicates, checkDelta, checkName = True, True, True, True
    score, dCount, fCount, deltaScore, fnameScore, chainAverage = 65, 0, 0, 0, 0, 0
    duplicates, dChain, fChain, features = [], [], [], [ 'valid_filenames' ]