adulau

MISP Training Wednesday December 4 2019

Evidence and report to add in the MISP instance and share back with the training community

• (1) https://mobile.twitter.com/James_inthe_box/status/1195354125950689280
• (2) https://mobile.twitter.com/1ZRR4H/status/1201249017549729793
• (3) https://twitter.com/Int2e_/status/1192206123451011072
• (4) https://www.foo.be/cours/dess-20192020/pub/gru/
• (5) https://blog.telsy.com/lazarus-gate/
• (6) https://app.any.run/tasks/8286e7e1-710a-4570-805d-8a03395caa31/

adulau

a list to a sane default

cat /tmp/lang.txt | awk -F'\\\\n' '{ printf "\"%s\", \n", $1 }'

adulau

<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="fc2d3e44-80a6-4add-ad94-de9f289e62ff" last-modified="2011-10-28T21:00:13" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>CCAPP.EXE</short_description>
  <description>Custom Reverse shell.</description>
  <keywords />
  <authored_by>Mandiant</authored_by>
  <authored_date>2010-12-13T12:49:53</authored_date>
  <links>
    <link rel="grade">Alpha</link>
  </links>

adulau

5d323e196ae9cd8b05c7711538264ebc59f0d690
3c5b1fa5b76033ae9ab6a28af6d495487b509fa7
aacd28512f3e5690c70fcb9018f0da7d94f873a2
6c80fd53423f99bdcff0a1460d0e1b3c7078f58e
4c9bf438d46ca87cfed57d851d69766b017a4aca
28307d491aa8262e09e147fba06a5b2314124c57
179cefa4d2e29d17ec38a7e2c28f0bd847504694
80be5349ebe8ab391303cc4b9045ffbf7c8a4ce2
b642848933f2aae2500d3ad77ccce3d4250d928d

adulau

Scanning for devices...
    Device (new): 6c:d9:23:52:61:b4 (random), -73 dBm 
	Flags: <1a>
	Manufacturer: <4c001005111c67c1fb>
    Device (new): 5a:b4:cf:1d:94:50 (random), -78 dBm 
	Flags: <1a>
	Manufacturer: <c400073302131580>
	Complete 16b Services: <0000feb9-0000-1000-8000-00805f9b34fb>
	0x1b: <00ed908eaa6fa0>
    Device (new): 40:fd:ed:6d:c0:45 (random), -87 dBm 

adulau

Tools

feh

feh -B white -Z -z -F -D 4 --hide-pointer -auto-rotate

adulau

Introduction

As the Ghidra open source community is growing, trying to document the new projects around Ghidra. Feel free to fork the gist and propose improvements.

CPU support

• New 6502 language module for Ghidra
• Atmel AVR helpers for Ghidra - ATmega328p
• Processor definitions for DMG and CGB in Ghidra - Gameboy CPU (LR35902) (WiP)
• ghidra based disassembly of the x68000's IPL.

adulau

Theory

• In signal processing, cross-correlation is a measure of similarity of two series as a function of the displacement of one relative to the other.
• Manhattan distance
• Bhattacharyya distance measures the similarity of two probability distributions.

Libraries

• ImageHash which supports average hashing, perception hashing, difference hashing and wavelet hashing.
• dhash is a Python library which supports a perceptual hash based on Neal Krawetz’s dHash algorithm in this “Hacker Factor” blog entry.

adulau

od -x /dev/urandom | head -1 | awk '{OFS="-"; print $2$3,$4,4 substr($5, 0, 3),8 substr($6, 0, 3),$7$8$9}'

adulau

/9j/4AAQSkZJRgABAQEASABIAAD/4QEgRXhpZgAATU0AKgAAAAgACAEPAAIAAAAoAAAAbgEQAAIA
AAAoAAAAlgEaAAUAAAABAAAAvgEbAAUAAAABAAAAxgEoAAMAAAABAAIAAAE7AAIAAAAIAAAAzgIT
AAMAAAABAAEAAIKYAAIAAABBAAAA1gAAAABUaGUgaGludCBmcm9tIFNhdG9zaGkgTmFrYW1hdG86
IFRyaWJ1dGUAVGhlIGhpbnQgZnJvbSBTYXRvc2hpIE5ha2FtYXRvOiBUcmlidXRlAAAAAEgAAAAB
AAAASAAAAAFUcmlidXRlADAwMDAwMDAwMDAwMDA3OTgxMTVmMzAyY2I1ZjcxY2ZjNDE0NmIwZjIx
YjYxZjE0NjE1MzdlOTFkZmUyODQ4M2MAAP/tA8pQaG90b3Nob3AgMy4wADhCSU0EBAAAAAADrRwC
bgAgVGhlIGhpbnQgZnJvbSB0aGUgU2F0b3NoaSBOYWthbWEcAgAAAgAEHAIZAEAwMDAwMDAwMDAw
MDAwNzk4MTE1ZjMwMmNiNWY3MWNmYzQxNDZiMGYyMWI2MWYxNDYxNTM3ZTkxZGZlMjg0ODNjHAIZ
AEAwMDAwMDAwMDAwMDAwNzk4MTE1ZjMwMmNiNWY3MWNmYzQxNDZiMGYyMWI2MWYxNDYxNTM3ZTkx