Albert Zsigovits albertzsigovits

## yara-perf-bits.txt
#0:
strings are always evaluated first
filesize < 100KB will not help

#1:
// condition order does not matter, will only short-circuit
condition:
  $str1 and $str2 and uint16(0) == 0xFFFF and ...
  uint16(0) == 0xFFFF and $str1 and $str2 and ...

## malware-projects.txt
https://www.bootloaders.io/
https://loldrivers.io
https://gtfobins.github.io
https://lolbas-project.github.io
https://wtfbins.wtf
https://lots-project.com
https://filesec.io
https://malapi.io
https://hijacklibs.net
https://wadcoms.github.io

## yara-usecases.txt
YARA use cases:
===============

Conditions:
-----------
uint16(0) == 0x5A4D // MZ
uint32(uint32(0x3C)) == 0x00004550 // PE
uint32(0) == 0x464C457F // ELF
uint8be(uint32(0x3C)+4) == 0x64 // 64-bit
uint32be(uint32(0x3C)+8) == 0x174a505c // Compiled time

## mlwr-decrypt.txt
import argparse

parser = argparse.ArgumentParser()
parser.add_argument("file_path", help="path to input file")
args = parser.parse_args()

KEY_OFFSET = 0x5000
DATA_OFFSET = 0x15000
KEY_SIZE = 8
DATA_SIZE = 256

## mlwr-cfg.txt
References to malware configuration extraction and memory dumping:

    https://www.vmray.com/cyber-security-blog/vmray-platform-feature-highlight-extended-smart-memory-dumping/
    https://www.vmray.com/cyber-security-blog/malware-configuration-extraction-vmray-analyzer-4-5-feature-highlight/
    https://any.run/cybersecurity-blog/malware-configuration/
    https://developers.virustotal.com/reference/malware_config

Commercial projects:

    https://malwareconfig.com/

## apt.txt
# APT resources

https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1864660085
https://www.mandiant.com/resources/insights/apt-groups
https://attack.mitre.org/groups/
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections

## c2-frameworks.txt
# Commercial tools
Cobalt Strike - https://www.cobaltstrike.com
Brute Ratel C4 - https://bruteratel.com
Nighthawk - https://www.mdsec.co.uk/nighthawk

# Open-source tools
Metasploit - https://www.metasploit.com
Posh C2 - https://github.com/nettitude/PoshC2
Empire - https://github.com/BC-SECURITY/Empire
Sliver - https://github.com/BishopFox/sliver

## ti-forums.txt
Breached - breached[.]co	- DOWN
Eternia - eternia[.]to
Cracked - cracked[.]to
Nulled - nulled[.]to
Raidforums - DOWN - DoJ hijacked
Hackforums - hackforums[.]net
Eleaks - eleaks[.]to
Sinister - sinister[.]ly
XSS - xss[.]is
Exploit - exploit[.]in

## mlwr-sandboxes.txt
VirusTotal - https://www.virustotal.com
JoeSandbox - https://www.joesandbox.com
VMRay - https://www.vmray.com
ReversingLabs - https://www.reversinglabs.com
HybridAnalysis - https://www.hybrid-analysis.com
Any.Run - https://app.any.run/submissions
Tria.ge - https://tria.ge/reports/public
Threat.Zone - https://app.threat.zone/public-submissions
CAPE Sandbox - https://capesandbox.com
Cuckoo CERT-EE - https://cuckoo.cert.ee

## mlwr-trackers.txt
Viriback's tracker - https://tracker.viriback.com/
DRM Ransomware tracker - https://ransom.insicurezzadigitale.com/?date=2022
Virusdeck - https://virusdeck.com/
Threatshare.io - https://threatshare.io/malware/
Xily's tracker - https://cybercrime-tracker.net/
VXVault - https://vxvault.net/ViriList.php
Fumik0's tracker - https://tracker.fumik0.com/
CVE trends - https://cvetrends.com/
TweetIOC - https://tweettioc.com/
	#0:
	strings are always evaluated first
	filesize < 100KB will not help

	#1:
	// condition order does not matter, will only short-circuit
	condition:
	$str1 and $str2 and uint16(0) == 0xFFFF and ...
	uint16(0) == 0xFFFF and $str1 and $str2 and ...
	https://www.bootloaders.io/
	https://loldrivers.io
	https://gtfobins.github.io
	https://lolbas-project.github.io
	https://wtfbins.wtf
	https://lots-project.com
	https://filesec.io
	https://malapi.io
	https://hijacklibs.net
	https://wadcoms.github.io
	YARA use cases:
	===============

	Conditions:
	-----------
	uint16(0) == 0x5A4D // MZ
	uint32(uint32(0x3C)) == 0x00004550 // PE
	uint32(0) == 0x464C457F // ELF
	uint8be(uint32(0x3C)+4) == 0x64 // 64-bit
	uint32be(uint32(0x3C)+8) == 0x174a505c // Compiled time
	import argparse

	parser = argparse.ArgumentParser()
	parser.add_argument("file_path", help="path to input file")
	args = parser.parse_args()

	KEY_OFFSET = 0x5000
	DATA_OFFSET = 0x15000
	KEY_SIZE = 8
	DATA_SIZE = 256
	References to malware configuration extraction and memory dumping:

	https://www.vmray.com/cyber-security-blog/vmray-platform-feature-highlight-extended-smart-memory-dumping/
	https://www.vmray.com/cyber-security-blog/malware-configuration-extraction-vmray-analyzer-4-5-feature-highlight/
	https://any.run/cybersecurity-blog/malware-configuration/
	https://developers.virustotal.com/reference/malware_config

	Commercial projects:

	https://malwareconfig.com/
	# APT resources

	https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1864660085
	https://www.mandiant.com/resources/insights/apt-groups
	https://attack.mitre.org/groups/
	https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
	# Commercial tools
	Cobalt Strike - https://www.cobaltstrike.com
	Brute Ratel C4 - https://bruteratel.com
	Nighthawk - https://www.mdsec.co.uk/nighthawk

	# Open-source tools
	Metasploit - https://www.metasploit.com
	Posh C2 - https://github.com/nettitude/PoshC2
	Empire - https://github.com/BC-SECURITY/Empire
	Sliver - https://github.com/BishopFox/sliver
	Breached - breached[.]co - DOWN
	Eternia - eternia[.]to
	Cracked - cracked[.]to
	Nulled - nulled[.]to
	Raidforums - DOWN - DoJ hijacked
	Hackforums - hackforums[.]net
	Eleaks - eleaks[.]to
	Sinister - sinister[.]ly
	XSS - xss[.]is
	Exploit - exploit[.]in
	VirusTotal - https://www.virustotal.com
	JoeSandbox - https://www.joesandbox.com
	VMRay - https://www.vmray.com
	ReversingLabs - https://www.reversinglabs.com
	HybridAnalysis - https://www.hybrid-analysis.com
	Any.Run - https://app.any.run/submissions
	Tria.ge - https://tria.ge/reports/public
	Threat.Zone - https://app.threat.zone/public-submissions
	CAPE Sandbox - https://capesandbox.com
	Cuckoo CERT-EE - https://cuckoo.cert.ee
	Viriback's tracker - https://tracker.viriback.com/
	DRM Ransomware tracker - https://ransom.insicurezzadigitale.com/?date=2022
	Virusdeck - https://virusdeck.com/
	Threatshare.io - https://threatshare.io/malware/
	Xily's tracker - https://cybercrime-tracker.net/
	VXVault - https://vxvault.net/ViriList.php
	Fumik0's tracker - https://tracker.fumik0.com/
	CVE trends - https://cvetrends.com/
	TweetIOC - https://tweettioc.com/