Andrea Fortuna andreafortuna

## vboxmemdump.sh
#!/bin/bash
#Simple script for VirtuaBox memory extraction
# Usage: vboxmemdump.sh <VM name>

VBoxManage debugvm $1 dumpvmcore --filename=$1.elf

size=0x$(objdump -h $1.elf|egrep -w "(Idx|load1)" | tr -s " " |  cut -d " " -f 4)
off=0x$(echo "obase=16;ibase=16;`objdump -h $1.elf|egrep -w "(Idx|load1)" | tr -s " " |  cut -d " " -f 7 | tr /a-z/ /A-Z/`" | bc)
head -c $(($size+$off)) $1.elf|tail -c +$(($off+1)) > $1.raw

## transfer.sh
transfer() {
    # check arguments
    if [ $# -eq 0 ];
    then
        echo "No arguments specified. Usage:\necho transfer /tmp/test.md\ncat /tmp/test.md | transfer test.md"
        return 1
    fi

    # get temporarily filename, output is written to this file show progress can be showed
    tmpfile=$( mktemp -t transferXXX )

## mavohomepagedemo.html
<html>
<head>
<script src="https://get.mavo.io/mavo.min.js"></script>
<link rel="stylesheet" href="https://get.mavo.io/mavo.css">

<link rel='stylesheet' href='https://mavo.io/css/style.css'>
<link rel='stylesheet' href='https://mavo.io/demos/style.css'>
<link rel='stylesheet' href='https://mavo.io/demos/homepage/style.css'>

</head>

## wannacry-bitcoin-tracking.sh
#!/bin/sh

curl -s "https://blockchain.info/q/getreceivedbyaddress/\
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94|\
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw|\
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" |
python -c 'import sys; r = sys.stdin.readline(); print float(r) / 100000000'

## CVE-2017-0290_POC.zip
(new Error()).toString.call({message: 0x41414141 >> 1})

// This is just some junk to trigger the evaluation heursitic.
(function(){var je=google.j,dr=0,fp='2a46ce7cd718d6cf',_loc='',_ss=0;je.api({'n':'ac','c':{},'fp':fp,'r':dr,'sc':0,'is':_loc,'ss':_ss});je.api({'n':'pcs','i':'gstyle','css':'body{color:#000;margin:0;overflow-y:scroll}body,#leftnav,#tbdi,#hidden_modes,#hmp{background:#fff}a.gb1,a.gb2,a.gb3,.link{color:#12c!important}.ts{border-collapse:collapse}.ts td{padding:0}.ti,.bl,#res h3{display:inline}.ti{display:inline-table}#tads a.mblink,#tads a.mblink b,#tadsb a.mblink,#tadsb a.mblink b,#rhs a.mblink,#rhs a.mblink b{color:#1122cc!important}#tads .ch,#tadsb .ch,#rhs .ch{margin-top:4px;}a:link,.w,#prs a:visited,#prs a:active,.q:active,.q:visited,.kl:active{color:#12c}.mblink:visited,a:visited{color:#609}.vst:link{color:#609}.cur,.b{font-weight:bold}.j{width:42em;font-size:82%}.s{max-width:42em}.sl{font-size:82%}.hd{position:absolute;width:1px;height:1px;top:-1000em;overflow:hidden}.f,.f a:link,.m,.c

## GC-BondnetCleaner.vbs
set objStdOut = WScript.StdOut

Const TrojanLogFile = "\temp\dfvt.log"
Const AttackLogFile = "\wb2010kb.log"
Const TrojanWMIProvider = "ASEventConsumerdr"
TrojanWMIEventFilters = Array("EF", "EFNMdr")
MinerProcesses = Array("smssm.exe", "z64.exe", "servies.exe", "msdc.exe")
MinerSchedTaskNames = Array("gm", "ngm","cell")

Const ScriptLogFile = "detection.log"

## olppscan.pl
#!/usr/bin/perl
use IO::Socket;for ($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto=>'tcp') ) { print "$i\n";close ($s); }}

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                andreafortuna
                / keybase.md
            
            
              Created
              October 19, 2016 15:35
            
          
    Keybase proof

I hereby claim:

I am andreafortuna on github.
I am andreafortuna (https://keybase.io/andreafortuna) on keybase.
I have a public key whose fingerprint is 8DDA 5C15 8FF7 CFAD 727F  B9DF A4BD 72BF 1171 9AB8

To claim this, I am signing this object:

  
## wordpresscourtesypage.php
 if(!is_user_logged_in()){
     wp_die('<h1 style="color:red">WebSite Coming Soon!</h1>');
 }

## Testingperformance.js
<script>
    var url = window.location.toString();
    url = url.replace("www.site.com","dev.site.com")
    var ifrm = document.createElement('iframe');
    ifrm.setAttribute('src', url);
    ifrm.setAttribute('width', "1px");
    ifrm.setAttribute('height', "1px");
    document.body.appendChild(ifrm);
</script>
	#!/bin/bash
	#Simple script for VirtuaBox memory extraction
	# Usage: vboxmemdump.sh <VM name>

	VBoxManage debugvm $1 dumpvmcore --filename=$1.elf

	size=0x$(objdump -h $1.elf\|egrep -w "(Idx\|load1)" \| tr -s " " \| cut -d " " -f 4)
	off=0x$(echo "obase=16;ibase=16;`objdump -h $1.elf\|egrep -w "(Idx\|load1)" \| tr -s " " \| cut -d " " -f 7 \| tr /a-z/ /A-Z/`" \| bc)
	head -c $(($size+$off)) $1.elf\|tail -c +$(($off+1)) > $1.raw
	transfer() {
	# check arguments
	if [ $# -eq 0 ];
	then
	echo "No arguments specified. Usage:\necho transfer /tmp/test.md\ncat /tmp/test.md \| transfer test.md"
	return 1
	fi

	# get temporarily filename, output is written to this file show progress can be showed
	tmpfile=$( mktemp -t transferXXX )
	<html>
	<head>
	<script src="https://get.mavo.io/mavo.min.js"></script>
	<link rel="stylesheet" href="https://get.mavo.io/mavo.css">

	<link rel='stylesheet' href='https://mavo.io/css/style.css'>
	<link rel='stylesheet' href='https://mavo.io/demos/style.css'>
	<link rel='stylesheet' href='https://mavo.io/demos/homepage/style.css'>

	</head>
	#!/bin/sh

	curl -s "https://blockchain.info/q/getreceivedbyaddress/\
	13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94\|\
	12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw\|\
	115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" \|
	python -c 'import sys; r = sys.stdin.readline(); print float(r) / 100000000'
	(new Error()).toString.call({message: 0x41414141 >> 1})

	// This is just some junk to trigger the evaluation heursitic.
	(function(){var je=google.j,dr=0,fp='2a46ce7cd718d6cf',_loc='',_ss=0;je.api({'n':'ac','c':{},'fp':fp,'r':dr,'sc':0,'is':_loc,'ss':_ss});je.api({'n':'pcs','i':'gstyle','css':'body{color:#000;margin:0;overflow-y:scroll}body,#leftnav,#tbdi,#hidden_modes,#hmp{background:#fff}a.gb1,a.gb2,a.gb3,.link{color:#12c!important}.ts{border-collapse:collapse}.ts td{padding:0}.ti,.bl,#res h3{display:inline}.ti{display:inline-table}#tads a.mblink,#tads a.mblink b,#tadsb a.mblink,#tadsb a.mblink b,#rhs a.mblink,#rhs a.mblink b{color:#1122cc!important}#tads .ch,#tadsb .ch,#rhs .ch{margin-top:4px;}a:link,.w,#prs a:visited,#prs a:active,.q:active,.q:visited,.kl:active{color:#12c}.mblink:visited,a:visited{color:#609}.vst:link{color:#609}.cur,.b{font-weight:bold}.j{width:42em;font-size:82%}.s{max-width:42em}.sl{font-size:82%}.hd{position:absolute;width:1px;height:1px;top:-1000em;overflow:hidden}.f,.f a:link,.m,.c
	set objStdOut = WScript.StdOut

	Const TrojanLogFile = "\temp\dfvt.log"
	Const AttackLogFile = "\wb2010kb.log"
	Const TrojanWMIProvider = "ASEventConsumerdr"
	TrojanWMIEventFilters = Array("EF", "EFNMdr")
	MinerProcesses = Array("smssm.exe", "z64.exe", "servies.exe", "msdc.exe")
	MinerSchedTaskNames = Array("gm", "ngm","cell")

	Const ScriptLogFile = "detection.log"
	#!/usr/bin/perl
	use IO::Socket;for ($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto=>'tcp') ) { print "$i\n";close ($s); }}
	if(!is_user_logged_in()){
	wp_die('<h1 style="color:red">WebSite Coming Soon!</h1>');
	}
	<script>
	var url = window.location.toString();
	url = url.replace("www.site.com","dev.site.com")
	var ifrm = document.createElement('iframe');
	ifrm.setAttribute('src', url);
	ifrm.setAttribute('width', "1px");
	ifrm.setAttribute('height', "1px");
	document.body.appendChild(ifrm);
	</script>