Johannes Bader baderj

## xbmc_missing_artwork.py
import argparse
import sqlite3 as lite
import os
from collections import defaultdict

def _open_db(db):
    try:
        con = lite.connect(db)
        cur = con.cursor()
        return (cur,con)

## gist:ff8e67865f11948a4f1a
wtipubctwiekhir.net
rwmu35avqo12tqc.com
rskb5bsfhm2fk5h.net
rbp9pprrxgflut9.com
zzxeyzgy45yy2a.net
e3oa4wglvd21xa.com
mqmq1hvmtxzjv.net
pd4o4wu24vimn.com
tlmrzvpbpsqsb.net
pbmnz59uzndpo.com

## gist:a407613245f1c74022e8
import argparse
"""
Shiotob DGA

Generates domains for the Shiotob malware

- top level domains alternate between '.net' and '.com'
- domains are between 14 and 19 characters long
- domains consist of all letters and digits 123945

## dga_symmi.asm
10006520 ; =============== S U B R O U T I N E =======================================
10006520
10006520 ; Attributes: bp-based frame
10006520
10006520 ; int __cdecl create_domain(int third_lvl_len, int second_and_top_lvl, size_t type)
10006520 create_domain   proc near               ; CODE XREF: calls_create_next_url+A30p
10006520                                         ; sub_1000B530+1A6p ...
10006520
10006520 first_letters   = dword ptr -0Ch
10006520 second_letters  = dword ptr -8

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                baderj
                / keybase.md
            
            
              Created
              May 23, 2015 11:51
            
          
    Keybase proof

I hereby claim:

I am baderj on github.
I am baderj (https://keybase.io/baderj) on keybase.
I have a public key whose fingerprint is 7530 7937 A795 95FD AB48  22BB AC3C 4431 B7A7 41E6

To claim this, I am signing this object:

  
## dga.py
# see http://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/
import argparse

class RandInt:

    def __init__(self, seed):
        self.seed = seed

    def rand_int_modulus(self, modulus):
        ix = self.seed

## murofet_dga.py
import hashlib
from datetime import datetime, timedelta
import argparse

def dga(date, key):

    for min17 in range(1020):
        seed = 8*[0]
        seed[0] = (date.year & 0xFF + 0x30) & 0xFF
        seed[1] = date.month & 0xFF

## dga_shiz.py
import argparse

def get_domains(nr, how_many):
    bases = {
        1: {
            'length': 7,
            'tld': 'com',
            'key': '1676d5775e05c50b46baa5579d4fc7',
            'base': 0x45AE94B2
        },

## tinba_seeds
Tinba Seeds
===========

DGA described here: http://garage4hackers.com/entry.php?b=3086

## Sample 241182633670431857e068736088c737
harddomain: blackfreeqazyio.cc
seed: jc74FlUna852Ji9o
malwr link: https://malwr.com/analysis/OTQ3NjYzNmUyZDQ2NGY2YTk1NDNjNmYxYTdlMmQ1MjM/

## missing_or_duplicate_movies.py
import argparse
import sqlite3 as lite
import os

def _open_db(db):
    try:
        con = lite.connect(db)
        cur = con.cursor()
        return (cur,con)
    except lite.Error as e:
	import argparse
	import sqlite3 as lite
	import os
	from collections import defaultdict

	def _open_db(db):
	try:
	con = lite.connect(db)
	cur = con.cursor()
	return (cur,con)
	wtipubctwiekhir.net
	rwmu35avqo12tqc.com
	rskb5bsfhm2fk5h.net
	rbp9pprrxgflut9.com
	zzxeyzgy45yy2a.net
	e3oa4wglvd21xa.com
	mqmq1hvmtxzjv.net
	pd4o4wu24vimn.com
	tlmrzvpbpsqsb.net
	pbmnz59uzndpo.com
	import argparse
	"""
	Shiotob DGA

	Generates domains for the Shiotob malware

	- top level domains alternate between '.net' and '.com'
	- domains are between 14 and 19 characters long
	- domains consist of all letters and digits 123945
	10006520 ; =============== S U B R O U T I N E =======================================
	10006520
	10006520 ; Attributes: bp-based frame
	10006520
	10006520 ; int __cdecl create_domain(int third_lvl_len, int second_and_top_lvl, size_t type)
	10006520 create_domain proc near ; CODE XREF: calls_create_next_url+A30p
	10006520 ; sub_1000B530+1A6p ...
	10006520
	10006520 first_letters = dword ptr -0Ch
	10006520 second_letters = dword ptr -8
	# see http://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/
	import argparse

	class RandInt:

	def __init__(self, seed):
	self.seed = seed

	def rand_int_modulus(self, modulus):
	ix = self.seed
	import hashlib
	from datetime import datetime, timedelta
	import argparse

	def dga(date, key):

	for min17 in range(1020):
	seed = 8*[0]
	seed[0] = (date.year & 0xFF + 0x30) & 0xFF
	seed[1] = date.month & 0xFF
	import argparse

	def get_domains(nr, how_many):
	bases = {
	1: {
	'length': 7,
	'tld': 'com',
	'key': '1676d5775e05c50b46baa5579d4fc7',
	'base': 0x45AE94B2
	},
	Tinba Seeds
	===========

	DGA described here: http://garage4hackers.com/entry.php?b=3086

	## Sample 241182633670431857e068736088c737
	harddomain: blackfreeqazyio.cc
	seed: jc74FlUna852Ji9o
	malwr link: https://malwr.com/analysis/OTQ3NjYzNmUyZDQ2NGY2YTk1NDNjNmYxYTdlMmQ1MjM/