Johannes Bader baderj

rule win_matiex_keylogger_v1 {
    meta:
        author = "Johannes Bader @viql"
        date = "2020-07-20"
        description = "detects the Matiex Keylogger"
        tlp = "white"
    strings:
        $obfuscator_1 = "OiCuntJollyGoodDayYeHavin_____________________________________________________"
@baderj
baderj / gozi_rfc.txt
Last active April 5, 2016 19:47
Gozi "Mar 9 2016" DGA Wordlist, sample https://twitter.com/Techhelplistcom/status/708341104685371392. Wordlist is taken from www.ietf.org/rfc/rfc4343.txt
network
working
group
eastlake
request
for
comments
motorola
laboratories
updates
@baderj
baderj / murofet_dga.py
Created July 22, 2015 12:34
DGA of Murofet (with support of key)
import hashlib
from datetime import datetime, timedelta
import argparse
def dga(date, key):
    for min17 in range(1020):
        seed = 8*[0]
        seed[0] = (date.year & 0xFF + 0x30) & 0xFF
        seed[1] = date.month & 0xFF
@baderj
baderj / dga.py
Last active August 29, 2015 14:22
Domain Generation Algorithm (DGA) of DirCrypt
# see http://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/
import argparse
class RandInt:
    def __init__(self, seed):
        self.seed = seed
    def rand_int_modulus(self, modulus):
        ix = self.seed

Keybase proof

I hereby claim:

  • I am baderj on github.
  • I am baderj (https://keybase.io/baderj) on keybase.
  • I have a public key whose fingerprint is 7530 7937 A795 95FD AB48 22BB AC3C 4431 B7A7 41E6

To claim this, I am signing this object:

@baderj
baderj / tinba_seeds
Last active September 9, 2015 02:26
Some new seeds for the Tinba (TinyBanker) Domain Generation Algorithm
Tinba Seeds
===========
DGA described here: http://garage4hackers.com/entry.php?b=3086
## Sample 241182633670431857e068736088c737
harddomain: blackfreeqazyio.cc
seed: jc74FlUna852Ji9o
malwr link: https://malwr.com/analysis/OTQ3NjYzNmUyZDQ2NGY2YTk1NDNjNmYxYTdlMmQ1MjM/
@baderj
baderj / dga_shiz.py
Last active September 9, 2015 02:20
DGA of Simda / Shiz
import argparse
def get_domains(nr, how_many):
    bases = {
        1: {
            'length': 7,
            'tld': 'com',
            'key': '1676d5775e05c50b46baa5579d4fc7',
            'base': 0x45AE94B2
        },
@baderj
baderj / dga.py
Last active January 12, 2016 13:02
"""
generate domains according to:
- https://www.endgame.com/blog/malware-with-a-personal-touch.html
- http://www.rsaconference.com/writable/presentations/file_upload/br-r01-end-to-end-analysis-of-a-domain-generating-algorithm-malware-family.pdf
requires words1.txt and words2.txt
"""
import time
from datetime import datetime
import argparse
@baderj
baderj / dga_symmi.asm
Created January 21, 2015 16:22
The DGA of Symmi sample b75f00d7ae2857a3e1cc8f5eb4dc11b9
10006520 ; =============== S U B R O U T I N E =======================================
10006520
10006520 ; Attributes: bp-based frame
10006520
10006520 ; int __cdecl create_domain(int third_lvl_len, int second_and_top_lvl, size_t type)
10006520 create_domain proc near ; CODE XREF: calls_create_next_url+A30p
10006520 ; sub_1000B530+1A6p ...
10006520
10006520 first_letters = dword ptr -0Ch
10006520 second_letters = dword ptr -8
@baderj
baderj / dga_symmi.py
Created January 21, 2015 16:20
The DGA of Symmi sample b75f00d7ae2857a3e1cc8f5eb4dc11b9
import argparse
from datetime import datetime
seed_const = 42
days_period = 16
nr_of_domains = 64
third_lvl_min_len = 8
third_lvl_max_len = 15
class Rand: