| Petna / Eternalblue Petya | |
| ------------------------- | |
| Hashes: | |
| Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 | |
| Hashes below via McAfee article: https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/ | |
| Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1 | |
| PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5 | |
| 64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f | |
| 32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 |
| def decodeScrapeshieldEmail(s): | |
| retval = "" | |
| key = int(s[:2], 16) | |
| for char in [int(s[i:i+2], 16) for i in range(2, len(s), 2)]: | |
| retval += chr(char ^ key) | |
| return retval | |
| #return "".join([chr(c^int(s[:2],2))for c in [int(s[i:i+2],16)for i in range(2,len(s),2))]]) |
| # Run me with: | |
| # | |
| # $ nginx -p /path/to/this/file/ -c nginx.conf | |
| # | |
| # All requests are then routed to authenticated user's index, so | |
| # | |
| # GET http://user:password@localhost/_search?q=* | |
| # | |
| # is rewritten to: | |
| # |
Collecting some information about the extend and affected products and keys of the Infineon RSA vulnerability (ROCA).
Estonian eID cards
| for _ in {1..500}; do | |
| for _ in {1..100}; do | |
| gpg --gen-key --batch keygen | |
| gpg --quick-sign-key -u Marc EC18257DB21746FC711054BEB19C61D61333360C | |
| rm ~/.gnupg/private-keys-v1.d/*.key | |
| done | |
| rm ~/.gnupg/openpgp-revocs.d/*.rev | |
| gpg -a --export > ~/Desktop/keyblock.asc |
| # Simulate fake processes of analysis sandbox/VM that some malware will try to evade | |
| # This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...) | |
| # It's just a PoC and it's ugly as f*ck but hey, if it works... | |
| # Usage: .\fake_sandbox.ps1 -action {start,stop} | |
| param([Parameter(Mandatory=$true)][string]$action) | |
| $fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe", | |
| "VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe", |
| <!-- | |
| This is a Microsoft Sysmon configuration to be used on Windows workstations | |
| v0.2.1 December 2016 | |
| Florian Roth (with the help and ideas of others) | |
| The focus of this configuration is | |
| - malware detection (execution) | |
| - malware detection (network connections) | |
| - exploit detection | |
| It is not focussed on |
| <# | |
| Powershell script to create and monitor a ransomware canary file; | |
| If the canary is modified, the script will notify the user, log the data, | |
| create an entry in the event log, and stop the workstation service, | |
| crippling the machine's ability to map or access network drives. | |
| Modified from a script found at freeforensics.org | |
| #> | |
| $DirPath = "C:\Temp\" |
| #!/bin/bash | |
| while :; do | |
| verf=$(cat /dev/urandom | tr -dc '0-9' | fold -w 8 | head -n 1) | |
| pin=$(cat /dev/urandom | tr -dc '0-9' | fold -w 5 | head -n 1) | |
| ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))") | |
| 😒🙅🙄 | |
| $thing for fun and profit | |
| all your $thing are belong to $shutup | |
| honey I $verbed the $thing | |
| $thing demystified | |
| $thing: a deep dive | |
| $verb all the things | |
| make $thing great again | |
| $x and $y and $z, oh my! |
