Vesselin Bontchev bontchev

## disable_win10_foistware.reg
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy]
"Disabled"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
"SubscribedContent-338388Enabled"=dword:00000000


## Kill-Ransomware.ps1
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
    # Kill all parent processes from detected vssadmin process
    $p = $EventArgs.NewEvent.TargetInstance
    while ($p) {
       $ppid = $p.ParentProcessID
        $pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
        Write-Host $p.ProcessID

## rol-ror.py
###########################################################################
# Rotating bits (tested with Python 2.7)

from __future__ import print_function   # PEP 3105

# max bits > 0 == width of the value in bits (e.g., int_16 -> 16)

# Rotate left: 0b1001 --> 0b0011
rol = lambda val, r_bits, max_bits: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \

## smbloris.c
/* SMBLoris attack proof-of-concept
 *
 * Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
 *
 * Licensed under the terms of the 2-clause BSD license.
 *
 * This is a proof of concept of a publicly disclosed vulnerability.
 * Please do not go around randomly DoSing people with it.
 *
 * Tips: do not use your local IP as source, or if you do, use iptables to block

## INSTALL.md

      
              2 files
            
          
              10 forks
            
          
              5 comments
            
          
              35 stars
            
          
                thomhastings
                / INSTALL.md
            
            
              Last active
              September 29, 2022 05:33
            
          
    Notes on Shadow Brokers EQGRP-LiT

credit: @GossiTheDog: "If you want to setup FUZZBUNCH (the Equation exploit framework) you need Win7 VM + Python 2.6 + Pywin 2.6, then python fb.py for shell"

h/t @x0rz @DEYCrypt @hackerfantastic
HOW 2 SETUP + INSTALL FUZZBUNCH & DANDERSPRITZ

context: https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation

writeup: https://www.trustedsec.com/blog/equation-group-dump-analysis-full-rce-win7-fully-patched-cobalt-strike/

decrypted files: https://github.com/x0rz/EQGRP_Lost_in_Translation

  
## magniber_decryptor.cpp
/*
 * This tool will decrypt files encrypted by the Magniber ransomware with
 * AES128 ( CBC mode ) algorithm.
 *
 * RE and report by MalwareBytes ( @hasherezade )
 *
 *  https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/
 *
 * Decryptor written by Simone 'evilsocket' Margaritelli
 *

## badrabbit-info.txt
Rough summary of developing BadRabbit info
------------------------------------------

BadRabbit is locally-self-propagating ransomware (ransom: 0.05 BTC), spreading via SMB once inside.
Requires user interaction.
Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
Not globally self-propagating, but could be inflicted on selected targets on purpose.
May be part of same group targeting Ukraine generally (BACKSWING) (per FireEye)
Confirmed to use ETERNALROMANCE exploit, and same source code and build chain as NotPetya (per Talos)
Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).

## BadTalkTitles
😒🙅🙄

$thing for fun and profit
all your $thing are belong to $shutup
honey I $verbed the $thing
$thing demystified
$thing: a deep dive
$verb all the things
make $thing great again
$x and $y and $z, oh my!

## trash.sh
#!/bin/bash

while :; do

    verf=$(cat /dev/urandom | tr -dc '0-9' | fold -w 8 | head -n 1)
    pin=$(cat /dev/urandom | tr -dc '0-9' | fold -w 5 | head -n 1)

    ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))")


## ransomcanary.ps1
<#
Powershell script to create and monitor a ransomware canary file;
If the canary is modified, the script will notify the user, log the data,
create an entry in the event log, and stop the workstation service,
crippling the machine's ability to map or access network drives.
Modified from a script found at freeforensics.org
#>


$DirPath = "C:\Temp\"
	Windows Registry Editor Version 5.00

	[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy]
	"Disabled"=dword:00000001

	[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
	"SubscribedContent-338388Enabled"=dword:00000000
	# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
	# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
	# IMPORTANT: This must run with Administrator privileges!
	Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
	# Kill all parent processes from detected vssadmin process
	$p = $EventArgs.NewEvent.TargetInstance
	while ($p) {
	$ppid = $p.ParentProcessID
	$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
	Write-Host $p.ProcessID
	###########################################################################
	# Rotating bits (tested with Python 2.7)

	from __future__ import print_function # PEP 3105

	# max bits > 0 == width of the value in bits (e.g., int_16 -> 16)

	# Rotate left: 0b1001 --> 0b0011
	rol = lambda val, r_bits, max_bits: \
	(val << r_bits%max_bits) & (2**max_bits-1) \| \
	/* SMBLoris attack proof-of-concept
	*
	* Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
	*
	* Licensed under the terms of the 2-clause BSD license.
	*
	* This is a proof of concept of a publicly disclosed vulnerability.
	* Please do not go around randomly DoSing people with it.
	*
	* Tips: do not use your local IP as source, or if you do, use iptables to block
	/*
	* This tool will decrypt files encrypted by the Magniber ransomware with
	* AES128 ( CBC mode ) algorithm.
	*
	* RE and report by MalwareBytes ( @hasherezade )
	*
	* https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/
	*
	* Decryptor written by Simone 'evilsocket' Margaritelli
	*
	Rough summary of developing BadRabbit info
	------------------------------------------

	BadRabbit is locally-self-propagating ransomware (ransom: 0.05 BTC), spreading via SMB once inside.
	Requires user interaction.
	Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
	Not globally self-propagating, but could be inflicted on selected targets on purpose.
	May be part of same group targeting Ukraine generally (BACKSWING) (per FireEye)
	Confirmed to use ETERNALROMANCE exploit, and same source code and build chain as NotPetya (per Talos)
	Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).
	😒🙅🙄

	$thing for fun and profit
	all your $thing are belong to $shutup
	honey I $verbed the $thing
	$thing demystified
	$thing: a deep dive
	$verb all the things
	make $thing great again
	$x and $y and $z, oh my!
	#!/bin/bash

	while :; do

	verf=$(cat /dev/urandom \| tr -dc '0-9' \| fold -w 8 \| head -n 1)
	pin=$(cat /dev/urandom \| tr -dc '0-9' \| fold -w 5 \| head -n 1)

	ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))")
	<#
	Powershell script to create and monitor a ransomware canary file;
	If the canary is modified, the script will notify the user, log the data,
	create an entry in the event log, and stop the workstation service,
	crippling the machine's ability to map or access network drives.
	Modified from a script found at freeforensics.org
	#>


	$DirPath = "C:\Temp\"