chrisdoman
We can make this file beautiful and searchable if this error is corrected: It looks like row 7 should actually have 3 columns, instead of 1. in line 6.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title,reference,created | |
| Continued PassCV Malware,https://drive.google.com/file/d/1pzZT7Stig6i8hTqjxUUgxDSmGEJ7W9ak/view,2018-08-06 | |
| Blackgear Cyberespionage Campaign Resurfaces Abuses Social Media for C and C Communication,https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/,2018-07-18 | |
| Golden Rat long-term espionage campaign in Syria is still ongoing,http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf,2018-07-23 | |
| Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally,https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html,2018-07-11 | |
| Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign,https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/,2018-07-09 | |
| NavRAT Uses US-North Korea Summit As Decoy |
chrisdoman
/ North Korean Cyber-Attacks and Collateral Damage.txt
Created
January 19, 2024 19:55
North Korean Cyber-Attacks and Collateral Damage
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| North Korean Cyber-Attacks and Collateral Damage | |
| February 15, 2018 | Chris Doman | |
| WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars. | |
| There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions. | |
| Below we disclose new details on three attacks that have spread out of control. Two likely originating from the DPRK - and one targeting the DPRK. | |
| The Voice of Korea and the Rivts Virus | |
| This section describes a piece of malware that may have been created within the DPRK as part of a test project - and accidentally leaked out onto the wider internet. |
We can't make this file beautiful and searchable because it's too large.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Trojan:Win32/AgentBypass,92bc9fe6a053916317d1ea78aa342265e32c0c8e70f51e9af0028e6fcc7f917a|,Trojan.Win32.Demp.cxoswz|TrojanDropper.Demp.aao|Trojan[Dropper]/Win32.Injector| | |
| :FileSizeLE10000,34575189df0d1e5a1c7f1d505cc6eb0c41ac9e8a7edcb72eae2298d25cb4e6f2|,Android.Shedun.E|Android.Trojan-Dropper.Shedun.b|Other:Android.Reputation.2|A.L.Rog.SexVideo.EI|Trojan.Android.MLW.ebzlbe|Android.DownLoader.329.origin|Trojan[Dropper]/Android.Shedun.v|Android-PUP/SmsPay.72a8b|a.gray.tatic|Trojan-Dropper.AndroidOS.Shedun|Android/Piom.JO!tr|Win32/Trojan.ecf| | |
| Backdoor:MSIL/Lizarbot,fb3a52e70eedcc6cab0ddde2fe47b5729a6c96f83fecf0b06b3b8ee9942eef2f|40c95b2afb8d7e4e4252968d5234f24c71181c0252819d850694b4489a43ca28|c80d3e483e423b271a2fd7dc89ffa7612409f13ed66dc3faa5b40d0bcf725f72|177cd95dcc500338d433455461d8ce0a2c159657a287baae01de8ffc77155291|,Backdoor.Lizarbot.FC.2716|Backdoor.IRCBot|BKDR_LIZARBOT.SMVJ18|Win32.Trojan.WisdomEyes.16070401.9500.9998|W32/Trojan.QJOG-5659|Backdoor.IRC.Bot|BKDR_LIZARBOT.SMVJ18|Win.Trojan.Lizarbot-1|MSIL.T |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| differentia.ru CNAME . | |
| *.differentia.ru CNAME . | |
| disorderstatus.ru CNAME . | |
| *.disorderstatus.ru CNAME . | |
| gvaq70s7he.ru CNAME . | |
| *.gvaq70s7he.ru CNAME . | |
| atomictrivia.ru CNAME . | |
| *.atomictrivia.ru CNAME . | |
| 4nbizac8.ru CNAME . | |
| *.4nbizac8.ru CNAME . |
chrisdoman
/ OTX Example API Calls
Created
November 29, 2017 19:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| = Examples of how OTX API calls relate different indicator types = | |
| Official documentation is available at https://otx.alienvault.com/api but may be missing a couple of the newer calls | |
| These are some unofficial notes | |
| The API key below is for a dummy demo account. It should work but I would suggest using your own. | |
| Some of the JSON responses are quite nested, and editor such as http://jsoneditoronline.org/ may be useful | |
| == Input: Hostname / Domain == | |
| The following calls can be made for both domains and hostname, ie you can swap 'hostname' with 'domain' below. |
chrisdoman
/ getUrlScanGreatCannonHits.py
Created
September 2, 2019 16:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Gets possible Great Cannon injections from UrlScan | |
| ''' | |
| import requests | |
| import json | |
| # Insert your urlscan API Key | |
| api_key = '' |
chrisdoman
/ cado_lambda.py
Created
February 2, 2022 11:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import urllib3 | |
| import requests | |
| import datetime | |
| import random | |
| import string | |
| import logging | |
| def lambda_handler(event, context): |
We can't make this file beautiful and searchable because it's too large.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| indicator,indicator_type,pulse_title,pulse_author,tlp | |
| ihracat.myq-see.com,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| phantom101.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| goodattack.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/savekey.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/createkeys.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/RANSOM20.jpg,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| www.tempinfo.96.lt,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326,file,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| 62d38f19e67013ce7b2a84cb17362c77e2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [default] | |
| aws_access_key_id = AKIAXYZDQCENYTNALZP5 | |
| aws_secret_access_key = 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 | |
| output = json | |
| region = us-east-2 | |
| * This is just a honey token to detect automated scanners looking for AWS keys - this is not a real AWS account! * |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Short demonstration script to write OTX hostnames to a RPZ format text-file | |
| from OTXv2 import OTXv2 | |
| import os | |
| # This is the API key for the user "api_example" | |
| otx = OTXv2('766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad') | |
| events = otx.get_all_indicators(author_name='alienvault') | |
| output = '' |
NewerOlder