Kevin Holvoet digihash

## yara-ops.py
import hashlib
import re
import plyara

# Florian Roth, Christian Burkard
# Version 3.0
# January 2023
#
# Known issues: fails in some cases in which 'private' rules are used

## badrabbit-info.txt
Rough summary of developing BadRabbit info
------------------------------------------

BadRabbit is locally-self-propagating ransomware (ransom: 0.05 BTC), spreading via SMB once inside.
Requires user interaction.
Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
Not globally self-propagating, but could be inflicted on selected targets on purpose.
May be part of same group targeting Ukraine generally (BACKSWING) (per FireEye)
Confirmed to use ETERNALROMANCE exploit, and same source code and build chain as NotPetya (per Talos)
Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).

## google-dorks

"          _                      _          "
"   _     /||       .   .        ||\     _   "
"  ( }    \||D    '   '     '   C||/    { %  "
" | /\__,=_[_]   '  .   . '       [_]_=,__/\ |"
" |_\_  |----|                    |----|  _/_|"
" |  |/ |    |                    |    | \|  |"
" |  /_ |    |                    |    | _\  |"

	It is all fun and games until someone gets hacked!

## google-dorks

"          _                      _          "
"   _     /||       .   .        ||\     _   "
"  ( }    \||D    '   '     '   C||/    { %  "
" | /\__,=_[_]   '  .   . '       [_]_=,__/\ |"
" |_\_  |----|                    |----|  _/_|"
" |  |/ |    |                    |    | \|  |"
" |  /_ |    |                    |    | _\  |"

	It is all fun and games until someone gets hacked!

## Captive Network Assistant
#!/usr/bin/php
<?php
$SSID=trim(`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I | awk -F: '/ SSID:/ {print $2}' | sed -e 's/.*SSID: //'`);
if ( $SSID == 'TELENETHOTSPOT' )
{
  if (`curl --cookie-jar /tmp/cookiejar \
	     --data "c=std&lang=nl&checkterms=1&userid=USERNAME&password=PASSWORD&remember=on&terms=on" \
	     --cookie "TNLANG=nl&TN_HS_COOKIE_DETECT=HELLO" \
             --max-time 60 \
	     --user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0" \

## centos_python_env_setup
#!/bin/bash

# Source: http://toomuchdata.com/2012/06/25/how-to-install-python-2-7-3-on-centos-6-2/

# Install stuff #
#################

# Install development tools and some misc. necessary packages
yum -y groupinstall "Development tools"
yum -y install zlib-devel  # gen'l reqs

## countryinfo.py
countries = [
{'timezones': ['Europe/Andorra'], 'code': 'AD', 'continent': 'Europe', 'name': 'Andorra', 'capital': 'Andorra la Vella'},
{'timezones': ['Asia/Kabul'], 'code': 'AF', 'continent': 'Asia', 'name': 'Afghanistan', 'capital': 'Kabul'},
{'timezones': ['America/Antigua'], 'code': 'AG', 'continent': 'North America', 'name': 'Antigua and Barbuda', 'capital': "St. John's"},
{'timezones': ['Europe/Tirane'], 'code': 'AL', 'continent': 'Europe', 'name': 'Albania', 'capital': 'Tirana'},
{'timezones': ['Asia/Yerevan'], 'code': 'AM', 'continent': 'Asia', 'name': 'Armenia', 'capital': 'Yerevan'},
{'timezones': ['Africa/Luanda'], 'code': 'AO', 'continent': 'Africa', 'name': 'Angola', 'capital': 'Luanda'},
{'timezones': ['America/Argentina/Buenos_Aires', 'America/Argentina/Cordoba', 'America/Argentina/Jujuy', 'America/Argentina/Tucuman', 'America/Argentina/Catamarca', 'America/Argentina/La_Rioja', 'America/Argentina/San_Juan', 'America/Argentina/Mendoza', 'America/Argentina/Rio_Gallegos', 'America/Argentina/Ushuai

## removecompletedtorrents.sh
#!/bin/sh
# script to check for complete torrents in transmission folder, then stop and move them
# either hard-code the MOVEDIR variable here…
MOVEDIR=/home/mjdescy/media # the folder to move completed downloads to
# …or set MOVEDIR using the first command-line argument
# MOVEDIR=%1

# use transmission-remote to get torrent list from transmission-remote list
# use sed to delete first / last line of output, and remove leading spaces
# use cut to get first field from each line
	import hashlib
	import re
	import plyara

	# Florian Roth, Christian Burkard
	# Version 3.0
	# January 2023
	#
	# Known issues: fails in some cases in which 'private' rules are used
	Rough summary of developing BadRabbit info
	------------------------------------------

	BadRabbit is locally-self-propagating ransomware (ransom: 0.05 BTC), spreading via SMB once inside.
	Requires user interaction.
	Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
	Not globally self-propagating, but could be inflicted on selected targets on purpose.
	May be part of same group targeting Ukraine generally (BACKSWING) (per FireEye)
	Confirmed to use ETERNALROMANCE exploit, and same source code and build chain as NotPetya (per Talos)
	Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).

	" _ _ "
	" _ /\|\| . . \|\|\ _ "
	" ( } \\|\|D ' ' ' C\|\|/ { % "
	" \| /\__,=_[_] ' . . ' [_]_=,__/\ \|"
	" \|_\_ \|----\| \|----\| _/_\|"
	" \| \|/ \| \| \| \| \\| \|"
	" \| /_ \| \| \| \| _\ \|"

	It is all fun and games until someone gets hacked!
	#!/usr/bin/php
	<?php
	$SSID=trim(`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I \| awk -F: '/ SSID:/ {print $2}' \| sed -e 's/.*SSID: //'`);
	if ( $SSID == 'TELENETHOTSPOT' )
	{
	if (`curl --cookie-jar /tmp/cookiejar \
	--data "c=std&lang=nl&checkterms=1&userid=USERNAME&password=PASSWORD&remember=on&terms=on" \
	--cookie "TNLANG=nl&TN_HS_COOKIE_DETECT=HELLO" \
	--max-time 60 \
	--user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0" \
	#!/bin/bash

	# Source: http://toomuchdata.com/2012/06/25/how-to-install-python-2-7-3-on-centos-6-2/

	# Install stuff #
	#################

	# Install development tools and some misc. necessary packages
	yum -y groupinstall "Development tools"
	yum -y install zlib-devel # gen'l reqs
	countries = [
	{'timezones': ['Europe/Andorra'], 'code': 'AD', 'continent': 'Europe', 'name': 'Andorra', 'capital': 'Andorra la Vella'},
	{'timezones': ['Asia/Kabul'], 'code': 'AF', 'continent': 'Asia', 'name': 'Afghanistan', 'capital': 'Kabul'},
	{'timezones': ['America/Antigua'], 'code': 'AG', 'continent': 'North America', 'name': 'Antigua and Barbuda', 'capital': "St. John's"},
	{'timezones': ['Europe/Tirane'], 'code': 'AL', 'continent': 'Europe', 'name': 'Albania', 'capital': 'Tirana'},
	{'timezones': ['Asia/Yerevan'], 'code': 'AM', 'continent': 'Asia', 'name': 'Armenia', 'capital': 'Yerevan'},
	{'timezones': ['Africa/Luanda'], 'code': 'AO', 'continent': 'Africa', 'name': 'Angola', 'capital': 'Luanda'},
	{'timezones': ['America/Argentina/Buenos_Aires', 'America/Argentina/Cordoba', 'America/Argentina/Jujuy', 'America/Argentina/Tucuman', 'America/Argentina/Catamarca', 'America/Argentina/La_Rioja', 'America/Argentina/San_Juan', 'America/Argentina/Mendoza', 'America/Argentina/Rio_Gallegos', 'America/Argentina/Ushuai
	#!/bin/sh
	# script to check for complete torrents in transmission folder, then stop and move them
	# either hard-code the MOVEDIR variable here…
	MOVEDIR=/home/mjdescy/media # the folder to move completed downloads to
	# …or set MOVEDIR using the first command-line argument
	# MOVEDIR=%1

	# use transmission-remote to get torrent list from transmission-remote list
	# use sed to delete first / last line of output, and remove leading spaces
	# use cut to get first field from each line