#!/usr/bin/env python3
'''
A simplified FLOSS implementation that only supports stackstrings.
requirements:
- yara-python
- unicorn
author: Willi Ballenthin
email: william.ballenthin@fireeye.com
@fr0gger
fr0gger / msthreatinfo.py
Last active August 19, 2022 04:54
Threat Info Lookup: Retrieve Microsoft Defender signature details from the Threat Encyclopedia
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Thomas Roccia, @fr0gger_
"""Threat Encyclopedia Lookup, retrieve Defender Signature information.
This script will retrieve the information related to the specified signature.
Usage:
python threatinfo.py [options]
Requirements:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://twitter.com/juanandres_gs/status/1496581710368358400?s=20&t=ceSYl9EWREXS0ELncl4grA
https://twitter.com/0xAmit/status/1496641159371837444?s=20&t=BGgh4TA4xPH1SbmShMkULw
https://twitter.com/JusticeRage/status/1496894253376720901?s=20&t=j42L_Y0O-Q2-oTI3YEcSZw
https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/a82e9105-2405-4e37-b2c3-28c773902d85
https://docs.microsoft.com/en-us/windows/win32/devnotes/attribute-list-entry
https://twitter.com/Lexsek_/status/1496806942630633475?s=20&t=BGgh4TA4xPH1SbmShMkULw
https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
'''
Simple POC for calculating the Export Table Hash by Thomas Roccia | @fr0gger_
As with ImpHash, the Export Hash is calculated by extracting the function names from the export table and hashing them.
Exported function names are extracted in export-table order, then every character is converted to lowercase.
The lowercased names are then joined together and the resulting string is hashed with SHA256.
The hash is dubbed "ExpHash".
Example:
python .\exphash.py .\AppXDeploymentClient.dll
ExpHash: 50644ab76c9421984137aadca2ba9b2883763f0189daf4010a699c490d263a86
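The steps above (names in export order, lowercase, join, SHA256) as an added worked example; this is not the gist's exphash.py. The join separator is an assumption of this example, since the description only says the names are "joined together", so values are only comparable with hashes produced by the same join rule. The `pefile` loader is an optional path for real DLLs; the sample export list is constructed inline.

```python
"""ExpHash from an export-name list (added example, not the original exphash.py)."""
import hashlib
from typing import Iterable, List, Optional

# Assumption of this example: names are joined with a comma. The page does not
# state the separator, so keep it fixed and compare only like with like.
DEFAULT_SEP = ","


def canonical_export_string(names: Iterable[Optional[str]], sep: str = DEFAULT_SEP) -> str:
    """Return the string that gets hashed: export-table order, lowercased, joined.

    Ordinal-only exports carry no name (None) and are skipped, which is an
    assumption of this example; the page only talks about named exports.
    """
    return sep.join(n.lower() for n in names if n)


def exphash(names: Iterable[Optional[str]], sep: str = DEFAULT_SEP) -> str:
    """SHA256 hex digest of the canonical export string."""
    data = canonical_export_string(names, sep).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def export_names_from_pe(path: str) -> Optional[List[Optional[str]]]:
    """Read the export table of a PE on disk with pefile (pip install pefile).

    Returns None when the file has no export directory. Ordinal-only symbols
    are returned as None so that exphash() can skip them.
    """
    import pefile  # third-party; imported lazily so the hashing part has no dependency

    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(
        directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]]
    )
    export_dir = getattr(pe, "DIRECTORY_ENTRY_EXPORT", None)
    if export_dir is None:
        return None
    return [
        sym.name.decode("ascii", "replace") if sym.name else None
        for sym in export_dir.symbols
    ]


def exphash_from_file(path: str, sep: str = DEFAULT_SEP) -> Optional[str]:
    """Convenience wrapper: path on disk -> ExpHash, or None if nothing is exported."""
    names = export_names_from_pe(path)
    return None if names is None else exphash(names, sep)


# Constructed sample: the export list a small COM DLL might carry, plus one
# ordinal-only export (None). Not taken from any real binary.
SAMPLE_EXPORTS: List[Optional[str]] = [
    "DllCanUnloadNow",
    "DllGetClassObject",
    None,
    "DllRegisterServer",
    "DllUnregisterServer",
]

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print("ExpHash:", exphash_from_file(sys.argv[1]))
    else:
        print("canonical:", canonical_export_string(SAMPLE_EXPORTS))
        print("ExpHash:", exphash(SAMPLE_EXPORTS))
```

Two properties worth checking when you reimplement a hash like this in another tool: the value must be case-insensitive (the same DLL built with `DllGetClassObject` and `DLLGETCLASSOBJECT` hashes identically) but order-sensitive (reordering the export table changes the hash), because both are consequences of the canonicalisation rule rather than of SHA256.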
http://abraajenergy.com/
http://abraajenergy.com/m9lowa3/discord-server-link-checker.html
http://chpok.site/
https://rockstorageplace.com/away.php
yourflash24.com
phonestar.info
dougale.com
gomusic.info
premiumbros.com
totalav.com
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Thomas Roccia | IconDhash.py
# pip3 install lief
# pip3 install pillow
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html
import lief
import os
import argparse
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Rich Hash standalone support for python3 - Thomas Roccia - @fr0gger_
"""
import hashlib
import sys
import re
@fr0gger
fr0gger / yara_performance_guidelines.md
Created February 16, 2021 09:23 — forked from Neo23x0/yara_performance_guidelines.md
YARA Performance Guidelines

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.4, October 2020, applies to all YARA versions higher than 3.7

Atoms

YARA extracts from each string short substrings of up to 4 bytes called "atoms". An atom can be taken from any position within the string. While scanning a file YARA searches only for the atoms, and only when it finds one does it verify that the full string actually matches at that location.
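To make the atom idea concrete, here is an added example (not part of the guidelines, and not YARA's own atom selection code) that takes a YARA hex string, splits it into runs of concrete bytes at wildcards, jumps and alternation, enumerates every candidate atom of up to 4 bytes, and ranks them with a deliberately simple score. The score (penalising filler bytes such as 0x00 and rewarding distinct byte values) is an assumption of this example that models the intuition in the guideline, not the real YARA heuristic; the sample patterns are constructed.

```python
"""Candidate-atom enumeration for YARA hex strings (added example, toy scoring)."""
import re
from typing import List, Optional, Tuple

# Tokens: jumps like [2-4] or [-], wildcard/nibble tokens like ?? or 6?, alternation
# punctuation ( | ), and plain hex bytes. Anything else (whitespace) is ignored.
TOKEN_RE = re.compile(r"\[[^\]]*\]|[()|]|[0-9A-Fa-f?]{2}")

# Assumption of this example: bytes that are common padding/filler and therefore
# make poor atoms. YARA's real scoring differs; this only models the guideline.
FILLER_BYTES = {0x00, 0xFF, 0x20, 0xCC, 0x90}
MAX_ATOM_LEN = 4


def split_runs(pattern: str) -> List[bytes]:
    """Return maximal runs of fully concrete bytes from a YARA hex string.

    Wildcards (?? or a nibble wildcard like 6?), jumps ([n-m]) and alternation
    punctuation all break a run, because an atom can only be made of bytes whose
    exact value is known.
    """
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    runs: List[bytes] = []
    current = bytearray()
    for tok in TOKEN_RE.findall(body):
        if "?" in tok or tok.startswith("[") or tok in "()|":
            if current:
                runs.append(bytes(current))
                current = bytearray()
        else:
            current.append(int(tok, 16))
    if current:
        runs.append(bytes(current))
    return runs


def atom_candidates(pattern: str, max_len: int = MAX_ATOM_LEN) -> List[bytes]:
    """Every window of 1..max_len bytes inside each concrete run, shortest first."""
    cands: List[bytes] = []
    for run in split_runs(pattern):
        for length in range(1, max_len + 1):
            for start in range(0, len(run) - length + 1):
                cands.append(run[start:start + length])
    return cands


def atom_score(atom: bytes) -> int:
    """Toy quality score: longer and more diverse is better, filler bytes cost points."""
    score = len(atom) + 2 * len(set(atom))
    score -= 2 * sum(1 for b in atom if b in FILLER_BYTES)
    return score


def best_atom(pattern: str) -> Optional[Tuple[bytes, int]]:
    """Highest-scoring candidate atom and its score, or None if nothing concrete exists."""
    cands = atom_candidates(pattern)
    if not cands:
        return None
    chosen = max(cands, key=atom_score)
    return chosen, atom_score(chosen)


# Constructed sample patterns (not from any real rule).
ZERO_PREFIX = "{ 00 00 00 00 6A 40 68 }"
WITH_GAPS = "{ 6A ?? 68 00 30 [2-4] 8D 91 }"
ONLY_WILDCARDS = "{ ?? ?? ?? ?? }"

if __name__ == "__main__":
    for p in (ZERO_PREFIX, WITH_GAPS, ONLY_WILDCARDS):
        print(p, "->", best_atom(p))
```

The point the scan shows: a string that opens with `00 00 00 00` still yields a usable atom further along, but a string made only of wildcards or of filler bytes leaves YARA nothing selective to search for, so every byte position in the file has to be checked against the full string.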

@fr0gger
fr0gger / sunburst_glossary.csv
Last active September 12, 2021 16:48
Sunburst/Solorigate glossary to keep track of used terms
Name Description
Solarwinds Compromised company used to spread the Sunburst malware through the Orion platform.
Orion Platform Compromised platform used to deliver the Sunburst malware in a supply chain attack.
Sunspot Malware name attributed by CrowdStrike and used to insert the Sunburst backdoor.
Sunburst Malware name attributed by FireEye and inserted in the Orion platform. AKA Solorigate.
Solorigate Malware name attributed by Microsoft and inserted in the Orion platform. AKA Sunburst.
Teardrop Additional payload delivered by the Sunburst backdoor used to deploy a custom Cobalt Strike Beacon.
Raindrop Loader which delivers a payload of Cobalt Strike. Similar to Teardrop.
Beacon Malware name used by FireEye to refer to the custom Cobalt Strike payload.
GoldMax Written in Go, GoldMax acts as a command-and-control backdoor for the actor. AKA Sunshuttle.
Anti-Sandboxing,Antivirus Evasion,Anti-Debugging,Process Manipulation,Anti-Disassembly,Anti-Monitoring,Data Obfuscation,Anti-Forensic,Network Evasion,Others,Packers,Anti-Machine Learning
Checking memory artifacts,Evading hash signature,IsDebuggerPresent,Process hollowing,API Obfuscation,Disable process,XOR,Remove event log,Fast flux,Infection by localisation,Packer compression,Direct gradient-based attacks
MAC address detection,Evading specific signature,CheckRemoteDebuggerPresent,Reflective DLL injection,Control Flow Graph Flattening,Check running process,Base64,Wipe disk,Double fast flux,Detect language installed,Crypter,Attacks against models that report a score
Registry keys detection,PE format tricks,NtQueryInformationProcess,Suspend inject and resume,Dead code insertion,Find window,Caesar/ROT,Melt file,DGA,Malicious shortcut,Virtual machine,Binary black-box attacks
Checking process,Fingerprinting emulator,NtSetInformationThread,Hook injection,Spaghetti code,Detect parent process,ROL,Hidden attributes,