Skip to content

Instantly share code, notes, and snippets.

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Markmap</title>
<style>
* {
margin: 0;
#!/usr/bin/env python3
'''
A simplified FLOSS implementation that only supports stackstrings.
requirements:
- yara-python
- unicorn
author: Willi Ballenthin
email: william.ballenthin@fireeye.com
@fr0gger
fr0gger / msthreatinfo.py
Last active August 19, 2022 04:54
Threat Info Lookup: Retrieve Microsoft Defender signature details from the Threat Encyclopedia
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Thomas Roccia, @fr0gger_
"""Threat Encyclopedia Lookup, retrieve Defender Signature information.
This script will retrieve the information related to the specified signature.
Usage:
python threatinfo.py [options]
Requirements:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://twitter.com/juanandres_gs/status/1496581710368358400?s=20&t=ceSYl9EWREXS0ELncl4grA
https://twitter.com/0xAmit/status/1496641159371837444?s=20&t=BGgh4TA4xPH1SbmShMkULw
https://twitter.com/JusticeRage/status/1496894253376720901?s=20&t=j42L_Y0O-Q2-oTI3YEcSZw
https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/a82e9105-2405-4e37-b2c3-28c773902d85
https://docs.microsoft.com/en-us/windows/win32/devnotes/attribute-list-entry
https://twitter.com/Lexsek_/status/1496806942630633475?s=20&t=BGgh4TA4xPH1SbmShMkULw
https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
'''
Simple POC for calculating the Export Table Hash by Thomas Roccia | @fr0gger_
Similarly as ImpHash, the Export Hash is calculated by extracting the function names from the export table and hashing them.
Exported function names are extracted in order, then all characters are converted to lowercase.
The function names are then joined together and hashed using SHA256.
The hash is dubbed "ExpHash".
Example:
python .\exphash.py .\AppXDeploymentClient.dll
ExpHash: 50644ab76c9421984137aadca2ba9b2883763f0189daf4010a699c490d263a86
http://abraajenergy.com/
http://abraajenergy.com/m9lowa3/discord-server-link-checker.html
http://chpok.site/
https://rockstorageplace.com/away.php
yourflash24.com
phonestar.info
dougale.com
gomusic.info
premiumbros.com
totalav.com
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Thomas Roccia | IconDhash.py
# pip3 install lief
# pip3 install pillow
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html
import lief
import os
import argparse
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Rich Hash standalone support for python3 - Thomas Roccia - @fr0gger_
"""
import hashlib
import sys
import re
@fr0gger
fr0gger / yara_performance_guidelines.md
Created February 16, 2021 09:23 — forked from Neo23x0/yara_performance_guidelines.md
YARA Performance Guidelines

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.4, October 2020, applies to all YARA versions higher than 3.7

Atoms

YARA extracts from the strings short substrings up to 4 bytes long that are called "atoms". Those atoms can be extracted from any place within the string, and YARA searches for those atoms while scanning the file, if it finds one of the atoms then it verifies that the string actually matches.

@fr0gger
fr0gger / sunburst_glossary.csv
Last active September 12, 2021 16:48
Sunburst/Solorigate glossary to keep track of used terms
Name Description
Solarwinds Compromised company used to spread the Sunburst malware through the Orion platform.
Orion Platform Compromised platform used to deliver the Sunburst malware in a supply chain attack.
Sunspot Malware name attributed by CrowdStrike and used to insert the Sunburst backdoor.
Sunburst Malware name attributed by FireEye and inserted in the Orion platform. AKA Solorigate.
Solorigate Malware name attributed by Microsoft and inserted in the Orion platform. AKA Sunburst.
Teardrop Additional payload delivered by the Sunburst backdoor used to deploy a custom Cobalt Strike Beacon.
Raindrop Loader which delivers a payload of Cobalt Strike. Similar to Teardrop.
Beacon Malware name used by FireEye to define custom Cobalt Strike payload.
GoldMax Written in Go GoldMax acts as command-and-control backdoor for the actor. AKA Sunshuttle.