herrcore herrcore
herrcore
/ panda_banker_string_decrypt.py
Created
November 23, 2016 23:34
Panda Banker string decrypt https://github.com/tildedennis/malware/tree/master/panda_banker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idaapi, idc, idautils | |
| import re | |
| import struct | |
| start = 0x0041A558 | |
| end = 0x0041B1E8 | |
| for ptr in range(start,end,8): | |
| key = Byte(ptr) |
herrcore
/ vawtrak_string_decoder.py
Last active
May 10, 2023 12:23
IDA python string decoder for Vawtrak 930eccf4bedcd5e0901306410787adc6a95acd957a7383d326d9949c76fcc828
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idaapi, idc, idautils | |
| import re | |
| import struct | |
| import base64 | |
| flag_arr=[] | |
| def decrypt_algo(key, data, data_len): | |
| out="" | |
| for i in range(0, data_len): |
herrcore
/ memory_map.py
Created
January 3, 2017 17:58
Stand alone memory map tool using winappdbg based on: http://winappdbg.sourceforge.net/doc/v1.4/tutorial/_downloads/07_memory_map.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!~/.wine/drive_c/Python25/python.exe | |
| # -*- coding: utf-8 -*- | |
| # Copyright (c) 2009-2014, Mario Vilas | |
| # All rights reserved. | |
| # | |
| # Redistribution and use in source and binary forms, with or without | |
| # modification, are permitted provided that the following conditions are met: | |
| # | |
| # * Redistributions of source code must retain the above copyright notice, |
herrcore
/ lznt1.py
Created
January 20, 2017 14:12
Decompress lznt1 without the need for Windows! Standalone version of https://github.com/MITRECND/chopshop/blob/master/ext_libs/lznt1.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (c) 2014 The MITRE Corporation. All rights reserved. | |
| # | |
| # Redistribution and use in source and binary forms, with or without | |
| # modification, are permitted provided that the following conditions | |
| # are met: | |
| # 1. Redistributions of source code must retain the above copyright | |
| # notice, this list of conditions and the following disclaimer. | |
| # 2. Redistributions in binary form must reproduce the above copyright | |
| # notice, this list of conditions and the following disclaimer in the | |
| # documentation and/or other materials provided with the distribution. |
herrcore
/ hancitor_download_decrypt.py
Last active
January 20, 2017 18:04
Decrypt hancitor downloads; first 8 bytes xor key, then lznt1 decompress
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| try: | |
| import lznt1 | |
| except: | |
| print "Cannot import lznt1, try this lib: https://gist.github.com/herrcore/344ba2ea540f622b52efba858050539f" | |
| import struct | |
| def decrypt(data): | |
| key = data[:8] | |
| data = data[8:] |
herrcore
/ brazil_banker_string_decrypt.py
Created
January 26, 2017 19:49
String decryption for unknown Brazil banker trojan; packed:dc8a114965069f91081c2bb0b9a0e8635c1627648a9b599f573c35713724b204, unpacked: 96d4a0d59f27be9cceb1473cb3d5f4dc2863837a9dfd94f0dfeab20092ea6466
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def decrypt_string(ctxt): | |
| tbl = 'UmlXZEyNki880daneIlvAipdZ5Kz45FucTmGiIhYdbFHromzJjbisCtBCm' | |
| ctxt_bin = '' | |
| for i in re.findall('..',ctxt): | |
| ctxt_bin += chr(int(i,16)) | |
| ptxt = '' | |
| for i in range(0,len(ctxt_bin) - 1): | |
| mut_chr = ord(ctxt_bin[i]) | |
| tmp_chr = ord(ctxt_bin[i+1]) ^ ord(tbl[i]) | |
| if mut_chr > tmp_chr: |
herrcore
/ ramnit_dga.py
Created
April 8, 2017 02:16
Ramnit DGA generator for MD5: abd2b832007338d6d6550339eec09fb0 - seed 0x36F066D
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ################################################################## | |
| # | |
| # Ref sample: | |
| # MD5: abd2b832007338d6d6550339eec09fb0 (AegisI5.exe) | |
| # \_ MD5: cf5de95d94bb349f1f21bb5713a05d25 (fA1L0mX.exe) | |
| # \_ MD5: 17cb0563f7c4621bc98abd06965bdfa9 (svchost.exe injected DLL) | |
| # | |
| # DGA generator for Ramnit Trojan | |
| # |
herrcore
/ upatre_extractor.py
Last active
July 11, 2017 15:15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/local/bin/env python | |
| #################################################### | |
| ## | |
| ## All credit to @_qaz_qaz for this awesome post | |
| ## https://secrary.com/ReversingMalware/Upatre/ | |
| ## | |
| ## Original script: | |
| ## https://gist.github.com/secrary/98c563688fa6cea1fd517170f97988ab | |
| ## |
herrcore
/ ucl_nrv2b.py
Created
October 2, 2017 03:41
UCL NRV2B Decompression Library - Full Python (compression used by Zeus variants)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ################################################################################################ | |
| ## UCL NRV2B Decompression Library | |
| ## | |
| ## Code from "Clash of the Titans: ZeuS v SpyEye": | |
| ## https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393 | |
| ## Author: Harshit Nayyar, harshit.nayyar@telus.com | |
| ## | |
| ## NOTE: This is the compression algorithm used in the Zeus trojan and subsequent variants | |
| ## |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var oShell = new ActiveXObject("Shell.Application"); | |
| var commandtoRun = "calc.exe"; | |
| oShell.ShellExecute(commandtoRun,"","","","1"); |