I hereby claim:
- I am herrcore on github.
- I am herrcore (https://keybase.io/herrcore) on keybase.
- I have a public key whose fingerprint is 8E47 AB41 31AE D120 0655 3C4D 4339 149B F8AF 2E6A
To claim this, I am signing this object:
herrcore herrcore
herrcore
/ keybase.md
Created
March 5, 2015 22:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| __AUTHOR__ = '@herrcore' | |
| ############################################################################################### | |
| ## | |
| ## Script to reproduce the DGA for #Dromedan dropper | |
| ## Sample SHA256: f88bc84fea3695cd1da1a315eb09c65f21cfc6b764defc3c8efd94d6c6396e0c | |
| ## | |
| ## Another @herrcore production | |
| ## | |
| ## And so me put in work work work work work work! |
herrcore
/ HummingBad.txt
Created
July 5, 2016 20:08
Koodous links for apps matching IOCs from CheckPoint "HummingBad" report (http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://analyst.koodous.com/apks/52c073ef52312049182773b3c4f3d275b2f3419e8d16d3dbdb5ed3446c09b439 | |
| https://analyst.koodous.com/apks/323d0c5ab28124361c96f2d337b2576216e076ab0e7cbc8cf981acae15916ee2 | |
| https://analyst.koodous.com/apks/dc6d831b8bd96623aef593b255a47fdc97460d7417b90478a55ea6a952b33344 | |
| https://analyst.koodous.com/apks/d337438242724d59183f769845733fc9d514b17512970c87a6a9f45547a00ee6 | |
| https://analyst.koodous.com/apks/b86c18b8c948c92966a998ede389c78c99c8f5e69779d2184fdce2a7974615b8 | |
| https://analyst.koodous.com/apks/a922f8990952c9635fb649dd735056999b0d1374f50ade15e2408d2be8a20057 | |
| https://analyst.koodous.com/apks/32a25f2f339b70601a33d5577a65424eca25e526222067699702f406be9aa027 | |
| https://analyst.koodous.com/apks/98a01bd62210bf1c818ecf64acb55fd3758a892310beaf4df28565f7df063d83 | |
| https://analyst.koodous.com/apks/cc294653372db1df592b597e4d88bdc8eb834edad9833637cff3be676f18efff | |
| https://analyst.koodous.com/apks/cb04a042013c72cebdce3dedc0c3b69ac32adb0415dd17474a4f5d05069e704a |
herrcore
/ disk_serial_extractor.py
Created
August 24, 2015 17:31
Extract the disk serial number from the SOFTWARE hive
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ####################################################################### | |
| ## | |
| ## Extract the disk serial number from the SOFTWARE hive | |
| ## | |
| ####################################################################### | |
| __AUTHOR__ = '@herrcore' | |
| import datetime |
herrcore
/ asprox_id.ps1
Created
September 12, 2016 02:38
Use host specific attributes to generate asprox ID and ID_Key unique to host.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Generate asprox ID and ID_Key. | |
| .DESCRIPTION | |
| Use host specific attributes to generate asprox ID and ID_Key unique to host. | |
| .NOTES | |
| File Name : asprox_id.ps1 | |
| Author : @herrcore | |
| Prerequisite : PowerShell V2 over Vista and upper. | |
| #> |
herrcore
/ panda_banker_string_decrypt.py
Created
November 23, 2016 23:34
Panda Banker string decrypt https://github.com/tildedennis/malware/tree/master/panda_banker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idaapi, idc, idautils | |
| import re | |
| import struct | |
| start = 0x0041A558 | |
| end = 0x0041B1E8 | |
| for ptr in range(start,end,8): | |
| key = Byte(ptr) |
herrcore
/ memory_map.py
Created
January 3, 2017 17:58
Stand alone memory map tool using winappdbg based on: http://winappdbg.sourceforge.net/doc/v1.4/tutorial/_downloads/07_memory_map.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!~/.wine/drive_c/Python25/python.exe | |
| # -*- coding: utf-8 -*- | |
| # Copyright (c) 2009-2014, Mario Vilas | |
| # All rights reserved. | |
| # | |
| # Redistribution and use in source and binary forms, with or without | |
| # modification, are permitted provided that the following conditions are met: | |
| # | |
| # * Redistributions of source code must retain the above copyright notice, |
herrcore
/ lznt1.py
Created
January 20, 2017 14:12
Decompress lznt1 without the need for Windows! Standalone version of https://github.com/MITRECND/chopshop/blob/master/ext_libs/lznt1.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (c) 2014 The MITRE Corporation. All rights reserved. | |
| # | |
| # Redistribution and use in source and binary forms, with or without | |
| # modification, are permitted provided that the following conditions | |
| # are met: | |
| # 1. Redistributions of source code must retain the above copyright | |
| # notice, this list of conditions and the following disclaimer. | |
| # 2. Redistributions in binary form must reproduce the above copyright | |
| # notice, this list of conditions and the following disclaimer in the | |
| # documentation and/or other materials provided with the distribution. |
herrcore
/ hancitor_download_decrypt.py
Last active
January 20, 2017 18:04
Decrypt hancitor downloads; first 8 bytes xor key, then lznt1 decompress
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| try: | |
| import lznt1 | |
| except: | |
| print "Cannot import lznt1, try this lib: https://gist.github.com/herrcore/344ba2ea540f622b52efba858050539f" | |
| import struct | |
| def decrypt(data): | |
| key = data[:8] | |
| data = data[8:] |
herrcore
/ brazil_banker_string_decrypt.py
Created
January 26, 2017 19:49
String decryption for unknown Brazil banker trojan; packed:dc8a114965069f91081c2bb0b9a0e8635c1627648a9b599f573c35713724b204, unpacked: 96d4a0d59f27be9cceb1473cb3d5f4dc2863837a9dfd94f0dfeab20092ea6466
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def decrypt_string(ctxt): | |
| tbl = 'UmlXZEyNki880daneIlvAipdZ5Kz45FucTmGiIhYdbFHromzJjbisCtBCm' | |
| ctxt_bin = '' | |
| for i in re.findall('..',ctxt): | |
| ctxt_bin += chr(int(i,16)) | |
| ptxt = '' | |
| for i in range(0,len(ctxt_bin) - 1): | |
| mut_chr = ord(ctxt_bin[i]) | |
| tmp_chr = ord(ctxt_bin[i+1]) ^ ord(tbl[i]) | |
| if mut_chr > tmp_chr: |
OlderNewer