Kağan IŞILDAK (kaganisildak)
function getInvoices() {
  // Google Apps Script: find invoice-like Gmail threads and work on them from a sheet
  var sheet = SpreadsheetApp.getActiveSpreadsheet().getActiveSheet();
  var folderId = ''; // Drive folder ID to use (fill in before running)
  var folder = DriveApp.getFolderById(folderId);
  // Search the inbox for messages that look like receipts or invoices
  var threads = GmailApp.search('receipt OR invoice OR payment OR billing in:inbox');
  for (var i = 0; i < threads.length; i++) {
    var messages = threads[i].getMessages();
    for (var j = 0; j < messages.length; j++) {
      var date = messages[j].getDate();
from flask import Flask, request, jsonify, Response
import os, glob, sys
from threading import Thread, Event
from multiprocessing import Process, cpu_count
from io import BytesIO

class RepeatingTimer(Thread):
    """Thread that calls `callback` every `interval_seconds` seconds."""
    def __init__(self, interval_seconds, callback):
        super().__init__()
Any.Run uses agents inside the VM for its analysis. By manipulating the threads of the agent it uses, we can stop ANY.RUN from logging, and we can exceed the maximum analysis time by breaking the machine's timing counter.
https://github.com/Malwation/InceptionAttack
https://github.com/Malwation/research/tree/main/oatos-1/anyrun
https://malwation.com/offensive-approach-to-online-sandboxes-1-any-run/
@kaganisildak
kaganisildak / Detect Online Sandbox
Created March 8, 2021 07:37
Detect Online Sandbox : Any.Run
Any.Run uses a fake root certificate to inspect traffic in the sandbox, so the first piece of information about the system can be obtained by querying the installed certificates.
A modified QEMU Agent is used to monitor the applications running in the virtual machine; this is how API hooking and monitoring are performed. If a process named "srvpost.exe" is running and the "winanr.dll" and "winsanr.dll" libraries are loaded in it, we can be certain that the Any.Run agent is running.
import subprocess

def executer(args):
    # Run a command and return its standard output as text
    proc = subprocess.Popen(args, stdout=subprocess.PIPE)
    return proc.communicate()[0].decode(errors="ignore")

# Certificates in the current user's store (the sandbox's certificate shows up here)
cert = executer(["powershell.exe", "-Command", "Get-ChildItem", "-Recurse", r"Cert:CurrentUser\My"])
# Running processes: look for the modified QEMU agent "srvpost.exe"
proc = executer(["powershell.exe", "Get-Process"])
# Modules loaded in srvpost.exe (Sysinternals listdlls): look for winanr.dll / winsanr.dll
dlls = executer(["listdlls.exe", "srvpost.exe", "/accepteula"])
@kaganisildak
kaganisildak / dopp.cs
Created July 25, 2019 09:06
Rekall Doppelgänging Detector
using System;
using System.IO;
using System.Text.RegularExpressions;

namespace DoppSearcher
{
    class Program
    {
        static void Main(string[] args)
        {
            // Read the Rekall output (one JSON record per line) to search for doppelgänging traces
            string[] readeddata = File.ReadAllLines("3doppmod.json");
### Keybase proof
I hereby claim:
* I am kaganisildak on github.
* I am kagan_isildak (https://keybase.io/kagan_isildak) on keybase.
* I have a public key ASCrhYVzWlEisMlMsZMpn9vsV63o31m0gAjXysDqabalpgo
To claim this, I am signing this object:
@kaganisildak
kaganisildak / callingntcreatefile.asm
Created April 19, 2019 16:04
Calling function from a library.
format PE GUI
entry start
include 'win32a.inc'

; Constants used for the NtCreateFile call
define OBJ_CASE_INSENSITIVE 0x00000040
FILE_READ_DATA = 0x0001
FILE_READ_ATTRIBUTES = 0x0080
FILE_READ_EA = 0x0008
define FILE_GENERIC_READ (STANDARD_RIGHTS_READ or FILE_READ_DATA or FILE_READ_ATTRIBUTES or FILE_READ_EA)
define FILE_SUPERSEDE 0x00000000
define FILE_NON_DIRECTORY_FILE 0x00000040
@kaganisildak
kaganisildak / Hollowing.cs
Created February 22, 2019 06:39 — forked from smgorelik/Hollowing.cs
Simple Process Hollowing C#
/***************
* Simple Process Hollowing in C#
*
* #Build Your Binaries
* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
*
* @author: Michael Gorelik <smgorelik@gmail.com>
* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
* #Most of the code taken from here: @github: github.com/ambray
@kaganisildak
kaganisildak / findelevate.py
Created July 12, 2018 09:20 — forked from riyazwalikar/findelevate.py
Python script to find all Windows binaries with autoElevate=True (uses sigcheck obviously)
# Usage: findelevate.py C:\Windows\System32\
# Needs sigcheck.exe in path [https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx]
import sys
import os
import glob
import subprocess

if len(sys.argv) < 2:
    print("Usage: findelevate.py <PATH>")
    sys.exit(1)