Skip to content

Instantly share code, notes, and snippets.

View kirk-sayre-work's full-sized avatar

Kirk Sayre kirk-sayre-work

61 followers · 0 following
  • Walmart
View GitHub Profile
@kirk-sayre-work
kirk-sayre-work / gist:6ebdee9eff31ba8bd6e35ec3f9efd726
Created May 15, 2019 19:17
Yara Rule to Detect Office Files Modified to Hide VBA Modules in Office VBA IDE.
rule vba_hidden_from_editor {
  strings:
    $header_office = { D0 CF 11 E0 }
    $has_macros = "\x0aDocument="
    $s1 = /\x0aDocument=.{3,1000}\x0d?\x0a\w{4,30}=(\{|"|[a-zA-Z])/
    $s2 = /\x0aDocument=This(Docume|Displa)[a-zA-Z](\x00.){10,}/
  condition:
@kirk-sayre-work
kirk-sayre-work / gist:8a48d1da87585535040f5c50280c3602
Last active May 17, 2019 14:45
FlawedAmmy Maldoc IOCs 5/17/2019
2nd Stage Download URLs:
http://185.128.213.12/rol1
http://185.231.155.59/rol2
http://91.200.41.236/vsupdate
http://kupitorta.net/lsadat1
http://kupitorta.net/lsadat2
http://kupitorta.net/lsadat3
http://zonaykan.com/lsadat1
http://zonaykan.com/lsadat2
@kirk-sayre-work
kirk-sayre-work / gist:125dc669616c385c9b87b12e4be8978d
Created May 17, 2019 14:51
GootKit Maldoc IOCs
2nd Stage Download URLs:
http://ami.diminishedvaluewashington.com/l2.php?vid=at1
http://ami.diminishedvaluewashington.com/l2.php?vid=pec4
http://ami.diminishedvaluewashington.com/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php?vid=pec3
http://ami.regroups.net/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php?vid=pecdoc
http://casa.bruceliu.com/api?acgj
http://casa.bruceliu.com/api?bjzfz
http://casa.bruceliu.com/api?bzduh
http://casa.bruceliu.com/api?bzdz
@kirk-sayre-work
kirk-sayre-work / gist:143f81c7bfefdb8eaadf82d0e0592acb
Created May 17, 2019 18:19
Trickbot Maldoc IOCs
2nd Stage Download URLs:
http://64.44.133.144/?3mhZb5
Maldoc Hashes:
0ba683568db6968cef83732e55dc107e5b303814ff6fe0d8403e6819cccff9a7
7f505a73ed5d4101c866d127d4f4d78ff61177f30fafda720c63571014004f2e
2180bf02929ec2b35fc8cc9e2338aa693eca0830558c48041f9166e64c359cf8
d2eee6d744a82fc20c563e71570c46492a3ce57c9a73c55a9f697fa2711f132c
@kirk-sayre-work
kirk-sayre-work / gist:a97d70d243b1603d76e3b92f808e098a
Created May 22, 2019 17:57
Qakbot VBScript Downloader Hashes
3ae504334bf5d9582ee772796ab5132d7c43e625bd417917a65f321207693b6e
6041efb2c42971b0b238e372bc4e24e9f2fcd7115fa288dcf2ba31d9a1beb311
db39e9aa376c10d4d4d69d88a0b8d12354e5881a42c797852157e265f984206d
67bcf22415ca18d00ce08beb5cb341d3cbcde882c33de6e21f1d06c81f25f059
4e2cb3b9e9026049427bdfaff30f4db36aee459824f20c0bb33fec90d1359e7a
ab24623ffa559cb01949ae79e2f4e9e4d1901692c596bb27f20e245ecd3618ee
6357f2011fdf0148213f65936af40a2a0a543d15949f00eac242851a47dfd537
002269e050dbfa9d4e1c6f16e1521c3f55f3c46e90d8e40fcf250f4901aecfd9
d3735ecc385af4319c79e493f4fa0c83b0cc525356e1e7d66c6175a3a46b5c39
c3cc342a0d331d252b8f99e2690b657aff8b313a2e1fa8fed4e1098c05c63377
@kirk-sayre-work
kirk-sayre-work / gist:c17c15eec9be0dc8b1eb0104890a46b2
Created May 22, 2019 17:59
Qakbot 2nd Stage Download URLs
http://adventure.kylespence.com/transfer_wise.png?bg=sp36&os=AAAA&av=AAAA
http://analytics.nhgreenscapes.com/404.html
http://analytics.nhgreenscapes.com/usflag.png?bg=sp35&os=AAAA&av=AAAA
http://angels.tastywienersonwheels.com/Svengali.png?bg=sp42&os=AAAA&av=AAAA
http://angels.tastywienersonwheels.com/cacophony.png?bg=sp42&os=AAAA&av=AAAA
http://angels.tastywienersonwheels.com/carte_blanche.png?bg=sp42&os=AAAA&av=AAAA
http://angels.tastywienersonwheels.com/caustic.png?bg=sp42&os=AAAA&av=AAAA
http://angels.tastywienersonwheels.com/dilettante.png?bg=sp42&os=AAAA&av=AAAA
http://angels.tastywienersonwheels.com/elan.png?bg=sp42&os=AAAA&av=AAAA
http://angels.tastywienersonwheels.com/epitome.png?bg=sp42&os=AAAA&av=AAAA
@kirk-sayre-work
kirk-sayre-work / gist:a7885d3483d8f365257076dffbd4445f
Created June 12, 2019 21:38
Anti-Sandoxing Maldoc 2nd Stage URLs
http://107.172.138.23/4296fff552695fa
http://66.55.64.191/b6d068dcce14f
http://66.55.64.191/b6d068dcce14f95
http://crm.theberriesblog.com/999776df194d0
http://crm.theberriesblog.com/999776df194d095
http://dijilandscape.ca/job_description.exe
http://fobmasters.com/pics/veve.exe
http://onedrive.autotalk.com.ng/file/crypt_2_7000.exe
http://storage.alfaeducation.mk/file/crypt_2_7000.exe
https://crm.theberriesblog.com/1a7aea242fe48a4
@kirk-sayre-work
kirk-sayre-work / gist:daae1c6bf11a4bb770edf2f441c95f74
Created June 12, 2019 21:39
Anti-Sandboxing Maldoc Hashes
8392a966b9d9f75bd7259c188667abebee2c91b7bdcc6e82a490b12484e08218
8750ca737e58926ae0bae7daea211a04b2fad28b5fe582cd492a432eae924258
f368f068a330347836df1007da00ae0706d6c791c307a599f14191adc920d49d
a880a6b7af4d7f26cab8d99cf06194165b0fdb6ec9198ac01f45293ce303f0d0
bb3c835150b6d5c22975e63d778f4562db4dd2f65c0285b3af1e3721c44f816d
07d50b5f8dae9c3a9aeb2e5116480c59bc7ec3393a1e0ab60a6c57651f2b7349
2df54f037c2d3da9cfe9d41f31c158fb93fb1fcebcb1468de6e1fd0f0cae4a47
81c234bf5bf83e96e3e7ae938eec1ca8701cd226cfd1ea9df9c1248c182bc29a
d45b59e308f8cf86cb6df94bbecd229d2857843bd412a2adc31c4efe37c1ce09
424b19580b268d14c2693bd2ecd3ee3e6eeb204f24770f1403d03c79808402d5
@kirk-sayre-work
kirk-sayre-work / gist:0f49410dd8f03ea358ed56073b74896d
Created June 13, 2019 16:50
solsin.top Maldocs
2nd Stage URLS:
http://109.94.209.178/r3
http://176.105.252.168/r1
http://185.140.248.17/lt1
http://185.140.248.17/lt2
http://solsin.top/w1
Maldoc Hashes:
@kirk-sayre-work
kirk-sayre-work / gist:ccb455fabfb5db7d79bd2c80c4e96342
Created June 25, 2019 19:38
Javascript Payload Maldoc Hashes
b9689d07172eb621a2c6c7441bad6301ee38100b2c903f7c9f63264be7217591
442663ccd827f1d10cb0c2f87327241d77675cc60b9374b5d93bc4abdbeaed87
a6e8282ebb8f59b97ce4a41375751a55190bd333a99368855f232d812badcaf3
f33266fb7f2a7c056b50b23ba8fe2d7841b25e6aef1bc060f0fb2f404a261ba6
7950dee7e6fd38627004ec6b4011fe605f7d491999b0fcdc1379b4502cd0e7ee
243e8a77c190d9154cc90571672019fc772edc139a21c8876adfd9b9a43ab0f9
a8f1be02dd869cf52d5a1718fd304330968d2a07d13bd7afd195d790efa53830
284cc165be2fe972108b84275c1c77be832d35cd65ed8693fa78f5fda6f1056b
6d745255975392550f5edc4f94373dcfb7d2a440db8029350e989550e5d28e1b
49de1aa07c860445d4e99e7c7c2595879c8f6ddc4211c893bec82ffe058a7bfb