Action Id | Description |
---|---|
1052 | search and delete log files |
1053 | self update (and remove traces of the update, rmdir /s /q c:\temp && del /q /f %temp%*.au30) |
1060 | delete shadow copies (c vssadmin delete shadows /for=c: /all /quiet) |
1072 | kill rar process and remove traces of rar archive |
1096 | ntdll used to execute payload in memory as notepad.exe |
1099 | Spoof parent PID to execute a cmd.exe |
1100 | APC injection via NtTestAlert |
1101 | APC injection via NtTestAlert |
import sys | |
import struct | |
CLSID = { | |
"IMediaEventEx": "56a868c0-0ad4-11ce-b03a-0020af0ba770,", | |
"INetworkCostManager": "dcb00008-570f-4a9b-8d69-199fdba5723b", | |
"INetworkConnectionCost": "dcb0000a-570f-4a9b-8d69-199fdba5723b", | |
"INetworkCostManagerEvents": "dcb00009-570f-4a9b-8d69-199fdba5723b", | |
"IEnumNetworks": "dcb00003-570f-4a9b-8d69-199fdba5723b", | |
"IEnumNetworkConnections": "dcb00006-570f-4a9b-8d69-199fdba5723b", |
# Hexdump viewer | |
def hexdump(data: bytes, length: int = 16) -> None: | |
def is_printable(b): | |
return 0x20 <= b < 0x7f | |
def to_printable(b): | |
if is_printable(b): | |
return f'\033[34m{chr(b)}\033[0m' | |
else: | |
return f'\033[31m.\033[0m' |
void execute_next_stage() | |
{ | |
_IMAGE_DOS_HEADER *decompressed_buffer; // edi | |
IMAGE_NT_HEADERS *lfanew; // esi | |
_IMAGE_NT_HEADERS *v2; // esi | |
_BYTE *v3; // ebx | |
char *v4; // ebx | |
int v5; // ebx | |
int Heap; // [esp+C8h] [ebp-C8h] | |
int i; // [esp+100h] [ebp-90h] |
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 |
import re | |
from itertools import filterfalse | |
from collections import Counter | |
from typing import List, Tuple, Set | |
reg_DENIS = re.compile(r"(dennis\(\")([0-9\]\"]{1,})(,)([0-9]{1,})([\/])([0-9]{1,})([\)])") | |
reg_INT_VAR = re.compile(r"(\$)(?P<name>[a-zA-Z0-9]{1,})( )=( )([0-9]{1,})") | |
def dennis(string, diff): |
import os | |
import sys | |
import time | |
import struct | |
import logging | |
import socket | |
import select | |
import argparse | |
import platform | |
from itertools import zip_longest |
import sys | |
import pefile | |
from typing import List | |
def get_data_section_virtualAddress(pe: pefile.PE) -> int: | |
"""Return the .data section of a PE file.""" | |
data_va: int = 0 |
#define DLL_QUERY_HMODULE 6 | |
#define DEREF( name )*(UINT_PTR *)(name) | |
#define DEREF_64( name )*(DWORD64 *)(name) | |
#define DEREF_32( name )*(DWORD *)(name) | |
#define DEREF_16( name )*(WORD *)(name) | |
#define DEREF_8( name )*(BYTE *)(name) | |
#define DLLEXPORT __declspec( dllexport ) |
ByteFence | |
C:\Program Files (x86)\Avira | |
C:\Program Files (x86)\F-Secu | |
C:\Program Files (x86)\IObit | |
C:\Program Files (x86)\Sophos | |
C:\Program Files\Malwarebytes | |
C:\Program Files\Quick Heal | |
C:\ProgramData\Emsisoft | |
C:\ProgramData\Kaspersky Lab | |
Comodo |