Navdeep nvdp01
nvdp01
/ decrypt_configblob.py
Created
August 19, 2023 11:23
Decrypts config file of a CN APT malware (sample: 00e4ddce2b3318fbebe2f7c0b72d9071486dd4ea705de0a212a4bf67698f1f00). This code decrypts cfg.pcs dropped by this sample.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys | |
| import zlib | |
| arguments = sys.argv[1:] | |
| if len (arguments) != 2 : | |
| print ("Usage: python3 decrypt_configblob.py <input blob> <output file>") | |
| sys.exit (1) | |
| crc32_table = ([ |
nvdp01
/ extract_eval_vba_userform_vars.py
Created
June 29, 2022 10:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sample wrapper around oletools.oleform.extract_OleFormVariables() to extract VBA userform field values from an Office file and evaluate VBA expressions which use the values | |
| # Code released in public domain by @ItsNavdeep with no warranty and no rights | |
| import olefile | |
| import oletools | |
| from oletools import oleform | |
| from dotmap import DotMap | |
| import re | |
| import sys |