I hereby claim:
- I am pun1sh3r on github.
- I am pun1sh3r (https://keybase.io/pun1sh3r) on keybase.
- I have a public key whose fingerprint is 8D38 3337 AD32 0597 0796 A751 FD78 CCA9 CBDA 6ECC
To claim this, I am signing this object:
\x90\x90\x90\x90 pun1sh3r
pun1sh3r
/ jolt_transforms.txt
Created
August 12, 2021 20:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "operation": "default", | |
| "spec": { | |
| "source" : "https://bazaar.abuse.ch", | |
| "itype" : "hash", | |
| "ioc_index": "", | |
| "attributes": { | |
| "trt:threat_scraper": "malwareBazaar_scraper", | |
| "trt:malware_name": "", |
pun1sh3r
/ pastebin_decode.py
Created
September 22, 2020 17:16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import base64 | |
| import requests | |
| req = requests.get('https://pastebin.com/raw/Q1MSN9j9') | |
| data = req.text | |
| data = data.replace('.','*!(@* #( !@ #*') | |
| data = data.replace('*!(@* #( !@ #*','0') | |
| with open('pastebin_decoded.bin', 'wb') as fd: | |
| fd.write(base64.b64decode(data[::-1])) |
pun1sh3r
/ csv_parsing.py
Created
January 23, 2020 15:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pandas as pd | |
| import csv | |
| from collections import defaultdict | |
| data_dict = defaultdict(dict) | |
| folio_df = pd.read_csv('folio_data.csv',usecols=['Folio_number','Name','Email']) | |
| folio_df = folio_df.replace(to_replace='(b\'|\')', value='',regex=True) |
pun1sh3r
/ decoder.py
Created
September 11, 2019 20:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pprint import pprint | |
| import binascii | |
| byte_array = [ i for i in range(255)] | |
| first_hex_buffer = binascii.unhexlify('3fc05efced4c34d93f465921e18129c1') # suspicious buffer found at offset 417428 possible key? | |
| hex_array = [] | |
| possible_key = b'' | |
| count = 0 | |
| sum = 0 |
pun1sh3r
/ arcane_stealer.py
Created
August 27, 2019 19:57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #arcane stealer config dumper | |
| import binascii | |
| import bitstring | |
| import glob | |
| src_files = glob.glob('/research/arcane_stealer/retrohunt/*.exe') | |
| for f in src_files: | |
| with open(f,'rb') as fh: |
pun1sh3r
/ simple_xor.py
Created
August 21, 2019 16:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import codecs | |
| f = codecs.open('resource.bin', encoding='ISO-8859-1') | |
| out_buffer = bytearray() | |
| data = f.read() | |
| key = bytearray('TfaryorHHrSn', 'utf-16') | |
| key = key[2:] | |
| data = bytearray(data, 'ISO-8859-1') | |
| for i in range(0, len(data), 1): |
pun1sh3r
/ azorult_c2_decoder.py
Created
July 18, 2019 21:16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #azorult xor decoder | |
| import binascii | |
| import base64 | |
| import bitstring | |
| from pprint import pprint | |
| import glob | |
| def decode_url(ciphertext): | |
| #ciphertext = binascii.unhexlify('68 b7 72 39 9c 64 66 89 6c3ba91068a811659c124389413bb9596b8615799d4930ce434ac6506b9272659a633c884141be1d') | |
| key = binascii.unhexlify("09ff20") |
pun1sh3r
/ keybase.md
Created
January 12, 2018 04:39
pun1sh3r
/ Wannacrypt0r-FACTSHEET.md
Created
May 15, 2017 06:41
— forked from rain-1/Wannacrypt0r-FACTSHEET.md
- Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
- Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
- Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
- Kill switch: If the website
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comis up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).
update: A minor variant of the viru