Mert Degirmenci r00tten
r00tten
/ vti-cosplay_help.txt
Created
January 4, 2022 23:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| r00tten@vti-cosplay VTI-Cosplay % python3 vti-cosplay.py -h | |
| ,(#* | |
| ,(#*. | |
| *********(##* ,**********. | |
| .%%#////////*, .,///////(%#, | |
| .%%* *%#, | |
| .%%* *%#, | |
| .%%* *%#/,,,,,, | |
| ,(%%/. ,(((((((((. |
r00tten
/ emotet_powExtract.py
Last active
October 24, 2020 04:16
To extract Powershell command and CC details from Emotet Microsoft Office Word Documents. It is using oledump.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import re | |
| import sys | |
| import subprocess | |
| import glob | |
| import base64 | |
| import yaml | |
| def dumpYaml(data): |
r00tten
/ risk.yar
Last active
December 25, 2019 11:26
Yara rule for the analyzed Risk files. https://r00tten.com/in-depth-analysis-attack-vector-triggered-by-risk/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Risk { | |
| meta: | |
| author = "Mert Degirmenci" | |
| description = "YARA rule for the files whose hash is one of the below" | |
| date = "12.11.2019" | |
| hash1 = "c40d59f85e1b4bacf10643b535da804af2e99caba91ab860b221121e24a2a9bb" | |
| hash2 = "11455bc66548fd161362d300d24c6539c36c7b236aafd4f457d8ee2d8b6c9262" | |
| hash3 = "29659dd2cd05d0e3c97c2fd3687644a78622ad487178901cb67f14be314c168b" | |
| hash4 = "3c3b311505b8a3b280024d05017ff9edcb19e193c1760cac099d09fb165e93d7" |
r00tten
/ b12c59c082db972b11cc6e78fb10afc4.yar
Last active
December 5, 2019 20:59
YARA rules, https://r00tten.com/in-depth-analysis-rtf-file-drops-agent_tesla/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule swift_copy { | |
| meta: | |
| author = "Mert Degirmenci" | |
| description = "Agent Tesla phishing RTF document" | |
| date = "22.10.2019" | |
| hash1 = "f1a00cdd704475ee21e7a4fc38a7188868addcb681660eaa1b71f072e265fffd" | |
| strings: | |
| $s_rtf = "{\\rtf1" |
r00tten
/ c14c8d99ab4652e631b61af1dca873b4_shellcode_r2
Last active
December 5, 2019 18:06
Flags that I have assigned during my analysis, https://r00tten.com/in-depth-analysis-rtf-file-drops-agent_tesla/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| af @ 0xbe | |
| afvb -52 sus.imp.VirtualProtectEx int32_t @ 0xbe | |
| afvb -84 sus.imp.ResumeThread int32_t @ 0xbe | |
| afvb -60 sus.imp.VirtualFree int32_t @ 0xbe | |
| afvb -108 sus.imp.ReadProcessMemory int32_t @ 0xbe | |
| afvb -112 sus.imp.SetThreadContext int32_t @ 0xbe | |
| afvb -96 sus.imp.GetThreadContext int32_t @ 0xbe | |
| afvb -88 sus.imp.TerminateProcess int32_t @ 0xbe | |
| afvb -44 sus.imp.WriteProcessMemory int32_t @ 0xbe | |
| afvb -104 sus.imp.VirtualAlloc int32_t @ 0xbe |
r00tten
/ b12c59c082db972b11cc6e78fb10afc4_powershell_decrypt.py
Last active
December 5, 2019 18:08
Decryption routine for Powershell script, https://r00tten.com/in-depth-analysis-rtf-file-drops-agent_tesla/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import sys | |
| import re | |
| def decryptor(z5ef583): | |
| b9d4bc = "qaf669"; | |
| vfc9c = "" | |
| for i in xrange(0, len(z5ef583), 2): | |
| s3c1193 = int(('0x' + z5ef583[i:i+2]), 16) |
r00tten
/ c14c8d99ab4652e631b61af1dca873b4_shellcode-r2pipe.py
Last active
December 5, 2019 18:08
r2pipe script for the shellcode, https://r00tten.com/in-depth-analysis-rtf-file-drops-agent_tesla/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import r2pipe | |
| file = open('importsNtdll', 'r') | |
| #file = open('importsKernel32', 'r') | |
| imports = file.read() | |
| file.close() | |
| imports = imports.split('\n') | |
| file = open('hashes', 'r') |
r00tten
/ cf38dd8ffa483be2768ac60eb0f00a4e_decrypt.py
Last active
December 5, 2019 18:09
Reimplementation of decryption routine of the file 6a64bc2905f213ed4baf27d9ca0844056c7184dd91269a56fcb55d2c707f52dc. https://r00tten.com/in-depth-analysis-rtf-file-drops-agent_tesla/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import sys | |
| import struct | |
| import re | |
| from rijndael.cipher.crypt import new | |
| from rijndael.cipher.blockcipher import MODE_CBC | |
| encValues = [] | |
| def readValues(): |
r00tten
/ 43d7ffd611932cf51d7150b176ecfc29_r2DLL
Created
April 22, 2019 05:17
Flags that I have assigned during my analysis, https://r00tten.com/late-night-show-apt28-phishing-document/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| f sus.copyToBuffer 0 0x100030df | |
| f sus.lengthAsByte 0 0x10002b99 | |
| f sus.internetReadFile_caller 0 0x10003621 | |
| f sus.createMutex 0 0x10002cfc | |
| f sus.mainRoutine 0 0x10005b94 | |
| f sus.decrypterFunc 0 0x10002f3f | |
| f sus.heapFree_un 0 0x10003f83 | |
| f sus.multiByteToWideChar_caller 0 0x1000369a | |
| f sus.base64Decode 0 0x10002d4b | |
| f sus.base64Encode 0 0x10002d8f |
r00tten
/ 43d7ffd611932cf51d7150b176ecfc29_dll.yar
Last active
April 19, 2019 06:13
YARA rule of APT28 SedUploader variant. https://r00tten.com/late-night-show-apt28-phishing-document/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule SedUploader { | |
| meta: | |
| author = "Mert Degirmenci" | |
| description = "APT28 SedUploader variant" | |
| date = "15.04.2019" | |
| hash1 = "b20aab629ea7fa73b98be9f3df1568c0a3b37480" | |
| strings: | |
| // google.com |
NewerOlder