r00tten / asciify.py
Last active March 21, 2019 18:56
Asciify Unicode strings within files. I didn't have time to test it properly; if you find a bug, just tell me.
# [X] Reading from file
# [X] Splitting word by word
# [X] Split ascii and unicode
# [X] Determine a range and apply filter
# [X] Collect all the unique ones in an array
# [X] Create random english words for them
# [X] Create an updated file
# [ ] Work with folder and file as a input
#!/usr/bin/python
r00tten / unsetuid.py
Last active April 8, 2019 08:40
Unset the setuid bit on all files except those on the whitelist
#!/usr/bin/python
import os
import logging
# Paths exempted from the setuid-bit removal; empty by default, so populate it
# before running. NOTE(review): how entries are matched against the files that
# are walked is decided further down in the script — confirm there.
whitelist = []
def banner():
print("")
print(" ___ ___ _ _ ")
# LS19 Zararlı Yazılım Analiz Ekibi
# Analiz Rapor Formatı
#
# Değer bölümünde | karakteri bulunan anahtarlara, çoklu girdi sağlayabilirsiniz.
#
# Örn:
# key: |
# First Value
# Second Value
#
#!/usr/bin/python
import sys
import binascii
import struct
# Accumulator for the values read from the sample (filled further down).
# NOTE(review): the name shadows the stdlib `array` module; that module is not
# imported here, so it is harmless, but rename it if the module is ever needed.
array = []
# Hard coded XOR key: ten single-byte values. Presumably applied cyclically
# over the input — TODO confirm against the decryption loop below.
xorKey = [0x2d, 0x30, 0x71, 0x1b, 0x07, 0x0f, 0x43, 0x2d, 0x56, 0x2a]
# Sample encrypted string
Private Sub Execute()
Dim Path As String
Dim FileNum As Long
Dim xml() As Byte
Dim bin() As Byte
Const HIDDEN_WINDOW = 12
strComputer = "."
xml = ActiveDocument.WordOpenXML
Set xmlParser = CreateObject("Msxml2.DOMDocument")
#!/usr/bin/python
import sys
import binascii
# Accumulator for the input values (filled further down).
# NOTE(review): the name shadows the stdlib `array` module; harmless while that
# module is not imported, but rename it if it ever is.
array = []
# Result of XORing `array` with the key (filled further down).
xoredArray = []
# Hard coded XOR key. NOTE(review): the entries are strings, not ints, and mix
# '0x'-prefixed and bare hex ('0x56', '0xd7' vs 'a7', '0a'); whatever converts
# them below must accept both forms — confirm, or normalise the list.
xorKey = ['0x56', '0xd7', 'a7', '0a']
rule SedUploader {
meta:
author = "Mert Degirmenci"
description = "APT28 SedUploader variant"
date = "15.04.2019"
hash1 = "b20aab629ea7fa73b98be9f3df1568c0a3b37480"
strings:
// google.com
f sus.copyToBuffer 0 0x100030df
f sus.lengthAsByte 0 0x10002b99
f sus.internetReadFile_caller 0 0x10003621
f sus.createMutex 0 0x10002cfc
f sus.mainRoutine 0 0x10005b94
f sus.decrypterFunc 0 0x10002f3f
f sus.heapFree_un 0 0x10003f83
f sus.multiByteToWideChar_caller 0 0x1000369a
f sus.base64Decode 0 0x10002d4b
f sus.base64Encode 0 0x10002d8f
r00tten / cf38dd8ffa483be2768ac60eb0f00a4e_decrypt.py
Last active December 5, 2019 18:09
Reimplementation of the decryption routine of the file 6a64bc2905f213ed4baf27d9ca0844056c7184dd91269a56fcb55d2c707f52dc. https://r00tten.com/in-depth-analysis-rtf-file-drops-agent_tesla/
#!/usr/bin/python
import sys
import struct
import re
from rijndael.cipher.crypt import new
from rijndael.cipher.blockcipher import MODE_CBC
# Encrypted values collected from the sample; presumably populated by
# readValues() defined just below — TODO confirm what each entry holds.
encValues = []
def readValues():
#!/usr/bin/python
import r2pipe
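# Load the import list captured from ntdll, one entry per line. Swap in the
# commented-out filename to analyse the kernel32 list instead.
# The context manager closes the handle even if read() raises, which the
# previous open()/read()/close() sequence did not guarantee.
# NOTE(review): `file` shadows a Python 2 builtin (the shebang targets
# /usr/bin/python); harmless here, but a name such as `fh` would be safer.
with open('importsNtdll', 'r') as file:
#with open('importsKernel32', 'r') as file:
    imports = file.read()
# Deliberately split('\n') rather than splitlines(): a trailing newline still
# yields a final '' entry, exactly as before, in case downstream code relies on it.
imports = imports.split('\n')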
file = open('hashes', 'r')