Mert Degirmenci r00tten
r00tten
/ asciify.py
Last active
March 21, 2019 18:56
asciify unicode strings within the files. I didn't have time to test it properly. If you find a bug, just tell me.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # [X] Reading from file | |
| # [X] Splitting word by word | |
| # [X] Split ascii and unicode | |
| # [X] Determine a range and apply filter | |
| # [X] Collect all the unique ones in an array | |
| # [X] Create random english words for them | |
| # [X] Create an updated file | |
| # [ ] Work with folder and file as a input | |
| #!/usr/bin/python |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import os | |
| import logging | |
| whitelist = [] | |
| def banner(): | |
| print("") | |
| print(" ___ ___ _ _ ") |
r00tten
/ report_template.yml
Last active
April 17, 2019 05:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # LS19 Zararlı Yazılım Analiz Ekibi | |
| # Analiz Rapor Formatı | |
| # | |
| # Değer bölümünde | karakteri bulunan anahtarlara, çoklu girdi sağlayabilirsiniz. | |
| # | |
| # Örn: | |
| # key: | | |
| # First Value | |
| # Second Value | |
| # |
r00tten
/ 43d7ffd611932cf51d7150b176ecfc29_dll.yar
Last active
April 19, 2019 06:13
YARA rule of APT28 SedUploader variant. https://r00tten.com/late-night-show-apt28-phishing-document/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule SedUploader { | |
| meta: | |
| author = "Mert Degirmenci" | |
| description = "APT28 SedUploader variant" | |
| date = "15.04.2019" | |
| hash1 = "b20aab629ea7fa73b98be9f3df1568c0a3b37480" | |
| strings: | |
| // google.com |
r00tten
/ 43d7ffd611932cf51d7150b176ecfc29_responseAssurence.py
Last active
April 19, 2019 06:13
Verification assurance script, https://r00tten.com/late-night-show-apt28-phishing-document/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import sys | |
| import binascii | |
| array = [] | |
| xoredArray = [] | |
| # Hard coded XOR key | |
| xorKey = ['0x56', '0xd7', 'a7', '0a'] |
r00tten
/ 43d7ffd611932cf51d7150b176ecfc29_vbaScript.vba
Last active
April 19, 2019 06:14
Execute function, https://r00tten.com/late-night-show-apt28-phishing-document/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Private Sub Execute() | |
| Dim Path As String | |
| Dim FileNum As Long | |
| Dim xml() As Byte | |
| Dim bin() As Byte | |
| Const HIDDEN_WINDOW = 12 | |
| strComputer = "." | |
| xml = ActiveDocument.WordOpenXML | |
| Set xmlParser = CreateObject("Msxml2.DOMDocument") |
r00tten
/ 43d7ffd611932cf51d7150b176ecfc29_decryptFunc.py
Last active
April 19, 2019 06:14
Decrypter script, https://r00tten.com/late-night-show-apt28-phishing-document/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import sys | |
| import binascii | |
| import struct | |
| array = [] | |
| # Hard coded XOR key | |
| xorKey = [0x2d, 0x30, 0x71, 0x1b, 0x07, 0x0f, 0x43, 0x2d, 0x56, 0x2a] | |
| # Sample encryptted string |
r00tten
/ 43d7ffd611932cf51d7150b176ecfc29_r2DLL
Created
April 22, 2019 05:17
Flags that I have assigned during my analysis, https://r00tten.com/late-night-show-apt28-phishing-document/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| f sus.copyToBuffer 0 0x100030df | |
| f sus.lengthAsByte 0 0x10002b99 | |
| f sus.internetReadFile_caller 0 0x10003621 | |
| f sus.createMutex 0 0x10002cfc | |
| f sus.mainRoutine 0 0x10005b94 | |
| f sus.decrypterFunc 0 0x10002f3f | |
| f sus.heapFree_un 0 0x10003f83 | |
| f sus.multiByteToWideChar_caller 0 0x1000369a | |
| f sus.base64Decode 0 0x10002d4b | |
| f sus.base64Encode 0 0x10002d8f |
r00tten
/ c14c8d99ab4652e631b61af1dca873b4_shellcode_r2
Last active
December 5, 2019 18:06
Flags that I have assigned during my analysis, https://r00tten.com/in-depth-analysis-rtf-file-drops-agent_tesla/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| af @ 0xbe | |
| afvb -52 sus.imp.VirtualProtectEx int32_t @ 0xbe | |
| afvb -84 sus.imp.ResumeThread int32_t @ 0xbe | |
| afvb -60 sus.imp.VirtualFree int32_t @ 0xbe | |
| afvb -108 sus.imp.ReadProcessMemory int32_t @ 0xbe | |
| afvb -112 sus.imp.SetThreadContext int32_t @ 0xbe | |
| afvb -96 sus.imp.GetThreadContext int32_t @ 0xbe | |
| afvb -88 sus.imp.TerminateProcess int32_t @ 0xbe | |
| afvb -44 sus.imp.WriteProcessMemory int32_t @ 0xbe | |
| afvb -104 sus.imp.VirtualAlloc int32_t @ 0xbe |
r00tten
/ b12c59c082db972b11cc6e78fb10afc4_powershell_decrypt.py
Last active
December 5, 2019 18:08
Decryption routine for Powershell script, https://r00tten.com/in-depth-analysis-rtf-file-drops-agent_tesla/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import sys | |
| import re | |
| def decryptor(z5ef583): | |
| b9d4bc = "qaf669"; | |
| vfc9c = "" | |
| for i in xrange(0, len(z5ef583), 2): | |
| s3c1193 = int(('0x' + z5ef583[i:i+2]), 16) |
OlderNewer