I hereby claim:
- I am silascutler on github.
- I am silascutler (https://keybase.io/silascutler) on keybase.
- I have a public key whose fingerprint is C55A FC29 84F9 375A 0C12 CF4F 3E18 4A6C 6554 A731
To claim this, I am signing this object:
```bash
#!/bin/bash
# (C) Silas `p1nk` Cutler 2017
# Simple Sandbox Runner
VM_NAME="sandbox"
VM_USER="administrator"
VM_PASS="password"
```
```python
from idautils import *
from idaapi import *
from idc import *

def descFlags(inflags):
    # Print the names of the IDA function flags set in inflags.
    # print() with parentheses works under both Python 2 and Python 3 IDAPython.
    if inflags & FUNC_NORET:
        print("Flag: FUNC_NORET")
    if inflags & FUNC_FAR:
        print("Flag: FUNC_FAR")
```
StringFmt | Assessed Name | Description
---|---|---
CFE | Create File Error | Sent if an error occurs calling CreateFileA() in sub_401C20()
GFSE | Get File Size Error | Sent if an error occurs calling GetFileSize() in sub_401C20()
LAE | Local Alloc Error | Sent if an error occurs calling LocalAlloc() in sub_401C20()
RFE | Read File Error | Sent if an error occurs calling ReadFile() in sub_401C20()
CPE | Create Process Error | Sent if an error occurs calling CreateProcess() in WinMain()
DFE | Delete File Error | Sent if an error occurs after calling the function that calls DeleteFile() in WinMain()
```yara
// https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter
rule CyclopsBlink_module_initialisation
{
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to initialise the modules built into Cyclops Blink"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
```
```yara
rule SiennaBlue
{
    meta:
        author = "Microsoft Threat Intelligence Center (MSTIC)"
        description = "Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples"
        hash1 = "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86"
        hash2 = "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219"
    strings:
        $holylocker_s1 = "C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go"
        $holylocker_s2 = "HolyLocker/Main.EncryptionExtension"
```
```text
5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19
830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456
99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f
1f8dcfaebbcd7e71c2872e0ba2fc6db81d651cf654a21d33c78eae6662e62392
f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
23eff00dde0ee27dabad28c1f4ffb8b09e876f1e1a77c1e6fb735ab517d79b76
586f30907c3849c363145bfdcdabe3e2e4688cbd5688ff968e984b201b474730
```
```yara
rule netd_CreatedFiles {
    meta:
        author = "NCSC"
        description = "Unique file paths created by netd"
        date = "2023-08-31"
    strings:
        $ = "/data/local/tmp/.aid.cache"
        $ = "/data/local/tmp/.syscache.csv"
        $ = "/data/local/tmp/.syspackages.csv"
        $ = "/data/local/tmp/.sysinfo.csv"
```