z3r0 thez3r0

@thez3r0
thez3r0 / JAF Ransomware - FactSheet.md
Last active May 18, 2017 19:24
Jaff - New Ransomware From the Actors Behind the Distribution of Dridex, Locky, and Bart

Jaff ransomware creates entries in the Windows Registry to achieve a form of persistence, and even to launch and repress processes inside the Windows operating system. Some of these entries are designed to start the virus automatically every time Windows launches. One registry entry reported to be created by this ransomware is the following:

→HKCU\Control Panel\Desktop\Wallpaper “C:\ProgramData\Rondo\WallpapeR.bmp”

The ransom note is displayed after the encryption process is complete. It is placed in three identical files, ReadMe.bmp, ReadMe.html and ReadMe.txt, which contain the instructions.

Jaff Ransomware Indicators of Compromise (IOCs)

| IOC | IOC Type | Description |
|---|---|---|

@thez3r0
thez3r0 / Sinholer.bat
Created May 13, 2017 18:21
Check whether your AV blocks the Kill Switch URL or not
@Echo off
mode 50,9
title WannaCry SinkHoler
color 02
cls
ECHO.
echo ****************************
echo * WannaCry SinkHoler
echo * Author: .anir0y
echo * Follow: fb.com/anir0y
@thez3r0
thez3r0 / whatsapp_phone_enumerator_floated_div.js
Created May 13, 2017 17:58
PoC WhatsApp enumeration of phonenumbers, profile pics, about texts and online statuses (floated div)
/*
PoC WhatsApp enumeration of phonenumbers, profile pics, about texts and online statuses
Floated div edition
01-05-2017
(c) 2017 - Loran Kloeze - loran@ralon.nl
This script creates a UI on top of the WhatsApp Web interface. It enumerates certain kinds
of information from a range of phonenumbers. It doesn't matter if these numbers are part
of your contact list. At the end a table is displayed containing phonenumbers, profile pics,
about texts and online statuses. The online statuses are being updated every

Keybase proof

I hereby claim:

  • I am thez3r0 on github.
  • I am anir0y (https://keybase.io/anir0y) on keybase.
  • I have a public key whose fingerprint is C2DD 925A E4EA 4B4B 64F3 0522 EA60 6F14 2CBC AFD7

To claim this, I am signing this object: