@vkremez
vkremez / apt_BADFLICK _backdoor.yar
Last active March 27, 2018 00:35
apt_BADFLICK _backdoor.yar
rule apt_BADFLICK_backdoor {
meta:
description = "Detects BADFLICK backdoor"
author = "@VK_Intel"
reference = "BADFLICK backdoor"
date = "2018-03-26"
hash = "7ba05abdf8f0323aa30c3d52e22df951eb5b67a2620014336eab7907b0a5cedf"
reference = "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
C2 = "103[.]243[.]175[.]181"
@vkremez
vkremez / sad
Created December 17, 2017 02:29
asdsa
asdsa
@vkremez
vkremez / 9-4-2017_trickbot_gtag.cong
Created September 4, 2017 15:57
9-4-2017 - Trickbot "ser904" gtag new version 1000045 #NatWest Theme
<mcconf>
<ver>1000045</ver>
<gtag>ser904</gtag>
<servs>
<srv>84.238.198.166:449</srv>
<srv>91.139.236.92:449</srv>
<srv>84.40.65.85:449</srv>
<srv>67.21.84.23:443</srv>
<srv>210.16.102.251:443</srv>
<srv>216.107.149.57:443</srv>
@vkremez
vkremez / gist:d6a5d0c457d53febb6919c997a247c81
Created July 1, 2017 07:42
"Amazon.com - Your Cancellation" Weight Loss Scam
Date: June 28 2017
Spam: Amazon.com - Your Cancellation
First redirect: hxxp://vision2010usa[.]com/images/tinkles[.]php
Second redirect: hxxp://lostfat-7diets[.]world/?a=401336&c=cpcdiet&s=28062017
.cp1::115.141.144.155:80>196.18.220.197:80>111.181.22.130:80>241.191.106.196:80>101.232.174.116:80>27.165.58.104:80>115.218.212.4:80>23.199.135.243:80>171.98.66.193:80>87.179.163.192:8080>246.38.96.164:80>188.191.63.246:80>134.105.3.91:80>120.114.52.254:80>192.170.199.3:80>171.89.31.78:80>150.68.63.246:80>178.168.24.168:53856>158.18.210.249:8080>74.107.177.73:80>114.242.151.116:8080>66.205.125.144:80>19.212.37.10:8080>253.187.101.22:443>53.180.117.7:80>243.81.24.164:443>231.23.140.126:80>234.192.88.104:80>62.123.36.99:80>224.97.64.69:80>163.121.42.25:80>214.12.208.238:80>106.213.198.246:443>81.225.20.169:80>100.230.196.136:80>72.105.170.136:80>32.43.40.74:443>167.32.78.120:80>253.226.227.196:80>55.22.186.75:8080>4.175.165.200:443>238.16.160.152:80>78.184.194.117:80>6.29.34.83:80>47.81.119.19:80>89.42.251.164:443>190.147.231.186:20631>190.14.254.34:80>59.180.151.107:443>191.242.204.19:80>78.135.99.179:8080>108.83.139.121:50409>96.86.187.121:8080>191.102.111.166:80>190.183.222.157:443>80.82.69.181:443>80.74.43.
@vkremez
vkremez / crime_win_dharma_targeted_extensions.txt
Created June 16, 2017 21:41
Dharma Ransomware -> Targeted Extensions
.1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.
@vkremez
vkremez / Cerber Config June 16, 2017
Created June 16, 2017 07:22
Cerber Ransomware for Network Defense
{"blacklist":{"extensions":[".bat",".cmd",".com",".cpl",".dll",".exe",".hta",".msc",".msi",".msp",".pif",".scf",".scr",".sys"],"files":["bootsect.bak","iconcache.db","ntuser.dat","thumbs.db"],"folders":[":\\$getcurrent\\",":\\$recycle.bin\\",":\\$windows.~bt\\",":\\$windows.~ws\\",":\\boot\\",":\\documents and settings\\all users\\",":\\documents and settings\\default user\\",":\\documents and settings\\localservice\\",":\\documents and settings\\networkservice\\",":\\intel\\",":\\msocache\\",":\\perflogs\\",":\\program files (x86)\\",":\\program files\\",":\\programdata\\",":\\recovery\\",":\\recycled\\",":\\recycler\\",":\\systemvolume information\\",":\\temp\\",":\\windows.old\\",":\\windows10upgrade\\",":\\windows\\",":\\winnt\\","\\appdata\\local\\","\\appdata\\locallow\\","\\appdata\\roaming\\","\\local settings\\","\\public\\music\\sample music\\","\\public\\pictures\\samplepictures\\","\\public\\videos\\sample videos\\","\\tor browser\\"],"languages":[1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,
@vkremez
vkremez / gist:1436efa5e10b7caa49f7e2062b75c1a2
Created June 10, 2017 20:45
Translain LLC SHA1 hashes
bdf6f2cba229979d13994f51a1bfc2ebe61e22ba
3eb108c4192b971c3df8f873f259867dee076e9b
441f2044221eca642d30e7abdf9f188f308094e5
fe8b9e983c84b66a90ced390fc0b1bd30b7eae57
96607630983bff8668c3c664e33751542c29e60d
7105007b9271c673568efa097fde33262b4deff0
d5efc68d9f4ebd73ddcbe412ea867327b8ad03f8
0fba759bc891c2a05024dd3cca7d8570596b60ae
bbb20111d3b80c1beeb76b74dea44c4e3c90e22c
c631d6933da99ca5913b0a0dea73c9cfb7a00882
@vkremez
vkremez / keybase.md
Created December 7, 2016 03:32
keybase.md

Keybase proof

I hereby claim:

  • I am vkremez on github.
  • I am vk_intel (https://keybase.io/vk_intel) on keybase.
  • I have a public key ASAzBETY3F9hJnT3r_QFRspmRiyiGl101R_OyVHRiRlUkQo

To claim this, I am signing this object: