Trickbot COVID macro lure via MSFT: ec34b207d503a3c95ee743ee296a08e93a5e960aa4611ea8c39d8e5d4c5f6593
test.js
eval("WScript.CreateObject(\"WScript.Shell\").Run(\"calc.exe\");");
0xcpu
/ EndpointSecurityDemo.m
Created
May 18, 2022 12:46
— forked from Omar-Ikram/EndpointSecurityDemo.m
A demo of using Apple's EndpointSecurity framework - tested on macOS Monterey 12.2.1 (21D62)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // main.m | |
| // EndpointSecurityDemo | |
| // | |
| // Created by Omar Ikram on 17/06/2019 - macOS Catalina 10.15 Beta 1 (19A471t) | |
| // Updated by Omar Ikram on 15/08/2019 - macOS Catalina 10.15 Beta 5 (19A526h) | |
| // Updated by Omar Ikram on 01/12/2019 - macOS Catalina 10.15 (19A583) | |
| // Updated by Omar Ikram on 31/01/2021 - macOS Big Sur 11.1 (20C69) | |
| // Updated by Omar Ikram on 07/05/2021 - macOS Big Sur 11.3.1 (20E241) | |
| // Updated by Omar Ikram on 04/07/2021 - macOS Monterey 12 Beta 2 (21A5268h) |
0xcpu
/ snake_str_dec.py
Last active
June 12, 2020 06:03
IDAPython 3 Snake ransomware string decryption
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IDAPython 3 | |
| import ida_funcs | |
| import idautils | |
| import ida_ua | |
| import ida_xref | |
| import ida_bytes | |
| import heapq | |
| from collections import defaultdict | |
| from ctypes import c_ubyte |
0xcpu
/ StreamNotes_04212020.md
Created
April 29, 2020 14:02
— forked from mattifestation/StreamNotes_04212020.md
Twitch Stream Notes 04/21/2020 - Obfuscated Script-based Malware Analysis with the Anti-Malware Scan Interface (AMSI)
Search in IDA for mov eax, 0 and exclude from results those occuring in main function. (Let's save all this in a file named step1)
Then filter the information from step1 to extract only addresses, For example, using this command:
awk '{ print $1 }' step1 | cut -d':' -f2 > avoid_addr
Then use angr script to find a solution.
import angr
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 32c32 | |
| < | |
| --- | |
| > | |
| 69c69 | |
| < | |
| --- | |
| > | |
| 112,113c112,113 | |
| < if isinstance(value, unicode): |
You should definitely check AdrenSys writeup as it covers details about the challenge and the binary, I don't want to repeat what is already done. (Thank you for a great writeup!)
What I would like to add is how I solved this challenge, in a slightly different way, without involving Z3(although it's a great tool, and you should
try it :) ).
The key idea is that all 4 parts of the license key must not be equal to 0, but we know that (email_checksum ^ license_checksum ^ 0xaecbcc2) == 0.
The email checksum is 0xaed12f1, so the license_checksum should be 0x01ae33. Keeping in mind that all 4 parts of the license key
should not be equal to 0, we can create a license key with 3 parts having value 1 and the 4th part having value 0x42b0.
0xcpu
/ Get-InjectedThread.ps1
Created
June 14, 2017 08:15
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |