Gianni Amato guelfoweb
guelfoweb
/ ps1_to_lumma.py
Last active
March 10, 2025 13:45
This script is designed to extract the LummaStealer executable (EXE) from the PowerShell script (PS1). It extracts the character codes from the PS1 script, decodes them from Base64, and applies a XOR operation with a default key to retrieve the final contents of the executable (lumma.exe.bin). Analysis: https://cert-agid.gov.it/news/analisi-di-u…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| import sys | |
| import base64 | |
| """ | |
| This script is designed to extract the LummaStealer executable (EXE) from the | |
| PowerShell script (PS1). It extracts the character codes from the PS1 script, decodes | |
| them from Base64, and applies a XOR operation with a default key to retrieve the final | |
| contents of the executable (lumma.exe.bin). |
guelfoweb
/ knock_subdomain_mapping.py
Created
August 31, 2017 13:26
This is an example of how to create a chart with subdomain network mapping
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is an example of how to create a chart with subdomain network mapping | |
| # | |
| # url to download knockparse: | |
| # https://gist.github.com/guelfoweb/5f27210130da5d70066a7ed31696be98 | |
| from knockparse import KnockpyParse | |
| import matplotlib.pyplot as plt | |
| import networkx as nx |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| """ | |
| # Knock Parser module | |
| # Just a parser for knockpy 4.1 output (full export with --json option) | |
| # knockpy: https://github.com/guelfoweb/knock | |
| # How to import knockparse: | |
| from knockparse import KnockpyParse |
guelfoweb
/ js_ransomware_downloader_decode.py
Created
March 21, 2016 11:05
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| l3 = '+cq+' | |
| t99 = ' "+' | |
| a89 = ' for' | |
| q3 = 'ring' | |
| g70 = 'rypt' | |
| y25 = 'r (' | |
| e43 = 'n+' | |
| q2 = '"+c' |
guelfoweb
/ js_locky_decode.py
Created
March 1, 2016 11:38
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| filename = 'SCAN000189077.js' | |
| with open(filename, 'r') as file: | |
| data = file.read().split('\n') | |
| for str in data: | |
| uMatch = re.findall('\\\u[0-9]{3}[0-9a-fA-F]{1}', str) | |
| for u in uMatch: |
guelfoweb
/ AES Bookmarklet
Created
November 26, 2015 12:25
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| javascript:(function()%7Bfunction Cipher(input%2Cw)%7Bvar Nb%3D4%3Bvar Nr%3Dw.length%2FNb-1%3Bvar state%3D%5B%5B%5D%2C%5B%5D%2C%5B%5D%2C%5B%5D%5D%3Bfor(var i%3D0%3Bi<4*Nb%3Bi%2B%2B)state%5Bi%254%5D%5BMath.floor(i%2F4)%5D%3Dinput%5Bi%5D%3Bstate%3DAddRoundKey(state%2Cw%2C0%2CNb)%3Bfor(var round%3D1%3B round<Nr%3Bround%2B%2B)%7Bstate %3D SubBytes(state%2CNb)%3Bstate%3DShiftRows(state%2CNb)%3Bstate%3DMixColumns(state%2CNb)%3Bstate%3DAddRoundKey(state%2Cw%2Cround%2CNb)%3B%7Dstate%3DSubBytes(state%2C Nb)%3Bstate%3DShiftRows(state%2C Nb)%3Bstate%3DAddRoundKey(state%2Cw%2CNr%2CNb)%3Bvar output%3Dnew Array(4*Nb)%3Bfor(var i%3D0%3Bi<4*Nb%3Bi%2B%2B) output%5Bi%5D%3Dstate%5Bi%254%5D%5BMath.floor(i%2F4)%5D%3Breturn output%3B%7Dfunction SubBytes(s%2CNb) %7Bfor(var r%3D0%3Br<4%3Br%2B%2B)%7Bfor(var c%3D0%3Bc<Nb%3Bc%2B%2B) s%5Br%5D%5Bc%5D%3DSbox%5Bs%5Br%5D%5Bc%5D%5D%3B%7Dreturn s%3B%7Dfunction ShiftRows(s%2CNb)%7Bvar t%3Dnew Array(4)%3Bfor(var r%3D1%3Br<4%3Br%2B%2B)%7Bfor(var c%3D0%3Bc<4%3Bc%2B%2B) t%5Bc%5D%3Ds%5Br%5D%5B(c%2B |
guelfoweb
/ athena_http_decode.py
Last active
February 5, 2016 21:11
A little code to decode Athena HTTP POST request and c&c response
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Athena HTTP - Decode HTTP POST request | |
| Gianni 'guelfoweb' Amato | |
| ''' | |
| import urllib | |
| import base64 | |
| import itertools | |
| from string import maketrans |