@idiom
idiom / __JS_s2.js
Created August 10, 2017 01:05
Fin7 JS
function B(C){
var D = new ActiveXObject("CDO.Message");
var E = D.BodyPart;
E.ContentTransferEncoding = "base64";
E.Charset = "windows-1251";
var F = E.GetEncodedContentStream();
F.WriteText(C);
F.Flush();
F = E.GetDecodedContentStream();
F.Charset = "utf-8";
@idiom
idiom / IOCs_PHP_Ransomware
Last active May 6, 2020 12:28
Quick decoding script for PHP Ransomware
Server List
kominki.szczecin[.]pl
rcproracing[.]com
xn--80aaumty[.]xn--p1ai
www.proleite[.]com.pt
northernhydro.co[.]uk
Param
/counter/index.php?log=
@idiom
idiom / jrat.json
Created July 11, 2017 17:48
Recent Adwind/AlienSpy/Jrat Config
{
"NETWORK": [{
"PORT": 2888,
"DNS": "194.68.59.50"
}],
"INSTALL": true,
"MODULE_PATH": "ww/m/Pg.D",
"PLUGIN_FOLDER": "OthxlrLLffC",
"JRE_FOLDER": "MmghqR",
"JAR_FOLDER": "wXnIEPKkySF",
@idiom
idiom / psdecomp.py
Created July 10, 2017 15:18
Script to decode and decompress Powershell Commands
import base64
import zlib
import argparse
def decode_command(cmd):
try:
# base64 decode the command
p1 = base64.b64decode(cmd)
@idiom
idiom / whakmoles.py
Created July 9, 2017 05:34
Simple decryptor for strings found in MOLE ransomware sample
"""
Simple decryptor for strings found in MOLE ransomware sample
MD5: d87cebeb7298e8669079ed3b4f203fd7
"""
def decrypt_string(ctext):
out = ""
@idiom
idiom / lmute.py
Created June 30, 2017 21:39
LokiBot Mutex Generator
import argparse
import hashlib
"""
Generates a LokiBot mutex for the given Machine GUID
Usage: python lmute.py {guid}
By @seanmw
@idiom
idiom / rules.yara
Created June 21, 2017 04:14
Yara Rules
rule rarsfx{
strings:
$markerold = {52 45 7e 5e}
$markernew = {52 61 72 21 1a 07 (00|01|02)}
condition:
$markerold or $markernew in (0..0x100000)
}
@idiom
idiom / README.md
Created June 7, 2017 20:30
Remote Debugging a DLL in IDAPro

Debugger process options for debugging a DLL on a remote system via the IDA remote debugging server:

  • Application: C:\windows\System32\rundll32.exe
  • Input File: Full path and dll name on the analysis workstation
  • Directory: Full path to the dll
  • Parameters: "Path on the remote workstation (location on win32_remote)\dll name",Export
Error Virtualbox Host Resource of type "Other Storage Device (20)" is not supported with SATA
Note: This was fixed in VirtualBox 5.0.22
Use the following steps to bypass the above error when importing an appliance.
1. Extract the contents of the .ova file: tar -xvf vm.ova
2. Open vm.ovf in an editor (vim vm.ovf) and replace all instances of ElementName with Caption
3. Replace vmware.sata.ahci with AHCI
4. Kill the .mf file with fire (the manifest holds checksums of the original files, which no longer match after editing the .ovf)
@idiom
idiom / psdecode.ps1
Created April 24, 2017 18:15
Script to decode a Base64 Encoded and Compressed PowerShell script
#
# Decode a base64 and compressed Powershell script.
#
$input = Read-Host -Prompt 'Base64 Text'
$decoded = $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream($(New-Object IO.MemoryStream(,$([Convert]::FromBase64String($input)))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
Write-Host "----- Decoded -----"