Josh Stroschein jstrosch
jstrosch
/ gist:407378e4f6dbf1261ba564d872c3ff76
Created
August 10, 2021 21:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Originally reported: https://twitter.com/James_inthe_box/status/1425187264435429378 | |
| 2021-08-10 14:47:22,752 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://regiontreasure.com/js/vendor/option.php ) | |
| 2021-08-10 14:47:24,001 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://ishaninfocom.com/images/Newimage/core.lib.php ) | |
| 2021-08-10 14:48:16,637 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://glasstryon.com/webcamjs/flash/com/adobe/images/viewer.php ) | |
| 2021-08-10 14:48:32,720 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://toucan.webiknows.net/vendor/swiper/css/type.php ) | |
| 2021-08-10 14:49:03,635 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://essennvalves.in/essennvalves.in/plugins/material-design-iconic-font/css/app.class.php ) | |
| 2021-08-10 14:49:47,965 — SubCrawl — INFO — [YARA] Matches - protected_webshell (https://elearning.thegurukulonline.com/class_8/Computer/app.class.php ) | |
| 2021-08-10 14:50:36,629 — SubCrawl — INFO — [YARA] Ma |
jstrosch
/ gist:05cb214b8ec0a7925034b58536af232c
Last active
August 10, 2021 18:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Host: hxxps://styservice[.]com/ | |
| Originally reported: https://twitter.com/TheDFIRReport/status/1425081154978435072 | |
| <===== styservice.com =====> | |
| [PayloadProcessing] pe32 executable (console) intel 80386, for ms windows( https://styservice.com/adfind.exe ) | |
| [SHA256] 842737b5c36f624c9420a005239b04876990a2c4011db87fe67504fa09281031 | |
| [PayloadProcessing] pe32 executable (console) intel 80386, for ms windows( https://styservice.com/bat/MsiZap.exe ) | |
| [SHA256] c8089b1734f68420e912978ac0dd29d8772b1f527d2bffbaaa9d3fad9f4051e5 | |
| [PayloadProcessing] pe32 executable (dll) (gui) intel 80386, for ms windows( https://styservice.com/croperdate/croperdate.dll ) | |
| [SHA256] 55822cc7e26fd8ba5d782eae68b2171b6551815f1f6eb5334ae0fcddbee70d39 |
jstrosch
/ gist:bf9f5f9a4f42dec4d9ec4162e8299d19
Created
July 1, 2021 20:40
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [!!] Found PE file at http://ourfirm.com/wordpress/bolo/bob/bilions.exe (a4442121fec5c10f6e974ba45b4f387c16e053f145aa19668d15d564759f32c2) | |
| [!!] Found PE file at http://ourfirm.com/wordpress/bolo/bob/bob.exe (21927bf4f06796fa88673a1c57da732c96b0db449c79006c9b73f48ac18f0a89) | |
| [!!] Found PE file at http://ourfirm.com/wordpress/bolo/bob/eba.exe (b1f257789748f730c5049aa47653680a1297a890c7ba86f8f914869b66249664) | |
| [!!] Found PE file at http://ourfirm.com/wordpress/bolo/bob/effot.exe (cf81c86cc82a3ffc8d21661e1042d2e4d9807828563d2d00a0a2079095eeac1e) | |
| [!!] Found PE file at http://ourfirm.com/wordpress/bolo/bob/father.exe (ea831d181c370ffd8dbfe01745f662406e2cd2ebbb517c071ea03195828927a5) | |
| [!!] Found PE file at http://ourfirm.com/wordpress/bolo/bob/jamiiiit.exe (0bd227d2f60b372d2981b296ee2fd1a11d18efd1ccb24f08753b8c857e019678) | |
| [!!] Found PE file at http://ourfirm.com/wordpress/bolo/bob/jasp.exe (b431ce5dc4ecd3ca9efbce074bbe8c85602765dc2a8cf98cc3765f6298f71569) | |
| [!!] Found PE file at http://ourfirm.com/wordpress/bolo/bob/jojo |
jstrosch
/ gist:69b13b22192b3eff87e08747243da6b1
Created
May 21, 2021 12:17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://twitter.com/jstrosch/status/1381402587119845382 | |
| host: hxxp://45.15.143[.]191/files/ | |
| <===== PE =====> | |
| [*] PE SHA256:91e01b2c053bd6ebb4a00d3f9dd0ab710cd051ac1ccc1a0bd6feafbd915a00b9 | |
| [HOST] http://45.15.143.191/files/file1.exe | |
| [*] PE SHA256:11f1345ee856c98d60b582038559f98568bba03e9317d6ec09bc3ece4f04c422 | |
| [HOST] http://45.15.143.191/files/file3.exe | |
| [*] PE SHA256:c7ede30eb16f27dbc16ff274604fccb2c5bbce03784f989725abe9c43f491050 | |
| [HOST] http://45.15.143.191/files/file4.exe |
jstrosch
/ gist:a664b9a4f40a7f6760e6a728b65b1692
Created
May 21, 2021 12:06
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://twitter.com/FewAtoms/status/1395079628830748679 | |
| <===== PE =====> | |
| [*] PE SHA256:39198fb48d5a9783e54e386839fd37a14251ceb9229c3d02a23b22cdce64b651 | |
| [HOST] http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/img/ABU.exe | |
| [*] PE SHA256:be8a33c8e69e56e967b34715eb20fe3184e1fd290d28c4b36530e3ba91efa21a | |
| [HOST] http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/img/AVN.exe | |
| [*] PE SHA256:a78ed83d751821d85c9ad22ba633acde5b6dbc579ca08a69a6da07e4bfe35635 | |
| [HOST] http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/img/EHH.exe | |
| [*] PE SHA256:f1829ec9df7ef7851d6310ddd4cab7cb74f59b12e3f193e0b960c2ebe7e32028 |
jstrosch
/ gist:73dfc00f8125791de26ed674133ba395
Created
May 17, 2021 19:47
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://twitter.com/FewAtoms/status/1394374576709189632 | |
| host: hxxp://45.15.143[.]191/files/ | |
| <===== PE =====> | |
| [*] PE SHA256:2d10eb6a268b69ddf6c3082094664039eb3b6844094d9cd2cd62637321a34c56 | |
| [HOST] http://45.15.143.191/files/file1.exe | |
| [*] PE SHA256:8a4fcda9c3f0f0fd4bc5f871edf239d6722797dbea1c3a91d966e972cfe74898 | |
| [HOST] http://45.15.143.191/files/file2.exe | |
| [*] PE SHA256:a8aaa72d6ce21c36d0c97f663830fa57855cf9bbb43afc5f1c85e65658288852 | |
| [HOST] http://45.15.143.191/files/file2s.exe |
jstrosch
/ gist:dbf874a40f1cedc139ca05363be49c40
Created
May 11, 2021 02:45
open directory with lokibot panel and trojan
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <===== ZIPS =====> | |
| [HOST] http://yarpa.lt/goodlogs | |
| [HOST] http://yarpa.lt/wire/LokiPanel.zip | |
| [HOST] http://yarpa.lt/money/LokiPanel.zip | |
| [HOST] http://yarpa.lt/excel/DHL%20AWB.zip | |
| [HOST] http://yarpa.lt/goodlog/LokiPanel.zip | |
| <===== PE =====> | |
| [*] PE SHA256:d92cff6842da2ab3bb0f2ed868b84b525071cb5c4b7a282974169cf14cae9ca4 | |
| [HOST] http://yarpa.lt/patric/Bskftg.exe |
jstrosch
/ gist:f76c07666f16de82cfe33eb48ff64806
Created
May 5, 2021 14:56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://twitter.com/James_inthe_box/status/1389927787495002118 | |
| <===== PE =====> | |
| [*] PE SHA256:0df50fffae1f82940ba8ac5af3ea2d3f1a2d79b830ebf7e441ff5e25cc254189 | |
| [HOST] http://madagascar-green-island-discovery.com/Img/FRK.exe | |
| [*] PE SHA256:52b98cca3167f7f97a7ae7729aeddee0b2280a18841d692697bd6dea415f3abe | |
| [HOST] http://madagascar-green-island-discovery.com/Img/JOT.exe | |
| [*] PE SHA256:ea0e8d36f1761c49e88d9ea7bbb9bdfc9c42f7a6e4eeb5c50cbd8c89d754cb4d | |
| [HOST] http://madagascar-green-island-discovery.com/Img/KINO.exe | |
| [*] PE SHA256:755fede7240f600d66e808cfdc6e6cffaed4405eb07d139d632e4e8319929bce |
jstrosch
/ Generate Binary Images with Pixd from a directory
Created
February 16, 2021 18:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| SAMPLES=$1 | |
| # Ensure there is at least one argument | |
| if [ $# -eq 0 ]; then | |
| echo "[!] Usage: $0 'path to binary files'"; | |
| exit 1; | |
| fi |
jstrosch
/ arkime-process-pcap.sh
Last active
February 25, 2025 04:10
This script is designed to facilitate the process of ingesting PCAPs with Arkime. It will clear the local elastic database and process the PCAP using "moloch-capture" service. This script was primarily designed to be used with the following course on PluralSight: https://www.pluralsight.com/courses/network-analysis-arkime
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| #Author: Josh Stroschein (@jstrosch) | |
| #Date: 28 Nov 2020 | |
| #Desc: Script used to process a PCAP file with Arkime (formerly Moloch) | |
| PCAP=$1 | |
| # Ensure there is at least one argument | |
| if [ $# -eq 0 ]; then | |
| echo "[!] Usage: $0 'path to PCAP file'"; |