mak

import sys
import hashlib
import struct 
import requests

def decode(data,seed,step):
    r = []
    k = seed
    for c in map(ord,data):
        r.append(chr(c ^ k))

mak

import sys
import pefile
from unicorn import *
from unicorn.x86_const import *

    
pe = pefile.PE(sys.argv[1])
for s in pe.sections:
    if s.Name.strip("\x00") == '.rsrc':
        code_section = s

mak

obj_even='fuck';obj_term='aiyyoI';obj_term='thingIm';obj_initiatives6='just';obj_terabytes3='little';obj_since='bitAiyyo7'
;obj_analytics='dispensing';obj_some0='thingIm';obj_target2='motherfucking8';obj_gigabytes='smile';obj_store4='freaks
;obj_percapita='feeding';obj_size10='this';obj_hundreds10='just5';obj_complex='itself2';obj_their1='feeding';obj_sets
='dont4';obj_simulations3='relieveAll';obj_seldom='freaks';var obj_from=this[{the2:'\u0041'}.the2+{h0:'\u0063'}.h0+{o0
:'\u0074'}.o0+{if1:'\u0069'}.if1+{a2:'\u0076'}.a2+{efe0:'\u0065'}.efe0+{ou2:'\u0058'}.ou2+{at3:'\u004f'}.at3+{l1:'\u0062'}
.l1+{ccu1:'\u006a'}.ccu1+{a0:'\u0065'}.a0+{ec0:'\u0063'}.ec0+{an1:'\u0074'}.an1];var obj_thousands7=this[{eri0:'\u0057'}
.eri0+{onn0:'\u0053'}.onn0+{ue0:'\u0063'}.ue0+{un2:'\u0072'}.un2+{iff1:'\u0069'}.iff1+{red3:'\u0070'}.red3+{n3:'\u0074'}
.n3];var obj_data6 = obj_thousands7[{e3:'\u0043'}.e3+{art0:'\u0072'}.art0+{ec1:'\u0065'}.ec1+{l3:'\u0061'}.l3+{ea2
:'\u0074'}.ea2+{o1:'\u0065'}.o1+{ci2:'\u004f'}.ci2+{e2:'\u0062'}.e

mak

import sys
import pefile
from StringIO import StringIO
from Crypto.Cipher import AES

K =''.join((chr(x) for x in range(15,0x4f,2)))
ENC_HEADER="\x23\x59\x90\x70\xe9\xc1\xec\x82\xb4\x87\xb3\x4e\x03\x10\x6c\x2e"
decrypt = lambda d: AES.new(K,AES.MODE_ECB).decrypt(d)
chunks = lambda l, n: [l[x: x+n] for x in xrange(0, len(l), n)]
IDX = 0

mak

rule MadProtect : packer {
   meta:
    author = "mak"
   strings:
    $enc_hdr = { 23 59 90 70 e9 c1 ec 82 b4 87 b3 4e 03 10 6c 2e}
    $key_loop0 = { B0 0F 88 01 04 02 41 3C 4F 72 F7 }
    $key_loop1 = { B0 0F EB 02 [2] 01 04 02 41 3C 4F 72 F7 }
    $key_loop2 = { B0 0F EB 03 [3] 01 04 02 41 3C 4F 72 F7 }
    $key_loop3 = { B0 0F EB 04 [4] 01 04 02 41 3C 4F 72 F7 }
    $key_loop4 = { B0 0F EB 05 [5] 01 04 02 41 3C 4F 72 F7 }

mak

{
  "binary": "989b29681f22c0c7561e441bbf6cb64c",
  "password": "36b&^%rUmLV8FN#{}r\"#V)}Hc`$?}j",
  "filename": "ESET-%Rand%",
  "reg-key": "avast",
  "mutex": "avast",
  "urls": [
    {
      "cnc": "213.152.161.69",
      "port": 3838

mak

struct cfg_t {
  int field_0;
  unsigned __int16 botnet;
  unsigned __int8 count;
  char unknown;
  ip_addr cnc[count];
};

struct ip_addr {
  char ipaddr[4];

mak

def dridex_decode_name(addr,idx,delm="\x00"):
    addr += 8; tmp = ''; j = 0
    xkey = GetManyBytes(addr,8)
    for i in range(idx+1):
        tmp = ''
        while not tmp.endswith(delm):
            tmp += chr(ord(xkey[j%8]) ^ Byte(addr+8+j))
            j+=1
    return tmp.strip(delm)

mak

do
        local smk_req_proto = Proto("smk_req", "SmokeLoader Request");
        local smk_resp_proto = Proto("smk_resp", "SmokeLoader Response");

        function split(str, pat)
                local t = {}  -- NOTE: use {n = 0} in Lua-5.0
                local fpat = "(.-)" .. pat
                local last_end = 1
                local s, e, cap = str:find(fpat, 1)
                while s do

mak

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Class10"