I hereby claim:
- I am silascutler on github.
- I am silascutler (https://keybase.io/silascutler) on keybase.
- I have a public key ASDDh8SdafblsJStYjOI-H-ItS33KeKle1vBidzY2cpeLgo
To claim this, I am signing this object:
```yara
rule netd_CreatedFiles {
    meta:
        author = "NCSC"
        description = "Unique file paths created by netd"
        date = "2023-08-31"
    strings:
        $ = "/data/local/tmp/.aid.cache"
        $ = "/data/local/tmp/.syscache.csv"
        $ = "/data/local/tmp/.syspackages.csv"
        $ = "/data/local/tmp/.sysinfo.csv"
```
```text
5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19
830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456
99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f
1f8dcfaebbcd7e71c2872e0ba2fc6db81d651cf654a21d33c78eae6662e62392
f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
23eff00dde0ee27dabad28c1f4ffb8b09e876f1e1a77c1e6fb735ab517d79b76
586f30907c3849c363145bfdcdabe3e2e4688cbd5688ff968e984b201b474730
```
```yara
rule SiennaBlue
{
    meta:
        author = "Microsoft Threat Intelligence Center (MSTIC)"
        description = "Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples"
        hash1 = "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86"
        hash2 = "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219"
    strings:
        $holylocker_s1 = "C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go"
        $holylocker_s2 = "HolyLocker/Main.EncryptionExtension"
```
```yara
// https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter
rule CyclopsBlink_module_initialisation
{
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to initialise the modules built into Cyclops Blink"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
```
| StringFmt | Assessed Name | Description |
|---|---|---|
| CFE | Create File Error | Sent if the call to CreateFileA() in sub_401C20() fails |
| GFSE | Get File Size Error | Sent if the call to GetFileSize() in sub_401C20() fails |
| LAE | Local Alloc Error | Sent if the call to LocalAlloc() in sub_401C20() fails |
| RFE | Read File Error | Sent if the call to ReadFile() in sub_401C20() fails |
| CPE | Create Process Error | Sent if the call to CreateProcess() in WinMain() fails |
| DFE | Delete File Error | Sent if an error is returned by the function that calls DeleteFile() in WinMain() |
```python
# IDAPython helper: print the function flags set on an IDA function.
from idautils import *
from idaapi import *
from idc import *


def descFlags(inflags):
    # FUNC_NORET: the function never returns to its caller
    if inflags & FUNC_NORET:
        print("Flag: FUNC_NORET")
    # FUNC_FAR: the function uses a far (segmented) return
    if inflags & FUNC_FAR:
        print("Flag: FUNC_FAR")
```
```bash
#!/bin/bash
# (C) Silas `p1nk` Cutler 2017
# Simple Sandbox Runner
VM_NAME="sandbox"
VM_USER="administrator"
VM_PASS="password"
```