Karsten Hahn struppigel
struppigel
/ string_decrypter.py
Last active
March 2, 2025 11:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Uses PowerShell and dnlib to decrypt strings dynamically | |
| # requires pythonnet: pip install pythonnet | |
| # requires dnlib.dll: adjust path below if necessary, remove ZoneIdentifier if you downloaded it | |
| # | |
| # This is applicable for samples that have a non-generic static decrypt method with an integer | |
| # Small changes to the PS script will make it also work for non-static or generic methods | |
| # Caution: This script runs the sample's code! | |
| # author: Karsten Hahn @ G DATA CyberDefense | |
| import clr |
struppigel
/ privateloader.yar
Last active
December 7, 2024 07:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule PrivateLoader_ExportParsing | |
| { | |
| meta: | |
| author = "Karsten Hahn" | |
| description = "PrivateLoader export parsing" | |
| sha256 = "892834734712fe5bc7a6614be6972de1be2d74ad424ef47b2c701046e4912426" | |
| strings: | |
| $code = { | |
| b8 4d 5a 00 00 // MOV EAX,0x5a4d |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| format PE GUI | |
| entry start | |
| include 'win32a.inc' | |
| section '.text' code readable executable | |
| start: | |
| ; get handle to calling process | |
| push 0 |
struppigel
/ gist:3bc9cd078b607c11f70e01f38a29aed9
Created
November 17, 2024 07:00
Unpacking script x64dbg
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // for sample https://malshare.com/sample.php?action=detail&hash=20946142795ea4b9fafad9a279e5da0e2f491f567380d7f37570d451f3aa6b8f | |
| bc | |
| bphwc | |
| bp WriteProcessMemory | |
| run | |
| bc | |
| mov $payload,[esp+c] | |
| // calc size of dump area |
struppigel
/ dedosfuscator.py
Created
July 26, 2018 16:41
Deobfuscates Batch script in https://www.gdatasoftware.com/blog/2018/07/30924-g-data-analysis-discovers-dosfuscation-in-the-wild
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import re | |
| if len(sys.argv) <= 1: exit() | |
| scriptpath = sys.argv[1] | |
| with open(scriptpath, 'r') as scriptfile: | |
| script = scriptfile.read().replace('^', '') | |
| p = re.compile('\([Ss][Ee][Tt][^=]+=([^&]+)&&') | |
| s = p.search(script) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Petna / Eternalblue Petya | |
| ------------------------- | |
| Hashes: | |
| Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 | |
| Hashes below via McAfee article: https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/ | |
| Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1 | |
| PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5 | |
| 64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f | |
| 32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 |