
decalage2/oletools 1374

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.

decalage2/ViperMonkey 651

A VBA parser and emulation engine to analyze malicious macros.

decalage2/awesome-security-hardening 547

A collection of awesome security hardening guides, tools and other resources

bontchev/pcodedmp 319

A VBA p-code disassembler

decalage2/olefile 136

olefile is a Python package to parse, read and write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, vbaProject.bin in MS Office 2007+ files, Image Composer and FlashPix files, Outlook messages, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc.

decalage2/balbuzard 67

Balbuzard is a package of malware analysis tools in python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns.

decalage2/exefilter 40

ExeFilter is an open-source tool and framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc) according to a configurable policy.

decalage2/oledump-contrib 34

The oledump-contrib repository contains plugins and enhancements for the oledump tool published by Didier Stevens.

decalage2/pyhtgen 12

pyhtgen (formerly HTML.py) provides a few classes to easily generate HTML content such as tables and lists.

decalage2/awesome-security 4

A collection of awesome software, libraries, documents, books, resources and cools stuffs about security.

delete branch stuhli/dfirtrack

delete branch : testing_django_q_hook

delete time in 7 minutes

push event kevoreilly/CAPEv2

doomedraven

commit sha 7b89b943d2d484e0827d48684a319c214a8d95b8

debugger tab


push time in 38 minutes

push event CERT-Polska/mwdb-core

Krzysztof Wielocha

commit sha 37e835804ed917259fe8034469d492a69797c4b1

Apply suggestions from code review to search Co-authored-by: Paweł Srokosz <pawel.srokosz@cert.pl>


push time in an hour

issue comment fireeye/stringsifter

does not run under virtualenv

Can't reproduce this on macOS 10.14.6 with python 3.7.9 brew, libomp brew and stringsifter 1.20201201. Created a virtualenv in a directory with a space in the name, no issues

wesinator

comment created time in an hour

fork JohnLaTwC/TaskManagerBitmap

Displays a bitmap on Task Manager's CPU activity view. For systems with > 64 CPUs.

fork in 2 hours

push event kevoreilly/CAPEv2

doomedraven

commit sha 68e12a113675d81ba8c267bb873125f729a2a129

Update static.py


push time in 2 hours

push event kevoreilly/CAPEv2

doomedraven

commit sha 3a62325edb75ace04904f0564383cc662db00b22

to support for db upgrade


push time in 2 hours

pull request comment intelowlproject/IntelOwl

Stratosphere blacklist

This pull request introduces 3 alerts when merging e808e0fcb068827064069d7fbe43ea40abc645f0 into fa472db8c9b3d4c7ec5201ec552f6f928b076814 - view on LGTM.com

new alerts:

  • 3 for Request without certificate validation
Rishabh-Kumar-07

comment created time in 2 hours
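LGTM's "Request without certificate validation" alert fires on outbound HTTPS requests made with verification disabled. The block below is an added example, not IntelOwl's analyzer code: it shows a verifying TLS context next to the pattern the alert flags, fetches a feed only through the verifying one, and parses and queries the blacklist offline. The URL, the line format of the feed and the sample list are assumptions made for the example, not Stratosphere data.

```python
"""Fetch an IP blacklist over HTTPS with certificate validation left on,
and look IPs up in it.  Added example, not IntelOwl's analyzer code; the
URL and the blacklist line format are assumptions for illustration.

LGTM's "Request without certificate validation" alert fires when a request
is made with verification disabled (requests' verify=False, or an ssl
context with CERT_NONE).  The fix is to keep default verification and, for
a private CA, point the context at that CA bundle instead of turning it off.
"""
import ipaddress
import ssl
import urllib.request
from typing import Dict, Optional

BLACKLIST_URL = "https://example.invalid/blacklist.csv"  # placeholder, not a real feed


def make_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verifying context: CERT_REQUIRED plus hostname check (the stdlib default)."""
    return ssl.create_default_context(cafile=ca_bundle)


def insecure_tls_context() -> ssl.SSLContext:
    """The pattern the alert is about: verification switched off.
    Shown only for comparison; never use this against a live feed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_blacklist(url: str = BLACKLIST_URL, timeout: float = 10.0) -> str:
    ctx = make_tls_context()
    if not is_verifying(ctx):  # guard against a cert error being "fixed" by loosening ctx
        raise RuntimeError("refusing to fetch a threat feed without certificate validation")
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_blacklist(text: str) -> Dict[str, str]:
    """Map normalised IP -> source line.  Assumed format: '#' comment lines,
    one indicator per line, fields separated by commas or whitespace, and the
    first field that parses as an IP address is the indicator."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for field in line.replace(",", " ").split():
            try:
                addr = ipaddress.ip_address(field)
            except ValueError:
                continue
            table[str(addr)] = line
            break
    return table


def lookup(ip: str, table: Dict[str, str]) -> Optional[str]:
    """Normalise the query the same way, so '2001:DB8::1' matches '2001:db8::1'."""
    try:
        key = str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        return None
    return table.get(key)


# Constructed sample in the assumed "number,ip,rating" layout (not real feed data).
SAMPLE_BLACKLIST = """\
# constructed sample, not Stratosphere data
# number,ip,rating
1,198.51.100.7,0.93
2,203.0.113.42,0.71
3,2001:db8::1,0.55
"""

if __name__ == "__main__":
    table = parse_blacklist(SAMPLE_BLACKLIST)
    for query in ("203.0.113.42", "2001:DB8::1", "192.0.2.1"):
        print(query, "->", lookup(query, table))
```

The `is_verifying` guard is the check to keep in an analyzer: a cert error on a feed host should be fixed by supplying the right CA bundle to `make_tls_context`, not by dropping to the comparison context.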

issue comment intelowlproject/IntelOwl

Add Stratosphere prioritized blacklists

I have made a PR. Let me know if some changes need to be done.

mlodic

comment created time in 2 hours

PR opened intelowlproject/IntelOwl

Stratosphere blacklist

Description

Adding a new analyzer to cross-reference the IP against the blacklist provided by Stratosphere Labs.

Fixes

#216

Type of change

  • [+] New feature (non-breaking change which adds functionality).

Checklist

  • [+] The pull request is for the branch develop
  • [+] I changed the file Usage and ReadMe if I added a new analyzer.
  • [+] I have added tests in the Tests folder.
  • [+] The tests gave 0 errors.
  • [+] Black gave 0 errors.
  • [+] Flake gave 0 errors.
  • [+] I squashed the commits into a single one.

Real World Example

[3 screenshots]

+181 -3

0 comment

8 changed files

pr created time in 2 hours

issue closed vxunderground/MalwareSourceCode

Reversed WannaCry by stacksmashing

Also an idea for you: adding "Other" malware code (rewritten code, code parts & snippets, reversed & decompiled, tools)

Code: https://github.com/ghidraninja/ReversingWannacry

Videos: https://www.youtube.com/watch?v=Sv8yu12y5zM https://www.youtube.com/watch?v=Q90uZS3taG0 https://www.youtube.com/watch?v=ru5VzUigKqw

closed time in 2 hours

DartPower

issue comment cve-search/cve-search

Mismatch between documentation and API

That's correct; the public instance (cve.circl.lu) does not expose all the api endpoints of cve search. If you would like the full api "experience" you will need to host an instance (locally) for yourself.

Pamplemousse

comment created time in 2 hours

issue comment TeamMsgExtractor/msg-extractor

Error retrieving date

import extract_msg

msg = extract_msg.openMsg("path/to/msg/file.msg")
body = msg.rtfBody.decode('utf-8') # This is the body of the message, in rtf format. If you need to view it properly, you can save this to an rtf file.
url = body[body.index('href="') + 6:body.index('"', body.index('href="') + 6)] # This is the code I made to grab the url from the rtf body.

Hope this helps.

larytet

comment created time in 3 hours

issue opened cve-search/cve-search

Mismatch between documentation and API

When trying to fetch CVEs for a specific vendor's product on https://cve.circl.lu/api as per https://github.com/cve-search/cve-search/blob/9b953c05a8a5e0c1aefa0e62aace45f0fcfbb3cc/doc/markdown/api.md#L21-L27, I obtain a 404 error...

curl -I https://cve.circl.lu/api/search/microsoft/office
HTTP/1.1 404 NOT FOUND
Date: Wed, 02 Dec 2020 17:16:11 GMT
Server: TornadoServer/6.0.4
Strict-Transport-Security: max-age=15768000
Content-Type: text/html; charset=utf-8
Content-Length: 3022
Access-Control-Allow-Origin: https://cve.circl.lu

created time in 3 hours

issue comment TeamMsgExtractor/msg-extractor

Error retrieving date

I've seen some bad msg files in my time working on this, but this one actually took the cake for the worst.

The reason that warning is there is to let us know that an msg file might end up using a date stream that we are not currently aware of, and the warning will provide us with all the data we need to identify it if it exists.

I'll do what I can real quick to see if I can find the links in the data. The only stream of body text I could find was rtf. I'll post a response with code shortly.

larytet

comment created time in 3 hours

issue comment TeamMsgExtractor/msg-extractor

Error retrieving date

I do not know what program generated the problem. I suspect that the file - a phishing e-mail - is broken intentionally.

larytet

comment created time in 3 hours

issue closed fireeye/stringsifter

Python 3.8 not supported

Stringsifter depends on numpy==1.17.1 , scipy==1.3.1. These versions do not support Python 3.8. But in setup.py, it's mentioned that stringsifter supports python>=3.6.

closed time in 3 hours

Eshaan7

issue comment fireeye/stringsifter

Python 3.8 not supported

Fixed in version 2.20201202

Eshaan7

comment created time in 3 hours

push event fireeye/stringsifter

Eamon Walsh

commit sha 3cb284a36f59a4827bfe517dd15e231a4cb6e279

Update README


push time in 3 hours

create branch fireeye/stringsifter

branch : feat/readme_update

created branch time in 3 hours

issue comment TeamMsgExtractor/msg-extractor

Error retrieving date

Thank you for sending this to us. Upon reviewing the error output as well as the file you sent, I have determined that you have what we would consider to be a bad msg file (the warning is caused by a problem with the file rather than a problem with our program).

The program uses a specific stream to get certain values, one type of which is dates. These dates have the extension of 0040, which none of the properties inside of your file have. The following is a list of all of the properties that were found (that don't have their own individual streams):

0017: Importance
0026: Priority
0E07: Message Flags
0E1F: Rtf In Sync?
340D: Store Support Mask
3FDE: Internet Codepage

None of these are date properties in any way. As such, the properties stream cannot retrieve a date from the file.

From my experience with msg files, I feel relatively confident that this was not generated using Microsoft Outlook (if it was, that's a big problem), so might I ask what program you used to generate this msg file?

larytet

comment created time in 3 hours
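The properties-stream layout the maintainer describes (fixed entries whose tag carries the property ID and type, with type 0040 marking a PT_SYSTIME date) can be checked directly against the hex the warning printed in the issue. The following is an added example, not msg-extractor's own code: it reassembles that dump, lists each entry in the same ID-plus-type key form the dict_keys line uses, decodes the fixed-size values, and reports that no 0040-typed entry exists, which is why the library falls back to "Unknown". The 32-byte top-level header length follows MS-OXMSG; the type table, constants and helper names are mine.

```python
"""Decode the .msg properties stream that extract_msg dumps in its
"Error retrieving date" warning, and check it for date-typed properties.

Added example, not msg-extractor's own code.  Layout follows MS-OXMSG:
a fixed header (32 bytes for the top-level message, 24 for an embedded
message, 8 for recipient/attachment objects), then 16-byte entries of
  property tag  (uint32 LE: low 16 bits = type, high 16 bits = ID)
  flags         (uint32 LE)
  value         (8 bytes: the value for fixed-size types, the byte length
                 of the companion stream for string/binary types)
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Union

# Property-type codes from MS-OXCDATA (the subset seen in ordinary .msg files).
PROP_TYPES = {
    0x0002: "PT_SHORT", 0x0003: "PT_LONG", 0x000B: "PT_BOOLEAN",
    0x0014: "PT_LONGLONG", 0x001E: "PT_STRING8", 0x001F: "PT_UNICODE",
    0x0040: "PT_SYSTIME", 0x0102: "PT_BINARY",
}
PT_SYSTIME = 0x0040
TOP_LEVEL_HEADER_LEN = 32
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The properties stream from the issue: 32 zero header bytes followed by the
# twelve 16-byte entries, reassembled from the hex in the warning output.
ISSUE_PROPERTIES_HEX = "00" * TOP_LEVEL_HEADER_LEN + "".join([
    "03000D34060000000000040000000000",  # 340D PT_LONG     store support mask
    "0300DE3F06000000E404000000000000",  # 3FDE PT_LONG     internet codepage
    "0201091006000000890B000000000000",  # 1009 PT_BINARY   RTF body (length only)
    "0B001F0E060000000100000000000000",  # 0E1F PT_BOOLEAN  RTF in sync
    "1F003700060000002600000000000000",  # 0037 PT_UNICODE  subject (length only)
    "1F001D0E060000002600000000000000",  # 0E1D PT_UNICODE  normalized subject
    "1F007000060000002600000000000000",  # 0070 PT_UNICODE  conversation topic
    "1F007D00060000001C01000000000000",  # 007D PT_UNICODE  transport headers
    "03002600060000000000000000000000",  # 0026 PT_LONG     priority
    "03001700060000000100000000000000",  # 0017 PT_LONG     importance
    "0300070E060000000100000000000000",  # 0E07 PT_LONG     message flags
    "1F001A00060000001200000000000000",  # 001A PT_UNICODE  message class
])


class PropEntry(NamedTuple):
    prop_id: int
    prop_type: int
    flags: int
    raw_value: bytes

    @property
    def key(self) -> str:
        """Same 'IIIITTTT' form extract_msg uses for its dict keys."""
        return f"{self.prop_id:04X}{self.prop_type:04X}"

    @property
    def type_name(self) -> str:
        return PROP_TYPES.get(self.prop_type, f"0x{self.prop_type:04X}")


def parse_properties_stream(data: bytes, header_len: int = TOP_LEVEL_HEADER_LEN) -> List[PropEntry]:
    if (len(data) - header_len) % 16:
        raise ValueError("properties stream is not header + whole 16-byte entries")
    entries = []
    for off in range(header_len, len(data), 16):
        tag, flags = struct.unpack_from("<II", data, off)
        entries.append(PropEntry(tag >> 16, tag & 0xFFFF, flags, data[off + 8:off + 16]))
    return entries


def filetime_to_datetime(filetime: int) -> datetime:
    """PT_SYSTIME is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_value(entry: PropEntry) -> Union[int, bool, datetime]:
    raw = entry.raw_value
    if entry.prop_type == 0x0002:
        return struct.unpack_from("<h", raw)[0]
    if entry.prop_type == 0x0003:
        return struct.unpack_from("<i", raw)[0]
    if entry.prop_type == 0x000B:
        return struct.unpack_from("<H", raw)[0] != 0
    if entry.prop_type == 0x0014:
        return struct.unpack_from("<q", raw)[0]
    if entry.prop_type == PT_SYSTIME:
        return filetime_to_datetime(struct.unpack_from("<Q", raw)[0])
    if entry.prop_type in (0x001E, 0x001F, 0x0102):
        # Variable-length types keep their data in a separate stream; the
        # entry only records that stream's length in bytes.
        return struct.unpack_from("<I", raw)[0]
    raise ValueError(f"unhandled property type 0x{entry.prop_type:04X}")


def find_date_properties(entries: List[PropEntry]) -> List[PropEntry]:
    """What extract_msg needs: a PT_SYSTIME (0040) entry it can use as a date."""
    return [e for e in entries if e.prop_type == PT_SYSTIME]


def summarize(hex_dump: str) -> List[tuple]:
    entries = parse_properties_stream(bytes.fromhex(hex_dump))
    return [(e.key, e.type_name, decode_value(e)) for e in entries]


if __name__ == "__main__":
    for key, type_name, value in summarize(ISSUE_PROPERTIES_HEX):
        print(f"{key}  {type_name:<11} {value!r}")
    dates = find_date_properties(parse_properties_stream(bytes.fromhex(ISSUE_PROPERTIES_HEX)))
    print("date properties:", [d.key for d in dates] or "none, so extract_msg reports 'Unknown'")
```

Running it lists the same twelve keys as the warning's dict_keys line, decodes the codepage entry to 1252 and the message-class length to 18 bytes (a null-terminated UTF-16 "IPM.Note"), and finds no 0040 entry; the six fixed-size properties it decodes are exactly the six the maintainer listed.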

push event swisskyrepo/PayloadsAllTheThings

Swissky

commit sha e13f152b748ca850f6ccb378d638c37ee389e177

AD - Recon


push time in 3 hours

create branch fireeye/stringsifter

branch : python3.7

created branch time in 4 hours

delete branch fireeye/stringsifter

delete branch : feat/python3.8

delete time in 4 hours

PR closed fireeye/stringsifter

Feat/python3.8
+89 -83

2 comments

8 changed files

ewalshfeye

pr closed time in 4 hours

pull request comment fireeye/stringsifter

Feat/python3.8

Pushed these changes directly after making additional Pipfile.lock changes. Closing

ewalshfeye

comment created time in 4 hours

push event fireeye/stringsifter

Eamon Walsh

commit sha 859e9715c0fd44d9118e4dc6e78b617b44a905f0

Update pickled models and dependencies for Python 3.8


Eamon Walsh

commit sha 55d1104bd24510e64cc2ca99d3889cfece542f08

Release 2.20121202


push time in 4 hours

created tag fireeye/stringsifter

tag v2.20201202

A machine learning tool that ranks strings based on their relevance for malware analysis.

created time in 4 hours

issue opened TeamMsgExtractor/msg-extractor

Error retrieving date

extract_msg.properties:WARNING:properties.py:139:Error retrieving date. Setting as "Unknown". Please send the following data to developer:
--------------------
extract_msg.properties:WARNING:properties.py:140:000000000000000000000000000000000000000000000000000000000000000003000D340600000000000400000000000300DE3F06000000E4040000000000000201091006000000890B0000000000000B001F0E0600000001000000000000001F0037000600000026000000000000001F001D0E0600000026000000000000001F0070000600000026000000000000001F007D00060000001C0100000000000003002600060000000000000000000000030017000600000001000000000000000300070E0600000001000000000000001F001A00060000001200000000000000
extract_msg.properties:WARNING:properties.py:141:dict_keys(['340D0003', '3FDE0003', '10090102', '0E1F000B', '0037001F', '0E1D001F', '0070001F', '007D001F', '00260003', '00170003', '0E070003', '001A001F'])
extract_msg.properties:WARNING:properties.py:142:--------------------

created time in 4 hours

issue comment TheHive-Project/Cortex-Analyzers

[Bug] Mail Responder recipient address not found in tags

Same problem. Apparently this is due to the fact that when the tag is saved, The Hive4 changes "mail:" to "mail="

My workaround: in mailer.py replace mail_tags = [t[5:] for t in tags if t.startswith("mail:")] with mail_tags = [t[5:] for t in tags if t.startswith("mail=")]

jaysadat

comment created time in 4 hours
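The workaround above trades one tag separator for the other, so cases tagged the old way stop matching. The block below is an added example, not the Cortex Mailer responder's code: it accepts both the "mail:addr" and "mail=addr" forms, drops tags whose value is not shaped like an address, and de-duplicates, which is the generalisation of the one-liner a practitioner would carry into mailer.py. The tag list is constructed for the example.

```python
"""Extract recipient addresses from case tags in either the "mail:addr"
or the "mail=addr" form.  Added example, not the Cortex Mailer responder's
own code; it generalises the one-line workaround so both tag styles work."""
import re
from typing import List

# Either separator after the "mail" prefix, case-insensitive on the prefix.
TAG_RE = re.compile(r"^mail[:=](.+)$", re.IGNORECASE)
# Deliberately simple shape check: one '@', no whitespace, a dot in the domain.
# It is a sanity filter before handing addresses to an SMTP client, not RFC 5322.
ADDR_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")


def recipients_from_tags(tags: List[str]) -> List[str]:
    """Return unique, plausible recipient addresses in first-seen order."""
    seen_lower = set()
    recipients: List[str] = []
    for tag in tags:
        match = TAG_RE.match(tag.strip())
        if not match:
            continue  # not a mail tag (e.g. "severity=high")
        addr = match.group(1).strip()
        if not ADDR_RE.match(addr):
            continue  # malformed value: skip rather than mail garbage
        if addr.lower() in seen_lower:
            continue
        seen_lower.add(addr.lower())
        recipients.append(addr)
    return recipients


if __name__ == "__main__":
    # Constructed tag list mixing TheHive 3 and TheHive 4 styles.
    sample_tags = ["mail:soc@example.com", "mail=ir@example.com",
                   "severity=high", "mail=not-an-address", "MAIL:SOC@example.com"]
    print(recipients_from_tags(sample_tags))
```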
