James_inthe_box

Bleh

Aug 15th, 2018
binsequencer.py samples/

[+] Extracting instructions and generating sets

[-]samples/0001.exe
8e^+B - 269464 instructions extracted
.text - 11186 instructions extracted
- 253 instructions extracted
[-]samples/SWIFT-COPY.exe
T%F~$>T - 111110 instructions extracted
.text - 10624 instructions extracted
- 253 instructions extracted
[-]samples/ucheqqqqqqq.exe

_ - 5802 instructions extracted
.text - 298403 instructions extracted
- 255 instructions extracted
[-]samples/order.exe
.text - 209790 instructions extracted
[-]samples/kestDP.exe
.text - 303292 instructions extracted
[-]samples/Doc0254632-2018.com.exe
cd .text - 285656 instructions extracted
[-]samples/jesusislord.exe
.text - 160479 instructions extracted
[-]samples/mineboy.exe
.text - 229798 instructions extracted

[+] Golden hash (121987 instructions) - samples/SWIFT-COPY.exe

[+] Zeroing in longest mnemonic instruction set in T%F~$>T

[-] Matches - 0 Block Size - 4000 Time - 259.88 seconds
[-] Matches - 0 Block Size - 2000 Time - 226.56 seconds
[-] Matches - 0 Block Size - 1000 Time - 217.23 seconds
[-] Matches - 0 Block Size - 500 Time - 216.30 seconds
[-] Matches - 0 Block Size - 250 Time - 201.89 seconds
[-] Matches - 0 Block Size - 125 Time - 183.79 seconds
[-] Matches - 0 Block Size - 63 Time - 171.21 seconds
[-] Matches - 0 Block Size - 32 Time - 144.23 seconds

[+] Zeroing in longest mnemonic instruction set in .text

[-] Matches - 0 Block Size - 4000 Time - 1.55 seconds
[-] Matches - 0 Block Size - 2000 Time - 1.83 seconds
[-] Matches - 0 Block Size - 1000 Time - 2.05 seconds
[-] Matches - 0 Block Size - 500 Time - 2.27 seconds
[-] Matches - 0 Block Size - 250 Time - 2.51 seconds
[-] Matches - 0 Block Size - 125 Time - 2.97 seconds
[-] Matches - 0 Block Size - 63 Time - 3.53 seconds
[-] Matches - 4 Block Size - 32 Time - 4.69 seconds
[-] Matches - 1 Block Size - 47 Time - 3.97 seconds
[-] Matches - 0 Block Size - 54 Time - 3.72 seconds
[-] Matches - 0 Block Size - 51 Time - 3.84 seconds
[-] Matches - 1 Block Size - 49 Time - 3.91 seconds
[-] Matches - 0 Block Size - 50 Time - 3.87 seconds

[-] Moving 1 instruction sets to review with a length of 49
[!] Blacklisted a potentially bad match


[+] Zeroing in longest mnemonic instruction set in

[-] Moving 21 instruction sets to review with a length of 253
[!] Blacklisted a potentially bad match

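The "Matches / Block Size" lines above are a search over window length: the block size is halved (rounding up, which is why 125 is followed by 63 and then 32) until a run of that many mnemonics from the gold sample is found verbatim in every other sample, and the search then bisects between the last size with no matches and the first size with a hit. The Python below is an added illustration of that search written for this page; it is not Binsequencer's code. The mnemonic streams in it are constructed, not disassembly of the samples, and it uses plain floor-midpoint bisection, so its step sequence differs from the log's 47, 54, 51, 49, 50.

```python
"""Added illustration of the block-size search shown in the log (not Binsequencer code)."""
from typing import List, Optional, Sequence, Tuple

Window = Tuple[str, ...]


def windows(seq: Sequence[str], size: int) -> set:
    """All contiguous runs of `size` mnemonics in a stream, as a set for O(1) lookups."""
    return {tuple(seq[i:i + size]) for i in range(len(seq) - size + 1)}


def block_matches(gold: Sequence[str], others: List[Sequence[str]], size: int) -> List[Window]:
    """Distinct runs of `size` mnemonics from the gold stream found verbatim in every other stream."""
    if size <= 0 or size > len(gold):
        return []
    other_sets = [windows(seq, size) for seq in others]
    found: List[Window] = []
    seen: set = set()
    for i in range(len(gold) - size + 1):
        w = tuple(gold[i:i + size])
        if w in seen:
            continue
        seen.add(w)
        if all(w in s for s in other_sets):
            found.append(w)
    return found


def longest_common_block(gold: Sequence[str], others: List[Sequence[str]], start: int = 4000,
                         log: Optional[List[Tuple[int, int]]] = None) -> Tuple[int, List[Window]]:
    """Phase 1: halve the block size (ceiling division, as 125 -> 63 -> 32 in the log) until a
    size with at least one match is reached. Phase 2: bisect between that size and the last
    size that had no matches. Returns (longest matching size, the runs of that size)."""
    size, last_miss = start, None
    while True:
        hits = block_matches(gold, others, size)
        if log is not None:
            log.append((size, len(hits)))
        if hits:
            break
        if size == 1:
            return 0, []                      # nothing in common at any length
        last_miss = size
        size = -(-size // 2)                  # ceiling halving
    lo, best = size, hits
    hi = last_miss if last_miss is not None else size + 1
    while hi - lo > 1:
        mid = (lo + hi) // 2
        hits = block_matches(gold, others, mid)
        if log is not None:
            log.append((mid, len(hits)))
        if hits:
            lo, best = mid, hits
        else:
            hi = mid
    return lo, best


def search_trace(gold: Sequence[str], others: List[Sequence[str]], start: int = 4000) -> List[Tuple[int, int]]:
    """Block sizes tried and their match counts, in order, like the log's '[-] Matches' lines."""
    trace: List[Tuple[int, int]] = []
    longest_common_block(gold, others, start=start, log=trace)
    return trace


def mnemonic_set(block: Sequence[str]) -> str:
    """Render a run the way the log prints a SET: mnemonics joined by '|'."""
    return "|".join(block)


# Constructed mnemonic streams (not disassembly of the samples above): three streams that
# share one eight-instruction run, each surrounded by different neighbours.
SHARED = ["inc", "push", "inc", "jb", "insd", "ja", "jb", "sub"]
GOLD = ["mov", "xor"] + SHARED + ["ret", "nop", "call"]
OTHERS = [
    ["push", "mov"] + SHARED + ["jmp"],
    ["lea"] + SHARED + ["xor", "xor"],
]

if __name__ == "__main__":
    for block_size, n in search_trace(GOLD, OTHERS):
        print(f"[-] Matches - {n} Block Size - {block_size}")
    size, blocks = longest_common_block(GOLD, OTHERS)
    print(f"[-] Moving {len(blocks)} instruction sets to review with a length of {size}")
    for b in blocks:
        print(mnemonic_set(b))
```

Because a window set is rebuilt for every block size, the cost is proportional to the number of sizes tried times the total stream length, which is why the log's first pass over the 111110-instruction section takes minutes while the 10624-instruction .text section takes seconds.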
[*] Do you want to display matched instruction set? [Y/N] Y

[*] Do you want to keep this set? [Y/N] Y
[!] Blacklisted a potentially bad match

[+] Keeping 1 mnemonic set using 100 % commonality out of 8 hashes

[-] Length - 24 Section -

[+] Printing offsets of type: longest

[-] Gold matches

----------v SET rule0 v----------
inc|push|inc|jb|insd|ja|jb|sub|jb|imul|xor|add|inc|jb|insd|ja|jb|inc|imul|popal|insd|adc|dec|inc
----------^ SET rule0 ^-----------

samples/SWIFT-COPY.exe 0x1004b407 - 0x1004b43b in .text

[-] Remaining matches

----------v SET rule0 v----------
samples/0001.exe 0x100a9724 - 0x100a9758 in .text
samples/ucheqqqqqqq.exe 0x1000adce - 0x1000ae02 in .text
samples/order.exe 0x10079e2c - 0x10079e60 in .text
samples/kestDP.exe 0x100aae87 - 0x100aaebb in .text
samples/Doc0254632-2018.com.exe 0x100a2952 - 0x100a2986 in .text
samples/jesusislord.exe 0x1005e015 - 0x1005e049 in .text
samples/mineboy.exe 0x100853c1 - 0x100853f5 in .text
----------^ SET rule0 ^-----------

[+] Generating YARA rule for matches off of bytes from gold - samples/SWIFT-COPY.exe

[*] Do you want to try and morph rule0 for accuracy and attempt to make it VT Retro friendly [Y/N] Y

[+] Check 01 - Checking for exact byte match
[*] Exact byte match found across all samples

[*] Do you want to include matched sample names in rule meta? [Y/N] Y

[*] Do you want to include matched byte sequence in rule comments? [Y/N] Y

[+] Completed YARA rules

/*

SAMPLES:

samples/SWIFT-COPY.exe
samples/0001.exe
samples/Doc0254632-2018.com.exe
samples/ucheqqqqqqq.exe
samples/mineboy.exe
samples/jesusislord.exe
samples/order.exe
samples/kestDP.exe

BYTES:

45544672616D65776F726B2C56657273696F6E3D76342E300100540E144672616D65776F726B446973706C61794E616D65102E4E45

INFO:

/opt/bin/binsequencer.py samples/
Match SUCCESS for morphing

*/

rule rule0
{
    meta:
        description = "Autogenerated by Binsequencer v.1.0.4 from samples/SWIFT-COPY.exe"
        author = ""
        date = "2018-08-15"

    strings:
        $rule0_bytes = { 45544672616D65776F726B2C56657273696F6E3D76342E300100540E144672616D65776F726B446973706C61794E616D65102E4E45 }

    condition:
        all of them
}
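Before deploying rule0 it is worth decoding the bytes it matches on. Read as ASCII they are "ETFramework,Version=v4.0", then 01 00 54 0E 14, then "FrameworkDisplayName", then 10 ".NE": that is the body of the TargetFrameworkAttribute custom attribute (ECMA-335 encoding) that the compiler writes into any assembly built against .NET Framework 4.0 with the default display name ".NET Framework 4". The 24-mnemonic set the tool settled on is what an x86 decoder produces when it is fed that text (0x45 inc ebp, 0x54 push esp, 0x46 inc esi, 0x72 jb, 0x6D insd, and so on), so the "exact byte match across all samples" is a shared framework string rather than shared code, and the rule will also fire on benign .NET 4.0 binaries. The following Python is an added check written for this page, not part of Binsequencer or of the original paste: it decodes a YARA hex pattern, flags patterns that are mostly printable text or that contain known generic .NET attribute markers, and shows the rule bytes hitting a constructed clean attribute blob. The blob, the marker list and the 0.8 printable threshold are this example's own choices.

```python
"""Added check for rule0's byte pattern (not Binsequencer code, not from the original paste)."""

# Copied verbatim from $rule0_bytes in the generated rule above.
RULE0_HEX = (
    "45544672616D65776F726B2C56657273696F6E3D76342E30"
    "0100540E14"
    "4672616D65776F726B446973706C61794E616D65"
    "102E4E45"
)

# Assumed marker list for this example: substrings that mean a pattern sits inside the
# TargetFrameworkAttribute blob of a .NET assembly, so a rule built on it is not sample-specific.
GENERIC_DOTNET_MARKERS = (b"Framework,Version=", b"FrameworkDisplayName")


def hex_to_bytes(hex_pattern: str) -> bytes:
    """Turn a YARA-style hex string without wildcards into raw bytes."""
    cleaned = hex_pattern.replace(" ", "").replace("{", "").replace("}", "")
    return bytes.fromhex(cleaned)


def printable_count(data: bytes) -> int:
    """Number of bytes in the printable ASCII range 0x20..0x7E."""
    return sum(0x20 <= b <= 0x7E for b in data)


def ascii_view(data: bytes) -> str:
    """Render bytes the way the right-hand column of a hex dump does."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


def assess_byte_pattern(hex_pattern: str, printable_threshold: float = 0.8) -> dict:
    """Classify a byte pattern as 'weak' when it is mostly text or contains a generic
    .NET marker; such a pattern matches a string every similar build carries, not code."""
    data = hex_to_bytes(hex_pattern)
    ratio = printable_count(data) / len(data)
    markers = [m.decode() for m in GENERIC_DOTNET_MARKERS if m in data]
    weak = ratio >= printable_threshold or bool(markers)
    return {
        "length": len(data),
        "printable_ratio": ratio,
        "ascii": ascii_view(data),
        "generic_markers": markers,
        "verdict": "weak" if weak else "ok",
    }


def pattern_fires_on(hex_pattern: str, blob: bytes) -> bool:
    """Plain substring test, which is all a wildcard-free { ... } pattern means in YARA."""
    return hex_to_bytes(hex_pattern) in blob


# Constructed for this example, not taken from any sample: the TargetFrameworkAttribute
# value blob as emitted for [assembly: TargetFramework(".NETFramework,Version=v4.0",
# FrameworkDisplayName = ".NET Framework 4")] per ECMA-335 II.23.3: prolog 01 00,
# SerString (length 0x1A), NumNamed 01 00, PROPERTY 0x54, STRING 0x0E,
# property name SerString (length 0x14), value SerString (length 0x10).
BENIGN_NET40_ATTRIBUTE = (
    b"\x01\x00\x1a.NETFramework,Version=v4.0"
    b"\x01\x00\x54\x0e\x14FrameworkDisplayName"
    b"\x10.NET Framework 4"
)

if __name__ == "__main__":
    for key, value in assess_byte_pattern(RULE0_HEX).items():
        print(f"{key}: {value}")
    print("fires on a clean .NET 4.0 attribute blob:",
          pattern_fires_on(RULE0_HEX, BENIGN_NET40_ATTRIBUTE))
```

Run on rule0 the pattern decodes to 53 bytes of which 48 are printable and both markers are present, so it is reported as weak. A practical follow-up is to mark such a sequence as blacklisted at the "keep this set?" prompt and let the tool look for the next-longest common block, or to restrict the section search to code the .NET runtime actually executes rather than metadata streams.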