I hereby claim:
- I am latonis on github.
- I am jacoblatonis (https://keybase.io/jacoblatonis) on keybase.
- I have a public key ASA6c8HatsF7mxScL3VndCChwVf6x07SLA194KjThvoNugo
To claim this, I am signing this object:
```yara
import "macho"

rule macho_libframework_suspicious {
    meta:
        description = "Detects on LightSpy variant dylibs"
        author = "Jacob Latonis @jacoblatonis"
        date = "2024-04-25"
    condition:
        macho.has_dylib("/usr/lib/libsqlite3.dylib") and macho.has_dylib("/usr/local/lib/libframework.dylib")
}
```
```jsonc
// For format details, see https://aka.ms/devcontainer.json. For config options, see the
// README at: https://github.com/devcontainers/templates/tree/main/src/rust
{
    "name": "YARA-X devcontainer (Jacob's Version)",
    // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
    "image": "mcr.microsoft.com/devcontainers/rust:1-1-bullseye",
    "mounts": [
        "source=${localEnv:HOME}/yara/malware,target=/home/vscode/yara/malware,type=bind,consistency=cached",
        "source=${localEnv:HOME}/yara/rules,target=/home/vscode/yara/rules,type=bind,consistency=cached"
    ]
}
```
```python
#!/usr/bin/env python
import argparse
import binascii
import hashlib
import os
import re
import sys
import traceback

__author__ = "Jeff White [karttoon] @noottrak"
```
```dockerfile
FROM ubuntu:latest

RUN apt-get update && \
    apt-get install -y build-essential git cmake \
        zlib1g-dev libevent-dev \
        libelf-dev llvm \
        clang libc6-dev-i386

RUN mkdir /src && \
    git init
```