(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for April 2017

The Darknet As Medium for Proof of Life K&R Deals AKA OpFOQ

leave a comment »

Last week someone pointed out a story about how the Qatari government or relatives of some Qatari’s that had been kidnapped on a falcon hunt had started a darknet site and a fund in bitcoins for information on their whereabouts and return. This story intrigued me so I went looking for the site and someone on Twitter kindly pointed to it and the twitter feed with the address. I went to the site and took a look at it and then started looking at the larger picture of who the Qatari’s hired to do this as well. What follows are my thoughts on using a darknet site like this for proof of life and or transactions like this as well as the company that the Qatari’s turned to to do it for them. Of note is that this attempt was closed down as soon as the story came out in the press so that is an added twist but given the things I have seen it makes total sense why a little light on the subject would make the “company” hired by Qatar to close shop and run away.

Qatari’s abducted falconing

Global Strategies Council Inc:

As reports online had mentioned, the “company”  Global Strategies Council, was given 2 million dollars up front for work attempting to get proof of life for the abducted falconers. I decided to look further than the reporters (at least as much as they reported) and found some interesting things concerning this alleged company and the person(s) involved in it. First off, the company is so stealth that you have to really dig a fair bit to get to the guts of what it is. Even then, you really do not get much detail on who is in the company, who works there, and what it does exactly. The hinge seems to be on this “shoe salesman” or “Shoe Mogul” if you will, Miltos Goudamanis and no, it is not Militas as you see in the reports in the news. His real name is Miltos and he has a rather obscure past, unless you just go with the shoe angle.

Miltos is evidently the international sales guy for “Naughty Monkey” shoes, a crappy ass site that sells shoes and poorly for a number of years attached to Cyprus. Now, one lately hear Cyprus and think first off of money laundering and banks and so did I. I checked the Panama papers and he is not in there but generally everything is pretty sketch around this guy. Naughty Monkey is the most solid hit for this guy that you can backtrace, so now one has to ask how does the Greek Al Bundy get to the point of dealing with international terrorists and asking for an advance of 2 million dollars to set up darknet sites eh? That question kept ringing in my ears as I dug deeper into the inception zone.

If you look at all the data above in the screen shots you can see that this guy has no real experience with military or national affairs so how does he suddenly become a director or chair at this Global think tank? Furthermore how does a guy who makes less than 10G’s a year is getting a net of 499k?

Blink blink…


This is starting to smell like some rotting carcass in the San Diego sun….

So yeahhhh, this “company” this think tank specializing in… In what? Well, fuckall really, is being run out of this condo it seems in San Diego according to all the records I could find. In fact the phone number to the place also matches with a land line for the area. Not one thing about this company says it has offices in Washington DC at all. Even though their site makes all kinds of DC imagery and allusions to connections therein… Obliquely that is.

Saaaaaaaayyyyyyyy.. is that office condo space zoned for this kind of fuckery?

Looking at their site you have to just ask yourself after reading it all; “Is this Enron?” because they seemed not able to tell you exactly what they did either and look what happened there huh? There are no employees, no experts listed on their rolls and certainly very little on Miltos as to his history or education for these kinds of things. If I were the Qatari’s I would be asking the guy who hooked this all up what cut of that two million he got. I am just gonna lay it out here in plain language;

  1. Company site is poorly made and has no real data
  2. No employees
  3. No history
  4. Two million up front and we get proof of life!
  5. PROFIT!

This all screams scam and when the whole operation was shut down I think we all got the same feeling about it huh? How are the Qatari families feeling about this? Is this guy just an opportunist shoe hawker or is there more? So far as I can tell this guy has been trying for years to get USGOV work and hasn’t been able to land anything. So a little grift for a cool two million and a cheap darknet site/twitter account is easy peezy.

About that darknet site….

Darknet Site:

The idea behind this site was to allow the hostage takers a medium to connect with the alleged “middle man” Miltos, to get in touch as well as maybe open source this thing so that anyone with information could leave a tip. Now, on the face of it this may be something of use if you keep it really down low and release that information only to the hostage takers right? I mean you leave this on the darknet and then publish it in the paper you are only gonna get trolls right?

I went to the site and checked it out. It was a clone of the global leaks site (using their frame) and you could create an ID and drop information there. You could log back in and see what responses came from Miltos and his crew but when I looked there were no other info drops that I could see. I signed up and got a number just to see how it would work.

Basically this was ill thought out and deployed so once again I think fly by night and not really meant to gather real intel on the status of the poor Qatari’s who have been jacked. Of course, it is now all shut down according to the Twitter account for the “Op” so so much for gathering information of proof of life for the families of those Qatari’s huh? I will keep an eye on the site to see when it comes down but generally I suspect it will just sit there on some rented space littering the darknet for years.

Thoughts on Darknet as Medium for Ransom:

Aside from thinking that this whole thing was just a grift by this guy Militos and his wife, the notion of using a site in the darknet as a means of proof of life is iffy at best. I should think that the terrorists or whoever that took these people is not surfing the darknet in the first place and would just as easily pick up a sat-phone or regular phone and call the Qatari government with their demands. These arcane measures just isn’t their shtick man.

For that matter just use a cutout gmail account and PGP huh? What the fuck! This whole debacle is just an exercise in how to pull off a short con on a lot of families looking for answers about their lost loved ones. If I were Qatar, I would be asking this Ali Hani about his connections to this Greek guy in San Diego tootsuite man. I am sure the money is spent already anyway…

Oh and as for the hacker angle of “OOOH SCARY HACKERS IN THE DARKNET MAKE SITE” cut the shit media! Anyone with half a brain can stand up a site in the darknet so cut it the fuck out. There was nothing spectacular here other than the lede that looked good for clickbait.

Now.. About those lost Qatari’s….


Written by Krypt3ia

2017/04/17 at 17:09

Posted in DARKNET

Black Edge on the Darknet?

leave a comment »

Black Edge

I was trawling the darknet as you all know I like to do and came across a site I had seen once before and bookmarked but never got back to. The site http://b34xhb2kjf3nbuyk.onion “The Stock Insiders” is a php site that claims to be an insider trading site seeking users who will provide insider information for the collective to profit from. Now I will admit that I have been watching Billions and I am also reading “Black Edge” so this site finally struck a chord with me and I decided to mirror it and take a look inside. The following post is the sum total of what I found and some thoughts on the idea in the first place. …I am sure you all will be amused.

The Idea:

Right, well the darknet is supposed to be super secret and encrypted if you believe all of the reporters out there who cover it with conspiratorially raised brows. It only stands to reason that some enterprising joker would go and set up a site like this to trade in illegal insider information yes? Well obviously yes because here it is! As you can see from the screenshot above they are making no bones about it, they want to have players here who can provide solid insider information so as to make trades illegally and make oodles of money! Of course there are problems with that idea and I will be going into those here. Sure they make caveats about the legalities but they also claim that the server is not physically in the US and the whole server is “encrypted” which, ugh, come on people! Crypto is only as good as the system being shut down and the type of crypto being used.

….But I digress…

Now let’s talk about the intricacies of insider information and it’s use. You see, it is not that easy to obtain good insider information in the first place and secondly, using it has to be carried out carefully so as to not tip the SEC and other investigative bodies to your use of it to profit right? So by trying to open source this on the darknet is kinda scary in more than a few ways to my mind. I mean, who are these people? How do you vet them and their information they are passing? How do you not know you are being baited by a Fed or some moron in the first place? Then, how do you make the trades and profit without a trail and maybe even the potential for being ratted out if things go badly? I just keep coming up with all these scenarios where things go poorly from this idea. Personally, the notion of this site is half baked in my mind but hey, this could just be a honeytrap right?

Alright, let’s assume it is legit, how do you really go about this? Well, you start off by getting members and then testing them by asking for legit insider info to trade on so they will be allowed in as “full members” ya know, like becoming a made man ehhhhh? Ok, so I am say “jpompo6” (oh yeah wait till you get to the bottom of this here post!) and I want in. I have to create an account, then go through the vetting process by passing data to the “root” account (yes, I did say root!! wink wink nudge nudge!) on a sweet sweet insider stock tip and hope upon hope that I am accepted into the inner sanctum. One of two outcomes will happen:

  1. I wait, and I wait, and nothing happens.
  2. I hear back that I am a made man and HOO HA! I can then get into the inner sanctum and start reading all the juicy posts and making trades on them! WIN!

Unfortunately I had no real insider info to pass and, well, I am not an idiot so I did not go further than setting up a dummy account on this site. Instead I started looking at the site itself and gathering whatever intelligence I could to do a little OSINT on the users that I could see.

…And boy did I see things-n-stuff.

Membership Rules:

Anywho, the community has rules and those rules are listed below. I do sincerely love the first rule of INSIDER TRADING CLUB which is YOU MUST BE AN HONEST GENTLEMAN! Now that is some deep derp there kids. You are telling me that you want honest gents in this here illegal enterprise of insider trading informatics on the darknets? NO. WAY. The other rules pretty much follow the rules of Fight Club, don’t talk about Fight Club, Don’t fuck with Fight Club, yadda yadda yadda. The more I read the rules the more cognitive dissonance I have about the whole thing really. I do like the whole you have to keep reporting in new leads every 90 days in accordance with the SEC practice of 10-q reporting hahaha.

Say, is there a profit sharing plan here? How are the health benefits? Do I get a 401K here? Honestly, this whole model is good when you are in the real world and you are face to face with people you have developed a rapport with, not some shmuck who may be a Fed on the darknet kids. In reading the Black Edge book you can see how much of the intelligence is gathered on companies, usually you have paid sources or sources you do favors for quid pro quo and there is an understanding that if you fuck me you fuck yourself. The whole idea that I am just gonna take some inside info from the darknet and apply it to large trades on the market is a bit much for me to believe. Now maybe if you wanted to communicate data like this with known and trusted people in the darknet using encrypted comms maybe I would buy that but this site just seems to be to either be a honeytrap or a scam looking for suckers to put their legit inside info out there for a quick pump and dump.

But that’s just me…


So yeah, you have this site out there and you promise all the super secret DARKNET black magic. You tell people that the data is secure and then you say “But.. You have to be careful” everyone is gonna take that to heart right? Well, almost everyone… Ok some people… Ok ok ok maybe one person. In the case of this site there was a “props” page that I found that listed users who they wanted to thank. For the most part the user names were innocuous enough to not go anywhere with an OSINT search regimen. However, there was one guy who seemed to not comprehend the idea of OPSEC.

The user JPOMPO6 who is listed in the thanks page seems to really not get the whole idea of not re-using online handles. This guy seems to have used his handle for everything online on this site and “root” likes him enough to give em props. A simple Google search for the ID drops a ton of hits that show this guy to might be Joe Pompo a CPA from upstate New York. Now given that the handle is exactly the same as the Twitter handle he uses and then further more that he is a CPA, well, I kinda think this is our man but I have to say for the record and for all you lawyers out there; (I Googled some shit and this MAY BE the guy, I am not saying IT IS THE GUY but JEEBUS it really does kinda all fit) so please, don’t sue me because I made a logical leap.

That this character under the handle jpompo6 is on this site does not in fact mean that they have traded insider information at all. In fact, I cannot see any postings by this user so it is not for me to say. All I can say is that a user who has the same handle as the Twitter user and that user has the name Joe Pompo exists is, well, there you have it… If this is the same guy then oops, your OPSEC sucks and the site’s admonishments were lost on you. One wonders what other OPSEC fails there must be inside the site, ya know, like using your corporate email or your one personal email as the contact for this site.

Oh my…..

Programming and Administration:

As if the OPSEC thing wasn’t bad enough, when the site was looked at from a security perspective things went from bad to worse. The site is leaking information, it was set up poorly and likely can be hacked if it hasn’t already. The mere fact that the root account is the one making all the posts here is scary as administrating php sites goes. However, when looking at the directory tree there was a lot left open. With all this hanging out I kinda really have my doubts about the security of the site don’t you? I personally would run away, change my name, and burn everything with my old name on it if I had traded anything of any import on this site kids.

So what have we learned today? Well, we learned that insider trading is best left to professionals and done in secret places other than the darknet I think. While the idea of insider trading is appealing to some, it is really going to fuck only you in the end when the feds come for you. Honestly, I think a better alternative is to just do OSINT and find data that has been accidentally leaked by companies and then make your trades, and as I understand it that is kinda grey area right? I mean no one told you the info, you did not pay for it, you happened upon it right? In the present day state of the internet there is so much information that is out there on mis-configured servers and the like that you could likely use that to day trade your way to riches right?

End of the day, stay away from these scam sites in the darknet kids… Unless federal prison appeals or being totally taken by fraudsters.


PS.. Props to @chkefa for the heads up on jpompo6!

Written by Krypt3ia

2017/04/13 at 19:50

Posted in BlackEdge, DARKNET

OpISIS C2’s and Malware?

leave a comment »

I was bored again and let my fingers do the walking on ThreatCrowd with some interesting results. Did you all know that you could put words into that search engine and come up with malware hits? So, in the case of my word searches I decided to look for Arabi words that have meaning to Da’esh and the jihadi set with some interesting results. In the case of the word “jihad” I came up with the following hits:

The hits there show you the attendant hashes of malware alleged to be connected to those domains as C2’s (Command and Control) systems. When you click on them you get the Maltego maps and all of the data concerning them so you can see where everything pivots to and what other servers may be involved with it. Using this method I ran into a set of results for Balabindi, which is the same malware as seen in the recent attack on the Amaq Da’esh site that was hacked and served malware out to about 600 people (claimed) by stats from the link shortener used to propagate it.


The Balabindi though is all sourcing from one domain address:

Balabindi malware set and variants

MSI pivot on Balabindi

The searches that I ran showed that there were concerted efforts with Balabindi using dynDNS sites ( and others) as command and controls for the Balabindi variants used against jihadists in the past and they continue today. There is even a minecraft server ( that may also be involved as well. Of course it is funny ha ha to name these servers jihadihacker and other names to poke at the jihobbyists but it is kinda bad OPSEC really in my book. So either these are OpISIS or someone is having a bit of a joke, but the malware in the case of is just “server.exe” and basically like the rest of the samples I was seeing was a RAT, so I can see how these are just being used to pwn these jihadi’s and harvest their real data, that is if they are stupid enough to run “server.exe” on their box.

Malware from

Malware from VT of same malware sample

Generally I am seeing the same kinds of attacks with older off the shelf malware that may get past some old AV or work on people who have no AV at all but nothing so far has stood out as exotic so I am thinking this is the Anon’s doing their thing, or trying to… At the least it was interesting to find the function on ThreatCrowd and leverage it. I think I will plink away at it some more using Russian words next for shits and giggles.. Or.. OOOH maybe Korean huh?

I guess the last thing I would say on all of this is that the Anon’s may have had some success with these attacks and maybe passed on some info to the right people but generally I am not impressed with the op’s against Da’esh as a whole. Taking down the jihobbyist sites may be splashy for the tabloids but the reality of it is that these sites like Amaq are just for the lowest of fruit users online wanking off to jihad. Sure, some could maybe go full “lone wolf nutbag” and try something but generally the real players got off the boards years ago because they were just for skidz and wannabe’s. Most of the real shit happens in closed sites that are below the radar and of course on chat systems like Telegram and others where they can talk with some crypto and not be hassled by some poor php site that gets popped every other day and taken offline.



Threatcrowd for word jihad:

Threatcrowd for word ISIS:
MD5=22e2fa976906b4aac9509828e124c734 MD5=cf084279a857462e2cf96b053a7175af*Win32/Rebhip.A
Reference=Houdini/Dinihu/Jenxcus/H-worm Reference= Reference= Reference=
MD5=764ecc97921c87de344bf98157e76e49 MD5=910dd000e8d8675348d94649c1ad9273
MD5=11b45bfbbbd944ca9bf1f5f69628d055 MD5=1eb1a366dae694202235656f2f42aa9a MD5=7f209fa351a6792484fcc4d786a17ffd MD5=cd685e040b584909bd208e8fcad0c846
MD5=b31ac43984d38772f11a2ad1970e8e95 MD5=dc86dc3747a43f6bdda6abf36fa657d1

Written by Krypt3ia

2017/04/10 at 20:34

Posted in OpISIS

Trump Hotels Dot Com: Malware C2 In 2014

leave a comment »

Credit CNN


Remember when the news media was told by Brian Krebs that Turnip’s hotels had been hacked and their credit card data has been stolen? Well there is more to the very little story that made the press after Krebs dropped a dime on them. In looking around the ThreatCrowd today I decided to take a look at the Turnip brand and, well, they have over three thousand domains but a couple jumped out on the searches due to their being connections in some malware back in April of 2014. This coincides with the hack time frame according to the stories I have seen including the one by CNN above where not much is said by Trump nor the FBI or USSS because they were looking into it and that Turnip was a candidate for president. Given that no one has really said anything about this hack post Krebs I have to wonder just how deep these guys got in and what actor group it may have been. If it was straight up carding was it Rescator? Some other Eastern Block group? If it was Russian then, well, you know how they like to dual use these hacks right?

Well, the malware in this case was programmed to attempt to connect with the hotel psmtp server as well as the main domain. This means that they were compromised enough to used as a C2 or perhaps it was just garbage traffic as as been seen in the past with some malware creators. The real kicker is that this malware was doing it’s thing in the same time frame that the hack was alleged to have happened, so I have to think that the case here is that they did in fact use them as a C2 as well, or another actor did piggybacking on the other hacking going on.

Maybe Turnip’s security just sucked? Oh well, as you can see from the maps below they were pretty busy. The best thing for me though was the name of the file that the malware was propagating by.

(scroll down but don’t be drinking anything hot FAIR WARNING)

Maltego of psmtp server at Turnip Hotels Domain ThreatCrowd ThreatCrowd

Money shot of the malware that has trumphotels in the C2 list

Oh, and Turnip loves him Godaddy, the Mos Eisley of domain registries and server farms.

The Malware:

So that malware that had the Turnip hotel as a C2? Yeah, it was in the guise of a file called SHEMALE_MOVIE_83.MPEG.EXE I shit you not! So GoldShower’s systems were being used to pimp malware that went under the name of SHEMALE_MOVIE_83.MPEG.EXE



I do love the schadenfreude here. Evidently it was a trojan that harvested creds, listened to all traffic, and manipulated the SMTP on the system as well. I have to wonder who at Turnip Hotels may have gotten an email with this file and clicked on it. I also have to wonder if they were acutally mailing this shit out from Turnip central as they had connections to the PSMTP server as well. Say, any of you get any dirty email from Turnip back in 2014 or 2015?


As I write I have this grin on my face…

Enjoy the schadenfreude kids!




Written by Krypt3ia

2017/04/06 at 19:12

You See What Happens When I Get Bored? –> –> —> TURLA?

leave a comment »

So yeah, I was bored earlier and when I am bored my brain likes to take a walk down the darker hallways of the intertubes. Today I was plinking around with ThreatCrowd as is my wont, and I decided to start messing about with addresses. So I did a search for just which netted me nada. So I went back to the drawing board and looked up all the .kp addresses out there. I messed around a bit and hit which had the nugget of the day I was looking for.

See that big purple thing? Yeaaaaaahhhh that is malware activity and a has all the hallmarks for nation state malware kids! Upon looking closer at this closer at this you can see that this piece of malware is talking to other interesting places like Iran and China! This really piqued my interest because just look at those addresses huh? Iranian mil sites, the presidents site, their news service (FARS) and china! Now what could be happening here kids? Was this malware or something else? Is the anticipation killing you yet?

Right! So I then started to circle out to the other sites on TC and of course clicked on the malware hash itself to see what the deal was here and when this all came about. To my surprise this malware and the activity happened last year in June. The malware was run privately on Hybrid on June 22nd 2016 but if you look closely at the image at the top of this piece, you see that the post is listed as December 3rd 2016? How does that work one wonders? Is this a post to the site after the original piece was uploaded? Was there something going on here that made the dates all messed up? In any case, the fact that this was posted privately to Hybrid in June shows that someone was either testing their malware or someone just found this and decided to post it privately to not trip up they had found it.

The sample itself is the php on the site ( which is not around at the moment to attempt to gather a sample directly. I also checked The Wayback Machine too and alas they did not have the site cached on the date or after where I would need to get the sample. At the time of testing this malware injected an exe (FP_AX_CAB_INSTALLER64.3×3) in temp and begins the work of pwning the system. It drops some files on the system and within the process is an IP address ( which is in China.

Ok, so I pivot over to the malware 866fd7c29b0b6082c9295897d5db9e67 and whoa, look at all the malware traffic! It’s a festival out there man! Looks like someone is using a flash update to pwn all the things in Iran, China, and DPRK maybe huh? When you look at the malware C2 call outs it makes in the Hybrid analysis you can see them all. But when i start looking at the sites in the binary it is then I start to see where the other sites have bad histories and the files that seem to have been a part of the arcology.

Pattern match: “”
Pattern match: “”
Pattern match: “”
Pattern match: “”
Pattern match: “″
Pattern match: “”
Pattern match: “”
Pattern match: “”
Pattern match: “”
Pattern match: “”
Pattern match: “,/”
Pattern match: “,/”
Pattern match: “,/”
Pattern match: “”
Pattern match: “”

Other hits for the hash:

Threat Miner:


Threat Miner:

Threat Miner:

It gets stranger with the sites that this thing attempts to connect with as well. All of the connections are GET’s on port 80 so is this just polling sites or are some of these carriers of malware second stage? I have yet to go through all of them but one stood out already in the odd department (in red) this site came up dirty on more than one occasion and also the site resides in the US but has a guy from Iran ostensibly as owner who has a Yahoo account for an email. When you look at the site it seems to be a pro Iran mil site that kind of mirrors many of the others in Iran (think Geoshitties from hell) but why is an official site like this being hosted in the US huh? Iran (ISLAMIC Republic Of) Iran (ISLAMIC Republic Of) European Union China United States European Union France China United States China Iran (ISLAMIC Republic Of) China United States Korea Democratic People’s Republic of United States China Korea Republic of China

An address inn memory though there was this little hit: When looking at this site it has been rather naughty over time and has a high hit ratio for malware: This site also seems to be tied to APT activity.

This site has a lot of trojan activity over time so this may be the hit we are looking for. When I dug into this site I located the key piece of information that I believe nails this as Turla activity. When you look up the domain for you get an email address attached; which then turns up in the ThreatMiner report as being a C2 for Turla. So, it looks like my boredom has maybe led me to RU APT activities against CN/IR/DPRK in June of last year.


Is this in fact the case? Has anyone else seen this? I will keep plinking along but do take a look you malware mavens and see what you think.


Written by Krypt3ia

2017/04/04 at 18:23

Posted in Malware

Amaq News Malware Attempt Using Old Malware

with one comment

Amaq Hack:

Vice reported on the Amaq News Agency’s hack and dissemination of malware last week and the report really kind of fails to do much more than attempt to amplify the booga booga of the whole affair. I thought I would go hunt down the sample(s) of the malware and have a looksee for myself. Which is exactly what I did and located two samples of malware that are from other domains owned by the same players. What follows is a run down of those samples (I was unable to find the one mentioned in the story as of yet but did locate the VT assessment of it) and a fuller deconstruction of the domains involved.

As some of you may know, Amaq is just the news site for the dissemination of propaganda so this would be a good target for someone to go after, infect, and hopefully reap the rewards of anyone stupid enough to install the file that was being served out. Interestingly though the malware mentioned in the piece on the 30th is a flash update and the malware I located on the other attached domains is an .apk file that allegedly is for a flash update? In any event, my first impression from the Vice piece was that it was derptastic. You are going to use a 2013 rat that everyone see’s to pwn an alleged 600 click happy jihadi’s?


Right so as the Vice article says the malware was easily seen by a multitude of AV products so really, you are hitting the lowest common denominator here if they click on it and have no AV at all. Of course if you were aiming at phones that would be different but this was an executable binary so.. uhh.. Duh? Right, well the malware in the story was ostensibly just an update to Flash if what has been posted is in fact true. I went to the site listed in the shortlink and no joy on that, nothing there anymore.


After checking the domain from the url that was serving the malware last week I began tracking down the owner data. What came from that is that the email address of is a throw away account as far as I can tell with only three domains being registered with it. Once you look though, you can see that more domains actually had been created by the same actor using the name “dertou” as well. Those domains are,,, and

Without going too far down the rabbit hole here I just wanted to point out that these addresses were all created on the 29th of March and deployed along with the other exploit it seems. One of the domains is still live and are serving out the malware:

Now this address would match up with the attempts at trying to get amaq users to go to a bad squatted address and this is where I got the malware I mentioned above (details below) The other domains are all interesting in that some have names that are close to such things as the Da’esh magazine “Baqiya” but others like have nothing to do with all that and in fact ad13 is much much older a domain. Ad13 was originally created in around 2013 and was decomissioned around October 2016 with changes made to the domain in July 2016.

When I started looking up the address I hit a road block for now but I will keep poking at that because I feel that this person is one of the key players if not the key player here. Otherwise there is the usual obfuscation going on with the other addresses out there and as such I am just going to drop them for now. Instead, I will look at the malware and where that is making calls to after dumping the IOC’s on you all.

Here you go!


Malware: –> Malware –> Malware —> Malware –> Malware



The malware sample I got from the amaq xyz site was named FlashPlayer8x86_x64.exe and downloads as an .apk (Android) file by name obfuscation from the url. Once run it attempts to contact several domains and IP addresses for the second stage.

These addresses don’t actually have sites on them so they are just C2 and in the case of the original malware in the Vice piece there was a site with a gate.php address which may have been an IP collection point or a second stage malware install site. None of these though have the gate.php and the fact that this site is still working makes me think that perhaps this was to be the second wave of attacks had not Vice and other sources reported on the hack. Perhaps though because it is still live the hackers plan on another attempt at going back to the well no?

Overall the sites have been updated recently but have been around a while. The malware is easily detectable by AV, and the RAT is old so was this a real attempt at harvesting or was this some sort of pranksterism or PSYOP? Frankly I can see it both being semi-experienced hackers doing this or more astute actors using easily seen malware to perhaps scare users into not looking at the site anymore. That I could track it back so far to the user to me says that there may be more to this if I dig further but then I have to be that interested in who may be fucking with amaq.

The fact of the matter is Da’esh is losing ground and losing the interest of those who think they are a righteous Caliphate because they are losing ground. The attempts to garner more lone wolves and perpetuate the jihad with these guys has been too plagiaristic for me. Basically Da’esh stole AQAP’s model but carried it off with less style so once they lose Raqqa they will lose a great deal of cred online in my opinion. Perhaps then they will be less of a threat on the GWOT in that respect… Maybe not.

Anyway, yeah, these guys are soft targets and not the sharpest tools in the tool box so hacking them has never been a challenge. All these insecure PHP sites and their users are easy pickins really so this is a non story to me. It is more interesting to me who may be trying to fuck with them and to determine why exactly. Is this the IC trying to deter them or is this an OpISIS kind of thing?

I am still deciding…


Written by Krypt3ia

2017/04/03 at 18:42

Posted in CyberFAIL, Da'esh, jihad