Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Da’esh’ Category

Amaq News Malware Attempt Using Old Malware


Amaq Hack:

Vice reported on the Amaq News Agency’s hack and dissemination of malware last week, and the report really fails to do much more than attempt to amplify the booga booga of the whole affair. I thought I would go hunt down the sample(s) of the malware and have a looksee for myself, which is exactly what I did, and I located two samples of malware that come from other domains owned by the same players. What follows is a rundown of those samples (I was unable to find the one mentioned in the story as yet, but did locate the VT assessment of it) and a fuller deconstruction of the domains involved.

As some of you may know, Amaq is just the news site for the dissemination of propaganda, so this would be a good target for someone to go after, infect, and hopefully reap the rewards of anyone stupid enough to install the file that was being served out. Interestingly though, the malware mentioned in the piece on the 30th is a Flash update, and the malware I located on the other attached domains is an .apk file that allegedly is for a Flash update? In any event, my first impression from the Vice piece was that it was derptastic. You are going to use a 2013 RAT that everyone sees to pwn an alleged 600 click-happy jihadis?

REALLY?

Right, so as the Vice article says, the malware was easily seen by a multitude of AV products, so really you are hitting the lowest common denominator here if they click on it and have no AV at all. Of course if you were aiming at phones that would be different, but this was an executable binary so.. uhh.. Duh? Right, well, the malware in the story was ostensibly just an update to Flash, if what has been posted is in fact true. I went to the site listed in the shortlink and no joy on that, nothing there anymore.

Domains:

After checking the domain jiko.at from the URL that was serving the malware last week, I began tracking down the owner data. What came from that is that the email address alibenmohaed216@gmail.com is a throwaway account as far as I can tell, with only three domains being registered with it. Once you look, though, you can see that more domains had actually been created by the same actor using the name “dertou” as well. Those domains are ad13.de, amaqqq.xyz, baqiyy.at, and jkikkia.at.

Without going too far down the rabbit hole here, I just wanted to point out that these addresses were all created on the 29th of March and deployed along with the other exploit, it seems. One of the domains is still live and is serving out the malware:

Now this address would match up with the attempts at trying to get Amaq users to go to a bad squatted address, and this is where I got the malware I mentioned above (details below). The other domains are all interesting in that some have names that are close to such things as the Da’esh magazine “Baqiya”, but others like ad13.de have nothing to do with all that, and in fact ad13 is a much, much older domain. Ad13 was originally created around 2013 and was decommissioned around October 2016, with changes made to the domain in July 2016.

When I started looking up the list.ru address I hit a roadblock for now, but I will keep poking at that because I feel that this person is one of the key players, if not the key player, here. Otherwise there is the usual obfuscation going on with the other addresses out there, and as such I am just going to drop them for now. Instead, I will look at the malware and where it is making calls to, after dumping the IOCs on you all.

Here you go!

IOCs:

Malware:

https://www.hybrid-analysis.com/sample/b641c03fe4334d7c0045db7db70fd7d1c8756ba5a50f35a6ec5257bd533c1630?environmentId=100 –> Malware
https://malwr.com/analysis/OTllNDU5YjNkYzVlNDFhOWI1Yzc2YWY0ZWI3NWY0N2Q/ –> Malware
http://urlquery.net/report.php?id=1490856486148
https://virustotal.com/en/file/379cd2fed583c183fc1c5d1597421642f8e6b15af74ec58348e40ee80f227b25/analysis/1490880990/ —> Malware
https://malwr.com/analysis/ZDgyOWFkYTIwNjdlNGJjOWE2MTMwYjQwYmJmNmRiN2M/

Domains:
https://virustotal.com/en/domain/saitamasinse.com/information/
https://www.threatcrowd.org/domain.php?domain=amqqq.xyz
https://virustotal.com/en/domain/saitamasinsefesa1forall.com/information/
https://virustotal.com/en/domain/saitamasinsefesa1formelol.com/information/
https://virustotal.com/en/domain/fgssaitamasinsefesabgformelol.com/information/
https://www.threatcrowd.org/domain.php?domain=saitamasinse.com
https://www.threatcrowd.org/domain.php?domain=ad13.de
https://www.threatcrowd.org/ip.php?ip=66.85.157.86

Malware:

The malware sample I got from the Amaq .xyz site was named FlashPlayer8x86_x64.exe and downloads as an .apk (Android) file by name obfuscation from the URL. Once run, it attempts to contact several domains and IP addresses for the second stage.
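A check worth running on any “Flash update” that arrives under the wrong extension, added here as an example (this is not code from the original post, and the byte samples are constructed minimal headers, not the real FlashPlayer8x86_x64.exe or .apk): read the file’s magic bytes instead of trusting the name. A Windows PE starts with MZ and has a PE\0\0 signature at the offset stored at 0x3c, an APK is a ZIP (PK\x03\x04) that carries AndroidManifest.xml, and a genuine Flash file starts with FWS, CWS or ZWS. The extension-to-type map and the `check_download` function are assumptions of this example.

```python
"""Tell what a downloaded file really is from its magic bytes and compare that
with what its name claims.  Added example; the byte samples are constructed
minimal headers, not the FlashPlayer8x86_x64.exe / .apk from the story."""
import os
import struct


def identify(data: bytes) -> str:
    """Return 'pe', 'dos-mz', 'apk', 'zip', 'swf', 'elf' or 'unknown'."""
    if data[:2] == b"MZ":
        # DOS header: e_lfanew at 0x3c points at the NT header signature "PE\0\0".
        if len(data) >= 0x40:
            off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[off:off + 4] == b"PE\x00\x00":
                return "pe"
        return "dos-mz"          # MZ stub without a PE header: rare, and a tell
    if data[:4] == b"PK\x03\x04":
        # An APK is a ZIP container; the manifest name is the cheapest discriminator.
        return "apk" if b"AndroidManifest.xml" in data else "zip"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"             # uncompressed / zlib / LZMA Flash
    if data[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


# What each extension promises.  Anything not listed is treated as unknown.
CLAIMS = {".exe": "pe", ".dll": "pe", ".scr": "pe", ".apk": "apk",
          ".zip": "zip", ".swf": "swf"}


def check_download(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with the content; a mismatch is suspicious."""
    ext = os.path.splitext(filename.lower())[1]
    claimed = CLAIMS.get(ext, "unknown")
    actual = identify(data)
    return {"filename": filename, "claimed": claimed, "actual": actual,
            "mismatch": claimed != actual}


# --- constructed samples (not the real files) -----------------------------
def _fake_pe() -> bytes:
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01"  # IMAGE_FILE_MACHINE_I386


def _fake_apk() -> bytes:
    name = b"AndroidManifest.xml"
    # ZIP local file header: sig, version, flags, method, time, date,
    # crc32, compressed size, uncompressed size, name length, extra length
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0, 0, 0, 0,
                       0, 0, 0, len(name), 0) + name


SAMPLE_PE = _fake_pe()
SAMPLE_APK = _fake_apk()
SAMPLE_SWF = b"CWS\x0a" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("FlashPlayer8x86_x64.exe", SAMPLE_PE),
                       ("FlashPlayer8x86_x64.apk", SAMPLE_PE),   # .apk name, PE body
                       ("flash_update.apk", SAMPLE_APK),
                       ("flash_update.exe", SAMPLE_SWF)]:
        print(check_download(name, blob))
```

The point of walking to the PE signature rather than stopping at MZ is that plenty of droppers prepend an MZ stub to something else; the `dos-mz` result is worth a second look on its own.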

These addresses don’t actually have sites on them, so they are just C2, and in the case of the original malware in the Vice piece there was a site with a gate.php address which may have been an IP collection point or a second-stage malware install site. None of these have the gate.php, though, and the fact that this site is still working makes me think that perhaps this was to be the second wave of attacks, had Vice and other sources not reported on the hack. Perhaps, though, because it is still live the hackers plan on another attempt at going back to the well, no?

Overall the sites have been updated recently but have been around a while. The malware is easily detectable by AV and the RAT is old, so was this a real attempt at harvesting, or was this some sort of pranksterism or PSYOP? Frankly, I can see it being either semi-experienced hackers doing this or more astute actors using easily seen malware to perhaps scare users into not looking at the site anymore. That I could track it back so far to the list.ru user says to me that there may be more to this if I dig further, but then I have to be that interested in who may be fucking with Amaq.

The fact of the matter is Da’esh is losing ground, and losing the interest of those who think they are a righteous Caliphate because they are losing ground. The attempts to garner more lone wolves and perpetuate the jihad with these guys have been too plagiaristic for me. Basically Da’esh stole AQAP’s model but carried it off with less style, so once they lose Raqqa they will lose a great deal of cred online, in my opinion. Perhaps then they will be less of a threat in the GWOT in that respect… Maybe not.

Anyway, yeah, these guys are soft targets and not the sharpest tools in the toolbox, so hacking them has never been a challenge. All these insecure PHP sites and their users are easy pickins really, so this is a non-story to me. It is more interesting to me who may be trying to fuck with them, and to determine why exactly. Is this the IC trying to deter them, or is this an OpISIS kind of thing?

I am still deciding…

K.

Written by Krypt3ia

2017/04/03 at 18:42

Posted in CyberFAIL, Da'esh, jihad

أخبار المسلمين akhbar almuslimin: Muslim News


Screenshot from 2016-08-08 12-17-55

Yep, yet another Da’esh darknet site popped up this morning. This one is a rather bare-bones effort that relies on free DynDNS, Tor2web, and links back to things like WordPress, imgur and Cloudflare. The site came up and then went down after the kids from OpISIS came and went. The Cloudflare, though, seemed to help, as well as the Tor2web linkage. As of this writing Cloudflare started to act up and the site was losing bits of itself as I was interrogating it for information.

Anyway, this site is pretty sparse design-wise but has a lot of content to click. As you can see below it is low tek, but the content is brand new. No mention of official ties, but it has the flag in the tab as you can see. All of the links go to external clearnet sites for content, so much of the work is being placed on the clearnet sites that the daeshbags upload shit to, like Mega and the like.

Screenshot from 2016-08-08 12-18-31: Videos from Syria

Screenshot from 2016-08-08 12-21-37: Dabiq 15 linked to clearnet dump

Screenshot from 2016-08-08 12-24-34: Other mags

Screenshot from 2016-08-08 12-24-56: Al Bayan radio streams

Screenshot from 2016-08-08 12-25-51: Martyrs and usual propaganda crap

Screenshot from 2016-08-08 12-26-35: Single page content links

Screenshot from 2016-08-08 14-00-25: Page info

Overall, not much to write home about. The site, I assume, will be down and up for a while, but this just shows you that the daeshbags are trying to get content into the darknet, but they seem to be unable to host it all themselves on a single server. Until they can do this, they will continue to be taken offline pretty easily by the kids.

I will be pulling all the metadata since I have already archived the site in toto with wget… More when I have it.

Dr. K.

–UPDATE–

I ran an OnionScan on this site for all you kids.. Go.. play..

krypt3ia@krypt3ia:~/go$ sudo ./bin/onionscan http://ou7zytv3h2yaosqq.onion/
2016/08/10 12:59:25 Starting Scan of http://ou7zytv3h2yaosqq.onion/
2016/08/10 12:59:25 This might take a few minutes..

————— OnionScan Report —————
High Risk Issues: 0
Medium Risk Issues: 0
Low Risk Issues: 0
Informational Issues: 4

Info: Missing X-Frame-Options HTTP header discovered!
Why this is bad: Provides Clickjacking protection. Values: deny – no rendering within a frame, sameorigin
– no rendering if origin mismatch, allow-from: DOMAIN – allow rendering if framed by frame loaded from DOMAIN
To fix, use X-Frame-Options: deny
Info: Missing X-XSS-Protection HTTP header discovered!
Why this is bad: This header enables the Cross-site scripting (XSS) filter built
into most recent web browsers. It’s usually enabled by default anyway,
so the role of this header is to re-enable the filter for this particular website if it was disabled by the user.
To fix, use X-XSS-Protection: 1; mode=block
Info:  Missing X-Content-Type-Options HTTP header discovered!
Why this is bad: The only defined value, “nosniff”, prevents browsers
from MIME-sniffing a response away from the declared content-type.
This reduces exposure to drive-by download attacks and sites serving user
uploaded content that, by clever naming, could be treated as executable or dynamic HTML files.
To fix, use  X-Content-Type-Options: nosniff
Info: Missing X-Content-Type-Options HTTP header discovered!
Why this is bad: Content Security Policy requires careful tuning and precise definition of the policy.
If enabled, CSP has significant impact on the way browser renders pages (e.g., inline
JavaScript disabled by default and must be explicitly allowed in policy).
CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
To fix, use  Content-Security-Policy: default-src ‘self’
krypt3ia@krypt3ia:~/go$
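The four informational findings above are the same check every time: is the header there or not. The added example below (not OnionScan’s code, and not from the original post) does that check over a response’s header map, adds the other thing a hidden service should care about (headers that fingerprint the stack, like the Server and X-Pingback values whatweb pulled off the Isdarat onion further down this page), and renders the nginx directives that would close the gaps. The header maps are constructed; only the Server and X-Pingback values come from this page. One caveat on the fourth finding: current browsers have dropped the XSS auditor that X-XSS-Protection drove, so it is kept here only for parity with the scan.

```python
"""Audit a response's security headers the way OnionScan's informational checks
do, and flag the fingerprinting headers a hidden service should not send.
Added example, not OnionScan's code or anything from the original post; the
header maps below are constructed from what whatweb/OnionScan show on this page."""

# (header, value to set, why it matters)
REQUIRED = [
    ("X-Frame-Options", "deny", "stops the site being framed (clickjacking)"),
    ("X-Content-Type-Options", "nosniff", "stops MIME-sniffing a response into script/HTML"),
    ("Content-Security-Policy", "default-src 'self'", "blocks injected inline script and foreign loads"),
    # Legacy: OnionScan still flags it, but current browsers removed the XSS auditor;
    # kept only for parity with the scan, it is not a real defence.
    ("X-XSS-Protection", "1; mode=block", "legacy browser XSS filter"),
]

# Headers that name the stack behind the onion (server, CMS, pingback endpoint).
DISCLOSING = ("Server", "X-Powered-By", "X-Pingback", "X-Generator")


def audit_headers(headers: dict) -> dict:
    """headers: name -> value, any case.  Returns the hardening headers that are
    missing and the disclosing headers that are present."""
    present = {k.lower(): v for k, v in headers.items()}
    missing = [(name, value, why) for name, value, why in REQUIRED
               if name.lower() not in present]
    disclosing = [(name, present[name.lower()]) for name in DISCLOSING
                  if name.lower() in present]
    return {"missing": missing, "disclosing": disclosing}


def nginx_fix(findings: dict) -> str:
    """Render nginx directives for the findings.  add_header is not inherited
    into a location{} that sets its own add_header, so place these at the
    level that actually serves the pages."""
    lines = [f'add_header {name} "{value}" always;'
             for name, value, _ in findings["missing"]]
    for name, _ in findings["disclosing"]:
        if name == "Server":
            lines.append("server_tokens off;   # hides the version, still says nginx")
        else:
            # Emitted by the app (WordPress for X-Pingback); strip it at the proxy.
            lines.append(f"fastcgi_hide_header {name};")
    return "\n".join(lines)


# Constructed from the whatweb output on this page: nginx/1.8.0 and an
# x-pingback pointing at xmlrpc.php.  The other values are made up.
OBSERVED = {
    "Server": "nginx/1.8.0",
    "Content-Type": "text/html; charset=UTF-8",
    "Link": "<http://isdratetp4donyfy.onion/?p=1>; rel=shortlink",
    "X-Pingback": "http://isdratetp4donyfy.onion/ar/xmlrpc.php",
}

# The same service with the disclosing headers dropped and the hardening set.
HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "deny",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    f = audit_headers(OBSERVED)
    for name, _, why in f["missing"]:
        print(f"missing {name}: {why}")
    for name, value in f["disclosing"]:
        print(f"discloses {name}: {value}")
    print(nginx_fix(f))
```

The disclosure half matters more for an onion than the hardening half: a version string like nginx/1.8.0 plus a WordPress pingback URL is enough to match the hidden service against a clearnet host that answers the same way.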

Written by Krypt3ia

2016/08/08 at 20:44

Posted in Da'esh, DARKNET

Two More Da’eshbag Darknet Sites Popped Up


Screenshot from 2016-04-29 08:48:34: The Cyber Kahilafah

A couple more daring Da’eshbags have decided that the darknet is the place for them to spread their propaganda. The sites just popped up and aren’t quite finished. The Cyber “Khahilafah” خِلافة “Caliphate” has a total of 5 main pages with links off of those to other internal and external pages. The main page has the following text:

Screenshot from 2016-04-29 10:54:27

Fight in the cause of God those who fight you not transgress Allah loveth not aggressors} Al-Baqarah: 190}

————————————————– ———-

The books you dislike it, and it may be that you dislike a thing which is good for you, and that ye love a thing which is bad for you. Allah knows and you do not know the cow} 216}

————————————————– ———-

Very soon will be open all sections

We hope to collect the largest number of individual wolves

Cyber kahilafah

!Beware no joking here!

Overall this page is really quite simple and reminds me of just about every other page on the darknet (some remnant from Geocities got loose in the darknet and multiplied!); it’s kinda ugly and simple. As the site is not finished there isn’t much to look at right now, but I thought I would archive it and pass it along before the kids hear about it and DD0S the crap out of it or hack the node and take it down. Of course if someone hacks it and somehow gets a raw IP that would be interesting, huh? *hint hint NSA*

Anywho, this site is different from the last one because it is not really pulling a whole lot from the clearnet, and it is certainly not at this time like any of the other jihadi boards out there, but it seems to me that is what they may be aiming at later on down the line. I am sure it won’t be around that long anyway, but it’s amusing to see them try.. OK, on to the data, and further below the second site!

DATA

The sub pages consist of the following headings:

/bomb/

Screenshot from 2016-04-29 10:27:03: with subcategories of /bomb/ for redundancy?

/kafia/

which seems to be a version of keffiyeh, the scarf/headdress common to the region.

Screenshot from 2016-04-29 10:29:21

Both of the downloads fail, and the domains they point to are:

Now the 00-up domain is interesting because it has a long, storied WHOIS history, and the present owner is a Mohammed Ezz out of Egypt according to the data.

Screenshot from 2016-04-29 10:32:08

Screenshot from 2016-04-29 10:33:00: /army/

Screenshot from 2016-04-29 10:44:15: /army/ only has “coming soon” in Arabic on it at the moment

/armyb/

has the following single page with a link (Infantry Mechanisms In Desert Operations)

Screenshot from 2016-04-29 10:45:15

Screenshot from 2016-04-29 10:45:54

The desert operations piece is pretty much a rehash of the desert war tactics from WWII. It’s an interesting read if you are into desert warfare, but I am not sure why they have put this up there because it is specific to the Sahara.

/isdarat/

Isdarat we saw the last time and refers to isdarat.tv so maybe these are the same guys?

Screenshot from 2016-04-29 10:44:15: Another “coming soon” image

/gun/

Screenshot from 2016-04-29 10:51:59

“Kalashnikov Weapon” which links to some videos that don’t work

Screenshot from 2016-04-29 10:53:11

That’s all she wrote for this site. The next one, though, is a stand-alone with the same name as this one but really is just a shingle for the Da’esh Cyber Kahilafah Al Bayan (popular newspaper in the region) radio link. This link is not working, but there were some interesting links that were offshoots to this.

Screenshot from 2016-04-29 09:52:20: Cyber Khaliafa Radio (non-functional)

Now Al Bayan is the radio station that the da’eshbags started when they took over a station in the region. It is on FM and cannot be heard here unless you get it online, thus this page and links. As they are not working, it may be that they only post things or make the link live at certain times. In any case, the links on this page led to the clearnet and some interesting people and places (see below).

Screenshot from 2016-04-29 11:25:43

Screenshot from 2016-04-29 10:10:54

Screenshot from 2016-04-29 10:11:18

Screenshot from 2016-04-29 10:19:22

Screenshot from 2016-04-29 10:21:29

I have yet to try and give a listen, but when I get a working link I will. Until then, you kids have fun with these guys in the darknets! Once again they show that they have some sophistication in being able to set up a Tor site, but then they completely lack the ability to really program it or keep it online. These are not the cyber warriors the media would like you to think they are.

Dr. K.

EDIT: There is a THIRD site, evidently. I have found the “creator” of the site and located yet another page he/she/they are looking to link from. This one will eventually have the bomb-making tutorials for making phone bombs.

Screenshot from 2016-04-29 13:12:15

Written by Krypt3ia

2016/04/29 at 15:28

Posted in Da'esh, DARKNET

isdratetp4donyfy.onion The Da’esh Darknet Propaganda Site: Down But Still Telling Tales


Screenshot from 2015-11-15 16:46:15

The Isdarat Onion and the MoD Address:

After posting my second piece on the da’esh propaganda site in the darknet (Under the Hood) it wasn’t long before the darknet site was down for the count. Interestingly though, before it went down some information could be gleaned as to perhaps its IP address as well as what it was running. I had already mentioned that it was running a WordPress frontend, but behind everything was a bit more interesting. When a whatweb was carried out on the URL it came back with an IP address that on the face of it was just another IP. However, when Googled, the IP had a nice little hit that shed some light on perhaps what may have been going on before I got there.

whatweb -v

http://isdratetp4donyfy.onion/ [200]
http://isdratetp4donyfy.onion [200] Country[RESERVED][ZZ], HTTPServer[nginx/1.8.0], IP[10.213.114.145], UncommonHeaders[link], nginx[1.8.0], x-pingback[http://isdratetp4donyfy.onion/ar/xmlrpc.php]
URL    : http://isdratetp4donyfy.onion
Status : 200
Country ——————————————————————–
Description: Shows the country the IPv4 address belongs to. This uses
the GeoIP IP2Country database from
http://software77.net/geo-ip/. Instructions on updating the
database are in the plugin comments.
String     : RESERVED
Module     : ZZ

HTTPServer —————————————————————–
Description: HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String     : nginx/1.8.0 (from server string)

IP ————————————————————————-
Description: IP address of the target, if available.
String     : 10.213.114.145

UncommonHeaders ————————————————————
Description: Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at http://www.http-stats.com
String     : link (from headers)

nginx ———————————————————————-
Description: Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server. – Homepage: http://nginx.net/
Version    : 1.8.0

x-pingback —————————————————————–
Description: A pingback is one of three types of linkbacks, methods for
Web authors to request notification when somebody links to
one of their documents. This enables authors to keep track
of who is linking to, or referring to their articles. Some
weblog software, such as Movable Type, Serendipity,
WordPress and Telligent Community, support automatic
pingbacks
String     : http://isdratetp4donyfy.onion/ar/xmlrpc.php

Once you Googled the IP address alone you got some usual stuff, but one thing stood out: an index of logs for that IP and another. What was this? Well, it was a site holding the logs for a keylogger by DarkZhyk, a Russian keylogger RAT. So it seems that, as of February 28th 2015, the box that had this IP address at the time had a RAT/keylogger on it. Now, the question is: was this IP a static box that held the onion, or was this somehow the box that the webserver sat on? I really would have to do some more digging, but let’s just leave that for now because it is the second address that is the interesting bit. It seems that 25.154.73.36 belongs to the Ministry of Defence in the U.K.

Screenshot from 2015-11-24 14:42:06

Screenshot from 2015-11-24 14:42:58

Screenshot from 2015-11-24 14:44:25

That’s right kids, in February of this year that IP address cited from that whatweb was logged into by the MoD. Quite the interesting tidbit, huh? I did not poke around the MoD at all, but I have told some peeps to keep their eyes open and maybe wink wink nudge nudge some folks about this. Could this be a sign that the site was already compromised? The box itself compromised? That the MoD knew about this box and already had been inside it? One wonders. I do know, though, that the clearnet RSS feed was a Windows box as well, and in all it took no time whatsoever for the kiddies to take this site down. It’s pretty much as I intimated in the last piece: this site was pretty poorly secured.

So let the games begin!

But wait, there’s more!

Screenshot from 2015-11-25 13_54_33

In the interim, as the site was down, I decided to do all the OSINT work on the players involved. See, unlike Anonymous or goatsec, I actually do research on targets before I do any kind of reporting. In looking at these guys it became clear that not only were their sites all over the place, but also that they are in fact Indonesian in origin. It seems that these guys spend quite a bit of time buying domains anonymously to RSS-feed this shit to the world under the “Isdarat” moniker. Isdarat, by the way, is “to spread” in Arabic, so basically to spread the word, so to speak. While Anonymous has been trying to swat all these sites down, they have just gone back to backup sites as usual, with no real effect on their ability to stream videos and push the propaganda levers for da’esh.

Screenshot from 2015-11-29 12_30_43

http://isdarat.in.hypestat.com/

http://isdarat.xyz.hypestat.com/


http://isdarat.tv.hypestat.com/

http://isdarat.sd.hypestat.com/

http://isdarattv.blogspot.com/

http://isdarat.tumblr.com/

http://isdarat-istube.cf

https://khilafahdaulahislamiyyah.wordpress.com/

http://web.archive.org/web/20150430091539/http://isdarat.in/

http://khilafahtoday.blogspot.no/2015/05/terowongan-tentara-khilafah-menyusup-ke.html

https://plus.google.com/100434261915807680617/posts

https://www.facebook.com/pages/Khilafah-daulah-Islamiyyah/726338634152991

http://www.al-hisbah.com/

Isdarat Admin: http://mig.me/u/isdarat

http://www.muqawamah.net/contact-us/ —————–> redaksi.muqawamah@gmail.com

and… redaski.daulahislamiyyah@gmail.com

Screenshot from 2015-11-29 12_33_40

Screenshot from 2015-11-29 12_31_58

Screenshot from 2015-11-29 12_31_21

Screenshot from 2015-11-29 12_27_28

Screenshot from 2015-11-29 11_56_07

Screenshot from 2015-11-29 11_21_42

Screenshot from 2015-11-29 11_19_14

Yep, these guys are all over the place. So far I have yet to get a lock on any real names. So far all the pseudonyms come back to either nonsense or, in one case, the name of a famous Indo jihadi who died back in 2009. The upshot here is that not too many people talk about the Malay or Indo areas where jihad and da’esh are concerned. These players have been around for a long time, and I used to see a lot of activity by them for AQ. Piradius, the hosting/internet company, was the Mos Eisley of the internet back in the day, and it may be time to circle back to that neck of the woods again and take a look around.

Oh well, I am sure the KDI/daulahislamiyyah guys will be back with main sites again to go along with all the other ones they have hidden around.

Anonymous/goatsec 0

daulahislamiyyah 1

K.

Written by Krypt3ia

2015/11/29 at 21:42

Posted in Da'esh, DARKNET

Daesh Darknet: Under The Hood


Screenshot from 2015-11-15 16:46:15

After having mirrored the new “unofficial” official da’esh darknet site, I have some more insight into who may have done this as well as where the data is coming from. First off, a mea culpa of sorts: this site claims to be the “unofficial” source for the darknet, but they are using feeds from official sources. So really, I guess, unless you really don’t understand da’esh you could say it is unofficial, but the reality is they will claim just about anything as a win and at their behest, so make of that what you will. In either case this site exists, it is using approved da’esh propaganda from Al-Hayat, and thus to me it’s still pretty official.

So back to the under the hood look at this new darknet propaganda tool…

Screenshot from 2015-11-17 08-50-02

Once I started looking at the site code the following became apparent:

  • It’s a WordPress site
  • It’s got a backend feed in the clear
  • It’s a re-hash of a site out on the clearnet called isdarat.tv
  • It’s an amateur job at darknet security

Since this story hit all the news sites, many people called into question whether or not this was a ‘real’ site because… well, I have no idea why people would call it into question, really. Anyway, the fact of the matter is that this was put up by an acolyte of da’esh who at least has enough wherewithal to get a host in the darknet and forward a clearnet feed to it. The fact that they are using WordPress 4.3 is another interesting tidbit. Perhaps they are not the mental geniuses some people, maybe the ones calling this site into question in the first place, might have been thinking. You see kids, these guys are not all mental geniuses, OK? They make mistakes all the time, and most of the time they are rookie stupid ones at that.

That said, here is the data I pulled from the site:

<guid isPermaLink="false">https://185.92.223.109/?p=29759</guid>

inetnum:        185.92.220.0 – 185.92.223.255
netname:        US-CHOOPA-20150320
descr:          Choopa, LLC
country:        FR
org:            ORG-CL301-RIPE
admin-c:        CN3183-RIPE
tech-c:         CN3183-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MAINT-AS20473
mnt-routes:     MAINT-AS20473
mnt-domains:    MNT-CHOOPA
created:        2015-03-20T07:30:59Z
last-modified:  2015-03-30T17:31:46Z
source:         RIPE # Filtered

organisation:   ORG-CL301-RIPE
org-name:       Choopa, LLC
org-type:       LIR
address:        100 Matawan Rd. Suite 420
address:        NJ 07747
address:        Matawan
address:        UNITED STATES
phone:          +19738490500
fax-no:         +17325661268
mnt-ref:        MAINT-AS20473
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
created:        2015-03-19T08:30:22Z
last-modified:  2015-03-23T12:14:27Z
source:         RIPE # Filtered

person:         Choopa Network
address:        100 Matawan Rd. Suite 420 Matawan, NJ 07747
phone:          +1-973-849-0500
nic-hdl:        CN3183-RIPE
mnt-by:         MAINT-AS20473
created:        2015-03-11T16:38:19Z
last-modified:  2015-03-11T16:38:20Z
source:         RIPE # Filtered

As you can see, the site in the clearnet is hosted out of Choopa LLC, which has its HQ in New Jersey. However, when you start to dig on this you also get information that the server actually resides in Amsterdam.
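The whatweb run in the post above and the RSS guid here come down to the same move: look through what the onion actually serves for anything that points back at the clearnet. The added example below (not code from the original posts) does that over a mirror of the site. It extracts IPv4 addresses and URL hostnames, keeps the hosts that are not .onion, and splits the IPs into globally routable ones worth pivoting on and private or otherwise reserved ones (10.0.0.0/8 and the rest of the IANA special-purpose ranges), which whois, search engines and passive DNS cannot say anything about because they are reused inside every network. SAMPLE is constructed from the artefacts quoted on this page; the function names are this example’s own.

```python
"""Pull clearnet pointers out of mirrored hidden-service content: routable IPv4
addresses and non-.onion hostnames, with private/reserved addresses set aside
because nothing public (whois, search engines, passive DNS) can attribute them.
Added example, not code from the original posts; SAMPLE is constructed from
the artefacts quoted on this page."""
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname part of an http(s) URL; the last label must be alphabetic so that a
# bare IP in a URL is left to the IPV4 pattern.
HOST = re.compile(r"https?://([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def classify_ip(text: str) -> str:
    """'routable' if the address is globally reachable; 'reserved' for RFC 1918,
    loopback, link-local, documentation, CGNAT, multicast and the like;
    'invalid' if it does not parse (e.g. 999.1.1.1 matched by the regex)."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "invalid"
    if ip.is_global and not ip.is_multicast:
        return "routable"
    return "reserved"


def find_leaks(text: str) -> dict:
    """Return sorted lists: routable IPs (pivot on these), reserved IPs (note
    them, but they identify nothing outside the host's own network) and
    clearnet hostnames found in URLs."""
    routable, reserved, hosts = set(), set(), set()
    for m in IPV4.finditer(text):
        kind = classify_ip(m.group(0))
        if kind == "routable":
            routable.add(m.group(0))
        elif kind == "reserved":
            reserved.add(m.group(0))
    for m in HOST.finditer(text):
        host = m.group(1).lower()
        if not host.endswith(".onion"):
            hosts.add(host)
    return {"routable": sorted(routable), "reserved": sorted(reserved),
            "hosts": sorted(hosts)}


# Constructed: a few lines of the kind the mirror of the onion site contained,
# built from the guid, x-pingback, whatweb IP and footer link quoted on this page.
SAMPLE = """
<guid isPermaLink="false">https://185.92.223.109/?p=29759</guid>
<link>http://isdratetp4donyfy.onion/ar/2015/11/sample-post/</link>
X-Pingback: http://isdratetp4donyfy.onion/ar/xmlrpc.php
<!-- whatweb: IP[10.213.114.145]  Server: nginx/1.8.0 -->
<a href="http://esdaratreturn.info/">esdaratreturn.info</a>
"""

if __name__ == "__main__":
    for kind, items in find_leaks(SAMPLE).items():
        print(kind, items)
```

Run it over every file wget pulled down, not just the front page: feeds, sitemaps, wp-json output and image URLs are where a WordPress install behind a proxy tends to write its real origin.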

Screenshot from 2015-11-18 08:06:16

Screenshot from 2015-11-18 07:52:23

Either way, the system behind this data feed is in fact a Windows box and could be vulnerable to some attacks, as you can see from this Nmap:

Nmap scan report for 185.92.223.109.vultr.com (185.92.223.109) ———-> vultr.com is a virtual hosting provider connected to Choopa
Host is up (0.11s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
139/tcp  filtered netbios-ssn
443/tcp  open     https
445/tcp  filtered microsoft-ds
1720/tcp filtered H.323/Q.931

All this data leads me to believe that the end user can be tracked down easily enough by authorities, but I also think that without that, I can still track down who set this up without having to attack an onion site like the FBI. Besides, I don’t have a million dollars to give to a university to deanonymize anything. So let’s look at it from another angle. When you look at the onion site, if you look carefully, at the bottom right corner of the pages you see the following address: esdaratreturn.info. Let’s have a closer look at that and see what we find, shall we?

ESDARATRETURN.INFO

EsdaratReturn is a re-spelling of “Isdarat”, which was a site put together by da’eshbags in the past to be the alternative to YouTube, as you can see below. This site is presently offline, it seems, and my guess is that this person(s) wanted to rekindle that flame in the darknet because their site went boom boom. Isdarat started in May, it seems, and I am not fully up to speed on its history. That will be for my next blog post. I plan on continuing the backtrace to accounts on Twitter that mentioned not only Isdarat but also esdarat. Once I backtrack, I believe I will be able to come up with the who, and more of the why, this site came to be in the darknet.

Screenshot from 2015-11-18 08:24:58

In the meantime though, I suspect that this post will cause a stir in the jimmies, not only for the creator of the onion site but also for all those keen watchers out there who wanna take things down, like esdarat or isdarat or whatever shingle the daeshbags hang to serve their propaganda from. Since the RSS box is in the clearnet and the content seems to be coming from Google, I expect to see a site in the darknet soon without any real content on it, if you know what I mean… Have fun kids!

Make it so.

K.

UPDATE: Seems the daeshbag onion has fallen down and gone boom already!

Screenshot from 2015-11-18 09:49:24

UPDATE 2 11/23/2015

Now both of the sites are down. The onion site and the backend RSS in the clearnet.

Fall down… Go boom.

Written by Krypt3ia

2015/11/18 at 13:57

Posted in Da'esh, DARKNET

The First Official Da’esh DARKNET Bulletin Board Has Arrived


Screenshot from 2015-11-15 16:46:15

The Al-Hayat media group (daesh) has posted a link and explanation on how to get to their new darknet site today on the Shamikh forum (jihadi bulletin board in the clearnet) and linked it to Twitter as well to search for how-to’s and links.

بسم الله الرحمن الرحيم نظراً للتضييق الشديد على موقع #إصدارات_الخلافة بحيث أنه يتم حذف أي نطاق جديد بعد نشره نعلن إنطلاق الموقع على “Dark web” *وسيعمل لمُستخدمي الTor وللمستخدمين العاديين رابط مستخدمي الTor : XXXXXXXXXX رابط المستخدمين العاديين : XXXXXXX ونعدكم بأننا مستمرون فى مُحاولة الحصول على نطاق جديد عادي وسننشره إن شاء الله عند الحصول عليه بجانب نطاق الTor {ولله العزة ولرسوله وللمؤمنين}

(Translation: In the name of God, the Most Gracious, the Most Merciful. Given the severe restriction on the site #Isdarat_al-Khilafah, such that any new domain is deleted after it is published, we announce the launch of the site on the “Dark web”, and it will work for Tor users and for regular users. Tor users’ link: XXXXXXXXXX. Regular users’ link: XXXXXXX. And we promise you that we are continuing to try to obtain a new regular domain, and we will publish it, God willing, when we get it, alongside the Tor domain. {And to God belongs honor, and to His Messenger, and to the believers})

I have redacted the site from the post, but the right people are in the know now as to the location. The site mirrors many of the other standard bulletin boards that the jihadis have had over the years, replete with videos and sections in all languages. Given that this site has popped up today in the darknet just after the attacks in Paris, one has to assume that an all-out media blitz is spinning up by Al-Hayat to capitalize on the situation.

Screenshot from 2015-11-15 17:44:23

As you can see from the picture here, they have also included their (semi) new encrypted chat/messaging program of choice (Telegram), which they used in their claim on the Paris attacks. There are several accounts, as well as other new ones I have seen popping up on jihadi Twitter accounts as well as Facebook. The rub in this Telegram service is that it is run by ex-pat Russians.

(correction: the Russian government has no control, it seems, over the owners, and the physical location of the company is Germany. Also, in the time since the original post here they have started to drop accounts that daesh were using for propaganda)

Oddly enough, today POTUS met with Vladimir Putin for about thirty minutes to have a serious discussion about Syria and the Paris attacks. I would like to see Putin and the FSB do a little work on the Telegram company to get some intel, but yeah, then it strays into that whole privacy thing that we are all upset about. It’s a hard game to play, and unfortunately with da’esh using this it will be hard to break.

Another problematic thing about da’esh now having a real site in the darknet is that all the videos and files that they want to upload and have users access will also be in some backend on the darknet. This means that trying to intercept them or tamper with the supply chain is going to be all the harder. Of course, given the recent turn of events with the exploit against the darknet by UM and the FBI, this all may be moot enough if they employ their new attack against this site. I would expect that soon this site will be attacked anyway by various players, and in the end may be exposed for backend IP addresses, and raids thereafter.

The site is still being explored and mirrored so once I have more on it I will post.

K.

Written by Krypt3ia

2015/11/15 at 23:56

Posted in Da'esh, DARKNET

No, Juny Was Not Whacked Because He Was A Hacker


1488

With the alleged death of Juny “AbuHussain Al Britani” Hussain at the local Gas-N-Sip in Raqqa has come the steady stream of self-serving headlines and leading questions from the media and the hacking community. I am here to stop you right now and tell you to cut the shit out and read more about what is going on with Da’esh and just who Juny was. The fact of the matter is that Juny was a recruiter as well as an instigator who was directly tied to the Garland shootings, because he was on Twitter exhorting those fucktards into action.

Juny as a hacker is a separate story, and one that at some times shows he had some talents, but overall once he left for Syria he was fuck all as a hacker or part of the alleged “cyber caliphate”. In fact, if you really look at the alleged hacks by the Caliphate there is not much to look at really. The DOD/Pentagon emails and the open-sourced intelligence that was often wrong on military members was all low-level fuckery and not a clear and present danger to the West. No, it was not the hacking that made him an HVT on the US and British lists; it was that he was someone these shitheads look up to and was an avowed Da’eshbag who was ‘in country’ and fighting with Da’esh.

That is why they killed him with a Hellfire fired from a drone. It was not because he was a hacker, and for fuck’s sake stop it with the “Ermegerd hackers are now targets of drones!” self-important bullshit.

So please stop it with all the bullshit that he was an HVT that we really really wanted because he hacked. The reality is he was an HVT, but he was also a target of opportunity as well. Another thing to note is that the stories also all cite “anonymous intelligence sources” and the like. That is a euphemism for the government wanting to claim a win and have it all look good. I am still going by the axiom of ‘DNA or it didn’t happen’. So far Umm Britani has said he is not dead, and there has not been a host of shahidi bullshit videos and poems on the boards or anywhere else online. Perhaps we all are waiting to see some proof here, but for fuck’s sake, hackers, hacker media, and news media in general.

Cut it the fuck out. He was an unlawful combatant in country, in the alleged Caliphate and a mouthpiece for Da’esh. It’s as simple as that.

K.

Written by Krypt3ia

2015/08/28 at 10:37

Posted in .gov, .mil, Da'esh