(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Malware’ Category

Create NEW Ransomware: Darknet Site Ransomware Scheme

leave a comment »

Surfing the darknet as I do, I came across this little gem of a site today. The idea here is that you can share in the bitcoin ransom by entering your wallet address and then getting a download of the malware to deploy wherever you like. This seems like a ponzi scheme to me where you offer a great reward for a little action and in the end you get ripped off but ok, let’s run with it. The site is in the darknet and I am not sure if or how they are publishing this site elsewhere so people can find it and use it. I must say though that the site is more complete than I thought it would be once you start to dig and the ransomware is new to me as well as it seems to be to VT and Hybrid.

So yeah, I decided to play along and I used someone’s wallet to start the process here. Who’s wallet you ask? Well this guy’s wallet will do since he has never had anything in it. So it’s fairly simple, you put in the wallet address then solve the captcha and lo and behold you download the ransomware. I also decided to see if I put in an alternate wallet address would I get another hashed file, and yes, yes I did. I only changed the wallet address by one letter (a) and got a new file that I uploaded to VT after the first one.


Upon upload to VT and Hybrid I get hits on the major players and the designation of the malware is of course ransomware but you choose the name you like because there are too many per the AV firms (please stop this)…

So yeah, the ransomware is not so stealth and likely anyone with current AV will have some intervention one hopes …But how many really keep their AV up to date and working?


Anyway, I uploaded it to Hybrid and got the following report and the second with the second sample here


The malware reaches out to the darknet via .casa online bridge to the darknets. Once you plug in that address you get the Qrypter site frontend. This site is your C&C ostensibly to track your malware and your bitcoin “donations” from the poor sods who get the malware. The unfortunate bit is that when you go to the url that is in the malware you get the following sad news:

OH NOES! Are you smelling a scam? Cuz I am kinda smelling a scam here now…

Anywho, the interesting bit for the site itself is that it has a display on how many AV vendors are seeing the malware and as of today it’s… Wrong?

Mmmmmmyeaahhhh no, I see 14 vendors seeing this as malware and I have just added to the hash pile by uploading my samples here so that is likely to get even more detected as the day passes on. So, this is an interesting turn in malware as a service, or in this case Ransomware As A Service (RAAS) as I have seen out there on the net. I have captured the whole site in the darknet and I will be spending some more cycles on the malware later on so updates will likely follow on this post. For now though, just enjoy the novelty and the derp.



UPDATE: This is evidently a new replay of something seen in 2017

Written by Krypt3ia

2018/02/19 at 15:49

Posted in DARKNET, Malware, Ransomware

Halloware Ransomware On Sale Now

leave a comment »


I was paging through the new sites on the darknet from the spider and this page popped up. Upon opening it I saw the evil clown and thought RED ROOM but instead it’s a site offering a new-ish ransomware package by a person(s) calling themselves TNCYBERSQUAD or as I later found out a Turk with the handle of LUC1F3R. So the site says you can buy this new and undetected malware for a mere 40 bucks lifetime! They even give a scan on nodistribute that shows the executable not being detected by any of the AV vendors out there now. I poked around the site and checked the page listed in the clown image and found that their landing page for collection on their ransom is not fully operational. I could not get the link to their bitcoin system to work nor would the site render all the images either.

I expanded my search to see if I could use the hash from the nodistribute session and got no love at all on this. Of course the exe and the hash are brand new with the actual dates on the testing and the offerings for this malware being from 11/30 to today. The only problem I have with this is that I cannot verify the sample as something that would not be seen as clean because the hash, when searched turns up absolutely nothing and the executable is not on offer unless you pay them as well as email them. So, this file could be just a lot of nothing in an attempt to scam people into dropping 40 bucks and getting nada.

MD5 HASH: b01230be6e42bf7210ce244ca493a697

I actually put a cutout address into the email on the page and hit send and as yet I have nothing back from luc1f3r at all. In the interim though, I started looking outside the darknet for more and I found some interesting tidbits. First of which is that when you start looking for Halloware you come up with some YouTube videos and links to a site that this seems to have first been posted as a free download. The file downloaded is not the same as the one offered in the darknet and when run in VT comes up as a trojan.

This site is pretty open to just giving up contacts and the malware so I think this is just proof of concept and now they have moved on to application and monetization. I may go down the rabbit hole more on the email addresses and other details there but for now I don’t see this ransomware as a real threat to much of anybody unless the sample gets out and is then used by the masses. When I began looking at the code of the darknet site and links in other places I came up with another site outside the darknet that mirrors the hidden site but has some interesting code.

These guys are collecting IP addresses too

Aanyway, I watched all the YouTube videos and basically Luc1fer shows how you can hide the malware as a file etc in broken english on a text pad. He show’s an IP address too and generally has crappy OPSEC.



All of this stuff seems predicated on a python script and some manipulation so I am not sure how they claim there is no programming knowledge needed to create the malware but ok dude. I know that ransomware is all the rage but honestly this one seems kinda weak and maybe just a scam. I will keep an eye out for another sample though. Until then you may all want to take that hashes from VT I pasted in above and add it to your systems to detect it. Luc1fer made the rounds today offering the malware and the darknet link on a bunch of shops so maybe people will take em up on it and send out a blast.

I will update if I see more.

Have fun!


Written by Krypt3ia

2017/12/01 at 18:16

Posted in Malware, Ransomware

Trump Domains Hacked and Shadow Subdomains

leave a comment »

Well now, the worm is turning on our old friend trunip ain’t it? It seems that something I was playing with back last April should have dug deeper I guess because today Mother Jones put up a post on how Donny’s domains had shadow subdomains that all pointed to Russia! Of course in the interim since the post went public two things happened. One, Donny and his people said “We ain’t been hacked! We have the BEST security! Nothing to see here!” and then rather rapidly. some of the domains started to go down and be unreachable on the tubes today! Well, I did some more digging after reading this Mother Jones post and while I was not seeing the same IP addresses used in the stuff that was posted today, the malware I was seeing back in April still had some commonalities to ranges in the same region of the world.

Back in 2014 Trump was hacked and credit cards were stolen by the attackers. It seems though that perhaps it wasn’t only credit cards that were hacked but also a persistence to the network may have occurred as well as access to the Trump domains registrar as well. In the Mother Jones piece they show how sub domains or “shadow” domains had been created with interesting domain names that usually involved random letters. These domains, once you start looking at them show a couple of things. First off, that these domains were all created under the Trump umbrella’s account and second the IP’s that these pointed to resided in Russia. In looking at these domains myself I noted a few other interesting factoids that I will share here for context.

First off, the hackers used the same registrar as Donny did (more likely his minions) using the “Trump General Counsel” moniker as the owner of the domains;

These domains were registered with Godaddy and then pointed to other IP addresses later on. Also, the sample I just pulled randomly show both being created in 2009 on 5/22/2009 to be precise. So the question for me is this, were these created by the trump org themselves as a means of stopping domain squatting or were they owned (Trump networks) earlier than we assumed from the article by Mother Jones? It is kinda of hard for me to think that Trump and his org would have been creating such domains as to prevent squatting. Trump ain’t the sharpest marble on the internets and certainly Barron wasn’t an uber hacker back then right? Curiouser and Curiouser, but maybe they were being overly litigious and decided to take up all the permutations right?

So, looking at the IP addresses that the domains were pointing to also adds some interesting context here…

When the domains were created they sat on Godaddy from 2009 to 2013 when the IP changes. In the case of both of these domains on GoDaddy, the IP has a long storied history of having bad actors attached to it.

…But that is GoDaddy for ya right? They aren’t the cleanest of the orgs out there so meh. However, in 2013 the IP was redirected as Mother Jones showed to another IP; which is also a GoDaddy IP. Now, looking at this IP in VT and in ThreatCrowd, you can see it also has a pretty dirty history as well.

So was the change made by Trump or Godaddy? Or was this change made by the actors in 2013 to a host they owned in Godaddy? Now historically I am not able to see the malware history for the IP or the domain name for 2013, which would be a nice feature for VT and Threatcrowd to offer right? Anyway, the point is not all of the addresses were pointed to the Russian addresses in the Mother Jones piece. Over the whole of the domain space it is likely that the IP’s used by the actors who had access to the Trump registrar account were not only focused on the Russia space as C2’s go. In fact the second sample I pulled also was changed to another GoDaddy IP as well that has some dirty history as well.

So maybe these were moves by the trump org or maybe it was the attackers moving these around per their needs for each campaign? Inasmuch as I can tell many of these domains never had sites attached to them and were in fact just parked domains. However, in the case of I see a lot of action moving this around the globe for IP pointers over the years. So what is the deal with that? Looking at the Wayback Machine for this domain shows the following activity over the years.

It’s been parked since inception but that parked page has some redirects and popups to potential scams. What does this all mean? Well, that Trump has not been paying attention to his domains and that what has been laid out is exactly the case. The only thing I can maybe say is that the activities have been going on longer than we are led to believe in the Mother Jones piece from the samples of IP changes I have seen in Domain Tools. If that is the case what else has been going on with Trump domains and perhaps their internal networks?

See, this is the question that the Trump admin will not want to touch with a very long poll but it may also lend credence to the DNS stuff that was happening with the Alpha servers as well. If there was traffic going on that was amiss, and it was perhaps as others suggest, spam traffic, then maybe it was indeed the same actor using their domains and network systems to route traffic and not a secret plot against America huh? We do know that Trump Hotels had been popped back in 2014/2015 as they have admitted it. What we really don’t have any idea of was the level of compromise that occurred and just whether or not they were able to get them out of the network. What I am seeing here is that maybe they did not and in fact the adversaries used them for even more things.. And it may still be going on.

Imagine that kids… Trumps networks owned and he may still be using them for things while in the White House?


Just remember that Ivanka and Jarred were using that secret email server on that personal domain too!

Anyway, there are over 3k domains and I am not spending all that time on all of them to track the IP changes over the years. Others can do all that leg work if they want to. For me, this just shows that there may be much more that has happened with Trump networks and domains than we are aware of. Russian IP space does not imply KGB or GRU access but let’s just spin it this way; We know that the Russians use the criminal hacker groups to do their work as well as the actual operators from KGB and GRU so there is that. If the actors using these shadow domains for malware deployment, they may also have used them for other activities right? Maybe propaganda spam? Other stuff? Who really knows right?

As for the malware involved with the cited IP’s and urls we see .zip files that only are seen by one or two vendors on VT (Kaspersky being the one continually) I am told that the files were in fact not zip files but jar files and java infrastructure to deploy malware. Which malware? Well, no one really knows at the present time that I am ware of. I could not get a sample of the alleged zip files and all the domains were non responsive and not in Wayback Machine to gather so there is that. It could be that these guys were using this infrastructure for Locky or they could have been passing out RAT’s so until we have some solid telemetry and samples it is once again, hard to say what went down. The interesting bit is that most of the RU I space I looked at all had stuff going on last August.

Just in the middle of the election huh?


Welp, I am done looking at this for now. You kids have a look and lemme know what you all see. Just remember to ask this one question; “Just how compromised are Donny’s networks today?”


Written by Krypt3ia

2017/11/03 at 15:12

Posted in Malware, TRUMP

Eugene and the DoD

leave a comment »

Da! Let me share you this blog on Eugene! Look, this whole kerfuffle over Eugene and the DoD has reached epic douchery in the news and now with the Putin administration threating “actions” against the US if they somehow embargo Eugene’s business. Well, let me first start with this little ditty below.. Go ahead, read it…

Ok done? Yeah, Eugene was in the KGB school and he worked for the GRU too according to the Wiki page here. What this means is that Eugene is a “former” made man of the KGB and Military Intelligence apparatus in Russia. He lived in the times when it was the Soviet Union and at the height of the times where the cold war was in a deep freeze. Fuck, just go watch The Amerikans and then come back… I will be waiting…

Ok watched them all have we? So now you know how it was to live in the 80’s huh? Well there you have it. Anyway, Eugene was a member of the organizations that have recently hacked us. What? You are saying it’s the FSB now and it isn’t the KGB?

Fuck you.

FSB is KGB with different letters at the front now ok? If you actually read up a bit you will see that Putin actually gave back the powers that the KGB had back in the day recently so once again they are functioning much like the old bad days as the KGB. Putin as well is an old school KGB man who has used all kinds of KGB fuckery to get where he is and stay there so once again, you say FSB, I say; Fuck. You.

Right, so now back to the present unpleasantness, it seems that Eugene is now offering a code evaluation by anyone who wants to (specifically the DoD) so pretty pretty please buy our shit? Look, it’s not about the code, we don’t necessarily think there are backdoor’s in the product now. No, what the worry is consists of that close snookums relationship Eugene had with the TWO entities that just hacked our election in 2016. Come on people, no one leaves the KGB and certainly NO ONE says NO to Putin right?

Imagine that Eugene’s software is clean as a whistle.

Now imagine that it is sitting on many USGOV and MIL systems.

Now imagine that all that telemetry from those systems is going to RUSSIA.

Then alternatively consider that with all those systems running Eugene’s product, how easy it would be to say, inject a malware or a protocol into all of it to do… “Things”

Think about that hacker kids.

Think about that you spies too.

You all see where I am going with this right? Now of course you could maybe do that with another vendor too but how much more work would it be to do that with Symantec? What I am saying is that Eugene lives in Russia, his assets are there, his LIFE is there and if Putin were to sidle up and say “do this thing” what choice would he have? JESUS FUCK PEOPLE! You know who the next randomly dead Russian would be right Eugene?

So, all this fuckery around the code and exploits etc… Stop. It’s really about access and what could happen in a place where we have seen pretty nakedly what Putin wants and does. So no, the DoD should not have Kaspersky products on their shit. I would be really surprised if they did given where it is made and managed… But then again, I think about all those SF86’s and China and… Fuck….

So there you have it. We are in another hot cold war with a Putichurian candidate in office. Do you really think we need the trifecta of Eugene’s access potential to be expanded to the military?

Yeah neither do I.


Written by Krypt3ia

2017/07/03 at 16:38

Nyetya, Being Downrange, and Active Measure Campaigns in Ukraine

with 2 comments


While all the AV/TI/INFOSEC firms have been masturbating to the latest outbreak of systems degrading malware, I have been sitting back after insuring that my environment has not been hit nor anyone connected to it. Since the reversal’s and the inevitable attribution fuckery cycle has spun up I have been pondering things outside the usual whodunnit. Lesley Carhart had a good post on why one should worry about such attacks and this kind of malware that people should read, I want to go a different route. What I want to talk about is motivation and with that motivation, yes, who is more likely to have carried out the attack. In this case we have yet another piece of malware that was either well coded or poorly coded depending on who you talk to. It was targeted or not targeted depending on who wants to sell you a service too. Well, I have nothing to sell you all, I just want to point out some interesting things regarding the whole mess.

The one simple fact that the malware used a Ukrainian tax software (MEDoc) as the means of initial attack is telling. The time-line on this also pretty much shows (and I experienced this from messages to me the day of the incident) that Ukraine was patient zero. By looking at the image below from the linked page you can see that a great swath of Ukrainian infrastructure was hit on the 27th. Coinciding with this malware attack later in the day several military and government individuals were assassinated in Ukraine as well. Are you starting to see a pattern here?

Recently Wired had a big article on how some in the security community had been feeling that Ukraine was the testbed for Russian active measures in the cyber warfare battle space and this is something I agree with. They have been using active measures of this nature for some time. In fact I actually located some malware in dumps of the Russian media company created by Putin to be a propaganda and intelligence wing for Russia in the region last year. The attacks on the Ukrainian elections as well as the electrical grid now twice by “unknown actors” (Russia) (insert stupid code name from TI firm HERE) have shown just how willing the Russians are to use such technologies in the region. Understanding what they are doing though needs more than the myopia of reverse engineers and sales people in the security space to impart that to you so I will put it plainly here for you;

  • Russia is carrying out an all out war against Ukraine and they are now using the means to an end of malware to deny, degrade, and deter the Ukrainian people and their government from being their own.
  • Russia’s use of these malware attacks have a secondary but important function psychologically to bolster the idea that the Ukrainian government cannot protect itself nor its people
  • Russia’s use of these kinds of measures is just another part of the playbook to add to the battle-space

The Russians get the advantage of using these techniques on Ukraine and no one is stopping them. They get  the advantage of a smaller state infrastructure to attack which means more amplification of the effects on the populace as well. In larger states it is harder to carry these out and obviously would take much more effort. In fact, in the case of the Russian meddling in the US elections last year, one can see how much effort it took on the Russians part to carry out the attacks but as well, how a larger and diffused infrastructure gives varying levels of returns. Alas, for poor Ukraine you can see just how effective at degrading and perhaps disenfranchising the general populace can be with such attacks on their infrastructure. I heard one comment from a Ukrainian that just bespoke their resignation to the interruptions as they happen so much. All of this though, demoralizes the population and in the case of Ukraine, since the Maidan event, they have fought hard to stay free and that is why Russia is ramping up their attacks.

So yeah, my money is on Russia and I will stick with Occam’s razor on that one. Now, on other thoughts about this malware and Wannacry I just have to once again muse about how we have now reached a place where malware is reaching parity with bio weapons. I say this in the sense that malware like Nyetya and Wannacry both had unintended consequences once released either willfully for by accident. They broke out of their cages, their battle-spaces, and began to infect the populace globally. Instead of having some poor shmuck getting on a plane and infecting the world, we now have malware that is either scanning the net for clients to attack or being sent out and then forwarded by accident (or on purpose) by actors. Could some of the infection vectors and trajectories be chaff to obscure the real targets? Sure, but I think in these last two cases the attackers perhaps did not take into account the interconnectedness of the world today.

….Or that’s exactly what the counted on…

Anyway, those are my thoughts on the subject. We are at a crossroads where malware like this can cause headaches but in the end, the world did not end did it?

Did I miss it?


EDIT: I also failed to mention that this attack took place one day before their Consitution Day, ya know that thing where they proclaim they are not a part of Russia. Mmmmmyeah…

Wednesday June 28 Constitution Day Marks the signing of the Constitution of Ukraine in 1996


Written by Krypt3ia

2017/06/30 at 14:13


leave a comment »

Continuing on the hot topic of the month I had some thoughts about WannaCry’s infection vector and heat maps that I have been seeing all over the place. I wanted to see who patient zero may be and having played many a game of Pandemic, I thought maybe this approach might yield something of use. In looking online I found only two heat maps that give a timeline that shows what may be patient zero’s location(s) but in doing this research I cam to the conclusion that this may be impossible without the help of all of the AV vendors out there. When trying to ascertain who may be patient and country zero for this malware it becomes apparent that you have to rely on various vendors who may or may not have seen the malware with their products. So far I have Malwarebytes timeline and Symantec. Now, given that Symantec has a larger market share I will go with them for the base assessment of patient zero on Wannacry but if the other vendors want to kick on and give a timeline for each of their products seeing infections I would welcome the data.

Since Wannacry traversed the net via SMB attacks (ETERNALBLUE and DOUBLE PULSAR) it may be possible to see just who was infected first and just maybe, get a lock on where that SMB connection came from. This might help the investigations into who did this at least nominally because one would assume the adversary used a proxy box or some other obfuscation to launch the initial attack… Unless, they are inept n00bs that is, so maybe something could come of this line of investigation. Anyway, the best timeline(s) I saw were Malwarebytes and Symantec as I said above. Here are the findings of those two companies telemetry;

Malwarebytes has the first infection in Russia.

Symantec see’s the first infection vector in Thailand.

Which is correct? Are either of them right? I am not able to be sure but, given at least the market share of Symantec both legally and illegally, I would be looking to Thailand as the potential patient zero here. Now, in talking to people on Twitter about this someone (@Tinkersec) notes that there is IP space in Thailand that starts with so there is the possibility according to his theory, that a scripted scan looking for 445 open on the internet could have just hit on those addresses because the script started scanning at say (or to which I can grok. Either way, if Thailand was patient Zero, and that IP space for Thailand Chiang Rai Tot Public Company Limited, an telco in Thailand.

This line of thought is quite possible and I like it (thanks Tink!) it would explain the rando Thailand hit as the first infections started to show up. Now, how though would this work if not for some scripted mass-scan? Well, someone would either have to be phished on a very small targeted scale to start this or the malware was physically implanted in a network and set free. So far I am not seeing too much talk about how this thing all started so I would like to put all this out there as a possible explanation as to the how. I am not aiming at the who because right now it is a festival of attribution out there and my opinion of that is low. The how is more important and in fact could lead to the who if the gumshoe work is done properly.

Still, I would like more data… Anyone from said AV vendors care to speak up?


EDIT: Someone just mentioned passive DNS too on the killswitch site. Say, anyone in the DNS world wanna stop talking about Trumps servers and weigh in on Wannacry telemetry?

Written by Krypt3ia

2017/05/24 at 12:48

Posted in EPIDEMIOLOGY, Malware

WannaCrypt0r Roundup

leave a comment »

So last weekend and this week have been fun times in INFOSEC am I right or am I right? When Wannacry started making the rounds on Twitter I knew pretty much then and there I just likely lost my weekend to the derp of yet another ransomware distro. Luckily for me though, I forced my org to “do the things” on patching etc where the Shadowbrokers dump was concerned. So at the end of the day we came through the weekend unscathed by WannaCry yay me! However, in looking at the Twitter feed and Hyrbid/VT pages I began to worry that soon enough this malware would come at us all not just by worming through the net but also from phish waves. Today was the first day I have seen someone trying to at least possibly send a phish wave using a popped box in Egypt with the WannaCry.exe for download so hang on kids, you may well be seeing this as well and if you have not patched your shit and have old 2003/Xp your days may get to be like the end times that others around the globe have had since last Friday.

In the meantime though, I began looking at all the malware C2’s and exploits and notice a couple things. First off I kept seeing two IP addresses tied to the IPC$ in the binary/memory of the malware. I began to look for these addresses and while I surmised the 192.168 address was a off the shelf home router, the other maybe was something else. After some searches I came to the conclusion that this was another non routable address but that it may belong to an org or another off the shelf router of some kind.

With a little more looking I had thought that I had come up with the answer. It was some default IP scheme for a GSM gateway or some internal network somewhere in the world like China (found an F-5 with that scheme) but then I hit upon one last hit that suddenly appeared from a blog post by ZeroSum0X0. The post on Github was 6 days ago and that places it before the malware started to make the rounds. One day before the malware started burning through NHS I think if the reports are right from the news. Now this really has piqued my interest because if this IP and system belong to the blog poster or who they work with, then maybe the exploit was cribbed by the malware cabal to use EternalBlue. The poster (ZeroSum) seems to work for Rapid7 and Rapid7 was working on deploying the code for EternalBlue for Metasploit.

I reached out to ZeroSum on Twitter but nothing back so far. Coincidentally the code for the EternalBlue exploit was deployed this afternoon (as of this writing about an hour ago) to Metasploit. Now, the question I have is about this IP/System call that is in all the malware out there. Was this IP/system in the original binary that was pulled apart by ZeroSum from EternalBlue or was this an internal system that was being used to make the code work in some way? That it is directly in the post and that is a day before the great conflagration, I have to wonder. I would love for someone at R7 or Zero to let me know what the deal is with this. I mean, did someone steal the exploit code from you guys and deploy it after you got it working or, was this in the binary already? This is kind of a keystone to many questions concerning who may have created and deployed this malware as I see it.

The argument goes like this….

  1. The WannaCry campaign was carried out by criminals looking to score big money
  2. The WannaCry campaign was carried out by nation state actors (Lazarus Group/DPRK? Russia?)
  • Well, if it was just a criminal gang then did they reverse the binary and make this thing work? If they did then is that an internal IP that they used and forgot to sanitize from the code?
  • Well, if the nation state actors who potentially stole the exploits in the first place had to steal the actual working exploit from R7 then just how good are these guys anyway? It seems that there have been some other mistakes in coding as well that lead to snafoo’s with the bitcoin wallets as well so…

You see where I am going with this right?

Now, I had said from the beginning that this attack did not feel like it was about the money and the low numbers in the wallets kind of bears that out in my mind. However, there are some inconsistencies here and that IP/System in there makes me wonder some more especially when I see the same string in the code tied to R7’s work that was released today. If the code did in fact get cribbed from ZeroSum and by proxy R7 that does not bode well in the PR department for companies that do this kind of work (metasploit etc pentest tool vendors and creators) does it? It is kind of akin to leaving that hand grenade in front of the toddler right?

So, if R7/ZeroSum could respond to this little factoid it would be great. All of this also may bear some significance on the attempts at attribution that are flying about the news and Twittersphere right now where this attack is concerned. Frankly this all could have been much much worse had the coders thought to make domains that could not possibly be on the internet as kill switches. Kinda like this one I think (see below) that has been making the rounds in Hybrid and VT.

No kill switch and no way to sinkhole it would be a lot more devastating right? Of course the whole thing about the killswitch being there in the first place has a lot of people wondering. Then, there is the whole shadowbrokers foolery with the post last night they made. They are now claiming to have much more and will parse it all out in coming months…

Interesting times…

Ok.. Off to the deck for sun.



Well, I made some connections and had a chance to DM with someone from R7. For the record ZeroSum does not work for R7 he works for another company but is a contributor to Metasploit. R7 as of yesterday was trying to get a hold of ZeroSum to ask how that IP with IPC$ got in there and where it came from in the first place. As of this writing I have not heard back from them.

Tuesday when I posted this I connected with ZeroSum and he said someone else would email me….

I have no email.

In the interim the page that I located the IPC$ code snippet is no longer there. The page has been redacted. It also turns out that Malware Unicorn made a comment about the malware seeming to have been using Metasploit framework code for deployment of the exploit (DoublePulsar) and has since redacted that page as well…

Screenshot from 2017-05-18 16-00-52

So here’s my thing… Was the code snippet taken before the malware was launched and kluged into the wannacry malware to make it work? Was that code taken from the Zerosum git page on the day before or before that and then implemented by the wannacry authors? This would seem to be something logical given the hints I have seen with regard to that IPC$ and non route-able IP address. Was this an IP inside the networks where this code was being tested and perfected?

In essence, did someone fuck up and place code on the net for research that in turn was used by the adversaries to make Wannacry work and launch it into the wild?

I ask this because of the time table here and the events since that lead me to believe this is the case. I cannot say for sure because no one has given me any information to counter this belief. No one is saying much of anything other than R7 saying they are looking into it (which I know they are in reality) so I believe them.

So, it’s either this code and the telemetry from it were in an original sample of the malware that maybe ZeroSum had BEFORE the outbreak and was reversing to use to make the git posts and get the metasploit deployment working or this code maybe was cribbed by the malware creators and used to global effect.

Which is it?

Of course all of this also paints a new picture on attribution right? If LAZARUS is the culprit (a theory I do not ascribe to) then why  would they hang around this git to grab code? These guys should have had the time to fully reverse this stuff and make it workable for them. It is my opinion either there is EPIC obfuscation going on here to make it look as though it is LAZARUS or that LAZARUS is deliberately trying to look inept and throw investigators off the trail. This information though, if true and can be verified might lead to some more breadcrumbs.

I look forward to some more light on this.


UPDATE II: Response from RiskSense


The Metasploit module for the EternalBlue vulnerability was developed by community contributors, zerosum0x0 and JennaMagius, security researchers at RiskSense, a provider of pro-active cyber risk management solutions. The module was developed to enable security professionals to test their organization’s vulnerability and susceptibility to attack via EternalBlue. As part of their research, the researchers created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. The purpose of this recording was to help educate other security professionals, and get feedback as they worked through the process. This kind of approach is fairly common in both the security researcher and open source contributor communities, where transparent collaboration enables individuals to pool their expertise and achieve greater results. It’s possible that data from this analysis was copied and rewritten by individuals with malicious intent; we cannot confirm if this is the case or not. Unfortunately, this is a risk that is taken whenever technical information and techniques are shared publicly. None-the-less, we believe the educational and collaborative benefits generally outweigh the risk. To our knowledge, no code from the Metasploit module was ever used in the WannaCry attacks, and once Krypt3ia’s blog pointed out the possibility that some of the information may have been used by the attackers, we removed the video from the Github repository to ensure no other bad actors would be able to do likewise to create variants of the malware.

Here’s a summary of context and the technical details:

–          On April 27th, JennaMagius created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. That recording was subsequently posted at The recording included an IP that was used as a lab target of the original exploits.

–          Recording the replay and playing it back works against freshly booted boxes because the Tree Connect AndX response will assign TreeID 2048 on the first few connections, after which it will move on to other tree IDs. This is the same for the user login request. The replay would then fail because the rest of the replay is using “2048” for the tree and user IDs, and the server has no idea what the client is talking about.

–          On April 30th, JennaMagius published a script that slightly enhanced that replay by substituting in the server provided TreeIDs and UserIDs. This code was subsequently posted at

–          Zerosum0x0x’s research supplemented these findings by outlining that __USERID__PLACEHOLDER__ and __TREEID__PLACEHOLDER__ strings were also present in the malware.

Replaying ANY recording of EternalBlue will produce the same result, so the attackers may have chosen to use that particular recording to throw investigators off track. It is important to note that to our knowledge no code from the Metasploit module was ever used in the WannaCry attacks.

To be successful, the attackers independently implemented sending the network traffic in C; constructed additional code to interact with DoublePulsar (which is a significantly harder undertaking than just replaying the recorded traffic), implemented the rest of their malware (maybe before or after), and then released it on the world.


Written by Krypt3ia

2017/05/16 at 18:23

Posted in Malware