Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Turnip’ Category

Trump Personal Emails for Government Business: How Many Sites Do They Have?

The recent story about Javanka’s personal email server that they had used for government business made me ponder when it had been created and just how many others the Trumps may have out there. So after looking at the pastebin listing all their domains I noticed a couple of things. The first thing I noticed, after doing a WHOIS on the domain in question, was that it is a recent acquisition: the domain was created on 12/31/16, which makes it pretty new as their domains go. Secondly, this domain is not attached to the over one thousand domains owned by Trump, which kinda made me go “hmmmmm that there looks like obfuscation” and made my Spidey sense tingle.

Ivanka and Jared’s Server: IJKFAMILY.COM

Domain Name: IJKFAMILY.COM
Registry Domain ID: 2086283293_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-03-06T06:55:27Z
Creation Date: 2016-12-31T01:33:34Z
Registry Expiry Date: 2017-12-31T01:33:34Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com

Take note that all of the other domains (see link above) are affiliated with the Trump name, but this one (IJKFAMILY.COM) was under the radar, so to speak, since it is not overtly Trumpian in its naming scheme. So my first question became “Did they set this up for this sole purpose? Or was it just a domain they had in the wings for something else and decided to spin up port 25 and SMTP on?” I am not sure about either reason behind the creation of this particular domain, but it did start the wheels of my mind turning toward the question: out of all the Trump domains out there, how many could support an easy means of email under the radar for Donny and his brood? Well, the real answer here is that there are over one thousand possible domains that could immediately be set up to send email. However, upon looking into all those domains, there are only 25 presently that have the ports open for email and are running the services to allow for emails to be sent via them. Some of those systems have the ports filtered but many others do not, and interestingly some of these also have secure protocols in place for email using encryption, which is very interesting indeed…

25 Instances on 8 Domains SMTP/POP/IMAP Already Running:

chicagotrumplimo.com
estatesattrumpnational.com
realdonaldtrump.info
theestatesattrumpnational.com
tirpromotions.com
trumpgolfscoring.com
trumppuntadeleste.com
votefordonaldtrump.com
trumpublican.org
200riversideboulevard.com
220rb.com
240rb.com
502parkavenue.com
721fifth.com
trumpparceast.com
trumpworldtower.com
votefordonaldtrump.com
chicagotrumplimo.com
estatesattrumpnational.com
realdonaldtrump.info
theestatesattrumpnational.com
tirpromotions.com
trumpgolfscoring.com
trumppuntadeleste.com
trumpwaikiki.com

So, all of these domains should be on the radar of the investigators out there in the Senate, House, FBI, IC etc., and I would hope that is the case. If I were those investigatory bodies I would be asking for some records from those domains, ya know, just to see if there were some emails going out concerning government business like Javanka’s little mishap recently. It is utterly fatuous that these people, who made a feast of Hillary’s email server, are using private domains and emails to bypass the national record, and doing it so flagrantly. Many of the servers also have some interesting ports open, but I digress. Suffice to say that these people have patterns of behaviour, so I would not be surprised if more turned up on other domains, or if they have even started new domains under the radar like Javanka’s there to hide the emails.

Now, on another note, I noticed something else as I was doing this little investigation. I noted a few domains that involved Russia and the Baltics. Once I did the WHOIS on them I also noted that they all were created around the same time in 2008. I have yet to really look into the timeline around 2008 for Trump but I have to ask just what was happening then that he thought to buy these domains? Were these domains bought after a possible deal had been struck or in hopes that talks would work out? I mean, if that is the case how could Trump make that claim that he had no business with Russia?

Well, yeah I know he lies like a bad toupee but really…

Domain Name: TRUMPRUSSIA.COM
Registry Domain ID: 1508991998_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-06-28T20:25:15Z
Creation Date: 2008-07-17T20:24:29Z
Registry Expiry Date: 2018-07-01T03:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS49.DOMAINCONTROL.COM
Name Server: NS50.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-10-09T13:04:03Z <<<

Domain Name: TRUMPUKRAINE.COM
Registry Domain ID: 1508992006_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-06-28T20:26:04Z
Creation Date: 2008-07-17T20:24:29Z
Registry Expiry Date: 2018-07-01T03:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS49.DOMAINCONTROL.COM
Name Server: NS50.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-10-09T13:26:27Z <<<

Domain Name: TRUMPBAKIAZERBAIJAN.COM
Registry Domain ID: 1679227892_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-06-28T20:27:01Z
Creation Date: 2011-09-27T14:00:19Z
Registry Expiry Date: 2018-06-30T11:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS49.DOMAINCONTROL.COM
Name Server: NS50.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-10-09T16:52:03Z <<<

So what made them buy all but one of these domains on July 17th 2008 I wonder? Now, one might then want to look into say Felix Sater’s domains that he might own on the internet as well right? After all Felix was the point man on all these deals with Russia that seem to keep bubbling back up. Not that I would go and do some digging like that…
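The same-day registration pattern above is easy to pull out of raw whois output automatically. The script below is an added example, not part of the original post: it parses concatenated registry records of the "Key: Value" form shown above, groups the domains by creation day, and computes each registration's age as of the registry's own query timestamp. The sample input is constructed from the records quoted in this post, trimmed to the fields the script needs.

```python
import re
from datetime import datetime

# Constructed sample: four WHOIS records quoted in the post, cut to the fields used here.
SAMPLE_WHOIS = """\
Domain Name: IJKFAMILY.COM
Creation Date: 2016-12-31T01:33:34Z
>>> Last update of whois database: 2017-10-09T13:04:03Z <<<
Domain Name: TRUMPRUSSIA.COM
Creation Date: 2008-07-17T20:24:29Z
>>> Last update of whois database: 2017-10-09T13:04:03Z <<<
Domain Name: TRUMPUKRAINE.COM
Creation Date: 2008-07-17T20:24:29Z
>>> Last update of whois database: 2017-10-09T13:26:27Z <<<
Domain Name: TRUMPBAKIAZERBAIJAN.COM
Creation Date: 2011-09-27T14:00:19Z
>>> Last update of whois database: 2017-10-09T16:52:03Z <<<
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$")
RECORD_END = ">>> Last update of whois database:"
WHOIS_TS = "%Y-%m-%dT%H:%M:%SZ"

def parse_whois_records(text):
    """One dict per domain. The '>>> Last update ... <<<' trailer closes a record
    (its timestamp is kept as 'Last Update'); repeated keys accumulate in lists."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith(RECORD_END):
            current["Last Update"] = [line[len(RECORD_END):].strip(" <>")]
            records.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current.setdefault(m.group(1), []).append(m.group(2))
    return records + ([current] if current else [])  # keep output cut off before its trailer

def cluster_by_creation_date(records):
    """Group domain names by registration day so same-day batches stand out."""
    clusters = {}
    for rec in records:
        day = datetime.strptime(rec["Creation Date"][0], WHOIS_TS).date()
        clusters.setdefault(day.isoformat(), []).append(rec["Domain Name"][0])
    return clusters

def domain_age_days(record):
    created = datetime.strptime(record["Creation Date"][0], WHOIS_TS)
    return (datetime.strptime(record["Last Update"][0], WHOIS_TS) - created).days
```

Feeding it the full records from the post yields one cluster of two domains on 2008-07-17 and shows IJKFAMILY.COM as well under a year old at query time.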

Right?

Maybe next post…

Oh well, there’s a data dump for you all. Interesting stuff no?

Dr. K.

Written by Krypt3ia

2017/10/09 at 16:57

Posted in Turnip

Trump Hotels Dot Com: Malware C2 In 2014

Credit CNN

TURNIP HACKED!

Remember when the news media was told by Brian Krebs that Turnip’s hotels had been hacked and their credit card data had been stolen? Well, there is more to the very little story that made the press after Krebs dropped a dime on them. In looking around ThreatCrowd today I decided to take a look at the Turnip brand and, well, they have over three thousand domains, but a couple jumped out on the searches due to there being connections in some malware back in April of 2014. This coincides with the hack time frame according to the stories I have seen, including the one by CNN above, where not much is said by Trump, the FBI or the USSS because they were looking into it and Turnip was a candidate for president. Given that no one has really said anything about this hack post Krebs, I have to wonder just how deep these guys got in and what actor group it may have been. If it was straight up carding, was it Rescator? Some other Eastern Bloc group? If it was Russian then, well, you know how they like to dual use these hacks right?

Well, the malware in this case was programmed to attempt to connect with the hotel psmtp server as well as the main domain. This means that they were compromised enough to be used as a C2, or perhaps it was just garbage traffic, as has been seen in the past with some malware creators. The real kicker is that this malware was doing its thing in the same time frame that the hack was alleged to have happened, so I have to think that the case here is that they did in fact use them as a C2 as well, or another actor did, piggybacking on the other hacking going on.

Maybe Turnip’s security just sucked? Oh well, as you can see from the maps below they were pretty busy. The best thing for me though was the name of the file that the malware was propagating by.

(scroll down but don’t be drinking anything hot FAIR WARNING)

Maltego of psmtp server at Turnip Hotels

Trumphotels.com Domain ThreatCrowd

Trumphotels.com.s9a1.psmtp.com ThreatCrowd

Money shot of the malware that has trumphotels in the C2 list

Oh, and Turnip loves him Godaddy, the Mos Eisley of domain registries and server farms.

The Malware:

So that malware that had the Turnip hotel as a C2? Yeah, it was in the guise of a file called SHEMALE_MOVIE_83.MPEG.EXE I shit you not! So GoldShower’s systems were being used to pimp malware that went under the name of SHEMALE_MOVIE_83.MPEG.EXE

BAAAAAAAAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAAH!

SHEMALE_MOVIE_83.MPEG.EXE

I do love the schadenfreude here. Evidently it was a trojan that harvested creds, listened to all traffic, and manipulated the SMTP on the system as well. I have to wonder who at Turnip Hotels may have gotten an email with this file and clicked on it. I also have to wonder if they were actually mailing this shit out from Turnip central, as they had connections to the PSMTP server as well. Say, any of you get any dirty email from Turnip back in 2014 or 2015?

As I write I have this grin on my face…

Enjoy the schadenfreude kids!

K.

IOCs

https://www.threatcrowd.org/searchTwo.php?data=trump

https://www.threatcrowd.org/domain.php?domain=trumphotels.com.s9a1.psmtp.com

https://www.threatcrowd.org/malware.php?md5=833009a54c295a72ad64ab0941f482fe

https://virustotal.com/en/file/e11f563e084bf435ba59ab74bf13aba88f382fa1cadc6186ddca2b63209c9b3b/analysis/

https://malwr.com/analysis/YTY4NTM5YWY5NDNjNDAwYjkyNWNmMjQwM2RmMjAwYTE/

4/25/2014

https://www.threatcrowd.org/listMalware.php?antivirus=BackDoor.SlymENT.1498

https://www.threatcrowd.org/ip.php?ip=202.71.129.187

https://www.threatcrowd.org/domain.php?domain=email.cz

https://www.threatcrowd.org/ip.php?ip=72.29.227.205

https://www.threatcrowd.org/domain.php?domain=trumphotels.com

Written by Krypt3ia

2017/04/06 at 19:12