Skip to content

Instantly share code, notes, and snippets.

View bontchev's full-sized avatar

Vesselin Bontchev bontchev

View GitHub Profile

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

@worawit
worawit / eternalblue8_exploit.py
Last active March 16, 2024 18:38
Eternalblue exploit for Windows 8/2012
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb, ntlm
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)

#petya #petrWrap #notPetya

Win32/Diskcoder.Petya.C

Ransomware attack.

About

This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners. We are grateful for the help of all those who sent us the data, links and information. Together we can make this world a better place!

Gist updates

@struppigel
struppigel / Petna.txt
Last active July 3, 2017 09:17
Petna / Eternalblue Petya
Petna / Eternalblue Petya
-------------------------
Hashes:
Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Hashes below via McAfee article: https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/
Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998
@marcan
marcan / smbloris.c
Last active November 22, 2022 08:32
SMBLoris attack proof of concept
/* SMBLoris attack proof-of-concept
*
* Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
*
* Licensed under the terms of the 2-clause BSD license.
*
* This is a proof of concept of a publicly disclosed vulnerability.
* Please do not go around randomly DoSing people with it.
*
* Tips: do not use your local IP as source, or if you do, use iptables to block
@hannob
hannob / infineon-roca.md
Last active October 25, 2020 15:55
Affected Products and Keys by Infineon RSA vulnerability
/*
* This tool will decrypt files encrypted by the Magniber ransomware with
* AES128 ( CBC mode ) algorithm.
*
* RE and report by MalwareBytes ( @hasherezade )
*
* https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/
*
* Decryptor written by Simone 'evilsocket' Margaritelli
*
@wdormann
wdormann / disable_ddeauto.reg
Last active May 8, 2024 07:50
Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000001
@roycewilliams
roycewilliams / badrabbit-info.txt
Last active June 17, 2022 11:18
badrabbit-info.txt
Rough summary of developing BadRabbit info
------------------------------------------
BadRabbit is locally-self-propagating ransomware (ransom: 0.05 BTC), spreading via SMB once inside.
Requires user interaction.
Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
Not globally self-propagating, but could be inflicted on selected targets on purpose.
May be part of same group targeting Ukraine generally (BACKSWING) (per FireEye)
Confirmed to use ETERNALROMANCE exploit, and same source code and build chain as NotPetya (per Talos)
Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).
def decodeScrapeshieldEmail(s):
retval = ""
key = int(s[:2], 16)
for char in [int(s[i:i+2], 16) for i in range(2, len(s), 2)]:
retval += chr(char ^ key)
return retval
#return "".join([chr(c^int(s[:2],2))for c in [int(s[i:i+2],16)for i in range(2,len(s),2))]])