Skip to content

Instantly share code, notes, and snippets.


Vesselin Bontchev bontchev

View GitHub Profile

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

worawit /
Last active Oct 3, 2021
Eternalblue exploit for Windows 8/2012
# This file has no update anymore. Please see
from impacket import smb, ntlm
from struct import pack
import sys
import socket
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)

#petya #petrWrap #notPetya


Ransomware attack.


This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners. We are grateful for the help of all those who sent us the data, links and information. Together we can make this world a better place!

Gist updates

katjahahn / Petna.txt
Last active Jul 3, 2017
Petna / Eternalblue Petya
View Petna.txt
Petna / Eternalblue Petya
Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Hashes below via McAfee article:
Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998
marcan / smbloris.c
Last active Dec 14, 2021
SMBLoris attack proof of concept
View smbloris.c
/* SMBLoris attack proof-of-concept
* Copyright 2017 Hector Martin "marcan" <>
* Licensed under the terms of the 2-clause BSD license.
* This is a proof of concept of a publicly disclosed vulnerability.
* Please do not go around randomly DoSing people with it.
* Tips: do not use your local IP as source, or if you do, use iptables to block
hannob /
Last active Oct 25, 2020
Affected Products and Keys by Infineon RSA vulnerability
View magniber_decryptor.cpp
* This tool will decrypt files encrypted by the Magniber ransomware with
* AES128 ( CBC mode ) algorithm.
* RE and report by MalwareBytes ( @hasherezade )
* Decryptor written by Simone 'evilsocket' Margaritelli
wdormann / disable_ddeauto.reg
Last active Mar 26, 2021
Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
View disable_ddeauto.reg
Windows Registry Editor Version 5.00
View badrabbit-info.txt
Rough summary of developing BadRabbit info
BadRabbit is locally-self-propagating ransomware (ransom: 0.05 BTC), spreading via SMB once inside.
Requires user interaction.
Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
Not globally self-propagating, but could be inflicted on selected targets on purpose.
May be part of same group targeting Ukraine generally (BACKSWING) (per FireEye)
Confirmed to use ETERNALROMANCE exploit, and same source code and build chain as NotPetya (per Talos)
Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).
def decodeScrapeshieldEmail(s):
retval = ""
key = int(s[:2], 16)
for char in [int(s[i:i+2], 16) for i in range(2, len(s), 2)]:
retval += chr(char ^ key)
return retval
#return "".join([chr(c^int(s[:2],2))for c in [int(s[i:i+2],16)for i in range(2,len(s),2))]])