Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

View redmouth's full-sized avatar

Muller redmouth

4 followers · 3 following
  • Shanghai
View GitHub Profile
@redmouth
redmouth / gist:2591659c917c0728809e939d0d6a4f1c
Created September 27, 2017 14:07
0x3729f56fa5954cE497C97Fa7b3e2906f17D25f3e
@redmouth
redmouth / gist:17c1c551e4aa7deeaf6441faa316e8cc
Created September 27, 2017 11:51
0xcf6318487971cd2fb91ae75df839ba9d6a33332c
@redmouth
redmouth / gist:10374a256daa0dc71ccd57232d81e9db
Created September 27, 2017 10:07
9f3bdf37f348fb82fdd4cbcffc126c9282ef319a
@redmouth
redmouth / account
Last active September 27, 2017 10:04
9f3bdf37f348fb82fdd4cbcffc126c9282ef319a
@redmouth
redmouth / gist:e41774fe0da6a679c51a5de9f9ed202d
Created September 27, 2017 09:50
coinbase
9f3bdf37f348fb82fdd4cbcffc126c9282ef319a
@redmouth
redmouth / Wannacrypt0r-FACTSHEET.md
Created May 13, 2017 13:21 — forked from 0x43f/Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. UPDATE: There is apparently a sample out there now which does not include the killswitch via @JR0driguezB

SECURITY BULLETIN AND UPDATES HERE: https://technet.

@redmouth
redmouth / Wannacrypt0r-FACTSHEET.md
Created May 13, 2017 12:52 — forked from Epivalent/Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Malware samples

@redmouth
redmouth / Wannacrypt0r-FACTSHEET.md
Created May 13, 2017 12:51 — forked from rain-1/Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx