@warewolf
warewolf / fvwm-stalone.conf
Created September 13, 2017 22:00
HALLELUJAH I win at stalonetray
*FvwmButtons: Geometry 48x24-0-0
*FvwmButtons: (Frame 0, Swallow (UseOld,Respawn,NoClose,NoKill) "stalonetray" 'Exec /usr/bin/stalonetray &')
Module FvwmButtons
[BEGIN] Notice pursuant to the Crimes Act 1958 (Vic) s21A(2ba)ii. I am the real Simon Smith, with proven credibility, qualifications, and testimony, and you have been flagged as making unlawful attacks and false accusations on my name and reputation. Those who don't know me, must desist from stalking me with hearsay unqualified evidence now. Offenders will be publically identified and sued for stalking along with a summons to twitter, guaranteed. Deal with your own insecurities, seek the truth. remove any fake account or unjustified comment about me within 48 hours, and cease making any new ones. I will exercise my rights to identify the public stalkers’ details, publish the content, send it to the police, make a stakeholder complaint to any employer or education board, and pass it to my lawyer. I will at minimum sue you for stalking, guaranteed. This is no threat, I have summoned 5 offenders so far. If you cross the line, you will receive 3 words indicating you have "crossed the line". If you think I'm joki
<iq from="+17038675309@voice.google.com/srvenc-LqN75k1Lw8QoaZR/xrQKgMekAw0idzcR" to="warewolfs.googleid@gmail.com/asteriskAC809D38" id="jingle:10.30.158.206-1172688898:1:50069535" type="set">
<ses:session type="initiate" id="SIPo89fk5j4_jkl5j2h_12387578432982340959" initiator="+17038675309@voice.google.com/srvenc-Lk5j43klqwejkfi/kjl5943asdfr5j5R" xmlns:ses="http://www.google.com/session">
<pho:description xmlns:pho="http://www.google.com/session/phone">
<pho:payload-type id="0" name="PCMU" clockrate="8000" />
<pho:payload-type id="101" name="telephone-event" />
</pho:description>
<transport behind-symmetric-nat="false" can-receive-from-symmetric-nat="false" xmlns="http://www.google.com/transport/raw-udp" />
<transport xmlns="http://www.google.com/transport/p2p" />
<nick:nick xmlns:nick="http://jabber.org/protocol/nick">My Fiancee</nick:nick>
</ses:session>
@warewolf
warewolf / domain.xml
Created July 17, 2017 18:18
domain xml for malware analysis under kvm/qemu
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
<sysinfo type='smbios'>
<bios>
<entry name='vendor'>LENOVO</entry>
</bios>
<system>
<entry name='manufacturer'>LENOVO</entry>
<entry name='product'>987654U</entry>
<entry name='version'>ThinkPad W540</entry>
<entry name='serial'>IHNJKV4</entry>
@warewolf
warewolf / diff.patch
Created July 5, 2017 04:04
registry diff of the same win7 VM booting 2x
--- /tmp/left-bA3uU/left-system-reg-l5GJd.tmp 2017-07-04 23:48:10.086963908 -0400
+++ /tmp/right-3nTJO/right-system-reg-ydUqH.tmp 2017-07-04 23:48:10.086963908 -0400
@@ -101,20 +101,20 @@
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\SqmData]
"AvgCountDiff"=dword:000001f6
"AvgFileCount"=dword:000001f6
-"CMFLastStartTime"=hex(b):05,ff,f9,48,41,04,ca,01
-"CMFStartTime"=hex(b):c0,b2,bb,72,d6,f4,d2,01
+"CMFLastStartTime"=hex(b):c0,b2,bb,72,d6,f4,d2,01
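Review bot: the changed values in this hunk under ControlSet001\Control\CMF\SqmData look like per-boot timestamp rotation rather than a meaningful registry change. The right side's "CMFLastStartTime" is c0,b2,bb,72,d6,f4,d2,01, which is exactly the left side's "CMFStartTime". When using this diff as a baseline for the analysis VM, filter these two hex(b) values out so they do not mask real changes. The hunk header declares 20 lines but the listing stops after the first added line, so the new "CMFStartTime" value and the rest of the hunk cannot be checked from here.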
@warewolf
warewolf / ifcfg-gremonitor0
Created July 1, 2017 22:13
Fedora/Red Hat Open vSwitch malware analysis segment "mirror" tunnel config
# set remote_ip below to your cuckoo VM's management IP
# set local_ip below to your VM server's management IP
TYPE="OVSTunnel"
OVS_TUNNEL_TYPE="gre"
OVS_BRIDGE="malwarebr0"
DEVICE="gremonitor0"
OVS_TUNNEL_OPTIONS="options:remote_ip=192.168.2.100 options:local_ip=192.168.2.70"
OVS_EXTRA="\
-- --id=@p get port gremonitor0 \
@warewolf
warewolf / core_debug_logs-different_call.txt
Last active February 28, 2017 05:20
Weird asterisk SRTP problem
[Feb 28 00:12:10] DEBUG[30298][C-0000000c] sdp_srtp.c: local_key64 W2rZR1yHSV+hefz2Haeu5L3F7U0nuW4OOtMgXRba len 40
[Feb 28 00:12:10] DEBUG[30298][C-0000000c] res_srtp.c: Adding new policy for SSRC 1571565691
[Feb 28 00:12:10] DEBUG[30298][C-0000000c] sdp_srtp.c: SRTP policy activated
[Feb 28 00:12:10] DEBUG[30298][C-0000000c] sdp_srtp.c: Crypto line: a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:W2rZR1yHSV+hefz2Haeu5L3F7U0nuW4OOtMgXRba
[Feb 28 00:12:10] DEBUG[30298][C-0000000c] chan_sip.c: Processing media-level (audio) SDP a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ODc0MjU5AABmZWU0ZWMzADJkNWRlMmRkNjA2NDhm... OK.
[Feb 28 00:12:10] DEBUG[30298][C-0000000c] chan_sip.c: Processing media-level (audio) SDP a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:NTRlM2Y2NmIzNDhhMmM5NTY4NzU3ZTQAMzYxNjNj... UNSUPPORTED OR FAILED.
[Feb 28 00:12:10] DEBUG[30298][C-0000000c] chan_sip.c: Processing media-level (audio) SDP a=crypto:3 F8_128_HMAC_SHA1_80 inline:MjUzYTdkYTY0ZTY0NGQ0YjJiMWUzMzM2NDVjYzEz... UNSUPPORTED OR FAILED.
[Feb 28 00:12:
@warewolf
warewolf / initrd.txt
Created September 24, 2016 05:52
foscam c1 initrd listing
491765 4 drwx--S--- 20 warewolf warewolf 4096 Sep 24 01:50 .
499825 4 drwxrwxrwx 2 warewolf warewolf 4096 Sep 24 01:50 ./sys
499866 4 drwxrwxrwx 2 warewolf warewolf 4096 Sep 24 01:50 ./home
499828 4 drwxrwxrwx 4 warewolf warewolf 4096 Sep 24 01:50 ./etc
420858 4 -rwxrwxrwx 1 warewolf warewolf 2478 Sep 24 01:50 ./etc/protocols
420860 4 -rwxrwxrwx 1 warewolf warewolf 3399 Sep 24 01:50 ./etc/inittab
420859 4 -rwxrwxrwx 1 warewolf warewolf 101 Sep 24 01:50 ./etc/mtab
420839 4 -rwxrwxrwx 1 warewolf warewolf 30 Sep 24 01:50 ./etc/fs-version
420857 16 -rwxrwxrwx 1 warewolf warewolf 15958 Sep 24 01:50 ./etc/services
420838 4 -rwxrwxrwx 1 warewolf warewolf 9 Sep 24 01:50 ./etc/group
@warewolf
warewolf / foscam_initrd_strings.txt
Created September 24, 2016 05:26
foscam initrd strings (I totally did not dump this correctly)
blar: 85898 echo "${GREEN}You are welcomed by FOSCAM R&D.${NORMAL}"
blar: 85956 070701000002E1000081FF000003E8000003E80000000153AABED00000003B000000030000000100000000000000000000000B00000000etc/passwd
blar: 86080 root:$1$uYfJBoag$N8ofdlVBVcfzOY7utbTfo0:0:0::/root:/bin/sh
blar: 86140 070701000002E2000081FF000003E8000003E8000000015330D62300000026000000030000000100000000000000000000000C00000000etc/passwd-
blar: 86264 root:ab8nBoH3mb8.g:0:0::/root:/bin/sh
blar: 86304 070701000002E3000041FF000003E8000003E80000000256680ABA00000000000000030000000100000000000000000000000B00000000etc/init.d
blar: 86428 070701000002E4000081FF000003E8000003E8000000015330D62300000087000000030000000100000000000000000000001300000000etc/init.d/S90init