⸻〔 eCrime Services 〕⸻
🔍🕸️https://archive.today/ecrime.ch
🔍♾️http://archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion/ecrime.ch
⸻〔 RANSOM DB 〕⸻
🔍🕸️https://archive.today/www.ransom-db.com
🔍♾️http://archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion/www.ransom-db.com
⸻〔 RANSOMWARE GROUP SITES (list) 〕⸻
| ip,port,time_scanned,arch,Beacon Type,Port,Polling,Jitter,Max DNS,C2 Server,User Agent,HTTP Method Path 2,Header 1,Header 2,Injection Process,Pipe Name,Year,Month,Day,DNS Idle,DNS Sleep,Method 1,Method 2,Spawn To,Proxy Hostname,Proxy Username,Proxy Password,Proxy Access Type,CreateRemoteThread,Watermark | |
| 185.20.186.108,443,1.62002E+12,x86,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,1359593325 | |
| 185.20.186.108,443,1.62002E+12,x64,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\sysnative\rundll32.exe,,,,,,1359593325 | |
| 213.202.211.246,80,1.62002E+12,x86,0 (HTTP),80,10000,5,,"213.202.211.246,/metro91/admin/1/ppptp.jpg",,/metro91/admin/1/secure.php,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,0 | |
| 213.202.211.246,80,1.62002E+12,x64,0 (HTTP),80,10000,5,,"213.202.211.246,/metr |
| /** | |
| * Example usage: | |
| * const hotspots = findAllDeep(element, `[slot*="hotspot"]`, 10); | |
| */ | |
| const findAllDeep = (parent, selectors, depth = null) => { | |
| let nodes = new Set(); | |
| let currentDepth = 1; | |
| const recordResult = (nodesArray) => { | |
| for (const node of nodesArray) { | |
| nodes.add(node) |
Recent variants of Ryuk have had their code cleaned up. They removed non-referenced strings that are relics from the HERMES source code days. One interesting part of the code clean-up is a new string decoder. The string decoder is the first MD5 brute forcer that I have observed in malware. It's an interesting technique because it is a computational attack that delays execution of Ryuk before the strings are decoded in memory. The decoding of strings happens in two phases. The first phase uses a hardcoded lookup table that is to decode API names. Once the API names are decrypted, they are dynamically imported and then used to recover the original string from an MD5 hash. After the original string is discovered, each byte of the string is hashed and then the hash is MD5ed, then the hexdigest contents are appended to a string. Each byte within the appended MD5 strings is used to create a second lookup table which is then used to decrypt strings.
Example Python code of the MD5 Brutef
The r2con CTF is the CTF for the r2con 2019 held during the weekend before the conference which consisted mainly of reversing challenges. I managed to solve all but one challenge (technicaly, at least...) and it was so much fun! I'd like to thank the organizers a lot for making the event happen :-)
There may be errors and inclompete sections. I tried to make a write-up for every challenge, just contact me if anything is unclear or missing!
Time to remember the best games ever!
| <Sysmon schemaversion="4.32"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <DnsLookup>False</DnsLookup> | |
| <ArchiveDirectory>Archive</ArchiveDirectory> | |
| <EventFiltering> | |
| <RuleGroup name="" groupRelation="or"> | |
| <!-- Event ID 1 == Process Creation. Log all newly created processes except --> | |
| <ProcessCreate onmatch="exclude"> | |
| <Image condition="contains">splunk</Image> |