WannaCry or WannCrypt or WannaCrypt.RSM (high risk alert)

Ransom: Of course it means (in the dictionary of cambridge) — a large amount of money that is demanded in exchange for someone who has been taken prisoner, or sometimes for an animal: plus, nowadays, Yes! for an important data. When it comes for a vital data/information and it was modified to be known as ransomware.



This time we wanna discuss a high risk alert ransomware called WannaCry! According to SonicWall Security Center’s research in mid-April they have noticed the ransomware and published protections and now the ransomware was updated to WannaCrypt version 2 and the UI looks like as the image we’ve featured to this post and they public some symptoms that you will face when you have got the attack on your system. Then we’d like to share these with you to make you aware of the ransomware.

A ransomware will be causing denial of access your vital information. Be aware of this.


SonicWall Security Center Alert the followings

WannaCrypt.RSM is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user’s computer in malicious ways. Trojans do not replicate or spread to other computers.

File Related Changes:
It drops the following file(s) on the system:

  • “C:\Documents and Settings\Default User\Start Menu\Programs\Startup\SDEF.tmp”
  • “C:\WINDOWS\Temp\!WannaDecryptor!.exe”
  • “C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SDCE.tmp”
  • “C:\WINDOWS\Temp\112881393834640_.bat”
  • “C:\Documents and Settings\Admin\Start Menu\Programs\Startup\SD8D.tmp”

It modifies the following additional file(s) on the system:

  • “C:\WINDOWS\system32\wbem\Logs\WMIC.LOG”

Process Related Changes:
It creates the following mutex(es):

  • ZonesCacheCounterMutex”
  • ZonesLockedCacheCounterMutex”
  • c:!documents and settings!admin!local settings!history!history.ie5!”
  • CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003″
  • CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003″
  • CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003″
  • c:!documents and settings!admin!local settings!temporary internet files!content.ie5!”
  • ZoneAttributeCacheCounterMutex”
  • WininetConnectionMutex”
  • CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003″
  • CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003″
  • ZonesCounterMutex”
  • CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003″
  • c:!documents and settings!admin!cookies!”

It creates the following process(es):

  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im Microsoft.Exchange. ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe ]
  • C:\WINDOWS\Temp\b9b3965d1b218c63cd317ac33edcb942.exe [ \c:\windows\temp\b9b3965d1b218c63cd317ac33edcb942.exe ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im MSExchange ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe v ]
  • C:\WINDOWS\system32\cmd.exe [ cmd.exe /c start /b !WannaDecryptor!.exe v ]
  • C:\WINDOWS\system32\cmd.exe [ cmd.exe /c vssadmin delete shadows /all /quiet wmic shadowcopy delete bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit /set {default} recoveryenabled no wbadmin delete catalog -quiet ]
  • C:\WINDOWS\system32\wbem\wmic.exe [ wmic shadowcopy delete ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe c ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im sqlserver.exe ]
  • C:\WINDOWS\system32\cmd.exe [ cmd /c 112881393834640.bat ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im sqlwriter.exe ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe f ]

Network Activity:
We observed the following DNS query/queries:

  • dist.torproject.org
  • www.dropbox.com
  • www.download.windowsupdate.com

It attempts to connect to the following remote servers:

  • 127.xxxxxx:1031
  • 127.xxxxxx:1037


As of May 12th 2017 we have observed a new variant of the WannaCrypt Ransomware. It has been reported that version 2 of this ransomware has been deployed by its operators on a large international scale. It has wreaked havoc among UK’s National Health Service by hitting at least 15 hospitals across the nation causing denial of access to vital patient information. Other attacks include Spanish telecommunications companies such as Vodafone and Telefonica.


School For Hackers


For You!



Hacking for a digital marketer

This entry is part 4 of 7 in the series [ Hacker Night School ]

What is Digital Marketing

In this digital world almost everything is steadily replaced by the term of digital. An umbrella terms was created for the term marketing as well. Marketing itself is a technique which is to change the concepts of people and makes them to be wanting to buy the marketed products or services. And of course everywhere a demand and supply is occurred can supposed as a market place even on a rope which conveys purchase orders, cash and the products or services.

Digital Marketing is a technique as well but it occurs by using digital technologies, mainly on the internet also including mobile phones (of course the annoying calls form the service providers), display advertising, sharing the freeware or free to use product or trials (of course; if you don’t have to pay, you are a product) and any other digital methods.

Advancing technology of Digital Marketing techniques are such as search engine optimization (SEO), search engine marketing (SEM), content marketing, influencer marketing, content automation, campaign marketing, data-driven marketing[ and e-commerce marketing, social media marketing, social media optimization, e-mail direct marketing, display advertising, e–books, and optical disks and games are becoming more common in our advancing technology. In fact, digital marketing now extends to non-Internet channels that provide digital media, such as mobile phones (SMS and MMS), callback, and on-hold mobile ring tones.
Who will be your 1st priority?

Of course you know the technique, you have a product to market but an interesting question is “Who will be the right person to be marketed effectively and what his/her current hard time is?” We should consider it rather than what kind of digital marketing is going to be performed. In this topic the most effective way to answer the interesting question is to collect intelligence from publicly available sources otherwise OSINT (Open-Source Intelligence) before you do a digital marketing.

What is and Why OSINT?

Open-Source Intelligence gathering is intelligence collected from publicly available sources (as opposed to covert or clandestine sources) in brief and completely meaning.

Because it can help you to gather a mess of useful information and it’s the very first step to full scope of real world marketing plan. And it simulates real world connections, and can get comprehensive information of a company, its employees or your competitors and his/her employee and so on. With the knowledge of your competitors’ or your target’s information, you own the market no matter SEO or SEM.

Even though there are many tools out there helping to perform OSINT, here is a link to start Meltego. And become a Hacker Inside Digital Marketer .

Written By,

Starry Sky

Raspberry Pi Fedora 24 Security Spin OS Images for Raspberry Pi

It has been a very interesting week, wrestling with uploading Raspberry Pi OS images and trying to tame the bugs in Fedora 25 for Pi. But we’ve got downloadable images here!

To keep the numbers manageable, I’ve set this up so that you can sign up as a student here (use the Register link above), then you’ll get access to the link and instructions.

Our School for Hackers Linux running Fedora 24 with the Security Spin (or Security Lab), on the other hand, is stable and highly useful for teaching security testing. I started using the FSS quite a while back rather than turning students loose with the bazooka that is Kali, and at this point I’m building my lessons for use on School for Hackers Linux.

Let me say for the record that at the moment, Fedora 25 for Pi is “beta” in the strictest sense: It will boot. Almost everything else takes manual bashing as root, from networking to shutting down. I made it run, and got it stable, but I can’t in good conscience turn this OS image loose in the wild. People could get killed.

Compressed, the S4H Linux F24 images are 3.7GB and 4.6GB, but that still makes for some ugly uploading from my end. Downloading, on the other hand, might be slick.Comment here on your experience: downloading it, imaging it, and using it. Let’s make this a sweet cyber security teaching OS. Thanks –

Devices You Should Never Build, Oh No

Glenn Norman

From Hackaday comes this interesting article about the Internet of Things, which will inevitably lead to a few terrible ideas, what they call the “Internet of Wrongs.” What would you think of a device that sends out Wake On Lan packets to every device on your network? Or how about a little “de-auth” box that kicks everyone off the local WiFi?

Well, these things would be very bad ideas. In the US, the FCC would swoop down on you in black helicopters. But wait, there’s more: read the comments on this page to find links to a couple of wonderful “make everyone reboot” tools. I’m sure that wouldn’t be annoying at all, though it would certainly be a minor felony – so don’t do it.

What you should do, however, is think about how some devices intended to be useful might in fact do some pretty terrible things:

The Terrible Devices Of The Internet Of Wrongs

Seriously! A rig to connect to WiFi over two miles away –

Image: Benjamin Caudill

What a sweet Raspberry Pi project: connect to a wifi network up to about 2.5 miles away using this slick wireless relay you could hide in a library book.

Proxyham is made of a Raspberry Pi computer with a Wi-Fi card, connected to three antennas, a Wi-Fi one that connects to the internet at a public space (think Starbucks or a public library) and a dual antenna that transmits at 900MHz, this is used to communicate and beam data back and forth with the user, who can be as far as 2.5 miles from the device, according to Caudill.

The real trick is that there’s no real reason (beyond accumulating latency) that this kind of relay can’t be repeated over and over. The hacker mind boggles.

Tech and Gamer Gear Galore: Massdrop

Daniel Clarke

Massdrop (www.massdrop.com) is a group-buy website located out of New Jersey where people commit to buying a product. Once enough people commit to buying the product, the price begins to drop. After the drop has ended, Massdrop will place an order with the manufacturer. Massdrop has several different “communities” that it uses to list like products in the same area. A few of these communities include: Everyday Carry for knives and useful tools that you can keep in your pocket, Audiophile to suit your listening needs, and Tech for gadgets like a Raspberry Pi or other devices. Those are just a few of the (currently) 13 communities that Massdrop has to offer.

As an example, we’ll look at the DXRacer OH/IS11 Iron Series Chair. The drop can be located at https://www.massdrop.com/buy/dxracer-oh-is11-iron-series-chair. You’ll need to authenticate with Facebook or create an account using an email address; we suggest anonymizing services like Mailinator.com.

Each product has different requirements for the total number of people needed in order to get the discounted price. When the chair first “dropped” or came available for purchase, it was listed for $399.99. As more people purchase the chair, the price drops by $10 with every five people until it reaches the lowest price available of $369.99.

Stages of a Drop
Gamer chairs!

If you are interested in the product but only want it if it reaches the maximum discount, you can commit to buy the product at the lowest price. IMAGE (Commit) To compare the requirements for purchase, we will look at some GMK QMX-Clip Sound Dampening Brackets (located at https://www.massdrop.com/buy/gmk-sound-dampening-brackets).

Stages of a Drop: 2
Stages of a Drop: 2

These brackets are used to dampen the sound coming from a mechanical keyboard and are much cheaper than the chair. In order for it to be cost effective for both Massdrop and GMK, more people need to purchase the clips in order to justify a group-buy discount. In this case, at least 50 people are needed to get a discount with 100 people needed to reach the maximum discount.

Now, before you rush onto the site and place a bunch of orders, there are a few issues to understand about Massdrop.

One major complaint is the amount of time that it takes to receive a package. For example, I ordered a wicked set of keycaps on September 30,2015 (https://www.massdrop.com/buy/danger-zone-sa-keycap-set). The keycaps (I know, they’re badass huh?) didn’t arrive until February 17, 2016. Four and a half months is almost unheard of to wait for a product to reach you, especially when Amazon Prime will ship me something in 2 days. One reason is that it was a custom set of keycaps that was made specifically for those who purchased it from Massdrop. The other reason is that your order doesn’t drop ship directly to your door. The manufacturer sends the entire order to Massdrop who then sorts the order and ships it to the customer. I have since purchased other products from Massdrop and both of those orders took about three weeks.

Another major complaint that I have seen, especially recently, is that for products that are not custom made (think knives, chairs, headphones, etc.) it is possible to find the exact same or very similar product for the same price (give or take $5-10) on a major online retailer like Amazon or eBay. In that case, is it worth a few dollars extra to have your product within a week, or are you ok waiting significantly longer to receive it from Massdrop?

Nevertheless, I have used and will continue to use Massdrop.com and watch for new drops that happen daily. If I feel that it is a good deal, I will do my research to make sure that I cannot find the same product for cheaper elsewhere, and if I can’t, I will buy from Massdrop. As a price-conscious consumer, it would be unwise to do differently. As a techie, how can I help myself?

[Daniel Clark is an up-and-coming IT and security consultant in Albuquerque, NM, USA. This is his first contribution to School for Hackers, with more articles on technology and related goodies to come.]

Fedora 23 Security Lab card for Raspberry Pi 2

$29.95, shipping in the US $6.45


Note: Shipping rate is valid only in the USA. Contact us for overseas shipping rates.

The choices of OS for Raspberry Pies haven’t been many, especially since the fading of the Pidora distribution. Raspbian has stayed the top choice, among some smaller players, as well as the Debian-based Kali ARM distro.

Kali is a great tool, but learning the basics of security testing with Kali is like going to the shooting range with a bazooka. If you’re not aware of the many (many) interactions, dependencies and moving parts, it can be dangerous.

The people at Fedora both produce an up-to-the-minute ARM kernel for Pi and other ARM computers, and they also sponsor “spins,” which are specially-configured versions of Fedora for a large number of uses – including security testing. You can find some basic information at https://labs.fedoraproject.org/de/security/.

We’ve taken the trouble out of setting up the boot scripts, installing Fedora 23, setting up the Security Lab, VNC Server so you can use VNC remote desktop access, the sshd so you can SSH in immediately, and much more. The 8GB Class 10 card has room for your files and is the highest speed category.

This OS and card are for the Raspberry Pi 2.