Tuesday, July 19, 2016

Look What We Found in Mr Robot S02E01

At the end of S02E01 of Mr Robot, there is a scene where Darlene generates a ransomware payload with a modified Social-Engineer Toolkit (SET). My fingers were itching for the IP address 192.251.68.254, which seems to be the C2 address for this malware. Not surprisingly, WHOIS resolved it to NBC-UNIVERSAL. Let's see how deep this rabbit hole goes.



The last page, http://i239.bxjyb2jvda.net, displays a message saying "YOUR PERSONAL FILES ARE ENCRYPTED". You may wait 24 hours, or just check the JavaScript controlling the countdown timer, where you will find a base64-encoded string:
PGRpdiBjbGFzcz0ib3ZlciI+PGRpdj4iSSBzaW5jZXJlbHkgYmVsaWV2ZSB0aGF0IGJhbmtpbmcgZXN0YWJsaXNobWVudHMgYXJlIG1vcmUgZGFuZ2Vyb3VzIHRoYW4gc3RhbmRpbmcgYXJtaWVzLCBhbmQgdGhhdCB0aGUgcHJpbmNpcGxlIG9mIHNwZW5kaW5nIG1vbmV5IHRvIGJlIHBhaWQgYnkgcG9zdGVyaXR5LCB1bmRlciB0aGUgbmFtZSBvZiBmdW5kaW5nLCBpcyBidXQgc3dpbmRsaW5nIGZ1dHVyaXR5IG9uIGEgbGFyZ2Ugc2NhbGUuIjwvZGl2PjxkaXYgY2xhc3M9ImF1dGhvciI+LSBUaG9tYXMgSmVmZmVyc29uPC9zcGFuPjwvZGl2PjwvZGl2Pg==
This decodes to a small HTML fragment (a div of class "over" holding the quote, plus a div of class "author") whose text reads:
I sincerely believe that banking establishments are more dangerous than standing armies, and that the principle of spending money to be paid by posterity, under the name of funding, is but swindling futurity on a large scale.
– Thomas Jefferson
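Here is the "check the JavaScript" step done with the Python standard library, as an added example (not the post's own tooling): scan a script for long base64-looking literals, strictly decode each one, and pull the readable text out of whatever HTML comes back. The script text in TIMER_JS is constructed to stand in for the countdown code; only the blob embedded in it is the real string quoted above.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from typing import List

# The base64 string found in the countdown script, exactly as quoted in the post.
BLOB = (
    "PGRpdiBjbGFzcz0ib3ZlciI+PGRpdj4iSSBzaW5jZXJlbHkgYmVsaWV2ZSB0aGF0"
    "IGJhbmtpbmcgZXN0YWJsaXNobWVudHMgYXJlIG1vcmUgZGFuZ2Vyb3VzIHRoYW4g"
    "c3RhbmRpbmcgYXJtaWVzLCBhbmQgdGhhdCB0aGUgcHJpbmNpcGxlIG9mIHNwZW5k"
    "aW5nIG1vbmV5IHRvIGJlIHBhaWQgYnkgcG9zdGVyaXR5LCB1bmRlciB0aGUgbmFt"
    "ZSBvZiBmdW5kaW5nLCBpcyBidXQgc3dpbmRsaW5nIGZ1dHVyaXR5IG9uIGEgbGFy"
    "Z2Ugc2NhbGUuIjwvZGl2PjxkaXYgY2xhc3M9ImF1dGhvciI+LSBUaG9tYXMgSmVm"
    "ZmVyc29uPC9zcGFuPjwvZGl2PjwvZGl2Pg=="
)

# Constructed stand-in for the countdown script (not the ransom page's real timer
# code); the only real thing in it is the blob above.
TIMER_JS = """
var deadline = Date.now() + 24 * 60 * 60 * 1000;
var payload = "%s";
setInterval(function () {
  if (Date.now() >= deadline) { document.body.innerHTML = atob(payload); }
}, 1000);
""" % BLOB

# 40+ base64-alphabet characters plus optional padding; short tokens are ignored.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_base64_literals(source: str) -> List[bytes]:
    """Decode every base64-looking run in `source`. The regex also catches long
    hex digests and minified identifiers, so each hit must be a whole number of
    4-char groups and pass strict decoding; whatever survives still needs a look."""
    hits: List[bytes] = []
    for m in B64_LITERAL.finditer(source):
        s = m.group()
        if len(s) % 4:
            continue
        try:
            hits.append(base64.b64decode(s, validate=True))
        except binascii.Error:
            continue
    return hits


def decode_blob(b64: str) -> str:
    """Strict decode of one literal to text."""
    return base64.b64decode(b64, validate=True).decode("utf-8")


class _TextCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.chunks: List[str] = []

    def handle_data(self, data: str) -> None:
        if data.strip():
            self.chunks.append(data.strip())


def html_text(fragment: str) -> List[str]:
    """Text nodes of an HTML fragment in document order. html.parser tolerates the
    stray </span> this blob contains, which a strict XML parser would reject."""
    p = _TextCollector()
    p.feed(fragment)
    p.close()
    return p.chunks


def hidden_messages(source: str) -> List[List[str]]:
    """Readable text of every decodable base64 literal found in a script."""
    return [html_text(b.decode("utf-8", errors="replace"))
            for b in find_base64_literals(source)]


if __name__ == "__main__":
    for msg in hidden_messages(TIMER_JS):
        print("\n".join(msg))
```

Run it against a saved copy of the real script (read the file into `hidden_messages`) rather than the constructed TIMER_JS; the strict decode is what keeps hashes and long identifiers out of the output.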
Edit:
By inspecting the SSL certificate for this web server, I discovered plenty of other Mr Robot related domains in its Subject Alternative Name field:
DNS Name=www.racksure.com
DNS Name=racksure.com
DNS Name=*.serverfarm.evil-corp-usa.com
DNS Name=www.e-corp-usa.com
DNS Name=iammrrobot.com
DNS Name=www.conficturaindustries.com
DNS Name=www.iammrrobot.com
DNS Name=*.seeso.com
DNS Name=*.evil-corp-usa.com
DNS Name=e-corp-usa.com
DNS Name=*.bxjyb2jvda.net
DNS Name=whoismrrobot.com
DNS Name=seeso.com
DNS Name=fsoc.sh
DNS Name=www.fsoc.sh
DNS Name=conficturaindustries.com
DNS Name=whereismrrobot.com
DNS Name=www.whoismrrobot.com
DNS Name=www.whereismrrobot.com
DNS Name=evil-corp-usa.com
DNS Name=www.seeso.com
At the beginning of S02E01 you will notice Elliot logs in to bkuw300ps345672-cs30.serverfarm.evil-corp-usa.com over SSH, which falls under the *.serverfarm.evil-corp-usa.com wildcard entry above.
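The certificate pivot above, as an added example (not the post's own code): fetch the peer certificate over TLS with the stdlib ssl module, pull the DNS entries out of its Subject Alternative Name extension, and collapse www. and wildcard entries into the registrable domains worth pivoting on. POST_CERT holds the SAN list reported above in the dict shape getpeercert() returns, so everything except the live fetch runs offline; the two-label apex rule in registrable() is an assumption that fails under suffixes like co.uk.

```python
import socket
import ssl
from typing import Dict, Iterable, List, Set


def fetch_peer_cert(host: str, port: int = 443) -> Dict:
    """Live lookup (needs network): connect with SNI set to `host` and return the
    verified peer certificate as the dict ssl produces. Keep verification on: for
    an unverified connection getpeercert() returns an empty dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_names(cert: Dict) -> List[str]:
    """Every DNS entry of the Subject Alternative Name extension, deduplicated."""
    return sorted({v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"})


def registrable(name: str) -> str:
    """Collapse 'www.x.com', '*.x.com' and '*.farm.x.com' to 'x.com'.
    Assumption: the apex is the last two labels, which is wrong under public
    suffixes such as co.uk (use a public-suffix list for real inventories)."""
    return ".".join(name.lower().lstrip("*.").split(".")[-2:])


def group_by_base(names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each registrable domain to the SAN entries that sit under it."""
    groups: Dict[str, List[str]] = {}
    for n in names:
        groups.setdefault(registrable(n), []).append(n)
    return {k: sorted(v) for k, v in sorted(groups.items())}


def base_domains(cert: Dict) -> Set[str]:
    """The distinct registrable domains a certificate vouches for."""
    return set(group_by_base(dns_names(cert)))


# The SAN list the post reports for the i239.bxjyb2jvda.net certificate, laid out
# the way getpeercert() returns 'subjectAltName' (a tuple of (type, value) pairs).
POST_CERT: Dict = {
    "subjectAltName": tuple(("DNS", n) for n in [
        "www.racksure.com", "racksure.com", "*.serverfarm.evil-corp-usa.com",
        "www.e-corp-usa.com", "iammrrobot.com", "www.conficturaindustries.com",
        "www.iammrrobot.com", "*.seeso.com", "*.evil-corp-usa.com", "e-corp-usa.com",
        "*.bxjyb2jvda.net", "whoismrrobot.com", "seeso.com", "fsoc.sh", "www.fsoc.sh",
        "conficturaindustries.com", "whereismrrobot.com", "www.whoismrrobot.com",
        "www.whereismrrobot.com", "evil-corp-usa.com", "www.seeso.com",
    ]),
}

if __name__ == "__main__":
    for base, entries in group_by_base(dns_names(POST_CERT)).items():
        print(f"{base:28} {', '.join(entries)}")
```

For a one-off check from a shell, `openssl s_client -servername HOST -connect HOST:443 </dev/null | openssl x509 -noout -text` and reading the DNS: entries gives the same list; the Python version is for when you want to feed the names into further lookups.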
As for the puzzle at https://fsoc.sh:
If you look at this page, you may notice that the cursor is blinking at irregular intervals.
It's not really hard to see that this is Morse code, but I'm terrible at solving these things manually, so I'd rather do it the techie way, starting from the script behind the page:
https://www.fsoc.sh/assets/main.js
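The "techie way" for a blinking-cursor signal, as an added example that is neither main.js nor the post's own solver: take the timestamps of each cursor toggle, turn them into (visible, duration) events, and classify every flash and gap against the shortest flash (the dot). The encode() helper only generates a constructed test signal with ITU 1/3/7-unit spacing and a little timing jitter; the real fsoc.sh timing and message are not known to this example.

```python
from typing import Dict, List, Tuple

Event = Tuple[bool, int]   # (cursor visible?, how long that state lasted, in ms)

MORSE: Dict[str, str] = {
    'A': '.-',   'B': '-...', 'C': '-.-.', 'D': '-..',  'E': '.',    'F': '..-.',
    'G': '--.',  'H': '....', 'I': '..',   'J': '.---', 'K': '-.-',  'L': '.-..',
    'M': '--',   'N': '-.',   'O': '---',  'P': '.--.', 'Q': '--.-', 'R': '.-.',
    'S': '...',  'T': '-',    'U': '..-',  'V': '...-', 'W': '.--',  'X': '-..-',
    'Y': '-.--', 'Z': '--..', '0': '-----', '1': '.----', '2': '..---', '3': '...--',
    '4': '....-', '5': '.....', '6': '-....', '7': '--...', '8': '---..', '9': '----.',
}
REVERSE = {code: ch for ch, code in MORSE.items()}


def events_from_toggles(toggle_ms: List[int], starts_visible: bool = True) -> List[Event]:
    """What instrumenting the page gives you: a timestamp per cursor toggle.
    Consecutive timestamps become (state, duration) events."""
    events: List[Event] = []
    visible = starts_visible
    for prev, nxt in zip(toggle_ms, toggle_ms[1:]):
        events.append((visible, nxt - prev))
        visible = not visible
    return events


def encode(text: str, unit_ms: int = 120, jitter_ms: int = 0) -> List[Event]:
    """Constructed signal for `text` (NOT the real fsoc.sh timing).
    ITU spacing: dot = 1 unit on, dash = 3 on; gaps of 1 unit inside a letter,
    3 between letters, 7 between words. jitter_ms nudges every event so the
    decoder's thresholds get exercised instead of hit exactly."""
    events: List[Event] = []

    def add(on: bool, units: int) -> None:
        sign = -1 if len(events) % 3 == 0 else 1
        events.append((on, units * unit_ms + sign * jitter_ms))

    for wi, word in enumerate(text.upper().split()):
        if wi:
            add(False, 7)
        for li, letter in enumerate(word):
            if li:
                add(False, 3)
            for si, sym in enumerate(MORSE[letter]):
                if si:
                    add(False, 1)
                add(True, 1 if sym == '.' else 3)
    return events


def decode(events: List[Event], unit_ms: int = 0) -> str:
    """Classify flashes and gaps relative to the dot length. By default the dot is
    the shortest flash seen; pass unit_ms explicitly if the message might contain
    no dots at all (then the shortest flash is a dash and everything misreads).
    Thresholds sit between the nominal 1/3/7-unit values, so moderate timing
    noise does not flip a symbol. Unknown codes decode to '?'."""
    flashes = [ms for on, ms in events if on]
    if not flashes:
        return ''
    unit = unit_ms or min(flashes)
    out: List[str] = []
    letter = ''

    def flush() -> None:
        nonlocal letter
        if letter:
            out.append(REVERSE.get(letter, '?'))
            letter = ''

    for on, ms in events:
        if on:
            letter += '.' if ms < 2 * unit else '-'
        elif ms >= 5 * unit:        # word gap (nominal 7 units)
            flush()
            out.append(' ')
        elif ms >= 2 * unit:        # letter gap (nominal 3 units)
            flush()
        # anything shorter is the 1-unit gap between symbols of one letter
    flush()
    return ''.join(out).strip()


if __name__ == '__main__':
    sample = encode('hello friend', jitter_ms=20)   # constructed signal
    print(decode(sample))
```

To use it on the real page, log the time of each cursor toggle (for instance by hooking whatever main.js changes on the cursor element and appending performance.now() to an array), then feed that array to events_from_toggles() and decode(). If the output is mostly '?', the dot length was misjudged; pass unit_ms by hand.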

What have you found in the season 2 premiere so far?
All praise to https://0x41.no for their craftiness.

Source: http://www.mrrobothacks.com/look-found-mr-robot-s02e01/
