Tuesday, 10 April 2018

Maktub ransomware: possibly rebranded as Iron



In this post, we'll take a quick look at a possible new ransomware variant, which appears to be the latest version of Maktub ransomware, also known as Maktub Locker.

hasherezade from Malwarebytes has, as per usual, written an excellent blog on Maktub Locker in the past, if you wish to learn more: Maktub Locker – Beautiful And Dangerous

Update - 2018-04-14: Read the conclusion at the end of this post to learn more about how Iron ransomware mimicked at least three different ransomware families.


Analysis

A file named ado64 was discovered, with the following properties:



Maktub typically sports a graphically appealing lock screen, as well as payment portal, and promotes "Maktub Locker" extensively. 


Interestingly enough, this variant has removed all references to Maktub. The figures below show the lock screen and the payment portal, stepping through the flow.


Figure 1 - Lock screen/warning

Email address: recoverfile@mail2tor.com
Bitcoin address: 1cimKyzS64PRNEiG89iFU3qzckVuEQuUj
Ransomware note: !HELP_YOUR_FILES.HTML


Figure 2 - Payment portal

Figure 3 - Hello! (after entering the personal ID)
The text reads:

We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…


Figure 4 - "We are not lying"


Figure 5 - Ransomware cost


Figure 6 - Where to pay


Figure 7 - Last but not least: how to buy Bitcoins


In previous versions of Maktub, you could decrypt one file for free; with the current rebranding, this option has disappeared. Since the ransomware has rebranded, we'll name it "Iron" or "Iron ransomware", after the name of its decrypter, IronUnlocker.

Iron encrypts a whopping total of 374 extensions, which are as follows:

.001, .1cd, .3fr, .8ba, .8bc, .8be, .8bf, .8bi8, .8bl, .8bs, .8bx, .8by, .8li, .DayZProfile, .abk, .ade, .adpb, .adr, .aip, .amxx, .ape, .api, .apk, .arch00, .aro, .arw, .asa, .ascx, .ashx, .asmx, .asp, .asr, .asset, .bar, .bay, .bc6, .bc7, .bi8, .bic, .big, .bin, .bkf, .bkp, .blob, .blp, .bml, .bp2, .bp3, .bpl, .bsa, .bsp, .cab, .cap, .cas, .ccd, .cch, .cer, .cfg, .cfr, .cgf, .chk, .class, .clr, .cms, .cod, .col, .con, .cpp, .cr2, .crt, .crw, .csi, .cso, .css, .csv, .ctt, .cty, .cwf, .d3dbsp, .dal, .dap, .das, .db0, .dbb, .dbf, .dbx, .dcp, .dcr, .dcu, .ddc, .ddcx, .dem, .der, .desc, .dev, .dex, .dic, .dif, .dii, .disk, .dmg, .dmp, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .dvd, .dxg, .elf, .epk, .eql, .erf, .esm, .f90, .fcd, .fla, .flp, .for, .forge, .fos, .fpk, .fpp, .fsh, .gam, .gdb, .gho, .grf, .h3m, .h4r, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .ibank, .icxs, .img, .indd, .ipa, .iso, .isu, .isz, .itdb, .itl, .itm, .iwd, .iwi, .jar, .jav, .java, .jpe, .kdc, .kmz, .layout, .lbf, .lbi, .lcd, .lcf, .ldb, .ldf, .lgp, .litemod, .lng, .lrf, .ltm, .ltx, .lvl, .m3u, .m4a, .map, .mbx, .mcd, .mcgame, .mcmeta, .md0, .md1, .md2, .md3, .mdb, .mdbackup, .mddata, .mdf, .mdl, .mdn, .mds, .mef, .menu, .mm6, .mm7, .mm8, .moz, .mpq, .mpqge, .mrwref, .mxp, .ncf, .nds, .nrg, .nri, .nrw, .ntl, .odb, .odf, .odp, .ods, .odt, .orf, .owl, .oxt, .p12, .p7b, .p7c, .pab, .pbp, .pef, .pem, .pfx, .pkb, .pkh, .pkpass, .plc, .pli, .pot, .potm, .potx, .ppf, .ppsm, .pptm, .prc, .prt, .psa, .pst, .ptx, .pwf, .pxp, .qbb, .qdf, .qel, .qic, .qpx, .qtr, .r3d, .raf, .re4, .res, .rgn, .rgss3a, .rim, .rofl, .rrt, .rsrc, .rsw, .rte, .rw2, .rwl, .sad, .sav, .sc2save, .scm, .scx, .sdb, .sdc, .sds, .sdt, .shw, .sid, .sidd, .sidn, .sie, .sis, .slm, .slt, .snp, .snx, .spr, .sql, .sr2, .srf, .srw, .std, .stt, .sud, .sum, .svg, .svr, .swd, .syncdb, .t01, .t03, .t05, .t12, .t13, .tar.gz, .tax, .tcx, .thmx, .tlz, .tor, .torrent, .tpu, .tpx, .ttarch2, .tur, .txd, .txf, .uax, .udf, .umx, .unity3d, .unr, .uop, .upk, 
.upoi, .url, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vcd, .vdf, .ver, .vfs0, .vhd, .vmf, .vmt, .vpk, .vpp_pc, .vsi, .vtf, .w3g, .w3x, .wad, .war, .wb2, .wdgt, .wks, .wmdb, .wmo, .wotreplay, .wpd, .wpl, .wps, .wtd, .wtf, .x3f, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xlsb, .xltx, .xlv, .xlwx, .xpi, .xpt, .yab, .yps, .z02, .z04, .zap, .zipx, .zoo, .ztmp

Iron doesn't spare gamers, as it will also encrypt Steam files (.vdf), World of Tanks replays (.wotreplay), DayZ profiles (.DayZProfile), and possibly others.

Folders containing the following words are exempt from encryption:

Windows, windows, Microsoft, Mozilla Firefox, Opera, Internet Explorer, Temp, Local, LocalLow, $Recycle.bin, boot, i386, st_v2, intel, recycle, 360rec, 360sec, 360sand, internet explorer, msbuild

Interestingly enough, 360sec, 360rec and 360sand relate to antivirus software developed by Qihoo 360, an internet security company based in China (360 Total Security is one example). This, together with the fact that the Iron ransomware also includes resources in Chinese (Simplified), suggests this variant may have been developed by a Chinese speaker.

The ransomware will additionally delete the original files after encryption, and will also empty the recycle bin. It does not remove Shadow Volume Copies or Restore Points.

Iron embeds a public RSA key as follows:

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAIOYf0KqEOGaxdLmMLypMyZ1q/K+r6DuCdYpwZfs0EPug3ye7UjZa0QMOP5/OySr
l/uBJtkmEghEtUEo/zfcBJ7332O1ytJ7/ebIUv+ZcN1Rlswzdv7uZxYRC8u1HvrgBvAz4Atb
zx+FbFVqLB0gGixYTqbjqANq21AR6r91+oJtAgMBAAE=
-----END RSA PUBLIC KEY-----

The Iron ransomware will determine the user's WAN IP and also send a POST request to its C2 server, http://y5mogzal2w25p6bn[.]ml.

Figure 8 - Traffic

It appears Iron will create a new, random GUID and use it as a mutex so that it does not infect the machine twice. The following values will be sent to the C2:

  • Encryption key;
  • Randk (seed);
  • GUID (mutex);
  • Start (whether ransom successfully started);
  • Market (unknown).

The C2 server will then respond with another set of values and generate a unique Bitcoin address, which means that victims may end up paying twice to different addresses. Rule of thumb: do not pay the ransom.

Of note is an email address in the response: oldblackjack@outlook.com.

Iron will additionally save certain values, such as the GUID, in HKCU\Software\CryptoA:

Figure 9 - Registry values (click to enhance)

Encrypted files will have the .encry extension appended. It is likely not possible to restore data.
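The host-based indicators above (the appended .encry extension, the !HELP_YOUR_FILES.HTML note and the HKCU\Software\CryptoA key) can be turned into a simple triage check. The script below is an added example and not code from the original post; it builds a constructed sample directory tree so it runs offline, and the registry check only does anything on Windows.

```python
r"""Triage helper for the Iron (rebranded Maktub) host indicators above.

Added example, not code from the original post: walks a directory tree and
reports files carrying the appended ".encry" extension and copies of the
ransom note "!HELP_YOUR_FILES.HTML"; HKCU\Software\CryptoA is checked on Windows.
"""
import os
import sys
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".encry"
RANSOM_NOTE = "!HELP_YOUR_FILES.HTML"
REGISTRY_SUBKEY = r"Software\CryptoA"  # under HKEY_CURRENT_USER

def scan_tree(root):
    """Count .encry files, collect note locations, tally original extensions."""
    found = {"encrypted": 0, "notes": [], "by_original_ext": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                found["notes"].append(dirpath)
            elif name.lower().endswith(ENCRYPTED_EXT):
                found["encrypted"] += 1
                # Iron appends .encry, so the original extension is still
                # visible and tells you which file types were hit.
                stem = name[: -len(ENCRYPTED_EXT)]
                original = os.path.splitext(stem)[1].lower() or "<none>"
                found["by_original_ext"][original] += 1
    return found

def registry_marker_present():
    r"""True if HKCU\Software\CryptoA exists; always False off Windows."""
    if sys.platform != "win32":
        return False
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REGISTRY_SUBKEY):
            return True
    except OSError:
        return False

def build_sample_tree():
    """Constructed sample: a temp tree mimicking a partially hit user profile."""
    root = tempfile.mkdtemp(prefix="iron_triage_")
    layout = {
        "Documents": ["report.docx.encry", "budget.xlsb.encry", RANSOM_NOTE],
        "Pictures": ["holiday.cr2.encry", "notes.txt"],
        "Windows": ["system.dll"],  # in the exclusion list, so left untouched
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "w").close()
    return root

if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(result["encrypted"], "encrypted files; notes in", result["notes"])
```

On a real machine, point scan_tree at the user profile root instead of the constructed tree; the tally of original extensions shows which of the 374 targeted types were actually hit.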


Conclusion

It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example.

We know the Iron ransomware has mimicked at least three ransomware families:
  • Maktub (payment portal design)
  • DMA Locker (Iron Unlocker, decryption tool)
  • Satan (exclusion list)

From the screenshots above, it is obvious the portal design has been copy-pasted from Maktub.

As for copying from DMA Locker, see this tweet:

And, last but not least, it uses the exact same exclusion list (folders, and their contents, that will not be encrypted) as Satan:

The code itself is quite unique, and Iron looks like an entirely new ransomware; it may even be a "side project" by the creators of the Satan ransomware. However, at this point there is no sure way of telling who is behind Iron. Time may tell.

Decryption is impossible without the author's private key; however, it is possible to restore files using Shadow Volume Copies, or alternatively Shadow Explorer. If that doesn't work, you may try a data recovery program such as PhotoRec or Recuva.

Take note of ID Ransomware, in case a decryptor should ever become available. It can also identify other ransomware families if you are ever affected. Another service worth noting in this regard is NoMoreRansom.

For preventing ransomware, have a look here:

In short: create backups!

Questions, comments, feedback or help: leave a comment below or contact me on Twitter.


Indicators:



Guns of Boom Mod v3.3.0 By Game Killer

Guns of Boom - Mega Mod


👇FEATURES OF THIS HACK👇

(1) UNLIMITED MONEY

(2) UNLIMITED AMMO + NO RELOAD

(3) ALL WEAPONS UNLOCK

(4) UPDATED VERSION

(5) GAME KILLER MOD ENABLE

(6) *NO ROOT*

(7) Etc...

FRIENDS, ALL MY MODS ARE FREE, SO PLEASE SUPPORT MY CHANNEL AND HELP ME GET MORE SUBSCRIBERS






To Learn How To Hack Any Game, Subscribe To The Hack Now Channel


What's Kali Linux Metapackages and How to install it?


Kali Linux Metapackages
Metapackages give you the flexibility to install specific subsets of tools based on your particular needs. For instance, if you are going to conduct a wireless security assessment, you can quickly create a custom Kali ISO and include the kali-linux-wireless metapackage to only install the tools you need.

These metapackages allow for easy installation of certain tools in a specific field, or alternatively, for the installation of a full Kali suite. All of the Kali metapackages follow a particular naming convention, starting with kali-linux, so if you want to see which metapackages are available, you can search for them as follows:
   Example: apt-get update && apt-cache search kali-linux

Until recently, Kali Linux had only a handful of these metapackages, but the Kali team has since expanded the metapackage list to include far more options:

kali-linux: The Base Kali Linux System
 * The kali-linux metapackage is a completely bare-bones installation of Kali Linux and includes various network services such as Apache and SSH, the Kali kernel, and a number of version control applications like git, svn, etc. All of the other metapackages listed below also contain kali-linux.
 * Installation Size: 1.5 GB
 * How to install: sudo apt update && sudo apt install kali-linux

kali-linux-full: The Default Kali Linux Install
 * When you download a Kali Linux ISO, you are essentially downloading an installation that has the kali-linux-full metapackage installed. This package includes all of the tools you are familiar with in Kali.
 * Installation Size: 9.0 GB
 * How to install: sudo apt update && sudo apt install kali-linux-full

kali-linux-all: All Available Packages in Kali Linux
 * In order to keep our ISO sizes reasonable, we are unable to include every single tool that we package for Kali and there are a number of tools that are not able to be used depending on hardware, such as various GPU tools. If you want to install every available Kali Linux package, you can install the kali-linux-all metapackage.
 * Installation Size: 15 GB
 * How to install: sudo apt update && sudo apt install kali-linux-all

kali-linux-top10: Top 10 Kali Linux Tools
 * In Kali Linux, we have a sub-menu called “Top 10 Security Tools”. The kali-linux-top10 metapackage will install all of these tools for you in one fell swoop.
Top 10 Kali Security Tools
 * Installation Size: 3.5 GB
 * How to install: sudo apt update && sudo apt install kali-linux-top10

kali-linux-forensic: Kali Linux Forensic Tools
 * If you are doing forensics work, you don’t want your analysis system to contain a bunch of unnecessary tools. To the rescue comes the kali-linux-forensic metapackage, which only contains the forensics tools in Kali.
 * Installation Size: 3.1 GB
 * How to install: sudo apt update && sudo apt install kali-linux-forensic

kali-linux-gpu: Kali Linux GPU-Powered Tools
 * GPU utilities are very powerful but need special hardware in order to function correctly. For this reason, they are not included in the default Kali Linux installation but you can install them all at once with kali-linux-gpu and get cracking.
 * Installation Size: 4.8 GB
 * How to install: sudo apt update && sudo apt install kali-linux-gpu

kali-linux-pwtools: Kali Linux Password Cracking Tools
 * The kali-linux-pwtools metapackage contains over 40 different password cracking utilities as well as the GPU tools contained in kali-linux-gpu.
 * Installation Size: 6.0 GB
 * How to install: sudo apt update && sudo apt install kali-linux-pwtools

kali-linux-rfid: Kali Linux RFID Tools
 * For our users who are doing RFID research and exploitation, we have the kali-linux-rfid metapackage containing all of the RFID tools available in Kali Linux.
 * Installation Size: 1.5 GB
 * How to install: sudo apt update && sudo apt install kali-linux-rfid

kali-linux-sdr: Software Defined Radio (SDR) Tools in Kali Linux
 * The kali-linux-sdr metapackage contains a large selection of tools for your Software Defined Radio hacking needs.
 * Installation Size: 2.4 GB
 * How to install: sudo apt update && sudo apt install kali-linux-sdr

kali-linux-voip: Kali Linux VoIP Tools
 * Many people have told us they use Kali Linux to conduct VoIP testing and research so they will be happy to know we now have a dedicated kali-linux-voip metapackage with 20+ tools.
 * Installation Size: 1.8 GB
 * How to install: sudo apt update && sudo apt install kali-linux-voip

kali-linux-web: Kali Linux WebApp Assessment Tools
 * Web application assessments are very common in the field of penetration testing and for this reason, Kali includes the kali-linux-web metapackage containing dozens of tools related to web application hacking.
 * Installation Size: 4.9 GB
 * How to install: sudo apt update && sudo apt install kali-linux-web

kali-linux-wireless: Wireless Tools in Kali Linux
 * Like web applications, many penetration testing assessments are targeted towards wireless networks. The kali-linux-wireless metapackage contains all the tools you’ll need in one easy to install package.
 * Installation Size: 6.6 GB
 * How to install: sudo apt update && sudo apt install kali-linux-wireless

To see the list of tools included in a metapackage, you can use simple apt commands. For example, to list all the tools included in the kali-linux metapackage, enter this command: sudo apt-cache show kali-linux
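The Depends line that apt-cache show prints for a metapackage is a single comma-separated field with version constraints and "a | b" alternatives mixed in. The helper below, an added example that is not part of this post or of the Kali project, turns that line into one package name per line; the apt-cache output it parses is a constructed, shortened sample, and the package names in it are illustrative.

```sh
#!/bin/sh
# Constructed sample of `apt-cache show kali-linux-wireless` output (not a real
# record: the Depends line is shortened and the version numbers are made up).
SAMPLE_SHOW='Package: kali-linux-wireless
Version: 2018.1.0
Priority: optional
Section: metapackages
Installed-Size: 31
Depends: kali-linux (>= 2018.1.0), aircrack-ng, kismet | kismet-plugins, wifite, reaver (>= 1.4)
Description: Kali Linux wireless tools menu
'

# Read `apt-cache show <metapackage>` output on stdin and print the packages it
# pulls in, one per line. Version constraints such as "(>= 1.4)" are dropped and
# "a | b" alternatives are split so both names are listed.
metapackage_tools() {
  sed -n 's/^Depends: //p' \
    | tr ',|' '\n\n' \
    | sed 's/([^)]*)//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$'
}

# Number of packages in the constructed sample (real usage on a Kali system,
# assumed and not run here: apt-cache show kali-linux-wireless | metapackage_tools).
count_tools() {
  printf '%s' "$SAMPLE_SHOW" | metapackage_tools | wc -l | tr -d ' '
}
```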

Read more: Kali Linux Metapackages

Sunday, 8 April 2018

Is investing in the stock market risky?

Investing in the stock market is probably risky if you do not know what you are doing. It all depends on the knowledge you have. When you have a method to choose the companies that will be part of the stock portfolio, the risk is much lower. The stock market is riskier than fixed income, but the yield is much higher.

It is important to understand that there is a natural oscillation in stock market prices, with possible negative periods, but the trend is towards a good return over the medium and long term.

The investor's security lies in selecting the right stocks. If the company is doing well, there is no reason for its price to keep falling. If the price starts to fall out of step with what is happening in the company, large investors start buying and the price goes up again.

It is normal for someone who has never invested to be afraid of news about stock market falls, but it is essential to get past this initial stage of fear. The advantage is that it is possible to start with little money, make small investments and, as you learn, lose the fear of carrying out these operations.
Do I need a lot of money to start?

It does not take a lot of money to start investing in the stock market. You can start with just over $300. It is recommended to make a monthly investment in the stock market, but it is not necessary.

If you only have an initial contribution of this value, you can make one investment. But keep in mind that this single contribution will not change your life. You can become rich with R$ 100 or R$ 200 a month, but not with a single investment of just $500, for example. In any case, if you have R$ 200 available today, you can start with this amount and, if you wish, prepare more and more investments.

And remember: invest in your knowledge to get more and more return on your financial investments. Our goal is to help you learn to invest and become a successful investor, whether on the stock market, in currencies or in whichever mode you choose.

I have prepared a video course for you, where I explain step by step a method that explains how to invest in stocks. Know the strategy I use to achieve profitability in the stock market and that has helped thousands of beginning investors transform their financial lives.

[WARHOX] google chrome diagnostics ✔ [Hacked] game


DISCLAIMER: This channel DOES NOT promote or encourage any illegal activities; all content provided by this channel is meant for EDUCATIONAL PURPOSES only.

Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.


How to hack the Chrome dinosaur game: check here with our 100% working script! Subscribe for more hacks.

What is this Game all about?


Turn off your Wi-Fi connection (or use the developer tools in Chrome to simulate this). Then, open a new tab and load up a website. You'll see the standard (though redesigned) Network Error page, topped by the lonely T-Rex glyph created by Google designer Sebastien Gabriel.

Typically at this point you'd close the tab and tut loudly, gesturing for the nearest barista to go and reboot the router. Instead, tap the space bar on your keyboard.

The lonely T-Rex at the top of the page will suddenly bounce. A stretch of land will appear before him. And then… he'll start running.

Like other endless runner games, the goal is simple: run as far as you can, for as long as you can, until you crash. You'll need to keep mashing the space bar on your keyboard to help the T-Rex clear the conveyor belt of variously spaced, differently sized cacti.

Every 100-point marker is punctuated by a screeching high-score blip.


What is the Inspect Element Option? Inspect Element is Chrome's version of Firebug. It's not quite as full-featured, but it is still a very useful tool. Make sure that the Resource tab is enabled - if it isn't, you won't be getting any load times. Click the big "Enable resource tracking" button.


 ►Game Script


::::::::::::::::::::::::::::::::::::::game script::::::::::::::::::::::::::::::::::::::
_________________________________________________________________
// Paste into the DevTools console (Inspect Element) on the offline T-Rex page.
// Replace the game-over handler so a collision no longer ends the run.
Runner.prototype.gameOver = function () { console.log("WARHOX_CODES"); };

// Raise the running speed (15000 is extreme; see the normal value below).
Runner.instance_.setSpeed(15000);
------------------------------------------------------------------------------
// Normal speed (note the capitalised Runner and setSpeed; the lower-case
// form in the original would throw a ReferenceError):
Runner.instance_.setSpeed(10);
------------------------------------------------------------------------------
_________________________________________________________________

enjoy your high score

hack game video