purpose of this: a collection of stuxnet-related files I have gathered from various sources in order to make it more public for researchers (to help AVs',etc) Note some is extracted, analyzed, dumped, etc. And so on. Why I make this repo is its easy to find samples of stuxnet (actual infections n stuff) but dumped stuff, de-hexed, de-obfuscated, analyzed, outputs, dumps, memory dumps, etc, is very difficult to find. Same with fanny.bmp and other malwares in the same malware family. So that's why I make this repo.
please find it here only_malware
- and if you see
need PK compat. v5.1 (can do v4.6)
you just need to installengrampa
for example, on linux. I Use qubes for malwares and engrampa to pack the infected archives.
===================================================================================================
Brutal_Kangaroo
- Fanny.bmp - the Precursor /Derivative to StuxNet
- nls_933w.dll file
- Gauss
- FlamER <-
fork
UNSORTED README
is a Worm that attacked Nuclear Power plants, trough unusual vulnerabilities. So-called 0Day vulnerabilities.
Includes:
- Source files, (plc etc)
- Binaries (malware etc)
- PLC Sample program (plc etc)
-
Fanny (known as fanny.bmp or, the classical a,b,c,d,e,...,j.lnk worm,(Is (likely) **not ** visible in Windows XP and such, (but I have seen some versions of it where it has a,b and c - all the way up to j)- on other versions of Windows.
-
Propagates trough Removable USB devices, which has a extremely sophisticated Rootkit, which not only hides itself, but adds itself at startup in the reg in windows machines, but it has also some other, quite shocking capabilities, such as a submodule to re-program hardware, (more specifically, HDD's Firmware) for Extreme persistence.) It exploited same vulns as Stuxnet did, and has striking similarities with it, and was used before even Stuxnet was used)
Link to fanny.bmp: https://github.com/loneicewolf/fanny.bmp
-
Flame( Aka, SKyWiper, Flame, FlameR!, PROPS_FLAME)
-
https://www.theregister.com/2015/02/17/kaspersky_labs_equation_group/
Overview of Files in FILES.ZIP
STUXNET.DLL_EMBEDDED_RSRCS:
bin201.bin
bin202.bin
bin203.bin
bin205.bin
bin208.bin
bin209.bin
bin210.bin
bin221.bin
bin222.bin
bin240.bin
bin241.bin
bin242.bin
bin250.bin
STEP7:
STL-cheat-sheet-by-category.pdf -'STL-cheat-sheet-by-alphabet (1).pdf'
S_ST70_XX_00030V.TIF
SIMATIC_STEP7_Basic_software.jpg
HW_e.gif
25209116_STEP7Example.zip
BINS:
'~WTR4141_J_37FC7C5D89F1E5A96F54318DF1A2B905.dll'
wincc_kernel32.dll.aslr.00013b86.livebin.exe
unknown_hook_in_services_memorymod-0x006b0000-0x006b1000.livebin.exe
S_D102BDAD06B27616BABE442E14461059
R_98FBEBD8883021FBE6464C37ACF17938
Q_C1CB4117D9998C79AE10C1B890C23A4D
P_F9BAE53E77B31841235F698955AECE30.dll
O_CC1DB5360109DE3B857654297D262CA1.dll
N_CA9EABEAB482524E5797C684398335D5
mrxnet.sys.livebin.exe
mrxnet.sys.593503354.mapped.livebin
mrxcls.sys.livebin.exe
mrxcls.sys.1278394761.mapped.livebin
memorymod-pe-0x10000000-0x10138000.1155327658.mapped.livebin
memorymod-pe-0x00090000-0x0010a000.1990061290.mapped.livebin
memorymod-0x006b0000-0x006b1000.450210202.mapped.livebin
maindll_dropper_memorymod-pe-0x10000000-0x10138000.livebin.exe
M_1E17D81979271CFA44D471430FE123A5
lsass.exe.1373553098.mapped.livebin
lsass2_memorymod-pe-0x00090000-0x0010a000.livebin.exe
lsass1_lsass.exe.livebin.exe
L_4589EF6876E9C8C05DCF4DB00A54887B
kernel32.dll.aslr.00013b86.1616636409.mapped.livebin
K_055A3421813CAF77E1387FF77B2E2E28
I_F8153747BAE8B4AE48837EE17172151E
H_A3844A1B6BEA3F6FAF9C276858F40960
G_F979C6A3E668C5073C4C6506461B034E
F_335707EABBE7FF256E0650432ACCEC9B
E_789F6F8DE3F140CF5D73BEF0B8ABAF78
desktop.ini
D_7A4E2D2638A454442EFB95F23DF391A1
C_016169EBEBF1CEC2AAD6C7F0D0EE9026
B_74DDC49A7C121A61B8D06C03F92D0C13
'A_30DF51C9F0D9B010350DC09ABE1E4E97.ex$'
-
INFECTEDIKNOWWHATIAMDOING
-
infected
-
Note: if you see a lot of $\textcolor{red}{\ then you need to enable javascript; it's basically just Red Text.