udurrani
Shamoon has a concept of KILL-TIME: the attack starts on a specific date and at a specific time. The KILL time is embedded statically in the first-stage dropper, and the value is encrypted. Once decoded, it looks like:
The test scenario is very simple. Download all the files. Unzip the package (PASSWD: foo). You will find two folders:
TEST_SHAMOON_BIN
0xff
TEST_SHAMOON_BIN has the main binary. Right-click on it and run as administrator. Please note that this binary is for testing purposes ONLY. I have made it in a way that the wiper function won't overwrite your MBR. Each time you initiate the binary, it will drop a payload with a different hash and execute it.
The 0xff folder has the binary that will show you whether 2nd stage files are dropped and whether service(s) are started. The binary is called RUNME.exe. You MUST open CMD as admin and run this command. Shamoon doesn't run if the wiper service is already running. If you want to re-run, please remove the service first.
To download (PASSWORD: foo)