The goal of this project is to document the different capabilities and functionality of the DanderSpirtz post-exploitation framework / application by examining the contents of the "resources" folder included in the ShadowBrokers leak and doing live testing of the system.
Note: This respository does not contain all of the FuzzBunch code, exploits, binaries, etc. The repository only contains the files found in the Windows/Resources/ directory included in the leak.
If you're interested in viewing the entire contents of the leak use this repo:
The original ShadowBrokers leak had most of the python scripts compiled into optimized bytecode (.pyo). In order to make this reversing / documentation effort easier I've decompiled the code and uploaded the "raw" python code to this repository
The original python bytecode files have been left intact
The sub-directories in the "Resources" directory contain different modules which are used by DanderSpirtz to provide capabilities such as packet capture, memory dumps, etc.
Below are the codenames that correspond to the differrent modules and the potentail capabilities based on examining the python code, comments, XML, available "command" txt files
Folder | Code Name | Description / Functionality |
---|---|---|
DSky | Darkskyline | PacketCapture tool |
DaPu | DarkPulsar | ?? |
Darkskyline | ?? | Contains tools to parse and filter traffic captured by DarkSkyline |
DeMI | ?? | ?? |
Df | DoubleFeature | ?? |
DmGZ | DoormanGauze | ?? |
Dsz | DanderSpritz | Several DanderSpritz specific files such as command descriptions (in XML), and several scripts with DSS (Debug script interface?) / DSI extensions?. They seem to be scripts run by DanderSpritz |
Ep | ExpandingPulley | - Implant similar to PeddleCheap. DanderSpirtz can communicate with this. Should investigate further |
ExternalLibraries | N/A | Well.. |
FlAv | FlewAvenue | Appears related to DoormanGauze (based on FlAv/scripts/_FlewAvenue.txt) |
GRDO | GreaterDoctor | Appears to parse / process from GreaterSurgeon (based on GRDO/Tools/i386/GreaterSurgeon_postProcess.py & analyzeMFT.py) |
GROK | ?? | Appears to be a keylogger (based on Ops/PyScripts/overseer/plugins/keylogger.py) |
GRcl | ?? | Appears to dump memory from a specific process (based on GRcl/Commands/CommandLine/ProcessMemory_Command.xml) |
GaTh | GangsterTheif | Appears to parse data gathered by GreaterDoctor to identify other (malicious) software that may be installed persistently (based on GaTh/Commands/CommandLine/GrDo_ProcessScanner_Command.xml) |
GeZU | ?? | Appears to dump memory (based on GeZu/Commands/CommandLine/GeZu_KernelMemory_Command.xml) |
Gui | N/A | Resources used by the DanderSpirtz GUI |
LegacyWindowsExploits | N/A | Well.. |
Ops | N/A | Contains a lot of awesome tools and python / dss scripts used by DanderSpritz. Deserves a lot of investigation. includes tools to gather data from Chrome, Skype, Firefox (ripper) and gather information about the machine / environment (survey) |
Pfree | Passfreely | Oracle implant that bypasses auth for oracle databases |
PaCU | PaperCut | ?? |
Pc | PeddleCheap | The main implant (loaded via DoublePulsar) that performs all of these actions and communciates with the C2 (DanderSpirtz) |
Pc2.2 | PeddleCheap | Resources for PeddleCheap including different DLLs / configs to call back to the C2 |
Python | N/A | Python Libraries / resources being used |
ScRe | ?? | Interacts with SQL databases (based on ScRe/Commands/CommandLine/Sql_Command.xml) |
StLa | Strangeland | Keylogger (based on StLa/Tools/i386-winnt/strangeland.xsl) |
Tasking | N/A | Handles the collection "tasks" that DanderSpritz has requested on the same (collection of windows, network data, etc) |
TeDi | TerritorialDispute | - Looks like it's a script to determine what other (malicious) software may be persistently installed (based on TeDi/PyScripts/sigs.py) |
Utbu | UtilityBurst | Appears to be a mechanism for persistence via a driver install unsure (based on UtBu/Scripts/Include/_UtilityBurstFunctions.dsi) |
ZBng | ZippyBang | Looking at this quickly, it appears to be the NSA's version of Mimikatz. It can duplicate tokens (Kerberos tokens?) and "remote execute commands" as well as logon as users (based on files in ZBng/Commands/CommandLine) |