genBTC

Sidney Powell Kraken is Malware

Nov 26th, 2020
Be VERY careful with these links if you are on Windows. They are full of malware; only reading this text file is safe.

Original Tweet:
https://twitter.com/CodeMonkeyZ/status/1331830074350333953
Disseminated by CodeMonkeyZ = Ron (ex-admin of 8kun (8chan) (4chan)) = a literal hacker.
This is the "expert" who appeared on Chanel Rion's 30-minute-long Dominion hacking expose, which was reposted by Donald J Trump himself on Twitter and on YouTube: https://www.youtube.com/watch?v=746HTjhFifA
Original PDF link to the Kraken:
https://defendingtherepublic.org/wp-content/uploads/2020/11/COMPLAINT-CJ-PEARSON-V.-KEMP-11.25.2020.pdf

Non-Windows + Firefox immediately popped up a "Print" dialog box when I opened it, along with a yellow warning. Suss.
Then I scanned it on VirusTotal, and I'm familiar with how to analyze Windows malware. It needs to be fully audited, decompiled or sandboxed. BUT: VirusTotal virus scan = MALWARE!!!

Adobe Acrobat Reader, Windows type. Automatic printing + embedded JavaScript + multiple nasty Windows exploits.
Page 1:
https://www.virustotal.com/gui/file/637a2f7b24b52034f457b9b7e52b31efc9aaf925e976c3aed40173871b204ac4/behavior/VirusTotal%20Jujubox

It's complicated, but the words on top explain best:
"autoaction checks-user-input detect-debug-environment direct-cpu-clock-access js-embedded long-sleeps pdf runtime-modules"
+ all the .dll's and registry keys and runtime modules, "LSALookup" / CRYPTBASE.dll
LSA = Local Security Authority. The LSALookup module is the part of it that translates account names to SIDs and back (LookupAccountName and related calls); it is a name lookup, not access to anyone's password.
CRYPTBASE.dll = the base cryptographic primitives DLL; among other things it exports SystemFunction036 (RtlGenRandom), so nearly any Windows process that needs random bytes loads it.

You can upload a normal PDF to VirusTotal - NONE OF THIS SHOULD EXIST - NO REASON FOR IT.
Do that comparison before drawing conclusions: the Jujubox report describes the Acrobat Reader process that opened the file, so anything a known-clean PDF also produces in the same sandbox (sleeps, timing and debugger checks, the DLLs the reader loads at startup) is the reader's baseline, not this document's behaviour. Only the tags and process-tree entries that do NOT appear for the clean file are evidence about the file itself.

Click "Full Report" to the right of "Jujubox" for the full "System Calls", "Process Tree" and "Screenshot" (of the Spanish auto-print); Spanish can select the internal print menus and still evade detection.
This is too complicated to explain, but just believe me, I know how to read this stuff.
It's elevating its privilege through a vulnerable print function, accessing a lot of serious Windows system DLLs, making registry keys, making system files, creating system services and scheduled tasks, embedding itself permanently, and exploiting the entire system. For what purpose, I can't be certain, but it's NOT good.
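A static check a practitioner would run alongside the sandbox report, added here as an example and not part of the original paste: count the PDF name objects that give a document an auto-run action (/OpenAction, /AA) or embedded JavaScript (/JS, /JavaScript), which are the ingredients behind VirusTotal's "autoaction" and "js-embedded" tags. PDF names may spell any byte as #xx, so /Open#41ction is the same name as /OpenAction; the check normalises that first, because it is a standard way of hiding these keywords from a plain grep. The document it scans is a minimal PDF constructed for this demonstration (it is not the complaint file, and it has no xref table, just enough syntax for a keyword scan), and the function names are mine.

```javascript
// Added example (not from the paste): static PDF triage for auto-run actions
// and embedded JavaScript, in the style of pdfid keyword counting.

// SAMPLE_PDF is constructed for this demonstration only. It is just enough
// PDF syntax for a keyword scan (no xref table), with a catalog whose
// /OpenAction is spelled /Open#41ction and points at a JavaScript action
// that calls print() silently.
const SAMPLE_PDF = Buffer.from(
`%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (this.print\\({bUI:false,bSilent:true}\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
`, "latin1");

// Names whose presence warrants a closer look. /OpenAction and /AA run an
// action automatically; /JS and /JavaScript carry script; /Launch runs an
// external program; /EmbeddedFile and /RichMedia carry payload containers;
// /ObjStm can hide any of the above inside a compressed object stream.
const RISKY_NAMES = ["/OpenAction", "/AA", "/JS", "/JavaScript", "/Launch",
                     "/EmbeddedFile", "/RichMedia", "/ObjStm"];

// A PDF name may encode any byte as #xx, so /Open#41ction == /OpenAction.
// Applying this to the whole file is a triage approximation: it also touches
// '#' sequences inside strings and streams, which is harmless for counting.
function normaliseNames(text) {
  return text.replace(/#([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function countRiskyNames(pdfBytes) {
  const text = normaliseNames(pdfBytes.toString("latin1"));
  const counts = {};
  for (const name of RISKY_NAMES) {
    // A name token ends at whitespace or a delimiter, so /JS must not match /JSX.
    const re = new RegExp(name.replace("/", "\\/") + "(?![A-Za-z0-9])", "g");
    counts[name] = (text.match(re) || []).length;
  }
  return counts;
}

// Returns the counts plus two derived flags; a file with both an automatic
// action and script is the combination the paste describes (auto-print).
function triage(pdfBytes) {
  const counts = countRiskyNames(pdfBytes);
  const autoRun = counts["/OpenAction"] > 0 || counts["/AA"] > 0;
  const hasJs = counts["/JS"] > 0 || counts["/JavaScript"] > 0;
  return { counts, autoRun, hasJs, flag: autoRun && hasJs };
}

console.log(triage(SAMPLE_PDF));
```

Counting keywords does not decide maliciousness on its own; plenty of legitimate forms carry /AA and /JS. What it does is tell you whether the auto-run and script ingredients are physically in the file, which is the question a sandbox tag leaves open; a hit then calls for pulling out the /JS object and reading what it does. The scan cannot see inside compressed object streams, so a non-zero /ObjStm count with otherwise zero hits means the file needs decompressing first.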

Page 2:
https://www.virustotal.com/gui/file/637a2f7b24b52034f457b9b7e52b31efc9aaf925e976c3aed40173871b204ac4/behavior/VirusTotal%20Sysmon
Windows Media Player NSS\3.0\Servers\{...} = set registry keys: WORK: admin: = set a weak username/password to get in from outside. Caveat: that key belongs to the Windows Media Player Network Sharing Service, and the values logged under it read like the sandbox VM's own workgroup and user names; the trace shows a key being written, not a new account or password being created.
UPnPHost = get onto the network
Windows Media Player\wmpnetwk.exe = network (the Network Sharing Service host process)
dfdts.dll = Windows Disk Failure Diagnostic Module
sdclt.exe = Windows Backup = duplicating/hiding in backup.
taskhost.exe = system tasks (the host process for scheduled tasks).
wsqmcons.exe = Windows SQM Consolidator, part of the Microsoft Customer Experience Improvement Program; it is itself started by a scheduled task.
All of these are stock Windows components, and the scheduled-task ones run on their own timers, so their presence in a Sysmon trace is not evidence by itself. The useful check is the process tree: whether the reader process that opened the PDF is the parent of any of them.


Sidney Powell's actual website:
https://defendingtherepublic.org/
Virus scan = CLEAN (cursory glance) - but curl index.html and note WordPress 5.5.3 and the style of coding
https://www.virustotal.com/gui/url/070ee27102dc4f71204b7a361cd3d8d165c1a413f694034a69bf5c8ef11fb1fc/details

Other squatter site:
http://defendingtherepublic.com/
https://www.virustotal.com/gui/url/957335c87ef6073e0e9328ac4c70950407d66ba14d39ae8494cea443c03d4351/details
Status = trackers + suspicious code.
d1hi41nc56pmug (https://d1hi41nc56pmug.cloudfront.net/static/js/2.e394861c.chunk.js)
d1hi41nc56pmug (https://d1hi41nc56pmug.cloudfront.net/static/js/main.0d0530da.chunk.js)

main.0d0530da.chunk.js = RELATED TO MALWARE
Caveat: static/js/main.<hash>.chunk.js and static/js/2.<hash>.chunk.js are the default output file names of a create-react-app build, and the VirusTotal "relations" tab lists every sample VT has seen that contained, dropped or downloaded a file with that hash. A vendor bundle that many unrelated sites ship byte-for-byte can therefore show "relations" to samples that have nothing to do with this site; check which relation type the entry is before calling the script itself malicious.

https://www.virustotal.com/gui/file/725e3784a2f3fbc25f958a77505cc3cd6dfdce8749d5b88a926083f00db756d5/relations
acrotray.exe (Acrobat system tray)
cad0e40d6c564c286b12f6807f06a869f7835a02b13aefe82f0c5ce90de7c1d2 = BIG MALWARE
https://www.virustotal.com/gui/file/cad0e40d6c564c286b12f6807f06a869f7835a02b13aefe82f0c5ce90de7c1d2/detection
d0943d85772285ae1d1db251c6b8d210.virus = BIG MALWARE
https://www.virustotal.com/gui/file/f5ca72eca50ee24a32e61b3363895bed6dce01d9678c3663a1da3e71bea7449d/detection

Non-secure version:
http://defendingtherepublic.org/
https://www.virustotal.com/gui/url/0abc67992b39fe6f7846db304ac1ed6a2695fa45c9bce7f121b5c3fbefad3ea1/details

HTTP response
Final URL = https://ldfftar.org

!!!!! IMPORTANT URL: remember ldfftar.org, it's meaningful. !!!! - DO NOT GO HERE. MORE MAJOR MALWARE.

https://www.virustotal.com/gui/file/2390024bac144cf28ad2e1c04bd7a2e416e6abb35d117b19e43e6ec8c4ed02ed/details

curl ldfftar.org
-------------------
<script src="/_Incapsula_Resource?SWJIYLWA=5074a744e2e3d891814e9a2dace20bd4,719d34d31c8e3a6e6fffd425f7e032f3">
</script>

curl ldfftar.org/_Incapsula_Resource?SWJIYLWA=5074a744e2e3d891814e9a2dace20bd4,719d34d31c8e3a6e6fffd425f7e032f3
Obfuscated JS = #1
----------------------
b="766172205f3078656238303d5b275c7834345c7836335c7834625c7833335c7837375c7837315c7833335c7834335c7836385c7834385c7835325c7833315c7835395c7835365c7834395c783364272c275c7834355c783464.........
;eval((function(){for (var i=0;i<b.length;i+=2){z+=String.fromCharCode(parseInt(b.substring(i,i+2),16));} return z;})());})();
NOTICE the eval = execution, and the fromCharCode over every 2 chars = hex bytes = obfuscation.
Caveat: a /_Incapsula_Resource script tag with an SWJIYLWA parameter is what the Imperva Incapsula WAF/CDN injects into every page it proxies. It is Incapsula's own client-side bot-detection script, obfuscated by the vendor and served by the WAF in front of the site rather than by the site's code; on its own it tells you that the site sits behind Incapsula, and nothing more.
Original file rehosted @ https://files.catbox.moe/mas0lv

Re-decoded from that obfuscated JS (by carefully running the "b" JavaScript into the "z" string without eval'ing it)
----------------------------------------
#2 = MORE obfuscated JS
"var _0xeb80=['\\x44\\x63\\x4b\\x33\\x77\\x71\\x33\\x43\\x68\\x48\\x52\\x31\\x59\\x56\\x49\\x3d','\\x45\\x4d\\x4b\\x39\\x77\\x71\\x30\\x6b\\x59\\x38\\x4f\\x6d\\x77\\x36\\x74\\x47\\x77\\x70\\x2f\\x43\\x69\\x32\\x42\\........................
NOTICE: this is not shellcode. _0xeb80 is a JavaScript variable name (the _0x + hex digits pattern is the identifier scheme of common JavaScript obfuscators), not a memory address, and \x44 etc. are ordinary hex escapes inside string literals, i.e. hex ASCII character codes. Unescaped, the first entry reads DcK3wq3ChHR1YVI=, which is base64: this is the obfuscator's encoded string table, and the rest of the script fetches strings out of it by index.
Incapsula_resource_2 rehosted @ https://files.catbox.moe/dawicp

Re-decoded from that obfuscated JS = #3
-----------------------------------------
Now this decodes to a metric fuckton of concatenated Base64 strings + mixed-in JavaScript with a complicated execution path. I stopped at this point. It's super gnarly.
€DcK3wq3ChHR1YVI=EMK9wq0kY8Omw6tGwp/Ci2B5w6bCmF7DvQbCvw==bSodb8KtMQ==woTDm8OSw5XDv8KSFDnCnMKQNw==wrImw5NQwqU=wpPCh8OaZQ==wpI0Jg==w7szJw==woUgDBbCgVbCisK6dsO9w4wswrZJTTvCs2suwrvCnlg3wp48KQrCqgjDpA==GsK9wrsla8Osw59wY8O6DA==XXXDlQ==wqw3PQY=w7FNeDDCgMK1w6Y=TyUfVcO+w4PCtVvCoAnDpMOAcQ==BncuFMKkwqI=wr00Qg==RsKHwofCn3pxf1Vqwqgmw6MSw6nDgcOAFcOgGcKAw5tYMsKkw63CjcOZwqvDjsK9wrx0wqFowroUw6/DuWXDhA==w4slLA==wqwkw5k=wrMiGA==woUFCg==H8K8wqclP8Kbwo3DrkHDu8OWwpoBwovCl8ORw5oKBi/CncKWKsONEAxSw6MZJULCjA==HTt1KgttEDUOK1fDukw=wpZawp5pacOhB8OJw7d1GlRkQGjCp8KeCWBNwqErUsORbsK9A1ZEwpDDl8OGwrUWBw==VTbCtBHCiMKzwoXClsO8Ig==OkIuMsK3woM=GDl1Jg==wqYzw4ttwrjCscO5XcO2wrPDg0TDusODwrsQw5rCjMObw51eRBJ1wrA8w5nDgMO3UHnDlg==w5vCv8OBCg==w7jCu8OBO8OSFTs=w5DDjMKuQ8KfIGrCq8Ktwr9Kb8OsM8O2TFY5CcKFwr0lF8OVworCl3TDizPDncOnw6XDgVE=aDYOUQ==OQfCpcKKN8OUBQ==wqd8w79pw7RVw4k6c8K9wqPDnzPDi8OtdcKuwp0=woLCssKIwq8yBA==LcK5wrrClA==EMKxwpI5E3rDlQ==w6pmVMOTwoPCiyURwpHCo1dtC8K+AMKOVkEhag==w74zw6B8w6lFw5gsw4AtEQ==WS3Dvw==bG7DtBc=wrITwqPCjz9Qw7s=QhrCgg==wqYFEwzDujc=GcK8wq0qc8Oqw5F6BcKxwooCG3M=IcKCwrI=w4cqHA==woU3w4tcacKIwocJbBQuw78JEMOYw6TDt3M=I8Oqw7c=YzLCoRA=wrxWwolPb8O/DQ==wqbDm1Urw6VLw67DoMOVwqZXw40=XcKkw7bCjSxsOFoswrh1w4Bww7DCg8OTVsOuQw==FX5Twq0+w5kLJArClg==w5HChgZINg==wq7CjcKpQw==DXbCghdswqLCjA==w4JcIA==KsK+wr/CicOwDzdawo8sWQJQw73Cv8KPwrp5wolTw4LDhwoLw759w6zCunPDu8KBwpLDgw3DuMKowr8iwoPCi8KRwqlWB8Kaw7DCh8KDIsKrKMOmw70NJQsCwqjCt19lw5/DthPDk0/Diw==MCxmw4DDlcK6w4BsHA==NTnDnA==w4wQw68=QTDCgw==üS|P?wì JE„ü
4ž
ETC + MORE
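The safe way to peel the #1 and #2 layers above, added here as an example and not part of the original paste: replay the loader's own transform but return the string instead of passing it to eval(), then treat the _0xeb80 entries as what they are, string literals with \xNN escapes, and base64-decode them. SAMPLE_HEX is the opening of the b string quoted above, reconstructed by hand from that excerpt (the real string is far longer), and the function names are mine. Run as is, it shows the first table entry unescaping to DcK3wq3ChHR1YVI= and base64-decoding to 11 bytes that are not printable text, which points to a further encoding layer on top of base64 (common obfuscators apply RC4 before base64; that is an inference, not something this example verifies).

```javascript
// Added example (not from the paste): decode the two obfuscation layers
// shown above without ever calling eval().

// SAMPLE_HEX: the first bytes of the "b" string from the paste, constructed
// here by hand from the quoted excerpt. It spells out: var _0xeb80=['\x44...\x3d','
const SAMPLE_HEX =
  "766172205f3078656238303d5b27" +          // var _0xeb80=['
  "5c7834345c7836335c7834625c783333" +      // \x44\x63\x4b\x33
  "5c7837375c7837315c7833335c783433" +      // \x77\x71\x33\x43
  "5c7836385c7834385c7835325c783331" +      // \x68\x48\x52\x31
  "5c7835395c7835365c7834395c783364" +      // \x59\x56\x49\x3d
  "272c27";                                 // ','

// Layer 1: the loader's own transform (fromCharCode over every two hex
// digits), returned as a string instead of being handed to eval().
function decodeHexPairs(hex) {
  let out = "";
  for (let i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substring(i, i + 2), 16));
  }
  return out;
}

// Pull the single-quoted entries out of a "var NAME=['...','...']" fragment.
// Backslash escapes inside a literal are kept verbatim for the next step.
function extractArrayEntries(src) {
  const entries = [];
  const re = /'((?:\\.|[^'\\])*)'/g;
  let m;
  while ((m = re.exec(src)) !== null) entries.push(m[1]);
  return entries;
}

// Layer 2: entries are ordinary JS string literals whose characters are
// written as \xNN escapes. Undo the escapes with a regex, not with eval().
function unescapeHexEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function isBase64Text(s) {
  return s.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(s);
}

// Layer 3: base64-decode an entry and report whether the result is readable
// ASCII. Unreadable bytes mean another encoding sits under the base64.
function decodeEntry(entry) {
  const text = unescapeHexEscapes(entry);
  const bytes = isBase64Text(text) ? Buffer.from(text, "base64") : Buffer.from(text, "latin1");
  const printable = [...bytes].every((b) => b >= 0x20 && b < 0x7f);
  return { text, bytes, printable };
}

// Runs all three layers over a hex-encoded loader string.
function analyse(hex) {
  return extractArrayEntries(decodeHexPairs(hex)).map(decodeEntry);
}

for (const e of analyse(SAMPLE_HEX)) {
  console.log(e.text, e.bytes.toString("hex"), e.printable ? "text" : "not printable");
}
```

The decoded bytes of the first entry contain C2 xx pairs, which is how UTF-8 spells code points in the 0x80 to 0xFF range; that is the fingerprint of a string table that was transformed byte-wise before being base64'd, so the next step is to find the decoding routine in the script and reimplement it in the same way, never by running it.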

Proves these sites are directly related to her.
-----------------------------------------------
https://duckduckgo.com/?q=ldfftar.org <-- malware
https://duckduckgo.com/?q=fftar.org

YouTube account for FFTAR
---------------------------
https://www.youtube.com/watch?v=iVqlYQHuwYQ = The Foundation for the American Republic (FFTAR) - Mission Video and Fundraising Ask! (FFTAR.ORG)
3 subscribers
The Foundation for the American Republic was established to protect the vision of our forefathers and the vision they had for a great nation. This video shows just how we do that and why the foundation needs your support!

Twitter account for FFTAR
---------------------------
The Foundation for the American Republic promotes and defends the ideals, principles, values and vision of America's Founders.
96 following, 318 followers. Common to my own friend list: LaraLogan, MillieWeaver, TracyBeanz, etc.
Account exists with 0 content except for 4 likes: ElonMusk, DonaldJTrump "We are going to win 2020 Election BIG Maga" (July 30th), RichHigginsDC, LisaMarieBoothe

