{
	"id": "746b913b-8ce6-400e-8582-4b02ac115127",
	"created_at": "2026-04-06T00:12:32.508523Z",
	"updated_at": "2026-04-10T03:29:45.3083Z",
	"deleted_at": null,
	"sha1_hash": "88654f3accec4e2ce5dd66588265caaa4bae2f55",
	"title": "A quick analysis of the latest Shadow Brokers dump",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87231,
	"plain_text": "A quick analysis of the latest Shadow Brokers dump\r\nBy Nettitude Labs\r\nPublished: 2017-04-17 · Archived: 2026-04-05 14:19:04 UTC\r\nJust in time for Easter, the Shadow Brokers released the latest installment of an NSA data dump, which contained an almost overwhelming amount of content – including, amongst other things, a number of Windows exploits. We thought we’d run some quick analysis on various elements of said content.\r\nBefore we get started\r\nWe’re going to largely avoid the obvious elements of the dump because there’s already been a lot of very helpful analysis of those elements. However, before we get to that, here’s what you need to know:\r\nPatch! The majority of the high impact Microsoft vulnerabilities have recently been addressed in the MS17-010 patch.\r\nDisable SMBv1.\r\nRemove all Windows XP and 2003 machines from your network. These contain vulnerabilities that will not be patched.\r\nThe following table (raw data available at https://pastebin.com/5gkb6HLJ and courtesy of @etlow) contains some of the more pertinent information.\r\nShadow Brokers Exploit Table\r\nWe can also recommend the following script by Luke Jennings, which is designed to sweep a network to find Windows systems compromised with the dump’s DOUBLEPULSAR implant: https://github.com/countercept/doublepulsar-detection-script\r\nWith that out of the way…\r\nMetadata, or a lack of\r\nThroughout the Equation Group leak via the Shadow Brokers, there are a number of different languages being used. One interesting element is how it appears that there was originally a preference for Perl, which was then replaced with Python – we think that this mirrors how the offensive security industry has evolved, too.\r\nAs the age of the dump is pinned at some point in 2013, we would have expected to see a little bit of PowerShell; this was really starting to come into favor around that time. Now, this post isn’t about dropping a new l33t PowerShell technique gained from the dump, but rather looking at what the capability was at that point in time.\r\nStaying with the timing of the dump for a minute, we are reminded of the following series of Tweets from Edward Snowden back in August last year, when the ShadowBrokers [6] first dropped.\r\nhttps://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/\r\nPage 1 of 15\n\nWe know we run the risk of taking these out of context, and it is entirely possible that his mind has been changed since; however, we find the following piece of information interesting. According to the timeline from the Guardian [5], the first release of the material he took was on the 5th June 2013. It’s probable that other dumps have since contradicted this and that the view of when the hacker/s were kicked off has been narrowed, but we are unaware of this (so if you know different, answers on a postcard please).\r\nExamining one of the tools, makedmgd.exe, part of a toolkit called DAMAGEDGOODS that is used within a PowerShell delivery framework called ZIPO, we see the following. One of the first things that we noticed is that, hmmm, the build date is baked into the exe. Also, some different implants not within the dump are referenced there, “distantuncle” and “finkdiffernt”; some of the coders definitely have a certain sense of humor.\r\nUsing Sysinternals’ excellent sigcheck.exe [7] we could view the publisher, version and build date in order to correlate. Yes, it is one of the many ways to list a binary’s metadata, but some of its other superb features are that, as the name implies, it will verify the signature if the binary has been signed using Authenticode, and it is also able to send the binary straight to VirusTotal and look at all files within a directory tree recursively. Running sigcheck, unsurprisingly we get the following information or, some would say, a lack of it.\r\nAny trace of publisher or company, which, to be fair, will be set in Visual Studio (or your toolchain of choice), has either been stripped or not set. The link date is there, which correlates to the build date, which is also five weeks after Snowden’s material was first dropped. It is entirely possible to mess with and edit these dates, of course, before releasing the dump. We do find it strange to go to the level of stripping all other information but hard coding a build date, particularly in a tool that will be released to a workstation. The directory structure that this is in implies it may have been copied in rather than being part of a release, as it was new and may not have been sanitised properly (although there is a real danger of reading too much into it).\r\nFirst steps into PowerShell\r\nAs stated above, we would have expected to see a reasonable amount of PowerShell considering the year, but actually there is very little. The only real example that we have found is a tool called ZiPo, which can be found within the dump at /Resources/Ops/Tools/ZiPo. It contains the following tools:\r\ndecryptor_downloader.base\r\nmakedmgd.exe\r\nZIPO.py\r\nps_base.txt\r\npowershellify.py\r\nIn order to run this tool we call ZIPO.py, which first asks you to select a “project” directory and then presents a menu asking if we want to:\r\n1. Upload / Create Execute an Egg\r\n2. Upload / Create PowerShell script\r\n3. Create Compressed script to be run manually\r\nNow, Egg is a term that is used quite heavily throughout the dump and we’re not entirely sure what it means at this point in time. Pretty sure it is an Equation Group term.\r\nChoosing PowerShell script, we are then asked for the location of it, the IP address and port of the “redirector” (which we assume is a proxy), and then the local IP address and proxy. This is so that the script can spin up an HTTPd listener to serve up the files that have been created.\r\nIn order to test, we created a very simple PowerShell script containing:\r\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.Windows.Forms\")\r\n[System.Windows.Forms.MessageBox]::Show(\"Hey mate, do you wanna run some powershell?\", \"you know you\r\nIt has generated a public/private key pair, created an index.html \u0026 index.htm, provided us with a script to run on the target and also started up an HTTPd so that we could download the payloads on the target. That’s not too bad for a couple of commands.\r\nLooking at the command to run, it’s pretty standard PowerShell from the time; in fact we find it really interesting that there is absolutely no attempt at obfuscating anything here. They are encrypting the payload and building a chain to download/decrypt etc., but no effort is made at hiding what the command is doing or where it is obtaining the script from (of course we would be very interested to see what they are doing now).\r\nSo what is contained within the two index files? Well, index.html is a base64 PowerShell script, which is why it was executed as an encodedCommand; decoding it you get the output below. It encrypts a known “questionable” password value using RSA, and another WebClient is created which has the encrypted value set as a cookie. The index.html is then downloaded and decrypted using the key, which is a SHA1 hash of the “questionable value”. The payload is then executed and on the server the two files are then deleted. This is a lot of effort to hide the final payload and once again absolutely no effort to obfuscate any of the script.\r\nThis is how it looks when it is run:\r\nDAMAGEDGOODS\r\nThe next thing that we did was to just create a meterpreter payload; nothing special, and it wasn’t going to get to connect back, but we felt that AV should still be able to pick it up.\r\nRunning Zipo again, we selected the third option. It asks you for a payload DLL and also the ordinal [8] that you want to fire. This is where DAMAGEDGOODS comes into play; makedmgd.exe is the exe that appears to do some kind of shellcode encoding. In this case it takes the encoded binary with a script called ps_base.txt, then compresses/base64 encodes it and then builds a decompression payload around it.\r\nThe script that is output at the end of this, using the name you supplied, is the decode/decompression/execute mentioned above and is shown below.\r\nDecoding it you get the following, which is quite interesting; it’s a PowerShell script that allocates memory, writes the shellcode into it, creates a thread and then executes the shellcode, all in memory. The shellcode in this case is going to be the meterpreter DLL that we originally used. Running it multiple times over the same DLL you get a different version each time. There appears to be some kind of prologue in the shellcode that doesn’t change, but it is pretty short; running the script multiple times and then diffing with Scooter Software’s excellent Beyond Compare [9] you find that the only section that has changed is the shellcode, except for the series of bytes below, which appears to be some kind of prologue, probably a decoder for the rest of the shellcode. What does it do, how does it work? Well that, we’re afraid, is for part 2 as we’ve spent too much time away from the family already this Easter ;o)\r\n0x68,0xc0,0x1e,0x00,0x00,0xe8,0x00,0x00,0x00,0x00,0x58,0x83,0xc0,0x0b,0x50,0xff,0xd0,0x83,0xc4,0x08,0\r\nThis kinda looks familiar….\r\nNow the great irony in a dump like this is finding code that appears to have come from GitHub but doesn’t appear to have the same licence, or any at all for that matter [1]. This script is built from a file called ps_base.txt. This is primarily used to dynamically build a type that will eventually hold a function pointer to a native function. This is then used to store the function pointers for native Win32 functions such as VirtualAlloc [2], GetProcAddress [3] \u0026 GetModuleHandle [4] that can be used to perform actions such as allocating memory and looking up the addresses of exports within DLLs. Further examples are shown in this screenshot:\r\nNow the method to create the delegates used in the above code is:\r\nProgrammers (ourselves included) can be utter sticklers for formatting, so it is conspicuous that there is such a big difference in formatting between the code in ps_base.txt vs decryptor_downloader.base. It’s almost as if ps_base.txt has come from somewhere else.\r\nWell, funnily enough, it bears more than just a striking resemblance to some code from PowerSploit [1]; screenshots from GitHub are below. Surprisingly, not too much effort has been made to change the method names.\r\nAnd also…\r\nThe commit date for this code is…\r\nAnd as stated above we have a build date of July 2013; does this mean we will find StackOverflow answer code within the dump at some point?\r\nBut anyway, back to makedmgd.exe: running it we get this list of other implants that are not in this dump; obviously still a lot out there.\r\nDOUBLEPULSAR\r\nFrom analysis we did on some implant configuration files, DarkPulsar appears to create a service called ‘dapu’. It also seems that when it upgrades itself it drops the new file using the following path: ‘c:\\windows\\system32\\sipauth32.tsp’.\r\nWe also had a look at the tdip.sys driver (sha256: A5EC4D102D802ADA7C5083AF53FD9D3C9B5AA83BE9DE58DBB4FAC7876FAF6D29).\r\nWe found the same magic DWORDs as those mentioned by Kaspersky Labs in the following link: https://securelist.com/blog/incidents/75812/the-equation-giveaway/ which contains information from a previous ‘ShadowBrokers’ dump.\r\nThe following code snippet is taken from tdip.sys:\r\n.text:000130A0 push 31h\r\n.text:000130A2 lea eax, [ecx+4]\r\n.text:000130A5 movsd\r\n.text:000130A6 mov dword ptr [ecx], 0B7E15163h \u003c--------------\r\n.text:000130AC pop edx\r\n.text:000130AD\r\n.text:000130AD loc_130AD: ; CODE XREF: sub_13084+38\r\n.text:000130AD mov esi, [eax-4]\r\n.text:000130B0 sub esi, 61C88647h \u003c------------\r\n.text:000130B6 mov [eax], esi\r\n.text:000130B8 add eax, 4\r\n.text:000130BB dec edx\r\n.text:000130BC jnz short loc_130AD\r\nThis driver was most probably used to capture network traffic, and it also accepts IOCTLs from userland. There is probably a relation between this driver and the “TrafficCapture_Target.dll” module that we found inside the recent ShadowBrokers dump, which we noticed is able to communicate with a kernel driver via IOCTLs.\r\nConclusion\r\nKeeping in mind that this is a subset of the techniques that the Equation Group had in 2013, we still find it pretty interesting that, just like the rest of the world, they were starting to wake up to the potential of offensive PowerShell. The lack of any obfuscation, i.e. any attempt to hide the decryption/download code, was another surprise too, considering how much “effort” has gone into encrypting the payload over the network at that point. The source of some of the code is intriguing, too.\r\nBut back to the initial thoughts: we probably can be sure that this code was from 2013. Is it possible that Ed’s assertion that the “hacker squatting lost access in June” may be flawed and they had access until at least the first couple of weeks in July? Assuming SB and no one else has tampered with the metadata within DAMAGEDGOODS, then yes.\r\n[1] https://github.com/PowerShellMafia/PowerSploit/blob/a233…\r\n[2] https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890(v=vs.85).aspx\r\n[3] https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx\r\n[4] https://msdn.microsoft.com/en-us/library/windows/desktop/ms683199(v=vs.85).aspx\r\n[5] https://www.theguardian.com/world/2013/jun/23/edward-snowden-nsa-files-timeline\r\n[6] https://twitter.com/snowden/status/765515087062982656?lang=en\r\n[7] https://technet.microsoft.com/en-gb/sysinternals/bb897441.aspx\r\n[8] https://msdn.microsoft.com/en-us/library/e7tsx612.aspx\r\n[9] https://www.scootersoftware.com/\r\nSource: https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/"
	],
	"report_names": [
		"a-quick-analysis-of-the-latest-shadow-brokers-dump"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88654f3accec4e2ce5dd66588265caaa4bae2f55.pdf",
		"text": "https://archive.orkl.eu/88654f3accec4e2ce5dd66588265caaa4bae2f55.txt",
		"img": "https://archive.orkl.eu/88654f3accec4e2ce5dd66588265caaa4bae2f55.jpg"
	}
}