{
	"id": "c4946d62-f688-432e-82d0-7989de06e706",
	"created_at": "2026-04-06T00:17:49.749963Z",
	"updated_at": "2026-04-10T03:30:33.529826Z",
	"deleted_at": null,
	"sha1_hash": "8f2dcfc3201d25f2a8723b0360ab7c3c579872ad",
	"title": "GitHub - stamparm/EternalRocks: EternalRocks worm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 298833,
	"plain_text": "GitHub - stamparm/EternalRocks: EternalRocks worm\r\nBy stamparm\r\nArchived: 2026-04-05 22:41:04 UTC\r\nEternalRocks (a.k.a. MicroBotMassiveNet)\r\nEternalRocks is a self-replicating network worm that emerged in the first half of May 2017; the oldest known sample, fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd, dates to 2017-05-03. It spreads through the public SMB exploits from The Shadow Brokers NSA dump (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY), along with the related programs DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.\r\nThe first stage malware, UpdateInstaller.exe (delivered through remote exploitation by the second stage malware), downloads the .NET components TaskScheduler and SharpZLib needed by the later stages from the Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample). Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org, and for C\u0026C (ubgdgno5eswkhmpy.onion) communication requesting further instructions (e.g. installation of new components).\r\nhttps://github.com/stamparm/EternalRocks\r\nPage 1 of 8\r\nThe second stage malware, taskhost.exe (note: a different file than the one from the first stage) (e.g. sample), is downloaded after a predefined period (24h) from http://ubgdgno5eswkhmpy.onion/updates/download?id=PC and run. On its initial run it drops the exploit pack shadowbrokers.zip and unpacks the contained directories payloads/, configs/ and bins/. It then starts a random scan of the Internet for open 445 (SMB) ports, running the contained exploits (inside directory bins/) and pushing the first stage malware through the payloads (inside directory payloads/). It also expects the Tor process from the first stage to be running, in order to get further instructions from the C\u0026C.\r\nUpdate (2017-05-25)\r\nThe author (\"tmc\") suddenly dropped the whole campaign after the recent fuss. At this moment the C\u0026C page holds the following (new) message:\r\nAfter a successful registration, the user finds the following messages from the malware author (\"tmc\") himself:\r\nIts not ransomware, its not dangerous, it just firewalls\r\nthe smb port and moves on. I wanted to play some games with\r\nthem, considering I had visitors, but the news has to much\r\nabout weaponized doomsday worm eternal rocks payload. much\r\nthought to be had... ps: nsa exploits were fun, thanks\r\nshadowbrokers!\r\nbtw, all I did, was use the NSA tools for what they were\r\nbuilt, I was figuring out how they work, and next thing I\r\nknew I had access, so what to do then, I was ehh, I will\r\njust firewall the port, thank you for playing, have a nice\r\na day.\r\nAlso, the malware no longer updates to the second stage (shadowbrokers exploit pack), but to a dummy executable:\r\nHost based indicators\r\nPaths\r\nc:\\Program Files\\Microsoft Updates\\SharpZLib.zip # in newer variants\r\nc:\\Program Files\\Microsoft Updates\\svchost.exe\r\nc:\\Program Files\\Microsoft Updates\\installed.fgh\r\nc:\\Program Files\\Microsoft Updates\\ICSharpCode.SharpZipLib.dll # in newer variants\r\nc:\\Program Files\\Microsoft Updates\\Microsoft.Win32.TaskScheduler.dll\r\nc:\\Program Files\\Microsoft Updates\\SharpZLib\\ # in newer variants\r\nc:\\Program Files\\Microsoft Updates\\temp\\tor.zip\r\nc:\\Program Files\\Microsoft Updates\\temp\\Tor\\\r\nc:\\Program Files\\Microsoft Updates\\required.glo\r\nc:\\Program Files\\Microsoft Updates\\taskhost.exe\r\nc:\\Program Files\\Microsoft Updates\\TaskScheduler.zip\r\nc:\\Program Files\\Microsoft Updates\\TaskScheduler\\\r\nc:\\Program Files\\Microsoft Updates\\torunzip.exe # in older variants\r\nPersistence\r\nTwo scheduled tasks, ServiceHost and TaskHost, with multiple triggers\r\nMutexes\r\n{8F6F00C4-B901-45fd-08CF-72FDEFF}\r\n{8F6F0AC4-B9A1-45fd-A8CF-72FDEFF}\r\n20b70e57-1c2e-4de9-99e5-69f369006912\r\nSamples\r\nFirst stage\r\ne049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc # UpdateInstaller.exe (captured)\r\n1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d # UpdateInstaller.exe (variant)\r\n64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15 # UpdateInstaller.exe (variant)\r\n94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97 # UpdateInstaller.exe (variant)\r\n9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b # UpdateInstaller.exe (variant)\r\na7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392 # UpdateInstaller.exe (variant)\r\nad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa # UpdateInstaller.exe (variant)\r\nb2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867 # UpdateInstaller.exe (variant)\r\nc999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491 # UpdateInstaller.exe (variant)\r\nd43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c # UpdateInstaller.exe (variant)\r\nd86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5 # UpdateInstaller.exe (variant)\r\nfc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd # UpdateInstaller.exe (variant)\r\nSecond stage\r\ncf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30 # taskhost.exe (captured)\r\n3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693 # taskhost.exe (variant)\r\na77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0 # taskhost.exe (variant)\r\n70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d # shadowbrokers.zip (exploits)\r\nNetwork indicators\r\nC\u0026C server(s)\r\nubgdgno5eswkhmpy.onion\r\nDownloading required .NET components (first stage)\r\nhttp://api.nuget.org/packages/taskscheduler.2.5.23.nupkg\r\nhttp://api.nuget.org/packages/sharpziplib.0.86.0.nupkg # in newer variants\r\nAppendix\r\nDecompilation of an older sample\r\nC# source # 1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d\r\nNetwork traffic capture (PCAP)\r\nWindows 7 x64 SP1 Honeypot # initial exploitation capture (2017-05-17)\r\nYara rules\r\nEternalRocks.yara\r\nDebug strings\r\nC:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VB6.OLB\r\nC:\\Users\\tmc\\Documents\\DownLoader\\Project1.vbp\r\nC:\\Users\\tmc\\Documents\\TorUnzip\\Project1.vbp\r\nc:\\Users\\tmc\\Documents\\Visual Studio 2015\\Projects\\MicroBotMassiveNet\\taskhost\\obj\\x86\\Debug\\taskhost.pdb\r\nC:\\Users\\tmc\\Documents\\Visual Studio 2015\\Projects\\WindowsServices\\svchost\\bin\\svchost.pdb\r\nIndicators of Compromise (IOC)\r\nSHA256\r\n1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d\r\n20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1\r\n2094d105ec70aa98866a83b38a22614cff906b2cf0a08970ed59887383ee7b70\r\n23eeb35780faf868a7b17b8e8da364d71bae0e46c1ababddddddecbdbd2c2c64\r\n3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693\r\n44472436a5b46d19cb34fa0e74924e4efc80dfa2ed491773a2852b03853221a2\r\n48b1024f599c3184a49c0d66c5600385265b9868d0936134185326e2db0ab441\r\n589af04a85dc66ec6b94123142a17cf194decd61f5d79e76183db026010e0d31\r\n64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15\r\n6bc73659a9f251eef5c4e4e4aa7c05ff95b3df58cde829686ceee8bd845f3442\r\n70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d\r\n7b8674c8f0f7c0963f2c04c35ae880e87d4c8ed836fc651e8c976197468bd98a\r\n94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97\r\n9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b\r\na77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0\r\na7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392\r\nad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa\r\naedd0c47daa35f291e670e3feadaed11d9b8fe12c05982f16c909a57bf39ca35\r\nb2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867\r\nc4762489488f797b4b33382c8b1b71c94a42c846f1f28e0e118c83fe032848f0\r\nc999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491\r\ncf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30\r\nd43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c\r\nd86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5\r\ne049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc\r\ne77306d2e3d656fa04856f658885803243aef204760889ca2c09fbe9ba36581d\r\nf152ed03e4383592ce7dd548c34f73da53fc457ce8f26d165155a331cde643a9\r\nfc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd\r\nImphash\r\n8ef751c540fdc6962ddc6799f35a907c # older (VB6) variants of UpdateInstaller.exe\r\nMutexes\r\n{8F6F00C4-B901-45fd-08CF-72FDEFF}\r\n{8F6F0AC4-B9A1-45fd-A8CF-72FDEFF}\r\n{8F6F0AC4-B9A1-45fd-A8CF-727220DE8F}\r\n20b70e57-1c2e-4de9-99e5-69f369006912\r\nFile paths\r\nc:\\Program Files\\Microsoft Updates\\\r\nScheduled tasks\r\nServiceHost -\u003e C:\\Program Files\\Microsoft Updates\\svchost.exe # system start, log on, daily\r\nTaskHost -\u003e C:\\Program Files\\Microsoft Updates\\taskhost.exe # system start, log on, daily\r\nSource: https://github.com/stamparm/EternalRocks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/stamparm/EternalRocks"
	],
	"report_names": [
		"EternalRocks"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434669,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f2dcfc3201d25f2a8723b0360ab7c3c579872ad.pdf",
		"text": "https://archive.orkl.eu/8f2dcfc3201d25f2a8723b0360ab7c3c579872ad.txt",
		"img": "https://archive.orkl.eu/8f2dcfc3201d25f2a8723b0360ab7c3c579872ad.jpg"
	}
}