{
	"id": "1a47cba7-98bd-4090-b03e-7dec951090b9",
	"created_at": "2026-04-06T00:08:21.253856Z",
	"updated_at": "2026-04-10T13:11:30.432103Z",
	"deleted_at": null,
	"sha1_hash": "da8dad620d4d9636c5ee912395a327dcdd02d04e",
	"title": "GitHub - TKCERT/winnti-nmap-script: Nmap Script to scan for Winnti infections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60536,
	"plain_text": "GitHub - TKCERT/winnti-nmap-script: Nmap Script to scan for\r\nWinnti infections\r\nBy sruester\r\nArchived: 2026-04-05 15:31:13 UTC\r\nThis Nmap script can be used to scan hosts for Winnti infections. It uses parts of Winnti's protocol as seen in the\r\nwild in 2016/2017 to check for infection and gather additional information.\r\nWinnti\r\nWinnti is a malware that is used by some APT groups.\r\nIt has been used since at least 2013 and has evolved over time. You can find some information here\r\nhttps://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf\r\nhttps://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf\r\nhttps://hitcon.org/2016/pacific/0composition/pdf/1201/1201%20R2%201610%20winnti%20polymorphism.pdf\r\nSecOps Warning\r\nWINNTI ONLY SUPPORTS ONE CONNECTION AT A TIME. IF YOU SCAN A HOST FOR WINNTI YOU WILL\r\nRESET THE CURRENT CONNECTION IF THERE IS ONE.\r\nRequirements\r\nThis script needs liblua 5.3 to work. You may want to download the latest Nmap version to get support out of the\r\nbox (confirmed working with Nmap 7.25BETA2 and 7.60).\r\nInstallation\r\nuser@mint ~/src $ wget https://raw.githubusercontent.com/TKCERT/winnti-nmap-script/master/winnti-detect.nse\r\nuser@mint ~/src $ wget https://nmap.org/dist/nmap-7.60.tar.bz2\r\nuser@mint ~/src $ tar xvf nmap-7.60.tar.bz2\r\nuser@mint ~/src $ cd nmap-7.60\r\nuser@mint ~/src/nmap-7.60 $ apt install build-essential\r\nuser@mint ~/src/nmap-7.60 $ ./configure \u0026\u0026 make\r\nuser@mint ~/src/nmap-7.60 $ ./nmap -sT 127.0.0.1 -p 80,631 --script ../winnti-detect.nse\r\nStarting Nmap 7.60 ( https://nmap.org ) at 2018-03-10 12:25 CET\r\nNmap scan report for localhost (127.0.0.1)\r\nhttps://github.com/TKCERT/winnti-nmap-script\r\nPage 1 of 3\n\nHost is up (0.0018s latency).\r\nPORT STATE SERVICE\r\n80/tcp closed http\r\n631/tcp open ipp\r\nHost script results:\r\n| winnti-detect:\r\n| PORTS\r\n|_ 631 clean\r\nNmap done: 1 IP address (1 host up) scanned in 0.33 seconds\r\nShow script help\r\n $ nmap --script-help winnti-detect.nse\r\nStarting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-26 17:00 CEST\r\nwinnti-detect\r\nCategories: malware safe\r\nhttps://nmap.org/nsedoc/scripts/winnti-detect.html\r\n The winnti-detect script checks if the host is backdoored by winnti rootkit. It\r\n sends a winnti command to the first three open TCP ports and checks the\r\n response. When the connection to one of these ports fails, the next port is\r\n chosen until three successful tries are completed. When a winnti infection is\r\n found the script gathers basic host information by sending a query to the\r\n backdoor and printing the response. Version 1.0, 2016-09-26\r\n *** SECOPS-WARNING ***\r\n Winnti only supports one connection at a time. If you scan a host for winnti\r\n you will reset the current connection if there is one.\r\n *** IMPORTANT ***\r\n Winnti installations may use different encryption keys. The default value\r\n included in this script is 0xABC18CBA (taken from a real sample).\r\n You can set a custom key with --script-args key=0x........\r\n The key must be given in big-endian.\r\nRun Detection\r\n $ nmap --script winnti-detect.nse 10.10.0.2\r\nStarting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-26 16:37 CEST\r\nNmap scan report for 10.10.0.2\r\nHost is up (0.013s latency).\r\nNot shown: 991 closed ports\r\nPORT STATE SERVICE\r\n135/tcp open msrpc\r\n139/tcp open netbios-ssn\r\n445/tcp open microsoft-ds\r\n49152/tcp open unknown\r\n49153/tcp open unknown\r\n49154/tcp open unknown\r\n49155/tcp open unknown\r\n49156/tcp open unknown\r\n49157/tcp open unknown\r\nHost script results:\r\n| winnti-detect:\r\n| PORTS\r\n| 135 found WINNTI\r\n| 139 skipped\r\n| 445 skipped\r\n| 49152 skipped\r\n| 49153 skipped\r\n| 49154 skipped\r\n| 49155 skipped\r\n| 49156 skipped\r\n| 49157 skipped\r\n| HOSTINFO\r\n| Hostname: SRV1\r\n| Winnti-ID: NKASJ-OQMDA-NDKQP-AJNCK-MQLAI_\r\n| Hostname2 XXXXXXXXXX-t\r\n|_ Domain XXXXXX\r\nNmap done: 1 IP address (1 host up) scanned in 6.11 seconds\r\nWinnti static key\r\nWinnti installations may use different encryption keys. The default value included in this script is 0xABC18CBA\r\n(taken from a real sample). You can set a custom key with --script-args key=0x........ The key must be given in big-endian.\r\nSource: https://github.com/TKCERT/winnti-nmap-script",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/TKCERT/winnti-nmap-script"
	],
	"report_names": [
		"winnti-nmap-script"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434101,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da8dad620d4d9636c5ee912395a327dcdd02d04e.pdf",
		"text": "https://archive.orkl.eu/da8dad620d4d9636c5ee912395a327dcdd02d04e.txt",
		"img": "https://archive.orkl.eu/da8dad620d4d9636c5ee912395a327dcdd02d04e.jpg"
	}
}