Repository: https://github.com/stamparm/EternalRocks

# EternalRocks (a.k.a. MicroBotMassiveNet)

EternalRocks is a self-replicating network worm that emerged in the first half of May 2017; the oldest known sample, `fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd`, dates to 2017-05-03. It spreads using the publicly leaked SMB exploits from [The Shadow Brokers NSA dump](https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation): `ETERNALBLUE`, `ETERNALCHAMPION`, `ETERNALROMANCE` and `ETERNALSYNERGY`, together with the related tools `DOUBLEPULSAR`, `ARCHITOUCH` and `SMBTOUCH`.

![taskhost.exe properties](http://i.imgur.com/oKhSzFo.png)

The first stage malware, `UpdateInstaller.exe` (delivered through remote exploitation performed by the second stage malware), downloads the .NET components required by the later stages, [TaskScheduler](http://api.nuget.org/packages/taskscheduler.2.5.23.nupkg) and [SharpZLib](http://api.nuget.org/packages/sharpziplib.0.86.0.nupkg), from the Internet, and drops `svchost.exe` (e.g. [sample](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/589af04a85dc66ec6b94123142a17cf194decd61f5d79e76183db026010e0d31)) and `taskhost.exe` (e.g. [sample](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/aedd0c47daa35f291e670e3feadaed11d9b8fe12c05982f16c909a57bf39ca35)). The `svchost.exe` component downloads, unpacks and runs [Tor](https://archive.torproject.org/tor-package-archive/torbrowser/4.0.1/tor-win32-tor-0.2.5.10.zip) from `archive.torproject.org`, and then communicates with the C&C server (`ubgdgno5eswkhmpy.onion`) to request further instructions (e.g. installation of new components).

The second stage malware, `taskhost.exe` (note: a different binary from the `taskhost.exe` dropped by the first stage; e.g. [sample](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30)), is downloaded after a predefined delay (24h) from `http://ubgdgno5eswkhmpy.onion/updates/download?id=PC` and run. On its first run it drops the exploit pack [shadowbrokers.zip](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d) and unpacks the directories it contains: `payloads/`, `configs/` and `bins/`. It then starts a random scan of the Internet for open port 445 (SMB), running the contained exploits (from the `bins/` directory) against responding hosts and pushing the first stage malware through the payloads (from the `payloads/` directory). It also relies on the Tor process started by the first stage to obtain further instructions from the C&C.

## Update (2017-05-25)

The author ("`tmc`") has suddenly dropped the whole campaign after the recent fuss. At this moment the C&C page shows the following (new) message:

![C&C message](https://i.imgur.com/PU8kY44.png)

After successful registration, a user can find the following messages from the malware author ("`tmc`") himself:

```
Its not ransomware, its not dangerous, it just firewalls
the smb port and moves on. I wanted to play some games with
them, considering I had visitors, but the news has to much
about weaponized doomsday worm eternal rocks payload. much
thought to be had... ps: nsa exploits were fun, thanks
shadowbrokers!
```

![Message 1](https://i.imgur.com/aXcaKBC.png)

```
btw, all I did, was use the NSA tools for what they were
built, I was figuring out how they work, and next thing I
knew I had access, so what to do then, I was ehh, I will
just firewall the port, thank you for playing, have a nice
a day.
```

![Message 2](https://i.imgur.com/UZ0lDQP.png)

Also, the malware no longer updates to the second stage (the shadowbrokers exploit pack), but to the following [dummy](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/48b1024f599c3184a49c0d66c5600385265b9868d0936134185326e2db0ab441) executable:

![New sample](https://i.imgur.com/LA0wp8I.png)

## Host based indicators

![Dropped files](http://i.imgur.com/LoP210P.png)

### Paths

* `c:\Program Files\Microsoft Updates\SharpZLib.zip`  `# in newer variants`

* `c:\Program Files\Microsoft Updates\svchost.exe`

* `c:\Program Files\Microsoft Updates\installed.fgh`

* `c:\Program Files\Microsoft Updates\ICSharpCode.SharpZipLib.dll`  `# in newer variants`

* `c:\Program Files\Microsoft Updates\Microsoft.Win32.TaskScheduler.dll`

* `c:\Program Files\Microsoft Updates\SharpZLib\`  `# in newer variants`

* `c:\Program Files\Microsoft Updates\temp\tor.zip`

* `c:\Program Files\Microsoft Updates\temp\Tor\`

* `c:\Program Files\Microsoft Updates\required.glo`

* `c:\Program Files\Microsoft Updates\taskhost.exe`

* `c:\Program Files\Microsoft Updates\TaskScheduler.zip`

* `c:\Program Files\Microsoft Updates\TaskScheduler\`

* `c:\Program Files\Microsoft Updates\torunzip.exe`  `# in older variants`

### Persistence

* Two scheduled tasks, `ServiceHost` and `TaskHost`, each with multiple triggers

![Scheduled tasks](https://i.imgur.com/3G7PgRQ.png)

### Mutexes

* `{8F6F00C4-B901-45fd-08CF-72FDEFF}`

* `{8F6F0AC4-B9A1-45fd-A8CF-72FDEFF}`

* `20b70e57-1c2e-4de9-99e5-69f369006912`

## Samples

### First stage

* [e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc)  `# UpdateInstaller.exe (captured)`
* [1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d)  `# UpdateInstaller.exe (variant)`
* [64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15)  `# UpdateInstaller.exe (variant)`
* [94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97)  `# UpdateInstaller.exe (variant)`
* [9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b)  `# UpdateInstaller.exe (variant)`
* [a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392)  `# UpdateInstaller.exe (variant)`
* [ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa)  `# UpdateInstaller.exe (variant)`
* [b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867)  `# UpdateInstaller.exe (variant)`
* [c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491)  `# UpdateInstaller.exe (variant)`
* [d43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/d43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c)  `# UpdateInstaller.exe (variant)`
* [d86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/d86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5)  `# UpdateInstaller.exe (variant)`
* [fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd)  `# UpdateInstaller.exe (variant)`

### Second stage

* [cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30)  `# taskhost.exe (captured)`
* [3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693)  `# taskhost.exe (variant)`
* [a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0)  `# taskhost.exe (variant)`
* [70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d](https://raw.githubusercontent.com/stamparm/EternalRocks/master/samples/70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d)  `# shadowbrokers.zip (exploits)`

## Network indicators

### C&C server(s)

* `ubgdgno5eswkhmpy.onion`

![Example C&C communication](https://i.imgur.com/Uyqw5an.png)

### Downloading required .NET components (first stage)

* `http://api.nuget.org/packages/taskscheduler.2.5.23.nupkg`
* `http://api.nuget.org/packages/sharpziplib.0.86.0.nupkg`  `# in newer variants`

## Appendix

### Decompilation of an older sample

* [C# source](https://raw.githubusercontent.com/stamparm/EternalRocks/master/misc/svchost.7z)  `# 1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d`

![Globals](https://i.imgur.com/kBRing7.png)

### Network traffic capture (PCAP)

* [Windows 7 x64 SP1 Honeypot](https://raw.githubusercontent.com/stamparm/EternalRocks/master/misc/exploitation.pcap)  `# initial exploitation capture (2017-05-17)`

### YARA rules

* [EternalRocks.yara](https://raw.githubusercontent.com/stamparm/EternalRocks/master/EternalRocks.yara)

### Debug strings

* `C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB`

* `C:\Users\tmc\Documents\DownLoader\Project1.vbp`

* `C:\Users\tmc\Documents\TorUnzip\Project1.vbp`

* `c:\Users\tmc\Documents\Visual Studio 2015\Projects\MicroBotMassiveNet\taskhost\obj\x86\Debug\taskhost.pdb`

* `C:\Users\tmc\Documents\Visual Studio 2015\Projects\WindowsServices\svchost\bin\svchost.pdb`

### Indicators of Compromise (IOC)

#### SHA256

#### Imphash

`8ef751c540fdc6962ddc6799f35a907c`  `# older (VB6) variants of UpdateInstaller.exe`

#### Mutexes

```
{8F6F00C4-B901-45fd-08CF-72FDEFF}
{8F6F0AC4-B9A1-45fd-A8CF-72FDEFF}
{8F6F0AC4-B9A1-45fd-A8CF-727220DE8F}
20b70e57-1c2e-4de9-99e5-69f369006912
```

#### File paths

```
c:\Program Files\Microsoft Updates\
```

#### Scheduled tasks

`ServiceHost` -> `C:\Program Files\Microsoft Updates\svchost.exe`  `# system start, log on, daily`

`TaskHost` -> `C:\Program Files\Microsoft Updates\taskhost.exe`  `# system start, log on, daily`