F-Scrack-mimikatz – A bundle of tools

Recently when analyzing samples which attempt to bypass various applocking techniques we revisited an older bundle of various tools with the sole purpose to make money for the operators. Although the campaign seems to be long inactive it illustrates that creating malware capable of making money takes little to no writing original code and all that is needed is bundling existing tools together using publicly available snippets of code.

The chain starts with a self-extracting archive which contains two files – Xagent.exe and depszip. Depszip is a ZIP archive which contains various auxiliary files. Xagent.exe is a binary created using PyInstaller and set to automatically run after unpacking the SFX archive. The original Python script is called F-Scrack-mimikatz.py and suggests that the code was derived from the F-Scrack tool.


When executed it downloads and runs LaZagne from lazagne.cacheoffer[.]tk/Windows.zip. We cannot confirm whether it actually is the LaZagne tool as the URL is not active anymore, it is a guess based on the class name used, URL and expected result, also it fits within the scope of the general aim of this bundle. Collected credentials are uploaded to u.swb[.]one/upload/win.

As a next step Mimikatz is run. The archive depszip contains x86 and x64 versions mimi32.exe and mimi64.exe. Credentials found by Mimikatz are uploaded to u.swb[.]one/upload/win and used to build an attack list. This attack list is then used to run a script on the local computer using the tool wmiexec.vbs and a technique called Squiblydoo. This technique possibly allows bypassing detection by security tools and application whitelisting by using regsvr32.exe as a “proxy” for execution of code. The executed code was hosted at xmr.enjoytopic[.]tk/d/regxmr222.sct.

The Squiblydoo technique

The same attack list and Squiblydoo technique are used against other computers connected to the same LANs. The snippet below shows how are the IP addresses generated. However this time collected usernames are ignored and username “administrator” is used instead. The script ran on remote machines if the authentication is successful is the same as on local machine. Besides running script on remote machines, all IPs found this way are scheduled for a port scan for ports:

  • 445 (SMB),
  • 3306 (MySQL),
  • 6379 (Redis),
  • 5432 (PostgreSQL),
  • 9200 (Elasticsearch),
  • 27017 (MongoDB).

The queue of scheduled tasks is processed in other threads. This thread then continues executing an infinite loop where it retrieves a range of IP addresses from u.swb[.]one/cidir and queues them for a port scan using the same mechanism.

Generating list of IP addresses


ThreadNum is a class which is responsible for processing queued tasks. It takes tasks from the queue and executes appropriate function based on the type of the task. Supported tasks are portscan, eternalblue, mysql, postgresql, redis, elasticsearch and mongodb.

Portscan tasks attempt to connect to specified IP and port. If any data is received, the type of service is guessed according to a regular expression, if successful the task is then queued with name of the service (with the exception of SMB, which is queued as eternalblue). Other tasks are processed depending on their type.

The snippet contains regular expressions even for services which wouldn’t be discovered by the scanning done earlier. If queued as tasks, these tasks wouldn’t be processed either. This is probably another sign that existing code was repurposed.

Regular expression to determine the type of service


Checks if target is vulnerable and then attempts to exploit MS17-010 and inject payload using DoublePulsar. Uses Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe leaked by the Shadow Brokers group. Injects eternal11.dll (x86) or eternal22.dll (x64). Both DLLs run the same command using the Squiblydoo technique, executed code is hosted at xmr.enjoytopic[.]tk/d/regxmr888.sct. IP address and port are sent back to u.swb[.]one/crack.

elasticsearch, mongodb, mysql, postgresql

The malware attempts to gain access to the service, takes advantage of poor configuration (no authentication) or use of default username and a weak password. A list of passwords is included in the malicious script. If it manages to access the database, it looks for databases of interest (keywords: trade, vip, bitcoin, monero, coin, ethereum, card, game, sms, mobile, creditcard). If a name of a database contains one of the keywords, it is sent to u.swb[.]one/crack together with credentials used to access the database (done for every service except for MongoDB). Other databases are dropped and a new entry containing request for ransom is created.

Default username used for each service

Following two pictures show snippets from function handling MongoDB. The first one shows that data is deleted without any backups being done. The second snippet shows the ransom note that is then inserted into the database.

MongoDB databases are dropped without any backups being made
Ransom note

The behavior is similar for other DB services. The victims will not get any data back even after paying the ransom because the operators do not have access to it after the databases are dropped.


In case of Redis servers, the malware looks for instances with no authentication or with a weak password. If it manages to access the service, the password is sent to u.swb[.]one/crack and it attempts to create a cron task. There are 3 variants of the task. Python and Shell variants download data from lnk0[.]com/BtoUt4 and pass it to shell to execute. Unfortunately we were not able to get the content. The third variant is targeted against Windows, again it uses the Squiblydoo technique, code is hosted at xmr.enjoytopic[.]tk/d/regxmr888.sct and it is a Startup task.


Searching VirusTotal revealed some possible missing pieces:


This file is probably one of the payloads hosted at:

  • xmr.enjoytopic[.]tk/d/regxmr888.sct,
  • xmr.enjoytopic[.]tk/d/regxmr999.sct.

It is a VBScript. It sets persistence using wmic.exe exactly as described in one of the leaked Vault 7 documents. Code executed in this way is hosted at xmr.enjoytopic[.]tk/d/regxmr999.sct and is executed using the Squiblydoo technique. This script also sets persistence using the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry. It creates two keys. One runs code from xmr.enjoytopic[.]tk/d/ps3.txt using mshta.exe. Unfortunately we do not have access to the file, however according to a urlquery.net report it appears to be a VBS dropper. The other key uses Squiblydoo to run code from xmr.enjoytopic[.]tk/d/regxmr999.sct.

Besides setting persistence this script downloads and runs XMRig on the infected machine. There are multiple versions of the XMRig binary. These binaries are custom made – besides running XMRig they also create a scheduled task, execute code at

  • xmr.enjoytopic[.]tk/d/regxmr222.sct,
  • down.cacheoffer[.]tk/d2/reg9.sct,
  • xmr.enjoytopic[.]tk/d/regxmr999.sct

using Squiblydoo and set persistence using wmic.exe.


This file is probably one of the payloads hosted at:

  • down.cacheoffer[.]tk/d2/reg9.sct,
  • xmr.enjoytopic[.]tk/d/regxmr222.sct,
  • xmr.enjoytopic[.]tk/d/regxmr888.sct.

It is a PowerShell script which downloads and runs XMRig miner from png.realtimenews[.]tk/m.png and also writes and executes itself every minute via a scheduled task “Update”. We have seen similar scripts with different scheduled task name and URLs.

Tools reuse and code similarity

The similarity between this tool and F-Scrack has already been mentioned. F-Scrack is a weak password scanner. The functionality of F-Scrack was extended with LaZagne and Mimikatz for stealing passwords, wmiexec.vbs to execute commands both locally and remotely and simple functions which delete data and insert ransom notes into various databases. Another addition is the possibility to create cron tasks on poorly secured Redis servers and executing code using Squiblydoo. Exploitation of SMB service is achieved by using binaries leaked by the Shadow Brokers group. Additional downloaded scripts use technique for setting persistence known from the Vault 7 leaks and the payload run is the publicly available XMRig miner.

There are more tools which share code with this bundle and with F-Scrack, for example The Patrol (巡风) or xunscan. The Patrol appears to be a vulnerability testing framework, xunscan appears to be more or less a clone of F-Scrack. Some code is also shared with the Xwo malware, which was the subject of several blog posts earlier this year in April and May.

Similarity with Xbash

Sizeable part of the code is similar to the Xbash malware. Big part of shared code is from the F-Scrack tool, additionally functions which perform the ransomware behavior are also similar, however there are some differences in implemented capabilities. This malware uploads database tables of interest back to the operators which Xbash does not do. Another thing present here which Xbash lacks is the ability to exploit other machines using the EternalBlue exploit. On the other hand advanced functionality like various exploits Xbash is known to use are not present here as the list of targeted services is smaller than in Xbash.

Making money

The goal of this writeup is not to provide an exhaustive analysis of the whole campaign therefore estimating how much money the operators managed to gain is not possible. However we can look at various parts collected. Mining pools and corresponding wallets were extracted from XMRig binaries and the BTC wallet comes from the ransom note written to breached databases.

Purpose/serviceAddressAmountAmount in USD
BTC wallet from ransom note1Kss6v4eSUgP4WrYtfYGZGDoRsf74M7CMr0.68813072 BTC5,400 USD
1.01672719 XMR90 USD
4.5212024077 XMR385 USD
1.7762915474 XMR150 USD

This limited set of wallets brought the operators about 6,000 USD. The biggest share appears to have come from ransom payments, which is probably to be expected, although the ransomware part lacks any implementation of data recovery. It is very likely that this is only the “tip of the iceberg” and the campaign is much broader earning the operators more money by simply bundling together existing tools and techniques.

Indicators of Compromise (IoC)


SFX archivefd5a462016f5a5c3afd0a642cebea42837edd3dc0c446c413770aaa70467c612
XMRig (x86)1d9fc5a423bd778769729c1d5c75c8b9dd694a9b8026bafa8cb18a93cbacb4aa
XMRig (x86)f38c4cfddf62ce50310b6bb65db3bf14b07c053724e01d8ddf492e38264562c3
XMRig (x64)0de09fae50bcb810943cff3d9882fd01766e85c94a2299e6d3f1f6205622f3a6
XMRig (x64)9464e66c0a666ea86194bf80afd9dbc3e303d120b687dba14a02914c0a804845
XMRig (x64)9ce588c9e3765232e56b41db86f10632659ee2eb68615c4f926d2ee31cdfa418
XMRig (x64)d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6




Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.2 Safari/537.36
Ransom note
Send 0.02 BTC to this address and contact this email with your ip or db_name of your server to recover your database! Your DB is Backed up to our servers!