JavaScript is not available.

Many months later, Anydesk is also installed.

185

Anydesk log - interesting name on that incoming session request. Any "direct scam paid 3" on the connection flags?

208

Log files are a bit all over on Anydesk, but this inbound connection is from 103.220.18.194. Kolkata, India. shodan.io/host/103.220.1

211

The IP has Sonicwall exposed to the Internet which is a bit odd.

159

AweSun logs show another Kolkata IP with SonicWall. shodan.io/host/103.121.1

146

I believe ad.roster.items in user.conf for Anydesk are recent sessions made. That's a lot of sessions - is this a logged in account that lets us see what the scammers are doing?

132

Another sign they are trying to pretend to be Microsoft.

153

Unattended access password hash, maybe? Anyone know how you crack these?

143

Opened History SQLite3 DB from Edge. Lots of money transfer stuff being done.

150

They do seem to have stored a couple of passwords in Edge's password safe. Not sure how to trivially access that from an image, might need to boot from an image.

124

Deeply tempted to spin this up on a danktop with a keylogger installed and grab all the passwords they are using.

216

The Anydesk session appears to allow switch_sides and filetransfer both ways. High risk for them?

141

Jesus, Anydesk is just a massive monolithic binary in Windows... going to be a real pain to reverse that hash algorithm.

135

cheesedog123 gives this hash. Salt changes each time. ad.anynet.pwd_hash=c81e58dc07bfb2dc42e5bffd47f25d7d17d870e673895bee99b36d6c28bd3960 ad.anynet.pwd_salt=2170a3c5bfd1728bb098f4fdcabfd6ea

125

Ah, the Raspberry Pi Linux .deb looks like it's a lot easier going.

129

Ok, SHA256 constants. Yes, I am so sad that I can eyeball these now.

221

Surprised no one else has looked into this before. Annoying that it's a monotlithic binary, some imports would make this much easier.

118

Thanks to

and a memory dump into this function from Frida and we have the hash function worked out. It's sha256(password + null + salt) I thought I tried that but must have made a mistake.

138

I think we can coerce hashcat into doing this by putting a null at the beginning of the salt... One moment please.

113

Yep - just put the null on the start of the salt. hashcat --hex-salt -m 1410 anydesk.txt dict.txt

169

Ok - parallel to this, I've pulled the passwords from Edge. They are the same and of the form Word123. They used the user's email address on several money transfer platforms. The pass works.

152

I now have the Anydesk password as well. longerword123 This is falling apart quite quickly.

298