Updated Git :)

Docs/README.md

@@ -0,0 +1,12 @@
+# Docs
+
+
+*Special Note:*
+> 
+> Providing a copy of Alejandro and McDougall's research
+which includes stuxnet. Why stuxnet when this is a fanny repo? Well,
+in essence, knowing a bit about how stuxnet work, is a good way of understanding how fanny works. And vice versa.
+> 
+> Also, their report also explains how to setup a malware infection, and using tools to detect it. very neat report!
+
+Have a nice tea!

Media/README.md

@@ -0,0 +1,88 @@
+# PROOF OF CONCEPTS (aka testing)
+
+# Deep Dive
+### video_1
+>
+> just shows the malware test
+
+
+### video_2
+>
+>  shows a re-creation (or a custom exploit) based on the malware [GIST - MSG BOX](https://gist.github.com/loneicewolf/c588f95287c55454ef6a5c28e8babd30) is here:
+
+- If you prefer `Console Application`, I include that code!
+- Same if you prefer a `DLL`, including that!
+
+
+
+## Console Application
+```cpp
+// i686-w64-mingw32-gcc -o M msgbox.c
+#include <stdio.h>
+#include <windows.h>
+int main(int argc, char *argv[]){
+  if(argc != 3){
+    printf("usage: %s  MESSAGE  TITLE",argv[0]);
+  }
+  // MessageBox function (winuser.h)
+  //  Displays a modal dialog box that contains
+  //    a system icon,
+  //    a set of buttons,
+  //    and a brief application-specific message,
+  /// such as status or error information.
+  /// The message box returns an integer value that indicates which button the user clicked.
+  // ref https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messagebox
+  MessageBox(
+              0,       /*   [in, optional] HWND    hWnd,      */
+              argv[2], /*   [in, optional] LPCTSTR lpText,    */
+              argv[1], /*   [in, optional] LPCTSTR lpCaption, */
+              1        /*   [in]           UINT    uType      */
+             );
+  return 0;
+}
+```
+
+
+
+
+# DLL
+```cpp
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+// __declspec(dllexport) THING
+__declspec(dllexport) BOOL APIENTRY DllMain(HMODULE hModule,
+											DWORD ul_reason_for_call,
+											LPVOID lpReserved
+											)
+{
+	switch(ul_reason_for_call){
+
+		case DLL_PROCESS_ATTACH:
+			{
+				// https://gist.github.com/loneicewolf/c588f95287c55454ef6a5c28e8babd30
+				// loneicewolf/win_msgbox.c 
+				MessageBox(
+				0,       /*   [in, optional] HWND    hWnd,      */
+				"TEXT", /*   [in, optional] LPCTSTR lpText,     */
+				"TITLE", /*   [in, optional] LPCTSTR lpCaption, */
+				1        /*   [in]           UINT    uType      */
+				);
+				break;
+			}
+		case DLL_PROCESS_DETACH:
+			{
+				break;
+			}
+		case DLL_THREAD_ATTACH:
+			{
+				break;
+			}
+		case DLL_THREAD_DETACH:
+			{
+				break;
+			}
+
+	}
+	return TRUE;
+}
+```

README.md

@@ -1,44 +1,172 @@
-# fanny.bmp
-FANNY BMP MALWARE SOURCE + BINARY
-- fanny.bmp malware Source
-- Binary
-- Decompiles as well as some other Details.
+### ⚠️ MALWARE AHEAD! — RESEARCH ONLY ⚠️
 
-Link to stuxnet: https://github.com/loneicewolf/Stuxnet-Source
+> **If you don’t know what this is, stop here.**
+>
+> This repository contains malware samples and research materials for **academic, reverse engineering, and forensics purposes only.**
+>
+> **Do NOT run anything outside of isolated environments (e.g., air-gapped VMs).**
 
-fanny.bmp malware sample (with lnk files, hexdumps and checksums)
+---
 
-Warning! Live Malware!
+## Fanny.BMP / DementiaWheel Overview
+
+* Related to `Brutal_Kangaroo`
+* Connected to [`nls_933w.dll`](https://github.com/loneicewolf/nls_933w_dll)
+* Infects via USB using [CVE-2010-2568](https://nvd.nist.gov/vuln/detail/CVE-2010-2568)
+* Shares DNA with Stuxnet and Flame, gauss and duqu respectievely
+
+- [modules LNK 1 RAPID7 fanny_bmp_check - By Me](https://www.rapid7.com/db/modules/post/windows/gather/forensics/fanny_bmp_check/)
+- [vulnerabilities LNK 2 RAPID7 fanny_bmp_check - By Me](https://www.rapid7.com/db/vulnerabilities/post/windows/gather/forensics/fanny_bmp_check/)
+- [metasploit-framework LNK 3 SRC of fanny_bmp_check - By Me](https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/forensics/fanny_bmp_check.rb)
+---
+
+##  Rootkit Demonstration
+
+### `shelldoc.dll` GUI Stealth Sample:
+![image](https://github.com/user-attachments/assets/66352a1f-99af-4e41-8138-559060cf560e)
+![runas demo](https://github.com/loneicewolf/fanny.bmp/assets/68499986/1839659e-adf7-4b3b-96e7-4f1b382f3a70)
+
+> ✔️ Demonstrates that the rootkit hides `.lnk` and keyword-matching files even from system UI dialogs. **Which demonstrates it's not just a simple file hider, it's a generalized rootkit that hides dirs(verify this claim)/files[x]/even strings[x]**
+
+---
+
+## Technical Report
+
+A full report was written, but will be rewritten soon for clarity and accuracy.
+The update will focus on:
+
+* Technical deep dives
+* Relationship to Equation Group tools
+* Ethical simulation techniques
+
+---
+
+## 🗂️ Project Contributions
+
+Fanny detection added to:
+
+* [Rapid7 Metasploit](https://blog.rapid7.com/2021/01/29/metasploit-wrap-up-96/)
+* [Metasploit Module: `fanny_bmp_check`](https://github.com/rapid7/metasploit-framework/tree/master/modules/post/windows/gather/forensics/)
+* [POC Video](https://www.youtube.com/watch?v=Uto_lcD2f38)
+
+---
+
+## 🧪 Basic Malware Info
+
+<details>
+<summary>Click to expand</summary>
+
+```
+Name:         Fanny.BMP (aka DementiaWheel)
+Type:         USB-propagating Worm
+Exploits:     CVE-2010-2568 (LNK exploit)
+Targets:      Windows XP → Windows 10
+Payloads:     Explorer rootkit, USB storage exfiltration, persistence via ACM driver
+
+CVE:          CVE-2010-2568
+Reference:    https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787/
+```
+
+</details>
+
+---
+
+## POCs & Hashes
+
+<details>
+<summary>Click to expand full list of samples + VirusTotal links</summary>
 
 Includes:
 
-    d.lnk
-    e.lnk
-    f.lnk
-    g.lnk
-    h.lnk
-    i.lnk
-    j.lnk
-    fanny.bmp
+* All `__*.lnk` USB autoloaders
+* `comhost.dll`, `mscorwin.dll`, `shelldoc.dll`, `ECELP4.ACM`, `agentcpd.dll`
+* Primary dropper (`fanny.bmp`)
+* Temporary file (`~DE1923.tmp`)
+
+Example:
+
+* `fanny.bmp` → [VT](https://www.virustotal.com/gui/file/0d9bb9a9e3a6f8836a1ef51862ae1c28f086da3a9006d1c7040fe57ed8c26231)
+* `shelldoc.dll` → [VT](https://www.virustotal.com/gui/file/6eb00b34d1daffa49b2f4c90841705b2c994563bde672bf35eb1c46cdb19a1ed)
+
+</details>
+
+---
+
+## Metasploit Integration
+
+> You can detect Fanny infections using the `fanny_bmp_check` module in Metasploit:
+
+```bash
+meterpreter > run post/windows/gather/forensics/fanny_bmp_check
+```
+
+Expected output:
+
+```
+[+] HKEY_LOCAL_MACHINE\SYSTEM\...\ECELP4\Driver found
+[+] HKEY_LOCAL_MACHINE\SYSTEM\...\ECELP4\filter2 found
+...
+```
+
+---
+
+## POC Videos
+
+* [Rootkit behavior demo](https://youtu.be/Uto_lcD2f38)
+* [Crash test from hiding corrupted .lnk files](https://github.com/loneicewolf/fanny.bmp/blob/main/SanUltra%20%28Fanny.bmp%20Bug%29.png)
+
+---
+
+## Reproduction Bugs & Notes
 
+> Creating `.lnk` files named `__e__.lnk` under XP with `shelldoc.dll` active may crash Explorer.
+>
+> ✔️ This has been captured and documented in video + screenshots.
 
+---
 
+## Future Plans
 
+* Improved USB C2 bridge w/ Metasploit
+* C+Lua tooling for USB backdoor command & control
+* Fully structured academic writeup
+* Screenshots and annotated source
 
-- https://www.wired.com/2015/02/nsa-firmware-hacking/
+---
 
+## Related Research
 
+* [Stuxnet Source](https://github.com/loneicewolf/Stuxnet-Source)
+* [Agent.BTZ Sample](https://github.com/loneicewolf/Agent.btz)
+* [DUQU](https://github.com/loneicewolf/DUQU)
+* [Gauss-Src](https://github.com/loneicewolf/Gauss-Src)
+* [flame-sourcecode V2](https://github.com/loneicewolf/flame-sourcecode) 
+* [MINI-FLAME-Skywiper](https://github.com/loneicewolf/MINI-FLAME-Skywiper) 
 
+---
 
+## Why Release This?
 
+> To help defenders, researchers, and detection engineers.
+> These files are hard to find. Collecting + analyzing them helps strengthen infosec.
 
-(Q) Why would you want to upload malware? You're literally providing CyberWeapons!
-(A) I believe in Open-Source, and that even though in this scenario, can hopefully help malware researchers provide better protection.
+---
 
+## References
 
+* [Securelist: Equation Group](https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/)
+* [Rapid7 Blog](https://blog.rapid7.com/2021/01/29/metasploit-wrap-up-96/)
+* [Fanny Detection Module](https://github.com/loneicewolf/metasploit_fanny_check_module)
 
-Urgent Contacts: (Malware Researchers)
-Discord: Ken-Kaneki#3978
-Mail:    william-martens@protonmail.ch
+---
 
+# MALWARE AHEAD # 
+**Branch of interest:**
+- [🔗 `only_malware` branch (live payloads)](https://github.com/loneicewolf/fanny.bmp/tree/only_malware)
 
+# Acknowledgements
+**Thanks to**
+- [Fyyre](https://github.com/Fyyre/) - for your [DrvMon](https://github.com/Fyyre/DrvMon)
+- [Hfiref0x](https://github.com/hfiref0x) - for your [KDU](https://github.com/hfiref0x/KDU)
+- [GPT(O3-PRO)](https://chatgpt.com/?model=o3-pro) For helping me check the formulation of this repo, like MarkDown, etc.
+- [FSU's 2 Students Alejandro Ugas and McDougall for their Research](https://github.com/loneicewolf/fanny.bmp/blob/main/Docs/handson-report-McDougall-Ugas-FINAL.pdf)