Mr Robot S02E01 easter egg

At the end of S02E01 of Mr Robot, there is a scene where Darlene generates ransomware with a modified SET toolkit. My fingers were itching for the IP address 192.251.68.254, which seems to be the C2 address for this malware. Not surprisingly, WHOIS resolved to NBC-UNIVERSAL. Let's see how deep this rabbit hole is.

The last page, http://i239.bxjyb2jvda.net, displays a “YOUR PERSONAL FILES ARE ENCRYPTED” message. You may wait for 24 hours or just check the JavaScript controlling the countdown timer, where you will find a Base64-encoded string.

PGRpdiBjbGFzcz0ib3ZlciI+PGRpdj4iSSBzaW5jZXJlbHkgYmVsaWV2ZSB0aGF0IGJhbmtpbmcgZXN0YWJsaXNobWVudHMgYXJlIG1vcmUgZGFuZ2Vyb3VzIHRoYW4gc3RhbmRpbmcgYXJtaWVzLCBhbmQgdGhhdCB0aGUgcHJpbmNpcGxlIG9mIHNwZW5kaW5nIG1vbmV5IHRvIGJlIHBhaWQgYnkgcG9zdGVyaXR5LCB1bmRlciB0aGUgbmFtZSBvZiBmdW5kaW5nLCBpcyBidXQgc3dpbmRsaW5nIGZ1dHVyaXR5IG9uIGEgbGFyZ2Ugc2NhbGUuIjwvZGl2PjxkaXYgY2xhc3M9ImF1dGhvciI+LSBUaG9tYXMgSmVmZmVyc29uPC9zcGFuPjwvZGl2PjwvZGl2Pg==

This decodes to:
I sincerely believe that banking establishments are more dangerous than standing armies, and that the principle of spending money to be paid by posterity, under the name of funding, is but swindling futurity on a large scale.
– Thomas Jefferson

Edit:
By inspecting the SSL certificate for this webserver, I discovered plenty of other Mr Robot related domains in the Subject Alternative Names field.

DNS Name=www.racksure.com
DNS Name=racksure.com
DNS Name=*.serverfarm.evil-corp-usa.com
DNS Name=www.e-corp-usa.com
DNS Name=iammrrobot.com
DNS Name=www.conficturaindustries.com
DNS Name=www.iammrrobot.com
DNS Name=*.seeso.com
DNS Name=*.evil-corp-usa.com
DNS Name=e-corp-usa.com
DNS Name=*.bxjyb2jvda.net
DNS Name=whoismrrobot.com
DNS Name=seeso.com
DNS Name=fsoc.sh
DNS Name=www.fsoc.sh
DNS Name=conficturaindustries.com
DNS Name=whereismrrobot.com
DNS Name=www.whoismrrobot.com
DNS Name=www.whereismrrobot.com
DNS Name=evil-corp-usa.com
DNS Name=www.seeso.com

At the beginning of S02E01 you will also notice that Elliot logs in to bkuw300ps345672-cs30.serverfarm.evil-corp-usa.com over SSH.

As for the puzzle at https://fsoc.sh:
If you look at this page, you may notice that the cursor is blinking at random intervals.
It’s not really hard to see that this is Morse code, but I’m terrible at solving these things manually. So I’d rather do it the techie way.

https://www.fsoc.sh/assets/main.js

t.startCursor("MzkzMzUzNTM5NTMzMzk1Mzc5OTUzNzMzMzM1MzUzOTM1Mw==") is what controls the speed of the cursor blinking. The Base64 argument decodes to the ASCII string 3933535395333953799537333353539353.

3 is a dot “.”
5 separates letters “ ”
7 represents a word space in Morse “/”
and 9 is a dash “-”

3933535395333953799537333353539353
.-.. . .- ...- ./-- ./.... . .-. . == LEAVE ME HERE
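
The decoding above as a script, added here as an example (it is not code from fsoc.sh's main.js or from the original post): Base64 to digit string, digits to Morse using the mapping listed above, Morse to text. The function names are illustrative assumptions, and it runs under Node.js.

```javascript
// Added example, not taken from fsoc.sh's main.js. Function names are illustrative.
// Argument passed to t.startCursor(), as quoted in the post.
const CURSOR_ARG = "MzkzMzUzNTM5NTMzMzk1Mzc5OTUzNzMzMzM1MzUzOTM1Mw==";

// International Morse code, letters only (enough for this puzzle).
const MORSE = Object.fromEntries(
  ("A.- B-... C-.-. D-.. E. F..-. G--. H.... I.. J.--- K-.- L.-.. M-- " +
   "N-. O--- P.--. Q--.- R.-. S... T- U..- V...- W.-- X-..- Y-.-- Z--..")
    .split(" ")
    .map((pair) => [pair.slice(1), pair[0]])
);

// Step 1: Base64 -> ASCII digit string. Reject anything outside the four
// symbols the post identifies, so a wrong input fails loudly.
function decodeTimings(b64) {
  const digits = Buffer.from(b64, "base64").toString("ascii");
  if (!/^[3579]+$/.test(digits)) {
    throw new Error("unexpected symbol in timing string: " + JSON.stringify(digits));
  }
  return digits;
}

// Step 2: apply the post's mapping: 7 = word gap, 5 = letter gap, 3 = dot, 9 = dash.
function timingsToMorse(digits) {
  return digits
    .split("7")
    .map((word) =>
      word.split("5").map((l) => l.replace(/3/g, ".").replace(/9/g, "-")).join(" "))
    .join("/");
}

// Step 3: Morse -> text; unknown or empty codes become "?" instead of vanishing.
function morseToText(morse) {
  return morse
    .split("/")
    .map((word) => word.split(" ").map((code) => MORSE[code] ?? "?").join(""))
    .join(" ");
}

function decodeCursor(b64) {
  const digits = decodeTimings(b64);
  const morse = timingsToMorse(digits);
  return { digits, morse, text: morseToText(morse) };
}

console.log(decodeCursor(CURSOR_ARG));
```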

46 Responses to “Mr Robot S02E01 easter egg”

  1. L0K1 says:

    Well done mate! I started looking into this myself when I came across your post. Thanks for saving me the trouble, however I am sort of let down that I didn’t do the work myself.

    Later mate.
    “the quieter you become, the more you’re able to hear”

  2. Azaz3l says:

    That is a great find.
    I was wondering about the IP address as well, but did not have these skills to find things out myself.
    Given that last season they revealed an octet to be 300 something which was noticed by a lot of people, looks like the creators have done their homework.

    • LA_AZ says:

      I heard that the 300 was no mistake. It’s mentioned on the USA website, and it says it was basically the equivalent of shows using 555 phone numbers.

      I don’t know if that’s a good excuse/explanation, but I’d be somewhat willing to buy it given that the show gets so much right it’s hard to imagine something like that getting by.

  3. Alberto says:

    Great!

    Looks like I wasn’t the only one who paused the video to read what was happening.

  4. sandman says:

    appreciated. 🙂

  5. Uncleribbit says:

    I love the coding done and the fact checking. Can someone tell if the digital bar-code was of a real product and if so, of what?

  6. Tony says:

    There is a QR code in his diary that links to http://www.conficturaindustries.com

    • doughnut says:

      The filenames are also the md5sums of the file.

      $ md5sum 038dabd46abb838d76a5c299a8a3c548.png 7713fde0dcba171d095ffc09013f3934.jpg 593b4f17b89f32d47584b2c98627124a.png
      038dabd46abb838d76a5c299a8a3c548 038dabd46abb838d76a5c299a8a3c548.png
      7713fde0dcba171d095ffc09013f3934 7713fde0dcba171d095ffc09013f3934.jpg
      593b4f17b89f32d47584b2c98627124a 593b4f17b89f32d47584b2c98627124a.png

      I checked their exif data and saw nothing interesting. They do look like they could have some fun stenography in them but I’m no expert on that.

  7. m1k3h4x0r says:

    Interesting cert reuse, mixing mr robot with an actual product/project (Seeso) it looks like they’ll be launching soon

  8. InterestedParty says:

    To add on to the puzzle section, if you write down the numbers and letters the eye looks at, you will get 4C4F4F4B205550 which when translated from hex to ASCII reads LOOK UP. Thereby giving a clue to the morse code angle.

  9. voudras says:

    There is a handmade QR code at about 11:05 in his notebook – episode 1 iirc.

    anyone check that out yet?

  10. Peter S says:

    Interesting!

  11. Jsomontan says:

    That’s awesome! Nice find!

  12. Rick says:

    Those md5sums tend to lead to fsoc.sh (google them)

  13. MrAnon says:

    Hi,
    At fsoc.sh, by writing leave me here in the box you get to a terminal where you can insert your email and then access a computer. There are images and video, check it out.

    MrAnon

  14. Rickb says:

    Wow man, good job! I love Mr Robot and apparently so do you! Lol

  15. Michael says:

    I feel cool because I also use the monokai theme for my text editor

  16. taaha says:

    Interesting…
    I would like to know if possible, more details about the part where you talked about inspecting the ssl certificate and got the related domains.

  17. Godthehamster says:

    Hack the Gibson is also at the end of the malware Darlene is writing.

  18. Tinman says:

    Did anyone else scan the QR code in Elliot’s notebook? It works.

  19. Luke says:

    This construction gif has an interesting domain in the exif comments:
    http://www.conficturaindustries.com/images/jfconbohrer_e0.gif – seems to link to a
    Animation yes
    Frames 11
    GIF Version 89a
    Has Color Map Yes
    Color Resolution Depth 5
    Bits Per Pixel 4
    Background Color 0
    Animation Iterations Infinite
    Frame Count 11
    Duration 1.07 s
    Image Size 100 × 113
    File Size 14 kB
    File Type GIF
    File Type Extension gif
    MIME Type image/gif
    Comment http://www.helpmaster.com/%01USSPCMT

    Unless it was maybe borrowed from the internet

  20. baccuss says:

    GREAT POST!!! I am SO GLAD it’s not just me. You all have made my day, both with this post and the comments. I only saw episode 1 season 1 two days ago and I just knew I had to check this series out.

  21. Just1 says:

    Anyone find the Kernel_Panic.log on the whoismrrobot.com site? double click on telnet (not telnet home) and type Ls. It gives you another directory. You can open and play the old school snake game. but if you type ‘open ch347c0d35’ it brings you to a Kernel file. I can’t decode it. Would love some help.

    • Torstein says:

      Code: 69 6e 69 74 20 64 65 63 6f 64 65 20 73 65 71 75 65 6e 63 65 2e 2e 2e 66 69 76 65 20 64 6f 77 6e 2c 20 6e 69 6e 65 20 61 63 72 6f 73 73 2e 2e 2e 73 6b 69 70 20 74 72 75 6e 63 61 74 69 6f 6e 2e 2e 2e
      = init decode sequence…five down, nine across…skip truncation…
      = 5-9 ? Probably multiple theories around this on google

  22. Greenoid says:

    Thanks for doing all the work. I started watching yesterday and stopped to note the IP address, wondering if and what would await me. Ok, so you sort of spoilered it, but I would have found the time anyways. Good work.

  23. DMITRY says:

    i240.bxjyb2jvda.net

  24. Muddassir says:

    I just don’t understand one thing. Why would an organization name itself evil corp?
    I know people will call you evil behind your back or to your face, but including evil corp in your own ssh login host name is not understandable.
