
$2 MILLION DOLLARS STOLEN in Bitcoin/Ethereum - JScript Malware Analysis

Jun 06, 2021
Hello everyone, and welcome back. Welcome back to some original content from John Hammond, where we do it live, we have the screenshot, and we're all hanging out having a good time doing nerdy computer stuff. So I'm going to jump over to my desktop here and show you what we're looking at today. I am in this directory called spicy, because this is spicy; it's a little bit of an onion. Let's see what we have here. We have the original command that we're going to take a look at, and stage1.js.
Now, you know me. When you see a .js extension you usually think, oh, that's JavaScript, and that would be fine; sometimes it's right. What's funny is whether this will end up being malware, or whether it will be some malicious code that ends up on the end user's computer, the host, the victim's target machine, which will typically end up running Windows. Windows has its own interpreter, wscript.exe or cscript.exe, depending on whether or not you want it in a window or in the console (C script), and these will typically end up running VBScript, or mshta would be used for an HTML application, Microsoft's and Windows' own interpretation of HTML as a language. Kind of a horrible explanation, but JScript is Microsoft's dialect of JavaScript, and it uses some other features and functionality that come from Windows. That's enough rambling; let's get into this.

We have stage1.js, so let's take a look at what we have here. Now, this is a big file. It's JScript, and it's JavaScript, so it's going to have JavaScript as the syntax. You can see a try statement here, and let me go to the end, where I accidentally clicked on it. People keep yelling at me, "John, you have to use word wrapping," so here you go, this is what it looks like with word wrapping, with big, ginormous text. If you were to set the syntax here to JavaScript in Sublime Text, the line is so long that it doesn't like to render it, or it doesn't recognize it. Obviously there's a lot of obfuscated JavaScript in this code that we can see, and it's all compressed into one minified line, so we should start beautifying this now.

I usually tend to do this, and you've seen me do it in other videos: I do this manually and use it as a means to understand and read the code as I go through it. A lot of people complain, you know, they write in the comments, which is great, stay committed to the YouTube algorithm. They say, "John, why don't you go ahead and use a beautifier or some tool to beautify things?" I mean, you are right, you are absolutely right. We can use some online tool like an online JavaScript beautifier.
I'm on beautifier.io right here, and we can go ahead and paste the code right there, and now it's beautified so we can make sense of this. I'm going to copy it and put that in a new file that we'll call stage one beautified dot js. There we go, and now we have our syntax highlighting; it's all on different lines, it's not minified, it's not compressed, etc. We have some random, seemingly arbitrary variable names and base64-encoded comments that aren't useful, and I don't think they actually decode to anything. I'll just throw them in there, pipe this to base64 with the -d flag, and yeah, it's a lot of nonsense, so there's that. Let's go back to the code. It has this function that deletes some string stuff, etc.; clamp, where's the tip, right? We have the zy2k6m game, etc., some functions with random names and some functions to handle strings, etc. But eventually I started noticing some things like encryption, some cryptography stuff in the mix. Reading this and just getting an overview, we are working with blocks, and as we scroll down there are more and more functions that set things like a block size, an IV or initialization vector, the key length, etc. So I think, just looking at this with my eyes, this will end up doing some type of encryption, most likely AES, the Advanced Encryption Standard, which is what that acronym means. You can see the key size, some hasher, some iterations; we have an algorithm that will end up using a few different names, but look at all of this and it will somehow figure things out: base64, key size, IV size, encryption and decryption modes, stream cipher, blah blah blah. We don't need to go into all this, because when we get to the end we realize there was a huge base64 blob here. The clever trick is that this base64 is inverted or, you know, written backwards.
Here's a telltale sign: the equals signs you normally use to identify base64 are usually found at the end of the seemingly random array of uppercase letters, numbers, and lowercase letters. In this case, they're at the front. You still see the slash, you still see the plus, you still see more and more things that indicate, okay, this is most likely base64; it's using the same character set. Now, if I scroll to the bottom, you'll notice there's a lot of base64 in there again. I'll turn on word wrapping and you can see the sidebar here that has a lot of base64. So we finally get to the end, and it does something peculiar. Let me turn off word wrapping so we can make sense of this linearly.
Here we create all that base64 inside some wrapped function that apparently splits it on nothing and reverses it. As we said, the base64 is backwards, and it joins everything back together. I think it has to do this because the reverse function is available on an array or list, not just a string. So there's that, and then, after you create this variable, you pass it to this ga5gmngzfalcn (or whatever) function along with other things, which I guess will end up figuring it out or doing whatever it needs to. That's really something interesting. If we were to play with this, I'll show you; let me nerf this line, because this ga5g-blah-blah-blah function will end up being essentially eval.
It will basically execute the code passed to it as if it were a string. You can see it right in the function definition: it takes the argument, but the argument will end up being converted to its own function and then called and executed. So we know we'll end up having more JScript or JavaScript coming from this. We don't want that to trigger, so we're not going to let that run. I think that's a good idea, right? Of course, I'm in a virtual machine, of course I'm behind a proxy and a virtual private network, and we're being safe, guys.
Don't worry about me, I'm fine. So let's try to display it, and I'll use Node to go ahead and run this. I will display the contents of this variable without doing anything else, trusting that there is nothing more to this code here, but we've done our analysis. So now we have this stage one prettified, and I guess we should rename it to something like our sandbox. If I use Node.js to run it, you get all of this, plus base64; a lot of base64. Now, this is the base64 that we saw present in this original string, and that code we saw was reversed. We can take a look, and yes, it is corrected; that is base64.
If we try to decode this, what do we get? I'm running a base64 -d command right there: non-printable characters, because we have this understanding that this is encrypted or something is done with it. Let's redirect that to a file and run file on it, and that tells me, oh, this is OpenSSL encrypted data with a salted password. You can verify that by just taking a look at that file: you can see the salted header here, the signature right at the beginning of that file tells us that yes, it is indeed OpenSSL encrypted data. So what does this code do that decodes or decrypts it and then executes it?
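The two checks from the last few minutes, reversed base64 and the OpenSSL "Salted__" header, as an added Node.js example that is not from the video: it un-reverses a base64 string whose padding sits at the front, decodes it, and reports whether the result starts with the Salted__ magic and what the 8-byte salt is. The blob it inspects is constructed inline (a placeholder, not the real payload), and the "padding at the front" heuristic is my own wording of what the video describes.

```javascript
// Added example, not code from the video or the sample.
// Un-reverse a backwards base64 string, decode it, and check for the
// OpenSSL "Salted__" enc header that `file` reported on the decoded blob.
const SALTED_MAGIC = Buffer.from("Salted__", "ascii");

// Same trick the sample uses: split into characters, reverse, join.
function unreverse(s) {
  return s.split("").reverse().join("");
}

// Heuristic from the video: '=' padding at the front and only base64
// alphabet after it means the string was most likely stored backwards.
function looksReversedBase64(s) {
  return /^={1,2}[A-Za-z0-9+/]+$/.test(s.trim());
}

// Decode (un-reversing first if needed) and classify the bytes.
// Returns { salted, salt (hex string or null), length }.
function inspectBlob(text) {
  const b64 = looksReversedBase64(text) ? unreverse(text) : text;
  const raw = Buffer.from(b64, "base64");
  const salted = raw.length >= 16 && raw.subarray(0, 8).equals(SALTED_MAGIC);
  return {
    salted,
    salt: salted ? raw.subarray(8, 16).toString("hex") : null,
    length: raw.length,
  };
}

// Constructed sample blob (placeholder, NOT the real payload):
// "Salted__" + 8-byte salt + 16 bytes of dummy ciphertext, base64-encoded
// and then reversed the way the sample stores its blob.
function buildSampleBlob() {
  const salt = Buffer.from("0102030405060708", "hex");
  const body = Buffer.alloc(16, 0xab);
  const raw = Buffer.concat([SALTED_MAGIC, salt, body]);
  return unreverse(raw.toString("base64"));
}

// Stand-alone demo
const demoBlob = buildSampleBlob();
console.log("reversed-looking:", looksReversedBase64(demoBlob));
console.log(inspectBlob(demoBlob));
```

When the report says salted is true, the next step in the video is exactly what follows: the script's own AES routine plus the key it reads from WScript.Arguments(0) is what turns this blob into the next stage.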
That's why I'll call it gag5, even though that's not what it's called, but the gag5 function uses calls to functions that are already defined, with this variable of all the base64 included, but finally does something specific to JScript, something specific to the Windows scope and that operating system, because we're going to end up using the WScript object and checking the arguments that are present. Now I could jump to, um, I think I have a Windows virtual machine here. I dragged that guy and clicked on Ubuntu like a fool. Power on that Windows 10 virtual machine.
Hopefully it won't take too long, and I can explain and show you that WScript.Arguments(0) is exactly what you think: it will end up being the list of arguments provided to this program, and you know it's going to do something with that specific one. If we wanted to examine what came out of this, or what the code ended up being, we need to figure out what that is, because that could very well be the key to cracking this code. Now let's take that line, I'll comment it out here, and make a console.log for all of that, with this comment again completely useless, removing some of the parentheses here and making sure we don't actually run it with this function that we know is eval, that we know executes. So let's nerf it and remove one of those parentheses here.
The problem is, because I'm testing this on Ubuntu, on Linux, who knows what WScript is? Node.js, that interpreter I was using to run this JavaScript/JScript code, doesn't know what it is. So if I go ahead and run Node.js with our stage one prettified, it doesn't do anything, and it caught me by surprise for a second, because this is all inside a try/catch statement. If we modify this and do some console.log ("we made a mistake"; I like all those suggested variable names, absolutely meaningless), and then console.log the e variable, or the error itself, it will tell us that we made a mistake and it doesn't know what WScript is. Pretty fair, totally understandable, totally cool. So if we were to do this on Windows... log in with a little password here, awkward silence, because I thought, oh, let's do this random demonstration. You'll get the point; believe me, I'm sure you believe me on this point, and it will end up being the argument supplied. I'll pause the video and leave this so I can show that. Oh geez, come on, Cortana, get out of here. Whatever. I've already modified this a little bit, so I have this testing.js, and yeah, I had to remove this to be able to show you from the actual view. Let's do a test: okay, testing.js, creating an empty file, let's edit it with Notepad and do WScript.Echo to show the output of WScript.Arguments(0). If you were to try to just click on this and run it, it will fail because the subscript is out of range: no arguments were passed to it. So let's open the command prompt, I'll jump to my desktop where I created that file, and I will use wscript.exe to call testing.js again.
You will see "subscript out of range". This is what I was discussing about wscript versus cscript: wscript creates that window, while cscript displays it in the console, and it has that error. So let's provide an argument here, we will do "subscribe", and now that is displayed, and that wscript of course you can see as a window. So we need to know what argument was given to this malicious code in this JavaScript/JScript file, and remember we have our friendly original.cmd where we keep track of the original command prompt that ran this. It calls wscript.exe and it's using the /e flag to specify the language that it will end up using, and if we take a look at the help for wscript, you can see that it's actually something you can use.
I'll do a slash question mark, and /E:engine will specify the engine to use to run the script, and you can specify which one. I'll do it with cscript to make it a little more visual. "Engine: use the engine to run the script." It could be either cscript or wscript.exe as the interpreter, but the engine will be some kind of programming language to interpret and execute this; JScript, in our case. Going back to the original command, we execute JScript to run this file, which, interestingly, is called Adobe Color CR Extra Settings 1.0 mul .zip. Originally it was trying to fool us with the facade and deception of being disguised as a zip file. It is not a compressed file, it is not. So wscript.exe, /e, key hhz rtsm etc., etc., this thing is the argument. Yes, we would take this original command, we would go back to our Windows playground; if I ran this, you can see there are errors and my newlines are getting in the way, so let's not do that and go back, clear the screen, paste all of this. Now we're going to end up using wscript /e:jscript for testing.js with that argument provided, and you can see this whole string, wscript.exe etc., etc., appears again. If we did that with cscript, it will show it in the console, but it knows exactly how to do that. So there's our key, which is what we need to go ahead and replace inside our little beautified code here instead of using WScript.Arguments(0). So let's nerf it and replace it with that string that we know it's going to be.
Now, if we try to run this with Node.js, it should behave and give us something new. Let's go ahead and find out. I'll be running Node.js on, what the heck do we call this, stage one beautified, cranked. Now we have more code, more apparent base64, etc., etc., a lot of nonsense. Let's just redirect that to a new file; we'll call it stage2.js and open that up, and it's exactly the same kind of structure, of course, all compressed and minified. So let's take this to our good friend beautifier.io, slap it in, take the beautified code and create a new file that we'll call stage two beautified dot js. Okay, come on now, if you notice, this is the exact same functionality, the exact same structure and configuration, with some different variable names here, different randomness for those things that it's trying to hide and obfuscate, but at the end of the day it's all exactly the same code again, using some base64 encoding (not encryption, but also AES or some kind of encryption) that will hide and bundle this file. It turns out that if we go to the end of the file, just as we saw previously, there is exactly the same setup, where we have a new function that will act as our eval to run the code and reverse the base64. So let's do the exact same thing again, where we won't run this but we'll display it on the screen, and instead of WScript.Arguments(0) we'll use our original command key that we already have. Slap it in, and now we can run this. So I switched to Windows when I didn't need it.
We want to return to our console in Linux. Let's run Node.js on our stage two beautified .js. Here we go again, redirecting this into stage3.js. I'm sure you get the idea. Once again we have the same obfuscated code that we deobfuscate, and we will discover that it will again have exactly the same structure. Windows, get out of here, I want to stay on Linux, please. Let's call this stage three beautified dot js, and yeah, you know what's coming. It's once again the same setup and structure, so let's nerf this line, clean it up, show it on the screen, and fix the WScript arguments. Now, at this point, you might be thinking, and I was thinking, oh, this is going to be something cool, you know, a little matryoshka doll, right? How many layers of this are we going to have to peel before we move on to something more interesting or worthwhile? And I thought, hey, at this point, we should probably start scripting this, we should probably start figuring out something that could do this on the fly, no matter how many layers it had.
I'll be able to drill down and break this all down. If I run this, though, we ultimately get different results, so I'm wondering: hmm, maybe we're on to something? Are we doing something new here? So I redirected this to stage4.js, and now we're on stage four, again compressed, minified, all in one line. Pop it into our little beautifier. Here we now have a new syntax and structure. We should be excited to see that. We're going to call that stage four beautified dot js, and now we have this. Okay, a little bit, a tiny little thing here, but of course this should stick out like a sore thumb.
We have a new function being defined where we take the argument, treat it as code, wrap it with a function, and then run it. Again, another eval setup, and apparently this function is called, but it has some comments here; in fact, more comments were added to it, other comments that get in the way. So at that point I'm like, okay, we need to get rid of all these meaningless comments. The way we can do it is, of course, some regular expression find-and-replace magic in Sublime Text. You can see I just used a forward slash and then an asterisk.
We'll have to escape that with a backslash to note that we literally want to match that. Then we'll use dot star to glob everything, and to make it right, add the question mark so it doesn't eat up the entire line; starting with the forward slash star, just the minimum portion that you can get. So we'll have another literal backslash star in there and a closing forward slash, and replace them all with nothing. Now that we're done with that garbage that gets in the way of the code we are trying to execute (even though this is already garbage code), the eval function calls more code with another eval function that builds it from character codes, all these ASCII values that represent the characters we need.
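The two cleanup steps just described, stripping the /* ... */ comments with a non-greedy regex and folding String.fromCharCode(...) calls back into readable text, as an added Node.js example that is not from the video. The sample input is constructed here (a comment-laden eval wrapper that spells out "WScript" and "Echo" as character codes), and the function names are my own.

```javascript
// Added example, not code from the video or the sample.
// Mechanical cleanup of a beautified stage: drop block comments, then fold
// String.fromCharCode(...) with purely numeric arguments into string literals.

// The regex from the video: escaped /* , lazy .* (as [\s\S] so it spans
// lines), escaped */ ; global so every comment is replaced.
const BLOCK_COMMENT_RE = /\/\*[\s\S]*?\*\//g;

function stripBlockComments(src) {
  return src.replace(BLOCK_COMMENT_RE, "");
}

// Matches String.fromCharCode(65, 66, 67) where every argument is a decimal
// number; anything with variables or expressions is left alone.
const FROM_CHAR_CODE_RE = /String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g;

function foldFromCharCode(src) {
  return src.replace(FROM_CHAR_CODE_RE, (_match, list) => {
    const text = list
      .split(",")
      .map((n) => String.fromCharCode(parseInt(n, 10)))
      .join("");
    // JSON.stringify gives a properly escaped JS string literal.
    return JSON.stringify(text);
  });
}

// Full pass: comments first, so a comment cannot hide part of a call.
function cleanStage(src) {
  return foldFromCharCode(stripBlockComments(src));
}

// Constructed sample stage (placeholder, NOT the real stage four).
const SAMPLE = [
  "/* aGVsbG8= */ var a = /* junk */ String.fromCharCode(87, 83, 99, 114, 105, 112, 116);",
  "/** multi",
  "    line **/ var b = String.fromCharCode(69,99,104,111);",
].join("\n");

// Stand-alone demo
console.log(cleanStage(SAMPLE));
```

Folding only numeric-argument calls keeps the transform safe: a call like String.fromCharCode(x ^ k) still needs the interpreter, which is why the later stages in the video are run through Node with the eval nerfed rather than rewritten by hand.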
Let's figure out what they might be. Let's nerf this so it doesn't detonate again, but just show it, so we take that String.fromCharCode sequence and of course throw it into console.log so we can figure out what is supposed to come from this. Again, that line is too long, so Sublime Text doesn't recognize it and the syntax highlighting is not added, but that's okay, we can rely on it. We know what that beautified stage four was, so let's run Node.js on stage four beautified, and we have this again. Let's redirect it to stage5.js, open that bad boy, and now we have this. So let's give this one more time to the beautifier.
We should really get to a point where we can automate this. I'd love to build some kind of tool that could do this kind of thing. What is stage five now? Yeah, stage five beautified. Maybe take Katana, take our original engine type and change it to beautify things, or unmask and revert things like languages like this, but I might need some abstract syntax tree and other things that I just haven't had time to do. But you know, in life everything gets in the way. So now we have new functionality, right? This is not exactly the same identical code that we saw earlier.
However, it still does things with strings. I'm going to assume, seeing this, that it's doing something interesting, like custom base64 encoding, just like with the alphabet that it defines within this code. I thought it was pretty good to be able to encrypt or encode some base64 functions, and scrolling down we have other convenient functions or helpers to encode and decode UTF-8, but finally we come to a legitimate eval; we get the direct eval function. Cool, that's nice, that's great, but we have all these meaningless variables, replacing, I guess what will end up being, yeah, they're faking padding by having extra garbage in here with equals signs, replacing that, removing the equals signs, and all of this will go into eval after this function handles all this base64. So we know what to do, we know the procedure: let the code de-obfuscate, revert, unravel all this on its own, and see what comes up. Let's go back to our Linux shell, once again run Node.js on stage five beautified, and take that to stage6.js. Here we go. You can notice that this now becomes apparently readable code, and you are absolutely right; I think at this point we have reached the end. I was going to call that a PowerShell script, my bad, stage6.js, oh, beautified, beautified, beautified; not beautified but beautified. There we go. Good, and here we are. I'm assuming that the final layer, the final piece of the onion, is here.

So we define some ActiveX objects so we can do Windows-specific things: WScript.Shell, Scripting.FileSystemObject, a spl or perhaps a delimiter character to denote backslashes, and then we see verss, which shows the "backend soft 1.0.1.9" string, and getserial, which looks like a function that will probably be defined later. It is a function that will take the APPDATA environment variable and add the rest of the path to get to the home folder, same for all user profiles, which is quite useful; this will probably end up creating persistence. Determine the temp directory, the app data directory, the desktop, and then, you know, the full name of the script. So let's use the full name of this script and then the name of this script. There we go. udex is some kind of declared delay set to 20; then PowerShell for the file, PowerShell, batch, vbs, pss.
I haven't actually seen that extension before; I'm not one hundred percent sure what it could be. lnk, of course, a startup file, and then modinisks is a function that we end up calling; that's all in a try statement, and if we detect that we failed, okay, we don't bother. But then we continue with, probably, a little do-while statement where we're trying to send something with an httpsend, and apparently we get some commands from there, where we split those things. It looks like "ex" will evaluate and actually execute more JScript or JavaScript, and "cmd" code, like some of these commands.
The messages this could end up using will go ahead and run a command with WScript.Shell; it will run a program. The name of this script would probably have been wn. So download the exe; I'm going to assume that dwnlexe will pull down the file, which is probably another function that will end up being called, adding it to the temp directory and then having cmd.exe start that. Oh man, we really butchered it, we really nerfed it when I ended up typing "dw wn" with, uh, the name of the script. Bad. Oh dear, it's everywhere. Why did we do this?
Let's replace this script name with wn; we'll just fix it instead of running it. It will still save it, whether you want it in the temp directory or on the desktop, etc. If it's an exe, then download the file and it will run it, which is interesting. autoremove, unmonksec, another function we'll end up finding here; maybe "update the script", because it looks like it will download something and overwrite itself, or the path to this potentially, or just get a new script, update it and run it. And then we have a functionality called funcret. Let's see what it is. But before we start, we have this httpsend function that has the syntax and boilerplate code to be able to send web requests directly within JScript or JavaScript. We end up using Microsoft.XMLHTTP and call this bad boy: api backend.com, 8880, connect. Ooh, okay, little compromised flag, there's something fun we can play with and poke at later. We add our user agent from a small getuseragent method or function here, adding the x header for vn, and it looks like the getuseragent function checks if vbc exists, and this is that Visual Basic compiler, yes, the Visual Basic command-line compiler. So if you have the .NET Framework, it most likely ends up being on your machine, and you check whether it exists or not. And then we collect more information, like the computer name, the username, and then we get the version of the OS. getantiv, I guess antivirus, perfect; getenv, of course we will get an environment variable; getserial, we will get the serial number of each hard drive; getsystem, we will get the name of the operating system, or the caption here, using WMI, Windows Management Instrumentation; same with OS version and enav.
I'm not sure what enav, enabled and disabled, is; it's whether AV is enabled, maybe. I think it makes sense to enable AV, because Defender could be in those two different states. But this feature, I think, is cool: funcret. It has this mizu variable, this etho variable and a bch variable. It creates an htmlfile object where it takes the text from the clipboard data and replaces things in it, and then it looks like it's looking for a pattern, a regex pattern. It tests whether inside the clipboard there is data that has that pattern. Hey, are we looking for results from eth, or from bch, looking for Bitcoin Cash? bch reg, or bch test: if it finds these results it will sendclib. Based on these variable names, you can probably already determine which is a Bitcoin address and which is an Ethereum address, and if it's working with the clipboard, is it trying to do something like cryptocurrency hijacking?
Will it be replaced and modified? Hey, if you ended up having Bitcoin-like addresses in your clipboard, would it go ahead and replace them with these bad actors' addresses? These hackers, this threat actor here, are trying to swipe, steal and gobble up Bitcoin and cryptocurrencies, and these are the addresses, right? Cool, crazy. sendclib, this next function, literally does that. It will check the operating system with getsystem, it will check if Windows 10 is present within that string, or sorry, if it is not present, I think it is true, I'm not exactly sure. When I use clip on my Windows virtual machine, it takes care of the clipboard.
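A defender-side check for the clipboard hijack described above, as an added Node.js example that is not from the video or the sample: it classifies text as a Bitcoin, Ethereum or Bitcoin Cash-looking address by pattern (no checksum validation), and flags the hijack signature, namely that the address a user copied and the address now sitting in the clipboard are both addresses of the same kind but differ. The patterns are my own, written from the public address formats, and every address below is a constructed placeholder, not a real wallet.

```javascript
// Added example, not code from the video or the sample.
// Detect the clipboard-swap signature: copied one address, clipboard now
// holds a different address of the same kind.

// Pattern-only classification (shape of the address, no checksum check).
const ADDRESS_PATTERNS = {
  // Legacy P2PKH/P2SH (1... / 3..., base58) and bech32 (bc1...)
  btc: /^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$/,
  // 0x followed by 40 hex characters
  eth: /^0x[0-9a-fA-F]{40}$/,
  // CashAddr, with or without the "bitcoincash:" prefix
  bch: /^(?:bitcoincash:)?[qp][a-z0-9]{41}$/,
};

// Returns "btc" | "eth" | "bch" | null
function classifyAddress(text) {
  const t = text.trim();
  for (const [kind, re] of Object.entries(ADDRESS_PATTERNS)) {
    if (re.test(t)) return kind;
  }
  return null;
}

// Compare what the user copied with what the clipboard holds now.
function detectSwap(copied, clipboardNow) {
  const a = classifyAddress(copied);
  const b = classifyAddress(clipboardNow);
  if (!a || !b) return { tampered: false, reason: "not both addresses" };
  if (copied.trim() === clipboardNow.trim()) return { tampered: false, reason: "unchanged" };
  return { tampered: true, kind: a, swappedTo: b };
}

// Constructed placeholders (valid in shape only, NOT real wallets).
const BTC_COPIED = "1ABCDEFGHJKMNPQRSTUVWXYZabcdefghjk";
const BTC_SWAPPED = "3ZYXWVUTSRQPNMKJHGFEDCBA987654321x";
const ETH_COPIED = "0x0123456789abcdef0123456789abcdef01234567";
const BCH_COPIED = "bitcoincash:q" + "z".repeat(41);

// Stand-alone demo
console.log(detectSwap(BTC_COPIED, BTC_SWAPPED));
console.log(detectSwap(ETH_COPIED, ETH_COPIED));
```

In practice this is the comparison a clipboard-monitoring agent or a paranoid wallet front end would make right before a send: re-read the clipboard, classify it, and refuse to continue when the kind matches but the value does not.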
It will run PowerShell with scb, which I believe is Set-Clipboard, with whatever is passed as one of these addresses, or it will pipe it into clip. So let me show you. If I echo "hey, subscribe" and pipe it into clip, there we go; if I right click to paste it, we just modified the clipboard content, and this is how you can do it programmatically from the command line with those commands. Nice. It has a convenient function to get a hexadecimal string, and continues searching for antivirus products with, again, WMI: look for instances of AntiVirusProduct, remove all of these and add them into what you'll end up using inside that user agent with which you call back to the C2 server. And this modinisks, or whatever, looks like it's setting up persistence here: you add the app data with the file name of this script, which we know the wn variable is, and it has some other functionality here checking Visual Basic, but this is commented out.
I'm not one hundred percent sure why, but you can see that code. And again, basically, it's just called and executed and then cleaned up by deleting that WScript.Shell object. So persistence: if that file doesn't exist on the filesystem, it sleeps for a little while and then copies that to add it to that directory inside app data for your user. Same with the shortcut: if it doesn't already exist, it will add its own persistence, the old modinisks again, with the PowerShell script using the same type of start as the previously cleaned string, like it replaced a literal backslash with something. We noticed how it was using some kind of backslash as the delimiter when calling back with the user agent to the C2 server. And then unmonksec, as we saw, was going to end up being used if this wanted the "autodelete" command. This is like a kill switch: delete all that and clean your traces, try to remove your fingerprints by deleting that command, delete this script from app data, delete the .lnk shortcut file and the full name of the script and the Visual Basic script file, etc. Of course we have the "dead file" function as another function, which will end up using some PowerShell syntax to download files; it uses redirects, which is cool, maybe we can do that, and know that when we take a look at that endpoint or the HTTP, we download a file based on what was passed and expect to create the file. Another convenient feature writes this into a file: createshortcut.
This is peculiar, because you can literally see it checking the antivirus stuff: hey, is Avast enabled, is it AVG Internet Security? AVG, how many do we have here? AVG Internet Security plus Avast plus Avast, and that's it, but Windows Defender is also checked, which is peculiar. And then, I mentioned, hey, mshta, the engine and interpreter in Windows to interpret and run .hta files. This syntax is set up again here, creating the shortcut, adding its persistence, making and creating all the breadcrumbs that we already saw. You can literally see the key again that would have encrypted and decrypted this code and all those layers, that rabbit hole we went down in different stages and payloads. It's pretty neat; I like that it literally takes an icon, takes shell32.dll to take an icon that comes out, closes it and saves it. Very crazy. And then you run it, or you run this code, by running that shortcut. Boom. That's not much for this; like what we went through in a couple of minutes, and it's maybe less than 300 lines, but it hides with a hidden file, trying to set the attributes to hidden, and that's the end of that line. But I think the madness here is obviously command and control, obviously a RAT, a trojan, where it can run commands based on a cmd.exe or command prompt command, or more JScript code, and I'm just impressed by this crypto coin theft technique, that small cryptocurrency theft. So if we Google this, where is it located, or has it been seen?
Is this modanisks, or some kind of these other function names, something that is well known? So Malwarebytes has an ad for me. It seems that Hybrid Analysis has seen this before: cc.vbs, so they saw the VBScript rendering that tries to hide the WMI queries. Um, I'm not sure about all that. What else is in the analysis? Uh, okay, that has, oh, that has all the functions to eliminate itself, or was it able to capture that? Oh, and there's more, it's okay, there's much, much more. Yes, yes, yes, correcting the Visual Basic can be something interesting.
What else is here? Cyber threat report, TG Soft, cyber threat report January 2021. Oh, this is in a language I don't speak, honestly. ViperSoftX RAT. Oh, but this is exactly the same code, the obvious part closed, right? Yes, yes, like the base64 dice game, or those random comments there. Oh, and it goes through different layers of obfuscation, right: original, obfuscation layer one, two layers, three layers, four layers... they had eight. Do they have a difference? They must have a different sample, I guess, I don't know. So they created this thing that, oh, has the exact same shell, filesystem configuration, var spl, var ch, but their verss says ViperSoftX when ours says backend soft. Yeah, so once they beautify the code, yes, the same look as ours, but if they have the ViperSoftX, then that verss is like a legit version string. Yes, there is the same modinisks, command and control with a do-while loop, funcret, oh totally, this has to be like this, and it sends Bitcoin and Ethereum through the infected clipboard. Yeah, yeah, delay with the strange capital L, the same kind of command functionality, httpsend. This server callback is dry.vipers.pw 8880, oh, connect, /connect, just as we saw. That is outside of France; we can go explore the direction we have. With the clean structure, all of this looks very much the same; it's like a different version, a different interpretation, all the exact same code.
Same code, but it captures the Bitcoin or Ethereum. That's crazy. Oh, they have different addresses. Is it Bitcoin one prmm, etcetera, etcetera? What does ours look like? Cret, uh, let's get back to that function. Yeah, those are different addresses. Oh, finding some bad guys in action. And this is like a complete code, no, there's a conclusion here and other things, okay. Oh, Twitter, what do we have here? Sorry, light mode, everyone cover your eyes, stinking vampires. Fall, ViperSoft, more for that, is ViperSoftX as something known? Oh yes, yes, yes, Fortinet has some things: JScript obfuscated malware, variant ViperSoftX, it's funny. Uh, ooh, hmm, some kind of C&C running on API again, in the app point, behind Cloudflare no less. It looks like a variant of ViperSoftX, now uses soft user agent backend, different version number but same version, the same version string, backend, fusek noob. What did you see on March 10th? This is April 5th at the time of recording. What did you see? Who are you? I have to comment on us, I have to be like, me, friend, we have the same things, brother, let's go fishing, collectible card game, commercial malware game. I want to see this Fortinet article, because Fortinet must have good things. Yeah, accept cookies, whatever. Um, Windows, recently FortiGuard Labs, leveraging EDR endpoint protection, detected and blocked highly sophisticated new malware in a large environment.
This recently discovered JavaScript-based remote access trojan, stealer, cryptocurrency, yes, cryptocurrency stealer, due to an encrypted string used by its creator, became noticeably active in late 2019 and remains at the time of writing. Well, look, we'll see it in April with, uh, back and back up soft, whatever it's called, backend soft, not ViperSoft. In this case ViperSoft untangles eight layers of code obfuscation before actually executing its payload. Yes, I saw the same thing, uh, not exactly eight in my case, maybe three different types of obfuscation techniques are being used. AES decryption, yes, it was only used in the first layer, although we saw it through a couple more iterations. When converting character arrays, we saw that UTF decode, the persistence of the most recurring deobfuscation layer. Yes, it is added to the application data, as we saw. The RAT functionality tries to go to that domain, slash connect, just as we saw, and adds everything that we saw as part of the user agent and the x header breakdown. The server does not return output of command function names.
Interesting note: the x command indicates a malware author and we continue to add additional JavaScript-based payloads. The developer is more comfortable using JavaScript as his preferred programming language. That's how it is. I'm kidding, JavaScript fans, you know, you know you have a special place, you know there's a special place in hell for you. Replacing crypto wallets, yeah, then check to see if the content matches regex patterns that match a Bitcoin or Ethereum address; in case of a match, and if the address is different from the encoded address, it sets the clipboard data to its own addresses, which is literally like a crypto dragon click. That's so cool. It's obviously evil and horrible, but it's so cool to change the clipboard data. Made based on OS version, yes, Windows 10 uses PowerShell; otherwise run the old school command.
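The clipboard-swap behaviour described above, looked at from the defender's side, as an added example that is not code from the video or from the malware: a small Python detector that walks clipboard snapshots, notices when an address-like value is replaced by a different address of the same kind within a short window, and escalates when the same replacement address shows up for several different originals, which is the fingerprint of a clipper that keeps inserting its own wallet. The address regexes, the two-second window, the snapshot format and every sample address are my constructions and not values taken from the sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Address shapes to watch. Assumption: these regexes are mine; the page does
# not show the ones the sample uses. Legacy/P2SH and bech32 Bitcoin, plus Ethereum.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def classify(text: str) -> Optional[str]:
    """Return 'btc', 'eth' or None for one clipboard string."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return kind
    return None


@dataclass
class Alert:
    time: float
    kind: str
    original: str
    replacement: str
    recurring: bool  # True once this replacement has displaced >1 distinct originals


def detect_clipper(snapshots: List[Tuple[float, str]], window: float = 2.0) -> List[Alert]:
    """Flag address-for-address clipboard swaps that happen within `window` seconds.

    A user copying a second, unrelated address minutes later is not flagged;
    an address silently rewritten right after it was copied is.
    """
    alerts: List[Alert] = []
    originals_per_target: Dict[str, Set[str]] = {}
    prev_time: Optional[float] = None
    prev_text: Optional[str] = None
    prev_kind: Optional[str] = None

    for now, text in snapshots:
        kind = classify(text)
        fast_same_kind_swap = (
            kind is not None
            and kind == prev_kind
            and text != prev_text
            and prev_time is not None
            and now - prev_time <= window
        )
        if fast_same_kind_swap:
            seen = originals_per_target.setdefault(text, set())
            seen.add(prev_text)  # type: ignore[arg-type]
            alerts.append(Alert(now, kind, prev_text, text, len(seen) > 1))  # type: ignore[arg-type]
        prev_time, prev_text, prev_kind = now, text, kind
    return alerts


def recurring_sinks(alerts: List[Alert]) -> List[str]:
    """Replacement addresses that displaced more than one original: the clipper's wallets."""
    return sorted({a.replacement for a in alerts if a.recurring})


# Constructed sample data (not real wallets): a victim copies addresses, and a
# clipper rewrites each one a few hundred milliseconds later.
VICTIM_BTC = "1VictimAddress" + "1" * 20
VICTIM_BTC2 = "1SecondVictim" + "3" * 21
MERCHANT_BTC = "3Merchant" + "7" * 25
ATTACKER_BTC = "1AttackerAddress" + "2" * 18
VICTIM_ETH = "0x" + "a1" * 20
ATTACKER_ETH = "0x" + "deadbeef" * 5

SAMPLE_SNAPSHOTS: List[Tuple[float, str]] = [
    (0.0, "just some text"),
    (10.0, VICTIM_BTC),
    (10.4, ATTACKER_BTC),   # swapped 0.4 s later: suspicious
    (60.0, VICTIM_ETH),
    (60.3, ATTACKER_ETH),   # swapped 0.3 s later: suspicious
    (120.0, VICTIM_BTC2),
    (120.5, ATTACKER_BTC),  # same sink as before: recurring, high confidence
    (200.0, VICTIM_BTC),
    (260.0, MERCHANT_BTC),  # user pasted a different address a minute later: benign
]

if __name__ == "__main__":
    found = detect_clipper(SAMPLE_SNAPSHOTS)
    for a in found:
        print(f"t={a.time:>6}: {a.kind} {a.original} -> {a.replacement}"
              f"{'  [recurring sink]' if a.recurring else ''}")
    print("likely clipper wallets:", recurring_sinks(found))
```

On a real host the snapshot list would come from polling the clipboard; the point of keeping the decision logic separate from the polling is that the same function can be run over a recorded sequence after the fact, and the recurring-sink check is what turns "two addresses in two seconds" into a confident detection.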
Well, after examining these Bitcoin and Ethereum addresses encoded in the malware, oh, that's a good idea, the current total of everything mentioned above is $32,000. Well, this is not a significant amount, and this is just the only campaign of the newly discovered threat, which is only operating for a short time and may only be to start larger and more successful campaigns. Oh wow, takeaways from Ethereum charts. Yes, the functionality is quite simple, but it is stealing money, like real money, I mean cryptocurrencies. So C2 domains, Bitcoin address, Ethereum address, and those are different, but they are the same ones that we saw in the other article. What are ours?
Let's use the Bitcoin address. Is there one? One way to look up a Bitcoin address, yeah, that's something. I'm not in any way a cryptocurrency guy, I'm not a guy, I haven't bought Bitcoin yet, um. Oh wow, this address has transacted eight times on the Bitcoin Cash blockchain, has received a total of 72 bitcoins, 44,000, ladies and gentlemen. Okay, oh wow, all the criminals out there. Oh wait, these transactions are like 2020, December, December 2020, December 2020. So this has to be like a new address, and obviously it could be different because it's not ViperSoft, uh. Ethereum address lookup is a slap thing, stick that in there. Oh, I zoomed in too close, sorry, sorry. Eight Ethereum, seventeen thousand dollars, okay, um, what are we doing on YouTube, guys? What are we doing here? Why are we here?
I'm just kidding, I'm just kidding. I'm not advocating or implying any career change to this. I don't know what this mizu is, I have to be honest. Mizu, is that a cryptocurrency, is that thing? Uh, stimulus checks, Mizuho J-Coin, J-Coin, mizu. If I just slap the address in, people notice it's a cryptocurrency. I'm fine, if I Google cryptocurrency I'm automatically cool. Uh, that's not the address I typed in, but then it has it there, BTC sniffer, click on that, click on that, take me there. Uh, where am I? The address you're checking is this one, yeah, okay, so that's the right address, but obviously you can say I don't know exactly what I'm doing. So bitcoin gets xp.org stuff that looks like the same link. My cookies, sorry, they were not requested. For this address, it was sent 85 times and spent 94 times, leaving nine negative outputs unspent. A little graph here, report wrong, hmm, might have to do that, not going to lie. Avoid, let the bad guys be bad, um, me.
I don't know what else to put in this. Oh, the VJ worm, though, I would like to see, and I want to know about our little, uh, whatever the newbie was. Cerberus, guardian of malware, cool, that's cool, that's an awesome name, in fact I give it congratulations on that. It looks like you wrote about it in February of last year. Oh, with the responses we saw last year, where is our full segment? It was last year, oh no, so this is still gently relaxing, it's still in action, but um, there's already a bit of research on this. It seems like Fire or FortiGuard have some cool stuff, um, it's going around in Hybrid Analysis, and I think it's like Joe Sandbox. If I look for funcret, is that getting the other hits? Um, more of his posts on Twitter, that's boring-o, okay. Um, let's take a look at our good friend api.backendapp.com on port 88. This thing is, you still know it's doing business, it's still open, right? Guys working overtime. Oh, you answered, right, what are the headers you come back with?
I thought I mentioned, yeah, yeah, X-Powered-By Express, so Node, Node.js, well, JavaScript, kind of a back end, um, sus. Now, if I'm going to plug in, what do we do? I understood it, it doesn't return anything, but it didn't give me that error. Help, I can't get help. Is there anything we would like? We could play with this. Um, let's try to connect with the PUT, because he did PUT something. That? If I were to test that username, I could make it really messy and add the username, but useragent will be getuseragent based on this. Um, let's add that string and see if it behaves, and it will add a user agent for me.
Yes, oh God, capital, that guy still doesn't respond. I'm not going to add all the code in there, like all the stuff I would have exfiltrated or tracked, but it still doesn't return anything. Okay, um, how, uh, how well is this known? If I go to VirusTotal and try to put this in there, what do you have? Let's choose a file. Let's get our original spicy stage right from the start. A security vendor flagged this as malicious. Well, it seems, in August 2020, yes, Adobe Color CR, additional settings, a multiple, exactly the same little zipper masked thing that we saw. ESET picks it up, though ESET, friend, said that's always a big hitter in this game. If we dig down to stage six on its own, it lights up a little bit more, please, as people should know.
Uh, I have to look into that VJ worm or whatever it says it's called. Uh, ESET has it, and the NANO antivirus, money, I don't think it's not, I'm not familiar with them, I'll be honest. Where is my boy, Defender? Where is Windows Defender? Where is Microsoft Defender? You are with me? Let me squeeze the power to get people to give them their free antivirus engines. Um, Defender is a formidable stream now, all the defeaters, defenders, defenders, Bitdefender. Oh no, it hasn't gone through Windows Defender yet, still going on. Ah, I've been talking for 50 seconds trying to cover your VirusTotal, people are going to fall asleep. Oh shit, I'm going to pause the video and let this stinky thing finish.
Sorry, it has to be, oh. Oh my gosh, okay, it's over. Two, two security vendors flagged this as malicious, so we could, we could, we could do some work, we could try to amplify this, spread the word, everyone increase shares, trying to try to show this video where we are diving into the backend software, which looks like a new version. This new version number is higher than the one we saw on Twitter in March 2020, but this is obviously going through a certain amount of nested onion material, payloads, working through all those different little launchers and stages to eventually get to this, which is clearly a little RAT running the control server and a cryptocurrency thief. And hey, now you know the addresses, so be careful with them and make sure they don't get into your ledger or whatever.
I don't know, I don't know the words of Bitcoin and stuff, but that's it. I think we had a lot of fun on this. I hope you had fun. I know I did. It was fun. Uh, I thought it was cool to literally see the functionality to swipe and slightly change Bitcoin addresses, because it's something I've heard about, obviously, in conversations and in theory, but I like doing this kind of stuff. The clipboard is clean again, but it's scary, and hey, it can be done, right, and that's the danger and that kind of thing. The thing about cryptocurrencies is that once you send something, once you make a payment, it's gone. Is it replenished forever, or has it been sent into the ether?
No, no pun intended, no emptiness. So who am I? Who am I? What am I saying? I don't know anything about cryptocurrency, so whatever, you're joking. I like to think I'm a bit professional, I hope, but that beautifier is really helpful, you're right. You can use it when you want to do your own little deobfuscation. You don't want to check everything by hand, because obviously checking stage1.js manually would do that. It's been really cool to automate that, and maybe we can have a little fun with some tools and stuff like that, but I hope you had fun in this video.
I've been talking for too long and we should probably log off, so thank you very much. I hope you guys enjoyed this video. I hope we still had some fun energy and we had a good time here with some ViperSoftX redux 2.0 remix, uh, backend soft malware. So thank you very much for watching, everyone. If you enjoyed this video, please do all that YouTube algorithm stuff. I would love to see that you like the video. Please, thanks. I would love to see you leave a comment. Let me know what you think. Let me know what you thought of this now, or if you have ever seen anything like this, if you have malware of your own or any peculiar suspicious code that you would like to send. I have said it repeatedly and I will continue to say it: please send me malware, like, please, and it will be on my tombstone, it's my yearbook quote, please send me malware.
I have fun with this and it helps grow the YouTube content farm, and hit the bell, subscribe. I would be very grateful. I would love to see you, like, you are aware of the content, and thank you very much. Thank you all so much, thank you so much for watching, I love you, see you in the next video, take care.
