A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27847  by 711PartTimeJob
 Wed Feb 10, 2016 9:38 pm
I found these files bundled with an installer of browserair. It seems to be by a fake tech support company...
During installation, it drops a few files to the C:\Winodws folder.

Scans:
bs1.exe
https://www.virustotal.com/en/file/3cb1 ... 455138949/
MD5 Hash- a050a6b258a30b2a6f3740024308639c
SHA256 Hash-3cb16dc12599fd70be6a0de232ae00b5866b2f4d157d6618f45d09c77f1267d1

HardwareInformation.exe
https://www.virustotal.com/en/file/4e40 ... 455139092/
MD5 Hash- dc3dc7337c50bd367967a5fbaeb15d3c
SHA256 Hash- 4e4016e3aa516c122dba7716099a6da90e7f5ce0aa606a00a4f90bff4074cc20

Mint.exe
https://www.virustotal.com/en/file/9591 ... 455139181/
MD5 Hash- b234ebf2a1e9ceaa31809bab8d1eaa6f
SHA256 Hash- 95913c9975a6fb0208ed8f78ebdd989bf540a393941793ffbb2ce5f8f3efdcc5

MyTrayApp.exe
https://www.virustotal.com/en/file/3246 ... 455139287/
MD5 Hash- 51b03492d7b2ef71e34abc4eff9c9248
SHA256 Hash- 32467f8d021456b5d08472c26f9e2a833a45766c87843d2a0df5a2ff706e7659

sc.bat
https://www.virustotal.com/en/file/c7ff ... 455139387/
MD5 Hash- ad0290aabc56183e1e3441188b3b8925
SHA256 Hash- c7ff1999e57a66a89b6c7b4be9575e305df65336eedba92a5540e687d81ec4e1

Wimboldon.exe
https://www.virustotal.com/en/file/52df ... 455139470/
MD5 Hash- bd2ce90b77785bd71b5a67712ecbb0d6
SHA256 Hash- 52dfef92ba844e4c6c8b838518c5c1af5e632009bd2ddaa0a8a3afec8ab1f884

winupd.exe
https://www.virustotal.com/en/file/0e05 ... 455139677/
MD5 Hash- 6acbac07bbae07a146650d5bd94a88ce
SHA256 Hash- 0e05a276ef1017d550eca077fea3d64edd5551d5896b04f1b2d6c6a6fa893f96

setup.exe
https://www.virustotal.com/en/file/efed ... 455139807/
MD5 Hash- 6265446fdb04a0c2975eafe0f1071484
SHA256 Hash- b8a9ab84f15821ebbe48f21443d69e2e0a49817d

Article by malwarebytes:
https://blog.malwarebytes.org/fraud-sca ... h-a-twist/
Attachments
The files that were dropped. PW=infected
(39.88 KiB) Downloaded 101 times
The installer that dropped the files. PW=BrowserAir
(827.6 KiB) Downloaded 125 times
 #27930  by 711PartTimeJob
 Wed Feb 24, 2016 6:13 am
I have found another sample that is apart of the Rogue.TechSupportScam family. This one poses as a youtube downloader. When the installer is run, it will drop a few files to the c:/windows directory. Afterwards, a file called "box.exe" will be run and display this:
Image

File: Installer.exe
Virustotal Scan- https://www.virustotal.com/en-gb/file/3 ... /analysis/
MD5- d1550649c3e2ebe1bf11949fa7a7d5f2
SHA1- a672c879062b8f1b6a84c12fecfc3b96883d36b8
SHA256- 384df588fa4fb60c4986a1156b21314ce7c66468f9f4c8fac1a6b3a3cde1fe58

File: box.exe
Virustota'l Scan: https://www.virustotal.com/en-gb/file/c ... /analysis/
MD5- ec1b21d44c7034380c4fbc1237b17d4f
SHA1- 531786f21139555239ec3fbaf476c8d1aab34bed
SHA256- cd2e3014f278774b55b4ab84c1bb93fcb2f6640b7ba16401c72ad78a4db74fde
Attachments
PW=infected
(390.54 KiB) Downloaded 96 times
 #27938  by slipstream-
 Wed Feb 24, 2016 8:48 pm
Malwarebytes classifies any winlocker or fakealert trojan that social engineers a user to call fake tech support under "Rogue.TechSupportScam".

This sample is from a different family to the first, and seems to be a newer version of what I called Trojan.FakeAlerts.FreeTube; this newer version contains live chat functionality (a form with WebBrowser control that gets hxxp://www.yeptalk.com/cs.html ).
 #28008  by 711PartTimeJob
 Sun Mar 06, 2016 8:31 pm
This program will drop files in the same directory as the file in the first post did, but this time it will install a fake disk cleaner called "Virus Defense". After it gets installed, different versions of the fake tech support programs from the first post will get dropped in the windows directory.
MyTrayApp.exe will work in this version, which displays a fake virus warning tray icon
Mint.exe now attempts to block all keyboard input, but still fails miserably. If the user presses the windows key, it will display the hidden close button.
sc.bat is updated and will attempt to add more services. One significant service is called "ieupp" which attempts to display a pop up every minute from http://mynightqueen.com/popup/test/test.html Most of the time, it will display an ad trying to get the user to install a "java update".
I believe all of the other files it drops are the same versions from the bundled browserair installer.

Setup.exe
https://www.virustotal.com/en/file/63cb ... /analysis/
MD5: 896a81b36ee378a1dee5c09002178aa8
SHA1: 89dc920f447e6cc3018793a3a6ea882ce42f8ef4
SHA256: 63cb378383d36b2e87ed34860c31a0a0fb3a84e8af75566d9e310375e06e3f2f

MyTrayApp.exe
https://www.virustotal.com/en/file/8d19 ... /analysis/
MD5: d0aa18c1c2e58b40010cbc7f74e797b9
SHA1: 16eab3e181155042a0e128dbe3724bb52a1b7106
SHA256: 8d19dd76aeb0810f0a4eec27fea358eae7121919a8c7674697ca625ca70a9f3b

Mint.exe
https://www.virustotal.com/en/file/9160 ... /analysis/
MD5: 1f4d9c34d33d52ebcb1b233c8f281a27
SHA1: 4bc3624c88bb0e4e7e292221cddd2b3e16e23322
SHA256: 91601f7fd71a44fa132e65e2fee97261f7d685201041b46e6a7d71e1f0d89a23

Sc.bat
https://www.virustotal.com/en/file/1f65 ... /analysis/
MD5: bb61da0926312b416ef9990faf23c57e
SHA1: 0b2e09df9db9ceef3c6c58998630192f9855ab03
SHA256: 1f6566965efe4f452a8a88a1ecd0efaa3321d9c45cf677b80922d1b92008f493
Attachments
PW=infected
(1.67 MiB) Downloaded 92 times
PW=infected
(783.69 KiB) Downloaded 89 times
 #28374  by 711PartTimeJob
 Fri Apr 22, 2016 10:47 pm
Using dotPEEK, i managed to grab the source code of mint.exe, which was the fake blue screen application. Seems to be coded in C#. Have no idea if it is possible to open the project, bur the source code is accurate. From the source code:
Code: Select all
 private void Form1_KeyDown(object sender, KeyEventArgs e)
    {
      if (!e.Control || !e.Shift || !e.Alt || e.KeyCode != Keys.X)
        return;
      foreach (Process process in Process.GetProcessesByName("Mytrayapp"))
        process.Kill();
      this.Close();
    }
This seems to kill the mytrayapp.exe process if the user presses ctrl shift alt on their keyboard.
Attachments
PW=infected
(11.95 KiB) Downloaded 63 times