
## All Your Torrents Belong To Us

Important:
I don't know why, but some people are having trouble loading the web page correctly. In that case reload the page or use a computer instead of a mobile device. You should find some Virus Total screenshots and a Yara Rule at the end of this article. Thanks

Mirror post here - Working as expected -> https://reversingminds.github.io/ReversingMindsBlog/

A few days ago, a friend told me that something strange happened every time he tried to download a torrent from some Spanish torrent sites...

Looking inside the supposed zipped torrent file, a .vbs file is found.

The .vbs file looks pretty obfuscated:

Playing with the obfuscated code, a script in "clear text" is obtained:

Steps in order to clean the script:

• The function OrvRu() decrypts the interesting strings.
• There are a lot of weird variable names like dEsFPZKKXwnYmBUDTqXe, KwxZCOQtvTSpXWawuUecfit, TyoGpdeMyLEpaOMXCkCBcbYBzv etc... those variables need to be renamed.
• There are a lot of interesting functions; szcRCjdYsgsUwhwlYoMxP looks like a string randomizer.
• This comment doesn't need to be deobfuscated... norton scantime-emulation fucker.

#### String Decryption

These are the functions that decrypt the strings:

jZKLbgjUlj is equivalent to the Mid(string, start[, length]) function.

OrvRu performs XOR operations over the string in order to decipher the data.

Same function but legible:

##### Decoded Strings:

With these strings it is now possible to deobfuscate the code.

#### Deobfuscated Code (without binaries)

As we can see, the malware creates a folder in:

For example:

Then it drops 3 files:

• Autoit v3 with random name.
• pe.bin
• shell.txt
• test.au3

Then, if the folder C:\Program Files (x86)\Kaspersky Lab doesn't exist, the script executes the AutoIt executable, passing the file test.au3 as a parameter.

#### Kaspersky Antidetection trick?

I don't know why, but if the script detects that the folder "C:\Program Files (x86)\Kaspersky Lab" exists:

It adds a new key in Run with the name MyApp in order to run when the computer boots.

Then it forces a reboot.

Maybe this trick avoids detection by Kaspersky AV??

#### AutoIT Script

This script reads shell.txt and pe.bin in order to create a new executable.

Then the script creates a vbc.exe process in a suspended state:

Finally, the script injects the malicious payload into vbc.exe.

Some of the functions used in this phase:

• NtWriteVirtualMemory
• NtProtectVirtualMemory
• NtFlushInstructionCache
• NtUnmapViewOfSection
• NtFreeVirtualMemory
• NtTerminateProcess

I have done a quick analysis and it has the following features:

##### Keylogger looking for Cryptocurrency Exchanges and Cryptowallet credentials

• litecoin core
• bitcoin core
• factores-binance (Second factor Binance)
• myether
• kucoin
• cryptopia
• hitbtc
• bittrex
• cryptopia
• coinEx
• bittrex.com
• litebit.eu
• binance
• hitbtc
• Blockchain Wallet
• Electrum Wallet
• Bitcoin Wallet
• Litecoin Wallet
• Exodus Wallet
• Jaxx Wallet

##### Ransomware?

This string is usual in ransomware, but I haven't gone deep enough:

#### cpux86.bin (XMR Miner)

Looking at these strings, the names are related to mining software:

The content of cpux86.bin:

It looks like the content between the startminer markers (startminer[CONTENT]startminerstartminer) is base64.

Using:

File command:

Script to obtain uncompressed_zlib_decoded_base64_cpuix86:

The result, uncompressed_zlib_decoded_base64_cpuix86, is an XMR miner.
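The carving steps described above (take the content between the startminer markers, base64-decode it, zlib-decompress it, then hash the result for a VT lookup), as an added Python example that is not the post's own script; the marker name comes from the post, the sample input is constructed, and the output file name is the one the post uses.

```python
import base64
import hashlib
import zlib

# Marker that surrounds the embedded blob in cpux86.bin (taken from the post).
MARKER = b"startminer"


def extract_between_markers(data: bytes, marker: bytes = MARKER) -> bytes:
    """Return the bytes between the first marker and the one that follows it."""
    start = data.find(marker)
    if start == -1:
        raise ValueError("start marker not found")
    start += len(marker)
    end = data.find(marker, start)
    if end == -1:
        raise ValueError("end marker not found")
    return data[start:end]


def decode_payload(blob: bytes) -> bytes:
    """base64-decode the carved blob, then zlib-decompress it."""
    compact = b"".join(blob.split())  # tolerate line breaks inside the base64 body
    raw = base64.b64decode(compact, validate=True)
    return zlib.decompress(raw)


def carve_cpux86(data: bytes) -> dict:
    """Carve the embedded file and describe it (MD5 for VT, PE magic check)."""
    payload = decode_payload(extract_between_markers(data))
    return {
        "payload": payload,
        "md5": hashlib.md5(payload).hexdigest(),
        "is_pe": payload.startswith(b"MZ"),  # what `file` would report as PE32
    }


# Constructed stand-in for cpux86.bin: the real inner file is an XMR miner,
# here it is a fake MZ header plus filler so the whole thing runs offline.
_inner = b"MZ" + b"\x00" * 62 + b"fake miner body for the demo"
_encoded = base64.b64encode(zlib.compress(_inner))
SAMPLE_CPUX86 = b"junk\n" + MARKER + _encoded + MARKER + MARKER + b"\ntrailing"

if __name__ == "__main__":
    info = carve_cpux86(SAMPLE_CPUX86)
    with open("uncompressed_zlib_decoded_base64_cpuix86", "wb") as fh:
        fh.write(info["payload"])
    print(info["md5"], "PE" if info["is_pe"] else "unknown", len(info["payload"]))
```

Point `carve_cpux86` at the bytes of a real cpux86.bin to reproduce the post's result and compare the printed MD5 against the VirusTotal lookup.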

Looking for MD5 73e4ad3d8ef1fdf60b785f330cdd10d7 in VT:

### Low detection rate in Virus Total

If you search VirusTotal for .torrent.zip you will find a lot of similar .torrent.zip files, and their detection rate is very low.

For example, sample MD5 902df385e6598409cc09b074d2e43ecd with name Animales_Fantasticos_y_donde_Encontrarlos_MicroHD_1080p.torrent.zip has 2/59 detections in VT:

And the malicious embedded .vbe, MD5 4279becbd54aa66f4311dd9c6253358a, has 2/56 detections in VT:

A sandbox should be able to detect those .vbe files as malicious; for that reason I don't understand that low detection ratio.

### Detection

IMPORTANT:

If you don't have experience dealing with malware, please don't delete anything on your computer, *I am not responsible for any damage*.

• Check if there is a program that runs when the computer boots.
• Check if there is a program that consumes a lot of CPU.
• Check if there is a folder in C:\ with a name with this pattern and delete it.

If you detect a program with this rule, check its path and delete it if you think it is malicious.

• If you don't have one, install an antivirus as soon as possible.

#### Analysed Samples

| Name | MD5 | VirusTotal Detections |
|---|---|---|
| promesa-al-amanecer-blurayrip.torrent.zip | fe41de203a01dfdd28ef129688fa9ce0 | 7/58 |
| promesa-al-amanecer-blurayrip.torrent.vbe | a1b2a2aa8eed485d09673de47e1858a1 | 8/56 |
| test.au3 | ba319ca5edf5c36c2c266ef870dbabe5 | 0/57 |
| pe.bin | 5181dc0732e74c030be5739ca56352c8 | 0/56 |
| shell.txt | 39eee04505d93c8af96d78f4d43b8f58 | 2/58 |

### Important note for researchers

If you want to continue analysing this, I would appreciate it if you shared the info via Twitter using this hashtag: