Malware Analysis Sus files(2)

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
369
@struppigel @Trident @SeriousHoax @Andrew3000 @Kongo

I helped some guy remove them, and I'm curious what they actually were. for the second file, the .exe got caught by his AV(which is BD), so I can't actually provide it(does not seem to be in quarantine either).
 

Attachments

  • image.png
    image.png
    30.8 KB · Views: 103
  • 4.png
    4.png
    15.2 KB · Views: 112
  • 5.png
    5.png
    15 KB · Views: 108
  • 6.png
    6.png
    17.6 KB · Views: 104
  • 7.png
    7.png
    14.5 KB · Views: 102
  • 8.png
    8.png
    3.3 KB · Views: 105
  • 3.png
    3.png
    21.5 KB · Views: 104
Last edited by a moderator:

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
369
Download the zips from Triage as I cannot link the direct upload on the forum

 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
Sorry, but I need to register for download. And this happens when I try to register for tria.ge:

1688992893819.png

File is not on VT either. If you upload it there, I can access it.
 

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
369
Sorry, but I need to register for download. And this happens when I try to register for tria.ge:

View attachment 277018

File is not on VT either. If you upload it there, I can access it.
I can link the. exe directly from VT, but I don't think the. exe works without the other files in its folder.

Here is the .exe: VirusTotal

here is the zip if you can download it: VirusTotal



As I said, there is no .exe for the lisk file (deleted by BD). But after some digging, it seems it's related to this: "Lisk is an open source blockchain application platform designed to provide developers with a simpler path to blockchain production. It also provides users with a diverse and easy-to-use ecosystem with many applications to explore." I downloaded the installer from a GitHub page, VT report below.




He mentioned that he had no idea what they were or where they came from.
 
Last edited:

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
369
@struppigel

Off topic, but I just happened to find the above analysis on reddit. Seems like your guide on extracting app.asar was useful? :D
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
I can link the. exe directly from VT, but I don't think the. exe works without the other files in its folder.

Here is the .exe: VirusTotal

here is the zip if you can download it: VirusTotal



As I said, there is no .exe for the lisk file (deleted by BD). But after some digging, it seems it's related to this: "Lisk is an open source blockchain application platform designed to provide developers with a simpler path to blockchain production. It also provides users with a diverse and easy-to-use ecosystem with many applications to explore." I downloaded the installer from a GitHub page, VT report below.




He mentioned that he had no idea what they were or where they came from.
The file that I cannot access is 89182337d39268acce8b9843af9c84ca00ba41a394e8ded1426f95d6d63964c3
But yeah, I can check the other sample.
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,654
I was able to download from Triage but it seems these are not the original exe file as you said BD had already detected and removed that on the system. But @struppigel should be able to investigate as it looks similar to the Electron based malware where the main culprit was hiding in the .asar file as he showed us in his analysis video.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
It looks similar to Electron because it is also a Node.js application. But not Electron. It is also correct that the full folder's contents are necessary to run everything. But one could create a standalone executable by creating an SFX with 7zip. If you think this helps you with automatic analysis sandboxes, I can try to create one.

You find the entry point of the application in the package.json. This file mentions first_page.html as main.

1688998304654.png


The malicious code is inside: init/first_page.html
In first_page.html you see obfuscated JavaScript.

1688998159496.png


The application creates a folder in %LOCALAPPDATA%\Leading and saves a lot of data there.
You should delete this folder on your friend's system.

1688998084013.png


1688998382008.png


Looks like adware/spyware to me. The folder is full of affiliate and advertising related data.

Didn't have time to deobfuscate the code yet, it looks a bit nasty, and I do not think it is worth sinking hours into it because it does not seem to be a serious threat. It stems likely from a Potentially Unwanted Software download. Make sure to check the installed programs on the system for PUP.
 

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
369
It looks similar to Electron because it is also a Node.js application. But not Electron. It is also correct that the full folder's contents are necessary to run everything. But one could create a standalone executable by creating an SFX with 7zip. If you think this helps you with automatic analysis sandboxes, I can try to create one.

You find the entry point of the application in the package.json. This file mentions first_page.html as main.

View attachment 277024

The malicious code is inside: init/first_page.html
In first_page.html you see obfuscated JavaScript.

View attachment 277023

The application creates a folder in %LOCALAPPDATA%\Leading and saves a lot of data there.
You should delete this folder on your friend's system.

View attachment 277021

View attachment 277025

Looks like adware/spyware to me. The folder is full of affiliate and advertising related data.

Didn't have time to deobfuscate the code yet, it looks a bit nasty, and I do not think it is worth sinking hours into it because it does not seem to be a serious threat. It stems likely from a Potentially Unwanted Software download. Make sure to check the installed programs on the system for PUP.
Thanks, this is what I wanted. Is there any relation with "Lisk" zip?(sent it in DM)
 
  • Like
Reactions: SeriousHoax

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
Thanks, this is what I wanted. Is there any relation with "Lisk" zip?(sent it in DM)

The Lisk sample is an Electron application. So you can unpack the app.asar file as shown in the video. The executable seems to be missing, though. It is different JS code than Leading.

Edit: I somehow got to register on Tria.ge now. I uploaded the SFX for leading.exe
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top