Author

Topic: x (Read 209 times)

member
Activity: 77
Merit: 147
https://watchdominion.org
x
June 24, 2019, 07:56:47 AM
#13
If I was you I would still wipe down you can never be sure there is not something lurking on the system after infection.
Your best to DC from the internet and cleardown.

You could run some tools like malware bytes to check for additional infections but my advice would be to fully wipe down to be sure your not keeping anything that may be infected.

@bob123 good spot I think I will submit this EXE to virus total ect and report the repo to github for malware.

i used malware bytes and removed all the (only 1) thing it found
hero member
Activity: 1241
Merit: 623
OGRaccoon
June 24, 2019, 08:15:45 AM
#12
Full report is now ready..

https://www.hybrid-analysis.com/sample/c41c028d807d241027ce0c62e317f46cd68426c5ce1a3204bfc20a8b05ccd47f/5d10ca27038838004c83abab


Code:
Found potential URL in binary/memory

details
    Heuristic match: "iplogger.org"
    Heuristic match: "pastebin.com"
    Pattern match: "https://iplogger.org/templates/new/i/200x200.png"
    Pattern match: "https://maper.info/XuBf3"
    Pattern match: "https://iplogger.org/rules/"
    Heuristic match: "GET /raw/diuCKBNL HTTP/1.1
    Host: pastebin.com"
source
    String
relevance
    10/10


it also seems to contact a US server and a DE (german) server I will try do some more indepth on the EXE when I have some more time later.

Bob is correct the best thing to do is to wipe down.

You can look at something like DBAN  ( https://dban.org/ )
This will allow you to securely wipe the HD and make sure there is nothing left on the system..

Another things possibly you should check is your bios make sure nothing has been modified in the BIOS but from looking at this malware I don't think it's packed with a rootkit or bootkit.



Code:
Domain Address Registrar Country
iplogger.org
88.99.66.31
TTL: 1487 Regtime Ltd.
Name Server: NS1.FASTVPS.RU
Creation Date: Sun, 03 Apr 2011 15:52:04 GMT Flag of Germany Germany
pastebin.com
104.20.209.21
TTL: 233 ENOM, INC.
Organization: WHOISGUARD, INC.
Name Server: SUE.NS.CLOUDFLARE.COM
Creation Date: Tue, 03 Sep 2002 00:00:00 GMT Flag of United States United States
Contacted Hosts
IP Address Port/Protocol Associated Process Details
88.99.66.31
443
TCP ema20cross20bybit20v1.exe
PID: 2920 Flag of Germany Germany
104.20.209.21
443
TCP ema20cross20bybit20v1.exe
PID: 2920 Flag of United States United States
Contacted Countrie




Attack surface processing.  Seems to hook.
legendary
Activity: 1624
Merit: 2481
June 24, 2019, 08:12:40 AM
#11
i used malware bytes and removed all the (only 1) thing it found

Removing the file might be not enough.

The first step after infecting a system (from the attackers point of view) is to gain persistent access.
There are several methods of doing this. The most common is to simply migrate into another process (automatically on start up).


If the malware has been created by some 13 year old script kiddie, your computer is clean.
If that is not the first malware from the author and he knows what he is doing, it is still compromised.


The only way to be sure is to reinstall your OS. It is completely up to you if you do this or not. But if you want to be somewhat sure, you need to do this.
hero member
Activity: 1241
Merit: 623
OGRaccoon
June 24, 2019, 08:00:28 AM
#10
https://www.virustotal.com/gui/url/37a835c912cc5f98786ddf4f19b4d97398fb9aa76739aa89387e83a0bd268394/detection

Here is the report from VT on that file suspect it's crypted hence not being detected by AV scanners to I am surprised that Malware bytes actually removed it.

This is another reason to show that AV is basicly useless in the wild now since swapping a few bytes in the code seems to be enough to bypass most AV's out there now.

Bad times.


Edit*    Include Hybrid analysis report if you look at this report your will see it's detected by this platform more so than Virus total.

https://www.hybrid-analysis.com/sample/c41c028d807d241027ce0c62e317f46cd68426c5ce1a3204bfc20a8b05ccd47f
hero member
Activity: 1241
Merit: 623
OGRaccoon
June 24, 2019, 07:53:13 AM
#9
If I was you I would still wipe down you can never be sure there is not something lurking on the system after infection.
Your best to DC from the internet and cleardown.

You could run some tools like malware bytes to check for additional infections but my advice would be to fully wipe down to be sure your not keeping anything that may be infected.

@bob123 good spot I think I will submit this EXE to virus total ect and report the repo to github for malware.
legendary
Activity: 1624
Merit: 2481
June 24, 2019, 07:50:13 AM
#8
NICE! does that mean i dont have to format my pc and can get rid of it another way?

No, this means i can't say what the malware is exactly doing, since there is no source code.

The source code you are looking at is the code from the legit project gekko. But the author of this malicious version changed 1 file (executable file).
And THIS file contains the malware.
legendary
Activity: 1624
Merit: 2481
June 24, 2019, 07:44:29 AM
#7
You fell to a malicious fork of gekko (which itself is a legit trading bot).

The original trading bot can be found here: https://github.com/askmike/gekko


The malicious one, forked it from github and literally only made 1 commit: https://github.com/nodeoperate/gekko/commit/7474952aa05f80a3de0f244764702e8a3805e824.
The author of it replaced a binary file (EMA Cross ByBit v1.exe ). This most probably is the malware.

What it exactly does, can not be told without runtime analysis (can be circumvented by malware through multiple checks whether run in a sandbox etc.) or reverse engineering (very time consuming).

Honestly, i highly doubt the author put a lot of effort into the malware, therefore runtime analysis might be an option to see what it does.
If you are interested in checking what files it changes, what network connections it opens etc.. you might want to upload that file to https://any.run/.

This site requires an account (free), but i personally didn't use that site yet, but based on other opinions it should be pretty neat.


hero member
Activity: 1241
Merit: 623
OGRaccoon
June 24, 2019, 07:42:46 AM
#6

I have the code for the virus on pastebin, maybe you can check it and see what it does? Im no good at programming but im gonna try and see too

https://github.com/nodeoperate/gekko
https://pastebin.com/N8T2DZu8

I don't see anything in the pastebin that looks like a virus it seems to be a trading stratagy?
I'm guessing you got the virus when trying to run the bot from github?

My thoughts would be there is a downloader somewhere in the codebase and on runtime reaches to some server and downloads the payload.
hero member
Activity: 1241
Merit: 623
OGRaccoon
June 24, 2019, 07:36:04 AM
#5
On a second note your should also submit the URL and or file that contains the malware to places like Virus total or Hybrid-analysis as this will help to pass the infected file around AV company's and it may help others block this malware.

https://www.virustotal.com/gui/

https://www.hybrid-analysis.com/

legendary
Activity: 1624
Merit: 2481
June 24, 2019, 07:06:44 AM
#4
I scanned my pc and deleted the files, the av didn't find anything so I'm assuming it's clean now

Simply deleting files usually doesn't clean your computer.

Also AV's only find very well known threats (heuristics) or blatantly obvious malware (runtime analysis).


Properly coded malware is not being detected by any AV software. Do not assume it is clean just because one or multiple AV's didn't report anything.


I'd recommend to backup important files and reinstall your OS to be on the safe side.



also the address didn't have any funds so maybe its hoping new funds come in and then transfer them out?

Very well imaginable.
legendary
Activity: 1624
Merit: 2481
June 24, 2019, 06:19:19 AM
#3
[...] found out about the trojan and removed it successfully.

Removing malware completely can be quite hard.

What did you exactly do? Just deleted the file ? Using some AV ?
What were the steps you took ?



But now im wondering if the hacker got access to my bitcoin wallet private key (no funds but i used it to stake my account on bitcointalk) and any other things, any tips from the good folks here?

This fully depends on what kind of malware this was.
Maybe it just was some clipping malware, maybe your whole system if compromised and maybe it even was a root kit where formatting the drive doesn't help you clean your PC.

To be honestly, since it changed your clipping board, i doubt that it is a root kit. I also doubt (if your wallet is not empty yet) that it got access to your private keys (but still possible!).

Just.. if i would create such a malware i would either:
1) Change clipping board and instantly steal all funds or
2) Slowly gather as many private keys as possible and later steal everything (hoping that you will own more cryptos in the future)

Changing the clipping board instantly and still having your system compromised to wait for more funds doesn't make sense in my eyes.
Either your malware is hidden until it steals everything, or it reveals itself and instantly steals everything it has access to.


However, formatting the drive is still the preferred way.
If you don't want to risk losing more, reinstall your OS (please NOT a cracked windows version; EVERY cracked software is infected with malware, that's their business model).



Also should i do something about the staked address i have on bitcointalk now?

Preferably quote the post where you staked your address and sign 2 messages:
Sign one message with a new address and sign another message where you state that you change it due to the fact that it might be compromised (using your old address).
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
June 24, 2019, 05:48:06 AM
#2
This shouldn't be a question. The payload can consist of more than the clipboard malware by itself. Removing the virus doesn't guarantee that the other undetected malware would be gone too.

It isn't that much of a hassle to just get a new wallet on a separate computer and wipe the current computer after backing it up. You can't be too safe.
member
Activity: 77
Merit: 147
https://watchdominion.org
June 24, 2019, 05:18:04 AM
#1
x
Jump to: