Malware analysis

I was made aware of malware being distributed through a website called world-wars[dot]com. The threat actors were reaching out to users and inviting them to try the beta of their game; visiting the site and downloading the "beta" is how the malware gets onto the machine.

Setup

I am using FLARE VM. It is really nice to have so many tools at my disposal, and running debloat.vm on top of it is badly needed. To install FLARE VM you have to turn off Windows Defender, which is easy enough through Local Group Policy (Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Turn off Microsoft Defender Antivirus). On current Windows builds Tamper Protection has to be switched off in the Windows Security app first, otherwise the policy is silently ignored.

Website

  • The IP address is 104.71.21.246, which comes back as a Cloudflare data center in California. That is a CDN edge, so it tells us nothing about where the origin server actually lives.
  • Clicking "beta version" redirects to a Discord CDN link, where the resource is no longer available. The site itself is still up.
  • I got the file from someone on Discord instead.
  • It comes as a .rar archive.
  • Extracting it gives a PE32 file, a Windows executable that is a self-extracting archive built with the Nullsoft Scriptable Install System (NSIS). NSIS is an open-source installer framework commonly used to package and install third-party software. It is also a popular wrapper for malware, because the embedded archive can be pulled apart with 7-Zip and the install script gives a dropper a legitimate-looking shell.

Manalyze

  • The quick info says it was compiled in 2018 and that the company name is 'Unity-Game', lol. Both fields are attacker-controlled (the timestamp is easily edited and the version resource is just a string), so neither means much.
  • I ran Manalyze with -d all to dump everything (headers, sections, imports, exports, resources).
  • Found some interesting Windows API imports.
  • No exports, which is expected for an executable rather than a DLL.

Speakeasy

  • After emulating the sample with Speakeasy, a few more interesting APIs showed up being called at run time.
  • Those are most likely imports that are hidden from the static import table and resolved dynamically through GetProcAddress, which is why the emulated API trace shows more than the Manalyze import dump does.

VirusTotal

  • I computed the SHA-256 hash of the executable and looked it up on VirusTotal. There was no existing detection marking it malicious; the only note on the entry was that it makes WMI calls. Searching by hash rather than uploading the file avoids tipping off the operators that their sample is being looked at.

Windows analysis

  • I moved the sample over to my Windows VM and used 7-Zip to extract the contents of the NSIS executable. Inside were the [NSIS].nsi install script and a few resource folders.
  • I looked through the .nsi script and did not see anything of note.
  • Looking through the folders I found another archive to unpack. It contained resources, libraries and the actual game executable, plus a tool called elevate.exe by Johannes Passing. From what I can see, elevate.exe launches a process with elevated privileges from the command line by triggering the UAC prompt for the target command, which is an odd thing for a game to ship with.

Detonating

  • When it runs, it errors out with a message saying that some JavaScript packages are missing. What it does in the background is more interesting: it goes through the web browsers and steals cookies, walks the file system looking for interesting files, and then searches the system for "wallets", which I assume means cryptocurrency wallets. The visible error is just the decoy; the stealer behaviour happens regardless.
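The file-system behaviour described above is the kind of thing Procmon captures well, and it is easy to bucket automatically. The following is an added example of my own (not the author's tooling and not a capture from this sample): it reads a Procmon CSV export and sorts the operations into browser-cookie, browser-login, wallet-probing, document-access and directory-enumeration hits. The log lines are constructed to look like a Procmon export for a process I have called game.exe, and the path patterns and the verdict rule are my own assumptions, not an exhaustive list.

```python
"""Added example: triage a Procmon CSV export for stealer-like file access.

The log lines are constructed to resemble a Procmon export (Time of Day,
Process Name, PID, Operation, Path, Result, Detail); they are not a capture
from the sample in the write-up, and the path patterns are my own choices.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon-style export for a process named game.exe.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","game.exe","4120","CreateFile","C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies","SUCCESS","Desired Access: Generic Read"
"10:01:02.2","game.exe","4120","CreateFile","C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data","SUCCESS","Desired Access: Generic Read"
"10:01:02.3","game.exe","4120","CreateFile","C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\cookies.sqlite","SUCCESS","Desired Access: Generic Read"
"10:01:03.0","game.exe","4120","QueryDirectory","C:\\Users\\bob\\Documents\\*","SUCCESS","FileBothDirectoryInformation"
"10:01:03.1","game.exe","4120","CreateFile","C:\\Users\\bob\\Documents\\passwords.txt","SUCCESS","Desired Access: Generic Read"
"10:01:03.2","game.exe","4120","QueryDirectory","C:\\Users\\bob\\Desktop\\*","SUCCESS","FileBothDirectoryInformation"
"10:01:04.0","game.exe","4120","CreateFile","C:\\Users\\bob\\AppData\\Roaming\\Exodus\\exodus.wallet","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:04.1","game.exe","4120","CreateFile","C:\\Users\\bob\\AppData\\Roaming\\Electrum\\wallets","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:04.2","game.exe","4120","CreateFile","C:\\Users\\bob\\AppData\\Roaming\\Ethereum\\keystore","SUCCESS","Desired Access: Read Data"
"10:01:05.0","svchost.exe","900","CreateFile","C:\\Windows\\System32\\config\\SOFTWARE","SUCCESS","Desired Access: Generic Read"
"""

# Category -> regexes matched against the lower-cased path. Assumed, not exhaustive.
INDICATORS = {
    "browser_cookies": [r"\\network\\cookies$", r"\\default\\cookies$", r"\\cookies\.sqlite$"],
    "browser_logins":  [r"\\login data$", r"\\logins\.json$", r"\\key4\.db$"],
    "crypto_wallets":  [r"\\exodus\\", r"\\electrum\\", r"\\ethereum\\keystore",
                        r"wallet\.dat$", r"\\atomic\\"],
}
# User-facing folders whose enumeration or document reads suggest file hunting.
USER_DIRS = re.compile(r"^c:\\users\\[^\\]+\\(documents|desktop|downloads)\\", re.I)
INTERESTING_EXT = (".txt", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".kdbx")


def triage(csv_text, process=None):
    """Bucket file operations by what they suggest the process is after.

    Returns {category: [(operation, path, result), ...]}. Rows from other
    processes are skipped when `process` is given. Failed lookups are kept
    on purpose: probing wallet paths that do not exist is still a tell.
    """
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if process and row["Process Name"].lower() != process.lower():
            continue
        path = row["Path"]
        low = path.lower()
        rec = (row["Operation"], path, row["Result"])
        for cat, patterns in INDICATORS.items():
            if any(re.search(p, low) for p in patterns):
                hits[cat].append(rec)
        if USER_DIRS.match(low):
            if row["Operation"] == "QueryDirectory":
                hits["user_dir_enumeration"].append(rec)
            elif low.endswith(INTERESTING_EXT):
                hits["document_access"].append(rec)
    return dict(hits)


def verdict(hits):
    """Rough call: browser secrets plus wallet probing from one process reads as a stealer."""
    tags = set(hits)
    if {"browser_cookies", "browser_logins"} & tags and "crypto_wallets" in tags:
        return "infostealer"
    if tags:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    hits = triage(PROCMON_CSV, process="game.exe")
    for cat, recs in hits.items():
        print(f"[{cat}] {len(recs)} hit(s)")
        for op, path, result in recs:
            print(f"    {op:<15} {result:<15} {path}")
    print("verdict:", verdict(hits))
```

In practice you would run this over a real export (Procmon: File > Save, CSV format) after filtering on the detonated process; the "NAME NOT FOUND" rows are worth keeping in the output because a clean game has no reason to probe for Exodus or Electrum directories at all.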

Network

  • Not really seeing any network activity from the first sample. Before concluding it has no exfiltration, it is worth re-running with a longer dwell time and a fake network in place (FakeNet-NG ships with FLARE VM), since a stealer that has collected cookies and wallet files normally has to send them somewhere.