Malware analysis

I was made aware of malware being distributed through a website called world-wars[dot]com. Threat actors were reaching out to users, inviting them to try the beta of their game. Visiting this website was the first step to getting the malware onto the machine.

Setup

I'm going to use FlareVM. It is really nice to have so many tools at my disposal, and running debloat.vm on top of it is essential. To install FlareVM you need to turn off Windows Defender, which is straightforward via Local Group Policy.

Website

  • IP address is 104.71.21.246, which is a Cloudflare data center out of California
  • Clicking on "beta version" redirects to the Discord CDN, where the resource appears to be no longer available. The site itself is still up
  • Got the file from someone on Discord
  • It comes in .rar format
  • Extracting that gives a PE32 file for Windows: a self-extracting archive built with the Nullsoft Installer (NSIS). Nullsoft Installer is used to set up and install third-party software and interact with Windows

Manalyze

  • Quick info says it was compiled in 2018 and that the company is 'Unity-Game', lol
  • Ran Manalyze with -d all
  • Found some interesting Windows API libraries imported
  • No exports

Speakeasy

  • After using Speakeasy to emulate execution, we got a few more interesting imports that are used
  • There were most likely other imports hidden from the import table and resolved at runtime via GetProcAddress

VirusTotal

  • I got the SHA-256 hash of the executable and put it into VirusTotal; there was no current entry flagging it as malicious. It did have an entry noting that it makes WMI calls
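The static checks above (PE32 header and compile timestamp from the Manalyze quick info, the NSIS self-extractor marker, API names sitting in the binary as strings that hint at GetProcAddress-resolved imports, and the SHA-256 for the VirusTotal lookup) can be scripted into one triage pass. The following is an added example written for this page, not a tool from the original post or from Manalyze; it uses only the Python standard library, the `API_WATCHLIST` names are an assumed starting list, and the sample it triages is a constructed minimal PE32 image standing in for the real installer stub.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# Constants from the PE/COFF format and the NSIS first-header layout.
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
NSIS_MARKER = b"NullsoftInst"  # string carried in the NSIS first header of an installer stub

# Assumed watchlist: APIs that, when present only as plain strings and not in the
# import table, suggest the stub resolves imports at runtime via GetProcAddress.
API_WATCHLIST = {
    "GetProcAddress", "LoadLibraryA", "LoadLibraryW", "VirtualAlloc",
    "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread", "WinExec",
}


def sha256_hex(data: bytes) -> str:
    """Hash to look up on VirusTotal without having to upload the sample."""
    return hashlib.sha256(data).hexdigest()


def parse_pe_header(data: bytes):
    """Return machine, section count, build timestamp and PE32/PE32+ flag, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 26 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp, ...
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    # The optional header follows the COFF header; its first WORD is the magic.
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "pe32": opt_magic == PE32_MAGIC,
        "pe32plus": opt_magic == PE32PLUS_MAGIC,
    }


def ascii_strings(data: bytes, min_len: int = 4):
    """Printable ASCII runs, the same thing a 'strings' pass would give you."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """One-shot static triage of a file image; safe to run on any bytes, it never executes them."""
    hdr = parse_pe_header(data)
    result = {"sha256": sha256_hex(data), "is_pe": hdr is not None}
    if hdr is None:
        return result
    result.update(hdr)
    # TimeDateStamp is seconds since the Unix epoch; this is where "compiled in 2018" comes from.
    result["compile_year"] = datetime.fromtimestamp(hdr["timestamp"], tz=timezone.utc).year
    result["nsis"] = NSIS_MARKER in data
    result["api_strings"] = sorted(API_WATCHLIST.intersection(ascii_strings(data)))
    return result


def build_sample() -> bytes:
    """Constructed stand-in for the installer stub: a minimal PE32 image with an NSIS marker and API strings."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3,   # Machine, NumberOfSections
                       1520000000,                               # TimeDateStamp (March 2018)
                       0, 0, 0xE0, 0x0102)                       # symtab, nsyms, opt hdr size, flags
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 0xDE           # optional header, 0xE0 bytes
    body = (b"\0" * 16 + b"\xef\xbe\xad\xde" + NSIS_MARKER + b"\0" * 8
            + b"kernel32.dll\0GetProcAddress\0LoadLibraryA\0VirtualAlloc\0Hello\0")
    return bytes(dos) + b"PE\0\0" + coff + opt + body


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(blob).items():
        print(f"{key:13} {value}")
```

Run it with a path to the extracted executable to get the hash and the header facts in one go; with no argument it triages the constructed sample. The `api_strings` list is a hint, not a verdict: an NSIS stub legitimately references some of these names, so the useful comparison is between this list and what Manalyze shows in the import table, which is where Speakeasy's extra imports came from.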