Jump to content
Tuts 4 You

fake crack sites


Recommended Posts

Xyl2k

So you want to download some releases from snd? alright let's see at snd.webscene.ir, the distribution section menu contain a link pointing at hxtps://keygens.pro/
Super, looks like there a lot of cracks over here! and the site is virus free, right?

9u2fgQ1.png

So let's pick something, i don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/

OFsCsqt.png

lol @ description on the page, didn't know reagan was from snd and born in russia :)
Anyway we got redirected on a download page after clicking 'Download only Keygen' button, we have to fill a captcha and agree to the conditions

aouJxXr.png

The archive is password protected and contain only one file "setup_pass-123.exe"
If we try to download some other random files from the keygens.pro collection, sometime we have variations.
e.g: Any.video.converter.Ultimate.keygen-URET hxtps://keygens.pro/crack/733508/ who contain a 'readme.txt' but we still have our suspicious setup_pass-123.exe inside.
antiviruses aren't really happy about the file when sent to virustotal, but hey, it's kind of normal it's a crack afterall.
The file in question is identified massively as 'remcos' (avira, kaspersky, f-secure,..) remcos is a know trojan, and this time they have right.

I've sent the file to my capev2 (like cuckoo sandbox but with python3) who also identified it as remcos, and even exactly version 2.7.0 Pro.

qkojsbT.png

The process tree:

  • path-pass-123.exe 1204
    • powershell.exe 764 powershell -w 1 -e cwB0AGEAcgB0AC0A [REDACTED]
      • mc.exe 588
      • mc.exe 2816
      • trading_bot.exe 2776
  • services.exe 484 C:\Windows\system32\services.exe

  • lsass.exe 2992 C:\Windows\system32\lsass.exe

mc.exe do a NtOpenMutant with mutex name 'Remcos_Mutex_Inj'
fews deletefile()

DeletedFile: C:\Users\PC\AppData\Local\Temp\g23cbt11.tv1.ps1
DeletedFile: C:\Users\PC\AppData\Local\Temp\rgmxlij1.zlj.psm1
DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a5a4f0c9-7658-465a-89b7-50210e17552a
DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aa1cabc1-b688-4c89-bf51-d9e59fc195d8
DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_33715418-423c-4ee6-9bfb-e19632c208c1
DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d9fccf31-e642-45c3-b729-86cbf5ec234c
DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99c3bc19-136a-483f-a231-8276ab84ee13
DeletedFile: C:\Users\PC\AppData\Roaming\Microsoft\mc.exe
DeletedFile: C:\Users\PC\AppData\Local\Temp\webcam.png
DeletedFile: C:\Users\PC\AppData\Local\Temp\screenshot.jpg
DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\cookies.sqlite24628718
DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\formhistory.sqlite24628875

About the dropped files, it write a file 'logs.dat' into \AppData\Roaming\temp\, in my case:

[2020/10/15 05:31:33 Offline Keylogger Started]

[ Program Manager ]

[Following text has been copied to clipboard:]
h
[End of clipboard text]

{ User has been idle for 400 minutes }

And what's was the 'screenshot.png' he created and then deleted? this:
dQz4GG3.jpg

one of my capev2 vm, the malware have a bit oversized the screenshot tought.
The file sniff keystrokes, harvest/steal private information from browsers and messenger clients, take screenshots from pc and webcam if connected, and installs itself for autorun at startup, yep that not really what we where looking for.

Alright... let's search for another site then..
We type "download crack" on google and we are now on keygenninja.com (former KeygenGuru) according to them.
site is in second result in google main page, the authors of the sites play on search engine rankings, .. and are extremely well positioned (they pay Google for that)

vgZ1CoN.png

Let's try to download something, idk, maybe 'Panopticum IcePattern v1.2 for Adobe Photoshop' hxtps://keygenninja.com/serial/panopticum_icepattern_v1_2_for_adobe_photoshop.html

EOm1ik5.png

We click the 'Download Keygen' button and get redirected on another site hxtps://cracknet.net/d/a95b2bff8a272ss9p.html
Now we are on a page with 2 big 'download' buttons, the text indicate also that the archive password is 12345
When you click on the button the download is launched, but from another external site: hxtps://get.ziplink.xyz/

gO2cb9B.png

I've found also another site: serialms.com, this is just another 'showcase site'.
All the cracks point to the same address (cracknet.net). they also have the same db as keygenninja.com

YZ0x3OY.png

Well, we have 3 files in the archive, one executable, and unless keygens.pro, this time we have the info files (nfo and diz file), apparently a release from team inferno (a cracking group who disbanded in 2006)
The nfo says it was released in may 2020 and the files timestamp seem from 2020, is inferno back ? :)
Dq971a6.png

When extracting the executable from the archive, we got a suspicious 'rar sfx archive' icon, if we look for executable properties, windows will confirm it's a self-extracting archive.
Meaning we can also rename the file to .rar and open it with winrar to see what's going on.
btw that archive inside the archive [insert xzibit yo dawg meme here] is also password protected with '12345'

gCL8e2v.png

According to virustotal only 10 on 70 engines detect it as hostile.
Suspicious again huh? let's send this file to capev2 too.
When sending a password protected sfx archive, you need to fill the option field with: 'arguments=-p 12345' in capev2, so it will be able to run it with the password.
And.. here is the process tree.. yep a big one too, the sfx archive contain a sfx archive, who contain severals other sfx archives [insert again xzibit meme here] and execute everything, resulting a lot of new processes.

  • Panopticum.IcePatter.exe 172 -p12345
    •  cmd.exe 2696 C:\Windows\system32\cmd.exe /c ""C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen.bat" "
      • intro.exe 816 intro.exe 1O5ZF
      • keygen-step-1.exe 3916 keygen-step-1.exe
      • keygen-pr.exe 3892 keygen-pr.exe -p83fsase3Ge
        • key.exe 1280
      • keygen-step-3.exe 3524 keygen-step-3.exe

        • cmd.exe 3804 cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"

          • PING.EXE 2572 ping 1.1.1.1 -n 1 -w 3000

      • keygen-step-4.exe 2624 keygen-step-4.exe

        • file.exe 3896

        • 002.exe 4548

        • Setup.exe 4152

          • slic.exe 4148 1

            • 984D0A19445AA8C5.exe 1552 0011 installp1

            • 984D0A19445AA8C5.exe 1144 200 installp1

              • cmd.exe 3280 cmd.exe /c taskkill /f /im chrome.exe

            • msiexec.exe 2880 msiexec.exe /i "C:\Users\PC\AppData\Local\Temp\gdiview.msi"

      • services.exe 472 C:\Windows\system32\services.exe

        • svchost.exe 592 C:\Windows\system32\svchost.exe -k DcomLaunch

          • dllhost.exe 3832 C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

          • dllhost.exe 2064 C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

        • svchost.exe 3224 C:\Windows\system32\svchost.exe -k netsvcs

        • VSSVC.exe 3648 C:\Windows\system32\vssvc.exe

GqWcmLT.png

One file lead to many files :)
So what's going on? well, a lot of things.

This isn't remcos RAT like in keygens.pro, i don't know what exactly is all of this, my capev2 seem to detect it as Azorult (a know password stealer)
I thinks it's a false positive for 'azorult' malware familly but this one is also harvesting credentials from browsers, bitcoin wallets clients, FTP clients, email clients...

BTRSetp.exe seem packed with 'Eshelon revolution protector', it have also a mention to lenin.

// Module 

[module: SuppressIldasm]
[module: Glory_to_the_Great_Lenin_and_the_October_Revolution!!!("Eshelon Revolution Protector ")]
[module: EF58C16E8C("Discord Link :  v1.0.0-custom")]

The batch file keygen.bat unpack keygen-step-4.exe with password 83fsase3Ge
This archive contain key.exe and JOzWR.dat, when key.exe is executed it will look in the same folder for the file JOzWR.dat, who is later decoded by key.exe and loaded in memory a 'lzma decoder' screenshot here in memory

 

8cw972U.png

dumped JOzWR.dat is detected by 13 engines.

ASCII "-txt  -scanlocal -file:potato.dat"
potato.dat is a file that will be later created in %TEMP% and who contain harvested serial numbers from your applications, including windows license key.
exemple of what contain the file in my capev2:

Computer: PC-PC -  Main scan

Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
Microsoft Office Professional Plus 2010 - Product ID - REDACTED-REDACTED-REDACTED-REDACTED
Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
Windows 7 Ultimate - Extra info - Full product name: Windows 7 Ultimate Service Pack 1
Product ID match to CD Key data
Product Part No.: REDACTED
Installed from 'Full Packaged Product' media.
Is OEM: No
Windows 7 Ultimate - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
Windows 7 Ultimate - Product ID - REDACTED-REDACTED-REDACTED-REDACTED
Windows 7 Ultimate - User - PC


Computer: PC-PC - Deep scan

The guy who want free serials get his serials harvested, isn't that a paradox?

In conclusion: never open or visit crack sites if you don't have the knowledge to avoid infections, use common sense as some will even try to trick you with fake nfo/fake releases.
Maybe buy your softwares (or crack them yourself) to avoid that, and don't trust crack sites at all, even if they was 'legitimate' like keygens.pro, they can go rogue anytime.

Edited by Xyl2k
readability (see edit history)
  • Like 7
  • Thanks 2
  • Haha 1
Link to post

well i've also came across these files like setup_pass123.exe when i was going to rip some gfx from several groups like tPORt. (they weren't on tPORt's releases, but on other groups' releases)

i however accesed these sites through a VM (plus some vpn) so i won't have any risk of getting rogue'd on the real hardware. perhaps they put that file (setup_pass123.exe) only if the searched release isn't found, rather than saying "Deleted due to abuse" after entering that captcha.

plus the description from every release page is actually generated tho .

Link to post
Xyl2k

Well i haven't looked a lot on keygens.pro as remcos don't really interest me at all, but funny that "if crack not found then get a trojan"
i looked a bit more on cracknet.net, and when i was saying "I thinks it's a false positive for 'azorult' malware familly" yep. it appear to be Elysium Stealer/Zeromax Stealer/yahooylo.
some log from the vm, that was tried to be exfiltrated to the cnc:

UCF1UTc.png

related, datas from cnc or just "you got owned bro":
f1jCpRc.jpg VWN1fR6.jpg

jvHD6Bc.jpg XJDLvMd.jpg

some stolen logs from a pc, where you can see browser history and also running process with "keygen-step-5.exe" :)

google chrome default.txt
https://keygenninja.com/ds/indiafont+v2/ Indiafont v2 keygen,serial,crack,generator,unlock,key
https://keygenninja.com/serial/indiafont_v2.html Indiafont v2 serial key or number
https://cracknet.net/d/3c15acbca42738268.html? Get Indiafont v2 keygen here
https://keygencrackpatch.blogspot.com/2019/06/indiafont-v100-patch-174-mb.html APPLICATION CENTER - Full version, Latest Update N Direct Download Links - Crack, Patch, Keygen, Serial Keys, Patches, License keys for free
https://iplogger.org/1Hgx67 1Hgx67 (1×1)
https://www.zuketcreation.net/indiafont-v1-0-0-patch-174-mb IndiaFont v1.0.0 + Patch | 174 MB Application Full Version

information.txt:
[Processes]
---------- System [4]
------------------------------  Registry [96]
-  smss.exe [436]
-  csrss.exe [660]
-  wininit.exe [748]
---------- services.exe [892]
-  lsass.exe [916]
-  svchost.exe [400]
-  svchost.exe [600]
-  fontdrvhost.exe [608]
-  WUDFHost.exe [956]
-  svchost.exe [1064]
-  svchost.exe [1120]
-  WUDFHost.exe [1260]
-  svchost.exe [1380]
-  svchost.exe [1392]
-  svchost.exe [1408]
-  svchost.exe [1452]
-  svchost.exe [1568]
-  svchost.exe [1652]
-  svchost.exe [1676]
-  svchost.exe [1832]
-  igfxCUIService.exe [1876]
-  svchost.exe [1884]
-  svchost.exe [1932]
-  svchost.exe [1960]
-  svchost.exe [1808]
-  svchost.exe [2060]
-  svchost.exe [2108]
-  svchost.exe [2148]
-  svchost.exe [2156]
-  svchost.exe [2264]
-  svchost.exe [2324]
-  svchost.exe [2360]
-  svchost.exe [2456]
-  svchost.exe [2452]
-  svchost.exe [2500]
-  svchost.exe [2508]
-  svchost.exe [2564]
-  Memory Compression [2596]
-  svchost.exe [2688]
-  svchost.exe [2716]
-  svchost.exe [2888]
-  svchost.exe [2924]
-  svchost.exe [2984]
-  svchost.exe [2980]
-  svchost.exe [3136]
-  svchost.exe [3224]
-  spoolsv.exe [3312]
-  svchost.exe [3348]
-  svchost.exe [3528]
-  svchost.exe [3664]
-  AdminService.exe [3908]
-  IntelCpHDCPSvc.exe [3920]
-  svchost.exe [3936]
-  svchost.exe [3944]
-  svchost.exe [3960]
-  DAX3API.exe [3968]
-  svchost.exe [3984]
-  escsvc64.exe [3996]
-  esif_uf.exe [4020]
-  FMService64.exe [4076]
-  svchost.exe [4084]
-  svchost.exe [3280]
-  svchost.exe [3392]
-  RtkAudUService64.exe [4104]
-  svchost.exe [4136]
-  TeamViewer_Service.exe [4204]
-  svchost.exe [4216]
-  svchost.exe [4240]
-  svchost.exe [4256]
-  svchost.exe [4292]
-  svchost.exe [4412]
-  IntelCpHeciSvc.exe [4676]
-  svchost.exe [5184]
-  svchost.exe [5232]
-  svchost.exe [5940]
-  svchost.exe [6428]
-  WmiPrvSE.exe [6960]
-  PresentationFontCache.exe [6044]
-  Lenovo.Modern.ImController.exe [6608]
-  svchost.exe [2176]
-  svchost.exe [6844]
-  svchost.exe [7176]
-  SearchIndexer.exe [4284]
-  svchost.exe [8552]
-  SecurityHealthService.exe [1704]
-  svchost.exe [9156]
-  svchost.exe [9804]
-  jhi_service.exe [10304]
-  GoogleCrashHandler.exe [10340]
-  LMS.exe [10352]
-  GoogleCrashHandler64.exe [10372]
-  SgrmBroker.exe [11036]
-  svchost.exe [11124]
-  svchost.exe [10752]
-  svchost.exe [10848]
-  svchost.exe [4756]
-  svchost.exe [2088]
-  svchost.exe [4528]
-  svchost.exe [12100]
-  svchost.exe [8128]
-  svchost.exe [4276]
-  csrss.exe [10004]
-  svchost.exe [10084]
-  csrss.exe [4188]
-  svchost.exe [14536]
-  csrss.exe [3560]
-  MsMpEng.exe [9024]
-  AdobeUpdateService.exe [8088]
-  svchost.exe [10364]
-  AGSService.exe [4248]
-  AGMService.exe [5552]
-  unsecapp.exe [7572]
-  svchost.exe [16776]
-  servicehost.exe [16228]
-  AnyDesk.exe [2192]
-  svchost.exe [13356]
-  svchost.exe [3432]
-  dasHost.exe [10468]
-  svchost.exe [16176]
-  csrss.exe [12040]
-  usocoreworker.exe [3256]
-  MusNotification.exe [16784]
-  MusNotification.exe [17076]
-  UsoClient.exe [19348]
-  UsoClient.exe [3572]
-  taskhostw.exe [10116]
-  armsvc.exe [2204]
-  UsoClient.exe [1544]
-  dllhost.exe [17804]
-  UsoClient.exe [2392]
-  UsoClient.exe [15712]
-  UsoClient.exe [20924]
-  UsoClient.exe [756]
-  UsoClient.exe [19624]
-  UsoClient.exe [2852]
-  UsoClient.exe [20052]
-  svchost.exe [15972]
-  UsoClient.exe [20316]
-  UsoClient.exe [10528]
-  UsoClient.exe [5284]
-  UsoClient.exe [9532]
-  UsoClient.exe [5716]
-  UsoClient.exe [2844]
-  UsoClient.exe [5908]
-  UsoClient.exe [13548]
-  UsoClient.exe [408]
-  csrss.exe [2900]
-  winlogon.exe [2828]
---------- dwm.exe [16548]
-  fontdrvhost.exe [8828]
-  DAX3API.exe [10020]
---------- conhost.exe [13580]
-  dptf_helper.exe [15840]
-  uihost.exe [17652]
-  unsecapp.exe [17100]
-  ctfmon.exe [20632]
-  sihost.exe [16724]
-  svchost.exe [21104]
-  svchost.exe [1072]
-  taskhostw.exe [6080]
-  explorer.exe [20552]
-  svchost.exe [14568]
-  StartMenuExperienceHost.exe [1560]
-  RuntimeBroker.exe [10268]
-  dllhost.exe [13680]
-  RuntimeBroker.exe [5056]
-  SettingSyncHost.exe [1248]
-  SearchUI.exe [6904]
-  SecurityHealthSystray.exe [6872]
-  RtkAudUService64.exe [12328]
-  E_YATIUPE.EXE [18708]
-  Skype.exe [8044]
-  AnyDesk.exe [14352]
-  Creative Cloud.exe [1436]
-  CCXProcess.exe [17116]
---------- node.exe [14396]
------------------------------  conhost.exe [6652]
-  Skype.exe [19276]
-  Skype.exe [2968]
-  Skype.exe [19672]
-  Skype.exe [9980]
-  Adobe CEF Helper.exe [16216]
-  svchost.exe [8896]
-  HostAppServiceUpdater.exe [19324]
-  Adobe CEF Helper.exe [21376]
-  Adobe CEF Helper.exe [19716]
-  Creative Cloud Helper.exe [10876]
-  CoreSync.exe [16436]
-  RemindersServer.exe [13996]
-  YourPhone.exe [9456]
-  AdobeNotificationClient.exe [14372]
-  RuntimeBroker.exe [4236]
-  RuntimeBroker.exe [15880]
-  UsoClient.exe [16168]
-  ApplicationFrameHost.exe [9368]
-  SystemSettings.exe [12956]
-  UserOOBEBroker.exe [18064]
-  commsapps.exe [19960]
-  RuntimeBroker.exe [12668]
-  HxTsr.exe [4504]
-  Video.UI.exe [19924]
-  RuntimeBroker.exe [21156]
-  RuntimeBroker.exe [16580]
-  ShellExperienceHost.exe [10000]
-  RuntimeBroker.exe [7012]
-  CCLibrary.exe [5744]
---------- node.exe [12980]
------------------------------  conhost.exe [19340]
-  Microsoft.Photos.exe [7784]
-  RuntimeBroker.exe [20952]
-  svchost.exe [8772]
-  WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe [21036]
-  UsoClient.exe [4836]
-  SecurityHealthHost.exe [13896]
-  MpCmdRun.exe [5600]
-  WmiPrvSE.exe [14636]
-  keygen-step-5.exe [10256]
-  WmiPrvSE.exe [15036]
-  smartscreen.exe [7868]
-  svchost.exe [17932]
-  FB2B.tmp.exe [17260]
-  svchost.exe [15108]
-  svchost.exe [19700]
-  FF1C.tmp.exe [8244]
-  3C0.exe [17576]
-  convimage.exe [14528]
-  NisSrv.exe [16212]
-  3BD9.exe [20636]
-  8AB5.tmp.exe [17776]
-  explorer.exe [7320]
-  explorer.exe [8356]
-  explorer.exe [16624]
-  explorer.exe [8688]
-  powershell.exe [19404]
-  explorer.exe [8612]
-  explorer.exe [14944]
-  explorer.exe [14260]
-  conhost.exe [15188]
-  explorer.exe [13328]
-  svchost.exe [3400]
-  RegAsm.exe [20132]
-  explorer.exe [16236]
-  WerFault.exe [12020]
-  taskhostw.exe [14684]
-  backgroundTaskHost.exe [20296]
-  TrustedInstaller.exe [16464]
-  explorer.exe [13440]
-  TiWorker.exe [15312]
-  explorer.exe [12264]
-  explorer.exe [9032]
-  explorer.exe [18328]
-  explorer.exe [17444]
-  explorer.exe [9072]
-  explorer.exe [19640]
-  FileCoAuth.exe [884]
-  explorer.exe [1580]
-  explorer.exe [7160]
-  explorer.exe [11820]
-  explorer.exe [15652]
-  explorer.exe [7324]
-  explorer.exe [11296]

And here is a chaos mosaic i did with vt-graph, landscape map with cracknet and friends:
https://www.virustotal.com/graph/embed/g1eb67876dc2343c7bad3310f6dcd7db61d2ee76f7842479fbd19afea3dbaee8f

  • Thanks 2
Link to post
  • 4 weeks later...
Xyl2k

Tango down for 109.201.133.80 (keygens.pro, serials.be, crack.ms)
4jymqo1.png

Meanwhile, 54.36.184.139 (crackinns.com, torrentheap.com, crackheaps.com, cracknets.net, cracksnet.net, cracknet.net, keygenit.net, keygenom.net, cracksgurus.com, keygenninja.com, serialms.com, mackeygens.com, mediagetsite.com, get.ziplink.xyz, get.ziplink.stream) are still spreading malware.
Abuse sent too, but nothing followed for the moment, so here is some insight about their infra in the meantime (when all else fails, crowbar the fornicationer)

Embedded mini-admin panel to administrate the fake sites, allow them to disable links, blacklist keywords on site, redirect on affil, etc..
uTtOMqH.png jUSX0Df.png

Okay cool, you might want to see some numbers now?
The site with highest traffic is keygenninja with around 13k visits per day, and they infect/install roughly 10k per day.
4mffR99.png

As mentioned in previous post the end user get a bunch of crap (trojan.miner, password stealer, serial numbers stealer, PUPs..)
The exfiltrated passwords are sent to t4p.xyz, domain registered by alelolay[@]protonmail.com, who also own fews other domains (q1f.xyz, crypto-trad1ng.xyz , trading-solutions.xyz)
That all, for the moment!

  • Like 7
  • Thanks 2
Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...