wunkolo:

You know those YouTube videos that say stuff like “XBOX LIVE KEY GENERATOR[WORKING]” “RUNESCAPE GOLD GENERATOR{LEGIT}-NO SURVEYS-” that are just ultimately viruses or keyloggers or adware. What I do when I don’t have an active reverse engineering project is download them anyway, reverse engineer them and dissect them to see what their shitty little .NET application is actually doing, and call them out on it, so let’s dissect this one:

So here’s the video

image

Off to a good start, here’s the payload

image

Let’s look at that dll there

image

Ok so first of all they just renamed some other ijl15.dll into mh1337.dll to try and make their software seem more legitimate and big-time, but it’s just the Intel JPEG library renamed. Let’s look at the bytecode of the .exe. It seems like the kid made it in Visual Basic with the usual Forms callback stuff. Code’s all really simple, but here’s the kicker:

image

http://pastebin.com/raw/58Ynhuyz

So this dude’s program basically just emails your phished info to them, but it includes the credentials of the sending email when it connects to the SMTP server, so I can just use these credentials and

image

hijack their emailing account and

image

put an end to their entire phishing scheme

image

call ’em out and call it a day
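The thing that gave this sample away is the same thing that gives most of these “generators” away: the SMTP host, the sending address and the account password are all sitting in the binary as literals. Below is an added triage script for that pattern; it is not the post author’s tooling and it does not touch the sample above. It scans a byte blob for both plain ASCII strings and UTF-16LE strings (the .NET user-string heap stores literals as UTF-16LE, so a plain `strings` pass misses exactly the host and password you want to see) and flags the mail-API references and host/address literals that together suggest the program phones home over SMTP. The input blob, the host name and the address in it are constructed for the example.

```python
import re

# Runs of printable characters, either plain ASCII or UTF-16LE (char, NUL pairs).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Indicators a reviewer looks for in a suspected credential-exfiltration stub.
INDICATORS = {
    # .NET metadata names that show up when System.Net.Mail is used.
    "mail_api": re.compile(r"System\.Net\.Mail|SmtpClient|NetworkCredential"),
    # A hard-coded mail submission host.
    "smtp_host": re.compile(r"\bsmtp\.[a-z0-9.-]+", re.I),
    # A hard-coded mailbox (usually the sender the stolen data goes out as).
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def extract_strings(blob: bytes) -> list[str]:
    """Return printable strings from blob, covering both ASCII and UTF-16LE runs."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def triage(blob: bytes) -> tuple[dict[str, list[str]], str]:
    """Collect indicator hits and give a one-line verdict for the analyst."""
    hits: dict[str, list[str]] = {name: [] for name in INDICATORS}
    for s in extract_strings(blob):
        for name, rx in INDICATORS.items():
            hits[name].extend(m.group() for m in rx.finditer(s))
    uses_mail = bool(hits["mail_api"])
    has_target = bool(hits["smtp_host"] or hits["email_address"])
    if uses_mail and has_target:
        verdict = "likely SMTP exfiltration with embedded credentials"
    elif uses_mail:
        verdict = "uses mail API, no literal host or address found"
    else:
        verdict = "no SMTP indicators"
    return hits, verdict


def build_sample() -> bytes:
    """Constructed stand-in for a tiny .NET binary: ASCII metadata names plus
    a UTF-16LE user-string heap. Host, address and password are placeholders."""
    metadata = b"\x00" * 8 + b"System.Net.Mail\x00SmtpClient\x00NetworkCredential\x00Send\x00"
    user_strings = [
        "smtp.example.com",            # constructed host
        "exfil-sender@example.com",    # constructed sending mailbox
        "password-placeholder",        # constructed, stands in for the real literal
    ]
    heap = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in user_strings)
    return metadata + b"\x00" * 4 + heap


if __name__ == "__main__":
    found_hits, found_verdict = triage(build_sample())
    for name, values in found_hits.items():
        print(f"{name:14s} {values}")
    print(found_verdict)
```

The UTF-16 pass is the important design choice: in a real .NET sample the mail-API names live in the ASCII metadata tables, while the host, sender and password literals live in the UTF-16LE `#US` heap, so an ASCII-only scan reports the API use but not the credentials. On a real file, feed `triage()` the bytes of the executable and read the `smtp_host` and `email_address` lists next to whatever string sits beside the `NetworkCredential` reference in a decompiler.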
