You know those YouTube videos titled stuff like “XBOX LIVE KEY GENERATOR [WORKING]” or “RUNESCAPE GOLD GENERATOR {LEGIT} -NO SURVEYS-” that ultimately turn out to be viruses, keyloggers, or adware. What I do when I don’t have an active reverse engineering project is download them anyway, reverse engineer and dissect them to see what their shitty little .NET application is actually doing, and call them out on it. So let’s dissect this one:
So here’s the video
Off to a good start here’s the payload
Let’s look at that DLL there
OK, so first of all they just renamed some other ijl15.dll to mh1337.dll to try and make their software seem more legitimate and big-time, but it’s just the Intel JPEG Library renamed. Let’s look at the bytecode of the .exe. It seems like the kid made it in Visual Basic with the usual Forms callback stuff. The code’s all really simple, but here’s the kicker:
http://pastebin.com/raw/58Ynhuyz
So this dude’s program basically just emails your phished info to them, but it includes the credentials of the sending email account when it connects to the SMTP server, so I can just use these credentials and
hijack their emailing account and
put an end to their entire phishing scheme
call em out and call it a day