Hello fellow WormMen.

Today we will be taking a look at some more malware found on the YT EK.

(A brief thank you to Eugene Kaspersky for directing this sample to K.I.T.)

KEY: “Chomp” = “byte”

This malwareman has won “War of the architecutres” by forcing a 32 bit processor to successfully run a 64 bit Windows release!

We shall now create a domain and force Virustotal to ‘scan’ said domain.

As we can see, this spooky domain has been detected as a “Botsquid Variant.” Not good.

So, we shall now take a look at this illegal malware.

This class seems to have some very odd features indeed (For a game hack.)

Here we have an attempt to lower detections (& maybe “anti RE”?) by replacing the all ‘A’ chomps with ‘,’, ‘B’ chomps with ‘.’ & ‘v’ chomps with ‘=’.
We can either manually replace said chomps, or just add a cheeky little snippet of code.

The chomp payload has been set!

After setting a breakpoint at line 63 (Powershell payload,) we can steal the chomp array from memory.

This chompware seems to be created using Delphi. Could we be dealing with a cometman here?

Manifesto time.

————————————————————————

CompanyName = Microsoft Corp. // An unsigned tool released by microsoft?
FileDescription = Remote Service Application // I’m sure this is just for when Microsoft decide to help me fix an issue. (DC Sig x1)
FileVersion = 1, 0, 0, 1
InternalName = MSRSAAP // DC Sig x2
LegalCopyright = Copyright (C) 1999 // 1999????????
LegalTradeMarks = ***
OriginalFilename = MSRSAAP.EXE // DC Sig x3
ProductName = Remote Service Application // DC Sig x4
ProductVersion = 4, 0, 0, 0
Comments = Remote Service Application DC Sig x5
————————————————————————

Lets take a look at some of the strings of said Delphiware.

Now why would a game cheat need network access?

And why would a rootkit be required for a browser based game?

Oh noes! Infections, startup, PasswordAndData… : ( I thought this was a cheat?

Now I’m mad! Lets locate this malwareman.

As procmon suggests(FUCK ONLINE SANDBOXES,) this game cheat is making TCP connections to “191.96.6.55.”

The port (1605) is ooooone value above the default DC port. Did the ISP block port 1604 from being opened?
Sadly, this internet pineapplecol is a Brazilian server 🙁

The question today is: Why use ‘evasive’ techniques (refer to the Powershell payload with dodgy base64) to load VERY detected malware onto a machine?

“SkidSquad” is currently under investigation by the K.I.T Task Force Dorito 1.