patate/Malware-Research
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added Twitch Patcher wiper

Browse Source
This commit is contained in:
ALittlePatate
2023-02-26 17:01:00 +01:00
parent a449b58407
commit 50fd0ef4f0
6 changed files with 194 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
Random/Twitch Patcher/Files/Twitcha.bin Normal file
View File

Binary file not shown.

5
Random/Twitch Patcher/Files/readme.md Normal file
View File

@@ -0,0 +1,5 @@
# List of the files here :
* twitch.bin --> First PE executed, extracted from the "setup"
* Twitcha.exe --> File executed by twitch.bin after clicking "INSTALL", actually just a RAR archive.

BIN
Random/Twitch Patcher/Files/twitch.bin Normal file
View File

Binary file not shown.

BIN
Random/Twitch Patcher/Screenshots/form1.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 64 KiB

124
Random/Twitch Patcher/readme.md Normal file
View File

@@ -0,0 +1,124 @@
# Twitch Booster/Patcher
This wiper is very popular amongst a French forum ("18-25"), people used to send this to a random streamer pretending it would "fix" their stream.<br>
Compilations of people getting infected by this can be found easily on Youtube.<br>
The original version released in 2017, the one we're looking at is from 2023 and is actually not destructive, a simple reboot and everything is fixed.
# Behaviour
[Any.run link](https://app.any.run/tasks/fbc94828-b391-4c33-90b3-c689db7f59bb)<br>
As you can see it is pretty impressive, with the screen melting and loud music in the background.
# Analysis
## twitch.bin
The ````twitch.bin```` file is unobfuscated .NET code. The code shows a simple form asking for your twitch username and password (optional) : <br>
![form1](Screenshots/form1.PNG) <br>
Before the form is showed, the field ````Form1.Twitcha```` is set to ````%temp%/Twitcha.exe```` :
````C#
MyProject.Computer.FileSystem.SpecialDirectories.Temp + "\\Twitcha.exe";
````
Then the ```Form1_Load``` method is called with the ```base.Load```.<br>
This function will write the content of the ressource ```DNOQSSJ``` into ```Twitcha.exe```. <br>
When the install button is pressed the function ```TwitchButton1_Click``` is called. This function will detonate the wiper by starting the ```Twitcha.exe``` file using ````Process.Start```` function.
## Twitcha.bin
This file is a RAR archive that will self-extract these files :
* 589.bat
* 660.vbs
* 4826.vbs
* 7458.vbs
* extension3.vbs
* extension4.bat
* extension5.vbs
* extension6.exe
* extension8.bat
* extension9.vbs
* extension110.vbs
* Twitch Booster sans l'installateur et les taskkill.vbs
* twitchbooster.mp3
* TwitchBooster.vbs
Then it will automatically start ```TwitchBooster.vbs```.
### TwitchBooster.vbs
This program will show two message boxes saying "Welcome on the network booster for twitch, do you want to start the installation ?", then "Installation was successful, you will not lag anymore on stream :) !"<br>
Afterwards it will create a shell and run ```660.vbs```, ```7458.vbs```, ```extension110.vbs```, ```extension5.vbs```, ```extension6.exe```, ```4826.vbs``` and ```extension3.vbs``` 66 times.<br>
#### 660.vbs
Uses ```SAPI.SpVoice``` to make a robotic voice say "hi, i'm just the little voice that says that the 18 25 just destroyed your computer, have fun fixing it son of r*pe, very happy. shoutout to the kheys of the 18 25"<br>
#### 7458.vbs
Starts ```extension4.bat```.
#### extension4.bat
Closes chrome.exe, firefox.exe and javaw.exe.
#### extension110.vbs
Starts ```589.bat```.
#### 589.bat
Closes explorer.exe
#### extension5.vbs
Plays the twitchbooster.mp3 file, which is [Risitas Issou Night Club](https://www.youtube.com/watch?v=ZRlPsHwrDvY).<br>
Probably pasted code (only file that has comments, in english but the people who made it were French).
#### extension6.exe
Only PE file of the archive, it is responsible for the melting screen effect.<br>
It is also pasted code as debug message boxes can still show up if ```CreateWindowEx``` failed for example :
````C
window_hwnd = CreateWindowExA(0, ClassName, 0, 0x80000000, 0, 0, nWidth, nHeight, 0, 0, hInstance, 0);
if ( !window_hwnd )
return MessageBoxA(0, cannot_create_window_error, 0, 0x10u);
````
Also note that they left over the possibility to exit the melting screen effect by pressing ESCAPE :
````C
if ( ((GetAsyncKeyState(VK_ESCAPE) >> 8) & 0x80u) != 0 )
DestroyWindow(window_hwnd);
````
#### 4826.vbs
This code will repeatedly open and close the CD/DVD drives if found.
#### extension3.vbs
This file is manually invoked 66 times, no idea why they didn't do a loop.<br>
It displays a messagebox saying "THE 18-25 F*CKED YOUR A** F*CKING MOTHER F*CKER", the title is "THE ELITE OF THE NATION".
#### extension9.vbs
This code is never called but is present in the archive.<br>
This code calls ```extension8.bat```.
#### extension8.bat
This code is never called but is present in the archive.<br>
This code registers a computer shutdown 300 seconds after it is called. The reason for the shutdown is "In 5 min, you will not have a pc anymore, son of r*pe. The virus of the youtuber Black f*cked your a** :)".
#### Twitch Booster sans l'installateur et les taskkill.vbs
This code is never called but is present in the archive.<br>
The filename translates to "Twitch Booster without the installer and the taskkill". THis is basically what it does, it's the same as ```TwitchBooster.vbs``` except that there is no prompt related to the installer. But it actually does taskkill chrome.exe and firefox.exe.