Twitch Booster/Patcher
This wiper is very popular on a French forum ("18-25"); people used to send it to random streamers, pretending it would "fix" their stream.
Compilations of people getting infected by this can easily be found on YouTube.
The original version, released in 2017, used to delete the MBR partition so that you couldn't boot back into Windows. The one we're looking at is from 2023 and is actually not destructive: a simple reboot and everything is fixed.
Behaviour
Any.run link
As you can see it is pretty impressive, with the screen melting and loud music in the background.
Analysis
twitch.bin
The twitch.bin file is unobfuscated .NET code. The code shows a simple form asking for your Twitch username and password (optional):
Before the form is shown, the field Form1.Twitcha is set to %temp%/Twitcha.exe:
MyProject.Computer.FileSystem.SpecialDirectories.Temp + "\\Twitcha.exe";
Then the Form1_Load method is called through the base.Load event.
This function writes the content of the resource DNOQSSJ into Twitcha.exe.
When the install button is pressed, the function TwitchButton1_Click is called. This function detonates the wiper by starting the Twitcha.exe file using the Process.Start function.
Twitcha.bin
This file is a RAR archive that self-extracts the following files:
- 589.bat
- 660.vbs
- 4826.vbs
- 7458.vbs
- extension3.vbs
- extension4.bat
- extension5.vbs
- extension6.exe
- extension8.bat
- extension9.vbs
- extension110.vbs
- Twitch Booster sans l'installateur et les taskkill.vbs
- twitchbooster.mp3
- TwitchBooster.vbs
Then it will automatically start TwitchBooster.vbs.
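A static triage helper for the layout described above (a dropper carrying a self-extracting RAR that it later writes to disk), added here as an example and not taken from the sample or the original write-up. It assumes the embedded resource is stored uncompressed inside the dropper; the function names and the sample bytes are constructed for illustration.

```python
import struct

# RAR 4.x and RAR 5.x archive signatures
RAR_MAGICS = {b"Rar!\x1a\x07\x00": "RAR4", b"Rar!\x1a\x07\x01\x00": "RAR5"}

def embedded_pe_offsets(data):
    """Offsets > 0 where an MZ header's e_lfanew field leads to a 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ", 1)  # offset 0 is the outer file itself
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def rar_markers(data):
    """Sorted (offset, version) pairs for every RAR signature in the buffer."""
    found = []
    for magic, name in RAR_MAGICS.items():
        pos = data.find(magic)
        while pos != -1:
            found.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(found)

def find_sfx_payloads(data):
    """Pair each embedded PE with the first RAR marker before the next embedded PE."""
    pes, rars, results = embedded_pe_offsets(data), rar_markers(data), []
    for i, pe in enumerate(pes):
        end = pes[i + 1] if i + 1 < len(pes) else len(data)
        inside = [(off, ver) for off, ver in rars if pe < off < end]
        if inside:
            results.append({"pe_offset": pe, "rar_offset": inside[0][0], "rar_version": inside[0][1]})
    return results

def fake_pe(size):
    """Constructed stand-in for a PE: MZ header, e_lfanew = 0x40, PE signature, zero padding."""
    hdr = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    return hdr.ljust(size, b"\x00")

# Constructed sample: outer dropper, then a resource blob made of an SFX stub plus RAR4 data.
SAMPLE = fake_pe(0x200) + b"resource-header" + fake_pe(0x100) + b"Rar!\x1a\x07\x00" + b"\x00" * 32

if __name__ == "__main__":
    for hit in find_sfx_payloads(SAMPLE):
        print(hit)
```

A hit means the file contains a second executable followed by RAR data, which is worth extracting and listing before anything is run.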
TwitchBooster.vbs
This program will show two message boxes saying "Welcome on the network booster for twitch, do you want to start the installation ?", then "Installation was successful, you will not lag anymore on stream :) !"
Afterwards it will create a shell and run 660.vbs, 7458.vbs, extension110.vbs, extension5.vbs, extension6.exe, 4826.vbs, extension9.vbs and extension3.vbs 65 times.
660.vbs
Uses SAPI.SpVoice to make a robotic voice say "hi, i'm just the little voice that says that the 18 25 just destroyed your computer, have fun fixing it son of r*pe, very happy. shoutout to the kheys of the 18 25"
7458.vbs
Starts extension4.bat.
extension4.bat
Closes chrome.exe, firefox.exe and javaw.exe.
extension110.vbs
Starts 589.bat.
589.bat
Closes explorer.exe
extension5.vbs
Plays the twitchbooster.mp3 file, which is Risitas Issou Night Club.
This is probably pasted code: it is the only file that has comments, and they are in English, while the people who made this were French.
extension6.exe
This is the only PE file in the archive; it is responsible for the melting screen effect.
It is also pasted code, as debug message boxes can still show up, for example if CreateWindowEx fails:
window_hwnd = CreateWindowExA(0, ClassName, 0, 0x80000000, 0, 0, nWidth, nHeight, 0, 0, hInstance, 0);
if ( !window_hwnd )
    return MessageBoxA(0, cannot_create_window_error, 0, 0x10u);
Also note that they left in the ability to exit the melting screen effect by pressing ESCAPE:
if ( ((GetAsyncKeyState(VK_ESCAPE) >> 8) & 0x80u) != 0 )
    DestroyWindow(window_hwnd);
4826.vbs
This code repeatedly opens and closes the CD/DVD drives, if any are found.
extension3.vbs
This file is manually invoked 66 times, no idea why they didn't do a loop.
It displays a message box saying "THE 18-25 F*CKED YOUR A** F*CKING MOTHER F*CKER", the title is "THE ELITE OF THE NATION".
extension9.vbs
This code calls extension8.bat.
extension8.bat
This code registers a computer shutdown 300 seconds after it is called. The reason for the shutdown is "In 5 min, you will not have a pc anymore, son of r*pe. The virus of the youtuber Black f*cked your a** :)".
Twitch Booster sans l'installateur et les taskkill.vbs
This code is never called but is present in the archive.
The filename translates to "Twitch Booster without the installer and the taskkill", and that is basically what it does: it is the same as TwitchBooster.vbs except that there is no prompt related to the installer. Despite the name, however, it actually does taskkill chrome.exe and firefox.exe.