SHA1:
- 21d6f7980e6b1383c0cc813bfc003f2adf51eb74 (start.js)
- 52e021f47f487e58d9a8edfb887925e2e75be256 (update.js)
- 980f067ce3976a3f40e1a39e1bc8b74c3849f91e (startDll.dll)
- d337eeefdf45055a1e3fbf26abe7ca8eb5c2295a (updateDll.dll)
- b6a9db83a915494fa0b22cd116ec26cbe4d166ce (ESP чит для КС ГО.exe)
Description
One of the MonsterInstall trojan components. The malware is written in JavaScript and C++ and functions as a backdoor. js-scripts are launched by an executable Node.js file.
Operating routine
It installs itself in the system into the C:\Windows\Reserve Service directory and runs as a service.
ESP чит для КС ГО.exe
Located at: https://proplaying[.]ru/load/counter_strike_global_offensive/cs_go_chity/rage_chit_dlja_cs_go/27-1-0-1993
The trojan creates a mutual exclusion named "cortelMoney-suncMutex” on the user’s device and reads its parameters from the ([HKLM\Software\Microsoft\Windows Node]) registry. After that, it unzips the contents of the data.bin file to the %WINDIR%\WinKit\ directory and installs a service to launch start.js.
start.js
The trojan loads the startDll.dll library and calls its exported function “mymain”.
update.js
The trojan loads the updateDll.dll library and calls its exported function “mymain”.
starter.dll.dll
A library with one exported function called “mymain”.
The trojan creates a mutual exclusion named "cortelMoney-suncMutex” on the user’s device and reads its parameters from the ([HKLM\Software\Microsoft\Windows Node]) registry.
Then it launches %WINDIR%\WinKit\msnode %WINDIR%\WinKit\update.js, and stops the "Windows Node” service.
updateDll.dll
A library with one exported function called “mymain”. The trojan sends requests to google.com, yahoo.com, and facebook.com every 10 seconds until it receives “code 200” in response. It then sends a POST request to the http://s44571fu[.]bget[.]ru/CortelMoney/enter.php server with the following configuration data:
{"login":"NULL","mainId":"PPrn1DXeGvUtzXC7jna2oqdO2m?WUMzHAoM8hHQF","password":"NULL","source":[0,0,0,0],"updaterVersion":[0,0,0,0],"workerVersion":[0,0,0,0]} For basic authentication it uses the pair “cortel:money”, where the User-Agent is "USER AGENT".
The server’s response:
{
"login": "240797",
"password": "tdzjIF?JgEG5NOofJO6YrEPQcw2TJ7y4xPxqcz?X",
"updaterVersion": [0, 0, 0, 115],
"updaterLink": "http:\/\/s44571fu.bget.ru\/CortelMoney\/version\/0-0-0-115-upd.7z",
"workerVersion": [0, 0, 3, 0],
"workerLink": "http:\/\/s44571fu.bget.ru\/CortelMoney\/version\/0-0-3-0-work.7z"
}
For basic authentication of future requests the login:password provided by the server will be used. If the trojan’s current version is older than the one the server suggests, the trojan downloads the newest one using the provided link.
The trojan unzips the archive in the %WINDIR%\WinKit\<updaterVersion>\ directory where <updaterVersion> is the “updaterVersion” parameter from the first server response converted into a string.
The trojan stops and deletes the "Windows Node Guard” service. After that it creates it again and changes the executable file to a file of the "Windows Node” service. Then it stops and deletes the "Windows Node” service, creates its copy and changes the executable file to daemon\service.exe. The trojan creates it in the same directory file “service.xml”:
<service><id>service.exe</id><executable>C:\Windows\WinKit\0.0.0.115\msnode.exe</executable><arguments>"C:\Windows\WinKit\0.0.0.115\start.js"</arguments></service>
Then the trojan unzips the worker file into the %WINDIR%\WinKit\SystemNode\ folder and runs %WINDIR%\WinKit\SystemNode\sysnode %WINDIR%\WinKit\SystemNode\main.js.
service.exe
A build of the “winsw” utitily. It uses an xml-file with parameters.
