I just got a mail with a zip, gmail flagged it as virus, there was 1 javascript file in the zip.
This is the script:
http://pastebin.com/manWMYpM
I dont know javascript very well, but there where some base64 strings and using base64decode.org I found 2 links to exe files.
Virustotal link:
https://www.virustotal.com/en/file/2831210517e598212abe19328a0741ff32e116379beca98dae06977a1172cd0d/analysis/1453810937/
Anyone interested in revers engineering the virus or finding out who owns the website?
I would like to know but don't know how.
bro that's way over our heads this board is just for discussing cell phones, graphics cards, and gaming laptops
>>52631179
This. You overestimate /g/
>>52631179
>>52631219
I know /g/ is mostly memes now, but I thought there should be at least a few people who know this kind of stuff
On line 20 you see eval. All this procedure of decoding and fucking with it is unnessecary, just replace eval with alert (or console.log) to get original code.
http://pastebin.com/9gCP8AQV -> http://pastebin.com/WzJnsAR4
>>52631404
Oh, also this will download and exechXXp://helahhoast.net/93.exe.MALWARE
with backup host of belahhoastbil.com.MALWARE
This is classic, I should look up the exe, it's probably ransomware desu
I hate does faggots sending viruses to people.
VT Hash c33875e0c096292b27bd d17b2821d4c2cd8 9a6dbce97e7aede1 3a1de57462b84
helahhoast is long gone, but auxiliary domain is still active
>>52631179
>>52631219
>>52631337
Getting real sick of this bullshit we can't talk about more advanced technology because most of /g/ are consumer whores. If you want to improve /g/, talk about stuff that will attract people who want to talk about better technology.
This is one interesting exe... Seems like it's GUI, but all words in exe some kind of random
I would run it in VM, but I don't have it right now
Malware is made by a russian, despite domain belahhoastbil.com.MALWARE being registered in Portugal
https://en.wikipedia.org/wiki/Tatars
>>52632371
floorspace housekeeping footman
>>52631819
>https://en.wikipedia.org/wiki/Tatars
source on how you found this out anon?
>>52632461
>>52632485
Whats that?
>>52632626
ResEdit
>>52631179
3.5/4 star post.
OP here, nice to see some serious answers
>>52631404
Didn't know that, thanks
>>52631781
>>52631793
Nice to see some printscreens, did it actually do anything besides showing random gibberish?
>>52631819
>>52632485
>>52632641
Of course it was the Russians, thanks for finding out
>>52633037
>Nice to see some printscreens, did it actually do anything besides showing random gibberish?
If this thread will be alive by the time I will get onto my VM, I will run it on VM
Lol, albanian virus is real
>>52633055
some site runs it on a VM, google the link from helahhoast and you'll find it, it's on malwr dot cum (can't post link because spam)
pic related, it's ransomware
>>52633122
like i said
>>52633122Domain Name: BELAHHOAST.NET
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Sponsoring Registrar IANA ID: 460
Whois Server: whois.webnic.cc
Referral URL: http://www.webnic.cc
Name Server: NS1.LOOSEMONGO.PW
Name Server: NS1.MARSIISAWA.PW
Status: ok https://www.icann.org/epp#OK
Updated Date: 24-jan-2016
Creation Date: 24-jan-2016
Expiration Date: 24-jan-2017
^ shit man shit's fresh
