Finding the author of malware using reverse engineering

Context: I administer a small development Discord server. And recently one of the users reported that someone was trying to force him to download an Exe file.

The first thing to find out was whether the user opened this, as it turned out, malicious file. And, unfortunately, he still opened it. According to the user, the application initiated the launch of the console and closed it after a few seconds. This is clearly not a good sign in the case of software downloaded from nowhere.

To understand the situation, I decided to download this file to my virtual machine. In which case, I would just delete it from my computer. Well, it’s time to investigate.

binary file

First I decided to find out what is in the executable. For this I used the following command:

> strings file.exe

This command finds data like PrintableString in a binary file. It’s good to know about any things like URLs or addresses embedded in a file.

For the most part, the result of this request consisted of various nonsense and slag, but I saw NodeRuntime in it. It turns out the executable file is associated with NodeJS.

In such files, we can find useful information at the end of the result of the strings command. Let’s take a look at it:

function a0_0x47b121(_0x44bb58,_0x4e9d60,_0x355d77,_0x4e9d34,_0x1a193e){return a0_0x1b80(_0x1a193e- -0x1e4,_0x44bb58);

So far, the code looks confusing. In order to understand it, I used the following method.


Since I knew that the file was distributed via Discord, I decided to find out if the source file contained the word “discord”. And I was able to find something.

The names of some functions have been associated with this word: listDiscords, startDiscord, killDiscord And pwnBetterDiscord. The last feature looks promising!

I decided to get on the Internet and look for the source of this function. And it showed up on GitHub:

Pirate Stealer

Let’s see the source code of the “pirate kidnapper”.

Apparently, this app is stealing all the information from the Discord user. It first breaks the Discord client and then “fixes” it with a malicious JavaScript file that secretly steals sensitive information, such as credit card information, through a Discord webhook (the URL where you can send a message to your Discord server) .

According to the author of this tool, it is intended for educational purposes only. Although at the same time, the author sells premium features and offers support. Somehow this doesn’t correlate with the “educational goals” statement.

Finding a URL in Code

The code of the executable is filled with many proxy functions that try to confuse the user. But still I managed to find a webhook:


Let’s try to figure it out. For the sake of brevity, I will rename all obfuscated functions to fn1, fn2… and their parameters to p1, p2…

a0_0x78da73(let’s call it fn1) takes 5 arguments, but its result is only related to the first and last:

function fn1(p1,p2,p3,p4,p5){return fn2(p5 - 0x26a,p1);}

fn2 is a more complex function with cryptographic methods (initialization vector, complex numbers). In order to understand it, I decided to call it directly.

I created a new file which copies the code needed to run fn2, console.log(fn2(0x324 — 0x26a, 0x331)), and … everything went smoothly! Thanks to her, I found out the URL censored for privacy reasons).

Script user search

I decided not to look for workarounds and used this URL to send a warning message to the attacker(s) asking them to PM me. And they wrote…

Unfortunately, our dialogue was not productive. But on the other hand, I found out about the shared servers with the attacker and could warn the administrators of these servers about the danger.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *