2023-05-15
alright, check it
So I was just chilling at school when all of a sudden, I get a message from my pal in Canada. It was a discord attachment named ClickMe.exe
Now I ain't no fool, so I decided to examine it in a closed environment, the events that happened are as follows in sequential order.
Ghidra is a software analysis and reverse engineering tool created by the NSA. Ghidra was made in Java, but don't put it down because of that; it is POWERFUL. As I was scrolling mindlessly through the assembly code, I noticed a repeated term in the function names.
"PYZ"
Now I looked this term up, and it belongs to a library of compiling python code into a single executable. Next I checked what internal libraries the application was using (he didn't strip symbols) and it was using the win32's network and file API's.
Next, I threw that shenaniganizer into a virtual machine to study its behavior. I had a few SysInternal tools up as I launched the program. So I gingerly double-clicked on its icon and...
An Error popped up. This wasn't entirely unexpected since I had the internet off, and it was using network protocols, but still. I examined the popup error and noticed that it was a Python trace-back. The trace-back essentially said that it couldn't access a website known for grabbing IP's and the geolocation of the IP.
Here's what we know so far:
The last thing I did was a bit of a desperate measure, I know I could've searched through the assembly or decompile back to python code (which I tried and failed to do) but it was a little too tedious. So I popped it into a text editor, I don't know what I was expecting, but I was glad I did it. Among the garbage of binary code being converted to UTF-8, there was a Discord webhook for the info they got from me, so they had a place to send it to. Below the link was a template for sending my information, based on the template they were grabbing my:
From here I kind of just said 'yipee!' and laid the software to rest...
I can provide a sample if you contact me through my email.