Advert from a partner:
"Free registration" looks weird for a black affiliate, but wait: you should talk with them in a ticket to get your exe activated
chk4me.com and scan4you.net."
(can be downloaded from "Promo" section on our site) to the same folder you saved the file to.
Rename our software to whatever you like (Skype.exe, Setup.exe, Установка.exe, etc)
Distribute these two files using your sites and receive money. (we recommend to archive both files with ZIP or RAR)"
How to hide the miner in an SFX archive (lol?):
Dear slave masters, check your wallets, you should have received your shares now.
We are glad you're working with us.
Let's talk with them, then.
Okay cool, what about the malware policy?
When the exe is built, we are redirected to the download:
And it's also on vx.vault: http://vxvault.siri-urz.net/ViriList.php?IP=126.96.36.199
Another Bin: https://www.virustotal.com/en/file/865ee01f829539e0fc12178618de8e4c8191ded23919666599538e4a6fc7823d/analysis/1373969781/
After unpacking the lame C++ packer and UPX, we have a lame Visual Basic executable:
Just by looking at the strings you can get a general idea of what the exe is going to do:
The installer is not so silent when you run it 'extracted':
A VBS file is created and run; this VBS file creates a registry entry:
Then it makes two copies of the 'installer':
If we go to the pool to see the wallet statistics:
There is a 'debug' feature if you create the file %APPDATA%/feodalcash.txt with some data in it:
miner unpacked: https://www.virustotal.com/en/file/3637455a4ee0500d93e759ac6bbdaad1da32b62b43af8635a22abf1096c9e928/analysis/1373990984/
Some domains found in the exe:
Then it decodes a string and calls 'pastebin.com/raw.php?i=k5ckPmLv' (the decoded string):
Then it does a CreateFile for 'lkfjl23j.db' and some others, and calls the affiliate with another decoded string.
URL structure: /in/open?hwid=70144646&s=115
gamesvk.org.ua is registered to feodalcash and, unsurprisingly, is known on VirusTotal.
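As an added example (not part of the original post, and not the author's code), here is a small detection script a defender could run over web-proxy logs to flag the affiliate check-in described above: requests with the `/in/open` path carrying both `hwid` and `s` parameters, and any request to the gamesvk.org.ua domain the post names. The log format, the `classify`/`scan_log` function names and the sample lines are assumptions constructed for the example; the `hwid`/`s` values in the first line are the ones quoted in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Domain the post names as registered to feodalcash.
KNOWN_DOMAINS = {"gamesvk.org.ua"}
# Check-in path observed in the post: /in/open?hwid=<id>&s=<id>
CHECKIN_PATH = "/in/open"

# Constructed proxy log lines (assumed format, not from the post):
# "<client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET http://gamesvk.org.ua/in/open?hwid=70144646&s=115 200
10.0.0.7 GET http://example.invalid/index.html 200
10.0.0.9 GET http://203.0.113.10/in/open?hwid=12345678&s=7 200
10.0.0.5 GET http://gamesvk.org.ua/favicon.ico 404
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def classify(url):
    """Return a dict describing why the URL looks like the check-in, or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    qs = parse_qs(parts.query)
    reasons = []
    if host in KNOWN_DOMAINS:
        reasons.append("known-domain")
    # Path plus both parameters: same shape as the observed check-in, even
    # when the host is new (the post notes the affiliate host is decoded at
    # runtime, so matching on the URL shape is more durable than the host).
    if parts.path == CHECKIN_PATH and "hwid" in qs and "s" in qs:
        reasons.append("checkin-shape")
    if not reasons:
        return None
    return {
        "host": host,
        "hwid": qs.get("hwid", [None])[0],
        "s": qs.get("s", [None])[0],
        "reasons": reasons,
    }


def scan_log(text):
    """Parse log lines and return one hit record per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, _method, url, _status = m.groups()
        hit = classify(url)
        if hit:
            hit["client"] = client
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["client"], h["host"], h["hwid"], h["s"], ",".join(h["reasons"]))
```

The `hwid` value is worth keeping in the hit record: it is a per-machine identifier, so the same `hwid` seen from several internal clients, or the same client reporting to several hosts, is a quick way to scope an infection from proxy data alone.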
rundll32.exe is executed; this file has network activity with ICQ.
It opens a socket and tries to communicate with it, but the port used is closed on the server.
Anyway, the IP is known on vx.vault: http://vxvault.siri-urz.net/ViriList.php?IP=188.8.131.52
Overall it's a pretty lame piece of malware, and not really stealthy at all. Win7:
Feodalcash is powered by Django... hmm, well, thank you.
Now that we got a view of the administrative panel, let's see from the affiliate interface.
Current Metabank rate: 98,5 $ per bitcoin
Already paid: 6873,390 outstanding 937,840 $
Totally mined: 140,234 BTC
User lists, Sub-accounts:
'Partner apply tickets' are also interesting; we have some nice actors, for example parmezan:
Screenshot in case of delete:
BestAV Affiliate, not bad.