Hi! In this topic I'm going to explain how Aeldra steals files (.cpp files) from people's computers.
CREDITS:
xp123 (big credits, he spotted this in Aeldra)
Seremo (some help with analysing the packets)
Aeldra uses the Themida protector to hinder analysis, that's why analysing it is much harder than a standard, non-virtualized / unprotected file!
1. What I'm using for the analysis
Static analysis: IDA Pro (plugins: Class Informer / x86emulator / Auto RE / private scripts)
Debugging: x86dbg (plugins: HyperHide / edited TitanHide / edited ScyllaHide / OllyDumpEx)
And more private tools.
2. How does it work?
Aeldra searches your PC for .cpp folders when the function is active (they can turn it on / off server-side).
Packet header used to send a file to the server: 0x9B
Structure:
name = file name of the .cpp file (Example: test.cpp)
data = file contents (Example: #include "stdafx.h")
This function is now turned off since we spammed this packet (using Clientless) with a lot of files; the server probably crashed after we sent too many files and it ran out of disk space.
3. Analysis
RVA + Base = 3659A0 (RVA) + 00CD0000 (base of the dumped file) = 0x010359A0
As you can see, this function sends a file to the server, and it is not the function that sends the guild logo.
If you're more interested in this function, find it yourself; I don't want to add 100 screenshots to the thread.
----------------------------------------------------
WinAPI: FindFirstFileExW / FindNextFile
They are trying to find folders with the names: "xbot" / "hlbot"
[#] Then it sends them to the server
Download the dumped aeldra_205_dump.exe ONLY for static analysis purposes!!!
Password to zip: INFECTED
Download: [link only visible to logged-in users]
VT: [link only visible to logged-in users]
Conclusions:
As you can see, AV doesn't detect all malware, especially if it's virtualized by, for example, Themida / VMProtect / Enigma; it needs manual analysis.
AV mainly works on heuristic / signature detection, that's why it's marked as undetected atm.
DON'T TRUST ANYONE! Especially private servers! No one knows what the owners can add inside, and it doesn't matter if they are big or small 🙂
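A small triage script, added here as an example and not part of the original post or of Aeldra, that does the two defender-side checks the thread points at: it looks for the folder-name strings ("xbot" / "hlbot") and the WinAPI names (FindFirstFileExW / FindNextFile) in a dump, in both ASCII and UTF-16LE (the W APIs take wide strings), and it computes Shannon entropy to flag a blob that is likely still packed / virtualized, which is the situation where signature-based AV falls short and a dump for manual analysis is needed. The sample bytes are constructed for the demo, and the 7.0 bits-per-byte threshold is an assumed rule of thumb, not a value from the post.

```python
import math
from collections import Counter

# Strings the post says the client looks for, and the WinAPI it uses to do so.
FOLDER_MARKERS = ["xbot", "hlbot"]
API_MARKERS = ["FindFirstFileExW", "FindNextFile"]  # prefix also matches the A/W variants


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Packed, encrypted or virtualized data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_markers(blob: bytes, markers):
    """Return {marker: [(encoding, offset), ...]} for ASCII and UTF-16LE hits."""
    hits = {}
    for marker in markers:
        offsets = []
        for enc in ("ascii", "utf-16-le"):
            needle = marker.encode(enc)
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                offsets.append((enc, pos))
                start = pos + 1
        if offsets:
            hits[marker] = offsets
    return hits


def triage(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Summarise a dump: is it probably still packed, and which markers are visible?"""
    ent = shannon_entropy(blob)
    return {
        "entropy": round(ent, 2),
        "likely_packed": ent >= entropy_threshold,  # threshold is an assumed rule of thumb
        "folder_markers": find_markers(blob, FOLDER_MARKERS),
        "api_markers": find_markers(blob, API_MARKERS),
    }


# Constructed stand-in for an unpacked dump: plain PE-style import names (ASCII)
# plus the folder names as the wide strings the W APIs would receive.
DUMPED_SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"KERNEL32.dll\x00FindFirstFileExW\x00FindNextFileW\x00"
    + b"\x00" * 16
    + "xbot".encode("utf-16-le") + b"\x00\x00"
    + "hlbot".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 200
)

# Constructed stand-in for a still-protected blob: every byte value equally often,
# which is what a compressed / encrypted / virtualized section looks like to entropy.
PACKED_SAMPLE = bytes(range(256)) * 4


if __name__ == "__main__":
    for label, blob in (("dumped", DUMPED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage(blob))
```

On the dumped sample the markers are visible and entropy is low, so static string scanning works; on the packed sample nothing is visible and entropy is at the maximum, which is exactly the "undetected, needs manual unpacking" case described above.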