Malware inside Angry Planes & Noclip Mod

[Alex106]

I did a scan with AVG and Malwarebytes and they found nothing

Then i searched in regedit and this is the situation

I'm fine?

[iOnlyEatCops]

You aren't supposed to remove userinit.exe from Registry.

https://technet.microsoft.com/en-us/library/cc939862.aspx

So am I clean? This is in my Registry:

 

[ZZCOOL]

 

 

PLEASE ANSWER, IF YOU CAN!

I don't want to take any chances, i'm not even going to check for the virus...i'm formatting my SSD and changing the passwords on an other PC.

I only have 2 important questions:

 

1- Is this virus capable of remaining in the hard disk (SSD) even after complete formatting? I know some viruses can

2- If that's the case, can the virus spread to other drives in the computer.

 

Anyway i find all the thread confusing.

If i wanted to check if i'm infected (for curiosity), how can i do it?

I have avast, but i can install an other antivirus if needed.

Thanks...i'm freaking out...really worried!!!!!!!!

you can be absolutely sure that formating is going to erase it

 

 

Ok thanks.

How to check for its presence?

Need to imput some special type of scan to my antivirus?

I also heard you can check for the fade.exe and others on your own, but how?

Simply using the "SEARCH" feature in windows?

 

Also last question. Can i move some files from documents (GTA V SAVEGAMES) to an other drive without transporting the virus.

I know...i'm a virus n00b but i'm super anxious right now :S

 

C:\Users\yourname\AppData\Local\Temp

 

check for the file here but i'd advise just to format and change passwords it's the safest route

[GooD-NTS]

Prehaps it's time for OpenIV to be open source.

Yeah, it would be great to have few OpenIV clones with malware inside.

No thanks.

[lewistair1]

I installed the planes mod and now I'm concerned. I deleted the files but have not found fade.exe nor has my anti virus picked up anything. I did find however that the registry files (userinit and shell) were there. Is there anything else i have to do to remove the virus on top of deleting trhe registry entries and the .asi file?

[loseruser]

Looks to be a pretty weak attempt to steal information. From what it looks like if you used the mod and never rebooted, the malicious files shouldn't be in Windows memory anymore, since the attempt to run the executable was from a lame Windows Shell hook. Pretty stupid of the mod developers, all they got out of it was their vilification from all GTA-related communities. Also assuming they weren't smart enough to hide their identity in any place the scripts were uploaded.

 

Also that angry planes mod was really sh*tty. The effect was funny, but the programming was absolutely amateur.

 

A lesson is learned, with a community as immature and malevolent as GTA's, you should never run obfuscated code downloaded from untrusted sources. Hopefully GTA5-Mods goes through with their plan for stricter mod reviewing. It'd be safest just to ban the upload of any pre-compiled code.

[ZZCOOL]

Is it possible that this malware was only added in later versions of the script? As I have the first release version and I can find no trace of the fade.exe, the game doesn't start in windowed mode, there is no csc.exe running in the background and there is no trace of the added "shell" that linked to it, as the op posted

 

 

So is it possible this was added in a later version? I never had the noclip mod installed so i cant say for that. But i run the game right after i read this to make sure that it wasnt running in the background and I've had it installed and running for a few weeks now

no that cannot be possible as fade.exe is in my quarantine since day 1 this was may 8th and i am usually quick with testing and showing mods

[iOnlyEatCops]

So what do you do if you do find Fade in your temp? What's the best way of deleting it?

[Silent]

you should never run obfuscated code downloaded from untrusted sources

This code is not obfuscated. Still, how would a regular user find out? Can't expect people to RE mods before they install them.

[lewistair1]

Well apparently deleting userinit means you cannot logon next time you try.

[ckck]

I'm going to chime in because I was also unwittingly infected on May 8th, by the Angry Planes ASI mod.

 

I was able to do a bit more sleuthing.

 

The initial code executed acts as a loader for another standard trojan (one of the many RAT trojans available out there).

 

The trojan that becomes resident in the system and appears as the csc.exe process is quite interesting.

It's very basic, but loads several modules that add capabilities to it. These modules can consist of pre-compiled DLLs or Visual C# and C# code which it will compile using the installed .NET Framework on the system.

 

The loader is highly obsfucated using Redgate SmartAssembly. The modules rolled out with the loader are included as an encrypted resource blob in the loader. Because of this analyzing the compile executable is very difficult. The easiest way to actually analyze the activity is to load the virus/malware into a virtual machine and capture memory dumps of the running process. This was you get most of the decoded dlls/code which remain resident in memory.

 

I can confirm what the OP said about logging and also confirm that I located the encryption key. However, I did not spend the time to determine the procedures to decrypt the log file as most of the contents were also unencrypted in memory

 

My first clue that something was going wrong, and the first memory dump I got of the process in action was when the administrator of the trojan sent a command to start UDP flooding an IP in Denmark at around 10AM EST on May 11th.

According to the log, shortly before this UDP Flood module was activated, he also activated a Twitch chat flooding module.

The target of these attacks was:

http://www.twitch.tv/brianthedanishviking

77.68.209.7

Further investigation revealed the following modules active:

Facebook spam/credential stealing module

Twitch spam/credential stealing module

Messenger.com spam/credential stealing module

A Steam spamming module

A Steam module that evaluates the items in your inventory and their value based on current market value

A Keylogger module that logs individual button presses in an XML like format, it also includes information about context switches (switching from one app/window to another)

A UDP flooding module

There were others I hadn't deciphered and didn't see in action.

All of the spam/credential stealing modules above will attempt to rip your session cookies for each of the above sites from IE/Chome/Firefox and use the credentials to do their thing.

It stores all this information in a Session#.bin file as described above and ships it to the RAT admin's server.

Now, here's the juciest and most useful bit.

The C&C server is apcrypt.duckdns.org which resolves to 45.58.121.105. It's a cheap windows VPS with a company called https://www.cloudieweb.com/which is utilizing dedicated server rented from Choopa.com

This server is running Remote Desktop on 3389 as well as a webserver, which I believe is acting as an endpoint/C&C server for the RAT. The RAT uses SSL to communicate with this server so I was unable to spy any of that activity in an meaningful way in the time I had available.

Tool used to investigate:

ProcessExplorer

WinDbg

Jetbrains DotPeek

Strings (https://technet.microsoft.com/en-us/sysinternals/bb897439.aspx)

Wireshark

IMPORTANT/TL;DR:

If you didn't read/understand all of the above the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged in sessions to Facebook/Twitch/Youtube/Steam are in his hands. Change all your passwords, logout and log back in to every site mentioned above to invalidate the existing session.

p.s. I will include some strings from the modules referenced above in the following post.

[Darth_Clark]

asi shows clean because antivirus has no signature match , so it goes into dynamic analysis i.e. emulating library execution and finds still nothing because this stuff is called only when script starts ingame (no proper environment for antivirus) , so there will be signatures in av bases soon for the downloader function inside asi , signatures for logger which it is downloading are already in 1/4 of antiviruses

Is the downloader function working through GTA5.exe?

If so, is it means I won't be infected if I blocked GTA5.exe in my Windows firewall since the trojan couldn't get the keylogger exe from hacker's site?

I've made a cracked copy of the game for playing mods while keep my legal copy clean for playing Online. And I blocked the cracked GTA5.exe from reaching internet.

I didn't found either fade.exe or init..exe, and nothing in my AV history.

[Igor Bogdanoff]

And now let's call spiderman to get that douchebag!

[Falenone]

I didn't find any trace of the fade.exe nor registry keys in my computer. I only used the noclip. I uninstalled the mod.

 

Am I safe from it? I ran cCleaner few hous ago and I didn't know about it then. Even if the program was there and now gone, if there's no registry entries then I should be good? I use both Malwarebytes and ESET and they never alerted me.

[Silent]

p.s. I will include some strings from the modules referenced above in the following post.

Great analysis! Thank you

[BS_BlackScout]

That's some real, real, real f*cked up analysis.

Still, we need to go deeper xD

Great job

Edited May 14, 2015 by TrustedInstaller

[rappo]

p.s. I will include some strings from the modules referenced above in the following post.

 

@ckck Thank you for that information - I can confirm that both Angry Planes and No Clip were uploaded by IP addresses from Denmark.

Edited May 14, 2015 by rappo

[iOnlyEatCops]

Deleted the folder that Fade.exe was in. Is my registry good or do I need to delete anything?

 

[MarshallRawR]

 

IMPORTANT/TL;DR:

If you didn't read/understand all of the above the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged in sessions to Facebook/Twitch/Youtube/Steam are in his hands.

 

 

If my antivirus picked it up before all my password changes, am I fine?

[Alex106]

I did a scan with AVG and Malwarebytes and they found nothing

Then i searched in regedit and this is the situation

I'm fine?

[ZZCOOL]

 

I'm going to chime in because I was also unwittingly infected on May 8th, by the Angry Planes ASI mod.

 

I was able to do a bit more sleuthing.

 

The initial code executed acts as a loader for another standard trojan (one of the many RAT trojans available out there).

 

The trojan that becomes resident in the system and appears as the csc.exe process is quite interesting.

It's very basic, but loads several modules that add capabilities to it. These modules can consist of pre-compiled DLLs or Visual C# and C# code which it will compile using the installed .NET Framework on the system.

 

The loader is highly obsfucated using Redgate SmartAssembly. The modules rolled out with the loader are included as an encrypted resource blob in the loader. Because of this analyzing the compile executable is very difficult. The easiest way to actually analyze the activity is to load the virus/malware into a virtual machine and capture memory dumps of the running process. This was you get most of the decoded dlls/code which remain resident in memory.

 

I can confirm what the OP said about logging and also confirm that I located the encryption key. However, I did not spend the time to determine the procedures to decrypt the log file as most of the contents were also unencrypted in memory

 

My first clue that something was going wrong, and the first memory dump I got of the process in action was when the administrator of the trojan sent a command to start UDP flooding an IP in Denmark at around 10AM EST on May 11th.

According to the log, shortly before this UDP Flood module was activated, he also activated a Twitch chat flooding module.

The target of these attacks was:

http://www.twitch.tv/brianthedanishviking

77.68.209.7

Further investigation revealed the following modules active:

Facebook spam/credential stealing module

Twitch spam/credential stealing module

Messenger.com spam/credential stealing module

A Steam spamming module

A Steam module that evaluates the items in your inventory and their value based on current market value

A Keylogger module that logs individual button presses in an XML like format, it also includes information about context switches (switching from one app/window to another)

A UDP flooding module

There were others I hadn't deciphered and didn't see in action.

All of the spam/credential stealing modules above will attempt to rip your session cookies for each of the above sites from IE/Chome/Firefox and use the credentials to do their thing.

It stores all this information in a Session#.bin file as described above and ships it to the RAT admin's server.

Now, here's the juciest and most useful bit.

The C&C server is apcrypt.duckdns.org which resolves to 45.58.121.105. It's a cheap windows VPS with a company called https://www.cloudieweb.com/which is utilizing dedicated server rented from Choopa.com

This server is running Remote Desktop on 3389 as well as a webserver, which I believe is acting as an endpoint/C&C server for the RAT. The RAT uses SSL to communicate with this server so I was unable to spy any of that activity in an meaningful way in the time I had available.

Tool used to investigate:

ProcessExplorer

WinDbg

Jetbrains DotPeek

Strings (https://technet.microsoft.com/en-us/sysinternals/bb897439.aspx)

Wireshark

IMPORTANT/TL;DR:

If you didn't read/understand all of the above the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged in sessions to Facebook/Twitch/Youtube/Steam are in his hands. Change all your passwords, logout and log back in to every site mentioned above to invalidate the existing session.

p.s. I will include some strings from the modules referenced above in the following post.

 

what is fade.exe was detected and quarantined

[LoneMerc]

Epic analysis. How do we know whats wrong in the registry and what to remove?

[rappo]

Was someone using us to get more visitors to their Twitch page?

[Cysiek]

Delete all files in this folder C\Users\YOU\Appdata\Local\Temp and problem solved. Now scan your pc.

[Drkz]

According to what i saw and read it doesn't sound like a state of the art malware guys, actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.

Edited May 14, 2015 by Drkz

[ZZCOOL]

Was someone using us to get more visitors to their Twitch page?

i would think someone was using people to flood a twitch page to attack someones stream

Edited May 14, 2015 by ZZCOOL

[jippa_lippa]

Fellas, regarding the NOCLIP MOD only (i didn't use the other one) something doesn't feel right.

Is the mod ITSELF infected or is there a chance only the one uploaded to GTA5 MODS being infected?

 

I downloaded mine from here:

 

www.gtaall.com/gta-5/mods/60829-noclip.html

 

And i don't have any "fade.exe" in my temp folder

 

By the way i'm super pissed, because the noclip mod is actually very useful for recording videos!!! Might we see it one day in the Official Native Trainer?

Edited May 14, 2015 by jippa_lippa

[Zeynohh]

According to what i saw and read it doesn't sound like a state of the art malware guys, actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.

Can you tell me exactly which ones I shall remove?

[LoneMerc]

According to what i saw and read it doesn't sound like a state of the art malware guys, actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.

What should we look for in the registry? I've searched for both the types of .exe and found nothing, is there anything we should be looking out for? I'd like to be 1000% in knowing it's not running/removed + clean from the reg before changing all my passwords for obvious reasons

 

Does anyone else have an idea if this would steal PuTTY sessions?? I've been SSH'd on my servers/clients servers all day with bloody work...

Edited May 14, 2015 by LoneMerc

[ckck]

Strings from one of the running Twitch module:

 

 

<Module>

yuilgy0y.dll

EntryPoint

Bot

mscorlib

System

Object

_userAgentArray

_targetChannel

Main

.ctor

System.Net

CookieContainer

_cookieContainer

_channel

_randomUrl

_userAgent

Setup

Run

Get

channel

userAgent

url

System.Runtime.CompilerServices

CompilationRelaxationsAttribute

RuntimeCompatibilityAttribute

yuilgy0y

Random

Next

System.Threading

ThreadStart

Thread

Start

.cctor

String

ToLower

Concat

Console

WriteLine

Replace

System.Text.RegularExpressions

Regex

Match

Group

get_Success

GroupCollection

get_Groups

get_Item

Capture

get_Value

System.Web

HttpUtility

UrlEncode

RegexOptions

MatchCollection

Matches

get_Count

Int32

Sleep

Contains

WebRequest

Create

HttpWebRequest

set_CookieContainer

set_Timeout

set_ReadWriteTimeout

set_UserAgent

WebHeaderCollection

get_Headers

System.Collections.Specialized

NameValueCollection

Add

set_Referer

WebResponse

GetResponse

HttpWebResponse

System.IO

Stream

GetResponseStream

StreamReader

TextReader

ReadToEnd

Setup failed

Setup OK

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1b2pre) Gecko/20081015 Fennec/1.0a1

Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/31.0

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36

Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

brianthedanishviking

http://api.twitch.tv/api/channels/

/access_token

No access token response

"token":"(.*?)","sig":"(.*?)",

No token match

http://usher.twitch.tv/api/channel/hls/

.m3u8?token=

&sig=

No select response

http(s)?://([\w+?\.\w+])+([a-zA-Z0-9\~\!\@\#\$\%\^\&\*\(\)_\-\=\+\\\/\?\.\:\;\'\,]*)?

No URLs

{0} URLs

Update

#EXT-X-ENDLIST

X-Requested-With

ShockwaveFlash/16.0.0.235

http://www.twitch.tv/

<X W

z\V

WrapNonExceptionThrows

_CorDllMain

mscoree.dll

VS_VERSION_INFO

VarFileInfo

Translation

StringFileInfo

000004b0

FileDescription

FileVersion

0.0.0.0

InternalName

yuilgy0y.dll

LegalCopyright

OriginalFilename

yuilgy0y.dll

ProductVersion

0.0.0.0

Assembly Version

0.0.0.0

!This program cannot be run in DOS mode.

aOU

.text

`.rsrc

@.reloc

p*r

*BSJB

v4.0.30319

#Strings

#US

#GUID

#Blob

 

 

 

Strings from the running Steam Inventory evaluation module:

 

 

<Module>

02bjg5dv.dll

EntryPoint

Response

MemoryReader

ByteArrayRocks

mscorlib

System

Object

Main

Main2

Get

.ctor

System.Net

HttpWebResponse

HttpResponse

ResponseString

BlockSize

CloseHandle

OpenProcess

ReadProcessMemory

_processId

_handle

OpenHandle

System.Collections.Generic

List`1

FindPattern

Empty

Locate

IsMatch

IsEmptyLocate

url

cookie

hObject

processAccess

bInheritHandle

processId

hProcess

lpBaseAddress

buffer

System.Runtime.InteropServices

InAttribute

OutAttribute

size

lpNumberOfBytesRead

MemoryAddress

bytesToRead

bytesRead

pattern

self

candidate

array

position

System.Runtime.CompilerServices

CompilationRelaxationsAttribute

RuntimeCompatibilityAttribute

02bjg5dv

ToString

Exception

System.Diagnostics

Process

GetProcessesByName

System.Text

Encoding

get_UTF8

GetBytes

get_Id

Enumerator

GetEnumerator

get_Current

IntPtr

op_Explicit

GetString

Contains

Add

MoveNext

IDisposable

Dispose

get_Count

String

Concat

System.Text.RegularExpressions

Regex

Match

Group

get_Success

GroupCollection

get_Groups

get_Item

Capture

get_Value

Kill

System.Threading

Thread

Sleep

op_Inequality

op_Equality

MatchCollection

Matches

Int32

System.Collections

IEnumerator

WebRequest

Create

HttpWebRequest

WebHeaderCollection

get_Headers

HttpRequestHeader

Set

WebResponse

GetResponse

System.IO

Stream

GetResponseStream

StreamReader

TextReader

ReadToEnd

Close

DllImportAttribute

kernel32.dll

Zero

Byte

ToInt32

ToArray

.cctor

steamwebhelper

No process found

7656119??????????%7c%7c

No logins found

http://steamcommunity.com/home

steamLogin=

g_steamID = "(.*?)";

http://steamcommunity.com/profiles/

/inventory/json/730/2/

No inventory

"market_name":"(.*?)","name_color":"(.*?)","background_color":"(.*?)","type":"(.*?)","tradable":(.*?),

z\V

WrapNonExceptionThrows

_CorDllMain

mscoree.dll

VS_VERSION_INFO

VarFileInfo

Translation

StringFileInfo

000004b0

FileDescription

FileVersion

0.0.0.0

InternalName

02bjg5dv.dll

LegalCopyright

OriginalFilename

02bjg5dv.dll

ProductVersion

0.0.0.0

Assembly Version

 

 

 

 

Strings from the Facebook information stealing module:

 

 

wpcdrdeu.dll

EntryPoint

CookieHelper

CryptProtectPromptFlags

CRYPTPROTECT_PROMPTSTRUCT

DATA_BLOB

SQLiteHandler

record_header_field

sqlite_master_entry

table_entry

mscorlib

System

Object

Enum

ValueType

_currentCookie

Main

HttpGet

.ctor

System.Collections.Generic

List`1

GetCookieList

TryReadCookies

CryptUnprotectData

Decrypt

value__

CRYPTPROTECT_PROMPT_ON_UNPROTECT

CRYPTPROTECT_PROMPT_ON_PROTECT

cbSize

dwPromptFlags

hwndApp

szPrompt

cbData

pbData

db_bytes

encoding

field_names

master_table_entries

page_size

SQLDataTypeSize

table_entries

ConvertToInteger

CVL

GetRowCount

GetTableNames

GetValue

GVL

IsOdd

ReadMasterTable

ReadTable

ReadTableFromOffset

size

type

row_id

item_type

item_name

astable_name

root_num

sql_statement

content

url

allowedNames

browser

file

cookieList

pDataIn

szDataDescr

pOptionalEntropy

pvReserved

pPromptStruct

dwFlags

pDataOut

Datas

baseName

startIndex

Size

endIndex

row_num

field

value

Offset

TableName

System.Runtime.CompilerServices

CompilationRelaxationsAttribute

RuntimeCompatibilityAttribute

wpcdrdeu

Add

System.Text

StringBuilder

Enumerator

GetEnumerator

get_Current

String

IsNullOrEmpty

System.Text.RegularExpressions

Regex

MatchCollection

Matches

get_Count

Match

get_Item

GroupCollection

get_Groups

Group

Capture

get_Value

Replace

AppendFormat

MoveNext

IDisposable

Dispose

ToString

Exception

System.Net

WebRequest

Create

HttpWebRequest

set_Method

set_AllowAutoRedirect

WebHeaderCollection

get_Headers

System.Collections.Specialized

NameValueCollection

WebResponse

GetResponse

HttpWebResponse

System.IO

Stream

GetResponseStream

Encoding

get_UTF8

StreamReader

TextReader

ReadToEnd

.cctor

Environment

SpecialFolder

GetFolderPath

Path

Combine

Directory

Exists

DirectoryInfo

GetDirectories

FileSystemInfo

get_FullName

File

Console

WriteLine

Empty

ToLower

Contains

get_Length

get_Default

GetBytes

System.Runtime.InteropServices

DllImportAttribute

Crypt32.dll

GCHandle

GCHandleType

Alloc

AddrOfPinnedObject

Free

IntPtr

Zero

Byte

Marshal

Copy

GetString

Substring

FlagsAttribute

StructLayoutAttribute

LayoutKind

<PrivateImplementationDetails>{8BBC7D72-C61E-48B2-B139-18F84516FABA}

CompilerGeneratedAttribute

__StaticArrayInitTypeSize=10

$$method0x6000009-1

RuntimeHelpers

Array

RuntimeFieldHandle

InitializeArray

Microsoft.VisualBasic

FileSystem

OpenMode

OpenAccess

OpenShare

FileOpen

LOF

Strings

Space

FileGet

Int32

FileClose

CompareTo

Decimal

Compare

BitConverter

ToInt64

op_Equality

Microsoft.VisualBasic.CompilerServices

Utils

CopyArray

Convert

ToInt32

Subtract

ToUInt16

ToUInt64

Int64

Math

Round

get_Unicode

get_BigEndianUnicode

Multiply

IndexOf

Char

Split

LTrim

Conversions

c_user

https://m.facebook.com/settings/account/

<br /><span class="(.*?)">(.*?)</span>

@

[{0}] [Alias: {1}] [Email: {2}] [Cookies: {3}] [Language: {4}]

FacebookData

GET

Cookie

Google

Chrome

User Data

Cookies

Mozilla

Firefox

Profiles

cookies.sqlite

moz_cookies

cookies

host

host_key

.facebook.com

name

value

encrypted_value

{0}={1};

SQLite format 3

Not a valid SQLite 3 Database File

Auto-vacuum capable database is not supported

table

UNIQUE

z\V

WrapNonExceptionThrows

_CorDllMain

mscoree.dll

VS_VERSION_INFO

VarFileInfo

Translation

StringFileInfo

000004b0

FileDescription

FileVersion

0.0.0.0

InternalName

wpcdrdeu.dll

LegalCopyright

OriginalFilename

wpcdrdeu.dll

ProductVersion

0.0.0.0

Assembly Version

0.0.0.0

 

 

 

If you have any questions or requests let me know and I'll see if I can figure out more. I don't have a ton of time to spend on it as my lunch break is over.