E-mailaddress "from" is set to That doesn't mean that this account is owned by the hacker, just that the mails appear to be sent by The e-mails are sent to This is the e-mailaddress that the hacker itself is going to use to receive the mails upon.Since I do not have any respect for hackers, and since this information can be found in the malware itself, I am going to (partially) share this information:
I hope for this person that he uses a special Gmail account for this that can't be linked to his real account, since these credentials are up for grabs in the malware and with a hex-editor you can find them quite easily. That opens up more information and more perspective: you can't send mails using Gmail without authentication, so the person who wrote this, uses a Gmail account that is linked to this. So, in reality, all it does is send an e-mail using Gmail. It will then display a page with a button, which just gives an error when clicked upon. If the e-mail is send succesfully, it will display that the server was installed succesfully: Going through the code, I can confirm that the only thing it does, is to send an e-mail (more on that later). When you run the application, it initially doesn't do anything until you get to the login-page. In fact, it uses a plugin to handle the mail sending, which I suppose is the reason why this tool was chosen in the first place. Being built in AMS, it's far from real programming. There are some image files included, including Pyre Fierceshot renamed as "Kyle":Īt this point, we don't see anything special - however, with my unpacking, I was able to go through the code of the application. I went ahead and unpacked the malware, which is in reality just a AutoPlay Media Studio application which is used to build interactive CD-menus (when that was still relevant). This has been written with the single purpose of collecting login information about Guild Wars accounts. With my analyzing of the malware, I can verify that it doesn't contain anything else like a private server or does anything even close like it reports to. It also contains a few images, which you can see when the tool runs, and some that aren't used. The reason why this file is so large, is because it contains a video (containing a trailer for GW) which is 82.7 MB big.
The malware itself presents itself as a 92 MB file, but in reality it's about 10 MB big. So, this will be the final write-up I hope about the malware.
0 kommentar(er)
