Fake Manual Software

Another variant of what I've been looking at over the past week caught my eye today. Just wanted to give a real quick review of this, showing the POST encoding/decoding process.

OpenMyManual.exe (9f948215b9ee7e7496ce3bc9e46fda56b50cc8905b88535225c7651007f660d5)

Drops a copy of node.exe as well as a malicious JS file (2cd68ea7f02e8cfaded52d64c2cb71b64560b3799c948960db37e827618ff22d)

Like in my last post, you can run this through a JS deobfuscator, make a couple of quick edits, and then run node.exe with --inspect-brk to set breakpoints and step through the program:


What you eventually get is the C2 (api.evil.com/nss), the POST data, and how that POST data is encoded before it is sent out to the C2. The 16-byte buffer is the XOR key; the 176-byte buffer is the data that ends up Base64-encoded (shown here as _0xda4df9).

To date, I have not gotten a response back from any of these C2s. I've looked at several of these, and they all so far have a pattern like ^api\.[a-zA-Z0-9]{18}\.com$

/nss has been consistent as well. In Wireshark I get an RST back from these.

