Fake Online Speedtest Application

Similar to my analysis of the Fake Manual Reader and Finder software:

I stumbled upon a series of what appear to be fake online/internet speed test applications. These all follow the same patterns as the manual finder/reader software: they are packed with the Inno Setup packer, they drop Node, run an obfuscated JS file, and set persistence using a task.xml scheduled task.

Scheduled Task:

Obfuscated JS:

Just like the previously mentioned manual reader/finder applications, the decoded strings from the JS are the same:

Software\Microsoft\Cryptography
MachineGuid
0.2.1
Content-Type
text/plain
Content-Length
POST
utf8
data
end
error
base64
/log.txt
0.2.1
=_=
app
asdc
#version#
#a#
{ "ver": #version#, "a": #argString# }
exports
require
module
__filename
__dirname
//# sourceURL=
./temp.js
Function

You can get these by patching the decode return so that each decoded string is logged before it is returned:

//return _0x4375f0.decode(_0xfca211);

return (() => { const r = _0x4375f0.decode(_0xfca211); console.log(r); return r; })();

Setting up a local listener, pointing the C2 (cloud.appusagestats[.]com) at localhost, and generating a certificate, I can capture the POST data:

Looking at the malware itself, there are a couple of things we can do to pull strings out. For the POST data, there is a JSON.stringify that follows the URL section, seen here:

Simply adding a write of the value of _0x4c2a32 to a file or to the console right after the const is declared, we can see what the POST was going to be:

{"0":"\"","1":"{","2":" ","3":"\\","4":"\"","5":"v","6":"e","7":"r","8":"\\","9":"\"","10":":","11":" ","12":"0","13":".","14":"2","15":".","16":"1","17":",","18":"

","19":"\\","20":"\"","21":"a","22":"\\","23":"\"","24":":","25":" ","26":"#","27":"a","28":"r","29":"g","30":"S","31":"t","32":"r","33":"i","34":"n","35":"g","36":"#","37":"

","38":"}","39":"\"","_0x54ff88":"app","_0x207b95":"f4f34c43-9bc1-4a9a-b55f-1d4dd97e0e88","_0x467b2c":"67492aa0-a9de-41ef-9107-3bc675d45663","_0x235f3c":"0.2.1","_0x2e9a79":"10.0.26100"}
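The dump above is consistent with the template string having been spread into a plain object (one numeric key per character) and then merged with the beacon's other properties. As an added example that is not part of the original post, the Node snippet below rebuilds that string from such a dump, unwraps the escaped literal, and separates the version, the unfilled placeholders and the merged-in properties; the sample object is constructed here to mirror the dump (GUID and version values copied from it), and the spread-into-object origin is an assumption.

```javascript
// Constructed sample mirroring the dump above: spreading a string into an
// object yields the "0","1",... keys; the other properties are copied from the dump.
const DUMP = {
  ...'"{ \\"ver\\": 0.2.1,\n\\"a\\": #argString#\n}"',
  _0x54ff88: 'app',
  _0x207b95: 'f4f34c43-9bc1-4a9a-b55f-1d4dd97e0e88',
  _0x467b2c: '67492aa0-a9de-41ef-9107-3bc675d45663',
  _0x235f3c: '0.2.1',
  _0x2e9a79: '10.0.26100',
};

// Rebuild the spread string. Numeric keys must be sorted numerically, not
// lexically ("10" would otherwise come before "2"); the rest are merged-in props.
function rebuildSpreadString(obj) {
  const isIndex = (k) => /^\d+$/.test(k);
  const text = Object.keys(obj).filter(isIndex).map(Number)
    .sort((a, b) => a - b).map((i) => obj[String(i)]).join('');
  const extras = Object.fromEntries(Object.entries(obj).filter(([k]) => !isIndex(k)));
  return { text, extras };
}

// The recovered value is itself a quoted, escaped string literal. JSON.parse
// would reject the raw newlines it contains, so strip the quotes and unescape by hand.
function unwrapQuotedString(text) {
  if (!(text.startsWith('"') && text.endsWith('"'))) return text;
  return text.slice(1, -1).replace(/\\(["\\])/g, '$1');
}

// Extract the already-substituted version and any placeholders still unfilled.
function parseBeaconTemplate(text) {
  const template = unwrapQuotedString(text);
  const ver = template.match(/"ver":\s*([^,\s]+)/);
  const placeholders = [...new Set(template.match(/#\w+#/g) || [])];
  return { template, version: ver ? ver[1] : null, placeholders };
}

// Classify the merged-in properties (GUIDs, version strings, other) for reporting.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function summarizeExtras(extras) {
  const out = { guid: [], version: [], other: [] };
  for (const [k, v] of Object.entries(extras)) {
    if (GUID_RE.test(v)) out.guid.push(k);
    else if (/^\d+(\.\d+)+$/.test(v)) out.version.push(k);
    else out.other.push(k);
  }
  return out;
}

const { text, extras } = rebuildSpreadString(DUMP);
console.log(parseBeaconTemplate(text), summarizeExtras(extras));
```

Against the sample this reports version 0.2.1, `#argString#` as the one placeholder not yet filled, and two GUID-shaped values among the merged properties.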

I'm still working through this; I suspect I can get it to run arbitrary code from my local server, and I will keep this updated. In the meantime, the indicators are below.

Indicators

Indicator Type  Name                         Value
Domain          C2                           cloud.appusagestats.com
Domain          Download site                onlinespeedtestservice.com
Hash            onlinespeedtest.exe          77b85765b07954ac0ef88757cb87ac85
Hash            utils-api.js                 8139f622af19e46bacef44a04890afac
Hash            internetconnectioncheck.exe  7feff78eaa5bc4b6986c7077b4c0bb82
Hash            measureinternetspeed.exe     5323dcab8dc8bd7e3282e75c0357eeab