Scurvy Malware
The file is an obfuscated batch snippet included as part of other scripts dropped during the cracking process. Exactly when the malware is run varies from crack to crack. The batch has some basic anti-analysis built in, but the obfuscation is simple and easy to undo by hand. As a VM check it reads HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation and HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current, so to analyze it in a VM you just need to change the values there.

It also creates HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Alu and will not run if that key is already present. This ensures the payload runs only once per system; delete the key to run it again. The malware also will not execute until a few days after the crack's release. This is implemented by comparing the current date to a list of dates in a cnf file (no extension) that is dropped by the exe. An easy way to check for infected files is to look for this cnf file inside SFX EXEs.
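The check above can be scripted. The following is an added example (not from this page or from the malware author's scripts): it lists every .exe in a folder with 7-Zip and flags the ones whose archive contents include an entry named cnf. It only reads the archive listing and never extracts or runs anything. The 7-Zip path is an assumption; adjust it to where 7z.exe lives on your machine.

```powershell
# Added example: scan SFX EXEs in a folder for a dropped 'cnf' entry.
# Assumes 7-Zip is installed at the default location (adjust $sevenZip).
param([string]$Folder = '.')

$sevenZip = 'C:\Program Files\7-Zip\7z.exe'
if (-not (Test-Path -LiteralPath $sevenZip)) {
    throw "7z.exe not found at $sevenZip"
}

foreach ($exe in Get-ChildItem -LiteralPath $Folder -Filter *.exe -File) {
    # '7z l' prints one line per archive entry; the entry name is the last column.
    $listing = & $sevenZip l $exe.FullName 2>$null
    if ($LASTEXITCODE -ne 0) {
        # Not an archive 7-Zip can open (plain PE, or a packer it does not know).
        "SKIP    : $($exe.Name) (not a readable SFX archive)"
        continue
    }

    # Match an entry whose name is exactly 'cnf', at the archive root or in any subfolder.
    $cnfEntries = $listing | Where-Object { $_ -match '\s(\S*\\)?cnf$' }
    if ($cnfEntries) {
        "SUSPECT : $($exe.FullName)"
        $cnfEntries | ForEach-Object { "          $_" }
    } else {
        "clean   : $($exe.Name)"
    }
}
```

A hit here only means the archive carries a file with that name; confirm by extracting to an isolated folder (7z x -o<dir>) and looking at the cnf contents and the accompanying batch before deciding.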
The batch downloads another obfuscated script from a C&C server, which currently downloads a final payload from the same server, but this could change.
More analysis, including a partially deobfuscated script, can be found on the MAS Discord at https://discord.com/channels/746721520931569757/1138942553220186172/1138942555418022010 or at https://forums.malwarebytes.com/topic/301182-script-malware-samples/
Samples
Less obfuscated version with comments by the dev: https://pixeldrain.com/u/9G1c5UVm https://pixeldrain.com/u/RT8MX91x
Stardock crack at https://filecr.com/windows/stardock-start11: https://pixeldrain.com/u/Nz92f2zv
https://filecr.com/windows/windows-activator-by-goddy: https://pixeldrain.com/u/HaCXAuw2 (the malware starts at line 414; the rest of the file is junk)
For KMS matrix the malware is included in a modified copy of MAS; it starts at line 4890 of %temp%\m_srv.cmd, which is dropped when the GUI opens.
If you find any more info about the malware please contact us.
Am I infected?
Check %temp% for files named cnf, pb.bat, pb.cmd or NetFramework.4.0.7z, and check %SYSTEMROOT% (C:\Windows) for files named WUDFNet.exe, WUDNet.exe, Windows Driver Foundation (WDF).exe or Windows Driver Foundаtion (WDF).exe (the last two differ only by a look-alike character in "Foundаtion", so they are indistinguishable by eye in a file listing), or anything else suspicious. Also check the registry for the key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Alu. If that key exists, you have probably been infected.
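The checks above, as an added PowerShell script (not from this page): it looks for the dropped files in %TEMP% and %SYSTEMROOT%, for the run-once registry key, and, as a general heuristic for the look-alike executable name, for any file directly under %SYSTEMROOT% whose name contains a non-ASCII character. The file and key names come from the list above; the non-ASCII heuristic and the output format are this example's own.

```powershell
# Added example: check a Windows host for the Scurvy indicators listed on this page.
# Run from an elevated PowerShell prompt so hidden/system files are readable.

$hits = @()

# 1. Files dropped into %TEMP% (cnf has no extension).
$tempNames = @('cnf', 'pb.bat', 'pb.cmd', 'NetFramework.4.0.7z')
foreach ($name in $tempNames) {
    $p = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $p) { $hits += "TEMP file: $p" }
}

# 2. Executables dropped into %SYSTEMROOT%. The '.' in "Found.tion" matches
#    both the real letter and the look-alike character used in the second spelling.
$sysRoot = $env:SystemRoot
$exeRegex = '^(WUDFNet\.exe|WUDNet\.exe|Windows Driver Found.tion \(WDF\)\.exe)$'
$rootFiles = Get-ChildItem -LiteralPath $sysRoot -File -Force -ErrorAction SilentlyContinue
foreach ($f in $rootFiles) {
    if ($f.Name -match $exeRegex) {
        $hits += "SYSTEMROOT file: $($f.FullName) ($($f.Length) bytes, modified $($f.LastWriteTime))"
    }
}

# 3. Heuristic (assumption of this example): files directly under %SYSTEMROOT%
#    normally have ASCII names, so a name with a non-ASCII character is worth a look.
foreach ($f in $rootFiles) {
    if ($f.Name -match '[^\x00-\x7F]') {
        $hits += "non-ASCII file name in SYSTEMROOT: $($f.FullName)"
    }
}

# 4. The run-once marker key.
$aluKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Alu'
if (Test-Path -LiteralPath $aluKey) {
    $hits += "registry key present: $aluKey"
    Get-Item -LiteralPath $aluKey | Format-List
}

if ($hits.Count -eq 0) {
    'No Scurvy indicators found.'
} else {
    'Indicators found:'
    $hits | ForEach-Object { "  $_" }
}
```

A clean result from this script does not prove a clean machine: it only covers the indicators known at the time of writing, and the dropped file names could change with the next payload.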
Because the payload is downloaded at the time the malware executes, you might be infected with something different that we have not discovered yet. For example, the same malware appears to have been installing Bright VPN before the final payload was swapped.