GreyPaws (How do I cheat?) Reputation: 0
Joined: 20 May 2016 Posts: 3
Posted: Fri May 20, 2016 2:26 am Post subject: Does this Trainer contain MaLware?
Hi,
I was hoping you guys could take a look at this trainer and let me know if it contains malicious code. The trainer is an EXE, and after doing some light research on this forum I realized that I couldn't simply open the file using CE to check for bad code. After running this file on my own PC, I noticed minor changes were made to my browser settings. I ran a full system sweep using Kaspersky and found a bunch of stuff:
Trojan.WinLNK.StartPage.gena
AdWare.Win32.Shopper.xgf
Trojan.Win32.Generic
Trojan.Win32.Addrop.c
AdWare.MSIL.Agent.aabh
AdWare.MSIL.Agent.abud
AdWare.Win32.ConvertAd.bdhc
A few others, but I'm sure you get where I'm coming from. There were other signs something wasn't right: it looked like something tried modifying the proxy settings on the browser, and a custom DNS entry. Please be careful when looking at this trainer, and thanks in advance.
I tried attaching the file to this post; I guess .RAR and .EXE are not allowed. Please use the links below to get the file from cloud storage, I included two hosts:
Code:
Mega: https://mega.nz/#!K1hklCgK
UL: http://ul.to/u5ql3xoa
mgr.inz.Player (I post too much) Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Fri May 20, 2016 10:04 am Post subject: Re: Does this Trainer contain MaLware?
Trainer generated with official CE6.4 from 26 VI 2014.
I checked the extracted folder. You can check it too, here:
%TMP%\cetrainers\CET7D43.tmp\extracted
Launch the trainer and use the above path in File Explorer. Both binaries are properly signed (with the DarkByte certificate).
Hack BBH v1.1.10.792_64Bit.exe - this is 64-bit CE, renamed
lua5.1-64.dll - this is the Lua engine
defines.lua - a Lua script which sets variable constants
Also, the file "Hack BBH v1.1.10.792_64Bit.exe" in %TMP%\cetrainers\CET7D43.tmp\
is also a properly signed launcher.
About the CET7D43.tmp folder name: yours will be different.
VirusTotal results:
https://www.virustotal.com/pl/file/ceef98de2a00034a24e049e740568bb3f964dbc1524063d070f8bdb4ccd6314b/analysis/1463757194/
Not bad. Only a 17 / 56 hit ratio. I saw a much bigger hit ratio for my own trainer generated with CE6.4 back then, a trainer for STALKER:COP.
Those are true:
ESET-NOD32 - a variant of Win32/HackTool.CheatEngine.AF potentially unsafe
Malwarebytes - HackTool.CheatEngine
Yandex - HackTool.CheatEngine!h2lP7QG9eRI
The other scanner results are just false positives, pure bullshit. Those scanners just detect the launcher or CE itself, and don't give a fuck what the script inside the trainer really does.
The trainer was generated with Cheat Engine. If the trainer was downloaded from a place other than the CE forums, it is potentially unsafe.
Are you sure you downloaded a trainer and not an uploaded.net file downloader?
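The check described in the post above, written out as an added PowerShell example (not code from the thread or from Cheat Engine): while the trainer is running, it walks every CET*.tmp folder under %TMP%\cetrainers, reports the Authenticode status and signer of each .exe and .dll, prints a SHA256 you can search on VirusTotal, and lists the Lua scripts that are the only trainer-specific part worth reading by hand. The CET*.tmp name pattern is taken from the post; the folder layout is otherwise assumed to be as mgr.inz.Player lists it.

```powershell
# Added example: inspect what a running Cheat Engine trainer unpacked
# under %TMP%\cetrainers. Run it while the trainer window is open,
# because the CET*.tmp folder (random name) is removed afterwards.
$root = Join-Path $env:TMP 'cetrainers'
if (-not (Test-Path $root)) {
    Write-Host "No cetrainers folder under $env:TMP - is the trainer running?"
    return
}

Get-ChildItem -Path $root -Directory -Filter 'CET*.tmp' | ForEach-Object {
    $dir = $_.FullName
    Write-Host "`n== $dir"

    # PE files: the launcher in the .tmp folder itself, plus the renamed
    # 64-bit CE binary and lua5.1-64.dll in \extracted. A genuine trainer
    # shows Status=Valid and the Dark Byte signer on all of them.
    Get-ChildItem -Path $dir -Recurse -Include '*.exe', '*.dll' | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            File   = $_.FullName.Substring($dir.Length + 1)
            Status = $sig.Status      # Valid / NotSigned / HashMismatch / UnknownError
            Signer = $signer
            SHA256 = $hash            # paste into the VirusTotal search box
        }
    } | Format-Table -AutoSize -Wrap

    # Lua scripts are plain text; anything the trainer actually does beyond
    # running CE lives here, so open each one and read it.
    Get-ChildItem -Path $dir -Recurse -Include '*.lua' | ForEach-Object {
        Write-Host ("Script to review by hand: {0} ({1} bytes)" -f $_.FullName, $_.Length)
    }
}
```

A HashMismatch or NotSigned status on the launcher or on the renamed CE binary means the file is not the one Cheat Engine generated and should be treated as untrusted regardless of what the scanners say.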
atom0s (Moderator) Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
Posted: Fri May 20, 2016 11:18 am Post subject:
With the trainer fully dumped, it uses:
Code: <CheatTable CheatEngineTableVersion="18">
Code-wise, all it has is some basic auto assembler scripts and some minor Lua. Nothing more than a simple select process and an advertisement link to their personal site.
(I am not posting code from the dumped trainer as it is not yours.)
So the trainer itself is not the issue. Like mgr.inz.Player said, it sounds like you downloaded the upload site's downloader instead of just directly downloading the trainer itself. Downloaders like that are full of adware and will cause issues. The trainer itself is not infected and is just a standard CE trainer file.
- Retired.
GreyPaws (How do I cheat?) Reputation: 0
Joined: 20 May 2016 Posts: 3
Posted: Fri May 20, 2016 2:44 pm Post subject:
Thanks for checking on that for me, I just wanted to make sure this thing didn't do anything strange or hidden. I'm not a PC noob; I originally got the trainer from a cloud storage site using my own download manager. The only thing I can think of is that I did visit the web site advertised on the bottom of the trainer just to see what it was all about. I didn't download or click on anything on that site though, so I'm still at a bit of a loss as to where the spyware came from. The logs show that everything was fine before the time stamp of when I first ran the trainer to see if it actually worked.
If I figure anything out, I will post an update here. I also don't care about the code or source or whatever, as I'm not into programming and CE was just a novel thing to play with for me. I learned the basic stuff I wanted to learn, like how to find and change the value for money on certain single-player PC games like Starpoint Gemini and other space trading games like that.
Thanks again to all those who took the time to look.
STN (I post too much) Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Fri May 20, 2016 3:00 pm Post subject:
Easy to know if the site is suspicious/spreading malware:
Blog-type sites with no ability for users to comment.
Download links hidden behind URL shorteners/click-tracking URL shorteners, e.g. bitly. Spammers use these to track the success of their spam campaign.
Sites leeching off other trainer makers, e.g. a site that goes by flingtrainers. Not always, though.
No author info.
YouTube videos - I don't want to say this because I do YouTube videos as my main traffic source, but these malware videos will ALWAYS have likes/dislikes hidden and link to bitly/click-tracking URL shorteners, again to track the success of their spam campaign. The good thing is these videos do not stick for long, so a video with age > 1 month or even 1 week is always going to be legit.
GreyPaws (How do I cheat?) Reputation: 0
Joined: 20 May 2016 Posts: 3
Posted: Fri May 20, 2016 4:35 pm Post subject:
STN wrote:
Easy to know if the site is suspicious/spreading malware:
Blog-type sites with no ability for users to comment.
Download links hidden behind URL shorteners/click-tracking URL shorteners, e.g. bitly. Spammers use these to track the success of their spam campaign.
Sites leeching off other trainer makers, e.g. a site that goes by flingtrainers. Not always, though.
No author info.
YouTube videos - I don't want to say this because I do YouTube videos as my main traffic source, but these malware videos will ALWAYS have likes/dislikes hidden and link to bitly/click-tracking URL shorteners, again to track the success of their spam campaign. The good thing is these videos do not stick for long, so a video with age > 1 month or even 1 week is always going to be legit.
Excellent advice, and something I wholeheartedly agree with. The main culprit in my case seems to be:
SoftwareBundler:Win32/Mizenota
It installs the following:
BrowserModifier:Win32/SupTab
BrowserModifier:Win32/Sasquor
BrowserModifier:Win32/Smudplu
SoftwareBundler:Win32/Pokavampo
BrowserModifier:Win32/Shopperz
Adware:Win32/EoRezo
I'm still researching exactly where and how that initial file made it on to my system and if there is anything else to find. So far I think I've narrowed down the problem to Firefox not being up to date when I first ran the trainer to "inject" whatever the trainer does into the FlashPlugInContainer process that Firefox uses for Flash games. There might have been a vulnerability in the version of Firefox that I was using, as it is not my main browser and I did not keep it up to date. It is possible that Firefox allowed a connection to a site with an invalid or self-signed certificate without prompting me about the threat. Again, I will update this when I know for sure, if I ever figure it out, that is.