[Warning] 9.6 Source based files backdoor

Discussion on [Warning] 9.6 Source based files backdoor within the Rappelz Private Server forum part of the Rappelz category.

#1
elite*gold: 1
Join Date: May 2011
Posts: 542
Received Thanks: 424
[Warning] 9.6 Source based files backdoor

Hello all,

I've been monitoring the releases made lately, especially the one made by MohcenMaher, closely.

I've made an analysis of it on a "disposable" server, and the results are ugly. Very ugly.

As you can see from the video, the CaptainHerlockServer.exe file is a trojan horse carrying two files: (1) a clean captainherlockserver.exe, and (2) a file that is downloaded from the internet via a VBScript, from a file /captainhook.txt on a website.

Once the said CaptainHook.exe is downloaded, it is executed, and it doesn't take a rocket scientist to determine what it does then.

For anyone asking for other proofs, I'll leave links to VirusTotal scans made by Mohcen prior to him settling on the released one; they all connect to the same domain name and to a dynamic DNS (supposedly for the RAT connection?).

You can check the communicating files from this scan, in addition to its registry information, and determine who's involved.

It is very sad how low people with talent and good skills can go; that goes to say that you should always be wary whenever you download things from the internet.

Finally, I'd advise anyone who downloaded it to delete the files immediately, and clean their temp directory, in addition to performing a system-wide scan to remove any potential persistent files.

- Musta.
#2, 04/12/2020, 18:02
elite*gold: 0
Join Date: Oct 2012
Posts: 297
Received Thanks: 12
We want clean 9.6 server files, not files infected with viruses. We are tired of waiting for you.
#3, 04/12/2020, 18:07
elite*gold: 1
Join Date: May 2011
Posts: 542
Received Thanks: 424
Quote (originally posted by ilyaslord36):
We want clean 9.6 server files, not files infected with viruses. We are tired of waiting for you.

I don't have them, yet.
#4, 04/12/2020, 18:13
elite*gold: 50
Join Date: Mar 2012
Posts: 1,036
Received Thanks: 428
Quote (originally posted by MuStA2222):
I don't have them, yet.

Sad thing is that even on Facebook, people are saying that the first released files here are clean and don't have any backdoor...
#5, 04/12/2020, 19:59
elite*gold: 1
Join Date: May 2011
Posts: 542
Received Thanks: 424
Quote (originally posted by アルカード):
Sad thing is that even on Facebook, people are saying that the first released files here are clean and don't have any backdoor...

I tested it and I can tell there isn't anything suspicious with it aside from a hardcoded IP (54.64.27.223) that attempts to connect on port 5000 once the server has finished loading.

That said, I cannot confirm that the files are 100% clean and that there might not be in-game bugs and/or backdoors hardcoded in the server itself.

Here's a comparison of the same part between a 9.5.2 official server and DoseMove's release.

Edit:
As far as the IP is concerned, I'd assume people would be safe just nulling the IP using a hex editor.
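Added example (my own code, not from the thread or from any Rappelz server build) for the hardcoded-address point above: it searches a binary for embedded IPv4 string literals in both ASCII and UTF-16LE, validates each hit with ipaddress, and overwrites one in place with a same-length, NUL-padded replacement so every byte offset and the string's own terminator stay intact. The sample bytes are constructed; the address 54.64.27.223 from the thread appears only inside that sample, and the approach assumes the binary stores the address as a plain string rather than a packed 32-bit value or an obfuscated blob.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed stand-in for a server binary (not a real file): an ASCII
# coordinator address, a UTF-16LE address, and a dotted build number that
# must NOT be reported as an address.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"coordinator=54.64.27.223\x00\x00"
    + "127.0.0.1".encode("utf-16-le") + b"\x00\x00"
    + b"port=5000\x00build 2020.04.12.3\x00"
)

# Dotted quads in ASCII and in UTF-16LE (each character followed by a NUL);
# the lookarounds stop a match inside a longer dotted number.
_IPV4_ASCII = re.compile(rb"(?<![0-9.])(?:\d{1,3}\.){3}\d{1,3}(?![0-9.])")
_IPV4_UTF16 = re.compile(
    rb"(?<![0-9.]\x00)(?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}(?![0-9.]\x00)"
)

def _is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)  # rejects octets above 255
        return True
    except ValueError:
        return False

def find_ipv4_literals(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, address, encoding) for every embedded IPv4 literal."""
    hits = []
    for enc, pattern in (("ascii", _IPV4_ASCII), ("utf-16-le", _IPV4_UTF16)):
        for m in pattern.finditer(data):
            text = m.group().decode(enc)
            if _is_ipv4(text):
                hits.append((m.start(), text, enc))
    return sorted(hits)

def neutralize_ip(data: bytes, offset: int, ip: str, enc: str,
                  replacement: str = "127.0.0.1") -> bytes:
    """Overwrite one literal in place, NUL-padded to its original byte length
    so nothing shifts and the string's own terminator is preserved."""
    old, new = ip.encode(enc), replacement.encode(enc)
    if data[offset:offset + len(old)] != old:
        raise ValueError("no such literal at that offset")
    if len(new) > len(old):
        raise ValueError("replacement must not be longer than the original")
    return data[:offset] + new + b"\x00" * (len(old) - len(new)) + data[offset + len(old):]
```

Run it on a real file with find_ipv4_literals(open(path, "rb").read()) and review the hits before patching anything, since a version or build number can look like an address.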
#6, 04/12/2020, 21:19
elite*gold: 0
Join Date: Jul 2015
Posts: 479
Received Thanks: 639
Quote (originally posted by MuStA2222):
I tested it and I can tell there isn't anything suspicious with it aside from a hardcoded IP (54.64.27.223) that attempts to connect on port 5000 once the server has finished loading.

That said, I cannot confirm that the files are 100% clean and that there might not be in-game bugs and/or backdoors hardcoded in the server itself.

Here's a comparison of the same part between a 9.5.2 official server and DoseMove's release.

Edit:
As far as the IP is concerned, I'd assume people would be safe just nulling the IP using a hex editor.

This would not be an issue if the lapdog @ would release the source he built with, but since he is a Revolution worshipper, everyone knows this will not happen.
#7, 04/12/2020, 21:23
 
elite*gold: 1
Join Date: May 2011
Posts: 542
Received Thanks: 424
Quote (originally posted by SilentWisdom):
This would not be an issue if the lapdog @ would release the source he built with, but since he is a Revolution worshipper, everyone knows this will not happen.

A PDB file would have solved it at least; that's what I'm trying to point out here.
You can never trust a file that's missing PDB files for no obvious reason, especially if you've got a history of trying to RAT random people.
#8, 04/12/2020, 21:30
elite*gold: 0
Join Date: Feb 2011
Posts: 597
Received Thanks: 174
Quote (originally posted by SilentWisdom):
This would not be an issue if the lapdog @ would release the source he built with, but since he is a Revolution worshipper, everyone knows this will not happen.

Look who's talking, the antichrist itself!! I'm not defending Mohcen, but it's not the others' problem if all you know is stealing others' code. I'm sure that all you desire right now is to steal some code from Mohcen.

----
@

I'm not defending the ratted files here either, but just for public knowledge...

If I'm correct, you released files before? No, I don't remember which version, but maybe it would be a perfect idea if you downloaded them and searched for the coordinator IP in the GS you released; I'm 90% sure it's the same IP.

Or just take a look at the source code.
#9, 04/12/2020, 21:30
elite*gold: 0
Join Date: Jul 2015
Posts: 479
Received Thanks: 639
Quote (originally posted by MuStA2222):
A PDB file would have solved it at least; that's what I'm trying to point out here.
You can never trust a file that's missing PDB files for no obvious reason, especially if you've got a history of trying to RAT random people.

They will not release the PDB because it gives people too much low-level information on the GS/SFrame they are releasing. It would also tell us just how true a 9.6 the files are, allow us to see every edit made to the original source files, and it would also clear any chance of hidden code.

They do not refuse to release it because of hidden code, I think, only for the ability to know things you all don't know. So they can remain superior and talk down to you, be your saviors. This is all RevolutionTeam wants: to be your hero with lies and deceit.
#10, 04/12/2020, 21:35
elite*gold: 0
Join Date: Oct 2013
Posts: 128
Received Thanks: 108
Coordinator Server connection Same IP

I just shared it to show.
#11, 04/14/2020, 18:50
elite*gold: 4
Join Date: Jan 2013
Posts: 2
Received Thanks: 0
Thanks @

#12, 03/07/2021, 02:38
elite*gold: 0
Join Date: Nov 2020
Posts: 14
Received Thanks: 2
Hi Musta², I am using the tool SlickEdit Pro 2020, but when I nulled it I can't execute the GS anymore. What am I doing wrong? It's like on the pic. Can you please help me make the files clean from hidden IPs and everything else?

Here's a pic so you can see it.
