Quote:
Originally Posted by #HB
But yeah... Wow, looks like you're straight looking for Paypal accounts. Unfortunately, the Windows Defender caught you.
He's not into Paypal accounts in particular. It's a multi-stage process. This JavaScript crap is only a pre-step to get access to the PC. Once your PC is infected with this glorious piece of crapware, he uploads (a matching?) trojan, usually NJRat, manually to your computer. Not sure if that differs depending on OS or AV (since the crap JavaScript gathers all this information).
Once NJRat is installed, he starts searching your PC for files. All by hand. He also made screenshots of my desktop. I had quite some fun with him.
I drew a lovely image for him. He blatantly closed MSPaint without saving, so I disabled the function to close programs. Then he tried to uninstall NJRat, so I removed that function as well. Then he tried to destroy my VM, so I ended up removing all functions from NJRat, just leaving the screenshot function, forcing him to just sit there and watch.
My best guess is that he turned off his PC after that, because I couldn't get a connection for the next day and the IP didn't answer to ping in the meantime.
I'm not sure if his PC is a VM or something. I can download any file I want, I just need to know its path.
I got his username (OnlyOne) from logs on his PC and found Google Chrome. I downloaded the entire Chrome profile but it seemed to be quite unused. History was empty and no passwords saved whatsoever. However, I (we, some friends I asked for help) found his Facebook profile.
I also stole his background image, the calc.exe (to verify the windows version) and some log files to look for more paths and files.
I also noticed uploading files does not produce an error. I don't know where uploaded files are stored, so I can't confirm the files are actually being stored. But at least I tried uploading some gachi music ;D.