Cheat Engine

[Geri]

Hi,

We had a guy who was trying to spread malware on this forum. His forum account on this forum was FLING Releases. If you have downloaded his Borderlands 2 trainer, then delete it asap and also make sure to find and delete

- WMIService.exe
- pthreadGC2.dll
- wimihost.exe
- u-host.exe

The files were packed along with LEGIT and WORKING trainers from FLING.

It's unlikely that you have the file, because it was removed fairly quickly and he is already banned, but if someone saw it and run the exe, then make sure to look for those files that I have mentioned above. They will be in the Users folder (probably).

The infected trainers are having a txt file that comes with a text

Downloaded From: TrainersMasterdot tk
Uploaded by: T-Master.
Status: Verified.

If you have this, it's truly verified that you have malware on your computer. Make sure to avoid any trainer that is related to that site, because the sole purpose of the website is to spread malware.


This does NOT mean that all trainers from FLING are having malwares, it means that someone has modified some of the FLING trainers and packed malware next to it.

(And thanks for atom0s who has analyzed the file in details.)

[Geri]

Here is an update.

It has turned out that the guy who is spreading this malware has also repacked h4x0r's trainer on another forum and he has used the name Mr.ExA-MaN.

Be aware that all trainers that are connected to

Trainersmaster
and
exa-man

are malwares.

(Thanks to STN for the additional info.)

[atom0s]

Information regarding these trainers:

Each trainer is repacked into an extractor that dumps files from the executable's resources. (The files are managed, written in VB.NET.)

Each trainer dumps two files to the AppData folder:
- mT
- mM

mT is the actual original trainer file that appears to be unmodified and fine.
mM is the infected trojan / downloader that is used to infect peoples machines. (The actual file name is MemoryStr.exe upon extraction.)

MemoryStr.exe - mM
- File is an executable.
- File is managed, written in VB.NET
- File is obfuscated with CryptoObfuscator.

This file can be deobfuscated with de4dot (https://github.com/0xd4d/de4dot) to dissect the important data from it.
Once the file is deobfuscated, we can investigate the file further with ILSpy (http://ilspy.net/).

The file does the following upon being loaded:
- Connects to the site trainersmasterdot (dot) tk/api/ and downloads a base64 string.
- Decodes the base64 string and does some minor DES decryption using the key: DerLo (uses MD5 of this string)
- Decoded string is the address to download another file.
- The decoded file being downloaded is found at: exa-main (dot) site90 (dot) net/MyDB.db
- File is downloaded and stored where the original trainer was launched. This file is saved as WMIClient.exe
- File is then executed immediately after being launched.

WMIClient.exe / MyDB.db
- File is an executable.
- File is managed, written in VB.NET
- File is obfuscated with CryptoObfuscator.

This file contains 3 binaries inside its resources. (m32bit, m64bit, mDll)

Once this file is ran it attempts to download more junk from the internet. (I did not bother to analyze further for this file after the below.)
The file attempts to locate various registry information about your system to locate and determine any anti-virus running on your system.

It cans for the following (truncated from the full list since it looks for a lot of them):
- NOD32, AVG, Avira, AhnLab-v3, BitDefender, ByteHEro, ClamAV, F-Prot, F-Secure, GData, and much more.

It adds itself to your systems registry to ensure that it runs on startup of your machine.
It creates several more executables/binaries onto the disk:
- WMIService.exe
- pthreadGC2.dll
- wimihost.exe
- u-host.exe

It attempts to access info on your processor via:
- HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString

It attempts to access more downloadable files and junk:

[++METHOS]

Nice work on the analysis.

[STN]

[DDS]

Nice work atom0s