OK, with help from my users I can finally confirm that the possible malware data pack I posted yesterday is indeed malware.
And it's distributed by a user named Heroskeep, who uploads his works to two big torrent trackers: 1337x.to and TPB.
Update Jan 15, 2025: Both 1337x.to and TPB have cleaned the Heroskeep accounts; all torrents have been removed.
Below is solid proof that his repacks and other releases contain mining malware, with the steps needed to reproduce it.
To check the malware you need only two files from any of his latest repacks (this has been the case for about 10 months):
setup.exe (installer + malware dropper in one package) and Redist.bin (the malware container, always the same 298.1 MB file).
So, you download the selected files. Let's take his
“FIFA 22-VOICES38 [v1.0.77.45722] [ALL DLCs] [Multi21]” as an example:
magnet:?xt=urn:btih:83691C96A2E8E156EAEBA9014749F26BCE5970BB
After you download said files, DO NOT run setup.exe; better rename it to setup.exe_ so you don't run it by mistake.
Get the Inno Unpacker from https://innounp.sourceforge.net/ and unpack innounp050.rar into the same folder where setup.exe_ is located.
Create a new text file (say, in Notepad), paste this string into it:
innounp.exe -x -a -dUnpacked -m %1
and save as Unpacker.bat
Then drag and drop setup.exe_ onto Unpacker.bat.
A folder called “Unpacked” will be created with the contents extracted from said setup.exe.
Inside that folder there is another folder called “embedded”; you need the “CompiledCode.bin” file from it, which is the bytecode of all the installation functions this setup.exe runs.
“CompiledCode.bin” is not in human-readable format, so we need to convert it:
Download https://github.com/Wack0/IFPSTools.NET/releases
and unpack ifpstools-net_v2.0.4.zip to the folder where “CompiledCode.bin” resides.
Drag and drop “CompiledCode.bin” onto “ifpsdasm.exe”; it will decode the file to “CompiledCode.txt”, which is an assembler-style listing of that bytecode.
While it's much more human-friendly, it still contains obfuscated strings to evade easy detection.
Primitive double base64 encoding is used for that, so we just need to reverse it.
I've made a simple Python script for that (you need Python, or get the full ZIP with proof from the link at the bottom of this post):
https://paste.fitgirlrepacks.org/?ec5cbdfe6c3bebf1#8sXGcAfjSjttezY8YvE3NJB5SWrjxNmFA3vDXTRa7xAK
After you run it with something like “Python.exe _decode_base64_in_asm.py CompiledCode.txt CompiledCode.decoded.asm” you will get the same ASM file, but with a comment on every line that carries an encoded string.
Commented lines will look like this:
assign Var6, UnicodeString_3(“VW1Wa2FYTjBMbUpwYmc9PQ==”) ;DECODED STRING: Redist.bin
where “VW1Wa2FYTjBMbUpwYmc9PQ==” is the hidden, double base64-encoded string and the decoded text is appended at the end, in the comment.
Later in this article I will use line numbers based on that particular “CompiledCode.decoded.txt” file.
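As an added example (this is not the script from the paste link above, just an equivalent written for this post), here is a minimal Python decoder that annotates an ifpsdasm listing the same way. The regex that picks the literal out of UnicodeString_3(...) and the four sample lines are my own assumptions, modelled on the listing lines quoted in this post.

```python
import base64
import binascii
import re
from typing import Optional

# Pulls the literal out of UnicodeString_3("...") as printed by ifpsdasm.
# Curly quotes are accepted too, since copy/paste often converts them.
LITERAL_RE = re.compile(r'UnicodeString_3\(["\u201c](?P<lit>[^"\u201d]*)["\u201d]\)')


def decode_double_base64(literal: str) -> Optional[str]:
    """Return the plaintext when literal is base64(base64(text)), else None."""
    try:
        inner = base64.b64decode(literal, validate=True)
        plain = base64.b64decode(inner, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # plain literal such as "taskkill.exe", not an encoded one
    # Reject byte soup that happens to survive two rounds of decoding.
    if not plain or not plain.isprintable():
        return None
    return plain


def annotate_line(line: str) -> str:
    """Append a ;DECODED STRING comment when the line carries an encoded literal."""
    match = LITERAL_RE.search(line)
    plain = decode_double_base64(match.group("lit")) if match else None
    if plain is None:
        return line
    return f"{line.rstrip()} ;DECODED STRING: {plain}"


def annotate_listing(text: str) -> str:
    return "\n".join(annotate_line(line) for line in text.splitlines())


# Constructed sample in the shape of the ifpsdasm output quoted in this post.
SAMPLE = """assign Var6, UnicodeString_3("VW1Wa2FYTjBMbUpwYmc9PQ==")
pushtype UnicodeString_2
assign Var45, UnicodeString_3("taskkill.exe")
assign Var42, UnicodeString_3("ZG1KdmVIUnlZWGt1WlhobA==")"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: decode.py CompiledCode.txt CompiledCode.decoded.asm
        with open(sys.argv[1], encoding="utf-8", errors="replace") as src:
            result = annotate_listing(src.read())
        with open(sys.argv[2], "w", encoding="utf-8") as dst:
            dst.write(result + "\n")
    else:
        print(annotate_listing(SAMPLE))
```

Lines whose literal is not valid base64 twice over (plain strings such as "taskkill.exe") are passed through untouched, so the output stays a faithful copy of the listing with comments added.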
Part 1: Malware Dropper
1.1 Evading Detection
The setup.exe takes certain measures to avoid easy detection by a human or antiviruses.
It checks the age of the Windows installation, and if it's less than 90 days it doesn't drop the payload (line 16246). It does so because many on-demand virtual machines have a Windows folder with a fresh date, the day the VM was created:
.function(export) BOOLEAN ISWINDOWSFOLDEROLDERTHAN90DAYS()
Then it checks whether setup.exe is running in a virtual machine, or whether process/network monitoring tools, the kind typically used for malware analysis, are present:
function loc_33a at line 29536 and below:
assign Var42, UnicodeString_3(“ZG1KdmVIUnlZWGt1WlhobA==”) ;DECODED STRING: vboxtray.exe
assign Var42, UnicodeString_3(“ZG0xMGIyOXNjMlF1WlhobA==”) ;DECODED STRING: vmtoolsd.exe
assign Var42, UnicodeString_3(“VTJGdVpHSnZlR2xsUkdOdmJVeGhkVzVqYUM1bGVHVT0=”) ;DECODED STRING: SandboxieDcomLaunch.exe
assign Var42, UnicodeString_3(“VUhKdlkyMXZiaTVsZUdVPQ==”) ;DECODED STRING: Procmon.exe
etc.
If any of those is found, no payload is dropped either.
Then, for some reason, it kills the most popular torrent clients it finds, lines 30297 and below:
assign Var44, UnicodeString_3(“/f /im ”qbittorrent*””)
pushtype UnicodeString_2
assign Var45, UnicodeString_3(“taskkill.exe”)
If the script decides that it's a safe environment to drop the malware, it proceeds.
1.2 Dropping the Malware
The script adds an exclusion to the Windows Defender rules for the path where the malware will be dropped, line 30894:
assign Var39, UnicodeString_3(“/c ”powershell Add-MpPreference -ExclusionPath ””)
The target folder for the actual malware is C:\Users\Your Username\AppData\Roaming\Microsoft, line 30929:
assign Var45, UnicodeString_3(“ZTNWelpYSmhjSEJrWVhSaGZWeE5hV055YjNOdlpuUmM=”) ;DECODED STRING: {userappdata}\Microsoft
Yes, it hides itself in the “Microsoft” folder.
Once the folder is created and the exclusion is added, the script selects the file to drop.
It uses two functions for that, at line 16147:
.function(export) void INITIALIZEPAYLOADSIZE()
and in line 16190
.function(export) void INITIALIZERANDOMOFFSETS()
Those are selected randomly out of 40 variants.
Those payload files are located in the Redist.bin file, and setup.exe makes several checks that this file is present and unmodified. This bin has a fake FreeArc header and can't be extracted by any FreeArc version.
The checks are done on lines 25857 and 26001. The first one checks the presence of the file, and the second one verifies its MD5 hash (which is 03cf23c41bc7468021826f7b897f8a7f).
assign Var6, UnicodeString_3(“VW1Wa2FYTjBMbUpwYmc9PQ==”) ;DECODED STRING: Redist.bin
assign Var4, UnicodeString_3(“TUROalpqSXpZelF4WW1NM05EWTRNREl4T0RJMlpqZGlPRGszWmpoaE4yWT0=”) ;DECODED STRING: 03cf23c41bc7468021826f7b897f8a7f
If one of the checks fails, setup closes.
If all checks pass, the setup chooses a random name for the dropped malware, line 17061 and below.
The list is predefined and has 3652 possible variants, like these:
assign Global44[196], UnicodeString_3(“UVhSMGNtbGlkWFJs”) ;DECODED STRING: Attribute
assign Global44[197], UnicodeString_3(“UVhWa1lXTnBkSGs9”) ;DECODED STRING: Audacity
assign Global44[198], UnicodeString_3(“UVhWa2FXZG5iR1U9”) ;DECODED STRING: Audiggle
assign Global44[199], UnicodeString_3(“UVhWa2FXOD0=”) ;DECODED STRING: Audio
assign Global44[200], UnicodeString_3(“UVhWa2FXOVNaV3hoZVE9PQ==”) ;DECODED STRING: AudioRelay
assign Global44[201], UnicodeString_3(“UVhWa2FXOW5jbUZpWW1WeQ==”) ;DECODED STRING: Audiograbber
assign Global44[202], UnicodeString_3(“UVhWa2FXOTBiMjVwWXc9PQ==”) ;DECODED STRING: Audiotonic
assign Global44[203], UnicodeString_3(“UVhWeVlRPT0=”) ;DECODED STRING: Aura
assign Global44[204], UnicodeString_3(“UVhWeWIzSmg=”) ;DECODED STRING: Aurora
assign Global44[205], UnicodeString_3(“UVhWemJHOW5hV056”) ;DECODED STRING: Auslogics
assign Global44[206], UnicodeString_3(“UVhWMGIwTkJSQT09”) ;DECODED STRING: AutoCAD
For example, Aurora.exe was already mentioned in this incident report:
https://reddit.com/r/PiratedGames/comments/1q9tji5/beware_of_user_heroskeep_on_1337x_his_uploads/
Yes, it was this exact malware, but in a different repack from the same Heroskeep uploader.
When all those steps are done, the actual file is dropped into the C:\Users\Your Username\AppData\Roaming\Microsoft folder along with some side files like readme.txt.
To ensure persistence of the malware in the system, setup then adds a scheduled task, line 16695:
.function(export) void INITIALIZERANDOMSCHTASK()
where the task path is also selected randomly and is made to look like some native Windows function is being called:
assign Var2, UnicodeString_3(“VFdsamNtOXpiMlowWEZkcGJtUnZkM05jVlhCa1lYUmxUM0pqYUdWemRISmhkRzl5WEE9PQ==”) ;DECODED STRING: Microsoft\Windows\UpdateOrchestrator\
The task runs every 30 minutes and relaunches the dropped malware if it was killed. The command string is assembled from several pieces, like this one at line 31587:
assign Var41, UnicodeString_3(“SWlBdmMyTWdiV2x1ZFhSbElDOXRieUF6TUE9PQ==”) ;DECODED STRING: ” /sc minute /mo 30
Part 2: Malware Itself
All of those randomly chosen EXEs are slightly modified copies of each other. All of them are packed with Themida (consider it a lightweight equivalent of Denuvo, whose main purpose is to hide what is done inside the exe).
Each of those EXEs is ~7 MB in size, and with proper tools they unpack to ~21 MB each. And of course those are miners. Specifically, Monero/XMR miners.
I've made a Python script for extracting those exes from the Redist.bin file; you can find it in the ZIP at the bottom of this post.
I've uploaded two of those samples to hybrid-analysis.com.
The reports for both files are basically the same.
Lines of interest:
Found a reference to the Stratum Mining Protocol
“stratum+tcp://” (Indicator: “stratum+tcp://”)
Possibly checks for the presence of an adware detecting tool
“mbam.exe” (Indicator: “mbam.exe”)
mbam.exe is the executable name of Malwarebytes, a renowned anti-malware product.
Able to identify sandbox environment running process
Found string “VBoxService.exe” (Indicator: “vboxservice.exe”; Source: “00000000-00007316.00000000.282950.40581000.00000002.mdmp”)
Found string “VBoxTray.exe” (Indicator: “vboxtray.exe”; Source: “00000000-00007316.00000000.282950.40581000.00000002.mdmp”)
Able to identify virtual environment by using API string
Found string “NtQuerySystemInformation” (Indicator: “NtQuerySystemInformation”; Source: “00000000-00007316.00000000.282950.40581000.00000002.mdmp”)
Found E-Mail address in binary/memory
Pattern match: “[email protected]”
Pattern match: “[email protected]”
Found registry location strings in memory
“SOFTWARE\Wireshark” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\GlassWire” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\Paessler” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\SolarWinds” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“HARDWARE\DESCRIPTION\System\CentralProcessor\%d” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“\REGISTRY\MACHINE\SOFTWARE\Classes” in Source: 00000000-00007316.00000000.282950.40A3B000.00000020.mdmp
“\Registry\Machine\Software\Classes” in Source: 00000000-00007316.00000000.282950.40A3B000.00000020.mdmp
Shows ability to use execution guardrails
The analysis shows indicators which can be used as execution guardrails to ensure that payload only executes against intended targets/system. Matched sigs: Able to identify sandbox environment running process
Matched sigs: Contains ability to delay execution by waiting for signal/timeout (API string)
Matched sigs: Contains ability to retrieve the time elapsed since the system was started (API string)
Matched sigs: Able to identify virtual environment by using API string
Matched sigs: The input sample contains the RDTSCP instruction
Tries to access non-existent files (non-executable)
“pe_0000.bad.dll.exe” trying to access non-existent file “C:\INFO.TXT”
“pe_0000.bad.dll.exe” trying to access non-existent file “C:\Users\%USERNAME%\..JSON”
“pe_0000.bad.dll.exe” trying to access non-existent file “%APPDATA%\Microsoft\README.TXT” (which is dropped by the original setup.exe)
Found potential IP address in binary/memory
Potential IP “1.3.101.110” found in string “X25519:1.3.101.110”
Potential IP “1.3.101.111” found in string “X448:1.3.101.111”
Potential IP “1.3.101.112” found in string “ED25519:1.3.101.112”
Potential IP “1.3.101.113” found in string “ED448:1.3.101.113”
Those IPs are located at some Chinese hosting provider. Probably used for C&C. Note, though, that each dotted value sits right next to the names X25519, X448, ED25519 and ED448, which is exactly how OpenSSL labels the ASN.1 object identifiers 1.3.101.110 through 1.3.101.113 of those algorithms, so this heuristic may simply have matched an embedded crypto library rather than real network infrastructure; treat the C&C guess as unconfirmed.
Found potential URL in binary/memory
Pattern match: “proxifyme50.com/launcher_077.exe”
Pattern match: “proxy00002.com/launcher_077.exe”
Heuristic match: “nicehash.com”
Heuristic match: “donate.ssl.xmrig.com”
Heuristic match: “donate.v2.xmrig.com”
Heuristic match: “vpnetworkc.com”
Heuristic match: “proxy00004.com”
Found potential URLs in memory dumps
Found URL “ftp://fhqfg8uu:[email protected]/launcher_077.exe”
Contains ability to perform remote desktop activity (API string)
Found reference to API “WTSSendMessageW” (Indicator: “WTSSendMessage”; File: “pe_0000.bad.dll”)
You can find more info on those files in the write-up made by the vx-underground admin:
https://malwaresourcecode.com/home/my-projects/write-ups/r-piratedgames-drama.-is-it-malware-yes.-is-it-cool-malware-no
The link to this investigation was sent to the 1337x.to moderation team; I hope they ban Heroskeep forever and remove all of his uploads.
Five years ago he was already distributing malware with a different method.
https://www.reddit.com/r/PiratedGames/comments/jp71l4/beware_of_miner_unpackerexe_decompressexe/
As for TPB, the site doesn't have a proper “report” function; they have a side forum for that. If you have the time and the will, you can report that user there so that action is taken against him.
But be advised that people like Heroskeep always return under a new name and with more sophisticated malware. So be very cautious before downloading something from an unknown source, even if you trust the site itself.
Heroskeep_Malware_Files.zip
Contains all needed files for your own analysis.