Closed ParzivalWolfram closed 2 years ago
You've given me... a password-protected RAR file. This is, potentially, the requested sample, but it's not exactly helpful.
You've given me... a password-protected RAR file. This is potentially the requested sample, but it isn't exactly helpful.
rarpassword=1453
Ah, this is just the dropper. I've had this for a while, actually, I need the actual sample itself. According to the person using the email as listed, the code has been lost.
Where is the code in MrsMajor that verifies the key? I searched through every file here, and couldn't find it.
I got a key a while back, but the key doesn't work anymore. I emailed them again, and no response.
Where is the code in MrsMajor that verifies the key? I searched through every file here, and couldn't find it.
So, from disassembly, it tries to fetch the actual sample from an external server using the key you provide to authenticate. That server, however, is down, meaning what you type in doesn't matter. The actual file WAS hosted somewhere online, but has been removed. This dropper is now pointless.
(Thanks for the quick response.) Oh, so am I never gonna be able to get it because the server is down?
Can I get around it by compiling the code that we already have?
Yeah, sadly, whoever thought it a good idea to add DRM to meme malware basically killed it for anyone but like 3 YouTubers.
Can I get around it by compiling the code that we already have?
Sadly, no. All you have here is the dropper, I think?
Oh.
Yes. And the public code that's here.
Oh, and this, in large bold letters on the front page. https://github.com/Gork3m/MrsMajor-3.0#do-not-try-to-build-your-own-mrsmajor---that-wont-work-though-ive-modified-the-code-in-a-way-so-it-will-not-work-when-its-built-into-an-exe
I see.
One could PROBABLY get around that, but that's more work than I wanna put in at this point. I also heavily despise Windows developer environments, as I shouldn't need many gigs of VS just for a compiler, etc. etc.
Ok.
I guess that wraps it up. Oh well ¯\_(ツ)_/¯
I hate how it has its own system that checks if you're inside of a VM (according to Siam), AND you need a key that only 4 people have access to.
It's actually 4 keys one person each has, and yes, it does do extensive checks to ensure you're in a VM.
that actually isn't true, Siam got 2 keys by mistake.
Wow, I can’t believe you know so much about such a mysterious malware.
I mean, like I said, I disassembled what I could. I even found a backed up, partial list of key hashes from the original server hardcoded into the dropper... in a format I can't recover the original keys from before the sun explodes.
(yes, that says "horserapistyandere.webhost.com".)
oh...
You’re a hacker.
You’re a hacker.
This is not a secret. I do, technically, fit into that category, yeah.
Despite what the creator says, the code is actually compilable and worked for me (using SharpDevelop, not tested with VS).
Very epic. Leo
Despite what the creator says, the code is actually compilable and worked for me (using SharpDevelop, not tested with VS).
how do i do that?
I mean, like I said, I disassembled what I could. I even found a backed up, partial list of key hashes from the original server hardcoded into the dropper... in a format I can't recover the original keys from before the sun explodes.
(yes, that says "horserapistyandere.webhost.com".)
Data in KeysDB.txt are in this format: $HASH$ENCRYPTED_TEXT$
Dropper looks for matching hash and tries to decrypt the data linked to that hash using the key you provide. Decrypted data is a direct link to google drive cdn to fetch the actual exe. Dropper saves the key on the disk for main executable to verify. (main exe again checks it in KeysDB.txt)
Unfortunately Google removed my KeysDB.txt access (wtf?) and pretty much banned all main executables hosted on Drive, therefore droppers don't work anymore. I might rebuild this soon so people can stop asking me for keys. (I've been getting 30 mails about it daily.)
Also, building the current source won't work because it's missing a lot of stuff in the runtime dir. Those files are originally created by the main dropper exe and are embedded resources that you can't find in this repo.
- Federal#9999
Thanks guys for your contribution.
Hi, my name is Parzival, I'm an admin for the Malware Wiki and I was wondering if you could send me a copy of MrsMajor v3? You can contact me using any method listed here. Thanks!