[WARNING] How the private server AELDRA is stealing your .cpp files

  • Hi! In this topic I'm going to explain how Aeldra steals people's files (.cpp files) from their computers.


    CREDITS:

    xp123 (big credits, he spotted this in Aeldra)

    Seremo (some help in analysing packets)


    Aeldra uses the Themida protector to prevent analysis, which is why analysing it is much harder than analysing standard, non-virtualized / unprotected files!


    1. What am I using for the analysis?



    Static analysis: IDA Pro (plugins: Class Informer / x86emulator / Auto RE / private scripts)

    Debugging: x86dbg (plugins: HyperHide / edited TitanHide / edited ScyllaHide / OllyDumpEx )


    And more private tools



    2. How does it work?


    Aeldra searches for .cpp folders on your PC when the function is active (they can turn it on / off server-side).

    Packet header that sends the file to the server: 0x9B

    Structure (screenshot hidden for guests):

    name = file name .cpp (example: test.cpp)

    data = file data (example: #include "stdafx.h")


    This function is now turned off, after we spammed this packet (using a clientless) with a lot of files; the server probably crashed after we sent too many files and it ran out of disk space.


    3. Analysis


    RVA + base = 3659A0 (RVA) + 00CD0000 (base of the dumped file) = 0x010359A0


    As you can see, this function sends a file to the server, and it is not the function that sends the guild logo (screenshot hidden for guests).


    If you are more interested in this function, find it yourself; I don't want to add 100 screenshots to the thread.


    ----------------------------------------------------


    WinAPI: FindFirstFileExW / FindNextFile


    They are trying to find folders with the names "xbot" / "hlbot" (screenshots hidden for guests).


    [#] Then it sends it to the server (screenshots hidden for guests).


    Download the dumped aeldra_205_dump.exe ONLY for static analysis purposes!!!

    Password to zip: INFECTED

    Download: (link hidden for guests)

    VT: (link hidden for guests)



    Conclusions:

    As you can see, AV doesn't detect all malware, especially if it is virtualized by, for example, Themida / VMProtect / Enigma; it needs manual analysis.


    AV mainly works on heuristic / signature detection, which is why it is marked as undetected at the moment.



    DON'T TRUST ANYONE! Especially private servers! No one knows what the owners can add inside, and it doesn't matter if they are big or small 🙂
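As an added example, not part of the original post and not Aeldra's code: a small Python triage script for checking an unpacked dump (such as the aeldra_205_dump.exe offered above) for the indicators this thread names, i.e. imports of FindFirstFileExW / FindNextFile and the wide (UTF-16LE) strings "xbot", "hlbot" and ".cpp" that those W-suffixed APIs consume. The SAMPLE_DUMP buffer is constructed here only so the script has something to run against offline; pass a real dump path as the first argument instead. Two caveats: in the Themida-protected file on disk these strings are hidden, so the scan is only meaningful against a dump taken after unpacking, as the post does; and a hit is an indicator to follow up in a disassembler, not proof by itself, since a legitimate client may also walk directories.

```python
import re
import sys
from pathlib import Path

# Indicators named in the thread: the directory-walking Win32 API and the
# folder / extension names the dumped client searches for.
ASCII_INDICATORS = [b"FindFirstFileExW", b"FindNextFileW", b"FindNextFileA"]
WIDE_INDICATORS = ["xbot", "hlbot", ".cpp"]


def wide_strings(data: bytes, min_len: int = 4):
    """Yield (offset, string) for UTF-16LE runs of printable ASCII characters,
    the encoding that W-suffixed APIs such as FindFirstFileExW take."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), m.group().decode("utf-16-le")


def triage(data: bytes) -> dict:
    """Return the indicator hits found in an unpacked image."""
    report = {"api_imports": [], "wide_strings": []}
    # Import names live in the PE import name table as plain ASCII.
    for name in ASCII_INDICATORS:
        off = data.find(name)
        if off != -1:
            report["api_imports"].append((name.decode("ascii"), off))
    # Search patterns / folder names are wide strings, matched case-insensitively.
    for off, s in wide_strings(data):
        if any(ind in s.lower() for ind in WIDE_INDICATORS):
            report["wide_strings"].append((s, off))
    # Both halves together are what the thread describes: a directory walk
    # plus the names it is walking for.  Either alone is weak evidence.
    report["suspicious"] = bool(report["api_imports"]) and bool(report["wide_strings"])
    return report


def scan_file(path: str) -> dict:
    """Triage a dump on disk (run it on the unpacked dump, not the packed file)."""
    return triage(Path(path).read_bytes())


# Constructed stand-in for a dump (not real Aeldra bytes): an import-name
# table fragment followed by the wide strings a search loop would pass to the API.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"KERNEL32.dll\x00FindFirstFileExW\x00FindNextFileW\x00"
    + b"\xcc" * 5
    + "*.cpp".encode("utf-16-le") + b"\x00\x00"
    + "xbot".encode("utf-16-le") + b"\x00\x00"
    + "hlbot".encode("utf-16-le") + b"\x00\x00"
    + "C:\\Users".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_DUMP)
    for name, off in result["api_imports"]:
        print(f"import  {name:<18} @ 0x{off:x}")
    for s, off in result["wide_strings"]:
        print(f"wide    {s!r:<18} @ 0x{off:x}")
    print("suspicious:", result["suspicious"])
```

The offsets it prints are file offsets into the dump; to land on the function the post points at, rebase them in IDA against the dump's image base (00CD0000 here) and look for cross-references to the wide strings from the FindFirstFileExW loop.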
