
Triage of Architeuthis

Published on: 5th December 2024 | Reading Time: 4 min
#Cybersecurity #MalwareAnalysis #CTI

Story Time

On December 3rd, 2024, a good friend of mine sent me a video he had randomly found among his YouTube suggestions, saying that "...it's giving me code vibes. Give it a try..."

While nothing specific was found in the video itself, there was indeed a clue to the next stage. At the end of the video's transcript there was a URL to a GitHub repository called "fidde", published by javaotto.


This repository contained an executable, "theend.exe", and a message:

"run the program to enter the final stage. windows os required."

"There is no risk of malware, even if your computer says so."

The executable was 7.2 MB, so naturally, before even thinking about running it, I submitted it to VirusTotal, where 8 out of 70 security vendors flagged the file as malicious. Not yet being deeply proficient in assembly language and malware analysis, I used Binja, but could only work out the basic behaviour of the code. The code established some persistence, performed some privilege escalation and defence evasion, and communicated with command and control. It created IP traffic with:

  • UDP 192.168.0.25:137
  • TCP 20.99.133.109:443
  • TCP 96.7.158.45:80 (www.microsoft.com)
  • TCP 173.222.198.144:443 (res.public.onecdn.static.microsoft)

Out of frustration that I could not come to any meaningful conclusions, I decided to run the executable to see how the code would behave. I did so in an isolated virtual environment and got a single pop-up window with a riddle:


While there was some background activity, nothing else could be observed within the virtual environment. The device was not encrypted, so I concluded it was most likely not malware, at least not the kind that encrypts the device straight away. I tried to get to the last stage by trying multiple passwords, but none of them worked. A few days later, the YouTube channel released another video:

AFAIK

As of now, I am still not sure what exactly the author's motivation behind this code was. Possibly it is a recruiting method used by some company, or simply an Easter egg. Another hypothesis, that the code was designed as RaaS or a similar campaign, seems less likely considering its weak delivery method, which generated only a few viewers, and even fewer people who got through the gamified funnel to the actual execution of the file. One way or another, the exercise helped me understand the difficulties of CTI and attribution at the technical level.
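Coming back to the triage step: the sandbox traffic list above mixes OS background chatter with the one destination actually worth chasing. The script below is an added example (not the author's code) that sorts such a list into buckets; the rules (RFC 1918 destination, Microsoft-owned hostname suffixes) are ordinary first-pass heuristics and an assumption here, not a verdict on the sample.

```python
import ipaddress
import re

# Constructed input: the four connections from the traffic list above,
# transcribed as plain strings (the parenthesised hostname is optional).
OBSERVED = [
    "UDP 192.168.0.25:137",
    "TCP 20.99.133.109:443",
    "TCP 96.7.158.45:80 (www.microsoft.com)",
    "TCP 173.222.198.144:443 (res.public.onecdn.static.microsoft)",
]

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?:\s+\((?P<host>[^)]+)\))?$"
)
# Hostname suffixes treated as vendor background traffic (an assumption).
VENDOR_SUFFIXES = ("microsoft.com", ".microsoft")


def parse(line):
    """Split 'PROTO ip:port (host)' into a dict; host is None if absent."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised connection line: {line!r}")
    conn = m.groupdict()
    conn["ip"] = ipaddress.ip_address(conn["ip"])
    conn["port"] = int(conn["port"])
    return conn


def classify(conn):
    """Return 'local-noise', 'vendor-background' or 'investigate'."""
    if conn["ip"].is_private:
        # e.g. NetBIOS name service (UDP 137) to the lab subnet: a clean VM does this too.
        return "local-noise"
    if (conn["host"] or "").lower().endswith(VENDOR_SUFFIXES):
        # Reverse-resolved to Microsoft infrastructure (OS/CDN traffic): record, don't pivot.
        return "vendor-background"
    # Public destination with no resolved name: the one to pivot on before any verdict.
    return "investigate"


def triage(lines):
    """Bucket every connection line; each value lists 'ip:port' strings."""
    report = {"local-noise": [], "vendor-background": [], "investigate": []}
    for conn in map(parse, lines):
        report[classify(conn)].append(f"{conn['ip']}:{conn['port']}")
    return report
```

Running `triage(OBSERVED)` leaves exactly one entry in the investigate bucket, 20.99.133.109:443, which is where passive DNS, certificate and sandbox-relation pivots would start.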

To be Continued...