Channel: XyliBox

Lame scareware

Yesterday I found a sample downloaded via this URL: skyways.co/play.exe. It is a console application with ugly code, plus scareware and a third-party FakeAV call center.
All of the following was so lame that I need to talk about it.


First, the malware checks whether it has been dropped into %SYSTEMROOT%/system/
If that is not the case, it creates a file:

Then you would think it writes into the newly created file, but nope: it adds registry persistence by using the CreateProcess API (oh god, why) instead of using RegCreateKey:

Finally, it writes the file:

It waits 5 minutes, then displays a message box:
"Your computer's file system has encountered a serious error. Please restart the computer or call support at 1-866-286-6162"
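
Registry persistence set by spawning a process, as described above, leaves a command line in process-creation logs that a direct registry API call would not. The following is an added example, not code from the original post: it assumes the spawned child is reg.exe writing a Run/RunOnce value (the post does not show the command line), and every event, path and value name in it is constructed.

```python
import ntpath
import re

# Autostart keys covered here (assumption: Run/RunOnce only; there are others).
RUN_KEY = re.compile(
    r"^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Drop directory named in the post: %SYSTEMROOT%\system\ (not system32).
DROP_DIR = re.compile(r"^(%systemroot%|[a-z]:\\windows)\\system\\[^\\]+$", re.I)

# Constructed process-creation records; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\test\Downloads\sample.exe",
     "CommandLine": r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
                    r" /v sample /t REG_SZ /d C:\Windows\system\sample.exe /f"},
    {"ParentImage": r"C:\Program Files\ExampleApp\setup.exe",
     "CommandLine": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"'
                    r' /v ExampleApp /d "C:\Program Files\ExampleApp\app.exe" /f'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg add HKCU\Software\ExampleApp /v Theme /d dark /f"},
]


def parse_reg_add(command_line):
    """Return (key, value_name, data) for a `reg add` command line, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    if len(tokens) < 3 or tokens[1].lower() != "add":
        return None
    if ntpath.basename(tokens[0]).lower() not in ("reg", "reg.exe"):
        return None
    opts = {t.lower(): v for t, v in zip(tokens[3:], tokens[4:])}
    return tokens[2], opts.get("/v"), opts.get("/d")


def find_spawned_persistence(events):
    """Flag process creations where reg.exe writes an autostart value."""
    hits = []
    for ev in events:
        parsed = parse_reg_add(ev["CommandLine"])
        if parsed is None or not RUN_KEY.match(parsed[0]):
            continue
        key, name, data = parsed
        # Target inside the drop directory raises confidence in the hit.
        hits.append({"parent": ev["ParentImage"], "key": key, "value": name,
                     "data": data, "in_drop_dir": bool(data and DROP_DIR.match(data))})
    return hits
```

Legitimate installers also write Run values this way, so the `in_drop_dir` flag and the parent image are what separate the first constructed event from the second.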

After a reboot, a shutdown procedure is initiated:


And 5 minutes later, the message box appears once again:


I searched for the phone number on Google and found this:
"Technicion is an independent provider of on-demand tech support and not affiliated with any third party"

OK, what about the payment page?
Just 99.99 without any explanation; even the currency symbol is unknown. What a serious site.

And for the story, I tried to call 1-866-286-6162 to insult them and tell them how much I hate their ugly code, etc., but there were no available representatives.
