@IlluminatiFish
Created August 9, 2022 02:02
A small write up of what the tjx6 stealer is and what it does.

Introduction

I was casually using my YouTube crawling bot (Kaelego) as I usually do to find new fake Hypixel Skyblock modifications that are present in YouTube video descriptions, when I stumbled upon this peculiar sample (Video: https://www.youtube.com/watch?v=akZl0ZajV-Y).

The channel from which the video was uploaded, "Tutpeter", has another video, uploaded July 23. The video shows a "duping mod", but the download links (MediaFire) showed that both files were uploaded from Germany on July 24 at 8:51 AM. Both files are also exactly the same size (756.3 KB). It is possible that the link was changed in the first video to a fresh link, with a new sample of tjx6.

The JAR file was very weird from the get-go, as neither Java decompilation software such as Recaf nor any ZIP library wanted to open it, because no Central Directory File header could be found.

So my fellow analyst (@Angry-Pineapple3121) and I decided we should use another ZIP utility, and after trying several approaches, we finally managed to repair the JAR so that it could be unzipped, using the following command: zip -FF <FILENAME>.

Once that was out of the way, we decided to dive right into the code, as even prior to unzipping I had identified very obvious class names such as Discord.class and Telegram.class, which made me think that this was quite a new type of stealer, since neither Angry nor I had previously found a stealer that also targets Telegram credentials.
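As an added example (not the analysts' own tooling), the triage check below shows how the class names could be read out of such a JAR before any repair: it tests for the End of Central Directory record that zipfile and Recaf rely on and, when it is missing, walks the local file headers that precede each member's data. The truncated JAR it parses is constructed inside the script; only the member names are taken from this write-up.

```python
import io
import struct
import zipfile
from typing import List

# Signatures from the ZIP spec (APPNOTE.TXT). Recaf and zipfile locate members via
# the central directory / EOCD record, which the tjx6 sample lacked.
LOCAL_FILE_HEADER = b"PK\x03\x04"
CENTRAL_DIR_ENTRY = b"PK\x01\x02"
EOCD = b"PK\x05\x06"
FLAG_DATA_DESCRIPTOR = 0x0008


def has_central_directory(data: bytes) -> bool:
    """True if an EOCD record exists near the end (22 bytes + comment <= 65535)."""
    return EOCD in data[-(22 + 65535):]


def walk_local_headers(data: bytes) -> List[str]:
    """Recover member names from local file headers, which precede each member's
    data and survive a stripped central directory (what the analysts did by eye)."""
    names, pos = [], 0
    while True:
        pos = data.find(LOCAL_FILE_HEADER, pos)
        if pos < 0 or pos + 30 > len(data):
            break
        # after the 4-byte signature: version, flags, method, time, date, crc32,
        # compressed size, uncompressed size, name length, extra length
        (_v, flags, _m, _t, _d, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        start = pos + 30
        names.append(data[start:start + name_len].decode("utf-8", "replace"))
        pos = start + name_len + extra_len
        # skip the payload when its size is in the header (no data descriptor), so
        # a stray "PK\x03\x04" inside member data is not taken for a header
        if not flags & FLAG_DATA_DESCRIPTOR:
            pos += csize
    return names


def make_truncated_jar() -> bytes:
    """Constructed sample: a valid JAR with its central directory and EOCD cut off,
    imitating the broken tjx6 JAR (member names taken from the write-up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in ("me/caller/Starter.class",
                     "me/teejayx6/scammachine/payloadz/Discord.class",
                     "me/teejayx6/scammachine/payloadz/Telegram.class"):
            zf.writestr(name, b"\xca\xfe\xba\xbe constructed placeholder bytes")
    data = buf.getvalue()
    return data[:data.find(CENTRAL_DIR_ENTRY)]
```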

Once inside the code, we realised it was heavily obfuscated with an open-source obfuscator called Bozar. Since we know how to deobfuscate this obfuscation, we had no issues uncovering what was really inside.

Findings

The following information is what we found:

Important Classes:

  • me/caller/Starter.java: Initiates the stealer code only if launched with Forge from Minecraft
  • me/teejayx6/scammachine/Main.java: Main class of the stealer that runs all the stealing code

File Structure:

me/
├─ caller/
│  ├─ Starter.java
├─ teejayx6/
│  ├─ scammachine/
│  │  ├─ payloadz/
│  │  │  ├─ Autofill.java
│  │  │  ├─ Cookies.java
│  │  │  ├─ CreditCards.java
│  │  │  ├─ Crypto.java
│  │  │  ├─ Discord.java
│  │  │  ├─ FileZilla.java
│  │  │  ├─ Minecraft.java
│  │  │  ├─ Passwords.java
│  │  │  ├─ Steam.java
│  │  │  ├─ Telegram.java
│  │  ├─ util/
│  │  │  ├─ ArchiveUtil.java
│  │  │  ├─ FileUtils.java
│  │  │  ├─ TempFile.java
│  │  │  ├─ WindowsRegistry.java
│  │  ├─ Config.java
│  │  ├─ HttpRequest.java
│  │  ├─ Main.java

Description

The stealer dubbed tjx6 is a well-structured stealer, as seen by all the specific stealing classes being separated into their own dedicated folder (payloadz). tjx6 exfiltrates all this stolen data to the following C2 URL via a simple HTTP POST request. The attacker's configured API key from the me/teejayx6/scammachine/Config.java class is appended to the C2 URL in the following manner:

  • http://yoink.site/atlanta/<API_KEY>.php

The API key in this specific sample is set to 4a00522927dde661e1dc519671891d, with the user agent used by the POST request being f4kc u //.
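Added example, not code from the original write-up: a detection check that runs the C2 host, the /atlanta/<API_KEY>.php layout and the User-Agent described above over proxy log lines. The log format and the sample lines are constructed (the API key regex accepts any hex run, since other samples may be configured differently), and the checkip.amazonaws.com lookup is only flagged as a weak signal because it is a legitimate service.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators from the write-up: C2 host, /atlanta/<API_KEY>.php layout (the key in
# this sample is 30 hex chars; other samples may differ, so any hex run is matched)
# and the odd User-Agent the exfiltration POST uses.
C2_HOST = "yoink.site"
C2_PATH = re.compile(r"^/atlanta/[0-9a-f]+\.php$")
C2_USER_AGENT = "f4kc u //"
IP_LOOKUP_HOST = "checkip.amazonaws.com"  # legitimate service, weak signal on its own

# Constructed proxy log format: <timestamp> <client> <method> <url> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def match_indicators(line: str) -> List[str]:
    """Return the tjx6 indicator names a single proxy log line matches."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return []
    hits: List[str] = []
    url = urlsplit(m["url"])
    if url.hostname == C2_HOST:
        hits.append("c2-domain")
        if m["method"] == "POST" and C2_PATH.match(url.path):
            hits.append("c2-exfil-endpoint")
    if m["ua"] == C2_USER_AGENT:
        hits.append("c2-user-agent")
    if url.hostname == IP_LOOKUP_HOST:
        hits.append("ip-lookup-weak")
    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each matching line to its indicators; lines with no hits are dropped."""
    return {ln: hits for ln in lines if (hits := match_indicators(ln))}


# Constructed sample log: the IP lookup, an exfiltration POST, and a benign lookalike
SAMPLE_LOG = [
    '2022-07-25T10:00:00Z 10.0.0.5 GET https://checkip.amazonaws.com/ "Java/1.8.0_51"',
    '2022-07-25T10:00:01Z 10.0.0.5 POST http://yoink.site/atlanta/4a00522927dde661e1dc519671891d.php "f4kc u //"',
    '2022-07-25T10:02:10Z 10.0.0.7 GET https://example.com/atlanta/index.php "Mozilla/5.0"',
]
```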

Looking further into the domain name yoink.site, it appears it was purchased on the 30th of September 2021, which is odd; however, the WHOIS record was updated not long (10th June 2022) before the date of the first sighting of a sample in the wild (23rd July 2022). From the WHOIS data we can tell that this domain seems to be registered with the registrar REGRU and that the technical contact for this domain is [email protected], which appears to be the email of the domain owner.

The stolen Minecraft information and passwords are all appended to one big string which also includes the current date and time; it also seems to include a weird string with a real well-thought-out message, as seen below:

  • JuggMachine v1 Log-69g0fvcky0s3lf1337

All of this is then bundled into the info.txt file and added to the zip file to be exfiltrated.

NOTE: It will generate a zip file of the stolen data in the temp directory before sending it out to the aforementioned C2.
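Added example (not part of the original write-up): a hunting script that looks through a directory such as the user's temp folder for zip files whose info.txt carries the JuggMachine marker quoted above. The zip file names and their contents are constructed here for the demonstration; only the marker string comes from the write-up.

```python
import os
import tempfile
import zipfile
from typing import List

# Marker tjx6 writes into info.txt before zipping the stolen data (from the write-up)
MARKER = b"JuggMachine v1 Log-69g0fvcky0s3lf1337"


def find_tjx6_bundles(directory: str) -> List[str]:
    """Return paths of zip files in `directory` whose info.txt contains MARKER.
    Non-zip and unreadable files are skipped rather than aborting the sweep."""
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        try:
            with zipfile.ZipFile(entry.path) as zf:
                if "info.txt" in zf.namelist() and MARKER in zf.read("info.txt"):
                    hits.append(entry.path)
        except (zipfile.BadZipFile, OSError):
            continue
    return sorted(hits)


def build_constructed_samples(directory: str) -> None:
    """Constructed fixtures: a zip imitating a tjx6 bundle (random-looking name, as
    the write-up describes), a benign zip with its own info.txt, and a non-zip."""
    with zipfile.ZipFile(os.path.join(directory, "a8f3k2.zip"), "w") as zf:
        zf.writestr("info.txt", b"2022-07-25 10:00:01\n" + MARKER + b"\n")
    with zipfile.ZipFile(os.path.join(directory, "backup.zip"), "w") as zf:
        zf.writestr("info.txt", b"release notes for an unrelated backup")
    with open(os.path.join(directory, "notes.txt"), "w") as fh:
        fh.write("not a zip at all")


def demo() -> List[str]:
    """Run the sweep over a throwaway directory and return the matching basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        return [os.path.basename(p) for p in find_tjx6_bundles(tmp)]
```

On a real host you would point find_tjx6_bundles at tempfile.gettempdir() instead of the throwaway directory.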

tjx6 also has Windows Registry reading functionality, which it uses extensively to grab various information out of the registry from the victim's machine.

Information Grabbed

  • System:
    • Operating System Name
    • Username
    • IP (from https://checkip.amazonaws.com)
    • HWID
  • Discord:
    • Token:
      • Windows:
        • Discord
        • Discord PTB
        • Discord Canary
        • Opera
        • Chrome
        • Edge
        • Vivaldi
        • Yandex
        • Brave
      • Mac:
        • Discord
        • Discord PTB
        • Discord Canary
        • Firefox
        • Chrome
    • Saved Payment Methods
    • Email
    • Phone
    • ID
    • Username
  • Minecraft:
    • Username
    • Token
    • UUID
    • Session ID
  • Auto Fill Data, Credit Cards, Cookies, Passwords:
    • Google Chrome (Windows, Mac, Linux)
    • Opera (Windows, Mac, Linux)
    • Brave (Windows, Mac, Linux)
    • Yandex (Windows, Mac, Linux)
    • Edge (Windows, Mac, Linux)
  • Crypto Wallet Information:
    • Armory
    • Atomic
    • Electrum
    • Ethereum
    • Exodus
    • Jaxx
    • Zcash
    • Bytecoin
    • Bitcoin (from Windows Registry)
    • Dash (from Windows Registry)
    • Litecoin (from Windows Registry)
    • Monero (from Windows Registry)
  • Steam:
    • All files with the .vdf extension found in the config folder of the Steam installation path
    • All files that include ssfn in the name found in the Steam installation path
  • Telegram:
    • Configuration Data
    • User Tags
    • Settings
    • Key Data
  • FileZilla:
    • Recent Servers (recentservers.xml)

IOCs

  • uesgomv (mod id)
  • JuggMachine v1 Log-69g0fvcky0s3lf1337 (found in exfiltrated data)
  • http://yoink.site/atlanta (C2 server URL)
  • f4kc u // (User Agent in exfiltration POST request)
  • 4a00522927dde661e1dc519671891d (C2 API key)
  • Weirdly named ZIP file in temporary directory
@cattyngmd

The JAR file was very weird from the get go as neither Java decompilation software such as Recaf nor any ZIP libraries wanted to open it due to there being no Central Directory File header found.

Have you tried the latest 3X snapshot?

good morning sir

@IlluminatiFish (Author)

The JAR file was very weird from the get go as neither Java decompilation software such as Recaf nor any ZIP libraries wanted to open it due to there being no Central Directory File header found.

Have you tried the latest 3X snapshot?

At the time we did not, probably should've in hindsight
