I was casually using my YouTube crawling bot (Kaelego), as I usually do, to find new fake Hypixel Skyblock modifications advertised in YouTube video descriptions, when I stumbled upon this peculiar sample (video: https://www.youtube.com/watch?v=akZl0ZajV-Y).
The channel that uploaded the video, "Tutpeter", has another video, uploaded July 23. That video shows a "duping mod", but the download links (MediaFire) show that both files were uploaded from Germany on July 24 at 8:51 AM. Both files are also exactly the same size (756.3 KB). It is possible that the link in the first video was swapped for a fresh link carrying a new sample of tjx6.
The JAR file was very weird from the get-go: neither Java decompilation software such as Recaf nor any ZIP library would open it, because no Central Directory File header could be found. So my fellow analyst (@Angry-Pineapple3121) and I decided to try another ZIP utility, and after several attempts we finally got the JAR to unpack using the following command:
zip -FF <FILENAME>
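Why the central directory matters: every ZIP reader locates entries through the central directory at the end of the archive, so a JAR with that part missing or damaged is unreadable even though each entry's data is still preceded by its own local file header. The script below is an added example (not the authors' tooling) that builds a constructed JAR-like archive, cuts off its central directory to mimic the damaged sample, confirms the End of Central Directory record is gone, and then recovers the entry names and contents by scanning for local file header signatures. The class names used in the constructed sample are taken from the file structure listed later in the analysis; the class bytes are dummy data.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"          # End of Central Directory record
LOCAL_HEADER_SIG = b"PK\x03\x04"  # local file header that precedes every entry's data
# 30-byte local header: sig, version, flags, method, time, date, crc32, csize, usize, name_len, extra_len
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)


def build_truncated_jar() -> bytes:
    """Constructed sample: a tiny JAR-like archive whose central directory and
    EOCD record are cut off, so ordinary ZIP readers reject it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Names from the analysed file structure; contents are dummy class-file bytes.
        zf.writestr("me/caller/Starter.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        zf.writestr("me/teejayx6/scammachine/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 32)
    data = buf.getvalue()
    eocd = data.rfind(EOCD_SIG)
    # Bytes 16..20 of the EOCD record hold the offset of the central directory.
    cd_offset = struct.unpack("<I", data[eocd + 16:eocd + 20])[0]
    return data[:cd_offset]


def has_central_directory(data: bytes) -> bool:
    return data.rfind(EOCD_SIG) != -1


def walk_local_headers(data: bytes):
    """Return (name, method, compressed_payload) for each local file header,
    found by scanning for the signature rather than trusting the central directory."""
    entries = []
    offset = 0
    while True:
        offset = data.find(LOCAL_HEADER_SIG, offset)
        if offset == -1 or offset + LOCAL_HEADER_LEN > len(data):
            break
        (_sig, _ver, flags, method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack(LOCAL_HEADER_FMT, data[offset:offset + LOCAL_HEADER_LEN])
        name_start = offset + LOCAL_HEADER_LEN
        name = data[name_start:name_start + name_len].decode("utf-8", "replace")
        payload_start = name_start + name_len + extra_len
        if flags & 0x08:
            # Bit 3 set: sizes live in a trailing data descriptor and csize is 0 here,
            # so only the name is recorded and the scan moves on to the next signature.
            entries.append((name, method, b""))
            offset = payload_start
            continue
        entries.append((name, method, data[payload_start:payload_start + csize]))
        offset = payload_start + csize
    return entries


def inflate_entry(method: int, payload: bytes) -> bytes:
    if method == 0:   # stored
        return payload
    if method == 8:   # deflate; ZIP stores a raw stream, hence the negative wbits
        return zlib.decompress(payload, -15)
    raise ValueError(f"unsupported compression method {method}")


def class_names(data: bytes):
    return [name for name, _method, _payload in walk_local_headers(data) if name.endswith(".class")]


if __name__ == "__main__":
    sample = build_truncated_jar()
    print("central directory present:", has_central_directory(sample))
    for entry_name in class_names(sample):
        print(entry_name)
```

This is the same idea zip -FF applies when it rebuilds the archive: the local headers carry enough metadata (name, method, compressed size) to recover the entries, so an analyst can triage a damaged JAR by reading those headers directly instead of repairing the file first.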
With that out of the way, we dove right into the code. Even before unzipping, I had identified very obvious class names such as Discord.class and Telegram.class, which made me think this was a fairly new type of stealer, since neither Angry nor I had previously found a stealer that also targets Telegram credentials.
Once inside the code, we realised it was heavily obfuscated using an open-source obfuscator called Bozar. Since we know how to deobfuscate this obfuscation, we had no issues uncovering what was really inside. The following is what we found:
Important Classes:
me/caller/Starter.java: Initiates the stealer code only if launched with Forge from Minecraft
me/teejayx6/scammachine/Main.java: Main class of the stealer that runs all the stealing code
File Structure:
me/
├─ caller/
│ ├─ Starter.java
├─ teejayx6/
│ ├─ scammachine/
│ │ ├─ payloadz/
│ │ │ ├─ Autofill.java
│ │ │ ├─ Cookies.java
│ │ │ ├─ CreditCards.java
│ │ │ ├─ Crypto.java
│ │ │ ├─ Discord.java
│ │ │ ├─ FileZilla.java
│ │ │ ├─ Minecraft.java
│ │ │ ├─ Passwords.java
│ │ │ ├─ Steam.java
│ │ │ ├─ Telegram.java
│ │ ├─ util/
│ │ │ ├─ ArchiveUtil.java
│ │ │ ├─ FileUtils.java
│ │ │ ├─ TempFile.java
│ │ │ ├─ WindowsRegistry.java
│ │ ├─ Config.java
│ │ ├─ HttpRequest.java
│ │ ├─ Main.java
The stealer, dubbed tjx6, is well structured, as seen by all the specific stealing classes being separated into their own dedicated folder (payloadz).
tjx6 exfiltrates all of the stolen data to the following C2 URL via a simple HTTP POST request. The C2 URL is appended with the attacker's configured API key from the me/teejayx6/scammachine/Config.java class in the following manner:
http://yoink.site/atlanta/<API_KEY>.php
The API key in this specific sample is set to 4a00522927dde661e1dc519671891d, and the user agent used by the POST request is f4kc u //
Looking further into the domain name yoink.site, it appears it was purchased on the 30th of September 2021, which is odd; however, the WHOIS record was updated not long before (10th June 2022) the first sighting of a sample in the wild (23rd July 2022). From the WHOIS data we can tell that this domain is registered with the registrar REGRU and that the technical contact for the domain is [email protected], which appears to be the email of the domain owner.
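The C2 URL shape, the hard-coded user agent and the API key described above are the parts of the exfiltration request a defender can match on. The script below is an added example (not tooling from the original analysis): it runs those indicators over a few constructed proxy log lines (tab-separated timestamp, client IP, method, URL, user agent) and grades each match. The log format, the client IPs and the second, made-up API key are assumptions for the demonstration; the host, path pattern, user agent and the sample's API key are the values given in the analysis.

```python
import re
from urllib.parse import urlsplit

# Indicators from the analysis above.
C2_HOST = "yoink.site"
C2_PATH_RE = re.compile(r"^/atlanta/[0-9a-f]+\.php$")   # /atlanta/<API_KEY>.php; the key is lowercase hex in the sample
C2_USER_AGENT = "f4kc u //"
KNOWN_API_KEY = "4a00522927dde661e1dc519671891d"

# Constructed proxy log. The checkip.amazonaws.com request mirrors the stealer's IP lookup
# but is a legitimate public service, so it is not treated as an indicator on its own.
SAMPLE_LOG = """\
2022-07-24T08:55:01Z\t10.0.0.12\tPOST\thttp://yoink.site/atlanta/4a00522927dde661e1dc519671891d.php\tf4kc u //
2022-07-24T08:55:03Z\t10.0.0.12\tGET\thttps://checkip.amazonaws.com/\tJava/17.0.2
2022-07-24T08:56:10Z\t10.0.0.40\tGET\thttps://www.youtube.com/watch?v=akZl0ZajV-Y\tMozilla/5.0
2022-07-24T09:01:44Z\t10.0.0.77\tPOST\thttp://yoink.site/atlanta/0badc0ffee.php\tMozilla/5.0
2022-07-24T09:02:00Z\t10.0.0.90\tPOST\thttp://example.com/upload.php\tf4kc u //
"""


def parse_line(line: str) -> dict:
    ts, src, method, url, ua = line.rstrip("\n").split("\t", 4)
    parts = urlsplit(url)
    return {"ts": ts, "src": src, "method": method,
            "host": parts.hostname or "", "path": parts.path, "ua": ua}


def match_indicators(rec: dict) -> list:
    """Names of the indicators a single record matches, most specific last."""
    hits = []
    if rec["host"] == C2_HOST:
        hits.append("c2-host")
        if C2_PATH_RE.match(rec["path"]):
            hits.append("c2-path")
            if rec["path"] == f"/atlanta/{KNOWN_API_KEY}.php":
                hits.append("known-api-key")
    if rec["ua"] == C2_USER_AGENT:
        hits.append("c2-user-agent")
    return hits


def severity(hits: list) -> str:
    if not hits:
        return "none"
    if "c2-host" in hits:
        return "high"     # any contact with the C2 host is worth an alert on its own
    return "medium"       # the odd user agent alone: same family, possibly a different server


def scan_log(text: str) -> list:
    """Return (src, host, severity, hits) for every record that matched an indicator."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hits = match_indicators(rec)
        if hits:
            findings.append((rec["src"], rec["host"], severity(hits), hits))
    return findings


if __name__ == "__main__":
    for src, host, level, hits in scan_log(SAMPLE_LOG):
        print(f"{level:6} {src:12} {host:20} {', '.join(hits)}")
```

Matching the host and the path pattern separately means a new build of the same stealer with a different API key still produces a high-severity hit, while the user-agent rule on its own catches traffic to a server the analysis has not seen.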
The stolen Minecraft information and passwords are all appended to one big string, which also includes the current date and time. It also contains a peculiar marker string with a real well-thought-out message, as seen below:
JuggMachine v1 Log-69g0fvcky0s3lf1337
All of this is then written to the info.txt file and added to the ZIP file to be exfiltrated.
NOTE: It generates a ZIP file of the stolen data in the temp directory before sending it out to the aforementioned C2.
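Because the bundle is staged on disk before the POST, the temp directory is a place to look for evidence even when the upload never completed or network logs are gone. The script below is an added example (not from the original analysis) that walks a directory, opens every ZIP it finds and flags archives whose info.txt starts with the "JuggMachine v1 Log" marker quoted above. It builds its own constructed temp directory with one suspicious archive, one benign archive and one non-ZIP file; the archive file names and the info.txt contents are made up for the demonstration, since the analysis only says the real name is "weird".

```python
import os
import tempfile
import zipfile

LOG_MARKER = b"JuggMachine v1 Log"   # marker string quoted in the analysis
BUNDLE_MEMBER = "info.txt"           # member the stealer writes its text log to


def bundle_looks_like_tjx6(path: str) -> bool:
    """True if path is a ZIP containing an info.txt whose first 4 KiB carry the marker."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        if BUNDLE_MEMBER not in zf.namelist():
            return False
        head = zf.read(BUNDLE_MEMBER)[:4096]
    return LOG_MARKER in head


def find_stealer_bundles(directory: str) -> list:
    """Sorted paths of every archive under directory that matches the marker check."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                if bundle_looks_like_tjx6(path):
                    hits.append(path)
            except (OSError, zipfile.BadZipFile):
                continue   # unreadable or half-written archive: skip rather than abort the sweep
    return sorted(hits)


def build_demo_tempdir() -> str:
    """Constructed fixture standing in for a victim's temp directory."""
    d = tempfile.mkdtemp(prefix="tjx6-demo-")
    with zipfile.ZipFile(os.path.join(d, "a1b2c3.zip"), "w") as zf:   # made-up "weird" name
        zf.writestr(BUNDLE_MEMBER,
                    "JuggMachine v1 Log-69g0fvcky0s3lf1337\n2022-07-24 08:51\nUsername: victim\n")
        zf.writestr("Discord/tokens.txt", "<constructed placeholder>")
    with zipfile.ZipFile(os.path.join(d, "report.zip"), "w") as zf:    # benign archive with its own info.txt
        zf.writestr(BUNDLE_MEMBER, "Quarterly notes\n")
    with open(os.path.join(d, "notes.txt"), "w") as f:                  # not a ZIP at all
        f.write("not a zip")
    return d


if __name__ == "__main__":
    demo_dir = build_demo_tempdir()
    for hit in find_stealer_bundles(demo_dir):
        print("stealer bundle:", hit)
```

On a real host the directory argument would be the user's temp folder; the check reads only the start of info.txt so a sweep over many archives stays cheap, and a benign ZIP that happens to contain an info.txt is not flagged unless the marker is present.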
tjx6 also has Windows Registry reading functionality, which it uses extensively to grab various information from the victim's registry.
Stolen Data:
- System:
  - Operating System Name
  - Username
  - IP (from https://checkip.amazonaws.com)
  - HWID
- Discord:
  - Token:
    - Windows:
      - Discord
      - Discord PTB
      - Discord Canary
      - Opera
      - Chrome
      - Edge
      - Vivaldi
      - Yandex
      - Brave
    - Mac:
      - Discord
      - Discord PTB
      - Discord Canary
      - Firefox
      - Chrome
  - Windows:
    - Saved Payment Methods
    - Email
    - Phone
    - ID
    - Username
- Minecraft:
  - Username
  - Token
  - UUID
  - Session ID
- Auto Fill Data, Credit Cards, Cookies, Passwords:
  - Google Chrome (Windows, Mac, Linux)
  - Opera (Windows, Mac, Linux)
  - Brave (Windows, Mac, Linux)
  - Yandex (Windows, Mac, Linux)
  - Edge (Windows, Mac, Linux)
- Crypto Wallet Information:
  - Armory
  - Atomic
  - Electrum
  - Ethereum
  - Exodus
  - Jaxx
  - Zcash
  - Bytecoin
  - Bitcoin (from Windows Registry)
  - Dash (from Windows Registry)
  - Litecoin (from Windows Registry)
  - Monero (from Windows Registry)
- Steam:
  - All files with the .vdf extension found in the config folder of the Steam installation path
  - All files that include ssfn in the name found in the Steam installation path
  - All files with the
- Telegram:
  - Configuration Data
  - User Tags
  - Settings
  - Key Data
- FileZilla:
  - Recent Servers (recentservers.xml)
Indicators:
- uesgomv (mod id)
- JuggMachine v1 Log-69g0fvcky0s3lf1337 (found in exfiltrated data)
- http://yoink.site/atlanta (C2 server URL)
- f4kc u // (User Agent in exfiltration POST request)
- 4a00522927dde661e1dc519671891d (C2 API key)
- Weirdly named ZIP file in temporary directory
At the time we did not, probably should've in hindsight