Background:
- The .top sites, once you enter the code given by the scammers, start downloading support.client.exe.
- After the exe is executed it connects to a remote server (sometimes referred to as a command-and-control (C2) server) and downloads the rest of the ScreenConnect files from there. Here's an example:
After downloading support.client.exe from https://sehelp.top/ with code 12345 (usually works) and starting it, it connects to the remote server https://molatoriora.icu/ and downloads some ScreenConnect files.
To be precise, it uses this:
https://molatoriora.icu/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=gotmiss30.stream&p=8880&s=87d3e98f-9b28-4f67-b972-aa6a172c6e71&k=BgIAAACkAABSU0ExAAgAAAEAAQCpKekJaOSnjcct7DZgb%2bbAU2aOSDn5nKAuZ31LFhTL1DEDD1cJ5L58aBvLE3RifYOm%2fTImLgo3IzsYQq5le2f%2bZZqYILREuAvG7bucCKUwvkT1AOVSJ%2bC4t6%2bGv5gu%2foUqB%2fpm3haqCBHgsOtaVGT12XnkvPnwlw7vUjY%2fuXpZw0Yn0Fy%
- Reporting and taking down the .top sites is a Sisyphean task as they have tons of them. Reporting and taking down the remote servers (C2) might be more successful, so I was looking for a way to extract the remote servers from the exe files.
Approach:
I created a first version of a Python script that extracts the remote servers (C2) from various support.client.exe files.
I downloaded a couple of the files from links posted here and let the script run; these are the remote servers (C2) it identified:
Script:
This is the current version. You will need to download Strings and add it to the system PATH.
When you start the script you will be prompted to enter a folder containing the support.client.exe files (there can be several).
As a result the script writes a txt file with all remote servers found in the exe files.
import subprocess
import re
import os
from urllib.parse import urlparse


def extract_strings(file_path):
    """
    Extracts strings from the given file using the 'strings' command
    (must be on the system PATH).
    """
    if not os.path.isfile(file_path):
        raise FileNotFoundError(f"The file '{file_path}' does not exist.")
    try:
        # Use the 'strings' command to extract readable text
        result = subprocess.run(
            ["strings", file_path],
            text=True,
            errors="replace",  # don't crash on bytes the console encoding can't decode
            capture_output=True,
            check=True,
        )
        return result.stdout
    except FileNotFoundError:
        # subprocess raises this when the 'strings' binary itself is not found
        raise RuntimeError("The 'strings' tool was not found on the system PATH.")
    except subprocess.CalledProcessError as e:
        raise RuntimeError(f"Error during strings extraction: {e}")


def extract_urls_and_domains(text):
    """
    Extracts ScreenConnect launcher URLs from the given text using regex.
    """
    # Match the launcher URL up to the .application file; dots are escaped
    # so they only match literal dots
    url_pattern = r"(https?://[^\s]+/Bin/ScreenConnect\.Client\.application)"
    matches = re.findall(url_pattern, text)
    return matches


def get_base_url(url):
    """
    Extracts the base URL from a URL (e.g., https://example.com/).
    Returns None if the URL has no usable hostname.
    """
    parsed_url = urlparse(url)
    if not parsed_url.hostname:
        return None
    return f"{parsed_url.scheme}://{parsed_url.hostname}/"


def process_folder(folder_path, output_file):
    """
    Processes all .exe files in the given folder to extract remote server information.
    """
    if not os.path.isdir(folder_path):
        print(f"Error: The folder '{folder_path}' does not exist.")
        return

    # List all .exe files in the folder
    exe_files = [f for f in os.listdir(folder_path) if f.lower().endswith(".exe")]
    if not exe_files:
        print("No .exe files found in the specified folder.")
        return

    remote_servers = set()  # To store unique servers

    for exe_file in exe_files:
        exe_path = os.path.join(folder_path, exe_file)
        print(f"Processing '{exe_file}'...")
        try:
            # Extract strings from the file
            strings_output = extract_strings(exe_path)
            # Extract launcher URLs
            potential_urls = extract_urls_and_domains(strings_output)
            # Reduce each URL to its base and add it to the set
            for url in potential_urls:
                base_url = get_base_url(url)
                if base_url:
                    remote_servers.add(base_url)
        except FileNotFoundError as e:
            print(f"Error: {e}")
        except RuntimeError as e:
            print(f"An error occurred while processing '{exe_file}': {e}")

    # Save all remote servers to a single text file
    if remote_servers:
        with open(output_file, "w") as txt_file:
            txt_file.write("\n".join(sorted(remote_servers)))
        print(f"All remote servers saved to '{output_file}'")
    else:
        print("No remote servers found.")


def main():
    """
    Main function to process all .exe files in a folder.
    """
    print("Enter the path to the folder containing .exe files:")
    folder_path = input("> ").strip()
    # Define output file name
    output_file = os.path.join(folder_path, "remote_servers.txt")
    process_folder(folder_path, output_file)


if __name__ == "__main__":
    main()
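As an added example (not part of the original post or the script above), here is a dependency-free variant of the same approach: it scans the raw bytes for both ASCII and UTF-16LE strings, so the external Strings tool is not needed (.NET binaries store most literals as UTF-16LE), and it also pulls the relay host and port (the `h` and `p` parameters of the launcher URL) as a second indicator to report. The sample "binary" and all domains in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Launcher URL shape from the post: .../Bin/ScreenConnect.Client.application?e=...&h=<relay>&p=<port>&s=...&k=...
LAUNCHER_RE = re.compile(r"https?://[^\s\"'<>]+?/Bin/ScreenConnect\.Client\.application\?[^\s\"'<>]+")


def extract_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Pure-Python stand-in for the 'strings' tool: printable-ASCII runs plus UTF-16LE runs."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def parse_launcher(url: str) -> dict:
    """Split a launcher URL into the download server and the relay endpoint from its query string."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    return {
        "download_server": f"{parsed.scheme}://{parsed.hostname}/",  # where the client files come from
        "relay_host": qs.get("h", [None])[0],                        # host the client calls back to
        "relay_port": int(qs["p"][0]) if "p" in qs else None,
        "session_id": qs.get("s", [None])[0],
    }


def find_servers(data: bytes) -> dict[str, dict]:
    """Map each download-server base URL to its parsed launcher info for every launcher URL in the blob."""
    found = {}
    for text in extract_strings(data):
        for match in LAUNCHER_RE.finditer(text):
            info = parse_launcher(match.group())
            found.setdefault(info["download_server"], info)
    return found


# Constructed sample "binary": an MZ header, one UTF-16LE launcher URL (as a .NET exe would store it)
# and one ASCII copy pointing at a different server. The domains are placeholders, not real infrastructure.
WIDE_URL = ("https://download-a.example.invalid/Bin/ScreenConnect.Client.application"
            "?e=Support&y=Guest&h=relay-a.example.invalid&p=8880"
            "&s=00000000-0000-0000-0000-000000000000&k=PLACEHOLDERKEY")
ASCII_URL = ("http://download-b.example.invalid/Bin/ScreenConnect.Client.application"
             "?e=Support&h=relay-b.example.invalid&p=443")
SAMPLE_BINARY = (b"MZ\x90\x00" + b"\x00" * 16 + WIDE_URL.encode("utf-16-le") + b"\x00" * 4
                 + ASCII_URL.encode("ascii") + b"\x00" * 4 + b"pad" + b"\x00")

if __name__ == "__main__":
    for server, info in find_servers(SAMPLE_BINARY).items():
        print(f"{server}  relay={info['relay_host']}:{info['relay_port']}  session={info['session_id']}")
```

To use it on a real sample, pass `open(path, "rb").read()` to `find_servers` instead of `SAMPLE_BINARY`.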
Next I want to work on:
- Running the script automatically in the background during scambaiting to extract the remote servers (for reporting later)
- Preparing an automated mail to the host of the malicious remote server (to report it afterwards)
- Combining it with my script to block ConnectWise/ScreenConnect installers (they usually try different sites, so you can collect several of them to report)
Please contact me if you have any other ideas (here or on Discord), especially on how to implement it during scambaiting (without too much work) and how to report those malicious remote servers hosting the files.
cheers
dubloox3