In addition to making manual analysis more difficult, this anti-analysis technique also avoids detection in dynamic automated analysis systems, such as Cisco Threat Grid. When the execution begins, after UPX unpacking, the execution may take two paths. The first one creates a text file "c:\windows\temp\setup_gitlog.txt" containing the text "PaiAuganMai Diag Utility - Setup" and then pings Google's DNS server 184.108.40.206 followed by the sysinfo.exe command to save the output of both commands to the file c:\Windows\Temp\sysinfo.txt.
During our research, we found two main C2 servers: bk1.bitspiritfun2[.]net and p1.feefreepool[.]net. The first one was active until June 8, when the IP address of the server changed to 75.2.37[.]224, owned by Amazon. The response from the server, "403 Forbidden," may indicate a successful takeover of the botnet. The previous two addresses were located in Germany and France.
Svchost first attempts to delete several files and then downloads the executables required to fetch a 7-Zip archive that contains all components of the Nvstub branch. The 7-Zip archive is extracted by the previously downloaded 7z.exe utility. The Nvstub archive, _agent.7z, is password-protected with the password "horhor123". Once the agent is extracted into the C:\Windows\dell folder, the main botnet module launches nvstub.exe, the first module of the second branch, with a single command-line parameter that contains the IP address of the C2 and its password.
The parameters for child processes are first encrypted with RC4 and then encoded using Base64. The RC4 passphrase "param error user", used for encrypting parameters for child processes, is itself decrypted from the hardcoded Base64-encoded string "T9FLs3QS45JuVnTAljDz4Q==" using the initial passphrase "Data param error."
The first module attempts to log onto TCP port 445 using the NTLM authentication protocol. Every successful connection confirms the validity of the credentials for the target IP address, and the confirmed credentials are reported to the C2 server by the nvsync.exe module.
The RDP communication capabilities of socks.exe depend on the open-source and free RDP client libraries freerdp2.dll and freerdp-client.dll. The application first processes its parameters, which include the IP address and the port of the host, as well as the main part of the filename (without the extension) of the file containing the credentials to be attempted when logging into the target system. The supplied filename is generated by Base64-encoding the RC4-encrypted combination of the target's ip_address:port.
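As an added example (not code from the Talos report or from the malware itself), here is a Python decoder for the two places above that use the same scheme: the child-process parameters (RC4, then Base64) and the socks.exe credential filename (Base64 of the RC4-encrypted ip_address:port). It assumes plain RC4 with the passphrase bytes used directly as the key, assumes the filename is keyed with the same passphrase (the report does not say which key is used there), and works on a constructed sample parameter rather than a value from a real sample.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_param(passphrase: str, plaintext: str) -> str:
    """RC4-encrypt, then Base64-encode: the order the report describes."""
    return base64.b64encode(rc4(passphrase.encode(), plaintext.encode())).decode()


def decode_param(passphrase: str, encoded: str) -> str:
    """Reverse the scheme: Base64-decode, then RC4-decrypt.
    Use this on a parameter captured from process-creation logs (e.g. Sysmon event 1)."""
    return rc4(passphrase.encode(), base64.b64decode(encoded)).decode("utf-8", errors="replace")


def credential_filename(passphrase: str, ip: str, port: int) -> str:
    """Filename stem socks.exe expects: Base64(RC4("ip:port")).
    Assumption: keyed with the child-process passphrase. Note that standard Base64 can
    emit '/' which is not valid in a Windows filename, so a real sample may differ."""
    return encode_param(passphrase, f"{ip}:{port}")


# Constructed sample values (not taken from any real sample): the child-process
# passphrase named in the report, and a parameter of the shape "C2 address plus password".
SAMPLE_PASSPHRASE = "param error user"
SAMPLE_PARAM = "203.0.113.10:4444 examplepassword"

if __name__ == "__main__":
    blob = encode_param(SAMPLE_PASSPHRASE, SAMPLE_PARAM)
    print("encoded parameter :", blob)
    print("decoded parameter :", decode_param(SAMPLE_PASSPHRASE, blob))
    print("credential file   :", credential_filename(SAMPLE_PASSPHRASE, "203.0.113.10", 3389))
```

The report's hardcoded string "T9FLs3QS45JuVnTAljDz4Q==" would be fed to decode_param with the initial passphrase in the same way; whether the trailing period belongs to that passphrase is not settled by the text, so treat that call as an assumption to verify against a sample.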
Master Quest was first made available for the Nintendo GameCube on a special bonus disc that also contained the original Ocarina of Time. This disc was given out in limited quantities with pre-orders of The Wind Waker. Additionally, it was sold packaged with The Wind Waker in some regions. It is also available as a mode in Ocarina of Time 3D after first completing the regular game.
Master Quest for Ocarina of Time 3D is not available from the start. To unlock it, the main quest has to be completed first. Upon doing so, the player will have an option to choose between the Main Quest or the Master Quest after starting up the game, allowing a second playthrough of the game with redesigned dungeons.
In the late 1990s, Nintendo developed an add-on peripheral for the Nintendo 64 called the Nintendo 64DD. The Nintendo 64DD used magnetic disks with a larger storage capacity than the cartridges used for the Nintendo 64, allowing for additional content and improved models and textures. While Nintendo hoped that the Nintendo 64DD would attract third-party developers, it also began developing several first-party titles, one of which was Ocarina of Time. Struggling to attract interest in the platform, Nintendo moved development of Ocarina of Time to the Nintendo 64, and the game was ultimately released on a cartridge. At the time of this change, the game featured more content than the cartridges could hold, and so parts of the game had to be removed.