Let me give a brief summary of what has occurred:
-Nerd from Lizard Squad set up a host.
-He then got into the puush server and uploaded a fake update.
-That fake update logged every single browser cookie and saved password you have.
-He took the site down after a bit, but someone was able to who.is it before that, which led to who the person was. Seeing as it's one of them, there are high chances of everything being pastebinned and sent out to the public tomorrow/soon/eventually.
-The malware was also a keylogger: anything you typed from the time you got the update to the time he took down the server was logged.
Both daemon process files were located in \AppData\Roaming\puush\
Process chain, from start to end:
\program files (x86)\puush\puush-old.exe created process \program files (x86)\puush\puush.exe
\program files (x86)\puush\puush.exe modified file \program files (x86)\puush\puush.daemon.exe
\program files (x86)\puush\puush.exe modified registry key \HKUS\S-[...]-1000\Software\Microsoft\Windows\CurrentVersion\Run\puush
\program files (x86)\puush\puush.exe created process \AppData\Roaming\puush\puush.daemon.exe
\AppData\Roaming\puush\puush.daemon.exe created process \AppData\Roaming\puush\puush.daemon.exe
\AppData\Roaming\puush\puush.daemon.exe accessed memory of \AppData\Roaming\puush\puush.daemon.exe
\AppData\Roaming\puush\puush.daemon.exe modified registry key \HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Four seconds later:
puush.daemon.exe attempted an outbound connection from local port 61127 to 95.213.162.50:42069
I've confirmed that the EXE stole passwords.
The initial EXE dropped was a VB6 executable that was a crypter to conceal it from anti-viruses. I extracted the encrypted file and decrypted it.
Analysis file can be found here: https://malwr.com/analysis/Zjg1MDc0MjNiNzZmNGQxMGE1MjRjMTg4MWEzOGI0NmE/
If you click Static and go to Strings you can see a couple of fun strings:
>herd.suid.at:42069
Hostname and port the malware reported to (same port as the IP above)
>mozcrt19.dll
>sqlite3.dll
>nspr4.dll
>mozutils.dll
>mozglue.dll
>mozsqlite3.dll
All of these are Firefox runtime DLLs; a stealer loads them from the Firefox install directory so it can use Firefox's own NSS code to decrypt the saved-login database
>%s\Opera\Opera\wand.dat
>%s\Opera\Opera\profile\wand.dat
These are Opera's saved-password (wand) files
>%s\.purple\accounts.xml
This is where Pidgin stores account passwords (in plaintext)
><protocol>
><name>
><password>
These are the element names of the account entries in Pidgin's accounts.xml above, not a FileZilla log (FileZilla's sitemanager.xml uses capitalised <Protocol>/<User>/<Pass> tags)
>WindowsLive:name=*
Windows Live Messenger credentials, pulled from the Windows Credential Manager with a CredEnumerate filter of that form
>POP3 User
>POP3 Server
>POP3 Password
>IMAP User
>IMAP Server
>IMAP Password
>HTTP User
>HTTP Server
>HTTP Password
>SMTP User
>SMTP Server
>SMTP Password
Registry value names Outlook uses for mail account settings under its profile key (listed below): the stealer walks the account entries and reads these values rather than writing a log in this format
>%s\Google\Chrome\User Data\Default\Login Data
>%s\Chromium\User Data\Default\Login Data
Chrome and Chromium passwords
>Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Outlook profile key (15.0 is Outlook 2013) holding the account values above
>Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Internet Explorer autocomplete (saved form/login) credentials
>[Enter]
>[Arrow Left]
>[Arrow Up]
>[Arrow Right]
>[Arrow Down]
>[Home]
>[Page Up]
>[Page Down]
>[Break]
>[Delete]
Key-name markers the keylogger writes for non-printing keys in its log
Cred to some nerds on /g/ for the quotes.
Anyway, he was doing a hit and run, but if you updated to r94 (reminder that puush automatically updates) and had puush.daemon.exe running, you more than likely got logged.
Make sure you clean out your registry (the puush Run key), make sure puush.daemon.exe is gone (delete the puush folder in Roaming, too), and change any password you had saved in every browser you use. Also use a program like KeePass for passwords, shit's great.
Spent 14 hours today on this shit, thanks puush.
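As an added example that is not part of the original post or of puush itself, here is a PowerShell triage script covering both the host indicators from the process timeline above (Run key, dropped daemon in Roaming, process, socket to the C2 port) and the cleanup steps the post recommends. It assumes the Run value is named `puush` under HKCU (the post shows it under a user SID hive, which is the same key seen from that user), that the daemon lives under `%APPDATA%\puush`, and uses the IP, hostname and port quoted in the post; the `Find-StealerStrings` helper and its category grouping are the author's construction from the strings listed above, not the malware's own code.

```powershell
<#
Added example, not from the original post. Triage a Windows host for the puush
r94 indicators and, with -Remediate, perform the cleanup the post recommends.
Assumptions not stated on the page: Run value name 'puush' under HKCU, daemon
path %APPDATA%\puush\puush.daemon.exe. C2 IP/host/port are from the post.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,   # kill the daemon, remove the Run value, delete %APPDATA%\puush
    [string]$ScanFile     # optional: an unpacked payload to scan for the stealer strings
)

$RoamingDir    = Join-Path $env:APPDATA 'puush'
$RoamingDaemon = Join-Path $RoamingDir 'puush.daemon.exe'
$RunKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue      = 'puush'            # assumed value name
$C2Ip          = '95.213.162.50'
$C2Host        = 'herd.suid.at'
$C2Port        = 42069

# Strings from the malwr report, grouped by what they target. Only the decrypted
# payload contains them; the VB6 crypter layer hides them from a raw scan.
$StealerStrings = [ordered]@{
    C2      = @("${C2Host}:$C2Port")
    Firefox = @('nspr4.dll', 'mozglue.dll', 'mozsqlite3.dll')
    Opera   = @('\Opera\Opera\wand.dat')
    Pidgin  = @('\.purple\accounts.xml')
    Chrome  = @('\User Data\Default\Login Data')
    Outlook = @('POP3 Password', 'IMAP Password', 'SMTP Password')
    IE      = @('IntelliForms\Storage2')
    Keylog  = @('[Arrow Left]', '[Page Down]', '[Break]')
}

function Find-StealerStrings {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    # Check both narrow and UTF-16LE views, since VB6/WinAPI code mixes the two.
    $views = @([Text.Encoding]::ASCII.GetString($bytes), [Text.Encoding]::Unicode.GetString($bytes))
    foreach ($cat in $StealerStrings.Keys) {
        foreach ($s in $StealerStrings[$cat]) {
            if ($views | Where-Object { $_.Contains($s) }) {
                [pscustomobject]@{ Category = $cat; String = $s }
            }
        }
    }
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Persistence: the Run value re-pointed into Roaming ("modified registry key ...\Run\puush")
$run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($run -and $run.$RunValue -like '*\Roaming\puush\puush.daemon.exe*') {
    $findings.Add([pscustomobject]@{ Type = 'RunKey';   Detail = $run.$RunValue })
}

# 2. Dropped daemon on disk, hashed so it can be compared against the malwr sample
if (Test-Path -LiteralPath $RoamingDaemon) {
    $sha = (Get-FileHash -LiteralPath $RoamingDaemon -Algorithm SHA256).Hash
    $findings.Add([pscustomobject]@{ Type = 'File';     Detail = "$RoamingDaemon sha256=$sha" })
}

# 3. Daemon running from Roaming instead of Program Files
Get-Process -Name 'puush.daemon' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path.StartsWith($RoamingDir, 'OrdinalIgnoreCase') } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'Process'; Detail = "PID $($_.Id) $($_.Path)" }) }

# 4. Sockets to the C2 port (the post saw local 61127 -> 95.213.162.50:42069) and cached C2 DNS
Get-NetTCPConnection -RemotePort $C2Port -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'Network'; Detail = "$($_.RemoteAddress):$($_.RemotePort) $($_.State) PID $($_.OwningProcess)" }) }
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -eq $C2Host -or $_.Data -eq $C2Ip } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'DnsCache'; Detail = "$($_.Entry) -> $($_.Data)" }) }

# 5. Optional static check of a decrypted sample
if ($ScanFile) {
    Find-StealerStrings -Path $ScanFile |
        ForEach-Object { $findings.Add([pscustomobject]@{ Type = "String/$($_.Category)"; Detail = $_.String }) }
}

$findings | Format-Table -AutoSize

# Cleanup as the post describes: stop the daemon, drop the Run value, delete the Roaming folder.
if ($Remediate -and $findings.Count -gt 0) {
    if ($PSCmdlet.ShouldProcess('puush.daemon.exe', 'Stop process')) {
        Get-Process -Name 'puush.daemon' -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    if ($run -and $PSCmdlet.ShouldProcess("$RunKey\$RunValue", 'Remove Run value')) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue
    }
    if ((Test-Path -LiteralPath $RoamingDir) -and $PSCmdlet.ShouldProcess($RoamingDir, 'Delete folder')) {
        Remove-Item -LiteralPath $RoamingDir -Recurse -Force
    }
}
```

Run it as the user who had puush installed (the Run value lives in that user's hive), first without `-Remediate` to see the findings, then with `-Remediate -WhatIf` to preview and `-Remediate` to act. `Get-NetTCPConnection` and `Get-DnsClientCache` need Windows 8/Server 2012 or later; on Windows 7 check `netstat -ano` and `ipconfig /displaydns` by hand for the same IP, hostname and port. The string scan only finds anything on the decrypted payload, not the crypted dropper, and a clean scan says nothing about what was already exfiltrated: the password changes the post calls for are still required.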