Skid OSINT Investigation

2023-07-28 782 words 4 minutes

Contents

Skid OSINT Investigation

On Going very WIP!

Starting with AlexxModder

I received a Discord message from the user AlexxModder asking me to be a developer for their malware project. I was not inclined to participate but rather to analyze the code. So I stated Send me the source code, I then received the source code as ELYSc2.zip (Figure placeholder).

Figure placeholder: AlexModder sending botnet source code.

Next, we investigated the next persona, which was obtained by visiting the site https[:]//elys.mysellix.io. Which is website managed by Sellix, which is an eCommerce platform.

Once on this Sellix eCommerce site, we observed sales for Anubis V7, DaVinci + HWID_GEN + installation, ELYS Figglet Wallet and Windows license keys. Additionally, more social accounts were found linked at the bottom of the page (Figure placeholder).

Figure placeholder. Sellix eCommerce site for Elys

In the following subsections we look into each of these social sites.

Facebook

On this Facebook profile, there are post for IPTV with the posts being in French. Take note of the logo, which matches the Twitter account PinkilyCash.

TikTok

For this account the alias libelluleadmin is used. On this profile there are many videos showcasing the tools being sold. From this we were able to find the GitHub Account AeX03, which will be covered here later (it’s important).

Discord

On the Discord server, we can see AlexxModder again with the role of ELYS and one developer with the username CliffV2, take note of the profile picture (Figure placeholder).

Figure placeholder. Discord Server for eLys | Support

In this case, it appears AlexxModder operates the Discord server.

At the time of writing, there were 26 online accounts and 271 members in the Discord server (Figure placeholder).

Figure placeholder. Discord Server User Count

Twitter

Looking that the Twitter account PinkilyCash, we found a link to the site https[:]//www.elysiane[.]eu, which purports to be a cryptocurrency called ELYS Token (0x90E24EB24B5e61748bAfA90B09c42F79e49ADeD6) (Figure placeholder).

Figure placeholder. PinkilyCash Twitter Account for ELYS Token

The logo on the Discord server, the Twitter account and Facebook account all point to the name ELYS.

Interestingly, further down the page on this website we find pricing the ELYS BOTNET, JOYCE and ELYS TV. All of which are likely malware asides from ELYS TV.

Figure placeholder. ELYS Token Website Advertised Products

The site describes the ELYS Token as follows…

Elys Token is a token that will be needed to make payments on our website that will allow you to buy or rent goods such as a maid to share tv channels, projects being created etc…

The cryptocurrency token has a very minimal whitepaper, which can be found on GitBooks.

Investigating AeX03 and the CameLys GitHub Organization

The profile contains a link to the same domain for ELYS Token and is also part of the CameLys GitHub organization, which was taken down during our live stream resulting in a 404 from GitHub. The GitHub organization was likely removed by AeX03 as this account is the most involved in all the projects on GitHub (Figure placeholder).

Figure placeholder. The User AeX03 Showing Link to eLysiane[.]eu

In addition to this we found the account cryptobuks on GitHub, which contains again more code pushed by AeX03, which is likely the start of the ELYS Token as commits on this repository end on January 4, 2023. Where as, the GitHub organization CameLys, which has the same main.js file was on May 18, 2023. Indicating that AeX03 moved the code from cryptobuks, over to the new organization likely within a 4 month period at some point.

Figure placeholder. GitHub Repository for ELYS Token from cryptobuks being worked on by AeX03

Investigating AeX03 and leducax (Le Duc)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
origin	https://github.com/leducax/l-hash.git (fetch)
Author: AeX03 <133485038+leducax@users.noreply.github.com>
Author: Le Duc <133485038+leducax@users.noreply.github.com>
---
origin	https://github.com/leducax/FVL.git (fetch)
Author: AeX03 <133485038+leducax@users.noreply.github.com>
Author: Le Duc <133485038+leducax@users.noreply.github.com>
---
origin	https://github.com/leducax/VansRose.git (fetch)
Author: AeX03 <elyscorp@hotmail.com>
Author: Le Duc <133485038+leducax@users.noreply.github.com>
---
origin	https://github.com/leducax/VSX.git (fetch)
Author: Le Duc <133485038+leducax@users.noreply.github.com>
---
origin	httpsAeX03 Persona://github.com/leducax/leducax.github.io.git (fetch)
Author: AeX03 <133485038+leducax@users.noreply.github.com>
Author: Le Duc <133485038+leducax@users.noreply.github.com>
---
origin	https://github.com/leducax/conversepy.git (fetch)
Author: Le Duc <133485038+leducax@users.noreply.github.com>
---
origin	https://github.com/leducax/nalice-IA.git (fetch)
Author: Le Duc <133485038+leducax@users.noreply.github.com>
---
origin	https://github.com/leducax/leducax.git (fetch)
Author: github-actions[bot] <41898282+github-actions[bot]@users.norepAeX03ly.github.com>
Author: Le Duc <133485038+leducax@users.noreply.github.com>
---
origin	https://github.com/CameLys/ELYSc2.git (fetch)
Author: AeX03 <103602164+AeX03@users.noreply.github.com>
Author: AeX03 <elyscorp@hotmail.com>
Author: Le Duc <133485038+leducax@users.noreply.github.com>
---
origin	https://github.com/CameLys/ELYSc2.git (fetch)
Author: AeX03 <103602164+AeX03@users.noreply.github.com>
Author: AeX03 <elyscorp@hotmail.com>
Author: Le Duc <133485038+leducax@users.noreply.github.com>
---

Figure placeholder. AeX03 Overlap in Git Logs for Le Duc

Technical Analysis

Placeholder

Panel

Ongoing very WIP

Indicators

Type	Indicator	Description
Username	AeX03	GitHub Username
Username	CameLys	GitHub Organization