STEAM GROUP
Sentinels of the Store StoreSents
Possible Malware/PUP in 'Little hidden city'??
First off, I've been following this group for a long while and, after my little incident, I decided this would be the first stop for potential reporting. Second, I am currently using a secondary account as I do believe I had information potentially exposed as part of the incident and want to protect my primary account with nearly 1K games. The game in question is 'Little hidden city' by 3dinvis games. Before digging into this, I want to state upfront that I am a very technical user, have been an expert at all kinds of technology and OSes for far too long, and do this kind of analysis on a routine basis.

https://store.steampowered.com/app/706490

I am a sucker for hidden object games. I saw this on the current sale and said, nice, $.50! I knew not to expect much even after the obvious knockoff marketing of Hidden Folks. Once you start playing, it becomes quite obvious that the game is super barebones; I had a couple of minutes of fun doing the scenes.

The next part is important. I am no expert in malware analysis but I know enough to get the job done. The game was still running while I alt-tabbed to go do something else, until I noticed some CPU, disk, and network spiking. I was not doing anything else on the machine except looking at a Notepad text entry, and nearly all applications that could be turned off were. Also, this machine is Windows 10. I ran multiple security products with no positive hits.

I first started Process Hacker to poke around what was going on. Unfortunately, I didn't get a grab of all the processes in PH but I did get Strings and Handles. I started looking at handles first and red flags just started popping out. After a couple minutes of that, I shut the game down and verified the processes exited (and they seemed to). I then tried to remove %HOMEPATH%\AppData\Local\Litl_Hiden_Siti, which was one of the directories the game created, and Windows wouldn't let me. I saved off as much as I could and uninstalled the game and rebooted. Fortunately, I was able to delete that directory after reboot, however, I still didn't know what else was touched.

There are still a lot more things to look at but here is a snippet of my static analysis. The biggest thing to remember is this game is SUPER basic; no options menu, no saving, no interactions aside from clicking. As such, the handles and types of functions the game leverages are FAR too advanced for such a simpleton game. From what I've been able to determine, the game is basically a series of web pages rendered within a custom packaged Chromium with the main two areas for open handles:

%HOMEPATH%\AppData\Local\Litl_Hiden_Siti\User Data
Program Files (x86)\Steam\steamapps\common\Little hidden city\

+++ More interesting Open File Handles +++
Program Files (x86)\Steam\steamapps\common\Little hidden city\nw_elf.dll (I believe this is the custom wrapper NWJS/chromium DLL)
Program Files (x86)\Steam\steamapps\common\Little hidden city\shape_detection.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\device.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\cdm.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\media.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\data_decoder.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\video_capture.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\chrome.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\profiling.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\network.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\content_packaged_services.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\resource_coordinator.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\ffmpeg.dll
Windows\System32\drivers\etc
Windows\System32\en-US\kernel32.dll.mui
Windows\System32\en-US\KernelBase.dll.mui
Windows\System32\en-US\MMDevAPI.dll.mui
Windows\System32\en-US\user32.dll.mui
Windows\System32\en-US\wdmaud.drv.mui
Windows\System32\en-US\wscapi.dll.mui

+++ Pipes and stuff handles +++
\Device\CNG
\Device\DeviceApi
\Device\DeviceApi
\Device\DeviceApi
\Device\KsecDD
\Device\MMCSS
\Device\NamedPipe\chrome.sync.8780.13812.1853592940
\Device\NamedPipe\mojo.8780.13812.106068279039406520
\Device\NamedPipe\mojo.8780.13812.11206032230317607272
\Device\NamedPipe\mojo.8780.13812.4491268184462843744
\Device\NamedPipe\mojo.8780.3568.13890071009111355274
\Device\Nsi
Directory, \KnownDlls
ALPC Port, \RPC Control\OLE6FCCC2E2B7AC3D869BD93A9B3169

+++ Open Registry Key Handles +++
HKLM\SYSTEM\ControlSet001\Services\Tcpip
HKLM\SYSTEM\ControlSet001\Services\WinSock2

+++ Basic Flow +++

I believe NWJS is used as the main application (https://github.com/nwjs/nw.js), which is based on Chromium and node.js, and it is launched internally with the following flags:

"c:\program files (x86)\steam\steamapps\common\little hidden city\little hidden city.exe" --type=gpu-process --field-trial-handle=1856,10742641791834495510,11530208060031720229,131072 --no-sandbox --ignore-gpu-blacklist --user-data-dir="%HOMEPATH%\appdata\local\litl_hiden_siti\user data" --nwapp-path="%HOMEPATH%\appdata\local\temp\nw8780_16996" --disable-breakpad --start-stack-profiler --gpu-vendor-id=0x1002 --gpu-device-id=0x67df --gpu-driver-vendor="advanced micro devices, inc." --gpu-driver-version=25.20.15011.1004 --gpu-driver-date=1-9-2019 --user-data-dir="%HOMEPATH%\appdata\local\litl_hiden_siti\user data" --nwapp-path="%HOMEPATH%\appdata\local\temp\nw8780_16996" --start-stack-profiler --service-request-channel-token=c3dbd078066927f21b40f96381ce6117 --mojo-platform-channel-handle=1872 /prefetch:2

The first file that is loaded is file://%HOMEPATH%\AppData\Local\Temp\nw8780_16996\index.html. Then individual pages are loaded and cached.

+++ Thoughts +++

Again, I could be way off base, but it just doesn't feel right. Too many complex things going on for such a dead simple game. Why network, crypto, security, and device libraries? Setting all of the interesting NWJS/Chromium stuff aside, even the EXEs that are created in the main install directory are just suspiciously named.

This is about all the time I have to check this out right now but hopefully this is an indicator. If I am wrong, I do apologize to the developer. If I am not, you deserve all the bad press. :)
Last edited by Sweetzel666; Feb 9, 2019 @ 8:28pm
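A defender's triage of a launch line like the one quoted in the post, as an added example that is not part of the original post or of NW.js: it tokenizes a Windows/Chromium-style command line (keeping quoted paths with spaces intact), collects the --switches, and reports the ones that matter for isolation and for capturing evidence. The sample line is constructed from a subset of the switches shown in the post; the helper names parse_cmdline and triage are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the switches quoted in the post, with the
# profile path left as %HOMEPATH% exactly as the post shows it.
SAMPLE_CMDLINE = (
    r'"c:\program files (x86)\steam\steamapps\common\little hidden city\little hidden city.exe" '
    r'--type=gpu-process --no-sandbox --ignore-gpu-blacklist '
    r'--user-data-dir="%HOMEPATH%\appdata\local\litl_hiden_siti\user data" '
    r'--nwapp-path="%HOMEPATH%\appdata\local\temp\nw8780_16996" '
    r'--disable-breakpad --start-stack-profiler '
    r'--user-data-dir="%HOMEPATH%\appdata\local\litl_hiden_siti\user data" '
    r'--mojo-platform-channel-handle=1872 /prefetch:2'
)

# One token is a run of quoted and unquoted pieces, so --key="a path with
# spaces" stays together (shlex in non-POSIX mode would split it at the space).
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def parse_cmdline(line: str) -> Tuple[str, Dict[str, List[str]], List[str]]:
    """Return (exe, {switch: [values...]}, positional args) for a Windows command line."""
    tokens = TOKEN.findall(line)
    exe = tokens[0].strip('"')
    switches: Dict[str, List[str]] = {}
    positional: List[str] = []
    for tok in tokens[1:]:
        if tok.startswith("--"):
            key, _, val = tok[2:].partition("=")
            switches.setdefault(key, []).append(val.strip('"'))  # repeats are kept
        else:
            positional.append(tok)
    return exe, switches, positional


def triage(line: str) -> dict:
    """Summarise the switches a defender looks at first on a Chromium/NW.js process."""
    exe, sw, _ = parse_cmdline(line)
    nwapp = sw.get("nwapp-path", [""])[0].lower()
    return {
        "exe": exe,
        # No --type means the browser (main) process; helpers carry gpu-process, renderer, etc.
        "process_type": sw.get("type", ["browser"])[0],
        # --no-sandbox turns off the Chromium process sandbox for this helper.
        "sandbox_disabled": "no-sandbox" in sw,
        # The post saw index.html loaded from a Temp\nw8780_16996 directory: an app bundle
        # unpacked under Temp exists only while the game runs, so copy it before exiting.
        "app_bundle_in_temp": "\\temp\\" in nwapp,
        "user_data_dirs": sorted(set(sw.get("user-data-dir", []))),
        # A switch given more than once (as --user-data-dir was) is recorded for review.
        "duplicate_switches": sorted(k for k, v in sw.items() if len(v) > 1),
    }
```

Run triage() over every command line Process Hacker shows for the game's process tree; the child helpers differ only in --type, so the same parser covers all of them.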
talgaby Feb 9, 2019 @ 11:15pm 
Isn't it using one of the basic free engines? Dead simple Unity games can eat up a ton of system resources since newbie coders don't know how to optimise it properly.
A moderator of this forum has indicated that this post answers the original topic.
Ratchet Feb 10, 2019 @ 3:34am 
Your AppData directory is a standard directory used for simple file storage. I use it with many engines to store savedata as well as user configs, so AppData is not at all concerning.
Also the Appdata Temp is web-based, so we can assume it's using Node JS.

The interesting File Handles are not particularly interesting at all; they're mostly stock standard stuff that most engines run through. Strange that it's running so many EXEs, but if you're concerned, run it through Virus Total.

Why Network?
If it's using something like Chromium and NodeJS, it requires a simple level of networking to host a local server on.
Why Crypto and Security?
Most engines run crypto to stop users datamining and then stealing/modding their content.

Also the EXEs aren't really suspiciously named.
device.service - Should find the GPU and CPU
media.service - Runs media files (hence FFMpeg)
data_decoder.service - Decodes game data for use (hence cryptography)

My point being that if you're concerned with programs then run them through a site like VirusTotal and contact the developer to check with them as well. I also recommend you do this scan on any AAA game that is meant to be single-player. You should find some direct references in the way of DLLs and read/write directories.