STEAM GROUP
Sentinels of the Store StoreSents
Founded
17 January, 2017
Language
English
Possible Malware/PUP in 'Little hidden city'??
First off, I've been following this group for a long while and, after my little incident, I decided this would be the first stop for potential reporting. Second, I am currently using a secondary account as I do believe I had information potentially exposed as part of the incident and want to protect my primary account with nearly 1K games. The game in question is 'Little hidden city' by 3dinvis games. Before digging into this, I want to state upfront that I am a very technical user, been an expert at all kinds of technology and OSes for far too long, and do this kind of analysis on a routine basis.

https://steamhost.cn/app/706490

I am a sucker for hidden object games. I saw this on the current sale and said "nice, $.50!" I knew not to expect much even after the obvious knockoff marketing of Hidden Folks. Once you start playing, it becomes quite obvious that the game is super barebones; I had a couple minutes of fun doing the scenes.

The next part is important. I am no expert in malware analysis but I know enough to get the job done. The game was still running while I alt-tabbed to go do something else until I noticed some CPU, Disk, and network spiking. I was not doing anything else on the machine except looking at a notepad text entry and nearly all applications that could be turned off were. Also, this machine is Windows 10. I ran multiple Security products with no positive hits.

I first started Process Hacker to poke around what was going on. Unfortunately, I didn't get a grab of all the processes in PH but I did get Strings and Handles. I started looking at handles first and red flags just started popping out. After a couple minutes of that, I shut the game down and verified the processes exited (and they seemed to). I then tried to remove %HOMEPATH%\AppData\Local\Litl_Hiden_Siti, which was one of the directories the game created, and Windows wouldn't let me. I saved off as much as I could and uninstalled the game and rebooted. Fortunately, I was able to delete that directory after reboot, however, I still didn't know what else was touched.

There are still a lot more things to look at but here is a snippet of my static analysis. The biggest thing to remember is this game is SUPER basic; no options menu, no saving, no interactions aside from clicking. As such, the handles and types of functions the game leverages are FAR too advanced for such a simpleton game. From what I've been able to determine, the game is basically a series of web pages rendered within a custom packaged Chromium with the main two areas for open handles:

%HOMEPATH%\AppData\Local\Litl_Hiden_Siti\User Data
Program Files (x86)\Steam\steamapps\common\Little hidden city\

+++ More interesting Open File Handles +++
Program Files (x86)\Steam\steamapps\common\Little hidden city\nw_elf.dll (I believe this is the custom wrapper NWJS/chromium DLL)
Program Files (x86)\Steam\steamapps\common\Little hidden city\shape_detection.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\device.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\cdm.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\media.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\data_decoder.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\video_capture.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\chrome.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\profiling.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\network.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\content_packaged_services.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\resource_coordinator.service.exe
Program Files (x86)\Steam\steamapps\common\Little hidden city\ffmpeg.dll
Windows\System32\drivers\etc
Windows\System32\en-US\kernel32.dll.mui
Windows\System32\en-US\KernelBase.dll.mui
Windows\System32\en-US\MMDevAPI.dll.mui
Windows\System32\en-US\user32.dll.mui
Windows\System32\en-US\wdmaud.drv.mui
Windows\System32\en-US\wscapi.dll.mui

+++ Pipes and stuff handles +++
\Device\CNG
\Device\DeviceApi
\Device\DeviceApi
\Device\DeviceApi
\Device\KsecDD
\Device\MMCSS
\Device\NamedPipe\chrome.sync.8780.13812.1853592940
\Device\NamedPipe\mojo.8780.13812.106068279039406520
\Device\NamedPipe\mojo.8780.13812.11206032230317607272
\Device\NamedPipe\mojo.8780.13812.4491268184462843744
\Device\NamedPipe\mojo.8780.3568.13890071009111355274
\Device\Nsi
Directory: \KnownDlls
ALPC Port: \RPC Control\OLE6FCCC2E2B7AC3D869BD93A9B3169

+++ Open Registry Key Handles +++
HKLM\SYSTEM\ControlSet001\Services\Tcpip
HKLM\SYSTEM\ControlSet001\Services\WinSock2

+++ Basic Flow +++

I believe NWJS is used as the main application (https://github.com/nwjs/nw.js), which is based on Chromium and node.js, and is launched internally with the following flags:

"c:\program files (x86)\steam\steamapps\common\little hidden city\little hidden city.exe" --type=gpu-process --field-trial-handle=1856,10742641791834495510,11530208060031720229,131072 --no-sandbox --ignore-gpu-blacklist --user-data-dir="%HOMEPATH%\appdata\local\litl_hiden_siti\user data" --nwapp-path="%HOMEPATH%\appdata\local\temp\nw8780_16996" --disable-breakpad --start-stack-profiler --gpu-vendor-id=0x1002 --gpu-device-id=0x67df --gpu-driver-vendor="advanced micro devices, inc." --gpu-driver-version=25.20.15011.1004 --gpu-driver-date=1-9-2019 --user-data-dir="%HOMEPATH%\appdata\local\litl_hiden_siti\user data" --nwapp-path="%HOMEPATH%\appdata\local\temp\nw8780_16996" --start-stack-profiler --service-request-channel-token=c3dbd078066927f21b40f96381ce6117 --mojo-platform-channel-handle=1872 /prefetch:2

The first file that is loaded is file://%HOMEPATH%\AppData\Local\Temp\nw8780_16996\index.html. Then individual pages are loaded and cached.

+++ Thoughts +++

Again, I could be way off base, but it just doesn't feel right. Too many complex things going on for such a dead simple game. Why network, crypto, security, and device libraries? Setting all of the interesting NWJS/Chromium stuff aside, even the EXEs that are created in the main install directory are just suspiciously named.

This is about all the time I have to check this out right now but hopefully this is an indicator. If I am wrong, I do apologize to the developer. If I am not, you deserve all the bad press. :)
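The two artifacts the post relies on, a Chromium-style launch line and a dump of open handles, are the kind of thing that is worth triaging with a script rather than by eye, so that the routine Chromium plumbing (IPC pipes, profile cache, .mui string tables, the app's own install files) is separated from the handles that actually need a human look. The helper below is an added example, not code from the post or from the game; the command line and handle list it runs on are constructed samples modelled on what the post quotes, the install and user-data paths are the ones the post names, and the notes on each switch are general Chromium facts rather than claims about this game.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the launch line quoted in the post,
# trimmed to the switches that matter for triage.
SAMPLE_CMDLINE = (
    r'"c:\program files (x86)\steam\steamapps\common\little hidden city\little hidden city.exe" '
    r'--type=gpu-process --no-sandbox --ignore-gpu-blacklist '
    r'--user-data-dir="%HOMEPATH%\appdata\local\litl_hiden_siti\user data" '
    r'--nwapp-path="%HOMEPATH%\appdata\local\temp\nw8780_16996" '
    r'--disable-breakpad --mojo-platform-channel-handle=1872 /prefetch:2'
)

# Constructed sample handle list modelled on the Process Hacker output in the post.
SAMPLE_HANDLES = [
    r"Program Files (x86)\Steam\steamapps\common\Little hidden city\nw_elf.dll",
    r"Program Files (x86)\Steam\steamapps\common\Little hidden city\network.service.exe",
    r"Program Files (x86)\Steam\steamapps\common\Little hidden city\ffmpeg.dll",
    r"%HOMEPATH%\AppData\Local\Litl_Hiden_Siti\User Data\Default\Cache",
    r"Windows\System32\drivers\etc",
    r"Windows\System32\en-US\kernel32.dll.mui",
    r"\Device\NamedPipe\mojo.8780.13812.106068279039406520",
    r"\Device\CNG",
    r"\Device\Nsi",
    r"HKLM\SYSTEM\ControlSet001\Services\Tcpip",
    r"HKLM\SYSTEM\ControlSet001\Services\WinSock2",
]

# Paths named in the post (no trailing backslash: a raw string cannot end in one).
INSTALL_DIR = r"Program Files (x86)\Steam\steamapps\common\Little hidden city"
USER_DATA_DIR = r"%HOMEPATH%\AppData\Local\Litl_Hiden_Siti\User Data"

# Chromium switches with a security meaning (general Chromium behaviour).
SWITCH_NOTES = {
    "no-sandbox": "process sandbox disabled; a compromised renderer is not contained",
    "disable-breakpad": "crash reporting disabled",
    "user-data-dir": "profile and cache location: cached pages, cookies, local storage",
    "nwapp-path": "NW.js app location; the HTML/JS actually executed lives here",
    "type": "Chromium child-process role (gpu-process, renderer, utility, ...)",
}

# A token is a run of unquoted text and/or "quoted" chunks, so
# --user-data-dir="c:\path with spaces" stays one token.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def parse_cmdline(cmdline):
    """Split a Windows/Chromium-style command line into (exe, switches, extras).

    --key=value switches become a dict (value "" when absent); anything else
    that is not the executable (e.g. /prefetch:2) goes into extras.
    """
    tokens = [t.replace('"', "") for t in _TOKEN.findall(cmdline)]
    exe, switches, extras = tokens[0], {}, []
    for tok in tokens[1:]:
        if tok.startswith("--"):
            key, _, value = tok[2:].partition("=")
            switches[key] = value
        else:
            extras.append(tok)
    return exe, switches, extras


def review_switches(switches):
    """Return [(switch, value, note)] for the switches worth a second look."""
    return [(k, switches[k], SWITCH_NOTES[k]) for k in SWITCH_NOTES if k in switches]


def classify_handle(path, install_dir, user_data_dir):
    """Bucket one handle path; buckets other than the first four need a human."""
    p = path.lower()
    if p.startswith(install_dir.lower()):
        return "install_dir"          # the app's own files: expected
    if p.startswith(user_data_dir.lower()):
        return "user_data"            # Chromium profile/cache: expected for NW.js
    if p.startswith("\\device\\namedpipe\\"):
        return "ipc_pipe"             # mojo / chrome.sync pipes: Chromium IPC
    if p.endswith(".mui") and "\\system32\\" in p:
        return "locale_resource"      # localized string tables for system DLLs
    if p.startswith("hklm\\") or p.startswith("hkcu\\"):
        return "registry"
    if p.startswith("\\device\\"):
        return "kernel_device"
    return "other"                    # e.g. drivers\etc, home of the hosts file


# Tuple, not set, so the review list has a stable order.
REVIEW_CATEGORIES = ("registry", "kernel_device", "other")


def triage_handles(handles, install_dir, user_data_dir):
    """Group handles by category; return (by_category, handles to review by hand)."""
    by_cat = defaultdict(list)
    for h in handles:
        by_cat[classify_handle(h, install_dir, user_data_dir)].append(h)
    needs_review = [h for cat in REVIEW_CATEGORIES for h in by_cat.get(cat, [])]
    return dict(by_cat), needs_review


if __name__ == "__main__":
    exe, sw, extras = parse_cmdline(SAMPLE_CMDLINE)
    print("exe:", exe)
    for k, v, note in review_switches(sw):
        print(f"  --{k}={v!r}: {note}")
    cats, review = triage_handles(SAMPLE_HANDLES, INSTALL_DIR, USER_DATA_DIR)
    for cat, items in cats.items():
        print(f"{cat}: {len(items)}")
    print("review by hand:", *review, sep="\n  ")
```

The review list it produces (the Tcpip and WinSock2 keys, \Device\CNG, \Device\Nsi, drivers\etc) is a pointer to where to look, not a verdict: the Winsock stack and Chromium's own host resolver touch the same keys and the hosts directory during ordinary name resolution, so the next step is to compare against a known-clean NW.js sample under the same conditions rather than to treat the list as proof.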