The strings in b88ece4c04f706c9717bbe6fbda49ed2 reference No-IP's Dynamic Update Client (DUC), which automatically updates the IP address if it changes, but also contain lines like "SELECT * FROM moz_logins", used to obtain Firefox's stored credentials.

Figure 3. Part of a malicious executable stored as data

If the mutex already exists, the sample calls ProjectData.EndApp to close all related files and stop the process.

- Checks whether a file called server.exe already exists in C:\Users\ \AppData\Local\Temp\. Otherwise, the file is created and executed. The file server.exe is a copy of the sample.
- Creates an environment variable called "SEE_MASK_NOZONECHECKS" and sets its value to 1 (this suppresses the zone-check security warning that Windows shows for files carrying a mark-of-the-web when they are launched through ShellExecute).
- Creates a rule to allow the process server.exe through the Windows firewall.

Figure 4. Command used by the sample to create a firewall rule

- Copies server.exe to the Startup folder.
- Checks the value of HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\ because the keylogger stores what it captures in this registry key, to later send to its C&C.

Figure 5.

- Uses GetWindowText to copy the text of the active window's title bar, later sent to the remote server encoded in base64.
- Gets information about the C: drive, particularly the volume serial number.

When all the necessary information has been collected, the sample generates a string with the data encoded in base64, with this structure:

Create dump of server.exe: Q3JlYXRlIGR1bXAgb2Ygc2VydmVyLmV4ZQA=

Note that the encoded value carries a trailing null byte: the final group ZQA= decodes to "e" followed by 0x00, so a decoder has to strip it before comparing or displaying the text.

- Uses the function capGetDriverDescriptionA to find out if the infected computer has a webcam installed.
- Deletes the keys and files related to the infection.

It also includes functions to decompress zip files and obtain MD5 hashes.

The sample responds to the commands sent from its C&C. The following table explains some of them:

- Adds a value to the subkey HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\
- Sends the data collected by the keylogger.
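The following is an added example, not code from the original write-up or from the sample itself. It reproduces the string structure the analysis shows for the C&C traffic (plain text, one terminating NUL byte, then base64) and pulls such fields out of a captured line. The text encoding (UTF-8), the generalisation of the structure beyond the single "Create dump of server.exe" example on the page, and the sample line fed to it are all assumptions made for the example.

```python
import base64
import binascii
import re

# Added example, not code from the original article. It reproduces the string
# structure the write-up shows for the sample's C&C traffic: plain text followed
# by a single NUL byte, then base64. UTF-8 is an assumption (the page shows only ASCII).


def encode_field(text: str) -> str:
    """Encode text the way the sample does: append 0x00, then base64."""
    return base64.b64encode(text.encode("utf-8") + b"\x00").decode("ascii")


def decode_field(token: str) -> tuple[str, bool]:
    """Decode one base64 field.

    Returns (text, had_trailing_nul). Raises ValueError / binascii.Error if the
    token is not valid base64 or does not decode to printable UTF-8 text.
    """
    raw = base64.b64decode(token, validate=True)
    had_nul = raw.endswith(b"\x00")
    if had_nul:
        raw = raw[:-1]
    text = raw.decode("utf-8")  # strict: binary garbage raises UnicodeDecodeError
    if not text.isprintable():
        raise ValueError("decoded bytes are not printable text")
    return text, had_nul


# Candidate base64 runs: at least 8 alphabet characters, optional padding, not
# glued to other alphabet characters on either side.
_B64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")


def extract_fields(line: str) -> list[tuple[str, str, bool]]:
    """Pull every decodable base64 field out of a captured line.

    Ordinary words such as "Software" are base64-valid but decode to binary
    garbage, so decode_field's strict UTF-8 / printable check drops them.
    """
    found = []
    for match in _B64_RUN.finditer(line):
        token = match.group(0)
        if len(token) % 4:
            continue
        try:
            text, had_nul = decode_field(token)
        except (binascii.Error, ValueError):
            continue
        found.append((token, text, had_nul))
    return found


# Constructed sample line (not a real capture): the page's own example token
# next to a plain word that happens to be base64-valid.
SAMPLE_LINE = "c2 -> victim: Q3JlYXRlIGR1bXAgb2Ygc2VydmVyLmV4ZQA= Software"

if __name__ == "__main__":
    for token, text, had_nul in extract_fields(SAMPLE_LINE):
        print(f"{token} -> {text!r} (trailing NUL: {had_nul})")
    print(encode_field("Create dump of server.exe"))
```

The `had_nul` flag is worth keeping in the output: a field that decodes cleanly but lacks the terminator is either a different message type or a different tool, and a string comparison that forgets to strip the 0x00 will silently never match "Create dump of server.exe".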