Sends the collected keylogger data as an email body to the attacker’s email box with the subject, “KL_ user-name/computer-name”. ThisĮnables the hook function to collect the victim’s input from the keyboard, along with the name of the software it was input to. It starts its keylogger function by setting a keyboard hook function (by calling the API SetWindowsHookEx(13, hook_fun, …)). It then submits this screenshot as anĮmail attachment to the attacker’s email address with the subject, “SC_ user-name/computer-name”.Ħ. It starts a thread to capture and keep a screenshot of the victim’s screen into a jpeg image. It can restart the victim’s Windows by executing "Shutdown -r -t 5".ĥ. It uses a timer function to ask its server every 60 seconds if it should uninstall this malware from the victim’s system.Ĥ. Figure 11 shows a group of my saved email account information that the malware just harvested from the system registry and added into a variable of “list”.ģ. Once one sub-key is found to exist, it goes through all its sub-keys to pull out the values of "IMAP Password", "POP3 Password", "HTTP Password", and "SMTP Password". Usually, one of the sub-keys is used by Outlook, depending on the version. "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" It tries to access four sub-keys from the system registry, which are: Let’s take a look at how it collects Microsoft Outlook credentials from the system registry. This malware not only collects credentials from files, but also from the system registry. OpenVPN, FileZilla, Ipswitch WS_FTP, WinSCP, CoreFTP, FTP Navigator, FlashFXP, SmartFTP, CFTP, FTPGetter, DownloadManager and Coowon jDownloader. Microsoft Outlook, Mozilla Thunderbird, Aerofox Foxmail, Opera Mail, IncrediMail, Pocomail, Qualcomm Eudora, The Bat! Email, Postbox, Claws Mail, Becky! Internet Mail, Trillian Messenger and ICQ Transport. Google Chrome, Mozilla Firefox, Microsoft IE & Edge, Apple Safari, Tencent QQBrowser, Opera Browser, Yandex Browser, 360 Browser, Iridium Browser, Comodo Dragon, CoolNovo, Chromium, Torch Browser, 7 Star Browser, Amigo Browser, Brave, CentBrowser, Chedot, Coccoc, Elements Browser, Epic Privacy, Kometa, Orbitum, Sputnik, Uran, Vivaldi, Citrio, Liebao Browser, Sleipnir 6, QIP Surf Browser, Coowon Browser, SeaMonkey, Flock Browser, UCBrowser, BlackHawk Browser, CyberFox Browser, KMeleon Browser, IceCat Browser, IceDragon Browser, PaleMoon Browser, WaterFox Browser and Falkon Browser. Through my analysis, the list below includes all of the software targeted by this malware: ("Opera Browser", "C:\Users\\AppData\Roaming\Opera Software\Opera Stable". It then collects the credentials from files under the folder path if they exist, with each credential added into “list” as well.Įach item added in “list3” contains data similar to the example below: All items in “list3” will be enumerated later. The bottom part adds groups of software names and their credentials file folder paths into another List object called “list3”. ![]() It then adds them into the List object “list”. This function calls many sub-functions, including kpa_Chrome(), kpm_Mozilla(), and so on, to collect saved credentials. A shellcode is also part of this function, which will be in charge of performing the actual process injection.įigure 12 is a screenshot of the code snippet of function jfd_collect_credentials(), which is very easy to see now because I have removed the obfuscation code, which I mentioned in Figure 11. The second parameter is a copy of the variable that holds the embedded. The first parameter passes a variable with the location of the “RegSvcs.exe”. It also sets the target program & "\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v7\\\\RegSvcs.exe") as well as the data of an embedded. However, this function acts as a wrapper to the dpubfytzxt() function. This function does not receive parameters. ![]() NET executable, and a security key that will be used during the decryption process. It receives three parameters, including the variable pointing to the binary data of the embedded. Processes the binary data from the previous step. Concatenates binary data in a variable that will be used in subsequent function calls.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |