LabZero
Thread author
Hello.
I decided to analyze a strange file found in a folder on my external HDD
Used tools:
- Pestudio, an application that performs Malware Initial Assessment of any executable file (*.exe, *.dll, *.sys, *.cpl, etc.): winitor
- ILSpy, an excellent open-source .NET assembly browser and decompiler: ILSpy
- Detect It Easy, an application built as a packer identifier in order to help define a file type. It's a utility that is easy to handle, quick on its feet and provides a wide range of tools: Detect It Easy Download
The rar file contains an executable called setup.exe and, according to DiE, our file is a Microsoft Cabinet file. It contains two files: one of them is the malware executable and the other one is a config file.
The core file is written in .NET:
The main routine looks like this after decompilation:
By calling the SetStartup() function, the application registers itself in Windows startup:
Here StartupKey is the Base64 encoding of “SOFTWARE\Microsoft\Windows\CurrentVersion\Run”, which refers to the startup key in the registry.
The malware gets the .NET Framework version and, according to that, decides to copy one of its resources to %appdata%\MSI93153 and renames it to “MS-SecurityUpdate-93153U.dll”.
The application creates a thread for keylogging.
Here the malware collects some information and then encrypts it by calling the EncodeBuffer() function. Here is the main encryption routine, which is AES in CBC mode:
The application calls some functions to steal browser data, including cookies, saved usernames and passwords, …
And finally the application deletes some Microsoft application data; by doing this, it forces the user to re-enter the information, so the malware can steal that information too.
After collecting the data, the application sends it in encrypted form.
Here is the Malwr analysis: Malwr - Malware Analysis by Cuckoo Sandbox
Thanks to all members for reading this thread
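The post notes that the Run key path is stored as a Base64 string (StartupKey) rather than in the clear. A practitioner triaging a similar .NET sample will want to pull such strings out without opening a decompiler: .NET string literals live in the #US metadata heap as UTF-16LE, so a plain ASCII strings pass misses them. The script below is an added example and is not code from the thread or from the analysed sample. It scans a byte blob for UTF-16LE printable runs, tries to Base64-decode each one, and flags any that decode to a registry autostart location. The autostart key list and the sample blob (built in build_sample, with the Run key Base64-encoded at runtime) are constructed for illustration; the decoded path is the one quoted in the post.

```python
import base64
import binascii
import re

# Autostart locations worth flagging when one turns up inside an
# obfuscated string (assumption: list kept short for illustration).
AUTOSTART_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# .NET string literals are UTF-16LE in the #US heap: every printable
# ASCII character is followed by a 0x00 byte. Require at least 8 chars.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def utf16_strings(blob: bytes):
    """Yield printable UTF-16LE strings found in the blob."""
    for m in _UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def try_base64(s: str):
    """Return the decoded text if s is Base64 that decodes to printable
    ASCII, otherwise None. Shape and length are checked first so that
    ordinary strings are rejected cheaply."""
    if len(s) % 4 or not _B64_SHAPE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_autostart_strings(blob: bytes):
    """Return [(encoded, decoded)] for every Base64 string in the blob
    that decodes to one of the autostart registry keys."""
    hits = []
    for s in utf16_strings(blob):
        decoded = try_base64(s)
        if decoded and any(
            decoded.lower().startswith(k.lower()) for k in AUTOSTART_KEYS
        ):
            hits.append((s, decoded))
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for a .NET image: the Base64-encoded Run key
    stored as UTF-16LE, surrounded by a filename, noise bytes and a
    plain string that must not be reported."""
    run_key_b64 = base64.b64encode(
        b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    ).decode()
    return (
        b"\x00" * 16
        + "MS-SecurityUpdate-93153U.dll".encode("utf-16-le")
        + b"\xff\xfe\x00\x01"
        + run_key_b64.encode("utf-16-le")
        + b"\x00\x00"
        + "plain text, not base64".encode("utf-16-le")
    )


if __name__ == "__main__":
    for encoded, decoded in find_autostart_strings(build_sample()):
        print(f"{encoded} -> {decoded}")
```

Run it against a real image by replacing build_sample() with the file's bytes; anything reported is a string the author chose to hide, which is itself a useful triage signal even before the decoded value is read.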