Malware Analysis Gen:variant_kazy_keylogger static analysis

LabZero

Hello.

I decided to analyze a strange file found in a folder on my external HDD.


Used tools:

- PeStudio, an application that performs Malware Initial Assessment of any executable file (*.exe, *.dll, *.sys, *.cpl, etc.): winitor

- ILSpy, an excellent open-source .NET assembly browser and decompiler: ILSpy

- Detect It Easy, an application that has been built as a packer identifier in order to help define a file type. It’s a utility that is easy to handle, quick on its feet and provides a wide range of tools: Detect It Easy Download

The rar file contains an executable called setup.exe and, according to DiE, our file is a Microsoft Cabinet file. It contains two files: one of them is the malware executable and the other one is a config file.

Cattura.PNG


Cattur2.PNG

Cattura3.PNG


The core file is written in .NET:

Cattura4.PNG


The main routine looks like this after decompilation:

Cattura5.PNG

Cattura6.PNG

By calling the SetStartup() function, the application registers itself in Windows startup:

Cattura7.PNG

Here StartupKey is the Base64 encoding of “SOFTWARE\Microsoft\Windows\CurrentVersion\Run”, which refers to the startup key in the registry.

The malware gets the .NET Framework version and, according to that, decides to copy one of its resources to %appdata%\MSI93153 and renames it to “MS-SecurityUpdate-93153U.dll”.

Cattura8.PNG

The application creates a thread for keylogging:

Cattura9.PNG

Cattura10.PNG


Here the malware collects some information and then encrypts it by calling the EncodeBuffer() function. Here is the main encryption routine, which is AES in CBC mode:

Cattura11.PNG

The application calls some functions to steal browser data, including cookies, saved usernames and passwords, …

Cattura12.PNG


And finally the application deletes some Microsoft application data; by doing this, it forces the user to re-enter the information, so the malware can steal this information too.
After collecting the data, the application sends it in encrypted form.

Here is the Malwr analysis: Malwr - Malware Analysis by Cuckoo Sandbox

Thanks to all members for reading this thread :)
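As an added example (not part of the original post and not the sample's own code), the following Python helper mirrors the StartupKey observation from the write-up: a strings dump of a .NET sample is scanned for Base64-looking tokens, each token is decoded, and any decoded string that resolves to a persistence location (the Run key named in the post, or an %appdata% path like the MSI93153 folder) is flagged for the analyst. The strings dump is constructed here from the plaintext values the post mentions, and the RunOnce indicator, the function names and the threshold of 16 characters are assumptions, not findings from the sample.

```python
import base64
import binascii
import re

# Persistence-related substrings a triage analyst looks for once a Base64
# token decodes to text. The Run key and %appdata% path come from the post;
# RunOnce is an assumed related location added for illustration.
PERSISTENCE_INDICATORS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"%appdata%",
)

# Candidate Base64 tokens: runs of the Base64 alphabet (assumed minimum of
# 16 characters to skip short identifiers) with optional "=" padding.
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidates(blob: bytes):
    """Yield (token, decoded_text) for each Base64-looking token that decodes to printable ASCII."""
    for match in _B64_TOKEN.finditer(blob):
        token = match.group(0)
        try:
            # validate=True rejects tokens with a length that is not a multiple of 4
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            yield token.decode("ascii"), text


def find_persistence_strings(blob: bytes):
    """Return decoded strings that contain a persistence indicator (case-insensitive match)."""
    hits = []
    for token, text in decode_candidates(blob):
        for indicator in PERSISTENCE_INDICATORS:
            if indicator.lower() in text.lower():
                hits.append({"token": token, "decoded": text, "indicator": indicator})
                break
    return hits


def _b64(s: str) -> bytes:
    """Encode a constructed plaintext so the sample dump needs no hand-copied Base64."""
    return base64.b64encode(s.encode())


# Constructed sample: what a strings dump of a similar sample might contain.
# Only the Run key, the %appdata%\MSI93153 path and the DLL name are taken
# from the post; the remaining lines are filler for the demonstration.
SAMPLE_STRINGS_DUMP = b"\n".join([
    b"mscorlib",
    b"StartupKey",
    _b64("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),
    b"SetStartup",
    _b64("%appdata%\\MSI93153"),
    _b64("nothing suspicious here"),
    b"MS-SecurityUpdate-93153U.dll",
])


if __name__ == "__main__":
    for hit in find_persistence_strings(SAMPLE_STRINGS_DUMP):
        print(f"{hit['indicator']!r:55} <- {hit['decoded']}")
```

Run against a real strings dump (for example the output of PeStudio's strings view saved to a file) by passing the file's bytes to find_persistence_strings(); the decode step is deliberately strict so that ordinary long identifiers whose length is not a multiple of 4 are skipped rather than producing garbage matches.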
 