Skip to main content
  1. Classwork/

Keylogger Malware

·980 words·5 mins

Together with my friend Liam from Lusky.dev, I performed a static and dynamic analysis of 2 malicious binaries. This analysis was part of DFOR 761, the malware reverse engineering class at GMU.

Executive Summary
#

We determined that malware sample #1 was a Trojan Dropper, which is a piece of malware that attackers use to deploy further malware execution. This sample would constantly beacon out to a .biz domain in order to pull down additional malware or instructions.

Malware sample #2 was determined to be an infostealer, specifically a keylogger that also recorded screenshots of the Victim’s computer once per second. We believe that this malware would then attempt to send the resulting screenshots and logged keys to the attacker, although we were not able to determine the destination or mechanism for this functionality.

Analysis Techniques Utilized
#

The following programs were used to conduct the analyses of the malware: Process Monitor (ProcMon), 010 Editor, Cutter, RegShot, ProcDot, and INetSim. The general analytic process followed the following workflow:

First, we took snapshots of the registry using RegShot and then took a snapshot of the Virtual Machine prior to malware execution. Simultaneously, another VM with INetSim running was placed into a virtual network with the malware analysis VM. After this, ProcMon was loaded up in capture mode, and the malware was executed. The ProcMon logs were analyzed, converted into CSV, and passed into ProcDot for visual and timeline analysis. A second registry snapshot was taken and compared to the first. During our analysis, we separately conducted static analysis on our Remux virtual machine using Cutter, the peframe tool, and 010 Editor.

Technical Analysis of Malware 2
#

Dynamic Analysis
#

We began this analysis by performing a dynamic analysis of the binary. Upon initially running the malware, no activity was observed. As we later discovered; due to this malware’s age, it has to be run as an administrator. After running the malware with administrator, we discovered with Process Monitor that the malware created the following files:

A screenshot of created files by the malware.
A screenshot of Process Monitor showing the malware executable creating files.
A screenshot of files in the \SysWOW64 directory
A screenshot of files created by the malware.
Notably, the DPBJ.009 file is signficantly larger than the other files in this directory.

We also observed the malware2.exe process with PID 2500 spawning a process named DPBJ.exe with a PID of 4188.

A screenshot of the malware creating another process.
A screenshot of the malware creating a new process

Within a few minutes of running the malware, the directory located at C:\Windows\SysWOW64\28463\ folder looked as it did below. Each of the photos in the preview shown below is a screenshot of the desktop of the VM, taken at one second intervals.

The folder \28463 filling up with screenshots.
The folder \28463 filling up with screenshots.

Interestingly, on a schedule that appeared to be about once a minute, the screenshots of the desktop in this folder all appeared to dissapear, and the DPBJ.009 file would increase in size. This lead us to suspect that the photos were being embedded inside that file. As shown below, carving of that file revealed the hex headers of a JPEG file (FF D8 to begin a file and FF D9 to end a file). Using HxD, we were able to sucessfully carve a screenshot from that file, confirming our suspicions.

A screenshot of the beginning of a JPEG file carved from DPBJ.009
A screenshot of the beginning of a JPEG file carved from DPBJ.009
A screenshot of a JPEG file ending indicator, carved from DPBJ.009
A screenshot of a JPEG file ending indicator, carved from DPBJ.009

Using INetSim, we were able to detect a DNS request for smtp.mail.yahoo.com, which is the only DNS request or network traffic we detected from the malware. I imagine that the malware has the ability to send it’s screenshots and captured keystrokes, and this is the mechanism the malware would use to accomplish that. If we had more time for this assignment, I would’ve searched for hardcoded email credentials and used a disassembler to look through the section of this malware that has this SMTP address.

A screenshot of DNS traffic from the malware.
A screenshot of DNS traffic from the malware.

A screenshot of the registry key that allows persistence.
A screenshot of the registry key that creates persistence.
A screenshot from Process Monitor of the malware setting the autorun registry key.
A screenshot from Process Monitor of the malware setting the autorun registry key.
Note: The “AutoRuns” program from the SysInternals suite was also utilized and was not able to find any startup or persistence activity of the malware, which was unexpected. We believe that this is due to the \Run being located in the WOW6432Node registry location, which predates the creation of the Autoruns program.

We also utilized ProcDot to create an execution timeline, but I personally did not get much value from this program. It was finnicky to set up, and by the time we got the program working, we already had a solid understanding of how what the program did. Perhaps with a more complicated malware sample, or after having the program set up correctly, it would provide more value. Nevertheless, I have included the screenshot of the ProcDot graph in this writeup. The text is illegible because scrolling out in ProcDot (necessary to capture the entire image) reduces the text size.

A screenshot of ProcDot’s execution graph.
A screenshot of ProcDot’s execution graph.

Static Analysis
#

We used 010 Editor to get strings from @D607.tmp, created by malware2.exe and located in the C:\Users\USER\AppData\Local\Temp directory. This analysis revealed several mentions to the Ardamax Keylogger. OSINT of this software gave us the understanding that this was originally legitmate software that was later hijacked by threat actors.

A screenshot of strings from a keylogger
A screenshot of strings from the keylogger file.
This keylogger also had a license file, with the contents shown below. The file this key was located in was the key.bin file. It is unclear if this registration is tied to the specific threat actor, or a commonly shared license file distributed with the keylogger. This is another area of this investigation I would have spent more time.
A screenshot of the keylogger license file.
A screenshot of the keylogger license file.

Using the malware’s Sha256 hash of 041411c41e5bbca3760e3cd7f9fb7f8e2fb14973bc8178bf056c3694baf9da04 we were able to find it’s detections on VirusTotal.

A screenshot of VirusTotal detections for the malicious file.
A screenshot of VirusTotal detections for the malicious file.

Hiller Hoover
Author
Hiller Hoover