Table of Contents
Together with my friend Liam from Lusky.dev, I performed a static and dynamic analysis of 2 malicious binaries. This analysis was part of DFOR 761, the malware reverse engineering class at GMU.
Executive Summary#
Malware sample #2 was determined to be an infostealer, specifically a keylogger that also recorded screenshots of the Victim’s computer once per second. We believe that this malware would then attempt to send the resulting screenshots and logged keys to the attacker, although we were not able to determine the destination or mechanism for this functionality.
Analysis Techniques Utilized#
First, we took snapshots of the registry using RegShot and then took a snapshot of the Virtual Machine prior to malware execution. Simultaneously, another VM with INetSim running was placed into a virtual network with the malware analysis VM. After this, ProcMon was loaded up in capture mode, and the malware was executed. The ProcMon logs were analyzed, converted into CSV, and passed into ProcDot for visual and timeline analysis. A second registry snapshot was taken and compared to the first. During our analysis, we separately conducted static analysis on our Remux virtual machine using Cutter, the peframe tool, and 010 Editor.
Technical Analysis of Malware 2#
Dynamic Analysis#
We began this analysis by performing a dynamic analysis of the binary. Upon initially running the malware, no activity was observed. As we later discovered; due to this malware’s age, it has to be run as an administrator. After running the malware with administrator, we discovered with Process Monitor that the malware created the following files:

DPBJ.009 file is signficantly larger than the other files in this directory.
We also observed the malware2.exe process with PID 2500 spawning a process named DPBJ.exe with a PID of 4188.
Within a few minutes of running the malware, the directory located at C:\Windows\SysWOW64\28463\ folder looked as it did below. Each of the photos in the preview shown below is a screenshot of the desktop of the VM, taken at one second intervals.
Interestingly, on a schedule that appeared to be about once a minute, the screenshots of the desktop in this folder all appeared to dissapear, and the DPBJ.009 file would increase in size. This lead us to suspect that the photos were being embedded inside that file. As shown below, carving of that file revealed the hex headers of a JPEG file (FF D8 to begin a file and FF D9 to end a file). Using HxD, we were able to sucessfully carve a screenshot from that file, confirming our suspicions.

Using INetSim, we were able to detect a DNS request for smtp.mail.yahoo.com, which is the only DNS request or network traffic we detected from the malware. I imagine that the malware has the ability to send it’s screenshots and captured keystrokes, and this is the mechanism the malware would use to accomplish that. If we had more time for this assignment, I would’ve searched for hardcoded email credentials and used a disassembler to look through the section of this malware that has this SMTP address.


We also utilized ProcDot to create an execution timeline, but I personally did not get much value from this program. It was finnicky to set up, and by the time we got the program working, we already had a solid understanding of how what the program did. Perhaps with a more complicated malware sample, or after having the program set up correctly, it would provide more value. Nevertheless, I have included the screenshot of the ProcDot graph in this writeup. The text is illegible because scrolling out in ProcDot (necessary to capture the entire image) reduces the text size.
Static Analysis#
We used 010 Editor to get strings from @D607.tmp, created by malware2.exe and located in the C:\Users\USER\AppData\Local\Temp directory. This analysis revealed several mentions to the Ardamax Keylogger. OSINT of this software gave us the understanding that this was originally legitmate software that was later hijacked by threat actors.

Using the malware’s Sha256 hash of 041411c41e5bbca3760e3cd7f9fb7f8e2fb14973bc8178bf056c3694baf9da04 we were able to find it’s detections on VirusTotal.
