Quick Key Logger break down


Hello,

I had a simple malware sample (keylogger) I could show  to reinforce what my previous posts touched on.
https://tntrex77.blogspot.com/2018/10/quick-tip-sysinternals.html
https://tntrex77.blogspot.com/2018/12/how-i-use-sysinternals.html

This was an executable file (.exe) hanging out in the startup folder, trying to be all innocent named "msdefender.exe".   "I don't believe you, more like bsdefender.exe!"


https://www.virustotal.com/gui/file/0fd7513668d18c2c6be2ed2eed170b86217734d0af0385bca8eddb94404f05f5/detection
There were also a few detections from VirusTotal, (VT blog entry)

First thing I usually do is blast a file with sigcheck:  sigcheck -h -v <File>   (Hash and VT switches)
(Similar output to the VT website, use what you like)

Then I pop the file into DIE (Detect It Easy) just to verify file type and quick entropy and strings check.


A .rar archive? "But you said you were msdefender.exe!"  Let's pop it into WinRAR to see what we got.


"PSKILL!", "EXEC.BAT!", "BOBA FETT!"  This is not looking good.  Let's glance at that batch script (exec.bat).


Looks like it really wants to start "conhosts.exe".

This is my favorite part!  Lets oblige and run "conhosts.exe" ourselves, while we watch to see what happens.  (This should be done from the relative safety of a VM(bombshelter), see POST)

Lets setup our instrumentation first. (procmon)
I copy and rename the "conhosts.exe" to "sampley.exe"
I run procmon and set filters to; "Process Name" "Contains" "sampley" > Apply
Disconnect VM network or ensure "host-only"
Detonate the sample !*BANG*!
Examine procmon


Why the hell is this thing messing with "C:\Users\Matt\AppData\Local\winpfontcache1.dat"?!  And WTF is "winpfontcache1.dat"?!  These timestamps are fresh!   Let's see if we can find .dat money!


"And we do!"  You can see that "winpfontcache1.dat" is a text file containing my previous keystrokes.  This dirty "msdefender.exe" is actually a key stroke logger!

By honing in on the "conhosts.exe" I was able to determine the main malicious mechanism in this malware.  (alliteration obliteration!)  The "msdefender.exe" was hanging out in the startup folder to ensure this key-logger was run upon startup.

Nothing exotic or unique here but something I thought would be easy to follow and understand.    More posts to come!

Notepad++ > https://notepad-plus-plus.org/
DIE tool > http://ntinfo.biz/index.html

Comments

Post a Comment

Popular posts from this blog

A magic-wormhole!

Image
Have you ever struggled to get a file from one computer to another?  What if the file surpasses the size limits of Google Drive or Dropbox? Yes, you can SSH/SCP, FTP, HTTP, USB, script the hell out of it but isn't there something that allows us to transfer large files easily? And is "securely" too much to ask too? https://github.com/warner/magic-wormhole TL;DR, The concept is; you and your recipient would have another secure means to transfer a secure pass-phrase.  The sender would tell the receiver what pass-phrase accesses the package.  The odds somebody else entering the same phrase into the wormhole at the right time is approximately 3720 to 1! (I don't know the exact math but its really hard to MitM)  "The package is at whisky-tango-foxtrot." Here's the -help,  Magic Wormhole supports multiple modes; # Wormhole send                     # Activates prompt for a message to send, Text mes...
Read more

Quick Tip -Sysinternals-

Image
I been slacking on this blogging thing.  Anyway I wanted to show a quick tip that I want to build off going forward with more posts. Sysinternals is a great free tool that can help you with numerous computer issues. https://docs.microsoft.com/en-us/sysinternals/ Another cool thing is Sysinternals Live , basically a website that hosts all the Sysinternals Tools. https://live.sysinternals.com/ The really cool feature I wanted to go over, is mounting this website as a local drive, or calling these tools straight from the command line. P$> \\live.sysinternals.com\tools\procmon.exe This command will fire up procmon.exe. (I got a post coming up for procmon) Syntax= \\live.sysinternals.com\tools\ TOOL.EXE It may take a moment but all the Sysinternals tools are available to you, over the wire.  Pretty neat.  Another way to demonstrate this is by mapping that entire web directory to a location on your computer. Click "This PC" > "Compute...
Read more

How I use Sysinternals

Image
Hey, In my previous post I demonstrated how to add the Sysinternals tools to your computer from  https://live.sysinternals.com/ .  "Neat, now what?"  This is not a comprehensive guide to Sysinternals merely how I use these tools to increase my cyber safety. If you browsed to  https://live.sysinternals.com  you'll notice there is numerous tools.  I just want to quickly show a few of the tools I have found most useful and how I use them. 1.) Sigcheck  - " Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains." You can run it via: PS C:\Users\Matt> \\live.sysinternals.com\tools\sigcheck.exe -h -v "C:\Users\Matt\Downloads\pro cesshacker-3.0.1424-setup.exe" >> sigchecktest.txt This command is run against a "file", usually something you just downloaded/received.  You are unsure about it's safety.  You can run "Sigcheck...
Read more