Dropped artifacts: the C:\mssvr directory and the keystroke log C:\mssvr\UpdaterInfo.dat inside it.
Fixed the archive; re-download it if you could not open it before.
Download dc281590aa9153000e983622f0559ea1 AdobeInfo.exe as a password-protected archive (please contact me for the password if you need it).
Two known file name variants (there can be an endless list of them) are AdobeInfo.exe and lognoreg.exe.
VT
http://www.virustotal.com/analisis/459441e13e339640e0c34530a9b5dcdf959c573f638258073882756d90b8e612-1280034705
File AdobeInfo.exe received on 2010.07.25 05:11:45 (UTC)
Current status: finished
Result: 0/42 (0.00%)
Additional information
File size: 16384 bytes
MD5 : dc281590aa9153000e983622f0559ea1
Example of an UpdaterInfo.dat log from the mssvr folder. Note how credentials end up in the log: at the bottom, under a browser window title, the victim types the webmail URL, then the user name, then the password, each on its own line, so the three lines read straight off as a credential. Note also that the middle field of every per-line timestamp stays at 06 throughout while the session header reads 13:07:47, so the per-line times are not reliable clock values.
--- 20100727 13:07:47 ----------------
11:06:47 The Active Windows Title: PC21330
11:06:03 The Active Windows Title: Inbox - Microsoft Outlook
11:06:05 The Active Windows Title: RE: Meeting tomorrow : Budget 2011- Message (HTML)
Let's meet before the meeting, maybe around 3 pm today. By the way I am still waiting for Brian's reply, he never called me back, do you have his secretary's number?
11:06:48 The Active Windows Title: Microsoft Access - Events_Records : Database (Access 2000 file format)
I will send you the agenda in a minute
11:06:55 The Active Windows Title: Find and Replace
[CTRL]f
July 23
11:06:07 The Active Windows Title: Find and Replace
....
12:06:37 The Active Windows Title: Microsoft Excel - InvitationListDetails.xlsx
12:06:06 The Active Windows Title: Microsoft Excel - invoicelist.xlsx
12:06:10 The Active Windows Title: Microsoft Excel - invoicelist.xlsx.xlsx
$16,000
item
.....
12:06:11 The Active Windows Title: Save As
12:06:15 The Active Windows Title: Microsoft Excel - InvidtationListDetails
12:06:56 The Active Windows Title: \\FILESRV002\DATA\DEPARTMENTS\STRATCMD-S
[CTRL]c.xlsx
12:06:27 The Active Windows Title: Windows Internet Explorer
Taxi 20006
12:06:52 The Active Windows Title: taxi phone number zip code 20001 - Google Search - Microsoft Internet Explorer
12:06:04 The Active Windows Title: @@To Do list - Microsoft Outlook
oil production
12:06:10 The Active Windows Title: Untitled - Message (Plain Text)
12:06:16 The Active Windows Title: Amanda Smith
Jenn
12:06:56 The Active Windows Title: Untitled - Message (Plain Text)
15:06:36 The Active Windows Title: Google - Microsoft Internet Explorer
https://mail.acme.com
AJohnson
Summer2010WorldCup$$
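A parser for this log format, as an added example for triage of a recovered UpdaterInfo.dat (not code from the original post or from the sample). The line layouts come from the format strings in the binary: the session header "---- %04d%02d%02d %02d:%02d:%02d ----------------", the window-change line "%02d:%02d:%02d The Active Windows Title: %s", and bare lines of typed text. The credential heuristic (a URL line followed by two typed lines inside one window) and the document-name patterns are my assumptions drawn from the example log, not documented features of the malware. The embedded SAMPLE_LOG is a constructed, shortened copy of the log shown above.

```python
"""Parse an UpdaterInfo.dat keystroke log and pull out what the operator got.

Added example for triage; not code from the original post or the sample.
Timestamps are kept as the raw strings the logger wrote, because the
middle field in the posted log never changes and cannot be trusted.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^-{3,}\s+(\d{8})\s+(\d{2}:\d{2}:\d{2})\s+-+\s*$")
TITLE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) The Active Windows Title: (.*)$")
URL_RE = re.compile(r"^(https?://\S+|www\.\S+)$", re.IGNORECASE)
KEYTOKEN_RE = re.compile(r"\[[A-Za-z0-9 ]+\]")  # [CTRL], [F5], [Num Lock], ...
# Assumption: Office/PDF/Access extensions or a UNC path mark an exposed document.
DOC_RE = re.compile(r"(\.(xlsx?|docx?|pptx?|pdf|mdb|accdb)\b|^\\\\[^\\]+\\)", re.IGNORECASE)


@dataclass
class WindowEvent:
    session: str              # date/time from the enclosing '----' header
    time: str                 # HH:MM:SS exactly as the logger wrote it
    title: str                # active window title
    typed: list = field(default_factory=list)   # lines typed while it was active


def parse_log(text):
    """Return WindowEvent records; typed lines attach to the latest title line."""
    events, session = [], "unknown"
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            session = f"{m.group(1)} {m.group(2)}"
            continue
        m = TITLE_RE.match(line)
        if m:
            events.append(WindowEvent(session, m.group(1), m.group(2)))
            continue
        if events:
            events[-1].typed.append(line)
        else:  # typed text before any title line: keep it under a placeholder
            events.append(WindowEvent(session, "??:??:??", "<no title>", [line]))
    return events


def strip_key_tokens(line):
    """Drop bracketed key names, so '[CTRL]c.xlsx' becomes 'c.xlsx'."""
    return KEYTOKEN_RE.sub("", line)


def find_credentials(events):
    """Heuristic: within one window, a URL followed by two typed lines is
    reported as (url, user, password). Lines that are only a key token are ignored."""
    hits = []
    for ev in events:
        lines = [l for l in ev.typed if not KEYTOKEN_RE.fullmatch(l)]
        for i, l in enumerate(lines):
            if URL_RE.match(l) and i + 2 < len(lines):
                hits.append({"time": ev.time, "title": ev.title, "url": l,
                             "user": lines[i + 1], "password": lines[i + 2]})
    return hits


def exposed_documents(events):
    """Window titles and typed strings naming documents or UNC shares,
    for scoping what the operator could have read."""
    found = set()
    for ev in events:
        for s in [ev.title] + ev.typed:
            if DOC_RE.search(s):
                found.add(s)
    return sorted(found)


# Constructed sample: a shortened copy of the log shown in the post.
SAMPLE_LOG = r"""--- 20100727 13:07:47 ----------------
11:06:03 The Active Windows Title: Inbox - Microsoft Outlook
11:06:05 The Active Windows Title: RE: Meeting tomorrow : Budget 2011- Message (HTML)
Let's meet before the meeting, maybe around 3 pm today.
11:06:55 The Active Windows Title: Find and Replace
[CTRL]f
July 23
12:06:56 The Active Windows Title: \\FILESRV002\DATA\DEPARTMENTS\STRATCMD-S
[CTRL]c.xlsx
15:06:36 The Active Windows Title: Google - Microsoft Internet Explorer
https://mail.acme.com
AJohnson
Summer2010WorldCup$$
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for c in find_credentials(evs):
        print(f"{c['time']} {c['title']}: {c['url']} {c['user']} / {c['password']}")
    print("documents:", exposed_documents(evs))
```

Run it against the real file with `parse_log(open(path, encoding="latin-1").read())`; the credential heuristic will also fire on any URL typed into a non-browser window, so review the hits rather than trusting them blindly, and feed the user names straight into a forced password reset.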
Or this is from a VM
Some strings from the binary:
GetModuleHandleA
GetStartupInfoA
[Up]
[Num Lock]
[Down]
[Right]
[UP]
[Left]
[PageDown]
[End]
[Del]
[PageUp]
[Home]
[Insert]
[Scroll Lock]
[Print Screen]
[WIN]
[CTRL]
[TAB]
[F12]
[F11]
[F10]
[F9]
[F8]
[F7]
[F6]
[F5]
[F4]
[F3]
[F2]
[F1]
[ESC]
---- %04d%02d%02d %02d:%02d:%02d ----------------
\UpdaterInfo.dat
\mssvr
The Active Windows Title: %s
%02d:%02d:%02d
%s
%s
Unicode Strings:
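Because the file name changes from victim to victim and the sample scored 0/42 on VirusTotal, the stable things to hunt on are the strings above (the two format strings, the log path, the bracketed key names) and the dropped log on disk. The scanner below is an added example, not code from the original post or the sample; the indicator strings are copied from the strings dump and the Anubis file activity, while the weights, threshold and size cap are my own assumptions to tune on your corpus. The two test blobs are constructed, not real samples.

```python
"""Hunt for renamed copies of this keylogger by its string indicators.

Added example, not from the original post. Indicator strings come from the
strings dump; the scoring is an assumption.
"""
import ntpath
import os

# Weighted indicators: the format strings are near-unique to this logger,
# the paths are strong, single key names are weak on their own.
INDICATORS = {
    b"---- %04d%02d%02d %02d:%02d:%02d ----------------": 5,
    b"The Active Windows Title: %s": 5,
    b"\\UpdaterInfo.dat": 3,
    b"\\mssvr": 3,
    b"[Print Screen]": 1,
    b"[Scroll Lock]": 1,
    b"[Num Lock]": 1,
    b"[PageDown]": 1,
    b"[PageUp]": 1,
    b"[WIN]": 1,
    b"[CTRL]": 1,
}
F_KEY_TOKENS = [b"[F%d]" % i for i in range(1, 13)]   # [F1] .. [F12] as in the dump
THRESHOLD = 8        # assumption: one format string plus a path, or both paths plus key names
MAX_SIZE = 1 << 20   # the sample is 16 KiB; skip anything over 1 MiB


def score_bytes(data):
    """Score a blob. Returns (score, matched_indicators, f_key_count)."""
    matched = [s for s in INDICATORS if s in data]
    f_keys = sum(1 for t in F_KEY_TOKENS if t in data)
    score = sum(INDICATORS[s] for s in matched)
    if f_keys == 12:          # the complete [F1]..[F12] set is itself a signal
        score += 2
    return score, matched, f_keys


def scan_tree(root):
    """Walk a directory tree and yield (path, score) for files at or over THRESHOLD."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_SIZE:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            score, _, _ = score_bytes(data)
            if score >= THRESHOLD:
                yield path, score


def dropped_log_path(system_drive="C:\\"):
    """Where this sample writes its log (from the Anubis file activity); check it on hosts."""
    return ntpath.join(system_drive, "mssvr", "UpdaterInfo.dat")


# Constructed test blobs (not real samples): one carrying the indicators, one benign.
FAKE_POSITIVE = b"\x00".join(list(INDICATORS) + F_KEY_TOKENS + [b"GetModuleHandleA"])
FAKE_BENIGN = b"MZ\x90\x00 GetModuleHandleA GetStartupInfoA [CTRL] [F1]"

if __name__ == "__main__":
    for blob in (FAKE_POSITIVE, FAKE_BENIGN):
        score, matched, f_keys = score_bytes(blob)
        print(score, len(matched), f_keys)
    print("expected log location:", dropped_log_path())
```

A packed or string-encrypted rebuild would defeat this, so pair it with a check for the dropped log path and for a process polling the keyboard; the point is to catch renamed copies of this build, not every future variant.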
Anubis Report
http://anubis.iseclab.org/?action=result&task_id=110a3a724ca9ad1e4250755391cf1e4bf
Anubis report for AdobeInfo..exe (the double dot is how the file was submitted; reformatted here from the run-together text):

General information about this executable
Analysis Reason: Primary Analysis Subject
Filename: AdobeInfo..exe
MD5: dc281590aa9153000e983622f0559ea1
SHA-1: 9945f8bf55a81b0e201fad167577d49b37079bd4
File Size: 16384 Bytes
Command Line: "C:\AdobeInfo..exe"
Process status at analysis end: alive
Exit Code: 0

Load-time DLLs
C:\WINDOWS\system32\ntdll.dll, base 0x7C900000, size 0x000AF000
C:\WINDOWS\system32\kernel32.dll, base 0x7C800000, size 0x000F6000
C:\WINDOWS\system32\USER32.dll, base 0x7E410000, size 0x00091000
C:\WINDOWS\system32\GDI32.dll, base 0x77F10000, size 0x00049000
C:\WINDOWS\system32\MSVCRT.dll, base 0x77C10000, size 0x00058000

2.a) Registry activities
Registry values read: HKLM\System\CurrentControlSet\Control\Terminal Server, value TSAppCompat = 0, 2 times

2.b) File activities
Files created: C:\mssvr, C:\mssvr\UpdaterInfo.dat
Files read: C:\mssvr\UpdaterInfo.dat
Files modified: C:\mssvr\UpdaterInfo.dat
Directories created: C:\\mssvr

2.c) Other activities
Keyboard keys monitored:
VK_SHIFT (16): 70585 times
VK_CAPITAL (20): 2 times
Each of the following 743 times: VK_BACK (8), VK_RETURN (13), VK_ESCAPE (27), VK_F1 (112) through VK_F12 (123), VK_OEM_3 (192), VK_1 (49) through VK_9 (57), VK_0 (48), VK_OEM_MINUS (189), VK_OEM_PLUS (187), VK_TAB (9), VK_Q (81), VK_W (87), VK_E (69), VK_R (82), VK_T (84), VK_Y (89), VK_U (85), VK_I (73), VK_O (79), VK_P (80), VK_OEM_4 (219), VK_OEM_6 (221), VK_A (65), VK_S (83), VK_D (68), VK_F (70), VK_G (71), VK_H (72), VK_J (74), VK_K (75), VK_L (76), VK_OEM_1 (186), VK_OEM_7 (222), VK_Z (90), VK_X (88), VK_C (67), VK_V (86), VK_B (66), VK_N (78), VK_M (77), VK_OEM_COMMA (188), VK_OEM_PERIOD (190), VK_OEM_2 (191), VK_OEM_5 (220), VK_CONTROL (17), VK_LWIN (91), VK_SPACE (32), VK_RWIN (92), VK_SNAPSHOT (44), VK_SCROLL (145), VK_INSERT (45), VK_HOME (36), VK_PRIOR (33), VK_DELETE (46), VK_END (35), VK_NEXT (34), VK_LEFT (37), VK_UP (38), VK_RIGHT (39), VK_DOWN (40), VK_NUMLOCK (144), VK_DIVIDE (111), VK_MULTIPLY (106), VK_SUBTRACT (109), VK_ADD (107), VK_NUMPAD0 (96) through VK_NUMPAD9 (105), VK_DECIMAL (110).

Note the arithmetic: that is 95 key codes queried 743 times each, and 95 x 743 = 70585, exactly the VK_SHIFT count. The sample polls the whole key set in a loop (743 passes during the run) and queries the shift state once per key per pass to pick the case, which is why every key has the identical count. Nothing beyond the file writes and key polling shows up in the report as posted: no registry value written, no persistence entry and no network activity, so the log stays on the disk until something else collects it.