The executable sample can be found at app.any.run.
Hash of the executable sample:
Indicators of Compromise (IOCs):
- Drops a file at C:\User\admin\AppData\Local\Temp\sample.exe
- Creates persistence using HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Connects to a URL on an unusual port, suggesting a command and control server.
The malicious sample loads the dynamic link library and the required APIs in the traditional way, using LoadLibraryExA, FindResource, and LoadResource, as shown below.
The sample checks for the presence of a debugger and throws an exception if one is found, using the following code segment.
It retrieves the path designated for temporary files and drops a payload file and a batch file in the temp directory.
It then uses the command line to execute the batch file (cmd.exe "%TEMP%\aMCqY4E8M8.bat") and afterwards deletes it with cmd.exe /c del "%TEMP%\aMCqY4E8M8.bat".
It queries the registry to identify language configuration, settings, the Windows version, the computer name, installed applications, and compatibility information.
The sample also creates a registry entry to achieve start-up persistence, which allows it to auto-execute at system start-up.
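The behaviours listed in the IOCs and in the drop, execute, delete and persistence steps above map directly onto host telemetry. The script below is an added defender-side triage example, not code from the original analysis or from the sample. It assumes a simplified Sysmon-like "Key=Value" event format (an assumption made for the example) and runs over constructed events whose paths mirror the ones reported in the post; the destination IP address, port and Run value name are made up.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample telemetry, loosely modelled on Sysmon field names.
# These lines are made up for the example; only the file and registry paths
# follow what the analysis above reports.
SAMPLE_EVENTS = [
    r'EVT=FileCreate Image=C:\Users\admin\Desktop\sample.exe TargetFilename=C:\Users\admin\AppData\Local\Temp\sample.exe',
    r'EVT=FileCreate Image=C:\Users\admin\Desktop\sample.exe TargetFilename=C:\Users\admin\AppData\Local\Temp\aMCqY4E8M8.bat',
    r'EVT=ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe "C:\Users\admin\AppData\Local\Temp\aMCqY4E8M8.bat"',
    r'EVT=ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c del "C:\Users\admin\AppData\Local\Temp\aMCqY4E8M8.bat"',
    r'EVT=RegistrySet Image=C:\Users\admin\AppData\Local\Temp\sample.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater',
    r'EVT=NetworkConnect Image=C:\Users\admin\AppData\Local\Temp\sample.exe DestinationIp=203.0.113.10 DestinationPort=4444',
    r'EVT=ProcessCreate Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\Users\admin\notes.txt',
    r'EVT=NetworkConnect Image=C:\Program Files\Browser\browser.exe DestinationIp=198.51.100.5 DestinationPort=443',
]

# "Key=Value" pairs; a value runs until the next " Key=" or end of line,
# so command lines containing spaces and quotes survive intact.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r'\\Temp\\[^"\\]+\.bat', re.IGNORECASE)
BAT_SELF_DELETE_RE = re.compile(r'/c\s+del\s+"?[^"]*\\Temp\\[^"\\]+\.bat"?', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Ports a Temp-resident binary might plausibly use; anything else is "unusual".
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080}


def parse_event(line: str) -> Dict[str, str]:
    """Split one telemetry line into its Key=Value fields."""
    return {key: value for key, value in _FIELD_RE.findall(line)}


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the IOC rules an event triggers (possibly none)."""
    hits: List[str] = []
    kind = ev.get("EVT", "")
    image = ev.get("Image", "")

    # IOC 1: executable payload written into the user's Temp directory.
    if kind == "FileCreate" and TEMP_EXE_RE.search(ev.get("TargetFilename", "")):
        hits.append("exe_dropped_in_temp")

    # Batch file run from Temp, and the "cmd.exe /c del" clean-up that follows it.
    if kind == "ProcessCreate" and image.lower().endswith("\\cmd.exe"):
        cmdline = ev.get("CommandLine", "")
        if BAT_SELF_DELETE_RE.search(cmdline):
            hits.append("temp_batch_self_delete")
        elif TEMP_BAT_RE.search(cmdline):
            hits.append("temp_batch_executed")

    # IOC 2: value written under the per-user Run key (start-up persistence).
    if kind == "RegistrySet" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        hits.append("run_key_persistence")

    # IOC 3: a binary living in Temp talking out on a non-standard port.
    if kind == "NetworkConnect" and TEMP_DIR_RE.search(image):
        port_text = ev.get("DestinationPort", "")
        if port_text.isdigit() and int(port_text) not in COMMON_PORTS:
            hits.append("temp_binary_unusual_port")
    return hits


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every line through the rules; return (rule, image) pairs in order."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        for rule in check_event(ev):
            findings.append((rule, ev.get("Image", "")))
    return findings


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count how many events matched each rule."""
    return dict(Counter(rule for rule, _ in triage(lines)))


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:26s} {image}")
    print(summarize(SAMPLE_EVENTS))
```

The individual rules are deliberately broad (a Run key write on its own is common and benign); what makes the constructed sequence worth an analyst's attention is that the same Temp-resident image appears in the drop, the persistence write and the odd-port connection, so correlating the findings by Image is the natural next step.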
Command Structure Analysis
The sample uses the following code segment to create an ImageList of screenshots taken at a regular time interval and build a bitmap from them. It captures the screen and transmits it in real time to the connected command and control server.
It also has the ability to query, create, and update database tables, and the sample contains several potential query strings.
The sample uses a switch statement with more than 100 cases to parse the commands received from the command and control server.
The following table shows some of the commands supported by the malware. The attacker can run any of these commands on an infected machine through the command and control server, and the sample returns the results to the server.
Stay tuned for more analysis and other amazing stuff. If you love and support my work, use the link below to buy me a coffee and help me with my research.