Reverse Engineering Monday (Part 1)

Inspired by this thread in the Facepunch programming forum, I thought I’d try my hand at reverse engineering some kid’s shitty key logger.

Since running malicious programs on my main PC would be a really stupid idea, I set up a virtual machine running Windows 7 and loaded it with:

Also make sure to take snapshots or whatever of your VM before you start.

With all of that out of the way, let’s get to the good stuff!

Finding a victim

victims

Finding one of these trojans on YouTube isn’t hard at all. The hard part about it is finding one that doesn’t make you fill out a fucking survey to download or get the password to the zip file. Tricking people into downloading malware AND profiting from it? That’s pretty harsh man.

Finally I manage to find one that doesn’t require a survey to download.

dontLeakBro

Don’t leak this you guys!!!

sadChrome

Even Google Chrome is not too happy about this file. I’m sure if I was running MSE in the VM that would be going off right about now.

Analysis

For this part, we’re going to break rule #1 (don’t run malware you idiot) for science. Discovering what the program does will be beneficial to ultimately reverse engineering it. To do that we’re going to open up Process Monitor to log what the application does.

filter

I’ll say this one last time. All of this is running inside of a closed environment. Running malicious code on your main PC or even a PC connected to your home network is a very bad idea. Don’t fucking do that.

Time to run it!

And nothing happens. Must be a bad application, I guess we’ll try another one right?

stillRunning

Wrong. The application is still running in the background and has a whole slew of events in procmon. I’ve attached the Process Monitor log file if you’d like to follow along. Let’s take a look to see if we find anything of interest, shall we?

dotNetLoading

Okay, it’s loading .NET libraries so it must be a .NET app.

readFile

Reading its own exe this late into execution? There must be something of value tacked on at the end.

childSpawn

This one is a bit interesting and I noticed this happen while watching Process Explorer. It seems to start another process of itself and then close the initial one.

moreReads

More self reads, this time by the child process.

defenseless

This one is my favorite. If you look closely you can see it replacing Windows Defender (if it was installed) with itself and adding it to the startup list. Nice.

cookies

Stealing cookies (from the cookie jar). Nice.

Other interesting things found in this log:

  • A (failed) attempt to write to the hosts file
  • Windows Version and computer name fetched from the registry
  • A load of thread creations and exits

But most importantly

phoneHome

We now know how it phones home. Great. Where exactly is that data going? Well,

  • 173.194.75.109 belongs to Google
  • Port 587 is encrypted SMTP

I betcha can’t figure out what that means! (It’s sending email to gmail ya dingus)
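The behaviours picked out of the log by eye above can also be pulled out of a Procmon CSV export mechanically. This is an added example, not code from the original post: the sample rows, the `sample.exe` name, the Chrome cookie path and the use of a registry Run key for the "startup list" are all constructed assumptions; only the column names and operation names follow Procmon's default export.

```python
import csv, io, re

# Constructed Procmon CSV export (default columns). sample.exe, the PIDs and every
# path below are placeholders; only 173.194.75.109:587 comes from the post.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01","sample.exe","1200","Load Image","C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll","SUCCESS",""
"10:00:02","sample.exe","1200","ReadFile","C:\Users\lab\Desktop\sample.exe","SUCCESS","Offset: 40,960, Length: 4,096"
"10:00:03","sample.exe","1200","Process Create","C:\Users\lab\Desktop\sample.exe","SUCCESS","PID: 1344"
"10:00:04","sample.exe","1344","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender","SUCCESS","Type: REG_SZ"
"10:00:05","sample.exe","1344","CreateFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Desired Access: Generic Write"
"10:00:06","sample.exe","1344","ReadFile","C:\Users\lab\AppData\Local\Google\Chrome\User Data\Default\Cookies","SUCCESS",""
"10:00:07","sample.exe","1344","TCP Connect","WIN7-VM:49167 -> 173.194.75.109:587","SUCCESS",""
"10:00:08","explorer.exe","900","ReadFile","C:\Windows\explorer.exe","SUCCESS",""
'''

def _path(r):
    return r["Path"].lower()

def _own_image(r):
    # True when the event's path is the executable of the process that raised it.
    return _path(r).endswith("\\" + r["Process Name"].lower())

# One predicate per behaviour noted in the post.
RULES = {
    "dotnet_runtime_load": lambda r: r["Operation"] == "Load Image" and "\\microsoft.net\\" in _path(r),
    "self_read": lambda r: r["Operation"] == "ReadFile" and _own_image(r),
    "self_respawn": lambda r: r["Operation"] == "Process Create" and _own_image(r),
    "run_key_persistence": lambda r: r["Operation"] == "RegSetValue" and "\\currentversion\\run\\" in _path(r),
    # Plain reads of the hosts file are normal, so only write intent counts.
    "hosts_file_write": lambda r: _path(r).endswith("\\drivers\\etc\\hosts")
        and (r["Operation"] == "WriteFile" or "write" in r["Detail"].lower()),
    "browser_cookie_access": lambda r: r["Operation"] == "ReadFile" and _path(r).endswith("\\cookies"),
    "smtp_submission": lambda r: r["Operation"] == "TCP Connect" and re.search(r":587$", r["Path"]) is not None,
}

def triage(csv_text, process_name):
    """Return {finding: [(time, pid, path), ...]} for events raised by process_name."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # ignore unrelated processes such as explorer.exe
        for name, matches in RULES.items():
            if matches(row):
                findings.setdefault(name, []).append((row["Time of Day"], row["PID"], row["Path"]))
    return findings

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_CSV, "sample.exe").items():
        print(name, hits)
```

When reading a real export from disk, open it with `encoding="utf-8-sig"` so the byte order mark does not end up in the first column name.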

Also,

oops

If you’re writing malware, make sure it doesn’t error like this. To keep it fair I’m going to ignore this message box although it does give me some good clues.

That’s all for now

I’m going to be splitting this series up into separate posts so I can release it quicker. In the next part we’ll actually get into reverse engineering and less detective work like in this article.

Please let me know what you think of my posts so far.


Hello, World!

This is my blog, I will write things here.
