A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21843  by unixfreaxjp
 Thu Jan 02, 2014 2:01 pm
This is a new .NET FUD keylogger. It is new and works properly, so it is worth being aware of.
It slows down all processes a bit..
Made a small post about it here, as a share, not a promotion: http://malwaremustdie.blogspot.jp/2014/ ... n-mmd.html

The campaign:
[image]

FUD PoC:
[image]
VT: https://www.virustotal.com/en/file/6f03 ... /analysis/

For identification:

This kind of pop-up appeared:
[image]

Process name after infection and auto-start:
[image]
It is daemonized.

Registry modified:
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\ New Value: [ Drive ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\ New Value: [ Drive ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders New Value: [ C:\Documents and Settings\Administrator\Application Data ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders New Value: [ C:\Documents and Settings\Administrator\Cookies ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ New Value: [ 1 ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ New Value: [ 1 ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ New Value: [ 1 ]
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run New Value: [ gens = C:\Documents and Settings\Administrator\Local Settings\Temp\breakfast.exe ]
Memory mapped libs:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll 
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll 
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll 
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll 
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll 
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll 
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 
C:\WINDOWS\WindowsShell.Manifest 
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp 
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp 
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c91f68c2920882e02aec00eeabb6b415\System.Drawing.ni.dll 
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\0c70e5d82578be2f6c0dde89182261c5\System.Windows.Forms.ni.dll 
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll 
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll 
C:\WINDOWS\system32\CLBCATQ.DLL 
C:\WINDOWS\system32\COMRes.dll 
C:\WINDOWS\system32\MSCTF.dll 
C:\WINDOWS\system32\RichEd20.dll 
C:\WINDOWS\system32\SETUPAPI.dll 
C:\WINDOWS\system32\WININET.dll 
C:\WINDOWS\system32\cmd.exe 
C:\WINDOWS\system32\comctl32.dll 
C:\WINDOWS\system32\imm32.dll 
C:\WINDOWS\system32\l_intl.nls 
C:\WINDOWS\system32\mscoree.dll 
C:\WINDOWS\system32\rpcss.dll 
C:\WINDOWS\system32\shdocvw.dll 
C:\WINDOWS\system32\shell32.dll 
C:\WINDOWS\system32\urlmon.dll 
C:\Windows\AppPatch\sysmain.sdb
Stacks used per loaded module:
mscorwks.dll!CreateApplicationContext+0x6d4
mscorwks.dll!CorExeMain+0xa54
mscorwks.dll!ClrCreateManagedInstance+0x8aea
KERNEL32.dll!GetModuleFileNameA+0x1b4
 
ntoskrnl.exe!ExReleaseResourceLite+0x1a3
ntoskrnl.exe!PsGetContextThread+0x329
ntoskrnl.exe!FsRtlInitializeFileLock+0x83f
ntoskrnl.exe!FsRtlInitializeFileLock+0x87e
win32k.sys+0x2f52
win32k.sys+0x3758
win32k.sys+0x3775
ntdll.dll!KiFastSystemCallRet
USER32.dll!GetCursorFrameInfo+0x1cc
USER32.dll!SoftModalMessageBox+0x677
USER32.dll!MessageBoxIndirectA+0x23a
USER32.dll!MessageBoxTimeoutW+0x7a
USER32.dll!MessageBoxExW+0x1b
USER32.dll!MessageBoxW+0x45
System.Windows.Forms.ni.dll+0x2b5cd3
System.Windows.Forms.ni.dll+0x2b58e8
 
ntoskrnl.exe!ExReleaseResourceLite+0x1a3
ntoskrnl.exe!PsGetContextThread+0x329
ntoskrnl.exe!FsRtlInitializeFileLock+0x83f
hal.dll+0x2c35
mscorwks.dll!CorExeMain+0x17b3
mscorwks.dll!InitializeFusion+0x118ab
mscorwks.dll!InitializeFusion+0xf65b
mscorwks.dll!InitializeFusion+0xfa44
mscorwks.dll!InitializeFusion+0xf855
mscorwks.dll!InitializeFusion+0xfcba
mscorwks.dll!GetCLRFunction+0xe4b2
mscorwks.dll!CorLaunchApplication+0x24aa9
mscorwks.dll!NGenCreateNGenWorker+0x2f12f
mscorwks.dll!InstallCustomModule+0x8697
mscorwks.dll!InstallCustomModule+0x853d
mscorlib.ni.dll+0x2a31b3
Might be helpful: .NET components in memory:
[image]

The actor

The boo boo who coded this:
[image]

Sample

Sample download is here, usual old password: http://www.mediafire.com/download/myac2 ... /logger.7z

Happy New Year 2014! Wish the best for KM! /thx to @wirehack7
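An added triage helper, not part of the original post or of the MalwareMustDie write-up, that applies the two identification hints above to sandbox-style report lines: it flags Run-key autostart entries whose target lives in a user-writable temp or appdata directory (the post's `gens = ...\Temp\breakfast.exe` entry) and reports which CLR modules are mapped, which tells the analyst the process is a managed .NET executable. The line format, the directory markers and the CLR module list are my assumptions; the sample registry lines and module paths are constructed for the example (the Run entry and module paths are copied from the post, the `ctfmon` and MountPoints2 lines are benign filler).

```python
import re

# Registry-change lines in the sandbox format shown in the post (assumed):
#   "<key> New Value: [ <name> = <target> ]"
RUN_ENTRY_RE = re.compile(
    r"^(?P<key>HK(?:U|CU|LM)\\.*?\\CurrentVersion\\Run)\s+New Value:\s*"
    r"\[\s*(?P<name>[^=\]]+?)\s*=\s*(?P<target>.+?)\s*\]\s*$",
    re.IGNORECASE,
)

# User-writable directories a legitimate autostart rarely points into (assumed list).
SUSPICIOUS_DIR_MARKERS = (
    "\\local settings\\temp\\",   # XP-era %TEMP%, as in the post
    "\\appdata\\local\\temp\\",   # Vista+ %TEMP%
    "\\application data\\",       # XP-era %APPDATA%
    "\\appdata\\roaming\\",       # Vista+ %APPDATA%
)

# Modules whose presence means the CLR is loaded: mscorwks.dll/mscorjit.dll are the
# .NET 2.0 execution engine and JIT (the v2.0.50727 paths in the post), clr.dll/clrjit.dll
# are their .NET 4 equivalents, and mscoree.dll is the shim that loads either.
CLR_MODULES = {"mscoree.dll", "mscorwks.dll", "mscorjit.dll",
               "clr.dll", "clrjit.dll", "mscorlib.ni.dll"}


def find_run_persistence(report_lines):
    """Return (key, value_name, target) for Run entries whose target is in a temp/appdata dir."""
    hits = []
    for line in report_lines:
        line = line.replace("\u200b", "")  # zero-width spaces creep in via copy/paste
        m = RUN_ENTRY_RE.match(line.strip())
        if not m:
            continue
        target = m.group("target").strip('"')
        if any(marker in target.lower() for marker in SUSPICIOUS_DIR_MARKERS):
            hits.append((m.group("key"), m.group("name"), target))
    return hits


def detect_clr(module_paths):
    """Return the sorted CLR module names found; an empty list means no managed runtime."""
    seen = set()
    for path in module_paths:
        name = path.strip().rsplit("\\", 1)[-1].lower()
        if name in CLR_MODULES:
            seen.add(name)
    return sorted(seen)


# Constructed sample input: the Run entry is the one the post reports, the MountPoints2
# and ctfmon lines are benign filler, and the modules are a subset of the post's list.
SAMPLE_REGISTRY = [
    r"HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\ New Value: [ Drive ]",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run New Value: [ ctfmon = C:\WINDOWS\system32\ctfmon.exe ]",
    r"HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run New Value: [ gens = C:\Documents and Settings\Administrator\Local Settings\Temp\breakfast.exe ]",
]
SAMPLE_MODULES = [
    r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll",
    r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll",
    r"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a628742d2ee\mscorlib.ni.dll",
    r"C:\WINDOWS\system32\mscoree.dll",
    r"C:\WINDOWS\system32\WININET.dll",
]

if __name__ == "__main__":
    for key, name, target in find_run_persistence(SAMPLE_REGISTRY):
        print(f"[persistence] {name} -> {target}  ({key})")
    clr = detect_clr(SAMPLE_MODULES)
    print("[runtime] CLR modules:", ", ".join(clr) if clr else "none (not a managed process)")
```

The Explorer Shell Folders, MountPoints2 and ZoneMap changes in the post are ordinary Explorer noise and are deliberately ignored; only the Run value pointing into the user's temp directory is worth an alert, and the mscorwks/mscorjit pairing confirms the sample should be handled as a .NET 2.0 assembly rather than native code.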
 #21850  by dn5
 Fri Jan 03, 2014 2:42 pm
Interesting share. Does anyone else have other samples from the same keylogger? If so, care to share? I've tried looking for some on virusshare but got zero results. The detection rate goes up every few days.

Happy new year! :)
 #21896  by unixfreaxjp
 Wed Jan 08, 2014 9:41 am
The coder. Gameover.
[image]
See this innocent face? How sad..using his programming skill for this purpose.. Judging by his look, you can guess how old he is.
If he is not arrested now, I don't want to guess what keylogger he will code when he is 30 - 40 years old.

We presented the case as well as it can be, with tons of evidence added here: http://malwaremustdie.blogspot.jp/2014/ ... n-mmd.html
Please kindly help to initiate a legal / law enforcement investigation (the coder's country is Sweden) through your known European law enforcement contacts.
Just stop this kid from making more mess; we already have more than enough professional threats giving all of us big headaches,..
 #21897  by unixfreaxjp
 Wed Jan 08, 2014 9:48 am
28 / 48 now, good work friends! Salute!
Antivirus       Result                      Update 
----------------------------------------------------
AVG             PSW.MSIL.KNO              20140107
Ad-Aware        Trojan.GenericKD.1485223    20140108
AntiVir         TR/Dropper.MSIL.21049       20140107
Avast           Win32:Malware-gen           20140108
Baidu           Trojan.MSIL.Agent.aQh       20131213
BitDefender     Trojan.GenericKD.1485223    20140108
Bkav            W32.DropperArtemis.Trojan   20140108
DrWeb           BackDoor.Comet.731          20140108
ESET-NOD32      variant of MSIL/Kryptik.QZ  20140108
Emsisoft        Trojan.GenericKD.1485223(B) 20140108
F-Secure        Trojan.GenericKD.1485223    20140108
Fortinet        W32/Agent.DFZR!tr           20140108
GData           Trojan.GenericKD.1485223    20140108
Ikarus          Trojan-PWS.MSIL             20140108
K7AntiVirus     Trojan (0001140e1)          20140107
K7GW            Trojan (0001140e1)          20140107
Kaspersky       Trojan.MSIL.Agent.dfzr      20140108
Kingsoft        Win32.Troj.Agent.xh(kcloud) 20130829
Malwarebytes    Trojan.MSIL                 20140108
McAfee          RDN/Generic.dx!cwd          20140108
McAfee-GW-Ed.   Artemis!9E5848B5CE98        20140108
eScan           Trojan.GenericKD.1485223    20140108
Panda           Trj/CI.A                    20140107
Sophos          Mal/Generic-S               20140108
Symantec        Trojan Horse                20140107
TrendMicro      TROJ_GEN.R0CBC0EA814        20140108
TrendMicroHouse TROJ_GEN.R0CBC0EA814        20140108
nProtect        Trojan.GenericKD.1485223    20140108
 #21909  by cra1g321
 Thu Jan 09, 2014 3:39 pm
unixfreaxjp wrote: 28 / 48 now, good work friends! Salute!
Comodo also detects it :)