I often search Google for malware and hacking tools left behind by malware authors, defacers and the like. This time I came across a website hosting several executables that looked suspicious to me: first, they used double extensions such as .jpg.exe, and second, the well-known remote shell c99.php was present. That shell was not working on the server, but it was clear that the bad guy had put other malware and hacking-related files there.
The site could either be a hacked website or the attacker's own site used to store his stuff. I started with the WHOIS information.
DNS lookup (canonical name, aliases, addresses):
addresses: 64.136.20.52
Domain Whois record
Queried whois.internic.net with "dom cvak36a1.com":
Domain Name: CVAK36A1.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: NS1.SJ1.NORTHSKY.COM
Name Server: NS2.SJ1.NORTHSKY.COM
Status: ok
Updated Date: 21-may-2009
Creation Date: 21-may-2009
Expiration Date: 21-may-2010

Domain Name: cvak36a1.com
Creation Date: 2009-05-21
Registration Date: 2009-05-21
Expiry Date: 2010-05-21
Organisation Name: Mike Koehler
Organisation Address: 3061 County Road 220, Findlay, 45840, OH, UNITED STATES
Admin Name: Dung Le
Admin Address: ThaiNguyen VietNam, Thai Nguyen, 23999, Thai Nguyen, VIET NAM
Admin Email: dunggttn2009@gmail.com   <-- note this address
Admin Phone: +84985081369
Admin Fax:
Tech Name: Mike Koehler
Tech Address: 3061 County Road 220, Findlay, 45840, OH, UNITED STATES
Tech Email: dunggttn2009@gmail.com
Tech Phone: 4192993235
Tech Fax:
Name Server: ns1.sj1.northsky.com
Name Server: ns2.sj1.northsky.com
By looking at and analyzing some other material, I concluded that the Vietnamese contact owns this website. There is also SQL injection related material at:
http://cvak36a1.com/3/
http://cvak36a1.com/2/
I downloaded the following files, the latest ones on the site:
File: anhdep.jpg.exe
Size: 298042 Bytes
MD5: 748128B6B977D352E4EC412C4E303050
File: mu.jpg.exe
Size: 247353 Bytes
MD5: 9297D8E7BB3B5E78968A9C96544E8558
My first step in any analysis is to look at the file's strings, since they reveal a lot about the file in question. For anhdep.jpg.exe the notable strings are:
!This program cannot be run in DOS mode.
Rich
.text
`.data
.rsrc   <-- resource section (may hold other files if this is a dropper)
MSVBVM60.DLL   <-- this DLL being imported means the file is almost certainly written in Visual Basic
@*\AC:\Documents and Settings\Admin\My Documents\New Folder\stub\stub.vbp   <-- a project named "stub" points to a packer, binder or keylogger stub
.exe
\decrypted.exe   <-- the original file name is Intel.exe, and it references this decrypted.exe!
VS_VERSION_INFO
StringFileInfo
040904B0
ProductName
intel
Signature analysis with PEiD
My local AV detects this file as "Trojan.Dropper.WIN32.VB.acjs". The name itself is a clue: it is a dropper written in VB. I executed the file on my lab machine. Like many droppers, it writes some files into the TEMP directory; from there it displays an image file and at the same time executes the other dropped file, decrypted.exe, which is the keylogger server. The result is bpk.exe and related files in the system32 folder, a modification of the registry "Run" key, and a Browser Helper Object entry for bpkwb.dll.
Image on execution
bpk.exe is well known as the executable of "Blazing Tools Perfect Keylogger". So anhdep.jpg.exe is the result of binding an image file with the keylogger installer. I scanned the dropped files with the same AV and, to my surprise, it did not detect any of the keylogger files. This particular build stores all captured information in the system32\dt folder as snapshot images, meaning it takes screenshots at regular intervals as well. It also has network activity: it tries to reach 69.89.30.141. So my AV has detection for the binder tool, not for the keylogger. I considered code analysis with a VB decompiler or OllyDbg, but moved on to the other file first.
File: mu.jpg.exe
This file does not carry the VB signature, but I found names related to the same keylogger as in the previous file.
inst.dat$   <-- installation instructions
u:}T
Q"UT
YZU-MH
~EO'
=v;y
gSRk
qd{F
-t8F
mc.dat   <-- some info; later I found it is the "mouse click" config file
bpkhk.dll   <-- Blazing Tools Perfect Keylogger hook DLL
cvk_
O}KwRl
_{cq
So this file drops the same keylogger but uses a different crypter/binder, and to my surprise my AV does not detect it at all!
I executed this file on my lab machine as well and found the same results, with a different image and different configuration files (for the same keylogger), but pointing to the same IP, 69.89.30.141. None of the keylogger files are detected by my AV. This time the image is:
Image
Before doing code analysis of bpk.exe or bpkhk.dll, I decided to find out how the captured user data is uploaded to the remote location. This is the interesting part: in the end I got access to the remote server and a fully registered copy of Blazing Tools Perfect Keylogger as well!
Most keyloggers come with a configuration wizard to build the remote server file. So I checked the product's default configuration and found the hotkey that shows or hides the program icon.
I pressed Ctrl+Alt+L and it showed a password prompt.
This password is the key to all the locks.
How to crack this password?
Crack the software, or analyze the network traffic to see the keylogged data being uploaded?
There are several options, from code analysis down to simple analysis of network traffic. Code analysis would be complex, and is mainly useful when all of the keylogger's configuration is embedded in the same file; in some cases the configuration (password, delivery method and so on) is stored in separate files or in the registry. Network traffic would certainly give useful information, but not the password needed to unlock this keylogger. So I decided to analyze the other supporting files and the registry.
These are the registry modifications:
HKEY_CLASSES_ROOT\PK.IE "(Default)"
Type: REG_SZ
Data: IE Class
HKEY_CLASSES_ROOT\PK.IE\CLSID "(Default)"
Type: REG_SZ
Data: {1E1B2879-88FF-11D3-8D96-D7ACAC95951A}
HKEY_CLASSES_ROOT\PK.IE\CurVer "(Default)"
Type: REG_SZ
Data: PK.IE.1
HKEY_CLASSES_ROOT\PK.IE.1 "(Default)"
Type: REG_SZ
Data: IE Plugin Class
HKEY_CLASSES_ROOT\PK.IE.1\CLSID "(Default)"
Type: REG_SZ
Data: {1E1B2879-88FF-11D3-8D96-D7ACAC95951A}
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 "(Default)"
Type: REG_SZ
Data: BPK IE Plugin Type Library
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\system32\bpkwb.dll
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS "(Default)"
Type: REG_SZ
Data: 0
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\system32\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} "(Default)"
Type: REG_SZ
Data: PK IE Plugin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "bpk"
Type: REG_SZ
Data: C:\WINDOWS\system32\bpk.exe
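Added example, not the author's tooling: a Python parser for a change listing in the format above (key "value" / Type / Data triples) that flags the two persistence mechanisms this dropper uses, the Run-key autostart and the Browser Helper Object, and ties the BHO CLSID back to the ProgIDs and type-library binary registered for it. The embedded sample is the listing above; the finding names are my own.

```python
"""Parse a RegShot-style registry change listing and flag persistence:
Run-key autostarts, Browser Helper Objects, and the COM binaries behind them.
Added example; not the author's tooling."""
import re
from collections import namedtuple

RegEntry = namedtuple("RegEntry", "key value type data")

ENTRY_RE = re.compile(r'^(HKEY_[^"]+?)\s+"([^"]*)"\s*$')
RUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
BHO_RE = re.compile(r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-F-]+\})$", re.I)
PROGID_CLSID_RE = re.compile(r"^HKEY_CLASSES_ROOT\\([^\\]+)\\CLSID$", re.I)
TYPELIB_BIN_RE = re.compile(r"\\TypeLib\\\{[0-9A-F-]+\}\\[\d.]+\\\d+\\win(32|64)$", re.I)


def parse_reg_listing(text):
    """Turn 'KEY "value"' / 'Type: ...' / 'Data: ...' triples into RegEntry tuples."""
    entries = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if not m or i + 2 >= len(lines):
            continue
        typ, data = lines[i + 1], lines[i + 2]
        if not (typ.startswith("Type:") and data.startswith("Data:")):
            continue  # malformed triple; skip rather than misattribute data
        entries.append(RegEntry(m.group(1), m.group(2),
                                typ.split(":", 1)[1].strip(),
                                data.split(":", 1)[1].strip()))
    return entries


def progids_for(entries, clsid):
    """ProgIDs (HKCR\\<ProgID>\\CLSID) whose default value is this CLSID."""
    out = []
    for e in entries:
        m = PROGID_CLSID_RE.match(e.key)
        if m and e.data.upper() == clsid.upper():
            out.append(m.group(1))
    return sorted(out)


def find_persistence(entries):
    """Return a list of finding dicts for autoruns, BHOs and COM binaries."""
    findings = []
    for e in entries:
        if RUN_RE.search(e.key):
            findings.append({"type": "autorun", "name": e.value, "path": e.data})
        m = BHO_RE.search(e.key)
        if m:
            clsid = m.group(1).upper()
            findings.append({"type": "bho", "clsid": clsid, "name": e.data,
                             "progids": progids_for(entries, clsid)})
        if TYPELIB_BIN_RE.search(e.key):
            findings.append({"type": "com-binary", "path": e.data})
    return findings


# Sample input: the registry modifications listed on the page.
SAMPLE_LISTING = r"""
HKEY_CLASSES_ROOT\PK.IE "(Default)"
Type: REG_SZ
Data: IE Class
HKEY_CLASSES_ROOT\PK.IE\CLSID "(Default)"
Type: REG_SZ
Data: {1E1B2879-88FF-11D3-8D96-D7ACAC95951A}
HKEY_CLASSES_ROOT\PK.IE\CurVer "(Default)"
Type: REG_SZ
Data: PK.IE.1
HKEY_CLASSES_ROOT\PK.IE.1 "(Default)"
Type: REG_SZ
Data: IE Plugin Class
HKEY_CLASSES_ROOT\PK.IE.1\CLSID "(Default)"
Type: REG_SZ
Data: {1E1B2879-88FF-11D3-8D96-D7ACAC95951A}
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 "(Default)"
Type: REG_SZ
Data: BPK IE Plugin Type Library
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\system32\bpkwb.dll
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS "(Default)"
Type: REG_SZ
Data: 0
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\system32\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} "(Default)"
Type: REG_SZ
Data: PK IE Plugin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "bpk"
Type: REG_SZ
Data: C:\WINDOWS\system32\bpk.exe
"""

if __name__ == "__main__":
    for f in find_persistence(parse_reg_listing(SAMPLE_LISTING)):
        print(f)
```

The BHO entry alone only gives a CLSID; walking back to the ProgIDs (PK.IE, PK.IE.1) and the type-library path is what names the DLL that Internet Explorer will load, which is the file to pull for analysis.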
and these are the file modifications:
Files added:
c:\WINDOWS\system32\bpk.dat (186 bytes)
c:\WINDOWS\system32\bpk.exe (405,504 bytes)
c:\WINDOWS\system32\bpkhk.dll (24,576 bytes)
c:\WINDOWS\system32\bpkr.exe (7,680 bytes)
c:\WINDOWS\system32\bpkwb.dll (40,960 bytes)
c:\WINDOWS\system32\inst.dat (996 bytes)
c:\WINDOWS\system32\mc.dat (82 bytes)
c:\WINDOWS\system32\pk.bin (3,944 bytes)
Apart from the executables, I tried to read the other .dat and .bin files.
Look at the following strings:
File: mc.dat   <-- this file holds keywords that trigger some action (the entries are the names of online games popular in Vietnam)
MD5: abe8b9f8f0419682b947c95fac3808c0
Size: 82
ASCII strings:
con duong to lua
gunbound
dot kich
crossfire
vo lam truyen ky
kiem the

File: inst.dat   <-- best guess at the name: installation config
MD5: 958302daa5e4fcd93fba2964eec66906
Size: 996
ASCII strings:
Type folder path here or click "Next" to install to "System" folder
http://
bpk.exe
bpkr.exe
bpkhk.dll
wbpkwb.dll
pk.bin
c?wapps.dat
^?w8K
titles.dat
mc.dat
winst.dat
wkw.dat
mu.jpg
f?wB

File: bpk.dat   <-- no visible strings
MD5: 6945c380c6514e1bd2a5ee7a5813a298
Size: 664 bytes
ASCII strings: (none)

File: pk.bin   <-- no visible strings, size ~4 KB
MD5: e5deabf400692fed8394bf3fdd756f2e
Size: 3944 bytes
ASCII strings: (none)
Unicode strings: (none)
The files bpk.dat and pk.bin have no readable strings, so I analyzed them with a hex editor.
XOR-ing the file with a single byte value produces a pattern you can use to decode it fully.
I XOR-ed the other file, pk.bin, in the hex editor as well.
After hex analysis of both files I found the password that unlocks the keylogger installed on my lab machine!
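The decoding step above can be automated. As an added example (not the author's hex-editor work), the Python below recovers a single-byte XOR key from an opaque blob in two ways: from byte frequency, assuming the blob is NUL-padded so the most common ciphertext byte equals the key, and by brute-forcing all 256 keys and scoring how text-like each candidate is. The sample blob is a constructed fake config (a made-up password and an RFC 5737 documentation address) encrypted with key 0x5A; the real bpk.dat and pk.bin layouts are not published on this page.

```python
"""Recover a single-byte XOR key from an opaque config blob.
Added example; the sample data is constructed, not from bpk.dat or pk.bin."""
from collections import Counter


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (also decrypts, XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def score_plaintext(buf: bytes) -> int:
    """Higher is more text-like. NUL counts as structure (padding/terminators),
    lowercase, digits and whitespace as typical config text, control and high
    bytes as strong evidence of a wrong key."""
    score = 0
    for b in buf:
        if b == 0 or 0x61 <= b <= 0x7A or 0x30 <= b <= 0x39 or b in (0x20, 0x0A, 0x0D):
            score += 2
        elif 0x20 <= b <= 0x7E:
            score += 1
        else:
            score -= 5
    return score


def key_from_most_common_byte(data: bytes) -> int:
    """Heuristic: NUL-padded blobs leak the key as their most frequent byte,
    because key XOR 0x00 == key."""
    return Counter(data).most_common(1)[0][0]


def brute_force_key(data: bytes) -> int:
    """Try all 256 keys; keep the one whose output scores most text-like."""
    return max(range(256), key=lambda k: score_plaintext(xor_bytes(data, k)))


def recover(data: bytes):
    """Return (key, decoded bytes, non-empty CRLF-separated lines)."""
    key = brute_force_key(data)
    plain = xor_bytes(data, key).rstrip(b"\x00")
    lines = [ln for ln in plain.split(b"\r\n") if ln]
    return key, plain, lines


# Constructed sample: a fake config encrypted with key 0x5A (not page data).
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = (b"password=lab-test-123\r\nftp=192.0.2.10\r\nuser=demo\r\n"
                    + b"\x00" * 24)
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print(f"frequency guess: 0x{key_from_most_common_byte(SAMPLE_CIPHERTEXT):02x}")
    key, plain, lines = recover(SAMPLE_CIPHERTEXT)
    print(f"brute force:     0x{key:02x}")
    for ln in lines:
        print(ln.decode("ascii", "replace"))
```

The frequency trick is the quick check to try first in a hex editor: if one byte value dominates the blob, XOR the file with it and see whether strings appear. The brute-force scorer is the fallback when there is no padding to leak the key; on a blob with no NUL padding a plain printable-ratio score can tie between the true key and the key that flips one bit, so the scorer above penalises control and high bytes hard.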
Press Ctrl+Alt+L,
type that password,
and after OK you will see the icon on the right side of the system tray. Right-click -> Options.
Now you can see the delivery configuration for this particular build.
You can also see the FTP server IP to which it uploads the keylogged data, together with the server login credentials! At the time of analysis it was still active.
While looking at the keylogged data on the server I noticed that their own machines are also infected with this keylogger (maybe for test purposes). I got the domain name for this IP, and the infamous remote shell c99.php was there.
DNS lookup (canonical name, aliases, addresses):
addresses: 69.89.30.141
Domain Whois record
Queried whois.melbourneit.com with "congtinhocvn.com":
Domain Name: congtinhocvn.com
Creation Date: 2009-06-26
Registration Date: 2009-06-26
Expiry Date: 2011-06-26
Organisation Name: Steven Witt
Organisation Address: TN citi, TN citi, 23000, TN, VIET NAM
Admin Name: Dung Le Trung
Admin Address: TN citi, TN citi, 23000, TN, VIET NAM
Admin Email: adamgravesusa@yahoo.com
Admin Phone: 8059182572
Admin Fax:
You can access that site using (use at your own risk!):
http://congtinhocvn.com/c99.php
If you want to stop the keylogger on your machine, just uncheck "Enable Logging" (note that this only stops logging; the files and registry entries listed above stay in place until you remove them). You can now also build remote keylogger servers with this fully registered copy.
But what if you want to register it manually?
Here is the solution: the registration keys are also present in the files mentioned above.
Put these files together in one folder:
bpk.exe
bpkhk.dll
bpkwb.dll
When bpk.exe is executed it asks for the registration code. Enter the required name and code.
Now you have a fully registered, undetected copy of Blazing Tools Perfect Keylogger. (Note the user name.)
PDF Download : http://rapidshare.com/files/345876715/HackMalware.pdf.html
– By ZinX
http://www.annysoft.com