Tr spy agent




A shellcode is also part of this function, which will be in charge of performing the actual process injection. Figure 12 is a screenshot of the code snippet of function jfd_collect_credentials(), which is very easy to see now because I have removed the obfuscation code, which I mentioned in Figure 11. This function calls many sub-functions, including kpa_Chrome(), kpm_Mozilla(), and so on, to collect saved credentials. It then adds them into the List object “list”. The bottom part adds groups of software names and their credentials file folder paths into another List object called “list3”. All items in “list3” will be enumerated later. Each item added in “list3” contains data similar to the example below: ("Opera Browser", "C:\Users\\AppData\Roaming\Opera Software\Opera Stable"). It then collects the credentials from files under the folder path if they exist, with each credential added into “list” as well. Through my analysis, the list below includes all of the software targeted by this malware: Google Chrome, Mozilla Firefox, Microsoft IE & Edge, Apple Safari, Tencent QQBrowser, Opera Browser, Yandex Browser, 360 Browser, Iridium Browser, Comodo Dragon, CoolNovo, Chromium, Torch Browser, 7 Star Browser, Amigo Browser, Brave, CentBrowser, Chedot, Coccoc, Elements Browser, Epic Privacy, Kometa, Orbitum, Sputnik, Uran, Vivaldi, Citrio, Liebao Browser, Sleipnir 6, QIP Surf Browser, Coowon Browser, SeaMonkey, Flock Browser, UCBrowser, BlackHawk Browser, CyberFox Browser, KMeleon Browser, IceCat Browser, IceDragon Browser, PaleMoon Browser, WaterFox Browser and Falkon Browser.


However, this function acts as a wrapper to the dpubfytzxt() function. It also sets the target program (& "\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v7\\\\RegSvcs.exe") as well as the data of an embedded .NET executable. The first parameter passes a variable with the location of the “RegSvcs.exe”. The second parameter is a copy of the variable that holds the embedded .NET executable.


Concatenates binary data in a variable that will be used in subsequent function calls. Processes the binary data from the previous step. It receives three parameters, including the variable pointing to the binary data of the embedded .NET executable, and a security key that will be used during the decryption process. This function does not receive parameters.





