goglthailand.blogg.se

Coowon portable

  1. #Coowon portable software#
  2. #Coowon portable code#

From my analysis, the list below contains all of the software targeted by this malware: ("Opera Browser", "C:\Users\\AppData\Roaming\Opera Software\Opera Stable".

It then collects the credentials from files under the folder path if they exist, with each credential added into “list” as well.

Each item added in “list3” contains data similar to the example below. All items in “list3” will be enumerated later.

#Coowon portable software#

The bottom part adds groups of software names and their credentials file folder paths into another List object called “list3”.

This function calls many sub-functions, including kpa_Chrome(), kpm_Mozilla(), and so on, to collect saved credentials. It then adds them into the List object “list”.

#Coowon portable code#

Concatenates binary data in a variable that will be used in subsequent function calls. Processes the binary data from the previous step. It receives three parameters, including the variable pointing to the binary data of the embedded .NET executable, and a security key that will be used during the decryption process. This function does not receive parameters. However, this function acts as a wrapper to the dpubfytzxt() function. It also sets the target program (& "\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v7\\\\RegSvcs.exe") as well as the data of an embedded .NET executable. The first parameter passes a variable with the location of the “RegSvcs.exe”. The second parameter is a copy of the variable that holds the embedded .NET executable. Figure 12 is a screenshot of the code snippet of function jfd_collect_credentials(), which is very easy to read now because I have removed the obfuscation code that I mentioned in Figure 11. A shellcode is also part of this function, and it is in charge of performing the actual process injection.