We will now use IDA Pro to look at the malware's assembly code.
Drag the malware into IDA Pro and a few dialogs will appear.
Just click OK and close them.
This is the assembly code of the malware.
This is part of the malware in graph view
The actual start of the malware is here!
This is the malware and its subroutines, pretty messy eh?
The start is in green, the pink boxes are the functions of the malware, and the black boxes are the subroutines.
We will now jump to one of the main subroutines of the malware
This line creates a new folder in the victim's computer
This is where it is located!
Aha! The malware is going to create a mutex!
It is also going to use sockets!
Keylogging malware eh?
This subroutine probably creates a folder in the Windows system directory, then connects to the internet and waits to capture keystrokes!
Let's now get to the second subroutine!
Could this be where the captured keystrokes are stored?
Private message?
Aha! The keylogger starts at this point!
It logs the victim's keystrokes and its output is a DCC chat.
Keylogging stopped!
It opens the victim's cmd
This is the end of the second subroutine!
This subroutine probably opens up the victim's cmd and uses it to capture keystrokes and store them somewhere.
Now going to our third subroutine!
The malware is trying to open a file!
This line converts an IP address written as a string (dotted notation) into the numeric form the socket functions use!
Ah, the malware completes a file transfer! Probably using the address from just now?
Finally, it closed the socket!
This subroutine probably listens for a connection, goes into it with a fake IP, and then transfers files!
These are the functions of the malware!
A lot, huh?
The exports and imports!
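As an added example (not part of the original walkthrough), here is a script that automates the capability triage done screen by screen above: run inside IDA Pro it enumerates the real import table through IDAPython and records which subroutine uses each API; outside IDA it runs on a constructed import table. The walkthrough never names the imported functions, so the Win32/Winsock names mapped to each behaviour are assumptions, and the SAMPLE table and its sub_1..sub_3 names are constructed.

```python
# Added example, not from the original walkthrough: automate the capability triage done
# by hand above. Inside IDA Pro it reads the real import table through IDAPython.
try:
    import idaapi, idautils, idc   # only available inside IDA Pro's script console
except ImportError:                # outside IDA, only the pure-Python parts are used
    idaapi = None
# Assumed Win32/Winsock APIs behind each behaviour spotted in the screenshots
CAPABILITIES = {
    "creates folder": {"CreateDirectoryA", "CreateDirectoryW"},
    "mutex": {"CreateMutexA", "CreateMutexW"},
    "sockets": {"socket", "connect", "listen", "accept", "send", "recv", "closesocket"},
    "string ip to numeric": {"inet_addr", "gethostbyname"},
    "keylogging": {"GetAsyncKeyState", "GetKeyState", "SetWindowsHookExA"},
    "opens cmd": {"CreateProcessA", "CreateProcessW", "WinExec"},
    "file io": {"CreateFileA", "CreateFileW", "ReadFile", "WriteFile"},
}
def collect_imports_from_ida():
    """Return {(dll, api): sorted caller function names} from the open IDA database."""
    found = {}
    for i in range(idaapi.get_import_module_qty()):
        dll = idaapi.get_import_module_name(i) or "?"
        def visit(ea, name, ordinal, dll=dll):
            callers = {idc.get_func_name(x.frm) for x in idautils.XrefsTo(ea)}
            found[(dll, name or "ord%d" % ordinal)] = sorted(c for c in callers if c)
            return True  # keep enumerating
        idaapi.enum_import_names(i, visit)
    return found
def summarize(imports):
    """Group imported APIs by capability, keeping which subroutines use each one."""
    report = {}
    for cap, apis in CAPABILITIES.items():
        hits = {api: callers for (_, api), callers in imports.items() if api in apis}
        if hits:
            report[cap] = hits
    return report
def verdict(report):
    """Combine capabilities the way the walkthrough does: keystrokes + network = leak."""
    if "keylogging" in report and "sockets" in report:
        return "network keylogger: keystrokes can be sent to a remote peer"
    if "sockets" in report and "file io" in report:
        return "file transfer over a socket"
    return "no recognised behaviour combination"
# Constructed sample mirroring the walkthrough's three subroutines (not a real dump)
SAMPLE = {("kernel32.dll", "CreateDirectoryA"): ["sub_1"], ("kernel32.dll", "CreateMutexA"): ["sub_1"],
          ("ws2_32.dll", "socket"): ["sub_1", "sub_3"], ("ws2_32.dll", "inet_addr"): ["sub_3"],
          ("user32.dll", "GetAsyncKeyState"): ["sub_2"], ("ws2_32.dll", "closesocket"): ["sub_3"]}
if __name__ == "__main__":  # inside IDA: File > Script file; elsewhere: demo on SAMPLE
    rep = summarize(collect_imports_from_ida() if idaapi else SAMPLE)
    print(rep, verdict(rep))
```

The caller names let you jump straight to the subroutine that uses a suspicious API instead of stepping through the graph view by hand.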
Strings of the malware!
That's all for IDA!