![]() ![]() We have not detected an execution of the second stage payload and believe that its activation is highly unlikely. The second stage payload is received as a custom base64-encoded string, further encrypted by the same xor-based encryption algorithm as all the strings in the first stage code. The code then read a reply from the same IP address, providing it with the functionality to download a second stage payload from the aforementioned IP address. There was also a reference to “Host: ” in communication. ![]() ![]() The encoded information was subsequently submitted to an external IP address .x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via a HTTPS POST request. MAC addresses of first three network adaptersĪdditional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.Īll of the collected information was encrypted and encoded by base64 with a custom alphabet. List of installed software, including Windows updates TCID: timer value used for checking whether to perform certain actions (communication, etc.)īesides that, it collected the following information about the local system: Possibly also to be used as communication encryption key. MUID: randomly generated number identifying a particular system. It stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo: The suspicious code was performing the following actions: The code executed within that thread was heavily obfuscated to make its analysis harder (encrypted strings, indirect API calls, etc.). Illustration of patched CRT code (see the added call to a payload-decryption routine in the modified version):
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |