Analysis of a Keylogger


Keylogger

Keyloggers are a particularly insidious type of spyware that records and steals the user’s keystrokes on a device: software that logs what you type on your keyboard.

Sample overview

md5 : A7F21E412022554D187D6A876A3C08AC

sha1 : 70E39BDFCAA4BCF0021311E8298266E527CF7C97

sha256 : 9B683D2FDA7CA7ADCC043E4412271009A0E115CA55F9A718C385A3F46B57AE6B

Virustotal

Unpacked

This sample is unpacked; this was checked with DIE, EXEINFO and PEID.

Strings

How does it work?

By examining the main function of this sample we found that it calls ‘SetWindowsHookExA’ to install a hook of type ‘WH_KEYBOARD_LL’, which is specific to low-level keyboard events, and points it at the hook procedure ‘Hooking_Keyboard_Fun’, as shown in the following picture:-



Inside ‘Hooking_Keyboard_Fun’ we can see that it calls ‘KeyLogging_Fun’, as shown in the following picture:-



By examining ‘KeyLogging_Fun’ we can find the following:-

First, it creates a file called ‘practicalmalwareanalysis.log’ by calling ‘CreateFileA’, to record everything you type on the keyboard, as shown in the following picture:-



Inside this file ‘practicalmalwareanalysis.log’ it records the name of the window you have open, obtained by calling ‘GetForegroundWindow’, as shown in the following picture:-



It records the window name in the pattern “[Window: New Tab - window name]”, as shown in the following picture:-



Then it records everything you type on the keyboard, but first it uses a switch statement to check for special keys such as ‘BackSpace’, ‘Ctrl’, numbers, etc. Then it records these keystrokes as shown in the following picture:-



Then it closes the handle to the file ‘practicalmalwareanalysis.log’ by calling ‘CloseHandle’, as shown in the following picture:-
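One way to turn these observations into a static triage check, as an added example that is not part of the original write-up: a Python script that extracts printable ASCII strings from a sample’s bytes and scores the combination of indicators described above (the hook API, the foreground-window query, the file output, and the bracketed key names). The API names and strings are the ones identified in this analysis; the weights, thresholds and the sample bytes it runs on are this example’s own constructions.

```python
"""Static triage for keylogger indicators in a sample's printable strings.

Indicator names come from the analysis of this sample; the weights,
thresholds and embedded sample bytes are constructed for this example.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Real Win32 import names observed in the sample.
HOOK_APIS = {"SetWindowsHookExA"}
WINDOW_APIS = {"GetForegroundWindow"}
FILE_APIS = {"CreateFileA", "WriteFile", "CloseHandle"}
# Strings the sample writes to its log.
KEY_NAME_STRINGS = {"[SHIFT]", "[TAB]", "[BACKSPACE]", "[CAPS LOCK]"}
LOG_FILE_NAMES = {"practicalmalwareanalysis.log"}

# Printable ASCII runs of at least four characters, like `strings -n 4`.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data: bytes) -> list[str]:
    """Return the printable ASCII strings found in raw file bytes."""
    return [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)]


@dataclass
class TriageResult:
    hook_apis: set[str]
    window_apis: set[str]
    file_apis: set[str]
    key_names: set[str]
    log_files: set[str]
    score: int
    verdict: str


def triage(data: bytes) -> TriageResult:
    """Score keylogger indicators present in a sample's strings.

    A keyboard-hook import alone is weak evidence (accessibility tools and
    input-method editors install hooks too). The combination of hook +
    foreground-window query + file output + key-name strings is what marks
    the sample analysed here, so the weights reward the combination.
    """
    found = set(extract_strings(data))
    hook = found & HOOK_APIS
    window = found & WINDOW_APIS
    files = found & FILE_APIS
    keys = found & KEY_NAME_STRINGS
    logs = found & LOG_FILE_NAMES

    score = 0
    score += 3 if hook else 0       # the hook is the core capability
    score += 1 if window else 0     # records which window received the input
    score += 1 if files else 0      # output is written to disk
    score += min(len(keys), 3)      # one point per key-name string, capped at 3
    score += 2 if logs else 0       # the known log file name

    if score >= 7:
        verdict = "likely keylogger"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "no keylogger indicators"
    return TriageResult(hook, window, files, keys, logs, score, verdict)


# Constructed stand-ins for file contents: a fragment of an import-name table
# followed by string constants. Not bytes from the real sample.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"SetWindowsHookExA\x00GetForegroundWindow\x00CreateFileA\x00"
    + b"WriteFile\x00CloseHandle\x00" + b"\x00" * 8
    + b"practicalmalwareanalysis.log\x00[Window: \x00"
    + b"[SHIFT]\x00[TAB]\x00[BACKSPACE]\x00[CAPS LOCK]\x00"
)
# A benign program also opens and writes files; it should not be flagged.
BENIGN_BYTES = b"MZ\x90\x00CreateFileA\x00WriteFile\x00CloseHandle\x00Hello, world\x00"


if __name__ == "__main__":
    # Pass a file path to triage a real file; otherwise run the constructed inputs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"constructed sample": SAMPLE_BYTES, "constructed benign": BENIGN_BYTES}
    for name, blob in targets.items():
        result = triage(blob)
        print(f"{name}: score={result.score} verdict={result.verdict}")
        for label, hits in (("hook", result.hook_apis), ("window", result.window_apis),
                            ("file", result.file_apis), ("keys", result.key_names),
                            ("log", result.log_files)):
            if hits:
                print(f"  {label}: {', '.join(sorted(hits))}")
```

The scoring is deliberately conservative about the file APIs: ‘CreateFileA’, ‘WriteFile’ and ‘CloseHandle’ appear in almost every Windows program, so they only add weight once the hook or the key-name strings are also present. A packed sample would hide these strings, which is why the write-up’s first step of confirming the sample is unpacked matters before a string-based check like this one is meaningful.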


IOCs


Hashes

sha256 : 9B683D2FDA7CA7ADCC043E4412271009A0E115CA55F9A718C385A3F46B57AE6B

Functions

WriteFile

GetForegroundWindow

SetWindowsHookExA

Strings

practicalmalwareanalysis.log

[SHIFT]

[TAB]

[BACKSPACE]

[CAPS LOCK]

Summary

This malware, a keylogger, creates a file called ‘practicalmalwareanalysis.log’ and then records everything you type on the keyboard. The following picture shows the functionality after running this malware: