
FAKE Antivirus? Malware Analysis of Decoy 'kaspersky.exe'

Jun 01, 2021
Oh, I'm sorry, what's wrong? Everyone, welcome back. My name is John Hammond, and you know I love some malware analysis, and it seems like you do too, so we'll do it a little bit one more time. I'm going to jump to my computer screen. This is where all the good stuff is happening on my computer, boy, and I have this folder. Here I am in this Kaspersky directory. I think this one is fun. I think it's a good story. It's a little peculiar, but we'll play, and we'll play well. So there was this little shortcut, Kaspersky or kaspersky.lnk, and whatever; in the comments you can complain about whether it's Kasper Skye or Kaspersky or whatever.
That shortcut file linked to this kaspersky.exe, which was in the C:\Windows\kaspersky directory, which by the way is not the actual default installation path for Kaspersky, the antivirus program, and you can check that by simply searching on Google. You can see how I was looking to buy IELTS or take that; we'll play with that a little bit, but if we just search "what is the Kaspersky installation path" (pass the hash, like that acronym PTH, there), you get "you can change the Kaspersky installation path. By default, applications are installed in the Program Files folder, Kaspersky Lab, Kaspersky Endpoint Security, etc." Normally it's not in C:\Windows\kaspersky, so that was a little suspicious. You know, Kaspersky is sus in this case, uh, not sure; hey, what is that thing? And we want to investigate it.

I also saw in that C:\Windows\kaspersky directory an update.exe, and inside the directory were also all these other files. I just put them in a "related" folder so we know they were in that current directory, so I'm safe. You can already see from some of these file names that they look peculiar, and not actually all of them are here; some of these other main DLL folders, main files, DLLs, other DLL libraries, I didn't actually end up bringing all of them in, but I do want to show some of these here. And I'm doing it a little bit differently, so you can see I'm in a virtual machine.
I have just a flat Ubuntu here, and I also have another machine that just runs Windows here, so we can move back and forth. I'm on the new platform, I'm on the new machine, so luckily I can run some virtual machines side by side and do some other cool stuff. So what do I want to do? The first thing to do is take a look at the files we have here. So kaspersky.exe is of course a Windows executable, but it's also a Mono/.NET assembly, which means we can take a look and peel back the layers.
Look behind the curtain and see what that thing is made of in something like dnSpy or ILSpy. So I actually wanted to have ILSpy on this Linux machine, and then it's like, oh no, you actually need to end up using Avalonia (I honestly don't remember what it's called or how it's pronounced), but that's the cross-platform version of ILSpy. So I'm like, okay, let's roll it up on Windows because we have that, and maybe we can do some other cool, fun things with that. So excuse me, I hit my desk there, I don't know if you heard that. Let's jump into that Windows virtual machine, and I have this terminal here on my laptop, which you may have seen cut into the corner; it's actually hosting a web server right now so we can download that kaspersky.exe and those other files, so that the laptop and desktop work in harmony, you know, good, good stuff. Let's go to my desktop so we can do some interesting things, and to note this down, I'll go to my laptop's IP address, which was 10.0.something local here; it should be on port 8000 because it's just a simple Python HTTP server, and I want to grab that kaspersky.exe. And it works, okay; we need to use the basic parsing parameter, so UseBasicParsing should be used to download it, no problem. I should just make that full screen, sorry, here we go. Oh, but it wouldn't have saved it because I didn't specify an output file, so let's run the wget command one more time, let's specify an output file, and we will call it kaspersky.exe.
Okay, that should download fine, and I also want to get that update.exe because we're going to explore and see what's perfect, and they both should be on my desktop now. Oh, what is that? What is that icon? I feel like I've seen that icon before. I'm going to open it in File Explorer. So it's behind a white Kaspersky background, with a description of the file, "b", and the version number is 1.0.0.0. Oh, okay, fascinating. Let's steal that image and see if we can do a reverse image search on Google. I'll save it with Paint; I'll save it wherever on my desktop, I don't care if it's called Untitled, that's totally fine. There we go, but I want to know where that comes from, whether it's really a thing. Google image search, yeah, okay, cool, search by image; let's upload that image, and it was on my desktop with no title, untitled.png. Oh, it's literally the Kaspersky logo or something.
I find it quite interesting, that's funny, so you can probably tell that, hey, I'm riding this train: this might not actually be Kaspersky, right? It's a facade, it's a decoy, it's a hoax. Let's look at what update.exe is first before we dive into our creepy little Kaspersky thing, but that update is apparently very small, so if I'm right again, there's not a lot there. Oh, that's the update.exe image; I didn't even download the right thing, you guys should have told me, you should have let me know. Okay, let's delete that old update.exe, and we don't need that image anymore either, but we'll download it one more time and get the right file there. Let's take the update.
I wondered why the length, why the size, was exactly the same for both files. No, no, this update is much smaller, so let's go. Open that up; we have ILSpy open here, and let's go ahead and open, from my desktop, that update.exe, and see that it has a different icon because it's a different binary. Okay, so this is using some reflection library, interop services, things that might do some peculiar things. Let's open it up and explore some of those other libraries or things that might not include anything; apparently in metadata, I guess it's something like the library headers and everything related to the resources of the file itself.
If there's something here that's not showing up for me, it will refresh and update the properties and resources, which don't seem to be all that interesting code. Let's go to the update form and see what this does. I guess I can expand all of these, and we just initialize a component, so this is a GUI, right, where we could run this and in fact a popup window will probably appear, and we could do that once we're done looking around and analyzing this. It's a GUI, so get rid of it; we'll just remove it. I think it's boilerplate stuff for when you end up having similar Windows Forms, and it just sets a font, so the Program is probably where the fun stuff really happens. Let's see what's here. We check some arguments, and the argument given, arg0, will be the program itself; it will get the process by ID, parsing args[0], or it will be like what you provide. It's a bit strange that it doesn't do something more than that try, although that catch does nothing; I might be misunderstanding it, but we get the path that is given as the other argument, and the text that is given is another argument, so we look for files with a string path which apparently will just be passed as text, and the extensions that will be provided are exe and dll, so for each of those items that we find, each of those files, we will delete. Okay, and then path2 is set to an empty string, so both of these we end up checking, right, but in the file list we get everything that applies in the other argument, all the exes or dlls, and then we combine them. Oh sorry, bring me back: the destination file name will be the path; it combines the original text that we deleted with ".exe" if it's an exe, then we save what would have been path2, and then we try to copy it there. Okay, and we run Process.Start on that ProcessStartInfo, which will now be that new thing. So it's not really updating that much; it's not like it's downloading from the Internet or something, but it's taking any files that might be in the current directory, so if for some reason we got another DLL or another exe, maybe that was doing something to bring it in. I think this is just a definition for that GetFiles function we were apparently calling earlier.
We just take that information from the list and take it into extensions, okay, so they're actually using the actual files to get there now, apparently, and check if the extension matches, and the return is fine. So I don't think this will do much else, honestly. Let's stop the System expansion because that's taking up a lot of space, but that update just seems like a program that does these things with exe files; it likes to copy them and delete them. Let's try to run it, you know, just to have a little fun. I'm going to copy this kaspersky.exe; I guess I can download it from the other computer if I need it again, but just to be safe, let's disconnect from the Internet, not that it's not doing something. Let's just disable this, okay, and try to run that update, even though I checked it and I saw that it could do some weird things with that other exe.
Something happened. Literally, something happened. Clicking on it frequently, but we could probably take a look at Sysmon or Sysinternals or anything to examine that kind of process or see it, make sure it's actually running, but how about I make another one? I mean, will they all be in the same directory, the right working directory? Uh oh, it needs the arguments, so we need to provide text and look up the path. Let's simulate what this looked like to start with. I'll go to C:; let's do, I mean, we already have a Windows directory, and I'm in a virtual machine, so I can pop this for whatever.
Why is it complicated? Let's make a small Kaspersky directory, and you won't let me because I'm not an administrator. I don't mind. I will start Windows Terminal as administrator. Let me do what I want. Am I really an administrator now? It doesn't actually tell me. Let's try to create that directory again, let's see how it looks. Yeah, okay, great, I did it, so let's copy everything from my desktop, all those exe files; let's put them in this Kaspersky directory, and now, do I have the touch command? I foolishly don't use PowerShell. Let's just echo nonsense like a fake exe, because apparently it's just looking for file extensions, and I got lost in a PowerShell prompt.
Okay, let's try to update the fake one that's in C:\Windows\kaspersky. Do I understand that? I don't know; the path should apparently be the third argument, and the text should be what I've provided as that filename. Do I need to include the exe extension here for some reason? No, I'm going down a rabbit hole, honestly. This is obviously not where the creepy stuff happens, so we can put this off. I think we've had fun messing around with this update, but it doesn't do much more than copy files, and I might be getting into the weeds here and not following exactly what's going on because I'm dumb. So let's do something else: let's delete this update and try to add it, and yes, we've already killed the Internet, so I'm not worried about that. Let's just introduce that kaspersky.exe and let's see what we have, ladies and gentlemen: kaspersky.exe 1.0.0.0, assembly title is "b", assembly product is "b", copyright 2015. Um, yeah, okay, so the metadata we know will win.
There won't be anything more interesting, uh; the references that it includes, however, I think they are peculiar, so you saw those DLLs in my Linux folder here. If I go back to that, you may have seen a .NET DLL; you may have seen a HigLabo, Newtonsoft.Json.dll, S22. So let me Google what these things are in case you are not familiar with them, because to tell the truth, I didn't know. Newtonsoft Json.NET is a high-performance JSON framework for .NET, so it will allow us to use JSON within the code that we will end up running, serializing it, working with it, deserializing it, etc., etc., so we can see how it is used. And the other one was HigLabo, the HigLabo converter; let's Google that guy and see what this thing does, or what's just HigLabo on its own, because I just entered just that converter, but there was like a core, there were other bits of the library, but it provides mail client functions for SMTP, POP3 and IMAP. So our little Kaspersky program could be sending some emails, it's fair to say. We have JSON, we have mail functionality; what is this sasl, what is this sasl.dll? Let's grab it and see, what are you doing?
This supports authentication methods. ...this hash. It's a hash that looks like a hash. The following: IP list file name, deposited time, send mail counter, done try count, total try count, good IP count; yeah, that makes sense, and the IP list int is exactly what we saw when we counted all of those. Wow, okay, it was great putting them together. Go to the current position in the file, which should take everything we've seen so far and jump to that part. When starting the invocation, when stopping the invocation, we start invoking some delegate actions; well, that's runtime, so maybe not. Oh, OnStopping and OnStarting, though, are called on each of them, so the robot, if it starts, doesn't need to start anymore, so what if it doesn't need to continue?
Oh God, stop, please, where did I go? No, I went to the top of the document again, okay, sorry, we'll come back to that. We're trying to figure out what this starter guy does. It will remove the following list of IP addresses, load the default settings of the default IP addresses, the good download IP; I don't know what it could be exactly, but it loaded the default configuration. It's something we already saw: temp good servers, log.txt; it clears them, and then we get the number of IP addresses, how many we need to pass. Go to the current position file and load the good servers, so we delete the ones that aren't needed; apparently it sets up some threads to see how long we're going to end up waiting. I think it's best to give it a little time so it doesn't seem so creepy, doesn't look so incomplete, and every time the timer goes off it does some other task. By stopping, okay, yeah, it stops completely, resets the robot state to default. cfg, oh, that's new, what will that file end up being used for? Initial configuration: the robot state is started, we get a binary writer and we write the configuration data that is passed as an argument, but that is a string of bytes. What's in that default.cfg, which is called again in OnGetConfig when we read the data into the binary reader; we read that data (sorry, I realized my face was in the way of the form), base stream length, we read it and then send the configuration on our SMTP robot, so we should completely check that SMTP robot.
We check all URLs or IP addresses once we have connected to a master, and then start a monitoring loop. Ah, okay: master disconnected, server IP import; what's that response message from HttpClient? Uh, fetch the URL from the server, make sure we have a successful status code; I'm going to jump to that real quick just to see what it looks like. Yeah, it looks like it's fine, it's just checking to see if it got like a 200 or something, and if we did, we get the results of that and then we decrypt them with a chain cipher with "Shangwei forest foresight 1988". What is that? Is that something, like, does that exist? Let me go back to Google; I know I'm already on Google, but I'm on image search, and I don't want to... no, I have no Internet, damn. Okay, take me back to my adapter settings, please enable it, come on, come on, we're getting intense here. Okay, let's see what this is, let's go to Google.com, upload, cool, slap in "Shanghui Forest forecast"; no, no results, not so many good ones, that's sad. What if I check for malware? Is it like something known? Is there some? It's our totally random key or something; I don't even know what this is being used for yet, so let's just introduce that for now, and let's go back to look at what's passed to the decryption method that's inside the encrypted string call. We parse the empty entries, they are separated and delimited by colons, so we get an IP or server that supports like this; yeah, oh, what does that mean? So the servers that are passed here we remove; no, no, the chain server URL is going to end up being different than that. We have a server that will return a list of other servers that will be used for, oh wow, so they will be used for that communication with SMTP. Maybe the master connection thread will end up trying to get some of these things; it'll wait 10 seconds to do it over and over again to see how many times we can get it, and then we'll keep reconnecting and checking. Okay, that's evil, that's nefarious.
The load default setting will accept the default settings like that. Oh yeah, we still have to look at that default IP address; extract all that stuff and check if iplist ends with a slash or .txt, oh, in case there are other directories, it's the correct iplist URL file. I'm kind of navigating this, so I may not have actually fully understood it. OnGetPublicIPAddress, it's just going to, oh, get public IP address, it's just checking itself; it comes back, it's just going to check ip.dyndns.org. That's, however, isn't that what will give you a real IP address?
I'm going to have to delete this, so I show my IP, just, yeah, yeah, I confirmed that it gives you your IP address, your public IP address. Well, okay, and we're almost done, we're at the end of this main SMTP form. connect.dat is entered, and again it's using this "forecast shangwei 1988227" to decrypt it, so we need to check it, and please make sure it's a valid connect.dat. This thing will die if I try to run it because I don't have that file on this machine, and then the timers in the registry tick; uh, you can't see that because my face is in the way, and I just moved the screen.
I'm so sorry; it's just getting it from the log and temporary servers, as we saw before. The delete and initialize component will be what we have seen before. Let me put that screen back where it should be and let's explore that default configuration file, because we have it. There we go, we don't need to be here anymore. Let's see, we do have a default configuration, so let's look at that default.cfg, which is just a bunch of base64. What is it? There's only base64. There's a lot here, guys; how long is this file? Uh, let's address that: 5337, okie dokie. Let's do a little bit like, wow, read the line so we can repeat that line.
I'm pretty sure you could do this with arguments. Ah, non-printable characters, bytes that humans cannot understand. I imagine that makes sense, even though it's true, because this default configuration file was supposedly decrypted, so let's see what else we have. NetworkData: what is NetworkData? This is the next one. This is another class I'm checking out in this SmtpSender namespace. They seem to send packets. That makes sense considering what... Excuse me, let's see what that thing is; come on, let's explore, let's do some Google Translate. Oh yeah, slap that in; "signature over there doesn't match," Korean language detected. Um, okay, I'm not one of those who like, hey, attribution; I don't care about that stuff, I'm not one to point fingers, "it was him, he stole my lunch money, I won't invite him to my birthday party anymore"; I don't do that, I don't care. It's pretty cool to at least see the traces, to at least walk through all of these; each of these is "the number of pieces of material that you were trying to get is not correct." What does that mean?
Oh, it's trying to get a certain amount of data. All these exceptions, I'm just trying to understand them, though I just want to know what's there. "No data here," yes, more. This is something homegrown, though, as if they were adding their own exceptions here, like writing this on their own. Slap that in; that, just like "pop", has the exact same result. Are there any other exceptions that might be interesting? Korean strings here; this looks like creepy wookie. Slap that in: "the data type is wrong, it should be a byte array." Okay, so they are leaving some notes for themselves.
NetworkDataEvent, that looks like a delegate; it's kind of like one of those tasks that are being added now. MessageCode, parse element enum, parse random enum. Oh gosh, the Program, oh, ooh, oh, this is pretty cool; it's like it ends up calling, right, so it will check if .NET is installed. It has functions to check the registry and see, do we have v4? Apparently if it's not .NET, and maybe I'm going too fast with that, but yeah, yeah, it checks if .NET is installed; if not, "you need to install it to run this program." It starts a robot state with the small time of the scanner starting right now, enable visual styles, messages show if there are any errors. Okay, the state of the robot has a lot of things defined; the time span is the time to get up. Wait, I'm just trying to see how long this robot has been alive, how long the C2 has been active, connection status, a couple of SMTP robot getters and setters. We are on the server connected right now, so the server connection will connect apparently with a socket connection; it will connect to the server, on connection we will try, and if we get a connected connection, we will get the main instance and explain that we have connected to the master connection. We will call it OnReceive. OnReceive, um, does that do something creepy?
No, I can't click on it, I can't see it. Parsing the packet is going to terminate, invoking some of the NetworkData, and our NetworkData did something: type code, binary data, write network message code. What is this? So these are the control codes, apparently, to do a certain thing, but it only sends records and sends the data that, do you know, update status, check server. Have we ever seen that check server? 1004 is said to say that it saved the configuration and got the configuration, starting the communication, totally C2, but I don't see it do anything to execute code.
I don't see it doing anything like running commands, however; but Invoke does something, and that data event that we apparently don't know about. Okay, let's go to our server status; that's just another SMTP enum. Account, that we parse from the SMTP account, is parsed with an ID and a password, and it's just coming out again with a colon separation, two strings, obviously two strings. SMTP configuration, well, we knew we were seeing some weird things in this because this is in relation to that default.cfg, so what do we have here? String constant, string configuration password; is that way "shanghai", I don't know how to say "foresee that something"? We should continue with auto threads, str; I get a lot here. SMTP configuration reset, and it calls reset, and ah, the string configuration file name is the default, default.cfg; SMTP ports, port 25; we have a timeout configured, and we are trying to keep track of headers and counts, and that's it. So the StreamReader payload is reading the data, and it looks like this has breadcrumbs of what that configuration file might actually look like, like if we have headers defined here, SMTP accounts and the final tags for them, so it has its own structure and schema; it has how to understand that configuration file, and this just looks like the function to parse all that data.
Great, we get the auto threads, recipient, from SMTP, thread, connection time, IP list file; everything is included in that default config file. Okay, so load the result of the config file, encrypt the write line; ah, so that the string encryption can be encrypted with that line which is passed to this function with the same key again. Same thing with decrypt line and save the file; we'll just spit it all out there, general recipient. Okay, that's what it would look like, but all of this data will end up being pulled from that master server or whatever we end up reaching.
Let's go with our kaspersky.exe, so the SMTP robot has an encryption key. The SMTP mode was just another enumeration, so I didn't want to drill through that, but the SMTP bot apparently does things and is probably like the agent or the bot that's going to be the tasker thing, when, I'm assuming, it's doing the nefarious acts, doing the C2: get the first list of IP addresses; the SMTP robot adds all these proc codes, get registration, yes, get the instance and load, send data, connect to the server, start comm. We have our good servers pulled out; sending data should be for message codes; connect to the server we saw, or at least we understand that basic functionality. The monitoring loop, though, ooh, the monitoring loop every five seconds tries to connect and send data; it begins with just "begin communication" and it sends it. Yeah, yeah, yeah, okay, just send, "hey, we're talking now," having a conversation, hello, send data and heartbeat; these are all the network message codes that were added in the settings, sending and saving. So what this looks like, honestly, just looks like it's still in communication, it's still talking back and forth sharing the data and information that's being received or gotten, but I don't see anything that looks like running commands. But it has a hash code and then some bytes that could be included; receiving the packet length, inbox, okay, so that has to be like a mail, obviously, we're looking at here. The other one probably has a very similar ID code; that hash is that hash code, something for the instance, yeah, because it does the Converter.GetInstance, and we have, oh, we have a Converter down here and a ServerSock, so let's not receive; that still generates errors, it's a long message, longer message than usual. I think not, no, just the number of bytes in its own encryption, more records.
I'm curious if any of these will end up being the same, even though I send data on submit. Close, okay, log file, ooh, puts it in a socket register. I don't think we've ever seen those directories with a socket_log file, and it just copies everything. It also has a date and year. "The messages could not leave the log file," eh, okay. What our Converter does is it ends up doing something peculiar or just converting bytes. It looks like it's just a bunch of overloaded functions for the byte getter function with different parameters being passed in, so yeah, it looks like it's just trying to understand how to interpret that UInt64 data. Oh, there's encryption and decryption, and that's just XOR; it's literally just XORing with the dec key and the enc key. Are those defined anywhere? Um, encoding format, process packet, not included. ServerSock, and that looks kind of the same as what we just saw except for the server, and the key is one, two, three, four, nice. Yeah, yeah, yeah: IP address parsing, connecting to a server, just build a socket, receive, OnReceive, disconnect, send data, parse the packet. Okay, that's all there is to it.
Of course, we could have expected this to work like a network connection. Great, let's see if the program, let's see if our little fake antivirus program actually does anything, so let's turn off the Internet for the fourth time, and this will probably complain that I don't have that default config file set, if it actually runs. Here we are going to double-click on our fake antivirus kaspersky.exe. That's really anticlimactic, I'm not going to lie. If I have a default.cfg, does it do something? Not yet. Running in the background, no; Performance, I think Details is what has Kaspersky doing anything; I don't see it, so something must be wrong.
I could download all the files and see what I could do, but I don't think it will really be worth it. So we had fun, we analyzed, we explored; I think it's okay to leave it here. Maybe we needed all the other files, though; we try and everything is okay, you convinced me, let's see if we can download everything and see what happens, just to review everything. That's listening on port 8000 on my local, okay, so we have all the related things; let's download, download, download. "This file can harm your computer," the default.cfg; Chrome tried to stop it, that's something like cool. Um, yeah, let's save that, let's get that DLL, let's keep going, let's see if Defender actually triggers with any of these things. Ah, log.txt didn't save; save it, save it anyway, save it anyway, give me all the DLLs. Oh, actually I don't have them yet.
I don't have all the others that I didn't incorporate. Maybe it just doesn't work, maybe it just doesn't work; let's do it for the lulz, let's do it for the Internet memes, let's do it for the YouTube algorithm gods, just do it. So I put all that in my Downloads. Yaga, okay, good luck, Kaspersky, do it. Oh yeah, turn off the Internet; don't do it yet. Actually, I was just joking, I was jumping the gun with that; let's turn that adapter off. Okay, Internet no longer exists. Kaspersky, now you can infect my computer. Wait, did I click "Don't run"?
It's in Downloads. Holy shit, click Run. We could kick it into some, uh, like Joe Sandbox or something, or throw it into VirusTotal and see what other weirdness comes out of it, but I don't see it starting on my machine; it's probably because it's missing those DLLs. Okay, okay, we'll go ahead and enable it one more time; let's kick it into VirusTotal and see if it sees any neato benito things, and then I'm going to leave it, so I'm going to finish this video. So, Kaspersky did it. One engine detected it, "viper trojan 132 generic cobra"; what is it supposed to be?
Am I infected? What do I do? Hello. "I just ran a scan and got this program with great harmful power to completely mess up the system. I need a simple malware scan." Is there anything in the community section? Anonymous, negative 32 votes, details, okay, okay; everything else is not at all great. Look, maybe so, I don't know, I don't know if that's really what I should be doing; let's see what this guy thinks. "I believe this balloon is a batch of spam emails that has been distributing a variant of the poisonous Zlob Trojan on your computer. Send pizza-themed emails."
I don't know. What is this balloon? I don't know. I do not know if that's it; I don't think that's it, I don't think it's the right malware family. It's not exactly positive, so I think that's all the research or other post-mortem I want to do. It looks like my virtual machine is, oh, that Chrome just didn't want to play nice, but I think we could start to wrap up. You know, we've done our analysis, we've done some fun things. I'll be back at the end; thank you all, I appreciate it. But wow, look at all those usernames and passwords that are just set up for dummy accounts and will be traced across all those different IP addresses, the 73,000; find some good ones that we see in all those different areas of the world and send monitoring status or information through SMTP.
I don't know if I could say it's command and control, right. I don't know if I could say C2 because I didn't see anything running commands or running code on the victim or from this target, but that doesn't mean there couldn't be anything else happening, or anything else that's configured, and maybe I could be completely wrong, I could be completely wrong. I hope you watched this video like, hey, I did: I'm browsing through ILSpy, I would look through dnSpy, I want to explore all these different files, see what I can understand, but look, I'm still learning too, so if there's anything you can teach me, if there's anything you can tell me, make me aware of this, I want to hear it; please put it in the comments. Please help not only me learn but help everyone learn, and that's what it's all about. So it was fun; I hope it was great.
I don't know how this compares to the other malware analysis videos we've been doing, but I think using C# and using LINQPad to be able to figure out the things that we see defined here, that's pretty neat and cool. It took a little bit of fixing; I made a couple of trips and tripped and hit my head on the wall, but I hope it was fun. So thank you all so much for tuning in to this video. I hope you enjoyed it, I hope you're enjoying all of these others, and hopefully we can continue to do more of this because it seems to be very, very well received; it's helping the channel grow, and you know what else helps the channel grow? Your interaction with the YouTube algorithm, so hit the like button, leave a little comment, hit the subscribe button, hit the bell, destroy, literally delete the bell, which really helps to get notified when I produce another video. Like that, that's okay, that's it, that's my way out.
I had all the fun, I hope you did too, I love you all, see you in the next video, take care.
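Editor's addendum, added after the transcript and not part of the video or of the sample John analysed: the walkthrough above describes a default.cfg that is base64 text which decodes to non-printable bytes, a Converter class whose encrypt and decrypt are plain XOR against a key, and a config schema of tagged sections holding colon-separated id:password and server entries. The Python below is a constructed illustration of how to triage such a blob offline: base64-decode it, use a printable-byte ratio to decide whether the result is already readable text or ciphertext, try a candidate repeating-key XOR, and parse the recovered sections. The XOR key, the tag names `<smtp_accounts>`/`<servers>`, and the sample entries are placeholders I made up for this example; the real key and schema have to be read out of the assembly in dnSpy or ILSpy.

```python
"""Added example (editor's code, not from the video or the analysed sample).

Triage a base64-wrapped config blob of the kind the transcript describes:
1. base64-decode it,
2. decide whether the result is readable text or ciphertext (printable ratio),
3. if ciphertext, try a candidate repeating-key XOR (the sample's Converter
   class was described as "just XOR with a key"),
4. parse tag-delimited sections of colon-separated entries.

Assumptions (placeholders, NOT taken from the sample): the XOR key
PLACEHOLDER_KEY, the tag names <smtp_accounts>/<servers>, and SAMPLE_CONFIG.
"""
import base64
import string

# Placeholder key; every byte has the high bit set so XORed ASCII is never printable.
PLACEHOLDER_KEY = b"\xa7\xc3\x91\xe5"
_PRINTABLE = set(string.printable.encode())


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or whitespace (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in _PRINTABLE) / len(data)


def looks_like_text(data, threshold=0.95):
    """Heuristic: real config text is almost entirely printable; ciphertext is not."""
    return printable_ratio(data) >= threshold


def parse_config(text):
    """Parse <smtp_accounts> (id:password) and <servers> (host:port) sections."""
    result = {"accounts": [], "servers": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "<smtp_accounts>":
            section = "accounts"
        elif line == "<servers>":
            section = "servers"
        elif line.startswith("</"):
            section = None
        elif section == "accounts":
            user, _, password = line.partition(":")   # split on the first colon
            result["accounts"].append((user, password))
        elif section == "servers":
            host, _, port = line.rpartition(":")      # split on the last colon
            result["servers"].append((host, int(port)))
    return result


def decode_config(b64_blob, key=PLACEHOLDER_KEY):
    """Return (mode, parsed) where mode is 'plain', 'xor' or 'unknown'."""
    raw = base64.b64decode(b64_blob)
    if looks_like_text(raw):
        return "plain", parse_config(raw.decode("ascii", "replace"))
    candidate = xor_bytes(raw, key)
    if looks_like_text(candidate):
        return "xor", parse_config(candidate.decode("ascii", "replace"))
    return "unknown", {}


def encode_config(text, key=PLACEHOLDER_KEY):
    """Inverse of decode_config, used only to build sample input; key=None means plain base64."""
    data = text.encode()
    if key:
        data = xor_bytes(data, key)
    return base64.b64encode(data).decode()


# Constructed sample config (made up for this example; not the real default.cfg).
SAMPLE_CONFIG = """<smtp_accounts>
user1@example.test:Passw0rd!
user2@example.test:hunter2
</smtp_accounts>
<servers>
192.0.2.10:25
192.0.2.11:587
</servers>
"""
SAMPLE_BLOB = encode_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    mode, cfg = decode_config(SAMPLE_BLOB)
    print(mode, cfg)
```

The printable-ratio check is the practical point: a base64 blob that decodes to mostly non-printable bytes is a hint that another layer (here XOR) sits underneath, which is exactly what the transcript noticed when catting default.cfg. With the wrong key the result stays unreadable and the function reports "unknown" rather than pretending to have parsed something.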
