NET cryptor and invites Zemotįiesta EK on ASUS ROG Forums targets Internet Explorer Users Wait it's a fake!Īpple ID phishing campaign exploits Google Search Open Redirect Selena Gomez And Justin Bieber Sex Tape Video hits the Internet. In this DLL we see a new reference to a DLL called. This time we don't see a hardcoded IP in the strings, there might be one hidden or encrypted though, I haven't checked.
#Wowmatrix trojan password#
Strings from the keylogger / password stealer DLL - 223801.dll By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). %System% is a variable that refers to the System folder.By default, this is C:\Documents and Settings\\Local Settings\Temp\ (Windows NT/2000/XP). %Temp% is a variable that refers to the temporary folder in the short path form.Bit of a lazy programming here, why compare a path + filename against a filename? You've got functions to return a substring or extract a filename. The malicious DLL also checks if the newly created process is Wow.exe.
The DLL will be loaded under Internet Explorer, Process Explorer for example but not under notepad or any operating system files. The keylogger / password stealer DLL, 223801.dll in our example, will NOT hook itself under all processes. I think this technique might only partially work, most kernel32.dll functions call ntdll.dll and end up in kernel mode.
I suspect it will call functions inside kabaker.dll to evade HIPS detection. Next it will drop the keylogger / password stealer DLL, followed by copying kernel32.dll as kabaker.dll.īoth DLL's are loaded under the Google process. Reference: Working with the AppInit_DLLs registry value. Google.exe starts by creating an entry under the AppInit_DLLs value in the registry so that the randomly named DLL loads under every application.
The file kabaker.dll is a CLEAN copy of kernel32.dll.
#Wowmatrix trojan windows#
Unfortunately Vista is of no use when it comes to file details, we need our good ol' Windows XP for a quick verification. I got curious when I saw the file details "Windows NT BASE API Client DLL", Microsoft Corporation, File Version. We also notice the creation of a DLL called kabaker.dll in the %System% folder. The DLL is randomly named, usually 6 or 7 numbers long. It will drop the keylogger / password stealer DLL in the %temp% folder. Google.exe is responsible for installing the keylogger / password stealer on the victim's computer. This file will be launched by wowmatrix.exe once the WoWMatrix AddOn Manager is installed and after you did exit the freshly installed program. We've got the official WowMAtrix 3.0 installer Matrix.exe and a file called Google.exe.
0 kommentar(er)
