Reversing Ardamax keylogger

Scutum
4 min read · Nov 16, 2020

Hi all,

Thank you for visiting this page. This is part of my personal project to try to reverse malicious programs in an effort to develop my malware analysis skills. In this blog, I will explain my findings when I tried to analyze a popular commercial keylogger named Ardamax.

Hash of original keylogger:
8C870EEC48BC4EA1ACA1F0C63C8A82AAADAF837F197708A7F0321238DA8B6B75

Off the bat, VirusTotal recognizes it as a known trojan sample.

Dissecting it!

Wearing the hat of a malware analyst, I loaded the sample in x32dbg to get a glimpse of which Windows API functions it uses. Below is a screenshot of the functions it was loading:

Windows API functions listed by x32dbg

I was expecting Windows API calls like SetWindowsHookExA, GetKeyboardState, GetAsyncKeyState, etc. However, based on the list I see, it looks like the sample hides the usual functions and resolves them later in its execution. From the list, I see the sample uses the API GetProcAddress, which returns the address of an exported function from a DLL. So I assume the sample loads a DLL when it runs.

My next step was to run the program up to a breakpoint on the API GetProcAddress. As shown below, the sample loaded a function named ‘sfx_main’ from the DLL whose address is in EAX:

As you can see, the highlighted part 1 in the screenshot shows the handle argument being passed to GetProcAddress, and the highlighted part 2 shows the dump from EAX. I dumped this memory section and fixed its Import Address Table (IAT) using the Scylla plugin. Luckily, everything worked without any errors. Somehow, in the past I was not able to fix an IAT that easily. Lucky me!

I loaded the extracted DLL in IDA and saw hundreds of APIs that did not appear in the original executable, including all the weird and obvious functions a keylogger can use. You can find the list of all functions in this file:

Let it load buddy!

Performing some behavior analysis on the original executable reveals that it creates another process named ‘DPBJ.exe’, which is executed as a service. This probably indicates the stealthiness of the keylogger. I ran the sample several times to see if the file name changes each time; however, it remained the same on every fresh execution.

Another executable runs with process name ‘DPBJ.exe’

Using the Procmon tool, I observed an interesting operation performed by the executable: three registry value set events by the process. Looking closely at the key path, the process is setting values under a key named ‘ASProtect’.

Registry Set event in folder named ‘ASProtect’
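To make the Procmon observations above repeatable, here is an added Python example of my own (not the author's code and unrelated to the Ardamax binary) that triages a Process Monitor CSV export (File > Save as CSV) for the same behaviours: a child process spawned by the sample, RegSetValue events under an ‘ASProtect’ key, service registration and any TCP/UDP activity. The rows, PIDs, paths and value names are constructed; only the process name DPBJ.exe and the ‘ASProtect’ key name come from the post, and the write under HKLM\SYSTEM\CurrentControlSet\Services is my assumption of what running as a service would leave behind.

```python
"""Triage a Process Monitor CSV export for the behaviours described in the
write-up: a spawned child process, registry writes under an 'ASProtect' key,
service registration and network activity."""
import csv
import io
import ntpath
from collections import defaultdict

# Constructed Procmon export. Times, PIDs, paths and value names are invented
# for this example; only DPBJ.exe and the 'ASProtect' key name come from the
# post. PLACEHOLDER_* marks values the post does not give.
SAMPLE_PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1001","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\DPBJ.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.1200","sample.exe","4120","Process Create","C:\\Users\\lab\\AppData\\Local\\Temp\\DPBJ.exe","SUCCESS","PID: 4188"
"10:01:02.2000","DPBJ.exe","4188","RegSetValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\PLACEHOLDER_SVC\\ImagePath","SUCCESS","Type: REG_EXPAND_SZ"
"10:01:02.3000","DPBJ.exe","4188","RegSetValue","HKCU\\Software\\ASProtect\\PLACEHOLDER_VALUE1","SUCCESS","Type: REG_BINARY, Length: 32"
"10:01:02.3100","DPBJ.exe","4188","RegSetValue","HKCU\\Software\\ASProtect\\PLACEHOLDER_VALUE2","SUCCESS","Type: REG_BINARY, Length: 16"
"10:01:02.3200","DPBJ.exe","4188","RegSetValue","HKCU\\Software\\ASProtect\\PLACEHOLDER_VALUE3","SUCCESS","Type: REG_DWORD, Length: 4"
"10:01:02.4000","DPBJ.exe","4188","RegQueryValue","HKCU\\Software\\ASProtect\\PLACEHOLDER_VALUE1","SUCCESS","Type: REG_BINARY, Length: 32"
"10:01:03.0000","explorer.exe","1200","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\Shell\\BagMRU","SUCCESS","Type: REG_BINARY"
'''

# Services are registered under this key; compared case-insensitively.
SERVICE_KEY_PREFIX = "hklm\\system\\currentcontrolset\\services\\"
NETWORK_OPS = ("TCP Connect", "TCP Send", "UDP Send")


def parse_procmon_csv(text):
    """Return the export as a list of dicts keyed by the Procmon column names."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, sample_process="sample.exe"):
    """Group rows into findings worth a second look.

    Only the sample and the processes it (transitively) creates are
    considered, so unrelated noise such as explorer.exe is dropped.
    Returns {finding_name: [rows that triggered it]}.
    """
    findings = defaultdict(list)
    lineage = {sample_process}  # process names belonging to the sample
    for row in rows:
        op, proc, path = row["Operation"], row["Process Name"], row["Path"]
        if proc not in lineage:
            continue
        lowered = path.lower()
        if op == "Process Create":
            # Path is the child's image; follow it so its events count too.
            lineage.add(ntpath.basename(path))
            findings["child_process"].append(row)
        elif op == "RegSetValue":
            if lowered.startswith(SERVICE_KEY_PREFIX):
                findings["service_registration"].append(row)
            elif "\\asprotect\\" in lowered or lowered.endswith("\\asprotect"):
                findings["asprotect_registry_write"].append(row)
        elif op in NETWORK_OPS:
            findings["network"].append(row)
    return dict(findings)


def summarize(findings):
    """Collapse each finding to sorted (process, path) pairs for a triage note."""
    return {
        name: sorted({(r["Process Name"], r["Path"]) for r in rows})
        for name, rows in findings.items()
    }


if __name__ == "__main__":
    result = summarize(triage(parse_procmon_csv(SAMPLE_PROCMON_CSV)))
    for name, hits in result.items():
        print(f"[{name}]")
        for proc, path in hits:
            print(f"  {proc}: {path}")
    if "network" not in result:
        print("[network] no TCP/UDP events from the sample's process tree")
```

Run against a real export, the absence of a `network` finding matches what the post saw on the wire; the three `asprotect_registry_write` hits correspond to the three value-set events in the screenshot.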

Conducting some OSINT, I found that ASProtect is an EXE packing tool. Aha! I think I might have found the tool used to pack this executable. Alternatively, the author may have used this tool to protect the application from copyright issues. However, based on the profile of the sample, I think it was used simply to protect the executable from analysis, disassemblers and debuggers. Lastly, I observed network traffic in Wireshark while running the sample. Nothing interesting stood out on the wire. My assumption is that it generates traffic only once the sample has been configured with how to send logs and the stolen data back to the actor.

Thank you for reading. Hope you find it interesting. Please let me know if you have any questions!
