![]() The entire directory of stolen files is compressed into a password-protected 7-Zip archive (wherein 7z.dll and 7z.exe are included as resources), and the archive password is md5. The stealer runs a Windows Events Command-Line Utility and lists the dates of events 6005 (when the event log service was started) and 6006 (when the event log service was stopped), and saves these output to eventlog.txt file. ![]() We also noticed embedded files DLL7Z and EXE7Z, which contain all the stolen data in one archive compressed with 7-Zip. The stealer contains a resource utility called FFNSS332 for a 32-bit system (or FFNSS364 for a 64-bit system), which parses the logins.json and prints its results on the command-line output. Steam: It searches for “config” file with the settings in a number of locations being discussed here.įirefox stores its saved logins encrypted in a logins.json file.Elements: It looks for “IndexeDB” directory where the messenger app stores information such as access tokens.Discord: It looks for “userDataCache.json” file.Telegram: The stealer scans for “tdata” folder wherein all data such as sessions, messages, and images are stored. ![]() The stealer copies all the important files with settings and configurations and sends them back to the command-and-control (C&C) server: These file names are self-explanatory of the data stolen from the infected system, as follows:Īside from stealing web browser data, the stealer also gathers user data from online messenger platforms Telegram, Discord, and Elements, game distribution service Steam, and email clients Outlook and Thunderbird. The stealer starts taking the data, creates directories labeled “browsers” and “cookies” in the directory named MachineGuid, and stores the stolen data in the said directories based on the file content. This encrypted and encoded value is then saved to a file named. We analyzed this encrypted value to be base64-encoded, then DES-encrypted with key “loadfa1d” and IV “unsigned”, followed by another base64-encoding. For that purpose, the stealer reads os_crypt and encrypted_key from the file, decrypts the key, and stores its encrypted value. The cookies in Chromium-based browsers are encrypted. It then searches for and steals cookies from the following browsers: ![]() The browser stealer then extracts a “MachineGuid” value from and uses this string value as the name of the directory where it stores all the stolen data. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |