There is a growing trend among malware authors to incorporate legitimate applications in their malicious package. This time, we analyzed a malware sample that downloads a legitimate copy of ffmpeg. Using this application, the spyware goes a step further than most: where most malware is content with sending screenshots taken periodically on the infected machine, this one records full videos of the user's activity. In this post, we will have a look at this and the other threats posed by this sample.

The malware family was first discovered in 2015 by MalwareHunterTeam.

The JS file drops the contained executable inside the %TEMP% folder and then runs it. The executable installs itself under a random name, creating its own folder in %APPDATA%. Persistence is achieved with the help of a Run key, and an additional copy of the malware is also dropped in the Startup folder.

During its run, the executable creates .tmp files inside its installation folder. The file content is not encrypted, and if we look inside we can see that it is saving keystrokes and logging the running applications.

Another interesting thing we noted is that the malware downloads legitimate applications: Rar.exe, ffmpeg.exe and related DLLs such as DShowNet.dll. The malware has also been observed closing and deleting some applications while it is running, e.g. ProcessExplorer and baretail, from the attacked machine.

The malware communicates with the CnC server over TCP using port 98. The server sends the client the command "idjamel" and the client responds with the basic info collected about the victim machine, such as machine name/user name, the operating system installed, and a list of running processes. After the beaconing, the server sends the client the configuration, i.e. the list of targeted banks. The bot saves the configuration in the registry. After that, the CnC sends a set of Base64-encoded PE files; the content of each file is prepended with its name. The non-malicious helper binaries can be identified by the keyword "djamelreference", while malicious plugins are identified by "djamelplugin". An example is the download of the plugin remotedesktop.dll (e907ebeda7d6fd7f0017a6fb048c4d23).

The ffmpeg application is downloaded from a URL pointed to by the CnC. Following the address, we can see a dummy page that may possibly be owned by the attackers; its Facebook Like button points to the account "AnonymousBr4zil".

The bot reports to the server about the running applications, i.e. it sends the text from the window title bars encoded in Base64:

awt||UHJvY2VzcyBFeHBsb3JlciAtIFN5c2ludGVybmFsczogd3d3LnN5c2ludGVybmFscy5jb20gW3Rlc3RtYWNoaW5lXHRlc3Rlcl0=djamel

The Base64 part decodes to the window title "Process Explorer - Sysinternals: www.sysinternals.com [testmachine\tester]".

The sample is packed with the help of CloudProtector (thanks to MalwareHunterTeam for the tip). It is the same protector that was used in some other cases that we analyzed earlier. Just like in the previous case, it decrypts the payload using a custom algorithm and the key supplied in the configuration. Then the decrypted executable is loaded into memory with the help of the RunPE technique (also known as process hollowing).

The unpacked payload is the layer containing all the malicious features. It is not further obfuscated, so we can easily decompile it. We can see some classes with descriptive names, e.g. ProtectMe, ScreemCapture, SocketClient. At first sight, we can see the purpose of this malware: spying on the user and backdooring the infected machine.

The class Form1 is the main module, responsible for communicating with the CnC and coordinating actions. It contains hardcoded data used for the malware installation and the address of the CnC server. The victim name is copied from the binary and saved in a registry key. Each module runs independently, started in a new thread. In case the bot detects software for e-Carte Bleue (a French payment card), it adds the corresponding string to the identifier and also sends additional information to the server.

We can also see the fragment of code responsible for downloading the ffmpeg application.

The main goal of the malware authors is to spy on the user's banking activities.
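The CnC exchange described in this post (the "idjamel" command, the "awt||<Base64 title>djamel" window-title report, the "djamelreference"/"djamelplugin" keywords and the Base64-encoded PE delivery) can be turned into a small decoder and stream scanner for incident responders. The code below is an added example; it is not code from the original post or from the malware. The title report it decodes is the one captured above; everything else is an assumption: the post does not describe how messages are delimited on the wire or how the file name is glued to the Base64 PE body, so the newline framing, the regexes and the stand-in PE header (`FAKE_PE`, constructed here) are mine.

```python
# Added example (not from the original post): decoder and scanner for the C2
# markers described in the analysis. Framing assumptions are noted inline.
import base64
import binascii
import re
from typing import Dict, List, Optional

TITLE_PREFIX = "awt||"
TITLE_SUFFIX = "djamel"
TITLE_RE = re.compile(r"awt\|\|([A-Za-z0-9+/=]+)djamel")
# "idjamel" as a stand-alone token; avoids matching the "djamel" suffix of reports.
COMMAND_RE = re.compile(r"(?<![A-Za-z0-9])idjamel(?![A-Za-z0-9])")
# Long Base64 runs are candidates for the PE files the CnC pushes to the bot
# (assumption: the file body is a plain Base64 run separated from its name).
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
FILE_KEYWORDS = ("djamelreference", "djamelplugin")


def parse_title_report(message: str) -> Optional[str]:
    """Decode one 'awt||<Base64 window title>djamel' report; None if it is not one."""
    if not (message.startswith(TITLE_PREFIX) and message.endswith(TITLE_SUFFIX)):
        return None
    body = message[len(TITLE_PREFIX):-len(TITLE_SUFFIX)]
    try:
        return base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def b64_to_pe(b64: str) -> Optional[bytes]:
    """Return the decoded bytes if the Base64 run is a PE image (MZ stub plus a
    'PE\\0\\0' signature at e_lfanew), otherwise None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(raw[0x3C:0x40], "little")
    if e_lfanew + 4 > len(raw) or raw[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return raw


def scan_stream(payload: bytes) -> List[Dict[str, object]]:
    """Scan a reassembled TCP stream (e.g. the port 98 session) for the bot's markers."""
    text = payload.decode("latin-1")  # 1:1 byte mapping, never raises
    findings: List[Dict[str, object]] = []
    if COMMAND_RE.search(text):
        findings.append({"kind": "command", "value": "idjamel"})
    for m in TITLE_RE.finditer(text):
        title = parse_title_report(m.group(0))
        if title is not None:
            findings.append({"kind": "window_title", "value": title})
    for kw in FILE_KEYWORDS:
        if kw in text:
            findings.append({"kind": "file_delivery", "value": kw})
    for m in B64_RUN_RE.finditer(text):
        pe = b64_to_pe(m.group(0))
        if pe is not None:
            findings.append({"kind": "base64_pe", "value": len(pe)})
    return findings


# Report captured in the post (decodes to the Process Explorer window title).
TITLE_REPORT = (
    "awt||UHJvY2VzcyBFeHBsb3JlciAtIFN5c2ludGVybmFsczogd3d3LnN5c2ludGVybmFscy5jb20g"
    "W3Rlc3RtYWNoaW5lXHRlc3Rlcl0=djamel"
)
# Constructed stand-in for a pushed PE file: a bare MZ stub whose e_lfanew (0x40)
# points at a 'PE\0\0' signature. Not a real executable, just enough header.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20
FAKE_PE_B64 = base64.b64encode(FAKE_PE).decode("ascii")
# Constructed stream; newline framing between messages is an assumption.
SAMPLE_STREAM = (
    b"idjamel\n" + TITLE_REPORT.encode() + b"\n"
    + b"djamelplugin\n" + FAKE_PE_B64.encode() + b"\n"
)

if __name__ == "__main__":
    print(parse_title_report(TITLE_REPORT))
    for finding in scan_stream(SAMPLE_STREAM):
        print(finding["kind"], "->", finding["value"])
```

To use it on real traffic, feed `scan_stream` the reassembled client-to-server and server-to-client halves of the port 98 session instead of `SAMPLE_STREAM`. The PE heuristic is deliberately strict (MZ plus a valid e_lfanew pointing at PE\0\0) so that the Base64 window-title reports, which are also long Base64 runs, are not misreported as executables; if the file name turns out to be concatenated directly onto the Base64 body without a separator, the run has to be trimmed to a multiple of four characters before `b64_to_pe` will accept it.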