Malware Analysis [#4] — Eternity Project — Eternity Stealer

  • Eternity Stealer — $260 annual subscription.
  • Eternity Miner — $90 annual subscription.
  • Eternity Worm — $390.
  • Eternity Ransomware — $490.
  • Eternity Clipper — $110.
  • Eternity DDoS Bot — (Still in development).

Eternity Stealer Malware:

General Info:

Screenshots in the original (not reproduced here): the assembly before using de4dot, after using de4dot, the deobfuscation functions, and the pointer functions.

Analyzing Obfuscation Methods:

The first deobfuscation routine (AES):

  • Takes two string arguments.
  • Removes the first and last character from the second string argument, then decodes the result from base64 and uses it as the secret key for AES decryption.
  • Decodes the first string argument from base64 and uses it as the IV for AES decryption.
  • After decryption it returns a UTF-8 string.

The second deobfuscation routine (arithmetic and case swap):

  • Takes a string argument and a long argument.
  • Converts the string argument to a char array.
  • In a for loop, converts both arguments to int32 and checks whether the two values combined (their sum) fall between 0 and 256; if they do, it subtracts the first argument from the second, converts the result to a char, and swaps its case (uppercase to lowercase and lowercase to uppercase).
  • Reverses the char array and returns it as a string.
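The two routines above, re-implemented in Python as an added example for analysts who want to decode strings from a sample offline. This is not code from the write-up or from the sample: the function names (derive_aes_params, aes_decrypt_string, arithmetic_decode) are mine, the AES mode is assumed to be CBC with PKCS7 padding (the .NET default, which the page does not state), and characters that fail the range check in the second routine are assumed to pass through unchanged.

```python
"""Re-implementation of the two string-decoding routines described above.

Added example, not code from the Eternity Stealer sample or from the author
of this write-up: it follows the bullet-point description, so the function
names, the AES mode and the handling of characters that fail the range check
are assumptions.
"""
import base64

AES_BLOCK_BITS = 128


def derive_aes_params(arg1, arg2):
    """Recover (key, iv) the way the first routine does.

    arg2 with its first and last character stripped, base64-decoded -> AES key.
    arg1 base64-decoded -> AES IV.
    """
    key = base64.b64decode(arg2[1:-1])
    iv = base64.b64decode(arg1)
    return key, iv


def aes_decrypt_string(ciphertext, arg1, arg2):
    """Decrypt with the derived key/IV and return the UTF-8 plaintext.

    Assumption: CBC mode with PKCS7 padding (the .NET default); the page does
    not name the mode. The 'cryptography' package is imported lazily so that
    the dependency-free arithmetic routine below works without it.
    """
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    key, iv = derive_aes_params(arg1, arg2)
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(AES_BLOCK_BITS).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-8")


def arithmetic_decode(encoded, key):
    """Second routine: per-character subtraction, case swap, then reverse.

    For each character c: if 0 <= ord(c) + key < 256, the character becomes
    chr(key - ord(c)) with its case swapped. The order of the subtraction
    follows the write-up's wording ("sub first argument from the second").
    The '& 0xFFFF' mimics the unchecked (char) cast in C#. Characters that
    fail the check are left unchanged (assumption: the page does not say).
    """
    chars = list(encoded)
    for i, c in enumerate(chars):
        code = ord(c)
        if 0 <= code + key < 256:
            chars[i] = chr((key - code) & 0xFFFF).swapcase()
    chars.reverse()
    return "".join(chars)


if __name__ == "__main__":
    # Constructed test vector: "GJJQ." with key 150 decodes to "Hello".
    print(arithmetic_decode("GJJQ.", 150))
    # Constructed base64 material for the key/IV derivation.
    k, v = derive_aes_params("ZmVkY2JhOTg3NjU0MzIxMA==", "xMDEyMzQ1Njc4OWFiY2RlZg==y")
    print(k, v)
```

arithmetic_decode is self-contained; the AES helper needs the cryptography package, imported lazily so the rest runs without it. If a sample decodes to garbage with the second routine, the first thing to check is the order of the subtraction, which the write-up describes in words rather than code.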

Main Method:

  • UnhandledException (occurs when an exception is not caught).
  • ProcessExit (occurs when the default application domain's parent process exits).
  • DomainUnload (occurs when an AppDomain is about to be unloaded).
  • chcp 65001
  • ping 127.0.0.1
  • DEL /F /S /Q /A "{0}" (with {0} being "C:\path\to\file.exe")
  • CreateNoWindow.
  • UseShellExecute.
  • cme.exe
  • procmon.exe
  • Expect100Continue: gets or sets a Boolean value that determines whether 100-Continue behavior is used. The HTTP 100 Continue informational status code tells the client that everything is OK and that it should continue with the request (or ignore the response if the request is already finished). The malware sets it to “1” by taking the size of a float, which is 4 bytes, and subtracting 3; the result is 1, which means true.
  • DefaultConnectionLimit: gets or sets the maximum number of concurrent connections allowed by a “ServicePoint” object. The value here is 9999, again obtained by taking the size of a float and adding 9995.
  • SecurityProtocol: gets or sets the security protocol used by the “ServicePoint” objects managed by the “ServicePointManager” object. The protocol is “Tls12”, which has the value 3072 as given in the Microsoft documentation; the same trick again: the size of a float plus 3068.
  • HandleAccount.
  • HandleCookie.
  • HandleAutoFill.
  • HandleCreditCard.

Account fields:

  • Hostname.
  • Username.
  • Password.
  • Application.
  • Profile.

Cookie fields:

  • Name.
  • Path.
  • Value.
  • HostKey.
  • ExpiresUTC.
  • Application.
  • Profile.

AutoFill fields:

  • Name.
  • Value.

CreditCard fields:

  • Number.
  • Holder.
  • CardName.
  • ExpYear.
  • ExpMonth.
  • Application.
  • Profile.

Create Method:

  • Executable Path.
  • Start Date.
  • Stub Version.
  • Stub Location.
  • Username.
  • ComputerName.
  • OSName.
  • UILang.
  • Hardware.
  • CPUName.
  • GPUName.
  • RAMAmount.
  • DiskSize.
  • Model.
  • Manufacturer.
  • ScreenResolution.
  • Geolocation.

Thread[0] (System)

  • Uses “vaultcli.dll”, a command-line equivalent to the Credential Manager; the functions called from this DLL:
  • Determines whether it will use the VAULT_ITEM_WIN7 or the VAULT_ITEM_WIN8 struct.
  • The data collected is:
  • The result will be written to a file named “System\Vault.txt”.
  • Executes the command "netsh wlan show profile | findstr All" to list the profiles configured on the system.
  • Executes the command "netsh wlan show profile name=\"" if the previous step succeeded.
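Detection logic for the command lines described in the Main method (the chcp 65001 / ping 127.0.0.1 / DEL self-delete chain) and here in Thread[0] (the netsh wlan show profile enumeration), as an added example. This is not code from the write-up or from the sample: the process-creation records are constructed, the field names (image, parent_image, command_line) are an assumption about your telemetry (Sysmon Event ID 1 or an EDR feed), and chaining the three self-delete commands with "&" is my assumption, since the page lists them separately.

```python
"""Detection logic for the command lines in the Main method and Thread[0].

Added example (not part of the write-up or the sample). The process-creation
records below are constructed; the event fields are assumptions to be mapped
onto whatever your EDR or Sysmon pipeline provides.
"""
import re
from dataclasses import dataclass

# The three commands the stealer chains to delete its own executable.
# Requiring all three in one command line keeps benign "ping 127.0.0.1" out.
SELF_DELETE_MARKERS = ("chcp 65001", "ping 127.0.0.1", "del /f /s /q /a")

# "netsh wlan show profile | findstr All" runs through cmd.exe, so the pipe
# and the findstr filter appear in cmd.exe's own command line.
WLAN_PROFILE_RE = re.compile(r"netsh(?:\.exe)?\s+wlan\s+show\s+profile", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    image: str          # path of the new process
    parent_image: str   # path of the process that spawned it
    command_line: str


def is_self_delete_chain(command_line):
    """True when a single command line carries every marker of the chain."""
    low = command_line.lower()
    return all(marker in low for marker in SELF_DELETE_MARKERS)


def is_wlan_profile_enum(command_line):
    """True for 'netsh wlan show profile', with or without a profile name."""
    return WLAN_PROFILE_RE.search(command_line) is not None


def classify(events):
    """Return (rule, image, parent_image) for every event matching a rule.

    The parent image is kept because, for this stealer, the interesting
    parent is the stub itself rather than an interactive shell.
    """
    hits = []
    for ev in events:
        if is_self_delete_chain(ev.command_line):
            hits.append(("self_delete_chain", ev.image, ev.parent_image))
        elif is_wlan_profile_enum(ev.command_line):
            hits.append(("wlan_profile_enum", ev.image, ev.parent_image))
    return hits


# Constructed sample events (not real telemetry); "stub.exe" is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\cmd.exe",
        parent_image=r"C:\Users\alice\AppData\Local\Temp\stub.exe",
        command_line=r'cmd.exe /c chcp 65001 & ping 127.0.0.1 & DEL /F /S /Q /A "C:\Users\alice\AppData\Local\Temp\stub.exe"',
    ),
    ProcEvent(
        image=r"C:\Windows\System32\cmd.exe",
        parent_image=r"C:\Users\alice\AppData\Local\Temp\stub.exe",
        command_line=r"cmd.exe /c netsh wlan show profile | findstr All",
    ),
    ProcEvent(  # benign: a user pinging loopback from an interactive shell
        image=r"C:\Windows\System32\PING.EXE",
        parent_image=r"C:\Windows\System32\cmd.exe",
        command_line=r"ping 127.0.0.1",
    ),
    ProcEvent(  # benign
        image=r"C:\Windows\System32\notepad.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r"notepad.exe notes.txt",
    ),
]

if __name__ == "__main__":
    for rule, image, parent in classify(SAMPLE_EVENTS):
        print(f"{rule}: {image} (parent {parent})")
```

The self-delete rule is the higher-fidelity of the two; "netsh wlan show profile" is also run by administrators, so treat that hit as a pivot for reviewing the parent process rather than as an alert on its own.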

Thread[1] (Gaming)

  • Get the Steam directory by opening the registry key “Software\Valve\Steam”.
  • If that succeeds, retrieve the value with the name “UvgcoRcvj”.
  • Get a file list from the directory with search pattern “ssfn*”, using search option value (0), which includes only the current directory in the search.
  • The data of each matching file in the Steam directory will be stored in a “Gaming\Steam\<file name>” file.
  • Get a file list from the directory with search pattern “config\*vdf”, using search option value (0) (current directory only).
  • Each matching file in the Steam directory will be stored in a “Gaming\Steam\eqphki <file name>” file.
  • Get an array of directories on the system with search pattern “Twitch*”, using search option value (0) (current directory only).
  • Get a file list from each directory with search pattern “Electron9\Cookies”, using search option value (0) (current directory only).
  • Each matching file will be stored in a “Gaming\<directory name>\Fmfduspo:\<file name>” file.
  • Set up the path to the OBS directory “C:\Users\<user>\AppData\Roaming\obs-studio\basic\profiles”.
  • Get a file list from the directory with search pattern “*.*”, using search option value (1), which includes the current directory and all its subdirectories in the search (this option also follows reparse points such as mounted drives and symbolic links).
  • Each matching file will be stored in a “Gaming\ObsStudio\<directory name>\<file name>” file.
  • Set up the path to the OBS directory “C:\Users\<user>\AppData\Roaming\slobs-client\Local Storage\leveldb”.
  • Get a file list from the directory with search pattern “*.l??”, using search option value (0) (current directory only).
  • Each matching file will be stored in a “Gaming\StreamlabsOBS\Local Storage\leveldb\<file name>” file.

Thread[2] (FTP)

  • Search for the files “sitemanager.xml” and “recentserver.xml” in the path “C:\Users\<user>\AppData\Roaming\Filezilla\”.
  • The data from these files will be stored in “FTP\FileZilla\Servers.txt”.
  • Open registry subkey “Software\Martin Prikryl\WinSCP 2\Sessions” to get the sessions.
  • Get the values of “HostName”, “UserName” and “Password” for each session.
  • Decrypt the password for each session.
  • The credentials will be stored in “FTP\WinSCP\Servers.txt”.
  • Open registry subkey “Software\FTPWare\CoreFTP\Sites” to get the sites.
  • Get the values of “Host”, “Port”, “User” and “PW” for each site.
  • Decrypt the password with the key “hdfzpysvpzimorhk”.
  • The credentials will be stored in “FTP\CoreFTP\Servers.txt”.
  • Get the file “session-store.json” from the Snowflake path “C:\Users\<user>\snowflake-ssh\” and parse it to get the hosts, ports, usernames, passwords and folders; Snowflake stores the password in clear text.
  • The credentials will be stored in “FTP\Snowflake\Servers.txt”.

Thread[3] (VPN)

  • Get the path to the NordVPN directory “C:\Users\<user>\AppData\Local\NordVPN”.
  • Search for the “user.config” file in all subdirectories.
  • Decode the data from base64.
  • The credentials will be stored in the “VPN\NordVPN\Account.txt” file.
  • Open registry key “Software\EarthVPN”.
  • Get the “SavePass” value.
  • The credentials will be stored in the “VPN\EarthVPN\Account.txt” file.
  • Open registry key “Software\Windscribe”.
  • Get the subkey names (Installer, Windscribe, Windscribe2).
  • Get the “userId” and “authHash” values from the “Windscribe” subkey.
  • Get the “userId” and “authHash” values from the “Windscribe2” subkey.
  • The credentials will be stored in the “VPN\WindscribeVPN\Account.txt” file.
  • Get the path to the AzireVPN directory “C:\Users\<user>\AppData\Local\AzireVPN”.
  • Search for the file “token.txt” and read the data from it.
  • The credentials will be stored in the “VPN\AzireVPN\Account.txt” file.

Thread[4] (Browsers)

  • Browsers:
  • Enumerated Information:

Thread[5] (Messengers)

  • Get the Telegram process name.
  • Get the Telegram directory “C:\Users\<user>\AppData\Roaming\Telegram Desktop\tdata”; if it is not found, open registry key “Software\Classes\tdesktop.tg\DefaultIcons1” and get the directory path from there.
  • Get a file list from the directory with search pattern “*s”, using search option value (0), which includes only the current directory in the search.
  • Get a list of all directories.
  • Get a file list from each directory with search pattern “map?”, using search option value (0) (current directory only).
  • Each file found will be written as a “Messengers\Telegram\<file name>” file.
  • Get two sets of regex:
  • Create an array list with (Discord, Discord PTB, Discord Canary).
  • Get the file “C:\Users\<user>\AppData\Roaming\Discord\Local State”, which holds an encrypted key, and decode it from base64.
  • Get directory “C:\Users\<user>\AppData\Roaming\Discord\Local Storage\leveldb”.
  • Get a file list from the directory with search pattern “*.l??”.
  • Get directory “C:\Users\<user>\AppData\Roaming\Discord PTB\Local Storage\leveldb” and repeat the steps above.
  • Get directory “C:\Users\<user>\AppData\Roaming\Discord Canary\Local Storage\leveldb” and repeat the steps above.
  • The credentials will be stored in the “Messengers\Discord\Tokens.txt” file.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\.purple”.
  • Get file “accounts.xml”.
  • The credentials will be stored in the “Messengers\Pidgin\Accounts.txt” file.
  • Open subkeys:
  • Get (“IMAP Password”, “POP3 Password”, “HTTP Password”, “SMTP Password”) and decrypt the passwords.
  • The credentials will be stored in the “Messengers\Outlook\Accounts.txt” file.
  • Open subkey “SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command” to get the FoxMail directory path.
  • Get file “C:\FoxMail7.2\Storage” to enumerate credentials.
  • Decrypt the credentials.
  • The credentials will be stored in the “Messengers\FoxMail\Accounts.txt” file.
  • Get path to directory “C:\Users\<user>\AppData\Local\Mailbird\Store”.
  • Get file “Store.db” from the directory, which is in SQLite format.
  • Get the table named “OAuth2Credentials” from the file for enumeration.
  • The credentials will be stored in the “Messengers\MailBird\Accounts.txt” file.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\ViberPC”.
  • Enumerate the directory and its subdirectories for files with search pattern “*.db”.
  • The files will be stored as “Messengers\Viber\<directory name>\<file name>”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\WhatsApp\Local Storage\leveldb”.
  • Enumerate the directory and its subdirectories for files with search pattern “*.l??”.
  • The files will be stored as “Messengers\WhatsApp\Local Storage\leveldb\<file name>”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\Signal”.
  • Get file “config.json”.
  • Get subdirectory “sql”.
  • The config file will be stored as “Messengers\Signal\config.json”.
  • The database file will be stored as “Messengers\Signal\sql\db.sqlite”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\rambox”.
  • Get file “config.json”.
  • Get subdirectory “Partitions”.
  • The config file will be stored as “Messengers\Rambox\config.json”.
  • For each partition directory, get the “Cookies” file.
  • Cookies files will be stored as “Messengers\Rambox\<directory name>\Cookies”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\rambox\Partitions\Local Storage\leveldb”.
  • Enumerate the directory with search pattern “*.l??”.
  • Each file will be stored as “Messengers\Rambox\Partitions\<directory name>\Local Storage\leveldb\<file name>”.

Thread[6] (Wallets)

  • Get path to directory “C:\Users\<user>\AppData\Roaming\Binance”.
  • Get a file list from the directory with search pattern “*-stor*.json”, using search option value (0), which includes only the current directory in the search.
  • The search pattern matches “app-store.json” and “simple-storage.json”.
  • The credentials will be stored as “Wallets\Binance\<file name>”.
  • Open registry subkey “SOFTWARE\monero-project\monero-core”.
  • Get the wallet directory path from the subkey.
  • Get all files with search pattern “*.*”.
  • Files will be stored as “Wallets\MoneroCore\<directory name>\<file name>”.
  • Open registry subkey “SOFTWARE\Bitcoin\Bitcoin-Qt”.
  • Get the wallet directory path.
  • Get files with search pattern “*wallet*dat”.
  • Files will be stored as “Wallets\BitcoinCore\<file name>”.
  • Open registry subkey “SOFTWARE\Dash\Dash-Qt”.
  • Get the wallet directory path.
  • Get files with search pattern “*wallet*dat”.
  • Files will be stored as “Wallets\DashcoinCore\<file name>”.
  • Open registry subkey “SOFTWARE\Dogecoin\Dogecoin-Qt”.
  • Get the wallet directory path.
  • Get files with search pattern “*wallet*dat”.
  • Files will be stored as “Wallets\DogecoinCore\<file name>”.
  • Open registry subkey “SOFTWARE\Litecoin\Litecoin-Qt”.
  • Get the wallet directory path.
  • Get files with search pattern “*wallet*dat”.
  • Files will be stored as “Wallets\LitecoinCore\<file name>”.
  • Search for directories with search pattern “*Electr*”.
  • Search each directory for the file “@lkcfd”.
  • If the file is found, get the value of its “recently_open” element.
  • Each file will be stored as “Wallets\<directory name>\<file name>”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\Exodus\exodus.wallet\”.
  • Search for the file “exodus.conf.json”.
  • The file will be stored as “Wallets\Exodus\exodus.wallet\exodus.conf.json”.
  • Get a file list from the directory with search pattern “*.seco”, using search option value (0) (current directory only).
  • Each file will be stored as “Wallets\Exodus\exodus.wallet\<file name>”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\atomic\Local Storage\leveldb”.
  • Get a file list from the directory with search pattern “*.l??”.
  • Each file will be stored as “Wallets\Atomic\Local Storage\leveldb\<file name>”.
  • Check whether the “SOFTWARE\TONWallet” registry key exists.
  • Search for the “data” directory.
  • Look for the “tonlib_log.txt” file in it.
  • Check whether a “db” directory exists in the TON Wallet directory.
  • Files in the “db” directory will be stored as “Wallet\TonWallet\<file name>”.
  • Check whether a “lib” directory exists in the TON Wallet directory.
  • Files in the “lib” directory will be stored as “Wallet\TonWallet\<file name>”.
  • Get the file named “salt”.
  • The file will be stored as “Wallet\TonWallet\salt”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb”.
  • Get all files in the directory and store them as “Wallets\JaxxClassic\<file name>”.
  • Get path to directory “C:\Users\<user>\AppData\Local\Coinomi\Coinomi\wallets”.
  • Get a file list from the directory with search pattern “*.wallet”, using search option value (0) (current directory only).
  • Each file in the directory will be stored as “Wallets\Coinomi\<file name>”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\Daedalus Mainnet\wallet”.
  • Get a file list from the directory with search pattern “*.sqlite”, using search option value (0) (current directory only).
  • Each matching file will be stored as “Wallets\Daedalus\<file name>”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\Zcash”.
  • Get a file list from the directory with search pattern “*wallet*dat”, using search option value (0) (current directory only).
  • Each matching file will be stored as “Wallets\Zcash\<file name>”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\Guarda\Local Storage\leveldb”.
  • Get a file list from the directory with search pattern “*.l??”, using search option value (0) (current directory only).
  • Each matching file will be stored as “Wallets\Guarda\Local Storage\leveldb\<file name>”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\WalletWasabi\Client\Wallets”.
  • Get a file list from the directory with search pattern “*.json”, using search option value (0) (current directory only).
  • Each matching file will be stored as “Wallets\Wasabi\<file name>”.

Thread[7] (PasswordManagers)

  • Get path to directory “C:\Users\<user>\AppData\Roaming\Bitwarden”.
  • Get a file list from the directory with search pattern “data*.json”, using search option value (0), which includes only the current directory in the search.
  • Each matching file will be stored as “PasswordManagers\BitWarden\<file name>”.
  • Get path to file “C:\Users\<user>\AppData\Roaming\KeePass\KeePass.config.xml”, which applies to versions before “2.51.1”.
  • Load the XML file and get the “ConnectionInfo” element, which holds the path to the database file “Database.kdbx”.
  • Store the file as “PasswordManagers\KeePass2\databases”.
  • Get the “KeyFilePath” element, which holds the path to the key file.
  • Store the file as “PasswordManagers\KeePass2\keys”.
  • Get path to file “C:\Users\<user>\AppData\Local\KeePassXC\keepassxc.ini”.
  • Initialize the regex string “LastDatabases=(.*?)\n” to parse information from it.
  • Store the data as “PasswordManagers\KeePassXC\<filename>”.
  • Get path to directory “C:\Users\<user>\AppData\Roaming\NordPass”.
  • Get a file list from the directory with search pattern “*.conf”.
  • Each matching file will be stored as “PasswordManagers\NordPass\<file name>”.
  • Get path to directory “C:\Users\<user>\AppData\Local\1Password\data”.
  • Get a file list from the directory with search pattern “*.sqlite”.
  • Each matching file will be stored as “PasswordManagers\1Password\data\<file name>”.
  • Get path to directory “C:\Users\<user>\AppData\Local\RoboForm\Profiles”.
  • Get a file list from the directory with search pattern “*.rfo”.
  • Each matching file will be stored as “PasswordManagers\RoboForm\<file name>”.

Thread[8] (Grabber)

  • Desktop.
  • Documents.
  • AppData\Roaming\DropBox.
  • AppData\Roaming\OneDrive.
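Threads 1 to 8 above all read files that belong to unrelated applications, and that breadth is the detection opportunity: one process reading a Steam ssfn file, a FileZilla sitemanager.xml, a KeePass config and an Exodus wallet within a short window looks like nothing a legitimate program does. The following is an added example (not code from the write-up or the sample) that correlates file-access events per process against the artifact paths enumerated in the thread descriptions. The glob patterns are taken from those descriptions, the events are constructed, and the event shape (pid, image, path) is an assumption about your telemetry.

```python
"""File-access correlation for the artifact paths enumerated in Threads 1 to 7.

Added example, not from the write-up: flags a process that reads credential
artifacts from several unrelated application families. Path patterns are
taken from the thread descriptions; the events below are constructed.
"""
import fnmatch
from collections import defaultdict

# Glob patterns (lower-case, backslash paths) grouped by the stealer's own
# output folders. fnmatch's '*' also crosses '\', which is what we want here.
ARTIFACT_PATTERNS = {
    "gaming": [
        r"*\steam\ssfn*",
        r"*\steam\config\*.vdf",
        r"*\obs-studio\basic\profiles\*",
        r"*\slobs-client\local storage\leveldb\*",
    ],
    "ftp": [
        r"*\filezilla\sitemanager.xml",
        r"*\filezilla\recentserver*.xml",
        r"*\snowflake-ssh\session-store.json",
    ],
    "vpn": [
        r"*\nordvpn\*user.config",
        r"*\azirevpn\token.txt",
    ],
    "messengers": [
        r"*\telegram desktop\tdata\*",
        r"*\discord*\local state",
        r"*\discord*\local storage\leveldb\*.l??",
        r"*\.purple\accounts.xml",
        r"*\signal\config.json",
        r"*\signal\sql\db.sqlite",
        r"*\mailbird\store\store.db",
    ],
    "wallets": [
        r"*\exodus\exodus.wallet\*",
        r"*wallet*dat",
        r"*\atomic\local storage\leveldb\*",
        r"*\coinomi\coinomi\wallets\*.wallet",
        r"*\walletwasabi\client\wallets\*.json",
    ],
    "password_managers": [
        r"*\bitwarden\data*.json",
        r"*\keepass\keepass.config.xml",
        r"*\keepassxc\keepassxc.ini",
        r"*\nordpass\*.conf",
        r"*\1password\data\*.sqlite",
        r"*\roboform\profiles\*.rfo",
    ],
}


def categorize(path):
    """Return the artifact category a path belongs to, or None."""
    low = path.lower()
    for category, patterns in ARTIFACT_PATTERNS.items():
        if any(fnmatch.fnmatchcase(low, pat) for pat in patterns):
            return category
    return None


def find_multi_category_readers(events, threshold=3):
    """Map pid -> (image, sorted categories) for processes that touched at
    least `threshold` distinct artifact categories. A game launcher or a
    password manager reads its own files (one category); a stealer reads many.
    """
    touched = defaultdict(set)
    images = {}
    for pid, image, path in events:
        category = categorize(path)
        if category:
            touched[pid].add(category)
            images[pid] = image
    return {pid: (images[pid], sorted(cats))
            for pid, cats in touched.items() if len(cats) >= threshold}


# Constructed file-read events (pid, image, path); "stub.exe" is a placeholder.
SAMPLE_EVENTS = [
    (4242, "stub.exe", r"C:\Users\alice\AppData\Roaming\FileZilla\sitemanager.xml"),
    (4242, "stub.exe", r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C\map0"),
    (4242, "stub.exe", r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    (4242, "stub.exe", r"C:\Users\alice\AppData\Roaming\KeePass\KeePass.config.xml"),
    (4242, "stub.exe", r"C:\Users\alice\AppData\Local\NordVPN\1.2.3\user.config"),
    (4242, "stub.exe", r"C:\Program Files (x86)\Steam\config\loginusers.vdf"),
    (1300, "steam.exe", r"C:\Program Files (x86)\Steam\ssfn1234567890"),
    (2100, "KeePass.exe", r"C:\Users\alice\AppData\Roaming\KeePass\KeePass.config.xml"),
    (3000, "notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for pid, (image, cats) in find_multi_category_readers(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({image}) read {len(cats)} artifact categories: {cats}")
```

In production the events should be bucketed by a time window as well as by pid; the stealer runs all of its threads at once, so a window of a minute or two is enough, and the threshold can be raised if legitimate backup or sync software on your estate touches several of these folders.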

Back to Main method:

0xM3H51N

Malware Analyst & Reverse Engineer