Keylogger Malware Analysis

John Hammond · Beginner ·🔐 Cybersecurity ·7mo ago

Key Takeaways

The video analyzes keylogger malware written in PowerShell with B64 encoding, using tools like Tor and wind32 API, and demonstrates how to decode and analyze the malware in a lab environment.

Full Transcript

This is a teeny tiny piece of malware. It's a key logger written in PowerShell. Granted, you might not be able to make too much sense of it right now because it's all encoded. It's B64 encoding, just a different representation of the data, but inside of my Kali Linux virtual machine, I can open up a terminal with Ctrl Alt T, F11 to full screen, and zoom in a little bit so the text is bigger for us. And if I were to use a simple command that's accessible like B 64 and -ash D to decode, we could actually redirect in this entire payload just as a string. We could use single quotes or double quotes back to our B 64 blob. We could start to highlight, select, and copy this entire thing and then just paste it into the B 64 command. And it will then spit out the actual PowerShell. There's a lot here, so I'll zoom out. And actually, we could redirect that to a file. Now, this is much more readable PowerShell code. There are a couple parameters defined at the top as to what it could take for arguments or options with some defaults for server address, server port, proxy address, and proxy port. Looks like they're using an onion address, a little bit clever, using some communication over tour, the onion router, or all those dark web things, and an IP address for a proxy address and the ports associated. 9050 is the usual proxy port for the onion router or tour. So that's cool. Down below though, they actually pour in a little bit of C sharp. Now this is the real power with PowerShell, right? Is that you could always call back to other managed code. This is all defined as a string. Of course, in the quotes here, you can see all the yellow text. And they use the add type commandlet to have this functionality accessible even in the rest of the PowerShell code they might use. It looks like this is a stub just to be able to make the connection to the proxy. And there are some other functions defined like cap-sc reading in some other assemblies that they use. Presumably, it's going to grab the width and height of your computer screen, take a screenshot, and then save it to a file with a random temporary name. They save that file, return it for the function value, and that's that. They have some other convenience functions to encode and decode B 64 data, execute a command in memory with the invoke expression commandlet, basically eval. And some other functions to get system info. Really just retrieving different environment information like the operating system, host name, running username, and their IP address. Down beneath that though, we see the functionality for our key logger. Couple global variables for whether or not the key logger is active and what keys we have captured. And there is a start key logger function looks like this. Uses even more C syntax to kind of pull in other DLS or dynamic link libraries. Now these are wind32 API functions that they might be able to call things specific to the core of Windows maybe some methods like get async key state, get keyboard state, map virtual key to unicode. So what they do is they define these function delegates kind of like a prototype as to how you would invoke that function. They use this signature variable with the dollar sign prefix as part of a now API variable where they're using add type once again to pull in a little bit more of that power. Then it starts a job. That means it can run asynchronously. It's not going to block or wait for further things to happen, but it is going to infinitely loop with the while true condition. sleeps for about 40 milliseconds and then tries to loop through all of these asy values. Beginning with the number nine less than or beginning with the number nine, while it's less than or equal to 254, it checks the key state like each and every one of the keys on your keyboard. It basically determines it checks if based off the keyboard state that keyboard key is pressed and if it is then it ends up adding that to a key log.ext file. They hide that in your temporary directory based off the environment variable, but it is writing and logging all of the keys that are pressed. A key logger, other convenience functions to stop the key logger based off that job, checking for key log data based off of that key log.ext file, and then the functionality to make the connections where it would actually try to exfiltrate this out to their command and control like the server address that we saw in those variables. It looks like it's actually able to read some info from that C2 server. So, it could provide other commands whether or not it'll exit, stop the running program, stop the key logger, or take a screenshot or even run or execute other PowerShell commands or shell commands. Then there's other rat or remote access Trojan functionality like upload and download files or of course start the key logger. There is even another cutesy persist command apparently but it doesn't do anything yet. Uh there are some notes and a comment here literal PowerShell comments implement the logic for persistence as necessary. Uh that will need to be done I guess in the future like that's a to-do. There aren't any actual persistence mechanisms implemented in this. It just runs forever asynchronously with PowerShell jobs. It'll keep trying to connect to or establish a connection with the provided arguments, server address, proxy address, and it does this over and over and over again every minute. So, tiny little sliver of malware, right? A PowerShell key logger. But let me tell you, this PowerShell malware sample actually came from another awesome online cyber security training and learning environment. This came from Let's Defend. It's their PowerShell key logger module. And while you're getting smarter and sharper in your whole cyber security career journey in the industry, they give you this prompt. Look, say you're a malware analyst investigating a suspected PowerShell malware sample. Just as we saw, the malware is designed to establish a connection with remote server, execute different commands, and potentially exfiltrate data. We want to figure out what it's doing and how it's doing it. And for your learning, Let's Defend gives you a handful of questions to check your understanding and work through this module, this challenge, and this lesson. And in case you haven't seen the news recently, Let's Defend actually joined Hack the Box, another awesome cyber security training, cyber range labs, and exercises to get better, sharper in your cyber security career. Let's Defend officially signed the agreement to be acquired by Hack the Box, but Let's Defend has always been about blue team training. They love to focus on the security operation center or the sock. So, let's defend built out a simulated security operation center and whole environment that offers that hands-on realistic training. And Hack the Box does have some blue team and defensive focused content, but they always seem to lean a little bit more towards the offensive security. So, this is pretty awesome. Big congrats to both teams. This is a community milestone. I really like how they put that. But I realized I don't think I've showcased a lot of Let's Defend before in other videos. I've never gotten a chance to show off some of the sweet stuff that they have. So, I'm here on their website and there'll be a link below in the video description if you wanted to follow along. But, they love to showcase education in a path. Give you something where you could move from one A to B, from one step and then the next and then another, and then all the things that make progress, make some momentum, and help you keep moving along in your career. Let me show you some of these paths. There are a lot of them and this is awesome. Making a career switch into cyber security. Maybe learning specifically digital forensics, incident response, security information event management, programming, AWS, Google, malware analysis, and the sock analyst learning path. I know a lot of folks probably going to see a lot of jobs in the security operations center. So, there's a lot to cover here. Learn the technical skills necessary for a career in the security operations center. and they break it down, give you the fundamentals, tell you about all the things you need to know. And then it's awesome because you'll have questions, quizzes, challenges, practice labs, and environments all along the way. And by the way, from their learn section, you could, of course, drill down into any of the specific courses or lessons or challenges or quizzes. And they have this all accessible for you. And you could easily right up at the very top, we could toggle or use any filters that we might like for any job that you're interested in, like a security analyst, like an instant responder, like a detection engineer. Like this is all to help jumpstart you on your work. If you wanted to follow along or even try some more of these on your own, different challenges, different courses, different education paths, lessons, quizzes, even some prep for different certifications, look, there's a link in the video description. And of course, Let's Defend is always offering a sweet free tier, but of course, there is an awesome Black Friday deal where they're doing 50% off, literally half off. That discount code is Black Friday with the A and I letters removed. AI removed. I like that. You can use that for VIP, VIP Plus, and I believe there is even toggling that to monthly. You could use Black Friday 35. So, you could get either a monthly or annual plan if you are a student. However, they already always offer a 50% discount for students, which is wild. They verify with your student email address and then you could get 50% off and 50% off Black Friday based off of the student discount code and the Black Friday deals. Kind of neat. I also have my own sweet little discount code. If you were going to snag an annual plan, you could use a discount code. And let me uh rightclick, change the text here. You'll be fine. John55. That one will get you 55% off an annual plan. And I believe that's active for at least I think two weeks after this video releases. So, please jump at it. And they have a full-blown security operation center like sock simulation. If you jump over to the practice tab, you can see in the monitoring section I'm in all these different alerts with their severity, with their details. Maybe we could drill down into anything that we're curious about and understand a little bit more as to what would we go triage and analyze and understand what to track down next. If you wanted to see even more telemetry, the log management section shows you all the different things that it could pull some info from and of course drill down into this. So you've got a similar interface to what you're probably going to be working with in the real security operation center, even making up different cases for specific incidents, looking at things from a specific endpoint. And this is really cool. We could actually drill down into, hey, what's happening on the SharePoint server? What's going down on any of the other boxes that we really want to see? what processes are running where and when and how. Toggle that to network action, terminal history, maybe browser history, all the things that help triage and analyze in an incident. Here I jumped over to the email security section and maybe we're getting an idea for oh some of the threats, some of the other info that could come through. And these are all things just to get you acquainted and familiar with what's the security operation center analyst like daily routine. So that could help in different interviews or different employment opportunities out there for your career. Looking at indicators of compromise, working inside of a sandbox, you could even spin up these labs, which is super cool. Well, this one spins up. In fact, you might have noticed the PowerShell key logger that we started with actually includes its own lab environment as part of the challenge. And we'll roll through a little capture here. Once that is done, then we'll spin up our own machine. So you don't have to download anything when you're walking through any of the Let's Defend material. It's all in the browser and makes it super easy to spin up. All right. So my lab has spun up and we can see we can interact with a Windows virtual machine here. I do have the challenge file or the folder on my desktop. And that was the sample sevenzip that we could go ahead and extract. Might as well extract it here. The password they told us above was infected. Just the usual malware sample standard password. And this file cha or chaw was that PowerShell key logger that we were exploring. Opening this with Notepad++. Yep. Exact same syntax that we saw previously. Wasn't B 64 encoded. I just kind of put that in so we have a little bit more cutesy fireworks for the start of the video. Whatever, you know. So, let's roll through some of the questions here. It asks, what is the proxy port used by the script? Well, we saw 9050. Correct. Excellent. That's correct. What function method is used for starting the key logger? Well, I think that was pretty simply called start key logger. Right, submit that. Correct. What is the name of the file used by the script to store the key log data? We saw that in like the temporary directory under the file name key log.ext, I believe. What is the command used by the script to achieve persistence? Uh, we saw that in like the strings that were kind of interpreted based off of what the command and control or C2 server sent us, right? It was persist. Yep. Did I get the other one above? Good. What is the command used by the script to upload data? I think that was just upload. Okay. So, small simple stuff getting us grooving here. Oh, you're very close to the right answer. What did I miss? Looking back at this syntax, I could have sworn it was upload. What am I misremembering? Oh, there's a colon at the end. That's all. Is that all it needs? Upload colon. How about that? Yeah. What is the reax or the regular expression used by the script to filter IP addresses? Oh, I remember seeing that. But we do have a get unstuck option here in case you ever needed a little bit more help. Or a hint, you could ask in the forum or in Discord or even just click the button. Oh, view the hint for this question. Focus on the script section that checks for specific IP ranges. Okay, we saw that previously, didn't we? Yeah, it was in the beginning for get system info. This function here, they use this PowerShell command get net IP address where the address family is equal to IPv4 and the address does not match this regular expression. So, special magic syntax carrot symbol for the very start of a string. Inside of parenthesis, we have a group where there are options. The first option is a 127 literal characters and a backslash to escape out a dot or a period for literal representation of a dot. And then 169 dot literal 254 literal dot. So it's this this is the regular expression that we're looking for. But that's to determine oh is this a local IP address or something kind of like within the network. Let's go ahead and paste that there. Good. What is the DL imported by the script to call key logging APIs? Oh, we saw that in the start key logger function just the very beginning. That was that user 32.dll like the dynamic link library, right? That is the Windows natural installed library that's part of the file system, part of your path. They could import it easily with this little header DLL import and user 32. DLL is the answer that we want. Good. How many seconds does the script wait before reestablishing connection? Wasn't it just 40? But it was like 40 milliseconds, right? Am I misremembering? It tries to establish a connection, but the actual call for that is here in that main loop. Yeah. Okay. No, just 60 seconds. It's It's a minute. I was looking at like 40. I could have sworn it was milliseconds. Yeah. Okay. Different part of the code. The establish connection down here. Start sleep for 60 seconds. So 60. How about that? All right. We did it. All righty. Simple showcase today. Just a little PowerShell malware, PowerShell key logger that still ties itself back to some sweet learning, more education that you might be able to take some good advantage of during the holiday season. Hope you snag that Black Friday deal. Hope you go check out Let's Defend. Big congrats to them on the acquisition and joining up with Hack the Box. Super cool stuff. Please do give them some love. Link below in the video description. Thanks so much for watching. I'll see you in the next video.

Original Description

https://jh.live/letsdefend || Snag the LetsDefend (now part of Hack The Box!) Black Friday discounts, and you can use code JOHN55 for 55% off! https://jh.live/letsdefend Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training See what else I'm up to with: https://jh.live/newsletter ℹ️ Affiliates: Learn how to code with CodeCrafters: https://jh.live/codecrafters Host your own VPN with OpenVPN: https://jh.live/openvpn Get Blue Team Training and SOC Analyst Certifications with CyberDefenders: https://jh.live/cyberdefense
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from John Hammond · John Hammond · 0 of 60

← Previous Next →
1 Code Commentaries? PHP to JavaScript in Bash and PHP!
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
2 Tutorials? MySQL connection with PHP and Bash!
Tutorials? MySQL connection with PHP and Bash!
John Hammond
3 Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
4 JavaScript Splits The URL!
JavaScript Splits The URL!
John Hammond
5 HTML Tables in Python!
HTML Tables in Python!
John Hammond
6 HTML, Net Shares, GML!
HTML, Net Shares, GML!
John Hammond
7 Python 08 Programming Style and Comments
Python 08 Programming Style and Comments
John Hammond
8 Python 26 Object Oriented Programming
Python 26 Object Oriented Programming
John Hammond
9 75 Python Tutorials, Out Now!
75 Python Tutorials, Out Now!
John Hammond
10 Batch 14 Mathematical Expressions
Batch 14 Mathematical Expressions
John Hammond
11 Batch 85 Array Append
Batch 85 Array Append
John Hammond
12 Batch 86 Array Count
Batch 86 Array Count
John Hammond
13 Batch 87 Array Index
Batch 87 Array Index
John Hammond
14 Batch 88 Array Insert
Batch 88 Array Insert
John Hammond
15 Batch 89 Array Remove
Batch 89 Array Remove
John Hammond
16 Batch 90 Array Reverse
Batch 90 Array Reverse
John Hammond
17 Python [colorama] 00 Installing on Linux
Python [colorama] 00 Installing on Linux
John Hammond
18 Python [colorama] 09 Cursor Position
Python [colorama] 09 Cursor Position
John Hammond
19 Python [hashlib] 02 Algorithms
Python [hashlib] 02 Algorithms
John Hammond
20 Python 00 Installing IDLE on Linux
Python 00 Installing IDLE on Linux
John Hammond
21 Python [pygame] 11 Rectangular Collision Detection
Python [pygame] 11 Rectangular Collision Detection
John Hammond
22 Python [pygame] 12 Platforming Rectangular Collision Resolution
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
23 Python [XML-RPC] 01 Research
Python [XML-RPC] 01 Research
John Hammond
24 Python [pyenchant] 03 Personal Word Lists
Python [pyenchant] 03 Personal Word Lists
John Hammond
25 FancyURLopener Authentication and User-Agent [urllib] 03
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
26 Python 04: PEP8 Coding
Python 04: PEP8 Coding
John Hammond
27 Python Challenge! 17 COOKIES
Python Challenge! 17 COOKIES
John Hammond
28 Google CTF 2016: Ernst Echidna
Google CTF 2016: Ernst Echidna
John Hammond
29 Google CTF 2016: Spotted Quoll
Google CTF 2016: Spotted Quoll
John Hammond
30 Google CTF 2016: Can you Repo It?
Google CTF 2016: Can you Repo It?
John Hammond
31 Google CTF 2016: No Big Deal
Google CTF 2016: No Big Deal
John Hammond
32 Google CTF 2016: In Recorded Conversation
Google CTF 2016: In Recorded Conversation
John Hammond
33 Homemade CTF Challenge: 01 "Orchestra"
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
34 Homemade CTF Challenge: 02 "Bae's Base"
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
35 Homemade CTF Challenge: 03 "Web Hunt"
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
36 Homemade CTF Challenge: 04 "UPX"
Homemade CTF Challenge: 04 "UPX"
John Hammond
37 Homemade CTF Challenge: 05 "The Assumption Song"
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
38 Homemade CTF Challenge: 06 "A Brisk Stroll"
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
39 Homemade CTF Challenge: 06 "I lost my password!"
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
40 web25 :: Mr. Robot : EKOPARTY CTF 2016
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
41 web50 : RFC 7230 :: EKOPARTY CTF 2016
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
42 misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
43 Hack The Vote 2016 CTF: Sander's Fan Club [web100]
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
44 Hack The Vote 2016 CTF Warpspeed [forensics150]
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
45 Juniors CTF 2016 :: Black Suprematic Square
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
46 Juniors CTF 2016 :: Six Strange Tales
Juniors CTF 2016 :: Six Strange Tales
John Hammond
47 Juniors CTF 2016 :: Lost Code
Juniors CTF 2016 :: Lost Code
John Hammond
48 Juniors CTF 2016 :: Here Goes!
Juniors CTF 2016 :: Here Goes!
John Hammond
49 Juniors CTF 2016 :: Southern Cross
Juniors CTF 2016 :: Southern Cross
John Hammond
50 Juniors CTF 2016 :: Clone Attack
Juniors CTF 2016 :: Clone Attack
John Hammond
51 Juniors CTF 2016 :: Dirty Repo
Juniors CTF 2016 :: Dirty Repo
John Hammond
52 Juniors CTF 2016 :: Hackers Blog
Juniors CTF 2016 :: Hackers Blog
John Hammond
53 Juniors CTF 2016 :: Voting!!!
Juniors CTF 2016 :: Voting!!!
John Hammond
54 Juniors CTF 2016 :: The Good, The Bad and The Junkman
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
55 Juniors CTF 2016 :: Stop Thief!
Juniors CTF 2016 :: Stop Thief!
John Hammond
56 Juniors CTF 2016 :: ROFL
Juniors CTF 2016 :: ROFL
John Hammond
57 Juniors CTF 2016 :: Restriced Area
Juniors CTF 2016 :: Restriced Area
John Hammond
58 Juniors CTF 2016 :: Oh SSH!
Juniors CTF 2016 :: Oh SSH!
John Hammond
59 HackCon CTF 2017 TRIVIA and BONUS Challenges
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
60 HackCon CTF 2017 "Bacche" Challenges
HackCon CTF 2017 "Bacche" Challenges
John Hammond

This video teaches how to analyze keylogger malware written in PowerShell with B64 encoding, and demonstrates how to decode and analyze the malware in a lab environment. The video covers various tools and techniques used in malware analysis, including Tor, wind32 API, and PowerShell jobs.

Key Takeaways
  1. Decode B64 encoded malware using B64 command
  2. Redirect decoded payload to a file
  3. Use add type commandlet to call back to C# code
  4. Use wind32 API functions to get keyboard state and map virtual keys to unicode
  5. Start a job to run asynchronously and infinitely loop through keyboard keys
  6. Spin up virtual machine in browser without downloading anything
  7. Analyze indicators of compromise and work inside a sandbox
  8. Use regular expression to filter IP addresses in PowerShell script
💡 The keylogger malware uses PowerShell with B64 encoding to communicate over Tor and exfiltrate data, and can be analyzed and detected using various tools and techniques.

Related Reads

📰
How Does a Login System Verify You If the Salt is Always Random?
Learn how a login system verifies users despite using random salts for password hashing
Medium · Cybersecurity
📰
Top Certification Courses to Launch Your IT Career in 2026
Learn about top certification courses to launch your IT career in 2026 and stay ahead in the industry
Medium · Cybersecurity
📰
Penetration Testing, Explained Properly: How You Break Into a System to Prove It Can’t Be Broken…
Learn the basics of penetration testing, including its purpose, importance of permission, and the process of simulating a cyber attack to strengthen system security
Medium · Cybersecurity
📰
The Alert That Almost Everyone Ignores (Until It’s Too Late)
Learn to prioritize security alerts to avoid ignoring critical warnings
Medium · Python
Up next
NordVPN Vs ExpressVPN 2026 | Which VPN Should You Choose?
Tutorial Stack
Watch →