Trojan Enosch
File type: Win32 EXE
Let’s open it in ProtectionID:
From the imports, it seems the malware uses the Windows Crypto API:
Very interesting strings in the file:
Chilkat is a cross-language, cross-platform API providing 90+ classes for many Internet protocols, formats, and algorithms. Maybe the malware uses this library to get a high-level abstraction over them.
It’s possible Crypto API is used by
Based on SSMA there are two possible emails; maybe Chilkat is used to send emails.
Instead of running it in our sandbox, let’s use the hybrid-analysis report to guide the deeper analysis.
From the analysis, the malware uses the Run key as its persistence method and requests two domains:
I think that to get an idea of how the malware works we don’t even need to run it (debug it); just open it in IDA and disassemble it.
First, it checks the Run key and sets it if there is no
…then it executes two threads with the same start routine, sub_401710, and waits for them, that’s all:
Let’s see what’s inside
The malware loops until it has a working internet connection, then gets the list of drives:
After this, for each drive the malware searches for docx files and sends them to the attacker by mail; I renamed the function accordingly:
If the entry is a directory, the function is called recursively:
Check if file’s extension is
…and sends the file by mail. There are many unknown functions; maybe they come from the third-party library.
Yahoo mail and the GetComputerNameA function: after running with fakenet it seems that Yahoo is the recipient’s mail and the result of GetComputerNameA is the subject of the mail:
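As an added example that is not part of the original post, this Python triage helper looks for the chain of behaviours described above (Run key persistence, drive enumeration, reading .docx files, then a mail connection, with the hostname collected for the subject) in a sandbox API trace. The trace format, the hostnames and paths, and the Run key value name are all constructed for the example; nothing in it is taken from the sample.

```python
import re

# Constructed API trace (not captured from the sample) in a hypothetical
# "api(arg=value, ...)" one-call-per-line format, shaped like the behaviour the writeup describes.
SAMPLE_TRACE = """\
RegOpenKeyExA(key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)
RegSetValueExA(name=updater, value=C:\\Users\\victim\\AppData\\Roaming\\upd.exe)
CreateThread(start=0x401710)
GetLogicalDriveStringsA()
FindFirstFileA(path=C:\\*)
FindFirstFileA(path=C:\\Users\\victim\\Documents\\*)
CreateFileA(path=C:\\Users\\victim\\Documents\\report.docx)
GetComputerNameA()
connect(host=smtp.example.test, port=587)
"""
CALL_RE = re.compile(r"^(\w+)\((.*)\)$")
MAIL_PORTS = {"25", "465", "587"}  # SMTP, SMTPS, submission

def parse_trace(text):
    """Parse the trace into (api_name, {arg: value}) tuples, skipping malformed lines."""
    calls = []
    for m in filter(None, (CALL_RE.match(line.strip()) for line in text.splitlines())):
        args = dict(kv.split("=", 1) for kv in m.group(2).split(", ") if "=" in kv)
        calls.append((m.group(1), args))
    return calls

def triage(calls):
    """Return the writeup's behaviours observed in the trace; order of calls matters."""
    hits, run_key_open = set(), False
    for api, args in calls:
        if api.startswith("RegOpenKeyEx") and "\\CurrentVersion\\Run" in args.get("key", ""):
            run_key_open = True
        elif api.startswith("RegSetValueEx") and run_key_open:
            hits.add("run_key_persistence")  # value written under the Run key just opened
        elif api.startswith("GetLogicalDriveStrings"):
            hits.add("drive_enumeration")
        elif api.startswith("CreateFile") and args.get("path", "").lower().endswith(".docx"):
            hits.add("docx_access")
        elif api.startswith("GetComputerName"):
            hits.add("hostname_collection")  # used by the sample as the mail subject
        elif api == "connect" and args.get("port") in MAIL_PORTS and "docx_access" in hits:
            hits.add("smtp_after_docx")  # mail connection only counts after a .docx was read
    return hits

def verdict(hits):
    """Flag only the full chain: persist, enumerate drives, read .docx, connect to mail."""
    chain = {"run_key_persistence", "drive_enumeration", "docx_access", "smtp_after_docx"}
    return "docx-mail-exfiltration" if chain <= hits else "no match"
```

A mail connection on its own, or a hostname lookup on its own, does not trigger the verdict; only the ordered chain the sample shows does.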
That’s all. I’m new to reversing malware and any kind of feedback will be helpful for me.