-
Source: MalwareBazaar
Stage1
-
Notes:
-
Password + DNS
-
Virustotal Scan on DNS
-
Regedit + Antivirus check (?)
-
Entrypoint: .data
-
Only 2 .data sections (Where's the rest of the malware? Probably pulls a payload)
-
PEStudio Indicators
-
What's this? (Probably downloads due to synchro tag)
-
Tdb found in Ghidra after data with Thread Environment Block (TEB) data inside of it. Used [this](Navigating the Thread Environment Block _TEB | Tom's Reversing) to navigate the section
-
Teb size: 0x1000
-
Teb Version: 10.0 - 2004 (See table)
-
Capacart.dll download this?
-
Creates new Exe file; this is not the real executable
Stage 2
-
-
Notes:
-
[CartCapa Backdoor - JoeSandbox](Automated Malware Analysis Report for capacart.dll - Generated by Joe Sandbox)
-
Capacart.dll Backdoor - VirusTotal Scan
-
Stage 1 - Detonation
-
Notes:
-
Why does this change the help file?
-
Capacart.dll - New DLL file (File doesn't exist after finished)
Stage 2
-
-
Notes:
-
File system size keeps slightly randomly fluctuating after infection
-
After Reboot, this process stopped. Couldn't capture Capacart.dll
-
Solved this by running the original infected file with Admin privileges. It was an access denial problem due to not having elevated privileges
-
-
Finder of the original sample beat me to extracting the dll by around an hour: capacart.dll
-
Checksum Match
-
