This file contains only three bytes: meh. We would like to mention one file that is also created by the Meh dropper: At this stage it also removes its installation folder C:\programdata\intel\wireless. These processes are used by Meh for later PE injections. Specifically, it attempts to terminate several processes: But we will get to that later.įurthermore, the dropper also tries to clean up the environment from previous installations of the Meh password stealer, which we’ll discuss in depth in the next part of this blog series. pe.bin is an encrypted Meh password stealer binary. After these files are downloaded, they are saved into the C:\testintel2\ directory and the file 3 is executed (i.e.This binary is a very simple dropper written in Borland Delphi which makes several HTTP POST requests to the C&C server in order to download three additional files: MehCrypter dropperįrom the script described above, we can manually extract the binary. Note that up to this point, the crypter is very generic and we have seen at least five different families using it so far, with the most known being Agent Tesla and XMRig. First, let’s take a look at a snippet of what the actual crypter looks like from a high level view: But to get there, we need to chew through several layers of the MehCrypter. MehCrypterįirst and foremost, Meh is a password stealer/keylogger. We will focus on the password stealer in our next blog post. Nearly all of its functionalities are performed in subthreads, executed from injected processes. It is capable of stealing clipboard contents, keylogging, stealing cryptocurrency wallets, downloading additional files via torrents, and much more. The stealer is the core of the malware and holds many functionalities. The second part is a password stealer, called Meh. This string sequence is skipped by the AutoIt interpreter that scans for the magic bytes that determine the file format and effectively obfuscates the file without influencing its functionality. The first part is a crypter, we named MehCrypter, that consists of multiple stages, and is distributed as a compiled AutoIt script prepended with a randomly generated string sequence. In this blog series, we will describe how we peeled away at Meh’s obfuscation and what we found thereafter. It all started when we came across large amounts of files with randomly generated strings at their beginning, followed by a compiled AutoIt script… and what a ride it has been since. For some time now, we’ve been monitoring a new strain of malicious programs that we are referring to as “Meh” (we will explain why later on).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |