August 29th, 2017 By Malwarebytes Labs
In the previous part of the Kronos analysis, we took a look at the installation process of Kronos and explained the technical details of the tricks that Kronos uses in order to stay stealthy. Now we will move on to look at the malicious actions that Kronos can perform.
Analyzed samples
- ede01f7431543c1fef546f8e1d693a85 – downloader (a .doc with a malicious macro)
- 2a550956263a22991c34f076f3160b49 – main bot (packed)
Configuration and targets
Kronos is known as a banking Trojan. To enable and configure this feature, the bot may download an additional configuration file from its CnC. After being fetched, it is stored in the installation folder in encrypted form. (It is worth noticing that when the config is sent over the network it is encrypted using AES in CBC mode – but when it is stored on the disk, AES in ECB mode is used.)
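The difference between the two modes matters to an analyst: under ECB every identical 16-byte plaintext block produces an identical ciphertext block, so a stored config with repeating records shows visible repetition, whereas the CBC-encrypted copy on the wire does not. The following Go program is an added example and not code from the article or from the Kronos sample; the key, IV and the repeating "config" content are constructed stand-ins (the real key is not on this page), and it uses only the standard library's crypto/aes and crypto/cipher.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed demo key (32 bytes -> AES-256) and IV; not the bot's real values.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
var demoIV = []byte("fedcba9876543210")

// demoConfig is a constructed stand-in for a config file made of four
// identical 16-byte records, the kind of repetition ECB cannot hide.
var demoConfig = bytes.Repeat([]byte("inject.example.1"), 4)

// pkcs7Pad pads data to a multiple of the AES block size.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad removes PKCS#7 padding, rejecting malformed input.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, errors.New("bad padding")
	}
	return data[:len(data)-n], nil
}

// encryptECB encrypts each block independently (the on-disk storage mode).
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// decryptECB reverses encryptECB; this is what recovering a stored config looks like.
func decryptECB(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	out := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	return pkcs7Unpad(out)
}

// encryptCBC chains blocks through an IV (the mode used on the wire).
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// repeatedBlocks counts 16-byte ciphertext blocks that occur more than once.
// Any repeat in a short blob is a strong hint that ECB was used.
func repeatedBlocks(ct []byte) int {
	seen := map[string]int{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])]++
	}
	dup := 0
	for _, c := range seen {
		if c > 1 {
			dup += c - 1
		}
	}
	return dup
}

func main() {
	ecb, _ := encryptECB(demoKey, demoConfig)
	cbc, _ := encryptCBC(demoKey, demoIV, demoConfig)
	fmt.Printf("ECB repeated blocks: %d\n", repeatedBlocks(ecb)) // 3
	fmt.Printf("CBC repeated blocks: %d\n", repeatedBlocks(cbc)) // 0
	pt, _ := decryptECB(demoKey, ecb)
	fmt.Printf("ECB roundtrip ok: %v\n", bytes.Equal(pt, demoConfig))
}
```

The repeated-block count is the standard heuristic for telling ECB-encrypted data apart from CBC output of the same content, and it is why the on-disk copy is the easier of the two artifacts to recognise and, once the key is recovered from the sample, to decrypt block by block.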
Full Article.
