K7Blog

Beware of unfamiliar software when analyzing Telegram Trojan programs!

I came across a Trojan program in a Telegram group chat. It was simply a compressed package containing an exe file. The Trojan programs I had seen before were not so obvious. Most people would recognize these as Trojan files, but some may still be tempted to click on them or are simply unaware.

I checked the profile of the person who shared this program and found that they had a premium membership, and their personal description mentioned a change of payment address. It seems this was a friend whose account had been stolen by this program.

Trojan sample: Google Drive
Habo analysis: https://habo.qq.com/file/showdetail?pk=ADcGb11qB2cIOVs6U2I%3D
Kaspersky: https://opentip.kaspersky.com/C667BE786A5A67A74331E1FA7E2CEF2BC33B55739AD31B5456A3697623C6BACF/results?tab=upload

[Screenshot: Snipaste_2023-04-28_23-49-27]

From the screenshot above, it is clear that this is a Trojan file without a doubt. Its main function is to monitor user activities electronically (intercepting keyboard inputs, capturing screenshots, capturing a list of active applications, etc.) and send the collected information to hackers through various means. It also employs various methods to avoid detection and gain complete control over the computer.

However, I believe any antivirus software should be able to detect this program. I scanned it with Huorong Security and found it to be dangerous!
Then, I ran it in a virtual machine to capture its activities. I'm not very knowledgeable about technology, so please don't laugh.

Initially, when I opened the software, nothing was displayed. After running in the background for a while, it closed. At this point, it sent requests to note.youdao.com:443 and bucket-ynote-online-cdn.note.youdao.com:443.

[Screenshot: Snipaste_2023-04-28_23-22-16]

I used the TUN mode in Clash for Windows and monitored the traffic in the Clash client. I wanted to make sure my IP address was not leaked, and a system proxy set inside the virtual machine might not be honored by the program.

Then, a popup window appeared, and I'm not sure what it was for. It generated an exe file in the user directory.

[Screenshot: Snipaste_2023-04-28_23-17-32]

I uploaded the exe file to Kaspersky and found no issues: https://opentip.kaspersky.com/C9A1C52F5F5C8DEEF76B8E989C6A377F00061FA369CBD1CEE7F53F8F03295F5C/results?tab=upload

Then, I noticed that it always sent requests to two addresses: 38.45.120.226:7076 and jlbhm.one:5688. I found that the jlbhm.one domain was recently registered.

[Screenshot: Snipaste_2023-04-28_23-37-29]
[Screenshot: Snipaste_2023-04-28_23-37-38]

Furthermore, the jlbhm.one domain is not resolved, and the connection to 38.45.120.226:7076 remains active, while the connection to jlbhm.one:5688 connects, disconnects, and reconnects.
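The connection pattern described above (a hard-coded IP on a high port that stays open, and a freshly registered domain that connects, drops and reconnects) is the kind of thing a defender wants to pull out of a sandbox capture automatically. The following is an added example, not code from the original post: it parses a constructed connection log in a simple "time host:port action" format (the real Clash log format is not assumed), and flags destinations that use a literal IP instead of DNS, a non-standard port, repeated reconnects, a connection still open at the end of the capture, or a hostname the sandbox resolver never answered. The `RESOLVED` set stands in for the sandbox's DNS answers and is constructed for the example.

```python
"""Triage of a constructed sandbox connection log (added example).

The destinations mirror the ones the post observed; the log lines,
the format and the resolver answers are constructed for illustration.
"""
import ipaddress
import re

# Constructed sample capture, one event per line: "HH:MM:SS host:port action"
SAMPLE_LOG = """\
23:10:02 note.youdao.com:443 connect
23:10:02 note.youdao.com:443 close
23:10:05 bucket-ynote-online-cdn.note.youdao.com:443 connect
23:10:06 bucket-ynote-online-cdn.note.youdao.com:443 close
23:11:00 38.45.120.226:7076 connect
23:11:10 jlbhm.one:5688 connect
23:11:12 jlbhm.one:5688 close
23:11:40 jlbhm.one:5688 connect
23:11:42 jlbhm.one:5688 close
23:12:10 jlbhm.one:5688 connect
23:12:12 jlbhm.one:5688 close
"""

# Constructed stand-in for the hostnames the sandbox resolver answered.
RESOLVED = {"note.youdao.com", "bucket-ynote-online-cdn.note.youdao.com"}

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+):(\d+) (connect|close)$")
STANDARD_PORTS = {53, 80, 443}


def parse_log(text):
    """Return a list of (time, host, port, action) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, host, port, action = m.groups()
        events.append((t, host, int(port), action))
    return events


def is_literal_ip(host):
    """True when the destination was given as an IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def summarize(events):
    """Group events by (host, port) and count connects/closes per destination."""
    summary = {}
    for _, host, port, action in events:
        entry = summary.setdefault((host, port), {
            "connects": 0,
            "closes": 0,
            "literal_ip": is_literal_ip(host),
            "nonstandard_port": port not in STANDARD_PORTS,
        })
        entry[action + "s"] += 1
    return summary


def triage(summary, resolved):
    """Return sorted (host, port, reasons) for destinations that deserve a closer look.

    `resolved` is the set of hostnames that received a DNS answer during the run.
    """
    findings = []
    for (host, port), d in summary.items():
        reasons = []
        if d["literal_ip"]:
            reasons.append("hard-coded IP, no DNS lookup")
        if d["nonstandard_port"]:
            reasons.append(f"non-standard port {port}")
        if d["connects"] >= 3:
            reasons.append(f"reconnected {d['connects']} times (beacon-like)")
        if d["connects"] > d["closes"]:
            reasons.append("connection still open at end of capture")
        if not d["literal_ip"] and host not in resolved:
            reasons.append("hostname never resolved in sandbox")
        if reasons:
            findings.append((host, port, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, reasons in triage(summarize(parse_log(SAMPLE_LOG)), RESOLVED):
        print(f"{host}:{port}")
        for r in reasons:
            print(f"  - {r}")
```

On the constructed log the two youdao.com destinations come out clean (standard port, resolved, opened and closed once), while 38.45.120.226:7076 is flagged as a hard-coded IP on a non-standard port whose connection never closed, and jlbhm.one:5688 as an unresolved name on a non-standard port that reconnected three times. In a real triage the `RESOLVED` set would come from the sandbox's DNS log, and the domain-age check the author did by hand would be a further reason added in `triage`.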

I used a webmaster tool to ping this IP: https://ping.chinaz.com/38.45.120.226. Can you guess what the result was?

The IP is shown as Cogent in Hong Kong, China. I recognized this IP starting with 38. I remembered seeing someone recommend a Hong Kong CMI server on YouTube before, and I had purchased an IP from them starting with 38. Most of their Hong Kong CMI IPs also start with 38, and when I pinged it using the webmaster tool, it showed China Hong Kong Cogent.

I found the contact information of this webmaster and inquired about the following:

[Screenshot: Snipaste_2023-04-29_00-16-12]

Alright, that's the end of the story. I don't understand much about these things, and it has been a while since I tinkered with anything. My blog has also been neglected for a long time, so I just randomly experimented.
