{
	"id": "05a85933-ddfe-40d0-a2d3-5bcbeeef819e",
	"created_at": "2026-04-06T00:07:38.866401Z",
	"updated_at": "2026-04-10T03:19:56.656878Z",
	"deleted_at": null,
	"sha1_hash": "1a1b8794ff1d7a4a55c7042fbc6b725e6642c3a9",
	"title": "A .NET malware abusing legitimate ffmpeg",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1413984,
	"plain_text": "A .NET malware abusing legitimate ffmpeg\r\nBy Malwarebytes Labs\r\nPublished: 2017-07-11 · Archived: 2026-04-05 21:21:31 UTC\r\nThere is a growing trend among malware authors to incorporate legitimate applications in their malicious package. This time, we analyzed a malware that downloads a legitimate copy of ffmpeg. Using this application, this simple spyware written in .NET gained a powerful feature. Most spyware of this kind is content with periodically sending screenshots taken on the infected machine. This malware goes a step further and records full videos of user activity. In this post, we will have a look at this and the other capabilities of this sample.\r\nThe mentioned malware family was first discovered in 2015 by MalwareHunterTeam. Recently a new wave is being spread.\r\nAnalyzed samples\r\n2a07346045558f49cad9da0d249963f1 – dropper (JS)\r\n049af19db6ddd998ac94be3147050217 – dropped executable (C#)\r\n9c9f9b127becf7667df4ff9726420ccb – loader\r\n85d35dd33f898a1f03ffb3b2ec111132 – final payload\r\nDownloaded plugins:\r\ne907ebeda7d6fd7f0017a6fb048c4d23 – remotedesktop.dll\r\nd628d2a9726b777961f2d1346f988767 – processmanager.dll\r\nBehavioral analysis\r\nThe JS file drops the contained executable inside the %TEMP% folder and then runs it. The executable installs itself under a random name, creating its own folder in %APPDATA%. Persistence is achieved with the help of a Run key. An additional copy of the malware is also dropped in the Startup folder:\r\nDuring its run, the executable creates .tmp files inside its installation folder. The file content is not encrypted, and if we look inside we can see that it is saving keystrokes and logging the running applications:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/\r\nPage 1 of 13\r\nAnother interesting thing we noted is that the malware downloads legitimate applications: Rar.exe, ffmpeg.exe and the related DLLs DShowNet.dll and DirectX.Capture.dll.\r\nThe malware has been observed closing and deleting some applications while it is running. During the tests, it removed, for example, Process Explorer and BareTail from the attacked machine.\r\nNetwork communication\r\nThe malware communicates with the CnC server over TCP using port 98.\r\nThe server sends the client a command “idjamel” and the client responds with basic information collected about the victim machine, such as machine name/username, the installed operating system, and a list of running processes.\r\nAfter the beaconing, the server sends the client the configuration, i.e. the list of the targeted banks.\r\nThe bot saves the configuration in the registry:\r\nAfter that, the CnC sends a set of Base64-encoded PE files. The content of each file is prepended with its name. The non-malicious helper binaries can be identified by the keyword “djamelreference”. Malicious plugins are identified by “djamelplugin”.\r\nDownloading DShowNET.dll:\r\nDownloading a plugin – remotedesktop.dll (e907ebeda7d6fd7f0017a6fb048c4d23):\r\nThe ffmpeg application is downloaded from the URL (pointed to by the CnC):\r\nFollowing the address we can see a dummy page that may possibly be owned by the attackers. The Facebook like button points to the account “AnonymousBr4zil”:\r\nThe bot reports to the server about the running applications, e.g. by sending the text from the title bars encoded in Base64:\r\nExample:\r\nawt||UHJvY2VzcyBFeHBsb3JlciAtIFN5c2ludGVybmFsczogd3d3LnN5c2ludGVybmFscy5jb20gW3Rlc3RtYWNoaW5lXHRlc3Rl\r\nDecoded:\r\nProcess Explorer - Sysinternals: www.sysinternals.com [testmachinetester]\r\nInside\r\nUnpacking\r\nThe sample is packed with the help of CloudProtector (thanks to @MalwareHunterTeam for the tip). It is the same protector that was used in some other cases that we analyzed earlier (read more here). Just like in the previous case, it decrypts the payload using a custom algorithm and the key supplied in the configuration. Then the decrypted executable is loaded in memory with the help of the RunPE technique (also known as Process Hollowing).\r\nThe core\r\nThe unpacked payload is the layer containing all the malicious features. It is not further obfuscated, so we can easily decompile it (e.g. using dnSpy) and read the code.\r\nWe can see some classes with descriptive names, e.g. ProtectMe, ScreemCapture, SocketClient.\r\nAt first sight, we can see the purpose of this malware: spying on the user and backdooring the infected machine.\r\nThe class Form1 is the main module, responsible for communicating with the CnC and coordinating actions. It contains hardcoded data used for the malware installation and the address of the CnC server:\r\n37.187.92.171:98\r\nThe victim name is copied from the binary and saved in the registry key:\r\nIn case the bot detects software for e-Carte Bleue (a French payment card), it adds the corresponding string to the identifier, and also sends additional information to the server:\r\nEach module runs independently, started in a new thread:\r\nVideo recording\r\nWe can see the fragment of code responsible for downloading the ffmpeg application:\r\nThe main goal of the malware authors is to spy on the user’s banking activities. That’s why the video recording event is triggered when the victim opens a particular site related to online banking. The list of targets is supplied by the CnC and saved in the registry under the key “ve”, for example:\r\nPeriodically, a check is made whether a target from the list has been opened in the browser. If one is detected, the malware deploys the video recorder:\r\nThe function “VeifyingTime” compares the title bar with the supplied string.\r\nVideos are recorded with the help of the ffmpeg application:\r\nAfter that they are sent to the CnC, encoded in Base64:\r\nThe malware also has a feature of making simple screenshots, saved as JPG. The pictures and the captured logs are periodically compressed by the Rar application, and then also sent to the CnC:\r\nKeylogger\r\nThe kyl class name stands for keylogger:\r\nIt also has the ability to enumerate opened windows:\r\nThis is the class responsible for creating the .tmp file that was mentioned before:\r\nProtect Me\r\nThis class is responsible for disabling the applications that may be used to monitor the malware’s activity:\r\nPlugins\r\nThe basic functionality of the bot can be extended by additional plugins, downloaded from the CnC:\r\nIn the observed case, the bot downloaded two plugins, giving it capabilities typical for a RAT:\r\nprocessmanager.dll, written in 2015:\r\nand remotedesktop.dll, written in 2016:\r\nIn contrast to the main module and the previous plugin, remotedesktop.dll is obfuscated. Names of its classes and variables are no longer meaningful:\r\nConclusion\r\nThis malware is prepared by an unsophisticated actor. Neither the binary nor the communication protocol is well obfuscated. The packer used is well-known and easy to defeat. However, the malware is rich in features and it seems to be actively maintained. Its capabilities of spying on the victim and backdooring the attacked machine should not be taken lightly, because even a simple threat actor can cause a lot of damage when neglected.\r\nThis malware is detected by Malwarebytes as Backdoor.DuBled.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/"
	],
	"report_names": [
		"malware-abusing-ffmpeg"
	],
	"threat_actors": [],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a1b8794ff1d7a4a55c7042fbc6b725e6642c3a9.pdf",
		"text": "https://archive.orkl.eu/1a1b8794ff1d7a4a55c7042fbc6b725e6642c3a9.txt",
		"img": "https://archive.orkl.eu/1a1b8794ff1d7a4a55c7042fbc6b725e6642c3a9.jpg"
	}
}