{
	"id": "a85c6f50-9e01-4e49-baae-48bff8f216e6",
	"created_at": "2026-04-06T03:37:09.998837Z",
	"updated_at": "2026-04-10T03:20:32.93399Z",
	"deleted_at": null,
	"sha1_hash": "7051176575d72caf1b0396be291d0dd5e70f8ca9",
	"title": "TROJAN.GTALK | Cyber Engineering Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93555,
	"plain_text": "TROJAN.GTALK | Cyber Engineering Services\r\nPublished: 2011-12-15 · Archived: 2026-04-06 03:12:22 UTC\r\nhello_kitty\r\nToday I am going to write about an interesting Trojan whose concept (controlling malware via instant messaging) has\r\nbeen used for some time. However, Christmas came early this year: during one of our recent engagements we came\r\nacross the C2 portion of this Trojan (screenshots are located at the end of this article).\r\nThe Trojan itself is built on gloox, a free and publicly available Jabber/XMPP client library. Jabber (XMPP), if you are unaware, is\r\nan open standard for instant messaging, and it is the protocol behind the instant messaging portion of Google Talk. This\r\nsample connects to Google Talk with hard-coded credentials. The C2 portion of this Trojan family also connects\r\nto Google Talk, using credentials provided at run time via the GUI. Once the two components have\r\nconnected to Google Talk, all of the communication between the components and the Google servers is\r\nencrypted by TLS (SASL handles the authentication). The C2 portion can then gather system information, run the pslist and pskill\r\ncommands, upload and download files, issue sleep commands, and obtain a reverse shell.\r\nThe Trojan and the C2 have an additional layer of encoding, which to me was the interesting part of both of these\r\nsamples. The hard-coded credentials and the commands and responses for this sample are all encoded/decoded in the same\r\nmanner. So that this article doesn’t go from technical to soul-crushingly boring, only a high-level explanation of the\r\nencoding/decoding will be provided below. 
The actual credentials are not provided in this document; similar\r\ndata is used in the examples instead.\r\nTrojan.GTalk Analysis\r\nFile Name: Trojan.GTalk.exe\r\nFile Size: 353792 bytes\r\nMD5: 8845cb5b4e450cb10a3b6ca41a9b4319\r\nSHA1: bd224865730ff72d960a8ea49be315fdc615edb3\r\nPE Time: 0x4E4A32CF [Tue Aug 16 09:05:19 2011 UTC]\r\nPEiD Sig: Microsoft Visual C++ 8\r\nSections (5):\r\nName Entropy MD5\r\n.text 6.58 bfb2e60a800996224698f5a81b80e8d1\r\n.rdata 4.95 dbd4ac5000eda9e6e9124d72858d29b7\r\n.data 4.46 54c204495e80764a21da3decd330cbb3\r\n.rsrc 4.51 ffb05bcee52f5e69168029d4ffa5ccf1\r\n.reloc 4.35 e6cfc56984a9068e2e5d3ca27cf67919\r\nAV: 2/43 (4.7%) [VirusTotal]\r\nIt should be noted that the hash values above do not match the hash values listed on VirusTotal: the logon credentials\r\nwere removed from the sample that was submitted there. The hash values above are the correct hashes for the\r\nsample with the encoded credentials still in place.\r\nhttps://web.archive.org/web/20141226203328/http://www.cyberengineeringservices.com/2011/12/15/trojan-gtalk/\r\nPage 1 of 5\n\nThis sample does not set up any persistence mechanism of its own. Most likely the Trojan is installed on the\r\ncompromised system either manually or by a dropper/installer file.\r\nDecoding Credentials\r\nThis sample takes care of some basic housekeeping before it begins to decode the credentials that it uses to\r\nauthenticate to the Google Talk servers. The credentials are located in the file at offset 0x42d84. 
The logon credentials are stored as two NUL-terminated strings, username first and then password (shown in blue and red in the original article); an example is\r\nshown below.\r\nOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F\r\n00042D80 00 00 00 00 2B 34 71 4B 69 51 64 35 4D 2B 6F 4F +4qKiQd5M+oO\r\n00042D90 70 66 4E 62 6A 37 75 2F 75 71 6A 61 4D 78 73 57 pfNbj7u/uqjaMxsW\r\n00042DA0 31 50 58 37 46 6D 75 39 4E 4C 6D 7A 5A 48 4E 58 1PX7Fmu9NLmzZHNX\r\n00042DB0 62 66 63 3D 00 00 00 00 00 00 00 00 00 00 00 00 bfc=\r\n00042DC0 00 00 00 00 2B 34 71 4B 49 56 6F 50 2B 56 54 6A +4qKIVoP+VTj\r\n00042DD0 71 4C 79 4B 78 44 39 41 2F 67 65 39 38 4F 6F 2F qLyKxD9A/ge98Oo/\r\n00042DE0 63 48 47 4B 69 67 3D 3D 00 00 00 00 00 00 00 00 cHGKig==\r\nThis sample Base64-decodes the first string using a custom alphabet mapping. The first string,\r\nin its decoded form, is shown below.\r\nOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F\r\n00000000 FB 8A 8A 8A A6 F9 33 E3 A8 A5 F3 5B 8F BB BF B9 ûŠŠŠ¦ù3ã¨¥ó[ »¿¹\r\n00000010 A8 EA 33 1B 16 D4 F5 F7 16 6B B4 34 B9 B3 C4 73 ¨ê3 Ôõù k¹4¹³ds\r\n00000020 57 6D F7 Wm÷\r\nThis sample then uses a hard-coded table located at offset 0x4e208 to further decode the above string.\r\nThis step is a straightforward byte-for-byte substitution cipher. The table at that offset is embedded in a larger\r\nregion of code that the Trojan never executes. 
The table (0x100 bytes in length, starting at offset 0x4E208; it is printed in black in the original, so the bytes before that offset in the dump are not part of it) is shown\r\nbelow.\r\nOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F\r\n0004E1E0 54 60 3C 50 1F 20 97 A8 37 04 21 FF 06 17 DC AF T`\u003cP —¨7 !ÿ Ü¯\r\n0004E1F0 A9 09 42 D1 B5 8B 3B 2D AC 47 8C 86 3D 29 B8 84 © BÑµ‹;-¬GŒ†=)¸„\r\n0004E200 10 7B 96 A6 1B E8 33 F3 41 9C 83 34 E1 D1 E4 B0 {–¦ è3óAœƒ4áÑä°\r\n0004E210 1C E9 3C 70 80 0E 4A 93 F8 2A 06 B4 4C 55 7C E5 é\u003cp€ J“ø* ´LU|å\r\n0004E220 53 2D 5B FC 49 79 67 DC DD E2 38 44 A2 66 6F 5A S-[üIygÜÝâ8D¢foZ\r\n0004E230 A9 F5 A0 62 AC EF 57 73 C8 A6 BE FE CD 97 4D E0 ©õ b¬ïWsÈ¦¾þÍ—Mà\r\n0004E240 78 14 48 EE DA F4 0D 1F 8F D6 EA AF D0 25 74 F1 x HîÚô Öê¯Ð%tñ\r\n0004E250 28 4E 86 2E 15 9D C2 BB DB 98 76 99 D8 27 3F CA (N†. Â»Û˜v™Ø'?Ê\r\n0004E260 A7 4F 47 03 8D A3 A8 46 D9 0B 58 9A D5 8A 18 22 §OG £¨FÙ XšÕŠ \"\r\n0004E270 1A CE 37 CB AA B6 6B C0 8C 95 91 8B 68 CC D2 B1 Î7Ëª¶kÀŒ•‘‹hÌÒ±\r\n0004E280 59 2B 4B F9 87 89 BF 12 0A 7A 77 7B F7 52 F3 61 Y+Kù‡‰¿ zw{÷Róa\r\n0004E290 B7 29 00 ED F2 96 69 13 63 45 17 5D 51 C4 FA DE ·) íò–i cE ]QÄúÞ\r\n0004E2A0 7D 35 88 84 56 C1 B2 82 90 6D B9 AB A5 D7 FB BC }5ˆ„VÁ²‚m¹«¥×û¼\r\n0004E2B0 DF E8 43 11 F0 32 9B E7 64 C7 33 AD 30 EC 24 31 ßèC ð2›çdÇ3 0ì$1\r\n0004E2C0 F6 7F 6E 07 C6 36 BA 75 C3 08 23 AE 50 0C BD 81 ön Æ6ºuÃ #®P ½\r\n0004E2D0 1B 0F 8E 3E 42 9F 5F 71 1E EB A1 21 40 2C 02 C5 Ž\u003eBŸ_q ë¡!@, Å\r\n0004E2E0 B8 72 3A 3D E6 19 CF 65 92 20 10 9E 6C 54 39 01 ¸r:=æ Ïe’ žlT9\r\n0004E2F0 FD 04 85 B5 05 5C C9 94 D4 6A 09 FF B3 2F 16 60 ý …µ \\É”Ôj ÿ³/ `\r\n0004E300 3B 7E 26 1D D3 A4 5E E3 ;~\u0026 Ó¤^ã\r\nAn example of how the substitution cipher works is as follows. 
The Trojan takes the first byte of the string\r\n(0xFB, decimal 251) as an index into the table and replaces that byte with the table entry at that position\r\n(0x4E208 + 0xFB = 0x4E303, which holds 0x1D). The same lookup is performed for each byte of the string. The last 32 entries of the table (positions 0xE0 through 0xFF) are:\r\nPosition E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF\r\nValue 92 20 10 9E 6C 54 39 01 FD 04 85 B5 05 5C C9 94\r\nPosition F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF\r\nValue D4 6A 09 FF B3 2F 16 60 3B 7E 26 1D D3 A4 5E E3\r\nOriginal String:\r\nOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F\r\n00000000 FB 8A 8A 8A A6 F9 33 E3 A8 A5 F3 5B 8F BB BF B9 ûŠŠŠ¦ù3ã¨¥ó[ »¿¹\r\n00000010 A8 EA 33 1B 16 D4 F5 F7 16 6B B4 34 B9 B3 C4 73 ¨ê3 Ôõù k¹4¹³ds\r\n00000020 57 6D F7 Wm÷\r\nDecoded String:\r\nOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F\r\n00000000 1D 00 00 00 FB 5E FE 9E AF D7 FF 33 13 07 75 7F ...û~þžß3×ÿ\r\n00000010 DF 82 FE FC 7D 40 2F 7E 7C CB 7F 32 7F AD D5 8B ß…þü|@/~|Ë2ÍÕ‹\r\n00000020 CA B6 60\r\nThe next part of the decoding scheme is explained, for brevity, at a very high level. From my research I could not\r\ndetermine that this is a standard or well-known algorithm. Fully explaining how this algorithm works could be a blog\r\nunto itself. In the future, if time allows, I will write an article covering all the details of how this algorithm works and\r\nhow to decode/encode data using the algorithm. The algorithm creates a 4,392-byte table of values. During the\r\ndecoding process the positions of the values used for decoding are exchanged with other values in the\r\ntable, adding another layer of protection.\r\nThe first DWORD (little-endian; 0x1D = 29 in the example above) of the substituted string is the length of the final plaintext produced by the next stage of decoding.\r\nThe final stage is an algorithm that encodes and decodes data at the bit level. This bit-stream encoding\r\nis a series of instructions that breaks each byte down into its individual bits (0xFB would be 1111\r\n1011). 
Each bit is treated as an integer (0 or 1) and added to a hard-coded starting value. The\r\nsum of the two is used as an offset into the previously referenced 4,392-byte table. This table is built in\r\nmemory at run time by another set of instructions.\r\nThe offset into the table points to a word value, which is added to the integer representation of the next\r\nbit. This continues until the sum of the word value and the bit value exceeds the hard-coded\r\nvalue 0x273. Once that condition is met, the algorithm branches into another set of instructions. These\r\ninstructions perform some simple arithmetic to determine a pointer into the table. The value at this pointer is the\r\ndecoded value, which is written to memory. The algorithm then branches into a further set of instructions\r\nthat scrambles and alters (by means of addition) values in the 4,392-byte table, exchanging several of the word\r\nvalues that were used to decode the previous byte of data. The algorithm then continues with the steps\r\noutlined above until it again reaches a value above 0x273.\r\nThe result is the decoded string. The Trojan then completes the same steps to decode the password used to\r\nauthenticate with the Google Talk servers.\r\nTrojan Communication\r\nThe communication portion of this sample involves authenticating to the Google Talk servers with the credentials\r\ndecoded above. Once an attacker has also authenticated to the Google Talk servers (via the\r\nGUI C2 node), the two pieces can begin communicating. The C2 node issues commands, which are transmitted as\r\ninteger values. These values are encoded by applying the steps above in reverse (bit-stream encoded, then the substitution cipher, and then\r\nBase64 encoded) and transmitted to the Trojan over the TLS-protected XMPP session that Google unwittingly provides. 
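The two outer layers, the custom-alphabet Base64 and the substitution table, are simple enough to reproduce. The Python below is an added worked example, not code from the original article or from the sample. It transcribes the 0x100-byte table from the dump at 0x4E208, runs the credential bytes shown above through it to recover the length prefix, and, because the transcribed table turns out to be a permutation of 0..255, also builds the inverse table that the encoding direction (C2 commands to the Trojan, and the Trojan's responses back) must apply before Base64. The custom Base64 alphabet is not given in the article, so the alphabet is a parameter: the standard alphabet is only a placeholder and DEMO_ALPHABET is a made-up stand-in used for the round-trip check. PAGE_REGION is a constructed copy of the file bytes at 0x42D80 taken from the dump above, and the bit-stream stage is deliberately not implemented because its details are not described.

```python
import base64

# Standard Base64 alphabet. The sample uses a custom alphabet that the article does
# not give, so every function takes the alphabet as a parameter; the standard one is
# only a placeholder and DEMO_ALPHABET is a made-up stand-in for the round-trip demo.
STD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
DEMO_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

# The 0x100-byte substitution table transcribed from the dump at file offset 0x4E208
# (first line is the tail of the 0x4E200 row, then one dump row per line).
SBOX = bytes.fromhex(
    '419C8334E1D1E4B0'
    '1CE93C70800E4A93F82A06B44C557CE5'
    '532D5BFC497967DCDDE23844A2666F5A'
    'A9F5A062ACEF5773C8A6BEFECD974DE0'
    '781448EEDAF40D1F8FD6EAAFD02574F1'
    '284E862E159DC2BBDB987699D8273FCA'
    'A74F47038DA3A846D90B589AD58A1822'
    '1ACE37CBAAB66BC08C95918B68CCD2B1'
    '592B4BF98789BF120A7A777BF752F361'
    'B72900EDF29669136345175D51C4FADE'
    '7D35888456C1B282906DB9ABA5D7FBBC'
    'DFE84311F0329BE764C733AD30EC2431'
    'F67F6E07C636BA75C30823AE500CBD81'
    '1B0F8E3E429F5F711EEBA121402C02C5'
    'B8723A3DE619CF659220109E6C543901'
    'FD0485B5055CC994D46A09FFB32F1660'
    '3B7E261DD3A45EE3')

# Constructed stand-in for the file bytes at 0x42D80-0x42DEF, copied from the dump:
# NUL padding, the username string at 0x42D84, more padding, then the password.
# (The author states these are illustrative values, not the real credentials.)
PAGE_REGION_BASE = 0x42D80
PAGE_REGION = (bytes(4) + b'+4qKiQd5M+oOpfNbj7u/uqjaMxsW1PX7Fmu9NLmzZHNXbfc=' + bytes(16)
               + b'+4qKIVoP+VTjqLyKxD9A/ge98Oo/cHGKig==' + bytes(8))

# The bytes the article shows for the username after its Base64 stage.
PAGE_STAGE1 = bytes.fromhex(
    'FB8A8A8AA6F933E3A8A5F35B8FBBBFB9A8EA331B16D4F5F7166BB434B9B3C473576DF7')

def read_cstrings(blob, offset, count):
    '''Read count consecutive NUL-terminated ASCII strings from offset, skipping NUL padding.'''
    found, pos = [], offset
    while len(found) != count:
        while blob[pos] == 0:      # skip the zero padding between strings
            pos += 1
        end = blob.index(0, pos)   # bytes.index accepts a single byte value
        found.append(blob[pos:end].decode('ascii'))
        pos = end + 1
    return found

def custom_b64decode(text, alphabet=STD_ALPHABET):
    '''Base64-decode text written with a custom 64-character alphabet.'''
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError('alphabet must be 64 distinct characters')
    # Remap the custom alphabet onto the standard one, then use the stock decoder.
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)), validate=True)

def custom_b64encode(data, alphabet=STD_ALPHABET):
    return base64.b64encode(data).decode('ascii').translate(str.maketrans(STD_ALPHABET, alphabet))

def substitute(data, table):
    '''Replace every byte b with table[b], as the Trojan does with its 0x100-byte table.'''
    return bytes(table[b] for b in data)

def invert_table(table):
    '''Build the inverse lookup; only possible when the table is a bijection on 0..255.'''
    if sorted(table) != list(range(256)):
        raise ValueError('table is not a permutation, so the substitution is not invertible')
    inverse = bytearray(256)
    for index, value in enumerate(table):
        inverse[value] = index
    return bytes(inverse)

INV_SBOX = invert_table(SBOX)   # the table in the dump is a permutation, so this succeeds

def decode_outer_layers(text, alphabet=STD_ALPHABET, table=SBOX):
    '''Base64 (custom alphabet), then table lookup. Returns (declared length, bit-stream payload);
    the length is what the final bit-stream stage (not implemented here) would produce.'''
    stage2 = substitute(custom_b64decode(text, alphabet), table)
    if len(stage2) in range(4):  # shorter than the 4-byte length prefix
        raise ValueError('too short for the length prefix')
    return int.from_bytes(stage2[:4], 'little'), stage2[4:]

def encode_outer_layers(payload, declared_len, alphabet=STD_ALPHABET, table=INV_SBOX):
    '''Encoding direction (C2 commands, Trojan responses): length prefix, inverse table, Base64.'''
    plain = declared_len.to_bytes(4, 'little') + payload
    return custom_b64encode(substitute(plain, table), alphabet)

def demo():
    '''Walk the data from the article through the two outer layers.'''
    username_b64, password_b64 = read_cstrings(PAGE_REGION, 0x42D84 - PAGE_REGION_BASE, 2)
    stage2 = substitute(PAGE_STAGE1, SBOX)
    return username_b64, password_b64, stage2, int.from_bytes(stage2[:4], 'little')

if __name__ == '__main__':
    print(demo())
```

Running the table over the intermediate bytes from the article reproduces the decoded prefix 1D 00 00 00 FB and the declared length 0x1D (29). A few later bytes in the printed Decoded String differ from what the table gives (for example 5E at offset 5, where position 0xF9 of the table holds 7E), which looks like a transcription slip in the original listing rather than a different table. Because the table is a bijection, the C2 side can encode with INV_SBOX and the Trojan decodes with SBOX; the bit-stream stage in between is left as an opaque payload.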
The Trojan\r\ndecodes the message it receives and sends its response to the C2 in the same manner. If the C2 node establishes a reverse\r\nshell or uploads/downloads files, that data is also encoded in the same manner.\r\nOnce you get past the encoding/decoding portion of this sample, everything else, including the commands, is\r\nstraightforward and has been seen before in previously analyzed samples. Below is a screenshot of how this sample\r\ndetermines which command was sent.\r\n[Screenshot: command dispatch (commands1)]\r\nI have included screenshots of the functionality of the GUI C2 portion of this family.\r\n[Screenshot] Initial Screen\r\n[Screenshot] Log On Prompt\r\nI provided a set of credentials that I created for the analysis of this sample.\r\n[Screenshot] Logged On, showing the available compromised machine and the embedded username\r\nThe sample that was analyzed was patched with another set of credentials that I created for the analysis of this sample.\r\nThe two Google accounts were paired (connected to each other) prior to the analysis.\r\n[Screenshot] Initial Command Screen for the available compromised machine\r\n[Screenshot] Info Command\r\n[Screenshot] Pslist Command\r\n[Screenshot] Pskill Command\r\n[Screenshot] Uploading a file to the compromised machine (putfile)\r\n[Screenshot] Downloading a file from the compromised machine (getfile)\r\n[Screenshot] Reverse shell to the compromised machine (cmd.exe)\r\nSource: https://web.archive.org/web/20141226203328/http://www.cyberengineeringservices.com/2011/12/15/trojan-gtalk/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20141226203328/http://www.cyberengineeringservices.com/2011/12/15/trojan-gtalk/"
	],
	"report_names": [
		"trojan-gtalk"
	],
	"threat_actors": [],
	"ts_created_at": 1775446629,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7051176575d72caf1b0396be291d0dd5e70f8ca9.pdf",
		"text": "https://archive.orkl.eu/7051176575d72caf1b0396be291d0dd5e70f8ca9.txt",
		"img": "https://archive.orkl.eu/7051176575d72caf1b0396be291d0dd5e70f8ca9.jpg"
	}
}