# Malware Analysis: Kardon Loader **[engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab](https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab)** Vishal Thakur July 13, 2021 [Vishal Thakur](https://malienist.medium.com/?source=post_page-----adaaaab42bab--------------------------------) [Follow](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fsubscribe%2Fuser%2Fbacf5a190f41&operation=register&redirect=https%3A%2F%2Fengineering.salesforce.com%2Fkardon-loader-malware-analysis-adaaaab42bab&user=Vishal+Thakur&userId=bacf5a190f41&source=post_page-bacf5a190f41----adaaaab42bab---------------------follow_byline-----------) Jun 22, 2018 4 min read Kardon is a new malware that has just hit the market. At this moment, the developers are advertising it as a new Trojan Downloader — which has the capabilities of delivering and executing any payload that the actor wants to use in a campaign. The malware is fully functional and is ready to be deployed with custom or commodity malware. Let’s take a look at its binary and analyze it to extract some usable IOC but mostly the execution flow, as this malware is still in development. ## Quick Analysis First of all, let’s take a quick look at the PE and list some of the basic information about the malware. As we can see from the image below, the PE is a VC++ build. Quite small in size, which sets it apart from most of the loaders available on the market today (which could change as it is fine-tuned and functionality is added to it in the future). The PE is a VC++ build and quite small in size Following is the list of OS versions this malware runs on: ----- Now, let s take a quick look (statically) at the DLLs that this malware loads on execution: To dig out more interesting DLLs, let’s start the dynamic analysis of this malware. Once launched and suspended, we look into the memory and see that some more interesting DLLs (Anti-VM and Anti-AV) have now been launched. Take a look at the image below: ----- Ant-VM and Anti-AV functions listed from the memory We can also see more Anti-VM features in the code as we dig deeper: These strings are passed into the memory for Virtual Machine detection. As we can see, most of the common platforms have been taken into account. Let’s have a look at the execution now. We start with looking into the CPU. CPU view And then the values are passed on to the stack as variables. Stack view ----- The malware has a list of common AV and VM DLLs that it checks for — if they re loaded or not. This is to detect the AV running on the machine or if the machine is a VM — which can then be used to alter the execution flow as required. Let’s have a look at the CPU and the Disassembler to see how this looks like in execution and code. CPU view of the DLL list Code showing the list of DLLs ## Network IOC At this time, what would end up being the URI for the final payload (malware to be distributed by this loader) can be seen hardcoded into the loader itself. We can have a look at the strings output and see it. We will also have a look at the disassembler output and also in the debugger to show different ways of looking up the URI. Process Strings ----- Disassembler view CPU view of the URI ready to go into the stack So, as seen above, this is the URI that is supposed to serve the final payload for download, execution and infection: kardon.ddns[.]net/kardon/gate.php There are different URIs found on different samples of this malware at this time, which will change as it goes into distribution and the URIs start serving active (live) payloads. Let’s also quickly take a look at the POST request (which is likely to remain the same for the next version). CPU view of the POST request Lastly, we can also see some features where the malware extracts information about the machine and it looks like this information will be posted back to the admin once this malware is in distribution. ----- And here we can see the function that will be used to download the payload ultimately. ## Conclusion Kardon is a new loader that is being marketed for sale at this time. We will surely see it being used in active campaigns soon, with more features enabled/added and downloading secondary payloads for further infection of the victim machines. Kardon is a basic, simple and lightweight Loader Malware. We will keep an eye on this malware and see how it evolves and progresses in the future. Sample used for this analysis: https://www.virustotal.com/#/file/fd0dfb173aff74429c6fed55608ee99a24e28f64ae600945e15 bf5fce6406aee/detection -----