# Stop Malvertising **[stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html](http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html)** Analysis of the Predator Pain Keylogger [Written by Kimberly on Sunday, 27 April 2014. Posted in Malware Reports Viewed 11403](https://stopmalvertising.com/malware-reports/) times The Predator Pain Keylogger incorporates Browser, Messenger, FTP and File stealers and is able of Clipboard and Screenhot logging, Bitcoin Wallet theft. Predator Pain targets Steam, MineCraft and World of WarCraft usernames and passwords. A Runescape Pin Stealer is also available. Predator Pain can disable several Windows features and spread via USB or P2P. **KazyLoader, also known as Karagany, is used as the file downloader in this sample.** The Predator Pain Keylogger is advertised for 35$ on underground forums and comes with its own crypter. [Predator Pain is the payload of an unsolicited email from the IRS with the subject line](http://techhelplist.com/index.php/spam-list/549-swift-transfer-confirmation-google-docs-malware) "Swift Transfer Confirmation". No money at the horizon in this fake email but a swift transfer of all logins and passwords the Predator Pain Keylogger can possibly grab. **Predator Pain Keylogger** Upon execution SWIFTTRANSFERRECEPTS_FDP.EXE will display an error message stating that the application failed to initialize properly. The warning is a fake error **message and part of the Predator Pain builder options.** ----- In meanwhile SWIFTTRANSFERRECEPTS_FDP.EXE will create a copy of itself as WINLOGON.EXE in the %AppData%\Roaming folder and start the newly created process. WINLOGON.EXE will also create a global Low Level Keyboard hook and display the same fake error as above. WINLOGON.EXE creates the following files in the %AppData%\Roaming folder: **pid.txt: contains the PID of the Predator Pain Keylogger process - e.g. 1628** **pidloc.txt: contains the path to the Predator Pain logger executable - e.g.** %AppData%\Roaming\winlogon.exe ----- Predator Pain will also create a copy of itself as WINDOWSUPDATE.EXE in the %AppData%\Roaming folder. Predator Pain checks periodically for the existence of WindowsUpdate.exe. If the file is deleted a new copy is written to the HDD. The following registry keys are created to ensure persistence: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Update" Type: REG_SZ Data: C:\Users\MxAngel\AppData\Roaming\WindowsUpdate.exe HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" Type: REG_SZ Data: explorer.exe, C:\Users\MxAngel\AppData\Roaming\winlogon.exe Before we go any further there are a few things that need clarification. When the Predator Pain binary - winlogon.exe in our analysis - is running, we can dump the strings contained in the different memory regions. The list is quite huge but for now we will focus on the three following elements: **WebBrowserPassView: WebBrowserPassView.exe** **Mail PassView: mailpv.exe** **CMemoryExecute: CMemoryExecute.dll** WebBrowserPassView [WebBrowserPassView, developed by Nir Sofer, is a tool to recover lost passwords stored](http://www.nirsoft.net/utils/web_browser_password.html) in your web browser. WebBrowserPassView supports Internet Explorer,Mozilla, Google Chrome, Safari, and Opera and can be used to recover lost / forgotten passwords of any website, including Facebook, Yahoo, Google, and GMail, as long as the password is stored by the browser. The passwords can be saved to text / html / csv / xml files. Mail PassView [Mail PassView, developed by Nir Sofer, allows extracting lost email passwords from the](http://www.nirsoft.net/utils/mailpv.html) following email clients: Outlook Express Microsoft Outlook 2000 (POP3 and SMTP Accounts only) Microsoft Outlook 2002/2003/2007/2010/2013 (POP3, IMAP, HTTP and SMTP Accounts) Windows Mail Windows Live Mail IncrediMail Eudora ----- Netscape 6.x/7.x (If the password is not encrypted with master password) Mozilla Thunderbird (If the password is not encrypted with master password) Group Mail Free Yahoo! Mail - If the password is saved in Yahoo! Messenger application. Hotmail/MSN mail - If the password is saved in MSN/Windows/Live Messenger application. Gmail - If the password is saved by Gmail Notifier application, Google Desktop, or by Google Talk. CMemoryExecute - CMemoryExecute.dll CMemoryExecute, written by Affixiate, is used to run a non .NET executable from memory without storing it on the hard-disk first. It uses the native WinAPI and the executable needs to be injected in VBC.EXE, the Visual Basic Command Line Compiler. The syntax is as follows: ``` CMemoryExecute.Run(IO.File.ReadAllBytes("C:\run_me_in_memory.exe"), "C:\inject_me_in_memory.exe", "(Optional) Command Line Parameters To Be Passed To C:\run_me_in_memory.exe") ``` Predator Pain is thus able to harvest logins and passwords from several mail and browser clients with the help of two incorporated legit programs: WebBrowserPassView and Mail PassView. Predator Pain will start up VBC.EXE, the Visual Basic Command Line Compiler, which is one of the requirements to run a PE from memory. The Predator Pain Keylogger will: ----- Run MAILPV.EXE from memory via VBC.EXE and dump the results to HOLDERMAIL.TXT. WINLOGON.EXE checks if HOLDERMAIL.TXT exists. WINLOGON.EXE reads HOLDERMAIL.TXT and uploads the harvested email credentials via mail - to This e-mail address is being protected from spambots. You need JavaScript enabled to view it in our analysis. The same tasks will be performed using WEBBROWSERPASSVIEW.EXE & VBC.EXE to harvest stored passwords in browsers. ----- Below is a screenshot illustrating the flow of processes and services started by Predator Pain. The Protected Storage and Credential Manager services are started by the injected VBC.EXE process. ----- Besides harvesting various logins and passwords, Predator Pain reports the local Date and Time, the OS and the OS language, the internal and external IP address, installed antivirus and / or firewall. The external IP is obtained by querying whatismyipaddress.com. In this sample all harvested information is send to This e-mail address is being protected from spambots. You need JavaScript enabled to view it . The interval and the chosen method (FTP / PHP / MAIL) can be set in the Predator Pain builder’s options. Predator Pain is also a Bitcoin Stealer. It steals the WALLET.DAT file that holds the users bitcoin currency. After a while the WINLOGON.EXE process stopped working. It’s hard to tell whether this is on purpose or simply because the logger is unstable. ----- When the WINLOGON.EXE process runs, the code in memory is unencrypted and its strings can be dumped from the different memory regions. I've posted a small snippet on our [Pastebin.](http://pastebin.com/RBt3M3hq) **VirusTotal Results** ----- swifttransferrecepts_fdp.exe **Additional information** **MD5: 8ce71e40eda2d9304c1e127c60500e0c** **SHA1: 93ef97529dcaa047d023456103827b6f97345caf** **SHA256: e63b24adf9119f7d500167a62d62d3b8a35f4694f8488fc764523fd322fb2dce** **File size: 612.0 KB ( 626688 bytes )** **Detection ratio: 16 / 51** **Analysis date: 2014-04-26 08:52:43 UTC** **Antivirus** **Result** **Update** Ad-Aware Gen:Variant.Zusy.69824 20140426 AegisLab 20140426 Agnitum 20140425 AhnLab-V3 Trojan/Win32.Inject 20140425 AntiVir 20140425 Antiy-AVL 20140426 Avast Win32:VB-AHWF [Trj] 20140426 AVG 20140426 Baidu-International 20140426 BitDefender Gen:Variant.Zusy.69824 20140426 Bkav 20140425 ByteHero 20140426 CAT-QuickHeal 20140425 ----- ClamAV 20140426 CMC 20140424 Commtouch 20140426 Comodo 20140426 DrWeb 20140426 Emsisoft Gen:Variant.Zusy.69824 (B) 20140426 ESET-NOD32 a variant of MSIL/Injector.CUZ 20140426 F-Prot 20140426 F-Secure Gen:Variant.Zusy.69824 20140426 Fortinet MSIL/Injector.CSZ!tr 20140426 GData Gen:Variant.Zusy.69824 20140426 Ikarus 20140426 Jiangmin 20140426 K7AntiVirus 20140425 K7GW 20140425 Kaspersky Trojan.Win32.Fsysna.zcf 20140426 Kingsoft 20140426 Malwarebytes Spyware.Zbot 20140426 McAfee Artemis!8CE71E40EDA2 20140426 McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.E 20140425 Microsoft 20140426 MicroWorld-eScan Gen:Variant.Zusy.69824 20140426 NANO-Antivirus 20140426 Norman 20140426 nProtect 20140425 Panda 20140425 ----- Qihoo-360 Win32/Trojan.53c 20140426 Rising 20140425 Sophos 20140426 SUPERAntiSpyware 20140426 Symantec 20140426 TheHacker 20140425 TotalDefense 20140426 TrendMicro 20140426 TrendMicro-HouseCall TROJ_GEN.F47V0425 20140426 VBA32 20140425 VIPRE 20140425 ViRobot 20140426 -----