![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/02\/01_VersionInfo.png\")
On execution, this file creates a copy of itself in following directory:<\/p>\n
C:\\Users\\<USER>\\AppData\\Local\\Microsoft\\Windows\\mshtinr.exe<\/i><\/em><\/p>\n It also drops a DLL at same location as \u2018mshtinr.dll\u2019. <\/i><\/em>Then it creates a process \u2018svchost.exe\u2019<\/i><\/em>\u00a0using \u2018CreateProcessA\u2019<\/i><\/em>\u00a0windows API in suspended state. Further,\u00a0it decrypts a DLL code in memory and that DLL is injected in target process i.e. \u2018svchost.exe\u2019. <\/i><\/em>Using multiple \u2018WriteProcessMemory\u2019\u00a0<\/i><\/em>API calls, it imports required modules and APIs in the newly created process and finally transfers the control to the DLL. Before that,\u00a0the sample sets values in the following registry key:<\/p>\n HKCU\\Software\\Microsoft\\Internet Explorer\\Prefs<\/i><\/em><\/p>\n Later these values are accessed by the target process i.e. \u2018svchost.exe\u2019.<\/i><\/em><\/p>\n The \u2018svchost.exe\u2019<\/i><\/em>\u00a0process drops couple of files at following location:<\/p>\n C:\\Users\\<USER>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\gjs.tmp<\/i><\/em><\/p>\n C:\\Users\\<USER>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\<Number>.tmp<\/i><\/em><\/p>\n The \u2018gjs.tmp\u2019<\/i><\/em>\u00a0file contains multiple functions\u00a0for handling SQLite database and latter is the copy of Google Chrome user login data file,\u00a0generally found at following location:<\/p>\n “C:\\Users\\<USER>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data”<\/i><\/em><\/p>\n The .tmp file (named with some numerical values) contains the login information for the portals accessed through Chrome. This file is a\u00a0SQLite database having credentials information in it.<\/p>\n This SQLite database contains following tables related to login information and other metadata information:<\/p>\n Below is an example of login information and credential captured in database.<\/p>\n The dropped file \u2018gjs.tmp\u2019<\/i><\/em>\u00a0is loaded in the memory and control is then transferred to it. This shared library queries the data to the SQLite DB i.e. copy of Login Data. Once the required information is retrieved, it deletes the database file.<\/p>\n We have also found keylogging activity in the svchost.exe process. It uses APIs like KeyboardType, KeyboardLayout, GetKeystate, etc. for the same.<\/p>\n All the keylogging output is stored in a file:<\/p>\n “C:\\Users\\<USER>\\AppData\\Local\\Microsoft\\Windows\\mshtiner.ihg\u201d<\/i><\/em><\/p>\n This information is stored in encrypted form. Further it copies this file to \u2018elmshtinr.ihg\u2019 <\/i><\/em>at same location and deletes the original one.<\/p>\n Once all the data collection process is done, it sends the data to pre-defined email-id that is found in the process memory. The e-mail is composed using Microsoft\u2019s CDO library over port 465 which is generally used for SMTPS protocol. The email-id to which data is sent was on gmail and source email-id was on \u2019totallyanonymous.com<\/i><\/em>\u2019<\/i><\/em>\u00a0with pre-defined credentials. Email-ids and FTP on \u2019totallyanonymous.com<\/i><\/em>\u2019<\/i><\/em>\u00a0were often observed\u00a0previously\u00a0during malware analysis cases.<\/p>\n Also, the sample changes the last modified date for all the created files to \u201820-Nov-2010 7:24 PM\u2019. So, in case we observed these files, the last modification date may confuse us\u00a0regarding the genuineness of these files.<\/p>\n IOCs:<\/b><\/strong><\/p>\n Summary:<\/b><\/strong><\/p>\n <\/p>\n Subject Matter Expert:<\/b><\/strong><\/p>\n Rahul Sharma, Quick Heal Security Labs.<\/p>\n","protected":false},"excerpt":{"rendered":" Phishing email still remains one of the top malware propagation medium. Recently,\u00a0we came across an interesting phishing email containing couple of Jumpshare links pointing to malicious components. Jumpshare is an\u00a0online file sharing service and often cyber criminals abuse\u00a0these kind of file sharing services. Upon clicking on one of the links\u00a0in phishing mail, an executable file […]<\/p>\n","protected":false},"author":47,"featured_media":88489,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1529,21,24,773,303,842,5,293],"tags":[1709,1713,1704,1705,1703,1702,1707,207,1710,1706,1714,1715,1711,1712,1708],"class_list":["post-88475","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-breach","category-email","category-malware","category-online-privacy-2","category-phishing","category-privacy","category-security","category-spam","tag-90daydemopurplecdr2019-analysis-software-exe","tag-cdo-library","tag-exfiltration","tag-gjs-tmp","tag-info-stealer","tag-information-stealer","tag-jumpshare","tag-keylogger","tag-mshtinr-dll","tag-mshtinr-exe","tag-port-465","tag-smtps-protocol","tag-stp-media","tag-stpmedia-exe","tag-totallyanonymous-com"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88475"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/47"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=88475"}],"version-history":[{"count":7,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88475\/revisions"}],"predecessor-version":[{"id":88496,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88475\/revisions\/88496"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/88489"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=88475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=88475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=88475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/02\/02_registry-650x110.png\")
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/02\/04_SQLite-schema-for-Chrome-Login-Data.png\")
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/02\/05_Stored-credential-in-SQLite.png\")
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/02\/07_SQLite-query-execution.jpg\")
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/02\/08_keylogging.png\")
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/02\/09_Interesting-strings.jpg\")
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2020\/02\/10_Modified-dates-of-newly-created-files.png\")
\n\n
\n Filename<\/td>\n MD5<\/td>\n<\/tr>\n \n 90DayDemoPurpleCDR2019-Analysis-Software.exe<\/td>\n EE279BB854CA338BF50A3A682830C4E5<\/td>\n<\/tr>\n \n mshtinr.exe<\/td>\n EE279BB854CA338BF50A3A682830C4E5<\/td>\n<\/tr>\n \n mshtinr.dll<\/td>\n D3EAEC2B55A2D24289B03EB86EA2166D<\/td>\n<\/tr>\n \n gjs.tmp<\/td>\n 1023DF7ABD2D9B7F0BDC77024C978F0B<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \n