Malware: Suspicious Time Tracker with keylogger

Hello World. 

Today, while hunting for new suspicious Electron-based applications, I ran across Daily Time Tracker. While hunting, I noticed these trackers appear to talk to app.dailytimetrack[.]com. The applications in question also appear to drop a lot of Python files. Take this file for example: dailytimetracker.exe.

Well, that's interesting. So, I decided, why not go to dailytimetrack[.]com and download this application and start looking at it.

Wouldn't you know it though, to my surprise, the version I got from there wasn't Python-based malware, but rather JS-based malware wrapped inside an Electron application!

The downloaded installer is an NSIS installer, which can be extracted easily enough with 7-Zip.

This has an app-64.7z file which then unpacks all the Electron-based app data. At a glance, there isn't too much that's super interesting about the main.js/preload.js files. Some oddities, like code to not actually close the app when you close it, and a ton of commented-out code.



I initially ran this, like I do with many Electron/JS-based apps, through the command line with --inspect. Wouldn't you know it, I was instantly greeted with what looks like a keylogger!




As I continued to dig, I found, through Process Hacker, that WinKeyServer.exe was also running from Daily Time Tracker. This appears to be a known keylogger. This also appeared to possibly save keylog data to AppData\Roaming\app_daily_time_tracker.


Here is a screenshot of some of the network traffic:



At this point, I'm still investigating, and I'm not 100% sure what the connection is between the version I have and the Python versions I found through VirusTotal Hunting, other than the app.dailytimetrack[.]com domain.

I don't have an attribution for this malware yet, other than it's a trojan time tracker that has keylogging capabilities. 
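
A small sweep for the indicators named in this post (the dailytimetrack[.]com domain, WinKeyServer.exe, and the AppData\Roaming\app_daily_time_tracker folder), added here as an example and not part of the original analysis. It assumes events exported as dicts using Sysmon's field names (event IDs 1, 22 and 11); the sample events, paths and host names are constructed.

```python
import ntpath

# Indicators from the write-up above (domain refanged for matching).
DOMAIN = "dailytimetrack.com"
KEYLOGGER_IMAGE = "winkeyserver.exe"
DATA_DIR = "\\appdata\\roaming\\app_daily_time_tracker"

def refang(name):
    """Undo common defanging and normalise a DNS name for comparison."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()

def domain_matches(query, indicator=DOMAIN):
    """True for the indicator or any subdomain, matched on a label boundary."""
    q = refang(query)
    return q == indicator or q.endswith("." + indicator)

def check_event(ev):
    """Return the findings for one Sysmon-style event dict."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1 and ntpath.basename(ev.get("Image", "")).lower() == KEYLOGGER_IMAGE:
        hits.append("keylogger-process")      # process creation
    elif eid == 22 and domain_matches(ev.get("QueryName", "")):
        hits.append("tracker-domain-lookup")  # DNS query
    elif eid == 11:                           # file creation
        path = ev.get("TargetFilename", "").lower()
        if DATA_DIR + "\\" in path + "\\":    # match the folder, not a prefix of it
            hits.append("app-data-dir-write")
    return hits

def sweep(events):
    """Group findings by host so one machine's hits are triaged together."""
    by_host = {}
    for ev in events:
        for hit in check_event(ev):
            by_host.setdefault(ev.get("Computer", "?"), set()).add(hit)
    return by_host

# Constructed sample events (not taken from a real host).
SAMPLE = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\sample\WinKeyServer.exe"},
    {"EventID": 22, "Computer": "WS01", "QueryName": "app.dailytimetrack.com."},
    {"EventID": 11, "Computer": "WS01", "TargetFilename": r"C:\Users\u\AppData\Roaming\app_daily_time_tracker\sample.dat"},
    {"EventID": 22, "Computer": "WS02", "QueryName": "notdailytimetrack.com"},
    {"EventID": 11, "Computer": "WS02", "TargetFilename": r"C:\Users\u\AppData\Roaming\app_daily_time_tracker_old\x"},
]

if __name__ == "__main__":
    print(sweep(SAMPLE))
```

A host showing all three findings together is a stronger signal than the domain lookup alone, since the domain may also be reached by someone simply visiting the site.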


