Predator Pwned

Note: this is a blogpost I wrote somewhere mid 2017 on my old site. I recovered it using archive.org.

What is the easiest way to find a malware sample to mess around with? Just search on YouTube for "minecraft force op hack", "habbo free money hack download", "clash of clans gems hack", etc. I do this quite a lot when I'm bored: just download some virus, run it in a VM, analyze it (get the IP of a potential C&C; server and report it to their ISP), report the YouTube video with a VirusTotal scan as proof...

Today, however, I ran into a keylogger. Apparently it's called "predator pain v13". The nice thing about this keylogger is that it's made in .NET, which means it's really easy to decompile it (get the actual code). I quickly found some encrypted variables: encryptedemailstring, encryptedpassstring and encryptedsmtpstring. These are used to send the stolen passwords via an email to the "creator" (predator pain is a premade keylogger for script kiddies). There were some other encrypted variables (for uploading the keylogs to an FTP server and passing them as a GET request to a PHP page), but in this case, they just contained placeholder text (which I found out after decrypting them).

Screenshot of decompiled source code showing the variables encryptedemailstring, encryptedpassstring and encryptedsmtpstring (and a bunch of other stuff)

Now I was like "Shit. They are encrypted. It will probably take quite a while to find the key, as it's probably obfuscated and burried somewhere in the code." But of course not. I just searched for "decrypt" using CTRL + F and... robot voice Key acquired.

Screenshot of the Decrypt() function being run with the decryption key "PredatorLogger"

So I copied the decryption function from the decompiled code because I'm lazy. I made a simple console program for it that decrypts a string (by the way, the key was "PredatorLogger", how original).

Screenshot of the decryption program I wrote to decrypt the obfuscated variables

Finally, I logged into the email account, deleted all the logs and changed the password, to make sure if other computers get infected, they at least can't send the logs (because it will try to send them with the old password). The password now is a 12 character long random generated password (that site didn't allow me to use a password longer than 12 characters for some reason). And if the "hacker" somehow manages to do a password reset, there will be quite a lot of daily bible quotes waiting for him.

Predator pain? More like...
Puts on sunglasses
Predator pwned.