Below is the ‘Video’. It’s a RAR archive actually containing two executable files. These two files are almost the same except the icon.
The malware will connect to a remote server via TCP port 80 and download a new file packed by Themida.
That’s very simple Downloader/Backdoor behavior and we are only interested in looking for key logging code for Diablo III so we didn’t pay much attention to it.
But an astonishing scene staged at this time. A chatting dialog popped up with a text message (translated from the image below):
Hacker: What are you doing? Why are you researching my Trojan?
Hacker: What do you want from it?
The dialog is not from any software installed in our virtual machine. On the contrary, it’s an integrated function of the backdoor and the message is sent from the hacker who wrote the Trojan. Amazing, isn’t it? It seems that the hacker was online and he realized that we were debugging his baby.
We felt interested and continued to chat with him. He was really arrogant. (Translated from the image below):
Chicken: I didn’t know you can see my screen.
Hacker: I would like to see your face, but what a pity you don’t have a camera.a
He is telling the truth. This backdoor has powerful functions like monitoring victim’s screen, mouse controlling, viewing process and modules, and even camera controlling.
We then chatted with hacker for some time, pretending that we were green hands and would like to buy some Trojan from him. But this hacker was not so foolish to tell us all the truth. He then shut down our system remotely.
Regarding this malware, no Diablo III key logging code was captured. What it really wants to steal is dial up connection’s username and password.