Ways of sending stolen data
The detected keyloggers use the following methods to send the stolen information:
SMTP: Sends the stolen data by email through an SMTP server on port 587.
FTP upload: Uploads the log file to an FTP server.
Web request/PHP: Sends the data as web requests to a web server.
Each keylogger sends the stolen information to a predetermined email address, using the following subject lines:
Keylogger: Predator
  First run: Predator Pain v13 – Server Ran – [ComputerName]
  Data stolen: Predator Pain v13 | Stealer Log – [ComputerName]

Keylogger: Knight Logger
  First run: FIRST RUN Knight Logger first run Username@ComputerName
  Data stolen: [ACCOUNT] Knight Logger of [Username]@[ComputerName]

Keylogger: iSpy
  First run: iSpy Keylogger – Notification – ComputerName\UserName
  Data stolen: iSpy Keylogger – WebCam – ComputerName\UserName
               iSpy Keylogger – Screenshot – ComputerName\UserName
               iSpy Keylogger – Password Recovery – ComputerName\UserName
               iSpy Keylogger – Clipboard – KeyStroke – ComputerName\UserName
Activity of iSpy logger
iSpy Logger, when executed, disables Command Prompt, Task Manager and Registry Editor by setting the following values under the registry key
Software\Policies\Microsoft\Windows\System:
“DisableCMD” = 1
“DisableTaskMgr” = 1
“DisableRegistryTools” = 1
Preventing antivirus program processes from working
To evade detection by antivirus programs, the malware disables their processes by setting an Image File Execution Options debugger entry in the registry:
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[ProcessName]\Debugger”
iSpy sets this value to “rundll32.exe”.
ProcessName is taken from the following list:
rstrui.exe AvastSvc.exe avconfig.exe AvastUI.exe
instup.exe mbam.exe mbamgui.exe mbampt.exe
mbamservice.exe hijackthis.exe spybotsd.exe ccuac.exe
avguard.exe avgnt.exe avgui.exe avgcsrvx.exe
avgrsx.exe avgwdsvc.exe egui.exe zlclient.exe
keyscrambler.exe avp.exe wireshark.exe ComboFix.exe
MpCmdRun.exe msseces.exe MsMpEng.exe avscan.exe
mbamscheduler.exe avcenter.exe avgidsagent.exe bdagent.exe
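As an added example, not part of the original report: a PowerShell audit that checks a host for the two registry artifacts described above, the Image File Execution Options Debugger entries on the listed security tool processes and the policy values that disable Command Prompt, Task Manager and Registry Editor. The process list is taken from the table above; checking the HKCU hive as well as HKLM is an assumption of this script, not something the report states.

```powershell
# Added example (not from the original report): read-only audit of the registry
# artifacts described above. Run from an elevated PowerShell 5+ prompt.

# Process names the report lists as IFEO "Debugger" targets (copied from the table above).
$WatchedProcesses = @(
    'rstrui.exe','AvastSvc.exe','avconfig.exe','AvastUI.exe','instup.exe','mbam.exe',
    'mbamgui.exe','mbampt.exe','mbamservice.exe','hijackthis.exe','spybotsd.exe','ccuac.exe',
    'avguard.exe','avgnt.exe','avgui.exe','avgcsrvx.exe','avgrsx.exe','avgwdsvc.exe','egui.exe',
    'zlclient.exe','keyscrambler.exe','avp.exe','wireshark.exe','ComboFix.exe','MpCmdRun.exe',
    'msseces.exe','MsMpEng.exe','avscan.exe','mbamscheduler.exe','avcenter.exe','avgidsagent.exe',
    'bdagent.exe'
)

$Findings = @()

# 1. Image File Execution Options: any Debugger value deserves review; rundll32.exe set as
#    the debugger of a security tool matches the iSpy behaviour described in the report.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        # -contains is case-insensitive, so MsMpEng.exe and msmpeng.exe both match
        $severity = if (($WatchedProcesses -contains $_.PSChildName) -and ($debugger -match 'rundll32')) { 'High' } else { 'Review' }
        $Findings += [pscustomobject]@{ Severity = $severity; Artifact = "IFEO\$($_.PSChildName)"; Value = $debugger }
    }
}

# 2. Policy values that disable cmd.exe, Task Manager and Registry Editor.
#    The report names Software\Policies\Microsoft\Windows\System; HKCU is an added assumption.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System'
)
foreach ($key in $PolicyKeys) {
    foreach ($name in 'DisableCMD','DisableTaskMgr','DisableRegistryTools') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $value -and $value -ne 0) {
            $Findings += [pscustomobject]@{ Severity = 'High'; Artifact = "$key\$name"; Value = $value }
        }
    }
}

if ($Findings) { $Findings | Sort-Object Severity | Format-Table -AutoSize } else { 'No matching artifacts found.' }
```

A Debugger value on any IFEO subkey is not proof of infection (legitimate debugging and application compatibility tools use it too), so entries marked Review should be confirmed against known administrative changes before remediation.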
Communication via email
Screenshot Capturing
iSpy takes screenshots of the victim’s desktop and uploads them to the web server hxxp://sm.uploads.im/[Filename.png]. The resulting link is sent as an email with the following subject line:
“iSpy Keylogger – Screenshot – ComputerName\UserName”