
TrojanSpy:Win32/Skygofree


First posted on 26 January 2018.
Source: Microsoft

Aliases :

There are no other names known for TrojanSpy:Win32/Skygofree.

Explanation :

This threat is a trojan that originated as Android spyware giving the attacker full remote access to the infected mobile device. It uses techniques previously unseen in the wild to record the activity of WhatsApp users.

The Android implant supports 12 attacker commands for carrying out malicious actions on Android smartphones and tablets. The attackers have since developed a Windows variant, which this entry describes.

When installed on Windows, the spyware consists of the following components:

  • Audio.exe
  • keylogger.exe
  • Msconf.exe
  • Network.exe
  • REcodin_2.exe
  • ScreenShot.exe



The above components are written in Python and packaged with the py2exe tool, which lets them run on a host that has no Python runtime installed. The exception is REcodin_2.exe, a .NET executable used to monitor Skype calls.

This threat also creates a Run entry (Software\Microsoft\Windows\CurrentVersion\Run) so that it starts again after a reboot.
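The Run-key persistence and the component names above give a defender something concrete to hunt for. The script below is an added example, not code from Microsoft's write-up: it takes the value-name/command-line pairs of a Run key and flags any entry whose launched program is one of the listed component files, parsing quoted and unquoted command lines. The install paths in the constructed sample entries are assumptions (the page does not say where the files are dropped), and read_hkcu_run_entries is a hypothetical helper that only does anything on Windows.

```python
"""Flag Run-key autostart entries that launch the Skygofree Windows components.

Added example, not from Microsoft's write-up. The component file names come
from the page; the sample Run-key values and their paths are constructed.
"""
import ntpath
import sys

# Component file names listed in the write-up (file names are case-insensitive on Windows).
SKYGOFREE_COMPONENTS = {
    "audio.exe",
    "keylogger.exe",
    "msconf.exe",
    "network.exe",
    "recodin_2.exe",
    "screenshot.exe",
}

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def executable_basename(command):
    """Return the lower-cased file name of the program a Run value launches.

    Run values are command lines. The program may be quoted ("C:\\p q\\x.exe" /arg)
    or bare (C:\\p\\x.exe /arg): take the first token, then strip the directory.
    """
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split()[0]
    return ntpath.basename(program).lower()


def find_skygofree_entries(entries):
    """entries: iterable of (value_name, command_line) pairs read from a Run key.

    Returns the entries whose launched program matches a known component name.
    """
    return [(name, command) for name, command in entries
            if executable_basename(command) in SKYGOFREE_COMPONENTS]


def read_hkcu_run_entries():
    """Hypothetical helper: read HKCU\\...\\Run on Windows, return [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(value)))
            index += 1
    return entries


# Constructed sample Run-key values: two benign entries, three mimicking the components.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("audio", r"C:\Users\alice\AppData\Roaming\svc\Audio.exe"),          # assumed path
    ("kl", r'"C:\ProgramData\upd\keylogger.exe" -s'),                    # assumed path
    ("rec", r"C:\ProgramData\upd\REcodin_2.exe"),                        # assumed path
]

if __name__ == "__main__":
    live = read_hkcu_run_entries()
    for name, command in find_skygofree_entries(live or SAMPLE_ENTRIES):
        print(f"suspicious Run entry {name!r}: {command}")
```

Matching on file name alone is deliberately broad (a legitimate Audio.exe exists on some systems), so treat a hit as a lead to confirm against the SHA256 list below rather than as a verdict. Check HKLM's Run key and the RunOnce keys with the same logic if you adapt the helper.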

Payload

Connects to a remote host

We have seen this threat connect to a remote host, including the following Command and Control (C2) servers:
  • 79.3.197.89
  • 217.194.13.133
  • negg1.ddns.net
  • url.plus
The malware connects to a remote host to receive commands (backdoor access and control) and to send information stolen from the infected device to the attacker.
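The four C2 indicators above are the ones most sites can check retrospectively in DNS, proxy and firewall logs. The script below is an added example, not code from Microsoft's write-up: it tokenises log lines, matches the two IP addresses as whole addresses only (so 79.3.197.89 is not reported inside 179.3.197.89 or 79.3.197.891) and matches the two domains as exact hosts or subdomains (so myurl.plus is not reported for url.plus). The log format of the constructed sample lines is an assumption; the timestamps and client addresses in them are invented.

```python
"""Match the Skygofree C2 indicators against DNS, proxy and firewall log lines.

Added example, not from Microsoft's write-up. The indicators are the ones the
page lists; the log lines are constructed and their format is assumed.
"""
import re

C2_IPS = {"79.3.197.89", "217.194.13.133"}
C2_DOMAINS = {"negg1.ddns.net", "url.plus"}

# Whole dotted quads only: no digit or dot may directly precede or follow the match.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Hostnames: two or more labels of letters, digits and hyphens; not glued to
# surrounding word characters, so "myurl.plus" is one host, not "url.plus".
HOST_RE = re.compile(
    r"(?<![\w.-])([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)(?![\w.-])",
    re.IGNORECASE,
)


def domain_matches(host):
    """Return the listed C2 domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def match_c2_indicators(lines):
    """Return (line_number, indicator, line) for each C2 indicator seen per line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        seen = set()  # report each indicator once per line
        for ip in IPV4_RE.findall(line):
            if ip in C2_IPS and ip not in seen:
                seen.add(ip)
                hits.append((number, ip, line))
        for host in HOST_RE.findall(line):
            domain = domain_matches(host)
            if domain and domain not in seen:
                seen.add(domain)
                hits.append((number, domain, line))
    return hits


# Constructed sample log lines (format assumed): lines 1, 2 and 6 touch an indicator,
# lines 4 and 5 are look-alikes that must not match.
SAMPLE_LOG = [
    "2018-01-20T10:02:11Z dns client=10.0.0.15 query=negg1.ddns.net type=A answer=79.3.197.89",
    "2018-01-20T10:02:12Z proxy client=10.0.0.15 GET http://url.plus/upload.php status=200",
    "2018-01-20T10:03:40Z dns client=10.0.0.22 query=www.example.com type=A answer=93.184.216.34",
    "2018-01-20T10:04:05Z proxy client=10.0.0.22 GET http://myurl.plus/index.html status=200",
    "2018-01-20T10:05:00Z fw client=10.0.0.31 dst=179.3.197.89:443 action=allow",
    "2018-01-20T10:06:30Z fw client=10.0.0.15 dst=217.194.13.133:8080 action=allow",
]

if __name__ == "__main__":
    for number, indicator, line in match_c2_indicators(SAMPLE_LOG):
        print(f"line {number}: {indicator} in: {line}")
```

negg1.ddns.net is a dynamic-DNS name, so the address it resolved to at the time of an event matters more than the IP list; keep the DNS answer field in scope when you pivot from a domain hit to connection logs.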



Allows backdoor access and control

This threat can give a malicious hacker access to and control of your PC. They can then perform any of the following actions without your consent:
  • Executing arbitrary commands such as taking pictures or recording audio
  • Gathering personal information such as your user names, passwords, card numbers, messages, and other important information
  • Changing some of your device settings, such as periodically sending system notifications, setting itself as your favorite app, and monitoring popular apps - Facebook Messenger, Skype, Viber, and WhatsApp
This analysis was published using the following sample files (SHA256):

Windows samples:
  • 012966cc1b714531790dd3f5f6cc040b2232fea98b0dbe56a24b13ae72160be5
  • 74b1d9c27313dd8a266bf3011896cc9673653a84c2475bed483fa72a1dfb9361
  • 5f567844bd0da47426d14426d8acbfefad6426c1139648969e3b0dd5352d3ed5
  • c74108a74a9afd47eee894921784fd1ea26a80627afd2fe2103b388abafdc2cc
  • 7a35a20bb3fc5d879b99a71d9c5c5475752b900a3082aa5c4f2d6d23aa78dee2
  • 48477ffcc2cf57e34fbc45599efa830620dc18139dbbb8dfe59d56fd87728b25


Android samples:

  • f241af9ba7501e28974729c229b445ee709a7ef438448b6e9f88ff7ff7228cb2
  • e6aba7629608a525b020f4e76e4694d6d478dd9561d934813004b6903d66e44c
  • af848999a4b8df0e33f5a05a618c83d1f3052d4026ab77b2acf66def71df754e
  • 2d087d89364b22d180a7e8e923a6dca5fd6d131dad12db9dd2a2ae5c4b9d9675
  • 1fa0d2414e029c042eb78d4f53010c3af161edb815e97a021c24f8a03033a07
  • 78a81cc9b7caac10a7c68be8496d948121abc5f4df9a098f2e1469ddbea55be0

Last update 26 January 2018
