HKTL_KEYFINDER
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Hacking Tool
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This hacking tool is used to retrieve the product key (CD key) used to install Windows from the registry. It also has a community-updated configuration file that retrieves product keys for other applications. It can also retrieve product keys from unbootable Windows installations.
This hacking tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 1,004,072 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 06 Apr 2011
Arrival Details
This hacking tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This hacking tool drops the following files:
- %System Root%\Documents and Settings\All Users\Start Menu\Programs\KeyFinder\KeyFinder on the Web.url
- %System Root%\Documents and Settings\All Users\Start Menu\Programs\KeyFinder\KeyFinder.lnk
- %System Root%\Documents and Settings\All Users\Start Menu\Programs\KeyFinder\Uninstall KeyFinder.lnk
- %Program Files%\Magical Jelly Bean\keyfinder.cfg
- %Program Files%\Magical Jelly Bean\keyfinder.exe
- %Program Files%\Magical Jelly Bean\unins000.dat
- %Program Files%\Magical Jelly Bean\unins000.exe
(Note: %System Root% is the root folder, usually C:\, and is also where the operating system is located. %Program Files% is the default Program Files folder, usually C:\Program Files.)
It creates the following folders:
- %System Root%\Documents and Settings\All Users\Start Menu\Programs\KeyFinder
- %Program Files%\Magical Jelly Bean
Other System Modifications
This hacking tool adds the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Magical Jelly Bean
- HKEY_LOCAL_MACHINE\SOFTWARE\Magical Jelly Bean\OpenCandy
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeyFinder_is1
It adds the following registry entries as part of its installation routine:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeyFinder_is1
  Inno Setup: App Path = "%Program Files%\Magical Jelly Bean"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeyFinder_is1
  InstallLocation = "%Program Files%\Magical Jelly Bean\"