Kr4ken is a worm/stealer-type malware in C# designed to maintain persistence on infected systems, evade security defenses, steal sensitive information, and exfiltrate that data to command-and-control (C2) servers.
Main Execution Flow
The program follows this general sequence:
Detects sandboxed or analysis environments.
Generates a unique machine identifier.
Derives a system-specific encryption key.
Attempts to disable AMSI and ETW.
Generates C2 server addresses using a domain generation algorithm (DGA).
Establishes persistence on the host.
Tries to disable antivirus and Windows Defender.
Spreads via USB devices.
Executes process hollowing techniques.
Initiates data theft, exfiltration, and watchdog routines.
In short: it hides itself, installs deeply, steals data, and sends it out.
Key Components
1. Anti-Analysis
Detects suspicious environments by checking for:
Virtual machine indicators (VMware, VirtualBox, etc.)
Analysis tool processes (Wireshark, IDA, x64dbg, etc.)
Debuggers, low system entropy, and time-based anomalies
2. Evasion
Performs in-memory patching of amsi.dll and ntdll.dll
Bypass inspection (AMSI) and avoid traceability (ETW)
3. C2 and DGA
Generates dynamic domain names based on the current date, seed values, and the machine ID. This avoids reliance on fixed infrastructure.
4. Encryption
Uses PBKDF2 with SHA-256 and AES-CBC
Encryption keys are derived from a password combined with machine-specific data, ensuring that exfiltrated data is both encrypted and tied to the compromised host.
5. Process Hollowing
Injects malicious code into legitimate processes such as svchost.exe or explorer.exe to run covertly and evade detection.
6. Persistence
Achieves persistence through:
- Registry keys (Run, RunOnce)
- Scheduled tasks
- A self-recovery watchdog mechanism
7. USB Propagation
Copies the malicious binary to removable drives using decoy filenames (e.g., fake PDFs).
It also hides files and uses an autorun.inf file.
8. Information Theft
Includes several data-gathering modules:
- Keylogger (global hook)
- Browser data theft (Chrome, Edge, Firefox)
- Clipboard monitoring
- Periodic screenshots
9. Exfiltration
Roughly every 35 minutes:
- Collects stolen data
- Compresses and encrypts it
- Sends it via HTTP(S) to the C2 server
- Uses fake User-Agent strings and rotates through multiple servers
SOURCE CODE:
Kr4ken.csproj
To see this hidden content, you need to
"Reply & React" with one of the following reactions:
Like,
Love,
Wow
Kr4ken.cs
To see this hidden content, you need to
"Reply & React" with one of the following reactions:
Like,
Love,
Wow