• Demystifying zfkeymonitor.exe

    by  • February 2, 2012 • Uncategorized

    Update: Upon further analysis of this and other files that appeared releated, this dropper appears to be a modified version of zxshell. 

    Thanks to Binjo for the translation help and Nick Bloor for assisting with testing and analyzing zfkeymonitor.exe. 

    A couple weeks back I did a write-up on one of the CVE-2011-2462 files that used AESV3 and dropped zfkeymonitor.exe (3765ea5a84df0240f550648a512205fd) along with svchost.exe (5d8d3373f1ded2ee3c0edf9e4dbf117a) and a couple DLLs. At the time it was unclear what role, if any, zfkeymonitor played in the exploit, but more importantly, it was unclear what this exe was or where it came from.

    Below is a detailed technical analysis of the files dropped on the system, how they work together and a bit about the malware itself. In between the analysis will be some information on zfkeymonitor and a bit of background behind the file and its true use. 

    After executing the PDF file, svchost.exe is dropped on the system and executed. If we disassemble and view the imports and strings a couple details stick out. Specifically the use of WinRar in the executable and the call made to ShellExecuteExW.

    After walking through several of the subroutines that branch from the main switching cases, the following functionality appears to be present.

    • spawn command shell
    • restart the host
    • shutdown the host
    • uninstall all files from the host
    • capture user screens
    • record and transmit video
    • record keyboard events

    When transmitting back to the C2, it appears that the malware writes to HostID.dat as a temporary location to store the data and then deletes the file. 


    At present, the only vendor to mention or even try to associate this dropper to a class of malware is Microsoft. Unfortunately, they classify this entire threat as “zfkeymonitor” which does not appear accurate.


    Dropped files on the system:

    • scvhost.exe (core dropper)
    • DAT files (used to construct EXE and DLLs)
    • zfulib.dll (deleted)
    • zfulibblock.dll (failed to delete)
    • ini.ini (main configuration)
    • exit.log (never used)
    • zfkeymonitor.exe (deleted)
    • clean PDF document
    • rundll32.dll

    DAT files are XOR encoded using 0x05 as the key and decode to reveal the following:

    • zblock – zfkeymonitor.exe
    • iblock – install.dll (registry settings and loading)
    • mblock – mydll.dll (malware functionality)

    Command and Control

    • Windows Server 2003 Enterprise Edition (Chinese language pack)