Almost a year after Operation SNOWGLOBE was publicly mentioned for the first time by the famous French newspaper Le Monde, security experts have now laid hands on malware samples that match the descriptions made by the Communication Security Establishment Canada (CSEC). The following analysis is the first report about the espionage malware dubbed Babar, which the whole computer security community searched for. After the disclosure about EvilBunny [1], Babar is now a second component identified to be related to Operation SNOWGLOBE and is believed to be coded by the same developers. Babar’s feature set includes keystroke logging, clipboard logging and, most interesting, the possibility to log audio conversations – the elephant has big ears!
https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html

This is an interesting article and sample. The malware contains a good load of code, which is directly visible in a hex editor, making that part a good example for beginners too. You can already get lots of information with just static analysis.
The similarities to EvilBunny are striking. Same spelling mistakes (e.g. Failled), same queries, same error messages.
Also: Lots of authors seem to forget to disable saving debug information in their binaries, which is sometimes quite funny.
The full path
C:\Documents and Settings\admin\Desktop\Babar64\Babar64\obj\DllWrapper Release\Release.pdb
is the path to the debug info.
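As an added example (not from the post or the G DATA article), the static checks described above can be scripted: pull the PDB path out of a CodeView "RSDS" debug record and count the misspelled "Failled" string the post says Babar shares with EvilBunny. Assumptions: it scans raw bytes for the RSDS record instead of walking the PE debug directory, and the sample blob below is constructed, not a real Babar binary.

```python
import re
import struct

# Misspelled string the post notes is shared between Babar and EvilBunny.
SHARED_INDICATORS = [b"Failled"]

def extract_pdb_paths(data: bytes) -> list:
    """Return PDB paths from CodeView 'RSDS' records found in raw bytes.

    RSDS record layout: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.
    Scanning raw bytes (rather than the PE debug directory) is a deliberate
    simplification so this also works on a plain hex-editor dump.
    """
    paths = []
    for m in re.finditer(rb"RSDS", data):
        start = m.end() + 16 + 4           # skip GUID and age
        end = data.find(b"\x00", start)
        if end == -1:
            continue
        path = data[start:end]
        if path.lower().endswith(b".pdb") and path.isascii():
            paths.append(path.decode("ascii"))
    return paths

def find_indicators(data: bytes, indicators=SHARED_INDICATORS) -> dict:
    """Count how often each indicator string occurs in the blob."""
    return {i.decode(): data.count(i) for i in indicators}

def triage(data: bytes) -> dict:
    """Combine both static checks into one result for a sample."""
    return {"pdb_paths": extract_pdb_paths(data), "indicators": find_indicators(data)}

# Constructed sample: a byte blob carrying an RSDS record with the PDB path
# quoted in the post, followed by two strings containing the typo.
SAMPLE = (
    b"\x90" * 8
    + b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)
    + rb"C:\Documents and Settings\admin\Desktop\Babar64\Babar64\obj\DllWrapper Release\Release.pdb"
    + b"\x00" * 4
    + b"Connection Failled\x00Failled to open\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

To use it on a real sample, read the file with open(path, "rb") and pass the bytes to triage().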