We will now use IDA Pro to look at the
assembly code of the malware.
Drag the malware into IDA Pro and a few
dialogs will appear.
Just click OK and close them.
This is the assembly code of the malware.
This is part of the malware in graph view.
The actual start of the malware (its entry point) is here!
This is the malware and its subroutines, pretty
messy eh?
The start is in green, the pink boxes are the
imported functions the malware calls, and the black
boxes are its own subroutines.
We will now jump to one of the main
subroutines of the malware.
This call creates a new folder on the victim's
computer.
This string is the path where it goes!
Aha! The malware is going to create a mutex!
(Malware usually creates a named mutex so that only
one copy of itself runs, which also makes the mutex
name a handy host-based indicator.)
It is also going to use sockets!
Keylogging malware, eh?
This subroutine probably creates a folder in the
Windows system directory, then connects to the
internet and waits to capture keystrokes!
Let's now look at the second subroutine!
Could this be where the captured keystrokes
are stored?
A private message?
Aha! The keylogger starts at this point!
It logs the victim's keystrokes, and its output goes
to a DCC chat (DCC is IRC's direct client-to-client
channel).
Keylogging stopped!
It opens a command prompt (cmd) on the victim's machine.
This is the end of the second subroutine!
This subroutine probably turns keylogging on and off,
opens a cmd on the victim's machine, and stores or
sends the captured keystrokes somewhere.
Now on to our third subroutine!
The malware is trying to open a file!
This call converts an IP address written as a string
(dotted quad) into the binary form the socket
functions expect!
Ah, the malware completes a file transfer!
Probably using the file it opened just now?
Finally, it closes the socket!
This subroutine probably listens for a
connection, connects using the IP address it
converted from a string, and then transfers files!
These are the functions of the malware!
A lot, huh?
The exports and imports!
The strings of the malware!
Imports and strings are the quickest triage: the
imported API names tell you what the sample can do,
and the strings often leak the C2 address, file
paths and command names.
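As an added example (not code from this walkthrough or from the sample it analyses), the script below does by hand what the walkthrough does by eye in IDA: it groups the imported API names by the capability they suggest (mutex, drop folder, sockets, keylogging, command shell, file transfer, covering the first, second and third subroutines above) and scans extracted strings for IRC commands, hard-coded IP endpoints and Windows paths. The API groups, the sample import list and the byte blob are all assumptions or constructed inputs; `imports_from_ida()` is the only part that touches a real IDA database, and outside IDA it simply returns None.

```python
"""Import and string triage, the way the IDA walkthrough does it by eye.

Added example; it is not code from the walkthrough or from the sample it
analyses. The API-name groups and every sample input below are
assumptions / constructed data for illustration.
"""
import re
from collections import defaultdict

# Assumed capability groups: common Win32 APIs, not taken from the sample.
CAPABILITIES = {
    "mutex": {"CreateMutexA", "CreateMutexW", "OpenMutexA", "OpenMutexW"},
    "drop folder": {"CreateDirectoryA", "CreateDirectoryW",
                    "GetSystemDirectoryA", "GetSystemDirectoryW"},
    "networking": {"WSAStartup", "socket", "connect", "bind", "listen", "accept",
                   "send", "recv", "inet_addr", "gethostbyname", "closesocket"},
    "keylogging": {"GetAsyncKeyState", "GetKeyState", "SetWindowsHookExA",
                   "SetWindowsHookExW", "GetForegroundWindow"},
    "command shell": {"CreateProcessA", "CreateProcessW", "WinExec",
                      "ShellExecuteA", "CreatePipe"},
    "file transfer": {"CreateFileA", "CreateFileW", "ReadFile", "WriteFile",
                      "URLDownloadToFileA"},
}


def classify_imports(names):
    """Group imported API names by the capability they suggest."""
    hits = defaultdict(set)
    for name in names:
        for tag, apis in CAPABILITIES.items():
            if name in apis:
                hits[tag].add(name)
    return {tag: sorted(found) for tag, found in hits.items()}


def extract_strings(data, min_len=5):
    """Printable ASCII and UTF-16LE runs, like IDA's Strings window.

    The negative lookbehind on the wide pattern stops the last byte of a
    preceding ASCII string ("...6667\\0k\\0e\\0y...") from being glued onto
    the UTF-16 string that follows it.
    """
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?<![\x20-\x7e])(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_re, data)]
    found += [m.group().decode("utf-16le") for m in re.finditer(wide_re, data)]
    return found


IRC_COMMAND = re.compile(r"^(PRIVMSG|DCC|NICK|JOIN|USER)\b")
IPV4_ENDPOINT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")
WIN_PATH = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z]+%)")


def string_indicators(strings):
    """Tag strings that point at IRC C2, hard-coded endpoints or drop paths."""
    found = defaultdict(list)
    for s in strings:
        if IRC_COMMAND.match(s):
            found["irc command"].append(s)
        if IPV4_ENDPOINT.match(s):
            found["hardcoded endpoint"].append(s)
        if WIN_PATH.match(s):
            found["filesystem path"].append(s)
    return dict(found)


def imports_from_ida():
    """Inside IDA, read the import table with IDAPython; elsewhere return None."""
    try:
        import ida_nalt  # only present when run from IDA's Python console
    except ImportError:
        return None
    names = []

    def on_import(ea, name, ordinal):
        if name:
            names.append(name)
        return True  # keep enumerating

    for i in range(ida_nalt.get_import_module_qty()):
        ida_nalt.enum_import_names(i, on_import)
    return names


# Constructed sample: an import list and a raw byte blob standing in for a
# data section. Neither comes from the walkthrough's sample.
SAMPLE_IMPORTS = ["CreateMutexA", "CreateDirectoryA", "WSAStartup", "socket",
                  "connect", "inet_addr", "send", "recv", "closesocket",
                  "GetAsyncKeyState", "CreateProcessA", "CreateFileA",
                  "WriteFile", "GetTickCount"]
SAMPLE_BYTES = (
    b"\x00\x00PRIVMSG #keys :\x00\x00"
    b"DCC CHAT chat\x00"
    b"C:\\Windows\\system32\\sysupd\\\x00"
    b"192.0.2.10:6667\x00"
    b"k\x00e\x00y\x00l\x00o\x00g\x00.\x00t\x00x\x00t\x00\x00\x00"
    b"\x01\x02\x03ab"
)


def triage(imports, data):
    """One report: capabilities from imports plus indicators from strings."""
    return {"capabilities": classify_imports(imports),
            "indicators": string_indicators(extract_strings(data))}


if __name__ == "__main__":
    report = triage(imports_from_ida() or SAMPLE_IMPORTS, SAMPLE_BYTES)
    for section, items in report.items():
        print(section)
        for tag, values in items.items():
            print(f"  {tag}: {', '.join(values)}")
```

Run it from a normal Python prompt and it triages the constructed sample; paste it into IDA's Python console and `imports_from_ida()` feeds the real import table into the same classifier. The lookbehind in `extract_strings` matters in practice: without it the "7" that ends "192.0.2.10:6667" is swallowed into the UTF-16 "keylog.txt" that follows it, which is exactly the kind of false string a naive extractor produces.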
That's all for IDA!
