Jan. 16, 2024, 4:25 p.m. | MalBot

Malware Analysis, News and Indicators - Latest topics malware.news

By: Joshua Platt, Jonathan McCay and Jason Reaves

Keyhole is a multi-functional VNC/Backconnect component used extensively by IcedID/Anubis. While its typical VNC and HDESK capabilities have been reported on previously, little technical information appears to be available about some of the expanded functionality now present. In fact, the functionality we mapped out for the main Keyhole component rivals that of IcedID itself:

  • Collect system information
  • VNC
  • HDESK
  • Socks/Backconnect
  • Console command detonation via cmd.exe …
