The calls CreateDesktopA("LuckyMouse") and SwitchDesktop move the process to a private desktop, which blanks your screen and hides any UI on a black/empty desktop.
The call NtSetInformationThread(..., 17) (ThreadHideFromDebugger) is an anti-debug tactic that stops debug events, including first-chance exceptions, from reaching WinDbg/IDA.
To debug and analyze, I NOP’d these anti-debug sections.
Patched version
Dynamic Analysis (Procmon)
Setup
Configure Procmon to monitor MouseTrap.exe.
Findings
Run the malware
The malware tries to open C:\creds.txt. If it doesn’t exist, it exits.
Create C:\creds.txt and run again
Run the malware again
The malware reads the file via ReadFileEx, encrypts the content, and attempts to connect to 127.0.0.1:13337 to send the encrypted data (the same traffic seen in the PCAP).
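To make the Procmon observations above checkable rather than eyeballed, here is an added Python example (not part of the original write-up) that groups a Procmon CSV export by PID and labels each run as either the bail-out path (C:\creds.txt missing, process exits) or the read-then-connect path. The CSV lines are constructed to resemble a Procmon export; the column names and the `host:port -> host:port` path format of TCP Connect events are assumed from Procmon's default export, while the C:\creds.txt path and the 127.0.0.1:13337 endpoint are the page's own.

```python
import csv
import io

# Constructed Procmon-style CSV export (default column set). These lines are
# made up to mirror the behaviour described in the write-up; they are not a
# capture from the real sample.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","MouseTrap.exe","4242","CreateFile","C:\creds.txt","NAME NOT FOUND","Desired Access: Generic Read"
"10:00:01.0000002","MouseTrap.exe","4242","Process Exit","","SUCCESS","Exit Status: 0"
"10:05:10.0000001","MouseTrap.exe","4311","CreateFile","C:\creds.txt","SUCCESS","Desired Access: Generic Read"
"10:05:10.0000002","MouseTrap.exe","4311","ReadFile","C:\creds.txt","SUCCESS","Offset: 0, Length: 64"
"10:05:10.0000100","MouseTrap.exe","4311","TCP Connect","host:49152 -> 127.0.0.1:13337","SUCCESS","Length: 0"
"10:05:11.0000000","explorer.exe","1234","CreateFile","C:\Windows\notepad.exe","SUCCESS","Desired Access: Read"
'''

TARGET_FILE = r"C:\creds.txt"       # path from the write-up
C2_ENDPOINT = "127.0.0.1:13337"     # endpoint from the write-up / PCAP


def classify_runs(csv_text, target_file=TARGET_FILE, c2=C2_ENDPOINT):
    """Group Procmon events by PID and label each process's behaviour.

    Returns {pid: verdict} where verdict is one of:
      'bail-out' - tried to open the target file, it was missing
      'exfil'    - read the target file and afterwards connected to the C2 endpoint
      'no-match' - neither pattern seen
    """
    by_pid = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_pid.setdefault(row["PID"], []).append(row)

    verdicts = {}
    for pid, events in by_pid.items():
        missing = read_ok = connected_after_read = False
        # Procmon exports rows in capture order, so iterating preserves sequence.
        for ev in events:
            op, path, result = ev["Operation"], ev["Path"], ev["Result"]
            same_file = path.lower() == target_file.lower()
            if op == "CreateFile" and same_file and result == "NAME NOT FOUND":
                missing = True
            elif op == "ReadFile" and same_file and result == "SUCCESS":
                read_ok = True
            elif op == "TCP Connect" and path.endswith("-> " + c2) and read_ok:
                # Only count the connect if the file was already read: the
                # order is what distinguishes exfiltration from a stray probe.
                connected_after_read = True
        if connected_after_read:
            verdicts[pid] = "exfil"
        elif missing:
            verdicts[pid] = "bail-out"
        else:
            verdicts[pid] = "no-match"
    return verdicts


if __name__ == "__main__":
    for pid, verdict in classify_runs(PROCMON_CSV).items():
        print(pid, verdict)
```

Export the Procmon session with File > Save as CSV and pass the file's contents to `classify_runs`; the ordering check matters because a connect seen before any read of the file says nothing about what was sent.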
Dynamic Analysis (IDA/WinDbg)
Catching the crypto
Initial setup
Set a breakpoint on kernel32!ReadFileEx, continue, and configure the debugger not to break on exceptions.
After resuming execution, the ReadFileEx breakpoint triggered.
From the stack arguments, lpBuffer is 0x005853B0 in .data (dword_5853B0), so that buffer receives the file content.
Set a hardware read breakpoint on dword_5853B0 and continue.
The read triggers inside sub_401000, the encryption routine.
Identifying the algorithm
Search for the constants used by the routine.
Searching for these leads to SPC (a tweakable Lai-Massey block cipher using a SipHash-like core). The implementation matches the public reference (SPC over 64-bit words, 128-bit key, 128-bit block, 56-bit tweak folded into a 64-bit word).
Decrypt the PCAP Traffic
I reproduced the SPC round function in Python with GPT 5 and used the key/tweak lifted from the .data section.
Export the TCP stream from the PCAP as hex and feed it to the script to obtain the plaintext.
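The decryption step, as an added Python example that is not the author's script and not the SPC reference: the block cipher below is a constructed toy with the same shape the write-up names (a Lai-Massey scheme on two 64-bit halves, 128-bit key, 128-bit block, a 7-byte tweak padded into one 64-bit word, and a SipHash-style ARX round function), but its round function, round count, tweak folding and constants are my own choices, so it will not decrypt real SPC output. What it shows is the part that is otherwise left implicit: how a Lai-Massey cipher is inverted (undo the orthomorphism, recompute F on the unchanged L^R, apply round keys in reverse), and how the hex export of the TCP stream is normalised, split into 128-bit blocks and decrypted. Treating the blocks as independent (ECB) is an assumption; the page does not name a mode.

```python
import struct

MASK64 = (1 << 64) - 1
ROUNDS = 8  # constructed choice, not SPC's round count

# SipHash's initialisation constants ("somepseudorandomlygeneratedbytes"),
# reused here only to key the toy mixing function.
_C0, _C1, _C2, _C3 = (0x736F6D6570736575, 0x646F72616E646F6D,
                      0x6C7967656E657261, 0x7465646279746573)


def _rotl(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK64


def _sip_round(v0, v1, v2, v3):
    """One SipRound as specified for SipHash (ARX on four 64-bit words)."""
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def _f(x, k0, k1, tweak, rnd):
    """Keyed, tweaked round function: absorb x, run two SipRounds, squeeze."""
    v0, v1, v2, v3 = k0 ^ _C0, k1 ^ _C1, tweak ^ _C2, x ^ _C3 ^ rnd
    for _ in range(2):
        v0, v1, v2, v3 = _sip_round(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def _sigma(x):
    """Orthomorphism on the left branch: (a, b) -> (b, a ^ b) on 32-bit halves."""
    a, b = x >> 32, x & 0xFFFFFFFF
    return (b << 32) | (a ^ b)


def _sigma_inv(x):
    b, a_xor_b = x >> 32, x & 0xFFFFFFFF
    return ((a_xor_b ^ b) << 32) | b


def _fold_tweak(tweak):
    """Pad the 7-byte (56-bit) tweak into one 64-bit word (constructed folding)."""
    if len(tweak) != 7:
        raise ValueError("tweak must be 56 bits (7 bytes)")
    return int.from_bytes(tweak + b"\x00", "little")


def _split_key(key):
    if len(key) != 16:
        raise ValueError("key must be 128 bits (16 bytes)")
    return struct.unpack("<QQ", key)


def encrypt_block(block, key, tweak):
    k0, k1 = _split_key(key)
    t = _fold_tweak(tweak)
    left, right = struct.unpack("<QQ", block)
    for rnd in range(ROUNDS):
        tmp = _f(left ^ right, k0, k1, t, rnd)   # Lai-Massey: F of the branch difference
        left, right = _sigma(left ^ tmp), right ^ tmp
    return struct.pack("<QQ", left, right)


def decrypt_block(block, key, tweak):
    k0, k1 = _split_key(key)
    t = _fold_tweak(tweak)
    left, right = struct.unpack("<QQ", block)
    for rnd in reversed(range(ROUNDS)):
        left = _sigma_inv(left)                  # undo sigma; left ^ right is then the pre-round L ^ R
        tmp = _f(left ^ right, k0, k1, t, rnd)   # so F can be recomputed without knowing the plaintext
        left, right = left ^ tmp, right ^ tmp
    return struct.pack("<QQ", left, right)


def encrypt_stream(data, key, tweak):
    if len(data) % 16:
        raise ValueError("data length %d is not a multiple of the 128-bit block" % len(data))
    return b"".join(encrypt_block(data[i:i + 16], key, tweak) for i in range(0, len(data), 16))


def decrypt_stream_hex(hex_dump, key, tweak):
    """Turn the exported TCP stream (hex, whitespace/newlines tolerated) into plaintext.
    Blocks are decrypted independently (ECB); the mode is an assumption."""
    data = bytes.fromhex("".join(hex_dump.split()))
    if len(data) % 16:
        raise ValueError("stream length %d is not a multiple of the 128-bit block" % len(data))
    return b"".join(decrypt_block(data[i:i + 16], key, tweak) for i in range(0, len(data), 16))


# Constructed sample values: NOT the key/tweak lifted from the sample's .data section.
SAMPLE_KEY = bytes(range(16))
SAMPLE_TWEAK = b"\x11\x22\x33\x44\x55\x66\x77"
SAMPLE_PLAINTEXT = b"CONSTRUCTED SAMPLE CREDENTIALS!!"

if __name__ == "__main__":
    ct = encrypt_stream(SAMPLE_PLAINTEXT, SAMPLE_KEY, SAMPLE_TWEAK)
    # Line-wrapped hex, as a "Follow TCP Stream" export would hand it to the script.
    dump = "\n".join(ct.hex()[i:i + 32] for i in range(0, len(ct.hex()), 32))
    print(decrypt_stream_hex(dump, SAMPLE_KEY, SAMPLE_TWEAK))
```

To use this against the real capture, replace `encrypt_block`/`decrypt_block` with the round function recovered from sub_401000 and keep the rest; the length check is worth keeping, since a stream that is not a whole number of blocks usually means the export also grabbed a framing header or a partial final segment.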