- ======================================
- Malicious/Suspected Reversing Data
- #MalwareMustDie- Case UPS drops Malware (from Spain Network)
- @unixfreaxjp /malware]$ date
- Sat Nov 24 19:10:22 JST 2012
- ======================================
- // set SystemTimeAsFileTime, then XOR-mix it with the process id, thread id, tick count and performance counter
- loc_405F93:
- push esi
- lea eax, [ebp+SystemTimeAsFileTime]
- push eax ; lpSystemTimeAsFileTime
- call ds:GetSystemTimeAsFileTime
- mov esi, [ebp+SystemTimeAsFileTime.dwHighDateTime]
- xor esi, [ebp+SystemTimeAsFileTime.dwLowDateTime]
- call ds:GetCurrentProcessId
- xor esi, eax
- call ds:GetCurrentThreadId
- xor esi, eax
- call ds:GetTickCount
- xor esi, eax
- lea eax, [ebp+PerformanceCount]
- push eax ; lpPerformanceCount
- call ds:QueryPerformanceCounter
- mov eax, dword ptr [ebp+PerformanceCount+4]
- xor eax, dword ptr [ebp+PerformanceCount]
- xor esi, eax
- cmp esi, edi
- jnz short loc_405FD9
- //Get module mscoree.dll
- .text:0040146C mov edi, edi
- .text:0040146E push ebp
- .text:0040146F mov ebp, esp
- .text:00401471 push offset ModuleName ; "mscoree.dll"
- .text:00401476 call ds:GetModuleHandleW
- .text:0040147C test eax, eax
- .text:0040147E jz short loc_401495
- .text:00401480 push offset ProcName ; "CorExitProcess"
- .text:00401485 push eax ; hModule
- .text:00401486 call ds:GetProcAddress
- .text:0040148C test eax, eax
- .text:0040148E jz short loc_401495
- .text:00401490 push [ebp+arg_0]
- //InitializeCriticalSectionAndSpinCount
- .text:00403097 loc_403097:
- .text:00403097 push 0Ah
- .text:00403099 call sub_4030F6
- .text:0040309E pop ecx
- .text:0040309F mov [ebp-4], ebx
- .text:004030A2 cmp [esi], ebx
- .text:004030A4 jnz short loc_4030D1
- .text:004030A6 push 0FA0h ; dwSpinCount
- .text:004030AB push edi ; lpCriticalSection
- .text:004030AC call ds:InitializeCriticalSectionAndSpinCount
- // EnterCriticalSection
- .text:0040311E loc_40311E:
- .text:0040311E push dword ptr [esi] ; lpCriticalSection
- .text:00403120 call ds:EnterCriticalSection
- .text:00403126 pop esi
- .text:00403127 pop ebp
- .text:00403128 retn
- .text:00403128 sub_4030F6 endp
- // check debugger...
- .text:0040348F call ds:IsDebuggerPresent
- .text:00403495 push 0 ; lpTopLevelExceptionFilter
- .text:00403497 mov edi, eax
- .text:00403499 call ds:SetUnhandledExceptionFilter
- .text:0040349F lea eax, [ebp+ExceptionInfo]
- .text:004034A5 push eax ; ExceptionInfo
- .text:004034A6 call ds:UnhandledExceptionFilter
- //get & terminate process...
- .text:004034E3 push esi ; uExitCode
- .text:004034E4 call ds:GetCurrentProcess
- .text:004034EA push eax ; hProcess
- .text:004034EB call ds:TerminateProcess
- .text:004034F1 pop esi
- .text:004034F2 retn
- .text:004034F2 sub_4034CE endp
- :
- .text:0040387D push esi
- .text:0040387E mov esi, ds:GetProcAddress
- .text:00403884 push offset aFlsalloc ; "FlsAlloc"
- .text:00403889 push edi ; hModule
- .text:0040388A call esi ; GetProcAddress
- .text:0040388C push offset aFlsgetvalue ; "FlsGetValue"
- .text:00403891 push edi ; hModule
- .text:00403892 mov dword_412E70, eax
- .text:00403897 call esi ; GetProcAddress
- .text:00403899 push offset aFlssetvalue ; "FlsSetValue"
- .text:0040389E push edi ; hModule
- :
- .text:004038B1 call esi ; GetProcAddress
- .text:004038B3 cmp dword_412E70, 0
- //grab file attribs...
- .text:00405587 loc_405587: ; CODE XREF: sub_405560+Bj
- .text:00405587 test [ebp+arg_4], 0FFFFFFF9h
- .text:0040558E jnz short loc_40556D
- .text:00405590 push [ebp+lpFileName] ; lpFileName
- .text:00405593 call ds:GetFileAttributesA
- .text:004055AB
- ↓
- .idata:0040E0A8 ; DWORD __stdcall GetFileAttributesA(LPCSTR lpFileName)
- .idata:0040E0A8 extrn GetFileAttributesA:dword ; DATA XREF: sub_405560+33r
- // get the module's filename...
- text:00405BC6 loc_405BC6: ; CODE XREF: sub_405BAC+13j
- .text:00405BC6 push 104h ; nSize
- .text:00405BCB mov esi, offset byte_4134B8
- .text:00405BD0 push esi ; lpFilename
- .text:00405BD1 push ebx ; hModule
- .text:00405BD2 mov byte_4135BC, bl
- .text:00405BD8 call ds:GetModuleFileNameA
- .text:00405BDE mov eax, dword_414A68
- .text:00405BE3 mov dword_412CD4, esi
- .text:00405BE9 cmp eax, ebx
- .text:00405BEB jz short loc_405BF4
- .text:00405BED mov [ebp+var_4], eax
- .text:00405BF0 cmp [eax], bl
- .text:00405BF2 jnz short loc_405BF7
- ↓
- .idata:0040E0AC ; DWORD __stdcall GetModuleFileNameA(HMODULE hModule,LPSTR lpFilename,DWORD nSize)
- .idata:0040E0AC extrn GetModuleFileNameA:dword ; DATA XREF: sub_405BAC+2Cr
- // Writes File...
- .text:004040CE loc_4040CE: ; CODE XREF: sub_403F55+16Fj
- .text:004040CE push ebx ; lpOverlapped
- .text:004040CF lea eax, [ebp+NumberOfBytesWritten]
- .text:004040D5 push eax ; lpNumberOfBytesWritten
- .text:004040D6 lea eax, [ebp+Buffer]
- .text:004040DC push eax
- .text:004040DD mov [ebp+var_5], bl
- .text:004040E0 call sub_4070F0
- .text:004040E5 pop ecx
- .text:004040E6 push eax ; nNumberOfBytesToWrite
- .text:004040E7 lea eax, [ebp+Buffer]
- .text:004040ED push eax ; lpBuffer
- .text:004040EE push esi ; hFile
- .text:004040EF call ds:WriteFile
- ↓
- .idata:0040E098 ; BOOL __stdcall WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)
- .idata:0040E098 extrn WriteFile:dword ; DATA XREF: sub_403F55+19Ar
- .idata:0040E098 ; sub_40BF48+249r ...
- // get startup info...
- .text:00405CFE sub_405CFE proc near ; CODE XREF: start-CFp
- .text:00405CFE
- .text:00405CFE StartupInfo = _STARTUPINFOW ptr -4Ch
- .text:00405CFE var_8 = dword ptr -8
- .text:00405CFE var_4 = dword ptr -4
- .text:00405CFE
- .text:00405CFE mov edi, edi
- .text:00405D00 push ebp
- .text:00405D01 mov ebp, esp
- .text:00405D03 sub esp, 4Ch
- .text:00405D06 push esi
- .text:00405D07 lea eax, [ebp+StartupInfo]
- .text:00405D0A push eax ; lpStartupInfo
- .text:00405D0B call ds:GetStartupInfoW
- ↓
- .idata:0040E040 ; void __stdcall GetStartupInfoW(LPSTARTUPINFOW lpStartupInfo)
- .idata:0040E040 extrn GetStartupInfoW:dword ; DATA XREF: start-15Dr
- // get environment strings...
- .text:00405C67 sub_405C67 proc near ; CODE XREF: start-B3p
- .text:00405C67 ; sub_408A93+10Fp
- .text:00405C67
- .text:00405C67 cchWideChar = dword ptr -0Ch
- .text:00405C67 cchMultiByte = dword ptr -8
- .text:00405C67 lpMem = dword ptr -4
- .text:00405C67
- .text:00405C67 mov edi, edi
- .text:00405C69 push ebp
- .text:00405C6A mov ebp, esp
- .text:00405C6C sub esp, 0Ch
- .text:00405C6F push ebx
- .text:00405C70 push esi
- .text:00405C71 call ds:GetEnvironmentStringsW
- ↓
- .idata:0040E0B8 ; LPWSTR GetEnvironmentStringsW(void)
- .idata:0040E0B8 extrn GetEnvironmentStringsW:dword
- .idata:0040E0B8 ; DATA XREF: sub_405C67+Ar
- // set env...
- .text:0040D297 call ds:SetEnvironmentVariableA
- .text:0040D29D test eax, eax
- .text:0040D29F jnz short loc_40D2B0
- .text:0040D2A1 or [ebp+var_C], 0FFFFFFFFh
- .text:0040D2A5 call sub_403A1D
- .text:0040D2AA mov dword ptr [eax], 2Ah
- ↓
- .idata:0040E130 ; BOOL __stdcall SetEnvironmentVariableA(LPCSTR lpName,LPCSTR lpValue)
- .idata:0040E130 extrn SetEnvironmentVariableA:dword
- // load DLL..
- .text:00407C68 push offset LibFileName ; "USER32.DLL"
- .text:00407C6D call ds:LoadLibraryW
- .text:00407C73 mov ebx, eax
- .text:00407C75 test ebx, ebx
- .text:00407C77 jz loc_407D8D
- ↓
- .idata:0040E060 ; HMODULE __stdcall LoadLibraryW(LPCWSTR lpLibFileName)
- .idata:0040E060 extrn LoadLibraryW:dword ; DATA XREF: sub_407C32+3Br
- // drops... (I saw 4 CreateFile call sites; below is one of them)
- .text:0040DF24 sub_40DF24 proc near ; CODE XREF: sub_40DE0D+36p
- ; Opens the console input device "CONIN$" via CreateFileW and stores the
- ; returned HANDLE in the global hConsoleHandle. No arguments, no stack frame.
- ; CreateFileW is __stdcall (see the .idata prototype), so the callee pops all
- ; seven pushed arguments; eax (the handle), ecx, edx and flags are clobbered.
- ; The result is not compared with INVALID_HANDLE_VALUE here, so any failure
- ; check has to live in the caller.
- ; NOTE(review): opening CONIN$ reads the console; it does not create a file on
- ; disk. This looks like CRT console-init code rather than a dropper - confirm
- ; against the other three CreateFile call sites before calling it a drop.
- .text:0040DF24 xor eax, eax ; eax = 0, reused below for every NULL argument
- .text:0040DF26 push eax ; hTemplateFile = NULL
- .text:0040DF27 push eax ; dwFlagsAndAttributes = 0
- .text:0040DF28 push 3 ; dwCreationDisposition = 3 (OPEN_EXISTING)
- .text:0040DF2A push eax ; lpSecurityAttributes = NULL
- .text:0040DF2B push 3 ; dwShareMode = 3 (FILE_SHARE_READ | FILE_SHARE_WRITE)
- .text:0040DF2D push 0C0000000h ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
- .text:0040DF32 push offset aConin ; lpFileName = "CONIN$" (console input device)
- .text:0040DF37 call ds:CreateFileW ; eax = HANDLE or INVALID_HANDLE_VALUE
- .text:0040DF3D mov hConsoleHandle, eax ; cache the (unchecked) handle globally
- .text:0040DF42 retn
- ↓
- .idata:0040E13C ; HANDLE __stdcall CreateFileW(LPCWSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
- .idata:0040E13C extrn CreateFileW:dword ; DATA XREF: sub_40DC7A+13r
- .idata:0040E13C ; sub_40DF24+13r
- //writeConsole..
- .text:0040D7F1 loc_40D7F1: ; CODE XREF: sub_40D7CC+1Cj
- .text:0040D7F1 push 0 ; lpReserved
- .text:0040D7F3 lea ecx, [ebp+NumberOfCharsWritten]
- .text:0040D7F6 push ecx ; lpNumberOfCharsWritten
- .text:0040D7F7 push 1 ; nNumberOfCharsToWrite
- .text:0040D7F9 lea ecx, [ebp+Buffer]
- .text:0040D7FC push ecx ; lpBuffer
- .text:0040D7FD push eax ; hConsoleOutput
- .text:0040D7FE call ds:WriteConsoleW
- .text:0040D804 test eax, eax
- .text:0040D806 jz short loc_40D7EA
- .text:0040D808 mov ax, word ptr [ebp+Buffer]
- .text:0040D80C leave
- .text:0040D80D retn
- .text:0040D80D sub_40D7CC endp
- ↓
- .idata:0040E134 ; BOOL __stdcall WriteConsoleW(HANDLE hConsoleOutput,const void *lpBuffer,DWORD nNumberOfCharsToWrite,LPDWORD lpNumberOfCharsWritten,LPVOID lpReserved)
- .idata:0040E134 extrn WriteConsoleW:dword ; DATA XREF: sub_40D7CC+32r
- ----
- #MalwareMustDie
- @unixfreaxjp /malware]$ date
- Sat Nov 24 19:10:22 JST 2012