#MalwareMustDie Postal_Receipt.exe Malicious Act Reversed

1. ======================================
2. Malicious/Suspected Reversing Data
3. #MalwareMustDie- Case UPS drops Malware (from Spain Network)
4. @unixfreaxjp /malware]$ date
5. Sat Nov 24 19:10:22 JST 2012
6. ======================================
7. // set SystemTimeAsFileTime
8.  
9. loc_405F93:
10. push esi
11. lea eax, [ebp+SystemTimeAsFileTime]
12. push eax ; lpSystemTimeAsFileTime
13. call ds:GetSystemTimeAsFileTime
14. mov esi, [ebp+SystemTimeAsFileTime.dwHighDateTime]
15. xor esi, [ebp+SystemTimeAsFileTime.dwLowDateTime]
16. call ds:GetCurrentProcessId
17. xor esi, eax
18. call ds:GetCurrentThreadId
19. xor esi, eax
20. call ds:GetTickCount
21. xor esi, eax
22. lea eax, [ebp+PerformanceCount]
23. push eax ; lpPerformanceCount
24. call ds:QueryPerformanceCounter
25. mov eax, dword ptr [ebp+PerformanceCount+4]
26. xor eax, dword ptr [ebp+PerformanceCount]
27. xor esi, eax
28. cmp esi, edi
29. jnz short loc_405FD9
30.  
31. //Get module mscoree.dll
32.  
33. .text:0040146C mov edi, edi
34. .text:0040146E push ebp
35. .text:0040146F mov ebp, esp
36. .text:00401471 push offset ModuleName ; "mscoree.dll"
37. .text:00401476 call ds:GetModuleHandleW
38. .text:0040147C test eax, eax
39. .text:0040147E jz short loc_401495
40. .text:00401480 push offset ProcName ; "CorExitProcess"
41. .text:00401485 push eax ; hModule
42. .text:00401486 call ds:GetProcAddress
43. .text:0040148C test eax, eax
44. .text:0040148E jz short loc_401495
45. .text:00401490 push [ebp+arg_0]
46.  
47. //InitializeCriticalSectionAndSpinCount
48.  
49. .text:00403097 loc_403097:
50. .text:00403097 push 0Ah
51. .text:00403099 call sub_4030F6
52. .text:0040309E pop ecx
53. .text:0040309F mov [ebp-4], ebx
54. .text:004030A2 cmp [esi], ebx
55. .text:004030A4 jnz short loc_4030D1
56. .text:004030A6 push 0FA0h ; dwSpinCount
57. .text:004030AB push edi ; lpCriticalSection
58. .text:004030AC call ds:InitializeCriticalSectionAndSpinCount
59.  
60. // EnterCriticalSection
61.  
62. .text:0040311E loc_40311E:
63. .text:0040311E push dword ptr [esi] ; lpCriticalSection
64. .text:00403120 call ds:EnterCriticalSection
65. .text:00403126 pop esi
66. .text:00403127 pop ebp
67. .text:00403128 retn
68. .text:00403128 sub_4030F6 endp
69.  
70. // check debugger...
71.  
72. .text:0040348F call ds:IsDebuggerPresent
73. .text:00403495 push 0 ; lpTopLevelExceptionFilter
74. .text:00403497 mov edi, eax
75. .text:00403499 call ds:SetUnhandledExceptionFilter
76. .text:0040349F lea eax, [ebp+ExceptionInfo]
77. .text:004034A5 push eax ; ExceptionInfo
78. .text:004034A6 call ds:UnhandledExceptionFilter
79.  
80. //get & terminate process...
81.  
82. .text:004034E3 push esi ; uExitCode
83. .text:004034E4 call ds:GetCurrentProcess
84. .text:004034EA push eax ; hProcess
85. .text:004034EB call ds:TerminateProcess
86. .text:004034F1 pop esi
87. .text:004034F2 retn
88. .text:004034F2 sub_4034CE endp
89. :
90. .text:0040387D push esi
91. .text:0040387E mov esi, ds:GetProcAddress
92. .text:00403884 push offset aFlsalloc ; "FlsAlloc"
93. .text:00403889 push edi ; hModule
94. .text:0040388A call esi ; GetProcAddress
95. .text:0040388C push offset aFlsgetvalue ; "FlsGetValue"
96. .text:00403891 push edi ; hModule
97. .text:00403892 mov dword_412E70, eax
98. .text:00403897 call esi ; GetProcAddress
99. .text:00403899 push offset aFlssetvalue ; "FlsSetValue"
100. .text:0040389E push edi ; hModule
101. :
102. .text:004038B1 call esi ; GetProcAddress
103. .text:004038B3 cmp dword_412E70, 0
104.  
105.  
106. //grab file attribs...
107.  
108. .text:00405587 loc_405587: ; CODE XREF: sub_405560+Bj
109. .text:00405587 test [ebp+arg_4], 0FFFFFFF9h
110. .text:0040558E jnz short loc_40556D
111. .text:00405590 push [ebp+lpFileName] ; lpFileName
112. .text:00405593 call ds:GetFileAttributesA
113. .text:004055AB
114. 　　↓
115. .idata:0040E0A8 ; DWORD __stdcall GetFileAttributesA(LPCSTR lpFileName)
116. .idata:0040E0A8 extrn GetFileAttributesA:dword ; DATA XREF: sub_405560+33r
117.  
118. //get modules filename...
119.  
120. text:00405BC6 loc_405BC6: ; CODE XREF: sub_405BAC+13j
121. .text:00405BC6 push 104h ; nSize
122. .text:00405BCB mov esi, offset byte_4134B8
123. .text:00405BD0 push esi ; lpFilename
124. .text:00405BD1 push ebx ; hModule
125. .text:00405BD2 mov byte_4135BC, bl
126. .text:00405BD8 call ds:GetModuleFileNameA
127. .text:00405BDE mov eax, dword_414A68
128. .text:00405BE3 mov dword_412CD4, esi
129. .text:00405BE9 cmp eax, ebx
130. .text:00405BEB jz short loc_405BF4
131. .text:00405BED mov [ebp+var_4], eax
132. .text:00405BF0 cmp [eax], bl
133. .text:00405BF2 jnz short loc_405BF7
134. ↓
135. .idata:0040E0AC ; DWORD __stdcall GetModuleFileNameA(HMODULE hModule,LPSTR lpFilename,DWORD nSize)
136. .idata:0040E0AC extrn GetModuleFileNameA:dword ; DATA XREF: sub_405BAC+2Cr
137.  
138.  
139. // Writes File...
140.  
141. .text:004040CE loc_4040CE: ; CODE XREF: sub_403F55+16Fj
142. .text:004040CE push ebx ; lpOverlapped
143. .text:004040CF lea eax, [ebp+NumberOfBytesWritten]
144. .text:004040D5 push eax ; lpNumberOfBytesWritten
145. .text:004040D6 lea eax, [ebp+Buffer]
146. .text:004040DC push eax
147. .text:004040DD mov [ebp+var_5], bl
148. .text:004040E0 call sub_4070F0
149. .text:004040E5 pop ecx
150. .text:004040E6 push eax ; nNumberOfBytesToWrite
151. .text:004040E7 lea eax, [ebp+Buffer]
152. .text:004040ED push eax ; lpBuffer
153. .text:004040EE push esi ; hFile
154. .text:004040EF call ds:WriteFile
155. ↓
156. .idata:0040E098 ; BOOL __stdcall WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)
157. .idata:0040E098 extrn WriteFile:dword ; DATA XREF: sub_403F55+19Ar
158. .idata:0040E098 ; sub_40BF48+249r ...
159.  
160.  
161.  
162. //startup info...get...
163.  
164. .text:00405CFE sub_405CFE proc near ; CODE XREF: start-CFp
165. .text:00405CFE
166. .text:00405CFE StartupInfo = _STARTUPINFOW ptr -4Ch
167. .text:00405CFE var_8 = dword ptr -8
168. .text:00405CFE var_4 = dword ptr -4
169. .text:00405CFE
170. .text:00405CFE mov edi, edi
171. .text:00405D00 push ebp
172. .text:00405D01 mov ebp, esp
173. .text:00405D03 sub esp, 4Ch
174. .text:00405D06 push esi
175. .text:00405D07 lea eax, [ebp+StartupInfo]
176. .text:00405D0A push eax ; lpStartupInfo
177. .text:00405D0B call ds:GetStartupInfoW
178. ↓
179. .idata:0040E040 ; void __stdcall GetStartupInfoW(LPSTARTUPINFOW lpStartupInfo)
180. .idata:0040E040 extrn GetStartupInfoW:dword ; DATA XREF: start-15Dr
181.  
182. //env..get..
183.  
184. .text:00405C67 sub_405C67 proc near ; CODE XREF: start-B3p
185. .text:00405C67 ; sub_408A93+10Fp
186. .text:00405C67
187. .text:00405C67 cchWideChar = dword ptr -0Ch
188. .text:00405C67 cchMultiByte = dword ptr -8
189. .text:00405C67 lpMem = dword ptr -4
190. .text:00405C67
191. .text:00405C67 mov edi, edi
192. .text:00405C69 push ebp
193. .text:00405C6A mov ebp, esp
194. .text:00405C6C sub esp, 0Ch
195. .text:00405C6F push ebx
196. .text:00405C70 push esi
197. .text:00405C71 call ds:GetEnvironmentStringsW
198. ↓
199. .idata:0040E0B8 ; LPWSTR GetEnvironmentStringsW(void)
200. .idata:0040E0B8 extrn GetEnvironmentStringsW:dword
201. .idata:0040E0B8 ; DATA XREF: sub_405C67+Ar
202.  
203.  
204. // set env...
205.  
206. .text:0040D297 call ds:SetEnvironmentVariableA
207. .text:0040D29D test eax, eax
208. .text:0040D29F jnz short loc_40D2B0
209. .text:0040D2A1 or [ebp+var_C], 0FFFFFFFFh
210. .text:0040D2A5 call sub_403A1D
211. .text:0040D2AA mov dword ptr [eax], 2Ah
212. ↓
213. .idata:0040E130 ; BOOL __stdcall SetEnvironmentVariableA(LPCSTR lpName,LPCSTR lpValue)
214. .idata:0040E130 extrn SetEnvironmentVariableA:dword
215.  
216.  
217. // load DLL..
218.  
219. .text:00407C68 push offset LibFileName ; "USER32.DLL"
220. .text:00407C6D call ds:LoadLibraryW
221. .text:00407C73 mov ebx, eax
222. .text:00407C75 test ebx, ebx
223. .text:00407C77 jz loc_407D8D
224. ↓
225. .idata:0040E060 ; HMODULE __stdcall LoadLibraryW(LPCWSTR lpLibFileName)
226. .idata:0040E060 extrn LoadLibraryW:dword ; DATA XREF: sub_407C32+3Br
227.  
228.  
229. // drops...（I saw 4 of create functions... below is one of em）
230.  
231. .text:0040DF24 sub_40DF24 proc near ; CODE XREF: sub_40DE0D+36p
232. .text:0040DF24 xor eax, eax
233. .text:0040DF26 push eax ; hTemplateFile
234. .text:0040DF27 push eax ; dwFlagsAndAttributes
235. .text:0040DF28 push 3 ; dwCreationDisposition
236. .text:0040DF2A push eax ; lpSecurityAttributes
237. .text:0040DF2B push 3 ; dwShareMode
238. .text:0040DF2D push 0C0000000h ; dwDesiredAccess
239. .text:0040DF32 push offset aConin ; "CONIN$"
240. .text:0040DF37 call ds:CreateFileW
241. .text:0040DF3D mov hConsoleHandle, eax
242. .text:0040DF42 retn
243. ↓
244. .idata:0040E13C ; HANDLE __stdcall CreateFileW(LPCWSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
245. .idata:0040E13C extrn CreateFileW:dword ; DATA XREF: sub_40DC7A+13r
246. .idata:0040E13C ; sub_40DF24+13r
247.  
248.  
249. //writeConsole..
250.  
251. .text:0040D7F1 loc_40D7F1: ; CODE XREF: sub_40D7CC+1Cj
252. .text:0040D7F1 push 0 ; lpReserved
253. .text:0040D7F3 lea ecx, [ebp+NumberOfCharsWritten]
254. .text:0040D7F6 push ecx ; lpNumberOfCharsWritten
255. .text:0040D7F7 push 1 ; nNumberOfCharsToWrite
256. .text:0040D7F9 lea ecx, [ebp+Buffer]
257. .text:0040D7FC push ecx ; lpBuffer
258. .text:0040D7FD push eax ; hConsoleOutput
259. .text:0040D7FE call ds:WriteConsoleW
260. .text:0040D804 test eax, eax
261. .text:0040D806 jz short loc_40D7EA
262. .text:0040D808 mov ax, word ptr [ebp+Buffer]
263. .text:0040D80C leave
264. .text:0040D80D retn
265. .text:0040D80D sub_40D7CC endp
266. ↓
267. .idata:0040E134 ; BOOL __stdcall WriteConsoleW(HANDLE hConsoleOutput,const void *lpBuffer,DWORD nNumberOfCharsToWrite,LPDWORD lpNumberOfCharsWritten,LPVOID lpReserved)
268. .idata:0040E134 extrn WriteConsoleW:dword ; DATA XREF: sub_40D7CC+32r
269.  
270. ----
271. #MalwareMustDie
272. @unixfreaxjp /malware]$ date
273. Sat Nov 24 19:10:22 JST 2012