After spending some time debugging, looking at the code and asking for directions, I finally reached what seems like the "main" function of this malware. Let's have a look at it then.
The function starts by installing a new exception handler and then calling GetTickCount. The return value in EAX (milliseconds since boot) is divided by 0x3E8 (1000), so the quotient is the uptime in seconds; it is stored in a variable:
seg016:00402786 mov esi, GetTickCount
seg016:0040278C call esi ; kernel32_GetTickCount
seg016:0040278E xor edx, edx
seg016:00402790 mov ecx, 3E8h
seg016:00402795 div ecx
seg016:00402797 mov ticCountDiv0x3E8, eax
Afterwards there is another call to GetTickCount. This second, raw value is stored through the call to sub_422630 in a previously allocated memory region whose address (0x341ED4) is retrieved from the thread's TLS. Storing a caller-supplied 32-bit value in per-thread data is exactly what the Microsoft CRT's srand() does with its seed, which becomes relevant further down.
Following this, there is a call to loadDLLsAndInitalizeWinINetApplicationHandle (rather verbose name).
This function loads a set of DLLs and resolves the addresses of the procedures it needs from each of them.
Finally, once the libraries have been loaded and the function addresses looked up, there is a call to InternetOpenA("Mozilla/4.0 (compatible)", 0, 0, 0, 0), i.e. a WinINet session handle is initialised with that user-agent string and the default (preconfigured) access type, no proxy and no flags. The reason for this still escapes me.
(The complete list of libraries and functions can be found here)
Afterwards there is a call to SetErrorMode(SEM_NOGPFAULTERRORBOX), the flag that suppresses the general-protection-fault dialog box. I am guessing this is to prevent the malware from crashing and letting its exception handler deal with any future exception.
Next, a mutex is created, the process waits for it to become signaled, and WSAStartup is called to initialise Winsock.
Once this is done, there is a call to extractExtension(ModuleFileName_0, 0, 0, ptr_nameWOExtension, ptr_extension); the argument pattern (path, drive, dir, fname, ext, with drive and dir set to NULL) is that of the CRT's _splitpath. After the call nameWOExtension will hold "malware" and extension will hold ".exe".
Following this there is a call to concatenateNameExtension (a sprintf-style routine with the format string "%s%s"), leaving "malware.exe" in a variable named nameWExtension.
Afterwards there is a call to unkown_sub1, which, as the name indicates, I haven't yet figured out exactly what it does.
The tick count previously saved in the TLS region is retrieved, multiplied by 0x343FD (214013), 0x269EC3 (2531011) is added to it, and the result is shifted right by 0x10 (16). These are the constants of the linear congruential generator behind the Microsoft CRT's rand(): the updated (unshifted) value is written back to the memory location where the tick count was, so it serves as the seed for the next call, and the shifted value is what is returned in EAX. In other words the second GetTickCount value was passed to srand(), and sub_422640 is rand().
With this generator the string "winlolx" is rewritten in place: for each byte a fresh value V is obtained as described above and the byte is replaced with (V % 0x1A + 'a'), i.e. a pseudo-random lowercase letter. The loop runs while the index is below strlen("winlolx.exe") - 4, so exactly the seven characters before ".exe" are replaced:
seg028:004028AB call sub_422640
seg028:004028B0 push 1Ah
seg028:004028B2 cdq
seg028:004028B3 pop ecx
seg028:004028B4 idiv ecx
seg028:004028B6 push esi
seg028:004028B7 add dl, 'a'
seg028:004028BA mov byte ptr aWinlolx_exe[edi], dl ; "winlolx.exe"
seg028:004028C0 inc edi
seg028:004028C1 call strlen?
seg028:004028C6 sub eax, 4
seg028:004028C9 cmp edi, eax
seg028:004028CB pop ecx
seg028:004028CC jb short generateAlternateName
The resulting name is appended to the system directory, giving "C:\WINDOWS\System32\vmchqzo.exe" in this run (since the letters are derived from the tick count at infection time, the name differs from machine to machine). The binary checks whether that file already exists through a call to GetFileAttributes, and if the call fails (INVALID_FILE_ATTRIBUTES) our file (malware.exe) is copied to the path built from the generated name.
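As an added example, not code from the post or from the sample, here is the name generator reconstructed in C under the assumption that sub_422640 is the Microsoft CRT rand() (the & 0x7FFF mask is taken from the CRT implementation and is not visible in the quoted listing) and that the saved raw tick count is its seed. It regenerates the dropped filename from a seed and, going a step beyond the post, recovers the seed from an observed name by brute force, which gives a responder the victim's uptime at infection time. The seed value and the search window in main() are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Microsoft CRT rand(): seed = seed * 214013 + 2531011; return (seed >> 16) & 0x7FFF.
 * 214013 is 0x343FD and 2531011 is 0x269EC3, the constants seen in sub_422640.
 * The & 0x7FFF mask is assumed from the CRT source; the post does not mention it. */
static uint32_t msvc_rand(uint32_t *seed)
{
    *seed = *seed * 214013u + 2531011u;   /* updated seed written back (the TLS slot) */
    return (*seed >> 16) & 0x7FFFu;       /* value returned in EAX */
}

#define TEMPLATE     "winlolx.exe"
#define NAME_LEN     (sizeof(TEMPLATE) - 1)   /* 11 */
#define RAND_LETTERS (NAME_LEN - 4)           /* strlen - 4 = 7, the loop bound on the page */

/* Rebuild the dropped filename for a given srand() seed (the raw GetTickCount value). */
void generate_name(uint32_t seed, char out[NAME_LEN + 1])
{
    memcpy(out, TEMPLATE, NAME_LEN + 1);
    for (size_t i = 0; i < RAND_LETTERS; i++)
        out[i] = (char)('a' + msvc_rand(&seed) % 26);  /* idiv 1Ah ; add dl, 'a' */
}

/* 1 if name has the shape the generator produces: 7 lowercase letters + ".exe". */
int is_generated_shape(const char *name)
{
    if (strlen(name) != NAME_LEN || strcmp(name + RAND_LETTERS, ".exe") != 0)
        return 0;
    for (size_t i = 0; i < RAND_LETTERS; i++)
        if (name[i] < 'a' || name[i] > 'z')
            return 0;
    return 1;
}

/* Recover the seed from an observed name by brute force over [lo, hi).
 * Every candidate is discarded at its first mismatching letter, so the full
 * 32-bit tick-count space costs a few seconds of CPU; a window around the
 * victim's uptime at infection time is near-instant. */
int recover_seed(const char *observed, uint32_t lo, uint32_t hi, uint32_t *found)
{
    for (uint32_t s = lo; s < hi; s++) {
        uint32_t st = s;
        size_t i;
        for (i = 0; i < RAND_LETTERS; i++)
            if ((uint32_t)('a' + msvc_rand(&st) % 26) != (unsigned char)observed[i])
                break;
        if (i == RAND_LETTERS) {
            *found = s;
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char name[NAME_LEN + 1];
    uint32_t seed = 1234567u;   /* constructed tick count: 1234.567 s of uptime */
    uint32_t recovered;

    generate_name(seed, name);
    printf("seed %u -> %s\n", seed, name);
    if (recover_seed(name, 0u, 2000000u, &recovered))
        printf("recovered seed %u (%u ms since boot)\n", recovered, recovered);
    return 0;
}
```

Two practical consequences follow from this. Because the name is a function of GetTickCount at infection time, a filename such as vmchqzo.exe is a weak indicator: it is specific to one host, and a hunt should instead key on the shape (seven lowercase letters plus .exe in System32) combined with the attributes and timestamps described next. Conversely, feeding an observed name to recover_seed over the whole range (0 to 0xFFFFFFFF) yields the tick count, and therefore how long the machine had been up when the sample first ran, which helps place the infection on a timeline.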
Afterwards, explorer.exe is opened and its timestamps are read with GetFileTime and copied onto the newly created file with SetFileTime, so the dropped file appears as old as a system binary (timestomping). In addition, the new file's attributes are set to FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, which keeps it out of a default Explorer listing.
This is it so far. Tomorrow I will continue the analysis.