DLL sample
Size: 4.096 Bytes
Timestamp: 2013-05-30 03:54:37
MD5: 17e3e09c27d26c81c9f33882279d6319
SHA1: c467f59cddba2d029044f6f2b22b6b2123b341b6
Report: https://www.virustotal.com/en/file/5b011ebdf1a5a0fd93a933cb40b59fcb8c35667529e28cf0c9d63f92985c4d5d/analysis/
Download: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2690&p=19700#p19700
The DLL has no export table, so we start at the DLL Entry Point (DllMain). At first the malware checks if it was loaded by the current process or by a call to API function LoadLibrary (fdwReason = DLL_PROCESS_ATTACH). If this was not the case the DLL exits without doing anything harmful. Otherwise the malware continues with resolving the API addresses of the functions it is going to use.
 |
| Figure 1: DLL Entry Point |
 |
| Figure 2: Resolving API function addresses |
Before the function addresses are to be resolved (LoadLibrary + GetProcAddress), the library and function names have to be decrypted. The decryption algorithm is a simple substitution cipher with key 0x04. The decryption isn't done in a whole, instead every library/function name is decrypted before the call to LoadLibrary/GetProcAddress.
 |
| Figure 3: String decryption algorithm |
By looking at the decrypted API function names we can get an idea of the malware's intentions.
 |
| Figure 4: Comparison of encrypted and decrypted data |
After successful decrypting and resolving all API function addresses, the main Thread is started (CreateThread). At first it renames itself from "SXS.dll" to "pbn.dll" by using MoveFile API function with parameters "c:\Program Files\Internet Explorer\SXS.dll" and "c:\Program Files\Internet Explorer\pbn.dll". The hardcoded path names tell us that the DLL was written to disk before it was loaded. Thereafter the hardcoded URL string "http://augustine.co.kr/bbs/img/icon_03.gif" is written into memory. Then a second string is build (C:\<TempPath>
 |
| Figure 5: Main threads entry point |
 |
| Figure 6: Varifying for PE and file execution |
0 Kommentare:
Post a Comment