Source: Xylitol’s great analysis
Goal: Reverse this modular backdoor with the FindResource binary storage, process injection & military operation keywords.
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
kernel32.dll 0 GetProcAddress
kernel32.dll 0 GetModuleHandleA
kernel32.dll 0 LoadLibraryA
user32.dll 0 wsprintfW
advapi32.dll 0 RegEnumValueA
shlwapi.dll 0 PathFileExistsA
oleaut32.dll 0 VariantChangeTypeEx
kernel32.dll 0 RaiseException
# StringTable 041204b0:
FileDescription : “HncUpdate MFC 응용 프로그램”
FileVersion : “1.0.0.1”
InternalName : “HncUpdate.exe”
LegalCopyright : “Copyright (C) 2003”
OriginalFilename : “HncUpdate.exe”
ProductName : “HncUpdate 응용 프로그램”
ProductVersion : “1.0.0.1”
VarFileInfo : [ 0x412, 0x4b0 ]
=== Packer / Compiler ===
ASProtect 1.33 – 2.1 Registered (Alexey Solodovnikov)
Imported libraries and Windows API calls:
Kernel32, LoadLibraryW, LoadLibraryA, SchedServiceMain kernel32.dll
Imported DLLs:
\samsvc.dll, \dllcache\schedsvc.dll, \schedsvc.dll, mfc80u.dll, c_0605.nls
Registry:
SOFTWARE\Microsoft\IE Config\Package
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Internet Settings
Debug strings:
AdjustTokenPrivileges fAiled: %d
OpenProcessToken fAiled: %d
LookupPrivilegeVAlue fAiled: %d
SeDebugPrivilege
Injected targeted process:
spoolsv.exe via mfc80u.dll
Self-delete cmd script via ud[.]bat:
echo off
:start
if not exist "%s" goto done
del "%s"
del /AH "%s"
goto start
:done
del c:\windows\system32\hncupdate.exe
del %%
Filesystem process:
FAT32, NTFS, FILE, $EFS, $I30, INDX
Extracted payload aka "BsDll[.]pdb" as DLL from Resource.

MD5:
636501DB299D5F63772205755D4AA10F
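As an added example (not from Xylitol's write-up and not code from the sample), the carving step a triage analyst performs when a backdoor keeps its real payload in a resource, as this one does with BsDll: scan a byte blob for DOS "MZ" stubs whose e_lfanew field actually chains to a "PE\0\0" signature, and ignore bare "MZ" pairs that do not. The resource blob, the fake PE image inside it and all function names here are constructed for the demo.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"


def find_embedded_pe(blob: bytes, max_lfanew: int = 0x1000) -> list[tuple[int, int, int]]:
    """Return (offset, e_lfanew, machine) for every plausible PE image in blob.

    A hit needs a DOS stub whose e_lfanew (at +0x3C) points, inside the same
    blob, at a "PE\0\0" signature. Requiring that chain filters the many
    stray "MZ" byte pairs found in text and random data.
    """
    hits = []
    pos = blob.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        if pos + 0x40 <= len(blob):                      # full DOS header present
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            nt = pos + e_lfanew
            if (0x40 <= e_lfanew <= max_lfanew and nt + 6 <= len(blob)
                    and blob[nt:nt + 4] == IMAGE_NT_SIGNATURE):
                (machine,) = struct.unpack_from("<H", blob, nt + 4)  # COFF Machine
                hits.append((pos, e_lfanew, machine))
        pos = blob.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits


def carve_images(blob: bytes) -> list[bytes]:
    """Slice each detected image from its MZ to the end of the blob.

    The exact image length needs the NT headers (SizeOfImage, section table),
    so this carves generously; the slice is still loadable by a PE parser.
    """
    return [blob[off:] for off, _, _ in find_embedded_pe(blob)]


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed stand-in for a stored DLL: DOS header, PE signature, Machine=I386."""
    dos = bytearray(e_lfanew)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + IMAGE_NT_SIGNATURE + struct.pack("<H", 0x014C) + b"\0" * 18


# Constructed resource blob (not sample data): a decoy "MZ" with e_lfanew = 0
# at offset 0, some padding, then the fake image starting at offset 120.
RESOURCE_BLOB = b"MZ" + b"\x00" * 62 + b"padding" * 8 + build_fake_pe() + b"\xff" * 16

if __name__ == "__main__":
    for off, lfanew, machine in find_embedded_pe(RESOURCE_BLOB):
        print(f"PE image at offset {off}, e_lfanew=0x{lfanew:x}, Machine=0x{machine:04x}")
```

On a real sample the blob would come from the resource directory of the unpacked dropper (the data FindResource/LoadResource hands back); the same chain check also works over a whole file to spot a second executable appended or stored inline.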
=== Packer / Compiler ===
MS Visual C++ 7.0
===================
Name     VirtAddr VirtSize RawSize MD5                              Entropy
.text    0x1000   0x21e52  0x22000 c3930593c3c8ef81a07a4360d48e50a1 6.687287
.rdata   0x23000  0x41e4   0x5000  ad617b413e70f1e37ac6c6e5e39c7e73 5.054147
.data    0x28000  0x4b4c   0x3000  8059c57e286035979d292029c7752b0a 4.099338
.plugins 0x2d000  0xb34    0x1000  36234221ea257e7ca55b1a4622f4a4dc 0.485867 [SUSPICIOUS]
.rsrc    0x2e000  0x10     0x1000  620f0b67a91f7f74151bc5be745b7110 0.000000
.reloc   0x2f000  0x1d92   0x2000  e4167c88184fa8d240732352db5a23f9 5.141479
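An added triage helper, not part of the original notes: Python that computes the per-section Shannon entropy reported in the table and applies the kind of rules behind a [SUSPICIOUS] mark (non-standard section name, near-packed entropy, virtual size far larger than raw size). The section rows are the values from the table above; the thresholds, the standard-name list and the function names are assumptions made for this example.

```python
import math
from collections import Counter

# Section names a stock MSVC linker emits; anything else earns a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}
PACKED_ENTROPY = 7.0   # assumed threshold: at or above this a section looks compressed/encrypted
UNPACK_RATIO = 2.0     # assumed: VirtSize > ratio * RawSize hints at unpacking in memory


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_section(name: str, virt_size: int, raw_size: int, entropy: float) -> list[str]:
    """Return the reasons (possibly none) a section deserves a [SUSPICIOUS] mark."""
    reasons = []
    if name not in STANDARD_SECTIONS:
        reasons.append("non-standard section name")
    if entropy >= PACKED_ENTROPY:
        reasons.append("high entropy (packed or encrypted data)")
    if raw_size == 0 and virt_size > 0:
        reasons.append("no raw data on disk (filled at runtime)")
    elif raw_size and virt_size > UNPACK_RATIO * raw_size:
        reasons.append("virtual size far exceeds raw size (unpacks in memory)")
    return reasons


# Section table of the extracted BsDll payload, as listed on the page.
BSDLL_SECTIONS = [
    (".text",    0x21e52, 0x22000, 6.687287),
    (".rdata",   0x41e4,  0x5000,  5.054147),
    (".data",    0x4b4c,  0x3000,  4.099338),
    (".plugins", 0xb34,   0x1000,  0.485867),
    (".rsrc",    0x10,    0x1000,  0.000000),
    (".reloc",   0x1d92,  0x2000,  5.141479),
]


def suspicious_sections(sections=BSDLL_SECTIONS) -> dict[str, list[str]]:
    """Map section name -> reasons, for every section that trips at least one rule."""
    out = {}
    for name, vsize, rsize, ent in sections:
        reasons = triage_section(name, vsize, rsize, ent)
        if reasons:
            out[name] = reasons
    return out


if __name__ == "__main__":
    # Constructed inputs showing the two ends of the entropy scale in the table.
    print("all zeros     :", shannon_entropy(b"\x00" * 4096))
    print("uniform bytes :", shannon_entropy(bytes(range(256)) * 16))
    for name, reasons in suspicious_sections().items():
        print(f"{name:10} [SUSPICIOUS] {'; '.join(reasons)}")
```

With these rules only .plugins trips, and only on its name: its low entropy is consistent with a small table of plugin records rather than packed code, which matches the modular design the page describes. The ASProtect layer belongs to the outer HncUpdate.exe, so the inner DLL's .text entropy stays in the normal compiled-code range.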
Imports:
[1] KERNEL32.dll [2] USER32.dll [3] ADVAPI32.dll [4] SHLWAPI.dll [5] WININET.dll [6] urlmon.dll [7] WS2_32.dll
PDB:
g:\mail\pc-util\back\backdoor1\Release\BsDll[.]pdb
Military keywords:
army Army ARMY Military military MILITARY weapon Weapon WEAPON battle Battle BATTLE munition missile Missile MISSILE Aircraft Figther Resolve resolve Operation operation OPERATION Air Force AirForce airforce AF Portal AFPortal EMAIL AIRFORCE AIR FORCE email NIPR nipr SIPR sipr SNAP KORCOM CENTRIX GCCS KR/FE SMIL Intranet intranet RCIO TNOSC RIPR COMSEC PACCOM USFK PENTAGON CJCS cassifi securet CASSIFI Cassifi Certificat CERTIFICAT Pentagon pentagon usfk RSOI xfdl
Self-delete batch script routine:
@echo off
:start
if not exist %WINDIR%\system32\ipv6ld.dll goto done
del %WINDIR%\system32\ipv6ld.dll
goto start
:done
del %0

Backdoor commands: