Name: Trojan:Win32/Generic.78682e8f
Compilation: Compiler: EP:Microsoft Visual C/C++(6.0 (1720-9782))[EXE32]
This is an extended version of Lab 6-2 with one more function inside:
.text:00401210 sub_401210 proc near ; CODE XREF: start+AF↓p
.text:00401210
.text:00401210 var_8 = byte ptr -8
.text:00401210 var_4 = dword ptr -4
.text:00401210 arg_4 = dword ptr 0Ch
.text:00401210
.text:00401210 push ebp
.text:00401211 mov ebp, esp
.text:00401213 sub esp, 8
.text:00401216 call connect_check
.text:0040121B mov [ebp+var_4], eax
.text:0040121E cmp [ebp+var_4], 0
.text:00401222 jnz short loc_401228
.text:00401224 xor eax, eax
.text:00401226 jmp short loc_40126D
.text:00401228 ; ---------------------------------------------------------------------------
.text:00401228
.text:00401228 loc_401228: ; CODE XREF: sub_401210+12↑j
.text:00401228 call command_extraction
.text:0040122D mov [ebp+var_8], al
.text:00401230 movsx eax, [ebp+var_8]
.text:00401234 test eax, eax
.text:00401236 jnz short loc_40123C
.text:00401238 xor eax, eax
.text:0040123A jmp short loc_40126D
.text:0040123C ; ---------------------------------------------------------------------------
.text:0040123C
.text:0040123C loc_40123C: ; CODE XREF: sub_401210+26↑j
.text:0040123C movsx ecx, [ebp+var_8]
.text:00401240 push ecx
.text:00401241 push offset aSuccessParsedC ; "Success: Parsed command is %c\n"
.text:00401246 call sub_401271
.text:0040124B add esp, 8
.text:0040124E mov edx, [ebp+arg_4]
.text:00401251 mov eax, [edx]
.text:00401253 push eax ; lpExistingFileName
.text:00401254 mov cl, [ebp+var_8]
.text:00401257 push ecx ; char
.text:00401258 call malware_install
.text:0040125D add esp, 8
.text:00401260 push 0EA60h ; dwMilliseconds
.text:00401265 call ds:Sleep
.text:0040126B xor eax, eax
.text:0040126D
.text:0040126D loc_40126D: ; CODE XREF: sub_401210+16↑j
.text:0040126D ; sub_401210+2A↑j
.text:0040126D mov esp, ebp
.text:0040126F pop ebp
.text:00401270 retn
.text:00401270 sub_401210 endp
.text:00401270
Instead of doing printf for the command, it calls malware_install (the call at 00401258).
Here is the new function's signature:
.text:00401130 malware_install proc near ; CODE XREF: sub_401210+48↓p
.text:00401130
.text:00401130 var_8 = dword ptr -8
.text:00401130 phkResult = dword ptr -4
.text:00401130 arg_0 = byte ptr 8
.text:00401130 lpExistingFileName= dword ptr 0Ch
The new function performs some actions on the filesystem, and its arguments are used for that. lpExistingFileName is used as the source path for the file copy.
The function contains a switch statement for multiple commands/activities:
.text:00401153 jmp ds:jpt_401153[edx*4] ; switch jump
.text:0040115A ; ---------------------------------------------------------------------------
.text:0040115A
.text:0040115A loc_40115A: ; CODE XREF: malware_install+23↑j
.text:0040115A ; DATA XREF: .text:jpt_401153↓o
.text:0040115A push 0 ; jumptable 00401153 case 97
.text:0040115C push offset PathName ; "C:\\Temp"
.text:00401161 call ds:CreateDirectoryA
.text:00401167 jmp loc_4011EE
.text:0040116C ; ---------------------------------------------------------------------------
.text:0040116C
.text:0040116C loc_40116C: ; CODE XREF: malware_install+23↑j
.text:0040116C ; DATA XREF: .text:jpt_401153↓o
.text:0040116C push 1 ; jumptable 00401153 case 98
.text:0040116E push offset Data ; "C:\\Temp\\cc.exe"
.text:00401173 mov eax, [ebp+lpExistingFileName]
.text:00401176 push eax ; lpExistingFileName
.text:00401177 call ds:CopyFileA
.text:0040117D jmp short loc_4011EE
.text:0040117F ; ---------------------------------------------------------------------------
.text:0040117F
.text:0040117F loc_40117F: ; CODE XREF: malware_install+23↑j
.text:0040117F ; DATA XREF: .text:jpt_401153↓o
.text:0040117F push offset Data ; jumptable 00401153 case 99
.text:00401184 call ds:DeleteFileA
.text:0040118A jmp short loc_4011EE
.text:0040118C ; ---------------------------------------------------------------------------
.text:0040118C
.text:0040118C loc_40118C: ; CODE XREF: malware_install+23↑j
.text:0040118C ; DATA XREF: .text:jpt_401153↓o
.text:0040118C lea ecx, [ebp+phkResult] ; jumptable 00401153 case 100
.text:0040118F push ecx ; phkResult
.text:00401190 push 0F003Fh ; samDesired
.text:00401195 push 0 ; ulOptions
.text:00401197 push offset SubKey ; "Software\\Microsoft\\Windows\\CurrentVe"...
.text:0040119C push 80000002h ; hKey
.text:004011A1 call ds:RegOpenKeyExA
.text:004011A7 push 0Fh ; cbData
.text:004011A9 push offset Data ; "C:\\Temp\\cc.exe"
.text:004011AE push 1 ; dwType
.text:004011B0 push 0 ; Reserved
.text:004011B2 push offset ValueName ; "Malware"
.text:004011B7 mov edx, [ebp+phkResult]
.text:004011BA push edx ; hKey
.text:004011BB call ds:RegSetValueExA
.text:004011C1 test eax, eax
.text:004011C3 jz short loc_4011D2
.text:004011C5 push offset aError31CouldNo ; "Error 3.1: Could not set Registry value"...
.text:004011CA call sub_401271
.text:004011CF add esp, 4
.text:004011D2
.text:004011D2 loc_4011D2: ; CODE XREF: malware_install+93↑j
.text:004011D2 jmp short loc_4011EE
.text:004011D4 ; ---------------------------------------------------------------------------
.text:004011D4
.text:004011D4 loc_4011D4: ; CODE XREF: malware_install+23↑j
.text:004011D4 ; DATA XREF: .text:jpt_401153↓o
.text:004011D4 push 186A0h ; jumptable 00401153 case 101
.text:004011D9 call ds:Sleep
.text:004011DF jmp short loc_4011EE
.text:004011E1 ; ---------------------------------------------------------------------------
.text:004011E1
.text:004011E1 def_401153: ; CODE XREF: malware_install+1A↑j
.text:004011E1 push offset aError32NotAVal ; jumptable 00401153 default case
.text:004011E6 call sub_401271
.text:004011EB add esp, 4
For each block of the switch statement we can observe the following "features":
- CreateDirectoryA to create the "C:\Temp" directory
- CopyFileA in order to drop a file in the filesystem into "C:\Temp\cc.exe" - it means copying itself to this location
- DeleteFileA - remove the target file from the system
- RegSetValueExA - set a new key in the Windows registry
- Sleep
.text:0040118C lea ecx, [ebp+phkResult] ; jumptable 00401153 case 100
.text:0040118F push ecx ; phkResult
.text:00401190 push 0F003Fh ; samDesired
.text:00401195 push 0 ; ulOptions
.text:00401197 push offset SubKey ; "Software\\Microsoft\\Windows\\CurrentVe"...
.text:0040119C push 80000002h ; hKey
.text:004011A1 call ds:RegOpenKeyExA
.text:004011A7 push 0Fh ; cbData
.text:004011A9 push offset Data ; "C:\\Temp\\cc.exe"
.text:004011AE push 1 ; dwType
.text:004011B0 push 0 ; Reserved
.text:004011B2 push offset ValueName ; "Malware"
.text:004011B7 mov edx, [ebp+phkResult]
.text:004011BA push edx ; hKey
.text:004011BB call ds:RegSetValueExA
.text:004011C1 test eax, eax
.text:004011C3 jz short loc_4011D2
.text:004011C5 push offset aError31CouldNo ; "Error 3.1: Could not set Registry value"...
.text:004011CA call sub_401271
.text:004011CF add esp, 4
This simply creates a new entry in the registry Run key for the dropped file.
Indicators:
- Registry change: Software\Microsoft\Windows\CurrentVersion\Run with value Malware and data "C:\Temp\cc.exe"
- Malware executable: C:\Temp\cc.exe
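As an added illustration (this is not code from the sample, from the book, or from this write-up), the following Python models the five switch cases of malware_install and the indicators they leave behind, then checks a constructed host snapshot for those indicators. The mapping of jump-table cases 97..101 to the command letters 'a'..'e' is inferred from the case labels in the listing; the helper names, the snapshot format and its contents are assumptions made for this example.

```python
"""Analyst helper written for this write-up: decodes the malware_install
switch cases seen in the Lab 6-3 disassembly into a static description of
each command's effect, and checks a host snapshot for the resulting IOCs.
Nothing here touches the real filesystem or registry."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constants pushed in the disassembly, decoded from the Win32 headers.
HKEY_LOCAL_MACHINE = 0x80000002   # push 80000002h ; hKey
KEY_ALL_ACCESS = 0xF003F          # push 0F003Fh   ; samDesired
REG_SZ = 1                        # push 1         ; dwType
CB_DATA = 0x0F                    # push 0Fh       ; cbData
SLEEP_MS = 0x186A0                # push 186A0h    ; dwMilliseconds (case 101)

# Strings referenced by the sample (subkey completed from the indicators list).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "Malware"
DROP_DIR = r"C:\Temp"
DROP_PATH = r"C:\Temp\cc.exe"


@dataclass
class Action:
    api: str
    description: str
    file_iocs: Tuple[str, ...] = ()
    registry_iocs: Tuple[Tuple[str, str, str], ...] = ()  # (subkey, value, data)


def decode_command(cmd: str) -> Action:
    """Map one parsed command character to the switch case it selects.
    IDA labels the jump-table cases 97..101, i.e. the ASCII codes of 'a'..'e'
    (inferred); anything else reaches def_401153 ("Error 3.2: Not a valid command")."""
    case = ord(cmd)
    if case == 97:    # 'a'
        return Action("CreateDirectoryA", f"create directory {DROP_DIR}",
                      file_iocs=(DROP_DIR,))
    if case == 98:    # 'b'
        return Action("CopyFileA", f"copy own executable to {DROP_PATH}",
                      file_iocs=(DROP_PATH,))
    if case == 99:    # 'c'
        return Action("DeleteFileA", f"delete {DROP_PATH}")
    if case == 100:   # 'd'
        return Action("RegSetValueExA",
                      f"persist via HKLM\\{RUN_KEY}\\{VALUE_NAME} = {DROP_PATH}",
                      registry_iocs=((RUN_KEY, VALUE_NAME, DROP_PATH),))
    if case == 101:   # 'e'
        return Action("Sleep", f"sleep {SLEEP_MS // 1000} seconds")
    return Action("printf", "Error 3.2: Not a valid command")


def reg_data_length_ok() -> bool:
    """Sanity check on the listing: cbData (0Fh) must equal the REG_SZ string
    length plus its terminating NUL, confirming the full path is written."""
    return CB_DATA == len(DROP_PATH) + 1


# Constructed host snapshot for the example: a set of file paths and a map of
# (subkey, value name) -> data for the HKLM hive.
SAMPLE_SNAPSHOT: Dict[str, object] = {
    "files": {r"C:\Temp\cc.exe", r"C:\Windows\notepad.exe"},
    "registry": {
        (RUN_KEY, "Malware"): r"C:\Temp\cc.exe",
        (RUN_KEY, "SecurityHealth"): r"C:\Program Files\Windows Defender\MSASCuiL.exe",
    },
}


def find_indicators(snapshot: Dict[str, object]) -> List[str]:
    """Return a human-readable hit for every Lab 6-3 indicator present in the
    snapshot. Paths and key names are compared case-insensitively, as Windows does."""
    hits: List[str] = []
    files: Set[str] = {p.lower() for p in snapshot.get("files", set())}
    registry: Dict[Tuple[str, str], str] = {
        (k.lower(), v.lower()): d for (k, v), d in snapshot.get("registry", {}).items()
    }
    if DROP_PATH.lower() in files:
        hits.append(f"dropped file present: {DROP_PATH}")
    data = registry.get((RUN_KEY.lower(), VALUE_NAME.lower()))
    if data is not None and data.lower() == DROP_PATH.lower():
        hits.append(f"Run-key persistence: HKLM\\{RUN_KEY}\\{VALUE_NAME} = {data}")
    return hits


if __name__ == "__main__":
    for letter in "abcdez":
        act = decode_command(letter)
        print(f"command {letter!r}: {act.api:17} {act.description}")
    print("cbData consistent with path length:", reg_data_length_ok())
    for hit in find_indicators(SAMPLE_SNAPSHOT):
        print("HIT:", hit)
```

The `__main__` section walks the valid letters plus one invalid one and then scans the constructed snapshot, which produces two hits (the dropped file and the Run-key value). Feeding the checker a real host's inventory means exporting the HKLM Run key and a file listing into the same two structures.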
Extended version of 6-2 with a command execution feature that includes:
- CreateDirectoryA to create the "C:\Temp" directory
- CopyFileA in order to drop a file in the filesystem into "C:\Temp\cc.exe" - it means copying itself to this location
- DeleteFileA - remove the target file from the system
- RegSetValueExA - set a new key in the Windows registry
- Sleep 100 seconds
It looks more like a real trojan.
Total score 10/10