Alright lets get started.
Now that we have our DEFINEBITS section and found the decryption part, well how do i know that it is the start of the code? The answer is, the first chunk of the code makes no sense ... meaning the disassembled code reported by IDA in those part does n0t do anything relevant, so most probably the exploit may have pointed the Instruction Pointer (IP sometimes Intellectual Property ehheh) to the decryption part, specifically in the CALL instruction. So that one makes sense for me, if I am wrong I am more than happy if you will correct me.
As you can see in the decryption code it
1. pop ebx -> saves the value of the stack in ebx
2. xor ecx, ecx -> initializes ecx to zero, the counter
3. mov ax, 2943 -> moved 2943 to ax
4. xor [ebx+ecx*2], ax -> now this instruction decrypts the rest of the shellcode using the value in ax as the key
5. inc eax -> increments the key by one
6. inc ecx -> counter plus one
7. cmp cx, 164h -> checks if the counter is already 164h
8. go back to #4
so we will do the same using hiew, i will just change the eax register to edx because in hiew it puts the bytes in eax when doing the cryptset thing [F3 -> Ctrl+F7].
One more thing is we will start decrypting in the instruction after the CALL instruction. The reason for this is after the CALL, the value pushed in the stack is the address of the next instruction, in this case it is the STOSB instruction (offset EC), and that is the value of our EBX.
So this is how it will look.
then after that you can execute the cryptset and you will get this
you can see some readable strings in there and it is a URL ... most likely another malware.
Now save the file [F9], and I will explain the decrypted code ... maybe tomorrow.
I downloaded the file and the result is here
Threat Expert Report
Virustotal Report
Low AV detection 10/32 (31.25%)
Okay tomorrow I will show what the decrypted code do in the system.
Enjoy your day.
Hmnnn.. I also need to construct my resignation letter so I can pass it tomorrow. LOLz.
No comments:
Post a Comment