Anyway this is a superficial analysis of the file I found. I don't go in much detail here because of time constraints. If you want the sample feel free to contact me.
The file is execute through rundll32.exe calling the exported function ProUpdate. It's a multi-stage dropper with some part of the malware in the resources.
First it creates a thread responsible for the unpacking of the malware.
It reads the some of the malware from the resources
Then it allocates 0x1519 bytes through VirtualAlloc and memcpys the 0x1515 bytes of the loaded resource to it's allocced destination
It decrypts the resource byte per byte
and then the location allocced is called. The malware employs a couple of anti-debugging techniques that are easily avoided with the right plug-ins.
The malware now starts to dynamically loads the required functions:
RegOpenKeyExA, RegQueryInfoKeyA, RegEnumKeyA, RegQueryValueExA, RegCloseKey, VirtualAlloc, GetModuleHandleA, LoadLibrary, GetProcAddress, VirtualFree, lstrcmpA, lstrcatA, lstrcpynA, lstrlenA, GetTickCount, GlobalAlloc, Sleep, srand, time, rand, memmove, strstr, atoi, memset, memcmp, memcpy, wsprintfA, recv, closesocket, socket, setsockopt, inet_addr, gethostbyname, ntohs, connect, send, WSAStartup.Reg functions are used to verify the use of proxies by the system. When a proxy is detected the malware tries to connect to it's server through the proxy.
Now that everything is setup the malware tries to connect to a especified server in the port 443.
It keeps trying to connect every few seconds. Once connected, the communication employs a kinda of "encryption" to avoid analysis.
The malware downloaded will be analyzed as soon as I have more time.
See you all.
