Páginas

domingo, 10 de abril de 2011

aspnet_gh.mst

While working in a computer infected with a unknown version of TROJ_QDDOS I came accross a couple of "modules" that differ from the analysis made by Trend Micro. The thing is I'm not sure if this "module" is part of TROJ_QDDOS or just another new unknown malware.

Anyway this is a superficial analysis of the file I found. I don't go in much detail here because of time constraints. If you want the sample feel free to contact me.

The file is execute through rundll32.exe calling the exported function ProUpdate. It's a multi-stage dropper with some part of the malware in the resources.

First it creates a thread responsible for the unpacking of the malware.


It reads the some of the malware from the resources

 

Then it allocates 0x1519 bytes through VirtualAlloc and memcpys the 0x1515 bytes of the loaded resource to it's allocced destination


It decrypts the resource byte per byte


and then the location allocced is called. The malware employs a couple of anti-debugging techniques that are easily avoided with the right plug-ins.


The malware now starts to dynamically loads the required functions:
RegOpenKeyExA, RegQueryInfoKeyA, RegEnumKeyA, RegQueryValueExA, RegCloseKey, VirtualAlloc, GetModuleHandleA, LoadLibrary, GetProcAddress, VirtualFree, lstrcmpA, lstrcatA, lstrcpynA, lstrlenA, GetTickCount, GlobalAlloc, Sleep, srand, time, rand, memmove, strstr, atoi, memset, memcmp, memcpy, wsprintfA, recv, closesocket, socket, setsockopt, inet_addr, gethostbyname, ntohs, connect, send, WSAStartup.
Reg functions are used to verify the use of proxies by the system. When a proxy is detected the malware tries to connect to it's server through the proxy.


Now that everything is setup the malware tries to connect to a especified server in the port 443.


It keeps trying to connect every few seconds. Once connected, the communication employs a kinda of "encryption" to avoid analysis.


When connection is succesfull, a encrypted malware is downloaded, decrypted and executed in memory.

The malware downloaded will be analyzed as soon as I have more time.

See you all.

Nenhum comentário: