flyerlkp.blogg.se

Blogger template grabber

As a new member of the Stormshield Security Intelligence team, my initiation ritual was to analyze a form-grabber malware used to steal passwords through web-browser injection. In this article I'll try to present a detailed analysis of this malware, with emphasis on the web-browser injection part.

The malware is pretty old: its compilation time-stamp points out that it may have been used during November 2012. However, as we will see throughout this blog post, it is still effective against the latest browsers (running in 32-bit mode). Xylitol, a security researcher, shared a sample of this malware on VirusTotal at the end of 2012, but no public analysis seems to be available on the Internet. Due to the lack of information about this malware, the propagation method of this threat is unknown.

The sample analyzed is packed with 2 layers. The first one is based on the well-known packer UPX and can be easily defeated. The second one is quite simple as well: it implements a small anti-debug trick which reads the 'BeingDebugged' flag within the PEB. It also involves a small de-obfuscation routine which performs XOR operations with a one-byte key (0x0F), used to output the decrypted PE sections into buffers allocated with VirtualAlloc(). Following a few calls to VirtualAlloc(), the end of the second unpacking stage can be identified with the following instructions:

    push 0x666    ; magic value checked after unpacking
    push ebx      ; base address of the unpacked PE
    call eax      ; leads to the unpacked PE original entry point

Thus, it can be drawn that the first function executed by the malware takes 2 input parameters:

If the magic value isn't the expected one (0x666), then the malware stops its execution.

In order to delay reverse-engineering and probably to defeat static, detection-based analysis methods, the malware implements the RC4 algorithm to encrypt strings. Most of them are DLL or function names and parameters related to web-browser injection, and are used to dynamically resolve imports using LoadLibraryA() and GetProcAddress(). At .data+0x30, an array of structs with one entry per encrypted string is identified. The struct contains the following fields:

Thus, in order to decrypt a string, the malware uses a function that pushes the number of the encrypted string within the array of structs, from which its address and length can be deduced. The RC4 key used for encryption is 128 bits long and its address is stored at. With an IDA Python script, one can easily find cross-references to this function, identify the string's number as the last pushed argument, and thus perform decryption. Executing this script reveals interesting strings such as DLL or function names:
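To make the string-decryption scheme described above concrete, here is an added Python model of it (not the malware's code nor the original post's IDA script). The struct layout (an offset and a length per entry), the 16-byte key and the strings are all constructed for illustration; the real table, key and string count come from the sample.

```python
# Added example: model of the malware's RC4 string table. Layout, key and
# strings are constructed here, not taken from the sample.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                            # keystream generation, XOR with data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Constructed 128-bit key standing in for the one stored in the sample.
RC4_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def build_table(strings, key):
    """Emulate the .data layout: one (offset, length) struct per encrypted
    string, ciphertexts laid out back to back in a single blob."""
    blob, entries = bytearray(), []
    for s in strings:
        ct = rc4(key, s.encode("ascii"))
        entries.append((len(blob), len(ct)))  # address and length of this string
        blob += ct
    return bytes(blob), entries

def decrypt_string(blob, entries, index, key):
    """What the decrypt routine does with its single pushed argument: look the
    index up in the struct array, take address and length, run RC4."""
    offset, length = entries[index]
    return rc4(key, blob[offset:offset + length]).decode("ascii")

def decrypt_all(blob, entries, key):
    """Equivalent of walking every call site's last pushed argument in IDA."""
    return [decrypt_string(blob, entries, i, key) for i in range(len(entries))]

if __name__ == "__main__":
    # Constructed strings of the kind the post says the script reveals.
    blob, entries = build_table(["kernel32.dll", "LoadLibraryA", "GetProcAddress"], RC4_KEY)
    for i, s in enumerate(decrypt_all(blob, entries, RC4_KEY)):
        print(i, s)
```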