A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19655  by Horgh
 Sat Jun 15, 2013 1:23 pm
OEP @ 00401414? Is that correct?
Nope, OEP is 004020C1.
Code: Select all
004020C1  |.  55            PUSH EBP
004020C2  |.  8BEC          MOV EBP,ESP
004020C4  |.  81EC 0C020000 SUB ESP,20C
004020CA  |.  53            PUSH EBX
004020CB  |.  56            PUSH ESI
004020CC  |.  8B35 44304000 MOV ESI,DWORD PTR DS:[403044]            ;  kernel32.GetModuleFileNameA
004020D2  |.  57            PUSH EDI
004020D3  |.  BF 03010000   MOV EDI,103
004020D8  |.  57            PUSH EDI                                 ; /BufSize => 103 (259.)
004020D9  |.  8D85 F8FEFFFF LEA EAX,DWORD PTR SS:[EBP-108]           ; |
004020DF  |.  33DB          XOR EBX,EBX                              ; |
004020E1  |.  50            PUSH EAX                                 ; |PathBuffer
004020E2  |.  53            PUSH EBX                                 ; |hModule => NULL
004020E3  |.  895D FC       MOV DWORD PTR SS:[EBP-4],EBX             ; |
004020E6  |.  FFD6          CALL ESI                                 ; \GetModuleFileNameA
Is this custom cryption part?
http://msdn.microsoft.com/en-us/library ... s.85).aspx
"Creates a private heap object that can be used by the calling process. The function reserves space in the virtual address space of the process and allocates physical storage for a specified initial portion of this block."
Attached what I THINK is the proper dump + IAT fix (dumped_.exe). Where do I go from here (if even on the right track) to view interesting/decrypted strings? Thank you :)

EDIT: Added dumped2_.exe. SEEMS a bit more complete and reveals program written in Delphi v2.25. Please correct if wrong.
Your first dump is wrong, you're still in the packer code. Your second dump doesn't even start. And the FakeAv is written in VC++.
It's really easy to unpack, set a bp on VirtualFree, Alt+F9, trace a bit and you'll land here :
Code: Select all
003F0CDB    83F8 01         CMP EAX,1
003F0CDE    75 04           JNZ SHORT 003F0CE4
003F0CE0    6A 00           PUSH 0
003F0CE2    FFD1            CALL ECX
003F0CE4  - FFE1            JMP ECX                                  ; (fakeAv).004020C1
This is the jump to the OEP.

In attach a crappy dump I made.
pwd : infected
(821 KiB) Downloaded 79 times
 #19656  by thisisu
 Sat Jun 15, 2013 2:29 pm
Hi and thanks for your response. :)

I think we are looking at different files. It is my fault, I didn't mention at first that I ran the malware in VM and gathered the btdefender.exe from %allusersprofile%. Attached is that file. Sorry for the confusion. This is the one I've been trying to analyse.
Attachments
pass: infected
(797.74 KiB) Downloaded 88 times
 #19657  by EP_X0FF
 Sat Jun 15, 2013 3:03 pm
Yes this software is written in CodeGear RAD studio, so thisisu correct.

It is multustaged dropper using TDL3 style spooler inject, self-decryption and antiemulation.

1 layer - dumb crypter, break on NtFreeVirtualMemory and dump container
2 layer - dropper written in C++ and using TDL3 injection, force 00401D84 to be executed, it will decrypt .inst section and transfer control to the next level.
.inst section is block of data+executable. Data is the following:
Code: Select all
btdefender.exe Internet Security Plus 
hxxp://twinkcam.net/images/s.php?id=214
hxxp://cinnamyn.com/images/s.php?id=214  
Name of malware + C&C as I understand.

3. Next stage dropper written in C++, purpose - decrypt 4 stage malware body
4. MPRESS compressed actual FakeAV body.

Maybe I missed something, just did quick looking.

If you need any layers from this crap let me know.
 #19659  by EP_X0FF
 Sat Jun 15, 2013 4:29 pm
Last stage mpress with not fixed iat, doesn't matter, resources and other crap readable.

2stage.exe_bin - TDL3 style injector with 3 stage in .inst section encrypted
3stage.exe_bin - decrypted .inst executable, next dropper with encrypted mpress executable inside
4stage_mpress.exe_bin - mpress itself, will work if simple launched
dumped_finalstage_noiatfix.exe_bin - name say it all (resources readable, you can extract all delphi forms etc)
For MPRESS generic, execute first instruction and goto esp value, set hardware breakpoint on access first dword, break on, follow jmp <address>, you are at OEP.

IDE used: CodeGear RAD Studio, version 11.0.2709.7128

And this is Win32/FakeRean.

Also if you are interested this FakeAV is VM aware. It detect presense of VMWare (using VMX backdoor) and VirtualPC (using invalid instruction). For more info see code at offset 0016BC25 in last stage dump.
Attachments
pass: infected
(3.94 MiB) Downloaded 99 times
  • 1
  • 4
  • 5
  • 6
  • 7
  • 8
  • 15