Thank you. Bamital stores its payload code in infected file (previously it was standalone file in system32 folder). Infection is system dependent, because it uses hardcoding of VirtualAlloc function address, probably it calculates by dropper-infector. That's why it was required to look at system libraries from infected machine.
So infection works like this -> patched OEP of svchost.exe/explorer/winlogon -> VirtualAlloc + copy main payload data to allocated region -> decrypt sensitive data with xor -> execute decrypted data.
Dump of sensitive strings from infection payload
dwmapi.dll ntmarta.dll /a /c vu open http://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) GET HTTP/1.0
Host: Content-Length: Pragma: no-cache
User-Agent: Host: type=renderer ntdll.dll kernel32.dll
shell32.dll ws2_32.dll
ole32.dll Imagehlp.dll Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry
Software\Microsoft\Windows NT\CurrentVersion\Temp
SYSTEM\CurrentControlSet\Services\sr\Parameters
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun DisableSR \user32.dll /m.php
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup [%subid] <d> </d> <u> </u> <a> </a> <c> </c> google.com Date: X55Fut2999 ?subid= &id= \user32.dll TimeGetWork Uses32 Domen Data / & \ PROCESSOR_IDENTIFIER ? &os= &flg= &ver= &pr= \MicrosoftNT \winserver.exe 11expl22 11svch22 19792079 sfc_os.dll win winlogon.exe dllcache\winlogon.exe svchost.exe dllcache\svchost.exe explorer.exe dllcache\explorer.exe user32.dll opera.exe \SysWoW64 \wbem\ C: \ s y s p r e p \ c r y p t b a s e . d l l c r y p t b a s e . d l l cryptbase.dll \sysprep sysprep.exe elev.exe
decryption routine
Code: Select all00000021 decryption_loop:
00000021 xor [edi], dl
00000023 inc edx
00000024 cmp edx, 0FFh
0000002A jbe continue
0000002C mov edx, 0
00000031
00000031 continue:
00000031 add edi, 1
00000034 loop decryption_loop
