var_4) and modify the contents of a buffer (arg_0) by XOR’ing the original contents with 0x3B. The other argument (arg_4) is the length of the buffer that should be XOR’ed. The simple function sub_401190, which we’ll rename xorEncode, implements a single-byte XOR encoding with the static byte 0x3B, taking the buffer and length as arguments. shows the FindResourceA function at ❶.
0x3B to each byte. The figure clearly shows that the resource stores the string www.practicalmalwareanalysis.com in encoded form.

Of the two strings that we suspected might be encoded, we’ve found the domain, but not the GET request string (aG9zdG5hbWUtZm9v in our example). To find the GET string, we’ll use PEiD’s KANAL plug-in, which identifies a Base64 table at 0x004050E8. shows the output of the KANAL plug-in.
base64index is related to Base64 encoding, because = is used for padding in Base64 encoding.

The function that calls base64index is the real base64_encode function, located at 0x004010B1. Its purpose is to divide the source string into 3-byte blocks and pass each one to base64index, which encodes the 3 bytes into 4 output bytes. Some of the clues that make this apparent are the use of strlen at the beginning of the function to find the length of the source string, the comparison with the number 3 (cmp [ebp+var_14], 3) at the start of the outer loop (code block loc_401100), and the comparison with the number 4 (cmp [ebp+var_14], 4) at the start of the inner write loop that runs after base64index has returned its result. We conclude that base64_encode is the main Base64-encoding function; it takes a source string and a destination buffer as arguments and performs the Base64 translation.
Using IDA Pro, we find that there is only one cross-reference to base64_encode (0x004000B1), which is in a function at 0x004011C9 that we will refer to as beacon. The call to base64_encode is shown in at ❶.
o. If the first character is o, then beacon returns 1; otherwise, it returns 0. The main function is composed of a single loop with calls to Sleep and beacon. When beacon (0x004011C9) returns true (by getting a web response starting with o), the loop exits and the program ends.

To summarize, this malware is a beacon to let the attacker know that it is running. The malware sends out a regular beacon with an encoded (and possibly truncated) hostname identifier, and when it receives a specific response, it terminates.
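As an added example (not code from the book, and not the malware's own code), the following Python re-implements the two encodings the analysis identifies, the single-byte XOR with 0x3B and the 3-bytes-in, 4-bytes-out Base64 loop, so an analyst can decode the resource string and reproduce the beacon identifier offline. The 12-byte hostname truncation is an assumption chosen to match the example string aG9zdG5hbWUtZm9v; the sample inputs are constructed.

```python
# Re-implementation of the encodings described in the analysis above.
# Not the book's code; sample inputs are constructed for demonstration.

XOR_KEY = 0x3B  # static byte used by sub_401190 (xorEncode)
# Standard Base64 alphabet; the sample stores an equivalent table at 0x004050E8.
B64_TABLE = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def xor_encode(buf: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR over the whole buffer. XOR is symmetric, so the same
    call decodes the resource that the sample stored in encoded form."""
    return bytes(b ^ key for b in buf)


def base64_index(block: bytes) -> bytes:
    """Encode one 3-byte block (or a shorter tail block) into 4 output bytes,
    padding with '=' as the analysis notes base64index does."""
    n = len(block)
    padded = block + b"\x00" * (3 - n)
    v = (padded[0] << 16) | (padded[1] << 8) | padded[2]
    out = bytearray(B64_TABLE[(v >> (18 - 6 * i)) & 0x3F] for i in range(4))
    # 1 input byte -> 2 real chars + "=="; 2 input bytes -> 3 chars + "="
    for i in range(n + 1, 4):
        out[i] = ord("=")
    return bytes(out)


def base64_encode(src: bytes) -> bytes:
    """Outer loop steps through 3-byte blocks; each inner call writes 4 bytes."""
    return b"".join(base64_index(src[i:i + 3]) for i in range(0, len(src), 3))


def beacon_id(hostname: str, max_len: int = 12) -> str:
    """Hostname identifier as the beacon would send it. The 12-byte cap is an
    assumption that matches the page's example (hostname-foo is 12 bytes)."""
    return base64_encode(hostname.encode()[:max_len]).decode()


def decode_resource(blob: bytes) -> str:
    """Recover the plaintext domain from the XOR-encoded resource bytes."""
    return xor_encode(blob).decode()


# Constructed sample of what the encoded resource looks like on disk.
ENCODED_RESOURCE = xor_encode(b"www.practicalmalwareanalysis.com")
```

Running decode_resource on the bytes pulled from the real resource, and comparing beacon_id of the infected host against the string seen in the GET request, is a quick way to confirm that the recovered logic matches the sample's traffic.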