Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

is preparing arguments %s and %c to be passed into the sprintf function. The line at 0x004011D7 is pushing the %c argument onto the stack, and the line at 0x004011DB is pushing the %s argument onto the stack.

The earlier code (0x004011AC–0x004011CA) represents the copying of the last character of %s into %c. First, strlen is used to calculate the end of the string (0x004011AC–0x004011B8). Then the last character of %s is copied to a local variable var_214 used for %c (0x004011BE–0x004011CA). Thus, in the final URI, the filename %c is always the last character of the string %s. This explains why the filename in both examples is a, since it matches the last character.

To figure out the string input, we navigate to the calling function, which is actually main. shows an overview of main, including the Sleep loop and a reference to the downloadNRun function.

shows one of the forks where the Base64 encoding function (0x401000) may choose either an encoding character or a padding character. The path at the right in the figure shows the assignment of a as the padding character, rather than the typical =.

The result is 41:73:7E:29:93:56-John Smith\x06\x9a. Remember from earlier that this malware uses standard Base64 encoding with the exception of the padding character, for which it uses a. The extra characters in the result after “John Smith” come from using the standard Base64 decoder, which interprets the aa at the end of the string as regular characters instead of identifying them as replacement padding characters.
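As an added example (not code from the book or from the lab sample), the Python below reproduces the padding quirk just described: it re-encodes the quoted beacon content with a as the padding character, decodes it correctly by treating trailing a as padding, and shows the two extra bytes a standard decoder appends. The encoded beacon string is constructed here from the quoted plaintext, not copied from the page.

```python
import base64

# Constructed sample for this example: the decoded beacon content quoted in the
# text, re-encoded the way the sample does (standard Base64 with '=' padding
# replaced by 'a'). The encoded string itself is not reproduced from the book.
PLAINTEXT = b"41:73:7E:29:93:56-John Smith"
PAD_CHAR = "a"


def encode_custom(data: bytes) -> str:
    """Standard Base64 with the '=' padding swapped for the sample's 'a'."""
    return base64.b64encode(data).decode("ascii").replace("=", PAD_CHAR)


def decode_standard(beacon: str) -> bytes:
    """What an off-the-shelf decoder does: every 'a' is alphabet value 26,
    so the replacement padding turns into extra trailing bytes."""
    return base64.b64decode(beacon)


def decode_custom(beacon: str) -> bytes:
    """Decode, treating up to two trailing 'a' characters as padding.

    'a' is also a legitimate alphabet character, so a trailing 'a' is
    ambiguous; this decoder assumes it is padding, which is the choice a
    standard decoder cannot make and the reason it emits the extra bytes.
    """
    if len(beacon) % 4:
        raise ValueError("Base64 length must be a multiple of 4")
    stripped = beacon.rstrip(PAD_CHAR)
    pad_len = min(len(beacon) - len(stripped), 2)
    return base64.b64decode(beacon[: len(beacon) - pad_len] + "=" * pad_len)


def decoder_artifacts(beacon: str) -> bytes:
    """Bytes a standard decoder adds beyond the custom decoding; a non-empty
    result is the tell-tale of the replacement padding character."""
    return decode_standard(beacon)[len(decode_custom(beacon)):]


if __name__ == "__main__":
    beacon = encode_custom(PLAINTEXT)
    print(beacon)                    # ends in 'aAaa' rather than 'aA=='
    print(decode_custom(beacon))     # the quoted plaintext
    print(decode_standard(beacon))   # plaintext followed by b'\x06\x9a'
```

A beacon of Base64 length that never carries = but whose standard decoding ends in non-printable bytes is a useful tell when writing a network signature for this sample.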

Having identified the source of the beacon, let’s see what happens when some content is received. Returning to the URLDownloadToCacheFileA function (0x004011A3, labeled downloadNRun), we see that the success fork of the function is the command CreateProcessA, which takes as a parameter the pathname returned from URLDownloadToCacheFileA. Once the malware downloads a file, it simply executes that file and quits.

shows how those characters are translated, as well as the pattern to target.

) and the fact that the malware downloads an executable. Combining signatures is often an effective strategy. For example, a malware signature that produces regular false positives may still be effective if combined with a signature that triggers on an executable download.


© RuTLib.com 2015-2018