%s and %c to be passed into the sprintf function. The line at 0x004011D7 is pushing the %c argument onto the stack, and the line at 0x004011DB is pushing the %s argument onto the stack.

The earlier code (0x004011AC–0x004011CA) represents the copying of the last character of %s into %c. First, strlen is used to calculate the end of the string (0x004011AC–0x004011B8). Then the last character of %s is copied to a local variable var_214 used for %c (0x004011BE–0x004011CA). Thus, in the final URI, the filename %c is always the last character of the string %s. This explains why the filename in both examples is a, since it matches the last character.

To figure out the string input, we navigate to the calling function, which is actually main. The figure shows an overview of main, including the Sleep loop and a reference to the downloadNRun function.
a as the padding character, rather than the typical =.

41:73:7E:29:93:56-John Smith\x06\x9a

Remember from earlier that this malware uses standard Base64 encoding with the exception of the padding character, for which it uses a. The extra characters in the result after “John Smith” come from using the standard Base64 decoder, which interprets the aa at the end of the string as regular characters instead of identifying them as replacement padding characters.

Having identified the source of the beacon, let’s see what happens when some content is received. Returning to the URLDownloadToCacheFileA function (0x004011A3, labeled downloadNRun), we see that the success fork of the function is the command CreateProcessA, which takes as a parameter the pathname returned from URLDownloadToCacheFileA. Once the malware downloads a file, it simply executes that file and quits.
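As an added example (my own Python, not code from the book or from the malware), the following models the beacon encoding discussed in both passages above: the standard Base64 alphabet with a as the padding character, the %c filename taken from the last character of %s, and a padding-aware decoder beside the stock one that leaves \x06\x9a after “John Smith”. The plaintext sample is constructed from the string quoted above, and the function names are assumptions of this example.

```python
import base64
import string

# Standard Base64 alphabet; the malware keeps it and only swaps the pad char.
_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
PAD = "a"  # the malware's replacement for '='

SAMPLE_PLAINTEXT = b"41:73:7E:29:93:56-John Smith"  # constructed from the text above


def custom_b64encode(data: bytes) -> str:
    """Standard Base64, then replace the '=' padding with the malware's 'a'."""
    std = base64.b64encode(data).decode("ascii")
    body = std.rstrip("=")
    return body + PAD * (len(std) - len(body))


def naive_decode(text: str) -> bytes:
    """A stock decoder: the trailing 'a' padding is decoded as data bytes."""
    return base64.b64decode(text)


def _decode_assuming_pad(text: str, npad: int):
    """Decode with the last npad chars as padding; None if the spare bits of
    the final sextet are non-zero, i.e. this is not a canonical encoding."""
    bits = nbits = 0
    out = bytearray()
    for ch in text[: len(text) - npad]:
        bits, nbits = (bits << 6) | _ALPHABET.index(ch), nbits + 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1  # keep only the not-yet-emitted bits
    return None if bits else bytes(out)


def decode_beacon(text: str) -> bytes:
    """Treat up to two trailing 'a' as padding, preferring the most-padded
    reading whose spare bits are zero. Data ending in byte 0x1a still collides
    with a one-pad string: reusing an alphabet char as padding is ambiguous."""
    if len(text) % 4 or any(c not in _ALPHABET for c in text):
        raise ValueError("not a beacon string")
    trailing = len(text) - len(text.rstrip(PAD))
    for npad in range(min(trailing, 2), 0, -1):
        result = _decode_assuming_pad(text, npad)
        if result is not None:
            return result
    return _decode_assuming_pad(text, 0)  # unpadded reading always succeeds


def filename_char(encoded: str) -> str:
    """Mirror the strlen-based copy: the %c filename is the last char of %s."""
    return encoded[-1]
```

For the sample string the beacon ends in aa, so the %c filename is a, matching the text, while naive_decode returns the plaintext followed by \x06\x9a and decode_beacon returns the plaintext alone.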