The User-Agent string is generated by adding 1 to each letter and number in the hostname (Z and 9 are rotated to A and 0).
The program looks for the string Bamboo:: in the page it requested.
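As an added example (not code from the book or from the lab binary), the following script re-creates the User-Agent scheme given in the answer above and, because the shift is reversible, also inverts it so the infected host's name can be recovered from a proxy log. The wrap for uppercase and digits (Z to A, 9 to 0) is the rule stated in the answer; treating lowercase letters the same way and leaving other characters untouched are assumptions, as are the sample log lines and their format.

```python
"""User-Agent <-> hostname for the scheme described in the lab answer.

Added example, not the book's code. Rule from the answer: add 1 to every
letter and digit of the hostname, Z wraps to A and 9 wraps to 0. Lowercase
handling (z -> a) and pass-through of other characters are assumptions.
"""
import re

RINGS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", "0123456789")


def shift_char(c: str, step: int) -> str:
    # Rotate within the ring the character belongs to; leave anything else alone.
    for ring in RINGS:
        if c in ring:
            return ring[(ring.index(c) + step) % len(ring)]
    return c


def encode_user_agent(hostname: str) -> str:
    """Hostname -> User-Agent, as the malware does (each letter/digit + 1)."""
    return "".join(shift_char(c, 1) for c in hostname)


def decode_user_agent(user_agent: str) -> str:
    """User-Agent -> hostname. The scheme is a bijection on letters and digits,
    so a defender can map a beaconing User-Agent back to the infected host."""
    return "".join(shift_char(c, -1) for c in user_agent)


# Constructed sample proxy log lines (not real traffic). Assumed format:
# <timestamp> <client_ip> <url> "<user-agent>"
SAMPLE_PROXY_LOG = [
    '2024-01-01T10:00:00Z 10.0.0.5 http://www.practicalmalwareanalysis.com/bamboo.html "XPSLTUBUJPO-12"',
    '2024-01-01T10:00:01Z 10.0.0.6 http://example.invalid/ "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def find_infected_hosts(log_lines, known_hostnames):
    """Return (client_ip, decoded_hostname) for every log line whose
    User-Agent decodes to a hostname we administer."""
    known = set(known_hostnames)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client_ip, _url, ua = m.groups()
        candidate = decode_user_agent(ua)
        if candidate in known:
            hits.append((client_ip, candidate))
    return hits


if __name__ == "__main__":
    print(encode_user_agent("WORKSTATION-01"))
    print(find_infected_hosts(SAMPLE_PROXY_LOG, ["WORKSTATION-01"]))
```

Feeding the decoder your asset inventory rather than matching a fixed string avoids having to know the exact User-Agent in advance: any beacon whose decoded value is one of your hostnames is a hit.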
at address 0x0040115A.

jnz and jz means that the countermeasure does not depend on a specific state of the zero flag as either set or unset in order to hit the target code. In this case, the target is in the middle of the call instruction on line 0x0040126D at ❸. Convert this instruction to data by pressing the D key on the keyboard. Then put your cursor on line 0x0040126E to convert it to code with the C key. Continue reading the code until you reach the next countermeasure at line 0x004012E6, which is shown in .
jz at ❶. This jumps into the middle of the mov instruction at ❷. It is impossible to have the disassembler show all the instructions that are executed in this case because the opcodes are used twice, so just follow the code logically and convert each instruction to code as you reach it. When you are finished with this countermeasure, it should look like the code in . At ❶, we see the middle of the mov instruction from the previous listing converted to a proper jmp instruction.
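The jz/jnz pair above is a disguised unconditional jump, and its target lands one byte into a bogus call. As an added example (not code from the book or from the lab binary), the following script scans raw code bytes for that pattern so the analyst can find every such countermeasure before converting bytes by hand; the sample bytes are constructed for the demo, and the optional IDA hook assumes idc.del_items and idc.create_insn are the scripted equivalent of pressing D and then C.

```python
"""Find jz/jnz pairs that branch to the same address in raw x86 code bytes.

Added example; not the book's code. Works on a bytes object (for instance a
section dumped from the sample), not on IDA's database. Sample bytes below
are constructed. The IDA hook at the end is an assumed API mapping.
"""
JZ_REL8, JNZ_REL8, CALL_REL32 = 0x74, 0x75, 0xE8


def _rel8(b: int) -> int:
    # rel8 displacements are signed bytes
    return b - 256 if b > 127 else b


def find_jz_jnz_pairs(code: bytes, base: int = 0):
    """Return [(pair_va, target_va)] for each back-to-back jz/jnz (either order)
    whose two branches resolve to the same address. The conditions are
    complementary, so the pair is really an unconditional jump that a
    disassembler shows as two conditional ones. base is the VA of code[0]."""
    hits = []
    for i in range(len(code) - 3):
        op1, d1, op2, d2 = code[i], code[i + 1], code[i + 2], code[i + 3]
        if {op1, op2} != {JZ_REL8, JNZ_REL8}:
            continue
        t1 = i + 2 + _rel8(d1)   # first jump: end of its own bytes + disp
        t2 = i + 4 + _rel8(d2)   # second jump
        if t1 == t2:
            hits.append((base + i, base + t1))
    return hits


def lands_after_rogue_call_byte(code: bytes, base: int, target_va: int) -> bool:
    """True when the byte right before the shared target is 0xE8: the jumps land
    one byte into a fake call, the situation described at 0x0040126D/0x0040126E.
    That byte has to be undefined and the target redefined as code."""
    off = target_va - base - 1
    return 0 <= off < len(code) and code[off] == CALL_REL32


def analyse(code: bytes, base: int):
    """Report each disguised jump and whether it hides behind a fake call."""
    return [(pair_va, target_va, lands_after_rogue_call_byte(code, base, target_va))
            for pair_va, target_va in find_jz_jnz_pairs(code, base)]


def fix_in_ida(target_va: int) -> bool:
    """Inside IDA Pro: undefine the rogue byte (D) and make the target an
    instruction (C). Assumed API names; returns False outside IDA."""
    try:
        import idc
    except ImportError:
        return False
    idc.del_items(target_va - 1, idc.DELIT_SIMPLE, 1)
    return idc.create_insn(target_va) > 0


# Constructed sample (not from the lab binary): the pattern the text describes.
SAMPLE_BASE = 0x00401000
SAMPLE_CODE = bytes([
    0x33, 0xC0,        # 0x401000: xor eax, eax   (sets ZF)
    0x74, 0x03,        # 0x401002: jz  +3  -> 0x401007
    0x75, 0x01,        # 0x401004: jnz +1  -> 0x401007 as well
    0xE8,              # 0x401006: rogue 0xE8; a linear sweep shows "call ..." here
    0x8B, 0xFF,        # 0x401007: mov edi, edi  (the real next instruction)
    0xC3,              # 0x401009: ret
])

if __name__ == "__main__":
    for pair_va, target_va, rogue in analyse(SAMPLE_CODE, SAMPLE_BASE):
        note = " (lands one byte into a fake call)" if rogue else ""
        print(f"jz/jnz pair at {pair_va:#010x} -> {target_va:#010x}{note}")
```

Running the script on a dumped .text section lists every pair and its shared target, which is exactly the list of addresses where the D and C keystrokes described above have to be applied.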
retn instruction on line 0x0040130E to the beginning of the function at 0x00401000, and press the P key. To view the resulting function graphically, press the spacebar.

The two functions (sub_40130F and sub_401386) immediately follow the main function. Each builds a string on the stack, duplicates it to the heap with strdup, and returns a pointer to the heap string. The malware author crafted these functions to build their strings this way so that the strings will not show up as plaintext in the binary, but will appear only in memory at runtime. The first of these two functions produces the string http://www.practicalmalwareanalysis.com/bamboo.html, and the second produces the string Account Summary.xls.exe. Having defeated all the anti-disassembly countermeasures in the main function, these functions should show cross-references to where they are called from the main function. Rename these functions buildURL and buildFilename by putting your cursor on the function name and pressing the N key on the keyboard.
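Strings built on the stack one store at a time, as buildURL and buildFilename do, are invisible to a plain strings scan of the file. As an added example (not code from the book or from the lab binary), the following script recovers such strings statically by scanning raw code bytes for mov [ebp+disp], imm stores and gluing together stores to consecutive stack offsets. The opcode encodings (C6 /0 and C7 /0 with an [ebp+disp8] or [ebp+disp32] ModRM) are standard x86; the sample bytes are constructed by the small emitter in the script and are not the lab binary's code.

```python
"""Recover stack-built strings from raw x86 code bytes.

Added example; not the book's code. Scans for
    mov byte  ptr [ebp+disp], imm8    (C6 45 d8 i8 / C6 85 d32 i8)
    mov dword ptr [ebp+disp], imm32   (C7 45 d8 i32 / C7 85 d32 i32)
and reassembles runs of adjacent stack offsets. The sample input is
constructed here; a real run would use a section dumped from the sample.
"""
MOV_RM8_IMM8, MOV_RM32_IMM32 = 0xC6, 0xC7        # opcodes, reg field /0
MODRM_EBP_DISP8, MODRM_EBP_DISP32 = 0x45, 0x85   # [ebp+disp8], [ebp+disp32]


def collect_stack_stores(code: bytes) -> dict:
    """Return {stack_offset: byte} for every immediate store to [ebp+disp].
    A dword store contributes four consecutive bytes (little-endian order
    equals memory order, so the immediate bytes are the string bytes)."""
    stores, i = {}, 0
    while i + 1 < len(code):
        op, modrm = code[i], code[i + 1]
        if op in (MOV_RM8_IMM8, MOV_RM32_IMM32) and modrm in (MODRM_EBP_DISP8, MODRM_EBP_DISP32):
            disp_len = 1 if modrm == MODRM_EBP_DISP8 else 4
            imm_len = 1 if op == MOV_RM8_IMM8 else 4
            end = i + 2 + disp_len + imm_len
            if end > len(code):
                break
            disp = int.from_bytes(code[i + 2:i + 2 + disp_len], "little", signed=True)
            for k, b in enumerate(code[i + 2 + disp_len:end]):
                stores[disp + k] = b
            i = end
        else:
            i += 1
    return stores


def reconstruct_stack_strings(code: bytes, min_len: int = 4) -> list:
    """Group stores by consecutive stack offset, cut at NUL, keep printable runs."""
    stores = collect_stack_stores(code)
    disps = sorted(stores)
    runs, current = [], bytearray()
    for idx, disp in enumerate(disps):
        if idx > 0 and disp != disps[idx - 1] + 1:
            runs.append(bytes(current))
            current = bytearray()
        current.append(stores[disp])
    if current:
        runs.append(bytes(current))
    out = []
    for run in runs:
        for chunk in run.split(b"\x00"):
            if len(chunk) >= min_len and all(32 <= b < 127 for b in chunk):
                out.append(chunk.decode("ascii"))
    return out


def emit_stack_string(s: str, disp: int, dword: bool = False) -> bytes:
    """Constructed test input: emit the stores a compiler would produce for a
    char array initialised at [ebp+disp], as byte stores or 4-byte stores."""
    data, out, pos = s.encode("ascii") + b"\x00", bytearray(), 0
    while pos < len(data):
        d = disp + pos
        wide = not -128 <= d <= 127
        modrm = MODRM_EBP_DISP32 if wide else MODRM_EBP_DISP8
        disp_bytes = d.to_bytes(4 if wide else 1, "little", signed=True)
        chunk = data[pos:pos + 4]
        if dword and len(chunk) == 4:
            out += bytes([MOV_RM32_IMM32, modrm]) + disp_bytes + chunk
        else:
            chunk = chunk[:1]
            out += bytes([MOV_RM8_IMM8, modrm]) + disp_bytes + chunk
        pos += len(chunk)
    return bytes(out)


URL = "http://www.practicalmalwareanalysis.com/bamboo.html"
FILENAME = "Account Summary.xls.exe"

# Constructed function body: prologue, the two string builders, epilogue.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                      # push ebp; mov ebp, esp
    b"\x81\xec\x00\x01\x00\x00"          # sub esp, 0x100
    + emit_stack_string(URL, -0x40, dword=True)   # disp8 range, dword stores
    + emit_stack_string(FILENAME, -0x100)          # disp32 range, byte stores
    + b"\xc3"                             # ret
)

if __name__ == "__main__":
    for s in reconstruct_stack_strings(SAMPLE_CODE):
        print(s)
```

Offsets are sorted ascending, so the string at the lower stack address (here the filename) comes out first; a real binary will also mix in unrelated local stores, which the NUL split and the printable filter discard.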
shows the call to buildURL (our renamed function) at ❶.

0040115F push 0
00401161 push 0
00401163 push 0
00401167 push 0
0040116C call buildURL ❶
0040116D push eax
00401173 mov edx, [ebp+var_10114]
00401174 push edx
0040117A call ds:InternetOpenUrlA ❷
Reading the code further, we see that it attempts to open the URL returned from buildURL at ❷ using InternetOpenUrlA. In order to determine the User-Agent string used by the malware when calling the InternetOpenUrlA function, we need to first find the InternetOpen function call and determine what data is passed to it. Earlier in the function, we see InternetOpenA called, as shown in .
name location at ❶.

Following the call to InternetOpenA and the first call to InternetOpenUrlA, the data (an HTML web page) is downloaded to a local buffer with a call to InternetReadFile, as shown in at ❶. The buffer to contain the data is the second argument, which has been named automatically by IDA Pro as Str at ❷. A few lines down in the function, we see the Str buffer accessed again at ❸.
ShellExecute on line 0x00401300.