d0ne
July 12th, 2010, 06:56
Hi,
I had the fun of getting access to a somewhat unknown packed exe.
The AVs recognize it as Zbot, but none of the identifications match on the target system.
I tried to unpack it to get to the core, but failed more or less miserably :/
First there's the simple UPX decryption:
Code:
004477C0 > $ 60 pushad
004477C1 . BE 00904200 mov esi,ehaca.00429000
004477C6 . 8DBE 0080FDFF lea edi,dword ptr ds:[esi+FFFD8000]
just set a breakpoint at:
Code:
0044793D . 61 popad
0044793E . 8D4424 80 lea eax,dword ptr ss:[esp-80]
00447942 > 6A 00 push 0
00447944 . 39C4 cmp esp,eax
00447946 .^ 75 FA jnz short ehaca.00447942
00447948 . 83EC 80 sub esp,-80
0044794B .- E9 BF98FBFF jmp ehaca.0040120F
After 0044794B you're at the OEP.
A bit later, after another VirtualAlloc and LoadLibrary call, you'll end up in a crypto routine:
Code:
77A86567 FFD6 call esi
77A86569 68 FC65A877 push CRYPT32.77A865FC ; ASCII "CryptSignHashW"
77A8656E FF35 3063B077 push dword ptr ds:[77B06330]
77A86574 A3 3463B077 mov dword ptr ds:[77B06334],eax
77A86579 FFD6 call esi
77A8657B 68 E465A877 push CRYPT32.77A865E4 ; ASCII "CryptVerifySignatureW"
77A86580 FF35 3063B077 push dword ptr ds:[77B06330]
77A86586 A3 3863B077 mov dword ptr ds:[77B06338],eax
77A8658B FFD6 call esi
77A8658D 68 D065A877 push CRYPT32.77A865D0 ; ASCII "CryptSetProviderW"
77A86592 FF35 3063B077 push dword ptr ds:[77B06330]
77A86598 A3 3C63B077 mov dword ptr ds:[77B0633C],eax
77A8659D FFD6 call esi
77A8659F 68 BC65A877 push CRYPT32.77A865BC ; ASCII "CryptEnumProvidersW"
77A865A4 FF35 3063B077 push dword ptr ds:[77B06330]
In this function it will load additional DLLs like MSASN1 etc.
That's where the weirdness starts (at least for me). There's some loop happening with VirtualAlloc and LoadLibrary calls, but that's where I failed, as the process seems to terminate itself all the time and I haven't figured out yet what is making it terminate.
If someone has the time to take a look and possibly extract the last-stage binary, that would be awesome; I've been trying for days to get this done.

UPDATE:
I forgot to add the joebox output as well.
Remark:
I have the feeling this exe is broken or possibly cleaned by an AV; maybe that explains why it doesn't really do much. Not sure yet 100%, though.
Best regards
d0ne
pw:infected
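Added example (not from the post or its author): a small Python helper that locates the UPX stub epilogue shown in the listing above (popad ... jmp OEP) inside a dumped code section and resolves the final E9 jmp to the original entry point, reproducing the 0040120F the debugger lands at. The stub bytes are taken from the listing; the padding and the buffer base address are constructed assumptions.

```python
import re
import struct

# UPX x86 unpacking-stub epilogue, byte-for-byte as in the OllyDbg listing:
#   popad ; lea eax,[esp-80] ; push 0 ; cmp esp,eax ; jnz short ; sub esp,-80 ; jmp rel32
# The jmp's 4-byte displacement is captured so the OEP can be computed.
UPX_TAIL = re.compile(
    rb"\x61"                # popad
    rb"\x8d\x44\x24\x80"    # lea eax, dword ptr [esp-0x80]
    rb"\x6a\x00"            # push 0
    rb"\x39\xc4"            # cmp esp, eax
    rb"\x75\xfa"            # jnz short (back to the push 0)
    rb"\x83\xec\x80"        # sub esp, -0x80
    rb"\xe9(.{4})",         # jmp rel32 -> OEP
    re.DOTALL,              # the displacement bytes may include 0x0A
)


def find_upx_oep(code: bytes, base_va: int) -> list[tuple[int, int]]:
    """Return (jmp_va, oep_va) for every UPX epilogue found in `code`.

    `base_va` is the virtual address of code[0]. Returns an empty list when
    no stub is present; several hits (e.g. a stub copied by the packer) are
    all reported so the analyst can pick the live one.
    """
    hits = []
    for m in UPX_TAIL.finditer(code):
        jmp_va = base_va + m.start(1) - 1              # address of the E9 opcode
        rel32 = struct.unpack("<i", m.group(1))[0]     # signed 32-bit displacement
        oep_va = (jmp_va + 5 + rel32) & 0xFFFFFFFF     # target = next insn + rel32
        hits.append((jmp_va, oep_va))
    return hits


# Constructed sample: the listing's stub bytes padded with NOPs and INT3s,
# mapped so that the popad sits at 0044793D as in the post (assumed base).
SAMPLE_VA = 0x0044793D - 8
SAMPLE = (b"\x90" * 8
          + bytes.fromhex("618d4424806a0039c475fa83ec80e9bf98fbff")
          + b"\xcc" * 8)

if __name__ == "__main__":
    for jmp_va, oep in find_upx_oep(SAMPLE, SAMPLE_VA):
        print(f"jmp at {jmp_va:08X} -> OEP {oep:08X}")  # jmp at 0044794B -> OEP 0040120F
```

On a real sample, pass the raw bytes of the section that holds the UPX stub (usually the last UPX section) together with its image base plus section RVA; the resolved OEP is where a hardware breakpoint would stop before dumping.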