Need help analyzing injected code


Sunk
July 29th, 2012, 11:11
I've done some unpacking and extracted a malicious .dll file that is injected from memory into Internet Explorer. Because of the lack of exports, this seems more like an exe, but in either case I'm having trouble analyzing it in Olly. I tried converting it to an exe and it runs for a little while and then crashes and I can't figure out why. Is it anti-debugging code or is it because it's not in Internet Explorer? This is the core of the malware and I've reached a dead end.

I've included the original .dll in the zip if anyone wants to check it out... The password is "infected".

Kayaker
July 29th, 2012, 23:11
It seems to run OK under Olly when loaded as a regular dll (loaddll.exe). If you let it execute it creates a secondary thread, and I found that if you wait quietly for a minute or two it will load a few more net related dlls and create another 2 threads.

I have no idea what it actually does, but it does appear to "behave" normally under Olly. Was there some particular sticking point you found?

blabberer
July 30th, 2012, 07:58
Well, like Kayaker said, this dll seems to be OK as far as running is concerned.

Yes, it creates a thread.

It creates a file drm.ocx in c:\windows if you cheat a bit by providing bogus inputs to its GetWindowText APIs after it creates a socket to (device\afd) to some webcrap.......org. Yes, it seems to be centered on Internet Explorer.

Doesn't seem to have much anti-debugging; looks like straight (Borland Embarcadero??) code.

Uses a wtimer (timer proc) to repeat its work, and you need to cheat every time the callback is called.

Set up some fake network blah blah and you should be able to run amok with this dll.

So what exactly are you stuck at???

BTW, its imagebase is 0x400000 so it clashes with Loaddll and gets relocated,

so I rebased it to 0x1000000 before running and trapping it (so you know why my paste below contains addresses in the 0x100.... range; also, rebasing should help if you plan to use IDA and dump a map from it for OllyDbg).

Below is a paste of some APIs I saw it invoking before I quit playing with it.

Code:

0006F514 008F0254 |FileName = "C:\WINDOWS\drm.ocx"
0006F518 00000002 \FileAttributes = HIDDEN


01002AF4 |. 6A >PUSH 0 ; /hTemplateFile = NULL
01002AF6 |. 68 >PUSH 80 ; |Attributes = NORMAL
01002AFB |. 51 PUSH ECX ; |Mode = 7C91003D
01002AFC |. 6A >PUSH 0 ; |pSecurity = NULL
01002AFE |. 52 PUSH EDX ; |ShareMode = 80608
01002AFF |. 50 PUSH EAX ; |Access = 100
01002B00 |. 8D4>LEA EAX, DWORD PTR DS:[ESI+48] ; |
01002B03 |. 50 PUSH EAX ; |FileName = 00000100 ???
01002B04 |. E8 >CALL <rebased_.CreateFileA> ; \CreateFileA
0006F4E8 0006F5BC |FileName = "C:\WINDOWS\drm.ocx"
0006F4EC C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0006F4F0 00000001 |ShareMode = FILE_SHARE_READ
0006F4F4 00000000 |pSecurity = NULL
0006F4F8 00000003 |Mode = OPEN_EXISTING
0006F4FC 00000080 |Attributes = NORMAL
0006F500 00000000 \hTemplateFile = NULL


01002B24 |. 6A >PUSH 0 ; /pFileSizeHigh = NULL
01002B26 |. FF3>PUSH DWORD PTR DS:[ESI] ; |hFile = 00000100 (window)
01002B28 |. E8 >CALL <rebased_.GetFileSize> ; \GetFileSize

0006F4FC 00000100 |hFile = 00000100 (window)
0006F500 00000000 \pFileSizeHigh = NULL
Handles, item 63
Handle=00000100
Type=File
Refs= 2.
Access=0012019F SYNCHRONIZE|READ_CONTROL|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|READ_ATTRIBUTES|WRITE_ATTRIBUTES
Name=c:\WINDOWS\drm.ocx


01002B3D >|> \6A >PUSH 0 ; /Origin = FILE_BEGIN
01002B3F |. 6A >PUSH 0 ; |pOffsetHi = NULL
01002B41 |. 50 PUSH EAX ; |OffsetLo = 0
01002B42 |. FF3>PUSH DWORD PTR DS:[ESI] ; |hFile = 00000100 (window)
01002B44 |. E8 >CALL <rebased_.SetFilePointer> ; \SetFilePointer

0006F4F4 00000100 |hFile = 00000100 (window)
0006F4F8 00000000 |OffsetLo = 0
0006F4FC 00000000 |pOffsetHi = NULL
0006F500 00000000 \Origin = FILE_BEGIN

01002B54 |. 6A >PUSH 0 ; /pOverlapped = NULL
01002B56 |. 52 PUSH EDX ; |pBytesRead = 0006F6C0
01002B57 |. 68 >PUSH 80 ; |BytesToRead = 80 (128.)
01002B5C |. 8D9>LEA EDX, DWORD PTR DS:[ESI+14C] ; |
01002B62 |. 52 PUSH EDX ; |Buffer = 0006F6C0
01002B63 |. FF3>PUSH DWORD PTR DS:[ESI] ; |hFile = 00000100 (window)
01002B65 |. E8 >CALL <rebased_.ReadFile> ; \ReadFile

0006F4EC 00000100 |hFile = 00000100 (window)
0006F4F0 0006F6C0 |Buffer = 0006F6C0
0006F4F4 00000080 |BytesToRead = 80 (128.)
0006F4F8 0006F500 |pBytesRead = 0006F500
0006F4FC 00000000 \pOverlapped = NULL


01002A20 >|> \6A >PUSH 0 ; /pOverlapped = NULL
01002A22 |. 8D4>LEA EAX, DWORD PTR SS:[ESP+4] ; |
01002A26 |. 50 PUSH EAX ; |pBytesWritten = 00000100
01002A27 |. 56 PUSH ESI ; |nBytesToWrite = 64 (100.)
01002A28 |. 8B4>MOV EAX, DWORD PTR DS:[EBX+14] ; |
01002A2B |. 50 PUSH EAX ; |Buffer = 00000100
01002A2C |. 8B0>MOV EAX, DWORD PTR DS:[EBX] ; |
01002A2E |. 50 PUSH EAX ; |hFile = 00000100 (window)
01002A2F |. E8 >CALL <rebased_.WriteFile> ; \WriteFile
0006F4EC 00000100 |hFile = 00000100 (window)
0006F4F0 0006F6C0 |Buffer = 0006F6C0
0006F4F4 00000064 |nBytesToWrite = 64 (100.)
0006F4F8 0006F500 |pBytesWritten = 0006F500
0006F4FC 00000000 \pOverlapped = NULL

0006F6C0 5B 4F 6C 6C 79 44 62 67 20 2D 20 72 65 62 61 73 [OllyDbg - rebas
0006F6D0 65 64 5F 6D 61 6C 77 61 72 65 2E 64 6C 6C 20 2D ed_malware.dll -
0006F6E0 20 5B 43 50 55 20 2D 20 6D 61 69 6E 20 74 68 72 [CPU - main thr
0006F6F0 65 61 64 2C 20 6D 6F 64 75 6C 65 20 72 65 62 61 ead, module reba
0006F700 73 65 64 5F 5D 5D 20 33 30 20 4A 75 6C 79 20 32 sed_]] 30 July 2
0006F710 30 31 32 2C 20 31 37 3A 34 31 0D 0A 5B 46 39 5D 012, 17:41..[F9]
0006F720 0D 0A 0D 0A 00 00 00 00 00 00 00 00 00 00 00 00 ................
0006F730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................


010086EB |. E8 >CALL <rebased_.closesocket> ; \closesocket

0006F704 000000F0 \Socket = F0
Handles, item 59
Handle=000000F0
Type=File (pipe)
Refs= 2.
Access=001F01FF SYNCHRONIZE|WRITE_OWNER|WRITE_DAC|READ_CONTROL|DELETE|READ_DATA|WRITE_DATA|CREATE_PIPE_INSTANCE|READ_ATTRIBUTES|WRITE_ATTRIBUTES
Name=\Device\Afd

010085BE |. 6A >PUSH 0 ; /Protocol = IPPROTO_IP
010085C0 |. 6A >PUSH 1 ; |Type = SOCK_STREAM
010085C2 |. 6A >PUSH 2 ; |Family = AF_INET
010085C4 |. E8 >CALL <rebased_.socket> ; \socket

0006F6D0 00000002 |Family = AF_INET
0006F6D4 00000001 |Type = SOCK_STREAM
0006F6D8 00000000 \Protocol = IPPROTO_IP

01008098 |. E8 >CALL <rebased_.htons> ; \htons

0006F694 008F01BB \NetShort = 8F01BB

010082C7 |. 50 PUSH EAX ; /Events = FD_CONNECT|FD_CLOSE|FD_QOS|FD_GROUP_QOS
010082C8 |. 56 PUSH ESI ; |Msg = 401
010082C9 |. 57 PUSH EDI ; |hWnd = 001A0106 (class='TPUtilWindow')
010082CA |. 8B4>MOV EAX, DWORD PTR DS:[EBX+4] ; |
010082CD |. 50 PUSH EAX ; |Socket = F0
010082CE |. E8 >CALL <rebased_.WSAAsyncSelect> ; \WSAAsyncSelect

0006F630 000000F0 |Socket = F0
0006F634 001A0106 |hWnd = 001A0106 (class='TPUtilWindow')
0006F638 00000401 |Msg = 401
0006F63C 00000033 \Events = FD_READ|FD_WRITE|FD_CONNECT|FD_CLOSE

01008396 |. 6A >PUSH 10 ; /AddrLen = 10 (16.)
01008398 |. 8D4>LEA EAX, DWORD PTR DS:[EBX+18] ; |
0100839B |. 50 PUSH EAX ; |pSockAddr = 000000F0
0100839C |. 8B4>MOV EAX, DWORD PTR DS:[EBX+4] ; |
0100839F |. 50 PUSH EAX ; |Socket = F0
010083A0 |. E8 >CALL <rebased_.connect> ; \connect

0006F648 000000F0 |Socket = F0
0006F64C 008F018C |pSockAddr = 008F018C
0006F650 00000010 \AddrLen = 10 (16.)
0102FE36 >|> /53 /PUSH EBX ; /pMsg = WM_TIMER ID = 6C70 Callback = 102FCB8
0102FE37 |. |E8 >|CALL <rebased_.TranslateMessage> ; \TranslateMessage
0102FE3C |. |53 |PUSH EBX ; /pMsg = WM_TIMER ID = 6C70 Callback = 102FCB8
0102FE3D |. |E8 >|CALL <rebased_.DispatchMessageA> ; \DispatchMessageA
0102FE42 >|> |6A > PUSH 0 ; /MsgFilterMax = 0
0102FE44 |. |6A >|PUSH 0 ; |MsgFilterMin = 0
0102FE46 |. |6A >|PUSH 0 ; |hWnd = NULL
0102FE48 |. |53 |PUSH EBX ; |pMsg = rebased_.0103D740
0102FE49 |. |E8 >|CALL <rebased_.GetMessageA> ; \GetMessageA
0102FE4E |. |85C>|TEST EAX, EAX
0102FE50 |.^\75 >\JNZ SHORT <rebased_.loc_102FE36>
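
Added example (editor's code, not part of anyone's post in this thread): a small parser for OllyDbg stack-argument dumps like the paste above, grouping the `|`/`\` argument lines into calls and pulling out the behaviour an analyst would log (files set HIDDEN, files opened, the 16-bit port handed to htons). The sample lines are constructed to mirror the post; reading the port as the low 16 bits of the pushed dword is my inference, not something the post states.

```python
import re

# Constructed sample in the style of the OllyDbg stack dumps in the post above
SAMPLE_TRACE = r"""
0006F514 008F0254 |FileName = "C:\WINDOWS\drm.ocx"
0006F518 00000002 \FileAttributes = HIDDEN
0006F4E8 0006F5BC |FileName = "C:\WINDOWS\drm.ocx"
0006F4EC C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0006F4F8 00000003 |Mode = OPEN_EXISTING
0006F500 00000000 \hTemplateFile = NULL
0006F6D0 00000002 |Family = AF_INET
0006F6D4 00000001 |Type = SOCK_STREAM
0006F6D8 00000000 \Protocol = IPPROTO_IP
0006F694 008F01BB \NetShort = 8F01BB
0006F648 000000F0 |Socket = F0
0006F64C 008F018C |pSockAddr = 008F018C
0006F650 00000010 \AddrLen = 10 (16.)
"""

# One stack-dump line: <stack addr> <dword> <| or \><arg name> = <annotation>
ARG_RE = re.compile(r"^([0-9A-F]{8}) ([0-9A-F]{8}) ([|\\])(\w+) = (.*)$")


def parse_trace(text):
    """Group argument lines into calls: '|' continues a call, '\\' ends it."""
    calls, current = [], {}
    for line in text.splitlines():
        m = ARG_RE.match(line.strip())
        if not m:
            continue  # blank lines and disassembly lines are ignored
        _, raw, marker, name, note = m.groups()
        current[name] = (int(raw, 16), note.strip('"'))
        if marker == "\\":
            calls.append(current)
            current = {}
    return calls


def summarize(calls):
    """Collect the indicators worth recording from the parsed calls."""
    out = {"hidden_files": [], "opened_files": [], "ports": []}
    for c in calls:
        if "FileAttributes" in c and "HIDDEN" in c["FileAttributes"][1]:
            out["hidden_files"].append(c["FileName"][1])
        elif "FileName" in c:
            out["opened_files"].append(c["FileName"][1])
        if "NetShort" in c:
            # htons takes a 16-bit value; Olly shows the whole pushed dword
            out["ports"].append(c["NetShort"][0] & 0xFFFF)
    return out
```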


Sunk
July 30th, 2012, 09:06
You guys are right, it works. It's actually malware I was analyzing a while ago and gave up on because I couldn't get it working, and it has been bugging me for a while now. I just tried it again in a different lab VM and it's working fine. Not sure what the heck was wrong earlier, but thanks for the help!

Kayaker
July 30th, 2012, 11:21
<entice>

C:\WINDOWS\drm.ocx being the keylogger logfile...

</entice>