Nice, we see references to ReadFile and CryptDecrypt. This looks like the specimen is trying to read some file and also call a Windows decryption function. If you recall, we saw an encrypted version of a .tmp file earlier.

To see if our understanding is correct, let's look at the ReadFile references. Below is the ReadFile reference in the code. We need to look at what ReadFile is reading, so we place a breakpoint at this statement.

After placing the breakpoint, we ran the sample; below are the contents of the stack. As per the Microsoft ReadFile documentation, hFile is "A handle to the device (for example, a file, file stream, physical disk, volume, console buffer, tape drive, socket, communications resource, mailslot, or pipe)." This means the first argument on the stack is a handle, in our case to a file. Let's look at the handles and see what this handle resolves to:

Bingo, this is what we were expecting: it reads the .tmp file. The .tmp file is encrypted, and thus we do not know what the malware is doing in the underlying system. Remember we have seen a call to CryptDecrypt, which might reveal the content of this .tmp file.

Find the CryptDecrypt function (the easy way is to go to the Names window, look for its references and then follow them in the disassembler). Below is the CryptDecrypt call. We need to see what this function returns, so we place the breakpoint on the instruction right after the CryptDecrypt call, where the code checks the value in eax and makes the respective jump. Why eax? Because eax holds the return value of the function, and as per the CryptDecrypt documentation, if the function succeeds it returns a non-zero value, which is exactly our case. CryptDecrypt also decrypts in place, so at this breakpoint the pbData buffer that was passed to it already holds the plaintext. Looking at the stack at this point, we find the following ASCII text.

Remember ads.php? Yeah, it was the URL the specimen was trying to request through a GET. These are indeed the contents of the .tmp file. However, since our web server does not host any ads.php, the specimen was not able to complete the action or receive any command back from the server.

We will get around this, but first we need to decode the request from the specimen, which we saw earlier is encrypted. In the above URL, we see a parameter encode=5b, which might be the key the author is using to obfuscate the contents. It is common to find the author using a one-byte key in algorithms like XOR, ROT, ROR, etc.
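As an added example (not the specimen's or the blog's own code), the Python script below tries the three one-byte schemes named above against a blob, first with 0x5b as the hinted key and then by brute force over every key, ranking candidates by how much printable ASCII they yield and by whether a string we already know from the traffic (ads.php, HTTP/) appears. Here ROT is taken to mean byte-wise addition and ROR a per-byte rotate-right; both are assumptions about the encoder. The sample ciphertext is constructed inside the script by XORing a made-up request line with 0x5b so it runs offline; the host name and query values are not observed data.

```python
"""One-byte XOR / ROT / ROR decoder with key brute force.

Added example, not code from the specimen or the post.  SAMPLE_PT/SAMPLE_CT are
constructed here (a made-up ads.php request XORed with 0x5b), not captured traffic.
"""
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))
# Strings we expect to see in a correct decode, taken from the traffic seen earlier.
MARKERS = (b"ads.php", b"HTTP/")


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with the one-byte key (encoding and decoding are identical)."""
    return bytes(b ^ key for b in data)


def rot_decode(data: bytes, key: int) -> bytes:
    """Undo a byte-wise 'ROT' (assumed: encoder added `key` mod 256) by subtracting."""
    return bytes((b - key) & 0xFF for b in data)


def ror_decode(data: bytes, key: int) -> bytes:
    """Undo a per-byte rotate-right by `key` bits (only key % 8 matters) with a rotate-left."""
    n = key % 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


SCHEMES = {"xor": xor_decode, "rot": rot_decode, "ror": ror_decode}


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; a URL or config decode should give 1.0."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def decode(data: bytes, scheme: str, key: int) -> bytes:
    """Decode with one named scheme and key, e.g. decode(blob, "xor", 0x5B)."""
    return SCHEMES[scheme](data, key)


def rank_candidates(data: bytes, top: int = 5):
    """Brute-force every scheme/key; rank by (printable ratio, known-marker hit).

    A high printable ratio alone is weak evidence, since several keys can tie at
    1.0 on short text, so a marker hit is used as the tie-breaker.
    Returns tuples of (scheme, key, ratio, marker_hit, plaintext).
    """
    results = []
    for name, fn in SCHEMES.items():
        for key in (range(8) if name == "ror" else range(256)):
            pt = fn(data, key)
            hit = any(m in pt for m in MARKERS)
            results.append((name, key, printable_ratio(pt), hit, pt))
    results.sort(key=lambda r: (r[2], r[3]), reverse=True)
    return results[:top]


# Constructed sample, NOT captured traffic: host and query values are made up.
SAMPLE_PT = b"GET /ads.php?encode=5b HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
SAMPLE_CT = xor_decode(SAMPLE_PT, 0x5B)

if __name__ == "__main__":
    # First try the key hinted by the encode= parameter, then fall back to brute force.
    print("xor 0x5b ->", decode(SAMPLE_CT, "xor", 0x5B))
    for scheme, key, ratio, hit, pt in rank_candidates(SAMPLE_CT):
        print(f"{scheme:3} key=0x{key:02x} printable={ratio:.2f} marker={hit} {pt[:40]!r}")
```

Feed the real blob (the encoded query string, or the buffer handed to CryptDecrypt) into `rank_candidates` in place of `SAMPLE_CT`; if `encode=5b` really is the key, the `xor`/`rot`/`ror` row for key 0x5b should land at the top with a marker hit, and a 1.0 printable ratio without a marker hit is a reason to keep looking rather than a confirmation.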