pma7-3exe Analysis

Executive Summary

Installation

This malware is a standalone executable that can be run in a variety of ways.

Behavior

This malware creates a backdoor that can receive a number of commands. It is very difficult to remove.

Persistence

This malware alters every executable on the system to import the malware.

Removal

You should probably throw away your hard drive if you run this malware. The file kerne132.dll (a look-alike of the legitimate kernel32.dll, with a digit 1 in place of the letter l) is a signature of the infection, as is a mutex named SADFHUHF. One way to neutralize the malware is to replace kerne132.dll with something benign.
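Because the persistence mechanism described above rewrites the import table of other executables to pull in the look-alike DLL, a practical triage check is to parse each PE file's import directory and flag DLL names that differ from a system DLL only by a digit-for-letter substitution. The script below is an added example and is not part of the original report: parse_imports walks the import descriptors by hand (no third-party PE library), looks_like_homoglyph does the name comparison, and build_test_pe constructs a minimal PE32 with only an import section so the scanner can be exercised offline. The LEGIT_DLLS list and all DLL names passed to build_test_pe are constructed sample values.

```python
import os
import struct
import sys

# Well-known system DLLs that a look-alike import name would try to imitate.
# Constructed list for this example; extend as needed.
LEGIT_DLLS = ("kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll")


def normalize(name: str) -> str:
    """Fold case and the common digit-for-letter substitutions (1 -> l, 0 -> o)."""
    return name.lower().replace("1", "l").replace("0", "o")


def looks_like_homoglyph(name: str) -> bool:
    """True if name is not a legitimate DLL name but folds to one (e.g. kerne132.dll)."""
    low = name.lower()
    return low not in LEGIT_DLLS and normalize(low) in {normalize(d) for d in LEGIT_DLLS}


def parse_imports(data: bytes) -> list:
    """Walk the PE import directory and return the imported DLL names in order."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = 96 if magic == 0x10B else 112          # data directories: PE32 vs PE32+
    imp_rva = struct.unpack_from("<I", data, opt + dd_base + 8)[0]  # directory entry 1 = imports
    if imp_rva == 0:
        return []
    # Section table is needed to translate RVAs into file offsets.
    sections = []
    sec = opt + opt_size
    for _ in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
        sec += 40

    def rva_to_offset(rva: int) -> int:
        for va, size, ptr in sections:
            if va <= rva < va + size:
                return rva - va + ptr
        raise ValueError("RVA 0x%x not in any section" % rva)

    names = []
    off = rva_to_offset(imp_rva)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        name_rva = struct.unpack_from("<IIIII", data, off)[3]
        if name_rva == 0:                            # all-zero descriptor terminates the table
            break
        noff = rva_to_offset(name_rva)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii", "replace"))
        off += 20
    return names


def find_homoglyph_imports(data: bytes) -> list:
    """Imported DLL names in this PE that look like a disguised system DLL."""
    return [n for n in parse_imports(data) if looks_like_homoglyph(n)]


def build_test_pe(dll_names) -> bytes:
    """Constructed minimal PE32 (headers plus one .idata section) for offline testing only."""
    sect_rva, sect_off, desc = 0x1000, 0x200, 20
    table_size = desc * (len(dll_names) + 1)         # descriptors plus null terminator
    strings, name_rvas = bytearray(), []
    for n in dll_names:
        name_rvas.append(sect_rva + table_size + len(strings))
        strings += n.encode("ascii") + b"\0"
    body = bytearray()
    for rva in name_rvas:
        body += struct.pack("<IIIII", 0, 0, 0, rva, 0)
    body += b"\0" * desc + strings
    body += b"\0" * (-len(body) % 0x200)             # pad section to file alignment
    hdr = bytearray(sect_off)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, 224-byte optional header, EXECUTABLE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)          # PE32 magic
    struct.pack_into("<II", hdr, opt + 96 + 8, sect_rva, table_size)  # import directory entry
    sec = opt + 224
    hdr[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(body), sect_rva, len(body), sect_off)
    return bytes(hdr + body)


if __name__ == "__main__":
    # Usage: python scan_imports.py <directory>; walks .exe/.dll files and reports look-alike imports
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith((".exe", ".dll")):
                continue
            path = os.path.join(dirpath, f)
            try:
                with open(path, "rb") as fh:
                    hits = find_homoglyph_imports(fh.read())
            except (ValueError, OSError, struct.error) as e:
                print("skip %s: %s" % (path, e))
                continue
            if hits:
                print("SUSPICIOUS %s imports %s" % (path, ", ".join(hits)))
```

This checks only what is recorded in the file's import directory; the mutex named in the report is a runtime artifact and would be looked for on a live system, not in the binary. Patched executables that import the look-alike DLL by a path string elsewhere in the file (as the strings table for this sample shows) would need a separate raw-string check.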


File Information

Field              Data
Filename           Lab07-03.exe
File Size          16384 bytes
MD5                bd62dab79881bc6ec0f6be4eef1075bc
SHA1               c2f24c592d0a8e0e6bcaff8710ac6cde7819d151
SHA256             3475ce2e4aaa555e5bbd0338641dd411c51615437a854c2cb24b4ca2c048791a
Architecture       x86
Compiler
Statically linked  False
Stripped           False

Strings

Address   String                                  XRefs
0x40304c  C:\windows\system32\kerne132.dll        main
0x403070  Kernel32.                               main
0x40307c  Lab07-03.dll                            main
0x40308c  C:\Windows\System32\Kernel32.dll        main
0x4030b0  WARNING_THIS_WILL_DESTROY_YOUR_MACHINE  main

Imports

Address   Import         XRefs
0x40200c  MapViewOfFile  CreateFile[10,1,large], main
0x402014  CreateFileA    CreateFile[10,1,large], main
0x402024  CopyFileA      main

Important Functions


Analysis

The main function contains the following calls.

0x004014ac call edi
0x004014c3 call ebx
0x004014d4 call ebp
0x004014f0 call edi
0x004014fd call dword [sym.imp.MSVCRT.dll_exit]
0x0040150c call ebx
0x00401515 call dword [sym.imp.MSVCRT.dll_exit]
0x00401525 call ebp
0x00401532 call dword [sym.imp.MSVCRT.dll_exit]
0x00401547 call call_section..text fcn.00401040
0x0040155d call call_section..text fcn.00401040
0x0040156e call call_section..text fcn.00401040
0x00401581 call call_section..text fcn.00401040
0x00401597 call call_section..text fcn.00401040
0x004015b0 call fcn.00401070[2,1] fcn.00401070[2,1]
0x004016c1 call call_section..text fcn.00401040