pma7-3dll Analysis

Executive Summary

Installation

This malware is a standalone executable that can be run in a variety of ways.

Behavior

This malware creates a backdoor that can receive a number of commands. It is very difficult to remove.

Persistence

This malware alters every executable on the system to import the malware.

Removal

You should probably throw away your hard drive if you run this malware. The DLL name kerne132.dll (note the digit 1 in place of the l in kernel32) is a usable signature, as is a mutex named SADFHUHF. One way to neutralize the malware is to replace kerne132.dll with something benign.

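The persistence and removal notes above imply a practical check at clean-up time: which executables on the box now import kerne132.dll? The script below is an added example, not part of the original report; it parses the PE import directory with only the Python standard library and flags any file whose import table names kerne132.dll. The function names and the directory-walk helper are my own.

```python
import struct
from pathlib import Path

MALWARE_IMPORT = b"kerne132.dll"   # import name the trojanised executables carry (from the report)

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table; None if not file-backed."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    return None

def _parse_imports(data):
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    dd = opt + (0x60 if magic == 0x10B else 0x70)        # data directories: PE32 vs PE32+
    import_rva, = struct.unpack_from("<I", data, dd + 8)  # directory entry 1 = import table
    sections = []
    for i in range(nsections):                            # 40-byte IMAGE_SECTION_HEADERs
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    names, off = [], rva_to_offset(sections, import_rva) if import_rva else None
    while off is not None:                                # walk the IMAGE_IMPORT_DESCRIPTOR array
        name_rva, = struct.unpack_from("<I", data, off + 12)
        name_off = rva_to_offset(sections, name_rva)      # Name == 0 is the array terminator
        if name_rva == 0 or name_off is None:
            break
        names.append(data[name_off:data.index(b"\0", name_off)].lower())
        off += 20
    return names

def imported_dlls(data):
    """Lowercase DLL names from the PE import directory; [] for non-PE or truncated input."""
    try:
        return _parse_imports(data)
    except (struct.error, ValueError, IndexError):
        return []

def is_infected(data):
    return MALWARE_IMPORT in imported_dlls(data)

def scan_tree(root):
    return [str(p) for p in Path(root).rglob("*")
            if p.suffix.lower() in (".exe", ".dll") and p.is_file() and is_infected(p.read_bytes())]
```

Run scan_tree against a mounted (offline) copy of the disk to list the executables that were rewritten; the import name comparison is case-insensitive because the loader treats it that way.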
File Information

Field               Data
Filename            Lab07-03.dll
File Size           163840 bytes
MD5                 290934c61de9176ad682ffdd65f0a669
SHA1                a4b35de71ca20fe776dc72d12fb2886736f43c22
SHA256              f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba
Architecture        x86
Compiler
Statically linked   False
Stripped            False

Strings

Address      String          XRefs
0x10026028   127.26.152.13   InternetStuff[16,1,large]
0x10026038   SADFHUHF        InternetStuff[16,1,large]

Imports

Address      Import           XRefs
0x10002004   CreateProcessA   InternetStuff[16,1,large]
0x10002008   CreateMutexA     InternetStuff[16,1,large]
0x1000200c   OpenMutexA       InternetStuff[16,1,large]

Important Functions

InternetStuff: undefined4 InternetStuff[16,1,large]

First this function connects to a host and port. Then it sends a "hello" to the server and waits for a response. It then calls shutdown on the socket and receives a command. The sleep command causes the malware to sleep. The exec command causes it to execute some command. The malware then loops back to wait for the next command.

Analysis

The InternetStuff function contains the following calls.

0x10001015 call fcn.10001220[1,1,leaf] fcn.10001220[1,1,leaf]
0x10001059 call dword [sym.imp.KERNEL32.dll_OpenMutexA]
0x1000106e call dword [sym.imp.KERNEL32.dll_CreateMutexA]
0x1000107e call dword [sym.imp.WS2_32.dll_WSAStartup]
0x10001092 call dword [sym.imp.WS2_32.dll_socket]
0x100010af call dword [sym.imp.WS2_32.dll_inet_addr]
0x100010bb call dword [sym.imp.WS2_32.dll_htons]
0x100010ce call dword [sym.imp.WS2_32.dll_connect]
0x10001101 call dword [sym.imp.WS2_32.dll_send]
0x10001113 call dword [sym.imp.WS2_32.dll_shutdown]
0x10001132 call dword [sym.imp.WS2_32.dll_recv]
0x1000114b call ebp
0x10001159 call dword [sym.imp.KERNEL32.dll_Sleep]
0x10001170 call ebp
0x100011af call ebx