Executive Summary
Installation
This malware is a standalone executable that can be run in a variety of ways.
Behavior
This malware creates a backdoor that can recieve a number of commands. It is very difficult to remove.
Persistence
This malware alters every executable on the system to import the malware.
Removal
You should probably throw away your hard drive if you run this malware. There is the signature kerne132.dll. There is also a mutex named SADFHUHF. One way to neutralize the malware is to replace kerne132.dll with something benign.
File Information
| Field | Data |
|---|---|
| Filename | Lab07-03.dll |
| File Size | 163840 bytes |
| MD5 | 290934c61de9176ad682ffdd65f0a669 |
| SHA1 | a4b35de71ca20fe776dc72d12fb2886736f43c22 |
| SHA256 | f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba |
| Architecture | x86 |
| Compiler | |
| Statically linked | False |
| Stripped | False |
Strings
| Address | String | XRefs |
|---|---|---|
| 0x10026028 | 127.26.152.13 | InternetStuff[16,1,large] |
| 0x10026038 | SADFHUHF | InternetStuff[16,1,large] |
Imports
| Address | Import | XRefs |
|---|---|---|
| 0x10002004 | CreateProcessA | InternetStuff[16,1,large] |
| 0x10002008 | CreateMutexA | InternetStuff[16,1,large] |
| 0x1000200c | OpenMutexA | InternetStuff[16,1,large] |
Important Functions
InternetStuff: undefined4 InternetStuff16,1,large
First this function connects to a host and port. Then it sends a "hello" to the server and waits for a response. It then disables the socket and gets a command. The sleep command causes the malware to sleep. The exec command causes it to execute some command. The malware then loops.
Analysis
The internet open function contains the following calls.
0x10001015 call fcn.10001220[1,1,leaf] fcn.10001220[1,1,leaf]
0x10001059 call dword [sym.imp.KERNEL32.dll_OpenMutexA]
0x1000106e call dword [sym.imp.KERNEL32.dll_CreateMutexA]
0x1000107e call dword [sym.imp.WS2_32.dll_WSAStartup]
0x10001092 call dword [sym.imp.WS2_32.dll_socket]
0x100010af call dword [sym.imp.WS2_32.dll_inet_addr]
0x100010bb call dword [sym.imp.WS2_32.dll_htons]
0x100010ce call dword [sym.imp.WS2_32.dll_connect]
0x10001101 call dword [sym.imp.WS2_32.dll_send]
0x10001113 call dword [sym.imp.WS2_32.dll_shutdown]
0x10001132 call dword [sym.imp.WS2_32.dll_recv]
0x1000114b call ebp
0x10001159 call dword [sym.imp.KERNEL32.dll_Sleep]
0x10001170 call ebp
0x100011af call ebx