This program is packed using UPX and can be easily unpacked.
- Lab01-02.exe – https://virustotal.com/en/file/8bcbe24949951d8aae6018b87b5ca799efe47aeb623e6e5d3665814c6d59aeae/analysis/
At the start we see a call to “StartServiceCtrlDispatcher”, which is used to implement a service; the service control manager will call the service entry point provided. Here I have labeled the service entry point “ServiceMain”. The name of the service created is “Malservice”.
The “StartServiceCtrlDispatcher” API takes a pointer to an array of “SERVICE_TABLE_ENTRY” structures.
BOOL WINAPI StartServiceCtrlDispatcher( _In_ const SERVICE_TABLE_ENTRY *lpServiceTable );
The “SERVICE_TABLE_ENTRY” structure looks something like this. “lpServiceName” contains the name of the service and “lpServiceProc” contains the pointer to the service entry point.
The pseudo code of the main function of this malware would look something like this.
int _tmain(int argc, TCHAR *argv[])
{
    // one entry per service hosted by this process, terminated by {NULL, NULL}
    SERVICE_TABLE_ENTRY ServiceTable[] = {
        { L"Malservice", (LPSERVICE_MAIN_FUNCTION) ServiceMain },
        { NULL, NULL }
    };
    StartServiceCtrlDispatcher(ServiceTable);   // SCM calls ServiceMain
    return 0;
}
In the service entry point we see API calls to “OpenMutex” and “CreateMutex”. This is to make sure only one instance is running. The snippet first tries to open a mutex named “HGL345”; if “OpenMutex” succeeds (the mutex already exists) the program exits, otherwise it creates the mutex.
if (OpenMutex(MUTEX_ALL_ACCESS, NULL, L"HGL345"))
    ExitProcess(0);                          // another instance already holds the mutex
CreateMutex(NULL, FALSE, L"HGL345");         // first instance: claim the mutex
Next the malware calls the “OpenSCManager” API, which opens a handle to the service control manager and allows it to add or modify services. We can see the malware uses the “CreateService” API to create a new service named “Malservice”. The “GetModuleFileName” API is used to get the path of the malware itself, which is passed as the “lpBinaryPathName” parameter.
Furthermore we can see “dwServiceType” is “SERVICE_WIN32_OWN_PROCESS” and “dwStartType” is “SERVICE_AUTO_START”. This service will run in its own process and will be started automatically by the service control manager during system startup.
The pseudo code will look something like this.
TCHAR lpszBinaryPathName[1000];
LPCTSTR lpszServiceName = TEXT("Malservice");
// path of the running executable becomes the service binary
GetModuleFileName(NULL, lpszBinaryPathName, sizeof lpszBinaryPathName / sizeof lpszBinaryPathName[0]);
SC_HANDLE schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
CreateService(
    schSCManager,                 // SCManager database
    lpszServiceName,              // name of service
    lpszServiceName,              // lpszDisplayName: service name to display
    SC_MANAGER_CREATE_SERVICE,    // desired access
    SERVICE_WIN32_OWN_PROCESS,    // service type
    SERVICE_AUTO_START,           // start type
    SERVICE_ERROR_IGNORE,         // error control type
    lpszBinaryPathName,           // service's binary
    NULL,                         // no load ordering group
    NULL,                         // no tag identifier
    NULL,                         // no dependencies
    NULL,                         // LocalSystem account
    NULL                          // no password
);
In the above disassembly we can see lots of code dealing with system time. We see an API call to “SystemTimeToFileTime”, which converts a SYSTEMTIME to a FILETIME (see MSDN for details). We can see the structures “SystemTime” and “FileTime”. They look something like this.
At the start we see edx being zeroed out, and the “SystemTime” structure's fields are initialized with 0 except the “wYear” field.
.text:004010BC xor edx, edx
“SystemTime.wYear” will contain the value 2100 (834h).
.text:004010D8 mov [esp+40Ch+SystemTime.wYear], 834h
This malware uses midnight of January 1st 2100.
We can see API calls to “CreateWaitableTimer”, “SetWaitableTimer” and “WaitForSingleObject”.
The pseudo code will look something like this.
HANDLE hTimer = CreateWaitableTimer(NULL, TRUE, NULL);                      // manual-reset timer
SetWaitableTimer(hTimer, (LARGE_INTEGER *) &FileTime, 0, NULL, NULL, 0);   // absolute due time, no period
if (WaitForSingleObject(hTimer, INFINITE) != WAIT_OBJECT_0) {
    // wait failed: nothing more happens
} else {
    // timer fired at the due time: continue to the payload
}
With these API calls the malware waits until midnight of January 1st 2100. On that day it creates 20 threads, each calling the function at “00401150”, which I have renamed “DoS”.
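To verify the date those constants encode, here is an added Python example (not part of the original post or the lab binary) that models SystemTimeToFileTime for the SYSTEMTIME the malware builds (wYear = 834h, the zeroed fields read as 1 January 00:00:00 as above) and shows how long a SetWaitableTimer armed with that FILETIME would wait from a given clock; the function names are my own.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1 January 1601 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def systemtime_to_filetime(wYear, wMonth=1, wDay=1, wHour=0,
                           wMinute=0, wSecond=0, wMilliseconds=0):
    """Model of SystemTimeToFileTime(): SYSTEMTIME fields -> 64-bit FILETIME.

    Hypothetical helper, not the Win32 API; the defaults stand in for the
    zeroed fields in the disassembly, read as 1 January 00:00:00.000.
    """
    when = datetime(wYear, wMonth, wDay, wHour, wMinute, wSecond,
                    wMilliseconds * 1000, tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)


def filetime_to_datetime(ft):
    """Inverse conversion, used to read a FILETIME back as a UTC date."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_dwords(ft):
    """(dwLowDateTime, dwHighDateTime) as laid out in the FILETIME struct."""
    return ft & 0xFFFFFFFF, (ft >> 32) & 0xFFFFFFFF


def seconds_until_fire(ft, now):
    """Delay a SetWaitableTimer armed with a positive (absolute) due time
    imposes when the system clock reads `now`.  A due time already in the
    past fires immediately, so on an analysis machine whose clock is set
    past the trigger date the payload runs at once."""
    return max(0.0, (filetime_to_datetime(ft) - now).total_seconds())


if __name__ == "__main__":
    trigger = systemtime_to_filetime(0x834)        # wYear = 834h from the disassembly
    print("wYear 834h =", 0x834)                   # 2100
    print("FILETIME   =", trigger, filetime_dwords(trigger))
    print("fires at   =", filetime_to_datetime(trigger).isoformat())
    clock = datetime(2099, 12, 31, 23, 59, tzinfo=timezone.utc)   # constructed sample clock
    print("delay from", clock.isoformat(), "=", seconds_until_fire(trigger, clock), "s")
```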
.text:0040111B mov esi, 14h
The loop counter is stored in esi and is 20 (14h).
If we check this function at “00401150” we can see it uses “InternetOpenUrl” to download the index page of “http://www.malwareanalysisbook.com”. The function calls “InternetOpenUrl” in an infinite loop, repeatedly downloading the page, which results in a DoS attack.
00401180 .^\EB EB JMP SHORT Lab01-02.0040116D
After infection we can see the installed service. Notice the constants we saw earlier in the “CreateService” API call.
We can also check the registry for the newly installed malicious service.
HKLM\SYSTEM\CurrentControlSet\Services\
In conclusion, this malware installs a malicious service, waits until midnight of 1st of January 2100, and then performs a DoS attack against “http://www.malwareanalysisbook.com” by creating 20 threads, each of which loops infinitely.