I felt bored and thought of having a look at this exe. These are my rough notes on this one.
Every 5 seconds the function ‘401851’ is called.
Basically, this malware takes screenshots and encrypts them and stores them in the current directory starting with “temp%08x” % GetTickCount().
I found this post by Alex Ionescu pretty interesting. I recreated the poc and wrote position independent shellcode. It’s more like executing shellcode directly by the windows loader.
One could develop complete malware by dynamically locating the base address of kernel32.dll and once you locate the functions LoadLibraryA and GetProcAddress, you can load any library in the system and find the exported symbols, in which you have complete access to the win32 API.
You don’t need to specifically write position independent code using assembly. You can directly code in C/C++ and extract the opcodes.
For example using the ‘InMemoryOrderModuleList’ LDR_DATA_TABLE_ENTRY located in the PEB->LDR we can get the base address of kernel32.dll. Usually kernel32.dll can be found in the third LDR_MODULE in the double linked list. If you have done shellcoding under Windows these things should be familiar.
This program is packed using UPX and can be easily unpacked.
At the start we see a call to ‘StartServiceCtrlDispatcher’ which is used to implement a service and the service control manager will call the service entry point provided. In here I have labeled the service entry point as ‘ServiceMain’. The name of the service created would be ‘Malservice’.
In my leisure time I like reading the book Practical Malware Analysis and I thought of sharing my analysis in the practical sections. You can find detailed answers in the book as well.
If we have a look at the “Lab01-01.dll” file’s imports we can see that it uses network functions from “ws2_32.dll”. We can suspect that this file is responsible for network communications to the attacker.
But if we have a look at the exports section we see nothing, which is strange.
I haven’t done any malware analysis before and this would be my first post related to malware. I’m really interested but still quite a lot of things to learn 🙂 so I thought of starting off somewhere and this is the analysis of the ransomware named “Satana” by me. Obviously I hope you know who is Satan 👿
As soon as you run this the main executable will be deleted and a new sample will be created inside the %temp% folder.
The following is the disassembly corresponding to this event.