Quick analysis note about DealPly (Adware)

m4n0w4r, published in tradahacking, May 11, 2021 (13 min read)

Overview

Some information about DealPly can be found here:

The post focuses on the following main sections:

  • Unpack the wrapper/loader to get the main DLL payload.
  • Decrypt the C2 URL and the strings used in the malware code.

Sample:

SHA-256: 40584f79d109a18b1c4ea7e75a945324978652b6afcc9efbe62241717f0b4685

Unpacking wrapper/loader to get main DLL payload

Most DealPly loaders are written in Delphi. When run without parameters, the loader only shows a form:

When executed with parameters, it unpacks a DLL into allocated memory. This DLL is mainly responsible for connecting to and interacting with the C2. To unpack it, set a breakpoint on VirtualAlloc, run the program and follow each allocated memory region. Keep watching until the loader writes a new PE (a DLL) into one of them; note that the loader has wiped the relevant fields of the DOS_HEADER and NT_HEADERS of that PE:

Dump the region and repair the DOS_HEADER and NT_HEADERS to obtain the correct main DLL:
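Repairing the dumped headers by hand in a hex editor works, but it is easy to get wrong. The Python below is an added example, not the post's own tooling. It assumes the loader zeroed only e_magic, e_lfanew and the PE signature (the FileHeader, OptionalHeader and section table survive in the dump) and that you read e_lfanew off the hex view yourself; the dump it builds for demonstration is constructed, not DealPly's. It also rebases the section table from disk offsets to RVAs, because a region dumped out of VirtualAlloc memory is laid out by RVA while the section table still carries the on-disk PointerToRawData values.

```python
"""Repair the DOS/NT header fields a loader wiped from an in-memory DLL dump.
Added example, not the post's script. Assumptions: 32-bit PE; the loader only
zeroed e_magic, e_lfanew and the PE signature (FileHeader, OptionalHeader and
the section table are intact); the analyst reads e_lfanew off the hex view."""
import struct

DOS_MAGIC = 0x5A4D       # "MZ"
NT_SIG = 0x00004550      # "PE\0\0"
OPT32_MAGIC = 0x10B
MACHINE_I386 = 0x14C
FILE_DLL = 0x2000
SEC_HDR_SIZE = 40


def repair_headers(dump: bytes, e_lfanew: int, from_memory: bool = True) -> bytes:
    """Write back e_magic, e_lfanew and the PE signature. With from_memory=True
    also set each section's SizeOfRawData/PointerToRawData to its VirtualSize/RVA,
    because a region dumped from VirtualAlloc memory is laid out by RVA, not by
    the on-disk raw offsets still recorded in the section table."""
    buf = bytearray(dump)
    if len(buf) < e_lfanew + 24:
        raise ValueError("dump shorter than NT headers at the given e_lfanew")
    struct.pack_into("<H", buf, 0, DOS_MAGIC)
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    struct.pack_into("<I", buf, e_lfanew, NT_SIG)
    if from_memory:
        nsec = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
        for i in range(nsec):
            off = e_lfanew + 24 + opt_size + i * SEC_HDR_SIZE
            vsize, va = struct.unpack_from("<II", buf, off + 8)   # VirtualSize, VirtualAddress
            struct.pack_into("<II", buf, off + 16, vsize, va)     # SizeOfRawData, PointerToRawData
    return bytes(buf)


def sanity_check(pe: bytes) -> dict:
    """Parse the repaired headers and report whether they look like a PE32 DLL
    whose sections all fit inside the buffer (what IDA needs to load it)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    machine, nsec = struct.unpack_from("<HH", pe, e_lfanew + 4)
    opt_size, chars = struct.unpack_from("<HH", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    opt_magic = struct.unpack_from("<H", pe, opt)[0]
    entry = struct.unpack_from("<I", pe, opt + 16)[0]            # AddressOfEntryPoint
    names, raw_ptrs, in_bounds = [], [], True
    for i in range(nsec):
        off = opt + opt_size + i * SEC_HDR_SIZE
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        names.append(name.rstrip(b"\0").decode("latin-1"))
        raw_ptrs.append(rptr)
        in_bounds = in_bounds and rptr + rsize <= len(pe)
    sig_ok = (struct.unpack_from("<H", pe, 0)[0] == DOS_MAGIC
              and struct.unpack_from("<I", pe, e_lfanew)[0] == NT_SIG)
    return {"signatures_ok": sig_ok, "is_dll": bool(chars & FILE_DLL),
            "pe32": opt_magic == OPT32_MAGIC and machine == MACHINE_I386,
            "entry_point": entry, "sections": names, "raw_ptrs": raw_ptrs,
            "sections_in_bounds": in_bounds}


def build_wiped_dump():
    """Constructed test input (not a real DealPly dump): a minimal PE32 DLL image
    mapped as in memory, then with the same three fields zeroed that the loader
    destroys, so repair_headers() has something realistic to fix."""
    e_lfanew, opt_size, image_size = 0x80, 0xE0, 0x3000
    # (name, RVA, size, on-disk raw offset) - raw offsets deliberately differ from RVAs
    sections = [(b".text", 0x1000, 0x200, 0x400), (b".data", 0x2000, 0x100, 0x600)]
    img = bytearray(image_size)
    struct.pack_into("<H", img, 0, DOS_MAGIC)
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    struct.pack_into("<I", img, e_lfanew, NT_SIG)
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, MACHINE_I386, len(sections),
                     0, 0, 0, opt_size, FILE_DLL | 0x2)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, OPT32_MAGIC)
    struct.pack_into("<I", img, opt + 16, 0x1010)               # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x10000000)           # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, image_size, 0x400)   # SizeOfImage, SizeOfHeaders
    for i, (name, va, size, disk_off) in enumerate(sections):
        off = opt + opt_size + i * SEC_HDR_SIZE
        struct.pack_into("<8sIIII", img, off, name, size, va, size, disk_off)
        img[va:va + size] = b"\x90" * size                      # section body at its RVA
    for off, fmt in ((0, "<H"), (0x3C, "<I"), (e_lfanew, "<I")):
        struct.pack_into(fmt, img, off, 0)                      # what the loader wipes
    return bytes(img), e_lfanew


if __name__ == "__main__":
    dump, lfanew = build_wiped_dump()
    print(sanity_check(repair_headers(dump, lfanew)))
```

If the loader has destroyed more than the signature fields, the sizes and section count have to be rebuilt from the surviving section table and the entry point by hand; the sanity_check() result tells you whether the repaired file is something IDA will accept.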

Analysis of DLL payload

Decrypt C2Url

Load the dumped DLL into IDA and go to the code of the Run function. It calls f_main_proc, which accepts the passed parameters; the third parameter is the encoded C2.

Diving into the code of f_main_proc, we find the function responsible for decoding the malware's C2:

The code at f_tranform_c2Url recalculates the bytes of enC2Url:

After the transform completes, f_decrypt_c2Url is called to decode the C2. In essence, f_decrypt_c2Url performs an XOR decryption, where xor_key is computed from the last 2 bytes of the transformed enC2Url:

With the above information and pseudo-code, I rewrote the C2 decoding routine in Python as follows:

Execute the script and check the result: this sample connects to buluw[.]com:

Decrypt strings

All strings used by the malware are encrypted and only decrypted when needed. Analysis of the code finds the function responsible for decoding:

The code at this function is as follows:

As the picture shows, f_decrypt_string takes as its argument the address holding the pointer to the encrypted string (e.g. off_41C174). The function that performs the decryption is f_decrypt_str, which takes an additional parameter g_calc_tbl, a 256-element table used in the calculation. The code of f_decrypt_str looks like this:

Based on the pseudo-code analyzed above, I rewrote an IDAPython script that decodes all the strings:

Executing the above script:

All the strings are decrypted:

org_addr: 0x405529, decrypted string: IPHLPAPI.dll
org_addr: 0x40555f, decrypted string: GetIfTable
org_addr: 0x40558e, decrypted string: GetAdaptersInfo
org_addr: 0x4055bd, decrypted string: GetNetworkParams
org_addr: 0x4059a1, decrypted string: 00155D
org_addr: 0x4059c7, decrypted string: 0003FF
org_addr: 0x4059ed, decrypted string: 0050F2
org_addr: 0x405a13, decrypted string: 000D3A
org_addr: 0x405a38, decrypted string: AZR
org_addr: 0x405a51, decrypted string: 123139
org_addr: 0x405a77, decrypted string: 22000A
org_addr: 0x405a9c, decrypted string: AMZ
org_addr: 0x405ab5, decrypted string: 000C29
org_addr: 0x405adb, decrypted string: 000569
org_addr: 0x405b01, decrypted string: 001C14
org_addr: 0x405b27, decrypted string: 005056
org_addr: 0x405b4c, decrypted string: VMW
org_addr: 0x405b65, decrypted string: 001C42
org_addr: 0x405b8a, decrypted string: PRL
org_addr: 0x405ba3, decrypted string: 00163E
org_addr: 0x405bc8, decrypted string: XEN
org_addr: 0x405be1, decrypted string: 080027
org_addr: 0x405c0c, decrypted string: VBX
org_addr: 0x405cbd, decrypted string: VMW
org_addr: 0x405ce2, decrypted string: XEN
org_addr: 0x405d80, decrypted string: 00059A3C7800
org_addr: 0x405da4, decrypted string: 000000
org_addr: 0x405dc1, decrypted string: 000000
org_addr: 0x405de6, decrypted string: 005345000000
org_addr: 0x405e0a, decrypted string: 00F1D000F1D0
org_addr: 0x405e2e, decrypted string: 00A0C6000000
org_addr: 0x405e52, decrypted string: 000000000010
org_addr: 0x405e76, decrypted string: 000000000030
org_addr: 0x405e9a, decrypted string: 028037EC0200
org_addr: 0x405ebe, decrypted string: FFFFFFF
org_addr: 0x405edb, decrypted string: FFFFF
org_addr: 0x406355, decrypted string: ldr1
org_addr: 0x406398, decrypted string: ldr2
org_addr: 0x406444, decrypted string: ShellExecuteA
org_addr: 0x406461, decrypted string: shell32.dll
org_addr: 0x4064d4, decrypted string: ShellExecuteExA
org_addr: 0x4064f1, decrypted string: shell32.dll
org_addr: 0x4069c6, decrypted string: wininet.dll
org_addr: 0x4069fa, decrypted string: http://
org_addr: 0x406a20, decrypted string: https://
org_addr: 0x406a46, decrypted string: InternetOpenA
org_addr: 0x406a72, decrypted string: InternetConnectA
org_addr: 0x406a9e, decrypted string: HttpOpenRequestA
org_addr: 0x406aca, decrypted string: HttpAddRequestHeadersA
org_addr: 0x406af6, decrypted string: HttpSendRequestA
org_addr: 0x406b22, decrypted string: HttpQueryInfoA
org_addr: 0x406b4e, decrypted string: InternetReadFile
org_addr: 0x406b7a, decrypted string: InternetCloseHandle
org_addr: 0x407369, decrypted string: POST
org_addr: 0x4073a0, decrypted string: GET
org_addr: 0x4074bb, decrypted string: Host:
org_addr: 0x4074f8, decrypted string: Accept: */*
org_addr: 0x407575, decrypted string: Host:
org_addr: 0x4075ca, decrypted string: Accept:
org_addr: 0x409145, decrypted string: kernel32.dll
org_addr: 0x40916e, decrypted string: VirtualAlloc
org_addr: 0x409235, decrypted string: $SIG
org_addr: 0x409495, decrypted string: kernel32.dll
org_addr: 0x4094be, decrypted string: VirtualAlloc
org_addr: 0x409585, decrypted string: $SIG
org_addr: 0x409700, decrypted string: Run
org_addr: 0x409947, decrypted string: RunEX
org_addr: 0x409982, decrypted string: https://
org_addr: 0x40999d, decrypted string: http://
org_addr: 0x4099fe, decrypted string: Run
org_addr: 0x409af4, decrypted string: $UpdateSRV
org_addr: 0x409b21, decrypted string: $UpdateLTR
org_addr: 0x409c53, decrypted string: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
org_addr: 0x409c73, decrypted string: Hidden
org_addr: 0x409cd0, decrypted string: HideFileExt
org_addr: 0x409d2a, decrypted string: ShowSuperHidden
org_addr: 0x409e5c, decrypted string: CD_UIDC
org_addr: 0x409e80, decrypted string: CD_ins_guid
org_addr: 0x409ea4, decrypted string: CD_host_guid
org_addr: 0x409ec8, decrypted string: CD_iv
org_addr: 0x409eec, decrypted string: CD_aflt
org_addr: 0x409f16, decrypted string: a
org_addr: 0x409f40, decrypted string: aflt
org_addr: 0x409f64, decrypted string: uidp
org_addr: 0x409f88, decrypted string: IDT
org_addr: 0x409fbd, decrypted string: UID=
org_addr: 0x409ff3, decrypted string: &UID2=
org_addr: 0x40a02c, decrypted string: &UIDC=
org_addr: 0x40a067, decrypted string: &mguid=
org_addr: 0x40a0b0, decrypted string: &uidp=
org_addr: 0x40a0eb, decrypted string: &AppName=
org_addr: 0x40a116, decrypted string: &State=
org_addr: 0x40a151, decrypted string: &ins_guid=
org_addr: 0x40a17c, decrypted string: &host_guid=
org_addr: 0x40a1b7, decrypted string: &iv=
org_addr: 0x40a1e2, decrypted string: &aflt=
org_addr: 0x40a21d, decrypted string: &IDT=
org_addr: 0x40a248, decrypted string: &IRTYP=
org_addr: 0x40a286, decrypted string: &IRVER=
org_addr: 0x40a2c3, decrypted string: &OS=
org_addr: 0x40a308, decrypted string: &SV=
org_addr: 0x40a359, decrypted string: &lptp=1
org_addr: 0x40a38b, decrypted string: &lptp=0
org_addr: 0x40a3c1, decrypted string: &btry=1
org_addr: 0x40a3f3, decrypted string: &btry=0
org_addr: 0x40a426, decrypted string: &VMC=
org_addr: 0x40a46f, decrypted string: &REG=
org_addr: 0x40a4a0, decrypted string: CDATA
org_addr: 0x40a4da, decrypted string: SOFTWARE\
org_addr: 0x40a564, decrypted string: &Src=
org_addr: 0x40a5b6, decrypted string: src.dat
org_addr: 0x40a642, decrypted string: &Lang=
org_addr: 0x40a690, decrypted string: &Lang=
org_addr: 0x40a6de, decrypted string: &ADVF=
org_addr: 0x40a734, decrypted string: &FS=
org_addr: 0x40a79f, decrypted string: &sha=
org_addr: 0x40a7f6, decrypted string: &st_dt=
org_addr: 0x40a867, decrypted string: &ParamALL=
org_addr: 0x40a9e9, decrypted string: UnNM
org_addr: 0x40accc, decrypted string: Date:
org_addr: 0x40af23, decrypted string: &Admin=1
org_addr: 0x40af49, decrypted string: &Admin=0
org_addr: 0x40af70, decrypted string: &Idle=
org_addr: 0x40afac, decrypted string: &TDY=
org_addr: 0x40afe3, decrypted string: &LTDY=
org_addr: 0x40b028, decrypted string: &TDYC=
org_addr: 0x40b0c3, decrypted string: https://
org_addr: 0x40b0e4, decrypted string: http://
org_addr: 0x40b158, decrypted string: Location:
org_addr: 0x40b377, decrypted string: script
org_addr: 0x40b3ac, decrypted string: Flags=
org_addr: 0x40b3ed, decrypted string: CHECK
org_addr: 0x40b589, decrypted string: DFN
org_addr: 0x40b81a, decrypted string: UpdTask.exe
org_addr: 0x40b840, decrypted string: SynHelper.exe
org_addr: 0x40b866, decrypted string: Updane.exe
org_addr: 0x40b892, decrypted string: Sync.exe
org_addr: 0x40b8be, decrypted string: ProductUpdt.exe
org_addr: 0x40b8ea, decrypted string: SyncTask.exe
org_addr: 0x40b913, decrypted string: SyncVersion.exe
org_addr: 0x40b956, decrypted string: .exe
org_addr: 0x40ba7e, decrypted string: https://
org_addr: 0x40ba99, decrypted string: http://
org_addr: 0x40bae0, decrypted string: CR
org_addr: 0x40bb1a, decrypted string: CD
org_addr: 0x40bb94, decrypted string: &uid=
org_addr: 0x40bbc3, decrypted string: &ins_guid=
org_addr: 0x40bbf2, decrypted string: &host_guid=
org_addr: 0x40bc21, decrypted string: &iv=
org_addr: 0x40bc59, decrypted string: &AL=
org_addr: 0x40bc8e, decrypted string: a
org_addr: 0x40bcc4, decrypted string: aflt
org_addr: 0x40bcf4, decrypted string: CD_UIDC
org_addr: 0x40bd27, decrypted string: CD_ins_guid
org_addr: 0x40bd5a, decrypted string: CD_host_guid
org_addr: 0x40bd8d, decrypted string: CD_iv
org_addr: 0x40bdc0, decrypted string: CD_aflt
org_addr: 0x40bdf3, decrypted string: CD_AL
org_addr: 0x40be3b, decrypted string: CD
org_addr: 0x40be8a, decrypted string: Local_Inst_DT
org_addr: 0x40bebb, decrypted string: SNR_FAIL
org_addr: 0x40bef0, decrypted string: URL
org_addr: 0x40bf23, decrypted string: AppName
org_addr: 0x40bf59, decrypted string: uidp
org_addr: 0x40bf9c, decrypted string: UDAT0
org_addr: 0x40bfee, decrypted string: UDAT0
org_addr: 0x40c021, decrypted string: RKL
org_addr: 0x40c06c, decrypted string: RVL
org_addr: 0x40c0ad, decrypted string: RKL
org_addr: 0x40c0e0, decrypted string: RVL
org_addr: 0x40c113, decrypted string: RLM
org_addr: 0x40c158, decrypted string: RLM
org_addr: 0x40c1eb, decrypted string: Inst_DT
org_addr: 0x40c221, decrypted string: IRVER
org_addr: 0x40c26d, decrypted string: IRBVER
org_addr: 0x40c2b5, decrypted string: IRTYP
org_addr: 0x40c2f4, decrypted string: TodayFN
org_addr: 0x40c327, decrypted string: TodayCntFN
org_addr: 0x40c906, decrypted string: SDT
org_addr: 0x40c9c2, decrypted string: Src
org_addr: 0x40c9fc, decrypted string: src.dat
org_addr: 0x40cad5, decrypted string: .del
org_addr: 0x40cbb2, decrypted string: nosct
org_addr: 0x40cd96, decrypted string: noun
org_addr: 0x40cde6, decrypted string: /Uninstall
org_addr: 0x40ce13, decrypted string: DelSelfDir
org_addr: 0x40ce40, decrypted string: /GID=
org_addr: 0x40ce9d, decrypted string: ProdName
org_addr: 0x40cefd, decrypted string: prod.dat
org_addr: 0x40d01e, decrypted string: BkScript
org_addr: 0x40d13f, decrypted string: Flags=
org_addr: 0x40d19c, decrypted string: Install
org_addr: 0x40d52b, decrypted string: UReg
org_addr: 0x40d610, decrypted string: UFile
org_addr: 0x40d6a8, decrypted string: UDAT
org_addr: 0x40d749, decrypted string: UExFile
org_addr: 0x40d8e2, decrypted string: Uninstall
org_addr: 0x40d918, decrypted string: Update Service
org_addr: 0x40d93a, decrypted string: Uninstall completed successfully. Please restart your computer to clean up files.
org_addr: 0x40d9a3, decrypted string: &APN=
org_addr: 0x40d9cb, decrypted string: &S=Uninstall&IDT=
org_addr: 0x40d9f3, decrypted string: IDT
org_addr: 0x40da3c, decrypted string: &DT=
org_addr: 0x40da67, decrypted string: &IRTYP=
org_addr: 0x40daa5, decrypted string: &IRVER=
org_addr: 0x40dad2, decrypted string: &UID=
org_addr: 0x40db49, decrypted string: BkScript
org_addr: 0x40dba9, decrypted string: config.dat
org_addr: 0x40dd1c, decrypted string: DelSelfDir
org_addr: 0x40dea9, decrypted string: Update Service
org_addr: 0x40decb, decrypted string: Uninstall
org_addr: 0x40defd, decrypted string: update process?
org_addr: 0x40df56, decrypted string: Uninstall must Reboot your computer to delete files.
org_addr: 0x40df75, decrypted string: Continue with uninstall?
org_addr: 0x40dfec, decrypted string: Uninstall necessario riavviare il computer per eliminare i file.
org_addr: 0x40e00b, decrypted string: Continuare con la disinstallazione?
org_addr: 0x40e02f, decrypted string: Désinstaller devez redémarrer votre ordinateur pour supprimer les fichiers.
org_addr: 0x40e04e, decrypted string: Continuer la désinstallation?
org_addr: 0x40e072, decrypted string: Uninstall müssen Starten Sie Ihren Computer, um Dateien zu löschen.
org_addr: 0x40e091, decrypted string: Fahren Sie mit dem deinstallieren?
org_addr: 0x40e0b5, decrypted string: Uninstall deve reiniciar o computador para apagar arquivos.
org_addr: 0x40e0d4, decrypted string: Continue com a desinstalação?
org_addr: 0x40e0f5, decrypted string: Desinstalación debe reiniciar el equipo para eliminar archivos.
org_addr: 0x40e114, decrypted string: Continúe con la desinstalación?
org_addr: 0x40e135, decrypted string: Desinstalación debe reiniciar el equipo para eliminar archivos.
org_addr: 0x40e154, decrypted string: Continúe con la desinstalación?
org_addr: 0x40e17b, decrypted string: Update Service
org_addr: 0x40e1e0, decrypted string: noun
org_addr: 0x40e210, decrypted string: GID
org_addr: 0x40e2a9, decrypted string: /DoUninstall
org_addr: 0x40e2d2, decrypted string: /Uninstall
org_addr: 0x40e497, decrypted string: $UpdateSRV
org_addr: 0x40e4e1, decrypted string: $UpdateLTR
org_addr: 0x40e66d, decrypted string: script
org_addr: 0x40e6a2, decrypted string: Flags=
org_addr: 0x40e6e3, decrypted string: CHECK
org_addr: 0x40eac4, decrypted string: Update
org_addr: 0x40eadf, decrypted string: Install
org_addr: 0x40eaf8, decrypted string: Flags=
org_addr: 0x40eb50, decrypted string: IDT
org_addr: 0x40ec04, decrypted string: https://
org_addr: 0x40ec1f, decrypted string: http://
org_addr: 0x40ec41, decrypted string: /sanity/
org_addr: 0x40ef16, decrypted string: Ver
org_addr: 0x40ef38, decrypted string: DT:
org_addr: 0x40ef69, decrypted string: Ver:
org_addr: 0x40ef9f, decrypted string: BVer:
org_addr: 0x40efd5, decrypted string: Typ:
org_addr: 0x40f14e, decrypted string: nx
org_addr: 0x41045c, decrypted string: user32.dll
org_addr: 0x41048e, decrypted string: OemToCharA
org_addr: 0x41092a, decrypted string: kernel32.dll
org_addr: 0x410966, decrypted string: GetVersionExA
org_addr: 0x410a6b, decrypted string: ProductName
org_addr: 0x410a93, decrypted string: \Software\Microsoft\Windows NT\CurrentVersion\
org_addr: 0x410e2c, decrypted string: kernel32.dll
org_addr: 0x410e54, decrypted string: GetFileSize
org_addr: 0x411055, decrypted string: <?xml version="1.0" encoding="UTF-16"?>
org_addr: 0x411075, decrypted string: <Task version="1.1" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
org_addr: 0x4110ae, decrypted string: <RegistrationInfo>
org_addr: 0x4110dd, decrypted string: <Description><#DESC#></Description>
org_addr: 0x41110c, decrypted string: </RegistrationInfo>
org_addr: 0x41113a, decrypted string: <#DESC#>
org_addr: 0x411171, decrypted string: <#TRIGGERS#>
org_addr: 0x4111a0, decrypted string: <Principals>
org_addr: 0x4111cf, decrypted string: <Principal id="Author">
org_addr: 0x411202, decrypted string: <UserId>SYSTEM</UserId>
org_addr: 0x411233, decrypted string: <LogonType>InteractiveToken</LogonType>
org_addr: 0x411260, decrypted string: <RunLevel>HighestAvailable</
org_addr: 0x411291, decrypted string: <RunLevel>LeastPrivilege</RunLevel>
org_addr: 0x4112c0, decrypted string: </Principal>
org_addr: 0x4112ef, decrypted string: </Principals>
org_addr: 0x411327, decrypted string: <Settings>
org_addr: 0x411362, decrypted string: <Enabled>true</Enabled>
org_addr: 0x41139d, decrypted string: <Hidden>false</Hidden>
org_addr: 0x4113d8, decrypted string: <RunOnlyIfIdle>false</RunOnlyIfIdle>
org_addr: 0x411413, decrypted string: <WakeToRun>false</WakeToRun>
org_addr: 0x41144e, decrypted string: <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
org_addr: 0x411489, decrypted string: <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
org_addr: 0x4114c4, decrypted string: <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
org_addr: 0x4114ff, decrypted string: <Priority>5</Priority>
org_addr: 0x41153a, decrypted string: </Settings>
org_addr: 0x411575, decrypted string: <Actions Context="Author">
org_addr: 0x4115b0, decrypted string: <Exec>
org_addr: 0x4115eb, decrypted string: <Command><#PROGRAM#></Command>
org_addr: 0x411626, decrypted string: <Arguments><#PARAMS#></Arguments>
org_addr: 0x411661, decrypted string: </Exec>
org_addr: 0x41169c, decrypted string: </Actions>
org_addr: 0x4116d7, decrypted string: </Task>
org_addr: 0x411729, decrypted string: <#PROGRAM#>
org_addr: 0x41176f, decrypted string: <#PARAMS#>
org_addr: 0x411833, decrypted string: <Triggers>
org_addr: 0x411854, decrypted string: <CalendarTrigger>
org_addr: 0x411899, decrypted string: <Repetition>
org_addr: 0x4118ca, decrypted string: <Interval>PT
org_addr: 0x4118f3, decrypted string: M</Interval>
org_addr: 0x411924, decrypted string: <Duration>P1D</Duration>
org_addr: 0x411955, decrypted string: <StopAtDurationEnd>false</StopAtDurationEnd>
org_addr: 0x411986, decrypted string: </Repetition>
org_addr: 0x4119ab, decrypted string: <StartBoundary><#YEAR#>-<#MONTH#>-<#DAY#>T<#HOUR#>:<#MI
org_addr: 0x4119dc, decrypted string: <Enabled>true</Enabled>
org_addr: 0x411a17, decrypted string: <ScheduleByDay>
org_addr: 0x411a4e, decrypted string: <DaysInterval>1</DaysInterval>
org_addr: 0x411a88, decrypted string: </ScheduleByDay>
org_addr: 0x411ac5, decrypted string: </CalendarTrigger>
org_addr: 0x411b02, decrypted string: </Triggers>
org_addr: 0x411c13, decrypted string: <#HOUR#>
org_addr: 0x411c5d, decrypted string: <#MIN#>
org_addr: 0x411ca7, decrypted string: <#SEC#>
org_addr: 0x411cf1, decrypted string: <#YEAR#>
org_addr: 0x411d3b, decrypted string: <#MONTH#>
org_addr: 0x411d85, decrypted string: <#DAY#>
org_addr: 0x411de6, decrypted string: <#TRIGGERS#>
org_addr: 0x411e94, decrypted string: SYSTEM
org_addr: 0x411f7a, decrypted string: Tasks\
org_addr: 0x411fd5, decrypted string: *.job
org_addr: 0x412461, decrypted string: /interactive
org_addr: 0x4124af, decrypted string: at.exe
org_addr: 0x412551, decrypted string: Tasks\
org_addr: 0x4125a8, decrypted string: AT
org_addr: 0x4125d3, decrypted string: .job
org_addr: 0x41292f, decrypted string: .xml
org_addr: 0x41296e, decrypted string: /create /F /tn
org_addr: 0x412992, decrypted string: " /xml "
org_addr: 0x4129c7, decrypted string: schtasks.exe
org_addr: 0x412a25, decrypted string: /create /F /tn
org_addr: 0x412a52, decrypted string: " /tr "
org_addr: 0x412a97, decrypted string: /sc DAILY /ST
org_addr: 0x412aea, decrypted string: /RU SYSTEM
org_addr: 0x412b29, decrypted string: /IT
org_addr: 0x412b62, decrypted string: schtasks.exe
org_addr: 0x412d34, decrypted string: /query /xml
org_addr: 0x412d51, decrypted string: schtasks.exe
org_addr: 0x412d9c, decrypted string: </Task>
org_addr: 0x412e04, decrypted string: </Command>
org_addr: 0x412e21, decrypted string: <Command>
org_addr: 0x412ea5, decrypted string: /delete /F /TN "
org_addr: 0x412eda, decrypted string: schtasks.exe
org_addr: 0x412f28, decrypted string: </Task>
org_addr: 0x413074, decrypted string: SHGetSpecialFolderPathW
org_addr: 0x413091, decrypted string: shell32.dll
org_addr: 0x413c5a, decrypted string: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
org_addr: 0x413d72, decrypted string: SOFTWARE\Microsoft\Windows\CurrentVersion\
org_addr: 0x413d8e, decrypted string: Uninstall
org_addr: 0x413e1b, decrypted string: DisplayIcon
org_addr: 0x413e6a, decrypted string: DisplayName
org_addr: 0x413eb9, decrypted string: UninstallString
org_addr: 0x413f20, decrypted string: Publisher
org_addr: 0x414108, decrypted string: cmd.exe /Q /D /c del "
org_addr: 0x414178, decrypted string: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
org_addr: 0x4141ad, decrypted string: cmd.exe /Q /D /c del "
org_addr: 0x41421d, decrypted string: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
org_addr: 0x414636, decrypted string: GetPwrCapabilities
org_addr: 0x414824, decrypted string: open
org_addr: 0x4163d5, decrypted string: 000000000000
org_addr: 0x416449, decrypted string: 000000
org_addr: 0x4164cd, decrypted string: FFFFFFFF
org_addr: 0x4169f5, decrypted string: dir
org_addr: 0x416a16, decrypted string: /S "
org_addr: 0x416a35, decrypted string: *.*
org_addr: 0x416a6b, decrypted string: TIMEOUT
org_addr: 0x416bc2, decrypted string: cmd.exe
org_addr: 0x416bf3, decrypted string: /d /c
org_addr: 0x416c1c, decrypted string: & cmd /d /c del
org_addr: 0x416c71, decrypted string: CreateProcessA
org_addr: 0x416c9a, decrypted string: kernel32.dll
org_addr: 0x416dad, decrypted string: cmd.exe
org_addr: 0x416dde, decrypted string: /d /c
org_addr: 0x416e0d, decrypted string: & cmd /d /c rd /S /Q
org_addr: 0x416e6e, decrypted string: CreateProcessA
org_addr: 0x416e97, decrypted string: kernel32.dll
org_addr: 0x4170a7, decrypted string: MachineGuid
org_addr: 0x4170cf, decrypted string: Software\Microsoft\Cryptography
org_addr: 0x417116, decrypted string: MachineGuid
org_addr: 0x41713e, decrypted string: Software\Microsoft\Cryptography
org_addr: 0x417253, decrypted string: user32.dll
org_addr: 0x41727f, decrypted string: GetLastInputInfo
org_addr: 0x41734c, decrypted string: GetUserDefaultUILanguage
org_addr: 0x417369, decrypted string: kernel32.dll
org_addr: 0x417a58, decrypted string: .ini
org_addr: 0x417ab4, decrypted string: .txt
org_addr: 0x417ad7, decrypted string: .txt
org_addr: 0x4182d5, decrypted string: cmd.exe
org_addr: 0x418376, decrypted string: 1.dat
org_addr: 0x4183a9, decrypted string: 2.dat
org_addr: 0x418448, decrypted string: /d /c
org_addr: 0x4184a3, decrypted string: cmd /d /c copy /B /Y /V
org_addr: 0x4184fd, decrypted string: & cmd /d /c del "
org_addr: 0x418528, decrypted string: " & cmd /d /c del "
org_addr: 0x41857b, decrypted string: CreateProcessA
org_addr: 0x4185a4, decrypted string: kernel32.dll
org_addr: 0x41878f, decrypted string: psapi.dll
org_addr: 0x4187ce, decrypted string: GetModuleFileNameExA
org_addr: 0x4187f6, decrypted string: EnumProcessModules
org_addr: 0x418d30, decrypted string: mnprstghklbcdf
org_addr: 0x418d56, decrypted string: iuaaooee
org_addr: 0x41a1e7, decrypted string: kernel32.dll
org_addr: 0x41a20d, decrypted string: FreeLibrary
org_addr: 0x41a237, decrypted string: EnterCriticalSection
org_addr: 0x41a261, decrypted string: LeaveCriticalSection
org_addr: 0x41a28b, decrypted string: WaitForSingleObject
org_addr: 0x41a2b5, decrypted string: CloseHandle
org_addr: 0x41a2df, decrypted string: GetExitCodeProcess
org_addr: 0x41a309, decrypted string: GetSystemDirectoryW
org_addr: 0x41a333, decrypted string: GetModuleFileNameW
org_addr: 0x41a35d, decrypted string: DeleteFileA
org_addr: 0x41a387, decrypted string: CreateFileW
org_addr: 0x41a3b1, decrypted string: CreateFileA
org_addr: 0x41a3db, decrypted string: ReadFile
org_addr: 0x41a405, decrypted string: WriteFile
org_addr: 0x41a42f, decrypted string: SetFilePointer
org_addr: 0x41a459, decrypted string: MoveFileW
org_addr: 0x41a48c, decrypted string: MoveFileA
org_addr: 0x41a4c2, decrypted string: FindFirstFileW
org_addr: 0x41a4f8, decrypted string: FindNextFileW
org_addr: 0x41a52e, decrypted string: FindClose
org_addr: 0x41a564, decrypted string: CreateProcessW
org_addr: 0x41a59a, decrypted string: CreateProcessA
org_addr: 0x41a5d0, decrypted string: GetStartupInfoA
org_addr: 0x41a606, decrypted string: CopyFileW
org_addr: 0x41a63c, decrypted string: GetTempPathA
org_addr: 0x41a6cf, decrypted string: PeekNamedPipe
org_addr: 0x41a705, decrypted string: CreatePipe
org_addr: 0x41a73b, decrypted string: GetFileAttributesW
org_addr: 0x41a771, decrypted string: GetShortPathNameA
org_addr: 0x41a7a7, decrypted string: GetShortPathNameW
org_addr: 0x41a7dd, decrypted string: GetComputerNameA
org_addr: 0x41a813, decrypted string: CreateDirectoryA
org_addr: 0x41a849, decrypted string: CreateDirectoryW
org_addr: 0x41a87f, decrypted string: RemoveDirectoryA
org_addr: 0x41a8b5, decrypted string: GetCurrentProcess
org_addr: 0x41a8eb, decrypted string: SetFileTime
org_addr: 0x41a921, decrypted string: GetVolumeInformationA
org_addr: 0x41a957, decrypted string: GetTickCount
org_addr: 0x41a98d, decrypted string: ExitThread
org_addr: 0x41a9c3, decrypted string: CreateThread
org_addr: 0x41a9f9, decrypted string: ResumeThread
org_addr: 0x41aa2f, decrypted string: GetLocalTime
org_addr: 0x41aa65, decrypted string: OpenProcess
org_addr: 0x41aa9b, decrypted string: GetSystemPowerStatus
org_addr: 0x41aad1, decrypted string: GetWindowsDirectoryW
org_addr: 0x41ab07, decrypted string: SetFileAttributesW
org_addr: 0x41ab3d, decrypted string: Sleep
org_addr: 0x41ab73, decrypted string: TerminateProcess
org_addr: 0x41ac02, decrypted string: advapi32.dll
org_addr: 0x41ac28, decrypted string: RegCloseKey
org_addr: 0x41ac52, decrypted string: RegOpenKeyExW
org_addr: 0x41ac7c, decrypted string: RegDeleteKeyW
org_addr: 0x41aca6, decrypted string: RegCreateKeyExW
org_addr: 0x41acd0, decrypted string: RegSetValueExW
org_addr: 0x41acfa, decrypted string: RegQueryValueExW
org_addr: 0x41ad24, decrypted string: RegDeleteValueW
org_addr: 0x41ad4e, decrypted string: RegEnumValueW
org_addr: 0x41ad78, decrypted string: RegEnumKeyW
org_addr: 0x41ae05, decrypted string: user32.dll
org_addr: 0x41ae2b, decrypted string: GetWindowThreadProcessId
org_addr: 0x41ae55, decrypted string: EnumWindows
org_addr: 0x41ae7f, decrypted string: WaitForInputIdle
org_addr: 0x41afaa, decrypted string: kernel32.dll
org_addr: 0x41afeb, decrypted string: LoadLibraryA
org_addr: 0x41b01c, decrypted string: GetProcAddress
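The dump above is the raw output of the string-decoding script; what a detection engineer wants from it is the MAC OUI table the adware compares adapter addresses against (GetAdaptersInfo followed by the six-hex-digit prefixes) and the scheduled-task / RunOnce strings behind its persistence and cleanup. The Python below is an added example, not the post's IDAPython script: it parses the script's output format, groups the OUI prefixes, and mirrors the adapter check. Its input is a constructed subset of the entries above, and the rule that a run of OUI strings belongs to the three-letter tag that follows it in address order (000C29, 005056 then VMW) is an inference from that order, not something the post states.

```python
"""Turn the decrypted-string dump into indicators. Added example, not the post's
IDAPython script. SAMPLE is a constructed subset of the dump above; the rule that a
run of six-hex-digit OUI prefixes belongs to the three-letter tag that follows it
(000C29, 005056 -> VMW) is inferred from the address order, not stated in the post."""
import re
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(
    r"org_addr: (0x[0-9a-fA-F]+), decrypted string: (.*?)(?=org_addr: 0x|$)", re.S)
OUI_RE = re.compile(r"^[0-9A-F]{6}$")      # first three MAC bytes as printed by the script
TAG_RE = re.compile(r"^[A-Z]{3}$")         # AZR, AMZ, VMW, PRL, XEN, VBX
PERSISTENCE_HINTS = ("schtasks", "at.exe", "RunOnce", "cmd.exe", "/create", "/sc ", "/delete")

# Constructed sample: entries copied from the dump above, run together the way the
# extracted post prints them (the parser also accepts one entry per line).
SAMPLE = (
    "org_addr: 0x405529, decrypted string: IPHLPAPI.dll"
    "org_addr: 0x40558e, decrypted string: GetAdaptersInfo"
    "org_addr: 0x4059a1, decrypted string: 00155D"
    "org_addr: 0x4059c7, decrypted string: 0003FF"
    "org_addr: 0x405a38, decrypted string: AZR"
    "org_addr: 0x405ab5, decrypted string: 000C29"
    "org_addr: 0x405b27, decrypted string: 005056"
    "org_addr: 0x405b4c, decrypted string: VMW"
    "org_addr: 0x405be1, decrypted string: 080027"
    "org_addr: 0x405c0c, decrypted string: VBX"
    "org_addr: 0x4129c7, decrypted string: schtasks.exe"
    "org_addr: 0x412a97, decrypted string: /sc DAILY /ST"
    "org_addr: 0x414178, decrypted string: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
)


def parse_dump(text: str) -> List[Tuple[int, str]]:
    """Split the script output into (address, string) pairs, sorted by address."""
    entries = [(int(m.group(1), 16), m.group(2).strip("\r\n"))
               for m in ENTRY_RE.finditer(text)]
    return sorted(entries)


def hypervisor_ouis(entries: List[Tuple[int, str]]) -> Dict[str, List[str]]:
    """Group OUI prefixes under the hypervisor tag that follows them in the dump.
    Any other string breaks the run, so unrelated hex constants further down
    (000000, 005345000000, ...) are not attached to a tag."""
    table: Dict[str, List[str]] = {}
    pending: List[str] = []
    for _addr, s in entries:
        if OUI_RE.match(s):
            pending.append(s)
        elif TAG_RE.match(s) and pending:
            table.setdefault(s, []).extend(pending)
            pending = []
        else:
            pending = []
    return table


def hypervisor_for_mac(mac: str, table: Dict[str, List[str]]) -> Optional[str]:
    """Mirror the adware's own check: match the adapter MAC's first three bytes
    against the OUI table (accepts 00:0c:29:.. or 00-0C-29-.. spellings)."""
    oui = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()[:6]
    return next((tag for tag, ouis in table.items() if oui in ouis), None)


def persistence_indicators(entries: List[Tuple[int, str]]) -> List[str]:
    """Strings that point at the scheduled-task / RunOnce persistence and cleanup."""
    return [s for _addr, s in entries if any(h in s for h in PERSISTENCE_HINTS)]


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE)
    table = hypervisor_ouis(parsed)
    print(table)
    print(hypervisor_for_mac("00:0C:29:4A:1B:7C", table))
    print(persistence_indicators(parsed))
```

Run against the full dump, hypervisor_ouis() yields one entry per tag (AZR, AMZ, VMW, PRL, XEN, VBX); the two trailing VMW/XEN strings with no OUIs before them are skipped, and the 12-digit constants that follow break the run rather than being mistaken for prefixes.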

End.
