Examining a piece of malware for strings (sequences of printable characters) can reveal a few clues about what the malware does, or what it is capable of doing. Part two demonstrates one way of finding the functions that reference the strings, and uses this information to hazard a guess at what those functions do.
Part one demonstrated how you can get an inkling about what a piece of (non-obfuscated) malware may do, by looking at the strings contained within it. In this part, I will take this a bit further and use a debugger to find which functions reference the various strings. From this, I will then have a stab at what the purpose of each function is. The next part (part three) will go one step further and disassemble the functions to see how accurately the string based predictions reflect each function’s actual functionality.
The debugger I chose to use was the free edition of IDA Pro. IDA Pro automatically generates a ‘Strings’ sub-view, however, I would like to select all of strings (doing each string individually will be quite annoying, and won’t generate the nice graph which makes it easy to see what is going on). To do this, I opened the ‘Segments’ sub-view, and from there, opened the ‘.data’ segment (section) by double-clicking it.
I then selected the range of recognisable strings, and the memory locations containing the offsets of the recognisable strings, and generated a ‘Xrefs to’ graph. This showed, quite nicely, the strings referenced by each function.
From the ‘Xrefs to’ graph, I saw the following functions referencing the strings:
- _WinMain@16()
PHIME2008 Software\Microsoft\Windows\CurrentVersion\Run /SYNC
- sub_401C40()
lg1=%s&lg2=%s&lg3=%s&lg4=%s&lg5=%s&lg6=%s&lg7=%d GET /updata/TPDB.php? NONE HTTP/1.1 1.003 125.206.117.59
- sub_401AE0()
lg1=%s&lg2=%s&lg3=%s&lg4=%s&lg5=%s&lg6=%s GET /updata/TPDA.php? HTTP/1.1 1.003 125.206.117.59
- sub_402100()
%20 %s%s
- sub_401A70()
%04d%02d%02d%02d%02d%02d
- sub_401EB0()
URLDownloadToFileA DeleteUrlCacheEntry http://[censored].jp/updata/ACCl3.jpg urlmon.dll wininet.dll \msupd.exe
- sub_401870()
\\%s %d.%d.%d.%d .
- sub_401150()
.
- sub_4012B0()
%s\ipc$
- sub_401430()
"!" (offset of '!')
- sub_401490()
at cp %s TaskOK %s %s %s dnsapi.exe %s CopyOK %s %s %s %s\admin$\system32\dnsapi.exe (looks like share name and file name) %s %s LoginOK %s %s %s
From that then, I suggest the functions do the following:
- _WinMain@16()
Installs the malware in the registry ‘Run’ key, as ‘PHIME2008’. - sub_401C40()
Requests /updata/TPDB.php?lg1=%s&lg2=%s&lg3=%s&lg4=%s&lg5=%s&lg6=%s&lg7=%d from 125.206.117.59 ([censored].jp). - sub_401AE0()
Requests /updata/TPDA.php?lg1=%s&lg2=%s&lg3=%s&lg4=%s&lg5=%s&lg6=%s from 125.206.117.59 ([censored].jp). - sub_402100()
Appends another string to URL using ‘%20’ (encoded space) as separator. - sub_401A70()
Spits out a time stamp string in the format yyyyMMddhhmmss. - sub_401EB0()
May download http://[censored].jp/updata/ACCl3.jpg to ‘msupd.exe’ somewhere. - sub_401870()
May construct start of UNC name using IP address as server name. - sub_401150()
Is a little vague! - sub_4012B0()
May connect to IPC$ share, or append it to UNC name from sub_401870(). - sub_401430()
Also a little vague! - sub_401490()
‘at’ and ‘cp’ look like commands. The ‘TaskOK’, ‘CopyOK’, and ‘LoginOK’ look like log messages or command responses. %s\admin$\system32\dnsapi.exe looks like it could be either the target or the source of a copy. This function may implement the commands.
IDA Pro couldn’t find any references to the strings of day names, nor to the strings of month names.
That seems like a logical place to end this part. Part three will use IDA Pro (free edition) to disassemble the functions and see how accurate the strings based predictions are.