hxxp://5.196.121[.]163/connection.jpg
https://twitter.com/pollo290987/status/950736382485499904
Remember that extensions can lie. This connection.jpg is clearly an executable once you load it into PEStudio, or even just a text editor, and see that it starts with MZ.
I opened it in x32dbg and identified an upcoming Windows API call to GetProcAddress in this executable:
mov byte ptr ds:[42926D],61
mov word ptr ds:[42926A],7472
lea eax,dword ptr ds:[<&GetProcAddress>]
call dword ptr ds:[eax]
So I stepped through it. Initially the strings view showed an obfuscated string that could perhaps be deciphered as VirtualAlloc.
Let's see how the assembly code converts it into the readable/usable string VirtualAlloc.
It's done in three simple mov instructions:
mov byte ptr ds:[429268],56
mov byte ptr ds:[42926D],61
mov word ptr ds:[42926A],7472
If you look up these hex values in an ASCII table ( http://www.asciitable.com/ ), you'll see that
56 = 'V'
61 = 'a'
74 = 't'
72 = 'r'
The original obfuscated string was "liiiu_lAlloc", located in the data segment (ds:) at 00429268.
See how the first mov replaces the leading 'l' (at 429268) with a 'V'.
Now we have "Viiiu_lAlloc"
Then it replaces the '_' (at 42926D) with an 'a'.
Now we have "ViiiualAlloc"
Then it replaces the 'ii' (at 42926A) with 'rt' (remember that little endian stores the word 7472 as the bytes 72 74, so the hex chars appear backwards in the disassembly).
Now we have "VirtualAlloc"
Then it calls GetProcAddress to resolve the VirtualAlloc function inside kernel32:
lea eax,dword ptr ds:[<&GetProcAddress>]
call dword ptr ds:[eax]
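To check the manual walkthrough above without single-stepping, here is a small Python emulator of the three immediate-to-memory mov stores; it is an added example, not code from the post or from the sample, and the buffer contents, base address and instruction text are taken from the post as quoted.

```python
import re
import struct

# Constructed from the post: the obfuscated string and the address the
# debugger showed it at (ds:00429268).
DATA_BASE = 0x429268
OBFUSCATED = b"liiiu_lAlloc"

# The three mov instructions quoted in the post, copied verbatim.
PATCHES = [
    "mov byte ptr ds:[429268],56",
    "mov byte ptr ds:[42926D],61",
    "mov word ptr ds:[42926A],7472",
]

# Matches x64dbg-style "mov <size> ptr ds:[<hex addr>],<hex imm>".
MOV_RE = re.compile(
    r"mov\s+(byte|word|dword)\s+ptr\s+ds:\[([0-9A-Fa-f]+)\],([0-9A-Fa-f]+)",
    re.IGNORECASE,
)
# Operand size in bytes and the little-endian struct format for each width.
WIDTHS = {"byte": (1, "<B"), "word": (2, "<H"), "dword": (4, "<I")}


def apply_movs(data: bytes, base: int, instructions) -> bytes:
    """Apply immediate-to-memory stores to a copy of the bytes at `base`.
    Each store is written little-endian as the CPU would, so the word
    0x7472 lands as 72 74 ("rt")."""
    mem = bytearray(data)
    for ins in instructions:
        m = MOV_RE.fullmatch(ins.strip())
        if not m:
            raise ValueError(f"unsupported instruction: {ins!r}")
        size, fmt = WIDTHS[m.group(1).lower()]
        addr, imm = int(m.group(2), 16), int(m.group(3), 16)
        off = addr - base
        if off < 0 or off + size > len(mem):
            raise ValueError(f"store at {addr:#x} is outside the buffer")
        mem[off:off + size] = struct.pack(fmt, imm)
    return bytes(mem)


def trace_movs(data: bytes, base: int, instructions) -> list:
    """Return the string after each store, mirroring the post's walkthrough."""
    return [apply_movs(data, base, instructions[:i]).decode("ascii")
            for i in range(1, len(instructions) + 1)]
```

Running `trace_movs(OBFUSCATED, DATA_BASE, PATCHES)` yields the same three intermediate strings the debugger shows, ending in "VirtualAlloc".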