Encryption and Tampering Detection Mechanism

During execution, the Data Section was decrypted to reveal the malicious data to be used, and an integrity check was performed to ensure that the malware had not been tampered with. See Figure 2 for the pseudo code to decrypt the Data Section and perform the malware integrity check.

[Figure 2]

The image base location of the loaded executable module (retrieved at offset 8 of the Process Environment Block (PEB)) was then used to locate the beginning of the executable module. It was identified that the section headers were iterated until the first four bytes of a section name were found to be 0x7461642E (or "tad."). As it was a DWORD comparison, "tad." should be read as ".dat" because of little-endian byte order. Hence, it was obvious that the malware was looking for the Data Section. After the data section had been identified, the entire section content was decrypted using RC4 with the 5-byte key "haxer".

After the data section was decrypted, a number of bot-related data items (an array of integrity check structures located within the data section) were further decrypted using RC4 with the 32-byte key "27 84 23 64 63 34 04 27 C0 27 A3 99 D6 16 58 32 BE 38 F9 EB 10 46 E1 3C E3 77 E6 1C D0 84 60 03". See Figure 3 for the pseudo code to decrypt the Data Section.

[Figure 3]

The integrity check structure was defined as follows:

[Figure: integrity check structure definition]