This sample is from Practical Malware analysis Lab 11-02. Mainly it’s doing inline hooking.

Quick Background


So let’s talk about inline hooking first. According to the PMA, inline hooking changes the actual function code. Basically, it replace the start of the code with a jump to the malicious code from the rootkit. After that, it will return back to the normal function to make sure everything goes well. PMA gives a good example for this. But I am pretty sure after reading this sample, we will have a really deep understanding of inline hook.

Static Analysis


Let’s check our file first. The .ini file just contains a string which we don’t know what it means. You can probably assume it’s a password or something. But we can just head to the .dll now. Let’s use string.exe to check whether there are some interesting strings. We see some interesting ones:

SOFTWARE\Microsoft\Widows NT\CurrentVersion\Windows
AppInit_DLLs
This two must have something to do with the registry. Probably help the malware to stay persistence.
Spoolvxx32.dll
Send wsock32.dll
This two might do something with internet.
Lab11-02.ini
It must do something with that mysterious string, right?
THEBAT.EXE OUTLOOK.EXE MSIMN.EXE
Might be some applications.

Ok, then we use CFF to see the PE structure.
We find that the .dll has an export function named installer. For the import directory we see that ReadFile, CreateFile. Not too much information here.

Dynamic Analysis


Let’s use the regshot and process monitor. Well, according to the regshot, we see there is a value modified:
HKLM\SOFTWARE\Microsoft\WidowsNT\CurrentVersion\Windows\AppInit_DLLs

And the value added is spoolvxx32.dll.Ok, this is how the malware manage to stay persistence. AppInit_DLLs will be loaded into every process that loads User32.dll. Normally, malware authors need to check the process name to determine they will run their payload. In this case, you probably will know that the string that we found, “THEBAT.EXE OUTLOOK.EXE MSIMN.EXE”, might be that check process. But if you don’t, no need to worry. To be honest, I didn’t figure it out when I am at this stage.

Then, what is the spoolvxx32? Ok, through Process monitor we can probably find something. We see this log:
CreateFile C:\Windows\system32\spoolvxx32.dll
So this is the one added to AppInit_DLL. We can use the winmd5 to examine the spoolvxx32.dll and the Lab11-02.dll. And it turns out they have the same md5 value.

Ok, until now, there are still something that we are not clear. We have this “send wsock32.dll” and “THEBAT.EXE OUTLOOK.EXE MSIMN.EXE”. We don’t know what is that doing. So let’s go to a more advanced analysis which will show us the inline hooking it does!

Advanced analysis


Let’s use the IDA to open that .dll file. At the DLLmain, we can see this branch.

The code highlighted with yellow is the Getsystemdirectory call which will give us the system32 path. And we see that ‘strncat’ which add the ‘\lab11-02.dll’ to the system32 path. After that, it calls CreateFile. Actually, we have to make it clear that here CreateFile is not what we mean by create file. Here it’s creating an object in kernel which is more like open a file. This is something that really bothers me at first.

After it opens the file, it just reads the string in the file and do something. There is a function here which is sub_100010B3, after we double click the function, we see some complicated code. But what I would assume is that it’s some kind of decoding function.

Let’s examine it in OllyDbg. But before doing this, make sure that we put the .ini file in the system directory. We see that the address for this call is 100016CA so set a breakpoint at this address. And after we run the call we can see that in eax, there is a string which is an email address.

Therefore, our assumption is right. The call is just a decoding function and you guys can try to reverse that function if you want.

Ok, now let’s go deeper. We see that after the readfile and closehandle, it calls sub_100014B6. This must the place that the malware actually do something. Double click it. We come to this place.

First, there are two calls, Sub_10001075 and Sub_10001104, which gets the process the name that the malicious dll attached to. So in our case, this should be LOADDLL.EXE because we are using the OllyDbg. So later, this malware checks whether the process name is any of “THEBAT.EXE OUTLOOK.EXE MSIMN.EXE”. If it’s any of this, it will jump to this piece of code.

There are 3 calls here. For the sub_100013BD, if you dig deeper into it, you will find a function call for suspendthread. And for the sub_10001499, you will find a function call for resumethread. You can even dig much deeper to see how it suspend and resume the threads. But for now, we will stop here and turn to the call sub_100012A3.

And according to the four arguments that it pass in, we change the names of the variables at first which will show like this.

This will definitely give you a lot convenience. In this piece of code, it mainly use the GetProcessAddress to get the address of send function. Then it goes to this piece of code.

Oh,it finally pass in this send_address, it must be doing something real now!!! Otherwise, I will break down!!!

Oh, what’s it doing here? No annotation at all! Don’t worry. We change the variable name to make it more clearly. It just calculate the difference between the address of sub_1000113D and the send_address. It then subtract it by 5 and move it into var_4. Here 5 is the size of the code of jump *. Then later it must add the opcode of the “jump” and the address of the hook function to the original send function. So let’s scroll down and find it.

I use two rectangles to make it clear. How you can’t just change that 5 bytes, right? You must make sure that 5 bytes are still there when we later do something malicious and come back. So it can operate well otherwise it will break down and the victim will know he is attacked! So the malware must save that first 5 bytes somewhere. Before we come to that, we change the var_8 to trampoline. This is what PMA did, because var_8 stores the start of the code that solve the problem we just mentioned.

Hi, hold on, dude. We are nearly done. Clearly, the first part is to set out a place for the trampoline function. The second part is to copy the first 5 bytes of send function into the trampoline. The third part is to pass the address if the trampoline into the variable dword_10003484. Ok, then let’s see the hook function which is at 1000113D.

Actually what happens here is much easier. It just check whether there is the “RCPT TO:” in memory. If it’s there. it will add the email that we just find to the recipient list.

Ok, now, we are finalllllllllllllllly done!!!!!!!

Any question, please contact me at xudong_shao@hotmail.com