Recently while analyzing a virus family, I found an interesting way to introduce delay before invoking the malicious code. It also helps in not making evident the location of the malicious code. This can be obfuscated further though.
After unpacking the malware, the first thing it does is to register a Window Class with the name, "Runtime Check" with the Window Procedure subroutine at address, 00402680. It then creates the Window. During the creation of the Window, the Window Procedure is invoked which handles the initial window messages like WM_CREATE.
After the Window is created, it retrieves the message from the Thread's queue using GetMessage() and dispatches it to the Window Procedure using DispatchMessage().
Inside the Window Procedure, it reads the code of the Window Message from the stack and stores it in the EAX register. It then checks whether the window message code is greater than 0xF. If it is equal to 0x113, then it sets up a Timer that elapses after 1 second. Since the last parameter to the SetTimer() function is NULL, the system will post a WM_TIMER message to the queue every time the timer elapses. Each time a WM_TIMER message is retrieved from the application thread's message queue using GetMessage(), it increments a counter. Once the counter is equal to 5, it calls the malicious subroutine. Since the timer is set to elapse after 1 second, so overall delay introduced is approximately, 5 seconds.
Below are the corresponding sections of code:
and here is the code rewritten in C:
if(wind_code > 0xF)
{
if(wind_code == 0x113)
{
counter++;
if(counter == 0x5)
{
call malicious_code;
}
}
}
else if(wind_code == 0xF)
{
// code for handling the WM_PAINT message
}
else if(wind_code == 0x1)
{
SetTimer(hWnd, 1, 0x3e8, 0)
}
After unpacking the malware, the first thing it does is to register a Window Class with the name, "Runtime Check" with the Window Procedure subroutine at address, 00402680. It then creates the Window. During the creation of the Window, the Window Procedure is invoked which handles the initial window messages like WM_CREATE.
After the Window is created, it retrieves the message from the Thread's queue using GetMessage() and dispatches it to the Window Procedure using DispatchMessage().
Inside the Window Procedure, it reads the code of the Window Message from the stack and stores it in the EAX register. It then checks whether the window message code is greater than 0xF. If it is equal to 0x113, then it sets up a Timer that elapses after 1 second. Since the last parameter to the SetTimer() function is NULL, the system will post a WM_TIMER message to the queue every time the timer elapses. Each time a WM_TIMER message is retrieved from the application thread's message queue using GetMessage(), it increments a counter. Once the counter is equal to 5, it calls the malicious subroutine. Since the timer is set to elapse after 1 second, so overall delay introduced is approximately, 5 seconds.
Below are the corresponding sections of code:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; Below are the first few lines of code of the Window Procedure: | |
| 00402680 55 PUSH EBP | |
| 00402681 8BEC MOV EBP,ESP | |
| 00402683 83E4 F8 AND ESP,FFFFFFF8 | |
| 00402686 83EC 4C SUB ESP,4C | |
| 00402689 A1 04A04000 MOV EAX,DWORD PTR DS:[40A004] | |
| 0040268E 33C4 XOR EAX,ESP | |
| 00402690 894424 48 MOV DWORD PTR SS:[ESP+48],EAX | |
| 00402694 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; window message code | |
| 00402697 56 PUSH ESI | |
| 00402698 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] | |
| 0040269B 83F8 0F CMP EAX,0F | |
| 0040269E 77 75 JA SHORT 249be839.00402715 ; if wind_code > 0xF | |
| 004026A0 74 47 JE SHORT 249be839.004026E9 ; WM_PAINT | |
| 004026A2 8BC8 MOV ECX,EAX | |
| 004026A4 49 DEC ECX | |
| 004026A5 74 1E JE SHORT 249be839.004026C5 ; if wind_code == 0x1 (WM_CREATE) | |
| ; The below code will setup the timer when the WM_CREATE window message is received by the Window Procedure: | |
| 004026C5 6A 00 PUSH 0 | |
| 004026C7 68 E8030000 PUSH 3E8 | |
| 004026CC 6A 01 PUSH 1 | |
| 004026CE 56 PUSH ESI | |
| 004026CF FF15 5C714000 CALL DWORD PTR DS:[40715C] ; USER32.SetTimer | |
| ; The below code will check if the window message code is 0x113 (WM_TIMER) and call the corresponding code to handle this window message: | |
| 00402715 8BC8 MOV ECX,EAX | |
| 00402717 81E9 11010000 SUB ECX,111 | |
| 0040271D 74 57 JE SHORT 249be839.00402776 | |
| 0040271F 83E9 02 SUB ECX,2 | |
| 00402722 74 22 JE SHORT 249be839.00402746 ; if wind_code == 0x113 (WM_TIMER) | |
| 00402746 A1 C4C64400 MOV EAX,DWORD PTR DS:[44C6C4] | |
| 0040274B 40 INC EAX ; increment the counter | |
| 0040274C A3 C4C64400 MOV DWORD PTR DS:[44C6C4],EAX | |
| 00402751 83F8 05 CMP EAX,5 ; check if counter == 0x5 | |
| 00402754 75 67 JNZ SHORT 249be839.004027BD | |
| 00402756 E8 75FBFFFF CALL 249be839.004022D0 ; call malicious subroutine. |
and here is the code rewritten in C:
if(wind_code > 0xF)
{
if(wind_code == 0x113)
{
counter++;
if(counter == 0x5)
{
call malicious_code;
}
}
}
else if(wind_code == 0xF)
{
// code for handling the WM_PAINT message
}
else if(wind_code == 0x1)
{
SetTimer(hWnd, 1, 0x3e8, 0)
}
0 comments: