The beginning is here: vilgeforce.habrahabr.ru/blog/43746.html

Anyway, the WinNt32.dll file appeared on the victim's computer; it was loaded into memory and its code was executed. This file downloaded two encrypted files from the network: one of them was started, and the second was injected into svchost (let's call it Injected).
Analysis of the first file (the Dropper) showed the following. The first stages of its work are identical to those of WinNt32.dll: Sysenter, decryption, loading into memory and execution. Only in this case three files are encrypted inside it. The first is the payload itself, and the second and third are used by the payload. What does the payload do? Its functionality is simple and unremarkable: drop the two previously decrypted files to disk, one under the name WinNt32.dll and the other under a random name with the .sys extension; register both files in the registry, with the *.sys registered as a service; then start that service and call one of the DLL's functions. I did not explore the functionality of the driver; alas, that is a complicated matter. But the dropped DLL is the very one with which it all started! That is, the Downloader downloads the Dropper, and the Dropper saves and runs the Downloader. Such is the "vicious circle."
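The persistence step described above (a driver written under a random name and registered as a service) leaves a trace that a responder can look for. The following is an added triage example, not code from the original post or from the malware analysed there: it takes a list of service entries in the shape of the registry's service data and flags kernel-driver services whose image file has a random-looking name or sits outside the usual drivers directory. The sample entries, the service names and the heuristic thresholds are constructed for illustration; only the WinNt32.dll name comes from the post, and it is not a service, so it is not part of the scan.

```python
import re
from typing import Dict, List, NamedTuple

SERVICE_KERNEL_DRIVER = 0x1  # SERVICE_KERNEL_DRIVER constant from the Win32 service API


class ServiceEntry(NamedTuple):
    name: str          # service key name
    service_type: int  # value of the "Type" registry field
    image_path: str    # value of the "ImagePath" registry field


# Constructed sample data in the shape of HKLM\SYSTEM\CurrentControlSet\Services
# entries. The last three are hypothetical; only the first two mimic real drivers.
SAMPLE_SERVICES: List[ServiceEntry] = [
    ServiceEntry("Beep", SERVICE_KERNEL_DRIVER, r"\SystemRoot\System32\drivers\beep.sys"),
    ServiceEntry("Disk", SERVICE_KERNEL_DRIVER, r"\SystemRoot\System32\drivers\disk.sys"),
    ServiceEntry("xkqzvt", SERVICE_KERNEL_DRIVER, r"C:\WINDOWS\system32\drivers\xkqzvt.sys"),
    ServiceEntry("Spooler", 0x10, r"C:\WINDOWS\system32\spoolsv.exe"),
    ServiceEntry("hg7q2pm", SERVICE_KERNEL_DRIVER, r"C:\WINDOWS\system32\hg7q2pm.sys"),
]

VOWELS = set("aeiouy")


def vowel_ratio(word: str) -> float:
    """Share of vowels among the letters of a word (0.0 when it has no letters)."""
    letters = [c for c in word.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def looks_random(filename: str) -> bool:
    """Heuristic: a file stem of five or more characters with almost no vowels,
    or with letters and digits mixed together, is unlike the names legitimate
    drivers are given. Short stems (beep, disk, ntfs) are left alone."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 5:
        return False
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    return vowel_ratio(stem) < 0.2 or (has_digit and has_alpha)


def basename(path: str) -> str:
    """Last path component, accepting both backslash and forward-slash separators."""
    return re.split(r"[\\/]", path)[-1]


def find_suspicious_drivers(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Return {service name: [reasons]} for kernel-driver services worth a closer look."""
    findings: Dict[str, List[str]] = {}
    for entry in entries:
        if entry.service_type != SERVICE_KERNEL_DRIVER:
            continue  # only driver services are of interest here
        fname = basename(entry.image_path)
        reasons = []
        if not fname.lower().endswith(".sys"):
            reasons.append("kernel driver whose image is not a .sys file")
        if looks_random(fname):
            reasons.append("random-looking file name")
        if "\\drivers\\" not in entry.image_path.lower():
            reasons.append("driver image outside the drivers directory")
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_drivers(SAMPLE_SERVICES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live system the entries would come from the Services registry key or from `sc query` output; the heuristic only narrows the list, so each hit still needs the image file hashed and its signature checked before any conclusion.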
The file injected into svchost (Injected) is not encrypted, unlike the Downloader and the Dropper, and even without understanding how it works, from its text strings alone you can tell that it works with mail. Most likely it sends spam. The file contains several mail servers, both domestic and foreign, and even a Google server.
Thus, the spam mailing was most likely intended to build an army of spambots, and not only Odnoklassniki users but everyone else could suffer from it.