1. Overview of the sample
1.1 Sample information
Virus name | P2P-Worm.Win32.Delf.aj |
Type | Worm (file infector) |
MD5 | 0c6b7ccfc0069bf2bae75eae4a006a73 |
SHA-1 | d72b4885ae3d8903e9aeafad9cdf23cd4fd2dd79 |
SHA-256 | 95f5936234787ec09e3c89d237c438776588080e70d0679c89f8ebc19a5b58ce |
Import Table MD5 | ec76897ebac5cc7223f5be81d6f630e3 |
Infection indicator | BagarBubba |
Signature code (at tail offset -40h) | 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000042616761724275626261 |
1.2 Test Environment and Tools
Test Environment | Virtual Machine Windows 10 64-bit |
Test Tools | FireEye, PEiD, xdbg, IDA, stud_PE |
1.3 Overview of Sample Behavior
This is a file-infecting worm. After the sample runs, it behaves as follows:
Traverses directories looking for files with the extensions exe, scr, com, pif, cmd and bat, and infects each one it finds.
2 Malicious Code Analysis
The infection routine is located at 0x403174. It writes the host file and its size after the virus body, deletes the original host, and renames the virus file to the host's name.
The following figure shows the tail of an infected file. The part before the infection indicator is a 280-byte structure; 0x00947C57 is an offset pointing to the structure that stores the size and path of the host file, and BagarBubba is the virus's infection indicator.
That structure is also 280 bytes and stores the host's size and path; in the figure, 0030C1F0 is the size of the host file.
3 File Recovery
3.1 Approach
- Check whether the BagarBubba infection indicator is present at the end of the file and whether the CRC32 at the fixed position matches.
- Read the offset stored at the end of the file to locate the structure that precedes the host PE, take the host file size from it, and compute where the host begins.
- Read the host PE file starting at that offset and save it.
3.2 Reference Code
```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* STRUCT_FLAG is the 4-byte marker at the start of each 280-byte structure.
   Its value is not given in this write-up; take it from the sample. */
#ifndef STRUCT_FLAG
#define STRUCT_FLAG 0x00000000u /* PLACEHOLDER - replace with the real marker */
#endif

/* Recovers the host PE from an infected file image held in puchar_src_buf.
   Returns 1 on success, -1 on parameter error, -5 on inconsistent sizes/offsets, 0 otherwise. */
long func_long_clear(unsigned char* puchar_src_buf, uint32_t u32_src_size,
                     unsigned char* puchar_dst_buf, uint32_t* pu32_dst_size)
{
    long long_ret = 0, long_last_ret = 0;
    if (puchar_src_buf == NULL || puchar_dst_buf == NULL || pu32_dst_size == NULL) {
        return -1; // parameter error
    }
    int32_t i32_struct_size = 280;      // size of each bookkeeping structure
    int32_t i32_infect_flag_off = -10;  // "BagarBubba" occupies the last 10 bytes
    int32_t i32_bge_struct_off = 0;     // offset of the structure that precedes the host
    int32_t i32_orig_file_size = -13;   // only used by the commented-out variant below
    int32_t i32_orig_file_off = 0;
    unsigned char auchar_infect_flag[10] = { 0 };
    uint32_t u32_orig_file_off = 0;
    uint32_t u32_orig_file_size = 0;
    uint32_t i32_struct_flag = 0;

    // The file must at least hold the tail structure and the indicator.
    if (u32_src_size < (uint32_t)(i32_struct_size - i32_infect_flag_off)) {
        return -5;
    }
    int32_t i32_end_struct_off = (int32_t)(u32_src_size + i32_infect_flag_off - i32_struct_size);

    i32_struct_flag = *(uint32_t *)(puchar_src_buf + i32_end_struct_off);
    if (i32_struct_flag != STRUCT_FLAG) {
        long_last_ret = -1;
    }
    if (long_last_ret == 0) {
        // +8 in the tail structure: offset of the structure that precedes the host
        i32_bge_struct_off = *(int32_t *)(puchar_src_buf + i32_end_struct_off + 8);
        if (i32_bge_struct_off <= 0 || i32_bge_struct_off + i32_struct_size > i32_end_struct_off) {
            long_last_ret = -1; // structure offset outside the file
        }
    }
    if (long_last_ret == 0) {
        i32_struct_flag = *(uint32_t *)(puchar_src_buf + i32_bge_struct_off);
        if (i32_struct_flag != STRUCT_FLAG) {
            long_last_ret = -1;
        }
    }
    if (long_last_ret == 0) {
        // +8 in the leading structure: size of the host file
        u32_orig_file_size = *(uint32_t *)(puchar_src_buf + i32_bge_struct_off + 8);
        if (u32_orig_file_size == 0) {
            long_last_ret = -1;
        }
    }
    if (long_last_ret == 0) {
        // the host starts right after the leading structure
        u32_orig_file_off = (uint32_t)(i32_bge_struct_off + i32_struct_size);
        memcpy(auchar_infect_flag, puchar_src_buf + u32_src_size + i32_infect_flag_off, 10);
        //u32_orig_file_off = *(uint32_t*)(puchar_src_buf + u32_src_size + i32_orig_file_off);
        //u32_orig_file_size = *(uint32_t*)(puchar_src_buf + u32_src_size + i32_orig_file_size);
        if (u32_orig_file_off > u32_src_size || u32_orig_file_size > u32_src_size ||
            u32_orig_file_off + u32_orig_file_size > u32_src_size) {
            long_last_ret = -1;
            long_ret = -5;
        }
    }
    if (long_last_ret == 0) {
        memcpy(puchar_dst_buf, puchar_src_buf + u32_orig_file_off, u32_orig_file_size);
        // as in the original reference code, the 10-byte indicator is appended after the host
        memcpy(puchar_dst_buf + u32_orig_file_size, auchar_infect_flag, 10);
        *pu32_dst_size = u32_orig_file_size + 10;
        long_ret = 1;
    }
    return long_ret;
}
```
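As an added example (not part of the original write-up), the following C program builds a constructed infected image following the layout described above and then runs the three recovery steps over it with bounds checks and a PE sanity check on the recovered data. The marker value FLAG_VALUE, the 1024-byte stub length, the host bytes and the little-endian field layout are assumptions made for this synthetic image only.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define INDICATOR     "BagarBubba"  /* 10-byte infection indicator at the end of the file */
#define INDICATOR_LEN 10
#define STRUCT_SIZE   280           /* size of each bookkeeping structure described above */
#define FLAG_VALUE    0x41424344u   /* ASSUMED marker value, only for this synthetic image */
/* Assumed layout: [virus body][hdr struct][host][tail struct][indicator]; marker at +0 of both
   structs, host size at hdr+8, hdr offset at tail+8; little-endian, unaligned-safe access. */
static void put32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }
static uint32_t get32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Builds a constructed (not real) infected image around `host`; returns its size, 0 on OOM. */
size_t build_image(const unsigned char *host, uint32_t host_len, unsigned char **out) {
    size_t tail = 1024 + STRUCT_SIZE + host_len, total = tail + STRUCT_SIZE + INDICATOR_LEN;
    unsigned char *img = calloc(total, 1);        /* zeros stand in for the 1024-byte virus body */
    if (img == NULL) return 0;
    put32(img + 1024, FLAG_VALUE);                /* hdr struct: marker */
    put32(img + 1024 + 8, host_len);              /* hdr struct: host size */
    memcpy(img + 1024 + STRUCT_SIZE, host, host_len);
    put32(img + tail, FLAG_VALUE);                /* tail struct: marker */
    put32(img + tail + 8, 1024);                  /* tail struct: offset of the hdr struct */
    memcpy(img + tail + STRUCT_SIZE, INDICATOR, INDICATOR_LEN);
    *out = img;
    return total;
}

/* Steps 1-3 of the approach with bounds checks; returns host length, 0 if clean or inconsistent. */
uint32_t recover_host(const unsigned char *img, size_t len, unsigned char *dst, size_t dst_cap) {
    if (len < 2 * STRUCT_SIZE + INDICATOR_LEN) return 0;           /* too small to be infected */
    if (memcmp(img + len - INDICATOR_LEN, INDICATOR, INDICATOR_LEN) != 0) return 0;
    size_t tail = len - INDICATOR_LEN - STRUCT_SIZE;
    if (get32(img + tail) != FLAG_VALUE) return 0;
    uint32_t hdr = get32(img + tail + 8);
    if (hdr == 0 || (size_t)hdr + STRUCT_SIZE > tail) return 0;     /* hdr struct must precede tail */
    if (get32(img + hdr) != FLAG_VALUE) return 0;
    uint32_t host_len = get32(img + hdr + 8);
    size_t host_off = (size_t)hdr + STRUCT_SIZE;
    if (host_len < 2 || host_off + host_len > tail || host_len > dst_cap) return 0;
    if (img[host_off] != 'M' || img[host_off + 1] != 'Z') return 0;  /* recovered data must look like a PE */
    memcpy(dst, img + host_off, host_len);
    return host_len;
}

/* Round trip on a constructed host: 1 when it is recovered intact and a damaged indicator is rejected. */
int roundtrip_ok(void) {
    static const unsigned char host[] = "MZ constructed host body";
    unsigned char *img = NULL, out[64];
    size_t n = build_image(host, sizeof host, &img); if (n == 0) return 0;
    int ok = recover_host(img, n, out, sizeof out) == sizeof host && memcmp(out, host, sizeof host) == 0;
    img[n - 1] ^= 1;                               /* corrupt the last indicator byte */
    ok = ok && recover_host(img, n, out, sizeof out) == 0;
    free(img);
    return ok;
}
```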