Update Star includes support for many languages such as English, German, French, Italian, Hungarian, Russian and many more.

GetSystemDirectoryA, GetTempFileNameA, GetTempPathA: Related to the thoughts above regarding replacement of a legitimate file.

I wonder if something happens like:
1) copy the legitimate file to a temp path
2) replace the legitimate file with the malicious file
3) the malicious file receives input from the system first before passing it on to the legitimate file now residing in the temp directory, so that nothing seems amiss.

I ended up dumping the file three ways – used each of Olly’s methods of reconstructing the PE header, and then also without reconstructing it.

What I ended up with was a somewhat unpacked file from the section and then the file from the section that was created after patching the code to follow that branch (which is what I had originally gotten from the section running Resource Hacker). I’ll go through some of what I find the most interesting, with the full set of strings at the end.

The smaller block of libraries and functions at the end just appears to be a repeat of what we’ve seen earlier.

Below the large block of functions, we see an interesting set of strings. Looks like the first two are some error messages specific to this sample.

I can’t say I’m too surprised, but I figured I would give it a try. LoadLibraryW, which showed that a couple of libraries were loaded (GDI32 and imm32).

I tried running the original malware and then patching the code to force the branch where the file is loaded and executed, but the file that drops is just the packed file from (in this case, dropped as %system%\system32\LSASvc.exe). However, the binary keeps failing shortly after the calls to GetProcAddress for various functions from imm32 and GDI32 complete.

I’m going to try to get this to run and see what happens dynamically.

Looking at the malware in the debugger, after the file is written from the section, there is a call to CreateProcess with these parameters. Stepping through the parameters with the help of MSDN:

lpProcessInformation: Pointer to a PROCESS_INFORMATION struct that receives info about the new process.
lpStartupInfo: Pointer to a STARTUPINFO or STARTUPINFOEX struct.

We also see this string:

lpCurrentDirectory: The path to the current directory for the process.
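A defender-side check for the drop-and-execute pattern raised in the temp-path hypothesis above and in the CreateProcess call just described, added here as an example that is not part of the original post. It parses a constructed, simplified API-trace format (the line format, the pid values and the paths are all assumptions) and flags any process that resolves the system directory, writes a file under it and then launches that same file.

```python
import re
from collections import defaultdict

# Constructed sample trace in a simplified "API monitor" style (not from the
# original post). Each line is: <pid> <api> <argument or result text>
SAMPLE_TRACE = r"""
1234 GetTempPathA -> C:\Users\lab\AppData\Local\Temp
1234 GetTempFileNameA -> C:\Users\lab\AppData\Local\Temp\tmpA1B2.tmp
1234 GetSystemDirectoryA -> C:\Windows\system32
1234 WriteFile C:\Windows\system32\LSASvc.exe 45056
1234 CreateProcessA C:\Windows\system32\LSASvc.exe lpCurrentDirectory=C:\Windows\system32
5678 GetTempPathA -> C:\Users\lab\AppData\Local\Temp
5678 WriteFile C:\Users\lab\AppData\Local\Temp\report.txt 120
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s+(.*)$")


def parse_trace(text):
    """Group (api, detail) tuples by pid, preserving call order."""
    calls = defaultdict(list)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls[int(m.group(1))].append((m.group(2), m.group(3)))
    return calls


def find_drop_and_execute(calls):
    """Return {pid: path} for processes that resolve the system directory,
    write a file beneath it, and later CreateProcess that same file."""
    hits = {}
    for pid, seq in calls.items():
        sysdir = None
        written = set()
        for api, detail in seq:
            if api.startswith("GetSystemDirectory"):
                # Result text after "->" is the resolved directory.
                sysdir = detail.split("->", 1)[1].strip().lower()
            elif api == "WriteFile" and sysdir:
                path = detail.split()[0].lower()
                if path.startswith(sysdir):
                    written.add(path)
            elif api.startswith("CreateProcess"):
                path = detail.split()[0].lower()
                if path in written:
                    hits[pid] = path
    return hits


if __name__ == "__main__":
    print(find_drop_and_execute(parse_trace(SAMPLE_TRACE)))
```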

FindFirstFileA, FindNextFileA: Looks like this thing will look for a specific file.