2007-10-17

Interesting "Downloader"

Get it from offensivecomputing: "f5c3bf7be349b36983d2a07b917f4bb7"

It uses a rather simple walking XOR decryption with a single-byte key that decrements after each iteration. This is used to decrypt both code and data.
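An added example of this kind of walking XOR (not code from the sample or the post): the decoder, plus key recovery from a single known plaintext byte, which is how an analyst usually gets the starting key without stepping through the loop. The post does not state the wrap direction or whether the key is decremented before or after the XOR, so both are assumed here, as is the 0x03 starting key of the constructed sample.

```python
"""Walking-XOR decoder for the scheme described above (constructed example).

Assumptions: the one-byte key is XORed into the current byte, then
decremented, wrapping 0x00 -> 0xFF. XOR is symmetric, so encoding and
decoding are the same operation with the same starting key.
"""


def walking_xor(data: bytes, start_key: int) -> bytes:
    """XOR each byte with a key that decrements by one per byte (mod 256)."""
    key = start_key & 0xFF
    out = bytearray()
    for b in data:
        out.append(b ^ key)
        key = (key - 1) & 0xFF  # wraps around after 0x00
    return bytes(out)


def recover_start_key(blob: bytes, offset: int, known_plain: int) -> int:
    """Recover the initial key from one known plaintext byte.

    The key walk is deterministic: the key at `offset` is start_key - offset
    (mod 256), so one known byte (for example the 'M' of an embedded 'MZ'
    header) fixes the whole keystream.
    """
    key_at_offset = blob[offset] ^ known_plain
    return (key_at_offset + offset) & 0xFF


# Constructed sample: a plaintext with a recognisable marker, encoded with
# start key 0x03 so that the key wraps from 0x00 to 0xFF inside the buffer.
PLAIN = b"MZ\x90\x00 decoded payload"
START_KEY = 0x03
ENCODED = walking_xor(PLAIN, START_KEY)


def demo() -> bytes:
    """Recover the key from the leading 'M' and decode the whole blob."""
    key = recover_start_key(ENCODED, 0, ord("M"))
    return walking_xor(ENCODED, key)


if __name__ == "__main__":
    print(f"recovered key: {recover_start_key(ENCODED, 0, ord('M')):#04x}")
    print(demo())
```

With only 256 possible starting keys, brute-forcing against a marker such as "MZ" is the fallback when no plaintext byte is known up front.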

Next, it will set up a Vectored Exception Handler and execute INT 3. So, if you're debugging and don't pass the exception on to the program, nothing happens.

Another interesting aspect is that every API it calls, resolved through the PEB structures, is referenced by a hash of its name. To call an API it calls an internal function with a predetermined hash of the API; this function traverses all current exports and hashes each one for comparison. Once found, the API's address is returned in EAX, which is followed by "call eax".

Moreover, each data block is XORed with a different key, and as soon as the data has been used the decrypted memory is cleared.
