The file is not packed. It has been written in MSVC (Possibly 2010). Following are the headers present in the PE structure.

Below is the PEDUMP of the Trojan

PE signature found
             14C machine (x86)
               4 number of sections
        518EF109 time date stamp Sun May 12 07:01:53 2013
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             102 characteristics
                   32 bit word machine
             10B magic # (PE32)
            9.00 linker version
           16000 size of code
            9E00 size of initialized data
               0 size of uninitialized data
            1E80 entry point (00401E80)
            1000 base of code
           17000 base of data
          400000 image base (00400000 to 00421FFF)
            1000 section alignment
             200 file alignment
            5.00 operating system version
            0.00 image version
            5.00 subsystem version
               0 Win32 version
           22000 size of image
             400 size of headers
               0 checksum
               2 subsystem (Windows GUI)
            8000 DLL characteristics
                   Terminal Server Aware
          100000 size of stack reserve
            1000 size of stack commit
         6400000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
           1C10C [      DC] RVA [size] of Import Directory
               0 [       0] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
           21000 [     E44] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
           17000 [     21C] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory
   .text name
   15E35 virtual size
    1000 virtual address (00401000 to 00416E34)
   16000 size of raw data
     400 file pointer to raw data (00000400 to 000163FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Execute Read
  .rdata name
    5B54 virtual size
   17000 virtual address (00417000 to 0041CB53)
    5C00 size of raw data
   16400 file pointer to raw data (00016400 to 0001BFFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only
   .data name
    31D0 virtual size
   1D000 virtual address (0041D000 to 004201CF)
     C00 size of raw data
   1C000 file pointer to raw data (0001C000 to 0001CBFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write
  .reloc name
     F76 virtual size
   21000 virtual address (00421000 to 00421F75)
    1000 size of raw data
   1CC00 file pointer to raw data (0001CC00 to 0001DBFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Read Only
        4000 .data
        6000 .rdata
        1000 .reloc
       16000 .text

  1. It is a stealer. It steals the password from major FTP clients. The list will be mentioned below
  2. It also acts as a TCP / UDP proxy service allowing redirection of traffic.
  3. It also contains a downloader module, which downloads executables from c2c.
  4. This malware is configuration-specific which means certain main features can be turned off using a config mask.

Persistence and Presence

In the initial phase, it starts a thread for mutex creation. The mutex name is formatted using an inbuilt string and a version number in a %s_%d format.

In this case, the mutex and version was “5629186B-0207-4659-AE5D-B09282932A86_519.” It checks continuously for this mutex, and if present, it terminates itself.

Main Configuration and Communication

Static config is decoded using a simple XOR algorithm using a 4 byte XOR key. After decoding static config, various masks and structures are revealed – for example, IP Address or Exfil HTTP server.

In this sample XOR key was 96A534F0h, and after XORing, the following information is revealed:

  1. IP address
  2. Exfil HTTP server
  3. Socket Ports
  4. Mask value for config.

It also adds a firewall exception rule and masquerades it as Microsoft Office:

In the next subroutine, three manual reset events are created. These events will be later used to trigger c2 connection set.

It also generates a 16byte bot ID based on system parameters or random numbers.

It is either taken from software\microsoft\windows\currentversion\vendorid or generated random using UID create using XOR and MOD.

Main Thread Modules

Ethical Hacking Training – Resources (InfoSec)

IP Update Thread

This thread connects to c2 which is present in the binary. It will continuously connect to c2 ip and will try to update a DWORD used later in the initialization packet. This DWORD is saved in Network Byte order.

Now we will discuss different configuration masks used.

ConfigMask: bit 4 (Init packet thread)

After the call to c2thread, it checks a DWORD value extracted from the configuration buffer which is known as the ConfigMask variable. If the 4th bit is set from the mask value, then it starts another thread which will continuously send initialization packets to the c2 and a constant port number using the following format for the value generated from BOTID generation subroutine as mentioned below.


This subroutine encodes data using a base64 algorithm and connects to c2 from the base packet using port number again obtained from variable InitPacketPort TCP:23407.

Configmask: bit 1 (Registry persistence thread)

If bit 1 is set, then it will start a thread which keeps the malware persistent thought-out using a well know registry value to run on start: Software\Microsoft\Windows\CurrentVersion\Run.

ConfigMask: Bit 3 (Create a TCP proxy tunnel)

In this subroutine a critical section is created which is shared for synchronization between two threads created in this subroutine. Data Shared using Critical section is 128 bytes long.


This thread binds a TCP port named as ListenPort: 1080 and binds over it . When a connection is accepted an IP address of connecting machine is checked against a 128byte array with the following validation.

((unsigned __int8)(128 >> (unsigned __int8)(hostlonga >> (32 – (8 * i + 8))) % 8) & (unsigned __int8)*(&_80hBytes[32 * i] + (unsigned __int8)((signed int)(unsigned __int8)(hostlonga >>

(32 – (8 * i + 8))) >> 3))) != 0;

where hostlonga = Ipaddress of connecting machine

After that it receives one bye from socket which is used to check for what type of proxy it is supposed to be created.

value 4 = Ip based proxy ( received response will contain a raw ip address)

value 5 = Host name based proxy ( response will contain a printable domain name )

For Ip based proxy

8 bytes are received again from c2 which are formatted as

struct _8bytepacket


BYTE Unused;

BYTE Type1; // Should be 1 otherwise fails

WORD PortNumber ;

DWORD Ipaddress;/ IP of target system (HOST order )


If type == 1 . then (0x005b || 0x000000) DWORD is sent as failure packet to c2

otherwise (0x005A || 0x000000 ) is sent as success packet


This thread which receives a 128-byte buffer from c2 connecting to port ProxyInfoPort:23404

Configmask: bit 5 (download executable)

If bit 5 is set it will connect to all c2 using a specified port number and will send some data / a placeholder ‘SgrC’ to c2 and will download an executable

ConfigMask: bit 2 and Configmask2 bit 1

If these bits are set, it will start a routine for capturing email addresses from all files in root drive. However, it will skip from following extensions as mentioned below