Author: ycmint
Note: veterans can skip this; if you are a newbie, it may be worth a look.
Principle: counterfeit DLL (DLL hijacking), a very old technique. This trojan sample uses a counterfeit msimg32.dll to read the .db files under the QQ directory and obtain QQ chat records and related QQ information (I didn't see the password... haha).
Provider: x-man (I mean, I'm a noob).
Trojan: web24, packed with a modified UPX.
Analysis: main-body analysis (key points only).
1. Got the trojan, checked the packer, rebuilt and unpacked the UPX, and handed off dumped_.exe.
**************************************************
2. User call:
loc_402376:                                   ; CODE XREF: CODE:00402127j
CODE:00402376 83 F8 01                 cmp     eax, 1
CODE:00402379 75 0D                    jnz     short loc_402388
CODE:0040237B E8 B0 04 00 00           call    sub_402830      ; only the User call path is followed here
Three key calls:
CODE:00402830
CODE:00402830 sub_402830 proc near            ; CODE XREF: CODE:0040237Bp
CODE:00402830 E8 0B FD FF FF           call    sub_402540      ; mutex setup
CODE:00402835 E8 36 FE FF FF           call    sub_402670      ; traverse processes to find QQ
CODE:0040283A E8 71 FD FF FF           call    sub_4025B0
CODE:0040283F A1 48 36 40 00           mov     eax, hWnd
CODE:00402844 50                       push    eax             ; hWnd
CODE:00402845 FF 15 C4 30 41 00        call    ds:CloseWindow
CODE:0040284B E8 90 FE FF FF           call    sub_4026E0      ; continue startup
CODE:00402850 6A 00                    push    0               ; uExitCode
CODE:00402852 FF 15 10 30 41 00        call    ds:ExitProcess
The first call is easy to restore.
Second call: sub_402670. If qq.exe is running, it traverses the process list to locate it, takes the directory of the process's first module (the executable itself), and infects the .db files and the target DLL under that directory. If QQ is not running, it looks up the install paths of the various QQ versions from the registry and carries out the infection there.
Traverse processes for the QQ PID:
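A defender's check for the technique just described, added here as an example that is not part of the original post: given an application directory and the System32 directory, it flags any watched DLL (msimg32.dll here) that sits next to the application EXE with a hash different from the genuine system copy. The watch list, directory names and sample file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# DLLs an application loads by bare name, so a copy placed next to its EXE wins
# over the System32 copy. msimg32.dll is the one this sample counterfeits; the
# watch list itself is constructed for this example and is not exhaustive.
WATCHED_DLLS = ("msimg32.dll",)


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(app_dir, system_dir, watched=WATCHED_DLLS):
    """Return (dll_name, app_hash, system_hash) for every watched DLL found in
    app_dir whose hash differs from the System32 copy (None if absent there).
    A mismatch is either a vendor build or a planted counterfeit: review it."""
    findings = []
    for name in watched:
        # Windows file names are case-insensitive (MSIMG32.dll == msimg32.dll).
        planted = next((p for p in Path(app_dir).iterdir()
                        if p.is_file() and p.name.lower() == name), None)
        if planted is None:
            continue
        genuine = Path(system_dir) / name
        sys_hash = sha256_of(genuine) if genuine.is_file() else None
        app_hash = sha256_of(planted)
        if app_hash != sys_hash:
            findings.append((name, app_hash, sys_hash))
    return findings


def demo():
    """Scan a constructed layout: one QQ directory with a planted DLL, one with
    an exact copy of the system DLL. Returns (planted_findings, clean_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32, infected, clean = (Path(tmp, d) for d in ("System32", "QQ", "QQ2"))
        for d in (sys32, infected, clean):
            d.mkdir()
        genuine = b"genuine msimg32 bytes (constructed)"
        (sys32 / "msimg32.dll").write_bytes(genuine)
        (infected / "MSIMG32.dll").write_bytes(b"counterfeit dll (constructed)")
        (clean / "msimg32.dll").write_bytes(genuine)
        return (find_sideload_candidates(infected, sys32), find_sideload_candidates(clean, sys32))
```

On a live host, point app_dir at the directory of the running QQ.exe (the same directory the trojan targets) and system_dir at %SystemRoot%\System32; a hit on a system DLL name is worth signature and origin checks before anything else.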
CODE:00401000 81 EC 50 01 00 00        sub     esp, 150h
CODE:00401006 53                       push    ebx
CODE:00401007 55                       push    ebp
CODE:00401008 56                       push    esi
CODE:00401009 57                       push    edi
CODE:0040100A 33 C0                    xor     eax, eax
CODE:0040100C B9 49 00 00 00           mov     ecx, 49h
CODE:00401011 8D 7C 24 3C              lea     edi, [esp+160h+pe.cntUsage]
CODE:00401015 50                       push    eax             ; th32ProcessID
CODE:00401016 F3 AB                    rep stosd
CODE:00401018 6A 02                    push    2               ; dwFlags
CODE:0040101A C7 44 24 40 28 01+       mov     [esp+168h+pe.dwSize], 128h
CODE:00401022 E8 61 18 00 00           call    CreateToolhelp32Snapshot
CODE:00401027 8B E8                    mov     ebp, eax
CODE:00401029 83 FD FF                 cmp     ebp, 0FFFFFFFFh
CODE:0040102C 75 0D                    jnz     short loc_40103B
CODE:0040102E 5F                       pop     edi
CODE:0040102F 5E                       pop     esi
CODE:00401030 5D                       pop     ebp
CODE:00401031 33 C0                    xor     eax, eax
CODE:00401033 5B                       pop     ebx
CODE:00401034 81 C4 50 01 00 00        add     esp, 150h
CODE:0040103A C3                       retn
CODE:0040103B ; ---------------------------------------------------------------------------
CODE:0040103B
CODE:0040103B loc_40103B:                             ; CODE XREF: sub_401000+2Cj
CODE:0040103B 8D 44 24 38              lea     eax, [esp+160h+pe]
CODE:0040103F 50                       push    eax             ; lppe
CODE:00401040 55                       push    ebp             ; hSnapshot
CODE:00401041 E8 3C 18 00 00           call    Process32First
CODE:00401046 85 C0                    test    eax, eax
CODE:00401048 75 0B                    jnz     short loc_401055
CODE:0040104A 5F                       pop     edi
CODE:0040104B 5E                       pop     esi
CODE:0040104C 5D