"Pdf file": Trojan Horse also uses cloud Technology

Source: Internet
Author: User

Recently, while downloading a PDF file, we came across a simple malicious downloader. Unlike other downloaders, this malware does not carry its PE loader inside its own binary; the loader is fetched from the network instead.

Bot check-in

Once executed, the downloader collects system information about the local user, builds a URL from it, and connects to a server.

In the URL shown above, AVA ***** 5 (the first masked part) is the victim's computer name, and 51-SP is the operating system version.

Analysis of the fake PDF

Although the file fetched by the downloader carries a .pdf extension, its content is nothing like a real PDF.

The downloader uses the hardcoded value 0x74E7E1C8 to decode this fake PDF. After decoding, if the recorded length matches the length of the entire fake PDF, the downloader checks the dword at offset 0x12. If it equals the hardcoded signature 0x2E0F1567, a further dword at offset 4 is checked.

The downloader's bootstrap code calls the cloud loader

In the code above, esi holds the starting offset of the "PDF file", and `call eax` is what actually transfers execution to the cloud loader.

We can see that offset 0x1134 holds the address of the RtlDecompressBuffer API. After that API is called, the malicious PE file appears, and the cloud loader uses a small trick to verify the MZ header signature.
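As an added example (not code from the original analysis), the following triage helper implements the container check described in the "Analysis of the fake PDF" section: it tells a real PDF apart from the decoded fake container by looking for the signature 0x2E0F1567 in the dword at offset 0x12. The article does not say how 0x74E7E1C8 is applied during decoding, so this example assumes a repeating 4-byte little-endian XOR, and it stops before the RtlDecompressBuffer stage; the sample container it builds is constructed for the test and the meaning of the dword at offset 4 is assumed.

```python
import struct

# Constants taken from the article; how the key is applied is an assumption.
DECODE_KEY = 0x74E7E1C8      # value used to decode the fake PDF
FAKE_SIG = 0x2E0F1567        # expected dword at offset 0x12 after decoding
SIG_OFFSET = 0x12


def xor_decode(data: bytes, key: int = DECODE_KEY) -> bytes:
    """Assumed decoder: repeating 4-byte little-endian XOR with the key."""
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def classify(data: bytes) -> str:
    """Return 'pdf', 'fake-pdf-container' or 'unknown' for a downloaded file."""
    if data.startswith(b"%PDF-"):
        return "pdf"                      # genuine PDF magic, nothing to decode
    if len(data) < SIG_OFFSET + 4:
        return "unknown"                  # too short to hold the signature dword
    decoded = xor_decode(data)
    (sig,) = struct.unpack_from("<I", decoded, SIG_OFFSET)
    return "fake-pdf-container" if sig == FAKE_SIG else "unknown"


def build_sample_container(payload: bytes) -> bytes:
    """Constructed test input: a header with the signature at 0x12 followed by
    the payload, then XOR-encoded (XOR is symmetric, so encode == decode)."""
    header = bytearray(SIG_OFFSET + 4)
    struct.pack_into("<I", header, 4, len(payload))        # offset-4 dword: assumed to be a length
    struct.pack_into("<I", header, SIG_OFFSET, FAKE_SIG)   # signature checked by the downloader
    return xor_decode(bytes(header) + payload)
```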

During our analysis, we found that this malware was also downloading other malware, such as W32/Battdil.I!tr and W32/Kryptik.CWIM!tr.

Summary

Why does this malware keep the loader out of its binary? We believe the aim is to reduce the downloader's own footprint, and hosting the loader in the cloud also makes it easier for the malware authors to add features later.
