Static Analysis: Advanced
We missed our beloved “Ghidra” capabilities in analyzing this sample, so we deployed our favourites, Cutter and IDA Pro.
First things first: reversing the main .dll with Cutter.
The main .dll contains only a few functions, roughly 13 in total.
This function opens the registry key for modification.
This particular function fetches the module handle if the address is mapped into memory, and returns a large integer value.
Registry Key Set:
Registry Key Deleted:
.dlls imported by this .dll:
Debugging the .dll showed that it creates three other .dlls. The name of one of them differs every time the main .dll is opened in the debugger. Going through the code of these three .dlls in IDA Pro, it struck me that all three share the same code.
Static analysis of one of the 3 .dlls:
This .dll also uses an anti-debugging technique, as it imports RtlUnwind from KERNEL32.dll.
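The checks described above (which .dlls and APIs the sample imports, whether the registry and debugger-related imports stand out, and whether the three dropped .dlls really are the same file under different names) can be scripted so they do not depend on screenshots from Cutter or IDA Pro. The following is an added example, not code from this write-up or from either tool: a small pure-Python PE import-table parser (no pefile dependency), a triage step that flags registry and anti-debugging imports, and a SHA-256 grouping of dropped files. The concrete API names in SAMPLE_IMPORTS (GetModuleHandleA, RegOpenKeyExA, RegSetValueExA, RegDeleteKeyA) are assumptions standing in for the functions shown in the screenshots; RtlUnwind is listed among the anti-debugging indicators only because the write-up flags it. The fixture PE is constructed in code so the example runs offline.

```python
import hashlib
import struct

SECTION_RVA, SECTION_RAW = 0x1000, 0x200   # where the constructed .rdata lives in memory / on disk

def parse_imports(data):
    """Return {dll: [symbol, ...]} from a PE32/PE32+ image's import directory (pure Python)."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections, opt_size = struct.unpack_from("<2xH12xH", data, pe_off + 4)  # COFF header fields
    opt_off = pe_off + 24
    is64 = struct.unpack_from("<H", data, opt_off)[0] == 0x20B             # PE32+ magic
    dir_off = opt_off + (112 if is64 else 96)                              # first data directory
    imp_rva = struct.unpack_from("<I", data, dir_off + 8)[0]               # directory[1] = imports
    sec_off, sections = opt_off + opt_size, []
    for i in range(n_sections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec_off + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    def rva_to_off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not mapped by any section")
    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")
    imports = {}
    if imp_rva == 0:
        return imports
    thunk_fmt, thunk_size, ordinal_bit = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    desc_off = rva_to_off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)  # IMAGE_IMPORT_DESCRIPTOR
        if oft == 0 and name_rva == 0 and ft == 0:                         # zero entry ends the table
            break
        names, thunk_off = [], rva_to_off(oft or ft)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk_off)[0]
            if entry == 0:
                break
            if entry & ordinal_bit:
                names.append(f"ordinal#{entry & 0xFFFF}")
            else:
                names.append(cstr(rva_to_off(entry) + 2))                  # skip the 2-byte hint
            thunk_off += thunk_size
        imports[cstr(rva_to_off(name_rva))] = names
        desc_off += 20
    return imports

def build_sample_pe(imports):
    """Construct a minimal PE32 DLL whose only content is an import table (test fixture)."""
    sec = bytearray(20 * (len(imports) + 1))           # descriptor table, zero-terminated
    def put(blob):                                     # append to .rdata, return the blob's RVA
        sec.extend(blob)
        return SECTION_RVA + len(sec) - len(blob)
    for i, (dll, funcs) in enumerate(imports):
        name_rva = put(dll.encode() + b"\0")
        by_name = [put(struct.pack("<H", 0) + f.encode() + b"\0") for f in funcs]
        thunks = put(b"".join(struct.pack("<I", r) for r in by_name) + b"\0" * 4)
        struct.pack_into("<IIIII", sec, 20 * i, thunks, 0, 0, name_rva, thunks)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew: NT headers at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, SECTION_RVA, 20 * (len(imports) + 1))  # import directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(sec), SECTION_RVA, len(sec), SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    return bytes((dos + b"PE\0\0" + coff + opt + sec_hdr).ljust(SECTION_RAW, b"\0") + sec)

REGISTRY_APIS = {"RegOpenKeyExA", "RegOpenKeyExW", "RegCreateKeyExA", "RegCreateKeyExW",
                 "RegSetValueExA", "RegSetValueExW", "RegDeleteKeyA", "RegDeleteKeyW"}
# Well-known debugger checks, plus RtlUnwind (SEH unwinding), which the write-up above flags.
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess", "OutputDebugStringA", "RtlUnwind"}

def triage_imports(imports):
    """Pick out registry-modifying and anti-debugging imports from parse_imports() output."""
    flat = {name for names in imports.values() for name in names}
    return {"registry": sorted(flat & REGISTRY_APIS), "anti_debug": sorted(flat & ANTI_DEBUG_APIS)}

def identical_groups(files):
    """Group dropped files that are byte-identical (SHA-256) even when their names differ."""
    by_hash = {}
    for name, blob in files.items():
        by_hash.setdefault(hashlib.sha256(blob).hexdigest(), []).append(name)
    return sorted(sorted(names) for names in by_hash.values())

# Constructed fixture: these API names are assumptions standing in for the screenshots above.
SAMPLE_IMPORTS = [("KERNEL32.dll", ["GetModuleHandleA", "RtlUnwind"]),
                  ("ADVAPI32.dll", ["RegOpenKeyExA", "RegSetValueExA", "RegDeleteKeyA"])]

def analyze_sample():
    imports = parse_imports(build_sample_pe(SAMPLE_IMPORTS))
    return imports, triage_imports(imports)

if __name__ == "__main__":
    print(analyze_sample())
```

On a real sample, replace build_sample_pe(...) with the bytes read from the dropped .dll files; identical_groups() applied to the three dropped files answers the "same code" question from the section above by content rather than by name, which matters precisely because one of the names changes on every run.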
That’s all for today.