Possible Trojan.Gromozon analysis

    Tech  2022-05-11  65

    hckf.exe

    PACKER: FSG 2.0 -> bart/xt, easily unpacked with http://ap0x.jezgra.net/RL!deFSG 2.0.rar

    creates files:

    C:\DOCUME~1\username\LOCALS~1\Temp\022171f8.bat

    I set a breakpoint on WriteFile() in OllyDbg and after passing an exception I found:

    0012F00C 0012F088 ASCII ":a\r\n@del %1\r\n@if exist %1 goto a\r\n@del %0"

    After advancing it a bit, the file had data which, when edited, shows:

    :a
    @del %1
    @if exist %1 goto a
    @del %0

    So this is the "delete yourself" routine.

    I'm wondering if this has a VMware detection feature, because it doesn't seem to do anything other than delete itself.

    I do, however, see a cmd.exe process spawned, so I set a breakpoint on CreateProcessA():

    0012EFE0 0040165D /CALL to CreateProcessA
    0012EFE4 00000000 |ModuleFileName = NULL
    0012EFE8 0012F0CC |CommandLine = "cmd.exe /c\"\"C:\\DOCUME~1\\username\\LOCALS~1\\Temp\\02397659.bat\"\"C:\\Documents and Settings\\username\\Desktop\\hckf.exe\"\""
    0012EFEC 00000000 |pProcessSecurity = NULL
    0012EFF0 00000000 |pThreadSecurity = NULL
    0012EFF4 00000000 |InheritHandles = FALSE
    0012EFF8 00000000 |CreationFlags = 0
    0012EFFC 00000000 |pEnvironment = NULL
    0012F000 00000000 |CurrentDir = NULL
    0012F004 0012F014 |pStartupInfo = 0012F014
    0012F008 0012F058 \pProcessInfo = 0012F058

    STRINGS:

    000001F2 004001F2 0 KERNEL32.dll
    00001CAA 00401CAA 0 CreateMutexA
    00001CBA 00401CBA 0 OpenMutexA
    00001CC8 00401CC8 0 LoadLibraryA
    00001CD8 00401CD8 0 SetUnhandledExceptionFilter
    00001CF6 00401CF6 0 GetModuleHandleA
    00001D0A 00401D0A 0 GetLastError
    00001D1A 00401D1A 0 Sleep
    00001D22 00401D22 0 GetTempPathA
    00001D32 00401D32 0 GetTickCount
    00001D42 00401D42 0 ExitProcess
    00001D50 00401D50 0 GetModuleFileNameA
    00001D66 00401D66 0 lstrcmpiA
    00001D72 00401D72 0 FreeLibrary
    00001D80 00401D80 0 GetProcAddress
    00001D92 00401D92 0 LocalAlloc
    00001DA0 00401DA0 0 LocalFree
    00001DAC 00401DAC 0 CreateProcessA
    00001DBE 00401DBE 0 CreateFileA
    00001DCC 00401DCC 0 WriteFile
    00001DD8 00401DD8 0 CloseHandle
    00001DE6 00401DE6 0 SetFileAttributesA
    00001DFC 00401DFC 0 lstrlenA
    00001E08 00401E08 0 GetVersion
    00001E16 00401E16 0 lstrcpyA
    00001E20 00401E20 0 KERNEL32.dll
    00001E30 00401E30 0 wsprintfA
    00001E3A 00401E3A 0 USER32.dll
    00006188 00406188 0 LoadLibraryA
    00006196 00406196 0 GetProcAddress
    0000703D 0040703D 0 KERNEL32.dll
    0000704A 0040704A 0 USER32.dll
    00007057 00407057 0 CreateMutexA
    00007066 00407066 0 OpenMutexA
    00007073 00407073 0 LoadLibraryA
    00007082 00407082 0 SetUnhandledExceptionFilter
    000070A0 004070A0 0 GetModuleHandleA
    000070B3 004070B3 0 GetLastError
    000070C2 004070C2 0 Sleep
    000070CA 004070CA 0 GetTempPathA
    000070D9 004070D9 0 GetTickCount
    000070E8 004070E8 0 ExitProcess
    000070F6 004070F6 0 GetModuleFileNameA
    0000710B 0040710B 0 lstrcmpiA
    00007117 00407117 0 FreeLibrary
    00007125 00407125 0 GetProcAddress
    00007136 00407136 0 LocalAlloc
    00007143 00407143 0 LocalFree
    0000714F 0040714F 0 CreateProcessA
    00007160 00407160 0 CreateFileA
    0000716E 0040716E 0 WriteFile
    0000717A 0040717A 0 CloseHandle
    00007188 00407188 0 SetFileAttributesA
    0000719D 0040719D 0 lstrlenA
    000071A8 004071A8 0 GetVersion
    000071B5 004071B5 0 lstrcpyA
    000071C0 004071C0 0 wsprintfA


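The two artifacts in the post that a responder would want to recognize automatically are the dropped batch file with its delete-until-gone loop, and the `cmd.exe /c "<bat>" "<exe>"` command line handed to CreateProcessA (the same string shows up in a process-creation log). The following Python is an added example, not code from the original post. Its sample batch text and command line are constructed from the values in the post, with the debugger escaping removed and a space between `/c` and the quoted arguments assumed. It generalizes past the exact strings shown: any label name, `del`/`erase` with switches, and any `%N` argument are recognized.

```python
"""Triage helpers for the batch self-delete pattern (added example, not from
the original post). Recognises the
    :label / del %N / if exist %N goto label / del %0
loop and extracts the script and target paths from a `cmd.exe /c` command
line such as the one passed to CreateProcessA in the post."""

import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the post: the WriteFile buffer, CRLF line endings restored.
BATCH_FROM_POST = ":a\r\n@del %1\r\n@if exist %1 goto a\r\n@del %0"

# Constructed from the post: the CommandLine argument, debugger escaping
# removed; the space after /c is an assumption (the extraction dropped spaces).
CMDLINE_FROM_POST = (
    'cmd.exe /c ""C:\\DOCUME~1\\username\\LOCALS~1\\Temp\\02397659.bat" '
    '"C:\\Documents and Settings\\username\\Desktop\\hckf.exe""'
)


@dataclass
class SelfDeleteMatch:
    label: str          # the label the loop jumps back to
    target_arg: str     # the %N argument that is deleted in the loop
    deletes_self: bool  # whether the script removes itself (%0) afterwards


def parse_batch(text: str) -> list[str]:
    """Split batch text into normalized commands: CR/LF removed, the leading
    '@' (echo suppression) and surrounding whitespace stripped, blanks dropped."""
    cmds = []
    for line in text.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if line.startswith("@"):
            line = line[1:].strip()
        if line:
            cmds.append(line)
    return cmds


_LABEL = re.compile(r"^:(\w+)$")
_DEL = re.compile(r"^(?:del|erase)\s+(?:/\w\s+)*(%\d)$", re.IGNORECASE)
_LOOP = re.compile(r"^if\s+exist\s+(%\d)\s+goto\s+:?(\w+)$", re.IGNORECASE)
_DELSELF = re.compile(r"^(?:del|erase)\s+(?:/\w\s+)*%0$", re.IGNORECASE)


def find_self_delete_loop(text: str) -> Optional[SelfDeleteMatch]:
    """Return a match when the script keeps deleting an argument until it is
    gone. The loop exists because the dropper is still running (and its image
    locked) when cmd.exe starts, so the first del fails; once the dropper
    exits the del succeeds and the script usually removes itself via %0."""
    cmds = parse_batch(text)
    for i, cmd in enumerate(cmds):
        m_label = _LABEL.match(cmd)
        if not m_label:
            continue
        label = m_label.group(1)
        for j in range(i + 1, len(cmds) - 1):
            m_del = _DEL.match(cmds[j])
            m_loop = _LOOP.match(cmds[j + 1])
            if (m_del and m_loop and m_loop.group(1) == m_del.group(1)
                    and m_loop.group(2).lower() == label.lower()):
                deletes_self = any(_DELSELF.match(c) for c in cmds[j + 2:])
                return SelfDeleteMatch(label, m_del.group(1), deletes_self)
    return None


_CMD_C = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[cCkK]\s*(.*)$')
_QUOTED = re.compile(r'"([^"]*)"')


def parse_cmd_c(cmdline: str) -> Optional[tuple[str, list[str]]]:
    """Return (script, args) from a `cmd.exe /c ...` command line, or None.
    When the /c string starts with a quote and contains more than two quote
    characters, cmd strips the first and the last quote; that is why the
    post's command line is double-quoted at both ends."""
    m = _CMD_C.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if len(rest) >= 4 and rest.startswith('""') and rest.endswith('""'):
        rest = rest[1:-1]
    parts = _QUOTED.findall(rest) or rest.split()
    return (parts[0], parts[1:]) if parts else None


def triage(cmdline: str, batch_text: str) -> dict:
    """Combine both checks into one verdict with the paths a responder needs."""
    parsed = parse_cmd_c(cmdline)
    match = find_self_delete_loop(batch_text)
    if not (parsed and match):
        return {"is_self_delete": False}
    script, args = parsed
    idx = int(match.target_arg[1:]) - 1  # %1 -> args[0]
    return {
        "is_self_delete": True,
        "script": script,
        "deleted_file": args[idx] if 0 <= idx < len(args) else None,
        "script_deleted": match.deletes_self,
        "script_in_temp": "\\temp\\" in script.lower(),
    }


if __name__ == "__main__":
    print(triage(CMDLINE_FROM_POST, BATCH_FROM_POST))
```

Run against the post's values, `triage` reports the Temp-resident batch as the script, hckf.exe on the Desktop as the file being deleted, and that the batch removes itself afterwards. The `del %N` / `if exist %N goto` pairing is the part worth alerting on: a lone `del %1` in a batch file is common in legitimate scripts, the retry loop almost never is.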