One of the dropped files was hcp.dll, signed with a certificate.
File Header
The file was compiled with Visual Studio 6.0 at 30/08/2010 23:49:52 (taken from the PE file header; a linker timestamp is easy to forge, so treat it as an indication rather than proof).
It was captured by Mila on 07/09/2010, so it looks like it stayed undetected as an unknown 0-day for only about one week.
In the resource section, the version information reads:
Child Type: VarFileInfo
Translation: 1042/1200
1042 is the Microsoft language ID 0x0412 (Korean) and 1200 is the Unicode (UTF-16LE) code page, so the resource language is Korean Unicode, i.e. the language declared when the DLL's resources were built.
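The two header facts used above (the PE compile timestamp and the VarFileInfo Translation pair) are easy to pull out of a sample by hand, so here is an added, stdlib-only Python example written for this page; it is not code from the original post or from hcp.dll. It parses a VS_VERSIONINFO resource tree, decodes the Translation DWORD into language ID and code page, reads the StringFileInfo strings, and converts an IMAGE_FILE_HEADER.TimeDateStamp to UTC. SAMPLE_VERSION_INFO is constructed inline to carry the values the post quotes (1042/1200) and is not the real resource, and the timestamp value used in the demo is assumed to be UTC since the post does not give a timezone.

```python
"""Parse a PE VS_VERSIONINFO resource and decode VarFileInfo\\Translation.
Added example for this page, stdlib only; SAMPLE_VERSION_INFO is constructed
to carry the values the post quotes (1042/1200) and is not the real resource."""
import struct
from datetime import datetime, timezone

VS_FFI_SIGNATURE = 0xFEEF04BD  # dwSignature of VS_FIXEDFILEINFO

def _align4(n):
    return (n + 3) & ~3

def _read_node(buf, off):
    """One node: wLength, wValueLength, wType, NUL-terminated UTF-16LE szKey,
    DWORD padding, value, then children up to the end of the node."""
    length, value_len, wtype = struct.unpack_from("<HHH", buf, off)
    if length < 6:
        raise ValueError("corrupt node at offset %d" % off)
    end, pos = off + length, off + 6
    key_end = buf.index(b"\x00\x00", pos)
    while (key_end - pos) % 2:  # a 00 00 straddling two WCHARs is not the terminator
        key_end = buf.index(b"\x00\x00", key_end + 1)
    key = buf[pos:key_end].decode("utf-16-le")
    pos = _align4(key_end + 2)
    nbytes = value_len * 2 if wtype == 1 else value_len  # text values count WCHARs
    value = buf[pos:pos + nbytes]
    pos = _align4(pos + nbytes)
    children = []
    while pos + 6 <= end:
        child, pos = _read_node(buf, pos)
        children.append(child)
        pos = _align4(pos)
    return {"key": key, "type": wtype, "value": value, "children": children}, end

def parse_version_info(buf):
    root, _ = _read_node(buf, 0)
    if root["key"] != "VS_VERSION_INFO":
        raise ValueError("not a VS_VERSIONINFO resource")
    if struct.unpack_from("<I", root["value"])[0] != VS_FFI_SIGNATURE:
        raise ValueError("bad VS_FIXEDFILEINFO signature")
    return root

def translations(root):
    """[(lang_id, codepage), ...]: each Translation DWORD has the LANGID in its
    low word and the code page in its high word, so '<HH' reads them in order."""
    out = []
    for vfi in (c for c in root["children"] if c["key"] == "VarFileInfo"):
        for var in (v for v in vfi["children"] if v["key"] == "Translation"):
            for i in range(0, len(var["value"]) // 4 * 4, 4):
                out.append(struct.unpack_from("<HH", var["value"], i))
    return out

def string_table(root):
    """{name: value} from every StringFileInfo table."""
    return {s["key"]: s["value"].decode("utf-16-le").rstrip("\x00")
            for sfi in root["children"] if sfi["key"] == "StringFileInfo"
            for table in sfi["children"] for s in table["children"]}

LANGIDS = {0x0409: "English (US)", 0x0412: "Korean", 0x0804: "Chinese (PRC)"}
CODEPAGES = {1200: "Unicode (UTF-16LE)", 1252: "Windows-1252", 949: "Korean (Hangul)"}

def describe(lang, cp):
    return "%d/%d: %s, %s" % (lang, cp, LANGIDS.get(lang, "LANGID 0x%04X" % lang),
                              CODEPAGES.get(cp, "codepage %d" % cp))

def pe_timestamp_utc(time_date_stamp):
    """IMAGE_FILE_HEADER.TimeDateStamp: seconds since 1970 UTC, written by the
    linker and trivially forgeable, so a hint about build time, not proof."""
    return datetime.fromtimestamp(time_date_stamp, tz=timezone.utc)

# --- constructed sample resource (assumed values, not taken from hcp.dll) ----
def _pad4(b):
    return b + b"\x00" * (_align4(len(b)) - len(b))

def _node(key, wtype, value=b"", children=()):
    head = _pad4(b"\x00" * 6 + key.encode("utf-16-le") + b"\x00\x00")[6:]
    body = _pad4(value) if children else value
    kids = b"".join(_pad4(c) for c in children)
    value_len = len(value) // 2 if wtype == 1 else len(value)
    return struct.pack("<HHH", 6 + len(head) + len(body) + len(kids), value_len, wtype) + head + body + kids

_FIXED = struct.pack("<13I", VS_FFI_SIGNATURE, 0x10000, 0x10000, 0, 0x10000, 0,
                     0x3F, 0, 0x40004, 2, 0, 0, 0)  # VOS_NT_WINDOWS32, VFT_DLL
SAMPLE_VERSION_INFO = _node("VS_VERSION_INFO", 0, _FIXED, [
    _node("StringFileInfo", 1, children=[_node("041204B0", 1, children=[
        _node("OriginalFilename", 1, "hcp.dll\x00".encode("utf-16-le"))])]),
    _node("VarFileInfo", 1, children=[
        _node("Translation", 0, struct.pack("<HH", 0x0412, 0x04B0))]),  # 1042 / 1200
])

if __name__ == "__main__":
    info = parse_version_info(SAMPLE_VERSION_INFO)
    print([describe(lang, cp) for lang, cp in translations(info)], string_table(info))
    print(pe_timestamp_utc(1283212192).strftime("%d/%m/%Y %H:%M:%S UTC"))
```

On a real sample you would feed `parse_version_info` the raw bytes of the RT_VERSION resource (resource type 16) pulled from the PE resource directory; the walker handles any nesting of StringFileInfo and VarFileInfo nodes and stops at the node length, so a truncated or padded resource fails with a ValueError instead of being misread.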
The file is written in C++ with MFC.
Exported functions are:
The shellcode calls the exported function StartUp.
Decompiled hcp.dll
http://pastebin.com/vEzKptHN
My opinion:
1. The loader hcp.dll and the exploit were written by different people, judging by the difference in programming quality. The loader hcp.dll was written by a programmer with much lower skills, because it is written in C++ with MFC and does not use any firewall bypass technique.
2. It looks like hcp.dll carried a digital signature only to bypass AV.
3. If the loader file was built on a system with Korean as the default language (Korean Windows), then it came from Korea, not from China.
Nice analysis =)