Post infection
The shutdown function is executed as follows:
0040211F /. 55        PUSH EBP
00402120 |. 8BEC      MOV EBP,ESP
00402122 |. 83EC >    SUB ESP,10
00402125 |. 56        PUSH ESI
00402126 |. 8B75 >    MOV ESI,DWORD PTR SS:[EBP+8]
00402129 |. 57        PUSH EDI
0040212A |. 33FF      XOR EDI,EDI
0040212C |. 57        PUSH EDI
0040212D |. 8D86 >    LEA EAX,DWORD PTR DS:[ESI+58E]
00402133 |. 50        PUSH EAX
00402134 |. FF96 >    CALL DWORD PTR DS:[ESI+394]        ;kernel32.WinExec
With parameters:
Nopping that part out (select the code area in the CPU window, press space, type nop in the dialog box, and then press Enter) so that it does not execute, we reach:
0040213A |. 68 10>    PUSH 2710
0040213F |. FF96 >    CALL ...
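As an added example (not part of the book's text), this Python script re-parses the flattened OllyDbg listing of the shutdown function above and recovers the arguments handed to WinExec by pairing the PUSHes that precede the CALL with the callee's stdcall parameter names. The PROTOTYPES and SHOW_CMD tables and the embedded LISTING are constructed for this example (the parameter names are WinExec's documented ones); any other annotated import would need its own PROTOTYPES entry.

```python
import re

# Constructed test input: the flattened OllyDbg listing of the shutdown function,
# re-typed from the page above.
LISTING = (
    "0040211F /. 55 PUSH EBP 00402120 |. 8BEC MOV EBP,ESP 00402122 |. 83EC >SUB ESP,10 "
    "00402125 |. 56 PUSH ESI 00402126 |. 8B75 >MOV ESI,DWORD PTR SS:[EBP+8] "
    "00402129 |. 57 PUSH EDI 0040212A |. 33FF XOR EDI,EDI 0040212C |. 57 PUSH EDI "
    "0040212D |. 8D86 >LEA EAX,DWORD PTR DS:[ESI+58E] 00402133 |. 50 PUSH EAX "
    "00402134 |. FF96 >CALL DWORD PTR DS:[ESI+394] ;kernel32.WinExec"
)

# One OllyDbg CPU-window row: address, prefix column ("/." or "|."), opcode bytes
# (a trailing '>' means OllyDbg truncated them), mnemonic, operands, ';' comment.
ROW_RE = re.compile(
    r"(?P<addr>[0-9A-F]{8}) [|/\\]\.\s*"
    r"(?:[0-9A-F]{2,}(?: [0-9A-F]{2,})*?\s*>?)?\s*"
    r"(?P<mnem>[A-Z]+)(?: (?P<ops>[^;]*?))?"
    r"\s*(?:;(?P<cmt>.*?))?\s*(?=[0-9A-F]{8} [|/\\]\.|$)"
)

# Assumed lookup tables: stdcall parameter names of the imports we annotate, and
# the one uCmdShow value this listing uses (SW_HIDE is 0 in the Win32 headers).
PROTOTYPES = {"kernel32.WinExec": ["lpCmdLine", "uCmdShow"]}
SHOW_CMD = {"0": "SW_HIDE"}

def parse_rows(text):
    """Split a flattened listing into (addr, mnemonic, operands, comment) tuples."""
    return [(m["addr"], m["mnem"], (m["ops"] or "").strip(), (m["cmt"] or "").strip())
            for m in ROW_RE.finditer(text)]

def recover_call_args(text):
    """Track register zeroing/LEA and PUSHes; at each annotated CALL map the last
    PUSHes onto parameter names (the last PUSH is the first stdcall argument)."""
    regs, pushes, calls = {}, [], []
    for addr, mnem, ops, cmt in parse_rows(text):
        parts = [p.strip() for p in ops.split(",")]
        if mnem == "PUSH":
            pushes.append(regs.get(ops, ops))          # substitute a known register value
        elif mnem == "XOR" and len(parts) == 2 and parts[0] == parts[1]:
            regs[parts[0]] = "0"                        # XOR r,r zeroes r
        elif mnem == "LEA" and len(parts) == 2:
            regs[parts[0]] = parts[1].split("[")[1].rstrip("]")  # keep the address expression
        elif mnem == "CALL":
            names = PROTOTYPES.get(cmt, [])
            argmap = dict(zip(names, reversed(pushes[-len(names):]))) if names else {}
            if argmap.get("uCmdShow") in SHOW_CMD:
                argmap["uCmdShow"] += " (" + SHOW_CMD[argmap["uCmdShow"]] + ")"
            calls.append((addr, cmt or ops, argmap))
            pushes.clear()                              # the call consumed its arguments
    return calls
```

On the page's listing it reports lpCmdLine = ESI+58E, the string at offset 0x58E from the structure ESI points to (loaded from [EBP+8], the function's first argument), and uCmdShow = 0 (SW_HIDE), so the command runs without a visible window.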