r3v3rs3r.com - r3v3rs3r – A chain is only as strong as its weakest link

It has been a while since my last post, so I figured it's time to write something. Recently I stumbled on a piece of malware called Ponmocup, which is an interesting strain of malware, but since there is plenty written about it I won't go into its details. While analyzing the malware I noticed that all the strings it uses are encrypted and decrypted at runtime. The decryption loops are scattered all over the code (inlined), and the malware seems to use various methods to decrypt its strings, whereas other malware typically reuses one routine.

String decryption loop

1000B7C1 > \B9 30897B61        MOV ECX,617B8930
1000B7C6 . 898D 90F1FFFF       MOV DWORD PTR SS:[EBP-E70],ECX
1000B7CC . 33C0                XOR EAX,EAX
1000B7CE > 8985 88F1FFFF       MOV DWORD PTR SS:[EBP-E78],EAX
1000B7D4 . 83F8 1D             CMP EAX,1D
1000B7D7 . 73 1E               JNB SHORT 1100_300.1000B7F7
1000B7D9 . 81C1 5F6BA82E       ADD ECX,2EA86B5F
1000B7DF . 898D 90F1FFFF       MOV DWORD PTR SS:[EBP-E70],ECX
1000B7E5 . 33D2                XOR EDX,EDX
1000B7E7 . 8A1445 14070110     MOV DL,BYTE PTR DS:[EAX*2+10010714]
1000B7EE . 03D1                ADD EDX,ECX
1000B7F0 . 885405 C4           MOV BYTE PTR SS:[E
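The listing shows the whole scheme: a 32-bit running key is seeded with one immediate, bumped by a second immediate on every iteration, and only its low byte (DL) is added to each encrypted byte, which is read from a table at stride 2. As an added example (not code from the original post or from the malware), the following Python re-implements that loop so an analyst can recover the string from a dump of the byte table instead of stepping through it in a debugger. The seed, step, iteration count and stride are taken from the listing; the table contents, the store into a stack buffer and the EAX increment at the loop tail are assumptions, since the listing is cut off, and the sample data is constructed for the round-trip check.

```python
# Added example: emulation of the inline string-decryption loop from the listing.
# The constants below are read straight from the disassembly; everything else
# (the byte table contents, the store into a stack buffer, the EAX increment at
# the end of the loop) is an assumption, because the listing is cut off.

KEY_SEED = 0x617B8930    # MOV ECX,617B8930         initial running key
KEY_STEP = 0x2EA86B5F    # ADD ECX,2EA86B5F         added once per iteration
STRING_LEN = 0x1D        # CMP EAX,1D / JNB         29 iterations
TABLE_STRIDE = 2         # MOV DL,[EAX*2+10010714]  reads every second byte
MASK32 = 0xFFFFFFFF


def key_stream(seed=KEY_SEED, step=KEY_STEP, length=STRING_LEN):
    """Low byte of the running 32-bit key for each loop iteration.

    ECX wraps at 32 bits like the real ADD, and only DL is ever stored,
    so the effective per-byte key is ECX & 0xFF after the ADD.
    """
    ecx = seed
    for _ in range(length):
        ecx = (ecx + step) & MASK32
        yield ecx & 0xFF


def decrypt(table: bytes, seed=KEY_SEED, step=KEY_STEP,
            length=STRING_LEN, stride=TABLE_STRIDE) -> bytes:
    """Emulate the loop over a dump of the byte table.

    table[i*stride] is the encrypted byte the loop loads with EAX = i;
    (byte + ECX) & 0xFF is what ends up in the output buffer (assumed to
    be the stack buffer the truncated store instruction writes to).
    """
    if len(table) < length * stride:
        raise ValueError("table dump is shorter than the loop expects")
    out = bytearray()
    for i, k in enumerate(key_stream(seed, step, length)):
        out.append((table[i * stride] + k) & 0xFF)
    return bytes(out)


def encrypt(plain: bytes, seed=KEY_SEED, step=KEY_STEP,
            stride=TABLE_STRIDE) -> bytes:
    """Inverse of the loop, used here only to build constructed test data.

    Writes each plaintext byte minus its key byte at the offsets the loop
    reads and zero filler at the offsets it skips.
    """
    table = bytearray()
    for p, k in zip(plain, key_stream(seed, step, len(plain))):
        table.append((p - k) & 0xFF)
        table.extend(b"\x00" * (stride - 1))
    return bytes(table)


# Constructed sample: a 29-byte string, matching the loop count in the listing.
SAMPLE_PLAINTEXT = b"constructed sample string #01"
SAMPLE_TABLE = encrypt(SAMPLE_PLAINTEXT)


def demo() -> bytes:
    """Round-trip the constructed sample through the emulated loop."""
    recovered = decrypt(SAMPLE_TABLE)
    assert recovered == SAMPLE_PLAINTEXT
    return recovered


if __name__ == "__main__":
    print(demo().decode("ascii"))
```

Because the loops are inlined, each string gets its own seed, step, count and table address; pass those four values from the loop in question to `decrypt()` rather than relying on the defaults. The only state that matters for the output is the low byte of the running key, so a key step that is, say, a multiple of 256 would reduce the whole scheme to a single-byte add, which is worth checking when a loop looks stronger than it is.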