Remember we have seen a function call CryptDecrypt which might reveal the content of this. tmp file is encrypted, and thus we do not know what malware is doing in the underlying system. Let’s look at the handles and see what does this handle resolves to:īingo, this is what we were expecting it to read the. After placing a breakpoint, we ran the sample and below are the contents of the stack.Īs per Microsoft ReadFile function documentation, hFile is “A handle to the device (for example, a file, file stream, physical disk, volume, console buffer, tape drive, socket, communications resource, mailslot, or pipe).” This means this is a pointer to a file. We need to look at what is ReadFile reading, so we need to place a breakpoint at this statement. To see if our understanding is correct or not, let’s see ReadFile referencesīelow what we can see is the ReadFile reference in the code.
If you recall, we saw an encrypted version of a. This looks like specimen is trying to read some file and also call Windows decryption function.
Nice we see references to ReadFile and CryptDecrypt.
0 kommentar(er)
