The program process-injects the default web browser, Internet Explorer.
The shellcode buffer is located at 0x407030.
The shellcode is XOR-encoded with the single byte 0xe7.
The shellcode manually imports the following functions:
The shellcode connects to IP 192.168.200.2 on TCP port 13330.
The shellcode provides a remote shell (cmd.exe).
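The decoding step behind answers 2 and 3, as an added example that is not part of the original solution: the buffer is XORed with a single byte, so decoding is the same XOR applied again, and when the key is not yet known an analyst can brute-force all 256 keys and keep the one whose output contains the strings the payload is expected to carry (here "cmd.exe" and the C2 address 192.168.200.2 from the answers above). The encoded buffer in the script is constructed for the example and is not the lab's real shellcode; the key 0xe7 and the marker strings are the only values taken from the page.

```python
# Added example (not the lab's code): single-byte XOR decoding of an
# extracted shellcode buffer, plus key recovery by brute force using the
# strings the analysis expects the decoded payload to contain.

KEY = 0xE7                                   # key reported in the analysis
EXPECTED_STRINGS = [b"cmd.exe", b"192.168.200.2"]


def xor_decode(buf: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in buf)


def recover_key(buf: bytes, markers=EXPECTED_STRINGS) -> list:
    """Try all 256 single-byte keys; return those whose output holds every marker."""
    hits = []
    for k in range(256):
        dec = xor_decode(buf, k)
        if all(m in dec for m in markers):
            hits.append(k)
    return hits


def extract_strings(buf: bytes, min_len: int = 4) -> list:
    """Minimal 'strings': runs of printable ASCII at least min_len bytes long."""
    out, run = [], bytearray()
    for b in buf + b"\x00":          # trailing NUL flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


# CONSTRUCTED stand-in for the plaintext: a few opcode-like bytes around the
# strings a reverse-shell payload would embed. Not real shellcode.
PLAINTEXT = (b"\xfc\xe8\x00\x00\x00\x00\x60\x89\xe5"
             + b"cmd.exe\x00"
             + b"\x31\xc0\x64\xa1\x30\x00\x00\x00"
             + b"192.168.200.2\x00"
             + b"\xc3")
ENCODED = xor_decode(PLAINTEXT, KEY)         # what the analyst finds on disk


def decode_buffer(buf: bytes) -> tuple:
    """Recover the key and list the readable strings of the decoded buffer."""
    keys = recover_key(buf)
    if not keys:                              # no key produced the markers
        return None, []
    dec = xor_decode(buf, keys[0])
    return keys[0], extract_strings(dec)


if __name__ == "__main__":
    key, strs = decode_buffer(ENCODED)
    print(f"recovered key: {key:#04x}")      # recovered key: 0xe7
    print("strings:", strs)
```

When the marker strings are not known in advance, the same loop can score each candidate key by the number or length of printable runs instead; the single-byte XOR key space is small enough that trying all of it is always cheap.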
The malware starts by determining the default web browser by reading the registry value
HKCR\http\shell\open\command. The browser is created as a new
StartupInfo.wShowWindow value is set to
SW_HIDE, so the process is hidden from the user interface. Process-injecting the default web ...
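Parsing the registry value the malware reads, as an added example that is not part of the original solution: the (Default) value of HKCR\http\shell\open\command is a command line, not a bare path, so the executable has to be separated from its arguments (a quoted path, an unquoted path with spaces, or a handler such as rundll32.exe with a DLL argument). An analyst who does this on the analysis machine can predict which process the sample will launch hidden and inject. The sample command strings below are constructed; the optional live read assumes Python's standard winreg module on Windows and returns None elsewhere.

```python
# Added example (not the lab's code): extract the browser executable from
# the HKCR\http\shell\open\command value, handling the layouts that value
# takes in practice. Sample values are CONSTRUCTED for the example.
from typing import Optional


def browser_exe_from_command(command: str) -> str:
    """Return the executable path at the start of a shell\\open\\command string."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted path: everything up to the closing quote is the executable.
        end = command.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command value")
        return command[1:end]
    # Unquoted path: it may contain spaces, so grow the candidate token by
    # token until it ends in .exe; the rest of the line is arguments.
    tokens = command.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(".exe"):
            return candidate
    raise ValueError("no .exe found in command value")


def read_default_browser_command() -> Optional[str]:
    """Read the live (Default) value on Windows; None on other platforms."""
    try:
        import winreg                          # assumption: Windows host
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"http\shell\open\command") as k:
        value, _ = winreg.QueryValueEx(k, "")  # "" selects the (Default) value
    return value


# CONSTRUCTED examples of what the value can look like on different systems.
SAMPLE_COMMANDS = [
    '"C:\\Program Files\\Internet Explorer\\iexplore.exe" -nohome',
    'C:\\Program Files\\Internet Explorer\\iexplore.exe -nohome',
    '"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe" -osint -url "%1"',
    'C:\\Windows\\System32\\rundll32.exe "C:\\Windows\\System32\\url.dll",FileProtocolHandler %1',
]


def predicted_targets(commands=SAMPLE_COMMANDS) -> dict:
    """Map each command value to the process image the sample would launch."""
    return {c: browser_exe_from_command(c) for c in commands}


if __name__ == "__main__":
    live = read_default_browser_command()
    if live is not None:
        print("this host:", browser_exe_from_command(live))
    for cmd, exe in predicted_targets().items():
        print(f"{exe!r}  <-  {cmd!r}")
```

The rundll32.exe case matters for monitoring: if the http handler is not a browser at all, the hidden process the sample creates will not be iexplore.exe, and any alert written around that image name will miss it.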