Using binee to test the malware with md5 dcb14f117a32b786ff1506dc80f23370, the execution crashed with the following error:
[1] 0x212fc5d0: F kernel32.dll:GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xb7feffec) = 0xb7feffec
[1] 0x21303350: P kernel32.dll:GetCurrentProcessId() = 0x0
[1] 0x201233e0: P kernelbase.dll:GetCurrentProcessId() = 0x0
[1] 0x212f5c80: P kernel32.dll:GetCurrentThreadId() = 0x1001
[1] 0x21302950: F kernel32.dll:GetTickCount() = 0x5e68b40c
[1] 0x212fad70: F kernel32.dll:QueryPerformanceCounter(lpPerformanceCount = 0xb7feffe4) = 0x1
[1] 0x212fe750: F kernel32.dll:GetStartupInfoA(lpStartupInfo = 0xb7feff90) = 0xb7feff90
[1] 0x212ff1c0: F kernel32.dll:GetModuleHandleA(lpModuleName = '') = 0x400000
[1] 0x2370f600: P msvcrt.dll:__set_app_type(appType = 0x2) = 0x2
[1] 0x200eadd0: F kernelbase.dll:GetModuleHandleW(lpModuleName = '') = 0x400000
[1] 0x236eddb0: F msvcrt.dll:__p__fmode(mode = 0x406bfa) = 0x4000
Invalid Write unmapped: address = 0x4000, size = 0x4, value = 0x0
This happens because the function __p__fmode (and __p__commode) returns the static value 0x4000 and, since that address is unmapped, the execution halts.
I'm too new to emulation and malware analysis in general to give a concrete solution to this problem, but I think it is enough to always return an address that is mapped in memory.
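As an added illustration of the pointer problem (not binee's code: the Emu type, Map, Write32 and the two hook functions are hypothetical stand-ins for the emulator's memory map and its msvcrt hook table), this Go sketch shows the static-0x4000 hook faulting on the CRT's first store through the returned pointer, and a hook that hands back a lazily mapped slot instead:

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Emu is a toy stand-in for the emulator's address space (hypothetical, not binee's
// types): mapped regions keyed by base address, each backed by a byte slice.
type Emu struct {
	regions  map[uint64][]byte
	nextBase uint64 // base of the next region Map hands out
	fmode    uint64 // address of the emulated CRT _fmode global; 0 = not allocated yet
}

// Map reserves a fresh region and returns its base address.
func (e *Emu) Map(size uint64) uint64 {
	base := e.nextBase
	e.regions[base] = make([]byte, size)
	e.nextBase += size
	return base
}

// Write32 fails on an unmapped address, like the "Invalid Write unmapped" halt in the issue.
func (e *Emu) Write32(addr uint64, val uint32) error {
	for base, mem := range e.regions {
		if addr >= base && addr+4 <= base+uint64(len(mem)) {
			binary.LittleEndian.PutUint32(mem[addr-base:], val)
			return nil
		}
	}
	return fmt.Errorf("invalid write unmapped: address = %#x, size = 0x4, value = %#x", addr, val)
}

// PFmodeStatic reproduces the reported hook: a hard-coded 0x4000 that is never mapped.
func PFmodeStatic(e *Emu) uint64 { return 0x4000 }
// PFmodeMapped is the suggested fix: lazily map a slot for _fmode and always return it.
func PFmodeMapped(e *Emu) uint64 {
	if e.fmode == 0 {
		e.fmode = e.Map(0x1000)
	}
	return e.fmode
}
// CrtInit models the CRT start-up step after __p__fmode: store 0 (_O_TEXT) through the pointer.
func CrtInit(e *Emu, pFmode func(*Emu) uint64) error { return e.Write32(pFmode(e), 0) }
func main() {
	e := &Emu{regions: map[uint64][]byte{}, nextBase: 0x10000000}
	fmt.Println("static hook:", CrtInit(e, PFmodeStatic)) // invalid write unmapped: address = 0x4000 ...
	fmt.Println("mapped hook:", CrtInit(e, PFmodeMapped)) // <nil>
}
```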