Wow! You’ve actually managed to complete this. Nice!
So is this the original DLL that would be executed after the decryption process? Or perhaps injected after memory is mapped and a suitable process is found to be injected into?
I’m interested to know what this does… And where it calls back.
Further investigation pulls up a few more things. Firstly, looking inside the DLL, I grepped for IP addresses with a regex and found these:
Obviously the last one doesn't work as an IP; 840 is > 255.
Now the first two appear to be very obscure and simple as IPs. Since we are not looking in any context, it is impossible to know what they do. A GeoIP lookup of the IPs maps
184.108.40.206 to Taiwan, Taipei,
220.127.116.11 to Guangdong, Guangdong
Both are Asian IPs in the same timezone; geographically they're fairly near. I could be reading too much into this, but it feels like a large coincidence that two IP addresses are both located in Asia.
Looking more into those strings I am finding:
Some other IP-looking things:
What seems to be an open-source licence include...
/* This is an independent implementation of the encryption algorithm: */
/* RIJNDAEL by Joan Daemen and Vincent Rijmen */
/* which is a candidate algorithm in the Advanced Encryption Standard */
/* programme of the US National Institute of Standards and Technology. */
/* Copyright in this implementation is held by Dr B R Gladman but I */
/* hereby give permission for its free direct or derivative use subject */
/* to acknowledgment of its origin and compliance with any conditions */
/* that the originators of the algorithm place on its exploitation. */
/* Dr Brian Gladman ([email protected]) 14th January 1999 */
Links to trial and activation?
And another link to Enigma...
Looking through this, I'd like to run it and see what's going on in a sandbox. But I am afraid it will escape and/or notice and change its behaviour.
Perhaps we need some bare metal with a firewall on a switch… This could get interesting… Who wants to try it?
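The "grep the DLL for IP addresses" step in the post above, as an added example (editor's Python, not code from the original poster or from the DLL under discussion). It does what a plain grep does not: it also scans UTF-16LE strings, which is how Windows PE files commonly store string data, and it runs every dotted-quad candidate through validation so that non-addresses (an octet above 255, as with the 840 the poster hit; OID arcs such as 1.2.840.* from crypto code are a frequent source of these) are reported as junk rather than looked up. Routable addresses are separated from loopback/private/multicast ones, and each ASCII hit comes with its surrounding printable string so that the "what context does it sit in" question can be answered. The sample blob is constructed; the two public addresses in it are the ones quoted in the post.

```python
"""Extract IPv4-looking strings from a binary blob and separate real addresses from junk.

Added example for this thread; not code from the original post or from the
sample being discussed. SAMPLE below is constructed.
"""
import ipaddress
import re

# Loose pattern, equivalent to a quick grep: four dot-separated runs of 1-3 digits.
# Deliberately permissive so that non-addresses (OID arcs like 1.2.840.*, four-part
# version numbers) surface and get rejected by validation instead of being missed.
ASCII_QUAD = re.compile(rb"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# Same shape in UTF-16LE (each ASCII char followed by a NUL byte), which is how
# many Windows PE files store string data; a byte-oriented grep misses these.
WIDE_QUAD = re.compile(
    rb"(?:\d\x00){1,3}\.\x00(?:\d\x00){1,3}\.\x00(?:\d\x00){1,3}\.\x00(?:\d\x00){1,3}"
)


def classify(text: str) -> str:
    """'invalid' if text cannot be an IPv4 address, 'reserved' if it is one but is
    not routable on the Internet (private, loopback, multicast, ...), 'public' otherwise."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:  # e.g. an octet above 255, like the 840 in the post
        return "invalid"
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "reserved"
    return "public"


def printable_context(blob: bytes, start: int, end: int, width: int = 24) -> str:
    """The printable-ASCII run surrounding blob[start:end]: the string the hit sits in."""
    lo, hi = start, end
    while lo > max(0, start - width) and 0x20 <= blob[lo - 1] < 0x7F:
        lo -= 1
    while hi < min(len(blob), end + width) and 0x20 <= blob[hi] < 0x7F:
        hi += 1
    return blob[lo:hi].decode("ascii", "replace")


def find_ipv4_candidates(blob: bytes) -> list[dict]:
    """Every dotted-quad in blob with offset, encoding, verdict and context.
    Context is only reconstructed for ASCII hits; wide hits carry their own text."""
    hits = []
    for pat, enc in ((ASCII_QUAD, "ascii"), (WIDE_QUAD, "utf-16-le")):
        for m in pat.finditer(blob):
            text = m.group(0).decode(enc)
            hits.append({
                "offset": m.start(),
                "encoding": enc,
                "text": text,
                "verdict": classify(text),
                "context": printable_context(blob, m.start(), m.end()) if enc == "ascii" else text,
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def summarize(blob: bytes) -> dict:
    """Candidate texts grouped by verdict, in file order. The 'public' bucket is the
    short list worth a GeoIP/whois lookup and a look at the surrounding code."""
    buckets = {"public": [], "reserved": [], "invalid": []}
    for h in find_ipv4_candidates(blob):
        buckets[h["verdict"]].append(h["text"])
    return buckets


# Constructed stand-in for a DLL's string data: a few strings glued together with
# padding. The two public addresses are the ones quoted in the post above.
SAMPLE = (
    b"\x00" * 8
    + b"host=184.108.40.206\x00"
    + b"\x90" * 4
    + b"220.127.116.11:8080\x00"
    + b"1.2.840.113549.1.1.1\x00"   # rsaEncryption OID: a classic false positive
    + b"\x00\x00"
    + "127.0.0.1".encode("utf-16-le") + b"\x00\x00"
    + b"10.0.0.5\x00"
)


if __name__ == "__main__":
    for h in find_ipv4_candidates(SAMPLE):
        print(f"{h['offset']:#08x} {h['encoding']:<9} {h['verdict']:<8} "
              f"{h['text']:<16} {h['context']!r}")
```

To use it on a real file, replace SAMPLE with `open(path, "rb").read()`. Note that a valid, public address is still only a candidate: a four-part version string or a hard-coded DNS server can pass validation, so the `context` field and the code that references the string's address are what turn a hit into a finding.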