Quick analysis note about DealPly (Adware)
Published: 2021-05-11 · Archived: 2026-04-10 03:19:04 UTC
3 Votes
Overview
Some information about DealPly can be found here:
DealPly adware abuses Microsoft, McAfee services to evade detection
Adware.DealPly
The post focuses on the following main sections:
Unpack wrapper/loader to get main Dll payload.
Decrypt C2url and strings are used in the malware code.
Sample:
SHA-256: 40584f79d109a18b1c4ea7e75a945324978652b6afcc9efbe62241717f0b4685
Unpacking wrapper/loader to get main DLL payload
Most of the DealPly loaders are coded in Delphi. When it runs without parameter, it only shows the following
form:
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 1 of 20
When executing with parameters, it unpacks a DLL to allocated memory. This DLL will be mainly responsible for
connecting and interacting with C2. For unpacking, place breakpoint at VirtualAlloc , execute the program and
follow the allocated memory region. Keep watching until the loader unpack a new PE (which is a dll), but it was
destroyed all relevant information about DOS_HEADER and NT_HEADERS :
Dump and fix DOS_HEADER and NT_HEADERS will get the correct main Dll:
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 2 of 20
Analysis of DLL payload
Decrypt C2Url
Load the above dumped Dll file into IDA, go to the code of the Run function. Here, it calls f_main_proc
function. The f_main_proc accepts the passed parameters, in which the third parameter is encoded C2.
Diving into the code of f_main_proc will find the function responsible for performing the decoding of the
malware’s C2:
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 3 of 20
The code at the f_tranform_c2Url function will recalculate the bytes of enC2Url :
After completing the transform process, call to f_decrypt_c2Url function to perform decoding to C2. In essence,
the function f_decrypt_c2Url function will perform xor to decrypt, xor_key is calculated from the last 2
bytes of the transformed enC2Url above:
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 4 of 20
With all the above information and pseudo-code, I rewrote the code that performs decoding C2 in Python as
follows:
import numpy as np
#----------------------------------------------------------------------
def calc_value(c, val_0x2C):
""""""
tmp = val_0x2C - 0x2B
if tmp:
tmp2 = tmp - 2
if tmp2:
if (tmp2 == 1):
c = c + 0x85
else:
c = c & 0xFF
else:
c = c + 0x4B
else:
c = c - 0x30
if (c < 0 or c > 0xFF):
c = 0x3F
return c
#----------------------------------------------------------------------
def int_to_bytes(value, length):
""""""
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 5 of 20
result = []
for i in range(0, length):
result.append(value >> (i * 8) & 0xff)
return result
#----------------------------------------------------------------------
def decrypt_c2url(encUrl, xor_tbl):
""""""
c2_url = ""
dec_c2 = []
j = 0
len_c2 = len(encUrl)
if len_c2 >= 4:
i = len_c2 / 4
if (len_c2/4 -1 >= 0):
counter = len_c2/4
while counter:
for k in range(len(xor_tbl)):
dec_c2.append(encUrl[j] ^ xor_tbl[j%len(xor_tbl)])
j+=1
counter-=1
j = 0
if (len_c2 >= 4 *i +1):
counter = len_c2 - 4 * i
idx = 4 * i + 1
while counter:
dec_c2.append(encUrl[idx-1] ^ xor_tbl[j])
j = (j + 1) % 4
idx +=1
counter-=1
for i in dec_c2:
c2_url += chr(i)
return c2_url
#----------------------------------------------------------------------
def main():
""""""
C2_transform = [0] * len(encC2)
tmp_tbl = []
val_0x2C = 0x2C
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 6 of 20
i = 1
j = 1
while j <= len(encC2):
c = encC2[j -1]
j+=1
if ((c - 0x2B) >= 4):
calced_val = calc_value(c, val_0x2C)
C2_transform[i-1] = calced_val
i+=1
elif (c == val_0x2C):
if (j > len(encC2)):
break
C2_transform[i-1] = encC2[j-1]
i+=1
j+=1
else:
val_0x2C = c
C2_transform = np.trim_zeros(C2_transform)
tmp_tbl = C2_transform[len(C2_transform)-2:len(C2_transform)]
C2_transform = C2_transform[:len(C2_transform)-2]
tmp_val = ((tmp_tbl[1] + (tmp_tbl[0] << 8)) & 0xF) + 0x10 * (tmp_tbl[1] & 0xF0) + (((tmp_tbl[1] +
xor_tbl = int_to_bytes(tmp_val, 4)
print decrypt_c2url(C2_transform, xor_tbl)
Execute the above script and check the results. As the result, this sample will connect to buluw[.]com :
Decrypt strings
All strings used by malware are encrypted and only decrypt when needed. Through the analysis of the code will
find the function responsible for decoding:
The code at this function is as follows:
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 7 of 20
As above picture, f_decrypt_string function will take as the argument of the address that contains the pointer to
the encrypted string (ex: off_41C174 ). The function responsible for performing the decryption is
f_decrypt_str , which takes an additional parameter g_calc_tbl – this is table contains 256 elements, used for
the calculation. The code at f_decrypt_str function looks like this:
Based on the pseudo-code analyzed above, I rewrote the idapython script that decodes all the strings as follows:
import idc
import idautils
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 8 of 20
dec_routine = 0x00414AA8
calc_tbl = [0x00, 0xD3, 0xBA, 0x30, 0xD7, 0xD8, 0xC1, 0xC9, 0xEB, 0x84, 0xAD, 0x88, 0x9C, 0x47, 0x74
#----------------------------------------------------------------------
def get_encrypted_bytes(addr):
""""""
enc_bytes = []
enc_bytes_addr = idc.get_wide_dword(idc.get_operand_value(addr,1))
while idc.get_wide_byte(enc_bytes_addr) != 0x0:
enc_bytes.append(idc.get_wide_byte(enc_bytes_addr))
enc_bytes_addr += 1
return enc_bytes
#----------------------------------------------------------------------
def decrypt(enc_str):
""""""
plaint_t = ""
decStr = [0] * len(enc_str)
calc_tbl_val = calc_tbl[enc_str[0]]
tmp1 = calc_tbl_val % 7
tmp2 = calc_tbl_val % 9
strLen = len(enc_str) - 1
j = 2
for i in range(strLen):
c = calc_tbl[enc_str[j-1]] - tmp2 * (j - 1)
decStr[j-1] = c & 0xFF
j+= 1
for i in decStr[tmp1+1:]:
plaint_t+= chr(i)
return plaint_t
#----------------------------------------------------------------------
def decrypt_strings(func_addr):
""""""
for x in idautils.XrefsTo(func_addr, 0):
org_addr = x.frm
curr_addr = x.frm
addr_minus_20 = curr_addr - 20
while curr_addr >= addr_minus_20:
curr_addr = idc.prev_head(curr_addr)
if 'edx' in idc.print_operand(curr_addr, 0) and idc.get_operand_type(curr_addr, 1) == idc
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 9 of 20
enc_bytes = get_encrypted_bytes(curr_addr)
dec_str = decrypt(enc_bytes)
print("org_addr: %s, decrypted string: %s" % (hex(org_addr), dec_str))
idc.set_cmt(org_addr, dec_str, 0)
elif 'eax' in idc.print_operand(curr_addr, 0) and idc.get_operand_type(curr_addr, 1) == i
enc_bytes = get_encrypted_bytes(curr_addr)
dec_str = decrypt(enc_bytes)
print("org_addr: %s, decrypted string: %s" % (hex(org_addr), dec_str))
idc.set_cmt(org_addr, dec_str, 0)
#----------------------------------------------------------------------
def main():
""""""
decrypt_strings(dec_routine)
if __name__ == '__main__':
main()
Executing the above script:
All the strings are decrypted:
org_addr: 0x405529, decrypted string: IPHLPAPI.dll
org_addr: 0x40555f, decrypted string: GetIfTable
org_addr: 0x40558e, decrypted string: GetAdaptersInfo
org_addr: 0x4055bd, decrypted string: GetNetworkParams
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 10 of 20
org_addr: 0x4059a1, decrypted string: 00155D
org_addr: 0x4059c7, decrypted string: 0003FF
org_addr: 0x4059ed, decrypted string: 0050F2
org_addr: 0x405a13, decrypted string: 000D3A
org_addr: 0x405a38, decrypted string: AZR
org_addr: 0x405a51, decrypted string: 123139
org_addr: 0x405a77, decrypted string: 22000A
org_addr: 0x405a9c, decrypted string: AMZ
org_addr: 0x405ab5, decrypted string: 000C29
org_addr: 0x405adb, decrypted string: 000569
org_addr: 0x405b01, decrypted string: 001C14
org_addr: 0x405b27, decrypted string: 005056
org_addr: 0x405b4c, decrypted string: VMW
org_addr: 0x405b65, decrypted string: 001C42
org_addr: 0x405b8a, decrypted string: PRL
org_addr: 0x405ba3, decrypted string: 00163E
org_addr: 0x405bc8, decrypted string: XEN
org_addr: 0x405be1, decrypted string: 080027
org_addr: 0x405c0c, decrypted string: VBX
org_addr: 0x405cbd, decrypted string: VMW
org_addr: 0x405ce2, decrypted string: XEN
org_addr: 0x405d80, decrypted string: 00059A3C7800
org_addr: 0x405da4, decrypted string: 000000
org_addr: 0x405dc1, decrypted string: 000000
org_addr: 0x405de6, decrypted string: 005345000000
org_addr: 0x405e0a, decrypted string: 00F1D000F1D0
org_addr: 0x405e2e, decrypted string: 00A0C6000000
org_addr: 0x405e52, decrypted string: 000000000010
org_addr: 0x405e76, decrypted string: 000000000030
org_addr: 0x405e9a, decrypted string: 028037EC0200
org_addr: 0x405ebe, decrypted string: FFFFFFF
org_addr: 0x405edb, decrypted string: FFFFF
org_addr: 0x406355, decrypted string: ldr1
org_addr: 0x406398, decrypted string: ldr2
org_addr: 0x406444, decrypted string: ShellExecuteA
org_addr: 0x406461, decrypted string: shell32.dll
org_addr: 0x4064d4, decrypted string: ShellExecuteExA
org_addr: 0x4064f1, decrypted string: shell32.dll
org_addr: 0x4069c6, decrypted string: wininet.dll
org_addr: 0x4069fa, decrypted string: http://
org_addr: 0x406a20, decrypted string: https://
org_addr: 0x406a46, decrypted string: InternetOpenA
org_addr: 0x406a72, decrypted string: InternetConnectA
org_addr: 0x406a9e, decrypted string: HttpOpenRequestA
org_addr: 0x406aca, decrypted string: HttpAddRequestHeadersA
org_addr: 0x406af6, decrypted string: HttpSendRequestA
org_addr: 0x406b22, decrypted string: HttpQueryInfoA
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 11 of 20
org_addr: 0x406b4e, decrypted string: InternetReadFile
org_addr: 0x406b7a, decrypted string: InternetCloseHandle
org_addr: 0x407369, decrypted string: POST
org_addr: 0x4073a0, decrypted string: GET
org_addr: 0x4074bb, decrypted string: Host:
org_addr: 0x4074f8, decrypted string: Accept: */*
org_addr: 0x407575, decrypted string: Host:
org_addr: 0x4075ca, decrypted string: Accept:
org_addr: 0x409145, decrypted string: kernel32.dll
org_addr: 0x40916e, decrypted string: VirtualAlloc
org_addr: 0x409235, decrypted string: $SIG
org_addr: 0x409495, decrypted string: kernel32.dll
org_addr: 0x4094be, decrypted string: VirtualAlloc
org_addr: 0x409585, decrypted string: $SIG
org_addr: 0x409700, decrypted string: Run
org_addr: 0x409947, decrypted string: RunEX
org_addr: 0x409982, decrypted string: https://
org_addr: 0x40999d, decrypted string: http://
org_addr: 0x4099fe, decrypted string: Run
org_addr: 0x409af4, decrypted string: $UpdateSRV
org_addr: 0x409b21, decrypted string: $UpdateLTR
org_addr: 0x409c53, decrypted string: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
org_addr: 0x409c73, decrypted string: Hidden
org_addr: 0x409cd0, decrypted string: HideFileExt
org_addr: 0x409d2a, decrypted string: ShowSuperHidden
org_addr: 0x409e5c, decrypted string: CD_UIDC
org_addr: 0x409e80, decrypted string: CD_ins_guid
org_addr: 0x409ea4, decrypted string: CD_host_guid
org_addr: 0x409ec8, decrypted string: CD_iv
org_addr: 0x409eec, decrypted string: CD_aflt
org_addr: 0x409f16, decrypted string: a
org_addr: 0x409f40, decrypted string: aflt
org_addr: 0x409f64, decrypted string: uidp
org_addr: 0x409f88, decrypted string: IDT
org_addr: 0x409fbd, decrypted string: UID=
org_addr: 0x409ff3, decrypted string: &UID2=
org_addr: 0x40a02c, decrypted string: &UIDC=
org_addr: 0x40a067, decrypted string: &mguid=
org_addr: 0x40a0b0, decrypted string: &uidp=
org_addr: 0x40a0eb, decrypted string: &AppName=
org_addr: 0x40a116, decrypted string: &State=
org_addr: 0x40a151, decrypted string: &ins_guid=
org_addr: 0x40a17c, decrypted string: &host_guid=
org_addr: 0x40a1b7, decrypted string: &iv=
org_addr: 0x40a1e2, decrypted string: &aflt=
org_addr: 0x40a21d, decrypted string: &IDT=
org_addr: 0x40a248, decrypted string: &IRTYP=
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 12 of 20
org_addr: 0x40a286, decrypted string: &IRVER=
org_addr: 0x40a2c3, decrypted string: &OS=
org_addr: 0x40a308, decrypted string: &SV=
org_addr: 0x40a359, decrypted string: &lptp=1
org_addr: 0x40a38b, decrypted string: &lptp=0
org_addr: 0x40a3c1, decrypted string: &btry=1
org_addr: 0x40a3f3, decrypted string: &btry=0
org_addr: 0x40a426, decrypted string: &VMC=
org_addr: 0x40a46f, decrypted string: ®=
org_addr: 0x40a4a0, decrypted string: CDATA
org_addr: 0x40a4da, decrypted string: SOFTWARE\
org_addr: 0x40a564, decrypted string: &Src=
org_addr: 0x40a5b6, decrypted string: src.dat
org_addr: 0x40a642, decrypted string: &Lang=
org_addr: 0x40a690, decrypted string: &Lang=
org_addr: 0x40a6de, decrypted string: &ADVF=
org_addr: 0x40a734, decrypted string: &FS=
org_addr: 0x40a79f, decrypted string: &sha=
org_addr: 0x40a7f6, decrypted string: &st_dt=
org_addr: 0x40a867, decrypted string: &ParamALL=
org_addr: 0x40a9e9, decrypted string: UnNM
org_addr: 0x40accc, decrypted string: Date:
org_addr: 0x40af23, decrypted string: &Admin=1
org_addr: 0x40af49, decrypted string: &Admin=0
org_addr: 0x40af70, decrypted string: &Idle=
org_addr: 0x40afac, decrypted string: &TDY=
org_addr: 0x40afe3, decrypted string: <DY=
org_addr: 0x40b028, decrypted string: &TDYC=
org_addr: 0x40b0c3, decrypted string: https://
org_addr: 0x40b0e4, decrypted string: http://
org_addr: 0x40b158, decrypted string: Location:
org_addr: 0x40b377, decrypted string: script
org_addr: 0x40b3ac, decrypted string: Flags=
org_addr: 0x40b3ed, decrypted string: CHECK
org_addr: 0x40b589, decrypted string: DFN
org_addr: 0x40b81a, decrypted string: UpdTask.exe
org_addr: 0x40b840, decrypted string: SynHelper.exe
org_addr: 0x40b866, decrypted string: Updane.exe
org_addr: 0x40b892, decrypted string: Sync.exe
org_addr: 0x40b8be, decrypted string: ProductUpdt.exe
org_addr: 0x40b8ea, decrypted string: SyncTask.exe
org_addr: 0x40b913, decrypted string: SyncVersion.exe
org_addr: 0x40b956, decrypted string: .exe
org_addr: 0x40ba7e, decrypted string: https://
org_addr: 0x40ba99, decrypted string: http://
org_addr: 0x40bae0, decrypted string: CR
org_addr: 0x40bb1a, decrypted string: CD
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 13 of 20
org_addr: 0x40bb94, decrypted string: &uid=
org_addr: 0x40bbc3, decrypted string: &ins_guid=
org_addr: 0x40bbf2, decrypted string: &host_guid=
org_addr: 0x40bc21, decrypted string: &iv=
org_addr: 0x40bc59, decrypted string: &AL=
org_addr: 0x40bc8e, decrypted string: a
org_addr: 0x40bcc4, decrypted string: aflt
org_addr: 0x40bcf4, decrypted string: CD_UIDC
org_addr: 0x40bd27, decrypted string: CD_ins_guid
org_addr: 0x40bd5a, decrypted string: CD_host_guid
org_addr: 0x40bd8d, decrypted string: CD_iv
org_addr: 0x40bdc0, decrypted string: CD_aflt
org_addr: 0x40bdf3, decrypted string: CD_AL
org_addr: 0x40be3b, decrypted string: CD
org_addr: 0x40be8a, decrypted string: Local_Inst_DT
org_addr: 0x40bebb, decrypted string: SNR_FAIL
org_addr: 0x40bef0, decrypted string: URL
org_addr: 0x40bf23, decrypted string: AppName
org_addr: 0x40bf59, decrypted string: uidp
org_addr: 0x40bf9c, decrypted string: UDAT0
org_addr: 0x40bfee, decrypted string: UDAT0
org_addr: 0x40c021, decrypted string: RKL
org_addr: 0x40c06c, decrypted string: RVL
org_addr: 0x40c0ad, decrypted string: RKL
org_addr: 0x40c0e0, decrypted string: RVL
org_addr: 0x40c113, decrypted string: RLM
org_addr: 0x40c158, decrypted string: RLM
org_addr: 0x40c1eb, decrypted string: Inst_DT
org_addr: 0x40c221, decrypted string: IRVER
org_addr: 0x40c26d, decrypted string: IRBVER
org_addr: 0x40c2b5, decrypted string: IRTYP
org_addr: 0x40c2f4, decrypted string: TodayFN
org_addr: 0x40c327, decrypted string: TodayCntFN
org_addr: 0x40c906, decrypted string: SDT
org_addr: 0x40c9c2, decrypted string: Src
org_addr: 0x40c9fc, decrypted string: src.dat
org_addr: 0x40cad5, decrypted string: .del
org_addr: 0x40cbb2, decrypted string: nosct
org_addr: 0x40cd96, decrypted string: noun
org_addr: 0x40cde6, decrypted string: /Uninstall
org_addr: 0x40ce13, decrypted string: DelSelfDir
org_addr: 0x40ce40, decrypted string: /GID=
org_addr: 0x40ce9d, decrypted string: ProdName
org_addr: 0x40cefd, decrypted string: prod.dat
org_addr: 0x40d01e, decrypted string: BkScript
org_addr: 0x40d13f, decrypted string: Flags=
org_addr: 0x40d19c, decrypted string: Install
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 14 of 20
org_addr: 0x40d52b, decrypted string: UReg
org_addr: 0x40d610, decrypted string: UFile
org_addr: 0x40d6a8, decrypted string: UDAT
org_addr: 0x40d749, decrypted string: UExFile
org_addr: 0x40d8e2, decrypted string: Uninstall
org_addr: 0x40d918, decrypted string: Update Service
org_addr: 0x40d93a, decrypted string: Uninstall completed successfully. Please restart your computer
org_addr: 0x40d9a3, decrypted string: &APN=
org_addr: 0x40d9cb, decrypted string: &S=Uninstall&IDT=
org_addr: 0x40d9f3, decrypted string: IDT
org_addr: 0x40da3c, decrypted string: &DT=
org_addr: 0x40da67, decrypted string: &IRTYP=
org_addr: 0x40daa5, decrypted string: &IRVER=
org_addr: 0x40dad2, decrypted string: &UID=
org_addr: 0x40db49, decrypted string: BkScript
org_addr: 0x40dba9, decrypted string: config.dat
org_addr: 0x40dd1c, decrypted string: DelSelfDir
org_addr: 0x40dea9, decrypted string: Update Service
org_addr: 0x40decb, decrypted string: Uninstall
org_addr: 0x40defd, decrypted string: update process?
org_addr: 0x40df56, decrypted string: Uninstall must Reboot your computer to delete files.
org_addr: 0x40df75, decrypted string: Continue with uninstall?
org_addr: 0x40dfec, decrypted string: Uninstall necessario riavviare il computer per eliminare i file
org_addr: 0x40e00b, decrypted string: Continuare con la disinstallazione?
org_addr: 0x40e02f, decrypted string: Désinstaller devez redémarrer votre ordinateur pour supprimer
org_addr: 0x40e04e, decrypted string: Continuer la désinstallation?
org_addr: 0x40e072, decrypted string: Uninstall müssen Starten Sie Ihren Computer, um Dateien zu lös
org_addr: 0x40e091, decrypted string: Fahren Sie mit dem deinstallieren?
org_addr: 0x40e0b5, decrypted string: Uninstall deve reiniciar o computador para apagar arquivos.
org_addr: 0x40e0d4, decrypted string: Continue com a desinstalação?
org_addr: 0x40e0f5, decrypted string: Desinstalación debe reiniciar el equipo para eliminar archivos
org_addr: 0x40e114, decrypted string: Continúe con la desinstalación?
org_addr: 0x40e135, decrypted string: Desinstalación debe reiniciar el equipo para eliminar archivos
org_addr: 0x40e154, decrypted string: Continúe con la desinstalación?
org_addr: 0x40e17b, decrypted string: Update Service
org_addr: 0x40e1e0, decrypted string: noun
org_addr: 0x40e210, decrypted string: GID
org_addr: 0x40e2a9, decrypted string: /DoUninstall
org_addr: 0x40e2d2, decrypted string: /Uninstall
org_addr: 0x40e497, decrypted string: $UpdateSRV
org_addr: 0x40e4e1, decrypted string: $UpdateLTR
org_addr: 0x40e66d, decrypted string: script
org_addr: 0x40e6a2, decrypted string: Flags=
org_addr: 0x40e6e3, decrypted string: CHECK
org_addr: 0x40eac4, decrypted string: Update
org_addr: 0x40eadf, decrypted string: Install
org_addr: 0x40eaf8, decrypted string: Flags=
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 15 of 20
org_addr: 0x40eb50, decrypted string: IDT
org_addr: 0x40ec04, decrypted string: https://
org_addr: 0x40ec1f, decrypted string: http://
org_addr: 0x40ec41, decrypted string: /sanity/
org_addr: 0x40ef16, decrypted string: Ver
org_addr: 0x40ef38, decrypted string: DT:
org_addr: 0x40ef69, decrypted string: Ver:
org_addr: 0x40ef9f, decrypted string: BVer:
org_addr: 0x40efd5, decrypted string: Typ:
org_addr: 0x40f14e, decrypted string: nx
org_addr: 0x41045c, decrypted string: user32.dll
org_addr: 0x41048e, decrypted string: OemToCharA
org_addr: 0x41092a, decrypted string: kernel32.dll
org_addr: 0x410966, decrypted string: GetVersionExA
org_addr: 0x410a6b, decrypted string: ProductName
org_addr: 0x410a93, decrypted string: \Software\Microsoft\Windows NT\CurrentVersion\
org_addr: 0x410e2c, decrypted string: kernel32.dll
org_addr: 0x410e54, decrypted string: GetFileSize
org_addr: 0x411055, decrypted string:
org_addr: 0x411075, decrypted string:
org_addr: 0x411202, decrypted string: SYSTEM
org_addr: 0x411233, decrypted string: InteractiveToken
org_addr: 0x411260, decrypted string: HighestAvailableLeastPrivilege
org_addr: 0x4112c0, decrypted string:
org_addr: 0x4112ef, decrypted string:
org_addr: 0x411327, decrypted string:
org_addr: 0x411362, decrypted string: true
org_addr: 0x41139d, decrypted string: false
org_addr: 0x4113d8, decrypted string: false
org_addr: 0x411413, decrypted string: false
org_addr: 0x41144e, decrypted string: PT0S
org_addr: 0x411489, decrypted string: false
org_addr: 0x4114c4, decrypted string: false
org_addr: 0x4114ff, decrypted string: 5
org_addr: 0x41153a, decrypted string:
org_addr: 0x411575, decrypted string:
org_addr: 0x4115b0, decrypted string:
org_addr: 0x4115eb, decrypted string: <#PROGRAM#>
org_addr: 0x411626, decrypted string: <#PARAMS#>
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 16 of 20
org_addr: 0x411661, decrypted string:
org_addr: 0x41169c, decrypted string:
org_addr: 0x4116d7, decrypted string:
org_addr: 0x411729, decrypted string: <#PROGRAM#>
org_addr: 0x41176f, decrypted string: <#PARAMS#>
org_addr: 0x411833, decrypted string:
org_addr: 0x411854, decrypted string:
org_addr: 0x411899, decrypted string:
org_addr: 0x4118ca, decrypted string: PT
org_addr: 0x4118f3, decrypted string: M
org_addr: 0x411924, decrypted string: P1D
org_addr: 0x411955, decrypted string: false
org_addr: 0x411986, decrypted string:
org_addr: 0x4119ab, decrypted string: <#YEAR#>-<#MONTH#>-<#DAY#>T<#HOUR#>:<#MI
org_addr: 0x4119dc, decrypted string: true
org_addr: 0x411a17, decrypted string:
org_addr: 0x411a4e, decrypted string: 1
org_addr: 0x411a88, decrypted string:
org_addr: 0x411ac5, decrypted string:
org_addr: 0x411b02, decrypted string:
org_addr: 0x411c13, decrypted string: <#HOUR#>
org_addr: 0x411c5d, decrypted string: <#MIN#>
org_addr: 0x411ca7, decrypted string: <#SEC#>
org_addr: 0x411cf1, decrypted string: <#YEAR#>
org_addr: 0x411d3b, decrypted string: <#MONTH#>
org_addr: 0x411d85, decrypted string: <#DAY#>
org_addr: 0x411de6, decrypted string: <#TRIGGERS#>
org_addr: 0x411e94, decrypted string: SYSTEM
org_addr: 0x411f7a, decrypted string: Tasks\
org_addr: 0x411fd5, decrypted string: *.job
org_addr: 0x412461, decrypted string: /interactive
org_addr: 0x4124af, decrypted string: at.exe
org_addr: 0x412551, decrypted string: Tasks\
org_addr: 0x4125a8, decrypted string: AT
org_addr: 0x4125d3, decrypted string: .job
org_addr: 0x41292f, decrypted string: .xml
org_addr: 0x41296e, decrypted string: /create /F /tn
org_addr: 0x412992, decrypted string: " /xml "
org_addr: 0x4129c7, decrypted string: schtasks.exe
org_addr: 0x412a25, decrypted string: /create /F /tn
org_addr: 0x412a52, decrypted string: " /tr "
org_addr: 0x412a97, decrypted string: /sc DAILY /ST
org_addr: 0x412aea, decrypted string: /RU SYSTEM
org_addr: 0x412b29, decrypted string: /IT
org_addr: 0x412b62, decrypted string: schtasks.exe
org_addr: 0x412d34, decrypted string: /query /xml
org_addr: 0x412d51, decrypted string: schtasks.exe
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 17 of 20
org_addr: 0x412d9c, decrypted string:
org_addr: 0x412e04, decrypted string:
org_addr: 0x412e21, decrypted string:
org_addr: 0x412ea5, decrypted string: /delete /F /TN "
org_addr: 0x412eda, decrypted string: schtasks.exe
org_addr: 0x412f28, decrypted string:
org_addr: 0x413074, decrypted string: SHGetSpecialFolderPathW
org_addr: 0x413091, decrypted string: shell32.dll
org_addr: 0x413c5a, decrypted string: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
org_addr: 0x413d72, decrypted string: SOFTWARE\Microsoft\Windows\CurrentVersion\
org_addr: 0x413d8e, decrypted string: Uninstall
org_addr: 0x413e1b, decrypted string: DisplayIcon
org_addr: 0x413e6a, decrypted string: DisplayName
org_addr: 0x413eb9, decrypted string: UninstallString
org_addr: 0x413f20, decrypted string: Publisher
org_addr: 0x414108, decrypted string: cmd.exe /Q /D /c del "
org_addr: 0x414178, decrypted string: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
org_addr: 0x4141ad, decrypted string: cmd.exe /Q /D /c del "
org_addr: 0x41421d, decrypted string: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
org_addr: 0x414636, decrypted string: GetPwrCapabilities
org_addr: 0x414824, decrypted string: open
org_addr: 0x4163d5, decrypted string: 000000000000
org_addr: 0x416449, decrypted string: 000000
org_addr: 0x4164cd, decrypted string: FFFFFFFF
org_addr: 0x4169f5, decrypted string: dir
org_addr: 0x416a16, decrypted string: /S "
org_addr: 0x416a35, decrypted string: *.*
org_addr: 0x416a6b, decrypted string: TIMEOUT
org_addr: 0x416bc2, decrypted string: cmd.exe
org_addr: 0x416bf3, decrypted string: /d /c
org_addr: 0x416c1c, decrypted string: & cmd /d /c del
org_addr: 0x416c71, decrypted string: CreateProcessA
org_addr: 0x416c9a, decrypted string: kernel32.dll
org_addr: 0x416dad, decrypted string: cmd.exe
org_addr: 0x416dde, decrypted string: /d /c
org_addr: 0x416e0d, decrypted string: & cmd /d /c rd /S /Q
org_addr: 0x416e6e, decrypted string: CreateProcessA
org_addr: 0x416e97, decrypted string: kernel32.dll
org_addr: 0x4170a7, decrypted string: MachineGuid
org_addr: 0x4170cf, decrypted string: Software\Microsoft\Cryptography
org_addr: 0x417116, decrypted string: MachineGuid
org_addr: 0x41713e, decrypted string: Software\Microsoft\Cryptography
org_addr: 0x417253, decrypted string: user32.dll
org_addr: 0x41727f, decrypted string: GetLastInputInfo
org_addr: 0x41734c, decrypted string: GetUserDefaultUILanguage
org_addr: 0x417369, decrypted string: kernel32.dll
org_addr: 0x417a58, decrypted string: .ini
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 18 of 20
org_addr: 0x417ab4, decrypted string: .txt
org_addr: 0x417ad7, decrypted string: .txt
org_addr: 0x4182d5, decrypted string: cmd.exe
org_addr: 0x418376, decrypted string: 1.dat
org_addr: 0x4183a9, decrypted string: 2.dat
org_addr: 0x418448, decrypted string: /d /c
org_addr: 0x4184a3, decrypted string: cmd /d /c copy /B /Y /V
org_addr: 0x4184fd, decrypted string: & cmd /d /c del "
org_addr: 0x418528, decrypted string: " & cmd /d /c del "
org_addr: 0x41857b, decrypted string: CreateProcessA
org_addr: 0x4185a4, decrypted string: kernel32.dll
org_addr: 0x41878f, decrypted string: psapi.dll
org_addr: 0x4187ce, decrypted string: GetModuleFileNameExA
org_addr: 0x4187f6, decrypted string: EnumProcessModules
org_addr: 0x418d30, decrypted string: mnprstghklbcdf
org_addr: 0x418d56, decrypted string: iuaaooee
org_addr: 0x41a1e7, decrypted string: kernel32.dll
org_addr: 0x41a20d, decrypted string: FreeLibrary
org_addr: 0x41a237, decrypted string: EnterCriticalSection
org_addr: 0x41a261, decrypted string: LeaveCriticalSection
org_addr: 0x41a28b, decrypted string: WaitForSingleObject
org_addr: 0x41a2b5, decrypted string: CloseHandle
org_addr: 0x41a2df, decrypted string: GetExitCodeProcess
org_addr: 0x41a309, decrypted string: GetSystemDirectoryW
org_addr: 0x41a333, decrypted string: GetModuleFileNameW
org_addr: 0x41a35d, decrypted string: DeleteFileA
org_addr: 0x41a387, decrypted string: CreateFileW
org_addr: 0x41a3b1, decrypted string: CreateFileA
org_addr: 0x41a3db, decrypted string: ReadFile
org_addr: 0x41a405, decrypted string: WriteFile
org_addr: 0x41a42f, decrypted string: SetFilePointer
org_addr: 0x41a459, decrypted string: MoveFileW
org_addr: 0x41a48c, decrypted string: MoveFileA
org_addr: 0x41a4c2, decrypted string: FindFirstFileW
org_addr: 0x41a4f8, decrypted string: FindNextFileW
org_addr: 0x41a52e, decrypted string: FindClose
org_addr: 0x41a564, decrypted string: CreateProcessW
org_addr: 0x41a59a, decrypted string: CreateProcessA
org_addr: 0x41a5d0, decrypted string: GetStartupInfoA
org_addr: 0x41a606, decrypted string: CopyFileW
org_addr: 0x41a63c, decrypted string: GetTempPathA
org_addr: 0x41a6cf, decrypted string: PeekNamedPipe
org_addr: 0x41a705, decrypted string: CreatePipe
org_addr: 0x41a73b, decrypted string: GetFileAttributesW
org_addr: 0x41a771, decrypted string: GetShortPathNameA
org_addr: 0x41a7a7, decrypted string: GetShortPathNameW
org_addr: 0x41a7dd, decrypted string: GetComputerNameA
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 19 of 20
org_addr: 0x41a813, decrypted string: CreateDirectoryA
org_addr: 0x41a849, decrypted string: CreateDirectoryW
org_addr: 0x41a87f, decrypted string: RemoveDirectoryA
org_addr: 0x41a8b5, decrypted string: GetCurrentProcess
org_addr: 0x41a8eb, decrypted string: SetFileTime
org_addr: 0x41a921, decrypted string: GetVolumeInformationA
org_addr: 0x41a957, decrypted string: GetTickCount
org_addr: 0x41a98d, decrypted string: ExitThread
org_addr: 0x41a9c3, decrypted string: CreateThread
org_addr: 0x41a9f9, decrypted string: ResumeThread
org_addr: 0x41aa2f, decrypted string: GetLocalTime
org_addr: 0x41aa65, decrypted string: OpenProcess
org_addr: 0x41aa9b, decrypted string: GetSystemPowerStatus
org_addr: 0x41aad1, decrypted string: GetWindowsDirectoryW
org_addr: 0x41ab07, decrypted string: SetFileAttributesW
org_addr: 0x41ab3d, decrypted string: Sleep
org_addr: 0x41ab73, decrypted string: TerminateProcess
org_addr: 0x41ac02, decrypted string: advapi32.dll
org_addr: 0x41ac28, decrypted string: RegCloseKey
org_addr: 0x41ac52, decrypted string: RegOpenKeyExW
org_addr: 0x41ac7c, decrypted string: RegDeleteKeyW
org_addr: 0x41aca6, decrypted string: RegCreateKeyExW
org_addr: 0x41acd0, decrypted string: RegSetValueExW
org_addr: 0x41acfa, decrypted string: RegQueryValueExW
org_addr: 0x41ad24, decrypted string: RegDeleteValueW
org_addr: 0x41ad4e, decrypted string: RegEnumValueW
org_addr: 0x41ad78, decrypted string: RegEnumKeyW
org_addr: 0x41ae05, decrypted string: user32.dll
org_addr: 0x41ae2b, decrypted string: GetWindowThreadProcessId
org_addr: 0x41ae55, decrypted string: EnumWindows
org_addr: 0x41ae7f, decrypted string: WaitForInputIdle
org_addr: 0x41afaa, decrypted string: kernel32.dll
org_addr: 0x41afeb, decrypted string: LoadLibraryA
org_addr: 0x41b01c, decrypted string: GetProcAddress
End.
m4n0w4r
Source: https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/
Page 20 of 20