{
	"id": "d33e655c-4862-49ad-ab11-85b6d19b46fb",
	"created_at": "2026-04-29T08:21:07.125059Z",
	"updated_at": "2026-04-29T10:41:51.793495Z",
	"deleted_at": null,
	"sha1_hash": "b6f4be145b6c5bb9e9554eced3b82cbaaf1af557",
	"title": "When a malware is more complex than the paper.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5397452,
	"plain_text": "When a malware is more complex than the paper.\r\nBy Sebdraven\r\nPublished: 2018-08-29 · Archived: 2026-04-29 08:00:34 UTC\r\n8 min read\r\nAug 28, 2018\r\nFireEye has published a paper on the Felixroot backdoor, which is delivered after exploiting two vulnerabilities, CVE-2017-0199 and CVE-2017-11882. The RTF document drops an executable.\r\nAnd the analyst explains:\r\nThe dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) contains the compressed FELIXROOT dropper component in the Portable Executable (PE) binary overlay section. When it is executed, it creates two files: an LNK file that points to %system32%\\rundll32.exe, and the FELIXROOT loader component. The LNK file is moved to the startup directory. Figure 5 shows the command in the LNK file to execute the loader component of FELIXROOT.\r\nBut it's not so easy. The dropper unpacks two PE files in memory using RC4 and a custom decompression function.\r\nThe two PE files are an installer and the Felixroot backdoor.\r\nThe installer writes the backdoor to disk and, after decrypting its strings, creates the persistence (an LNK in the Startup folder), executes rundll32 with Felixroot, and uses anti-forensic techniques to change the timestamps of the backdoor.\r\nNow all the technical details!\r\nEncryption and decompression\r\nLoad the overlay in memory\r\nAfter a look with PEstudio, the overlay is 53% of the dropper and its entropy is 7.994, which is too high for compression alone.\r\nhttps://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257\r\nPage 1 of 23\r\nOverlay of the dropper\r\nTo dump the overlay, two lines of Python are enough. The overlay starts at 0xD800 in the file.\r\noverlay = open('573ea78afb50100f896185164da3b8519e2e0f609a34a7c70460eca5b4ae640d', 'rb').read()[0xD800:]\r\nopen('overlay.dump', 'wb').write(overlay)\r\nSo launch the debugger to understand how this overlay is used by the dropper.\r\nThe dropper starts by reading itself.\r\nRead itself\r\nThe file handle is in EAX, with value 288.\r\nIf we check in IDA, this part is badly interpreted by IDA: it's patched at runtime.\r\nError in IDA\r\nSo the best way is to set breakpoints on CreateFile and ReadFile.\r\nSo it reads the file and stores the result in [ebp + C] (here 194408).\r\nAnd the dropper seeks to D800 to set EAX at the start of the overlay.\r\nRC4 and custom decompression\r\nOverlay in memory\r\nLet's check in IDA where we are.\r\nsub_406681\r\nIf we check the graph overview, this function sits inside a huge function with many jmps. It seems this function is like a packer.\r\nIn the second step, it reads 40 bytes (from C08 to C30).\r\nThe loop is made by the jmp back to the start of the function while the 40 bytes are not yet read.\r\nAfter reading the 40 bytes, we have a loop of 256 steps to store 01 to 256 on the stack.\r\ninit of RC4\r\nAnd it manipulates the 40 bytes and stores the result on the stack in a loop of 256 steps.\r\nInit of RC4\r\nAnd a third function with arithmetic operations works on the overlay with the results of the two previous functions.\r\n[EBP+C] stores F9D8. Remember!? It's the size of the file.\r\nThe result of this function is stored in place of the overlay, at C30.\r\nOK, everybody has recognized the three steps of RC4.\r\nIf we do a comparison using the Python language, the first function is:\r\nself.state = list(range(256))\r\nThe second function is:\r\ndef init(self, key):\r\n    # Key scheduling: the key bytes are reused cyclically over the 256-entry state\r\n    for i in range(256):\r\n        self.x = (ord(key[i % len(key)]) + self.state[i] + self.x) \u0026 0xFF\r\n        self.state[i], self.state[self.x] = self.state[self.x], self.state[i]\r\n    # Both stream counters must start at 0 before decryption\r\n    self.x = 0\r\n    self.y = 0\r\nAnd the third function is:\r\ndef decrypt(self, input):\r\n    # Keystream generation: one keystream byte per input byte, XORed into the data\r\n    output = [None] * len(input)\r\n    for i in range(len(input)):\r\n        self.x = (self.x + 1) \u0026 0xFF\r\n        self.y = (self.state[self.x] + self.y) \u0026 0xFF\r\n        self.state[self.x], self.state[self.y] = self.state[self.y], self.state[self.x]\r\n        output[i] = chr(ord(input[i]) ^ self.state[(self.state[self.x] + self.state[self.y]) \u0026 0xFF])\r\n    return ''.join(output)\r\nSo here, the key of the RC4 is the first 40 bytes of the overlay:\r\n1B 73 B4 17 5E 5F 14 59 AF F7 BA AF DA 75 AB F5 19 4D 32 50 36 01 46 30 09 AB 9C 09 4D B2 74 01 9E C0 C0 9E FD B9 ED E5\r\nThe result seems to be a PE file, but not completely.\r\nAfter that, the dropper grows the stack from 12F000 to 12C000 before launching the decompression function (seemingly custom after many searches, but if it's not, write a comment at the end of this post!).\r\nThe dropper puts the three bytes [AB,CD,EF] on the stack.\r\nThe algorithm in function sub_004055FC uses first AB,C and then D,EF.\r\nAB,C\r\nD,EF\r\nIf C or D == 0 then the dropper writes AB or EF.\r\nIf C != 0 then the dropper writes zeros, and the number of zeros depends on AB.\r\nIf D != 0 then the dropper writes zeros, and the number of zeros depends on EF.\r\nWe work through several examples to better understand:\r\n4D 00 5A -\u003e 4D 5A\r\n90 00 00 -\u003e 90 00\r\n03 00 00 -\u003e 03 00\r\n51 10 04 -\u003e 00 00 04\r\nThe result is stored in a buffer. The address of the buffer is in EAX.\r\nThe dropper decodes two PE files: another dropper, which we name drop, and the Felixroot backdoor.\r\nFelixroot is copied to 378C38.\r\ndrop is copied after a VirtualAlloc at 20000 and drop is executed at 00021964.\r\nInstallation\r\ndrop verifies that it is executed after the dropper by checking a mutex.\r\nIf it's OK, drop checks whether it is executed on a 64-bit system to correctly set the parameters for decoding strings.\r\ndrop decodes the first string depending on whether it's 64-bit or not.\r\noffset unk_ is the key of the decode functions.\r\nThe function is a XOR with the key and with FF.\r\nThe data to decrypt is in drop's resources.\r\nThe result is stored in a buffer.\r\nThe result of the first decoding function is \\\\System32.\r\nrundll32.exe is the result of the second decoding.\r\ndrop drops the backdoor after decoding strings that set the folder in which the backdoor is dropped.\r\nFirst it decodes the pattern of the path L\"%lS\\\\%lS\\\\%lS.dbf\"\r\nIt chooses the special folder: %APPDATA%/Roaming/Microsoft/\r\nOn 32-bit, this folder is not used, so it's very easy to hide a malware there.\r\nAnd the path of the file is: \"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Microsoft\\\\{22B4CEF1-633C-4F94-824E-0C207AC4F2DF}.dbf\"\r\nThe name of the file changes at each execution.\r\ndrop writes the backdoor to disk from 378C38 in sub_210E5.\r\ndrop decodes a string to get the path: c:\\\\windows\\\\system32\\\\msvcrt.dll\r\nIn sub_00021845, drop retrieves the creation date of c:\\\\windows\\\\system32\\\\msvcrt.dll\r\ndrop changes the timestamp attributes (creation date of the file, last modified...) of the backdoor, replacing them with those of L\"c:\\\\windows\\\\system32\\\\msvcrt.dll\" in sub_000218AF\r\nThen the persistence is created. The first step is the decoding of the file name at 00021A1A; the result is .lnk\r\nAfter that, it creates the persistence of the backdoor in sub_000211D7. It's a shortcut installed in the Startup folder, with a copy created in the Roaming folder.\r\nIn sub_216D1, drop installs the shortcut in the Startup folder, copies the shortcut and executes it with the function ShellExecute.\r\n0012DC84 0012DCA0 L\"C:\\\\Windows\\\\system32\\\\cmd.exe\"\r\n0012DC88 0012E6C8 L\"/c move \\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\ .lnk\\\" \\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\ .lnk\\\"\"\r\nShortcut to restart\r\nThe LNK runs rundll32.exe with the .dbf and ordinal 1 of the DLL's exports.\r\nA few words about threat intel\r\nIt's strange that FireEye hasn't published a full paper with the analysis of the dropper and the backdoor.\r\nThe dropper uses many very interesting techniques:\r\nRC4 encryption\r\ncustom decompression function\r\nrundll32 to bypass AppLocker and AV\r\nchanging the timestamps of the installed files\r\ndecrypting strings to install the backdoor\r\ndecrypting strings for the persistence settings\r\nThe function sub_406681 is very interesting, and it's very difficult to write a YARA rule on it because there are so many jumps that there isn't enough contiguous binary to make a rule. The RC4 encryption and the decompression function are both in this function.\r\nThanks\r\nThanks to the zone de confort for trying to understand this f… decompression function and thanks to @FliegenEinhorn for finding the sample!\r\nSource: https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257"
	],
	"report_names": [
		"when-a-malware-is-more-complex-than-the-paper-5822fc7ff257"
	],
	"threat_actors": [],
	"ts_created_at": 1777450867,
	"ts_updated_at": 1777459311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6f4be145b6c5bb9e9554eced3b82cbaaf1af557.pdf",
		"text": "https://archive.orkl.eu/b6f4be145b6c5bb9e9554eced3b82cbaaf1af557.txt",
		"img": "https://archive.orkl.eu/b6f4be145b6c5bb9e9554eced3b82cbaaf1af557.jpg"
	}
}