PowerLoaderV2 Full Code Analysis | Understanding the main registry key [Part5]

9 min readJan 16, 2023

This is the most important part

In part 4, we analyzed the other condition which is the SID = 1000h and now we will analyze the other condition, let’s StrCpyWithMachineGuid.

So here we have another function GetMachineGUID [ which I called ] and has 1 argument Data, let’s see this function:

We have 3 local variables [ IDA defined them ] and a Data argument that pushed.

it calls RegOpenKeyExA API which will open the Software\\Microsoft\\Cryptography key and the handle of this key will be in hKey value:

LSTATUS RegOpenKeyExA(
  [in]           HKEY   hKey,
  [in, optional] LPCSTR lpSubKey,
  [in]           DWORD  ulOptions,
  [in]           REGSAM samDesired,
  [out]          PHKEY  phkResult
);
//Which in our case will be
LSTATUS RegOpenKeyExA(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Cryptography",0,KEY_WOW64_64KEY | KEY_QUERY_VALUE,hKey);

So the value 0x80000002 is HKLM -> HKEY_LOCAL_MACHINE and samDesired 101h which 100h+1h which 100h=KEY_WOW64_64KEY for Indicates that an application on 64-bit Windows should operate on the 64-bit registry view. This flag is ignored by 32-bit Windows. And 1h = KEY_QUERY_VALUE for querying values. [MDSN]

The Malware opens this key for querying a value and let’s see what is it:

Then calls RegQueryValueExA API which here in our case will get the MachineGuid value from HKLM\\Software\\Microsoft\\Cryptography key.

LSTATUS RegQueryValueExA(
  [in]                HKEY    hKey,
  [in, optional]      LPCSTR  lpValueName,
                      LPDWORD lpReserved,
  [out, optional]     LPDWORD lpType,
  [out, optional]     LPBYTE  lpData,
  [in, out, optional] LPDWORD lpcbData
);
//which in our case will be
LSTATUS RegQueryValueExA(hKey,"MachineGuid",0,REG_SZ,Data,260)

hKey -> the handle returned from RegOpenKeyExA API and the value of MachineGuid type is string[REG_SZ] will be in the Data variable in 260 lengths as maximum.

GUID is A globally unique identifier is a unique number created by Microsoft applications to identify components, hardware, files, user accounts, etc.

So let’s see why The malware needs machine GUID:

The return value will be 1 if it gits the MachineGuid, so here the malware will call lstrcpyA to copy the MachineGuid to “sacfsfdsf”, if not copy to “abcxvcxvx”.

Let’s see the x64 Debugger:

After executing it EAX will have the final string:

So now we have the string $MachineGuid+”sacfsfdsf” stored in EAX , now we have a unique string related to your machine, let’s back:

let’s step into the OpenMutex [which I named]:

int _snprintf( char *buffer, size_t count, const char *format [, argument] … ); [MDSN]

based on our analysis it will be:

int _snprintf( Dest, 260, “%d__%s”,-3,$machineGuid);

Dest will be -3__$machineguid.

Here is the result from x64 Debugger:

Then EDX will include this value and push it as a 3rd argument to OpenMutexA API , So now we understood why malware use machine guid.

So the mutex of the infected machine is “-3__$MachineGUIDsacfsfdsf” or “abcxvcxvx” [maybe]

But let’s back to see what if we didn’t give the malware our machineguid:

aaah, Here if cannot open the Cryptography key it will add the 2 strings together, let’s continue:

So here our second MachineGuid name will be “abcxvcxvxsacfsfdsf”

So always see the second condition to get more info, let’s continue:

So now the mutex name is: “-3__abcxvcxvxsacfsfdsf” , that’s our 4th IOC.

First: “%temp%/logs123.txt” as a file.

second: “C://ProgramData/AA.exe [randomly]” as a file.

third: -3__”$YouMachineGuid”+”sacfsfdsf” as a mutex.

fourth: “-3__abcxvcxvxsacfsfdsf” as a mutex.

let’s continue:

So here if the mutex exists, bl will be 1 and EAX will take the handle of the mutex and that means the malware already run before if it creates the same mutex.

That’s why the malware uses mutex for checking if the machine is infected or not.

Let’s back:

So now it’s clear if one of two mutexes exist to take the error message “Entry(): System already infected “ and write it to the log file, then exit:

Let’s continue if the machine is not infected:

It calls the same function StrCpyWithMachineGuid which we analyzed but now it will exit and then call CreatingMutex which I called with ECX=-1:

because already have the Data if not, do the same process we analyzed:

This function CreatingMutex calls CreateMutexA API with the name:

“-1_cc_-3__abcxvcxvxsacfsfdsf” if not exist machine guid.

“-1_cc_-3__MachineGuid+”sacfsfdsf” if the machine guid exists.

We know what can _scprintf do and we won’t analyze any API again if we analyzed it before.

that’s our mutex, let’s run:

After running the CreateMutexA API and going to ProcessHacker for the Malware, you will see the mutex created under the mutant name in handles.

So now it checks also if these mutexes exist go to the log file to print its infected if not continue, now we have 6th IOCs which we have added 2 mutexes, let’s step into SetKetValue_CurrentPath111 [ which I named ].

The filename is the full path of the malware and we got it from part 3.

IDA defined these variables as usual, and we have “TFOS”, “ERAW” and ‘\’ which are malware data.

And if you step into this data by x64 Debugger:

yes, it’s SOFTWARE\\ [ sorted in vise versa ].

And then memset the dst value with zeros:

Then push var_104 into the StrCpyWithMachineGuid which we analyzed before and the result will be “abcxvcxvxsacfsfdsf” or “MachineGuid”+”sacfsfdsf” , but also it will return without continuing because we have this value:

let’s step into WorkingWithStr function which I called it:

So EDI referees to our that string, let’s see the debugger:

after looping the EAX will contain the length of the string [12h = 18].

Then in another loop, push every char in the string to isalpha API to check if its an alpha or not

then tolower API to make it lowercase

let’s run:

So this function checks if the string is alpha or not, let’s run another process with another mutex name which includes the machineguid:

To see what can do with numbers:

it skips the -1 because it adds 1 to the string:

let’s continue :

As you can see, it removes numbers and the final string is all chars in the machineguid+”sacfsfdsf”, so let’s rename this function GetAllCharsFromInputStr or any name you want.

Let’s continue:

It then creates registry key with this name by RegCreateKeyExA API

So it adds TFOS+ERAW+\\ to the string to become SOFTWARE//abcxvcxvxsacfsfdsf [ if machineguid does not exist].

What can do?

LSTATUS RegCreateKeyExA(
  [in]            HKEY                        hKey,
  [in]            LPCSTR                      lpSubKey,
                  DWORD                       Reserved,
  [in, optional]  LPSTR                       lpClass,
  [in]            DWORD                       dwOptions,
  [in]            REGSAM                      samDesired,
  [in, optional]  const LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  [out]           PHKEY                       phkResult,
  [out, optional] LPDWORD                     lpdwDisposition
);
//which in our cse will be
LSTATUS RegCreateKeyExA(
 HKEY_CURRENT_USER,
"SOFTWARE//abcxvcxvxsacfsfdsf",
0,0,0,
KEY_EXECUTE| KEY_CREATE_SUB_KEY |KEY_SET_VALUE,0,
phkResult,lpdwDisposition);

As we discussed before for these variables which 80000001 -> HKCU and 0002001F = 00020019 [KEY_EXECUTE]+0004 [KEY_CREATE_SUB_KEY]+0002 [KEY_SET_VALUE]. ( It may be wrong because I calculated it from MDSN ).

after executing it, it creates the key as you can see, let’s continue:

And finally, we reach this value because we saw it in behavioral analysis and now we understood what can these random chars referees to.

The Malware uses RegSetValueExA API for setting data to a value in a key and let’s see what is it:

Here the data is the full path of the malware, that’s why it is called “CurrentPath111”, and it takes the size of it by lstrlen API.

LSTATUS RegSetValueExA(
  [in]           HKEY       hKey,
  [in, optional] LPCSTR     lpValueName,
                 DWORD      Reserved,
  [in]           DWORD      dwType,
  [in]           const BYTE *lpData,
  [in]           DWORD      cbData
);
//which in our case
LSTATUS RegSetValueExA(hKey, "CurrentPath111", 0,REG_SZ,"$TheMalwarePath",len($TheMalwarePath));

And here are the arguments: