SBN

Analyzing Techniques Used in HopLight Malware

HopLight is malicious software which has been attributed to North Korea by the US Government. The malware exhibits
Trojan like capabilities and deploys various dynamic and static evasion techniques to frustrate analysis. Security
researchers at Alert Logic have deconstructed and examined the HopLight code to understand how it works and identify
any unique techniques it employs. Alert Logic uses insights into threats such as these to guide detection of the
most cutting edge threats and keep our coverage evergreen. We also share the information below with the larger
community to support broader efforts.

HopLight String Obfuscation Reverse Engineering

HopLight attempts to actively evade detection and analysis using techniques like string obfuscation (basically
encrypted with an algorithm based on static keys encoded in the binary). Without removing this obfuscation, then
proper analysis of a sample is made significantly more difficult and sometimes impossible.

Removing the obfuscation creates the possibility of finding additional IOCs (Indicators of Compromise) in order to
keep abreast of emerging exploits and attack techniques used by malware creators. Maintaining a library of such code
and its previous usage can provide shortcuts for analysis of future samples and attribution to campaigns or groups.
We took a closer look at one such method recently.

Algorithm Descriptions

The deobfuscation function creates an array of five 32-bit integers in memory, four of which are actually operated
on. The first two integers are set to zero and the last 3 are set to pre-determined non-zero values. The size of the
encrypted string is used to determine the permutation used to set up the array.

Two initial loops operate on the last three integers, firstly each integer is XORd with the next, modifying its
value—this is repeated for the string size divided by three. Secondly each integer is ORd with the next, modifying
its value—this is repeated for the remainder of the string size divided by three.

Next the second integer is set to either 1 or 0 depending on whether certain bits are set in each of the last three
integers after the previous step described above and set to 0 if more than one of these bits have a value of 1
across the integer set. This binary value is then used in the next step.

The final array permutation step operates again on the last three integers. If a specific bit in these integers ANDd
with 1 and XORd with the second integer previously calculated to 1 or 0 is non-zero then the operation continues,
otherwise no further permutation is performed. The integer is right shifted a specific number of differing bits 4
times, the results which are XORd with each other. Finally, this value is multiplied by 2 and ANDd with a hardcoded
mask depending on its index in the array. If the calculation before the mask has its LSB (least significant bit)
set, then XOR the result with 1.

The three last integers are then XORd together to create a single 32-bit value, an 8-bit value is then created by
shifting and XORing this against static values. Each byte in the encrypted string is then XORd with this value to
give the decrypted string.

The following screenshots walk through our analysis of HopLight:

    
.text:0109131A                 lea     eax, [ebp+cp]
.text:0109131D                 push    0Ch             ; size
.text:0109131F                 push    eax             ; encstr
...
.text:01091320                 mov     dword ptr [ebp+cp], 786F7079h // "ypox"
.text:01091327                 mov     [ebp+var_10], 78706F75h // "uopx"
.text:0109132E                 mov     [ebp+var_C], 71706F73h // "sopq"
...
.text:01091353                 call    decryptstring_sub_1153847

Reversed Algorithm PoC (Proof of Concept)


    /*
    * HopLight malware string decrypt
    * decrypts obfuscated/encrypted strings
    *
    * AlertLogic
    *
    * $ gcc hopDec.c -o hopDec
    * $ ./hopDec ypoxuopxsopq
    * HopLight string decrypt: ypoxuopxsopq
    * Magic numbers : [ 0] [ 0] [C2B45678] [90ABCDEF] [FE268455]
    * Magic numbers : [ 0] [ 0] [AC391FC2] [3C92D22D] [C2B45678]
    * Magic numbers : [ 0] [ 1] [AC391FC2] [3C92D22D] [C2B45678]
    * Magic numbers : [ 0] [ 0] [AC391FC2] [3C92D22D] [C2B45678]
    * Magic numbers : [ 0] [ 0] [AC391FC2] [3C92D22D] [C2B45678]
    * Magic numbers : [ 0] [ 0] [AC391FC2] [3C92D22D] [C2B45678]
    * Decrypted --> 81.94.192.10
    * $
    */
    
    #include 
        #include 
            #include 
    
                void printMagic(unsigned int *magic)
                {
                printf("Magic numbers : [%4X] [%4X] [%4X] [%4X] [%4X]n", magic[0], magic[1], magic[2], magic[3], magic[4]);
                }
    
                void permutation4(unsigned int *magic, int idx) // magic[2-4]
                {
                unsigned int i = 0;
                unsigned int j = 0;
                unsigned int mask = 0;
    
                i = ((magic[idx] >> 11) & 1) ^ magic[1];
                magic[1] = i;
                if ( magic[1] )
                {
                if (4 == idx)
                {
                j = (magic[idx] >> 17) ^ (magic[idx] >> 18) ^ (magic[idx] >> 21) ^ (magic[idx] >> 22);
                mask = 0x7FFFFF;
                }
                else if (3 == idx)
                {
                j = (magic[idx] >> 12) ^ (magic[idx] >> 16) ^ (magic[idx] >> 20) ^ (magic[idx] >> 21);
                mask = 0x3FFFFF;
                }
                else
                {
                j = (magic[idx] >> 13) ^ (magic[idx] >> 16) ^ (magic[idx] >> 17) ^ (magic[idx] >> 18);
                mask = 0x7FFFF;
                }
    
                magic[idx] = 2 * magic[idx] & mask;
                if ( j & 1 )
                {
                i = magic[idx] ^ 1;
                magic[idx] = i;
                }
                }
                }
    
                void permutation3(unsigned int *magic) //magic[2-4]
                {
                unsigned int i = 0;
                unsigned int j = 0;
                unsigned int k = 0;
    
                i = ((magic[4] >> 11) & 1) == 1;
                j = (((magic[3] >> 11) & 1) == 1);
                k = (((magic[2] >> 9) & 1) == 1);
                magic[1] = i + j + k > 0x08;
                    c = b ^ a; // 1
                    d = result >> 0x10;
                    e = d ^ c; // 2
                    f = result >> 0x18;
                    g = f ^ e; // 3
    
                    return g;
                    }
    
                    void permutation1(int size, unsigned int* magic) //setup initial magic numbers depending on size of
                    encrypted string
                    {
                    int i = 0;
    
                    // magic numbers
                    magic[0] = 0x00000000; //unused
                    magic[1] = 0x00000000;
                    magic[2] = 0xC2B45678;
                    magic[3] = 0x90ABCDEF;
                    magic[4] = 0xFE268455;
    
                    printMagic(magic);
    
                    while(1)
                    {
                    if (i >= size/3) break;
                    magic[2] ^= magic[3];
                    magic[3] ^= magic[4];
                    magic[4] ^= magic[2];
                    i++;
                    }
    
                    for(i=0;i %sn", output);
                        free(output);
                        free(encrypted_string);
                        }
                        else
                        {
                        printf("Usage: ./hoplight n");
                            printf("e.g. ./hoplight ypoxuopxsopqn");
                            }
                            return 0;
                            }


Reference (disassembled code from HopLight sample):


    .text:010A3847 decryptstring_sub_1153847 proc near ; CODE XREF: sub_1091020+7↑p
    .text:010A3847 ; sub_1091020+13↑p ...
    .text:010A3847
    .text:010A3847 var_4 = dword ptr -4
    .text:010A3847 encstr = dword ptr 8
    .text:010A3847 size = dword ptr 0Ch
    .text:010A3847
    .text:010A3847 push ebp
    .text:010A3848 mov ebp, esp
    .text:010A384A push ecx
    .text:010A384B mov eax, [ebp+size]
    .text:010A384E push eax
    .text:010A384F mov ecx, offset unk_10D1C10
    .text:010A3854 call sub_10A3AC8
    .text:010A3859 mov [ebp+var_4], 0
    .text:010A3860 jmp short loc_10A386B
    .text:010A3862 ; ---------------------------------------------------------------------------
    .text:010A3862
    .text:010A3862 loc_10A3862: ; CODE XREF: decryptstring_sub_1153847+48↓j
    .text:010A3862 mov ecx, [ebp+var_4]
    .text:010A3865 add ecx, 1
    .text:010A3868 mov [ebp+var_4], ecx
    .text:010A386B
    .text:010A386B loc_10A386B: ; CODE XREF: decryptstring_sub_1153847+19↑j
    .text:010A386B mov edx, [ebp+var_4]
    .text:010A386E cmp edx, [ebp+size]
    .text:010A3871 jge short loc_10A3891
    .text:010A3873 mov ecx, offset unk_10D1C10
    .text:010A3878 call sub_10A3BB5
    .text:010A387D mov ecx, [ebp+encstr]
    .text:010A3880 add ecx, [ebp+var_4]
    .text:010A3883 mov dl, [ecx]
    .text:010A3885 xor dl, al
    .text:010A3887 mov eax, [ebp+encstr]
    .text:010A388A add eax, [ebp+var_4]
    .text:010A388D mov [eax], dl
    .text:010A388F jmp short loc_10A3862
    .text:010A3891 ; ---------------------------------------------------------------------------
    .text:010A3891
    .text:010A3891 loc_10A3891: ; CODE XREF: decryptstring_sub_1153847+2A↑j
    .text:010A3891 mov esp, ebp
    .text:010A3893 pop ebp
    .text:010A3894 retn
    .text:010A3894 decryptstring_sub_1153847 endp
    
    .text:010A3AC8 sub_10A3AC8 proc near ; CODE XREF: decryptstring_sub_1153847+D↑p
    .text:010A3AC8
    .text:010A3AC8 var_10 = dword ptr -10h
    .text:010A3AC8 var_C = dword ptr -0Ch
    .text:010A3AC8 var_8 = dword ptr -8
    .text:010A3AC8 var_4 = dword ptr -4
    .text:010A3AC8 arg_0 = dword ptr 8
    .text:010A3AC8
    .text:010A3AC8 push ebp
    .text:010A3AC9 mov ebp, esp
    .text:010A3ACB sub esp, 10h
    .text:010A3ACE mov [ebp+var_10], ecx
    .text:010A3AD1 mov eax, [ebp+arg_0]
    .text:010A3AD4 cdq
    .text:010A3AD5 mov ecx, 3
    .text:010A3ADA idiv ecx
    .text:010A3ADC mov [ebp+var_4], eax
    .text:010A3ADF mov eax, [ebp+arg_0]
    .text:010A3AE2 cdq
    .text:010A3AE3 mov ecx, 3
    .text:010A3AE8 idiv ecx
    .text:010A3AEA mov [ebp+var_C], edx
    .text:010A3AED mov edx, [ebp+var_10]
    .text:010A3AF0 mov dword ptr [edx+8], 0C2B45678h
    .text:010A3AF7 mov eax, [ebp+var_10]
    .text:010A3AFA mov dword ptr [eax+0Ch], 90ABCDEFh
    .text:010A3B01 mov ecx, [ebp+var_10]
    .text:010A3B04 mov dword ptr [ecx+10h], 0FE268455h
    .text:010A3B0B mov [ebp+var_8], 0
    .text:010A3B12 jmp short loc_10A3B1D
    .text:010A3B14 ; ---------------------------------------------------------------------------
    .text:010A3B14
    .text:010A3B14 loc_10A3B14: ; CODE XREF: sub_10A3AC8+93↓j
    .text:010A3B14 mov edx, [ebp+var_8]
    .text:010A3B17 add edx, 1
    .text:010A3B1A mov [ebp+var_8], edx
    .text:010A3B1D
    .text:010A3B1D loc_10A3B1D: ; CODE XREF: sub_10A3AC8+4A↑j
    .text:010A3B1D mov eax, [ebp+var_8]
    .text:010A3B20 cmp eax, [ebp+var_4]
    .text:010A3B23 jge short loc_10A3B5D
    .text:010A3B25 mov ecx, [ebp+var_10]
    .text:010A3B28 mov edx, [ebp+var_10]
    .text:010A3B2B mov eax, [ecx+8]
    .text:010A3B2E xor eax, [edx+0Ch]
    .text:010A3B31 mov ecx, [ebp+var_10]
    .text:010A3B34 mov [ecx+8], eax
    .text:010A3B37 mov edx, [ebp+var_10]
    .text:010A3B3A mov eax, [ebp+var_10]
    .text:010A3B3D mov ecx, [edx+0Ch]
    .text:010A3B40 xor ecx, [eax+10h]
    .text:010A3B43 mov edx, [ebp+var_10]
    .text:010A3B46 mov [edx+0Ch], ecx
    .text:010A3B49 mov eax, [ebp+var_10]
    .text:010A3B4C mov ecx, [ebp+var_10]
    .text:010A3B4F mov edx, [eax+10h]
    .text:010A3B52 xor edx, [ecx+8]
    .text:010A3B55 mov eax, [ebp+var_10]
    .text:010A3B58 mov [eax+10h], edx
    .text:010A3B5B jmp short loc_10A3B14
    .text:010A3B5D ; ---------------------------------------------------------------------------
    .text:010A3B5D
    .text:010A3B5D loc_10A3B5D: ; CODE XREF: sub_10A3AC8+5B↑j
    .text:010A3B5D mov [ebp+var_8], 0
    .text:010A3B64 jmp short loc_10A3B6F
    .text:010A3B66 ; ---------------------------------------------------------------------------
    .text:010A3B66
    .text:010A3B66 loc_10A3B66: ; CODE XREF: sub_10A3AC8+E5↓j
    .text:010A3B66 mov ecx, [ebp+var_8]
    .text:010A3B69 add ecx, 1
    .text:010A3B6C mov [ebp+var_8], ecx
    .text:010A3B6F
    .text:010A3B6F loc_10A3B6F: ; CODE XREF: sub_10A3AC8+9C↑j
    .text:010A3B6F mov edx, [ebp+var_8]
    .text:010A3B72 cmp edx, [ebp+var_C]
    .text:010A3B75 jge short loc_10A3BAF
    .text:010A3B77 mov eax, [ebp+var_10]
    .text:010A3B7A mov ecx, [ebp+var_10]
    .text:010A3B7D mov edx, [eax+8]
    .text:010A3B80 or edx, [ecx+0Ch]
    .text:010A3B83 mov eax, [ebp+var_10]
    .text:010A3B86 mov [eax+8], edx
    .text:010A3B89 mov ecx, [ebp+var_10]
    .text:010A3B8C mov edx, [ebp+var_10]
    .text:010A3B8F mov eax, [ecx+0Ch]
    .text:010A3B92 or eax, [edx+10h]
    .text:010A3B95 mov ecx, [ebp+var_10]
    .text:010A3B98 mov [ecx+0Ch], eax
    .text:010A3B9B mov edx, [ebp+var_10]
    .text:010A3B9E mov eax, [ebp+var_10]
    .text:010A3BA1 mov ecx, [edx+10h]
    .text:010A3BA4 or ecx, [eax+8]
    .text:010A3BA7 mov edx, [ebp+var_10]
    .text:010A3BAA mov [edx+10h], ecx
    .text:010A3BAD jmp short loc_10A3B66
    .text:010A3BAF ; ---------------------------------------------------------------------------
    .text:010A3BAF
    .text:010A3BAF loc_10A3BAF: ; CODE XREF: sub_10A3AC8+AD↑j
    .text:010A3BAF mov esp, ebp
    .text:010A3BB1 pop ebp
    .text:010A3BB2 retn 4
    .text:010A3BB2 sub_10A3AC8 endp
    
    .text:010A3BB5 sub_10A3BB5 proc near ; CODE XREF: decryptstring_sub_1153847+31↑p
    .text:010A3BB5
    .text:010A3BB5 var_C = dword ptr -0Ch
    .text:010A3BB5 var_8 = dword ptr -8
    .text:010A3BB5 var_4 = byte ptr -4
    .text:010A3BB5
    .text:010A3BB5 push ebp
    .text:010A3BB6 mov ebp, esp
    .text:010A3BB8 sub esp, 0Ch
    .text:010A3BBB mov [ebp+var_C], ecx
    .text:010A3BBE mov ecx, [ebp+var_C]
    .text:010A3BC1 call sub_10A38CB
    .text:010A3BC6 mov ecx, [ebp+var_C]
    .text:010A3BC9 call sub_10A392A
    .text:010A3BCE mov ecx, [ebp+var_C]
    .text:010A3BD1 call sub_10A39B4
    .text:010A3BD6 mov ecx, [ebp+var_C]
    .text:010A3BD9 call sub_10A3A3E
    .text:010A3BDE mov eax, [ebp+var_C]
    .text:010A3BE1 mov ecx, [ebp+var_C]
    .text:010A3BE4 mov edx, [eax+8]
    .text:010A3BE7 xor edx, [ecx+0Ch]
    .text:010A3BEA mov eax, [ebp+var_C]
    .text:010A3BED xor edx, [eax+10h]
    .text:010A3BF0 mov [ebp+var_8], edx
    .text:010A3BF3 mov ecx, [ebp+var_8]
    .text:010A3BF6 and ecx, 0FFh
    .text:010A3BFC mov edx, [ebp+var_8]
    .text:010A3BFF shr edx, 8
    .text:010A3C02 and edx, 0FFh
    .text:010A3C08 xor ecx, edx
    .text:010A3C0A mov eax, [ebp+var_8]
    .text:010A3C0D shr eax, 10h
    .text:010A3C10 and eax, 0FFh
    .text:010A3C15 xor ecx, eax
    .text:010A3C17 mov edx, [ebp+var_8]
    .text:010A3C1A shr edx, 18h
    .text:010A3C1D and edx, 0FFh
    .text:010A3C23 xor ecx, edx
    .text:010A3C25 mov [ebp+var_4], cl
    .text:010A3C28 mov al, [ebp+var_4]
    .text:010A3C2B mov esp, ebp
    .text:010A3C2D pop ebp
    .text:010A3C2E retn
    .text:010A3C2E sub_10A3BB5 endp
    
    .text:010A38CB sub_10A38CB proc near ; CODE XREF: sub_10A3BB5+C↓p
    .text:010A38CB
    .text:010A38CB var_8 = dword ptr -8
    .text:010A38CB var_4 = dword ptr -4
    .text:010A38CB
    .text:010A38CB push ebp
    .text:010A38CC mov ebp, esp
    .text:010A38CE sub esp, 8
    .text:010A38D1 mov [ebp+var_8], ecx
    .text:010A38D4 mov eax, [ebp+var_8]
    .text:010A38D7 mov ecx, [eax+8]
    .text:010A38DA shr ecx, 9
    .text:010A38DD and ecx, 1
    .text:010A38E0 sub ecx, 1
    .text:010A38E3 neg ecx
    .text:010A38E5 sbb ecx, ecx
    .text:010A38E7 inc ecx
    .text:010A38E8 mov edx, [ebp+var_8]
    .text:010A38EB mov eax, [edx+0Ch]
    .text:010A38EE shr eax, 0Bh
    .text:010A38F1 and eax, 1
    .text:010A38F4 sub eax, 1
    .text:010A38F7 neg eax
    .text:010A38F9 sbb eax, eax
    .text:010A38FB inc eax
    .text:010A38FC add ecx, eax
    .text:010A38FE mov edx, [ebp+var_8]
    .text:010A3901 mov eax, [edx+10h]
    .text:010A3904 shr eax, 0Bh
    .text:010A3907 and eax, 1
    .text:010A390A sub eax, 1
    .text:010A390D neg eax
    .text:010A390F sbb eax, eax
    .text:010A3911 inc eax
    .text:010A3912 add ecx, eax
    .text:010A3914 mov [ebp+var_4], ecx
    .text:010A3917 xor ecx, ecx
    .text:010A3919 cmp [ebp+var_4], 1
    .text:010A391D setle cl
    .text:010A3920 mov edx, [ebp+var_8]
    .text:010A3923 mov [edx+4], ecx
    .text:010A3926 mov esp, ebp
    .text:010A3928 pop ebp
    .text:010A3929 retn
    .text:010A3929 sub_10A38CB endp
    
    .text:010A392A sub_10A392A proc near ; CODE XREF: sub_10A3BB5+14↓p
    .text:010A392A
    .text:010A392A var_8 = dword ptr -8
    .text:010A392A var_4 = dword ptr -4
    .text:010A392A
    .text:010A392A push ebp
    .text:010A392B mov ebp, esp
    .text:010A392D sub esp, 8
    .text:010A3930 mov [ebp+var_8], ecx
    .text:010A3933 mov eax, [ebp+var_8]
    .text:010A3936 mov ecx, [eax+8]
    .text:010A3939 shr ecx, 9
    .text:010A393C and ecx, 1
    .text:010A393F mov edx, [ebp+var_8]
    .text:010A3942 mov eax, [edx+4]
    .text:010A3945 xor eax, ecx
    .text:010A3947 mov ecx, [ebp+var_8]
    .text:010A394A mov [ecx+4], eax
    .text:010A394D mov edx, [ebp+var_8]
    .text:010A3950 cmp dword ptr [edx+4], 0
    .text:010A3954 jz short loc_10A39B0
    .text:010A3956 mov eax, [ebp+var_8]
    .text:010A3959 mov ecx, [eax+8]
    .text:010A395C shr ecx, 12h
    .text:010A395F mov edx, [ebp+var_8]
    .text:010A3962 mov eax, [edx+8]
    .text:010A3965 shr eax, 11h
    .text:010A3968 xor ecx, eax
    .text:010A396A mov edx, [ebp+var_8]
    .text:010A396D mov eax, [edx+8]
    .text:010A3970 shr eax, 10h
    .text:010A3973 xor ecx, eax
    .text:010A3975 mov edx, [ebp+var_8]
    .text:010A3978 mov eax, [edx+8]
    .text:010A397B shr eax, 0Dh
    .text:010A397E xor ecx, eax
    .text:010A3980 mov [ebp+var_4], ecx
    .text:010A3983 mov ecx, [ebp+var_8]
    .text:010A3986 mov edx, [ecx+8]
    .text:010A3989 shl edx, 1
    .text:010A398B and edx, 7FFFFh
    .text:010A3991 mov eax, [ebp+var_8]
    .text:010A3994 mov [eax+8], edx
    .text:010A3997 mov ecx, [ebp+var_4]
    .text:010A399A and ecx, 1
    .text:010A399D test ecx, ecx
    .text:010A399F jz short loc_10A39B0
    .text:010A39A1 mov edx, [ebp+var_8]
    .text:010A39A4 mov eax, [edx+8]
    .text:010A39A7 xor eax, 1
    .text:010A39AA mov ecx, [ebp+var_8]
    .text:010A39AD mov [ecx+8], eax
    .text:010A39B0
    .text:010A39B0 loc_10A39B0: ; CODE XREF: sub_10A392A+2A↑j
    .text:010A39B0 ; sub_10A392A+75↑j
    .text:010A39B0 mov esp, ebp
    .text:010A39B2 pop ebp
    .text:010A39B3 retn
    .text:010A39B3 sub_10A392A endp
    
    .text:010A39B4 sub_10A39B4 proc near ; CODE XREF: sub_10A3BB5+1C↓p
    .text:010A39B4
    .text:010A39B4 var_8 = dword ptr -8
    .text:010A39B4 var_4 = dword ptr -4
    .text:010A39B4
    .text:010A39B4 push ebp
    .text:010A39B5 mov ebp, esp
    .text:010A39B7 sub esp, 8
    .text:010A39BA mov [ebp+var_8], ecx
    .text:010A39BD mov eax, [ebp+var_8]
    .text:010A39C0 mov ecx, [eax+0Ch]
    .text:010A39C3 shr ecx, 0Bh
    .text:010A39C6 and ecx, 1
    .text:010A39C9 mov edx, [ebp+var_8]
    .text:010A39CC mov eax, [edx+4]
    .text:010A39CF xor eax, ecx
    .text:010A39D1 mov ecx, [ebp+var_8]
    .text:010A39D4 mov [ecx+4], eax
    .text:010A39D7 mov edx, [ebp+var_8]
    .text:010A39DA cmp dword ptr [edx+4], 0
    .text:010A39DE jz short loc_10A3A3A
    .text:010A39E0 mov eax, [ebp+var_8]
    .text:010A39E3 mov ecx, [eax+0Ch]
    .text:010A39E6 shr ecx, 15h
    .text:010A39E9 mov edx, [ebp+var_8]
    .text:010A39EC mov eax, [edx+0Ch]
    .text:010A39EF shr eax, 14h
    .text:010A39F2 xor ecx, eax
    .text:010A39F4 mov edx, [ebp+var_8]
    .text:010A39F7 mov eax, [edx+0Ch]
    .text:010A39FA shr eax, 10h
    .text:010A39FD xor ecx, eax
    .text:010A39FF mov edx, [ebp+var_8]
    .text:010A3A02 mov eax, [edx+0Ch]
    .text:010A3A05 shr eax, 0Ch
    .text:010A3A08 xor ecx, eax
    .text:010A3A0A mov [ebp+var_4], ecx
    .text:010A3A0D mov ecx, [ebp+var_8]
    .text:010A3A10 mov edx, [ecx+0Ch]
    .text:010A3A13 shl edx, 1
    .text:010A3A15 and edx, 3FFFFFh
    .text:010A3A1B mov eax, [ebp+var_8]
    .text:010A3A1E mov [eax+0Ch], edx
    .text:010A3A21 mov ecx, [ebp+var_4]
    .text:010A3A24 and ecx, 1
    .text:010A3A27 test ecx, ecx
    .text:010A3A29 jz short loc_10A3A3A
    .text:010A3A2B mov edx, [ebp+var_8]
    .text:010A3A2E mov eax, [edx+0Ch]
    .text:010A3A31 xor eax, 1
    .text:010A3A34 mov ecx, [ebp+var_8]
    .text:010A3A37 mov [ecx+0Ch], eax
    .text:010A3A3A
    .text:010A3A3A loc_10A3A3A: ; CODE XREF: sub_10A39B4+2A↑j
    .text:010A3A3A ; sub_10A39B4+75↑j
    .text:010A3A3A mov esp, ebp
    .text:010A3A3C pop ebp
    .text:010A3A3D retn
    .text:010A3A3D sub_10A39B4 endp
    
    .text:010A3A3E sub_10A3A3E proc near ; CODE XREF: sub_10A3BB5+24↓p
    .text:010A3A3E
    .text:010A3A3E var_8 = dword ptr -8
    .text:010A3A3E var_4 = dword ptr -4
    .text:010A3A3E
    .text:010A3A3E push ebp
    .text:010A3A3F mov ebp, esp
    .text:010A3A41 sub esp, 8
    .text:010A3A44 mov [ebp+var_8], ecx
    .text:010A3A47 mov eax, [ebp+var_8]
    .text:010A3A4A mov ecx, [eax+10h]
    .text:010A3A4D shr ecx, 0Bh
    .text:010A3A50 and ecx, 1
    .text:010A3A53 mov edx, [ebp+var_8]
    .text:010A3A56 mov eax, [edx+4]
    .text:010A3A59 xor eax, ecx
    .text:010A3A5B mov ecx, [ebp+var_8]
    .text:010A3A5E mov [ecx+4], eax
    .text:010A3A61 mov edx, [ebp+var_8]
    .text:010A3A64 cmp dword ptr [edx+4], 0
    .text:010A3A68 jz short loc_10A3AC4
    .text:010A3A6A mov eax, [ebp+var_8]
    .text:010A3A6D mov ecx, [eax+10h]
    .text:010A3A70 shr ecx, 16h
    .text:010A3A73 mov edx, [ebp+var_8]
    .text:010A3A76 mov eax, [edx+10h]
    .text:010A3A79 shr eax, 15h
    .text:010A3A7C xor ecx, eax
    .text:010A3A7E mov edx, [ebp+var_8]
    .text:010A3A81 mov eax, [edx+10h]
    .text:010A3A84 shr eax, 12h
    .text:010A3A87 xor ecx, eax
    .text:010A3A89 mov edx, [ebp+var_8]
    .text:010A3A8C mov eax, [edx+10h]
    .text:010A3A8F shr eax, 11h
    .text:010A3A92 xor ecx, eax
    .text:010A3A94 mov [ebp+var_4], ecx
    .text:010A3A97 mov ecx, [ebp+var_8]
    .text:010A3A9A mov edx, [ecx+10h]
    .text:010A3A9D shl edx, 1
    .text:010A3A9F and edx, 7FFFFFh
    .text:010A3AA5 mov eax, [ebp+var_8]
    .text:010A3AA8 mov [eax+10h], edx
    .text:010A3AAB mov ecx, [ebp+var_4]
    .text:010A3AAE and ecx, 1
    .text:010A3AB1 test ecx, ecx
    .text:010A3AB3 jz short loc_10A3AC4
    .text:010A3AB5 mov edx, [ebp+var_8]
    .text:010A3AB8 mov eax, [edx+10h]
    .text:010A3ABB xor eax, 1
    .text:010A3ABE mov ecx, [ebp+var_8]
    .text:010A3AC1 mov [ecx+10h], eax
    .text:010A3AC4
    .text:010A3AC4 loc_10A3AC4: ; CODE XREF: sub_10A3A3E+2A↑j
    .text:010A3AC4 ; sub_10A3A3E+75↑j
    .text:010A3AC4 mov esp, ebp
    .text:010A3AC6 pop ebp
    .text:010A3AC7 retn
    .text:010A3AC7 sub_10A3A3E endp


About Alert Logic Threat Research

Alert Logic routinely tracks emerging vulnerabilities and active use of new exploits in the wild. This allows us to
keep up with the latest tools, techniques, and practices of attackers and provide protection for our customers for
their most critical threats.


*** This is a Security Bloggers Network syndicated blog from Alert Logic - Blogs Feed authored by Alert Logic - Blogs Feed. Read the original post at: https://blog.alertlogic.com/analyzing-techniques-used-in-hoplight-malware/