In this article I'll analyze the recent Havex malware. You can read more about this malware here.
First of all I want to thank Kyle Wilhoit for providing me with all the samples of Havex malware.
Ok, let's start... As far as I've seen, all samples of this malware have a resource called ICT (in the SCADA module it is called TYU) which contains an encoded config file:
Have you ever wondered about having an EXE without any entry in the IAT (Import Address Table) at all? Well, I knew that it was possible, but I had never seen an actual EXE file without a single IAT entry. So I developed an application which is 1,536 bytes and still does the basic annoying things malware does. So, to summarize, this tiny app:
- Enumerates the following APIs:
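As a defender-side check for the property described above, an EXE whose import directory is empty, here is an added example that is not code from the original post: a small PE header parser that reads the import data directory and flags a binary that has no import table. The `build_pe32_header` helper constructs a minimal fake PE32 header purely for testing and is my assumption, not a real sample.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table in the data directory


def import_directory(pe: bytes):
    """Return (rva, size) of the import directory, or None if the PE declares none."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:  # PE32: NumberOfRvaAndSizes at +92, DataDirectory at +96
        n_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at +108, DataDirectory at +112
        n_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", pe, n_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return None  # header too short to even hold an import directory entry
    rva, size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    return (rva, size) if rva and size else None


def has_no_imports(pe: bytes) -> bool:
    """True when the binary carries no import table at all (a triage signal worth a closer look)."""
    return import_directory(pe) is None


def build_pe32_header(import_rva=0, import_size=0, n_dirs=16) -> bytes:
    """Constructed minimal PE32 header (headers only, not a runnable program) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature right after the DOS header
    # Machine=i386, 1 section, no symbols, SizeOfOptionalHeader=224, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)  # 96 fixed bytes + 16 data directories of 8 bytes
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, n_dirs)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("no imports:", has_no_imports(build_pe32_header()))
    print("with imports:", has_no_imports(build_pe32_header(0x2000, 40)))
```

Run it against real files by reading them in binary mode and passing the bytes to `has_no_imports`; an absent import table is not proof of malice (some packed or hand-built binaries have none) but it is a cheap triage flag.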