This post was last edited by 暴龙兽 on 2020-12-3 16:08
Analysis of a Rapid ransomware variant
Execution flow:
- 1 Decrypt the shellcode and jump to it.
- 2 The shellcode decrypts the ransomware body and overwrites each section of the original process with the corresponding section of the body.
- 3 Encrypt files and display the ransom note.
md5: 40C5113E35DD653CA1FC1524D51DA408
sha1: C43028B0A2287D7E64199500D48CE7C5F864DC54
FileVersion: 1.0.0.1
InternalName: sgahfghjfghj.exe
LegalCopyright: Copyright (C) 2017, masesrziro
Decrypting the shellcode
1 The sample first calls a number of irrelevant APIs as a distraction.
2 It allocates 0x401b8 bytes of memory, changes the page protection of that region, and decrypts the shellcode into it. The decryption routine, reconstructed in Python (only the first 64 bytes of the encrypted blob are shown here):
import struct

MASK32 = 0xffffffff

# First 64 bytes of the encrypted shellcode as extracted from the sample
# (the whole blob is 0x401b8 bytes; the routine works on 8-byte blocks).
shellcode = b"\x7c\x98\x39\x52\x45\x84\x52\x73\xA9\xEB\xDB\x07\x5F\xEC\x20\x1D" \
            b"\xD2\xE1\xE3\x22\x02\x92\x36\xE8\x8C\x6C\x76\x2E\x11\x55\x42\xD3" \
            b"\x1F\x1A\x03\x94\xD8\xFF\x88\xD0\x90\x81\x72\xFB\xF0\x2F\x42\x14" \
            b"\x82\xC9\x8F\xBD\xD8\xE2\xDD\x3C\xBA\x62\xBB\x9B\x5D\x72\x09\xE5"


def decrypt(enc_one, enc_two):
    """Decrypt one 8-byte block given as two 4-byte little-endian halves."""
    key0 = 0xc6ef3720        # running sum: 0xc6ef3720 == 32 * 0x9e3779b9 mod 2**32
    key1 = 0x5aabd3f6
    key2 = 0xf770d8de
    key3 = 0x9ad9a390
    key4 = 0x5a454ee9
    times = 0x20             # 32 rounds
    value_one = int.from_bytes(enc_one, byteorder='little')
    value_two = int.from_bytes(enc_two, byteorder='little')
    while times > 0:
        # all arithmetic is modulo 2**32, matching the 32-bit registers in the sample
        value_two = (value_two - ((key0 + value_one)
                                  ^ (key3 + (value_one << 4))
                                  ^ (key4 + (value_one >> 5)))) & MASK32
        tmp_one = ((key0 + value_two)
                   ^ (key1 + (value_two << 4))
                   ^ (key2 + (value_two >> 5))) & MASK32
        key0 = (key0 + 0x61c88647) & MASK32   # equivalent to key0 -= 0x9e3779b9
        value_one = (value_one - tmp_one) & MASK32
        times -= 1
    return struct.pack('<II', value_one, value_two)


if __name__ == "__main__":
    plain = bytes()
    for i in range(0, len(shellcode), 8):
        args_one = shellcode[i:i + 4]
        args_two = shellcode[i + 4:i + 8]
        plain += decrypt(args_one, args_two)
    with open("shellcode.bin", "wb") as f:   # dump the decrypted blob for IDA
        f.write(plain)
    print("decrypt over")
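The constants in the routine above identify it: 0x9e3779b9 is the TEA delta (derived from the golden ratio), 0xc6ef3720 is 32 * delta mod 2**32, the sum after 32 encryption rounds, and adding 0x61c88647 is the same as subtracting the delta. So the shellcode is protected with plain TEA, using key words k0..k3 = key1..key4 of the script. The following block is an added example (not code from the post or from the sample) that implements both directions of TEA with that key, so the identification can be verified by round trip and the same encoder/decoder reused on other blobs that show these constants; the plaintext in the demo is constructed.

```python
import struct

DELTA = 0x9E3779B9          # TEA round constant; 0xC6EF3720 == 32 * DELTA mod 2**32
MASK32 = 0xFFFFFFFF
# Key words as they appear in the sample's decryption routine (key1..key4 in the post's script).
SAMPLE_KEY = (0x5AABD3F6, 0xF770D8DE, 0x9AD9A390, 0x5A454EE9)


def tea_encrypt_block(v0, v1, key, rounds=32):
    """Standard TEA encryption of one 64-bit block given as two 32-bit words."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, key, rounds=32):
    """Standard TEA decryption; identical in structure to the sample's routine."""
    k0, k1, k2, k3 = key
    s = (DELTA * rounds) & MASK32          # 0xC6EF3720 for the usual 32 rounds
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32           # same as adding 0x61C88647
    return v0, v1


def _map_blocks(data, key, fn):
    if len(data) % 8:
        raise ValueError("TEA works on 8-byte blocks; input length %d" % len(data))
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from('<II', data, off)   # little-endian DWORDs, as in the sample
        out += struct.pack('<II', *fn(v0, v1, key))
    return bytes(out)


def tea_encrypt_buffer(data, key=SAMPLE_KEY):
    return _map_blocks(data, key, tea_encrypt_block)


def tea_decrypt_buffer(data, key=SAMPLE_KEY):
    return _map_blocks(data, key, tea_decrypt_block)


if __name__ == "__main__":
    # Constructed plaintext (a typical x86 prologue followed by padding), not sample data.
    plaintext = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10
    ct = tea_encrypt_buffer(plaintext)
    assert tea_decrypt_buffer(ct) == plaintext
    print("round trip ok, ciphertext:", ct.hex())
```

To use this on the real blob, dump the 0x401b8-byte buffer from the sample and pass it to tea_decrypt_buffer; a result that begins with valid x86 instructions confirms both the algorithm and the key order.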
Dropping the ransomware body
- 1 Obtain the addresses of LoadLibraryA, GetProcAddress and the ImageBase.
- 2 Resolve the addresses of the functions the loader needs:
HMODULE kernel32 = LoadLibraryA("kernel32.dll");
GetProcAddress(kernel32, "VirtualAlloc");
GetProcAddress(kernel32, "VirtualProtect");
GetProcAddress(kernel32, "VirtualFree");
GetProcAddress(kernel32, "GetVersionEx");      // kernel32 exports GetVersionExA/GetVersionExW; "GetVersionEx" itself is only a header macro, so the string in the binary must be one of the two export names
GetProcAddress(kernel32, "TerminateProcess");
- 3 Allocate memory, decrypt the ransomware, and overwrite the original process's sections with its sections.
- 5 Check whether relocation is needed.
Basic idea of relocation: suppose the preferred load address is A, the actual load address is B, and C is an absolute address stored in the image (computed against A). The relocated address is D = C - A + B, and this value is written back over C. If A == B nothing needs to be done.
- 6 Jump to the ransomware's OEP.
jmp eax
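The rule D = C - A + B is applied by walking the image's .reloc directory: a sequence of IMAGE_BASE_RELOCATION blocks, each a DWORD page RVA, a DWORD block size (header included), then 16-bit entries whose top 4 bits are the type and low 12 bits the offset within that page; entries of type 0 (IMAGE_REL_BASED_ABSOLUTE) are alignment padding. The block below is an added example (not code from the post or from the sample) that implements that walk over an in-memory image where RVA equals offset, as it is after the sections have been mapped in step 3. It also handles the 64-bit DIR64 entry type, which this x86 sample does not use. The image, base addresses and fixup locations are constructed for the demo.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address (x86 images, as here)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address (x64 images)

# Constructed values: A is what the linker assumed, B is where the loader put the image.
PREFERRED_BASE = 0x00400000    # A
ACTUAL_BASE = 0x10000000       # B


def read_u32(image, rva):
    return struct.unpack_from('<I', image, rva)[0]


def apply_base_relocations(image, reloc_rva, reloc_size, preferred_base, actual_base):
    """Add (B - A) to every absolute address listed in the relocation directory.

    `image` is a bytearray of the mapped image (RVA == offset). Returns the number
    of fixups applied; 0 when the image landed at its preferred base."""
    delta = actual_base - preferred_base
    if delta == 0:
        return 0                                   # step 5: no relocation needed
    patched = 0
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from('<II', image, pos)
        if block_size < 8 or pos + block_size > end:
            raise ValueError("malformed relocation block at RVA 0x%x" % pos)
        for entry_off in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from('<H', image, entry_off)[0]
            rtype, offset = entry >> 12, entry & 0x0FFF
            target = page_rva + offset             # RVA of the value C to patch
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                c = read_u32(image, target)
                struct.pack_into('<I', image, target, (c + delta) & 0xFFFFFFFF)   # D = C - A + B
            elif rtype == IMAGE_REL_BASED_DIR64:
                c = struct.unpack_from('<Q', image, target)[0]
                struct.pack_into('<Q', image, target, (c + delta) & 0xFFFFFFFFFFFFFFFF)
            else:
                raise ValueError("unsupported relocation type %d" % rtype)
            patched += 1
        pos += block_size
    return patched


def build_sample_image():
    """Construct a 3-page image with three absolute pointers and a matching .reloc directory."""
    image = bytearray(0x3000)
    # RVA -> absolute address C, all computed against the preferred base A.
    fixups = {0x1010: PREFERRED_BASE + 0x1234,
              0x1024: PREFERRED_BASE + 0x2000,
              0x2008: PREFERRED_BASE + 0x3FF0}
    for rva, value in fixups.items():
        struct.pack_into('<I', image, rva, value)
    # Two blocks: page 0x1000 with two entries, page 0x2000 with one entry plus ABSOLUTE padding.
    block1 = struct.pack('<IIHH', 0x1000, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
                         (IMAGE_REL_BASED_HIGHLOW << 12) | 0x024)
    block2 = struct.pack('<IIHH', 0x2000, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x008, 0)
    reloc = block1 + block2
    reloc_rva = 0x2800
    image[reloc_rva:reloc_rva + len(reloc)] = reloc
    return image, reloc_rva, len(reloc), fixups


if __name__ == "__main__":
    image, rva, size, fixups = build_sample_image()
    n = apply_base_relocations(image, rva, size, PREFERRED_BASE, ACTUAL_BASE)
    for target, c in fixups.items():
        print("RVA 0x%04x: C=0x%08x -> D=0x%08x" % (target, c, read_u32(image, target)))
    print("%d fixups applied" % n)
```

In a real loader the directory location and size come from the optional header's data directory entry for base relocations, and the ImageBase from the same header; the walk itself is exactly the one above.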
Ransomware execution
A detailed analysis report of this part already exists, so it is omitted here. Report link
Attachments
The attachments contain: the original sample and its IDB file, the extracted shellcode and its IDB, and the final ransomware payload.