明天发下啊第两阶段
1.搜集有闭零碎的数据;
2.将本身复造到位于“%AppData%\[random_path]\[random_file_name].exe”中的一个随机定名的文件;
3.树立一个在以后用户下一次登录零碎时运转本身的方案义务;
4.在注册表中创立注册表项,并存储AES减稀的数据(步调1中搜集的零碎数据);
5.从“%AppData%\[random_path]\[random_file_name].exe”中运转下一阶段的可履行文件。
有一个额定的细节,歹意硬件在搜集有闭零碎的数据时,创立了一个风趣的构造。例如,在测试机上,歹意硬件创立的构造以下:
[Asm] 纯文本查看 复制代码 00 00 02 00 00 00 06 00 03 3C 80 5E 96 58 91 B607 54 A4 00 00 00 03 00 00 00 37 36 34 38 37 2D33 34 31 2D 38 36 31 39 31 30 33 2D 32 32 30 3634 00 2C 00 00 00 41 32 32 2D 30 30 30 30 31 0000 00 00 00 00 00 2C CC C0 A8 22 31 A6 35 23 98E5 97 52 11 03 00 00 00 00 00 45 53 07 54 50 6F04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00 00 00 37 34 34 30 32 0000 00 00 00 00 00 B8 03 00 00 80 5E 96 58 00 0100 00 EA 32 00 00 00 00 00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000 00 2C 47 6C C7 00 BA 0D F0 AD BA 0D F0 AD BA +0x02 dwNumberOfProcessors (SYSTEM_INFO)+0x06 wProcessorLevel (SYSTEM_INFO)+0x08 wProcessorRevision (SYSTEM_INFO)+0x0A VolumeSerialNumber +0x0E InstallDate "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"+0x12 DigitalProductID "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
计算上述构造的MD5集列并存储在当地。创立ASCII战Unicode格局化的字符串所暗示的MD5集列。例如,在测试机上:
[Asm] 纯文本查看 复制代码 00853D20 39 37 32 39 35 38 41 36 35 38 38 30 42 35 35 41 972958A65880B55A00853D30 30 45 42 44 35 35 35 39 30 37 38 43 31 37 33 35 0EBD5559078C1735 00853E58 39 00 37 00 32 00 39 00 35 00 38 00 41 00 36 00 9.7.2.9.5.8.A.6.00853E68 35 00 38 00 38 00 30 00 42 00 35 00 35 00 41 00 5.8.8.0.B.5.5.A.00853E78 30 00 45 00 42 00 44 00 35 00 35 00 35 00 39 00 0.E.B.D.5.5.5.9.00853E88 30 00 37 00 38 00 43 00 31 00 37 00 33 00 35 00 0.7.8.C.1.7.3.5.
两个MD5集列将战计算机称号衔接在一同(#做为分隔符)。然后计算出衔接后的字符串的MD5集列。那个MD5集列是一个歹意硬件运用的无独有偶的GUID。该歹意硬件运用了相反的算法,发生了相反的后果,那个后果关于每个被传染的零碎来讲是无独有偶的。
接上去,歹意硬件在“%AppData%”中创立了一个随机定名的途径并将本身复造到该目次中,文件称号是随机定名的可履行文件。例如,测试零碎上,该歹意硬件创立其本身的正本鄙人里的地位:
[Asm] 纯文本查看 复制代码 “%AppData%\MfzxAHCb\HQHKWbsv\PMqLMKtj\oPQVNiRgs.exe”
新创立的正本的MD5集列与字符“BOTNET2”存储在一同:
[Asm] 纯文本查看 复制代码 0012F628 8A 15 4F AE 3B 78 B4 8D B1 71 C4 C9 49 99 E0 C0 è.O«;x|.|q-+IÖa+0012F638 42 4F 54 4E 45 54 32 00 00 00 00 00 00 00 00 00 BOTNET2.........
歹意硬件创立的方案义务将在以后用户下次登录零碎时运转。那是经过履行以下挪用挨次完成的:
[Asm] 纯文本查看 复制代码 1.CoCreateInstance(creates ITaskScheduler, CLSID {148bd52a-a2ab-11ce-b11f-00aa00530503}, IID {148bd527-a2ab-11ce-b11f-00aa00530503}).2.ITaskScheduler::NewWorkItem(creates ITask, CLSID_CTask {148BD520-A2AB-11CE-B11F-00AA00530503}, IID_ITask{148BD524-A2AB-11CE-B11F-00AA00530503}).3.ITask::SetFlags.4.ITask:SetAccountInformation.5.ITask::SetWorkingDirectory.6.ITask::SetApplicationName.7.ITask::SetMaxRunTime.8.ITask::CreateTrigger.9.ITaskTrigger:SetTrigger. ;PTASK_TRIGGER: ;Stack[00000F08]:0012E1BC 30 00 dw 30h ; cbTriggerSize ;Stack[00000F08]:0012E1BE 00 00 dw 0 ; Reserved ............................... ;Stack[00000F08]:0012E1D8 04 00 00 00 dd 4 ; rgFlags ;Stack[00000F08]:0012E1DC 07 00 00 00 dd 7 ; TASK_EVENT_TRIGGER_AT_LOGON ;Stack[00000F08]:0012E1E0 01 00 00 00 dd 1 ; Type10.ITask::QueryInterface(CLSID_IPersistFile)11.IPersistFile::Save.
创立注册表项“HKCU\\Software\\Classes\\CLSID\\{[unique_per_system_guid]}”,用“@”去添补子项“0”战“1”。注册表中的数据是经过AES减稀的。注册表将数据传递到了下一阶段。AES的稀钥可以从硬编码的数据中取得:
[Asm] 纯文本查看 复制代码 00854028 08 00 99 E3 72 5D A8 0E FB DF A8 87 42 D4 AA AB ..Öpr]¿.vˉ¿çB+¬½00854038 DE AD 35 3F 41 B9 80 5D 85 D4 2E A1 00 E6 E1 8C |¡5?A|Ç]à+.í.μßî00854048 31 00 01 00 53 C3 00 00 39 37 32 39 35 38 41 36 1...S+.
得出的稀钥为:
[Asm] 纯文本查看 复制代码 0012E750 E3 99 00 08 0E A8 5D 72 87 A8 DF FB AB AA D4 42 pÖ...¿]rç¿ˉv½¬+B
失掉稀钥的算法为:
[Asm] 纯文本查看 复制代码 .text:0040EA85 0F B6 79 FE movzx edi, byte ptr [ecx-2].text:0040EA89 0F B6 59 FF movzx ebx, byte ptr [ecx-1].text:0040EA8D C1 E7 08 shl edi, 8.text:0040EA90 0B FB or edi, ebx.text:0040EA92 0F B6 19 movzx ebx, byte ptr [ecx].text:0040EA95 C1 E7 08 shl edi, 8.text:0040EA98 0B FB or edi, ebx.text:0040EA9A 0F B6 59 01 movzx ebx, byte ptr [ecx+1].text:0040EA9E C1 E7 08 shl edi, 8.text:0040EAA1 0B FB or edi, ebx.text:0040EAA3 89 3C 96 mov [esi+edx*4], edi.text:0040EAA6 42 inc edx.text:0040EAA7 83 C1 04 add ecx, 4.text:0040EAAA 83 FA 04 cmp edx, 4.text:0040EAAD 7C D6 jl short loc_40EA85
接上去,歹意硬件运转其位于“%AppData%”目次下的正本:
[Asm] 纯文本查看 复制代码 .text:00403BA1 8D 55 E4 lea edx, [ebp+var_1C].text:00403BA4 52 push edx ; lpProcessInformation.text:00403BA5 8D 45 8C lea eax, [ebp+StartupInfo].text:00403BA8 50 push eax ; lpStartupInfo.text:00403BA9 53 push ebx ; lpCurrentDirectory.text:00403BAA 53 push ebx ; lpEnvironment.text:00403BAB 68 00 00 00 04 push CREATE_DEFAULT_ERROR_MODE ; dwCreationFlags.text:00403BB0 53 push ebx ; bInheritHandles.text:00403BB1 53 push ebx ; lpThreadAttributes.text:00403BB2 53 push ebx ; lpProcessAttributes.text:00403BB3 68 F0 19 41 00 push offset CommandLine ; lpCommandLine.text:00403BB8 8D 8D 79 FC FF FF lea ecx, [ebp+MultiByteStr].text:00403BBE 51 push ecx ; lpApplicationName ;"%AppData%\MfzxAHCb\HQHKWbsv\PMqLMKtj\oPQVNiRgs.exe"..text:00403BBF 89 5D E4 mov [ebp+var_1C], ebx.text:00403BC2 89 5D E8 mov [ebp+var_18], ebx.text:00403BC5 89 5D EC mov [ebp+var_14], ebx.text:00403BC8 89 5D F0 mov [ebp+var_10], ebx.text:00403BCB C7 45 8C 44 00 00 00 mov [ebp+StartupInfo.cb], 44h.text:00403BD2 FF 15 60 10 41 00 call ds:CreateProcessA
|