Trojan Analysis

Posted by: 极安御信
Posted on: 2023-08-24 15:48

1. Sample overview

This trojan downloads a payload from a malicious URL and then modifies local files.

SHA256:4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

MD5:56b2c3810dba2e939a8bb9fa36d3cf96

SHA1:99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

2. Behavioral analysis

First, the ThreatBook (微步) cloud sandbox report:

[screenshots: 微步云沙箱 sandbox report]


Malicious server address: ddos.dnsnb8.net
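As an added example (not code from the original post), here is a small Python IOC check that ties the three hashes from section 1 and the server address above together: it hashes a file image and compares the result against the listed values, and it scans DNS query logs for lookups of the malicious server. The log lines are constructed for the example and their key=value layout is an assumption; treating subdomains of the malicious host as hits is also an assumption, since the post lists only the bare host.

```python
import hashlib
import re

# Indicators taken from the write-up: file hashes from section 1 and the
# malicious server from the sandbox report.
IOC_HASHES = {
    "md5": "56b2c3810dba2e939a8bb9fa36d3cf96",
    "sha1": "99ee31cd4b0d6a4b62779da36e0eeecdd80589fc",
    "sha256": "4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07",
}
C2_DOMAIN = "ddos.dnsnb8.net"


def hash_bytes(data: bytes) -> dict:
    """Compute the three hash types the IOC list uses, as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_algorithms(hashes: dict) -> list:
    """Return the algorithm names whose supplied hash equals the IOC value.

    Comparison is case-insensitive because threat feeds mix upper- and
    lower-case hex.
    """
    return sorted(
        algo for algo, value in hashes.items()
        if algo in IOC_HASHES and value.lower() == IOC_HASHES[algo]
    )


def is_c2_domain(name: str) -> bool:
    """True for the malicious host itself or any label beneath it.

    Assumption: subdomains of the host count as hits; the post lists only
    the bare host name. A trailing dot (FQDN form) is tolerated.
    """
    name = name.rstrip(".").lower()
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


# Constructed DNS log lines in a simple key=value form (not real telemetry).
SAMPLE_DNS_LOG = """\
2023-08-24 15:40:01 client=10.0.0.5 query=update.microsoft.com type=A
2023-08-24 15:40:03 client=10.0.0.5 query=ddos.dnsnb8.net type=A
2023-08-24 15:40:04 client=10.0.0.7 query=cdn.ddos.dnsnb8.net type=A
2023-08-24 15:40:09 client=10.0.0.7 query=dnsnb8.net.example.org type=A
"""

_QUERY_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def c2_lookups(log_text: str) -> list:
    """Return (client, queried name) pairs for lookups of the C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if m and is_c2_domain(m.group("query")):
            hits.append((m.group("client"), m.group("query")))
    return hits


if __name__ == "__main__":
    # A random blob never matches; a real scan would hash the dropped file.
    print(matching_algorithms(hash_bytes(b"not the sample")))
    print(c2_lookups(SAMPLE_DNS_LOG))
```

The last log line is a deliberate near-miss: `dnsnb8.net.example.org` contains the malicious name as a substring but is not under it, which is why the check compares whole labels rather than doing a substring search.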

Next, the Huorong Sword (火绒剑) monitoring results:

[screenshot: 火绒剑 monitor log]


There are a large number of modifications to local files here:

[screenshot: file-modification events]


Finally, the sample deletes itself.

3. Static analysis

First, check for a packer:

[screenshot: packer detection result]


Unpack with x32dbg:

[screenshot: packed entry point in x32dbg]


On seeing pushad, either use the ESP trick (step over pushad, set a hardware breakpoint on the address in ESP, and run) or press Ctrl+F to search for popad and select the first hit:

[screenshot: popad search result]


Walk to the ret, which lands on the OEP; dump the process from there:

[screenshots: ret and OEP in x32dbg]

Note the OEP here:

[screenshot: OEP]
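The ESP-trick sequence described above, written as an x64dbg/x32dbg script so the steps are reproducible. This is an added example, not part of the original post. It assumes the packer stub has the plain pushad ... popad ... ret layout shown in the screenshots, that the debugger is paused at the packed entry point with pushad as the next instruction, and that the command names and `$result` variable behave as documented for the x64dbg script engine.

```x64dbg
// Added example: ESP trick for a pushad/popad packer stub.
// Run while paused on the stub's pushad at the packed entry point.
sti                       // execute pushad; ESP now points at the saved registers
var saved_esp
mov saved_esp, esp
bphws saved_esp, r, 4     // hardware breakpoint: fires when the stub reads them back (popad)
erun                      // run, skipping exceptions, until the breakpoint hits
bphwc saved_esp

// Paused just after popad. Locate the ret that transfers to the OEP.
find cip, "C3"            // first 0xC3 byte forward from the current instruction pointer
cmp $result, 0
je no_ret
bp $result
erun
bpc $result
sti                       // execute the ret: cip is now the OEP
log "OEP = {p:cip}"
ret

no_ret:
log "no ret found after popad; inspect the stub manually"
ret
```

The `find` step is a heuristic: a 0xC3 byte can sit inside a longer instruction, so confirm against the disassembly, as the post does by stepping to the ret by hand, before dumping and rebuilding imports.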


Next, load the dump into IDA and, using the OEP found earlier, locate the key code:

[screenshots: IDA view at the OEP]



Enter the function at 1371638:

[screenshot: function 1371638]


This retrieves the temp-folder path, the system directory, the current process path, and so on; it then enters 137139F, marked by the arrow:

[screenshot: 137139F]


After returning, continue downward:

[screenshot: code after the return]


Enter the location marked by the first arrow:

[screenshot: first arrow target]


This downloads a file and launches it. Enter the second arrow:

[screenshot: second arrow target]


Function sub_1371973:

[screenshot: sub_1371973]


This function copies the sample into the temp path and reads its own contents. After it returns, enter the thread callback:

[screenshots: thread creation and callback in IDA]

This obtains the drive type for each drive letter; if the value is greater than 1 and not equal to 5, a thread is spawned for that drive. Those values are consistent with GetDriveType's return codes: the check skips DRIVE_UNKNOWN (0), DRIVE_NO_ROOT_DIR (1) and the read-only DRIVE_CDROM (5), so removable, fixed, network and RAM-disk drives are all processed.


Inside the callback, enter sub_13728B8:

[screenshot: sub_13728B8]


This filters for files with .exe and .rar extensions. Enter sub_137239D:

[screenshot: sub_137239D]


This performs the write operations: the code traverses directories, filters for .exe and .rar extensions, and writes into each matching file.

The third arrow is the file-deletion logic. This pass was not a detailed analysis; the rough picture is that the sample downloads a file, then walks directories looking for .exe and .rar files and writes into them. Because this was static-only, the finer details were not recovered; a follow-up will combine dynamic analysis for a more thorough look.
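To make the propagation logic concrete, here is an added Python simulation (not the sample's code and not from the original post) of the three steps the write-up identifies: the per-drive GetDriveType check (greater than 1 and not equal to 5), one worker thread per qualifying drive, and the directory walk that selects .exe and .rar files. It runs against a constructed directory tree instead of real drives and only lists the files that would be written into; it writes nothing. Case-insensitive suffix matching and the one-thread-per-drive structure are assumptions drawn from the description above.

```python
import os
import tempfile
import threading
from pathlib import Path

# GetDriveType return values (winbase.h). The write-up's check "greater than 1
# and not equal to 5" therefore skips DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR and DRIVE_CDROM.
DRIVE_UNKNOWN = 0
DRIVE_NO_ROOT_DIR = 1
DRIVE_REMOVABLE = 2
DRIVE_FIXED = 3
DRIVE_REMOTE = 4
DRIVE_CDROM = 5
DRIVE_RAMDISK = 6

TARGET_SUFFIXES = {".exe", ".rar"}


def drive_is_targeted(drive_type: int) -> bool:
    """The per-drive test described in the post: type > 1 and type != 5."""
    return drive_type > 1 and drive_type != DRIVE_CDROM


def targeted_files(root: str) -> list:
    """Walk a drive root and return the files the infector would write into.

    Assumption: suffix matching is case-insensitive, as Windows file names are.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if Path(name).suffix.lower() in TARGET_SUFFIXES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def simulate(drives: dict) -> dict:
    """drives maps a drive letter to (GetDriveType value, root path).

    Mirrors the structure the post describes: one worker thread per drive
    that passes the drive-type check, each enumerating its own targets.
    Returns {letter: [paths]} for the drives that were processed.
    """
    results = {}
    lock = threading.Lock()

    def worker(letter, root):
        found = targeted_files(root)
        with lock:
            results[letter] = found

    threads = []
    for letter, (drive_type, root) in drives.items():
        if not drive_is_targeted(drive_type):
            continue
        t = threading.Thread(target=worker, args=(letter, root))
        threads.append(t)
        t.start()
    for t in threads:
        t.join()
    return results


def build_sample_tree() -> str:
    """Constructed directory tree standing in for a drive (not real data)."""
    root = tempfile.mkdtemp(prefix="infector_sim_")
    for rel in ["setup.exe", "backup.rar", "notes.txt",
                "tools/scanner.EXE", "tools/old/data.RAR", "tools/readme.md"]:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = simulate({
        "C": (DRIVE_FIXED, root),        # processed
        "D": (DRIVE_CDROM, root),        # skipped: type == 5
        "E": (DRIVE_REMOVABLE, root),    # processed
        "F": (DRIVE_NO_ROOT_DIR, root),  # skipped: type <= 1
    })
    for letter in sorted(report):
        print(letter, len(report[letter]), "target files")
```

Running it shows that only C and E are processed and that each yields four targets (the .txt and .md files are ignored, while the upper-case .EXE and .RAR are caught), which is the file population a detection rule or a cleanup script would need to cover.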



Disclaimer: the views in this article are the author's own; when reposting, please credit 看雪 (Pediy).