[Share] Recommending a sample
Posted on: 2012-8-3 14:09   7256
1. The decryption code is interleaved with many useless API calls (SetWindowText, GetCurrentDirectory). Is this a recent trend?
2. On the surface the sample is not packed, but internally it already implements IAT filling, relocation and so on, which amounts to implementing a packer's functionality itself.
3. Before running a piece of code, it first VirtualAllocs a block of memory, copies the code there, relocates it itself, fills the IAT itself, and then jmp XXXXXXXX to execute it.
4. While debugging in a virtual machine I found that the sample runs another instance of itself (via StartService or CreateProcess), and at that point it always blue-screens; I dare not debug it on a real machine, it seems to be somewhat destructive.

I feel this is one of the more unusual samples I have seen; I also hope some friends can help take a look at this sample and discuss it together.

The attachment password is 123456

before unpacking.rar
after unpacking.rar
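As an added illustration of the relocation step the post describes (example code written for this page, not code from the sample, the poster or the attachments): a small Python walker over IMAGE_BASE_RELOCATION blocks that applies the base delta the way a loader does, plus a check an analyst can run on a dump of the VirtualAlloc'd region to see whether the copy was dumped before or after the sample finished relocating it. The 32-byte image, its two pointer slots, the relocation block and the bases 0x00400000 / 0x10000000 are constructed test data; the constant names follow the PE/COFF specification.

```python
import struct

# Relocation entry types from the PE/COFF spec (only those handled here).
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address


def parse_reloc_blocks(reloc):
    """Walk IMAGE_BASE_RELOCATION blocks and yield (type, rva) per entry.

    Each block is an 8-byte header (page RVA, SizeOfBlock) followed by
    16-bit entries: high 4 bits = type, low 12 bits = offset in the page.
    """
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size == 0:
            break  # a zero-sized block terminates the table
        if size < 8 or pos + size > len(reloc):
            raise ValueError("malformed relocation block at offset %#x" % pos)
        for i in range((size - 8) // 2):
            (entry,) = struct.unpack_from("<H", reloc, pos + 8 + 2 * i)
            yield entry >> 12, page_rva + (entry & 0xFFF)
        pos += size


def apply_relocations(image, reloc, delta):
    """Add delta (actual base - preferred base) to every fixup slot in image.

    Returns the list of RVAs that were patched. This is what the loader, or
    in the sample described above the code itself, does after copying an
    image into a freshly allocated region.
    """
    patched = []
    for rtype, rva in parse_reloc_blocks(reloc):
        if rtype == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if rtype == IMAGE_REL_BASED_HIGHLOW:
            (value,) = struct.unpack_from("<I", image, rva)
            struct.pack_into("<I", image, rva, (value + delta) & 0xFFFFFFFF)
        elif rtype == IMAGE_REL_BASED_DIR64:
            (value,) = struct.unpack_from("<Q", image, rva)
            struct.pack_into("<Q", image, rva, (value + delta) & 0xFFFFFFFFFFFFFFFF)
        else:
            raise ValueError("unsupported relocation type %d at RVA %#x" % (rtype, rva))
        patched.append(rva)
    return patched


def count_unrelocated(image, reloc, preferred_base, size_of_image):
    """Count fixup slots that still point into the *preferred* image range.

    Run this on a memory dump of the VirtualAlloc'd region: a non-zero
    result means the dump was taken before the relocation loop finished.
    """
    stale = 0
    for rtype, rva in parse_reloc_blocks(reloc):
        if rtype != IMAGE_REL_BASED_HIGHLOW:
            continue
        (value,) = struct.unpack_from("<I", image, rva)
        if preferred_base <= value < preferred_base + size_of_image:
            stale += 1
    return stale


def build_sample():
    """Constructed test data: a 32-byte 'image' holding two absolute pointers."""
    preferred_base = 0x00400000
    image = bytearray(32)
    struct.pack_into("<I", image, 0x08, preferred_base + 0x1000)
    struct.pack_into("<I", image, 0x10, preferred_base + 0x2000)
    # One block for page RVA 0 with two HIGHLOW entries plus two ABSOLUTE
    # padding entries, so SizeOfBlock stays 4-byte aligned as Windows expects.
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x08,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x10,
               IMAGE_REL_BASED_ABSOLUTE, IMAGE_REL_BASED_ABSOLUTE]
    reloc = struct.pack("<II", 0, 8 + 2 * len(entries)) + struct.pack("<4H", *entries)
    return image, reloc, preferred_base


def demo(actual_base=0x10000000):
    """Relocate the constructed image to actual_base; return what changed."""
    image, reloc, preferred_base = build_sample()
    before = count_unrelocated(image, reloc, preferred_base, 0x3000)
    patched = apply_relocations(image, reloc, actual_base - preferred_base)
    after = count_unrelocated(image, reloc, preferred_base, 0x3000)
    values = [struct.unpack_from("<I", image, rva)[0] for rva in patched]
    return patched, values, before, after


if __name__ == "__main__":
    print(demo())
```

When comparing the "before unpacking" and "after unpacking" copies, the useful number is count_unrelocated: on a dump of the allocated region it distinguishes a half-initialised copy from one that is ready to have its IAT rebuilt, and the same walk over the block list doubles as a sanity check that the relocation directory itself is well formed.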


Latest replies (3)
#2
This is very common in viruses; it is purely for AV evasion.
2012-8-3 15:06
#3
I would really like to know what a "not so unusual" virus looks like.
Does not evade Sandboxie, no packer, no junk code, does not use Zw functions, does not use a driver?
2012-8-5 16:35
#4
Behaviour monitored when running it in a sandbox:
Created a service named: syshost.exe
Created an event named: Global\NitrGB
Created an event named: Local\NitrGB
Created file in defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\79e4054f.tmp
Created process: (null),C:\WINDOWS\Installer\{E70BF38A-2625-DDC3-5509-CE002C0BE8B5}\syshost.exe,(null)
Created process: (null),cmd.exe /C del /Q /F "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1b158495.tmp",(null)
Defined file type created in Windows folder: C:\WINDOWS\system32\drivers\4802ff.sys
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\syshost32 = C:\WINDOWS\Installer\{E70BF38A-2625-DDC3-5509-CE002C0BE8B5}\syshost.exe
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\DisplayName = syshost.exe
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\ImagePath = C:\WINDOWS\system32\drivers\4802ff.sys
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\Start = 01000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\Type = 01000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\SbieSvc\SandboxedServices = *yshost324802ff
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\ImagePath = "C:\WINDOWS\Installer\{E70BF38A-2625-DDC3-5509-CE002C0BE8B5}\syshost.exe" /service
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\SBIE_CurrentState = 01000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\Start = 02000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\Type = 10000000
Detected keylogger functionality
Ends Windows session
Enumerated running processes
Got volume information
Hide file from user: C:\WINDOWS\SbiePst.dat
Injected code into process:
Injected code into process: c:\documents and settings\administrator\桌面\bsa\bsa.exe
Injected code into process: c:\program files\vmware\vmware tools\vmacthlp.exe
Injected code into process: c:\program files\vmware\vmware tools\vmtoolsd.exe
Injected code into process: c:\program files\vmware\vmware tools\vmupgradehelper.exe
Injected code into process: c:\program files\vmware\vmware tools\vmwaretray.exe
Injected code into process: c:\program files\vmware\vmware tools\vmwareuser.exe
Injected code into process: c:\windows\explorer.exe
Injected code into process: c:\windows\system32\cmd.exe
Injected code into process: c:\windows\system32\ctfmon.exe
Injected code into process: c:\windows\system32\lsass.exe
Injected code into process: c:\windows\system32\services.exe
Injected code into process: c:\windows\system32\smss.exe
Injected code into process: c:\windows\system32\spoolsv.exe
Injected code into process: c:\windows\system32\svchost.exe
Injected code into process: c:\windows\system32\winlogon.exe
Loaded a system driver: :41 SBIE2103 亂bk\諎燫}忹|邁q毃R '4802ff
2012-9-16 21:59
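To turn the report above into something that can be compared against other samples, here is an added Python helper (written for this page, not part of the sandbox tool or of the reply) that groups the lines by category, pulls the service names out of the registry paths, separates the Run-key persistence and the dropped driver from Sandboxie's own bookkeeping, and counts injected processes. The input is the report text quoted verbatim from the reply, minus the garbled "Loaded a system driver" line; the category names and the assumption that SbieSvc, SBIE_CurrentState and SbiePst.dat are Sandboxie artefacts are mine.

```python
import re

# Behaviour lines quoted from the sandbox report in the reply above; the
# garbled "Loaded a system driver" line is left out.
REPORT = r'''
Created a service named: syshost.exe
Created an event named: Global\NitrGB
Created an event named: Local\NitrGB
Created file in defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\79e4054f.tmp
Created process: (null),C:\WINDOWS\Installer\{E70BF38A-2625-DDC3-5509-CE002C0BE8B5}\syshost.exe,(null)
Created process: (null),cmd.exe /C del /Q /F "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1b158495.tmp",(null)
Defined file type created in Windows folder: C:\WINDOWS\system32\drivers\4802ff.sys
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\syshost32 = C:\WINDOWS\Installer\{E70BF38A-2625-DDC3-5509-CE002C0BE8B5}\syshost.exe
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\DisplayName = syshost.exe
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\ImagePath = C:\WINDOWS\system32\drivers\4802ff.sys
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\Start = 01000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\Type = 01000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\SbieSvc\SandboxedServices = *yshost324802ff
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\ImagePath = "C:\WINDOWS\Installer\{E70BF38A-2625-DDC3-5509-CE002C0BE8B5}\syshost.exe" /service
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\SBIE_CurrentState = 01000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\Start = 02000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\Type = 10000000
Detected keylogger functionality
Ends Windows session
Enumerated running processes
Got volume information
Hide file from user: C:\WINDOWS\SbiePst.dat
Injected code into process:
Injected code into process: c:\documents and settings\administrator\桌面\bsa\bsa.exe
Injected code into process: c:\program files\vmware\vmware tools\vmacthlp.exe
Injected code into process: c:\program files\vmware\vmware tools\vmtoolsd.exe
Injected code into process: c:\program files\vmware\vmware tools\vmupgradehelper.exe
Injected code into process: c:\program files\vmware\vmware tools\vmwaretray.exe
Injected code into process: c:\program files\vmware\vmware tools\vmwareuser.exe
Injected code into process: c:\windows\explorer.exe
Injected code into process: c:\windows\system32\cmd.exe
Injected code into process: c:\windows\system32\ctfmon.exe
Injected code into process: c:\windows\system32\lsass.exe
Injected code into process: c:\windows\system32\services.exe
Injected code into process: c:\windows\system32\smss.exe
Injected code into process: c:\windows\system32\spoolsv.exe
Injected code into process: c:\windows\system32\svchost.exe
Injected code into process: c:\windows\system32\winlogon.exe
'''

AUTOSTART = "Defined registry AutoStart location created or modified"
SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)\\", re.IGNORECASE)


def parse_report(text):
    """Group "Category: detail" lines; autostart entries become (key, value) pairs."""
    report = {"autostart": [], "injected": [], "files": [], "other": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head, _, detail = line.partition(":")
        detail = detail.strip()
        if head == AUTOSTART:
            key, _, value = detail.partition(" = ")
            report["autostart"].append((key, value))
        elif head == "Injected code into process":
            if detail:  # the report has one entry with an empty target
                report["injected"].append(detail)
        elif head.startswith(("Created file", "Defined file type")):
            report["files"].append(detail)
        else:
            report["other"].append(line)
    return report


def service_names(report):
    """Sorted names of services touched under the Services registry key."""
    names = set()
    for key, _ in report["autostart"]:
        match = SERVICE_KEY.search(key)
        if match:
            names.add(match.group(1))
    return sorted(names)


def sandbox_artifacts(report):
    """Keys and lines that belong to Sandboxie itself (assumption: SbieSvc,
    SBIE_* values, SbiePst.dat), so they are not read as the sample's persistence."""
    keys = [key for key, _ in report["autostart"] if "sbie" in key.lower()]
    lines = [line for line in report["other"] if "sbie" in line.lower()]
    return keys + lines


def run_key_entries(report):
    """(value name, command) pairs written under the CurrentVersion Run key."""
    return [(key.rsplit("\\", 1)[-1], value)
            for key, value in report["autostart"]
            if "\\currentversion\\run\\" in key.lower()]


def driver_paths(report):
    """Kernel drivers dropped on disk, the artefact that matches the blue screens."""
    return [path for path in report["files"] if path.lower().endswith(".sys")]


def summarize(report):
    return {"services": service_names(report), "run_keys": run_key_entries(report),
            "drivers": driver_paths(report), "injected_count": len(report["injected"]),
            "sandbox_artifacts": len(sandbox_artifacts(report))}


if __name__ == "__main__":
    print(summarize(parse_report(REPORT)))
```

Two things the summary makes visible that the raw list hides: the SbieSvc and SBIE_CurrentState keys and the hidden SbiePst.dat are Sandboxie's own state and should be dropped before the indicators are shared, and the injection targets include the analysis tool (bsa.exe) and the VMware Tools processes, which is what a system-wide injector looks like from inside a VM rather than targeting of those tools in particular.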