-
-
[原创]木马TR/Offend.66568521分析过程
-
发表于: 2013-2-3 21:27
-
以下文章,完全原创,如有引用,请标明 by keieky.
看来最近大家都忙着过寒假,于是乎人气明显冷落许多。为提高人气,我把自已这两天分析的一个木马的过程和大家分享一下。书写此文目的,不是想说这个样本的功能性质,毕竟这个木马已经被广泛查杀,只是想通过此例和大家探讨一下代码分析的过程。如有不当之处,还请指正。
1.分析环境及工具
首先介绍一下我的分析环境:
OS:XP SP3虚拟机Vmware.
TOOLS:如图所示
前两排工具主要是为脱壳用的,分析主要用的是沙箱BSA和IDA Pro,当然MD是为了防止动态分析生成的病毒感染系统清除方便而用的。
2.样本
样本来源不记得了,好像是从哪个论坛下的非灭活样本,我将在附件中加以提供。
名称:virussign.com_0a9f170cfa142b42cc8e8e5c9b47057a.exe。
此样本加了upx壳,为方便分析,先脱壳。脱壳过程不多说,因为是upx么,最简单的那种,所以我就现看了一下论坛中脱壳的教程,用前两排的工具找popad,重建导入表什么的,一切很顺利(建议想学脱壳的同学可以从upx入手)。
脱壳后的名称:dumped_1.exe,这就是我们即将分析的目标了。
3.杀毒软件对样本的定义
宿主机上安了360,对脱壳前后的两个样本进行了查杀,报毒如下:
virussign.com_0a9f170cfa142b42cc8e8e5c9b47057a.exe:(因为360用的是AntiVir引擎)所以 称之为:TR/Offend.66568521(若见更多细节,请参见:https://www.virustotal.com/file/aa63f063e907c0cfbe4b44bce2e713ff0f70e7e3cd43635341f1b6587fbcfdc1/analysis/)。
dumped_1.exe:Backdoor.Win32.Gh0st.CV。
加壳前后360报的不同,我想是因为脱壳后的特征变化了。
4.动态分析过程
通过拿到一个样本,首先应该考虑的是:它是不是个恶意代码,当然前提是你的杀软没有报警。虽然现在我们知道它是个木马,但是,我们还可能会问:它有哪些恶意的行为被认为是木马?要想看行为,最最最直观的,当然是API监控,或者说,环境监控。工具是我给大家推荐的:sandboxie & BSA.这里我不再多说如何使用,我们看一下在沙箱中运行样本后生成的报告。这里提示一下,在沙箱中运行的样本脱壳前后的都可以,因为它们的行为都是一样的。我一般关注两个报告:
(1)API 日志:
Executing: c:\样丫106\upx\1\dumped_1.exe
LoadLibrary(gdi32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(kernel32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(msvcrt.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(netapi32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(oleaut32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(ole32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(shell32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(shlwapi.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(user32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(winmm.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(ws2_32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(ws2help.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(wtsapi32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(winsta.dll) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(lz32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(lz32.dll) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(kernel32.dll) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(Kernel32) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(comctl32.dll) [c:\样丫106\upx\1\dumped_1.exe]
OpenProcessToken(C:\样本106\upx\1\dumped_1.exe) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(LPK) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(LPK.DLL) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(USER32) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(imm32.dll) [c:\样丫106\upx\1\dumped_1.exe]
CreateEvent(DINPUTWINMM) [c:\样丫106\upx\1\dumped_1.exe]
CreateEvent(SBIE_BOXED_ServiceInitComplete_RpcSs) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(advapi32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(urlmon.dll) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(iexplore.exe) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(explorer.exe) [c:\样丫106\upx\1\dumped_1.exe]
CreateMutex(ZonesCounterMutex) [c:\样丫106\upx\1\dumped_1.exe]
CreateMutex(ZonesCacheCounterMutex) [c:\样丫106\upx\1\dumped_1.exe]
CreateMutex(ZonesLockedCacheCounterMutex) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(version.dll) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(shlwapi.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(psapi.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(wininet.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(crypt32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(msasn1.dll) [c:\样丫106\upx\1\dumped_1.exe]
CreateEvent(Global\crypt32LogoffEvent) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(avicap32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(msvfw32.dll) [c:\样丫106\upx\1\dumped_1.exe]
CreateMutex(aa0533.3322.org) [c:\样丫106\upx\1\dumped_1.exe]
CreateRemoteThread(c:\样杌106\upx\1\dumped_1.exe) [c:\样丫106\upx\1\dumped_1.exe]
CreateProcess((null),c:\Windows\svchest000.exe,(null)) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(winlogon.EXE) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(c:\windows\system32\mswsock.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(mswsock.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(apphelp.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(hnetcfg.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(rpcrt4.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(c:\windows\system32\wshtcpip.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(wshtcpip.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(dnsapi.dll) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(advapi32) [c:\样丫106\upx\1\dumped_1.exe]
Executing: c:\windows\svchest000.exe
LoadLibrary(c:\windows\system32\winrnr.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(winrnr.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(wldap32.dll) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(gdi32.dll) [c:\windows\svchest000.exe]
LoadLibrary(kernel32.dll) [c:\windows\svchest000.exe]
LoadLibrary(msvcrt.dll) [c:\windows\svchest000.exe]
LoadLibrary(netapi32.dll) [c:\windows\svchest000.exe]
LoadLibrary(oleaut32.dll) [c:\windows\svchest000.exe]
LoadLibrary(ole32.dll) [c:\windows\svchest000.exe]
LoadLibrary(shell32.dll) [c:\windows\svchest000.exe]
LoadLibrary(shlwapi.dll) [c:\windows\svchest000.exe]
LoadLibrary(user32.dll) [c:\windows\svchest000.exe]
LoadLibrary(winmm.dll) [c:\windows\svchest000.exe]
LoadLibrary(rasadhlp.dll) [c:\样丫106\upx\1\dumped_1.exe]
GetModuleHandle(ws2_32.dll) [c:\样丫106\upx\1\dumped_1.exe]
connect( 221.130.179.36:1379 ) [c:\样丫106\upx\1\dumped_1.exe]
LoadLibrary(ws2_32.dll) [c:\windows\svchest000.exe]
LoadLibrary(ws2help.dll) [c:\windows\svchest000.exe]
LoadLibrary(wtsapi32.dll) [c:\windows\svchest000.exe]
LoadLibrary(winsta.dll) [c:\windows\svchest000.exe]
GetModuleHandle(lz32.dll) [c:\windows\svchest000.exe]
LoadLibrary(lz32.dll) [c:\windows\svchest000.exe]
GetModuleHandle(kernel32.dll) [c:\windows\svchest000.exe]
GetModuleHandle(Kernel32) [c:\windows\svchest000.exe]
LoadLibrary(comctl32.dll) [c:\windows\svchest000.exe]
OpenProcessToken(C:\WINDOWS\svchest000.exe) [c:\windows\svchest000.exe]
GetModuleHandle(LPK) [c:\windows\svchest000.exe]
GetModuleHandle(LPK.DLL) [c:\windows\svchest000.exe]
GetModuleHandle(USER32) [c:\windows\svchest000.exe]
LoadLibrary(imm32.dll) [c:\windows\svchest000.exe]
CreateEvent(DINPUTWINMM) [c:\windows\svchest000.exe]
CreateEvent(SBIE_BOXED_ServiceInitComplete_RpcSs) [c:\windows\svchest000.exe]
LoadLibrary(advapi32.dll) [c:\windows\svchest000.exe]
LoadLibrary(urlmon.dll) [c:\windows\svchest000.exe]
GetModuleHandle(iexplore.exe) [c:\windows\svchest000.exe]
GetModuleHandle(explorer.exe) [c:\windows\svchest000.exe]
CreateMutex(ZonesCounterMutex) [c:\windows\svchest000.exe]
CreateMutex(ZonesCacheCounterMutex) [c:\windows\svchest000.exe]
CreateMutex(ZonesLockedCacheCounterMutex) [c:\windows\svchest000.exe]
LoadLibrary(version.dll) [c:\windows\svchest000.exe]
GetModuleHandle(shlwapi.dll) [c:\windows\svchest000.exe]
LoadLibrary(psapi.dll) [c:\windows\svchest000.exe]
LoadLibrary(wininet.dll) [c:\windows\svchest000.exe]
LoadLibrary(crypt32.dll) [c:\windows\svchest000.exe]
LoadLibrary(msasn1.dll) [c:\windows\svchest000.exe]
CreateEvent(Global\crypt32LogoffEvent) [c:\windows\svchest000.exe]
LoadLibrary(avicap32.dll) [c:\windows\svchest000.exe]
LoadLibrary(msvfw32.dll) [c:\windows\svchest000.exe]
CreateMutex(aa0533.3322.org) [c:\windows\svchest000.exe]
GetModuleHandle(mscoree.dll) [c:\windows\svchest000.exe]
从中我们可以看出该样本加载了哪些动态库,创建了哪些互斥量,文件,注册表等。当然不是很清淅,其实我的目的是看有些关键的函数被调用,如CreateMutex,OpenProcessToken,CreateProcess,CreateRemoteThread等等,这些将为静态分析提供好的线索。
如果你觉得这些不够直观的话,我们还可以关注一下它的生成报告,很清晰噢。
(2)Report
[ Changes to filesystem ]
* Creates file C:\WINDOWS\BJ.exe
* Creates file (hidden) C:\WINDOWS\SbiePst.dat
* Creates file (hidden) C:\WINDOWS\svchest000.exe
[ Changes to registry ]
* Modifies value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
old value empty
* Modifies value "Common Desktop=C:\Documents and Settings\All Users\Lhb?" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders
old value "Common Desktop=C:\Documents and Settings\All Users\桌面"
* Creates value "Kris=C:\7h,g106\upx\1\dumped_1.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Creates Registry key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\MediaResources\msvideo
* Creates value "SymbolicLinkValue=5C00520045004700490053005400520059005C0055005300450052005C00530061006E00640062006F0078005F00410064006D0069006E006900730074007200610074006F0072005F00440065006600610075006C00740042006F0078005C0075007300650072005C00630075007200720065006E0074005F0063006C0061007300730065007300" in key HKEY_CURRENT_USER\software\classes
* Modifies value "Desktop=C:\Documents and Settings\Administrator\Lhb?" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
old value "Desktop=C:\Documents and Settings\Administrator\桌面"
* Creates value "FolderType=Documents" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell
[ Network services ]
* Connects to "221.130.179.36" on port 1379.
[ Process/window information ]
* Creates an event named "SBIE_BOXED_ServiceInitComplete_RpcSs".
* Creates a mutex "ZonesCounterMutex".
* Creates a mutex "ZonesCacheCounterMutex".
* Creates a mutex "ZonesLockedCacheCounterMutex".
* Creates a mutex "aa0533.3322.org".
* Creates process "(null),c:\Windows\svchest000.exe,(null)".
呵呵,看到了吧,这里记录了样本对文件系统,注册表,网络及系统环境的影响。清楚直观,一目了然,想不说是个木马都不容易。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
