Analysis of the WoW account-stealing sample bigfoot2

When run, it drops the following files one after another and executes each of them:

"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\T200645150560000027841\BigFoot.exe"

"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\T200646380243000028112\BigFoot.exe"

"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\T200647210381000028253\BigFoot.exe"

The first is the genuine BigFoot (大脚) add-on program; the other two are bundled malicious programs.

The first malicious program (the second exe) is small: 41 KB, MD5: c0097ebdfca5250cc18c6888202ed154

The second malicious program (the third exe) is larger: 232 KB, MD5: 6c20ad3c3023f26af774d4b5dbecdb0d

Starting with the second malicious program:

It decompresses code stored in its own resource section, writes it over the system DLL "C:\WINDOWS\system32\msxmlfilta.dll" (overwriting the existing file), and creates the following registry entries:

0012FC74   80000001  |hKey = HKEY_CURRENT_USER
0012FC78 00920878 |Subkey = "Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-F46FB2FBAAA1}"
0012FC7C 00000000 |Reserved = 0
0012FC80 0002001F |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
0012FC84 0012FC8C \pHandle = 0012FC8C
"DisplayName"  

00401F21 |. 68 D8834000 push bigfoot_.004083D8 ; ASCII "http://www.baidu.com//s?wd={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&tn=s001_dg&cl=3"
00401F26 |. 68 D0834000 push bigfoot_.004083D0 ; ASCII "URL"
00401626  |.  FF15 08804000 call dword ptr ds:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA

0012FC54 80000000 |hKey = HKEY_CLASSES_ROOT
0012FC58 00920878 |Subkey = "CLSID\{21C0F86B-4348-4C88-AF0C-9149DE70E132}"
0012FC5C 00000000 |Reserved = 0
0012FC60 00000000 |Class = NULL
0012FC64 00000000 |Options = REG_OPTION_NON_VOLATILE
0012FC68 0002001F |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
0012FC6C 00000000 |pSecurity = NULL
0012FC70 0012FC7C |pHandle = 0012FC7C
0012FC74 0012FC98 \pDisposition = 0012FC98
00401FC7  |.  68 8C834000   push bigfoot_.0040838C                   ;  ASCII "Windows HttpFilter"


00401FDC |. 68 64834000 push bigfoot_.00408364 ; ASCII "{73A7FFA7-AA3A-49E5-A777-713B7DB78E9C}"
00401FE1 |. 68 54814000 push bigfoot_.00408154 ; ASCII "AppID"

0012FC98 00920878 |Arg2 = 00920878 ASCII "CLSID\{21C0F86B-4348-4C88-AF0C-9149DE70E132}\InprocServer32"

SET "C:\WINDOWS\system32\msxmlfilta.dll"
0040209B  |.  68 58834000   push bigfoot_.00408358                   ;  ASCII "Apartment"
004020A0 |. 68 48834000 push bigfoot_.00408348 ; ASCII "ThreadingModel"

004020BD |> \68 14834000 push bigfoot_.00408314 ; ASCII "CLSID\{21C0F86B-4348-4C88-AF0C-9149DE70E132}\ProgID"

0040213B |. 68 FC824000 push bigfoot_.004082FC ; ASCII "MsHttpApp.HttpFilter.1"


0040215D |> \68 C0824000 push bigfoot_.004082C0 ; ASCII "CLSID\{21C0F86B-4348-4C88-AF0C-9149DE70E132}\Programmable"

004021C6 |> \68 88824000 push bigfoot_.00408288 ; ASCII "CLSID\{21C0F86B-4348-4C88-AF0C-9149DE70E132}\TypeLib"

00402244 |. 68 60824000 push bigfoot_.00408260 ; ASCII "{04F7BD61-E11D-4BB3-B6FE-B730BCA713D4}"

00402266 |> \68 18824000 push bigfoot_.00408218 ; ASCII "CLSID\{21C0F86B-4348-4C88-AF0C-9149DE70E132}\VersionIndependentProgID"

004022E4 |. 68 00824000 push bigfoot_.00408200 ; ASCII "MsHttpApp.HttpFilter"

00402306 |> \68 20854000 push bigfoot_.00408520 ; ASCII "PROTOCOLS\Name-Space Handler\http\{21C0F86B-4348-4C88-AF0C-9149DE70E132}"

00402384 |. 68 F0814000 push bigfoot_.004081F0 ; ASCII "ms http handle"
00402389 |. 68 00854000 push bigfoot_.00408500
0040238E |. 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00402392 |. E8 59F3FFFF call bigfoot_.004016F0
00402397 |. 6A 01 push 1
00402399 |. 68 C8814000 push bigfoot_.004081C8 ; ASCII "{21C0F86B-4348-4C88-AF0C-9149DE70E132}"
0040239E |. 68 4C814000 push bigfoot_.0040814C ; ASCII "CLSID"

004023B4 |. 6A 04 push 4 ; /BufSize = 4
004023B6 |. 8D5424 18 lea edx,dword ptr ss:[esp+18] ; |
004023BA |. 52 push edx ; |Buffer
004023BB |. 6A 04 push 4 ; |ValueType = REG_DWORD
004023BD |. 53 push ebx ; |Reserved
004023BE |. 68 14854000 push bigfoot_.00408514 ; |ValueName = "Last"
004023C3 |. 56 push esi ; |hKey
004023C4 |. 894C24 2C mov dword ptr ss:[esp+2C],ecx ; |
004023C8 |. FF15 10804000 call dword ptr ds:[<&ADVAPI32.RegSetValu>; \RegSetValueExA


Is this a BHO, or something similar? I'm not sure.

The overwritten msxmlfilta.dll has MD5 39d40d074eb693ca06ca35e435f29d9b, and the following strings were found inside it:

http://www.go2easy.com/iso/
http://www.sogou.com/features/ip.jsp
所在位置:北京

A search turned up an article:

IE7/IE8 address-bar search hijacked to Baidu Union:
http://www.fh.net.cn/home-space-uid-726-do-blog-id-4375.html

That analysis looks much like this one: it describes a browser search hijack; see the original link for details. Of the two URLs inside the DLL, one belongs to "Windows Encryption Master" (Windows加密大师) and the other to Sogou; behind a respectable facade, the code is quietly doing rogue work.

---------------------------------------------- divider -----------------------------------------

Next, the first malicious program, the smaller one, which is also the harder of the two to analyze.

This exe walks its own section table looking for a section named ".Wpack" and decrypts its contents. It then gets the current process's path, creates a new process from that same image in a suspended state, writes the decrypted code into the new process's memory, and finally resumes the process.
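A triage check for the packed-section indicator described above, added here as an example (not code from the original post): a minimal PE section-table reader in pure Python that flags any section whose name is on a watchlist (".Wpack" from this sample) or that is mapped both writable and executable, which is how a self-decrypting payload container usually looks. build_toy_pe is a constructed helper that emits a non-loadable PE32 skeleton purely so the check can be exercised offline; the header offsets follow the PE/COFF specification.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names seen carrying encrypted payloads; ".Wpack" comes from this sample.
WATCHLIST = {'.Wpack'}


def pe_sections(data):
    """Return [(name, size_of_raw_data, characteristics)] from a PE's section table."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    (e_lfanew,) = struct.unpack_from('<I', data, 0x3C)          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4                                          # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from('<H', data, coff + 2)
    (opt_size,) = struct.unpack_from('<H', data, coff + 16)     # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError('truncated section table')
        name = data[off:off + 8].rstrip(b'\0').decode('ascii', 'replace')
        (raw_size,) = struct.unpack_from('<I', data, off + 16)  # SizeOfRawData
        (chars,) = struct.unpack_from('<I', data, off + 36)     # Characteristics
        sections.append((name, raw_size, chars))
    return sections


def triage_sections(data):
    """Human-readable findings for sections worth a second look."""
    findings = []
    for name, raw_size, chars in pe_sections(data):
        if name in WATCHLIST:
            findings.append(f'{name}: section name on watchlist (packed payload container)')
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f'{name}: section is both writable and executable')
    return findings


def build_toy_pe(sections):
    """Constructed test fixture: DOS header, PE signature, COFF header, zeroed PE32
    optional header and a section table. Not loadable; only the headers are real."""
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                        # e_lfanew -> right after DOS header
    opt = bytearray(224)                                         # PE32 optional header size
    struct.pack_into('<H', opt, 0, 0x10B)                        # Magic = PE32
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b''
    for name, chars in sections:
        table += struct.pack('<8sIIIIIIHHI', name.encode('ascii'),
                             0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt) + table


# Constructed sample image: a normal code and data section plus a ".Wpack" section
# that is mapped read/write/execute, mirroring the layout the sample relies on.
SAMPLE_PE = build_toy_pe([
    ('.text', 0x60000020),   # CODE | EXECUTE | READ
    ('.data', 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
    ('.Wpack', 0xE0000020),  # CODE | EXECUTE | READ | WRITE
])

if __name__ == '__main__':
    for line in triage_sections(SAMPLE_PE):
        print(line)
```

On a real file, read it in binary mode and pass the bytes to triage_sections; the parser deliberately stops at the section table, so it works on truncated or deliberately malformed samples as long as the headers are intact.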

This part isn't easy to follow statically, so I wrote an API-tracing DLL to monitor the sequence of API calls; its output is below:

00000009    0.11675199    [592] GetCurrentProcess    
00000010 0.11732692 [592] VirtualProtect
00000011 0.11738782 [592] FlushInstructionCache
00000012 0.12691809 [592] WSAGetLastError
00000013 0.12713823 [592] RegOpenKeyExW:Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
00000014 0.12747011 [592] GetModuleFileNameW:C:\WINDOWS\system32\msvcrt.dll
00000015 0.12754218 [592] RegOpenKeyExW:SYSTEM\Setup
00000016 0.19361930 [592] GetModuleFileNameW:C:\WINDOWS\system32\SHELL32.dll
00000017 0.19382073 [592] LoadLibraryW:comctl32.dll
00000018 0.22545603 [592] CreateFileW(C:\WINDOWS\WindowsShell.Manifest,80000000,00000005,00000000,00000003,00000000,00000000)
00000019 0.22575998 [592] RegOpenKeyExW:Control Panel\Desktop
00000020 0.22588485 [592] RegOpenKeyExW:software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
00000021 0.22631508 [592] RegOpenKeyExW:Software\Microsoft\Windows NT\CurrentVersion\LanguagePack
00000022 0.22653298 [592] LoadLibraryW:comctl32.dll
00000023 0.22662266 [592] GetVersionExA
00000024 0.22688806 [592] HeapCreate
00000025 0.22694673 [592] GetModuleHandleA
00000026 0.22699533 [592] InitializeCriticalSectionAndSpinCount
00000027 0.22703835 [592] TlsAlloc
00000028 0.22709143 [592] GetCommandLineA
00000029 0.22717887 [592] GetEnvironmentStringsW
00000030 0.22723000 [592] WideCharToMultiByte
00000031 0.22733755 [592] FreeEnvironmentStringsW
00000032 0.22737974 [592] GetStartupInfoA
00000033 0.22742221 [592] GetStdHandle
00000034 0.22746550 [592] GetFileType
00000035 0.22755072 [592] LockResource
00000036 0.22759373 [592] GetCPInfo
00000037 0.22764011 [592] MultiByteToWideChar
00000038 0.22769095 [592] LCMapStringW
00000039 0.22773927 [592] GetModuleFileNameA
00000040 0.22779627 [592] GetModuleFileNameW:C:\Documents and Settings\Administrator\桌面\bigfoot_1.exe
00000041 0.22786835 [592] DisableThreadLibraryCalls
00000042 0.22792730 [592] GetModuleFileNameW:C:\WINDOWS\system32\comctl32.dll
00000043 0.23956089 [592] CreateActCtxW
00000044 0.23967655 [592] ProcessIdToSessionId
00000045 0.23973075 [592] RegisterClipboardFormatW
00000046 0.23979360 [592] SystemParametersInfoW
00000047 0.23984417 [592] GetSystemMetrics
00000048 0.24003386 [592] RegOpenCurrentUser
00000049 0.24015650 [592] OpenProcessToken
00000050 0.24020930 [592] AllocateAndInitializeSid
00000051 0.24025959 [592] CheckTokenMembership
00000052 0.24030988 [592] FreeSid
00000053 0.24036379 [592] RegOpenKeyExW:Control Panel\Desktop
00000054 0.24041463 [592] RegQueryValueExW
00000055 0.24049397 [592] RegCloseKey
00000056 0.24053727 [592] GetSysColor
00000057 0.24057890 [592] GetSysColorBrush
00000058 0.24066047 [592] GetStockObject
00000059 0.24073562 [592] LoadLibraryW:imm32.dll
00000060 0.24077949 [592] ActivateActCtx
00000061 0.24083062 [592] LoadCursorW
00000062 0.24122563 [592] RegisterClassW
00000063 0.24131754 [592] DeactivateActCtx
00000064 0.24138822 [592] GetModuleFileNameW:C:\Documents and Settings\Administrator\桌面\bigfoot_1.exe
00000065 0.24143180 [592] GetModuleFileNameW:C:\Documents and Settings\Administrator\桌面\bigfoot_1.exe
00000066 0.24148795 [592] GetTempPathA
00000067 0.24153125 [592] DeleteFileA:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dsad11.exe
00000068 0.24159327 [592] CopyFileA:C:\Documents and Settings\Administrator\桌面\bigfoot_1.exe -> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dsad11.exe
00000069 0.24200618 [592] CreateFileW(C:\Documents and Settings\Administrator\桌面\bigfoot_1.exe,80000000,00000001,00000000,00000003,08200000,00000000)
00000070 0.24209110 [592] CreateFileW(DBWIN_DATA_READY,80000000,00000003,00000000,00000003,08200000,00000000)
00000071 0.24215676 [592] CreateFileW(DBWIN_DATA_READY,80000000,00000001,00000000,00000003,08000000,00000000)
00000072 0.24221683 [592] CreateFileW(DBWIN_DATA_READY,80000000,00000003,00000000,00000003,08000000,00000000)
00000073 0.24227074 [592] LoadLibraryA:Kernel32.dll
00000074 0.24232325 [592] LoadLibraryA:ADVAPI32.dll
00000075 0.24236795 [592] GetSystemDirectoryA
00000076 0.24244115 [592] RegOpenKeyExA
00000077 0.24247187 [592] Sleep
00000078 0.73963284 [592] CreateRemoteThread
00000079 0.73989373 [592] CreateThread
00000080 0.74028265 [592] ApiTracer: DllMain DLL_THREAD_ATTACH
00000081 0.74034411 [592] FindWindowA
00000082 0.74090648 [592] ApiTracer: DllMain DLL_THREAD_ATTACH
00000083 0.77042723 [592] FindResourceA
00000084 0.77049428 [592] LoadResource
00000085 0.77063507 [592] SizeofResource
00000086 0.77072144 [592] CreateFileA(C:\WINDOWS\system32\wksbqizm.tmp,C0000000,00000000,00000000,00000002,00000000,00000000)
00000087 0.77402937 [592] CreateFileW(C:\WINDOWS\system32\wksbqizm.tmp,C0000000,00000000,00000000,00000002,00000000,00000000)
00000088 0.77412099 [592] FreeResource
00000089 0.77417547 [592] CreateFileA(C:\WINDOWS\system32\wksbqizm.tmp,40000000,00000002,00000000,00000003,00000000,00000000)
00000090 0.77419758 [592] CreateFileW(C:\WINDOWS\system32\wksbqizm.tmp,40000000,00000002,00000000,00000003,00000000,00000000)
00000091 0.77429843 [592] GetTickCount
00000092 0.78551579 [592] SetFilePointer
00000093 0.87909049 [592] CreateFileA(C:\Documents and Settings\Administrator\桌面\bigfoot_1.exe,80000000,00000001,00000000,00000003,00000000,00000000)
00000094 0.87923717 [592] CreateFileW(C:\Documents and Settings\Administrator\桌面\bigfoot_1.exe,80000000,00000001,00000000,00000003,00000000,00000000)
00000095 0.87932491 [592] ReadFile
00000096 0.87938887 [592] GetSystemTime
00000097 0.88373411 [592] SystemTimeToFileTime
00000098 0.88379222 [592] CreateFileA(C:\WINDOWS\system32\wksbqizm.tmp,C0000000,00000001,00000000,00000003,00000000,00000000)
00000099 0.88384420 [592] CreateFileW(C:\WINDOWS\system32\wksbqizm.tmp,C0000000,00000001,00000000,00000003,00000000,00000000)
00000100 0.88392186 [592] SetFileTime
00000101 0.88457751 [592] RegOpenKeyA
00000102 0.88471860 [592] MoveFileExA:C:\WINDOWS\system32\wksbqizm.tmp -> C:\WINDOWS\system32\wksbqizm.dll
00000103 0.88485968 [592] ApiTracer: DllMain DLL_THREAD_ATTACH
00000104 0.88863558 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000105 0.88909096 [592] RegCreateKeyA:InProcServer32
00000106 0.88920158 [592] MoveFileExA:C:\WINDOWS\system32\wksbqizm.tmp -> C:\WINDOWS\system32\wksbqizm.dll
00000107 0.89008576 [592] GetFileAttributesA
00000108 0.89016062 [592] MoveFileExA:C:\WINDOWS\system32\wksbqizm.tmp -> C:\WINDOWS\system32\wksbqizm.dll
00000109 0.89029777 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000110 0.89063919 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000111 0.89359456 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000112 0.89365548 [592] SleepEx
00000113 0.89430809 [592] RegQueryValueExA
00000114 0.89451480 [592] RegSetValueExA:wksbqizm.dll,data:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000115 0.89493579 [592] RegSetValueExA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C},data:(null)
00000116 2.89548540 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000117 2.89559031 [592] RegCreateKeyA:InProcServer32
00000118 2.89567256 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000119 2.89587092 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000120 2.89598632 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000121 4.87972498 [592] WinExec:
00000122 4.89684963 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000123 4.89699173 [592] RegCreateKeyA:InProcServer32
00000124 4.89707708 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000125 4.89712191 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000126 4.89718342 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000127 6.89585352 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000128 6.89605188 [592] RegCreateKeyA:InProcServer32
00000129 6.89613724 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000130 6.89618254 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000131 6.89624643 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000132 8.89569187 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000133 8.89588070 [592] RegCreateKeyA:InProcServer32
00000134 8.89596558 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000135 8.89601040 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000136 8.89607334 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000137 10.89583778 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000138 10.89595222 [592] RegCreateKeyA:InProcServer32
00000139 10.89612103 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000140 10.89617062 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000141 10.89623356 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000142 12.89584446 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000143 12.89597225 [592] RegCreateKeyA:InProcServer32
00000144 12.89622688 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000145 12.89627838 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000146 12.89634323 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000147 14.89621544 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000148 14.89632416 [592] RegCreateKeyA:InProcServer32
00000149 14.89640522 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000150 14.89644814 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000151 14.89651489 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000152 16.89616394 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000153 16.89627457 [592] RegCreateKeyA:InProcServer32
00000154 16.89635468 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000155 16.89640045 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000156 16.89646339 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000157 18.89614105 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000158 18.89632607 [592] RegCreateKeyA:InProcServer32
00000159 18.89640999 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000160 18.89645576 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000161 18.89651871 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000162 20.89516830 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000163 20.89536476 [592] RegCreateKeyA:InProcServer32
00000164 20.89544868 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000165 20.89549446 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000166 20.89555550 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000167 22.89520454 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000168 22.89532471 [592] RegCreateKeyA:InProcServer32
00000169 22.89548683 [592] RegSetValueA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000170 22.89553642 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000171 22.89560127 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000172 24.88182449 [592] GetTempFileNameA
00000173 24.88211632 [592] CreateFileW(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.tmp,80000000,00000000,00000000,00000001,00000080,00000000)
00000174 24.88360977 [592] GetModuleFileNameW:C:\Documents and Settings\Administrator\桌面\bigfoot_1.exe
00000175 24.88372803 [592] CreateFileA(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.tmp.bat,40000000,00000003,0012F4A0,00000002,00000080,00000000)
00000176 24.88378334 [592] CreateFileW(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.tmp.bat,40000000,00000003,0012F4A0,00000002,00000080,00000000)
00000177 24.88984871 [592] WinExec: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.tmp.bat
00000178 24.89008331 [592] CreateFileW(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.tmp.bat,80000000,00000003,00000000,00000003,00000080,00000000)
00000179 24.89018250 [592] TerminateProcess
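Pulling the dropped files, registry writes and executed commands out of a trace like the one above is the kind of thing worth automating. The following is an added example, not part of the original post and not the author's tracer: a small parser for the tracer's own line format (sequence number, timestamp, [pid], then either "Api:args" or "Api(args)"). A CreateFile call counts as a write when GENERIC_WRITE is requested or the disposition is CREATE_NEW/CREATE_ALWAYS; copy and rename targets are treated as writes too. The sample lines are copied from the trace, with the desktop path anglicized.

```python
import re
from dataclasses import dataclass, field

GENERIC_WRITE = 0x40000000
CREATE_NEW, CREATE_ALWAYS = 1, 2

LINE_RE = re.compile(r'^\d{8}\s+[\d.]+\s+\[(\d+)\]\s+(.*)$')
CREATEFILE_RE = re.compile(r'^CreateFile[AW]\((.*)\)$')
MOVE_COPY_RE = re.compile(r'^(MoveFileExA|CopyFileA):(.*?) -> (.*)$')
DELETE_RE = re.compile(r'^DeleteFileA:(.*)$')
REGCREATE_RE = re.compile(r'^RegCreateKeyA:(.*)$')
REGSET_RE = re.compile(r'^RegSetValue(?:Ex)?A:(.*?),data:(.*)$')
WINEXEC_RE = re.compile(r'^WinExec:\s*(.*)$')


@dataclass
class TraceIocs:
    files_written: list = field(default_factory=list)
    files_deleted: list = field(default_factory=list)
    registry_keys: list = field(default_factory=list)
    registry_values: list = field(default_factory=list)
    commands: list = field(default_factory=list)


def _add(bucket, item):
    """Append while preserving first-seen order and skipping empties/duplicates."""
    if item and item not in bucket:
        bucket.append(item)


def parse_trace(lines):
    iocs = TraceIocs()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        call = m.group(2)
        if (cf := CREATEFILE_RE.match(call)):
            # CreateFile(path, access, share, security, disposition, flags, template);
            # paths in this trace never contain commas, so a plain split is enough.
            args = cf.group(1).split(',')
            if len(args) != 7:
                continue
            access, disposition = int(args[1], 16), int(args[4], 16)
            if access & GENERIC_WRITE or disposition in (CREATE_NEW, CREATE_ALWAYS):
                _add(iocs.files_written, args[0])
        elif (mc := MOVE_COPY_RE.match(call)):
            _add(iocs.files_written, mc.group(3))
        elif (d := DELETE_RE.match(call)):
            _add(iocs.files_deleted, d.group(1))
        elif (rk := REGCREATE_RE.match(call)):
            _add(iocs.registry_keys, rk.group(1))
        elif (rs := REGSET_RE.match(call)):
            _add(iocs.registry_values, (rs.group(1), rs.group(2)))
        elif (we := WINEXEC_RE.match(call)):
            _add(iocs.commands, we.group(1))
    return iocs


# Constructed sample: lines taken from the trace above (desktop path anglicized).
SAMPLE_TRACE = r"""
00000067 0.24153125 [592] DeleteFileA:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dsad11.exe
00000068 0.24159327 [592] CopyFileA:C:\Documents and Settings\Administrator\Desktop\bigfoot_1.exe -> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dsad11.exe
00000086 0.77072144 [592] CreateFileA(C:\WINDOWS\system32\wksbqizm.tmp,C0000000,00000000,00000000,00000002,00000000,00000000)
00000093 0.87909049 [592] CreateFileA(C:\Documents and Settings\Administrator\Desktop\bigfoot_1.exe,80000000,00000001,00000000,00000003,00000000,00000000)
00000102 0.88471860 [592] MoveFileExA:C:\WINDOWS\system32\wksbqizm.tmp -> C:\WINDOWS\system32\wksbqizm.dll
00000104 0.88863558 [592] RegCreateKeyA:{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
00000105 0.88909096 [592] RegCreateKeyA:InProcServer32
00000110 0.89063919 [592] RegSetValueExA:(null),data:C:\WINDOWS\system32\wksbqizm.dll
00000111 0.89359456 [592] RegSetValueExA:ThreadingModel,data:Apartment
00000121 4.87972498 [592] WinExec:
00000176 24.88378334 [592] CreateFileW(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.tmp.bat,40000000,00000003,0012F4A0,00000002,00000080,00000000)
00000177 24.88984871 [592] WinExec: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.tmp.bat
"""

if __name__ == '__main__':
    result = parse_trace(SAMPLE_TRACE.splitlines())
    for name, bucket in vars(result).items():
        print(name)
        for item in bucket:
            print('   ', item)
```

Read-only opens of the sample's own image (access 80000000, disposition OPEN_EXISTING) are deliberately not reported, so what remains is exactly the set of artifacts a responder would go looking for on disk and in the registry.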

From the trace above, the dropped files are:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dsad11.exe

C:\WINDOWS\system32\wksbqizm.tmp

C:\WINDOWS\system32\wksbqizm.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.tmp.bat

Registry entries created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}
{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C} :C:\WINDOWS\system32\wksbqizm.dll
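Both persistence mechanisms on this page (the SearchScopes hijack installed by the second program and the ShellExecuteHooks entry installed by this one) can be audited offline from an exported registry dump. The following is an added example, not code from the original post: a parser for the text .reg format (as produced by "reg export") plus an audit that reports every ShellExecuteHooks CLSID together with the DLL its InprocServer32 key resolves to, and any IE search scope whose URL host is not on an expected-provider list. The sample dump is constructed from the values shown on this page; the DisplayName text and the trusted-host list are assumptions.

```python
import re
from urllib.parse import urlparse

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _decode(data):
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith('dword:'):
        return int(data[6:], 16)
    return data                               # hex:, expand strings etc. left raw


def parse_reg(text):
    """Map 'KEY\\PATH' -> {value name: data}; '(default)' stands for @."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor') or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '(default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode(m.group(2))
    return keys


def _inproc_server(keys, clsid):
    """Resolve a CLSID to the DLL path registered under its InprocServer32 key."""
    suffix = ('\\CLSID\\' + clsid + '\\InprocServer32').lower()
    for path, values in keys.items():
        if path.lower().endswith(suffix):
            return values.get('(default)')
    return None


def audit(keys, trusted_search_hosts=('www.bing.com', 'www.google.com')):
    findings = []
    for path, values in keys.items():
        lower = path.lower()
        if lower.endswith('\\explorer\\shellexecutehooks'):
            # Every value name here is a CLSID whose DLL is loaded by ShellExecute callers.
            for clsid in values:
                findings.append(('ShellExecuteHook', clsid, _inproc_server(keys, clsid)))
        elif '\\searchscopes\\' in lower and values.get('URL'):
            host = urlparse(values['URL']).hostname or ''
            if host not in trusted_search_hosts:
                findings.append(('SearchScope', path.rsplit('\\', 1)[1], host))
    return findings


# Constructed sample dump built from the registry writes described on this page.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-F46FB2FBAAA1}]
"DisplayName"="Search"
"URL"="http://www.baidu.com//s?wd={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&tn=s001_dg&cl=3"

[HKEY_CLASSES_ROOT\CLSID\{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}\InprocServer32]
@="C:\\WINDOWS\\system32\\wksbqizm.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B38E77C6-E3E1-4b0f-BC51-6A8352868C4C}"=""
"""

if __name__ == '__main__':
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Running it against a dump of the whole HKLM Explorer tree plus HKCR\CLSID gives a DLL path for each hook, which is the value to compare against a known-good baseline; a ShellExecuteHooks CLSID whose server lives in system32 under an unfamiliar eight-letter name, as here, is the classic sign of this technique.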

The contents of "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.tmp.bat" captured on one run:

:try
del "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dsad11.exe"
if exist "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dsad11.exe" goto try
del %0

Its purpose is self-deletion: it loops until dsad11.exe can be deleted, then deletes itself.


Now the main part, wksbqizm.dll. Its anti-static-analysis is well done: OllyDbg's string search finds nothing at all, because every string is assembled at runtime one DWORD at a time.

If it is running inside the "verclsid.exe" process it installs hooks: 0006F598 0006F6A8 ASCII "verclsid.exe".

10003EBE    A1 A4880010     mov eax,dword ptr ds:[100088A4]
10003EC3 8B35 B4600010 mov esi,dword ptr ds:[<&USER32.SetWindowsHookExA>] ; USER32.SetWindowsHookExA
10003EC9 6A 00 push 0
10003ECB 50 push eax
10003ECC 68 40400010 push 1.10004040
10003ED1 6A 07 push 7
10003ED3 FFD6 call esi
10003ED5 8B0D A4880010 mov ecx,dword ptr ds:[100088A4]
10003EDB 6A 00 push 0
10003EDD 51 push ecx
10003EDE 68 60400010 push 1.10004060
10003EE3 6A 02 push 2
10003EE5 A3 B0880010 mov dword ptr ds:[100088B0],eax
10003EEA FFD6 call esi
10003EEC 8B15 A4880010 mov edx,dword ptr ds:[100088A4]
10003EF2 6A 00 push 0
10003EF4 52 push edx
10003EF5 68 20400010 push 1.10004020
10003EFA 6A 04 push 4
10003EFC A3 A8880010 mov dword ptr ds:[100088A8],eax
10003F01 FFD6 call esi

The hooks are installed mainly to achieve global injection. If the current process is "360safebox.exe" or "safeboxTray.exe", it calls:

1000114B |> \53 push ebx ; /ExitCode
1000114C |. FF15 00600010 call dword ptr ds:[<&KERNEL32.GetCurrentProcess>] ; |[GetCurrentProcess
10001152 |. 50 push eax ; |hProcess
10001153 |. FF15 4C600010 call dword ptr ds:[<&KERNEL32.TerminateProcess>] ; \TerminateProcess

If it is inside the explorer process it creates two threads and creates events for communication between them. 0006F598 0006F628 ASCII "Explorer.exe"

This event-based communication works like a dual-process guard, making the DLL harder to delete.

Now the key part: when it is inside the World of Warcraft process:

0006F634 0006F63C \s2 = "wow.exe"

Stepping into it, the code there has been VM-protected, so I switched to API monitoring; the only thing intercepted inside was the retrieval of the connect function from ws32, and no other APIs triggered a break.

And that is where the trail went cold…

It can still be concluded that this is a WoW trojan.

Original post: https://www.cnblogs.com/daxingxing/p/2294744.html