样本分析 | 大灰狼8.96远控之CC域名静态解密

在日常的反病毒工作当中,我们会接触到大量的 BackDoor 样本。怎样能够快速地从这些样本中提取出有价值的 CC 域名/地址,并对其进行威胁关联,就显得尤为重要。

文件信息

类型:后门

MD5:f738296fb0ed3296e130f5d5f016ed1e

病毒名:BackDoor - Download

解密代码

# -*- coding:utf-8 -*-

__author__ = '皆明'
__date__ = '2017/12/17'

def GetLetterTable(letter):
    """Return the 6-bit value of one base64-alphabet character.

    The alphabet is the standard one (A-Z, a-z, 0-9, '+', '/').  ``letter``
    has to be exactly one of those characters; anything else -- '=' padding,
    an empty string, or a multi-character string -- yields -1.
    """
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    for value, symbol in enumerate(alphabet):
        if symbol == letter:
            return value
    return -1

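def GetKeyNum(key):
    """Turn the sample's encoded CC string into RC4 ciphertext bytes.

    The string is standard base64 (alphabet A-Z a-z 0-9 + /, '=' padding).
    After decoding, every byte is mapped through ``((b - 0x86) & 0xff) ^ 0x59``;
    the result is the ciphertext that ``GetCC`` runs through the RC4 keystream.
    As in the sample's own decoder, only whole 4-character groups are consumed,
    so a trailing partial group is silently ignored.

    Why this differs from the posted version: that code compared characters
    against the integer 61 (``'='``), which never matches in Python, so the
    padded final group was never decoded; it also returned a 0xCD-filled
    buffer of ``len(key) + 1`` entries and a count that included one of those
    sentinel slots.  Here the count is exactly ``len(buf)``.

    Args:
        key: the encoded string as pulled from the sample.

    Returns:
        ``[n, buf]`` where ``buf`` is the list of transformed byte values
        (0..255) and ``n == len(buf)``.

    Raises:
        ValueError (``binascii.Error``): a character outside the base64
        alphabet, or padding in the wrong place.  Requires Python 3 for
        ``validate=True``.
    """
    import base64  # function-scope: the posted script has no import block

    # Drop any trailing partial group, mirroring the original 4-char stepping.
    usable = key[: len(key) - len(key) % 4]
    raw = base64.b64decode(usable, validate=True)
    # bytearray() iterates as ints on both Python 2 and 3.
    buf = [((b - 0x86) & 0xff) ^ 0x59 for b in bytearray(raw)]
    return [len(buf), buf]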

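def Get_Getong538(key_str="Getong538"):
    """Build the RC4 S-box (key scheduling) for ``key_str``.

    The sample hard-codes the key ``"Getong538"``; the parameter keeps that
    default so existing callers are unchanged, while letting the same KSA be
    reused for other builds of the family that only swap the key.

    The posted version expanded each key byte into a 4-entry slot and stepped
    the index by 4, which is just ``key_str[i % len(key_str)]``.

    Args:
        key_str: RC4 key as a str; each character's ``ord()`` is one key byte.

    Returns:
        A list of 256 ints -- a permutation of 0..255 -- ready for ``GetCC``.

    Raises:
        ValueError: if ``key_str`` is empty (the modulo would divide by zero).
    """
    if not key_str:
        raise ValueError("RC4 key must not be empty")
    key_bytes = [ord(ch) for ch in key_str]
    key_len = len(key_bytes)
    sbox = list(range(256))
    j = 0
    for i in range(256):
        j = (j + sbox[i] + key_bytes[i % key_len]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
    return sbox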

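def GetCC(key_str, cc, key_num):
    """RC4-decrypt the first ``key_num`` bytes of ``cc`` and return them as text.

    This is the RC4 PRGA: i += 1, j += S[i], swap, output S[(S[i] + S[j]) % 256].
    Unlike the posted version, neither ``key_str`` nor ``cc`` is modified --
    the S-box is copied before use -- and the stray 200-element ``v5`` list
    is gone.

    Args:
        key_str: RC4 state, a 256-entry permutation as produced by
            ``Get_Getong538``.
        cc: ciphertext byte values (ints 0..255), e.g. ``GetKeyNum(key)[1]``.
        key_num: how many leading bytes of ``cc`` to decrypt.

    Returns:
        The first ``key_num - 1`` decrypted bytes, each as ``chr(b)``.  The
        last decrypted byte is dropped, as in the original script; for the
        sample in this write-up that leaves the 36-character URL, and the
        dropped byte is presumably a C string terminator -- not verified here.
        ``key_num <= 0`` returns ``""`` (the original returned a slice of the
        untouched ciphertext in that case).

    Raises:
        ValueError: if ``key_num`` exceeds ``len(cc)``.
    """
    if key_num > len(cc):
        raise ValueError("key_num (%d) exceeds ciphertext length (%d)" % (key_num, len(cc)))
    sbox = list(key_str)
    i = j = 0
    plain = []
    for byte in cc[:key_num]:
        i = (i + 1) % 256
        j = (j + sbox[i]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
        plain.append(byte ^ sbox[(sbox[i] + sbox[j]) % 256])
    return "".join(chr(b) for b in plain[: max(key_num - 1, 0)])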

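if __name__ == "__main__":
    # Encoded CC string pulled from the sample listed at the top of the post.
    key = "4jNnIiz7AYsVpl0fD54Ya845KpABkngE8/OOY8u8TFdlD95YLA=="
    # Decode once; the posted version called GetKeyNum twice for the two fields.
    count, cipher = GetKeyNum(key)
    # print(...) with a single argument works on both Python 2 and 3.
    print(GetCC(Get_Getong538(), cipher, count))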

通过这个解密脚本,就能够根据样本中的加密字符串,静态解密出大灰狼 8.96 远控的 CC 地址。解密流程为:base64 解码 → 逐字节 ((b - 0x86) & 0xff) ^ 0x59 → 以 "Getong538" 为密钥的 RC4 解密。就文章前面列出的 MD5 对应样本中的加密字符串,解密结果如下——注意它是一个直接以 IP 访问的 DLL 下载 URL,而非域名;该地址属于恶意基础设施,请勿在无隔离的环境中直接访问:

http://203.189.234.236/NetSyst96.dll
