Analysis of a malware sample built by packing a .bat script

Basic information about the samples

hosts.exe
MD5: 72ddf833fa206326e15c2c97679d323e
SHA1: ad148ff4b7f77831b469be8bb19d32d029c23b50


banish.exe
MD5: 4a43ea617017d5de7d93eb2380634eee
SHA1: b0af5aa27cd0e49955f1ab2d18d69f7bc8fd4d21

Analysis

Checking for a packer
[Figure 1]

Strip the UPX packer, open the binary in IDA and press Shift+F12 to list its strings.
[Figure 2]
The ExeScript keyword is visible, which shows that this program is a script packed with ExeScript.

The ExeScriptDEC tool can extract the .bat file directly, without unpacking first.
This yields the contents of the two files below.

banish.cmd

@rem ----- ExeScript Options Begin -----
@rem ScriptType: console,invoker
@rem DestDirectory: temp
@rem Icon: none
@rem OutputFile: I:\Backups\Software\Advanced\Programming\(development)\Otherwise\Windows 7\Chew-WGA\Script Programming\apps\_test7\banish.exe
@rem CompanyName: Anemeros
@rem FileVersion: 1.0.0.0
@rem ProductVersion: 1.0.0.0
@rem ----- ExeScript Options End -----
@ECHO OFF
TAKEOWN /F "%~1" >NUL
ICACLS "%~1" /grant "%USERNAME%":F >NUL
:LOOP
SET tmpfile="%TEMP%\%RANDOM%.tmp"
IF EXIST %tmpfile% (GOTO :LOOP)
MOVE /Y "%~1" %tmpfile% >NUL
IF "%ERRORLEVEL%" NEQ "0" (
    DEL /F /Q %tmpfile%
    ECHO Operation failed
    EXIT /B 0
) ELSE (
    DEL /F /Q %tmpfile%
    ECHO Operation completed successfully
    EXIT /B 1
)

banish.cmd copies the file passed as argument 1 to %temp%\random.tmp.

hosts.cmd
@rem ----- ExeScript Options Begin -----
@rem ScriptType: console,invoker
@rem DestDirectory: temp
@rem Icon: none
@rem OutputFile: I:\Backups\Software\Advanced\Programming\(development)\Otherwise\Windows 7\Chew-WGA\Script Programming\apps\_test7\hosts.exe
@rem CompanyName: Anemeros
@rem FileVersion: 1.0.0.0
@rem ProductVersion: 1.0.0.0
@rem ----- ExeScript Options End -----
@ECHO OFF
IF /I "%~1" EQU "/u" (GOTO :RemHosts)
ECHO.>> "%SystemRoot%\System32\drivers\etc\hosts"
CALL :AddHost "genuine.microsoft.com"
CALL :AddHost "mpa.one.microsoft.com"
CALL :AddHost "sls.microsoft.com"
GOTO :EOF

:AddHost
    TYPE "%SystemRoot%\System32\drivers\etc\hosts" | FIND /I "%~1" >NUL
    IF "%ERRORLEVEL%" NEQ "0" (ECHO 127.0.0.1 %~1>> "%SystemRoot%\System32\drivers\etc\hosts")
GOTO :EOF

:RemHosts
    TYPE "%SystemRoot%\System32\drivers\etc\hosts" | FIND /I /V "genuine.microsoft.com" | FIND /I /V "mpa.one.microsoft.com" | FIND /I /V "sls.microsoft.com" > "%temp%\hosts.txt"
    MOVE /Y "%temp%\hosts.txt" "%SystemRoot%\System32\drivers\etc\hosts" >NUL
GOTO :EOF

hosts.cmd adds the following three entries to the system hosts file; this is most likely related to Windows activation.

127.0.0.1 genuine.microsoft.com
127.0.0.1 mpa.one.microsoft.com
127.0.0.1 sls.microsoft.com
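The following is an added example, not code from the original post: a small Python helper for triaging samples of this kind. It parses the ExeScript options header out of an extracted script (so CompanyName, ScriptType and OutputFile can be pulled out automatically) and flags hosts-file lines that point the three activation domains at loopback. The script header and hosts file contents are constructed sample data, not taken from the analysed samples.

```python
from typing import Dict, List, Tuple

# Constructed sample: header of an ExeScript-packed batch file, in the
# same layout as the extracted scripts above (values are made up here).
OPTIONS_HEADER = """@rem ----- ExeScript Options Begin -----
@rem ScriptType: console,invoker
@rem DestDirectory: temp
@rem CompanyName: Anemeros
@rem OutputFile: C:\\example\\hosts.exe
@rem ----- ExeScript Options End -----
@ECHO OFF
"""

# Constructed sample: a hosts file after hosts.exe has run on it.
HOSTS_SAMPLE = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 genuine.microsoft.com
127.0.0.1    MPA.ONE.MICROSOFT.COM   # appended by hosts.exe
10.0.0.5 intranet.example
"""

ACTIVATION_DOMAINS = {"genuine.microsoft.com", "mpa.one.microsoft.com", "sls.microsoft.com"}
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_exescript_options(script_text: str) -> Dict[str, str]:
    """Return the key/value pairs between the ExeScript Options Begin/End markers."""
    options: Dict[str, str] = {}
    inside = False
    for line in script_text.splitlines():
        if line.startswith("@rem ----- ExeScript Options Begin"):
            inside = True
            continue
        if line.startswith("@rem ----- ExeScript Options End"):
            break
        if inside and line.startswith("@rem "):
            # Split on the first colon only, so drive letters in OutputFile survive.
            key, _, value = line[5:].partition(":")
            options[key.strip()] = value.strip()
    return options


def find_sinkholed_activation_hosts(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs that map an activation domain to a loopback address."""
    hits: List[Tuple[str, str]] = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            if name.lower() in ACTIVATION_DOMAINS and addr in SINKHOLE_ADDRS:
                hits.append((addr, name.lower()))
    return hits
```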

Searching on the keyword Anemeros turns up a number of related activation tools.

References

  • ExeScriptDEC V1.5
  • Windows DOS command study notes, part 8: packing a .bat file into an .exe (script encryption)
  • ExeScript 3.6
  • https://www.hybrid-analysis.com/sample/60ca507ef4ba7dbbb7ef6ea4b975b9b09a24d7d0c91d38d0876331203f962d98