[Malware Analysis] 41f205e9db461e3f70fd588cc01bb35bfe11cff


Initial sample analysis:


| Engine | Detection |
|---|---|
| Kaspersky | Trojan-Downloader.Win32.Carder.q |
| ESET-NOD32 | Win32/Glupteba.AF |

[Sandbox screenshot: the sample (2E6682932F82626...) creates the autorun value Software\Microsoft\Windows\CurrentVersion\Run\NvUpdService under the current user's registry hive]


```
14:41:02:934,2E6682932F826269B0F84A93AAB9E609.85A681D7,1676:0,1676,BA_exec_extratedfile,C:\Users\lilwen\AppData\Local\NVIDIA Corporation\Update\d83665e11921a3e0525e1d4d9e1d04f1.exe,,0x00000000 [操作成功完成]
14:41:29:828,2E6682932F826269B0F84A93AAB9E609.85A681D7,1676:3512,1676,BA_register_autorun,C:\Users\lilwen\AppData\Local\NVIDIA Corporation\Update\daemonupd.exe /app 2B42CDC8B1EDBFEC23AA442F8F7EF3D9,type:'Common/Run' ,0x00000000 [操作成功完成]
14:41:29:859,2E6682932F826269B0F84A93AAB9E609.85A681D7,1676:3512,1676,BA_register_autorun,C:\Users\lilwen\AppData\Local\Google\Update\gupdate.exe /app 2B42CDC8B1EDBFEC23AA442F8F7EF3D9,type:'Common/Run' ,0x00000000 [操作成功完成]
14:41:36:848,2E6682932F826269B0F84A93AAB9E609.85A681D7,1676:0,1676,BA_exec_extratedfile,C:\Users\lilwen\AppData\Local\NVIDIA Corporation\Update\daemonupd.exe,,0x00000000 [操作成功完成]
```
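As an added example (not part of the original post), a small Python parser over the four sandbox log lines above: it pulls out the dropped files and the Run-key registrations, flags the persistence traits this analysis describes (autorun targets in user-writable AppData paths that mimic NVIDIA/Google updater directories) and recovers the `/app` token shared by both entries. The 8-field comma-separated layout and the field names are assumptions inferred from the lines; the OCR-introduced spaces have been removed.

```python
import re

# Input copied from the sandbox log quoted in the post (OCR spacing removed); the bracketed
# trailing text is the Windows "operation completed" status message.
SANDBOX_LOG = r"""
14:41:02:934,2E6682932F826269B0F84A93AAB9E609.85A681D7,1676:0,1676,BA_exec_extratedfile,C:\Users\lilwen\AppData\Local\NVIDIA Corporation\Update\d83665e11921a3e0525e1d4d9e1d04f1.exe,,0x00000000 [操作成功完成]
14:41:29:828,2E6682932F826269B0F84A93AAB9E609.85A681D7,1676:3512,1676,BA_register_autorun,C:\Users\lilwen\AppData\Local\NVIDIA Corporation\Update\daemonupd.exe /app 2B42CDC8B1EDBFEC23AA442F8F7EF3D9,type:'Common/Run' ,0x00000000 [操作成功完成]
14:41:29:859,2E6682932F826269B0F84A93AAB9E609.85A681D7,1676:3512,1676,BA_register_autorun,C:\Users\lilwen\AppData\Local\Google\Update\gupdate.exe /app 2B42CDC8B1EDBFEC23AA442F8F7EF3D9,type:'Common/Run' ,0x00000000 [操作成功完成]
14:41:36:848,2E6682932F826269B0F84A93AAB9E609.85A681D7,1676:0,1676,BA_exec_extratedfile,C:\Users\lilwen\AppData\Local\NVIDIA Corporation\Update\daemonupd.exe,,0x00000000 [操作成功完成]
""".strip()

# Vendor directory names the dropped files impersonate in this sample.
IMPERSONATED = ("nvidia", "google", "microsoft\\windows")
FIELDS = ("time", "sample", "pid_tid", "ppid", "event", "target", "extra", "status")  # assumed layout
EXE_RE = re.compile(r"^(.*?\.exe)\b(.*)$", re.IGNORECASE)
APP_RE = re.compile(r"/app\s+([0-9A-Fa-f]{32})")


def parse_line(line):
    """Split one 8-field record (assumed layout); None for lines that do not fit."""
    parts = line.split(",", 7)
    return dict(zip(FIELDS, parts)) if len(parts) == 8 else None


def analyze(log_text):
    """Return (dropped_paths, findings); one finding dict per autorun registration."""
    dropped, findings = [], []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["event"] == "BA_exec_extratedfile":
            dropped.append(rec["target"])
        elif rec["event"] == "BA_register_autorun":
            m = EXE_RE.match(rec["target"])
            if not m:
                continue
            exe, args = m.group(1), m.group(2)
            low, reasons = exe.lower(), []
            if "\\appdata\\local\\" in low:
                reasons.append("Run target lives in a user-writable AppData path")
            if any(v in low for v in IMPERSONATED):
                reasons.append("path mimics a vendor updater directory")
            app = APP_RE.search(args)  # the same token on both entries ties them together
            findings.append({"time": rec["time"], "pid": rec["pid_tid"].split(":")[0],
                             "exe": exe, "app_token": app.group(1) if app else None,
                             "reasons": reasons})
    return dropped, findings


def shared_tokens(findings):
    """/app tokens reused across autorun entries: evidence they come from one installer."""
    by_token = {}
    for f in findings:
        by_token.setdefault(f["app_token"], []).append(f["exe"])
    return {t: e for t, e in by_token.items() if t and len(e) > 1}
```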

00405B66: gets the temp file path, creates a temporary file, gets the system directory and deletes the file. The digits appended to the temporary file name are random.


00403381 CALL 2E668293.00403208: if the path is empty, create the directory.


0040588C: gets the temp file path and generates a new temporary file.

[OllyDbg screenshot: GetTempFileNameA call]

Gets the temp file path, gets the system directory and deletes the file.

[OllyDbg screenshot: GetWindowsDirectoryA, lstrcatA and DeleteFileA calls on a file under …\AppData\Local\Temp\nsc5F…]

[Screenshot: the temporary file, 0 KB]

Deletes the file.


This create-and-delete sequence is repeated three times.

Creates a folder; the folder name is null, so no new folder appears.


Creates the directory google/update.



An executable is dropped.

[Explorer screenshot: AppData\Local\NVIDIA Corporation\Update\d83665e11921a3e0525e1d4d9e1d04f1.exe, dated 2022/1/10 14:20]

Runs the executable.


Closes the program.

[Process monitor screenshot: d83665e11921a3e05… EXEC create, EXEC module, FILE read, then EXEC_destroy]

Modifies the startup entry.

[OllyDbg screenshot: RegCreateKeyExA on HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with Access = KEY_SET_VALUE, Options = REG_OPTION_NON_VOLATILE]

Modifies the registry information.


[Screenshot: the new Run\NvUpdService autorun value]

Closes the registry key.


Creates an empty folder under the path.


Then it calls SHFileOperationA to copy the previously dropped d83665e11921a3e0525e1d4d9e1d04f1.exe into that directory, renaming it gupdate.exe.


Creates a registry key for gupdate.exe.

[OllyDbg screenshot: second RegCreateKeyExA call on HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, same access and options as above]

Sets the registry value.

[OllyDbg screenshot: RegSetValueEx call with ValueName = "Google Update", ValueType = REG_SZ]

Closes the registry key.


Calls SHFileOperationA to copy the previously dropped d83665e11921a3e0525e1d4d9e1d04f1.exe into C:\Users\lilwen\AppData\Local\Microsoft\Windows\, renaming it winupdate.exe.


Creates a registry key for winupdate.exe.

Sets the registry value.

Closes the registry key.


Searches for C:\Users\lilwen\AppData\Local\NVIDIA Corporation\Update\daemonupd.exe.


Calls MoveFileA to rename the program.


Executes the file.


Closes it.


Looks for the original file and self-deletes.


Continues by checking whether the original program d83665e11921a3e0525e1d4d9e1d04f1.exe still exists; if it does, it is deleted again.

[OllyDbg screenshot: FindFirstFile-style call with a pFindFileData argument]

Checks whether 2E6682932F826269B0F84A93AAB9E609.85A681D7 exists; if so, self-deletes.

Because the program is loaded in OllyDbg, the deletion fails; under normal conditions the parent sample deletes itself.

The remaining code all operates on the original sample: searching the directory, terminating the process and closing handles. Because the sample is loaded in OllyDbg, these operations cannot be carried out on it.

[Network monitor screenshot: daemonupd.exe (PID 2396) repeatedly performs NET connect / http / send / recv to 63.251.106.25:8000]

Conclusion: a remote access trojan.

posted @ 2022-01-16 18:33 Nicky_啦啦啦是阿落啊