The rooftop is overcrowded, so let's take a look at this Ramnit worm analysis.

2025-01-15 update, Shulou Technology News & Howtos, Network Security

Shulou (Shulou.com) 06/01 report

This article is reproduced from FreeBuf.COM; original author: gechengyu

This year's World Cup is getting harder and harder to understand. Even if you want to go up to the rooftop for some fresh air, you may not find a spot. If your heart has gone cold, you still have to do something, so I grabbed a suspicious sample from the Internet. Once I started the analysis, I found it was not as simple as I had thought.

I. Basic information

Grab the suspicious file and throw it into a "virtual execution environment" (the cloud sandbox) as soon as possible. All we have to do is sit back in the boss's chair, cross our legs, sip tea and hum a tune, and the analysis report soon comes out.

▲ Figure: flowchart

2.1 First, check the packer with PEiD: it reports UPX. UPX is easy to unpack, so rooftop friends can unpack it themselves.

2.2 After removing that layer, there is another piece of decryption code. Keep stepping through it and execution eventually returns to the 0x00400000 region, where you find that, like the original file, the code there is packed with UPX again.

2.3 After removing this UPX layer in the same way, you enter the sample's main program.

The sample first queries the system's default browser path. If the query fails it falls back to Internet Explorer (the browser is used later as the process-injection target), and if both methods fail the program exits.

2.4 Check whether the mutex KyUffThOkYwRRtgPP already exists, to ensure that only one instance is running at a time.

2.5 Check the process name. The sample first determines whether its own process name is DesktopLayer.exe; if so, it exits the function. If not, it builds the directory C:\Program Files\Microsoft, copies itself there as DesktopLayer.exe, and then starts that copy.

2.6 When its own process is named DesktopLayer.exe, it inline-hooks the function ZwWriteVirtualMemory. The hook callback is as follows:

When the browser process obtained at the beginning is created, ZwWriteVirtualMemory is called; because the function has been hooked, execution jumps to sub_402A59. The main job of this function is to inject into the newly started target process by writing into it a PE file that is embedded in the sample's own file. With a hex editor you can find this embedded PE inside the unpacked sample.

After the injection, the original code of ZwWriteVirtualMemory is restored.

III. Detailed analysis

After all these operations, its key behavior has in fact only just begun.

3.1 Attach OllyDbg (OD) to the target program. After several function calls, execution enters the embedded PE file, whose structure is relatively clear.

3.2 Different threads are created to perform different functions. The more important ones are:

Sub_10007ACA: writes its own file path into the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, so that it starts automatically at logon.
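The Userinit persistence above can be checked from a script. The following is an added example of my own, not code from the article or from the sample: Windows runs every comma-separated entry of the Userinit value at logon, so a dropper only has to append its own path after the stock userinit.exe. The DesktopLayer.exe path is the one the article names, the registry value strings in the demo are constructed, and read_live_userinit() reads the real value only when run on Windows.

```python
# Added example, not code from the original article: audit the Winlogon
# Userinit value for the persistence described above. Windows runs every
# comma-separated entry in Userinit at logon, so a dropper only has to append
# its path (the article's sample uses C:\Program Files\Microsoft\DesktopLayer.exe;
# that name is taken from the text above). The value strings in the demo are
# constructed here; read_live_userinit() reads the real value on Windows.
from __future__ import annotations
import re
import sys

USERINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
SAMPLE_DROPPER_NAMES = {"desktoplayer.exe"}   # file name used by this sample

def parse_userinit(value: str) -> list[str]:
    """Split the REG_SZ into entries. A trailing comma is normal
    ("userinit.exe,"), so empty entries are dropped; quotes are stripped."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]

def normalize(path: str) -> str:
    """Lower-case and expand %SystemRoot%/%WinDir% deterministically (offline
    stand-in for os.path.expandvars, which needs the live environment)."""
    return re.sub(r"%(systemroot|windir)%", r"C:\\Windows", path, flags=re.I).lower()

def audit_userinit(value: str) -> list[dict]:
    """One finding per entry that is not the stock userinit.exe."""
    findings = []
    for entry in parse_userinit(value):
        norm = normalize(entry)
        if norm == STOCK_USERINIT:
            continue
        name = norm.rsplit("\\", 1)[-1]
        findings.append({
            "entry": entry,
            "reason": ("known dropper name from this sample"
                       if name in SAMPLE_DROPPER_NAMES
                       else "unexpected extra Userinit entry"),
        })
    return findings

def read_live_userinit() -> str | None:
    """Read the real value (Windows only); None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERINIT_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value

if __name__ == "__main__":
    live = read_live_userinit()
    # constructed value showing the sample's persistence when not on Windows
    value = live or r"C:\Windows\system32\userinit.exe,C:\Program Files\Microsoft\DesktopLayer.exe"
    for finding in audit_userinit(value) or [{"entry": value, "reason": "clean"}]:
        print(finding)
```

Comparing against the single stock entry rather than against a blocklist is the point: any second entry in Userinit is worth a look, whatever it is called.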

Sub_1000781F: creates the file dmlconf.dat under C:\Program Files\Internet Explorer and writes FILETIME structure data into it.

Sub_10005906: this thread was not running during the analysis, but static analysis of its code shows that it listens on port 4678 and waits for a connection. Once a connection is accepted it receives a command and performs the corresponding action, so this thread is presumably a backdoor for receiving the attacker's commands.

Sub_1000749F: two threads are created in this function.

Sub_10006EA8 infects exe, dll, html and htm files. The general idea is to write its own file into the target file; the figure below shows an infected htm file. What is written is a VBScript, and the variable WriteData holds a PE file.

An infected PE file gains an extra section named rmnet.
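Three of the steps above come down to reading the PE section table: spotting the UPX layers (2.1 and 2.2), locating the PE embedded in the unpacked sample (2.6), and recognising the extra rmnet section in infected files. The following is an added example of my own, not code from the article: it parses the section table, tags UPX0/UPX1 and rmnet, and carves any PE image embedded after the host's own headers. The PE images it runs on in the demo are constructed by build_pe(), not taken from the sample; for a real file run it as `python pe_carve.py <file>` (the script name is my own).

```python
# Added example, not code from the original article: a small PE section
# parser plus an embedded-PE carver, for the steps described above (spotting
# the UPX layers, finding the PE embedded in the unpacked sample, and the extra
# "rmnet" section that marks an infected file). Offline demo: the PE images
# below are constructed by build_pe(), not taken from the sample.
from __future__ import annotations
import struct
import sys

def _u16(b: bytes, o: int) -> int:
    return struct.unpack_from("<H", b, o)[0]

def _u32(b: bytes, o: int) -> int:
    return struct.unpack_from("<I", b, o)[0]

def pe_sections(data: bytes, base: int = 0) -> list[dict] | None:
    """Return the section table of the PE image starting at `base`, or None if
    no valid MZ header / PE signature pair is there."""
    if data[base:base + 2] != b"MZ" or len(data) < base + 0x40:
        return None
    e_lfanew = _u32(data, base + 0x3C)
    pe = base + e_lfanew
    # e_lfanew sanity bound: real files keep the PE header close to the start
    if e_lfanew > 0x1000 or data[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(data):
        return None
    num_sections = _u16(data, pe + 6)        # COFF NumberOfSections
    opt_size = _u16(data, pe + 20)           # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size               # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        sections.append({
            "name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": _u32(data, off + 8),
            "vaddr": _u32(data, off + 12),
            "rawsize": _u32(data, off + 16),
            "rawptr": _u32(data, off + 20),
        })
    return sections

def classify(sections: list[dict]) -> list[str]:
    """Tag a section table: UPX0/UPX1 is the stock UPX layout; a section
    named rmnet is what this Ramnit sample adds to the PE files it infects."""
    names = {s["name"] for s in sections}
    tags = []
    if {"UPX0", "UPX1"} <= names:
        tags.append("upx-packed")
    if "rmnet" in names:
        tags.append("ramnit-infected")
    return tags

def carve_embedded_pes(data: bytes) -> list[tuple[int, int]]:
    """Find PE images embedded inside `data` (after offset 0, which is the host
    file itself): every "MZ" whose e_lfanew lands on a PE signature. Returns
    (start, end) byte ranges; end is the furthest raw section end, so
    data[start:end] can be written out as a stand-alone file."""
    ranges = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        secs = pe_sections(data, pos)
        if secs:
            end = max(pos + s["rawptr"] + s["rawsize"] for s in secs)
            ranges.append((pos, min(end, len(data))))
        pos = data.find(b"MZ", pos + 1)
    return ranges

def build_pe(section_names: list[str], section_data: bytes = b"\x90" * 16) -> bytes:
    """Constructed minimal PE32 image for the offline demo (not a real sample):
    DOS header, PE signature, COFF header, 0xE0-byte optional header, one
    40-byte section header per name, then 0x200-byte raw sections."""
    n = len(section_names)
    hdr_end = (0x40 + 4 + 20 + 0xE0 + 40 * n + 0x1FF) & ~0x1FF    # FileAlignment 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x102)  # i386, EXE, 32-bit
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)            # PE32 magic
    headers, raw = b"", b""
    for i, name in enumerate(section_names):
        headers += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(section_data), 0x1000 * (i + 1), 0x200,
            hdr_end + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        raw += section_data.ljust(0x200, b"\0")
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(hdr_end, b"\0") + raw

def analyze(data: bytes) -> dict:
    """Report for a file: its own sections/tags and any embedded PE ranges."""
    own = pe_sections(data) or []
    embedded = [{"range": r, "tags": classify(pe_sections(data, r[0]))}
                for r in carve_embedded_pes(data)]
    return {"sections": [s["name"] for s in own], "tags": classify(own), "embedded": embedded}

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real use: python pe_carve.py <file>
        blob = open(sys.argv[1], "rb").read()
    else:                                       # demo: UPX-style host with an rmnet PE appended
        blob = build_pe(["UPX0", "UPX1"]) + build_pe(["rmnet"])
    print(analyze(blob))
```

The carver deliberately validates e_lfanew and the PE signature before trusting an "MZ" hit, since those two bytes occur by chance in packed data; the section-table bound it computes is also how you decide where to cut when dumping the embedded file.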

Sub_10006EC2: infects removable media. It writes itself to the removable media, creates an autorun.inf file in the root directory of the media, and writes the following data into it:

[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=.\RECYCLER\S-1-7-42-5416413684-3444774702-722318625-0540\AbxOgufK.exe
shell\explore\command=.\RECYCLER\S-1-7-42-5416413684-3444774702-722318625-0540\AbxOgufK.exe
USEAUTOPLAY=1
shell\Open\command=.\RECYCLER\S-1-7-42-5416413684-3444774702-722318625-0540\AbxOgufK.exe

AbxOgufK.exe is the sample's own program. The domain name fget-career.com, found during the analysis, was confirmed to be a malicious domain after looking it up.
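Parsing the autorun.inf above, as an added example of my own that is not part of the original article: SAMPLE_AUTORUN is the data reproduced above with its line breaks restored, constructed here as a string rather than read from a drive, and the benign autorun.inf used for comparison is made up. The checks pick out the three things the sample relies on: an executable hidden under a RECYCLER\<SID> folder, the Explorer folder icon, and forcing AutoPlay.

```python
# Added example, not code from the original article: parse an autorun.inf
# body and flag the tricks used by the one reproduced above. SAMPLE_AUTORUN is
# the article's data with its line breaks restored, constructed here as a
# string rather than read from a drive; the benign example is made up.
from __future__ import annotations
import re

SAMPLE_AUTORUN = "\r\n".join([
    r"[autorun]",
    r"action=Open",
    r"icon=%WinDir%\system32\shell32.dll,4",
    r"shellexecute=.\RECYCLER\S-1-7-42-5416413684-3444774702-722318625-0540\AbxOgufK.exe",
    r"shell\explore\command=.\RECYCLER\S-1-7-42-5416413684-3444774702-722318625-0540\AbxOgufK.exe",
    r"USEAUTOPLAY=1",
    r"shell\Open\command=.\RECYCLER\S-1-7-42-5416413684-3444774702-722318625-0540\AbxOgufK.exe",
]) + "\r\n"

# RECYCLER\<SID> is where older Windows keeps the recycle bin; worms borrow it as a hiding place
RECYCLER_SID = re.compile(r"\\RECYCLER\\S-1-\d+(?:-\d+)+\\", re.I)
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs")

def parse_autorun(text: str) -> dict[str, str]:
    """Key/value pairs of the [autorun] section, keys lower-cased. Hand-rolled
    because configparser's default interpolation rejects %WinDir% and it is
    stricter about duplicate keys than Windows is. Tolerates CRLF/LF, ';'
    comments and blank lines; first occurrence of a key wins."""
    entries: dict[str, str] = {}
    in_autorun = True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, val = line.split("=", 1)
            entries.setdefault(key.strip().lower(), val.strip())
    return entries

def launch_targets(entries: dict[str, str]) -> dict[str, str]:
    """Keys through which AutoRun/AutoPlay can start a program: open,
    shellexecute, and any shell\\<verb>\\command entry."""
    return {k: v for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def assess_autorun(text: str) -> dict:
    """Targets, executables and the reasons (if any) the file looks like a worm's."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    reasons = []
    if any(RECYCLER_SID.search(v) and v.lower().endswith(EXEC_EXT) for v in targets.values()):
        reasons.append("executable hidden in RECYCLER SID folder")
    icon = entries.get("icon", "").lower()
    if re.search(r"shell32\.dll,(3|4)$", icon):      # shell32 indices 3/4 are the folder icons
        reasons.append("icon spoofs the Explorer folder icon (shell32.dll,3/4)")
    if entries.get("useautoplay") == "1":
        reasons.append("USEAUTOPLAY=1 forces the AutoPlay handler")
    if entries.get("action", "").lower() == "open" and targets:
        reasons.append('action=Open mimics the "Open folder" AutoPlay entry')
    return {
        "targets": targets,
        "executables": sorted({_basename(v) for v in targets.values()}),
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "benign",
    }

if __name__ == "__main__":
    print(assess_autorun(SAMPLE_AUTORUN))
```

Note that the same executable is wired to all three launch keys (shellexecute, shell\explore\command, shell\Open\command), so whichever verb the user picks in the AutoPlay dialog or Explorer context menu runs the worm.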

IV. Summary

Knowing that my analytical skills are limited, I only want to throw out a brick to attract jade (while thoroughly despising myself inside). Sample analysis is a technical job and one that requires enduring loneliness; how can you get by without a good tool to relieve the boredom? The cloud sandbox used this time tested the sample for me across multiple dimensions in advance, saving both effort and worry. Interested friends can make more use of it.

P.S. Rooftop friends, come on down! There is so much malware waiting for you to analyze! The world needs you to protect it ~

You can also view the analysis report directly and continue the in-depth analysis at the following address:

Sample hash: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
