
Simple Analysis of Kris remote Control Trojan Horse

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article walks through a simple analysis of the Kris remote control Trojan. The content is fairly detailed, and readers who are interested can use it as a reference.

Preface

This is an analysis of a remote control Trojan. Among its many malicious behaviours, it modifies the registry to start itself automatically at boot, registering itself under the name Kris.

I. Basic situation

Sample type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

1.1 Basic program flow

The malicious program was run through a well-known Chinese automated sandbox; its execution flow is summarized as follows:

Figure 1: execution flow of the program

Based on the automated analysis results, the malicious program exhibits the following behaviour:

1. Connects to the domain name jesso.3322.org (59.42.71.178, Baiyun District, Guangzhou, Guangdong Province)

2. Drops an executable named BJ.exe

3. Creates a process that creates a mutex and connects to a dynamic DNS domain name

1.2 Packer information

PEiD detects that the sample is packed, and it can be unpacked with upx. The rest of this article analyzes the PE file obtained by unpacking the original program with upx.

Figure 2: using PEiD to detect the packer on the malicious program

1.3 Registry operations

The malicious program creates the value Kris under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the data C:\Users\vbccsb\AppData\Local\Temp\sample.exe. The program copies itself to that directory so that the copy of the original program is launched at boot.

The malicious program also checks the registry for 360safe to determine whether antivirus software is installed on the host.
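As an added example (not code from the article), the following Python parses a reg query dump of the Run key and flags any autorun value whose target lives in a temp directory, which is exactly the shape of the Kris entry described above. The dump is constructed; the only real detail taken from the analysis is the Kris path.

```python
import re

# Constructed sample of "reg query HKLM\...\Run" output (not captured from the
# article's sandbox); the Kris value mirrors the path the analysis reports.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Kris    REG_SZ    C:\Users\vbccsb\AppData\Local\Temp\sample.exe
"""

# One value line: <name> <REG_type> <data>, separated by runs of whitespace
# (value names containing spaces would need a stricter parser).
_ENTRY = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")

# Locations a legitimate autorun entry should almost never point into:
# per-user temp directories and the system temp directory.
_SUSPICIOUS_DIRS = (
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"^%temp%\\", re.IGNORECASE),
    re.compile(r"\\Windows\\Temp\\", re.IGNORECASE),
)

def parse_run_entries(text):
    """Yield (name, reg_type, data) for each value line of a reg query dump."""
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def find_suspicious_run_entries(text):
    """Return [(name, data)] for Run values whose target sits in a temp directory."""
    hits = []
    for name, _reg_type, data in parse_run_entries(text):
        if any(p.search(data) for p in _SUSPICIOUS_DIRS):
            hits.append((name, data))
    return hits

if __name__ == "__main__":
    for name, data in find_suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"suspicious Run value {name!r} -> {data}")
```

The same parser works on the HKEY_CURRENT_USER Run key and on the RunOnce keys, which should be checked alongside HKLM.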

II. Network behavior

Running the malicious program and capturing its traffic with Wireshark shows that it issues a DNS query for jesso.3322.org:

Figure 3: network behavior of malicious code

However, no further substantive network communication follows. On checking, the IP address is still alive, but the domain name no longer resolves:

Figure 4: network communication with C2 address

According to threat intelligence from well-known domestic security vendors, both the domain name and the IP address are flagged as malicious.

Figure 5: threat intelligence for domain names

Figure 6: IP address threat intelligence
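As an added example (not code from the article), the following Python scans DNS resolver log lines for the rendezvous pattern seen here: the known C2 domain and IP from the analysis, plus any query to a dynamic DNS provider such as 3322.org. The log lines and their format are constructed.

```python
import re

# Dynamic DNS providers commonly used for C2 rendezvous; 3322.org is the one
# this sample resolves through. Extend the tuple for your environment.
DYNDNS_SUFFIXES = ("3322.org", "no-ip.com", "ddns.net", "duckdns.org")

# Indicators taken from the article's analysis.
KNOWN_C2_DOMAINS = {"jesso.3322.org"}
KNOWN_C2_IPS = {"59.42.71.178"}

# Constructed resolver log (not from the article), assumed format:
# <timestamp> <client-ip> <record-type> <qname> [-> <answer>]
SAMPLE_DNS_LOG = """\
2024-06-02T10:00:01 10.0.0.5 A www.example.com -> 192.0.2.10
2024-06-02T10:00:03 10.0.0.5 A jesso.3322.org -> NXDOMAIN
2024-06-02T10:00:09 10.0.0.7 A update.microsoft.com -> 192.0.2.20
2024-06-02T10:01:15 10.0.0.9 A abc.no-ip.com -> 203.0.113.8
"""

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+->\s+(\S+))?$")

def classify_query(qname, answer):
    """Return a reason string if the query looks like C2 rendezvous, else None."""
    qname = qname.lower().rstrip(".")
    if qname in KNOWN_C2_DOMAINS:
        return "known C2 domain"
    if answer in KNOWN_C2_IPS:
        return "resolved to known C2 IP"
    # A dead domain (NXDOMAIN) on a dynamic DNS provider is still worth a look:
    # this sample keeps querying even though jesso.3322.org no longer resolves.
    if any(qname == s or qname.endswith("." + s) for s in DYNDNS_SUFFIXES):
        return "dynamic DNS provider"
    return None

def flag_dns_queries(log_text):
    """Return [(client, qname, reason)] for every suspicious query in the log."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        _ts, client, _rtype, qname, answer = m.groups()
        reason = classify_query(qname, answer)
        if reason:
            hits.append((client, qname, reason))
    return hits

if __name__ == "__main__":
    for client, qname, reason in flag_dns_queries(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname}: {reason}")
```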

III. Program analysis

3.1 Main function analysis

The program's main function is located at 0x0040D990. It first creates the file BJ.exe through the sub_47866C function, then delays execution of that file by 60 seconds by calling sub_40D950.

Figure 7: create BJ.exe and delay execution by 60s

The program checks the registry to determine whether 360 security software is installed on the system; if it is not, it calls sub_40D630, which sets up boot self-startup.

Figure 8: checking the registry for 360 security software on the target system

sub_40D630 achieves boot self-startup by writing to the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run".

Figure 9: boot self-startup through the registry

The main function then connects to the remote host jesso.3322.org, initiating the connection through sub_403300.

Figure 10: connecting to the domain name jesso.3322.org

3.2 Switch function analysis

The function sub_40A050 dispatches the different malicious behaviours through a switch statement: depending on the command received, a different operation is performed. The branches are summarized as follows:

sub_409C00: create a new user and add it to the administrators group

sub_408070: elevate process privileges

sub_4073E0: steal system disk information and send it to the remote host

sub_4075A0: steal desktop information and send it to the remote host

sub_407760: steal audio device information and send it to the remote host

sub_407920: keystroke recorder

sub_409320: turn off the firewall

sub_407F80: delete log files

3.2.1 Create a new user and add it to the administrators group

The sub_409C00 function implements the ability to create new users and add them to the administrators group:

Figure 11: switch branch for adding users and adding to the administrators group

The user account is added by calling NetUserAdd, and NetLocalGroupAddMember is then called to add the newly created user to the administrators group.

Figure 12: code fragment of sub_409C00 that adds a user and adds it to the administrators group

3.2.2 Elevate privileges

sub_408070 implements elevation of the process's privileges:

Figure 13: switch branch for privilege escalation

It obtains the process token handle through OpenProcessToken, looks up the privilege value with LookupPrivilegeValue, and finally calls AdjustTokenPrivileges to enable the privilege on the token.

Figure 14: code fragment of sub_408070 used to elevate the process's privileges

3.2.3 Get drive and disk volume information and send it to the remote host

The sub_4073E0 function obtains disk and drive information and sends it to the remote system. The disk information is collected by sub_405AC0, and the connection to the remote host and the transmission are handled by sub_403300.

Figure 15: switch branch used to obtain disk information and send it to a remote host

The sub_405AC0 function gets the disk volume information by calling GetVolumeInformation, and file system object information through SHGetFileInfo.

Figure 16: sub_405AC0 function used to obtain disk information

The sub_403300 function implements network communication through a series of socket functions and sends the stolen information to the remote host.

Figure 17: sub_403300 function used to communicate with the remote host

3.2.4 Get desktop information and send it to the remote host

sub_4075A0 implements the screenshot capability by calling sub_40F780. Sending the result to the remote host again goes through sub_403300, as in 3.2.3.

Figure 18: switch branch that implements the function of getting desktop information and sending it to a remote host

sub_40F780 obtains the desktop assigned to the current thread by calling GetThreadDesktop, then calls GetUserObjectInformation to retrieve information about the window station and desktop objects.

Figure 19: sub_40F780 function that obtains desktop information

3.2.5 Steal audio device information and send it to the remote host

The sub_407760 function collects audio device information through sub_401760 and uses sub_403300, described above, to connect to the remote host and send it.

Figure 20: switch branch for stealing audio device information

sub_401760 obtains the number of waveform audio input devices present by calling waveInGetNumDevs:

Figure 21: sub_401760 function obtains the number of waveform audio input devices in the system

3.2.6 Keystroke recorder

The sub_407920 function calls sub_40A580 to record keystrokes, and calls sub_403300 to send the information to the remote host:

Figure 22: switch branch for implementing keystroke logger

The sub_40A580 function calls GetKeyState and GetAsyncKeyState to implement keystroke recording.

Figure 23: sub_40A580 function implementing keystroke recording

3.2.7 Turn off the firewall

The sub_409320 function closes the firewall through the sub_409240 function:

Figure 24: switch branch for shutting down the firewall

The sub_409240 function builds the command "cmd /c net stop sharedaccess" to stop the SharedAccess service, which provides Internet Connection Sharing and the Windows Firewall:

Figure 25: sub_409240 function that turns off the firewall

3.2.8 Delete log files

Malicious code deletes log files through the sub_407F80 function:

Figure 26: switch branch for deleting log files

The program first opens the event log with OpenEventLog; if that succeeds, it calls ClearEventLog to clear the log's contents, and finally closes the handle with CloseEventLog.

Figure 27: sub_407F80 function that clears the logs
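As an added example (not code from the article), the following Python maps the switch branches in 3.2.1, 3.2.7 and 3.2.8 to the Windows Security and System event IDs those actions produce, and runs the rules over constructed event records. Command-line matching on event 4688 assumes the audit policy "Include command line in process creation events" is enabled.

```python
import re

# Constructed Windows event records (not from the article), reduced to the
# fields the rules need. The event IDs are the standard Security/System log
# IDs for these actions.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Channel": "Security", "TargetUserName": "svc_kris"},
    {"EventID": 4732, "Channel": "Security", "TargetUserName": "Administrators",
     "MemberName": "svc_kris"},
    {"EventID": 4688, "Channel": "Security",
     "CommandLine": "cmd /c net stop sharedaccess"},
    {"EventID": 4688, "Channel": "Security",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 1102, "Channel": "Security"},
    {"EventID": 104, "Channel": "System"},
]

# "net stop sharedaccess" as built by sub_409240; also matches net1.exe, to
# which net.exe delegates the actual work.
_STOP_FW = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+sharedaccess\b", re.IGNORECASE)

def classify_event(ev):
    """Map one event record to the Trojan behaviour it evidences, or None."""
    eid, chan = ev.get("EventID"), ev.get("Channel")
    if chan == "Security" and eid == 4720:
        return "3.2.1 local user created (NetUserAdd)"
    if (chan == "Security" and eid == 4732
            and ev.get("TargetUserName", "").lower() == "administrators"):
        return "3.2.1 member added to Administrators (NetLocalGroupAddMember)"
    if (chan == "Security" and eid == 4688
            and _STOP_FW.search(ev.get("CommandLine", ""))):
        return "3.2.7 SharedAccess (firewall/ICS) service stopped"
    if (chan, eid) in (("Security", 1102), ("System", 104)):
        return "3.2.8 event log cleared (ClearEventLog)"
    return None

def match_kris_behaviours(events):
    """Return [(EventID, label)] for every record that matches a rule."""
    hits = []
    for ev in events:
        label = classify_event(ev)
        if label:
            hits.append((ev["EventID"], label))
    return hits

if __name__ == "__main__":
    for eid, label in match_kris_behaviours(SAMPLE_EVENTS):
        print(eid, label)
```

Event 1102 survives the clearing because Windows writes it as the first record of the freshly cleared Security log, so the clearing itself remains visible to a collector.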

This sample is a simple remote control Trojan that contacts its C2 server to fetch commands and then performs dangerous operations according to the corresponding switch branch: creating a new user and adding it to the administrators group, elevating process privileges, stealing disk information, desktop screenshots and audio device information and sending them to the remote host, logging keystrokes, turning off the firewall, deleting log files, and so on. To protect itself, the program also copies itself, delays execution and checks whether security software is installed on the system, and it establishes boot self-startup by modifying the registry.

This concludes the simple analysis of the Kris remote control Trojan. I hope the content above has been of some help and that you have learned something from it.
