2025-04-05 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Introduction:
The author recently became absorbed in algorithms and has been analyzing some of the latest malware (updates to follow). While browsing samples this morning he came across an old virus that is interesting enough to share briefly.
Virus analysis:
1. After decompressing the sample, only one shortcut was found, named "account password". I actually double-clicked it the first time (in fact I knew there would be hidden files; the habit is a terrible one). After double-clicking, I felt like I had been hit, as shown below:
Picture 1: sample
2. Right-click to check the shortcut's properties and target location: it points to a VBS script in the same folder. Adjust the folder display options to show hidden files:
Picture 2: VBS
3. Open the .vbs in 010 Editor and take a look at the code, as shown below:
Picture 3: implicit execution
4. It executes ~\jpg.exe through the Shell object. Open that folder and keep following the chain, as shown below:
Picture 4: hidden folder
5. The folder contains a jpg.jpg picture and an .ini initialization file. Where to start the analysis? The Shell object executes jpg.exe, so that is the target for static analysis, but first take a look at the jpg image and the .ini data, as follows:
Picture 5: data view
6. Take a static look at the jpg.exe installer in IDA, as follows:
Picture 6: jpg.exe
7. Since the function had already been analyzed, it was renamed WriteLog; step into it for analysis:
Picture 7: append (create) log
8. The date is formatted and written to the log file, as shown below:
Picture 8: C standard file stream
9. Then it sets properties such as environment variables, as follows:
Picture 9: environment properties
10. Here is a piece of assembly worth sharing: how memset is implemented at the assembly level. From the assembly point of view it is quite efficient (within its limits):

    xor     eax, eax
    lea     edi, [esp+21Ch+var_103]
    mov     [esp+21Ch+Value], 0
    rep stosd
    stosw
Take a look at the rep stos instruction, which is as follows:
    Opcode    Instruction      Description
    F3 AA     REP STOS m8      Fill (E)CX bytes at ES:[(E)DI] with AL
    F3 AB     REP STOS m16     Fill (E)CX words at ES:[(E)DI] with AX
    F3 AB     REP STOS m32     Fill (E)CX doublewords at ES:[(E)DI] with EAX
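As an added example (not code from the sample), a portable C model of this inline memset: rep stosd stores ECX dwords from EAX, then stosw (and, for odd lengths, stosb) writes the remaining bytes. It generalizes the fragment to any length and cross-checks the result against the C library's memset().

```c
/* Added example (not code from the sample): portable C model of the inline
 * memset shown above. rep stosd stores ECX dwords from EAX; stosw (and, for
 * odd lengths, stosb) then writes the remaining bytes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fill n bytes at dst with value using the dword/word/byte strategy the
 * compiler emitted. Returns the ECX count rep stosd would run with. */
size_t fill_like_rep_stos(void *dst, uint8_t value, size_t n) {
    uint8_t *edi = (uint8_t *)dst;                  /* ES:[EDI] */
    uint32_t eax = (uint32_t)value * 0x01010101u;   /* AL broadcast; 0 -> xor eax, eax */
    size_t ecx = n / 4;                             /* dwords for rep stosd */
    size_t rem = n % 4;                             /* 0..3 bytes left over */
    for (size_t i = 0; i < ecx; i++) {              /* rep stosd: EDI += 4 each */
        memcpy(edi, &eax, sizeof eax);
        edi += 4;
    }
    if (rem >= 2) {                                 /* stosw: store AX, EDI += 2 */
        uint16_t ax = (uint16_t)eax;
        memcpy(edi, &ax, sizeof ax);
        edi += 2;
        rem -= 2;
    }
    if (rem == 1)                                   /* stosb: store AL */
        *edi = value;
    return ecx;
}

/* Cross-check against the C library: 1 when the model writes exactly the
 * bytes memset() writes (no more, no fewer) and reports ECX == n / 4. */
int fill_matches_memset(uint8_t value, size_t n) {
    uint8_t a[0x200], b[0x200];
    if (n > sizeof a) return 0;
    memset(a, 0xA5, sizeof a);                      /* sentinel: catches overruns */
    memset(b, 0xA5, sizeof b);
    size_t ecx = fill_like_rep_stos(a, value, n);
    memset(b, value, n);
    return ecx == n / 4 && memcmp(a, b, sizeof a) == 0;
}
/* In the fragment above a stosw follows rep stosd, so the fill length is
 * 4 * ECX + 2 (plus 1 more if a stosb followed), i.e. not a multiple of 4. */
```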
11. An overall look in IDA shows that every operation writes a detailed log record, bracketed by Entry -- Leave. The log looks like this:
Picture 10: logging
The whole process, as reconstructed from the log, is as follows:
1. Enter Setup.exe installation
2. SetEnvironment is called
3. The environment variable SetupExeLocation is set to C:\Users\15pb-win7\Desktop\ (the current path)
4. The environment variable PROCESSOR_ARCHITECTURE is set to x86
5. SetEnvironments returns 1 (success)
6. CmdLine: baidu.com (file name)
7. Registry key created:
8. Leave Setup.exe
Picture 11: registry creation
12. The steps above were worked out from the log. In the actual disassembly, the registry operations are not carried out until the child process has been created, as shown below:
Picture 12: create process
13. What remains is an executable named baidu.com.exe. Run it to observe its behaviour first: after it runs, the jpg.jpg image pops up, as shown below:
Picture 13: baidu.com.exe
14. At this point the chain is: double-click the shortcut --> the VBS runs --> it executes jpg.exe --> which executes baidu.com.exe and opens the picture.
That is, double-clicking the shortcut opens the picture, but in fact the malicious program baidu.com.exe has already run. The picture is a disguise to confuse the victim into thinking the shortcut is a picture (the full mind map is attached at the end of the article).
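As an added example (not code from the original analysis), a defender-side check in C for the two disguise elements this chain relies on: misleading double extensions such as jpg.exe and baidu.com.exe, and a folder whose only visible item is the shortcut while the script and payload folder are hidden. The extension lists and the directory listing are constructed assumptions.

```c
/* Added example (not code from the original analysis): defender-side checks
 * for this sample's disguise: misleading double extensions ("jpg.exe",
 * "baidu.com.exe") and a folder where only the shortcut is visible. */
#include <ctype.h>
#include <string.h>
struct dir_entry { const char *name; int hidden; };   /* hidden: FILE_ATTRIBUTE_HIDDEN set */
/* Extensions Windows runs on double-click (assumed list for the example). */
static const char *const EXEC_EXT[] = {"exe", "com", "scr", "pif", "vbs", "vbe", "js", "lnk", NULL};
/* Tokens that make a name read as a picture, document or web address. */
static const char *const DECOY_EXT[] = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "txt", "com", "net", NULL};
static const char *const LNK_ONLY[] = {"lnk", NULL};

/* Case-insensitive test whether the len-byte token is in a lowercase list. */
static int in_list(const char *tok, size_t len, const char *const *list) {
    for (; *list; list++) {
        size_t i = 0;
        if (strlen(*list) != len) continue;
        while (i < len && tolower((unsigned char)tok[i]) == (*list)[i]) i++;
        if (i == len) return 1;
    }
    return 0;
}

/* 1 if the final extension is executable and the token before it is a decoy
 * ("jpg.exe", "baidu.com.exe", "report.pdf.lnk"), otherwise 0. */
int is_double_extension_disguise(const char *name) {
    const char *last = strrchr(name, '.');
    if (!last || !in_list(last + 1, strlen(last + 1), EXEC_EXT)) return 0;
    const char *start = last;              /* back up to the previous dot or the start */
    while (start > name && start[-1] != '.') start--;
    return in_list(start, (size_t)(last - start), DECOY_EXT);
}

/* 1 if exactly one entry is visible and it is a shortcut, while at least one
 * hidden entry has an executable extension (the sample's folder layout). */
int is_hidden_lure_layout(const struct dir_entry *e, size_t count) {
    size_t visible = 0, hidden_exec = 0;
    int visible_is_lnk = 0;
    for (size_t i = 0; i < count; i++) {
        const char *ext = strrchr(e[i].name, '.');
        size_t elen = ext ? strlen(ext + 1) : 0;
        if (!e[i].hidden) { visible++; visible_is_lnk = ext && in_list(ext + 1, elen, LNK_ONLY); }
        else if (ext && in_list(ext + 1, elen, EXEC_EXT)) hidden_exec++;
    }
    return visible == 1 && visible_is_lnk && hidden_exec > 0;
}

/* Constructed listing modelled on the sample: only the shortcut is visible;
 * the script and folder names are placeholders, not the sample's. */
int sample_layout_is_lure(void) {
    const struct dir_entry e[] = {{"account password.lnk", 0}, {"loader.vbs", 1}, {"payload_dir", 1}};
    return is_hidden_lure_layout(e, sizeof e / sizeof e[0]);
}
```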
15. Take a look at the monitoring information from Huorong Sword (HRSword). There is an obvious socket connect and send on the network, which means data exfiltration and theft, the characteristics of a Trojan (remote control), as shown below:
Picture 14: behavior monitoring
16. Take a look at the online analysis for a more accurate description of the malicious behaviour, as shown below:
Picture 15: online analysis
17. The online analysis rates it as not a high-risk virus (although that is not necessarily accurate); the presence of a URL and an IP address means malicious code may be downloaded and system or personal sensitive data may be uploaded.
In fact the sample is not packed. It was first loaded into PEiD to view the basic information; it also has compression and encryption functions, as shown below:
Picture 16: PEiD analysis
Because the focus of this post is not sample analysis, the final sample is not analyzed in detail. The post concentrates on the overall technique and the disguise, summarized below:
Picture 17: mind map