2025-03-26 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
The virus sample was downloaded from the post by Crazyman_Army, reverse-engineering moderator of the ichunqiu forum, titled "A record of analysing a Pakistan-targeted sample from the Manlinghua APT group"; sample link: https://bbs.ichunqiu.com/thread-50002-1-1.html
Personally, I often read APT analysis reports but rarely reverse the related malicious code; after all, samples are hard to come by. Having found one, I could not pass it by.
☛ APT (Advanced Persistent Threat) is an advanced, persistent and highly targeted threat.
My personal understanding of APT ✎: an APT combines social engineering, human weaknesses, system vulnerabilities and other factors, coordinating malicious code to launch an attack, then lying dormant for a long time, up to half a year or more, while collecting large amounts of data in preparation for the attack. It is organized and disciplined, a qualified "spy": highly concealed (the code is hidden), with a unique mode of operation that is hard to detect and remove.
✃
The online malicious code analysis is as follows:
Picture 1: online Analysis
The online analysis gives a slightly different antivirus detection count than the original post; this is a clearly detectable sample that can be blocked.
✃
The manual analysis is as follows:
1. Exeinfo PE shows the file information as follows:
Picture 2: sample information
Exeinfo PE shows that the sample is not packed, is written in C++, and is a graphical user interface (GUI) program.
✃
2. IDA static analysis:
Picture 3: GUI process
Picture 4: process flow
Let's analyze the code in IDA. First, look at the GUI flow in figure 3, as shown below:
Picture 5: GUI Code Analysis
The second parameter of ShowWindow is filled with SW_HIDE (that is, 0), meaning the window is created hidden, and then sub_401330 is called to execute the malicious code.
After entering sub_401330, I find a lot of initialization and loop-based string decryption, as shown below:
Picture 6: data initialization
Picture 7: string decryption
Out of personal habit, when I run into this situation I debug dynamically; relying on static analysis alone is somewhat troublesome. Below, dynamic analysis is used to recover these data operations.
✃
3. OD dynamic debugging:
This mainly analyzes what the sub_401330 function does: it first initializes a pile of data, as shown in figure 6, and then terminates a process. The handle parameter is still NULL, as follows:
Picture 8: TerminateProcess
The handle is empty, so the return value will be an invalid handle value (INVALID_HANDLE). Then the registry self-start path is obtained by string operations, as shown below:
Picture 9: get the self-boot path
Next, the acquired string is copied, as follows:
Picture 10: copy
String operations yield msdtcv, as shown below:
Picture 11: msdtcv
It is spliced into msdtcv.exe, as follows:
Picture 12: msdtcv.exe
At this point the string has been spliced into a program name with the .exe suffix. According to the usual routine, the sample would find a resource, lock it, release it to some folder, run the released executable and terminate the current process. In fact, this routine is also used to copy itself, as shown below:
Picture 13: _mkdir
First, a folder is created under drive C, presumably ready for the resource to be copied or written into, as shown below:
Picture 14: string concatenation
As shown in the figure above, the rep movs assembly instruction splices the folder path together with msdtcv.exe; in a high-level language this is the strcat function. Now that the path string has been stitched together, in theory it is time to use it: obtain the current program's running path, then get the "Open" string, as shown below:
Picture 15: Open
I felt the prelude should be almost over, but found a new function. Needless to say, the prelude is not over. Continuing into the new function, as shown below:
Picture 16: SHGetFolderPathA
The official description of this function is "Deprecated. Gets the path of a folder identified by a CSIDL value." It gets a CSIDL path and is obsolete. Moving on, as shown below:
Picture 17: cmd command
The string seen above starts with copy " and copies the current file to c:\intel\msdtcv.exe, which matches the guessed steps; the copy is indeed required. Since cmd instructions can be executed through APIs such as WinExec, ShellExecute and CreateProcess with cmd as a parameter, and the sample uses ShellExecute and CreateProcess, let's continue the analysis, as shown in the following figure:
Picture 18: reg cmd command
It uses cmd to set up self-start persistence. This function splices together the strings that are about to be used. Further analysis shows the function is as follows:
Picture 19: sub_401F00 function
The data handling here is very simple; there is no difficulty for anyone with basic programming. Here is a screenshot after IDA decompiles it to C:
Picture 20: Reg API
It opens and queries the AppId key; if it exists, it writes the path c:\intel\msdtcv.exe, as follows:
Picture 21: set successfully
Why set AppId under Environment? Any modification of information under the HKEY_CURRENT_USER root key also modifies the corresponding sub-key information under HKEY_USERS.Default. The current user's environment is modified, setting AppId to the run path. Later the cmd command references the %AppId% environment variable to start and exit, as shown below:
This approach is clever compared with calling the sensitive API directly. Next the registry is opened, as shown below:
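Detection logic for the persistence trick just described (a user environment variable under HKCU\Environment that resolves to the dropped file and is referenced from a Run entry as %AppId%), written here as an added example; it is not code from the original post or from the sample. It parses a constructed .reg export; the Run value name msdtcv, the benign OneDrive decoy entry and the allowlist of well-known user variables are assumptions.

```python
import re
# Constructed .reg export modelled on the behaviour described above; the Run
# value name "msdtcv" and the benign OneDrive entry are assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"AppId"="c:\\intel\\msdtcv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"msdtcv"="%AppId%"
'''
ENV_KEY = r"HKEY_CURRENT_USER\Environment"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
STD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
KNOWN_USER_VARS = {"temp", "tmp", "path", "onedrive"}  # assumed allowlist

def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg text (REG_SZ values only)."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'^"([^"]+)"="(.*)"$', line)):
            # .reg escapes backslashes and quotes inside data; undo that.
            current[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys

def exe_of(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def suspicious_run_entries(keys):
    """Flag Run entries that launch through a user-defined environment variable
    or that resolve to an executable outside the standard program directories."""
    env = {k.lower(): v for k, v in keys.get(ENV_KEY, {}).items()}
    findings = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        reasons, expanded = [], cmd
        for var in re.findall(r"%([^%]+)%", cmd):
            if var.lower() in env and var.lower() not in KNOWN_USER_VARS:
                reasons.append("custom_env_var:" + var)
            expanded = expanded.replace(f"%{var}%", env.get(var.lower(), f"%{var}%"))
        exe = exe_of(expanded)
        if not exe.lower().startswith(STD_DIRS):
            reasons.append("nonstandard_path")
        if reasons:
            findings.append((name, exe, reasons))
    return findings
```

On a live host the same check can be fed the output of reg export for the two keys; entries whose command only becomes meaningful after expanding a non-standard user variable are the ones worth a second look.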
Picture 22: RegOpenKeyEx
By observing the parameters, we can determine that this is related to the self-start key value. Below, the CreateThread function is called, as shown in the following figure:
Picture 23: CreateThread
Focus on the callback function marked in red in the figure above, as shown below:
Picture 24: callback function Analysis
The intention is obvious. Following the pattern of this sample's strings, whenever a string is assigned there must be a decryption operation afterwards, as shown below:
Picture 25: decryption Code
The string dynamically decrypted by the code above is ComSpec, i.e. the %ComSpec% environment variable. Take a look, as shown below:
Picture 26: echo %ComSpec%
It has now obtained a large number of cmd instructions and the cmd.exe executable path, so what follows must be the creation of a cmd process; otherwise all that preparation would be wasted. As follows:
Picture 27: CreateThread
Next, the data to be executed is written to cmd.exe, completing the copy via the cmd command, as shown in the following figure:
Picture 28: WriteFile
The callback function completes its mission: it creates a cmd thread and writes the cmd instructions through an anonymous pipe so that they are executed to copy itself, which is interesting. Then comes the watershed, the end of the current process, as shown in the following figure:
Picture 29: watershed
As shown in figure 22, we understand that this checks whether a startup item already exists; if the response is successful, the following is executed:
Picture 30: execute 1
Then the above code ends, exit is called, and msdtcv.exe runs next. In fact it is still the sample itself. Let me continue looking. What follows is a network-related operation, and then sub_4037b0 is called, an interesting function, as shown in the following figure:
Picture 31: RegOpenKeyEx
Picture 32: MachineGuid
Interesting code like the above: MachineGuid? This is the so-called unique hardware identifier, but nothing is done with it here. It just makes a judgment and obtains the identifier data, which should be used elsewhere, as follows:
Picture 33: sub_4037b0 return value
WSA initialization and socket operations are performed, as shown below:
Picture 34: gethostname
Picture 35: sub_402520 return value
Then the function sub_4025B0 is called, and the function content is as follows:
Picture 36: collect system information
A large amount of operating system information is collected in the function sub_4025B0, presumably to be sent to the server so that the malicious code downloaded later can be matched to the system. Linear analysis shows that the sub_402070 function forms a GET request from the collected data, containing information such as the system's unique identifier and version data, as shown below:
Picture 37: GET message formation
The data has now been collected; next it is sent. The sub_402890 function contains the complete socket operation and sends it to the server, as shown in the following figure:
Picture 38: send and recv
There is one last function, sub_402BA0, which we will continue to look at, as shown below:
Picture 39: socket
Picture 40: send Data
From the above data we find that it is still communicating with the server, formatting the spliced data and sending it. Next comes downloading and writing the local malicious code, as shown below:
Picture 41: get absolute path
The C++ environment above was tested under Windows 10 64-bit, which means the current system's path is also written into the file data. Interestingly, the malicious code downloaded from the server is decrypted, and by selectively reading and writing the file at chosen cursor offsets the malicious code that is actually executed is extracted; a thread is then created, as shown below:
Picture 42: selective malicious Code read and write
Why do that? To evade detection: the downloaded malicious code can be obfuscated so that antivirus software does not detect it. Whether it is a changed PE offset or the matching of certain sensitive strings, the scan may fail, so some so-called heuristic detection is avoided; finally the real malicious code is generated locally and executed, as shown below:
Picture 43: running malicious Code Files
Finally, it collects data and calls the sub_402890 function, the complete socket operation analysed above (figure 38). The call diagram is as follows:
Finally it gets the time and pseudorandom numbers, and this forms a big loop that returns to the original watershed, WSACleanup, as shown below:
Picture 44: data provided
✍ The above is the analysis of the whole sample. What is interesting is the way the strings are obtained and the means of avoiding heuristic detection after the malicious code is downloaded. The program itself does not carry out any malicious operations but collects a large amount of data from the current system and sends it to the server (a Trojan). The server supplies obfuscated malicious code compatible with the current system, which is decrypted locally and run, but unfortunately the malicious code could not be downloaded.
Finally, interested friends can download the APT sample from the Crazyman_Army post linked at the beginning of the article and study it.