0x00 Quick analysis
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F320e5297-5cf7-4ae5-b0a3-e8e8a330b314%2FUntitled.png?table=block&id=fd341b30-8bff-4f08-a868-d54ad6bcab2e)
Not packed; written in C++.
ThreatBook (微步) sandbox analysis
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F3f70c074-4545-4dd9-825e-0762e34478e3%2FUntitled.png?table=block&id=3ae7ac17-4f50-4665-b972-420287454655)
ThreatBook says it may be packed? That is most likely a false positive on ThreatBook's side.
Behaviour analysis with Huorong Sword (火绒剑)
Add filters:
- Process filter: the miner process
- Action filter: create file / write file
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F77cd4a30-cfbb-4182-aff3-eea89c4e82da%2FUntitled.png?table=block&id=95ce35f1-6d23-4ddd-86a1-855017ba79a1)
- Process filter: the miner process
- Action filter: set / create / delete registry keys
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fcf524850-fbd8-405f-ac27-855dd7aec375%2FUntitled.png?table=block&id=11f0d3c8-cabf-4b68-a8b5-3263e25dd68c)
- Process filter: the miner process
- Action filter: network connections
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F8bb63f3c-0a36-4531-8866-c67f4d7c2e45%2FUntitled.png?table=block&id=fc2e8fb5-8b9f-40f8-968c-7826e93f2b49)
IP lookup
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fda0a63be-1a94-4877-8211-2ec4d98eeab6%2FUntitled.png?table=block&id=9bb193f0-18c6-4fa6-bbce-a983bb55f71e)
Looking at the arguments of the cmd process spawned by the miner process tells us which commands it runs.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F3105d8bf-679e-40e8-8bbf-0e9f3dc3dab4%2FUntitled.png?table=block&id=40cff108-78c9-4472-b926-c2851786dc08)
Deleting itself makes sense, but why ping 127.0.0.1? (ping 127.0.0.1 -n 5 is the classic cmd substitute for sleep: it takes roughly four seconds, long enough for the parent process to exit, because Windows will not let del remove an executable that is still running.)
It creates a service. The service name appears to be random, yet it looks a lot like a legitimate service, so there is probably a dictionary it draws the parts from.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fd2e43aa8-0882-497c-8eec-aa9be08e6171%2FUntitled.png?table=block&id=72015856-4e80-42da-b1df-0947266b143f)
0x01 IDA analysis
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F0ae12d6a-9482-42d8-8980-7b06bb21afab%2FUntitled.png?table=block&id=f14a56d4-91e9-43e7-8b6e-ca834c72f021)
Step into 404FF0
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F866fb56b-df29-4d61-a57a-29ec3d41efd3%2FUntitled.png?table=block&id=dbb27365-bafe-4139-aa77-9584aa0291ab)
Step into 4050E0
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F492258f0-44d0-442d-93c4-b94032888716%2FUntitled.png?table=block&id=78119aba-2ca0-45da-ac04-7e4553e6591c)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F11635cad-c3c5-47ef-a9db-72c932bea61c%2FUntitled.png?table=block&id=1385ab59-51ed-496b-b3e0-b1e9f93b37d7)
Checks whether the registry key
Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkPlatform\\Location Awareness
exists. Back in 404FF0: if that key does not exist, it calls 404880. This is presumably how the malware tells whether it is running for the first time.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff4da4f32-06a4-4a86-80a4-75ce45171fe8%2FUntitled.png?table=block&id=3d96571c-cb96-44ca-9943-127d9d4903a7)
Step into 404880
Here it generates the random service name, which is built by concatenating three parts.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F6fd90106-dddb-411e-9fff-88b9e6fa44c3%2FUntitled.png?table=block&id=406c1bcd-ffdf-4b87-8010-10cc77a8c846)
The dictionaries used for generation; concatenated, the result really does have the flavour of a system service name.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F72e1a370-1ff5-4845-9416-7fa0cb723d65%2FUntitled.png?table=block&id=cd1faca8-e9ca-4157-b6df-e738951f5ed0)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fa16f0024-8133-40f7-97cf-d6763142a41c%2FUntitled.png?table=block&id=46d0b829-6196-4028-bde8-a3dcbc9ac823)
Generates <random service name>.dll. The concrete flow:
- get the path of the System folder
- create a file with a random file name
- delete <random service name>.dll (probably so the generated DLL does not collide with an existing DLL of the same name)
- create and write <random service name>.dll
It then creates the registry key used as the first-run marker. Because the installer only checks whether that key exists, its presence is also a quick way to tell whether a machine has been infected by this miner.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F66056f7b-9d72-449c-afb0-64a0f153f054%2FUntitled.png?table=block&id=1a7894a2-6be9-4540-b052-8b1687a909f2)
In 404FF0, if this is not the first run it goes to 4041E0 instead, which queries the service status.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fefeb3379-954a-4e4c-afed-06543555077a%2FUntitled.png?table=block&id=01d69d40-f4f4-4833-a0c1-2cb1715e05dc)
Back in main, enter 405330
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fa947f414-e1cc-4d22-b5f0-9d94d17513ff%2FUntitled.png?table=block&id=1654b69e-1425-49dc-81a6-f3e773bb6932)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fd1b4ea8f-3343-4d28-bd4c-8847a0e32f61%2FUntitled.png?table=block&id=afe6683c-4aef-4e35-a651-0d6dde235d65)
Back in main, enter 405390
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F350ba79d-c09a-4c43-beae-3d481cb67ff2%2FUntitled.png?table=block&id=b7be9a63-d6c8-45e0-a1a2-1ed209ef3611)
After loading the resource it returns a pointer to where the resource starts in memory.
Enter 4052D0
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fcc275d74-e51e-4581-9d45-82b853e79c73%2FUntitled.png?table=block&id=242afefd-a8dc-4704-ba09-341e345cf552)
Using the length and memory pointer obtained earlier, it pulls out the resource contents, then creates a file and writes them to it.
Back to main
Enter 4054F0
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fcb72da93-7717-4540-95e4-32549f0a17b6%2FUntitled.png?table=block&id=399b686f-8861-498e-bbc8-f3e737f3afdb)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fe84c0d0b-239f-4d53-b3e7-0001fa7299e7%2FUntitled.png?table=block&id=15dbeb2a-70cc-491f-b302-92202dbd8080)
Enter 403F80
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F2ee94f27-b833-48a4-9cc1-306a437e5b4f%2FUntitled.png?table=block&id=384daf17-0e6d-4ecb-8a6e-3fda686f5029)
Enter 403EA0
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdc90ae3f-b47e-4cae-83c9-cd351c366681%2FUntitled.png?table=block&id=16cb8a6c-90c5-4848-880e-a2753d4fad96)
Opens and reads the random-named file whose contents were written earlier.
Back to 4054F0
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdfe9c996-d2ce-48b4-9a6e-b4f85f675288%2FUntitled.png?table=block&id=55fc44fa-7ee8-4987-b76a-c3820b32353c)
Enter 4052D0
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F8ea2e737-8e16-4bd4-8464-279d55dffe01%2FUntitled.png?table=block&id=e2335733-b33d-4093-9cc7-759efd03e05f)
Writes the contents it just read into <service name>.dll.
Back to main once more
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fbe2b9c72-b391-4be6-a5b8-f66b567edd76%2FUntitled.png?table=block&id=8d0ebba5-4bdc-4739-a581-c2b950f60f7c)
Step into 4051A0
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fbcbec28d-7e1d-46d4-8b08-c9f1a766762e%2FUntitled.png?table=block&id=b6c8e00f-7e9a-4391-b82a-d6d415eb8881)
Reads svchost.exe's creation, last-access and last-write timestamps and sets file times from them (the GetFileTime/SetFileTime timestomping pair, presumably applied to the dropped DLL so its timestamps match a genuine system binary).
Back to main, enter 406110
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fd9adc36d-45b7-4818-8729-1f91d7be66e3%2FUntitled.png?table=block&id=2371db30-3863-41a0-8772-de0c0f8e37d2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F7c15300e-f852-426a-ae36-0e03ed4b177c%2FUntitled.png?table=block&id=01b8096c-0ae6-4886-bccc-843f249adca0)
Enter 405F40
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fa2c21baa-0f72-4186-a355-b45ee65fa2e2%2FUntitled.png?table=block&id=87d7c158-de7d-40d8-b1fb-29ac32409d60)
Opens the registry key
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
and queries the value
netsvcs
Background: svchost.exe groups the DLL-hosted services it runs according to the values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. Each value there is a service group, and each group is hosted by its own svchost.exe process, so on the Windows versions this sample targets these values correspond to the svchost.exe instances you see in Task Manager. Groups are loaded on demand rather than all at once, so there are usually more values than running svchost.exe processes. The service name, parameters and DLL for each service in a group come from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<ServiceName> (the ServiceDll value under its Parameters subkey). Note that since Windows 10 1703, on hosts with more than 3.5 GB of RAM, most services run in separate svchost.exe processes, so the one-process-per-group rule no longer holds there.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F6a42f981-4366-4665-9ce5-003ab4297930%2FUntitled.png?table=block&id=0879e59a-2dd8-4103-b2a8-53992c870368)
Establishes a connection to the Service Control Manager and opens its database (OpenSCManager).
Creates a service object and adds it to the specified SCM database (CreateService).
This is the step that creates the randomly named malicious service.
Step into 405CA0
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fd5c1c5db-6fae-462f-9a1f-1f51c76fda9a%2FUntitled.png?table=block&id=144a728a-e2fb-4c9a-9180-ca82c762fb81)
Sets the Description value of the registry key
SYSTEM\CurrentControlSet\Services\%s
Back to 405F40
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fab478b12-32b3-4d89-9687-d34f0d965f65%2FUntitled.png?table=block&id=03a23022-1a3f-4b23-8099-ae8971651a68)
405CA0 is called a second time to set the ServiceDll value of
SYSTEM\CurrentControlSet\Services\%s\Parameters
to <random service name>.dll. Back to 406110
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F79cdaf80-8eab-4d63-9d0b-cbf85413a88c%2FUntitled.png?table=block&id=4ad4eafc-85bb-40d3-b669-a1cb9d881c3b)
Connects to the Service Control Manager and opens its database again.
Starts the malicious service, which runs the malicious DLL.
The service drops the mining module,
dllhostex.exe
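The persistence described above (a service name appended to the netsvcs group, a Services\<name> key with a Description, and Parameters\ServiceDll pointing at the dropped DLL) is easy to hunt for offline with a registry export. The following is an added example, not code from the original post: it parses the text that `reg export` writes (joining the backslash-continued lines and decoding hex(2) and hex(7) values), then joins the netsvcs list against each member's ServiceDll. The service name SecureTaskSvc, the Description text and the baseline set are constructed for the sample and are not indicators from the malware.

```python
"""Hunt a .reg export for a ServiceDll implant registered in the netsvcs group."""
import re
from typing import Dict, List

SVCHOST_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\svchost"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "Name"=<data>

# Constructed sample in the shape of two concatenated exports:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" svchost.reg
#   reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
# SecureTaskSvc is an invented stand-in for the malware's random three-part name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,00,54,00,68,\
  00,65,00,6d,00,65,00,73,00,00,00,53,00,65,00,63,00,75,00,72,00,65,00,54,00,61,\
  00,73,00,6b,00,53,00,76,00,63,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Description"="@%systemroot%\\system32\\wuaueng.dll,-105"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\wuaueng.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\themeservice.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecureTaskSvc]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Description"="Manages scheduling of secure system tasks."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecureTaskSvc\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,65,00,63,00,\
  75,00,72,00,65,00,54,00,61,00,73,00,6b,00,53,00,76,00,63,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"""

# Constructed baseline: the netsvcs members of a clean reference host of the same build.
BASELINE = {"wuauserv", "themes"}


def _decode(raw: str):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith('"'):                                  # REG_SZ, backslash-escaped
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):                             # REG_DWORD, hex digits
        return int(raw[6:], 16)
    m = re.match(r"hex\((\d+)\):(.*)$", raw)
    if m:                                                    # typed binary holding UTF-16LE text
        text = bytes(int(b, 16) for b in m.group(2).split(",") if b).decode("utf-16-le")
        if m.group(1) == "7":                                # REG_MULTI_SZ: NUL-separated, NUL NUL terminated
            return [s for s in text.split("\x00") if s]
        if m.group(1) == "2":                                # REG_EXPAND_SZ
            return text.rstrip("\x00")
    return raw                                               # anything else: keep the text


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key path (lower-cased): {value name: value}}."""
    lines: List[str] = []
    for line in text.splitlines():
        if lines and lines[-1].endswith("\\"):               # reg.exe wraps hex data with a trailing '\'
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line.rstrip())
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = _decode(m.group(2))
    return keys


def load_reg(path: str) -> Dict[str, Dict[str, object]]:
    """reg.exe writes UTF-16LE with a BOM; the 'utf-16' codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def hunt_netsvcs(reg: Dict[str, Dict[str, object]], baseline: set) -> List[dict]:
    """Report netsvcs members that are not in the baseline, have no ServiceDll,
    or carry a literal Description (built-in services use @dll,-id resource strings)."""
    findings = []
    for svc in reg.get(SVCHOST_KEY, {}).get("netsvcs", []):
        svc_key = reg.get(f"{SERVICES_KEY}\\{svc.lower()}", {})
        params = reg.get(f"{SERVICES_KEY}\\{svc.lower()}\\parameters", {})
        dll, desc, reasons = params.get("ServiceDll"), svc_key.get("Description"), []
        if svc.lower() not in baseline:
            reasons.append("not in baseline netsvcs group")
        if dll is None:
            reasons.append("no ServiceDll under Parameters")
        if isinstance(desc, str) and not desc.startswith("@"):
            reasons.append("literal Description string")
        if reasons:
            findings.append({"service": svc, "service_dll": dll,
                             "image_path": svc_key.get("ImagePath"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_netsvcs(parse_reg(SAMPLE_REG), BASELINE):
        print(finding)
```

The baseline comparison is the strong signal; the literal-Description heuristic is only a tie-breaker, because third-party services legitimately use plain strings (they just rarely live in netsvcs).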
Back to main
Enter 4041E0
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fe807850b-7e60-472e-b8b2-a1ccd4bf7779%2FUntitled.png?table=block&id=adebc74f-a3a1-4785-814b-544c057fbbfd)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F18b60496-6f82-4deb-9065-8388aabeb0bb%2FUntitled.png?table=block&id=e23843f7-c795-4303-a773-0feb4383af32)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fd17fb700-a4a0-48e8-b77c-dd1730a5dc64%2FUntitled.png?table=block&id=b7309220-70d4-431e-bb7a-9f3df57d9024)
Checks the status of the malicious service.
Back to main, enter 4058E0
If installation succeeded the argument passed in is
Install_Done
; if it failed, the argument is Error_%d
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F59f1cdff-ff11-4c36-987f-8b19bb8558e8%2FUntitled.png?table=block&id=194b1c2f-748f-4bd0-9a99-33aaf5903101)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F4ccaf164-c5d3-4919-a711-344f108d0020%2FUntitled.png?table=block&id=c5ddb096-93b2-42cc-b942-eeb14807a477)
Obtains the host name and OS version
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F293e1e00-1b84-44a5-b69d-51b978183c63%2FUntitled.png?table=block&id=808fa378-dd0d-4ef2-9a83-e070c9aa6e0d)
Builds the request parameters:
OS version, host name, and the install result passed in in the previous step
Enter 405670
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F5da5a073-74f3-482f-a50d-1b92f2c7889e%2FUntitled.png?table=block&id=1bd3818b-ffe1-49a5-a445-4c4af263b325)
Obtains the request target
185.128.24.101:80
which matches what Huorong Sword recorded. Back to 4058E0, enter 405720
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdb7ebcd9-9281-4382-9b7a-f807f5b2ac07%2FUntitled.png?table=block&id=e85c5ca2-c02e-4198-8800-a24634c8b803)
Sends an HTTP request with method GET and the User-Agent
Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
(No Internet Explorer 6.1 was ever released, so this string is a usable network indicator on its own.)
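A retro-hunt for that check-in over HTTP logs, as an added example that is not part of the original post. The User-Agent string and the 185.128.24.101:80 destination come from the write-up; everything else is assumed for the sample: the log layout (columns modelled on Zeek's http.log, renamed for brevity), and in particular the URI shape with os/host/result query parameters, since the post only says the OS version, host name and install result are concatenated into the request. The install-result check therefore matches values, not parameter names.

```python
"""Hunt HTTP logs for the installer's Install_Done / Error_N check-in."""
import re
from urllib.parse import parse_qs, urlsplit

BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"   # from the sample; no IE 6.1 ever shipped
BEACON_HOST = "185.128.24.101"                                  # from the sample's network log
RESULT_RE = re.compile(r"^(?:Install_Done|Error_\d+)$")        # the two install-result formats
COLUMNS = ["ts", "src", "dst", "dst_port", "method", "host", "uri", "user_agent"]

# Constructed, tab-separated log lines; internal addresses, host names and URIs are invented.
SAMPLE_HTTP_LOG = "\n".join([
    "1583056800.1\t10.0.5.23\t185.128.24.101\t80\tGET\t185.128.24.101\t"
    "/?os=Windows%207&host=WS01&result=Install_Done\t" + BEACON_UA,
    "1583056801.4\t10.0.5.40\t93.184.216.34\t80\tGET\texample.com\t/index.html\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0",
    "1583056802.0\t10.0.5.41\t10.0.1.5\t80\tGET\tintranet\t/portal/?user=bob\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",          # real IE 6.0 UA: must not fire
    "1583056803.7\t10.0.5.44\t185.128.24.101\t80\tGET\t185.128.24.101\t"
    "/?os=Windows%20Server%202008&host=SRV02&result=Error_1060\t" + BEACON_UA,
])


def parse_http_log(text: str):
    """Yield one dict per non-empty, non-comment line, keyed by COLUMNS."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield dict(zip(COLUMNS, line.split("\t")))


def install_result(uri: str):
    """Return the Install_Done / Error_N token carried by any query value, else None."""
    for values in parse_qs(urlsplit(uri).query).values():
        for value in values:
            if RESULT_RE.match(value):
                return value
    return None


def hunt_beacons(records):
    """Score each record on the three independent indicators and keep any hit."""
    findings = []
    for r in records:
        reasons = []
        if r["user_agent"] == BEACON_UA:
            reasons.append("user-agent")
        if r["dst"] == BEACON_HOST and r["dst_port"] == "80":
            reasons.append("destination")
        result = install_result(r["uri"])
        if result:
            reasons.append("install-result parameter")
        if reasons:
            findings.append({"ts": r["ts"], "src": r["src"], "reasons": reasons, "result": result})
    return findings


if __name__ == "__main__":
    for finding in hunt_beacons(parse_http_log(SAMPLE_HTTP_LOG)):
        print(finding)
```

Each indicator is scored separately on purpose: the IP will rot, the UA can be changed in a rebuild, but a hit on two of the three is worth an analyst's time even after one of them has changed.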
Back to main, enter 405570
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F0c352a8b-1799-4127-89e2-ff32e3129c27%2FUntitled.png?table=block&id=9dd1f351-2200-4512-8f30-2729e9082d32)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdb73389c-b4a2-42ac-b0c9-de5e747b4793%2FUntitled.png?table=block&id=fcf7da27-70c7-4939-b6a0-0daa1d1b646e)
Gets the path of the malware's own executable
and runs, without showing a window, the command
cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a
followed by that path, which deletes the installer once it has exited.
0x02 DLL analysis
It is disguised to some extent.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F47951df5-8904-49a2-af75-8f1458c8911f%2FUntitled.png?table=block&id=0662f6ff-aca2-4dd4-8650-64e5d4f81994)
It performs two main operations, after creating the registry key
Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\
Lateral movement - searchindexer.exe
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fc589db32-7b8e-44a3-ad24-4cccfce4359e%2FUntitled.png?table=block&id=ba33d272-ae0f-483d-b91a-dee5847a958a)
Writes the MS17-010 (EternalBlue) exploitation toolkit to
C:\Windows\NetworkDistribution\
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F7aae25de-86e7-433d-9c65-d1103e4e2fc0%2FUntitled.png?table=block&id=b687a983-1cc4-47bd-b448-821b9a192b7c)
Attack
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F82cc2f85-e5a6-4da8-a472-b8018aa5fad2%2FUntitled.png?table=block&id=a7fde226-2b80-434d-9e4d-c699320d000c)
It takes the machine's own intranet IP and scans that subnet, rather than a built-in list of ranges.
It scans repeatedly.
Mining - dllhostex.exe
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F581bbeb6-5f3c-47f2-8f3e-cb400404a843%2FUntitled.png?table=block&id=e29862ea-d8f9-4473-914e-5f4c0b1e589a)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F39534518-b16b-40eb-aab5-726558356885%2FUntitled.png?table=block&id=3c05a76f-2554-4f74-b720-3a216cf880dd)
From a quick look, this appears to be a lightly modified open-source mining program.
A neat trick: when Task Manager starts, the mining process exits on its own; once Task Manager is closed, the miner starts up again.
- Author: fatekey
- Link: https://blog.fatekey.icu/article/wannamine
- Licence: this article is released under CC BY-NC-SA 4.0; please credit the source when reposting.