Use basic dynamic analysis techniques to analyze the malware found in the file Lab03-01.exe.
Questions
C:\Documents and Settings\Administrator>strings Lab03-01.exe
ExitProcess
kernel32.dll
ws2_32
cks=u
advapi32
ntdll
user32
StubPath
SOFTWARE\Classes\http\shell\open\commandV
Software\Microsoft\Active Setup\Installed Components
www.practicalmalwareanalysis.com
admin
WinVMX32-
vmx32to64.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
AppData
The URL is worth noting, and so is this registry path: CurrentVersion is frequently used by malware for autostart. Drag the file into PEiD to check whether it is packed. Because it is packed, only a single function table is visible.
First start Wireshark and click Start, then open Process Monitor and set a filter, and finally open Process Explorer.

The file imports ws2_32.dll, so it may perform network operations. It also creates a mutex; the main purpose of creating a mutex is to let a program hold exclusive use of some resource at a given moment.

When setting the filter in Process Monitor, filter on Process Name. There is still too much output to read through, so refine the filter further. We then find write-file operations and registry-modification operations. There may also be random-number operations.

There may be an operation that copies the file to this path; locate that file and compare it against Lab03-01.exe: it is indeed the same file. Look at this location in the registry. This autostart entry is set to the directory the file was copied into.

At this point we know that the malware creates a mutex named WinVMX32, copies itself to a directory, and installs itself into the system's autostart entries by creating the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDrive, set to the location of the copy.
Network configuration: I muddled through more or less; I am a networking idiot, sob. I followed these two tutorials: https://www.jianshu.com/p/3d809e679653 https://www.cnblogs.com/hyq20135317/p/5515675.html In the end it seems to have worked, but I did not manage to download and install ApateDNS.

Use Wireshark to listen, and double-click the DNS entry to view it. There are network signatures; it looks like a request for a URL. Every SSL connection is garbage, and given that the program has random-number behaviour, it may be sending random garbage. After resolving the domain name, the malware continuously beacons 256-byte packets containing seemingly random binary data.
Look at the export table. Look at the import table: the program creates processes and threads (CreateProcessA and CreateThread). It also creates services, manipulates services, and operates on the registry. It performs network operations. Look at the strings: registry paths, program paths, running programs, and URLs. We see the installA function, so we can install it with a command line like this:
rundll32.exe Lab03-02.dll, installA
After installing it, how do we get the malware to run?
How can we find which process the malware is running in?
The search did not work, so I looked manually, awkward. The PID is 1012.
Simply set a filter on PID 1012.
Use Regshot to look at the changes on the host.
Regshot 1.9.0 x86 ANSI
Comments:
Datetime: 2022/10/3 08:36:17 , 2022/10/3 08:36:23
Computer: UOT9TWO1JSBICVH , UOT9TWO1JSBICVH
Username: Administrator , Administrator

Keys added: 6
HKLM\SYSTEM\ControlSet001\Services\IPRIP
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Parameters
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Security
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Security

Values added: 20
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Type: 0x00000020
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\IPRIP\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\IPRIP\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\SYSTEM\ControlSet001\Services\IPRIP\DisplayName: "Intranet Network Awareness (INA+)"
HKLM\SYSTEM\ControlSet001\Services\IPRIP\ObjectName: "LocalSystem"
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Description: "Depends INA+, Collects and stores network configuration and location information, and notifies applications when this information changes."
HKLM\SYSTEM\ControlSet001\Services\IPRIP\DependOnService: 52 70 63 53 73 00 00
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Parameters\ServiceDll: "C:\Documents and Settings\Administrator\Lab03-02.dll"
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Type: 0x00000020
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\DisplayName: "Intranet Network Awareness (INA+)"
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Description: "Depends INA+, Collects and stores network configuration and location information, and notifies applications when this information changes."
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\DependOnService: 52 70 63 53 73 00 00
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ServiceDll: "C:\Documents and Settings\Administrator\Lab03-02.dll"
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

Values modified: 1
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 43 C7 CF 31 CE B0 E5 64 8F B2 28 06 2B E6 C3 A4 51 71 BD F5 CF 95 E7 6A 6A 55 D1 CE BC 52 80 15 1A 8E A1 7E FF 29 15 9B 60 EB 8E A5 78 EA 48 B7 B0 69 E4 62 DD 74 7F DA 4D 02 85 E5 99 07 EB 65 3C C3 7A B8 E5 AD FB 31 8B 7B D5 49 92 D0 C8 A4
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 0E 4F 49 D0 CC 39 12 16 73 3C E7 84 7B 52 5F EB 89 55 2D BC 12 5C CA 42 C3 F8 22 D1 C1 95 5E 05 C1 77 43 D7 61 31 7D 5C D3 16 CE C3 07 0E CB 60 C5 D0 9B 5E AE E3 5E C0 75 73 8B 97 B2 91 F0 F7 6B EF F3 89 95 A2 74 28 F5 6D FF 0E BB 4C C9 7E

Total changes: 27
The sign of infection is that a service named IPRIP is created.
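As an added example (my own code, not from the write-up or the lab materials), a small Python triage pass over Regshot-style value lines: it flags a svchost-hosted service whose ServiceDll points outside the Windows directory, as the IPRIP entries above do, and any value added under a Run key, as the Lab03-01 VideoDrive entry does. The sample report lines and the Run value's data are constructed, not taken from a real host.

```python
import re

# Constructed sample in Regshot's "Key\Name: data" line format, modelled on the
# Lab03-02 service entries and on the Run value the Lab03-01 write-up reports.
SAMPLE_REGSHOT = "\n".join([
    r"Values added: 4",
    r'HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ServiceDll: "C:\Documents and Settings\Administrator\Lab03-02.dll"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters\ServiceDll: "%SystemRoot%\system32\rpcss.dll"',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDrive: "C:\Documents and Settings\Administrator\Application Data\vmx32to64.exe"',
])

# Key path, value name (the last path component), data.
VALUE_RE = re.compile(r"^(HK[A-Z_]+\\.+?)\\([^\\:]+): (.*)$")
# DLLs that svchost.exe hosts legitimately live under the Windows directory.
TRUSTED_DLL_PREFIXES = ("%systemroot%\\", "c:\\windows\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

def parse_values(report):
    """Yield (key, value_name, data) for every value line in a Regshot report."""
    for line in report.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).strip('"')

def suspicious_entries(report):
    """Flag services whose ServiceDll sits outside the Windows directory (the
    Lab03-02 pattern) and any value written under a Run key (the Lab03-01
    pattern).  Returns a list of (finding, subject, data) tuples."""
    findings = []
    for key, name, data in parse_values(report):
        low_key, low_data = key.lower(), data.lower()
        if name.lower() == "servicedll" and not low_data.startswith(TRUSTED_DLL_PREFIXES):
            service = key.split("\\")[-2]          # ...\Services\<service>\Parameters
            findings.append(("servicedll_outside_windows_dir", service, data))
        if any(run in low_key + "\\" for run in RUN_KEYS):
            findings.append(("run_key_persistence", name, data))
    return findings

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_REGSHOT):
        print(*finding, sep="  |  ")
```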
Looking in Wireshark, the request packets all show up, so there certainly are useful network signatures.
Questions
Start Process Explorer and run Lab03-03.exe. You can see Lab03-03.exe flash by, create a child process svchost.exe, and then quickly delete itself.
Memory contains some odd things that the image does not, as if it were logging the keyboard. There is also an odd log. Wow, the log wrote it straight down for me.
Open that log file and look: it is definitely logging keystrokes. Open Process Monitor: it is frequently creating and writing files, so something is definitely off.
This program performs process replacement on the svchost.exe process to launch a keylogger.
Checking for a packer shows that the program is not packed. From the DLLs in the import table we can tell that the program performs network operations. The import table also shows copy-file and read/write-file functions, as well as create-file and create-process functions. There is also GetSystemDirectoryA, used to obtain the system directory, plus registry operations, service creation, service deletion and so on. Looking at the strings, we also find a URL.
After double-clicking to run it, the program is gone. Monitor it with Process Monitor. This command line is probably the one that deletes the file:
"C:\WINDOWS\system32\cmd.exe" /c del C:\DOCUME~1\ADMINI~1\Lab03-04.exe >> NULL
We suspect that a command-line argument may be required, or that some component of the program is missing.
We tried some of the command-line arguments shown in the strings list, such as -in, but this produced no useful result; deeper analysis is needed.
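As an added example (my own code, not from the write-up), a Python triage pass over a constructed Process Monitor-style CSV export covering the behaviours described for Lab03-03 and Lab03-04: svchost.exe created by something other than services.exe, cmd.exe run with /c del against the launching process's own image, and one file being written to repeatedly. The trimmed column layout, the PIDs and the keystrokes.log file name are assumptions, not the labs' real values.

```python
import csv
import io
from collections import Counter

# Constructed Process Monitor-style export (columns trimmed), modelled on what the
# write-up observed: Lab03-03 spawning svchost.exe which then writes a keystroke
# log, and Lab03-04 launching cmd.exe to delete its own image.  PIDs are made up.
SAMPLE_PROCMON = """\
Process Name,PID,Operation,Path,Detail
Lab03-03.exe,2024,Process Create,C:\\WINDOWS\\system32\\svchost.exe,"PID: 2172, Command line: svchost.exe"
svchost.exe,2172,WriteFile,C:\\Documents and Settings\\Administrator\\keystrokes.log,"Offset: 0, Length: 12"
svchost.exe,2172,WriteFile,C:\\Documents and Settings\\Administrator\\keystrokes.log,"Offset: 12, Length: 9"
services.exe,672,Process Create,C:\\WINDOWS\\system32\\svchost.exe,"PID: 1012, Command line: svchost.exe -k netsvcs"
Lab03-04.exe,3012,Process Create,C:\\WINDOWS\\system32\\cmd.exe,"PID: 3040, Command line: ""C:\\WINDOWS\\system32\\cmd.exe"" /c del C:\\DOCUME~1\\ADMINI~1\\Lab03-04.exe >> NUL"
"""

def load_events(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def find_process_replacement(events):
    """svchost.exe is normally started by services.exe; a svchost.exe created by
    any other process is the launch pattern seen for Lab03-03."""
    return [(e["Process Name"], e["Path"]) for e in events
            if e["Operation"] == "Process Create"
            and e["Path"].lower().endswith("\\svchost.exe")
            and e["Process Name"].lower() != "services.exe"]

def find_self_delete(events):
    """cmd.exe /c del <own image name>: how Lab03-04 removes itself."""
    hits = []
    for e in events:
        own_stem = e["Process Name"].lower().rsplit(".", 1)[0]   # e.g. lab03-04
        cmdline = e["Detail"].lower()
        if (e["Operation"] == "Process Create" and e["Path"].lower().endswith("\\cmd.exe")
                and "/c del" in cmdline and own_stem in cmdline):
            hits.append((e["Process Name"], e["Detail"]))
    return hits

def repeatedly_written_files(events, threshold=2):
    """Paths receiving at least `threshold` WriteFile calls; a keylogger's log
    file stands out here before its contents are ever opened."""
    counts = Counter(e["Path"] for e in events if e["Operation"] == "WriteFile")
    return sorted((p, n) for p, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    ev = load_events(SAMPLE_PROCMON)
    print(find_process_replacement(ev), find_self_delete(ev), repeatedly_written_files(ev))
```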