Preface
I had never analyzed a worm sample before; while browsing I came across an introduction to the BuleHero worm, found it quite interesting, and decided to take it apart.
Execution process
Detailed analysis
The main body file is packed with UPX, so I used Huorong Sword (火绒剑) directly to observe its main behavior.
Huorong Sword analysis
The malware copies itself.
After the copy completes, it deletes the original.
It launches the copied malicious program via a cmd command.
It runs the following commands through netsh.exe and cmd.exe to modify the firewall rules:
netsh ipsec static delete all
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
netsh ipsec static set policy name=Bastards assign=y
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList
netsh ipsec static set policy name=Bastards assign=y
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
netsh ipsec static add filter filterlist=Bast
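The sequence above is a useful detection signal: a single `netsh ipsec static delete all` wipes any existing IPsec policy, the `add filter` lines with `dstaddr=Me` build a filter list of inbound ports on the local host, `add rule` binds the list to a policy, and `set policy ... assign=y` activates it. As an added defender-side example (not from the original post), the Python script below parses `netsh ipsec static` command lines out of constructed process-creation records shaped like Sysmon Event ID 1 ParentImage/CommandLine fields and flags that wipe, block-local-ports, assign pattern. It handles any `add`/`set`/`delete` subcommand and any port list, not only the lines quoted above. The function names `parse_netsh_ipsec` and `summarize_ipsec_activity` and the sample records are mine; the command strings mirror the ones listed above.

```python
"""Detect BuleHero-style IPsec policy tampering in process-creation logs.

Added example: constructed records (parent image, command line) shaped like Sysmon
Event ID 1 fields; nothing here is from the original post except the command text.
"""
import re
from collections import defaultdict

# Constructed sample process-creation records: (ParentImage, CommandLine).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe", "netsh ipsec static delete all"),
    ("C:\\Windows\\System32\\cmd.exe",
     "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP"),
    ("C:\\Windows\\System32\\cmd.exe",
     "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP"),
    ("C:\\Windows\\System32\\cmd.exe",
     "netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList"),
    ("C:\\Windows\\System32\\cmd.exe", "netsh ipsec static set policy name=Bastards assign=y"),
    ("C:\\Windows\\System32\\cmd.exe",
     "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP"),
    ("C:\\Windows\\System32\\cmd.exe",
     "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP"),
    ("C:\\Windows\\System32\\cmd.exe",
     "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP"),
    # Benign admin query; must not match the static-policy parser.
    ("C:\\Windows\\explorer.exe", "netsh advfirewall show allprofiles"),
]

# netsh may appear bare or with a path; capture verb (add/set/delete) and object (filter/rule/policy/all).
NETSH_IPSEC_RE = re.compile(
    r"^\s*(?:\S*[\\/])?netsh(?:\.exe)?\s+ipsec\s+static\s+(\w+)\s+(\w+)(.*)$", re.IGNORECASE)

# Ports the worm closes on the local host so that other malware cannot get in the same way.
LATERAL_MOVEMENT_PORTS = {135, 139, 445}


def parse_netsh_ipsec(cmdline):
    """Return {'verb', 'object', 'args'} for a 'netsh ipsec static' command, else None."""
    m = NETSH_IPSEC_RE.match(cmdline)
    if not m:
        return None
    verb, obj, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
    args = {}
    for tok in rest.split():          # remaining tokens are key=value pairs
        if "=" in tok:
            key, value = tok.split("=", 1)
            args[key.lower()] = value
    return {"verb": verb, "object": obj, "args": args}


def summarize_ipsec_activity(events):
    """Correlate ipsec static commands across events and decide if they match the worm pattern."""
    wiped = False
    filters = defaultdict(set)   # filterlist name -> {(dstport, protocol)}
    rules = []                   # (rule name, policy, filterlist, filteraction)
    assigned = set()             # policies activated with assign=y
    parents = set()              # image names that spawned netsh
    for parent, cmdline in events:
        parsed = parse_netsh_ipsec(cmdline)
        if parsed is None:
            continue
        parents.add(parent.rsplit("\\", 1)[-1].lower())
        verb, obj, a = parsed["verb"], parsed["object"], parsed["args"]
        if verb == "delete" and obj == "all":
            wiped = True
        elif verb == "add" and obj == "filter":
            # dstaddr=Me means the local host: these are inbound ports being filtered.
            filters[a.get("filterlist", "?")].add((a.get("dstport", "any"), a.get("protocol", "any").upper()))
        elif verb == "add" and obj == "rule":
            rules.append((a.get("name"), a.get("policy"), a.get("filterlist"), a.get("filteraction")))
        elif verb == "set" and obj == "policy" and a.get("assign", "").lower() == "y":
            assigned.add(a.get("name"))
    blocked_ports = sorted({int(p) for ports in filters.values() for p, _ in ports if p.isdigit()})
    # Worm pattern: existing policy wiped, SMB/RPC ports filtered on the local host, policy activated.
    verdict = wiped and bool(LATERAL_MOVEMENT_PORTS & set(blocked_ports)) and bool(assigned)
    return {
        "wiped_existing_policy": wiped,
        "blocked_ports": blocked_ports,
        "filter_lists": sorted(filters),
        "assigned_policies": sorted(assigned),
        "rules": rules,
        "spawned_by": sorted(parents),
        "matches_worm_pattern": verdict,
    }


if __name__ == "__main__":
    for key, value in summarize_ipsec_activity(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The correlation is deliberately per-host rather than per-event: a lone `netsh ipsec static add filter` is something an administrator might type, but the combination of wiping all existing policy, filtering 135/139/445 toward `dstaddr=Me`, and assigning the new policy in one burst from `cmd.exe` is what distinguishes this behavior.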