Analysis of the 窟头 (Kutou) lock-screen virus

A virus analysis written by an expert that I recently came across while browsing a forum.


1. Sample overview

1.1 Sample information

Size: 17351168 bytes
File version: 1.0.0.0
Modified: 8 November 2017, 23:33:31
MD5: DFFE6E34209CB19EBE720C457A06EDD6
SHA1: 5851B96DD37E24799A1EAF17778BEB322D714A8B
CRC32: 13578A63
Packer: UPX

1.2 Test environment and tools

Test environment: VMware Workstation 12 Pro, Windows 7 SP1
Test tools: OllyDbg, IDA, an MD5 tool

1.3 Analysis goal

Analyse the malicious behaviour of this virus

2. Detailed behaviour analysis

2.1 Main behaviour

2.1.1 Harm caused to the user

Visible behaviour: it plays a piece of music, then shuts down and reboots. It creates sj.exe, taskmgr.exe and xh.exe, drops images on the C: drive and changes the desktop background (1.bmp, 2.bmp); finally it runs aa_.0083C541 (ASCII "shutdown.exe -s -t 0").

At every boot the desktop wallpaper is replaced. sj.exe is the component that locks the account name and password, xh.exe is the final animation, and the main program logic remains in the parent binary.

 

2.2 Malicious code analysis

2.2.1 Overall program logic

2.2.2 Basic behaviour analysis

1> Releasing resources used to launch the malicious programs

The first and second released resources are identical.

Detects the QQ process

KillProcess function call

Drops the bitmaps

Runs it

The second launch is the same

Analysis of the sj.exe file

Sets the account name and password

The key jumps are basically all at this location

It uses a custom background image and draws the personal signature

The grimace face is simple

00406840: the drawing function call

004024A6    E8 A1430000     CALL aa_.0040684C                        ; clear the error dialog window
004024AB    83C4 10         ADD ESP,0x10
004024AE    E8 AD230000     CALL aa_.00404860
004024B3    6A 00           PUSH 0x0
004024B5    68 01000000     PUSH 0x1
004024BA    6A FF           PUSH -0x1
004024BC    6A 0F           PUSH 0xF
004024BE    68 48020116     PUSH 0x16010248
004024C3    68 37020152     PUSH 0x52010237
004024C8    E8 73430000     CALL aa_.00406840                        ; show left eye
004024CD    83C4 18         ADD ESP,0x18
004024D0    6A 00           PUSH 0x0
004024D2    68 01000000     PUSH 0x1
004024D7    6A FF           PUSH -0x1
004024D9    6A 0F           PUSH 0xF
004024DB    68 47020116     PUSH 0x16010247
004024E0    68 37020152     PUSH 0x52010237
004024E5    E8 56430000     CALL aa_.00406840                        ; show right eye
004024EA    83C4 18         ADD ESP,0x18
004024ED    68 01030080     PUSH 0x80000301
004024F2    6A 00           PUSH 0x0
004024F4    68 2C010000     PUSH 0x12C
004024F9    68 01000000     PUSH 0x1
004024FE    B8 03000000     MOV EAX,0x3
00402503    BB 90906600     MOV EBX,aa_.00669090
00402508    E8 3F430000     CALL aa_.0040684C
0040250D    83C4 10         ADD ESP,0x10
00402510    E8 F4EEFFFF     CALL aa_.00401409
00402515    6A 00           PUSH 0x0
00402517    68 00000000     PUSH 0x0
0040251C    6A FF           PUSH -0x1
0040251E    6A 0F           PUSH 0xF
00402520    68 48020116     PUSH 0x16010248
00402525    68 37020152     PUSH 0x52010237
0040252A    E8 11430000     CALL aa_.00406840                        ; left eye disappears
0040252F    83C4 18         ADD ESP,0x18
00402532    6A 00           PUSH 0x0
00402534    68 00000000     PUSH 0x0
00402539    6A FF           PUSH -0x1
0040253B    6A 0F           PUSH 0xF
0040253D    68 47020116     PUSH 0x16010247
00402542    68 37020152     PUSH 0x52010237
00402547    E8 F4420000     CALL aa_.00406840                        ; right eye disappears
0040254C    83C4 18         ADD ESP,0x18
0040254F    68 01030080     PUSH 0x80000301
00402554    6A 00           PUSH 0x0
00402556    68 2C010000     PUSH 0x12C
0040255B    68 01000000     PUSH 0x1
00402560    B8 03000000     MOV EAX,0x3
00402565    BB 90906600     MOV EBX,aa_.00669090
0040256A    E8 DD420000     CALL aa_.0040684C                        ; error dialog prompt popped up
0040256F    83C4 10         ADD ESP,0x10
00402572    E8 E9220000     CALL aa_.00404860                        ; another one pops up
00402577    6A 00           PUSH 0x0
00402579    68 01000000     PUSH 0x1
0040257E    6A FF           PUSH -0x1
00402580    6A 0F           PUSH 0xF
00402582    68 48020116     PUSH 0x16010248
00402587    68 37020152     PUSH 0x52010237
0040258C    E8 AF420000     CALL aa_.00406840
00402591    83C4 18         ADD ESP,0x18
00402594    6A 00           PUSH 0x0
00402596    68 01000000     PUSH 0x1
0040259B    6A FF           PUSH -0x1
0040259D    6A 0F           PUSH 0xF
0040259F    68 47020116     PUSH 0x16010247
004025A4    68 37020152     PUSH 0x52010237
004025A9    E8 92420000     CALL aa_.00406840                        ; show both eyes
004025AE    83C4 18         ADD ESP,0x18
004025B1    68 01030080     PUSH 0x80000301
004025B6    6A 00           PUSH 0x0
004025B8    68 2C010000     PUSH 0x12C
004025BD    68 01000000     PUSH 0x1
004025C2    B8 03000000     MOV EAX,0x3
004025C7    BB 90906600     MOV EBX,aa_.00669090
004025CC    E8 7B420000     CALL aa_.0040684C                        ; clear the error dialog shown on the desktop
004025D1    83C4 10         ADD ESP,0x10
004025D4    E8 30EEFFFF     CALL aa_.00401409
004025D9    6A 00           PUSH 0x0
004025DB    68 00000000     PUSH 0x0
004025E0    6A FF           PUSH -0x1
004025E2    6A 0F           PUSH 0xF
004025E4    68 48020116     PUSH 0x16010248
004025E9    68 37020152     PUSH 0x52010237
004025EE    E8 4D420000     CALL aa_.00406840                        ; left eye disappears
004025F3    83C4 18         ADD ESP,0x18
004025F6    6A 00           PUSH 0x0
004025F8    68 00000000     PUSH 0x0
004025FD    6A FF           PUSH -0x1
004025FF    6A 0F           PUSH 0xF
00402601    68 47020116     PUSH 0x16010247
00402606    68 37020152     PUSH 0x52010237
0040260B    E8 30420000     CALL aa_.00406840                        ; right eye disappears
00402610    83C4 18         ADD ESP,0x18
00402613    68 01030080     PUSH 0x80000301
00402618    6A 00           PUSH 0x0
0040261A    68 2C010000     PUSH 0x12C
0040261F    68 01000000     PUSH 0x1
00402624    B8 03000000     MOV EAX,0x3
00402629    BB 90906600     MOV EBX,aa_.00669090
0040262E    E8 19420000     CALL aa_.0040684C                        ; pop up the hidden error dialog
00402633    83C4 10         ADD ESP,0x10
00402636    E8 25220000     CALL aa_.00404860                        ; show it
0040263B    6A 00           PUSH 0x0
0040263D    68 01000000     PUSH 0x1
00402642    6A FF           PUSH -0x1
00402644    6A 0F           PUSH 0xF
00402646    68 48020116     PUSH 0x16010248
0040264B    68 37020152     PUSH 0x52010237
00402650    E8 EB410000     CALL aa_.00406840                        ; left eye appears again
00402655    83C4 18         ADD ESP,0x18
00402658    6A 00           PUSH 0x0
0040265A    68 01000000     PUSH 0x1
0040265F    6A FF           PUSH -0x1
00402661    6A 0F           PUSH 0xF
00402663    68 47020116     PUSH 0x16010247
00402668    68 37020152     PUSH 0x52010237
0040266D    E8 CE410000     CALL aa_.00406840                        ; right eye appears
00402672    83C4 18         ADD ESP,0x18
00402675    68 01030080     PUSH 0x80000301
0040267A    6A 00           PUSH 0x0
0040267C    68 2C010000     PUSH 0x12C
00402681    68 01000000     PUSH 0x1
00402686    B8 03000000     MOV EAX,0x3
0040268B    BB 90906600     MOV EBX,aa_.00669090
00402690    E8 B7410000     CALL aa_.0040684C                        ; clear desktop dialog 2
00402695    83C4 10         ADD ESP,0x10
00402698    E8 6CEDFFFF     CALL aa_.00401409
0040269D    6A 00           PUSH 0x0
0040269F    68 00000000     PUSH 0x0
004026A4    6A FF           PUSH -0x1
004026A6    6A 0F           PUSH 0xF
004026A8    68 48020116     PUSH 0x16010248
004026AD    68 37020152     PUSH 0x52010237
004026B2    E8 89410000     CALL aa_.00406840                        ; disappears (z)
004026B7    83C4 18         ADD ESP,0x18
004026BA    6A 00           PUSH 0x0
004026BC    68 00000000     PUSH 0x0
004026C1    6A FF           PUSH -0x1
004026C3    6A 0F           PUSH 0xF
004026C5    68 47020116     PUSH 0x16010247
004026CA    68 37020152     PUSH 0x52010237
004026CF    E8 6C410000     CALL aa_.00406840                        ; disappears (y)
004026D4    83C4 18         ADD ESP,0x18
004026D7    68 01030080     PUSH 0x80000301
004026DC    6A 00           PUSH 0x0
004026DE    68 2C010000     PUSH 0x12C
004026E3    68 01000000     PUSH 0x1
004026E8    B8 03000000     MOV EAX,0x3
004026ED    BB 90906600     MOV EBX,aa_.00669090
004026F2    E8 55410000     CALL aa_.0040684C                        ; error 3
004026F7    83C4 10         ADD ESP,0x10
004026FA    E8 61210000     CALL aa_.00404860
004026FF    6A 00           PUSH 0x0
00402701    68 01000000     PUSH 0x1
00402706    6A FF           PUSH -0x1
00402708    6A 0F           PUSH 0xF
0040270A    68 48020116     PUSH 0x16010248
0040270F    68 37020152     PUSH 0x52010237
00402714    E8 27410000     CALL aa_.00406840
00402719    83C4 18         ADD ESP,0x18
0040271C    6A 00           PUSH 0x0
0040271E    68 01000000     PUSH 0x1
00402723    6A FF           PUSH -0x1
00402725    6A 0F           PUSH 0xF
00402727    68 47020116     PUSH 0x16010247
0040272C    68 37020152     PUSH 0x52010237
00402731    E8 0A410000     CALL aa_.00406840
00402736    83C4 18         ADD ESP,0x18
00402739    68 01030080     PUSH 0x80000301
0040273E    6A 00           PUSH 0x0
00402740    68 2C010000     PUSH 0x12C
00402745    68 01000000     PUSH 0x1
0040274A    B8 03000000     MOV EAX,0x3
0040274F    BB 90906600     MOV EBX,aa_.00669090
00402754    E8 F3400000     CALL aa_.0040684C
00402759    83C4 10         ADD ESP,0x10
0040275C    68 00000000     PUSH 0x0
00402761    BB 406C4000     MOV EBX,aa_.00406C40                     ; j
00402766    E8 CF400000     CALL aa_.0040683A
0040276B    83C4 04         ADD ESP,0x4
0040276E    8945 F4         MOV DWORD PTR SS:[EBP-0xC],EAX
00402771    DB45 F4         FILD DWORD PTR SS:[EBP-0xC]
00402774    DD5D F4         FSTP QWORD PTR SS:[EBP-0xC]
00402777    DD45 F4         FLD QWORD PTR SS:[EBP-0xC]
0040277A    DC25 546E8300   FSUB QWORD PTR DS:[0x836E54]
00402780    DD5D EC         FSTP QWORD PTR SS:[EBP-0x14]
00402783    68 00000000     PUSH 0x0
00402788    BB 506C4000     MOV EBX,aa_.00406C50
0040278D    E8 A8400000     CALL aa_.0040683A
00402792    83C4 04         ADD ESP,0x4
00402795    8945 E0         MOV DWORD PTR SS:[EBP-0x20],EAX
00402798    DB45 E0         FILD DWORD PTR SS:[EBP-0x20]
0040279B    DD5D E0         FSTP QWORD PTR SS:[EBP-0x20]
0040279E    DD45 E0         FLD QWORD PTR SS:[EBP-0x20]
004027A1    DC25 5C6E8300   FSUB QWORD PTR DS:[0x836E5C]
004027A7    DD5D D8         FSTP QWORD PTR SS:[EBP-0x28]
004027AA    68 02000080     PUSH 0x80000002
004027AF    6A 00           PUSH 0x0
004027B1    68 01000000     PUSH 0x1
004027B6    68 01030080     PUSH 0x80000301
004027BB    6A 00           PUSH 0x0
004027BD    68 FFFFFFFF     PUSH -0x1
004027C2    68 04000080     PUSH 0x80000004
004027C7    6A 00           PUSH 0x0
004027C9    68 646E8300     PUSH aa_.00836E64                        ; "你中毒啦!" ("You've been infected!")
004027CE    DD45 D8         FLD QWORD PTR SS:[EBP-0x28]
004027D1    E8 A9F0FFFF     CALL aa_.0040187F

 

************************************************************

00402B8F    E8 B83C0000     CALL aa_.0040684C                        ; eye animation

00402B37    83C4 18         ADD ESP,0x18
00402B3A    6A 00           PUSH 0x0
00402B3C    68 01000000     PUSH 0x1
00402B41    6A FF           PUSH -0x1
00402B43    6A 0F           PUSH 0xF
00402B45    68 47020116     PUSH 0x16010247
00402B4A    68 37020152     PUSH 0x52010237
00402B4F    E8 EC3C0000     CALL aa_.00406840
00402B54    83C4 18         ADD ESP,0x18
00402B57    6A 00           PUSH 0x0
00402B59    68 C8000000     PUSH 0xC8
00402B5E    6A FF           PUSH -0x1
00402B60    6A 08           PUSH 0x8
00402B62    68 66020116     PUSH 0x16010266
00402B67    68 37020152     PUSH 0x52010237
00402B6C    E8 CF3C0000     CALL aa_.00406840
00402B71    83C4 18         ADD ESP,0x18
00402B74    68 01030080     PUSH 0x80000301
00402B79    6A 00           PUSH 0x0
00402B7B    68 B80B0000     PUSH 0xBB8
00402B80    68 01000000     PUSH 0x1
00402B85    B8 03000000     MOV EAX,0x3
00402B8A    BB 90906600     MOV EBX,aa_.00669090
00402B8F    E8 B83C0000     CALL aa_.0040684C                        ; eye animation
00402B94    83C4 10         ADD ESP,0x10
00402B97    6A 00           PUSH 0x0
00402B99    68 00000000     PUSH 0x0
00402B9E    6A FF           PUSH -0x1
00402BA0    6A 08           PUSH 0x8
00402BA2    68 66020116     PUSH 0x16010266
00402BA7    68 37020152     PUSH 0x52010237
00402BAC    E8 8F3C0000     CALL aa_.00406840
00402BB1    83C4 18         ADD ESP,0x18
00402BB4    6A 00           PUSH 0x0
00402BB6    68 C8000000     PUSH 0xC8
00402BBB    6A FF           PUSH -0x1
00402BBD    6A 08           PUSH 0x8
00402BBF    68 67020116     PUSH 0x16010267
00402BC4    68 37020152     PUSH 0x52010237
00402BC9    E8 723C0000     CALL aa_.00406840
00402BCE    83C4 18         ADD ESP,0x18
00402BD1    68 01030080     PUSH 0x80000301
00402BD6    6A 00           PUSH 0x0
00402BD8    68 B80B0000     PUSH 0xBB8
00402BDD    68 01000000     PUSH 0x1
00402BE2    B8 03000000     MOV EAX,0x3
00402BE7    BB 90906600     MOV EBX,aa_.00669090
00402BEC    E8 5B3C0000     CALL aa_.0040684C                        ; back to the correct position
00402BF1    83C4 10         ADD ESP,0x10
00402BF4    6A 00           PUSH 0x0
00402BF6    68 00000000     PUSH 0x0
00402BFB    6A FF           PUSH -0x1
00402BFD    6A 08           PUSH 0x8
00402BFF    68 67020116     PUSH 0x16010267
00402C04    68 37020152     PUSH 0x52010237
00402C09    E8 323C0000     CALL aa_.00406840
00402C0E    83C4 18         ADD ESP,0x18
00402C11    6A 00           PUSH 0x0
00402C13    68 C8000000     PUSH 0xC8
00402C18    6A FF           PUSH -0x1
00402C1A    6A 08           PUSH 0x8
00402C1C    68 8C020116     PUSH 0x1601028C
00402C21    68 37020152     PUSH 0x52010237
00402C26    E8 153C0000     CALL aa_.00406840
00402C2B    83C4 18         ADD ESP,0x18
00402C2E    68 01030080     PUSH 0x80000301
00402C33    6A 00           PUSH 0x0
00402C35    68 B80B0000     PUSH 0xBB8
00402C3A    68 01000000     PUSH 0x1
00402C3F    B8 03000000     MOV EAX,0x3
00402C44    BB 90906600     MOV EBX,aa_.00669090
00402C49    E8 FE3B0000     CALL aa_.0040684C                        ; turn right
00402C4E    83C4 10         ADD ESP,0x10
00402C51    6A 00           PUSH 0x0
00402C53    68 00000000     PUSH 0x0
00402C58    6A FF           PUSH -0x1
00402C5A    6A 08           PUSH 0x8
00402C5C    68 8C020116     PUSH 0x1601028C
00402C61    68 37020152     PUSH 0x52010237
00402C66    E8 D53B0000     CALL aa_.00406840
00402C6B    83C4 18         ADD ESP,0x18
00402C6E    6A 00           PUSH 0x0
00402C70    68 C8000000     PUSH 0xC8
00402C75    6A FF           PUSH -0x1
00402C77    6A 08           PUSH 0x8
00402C79    68 8D020116     PUSH 0x1601028D
00402C7E    68 37020152     PUSH 0x52010237
00402C83    E8 B83B0000     CALL aa_.00406840
00402C88    83C4 18         ADD ESP,0x18
00402C8B    68 01030080     PUSH 0x80000301
00402C90    6A 00           PUSH 0x0
00402C92    68 B80B0000     PUSH 0xBB8
00402C97    68 01000000     PUSH 0x1
00402C9C    B8 03000000     MOV EAX,0x3
00402CA1    BB 90906600     MOV EBX,aa_.00669090
00402CA6    E8 A13B0000     CALL aa_.0040684C                        ; back to the original position
00402CAB    83C4 10         ADD ESP,0x10
00402CAE    6A 00           PUSH 0x0
00402CB0    68 00000000     PUSH 0x0
00402CB5    6A FF           PUSH -0x1
00402CB7    6A 08           PUSH 0x8
00402CB9    68 8D020116     PUSH 0x1601028D
00402CBE    68 37020152     PUSH 0x52010237
00402CC3    E8 783B0000     CALL aa_.00406840
00402CC8    83C4 18         ADD ESP,0x18
00402CCB    68 02000080     PUSH 0x80000002
00402CD0    6A 00           PUSH 0x0
00402CD2    68 00000000     PUSH 0x0
00402CD7    6A 00           PUSH 0x0
00402CD9    6A 00           PUSH 0x0
00402CDB    6A 00           PUSH 0x0
00402CDD    68 01000100     PUSH 0x10001
00402CE2    68 94020106     PUSH 0x6010294
00402CE7    68 95020152     PUSH 0x52010295
00402CEC    68 03000000     PUSH 0x3
00402CF1    BB B0694000     MOV EBX,aa_.004069B0
00402CF6    E8 3F3B0000     CALL aa_.0040683A
00402CFB    83C4 28         ADD ESP,0x28
00402CFE    68 01030080     PUSH 0x80000301
00402D03    6A 00           PUSH 0x0
00402D05    68 08070000     PUSH 0x708
00402D0A    68 01000000     PUSH 0x1
00402D0F    B8 03000000     MOV EAX,0x3
00402D14    BB 90906600     MOV EBX,aa_.00669090
00402D19    E8 2E3B0000     CALL aa_.0040684C

 

00402CF6    E8 3F3B0000     CALL aa_.0040683A                        ; once the drawing is done a dot appears; afterwards the author's QQ pops up

00402D47    BB B0694000     MOV EBX,aa_.004069B0
00402D4C    E8 E93A0000     CALL aa_.0040683A
00402D51    83C4 28         ADD ESP,0x28

The second box

The key point where it appears:

0062D332    C2 1400         RETN 0x14
0062D335    55              PUSH EBP            // the left-right swaying head movement has finished executing

 

 

 

 

As can be seen, it draws the face from coordinates plus calls to the system DC (device context) functions, and then shows the pop-up boxes in a regular pattern. This is the last step before shutdown.

Finally it runs the cmd command to shut the machine down.

3. Solution

3.1 Extract the virus signature and use antivirus software to detect and remove it

Signature-based detection, for example on the following byte patterns:

C4 E3 D6 D0 B6 BE C0 B2 A3 A1 00 00 00 00 00 00 00 49 40 D6 D0 B6 BE BA C3 CD E6 C2 F0 A3

5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 00 2E 68 74 6D 00 00 00 00 6F 70 65 6E

00 00 00 00 6D 61 69 6C 74 6F 3A 00 5F 45 4C 5F 54 69 6D 65 72
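As an added example (not code from the original post or from the virus), the following Python triage helper covers the checks from sections 1.1 and 3.1 above: it hashes a sample, applies a UPX-packing heuristic (the UPX0/UPX1 section-name check is an assumption about stock UPX), and scans for the byte signatures listed in 3.1; the SAMPLE buffer is constructed for the demo.

```python
# Added triage helper (not the original post's code): hashes, a UPX-packing
# heuristic and a scan for the byte signatures of section 3.1 above.
import hashlib
import re
import zlib

# Byte signatures taken from section 3.1 (GBK / ASCII strings inside the binary).
SIGNATURES = {
    "lock_message": bytes.fromhex("C4E3D6D0B6BEC0B2A3A1"),  # GBK "你中毒啦！"
    "shell_open_command": bytes.fromhex(
        "5C7368656C6C5C6F70656E5C636F6D6D616E6400"),       # "\shell\open\command\0"
    "el_timer": bytes.fromhex("5F454C5F54696D6572"),       # "_EL_Timer"
}

def hashes(data: bytes) -> dict:
    """MD5 / SHA1 / CRC32 in the upper-case form used in section 1.1."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
    }

def looks_upx_packed(data: bytes) -> bool:
    """Heuristic (assumption): stock UPX names the PE sections UPX0 / UPX1."""
    return b"UPX0" in data and b"UPX1" in data

def scan_signatures(data: bytes) -> dict:
    """Return {signature name: [offsets]} for every pattern found in data."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(re.escape(pattern), data)]
        if offsets:
            hits[name] = offsets
    return hits

def decode_gbk(signature: bytes) -> str:
    """Render a signature as text so an analyst can see what it matched."""
    return signature.decode("gbk", errors="replace")

# Constructed sample: fake MZ header, UPX section names and two of the signatures.
SAMPLE = (b"MZ" + b"\x00" * 14 + b"UPX0" + b"\x00" * 8 + b"UPX1" + b"\x00" * 16
          + SIGNATURES["lock_message"] + b"\x00" * 7 + SIGNATURES["el_timer"] + b"\x00" * 4)

if __name__ == "__main__":
    print(hashes(SAMPLE), "upx:", looks_upx_packed(SAMPLE))
    for name, offsets in scan_signatures(SAMPLE).items():
        print(f"{name} at {offsets}: {decode_gbk(SIGNATURES[name])!r}")
```

To triage a real file, pass open(path, "rb").read() instead of SAMPLE; note that the "\shell\open\command" string also occurs in benign software, so treat that hit as corroborating rather than decisive.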
Finally: this isn't well written, please bear with me.