
Vulnerability Analysis | Security Lab "Electronic Coronavirus" [DesktopLayer sample] Analysis Report (Part 2)

Function description:

Every minute, writes 16 bytes of data to "c:\program files\internet explorer\dmlconf.dat": the first 8 bytes are the system time, the next 4 bytes are the time difference between two successful connections to a specific website, and the last 4 bytes are always 0.

Retrieving system time information

(3-4-4): Thread4 (ThreadFunction: 2001790c)

Function description:

Every 10 minutes, sends the current system time information and a string containing local machine information to port 443 of "fget-career.com", and receives the data that "fget-career.com" sends back.

Resolving the address of "fget-career.com"

Establishing a connection to port 443 of "fget-career.com"

The data exchange between the local machine and the remote server

(3-4-5): Thread5 (ThreadFunction: 20016ea8)

Function description:

Infects four file types on disks of type DRIVE_FIXED: .exe, .dll, .html and .htm.

Retrieving the system directory and the Windows directory, so that files under these two directories can be skipped during the full-disk traversal

Retrieving all drive letters for the full-disk traversal

Checking whether the disk type is DRIVE_FIXED; if it is, the disk's files are traversed depth-first

Depth-first traversal of the disk's files

// Before infecting, three entries are excluded by file name: "..", "." and "rmnetwork"

// Check whether the file imports "LoadLibraryA" and "GetProcAddress" by name; if it does, obtain the corresponding IAT RVAs

// Check whether there is room for one more empty section header after the section table; if there is, add a new section and modify the program's original entry point

// Write a PE file into the target file; this PE file is dropped when the infected file runs

Figure: infection flow for .exe and .dll files

 

Behaviour of infected .exe and .dll files

While analysing the execution flow of an infected file, we found that offset 0x328h inside the newly added section stores the difference (a DWORD) between the program's current entry point and its original entry point; this value is the basis for repairing the entry point.

 

Infection process for .html and .htm files

Figure: infection flow for .html and .htm files

(3-4-6): Thread6 (ThreadFunction: 20016EC2)

Function description:

Every 10 seconds, enumerates all disks; when a disk is of removable type, it infects that disk, so that the sample can spread via removable disks.

Checking whether an "autorun.inf" file exists on the disk

If an "autorun.inf" file already exists, it is examined to verify whether the removable disk has already been infected

If the removable disk has not been infected, the following operations are performed:

Create a "RECYCLER" folder in the root directory of the removable disk and set its attribute to HIDDEN

Create an .exe file under that subfolder and write the contents of DeskToplayer.exe into it

Create an "autorun.inf" file in the root directory and write data to it

Figure: infection process for removable disks

3. Cleanup Method

1. Create a mutex with the string "KyUffThOkYwRRtgPP". If the mutex already exists, a sample is already running; in that case enumerate all processes on the system and look for processes named "Desktoplayer" and "iexplore":

For a "Desktoplayer" process: terminate it directly;

For an "iexplore" process: if address 20010000 in the process's address space is a valid address, terminate the process directly and also delete the dmlconf.dat file under the Internet Explorer directory.

2. In turn, look for a "Microsoft" directory under each of the following directories:

   1: "c:\program files\ ";

   2: "c:\program files\common files\ ";

   3: "c:\documents and settings\administrator\ ";

   4: "c:\documents and settings\administrator\application data\ ";

   5: "c:\windows\system32\ ";

   6: "c:\windows\ ";

   7: "c:\docume~1\admini~1\locals~1\temp\";

If the directory is found, delete it together with the "Desktoplayer.exe" file inside it.

3. Read the Userinit value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and check whether the last startup entry in its contents contains "desktoplayer.exe"; if it does, delete that last startup entry.

 

4. Traverse all files on all disks and perform detection and removal:

For disks of type DISK_FIXED, the system directory and the Windows directory can be skipped during traversal. For exe files, if the file's MD5 matches the MD5 of the signature file, delete it directly;

For EXE and DLL files, if the section table contains a ".rmnet" section, the file can be judged to be infected, and the user decides whether to delete or repair the file (repair method: remove the ".rmnet" section and repair the entry point). For HTML and HTM files, whether the file is infected can be determined by checking whether its last 9 bytes are "</script>"; if the file is infected, the user decides whether to delete or repair it (repair method: remove the content after "<script Language=vbscript>" in the file).

For disks of type DISK_REMOVABLE, if the root directory contains an "autorun.inf" file whose first 3 bytes are "rmn", the disk can be judged to be infected. Extract the path of the exe file from that file, then delete the "autorun.inf" file first and the exe file afterwards.
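As an added example (not code from the report or the lab), the following Python implements the two file-level infection checks described in step 4: a ".rmnet" entry in a PE section table for EXE/DLL files, and a trailing "</script>" for HTML/HTM files, together with the HTML repair. The PE builder is a constructed test fixture, and the choice to strip from the "<script Language=vbscript>" tag itself (rather than only what follows it) is an assumption made here.

```python
import struct

SECTION_HDR_LEN, COFF_HDR_LEN = 40, 20  # IMAGE_SECTION_HEADER / IMAGE_FILE_HEADER sizes
MARKER_SECTION = b".rmnet"               # section name the report gives as the infection marker
HTML_MARKER = b"<script Language=vbscript>"

def pe_section_names(data):
    """Parse the PE section table and return its section names (None if not a sane PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + COFF_HDR_LEN + opt_size
    names = []
    for i in range(num_sections):
        off = first + i * SECTION_HDR_LEN
        if off + SECTION_HDR_LEN > len(data):
            return None  # truncated section table: unparseable, so not judged infected
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names

def pe_is_infected(data):
    """EXE/DLL check from the report: the section table contains a '.rmnet' section."""
    names = pe_section_names(data)
    return names is not None and MARKER_SECTION in names

def html_is_infected(data):
    """HTML/HTM check from the report: the file's last 9 bytes are '</script>'."""
    return data[-9:] == b"</script>"

def html_repair(data):
    """Repair per the report; assumption: cut from the HTML_MARKER tag itself onwards."""
    idx = data.find(HTML_MARKER)
    return data if idx < 0 else data[:idx]

def build_test_pe(section_names):
    """Constructed minimal PE32 header layout for offline testing; not a real sample."""
    opt_size, e_lfanew = 0xE0, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    secs = b"".join(n.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
                    for i, n in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + secs
```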
