Equation Group的組件DoubleFantasy模塊分析(上)數據收集

在分析的過程中可以發現,這個組件和前面分析的一個組件在大的框架下表現是一樣的:它們都有一個貫穿整個過程的解密函數,同時使用資源來裝載‘材料’–數據和程序。
尋找資源的代碼

FindResourceA(hModule,lpName,lpType);
//其中lpName的取值可以爲:1,2,4;lpName取1或2時,找到相應的數據;取4時釋放一個dll文件。 
//lpType="BINRES",--binary resource 二進制資源

接下來是解密函數,感覺這個重要的函數怪怪的。

;-----------------------------------------------------------------------
; Decryption — in-place single-byte XOR over a NUL-terminated buffer.
; C-equivalent as reconstructed from the listing (names are ours):
;   void Decryption(char *buf, unsigned char key)
; ABI:   32-bit x86, ebp-based frame, arguments on the stack;
;        `retn` with no operand => the caller removes the arguments
; In:    [ebp+arg_0] = buf  (NUL-terminated data, decrypted in place)
;        [ebp+arg_4] = key  (XOR seed; two values observed in this
;                            sample: 0x3c for most resources, 0x7f)
; Out:   buf is rewritten in place; on exit eax holds the last computed
;        length (a by-product of the scan, not an obvious return value)
; Clobb: eax, ecx, edx, flags; esi/edi are saved and restored
; Note:  the length is recomputed with a strlen-style scan after every
;        XORed byte (loc_404221), i.e. the bound is taken from the buffer
;        while it is being rewritten. If a decrypted byte becomes 0 the
;        scan stops there and any following bytes are left untouched.
;-----------------------------------------------------------------------
Decryption proc near
arg_0   =dword ptr 8 ;buf: the data to decrypt (NUL-terminated)
arg_4   =byte ptr  0xh ;key: XOR seed, two values observed: 0x3c (most), 0x7f. Offset is as printed; for the second argument of an ebp frame it is likely 0Ch
     push ebp
     mov  ebp,esp
     push ecx                ;reserves a 4-byte local slot (never popped; released by leave)
     push esi 
     push edi  
     mov  edi,[ebp+arg_0]    ;edi = buf, base for the indexed XOR below
     mov  eax,edi 
     xor  ecx,ecx  ;ecx = 0, byte index i
     lea  esi,[eax+1]  ;esi = buf+1 so that (eax - esi) == strlen(buf) after the scan
loc_40420a:  
     mov  dl,[eax]  
     inc  eax  
     test dl,dl 
     jnz short loc_40420a  ;scan forward until the NUL terminator
     sub  eax,esi    ;eax = strlen(buf)
     jz   short loc_40422e ;empty buffer: nothing to decrypt, skip the loop
loc_404215:    
     mov  al,[ebp+arg_4]  ;al = key
     xor  [ecx+edi],al  ;buf[i] ^= key
     mov  eax,edi  
     inc  ecx  ;i++
     lea  esi,[eax+1]  ;rescan from buf: the length is recomputed on the partly decrypted data
loc_404221:  
     mov  dl,[eax]  
     inc  eax  
     test dl,dl  
     jnz  short loc_404221 ;find the current NUL terminator
     sub  eax,esi ;eax = strlen(buf) after this iteration's XOR
     cmp  ecx,eax  ;i < len ?
     jb   short loc_404215  ;unsigned compare; keep decrypting while i < len
loc_40422e:  
     pop  edi  
     pop  esi   
     leave 
     retn 
 Decryption endp   

解密後的一些數據

(1){77032DAA-B7F2-101B-A1F0-01C29183BCA1}
(2)008.002.001.004
(3)ee.dll
(4)HKLM\Software\Agnitum\Outpost Firewall\;
(5)HKLM\Software\PWI, Inc.\;
(6)HKLM\Software\Network Ice\BlackInce\;
(7)HKLM\Software\Data Fellows\F-Secure\;
(8)HKLM\Software\S.NSafe&Software\;
(9)HKLM\Software\PCTools\ThreadFire\;
(10)HKLM\Software\ProSecurity\;
(11)HKLM\Software\Diamond Computer System\;
(12)HKLM\Software\GentleSecurity\GeSWall\;
(13)HKLM\Software\Avira\;
(14)HKLM\Software\360Safe\;(360Safe的認可度還是蠻高的:)
(15)HKLM\Software\BitDefender\BitDefender Total Security 2010\;
(16)HKLM\Software\BitDefender\BitDefender Total Security 2009\;
BFE_Notify_Event_{1C44EB9C-6C6E-4f31-9216-6C61424AF2C3}
ee.dll
actxprxy.dll
Software\Microsoft\Windows\CurrentVersion\Internet Settings
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
ProxyServer
MiscStatus
{%08X-%04X-%04X-%08X%04X}
SOFTWARE
{77032DAA-B7F2-101B-A1F01C29183BCA1}
ee.dll
CLSID\{B8DA6310-E19B-11D0-933C-00A0C90DCAA9}\InProcServer32
actxprxy32.dll
actxprxyserv.dll
CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
avp.exe
svchost.exe
C:\WINDOWS\SYSTEM\Shell32.dll
%SystemRoot%\\system32\\shell32.dll
System\CurrentControlSet\Control\SessionManager\KnownDLLs
LINKINFODLL
SOFTWARE\Classes\CLSID\{FAEDCF53-31FE-11D1-AAD2-00805FC1270E}\InProcServer32
netshell.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
midimapper
midimap.dll
SYSTEM\CurrentControlSet\Set\Services\Tcpip\Pameters\Winsock
HelperDllNName
wshtcpip.dll
SYSTEM\CurrentControlSet\Control\SecurityProviders
Securityuroviders
credssp.dll
%SystemRoot%\system32\
{28987EBA-B226-49bd-9862-3645348E0027}
SOFTWAREMicrosoftWindows1
SYSTEM\CurrentControlSet\Set\Services\VxD\VREGSTR
SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Common
 (on reboot)
msscd16
.sys
System
m5;'
NUL=
\wininit.ini
[rename]
wininet.dll
InternetConnectA
InternetOpenA
HttpOpenRequestA
HttpSendequestA
HttpQueryInfoA
InternetReadFile
InternetCloseHandle
InternetGetConnectedState
InternetSetOptionA
InternetQueryOptionA
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; S1)
Mozilla/4.0 (compatible; MSIE 
SOFTWARE\Microsoft\Internet Explorer\Version Vector
IE
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Usesr Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post 
Platform
Win32
Windows 98
Windows NT 5.0
Windows NT 5.1
Windows NT 5.2
Windows NT 6.0
Windows NT 6.1
EIag: 0d1975bf%x9c:eac
POST
GET
Default.aspx?
index.jsp?
index.asp?
Default.jsp?
index.aspx?
TypeLib
Version
{%8c-%4c-%4c-%4c-%12c}
%16I64x%16I64x
{%08X-%04X-%04X-%04X-%08X%04X}
%d.%d.%d.%d
dll_u
Direct connect
Unable to determine connection type
000:%s 0001:
iphlpapi.dll
GetAdaptersInfo
0.0.0.0
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
SOFTWARE\Microsoft\Windows\CurrentVersion\
RegisteredOwner
RegisteredOrganization
CSDVersion CurrentBuildNumber
VersionNumber
CurrentVersion
uroductID
32-bit OS Archtecture
64-bit OS Archtecture
SYSTEM\\CurrentControlSet\\Control\\ProductOptions
ProductType
WINNT
LANMANNT
SERVRNT
DigitalProductId
msregstr
EnumProcessModules
GetModuleBaseNameA
unknown
kernel32
CreateToolhelp32Snapshot
Process32First
Process32Next
psapi
EnumProcesses
Software\Microsoft\Windows\CurrentVersion\RunOnce