Equation Group module lsasrv32.dll: data recovery (with some supplementary behaviour analysis)

This sample follows the same style as the earlier ones: its data has to be decrypted before use. Here the data to be processed is stored as one contiguous block, and it is decrypted in a single pass when it is needed.

/* One step of the keystream generator. a, b, c are the registers the sample
   keeps between calls: (8*a)|(a>>13) is a rotate-left-by-3 of a 16-bit a;
   the three bits rotated out land in c, the rest is mixed into b. */
void compute_seed(int *a, int *b, int *c)
{
    int temp = 0, v = 0;
    v = temp = (8 * (*a)) | ((*a) >> 13);
    *a ^= *b;
    *b = (*c) ^ (temp & 0xfff8);
    *c = v & 7;
}

/* In-place decryption: each byte is XORed with the current a shifted right by
   num_to_shift, where num_to_shift is the low 3 bits of the previous
   ciphertext byte (3 for the first byte). */
void decode(char *string, int length)
{
    int num_to_shift = 3, a = 0x9ea6, b = 0x4f53, c = 0x7, temp = 0, i = 0; /* arguments of the first compute_seed() call are hard-coded in the sample */
    while (length)
    {
        compute_seed(&a, &b, &c); /* a, b, c are carried across iterations */
        temp = (string[i]) & 7;   /* shift amount for the next byte, read before this byte is decrypted */
        string[i] = (a >> num_to_shift) ^ (string[i]);
        num_to_shift = temp;
        length--;
        i++;
    }
}
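As an added example (not code from the original post and not the sample's own code), the routine above ported to explicit 16-bit arithmetic, with the matching encoder and a walker for the NUL-separated string table, run over a constructed blob built from three strings of the recovered data. It shows two things the listing alone does not: the shift amount for byte i comes from the ciphertext of byte i-1, so an encoder has to take it from its own output rather than its input; and the first keystream byte is fixed by the hard-coded constants (0x3e, computed here from 0x9ea6, 0x4f53, 7), so the first byte of any blob protected this way is plaintext XOR 0x3e, a quick check for whether a blob uses these constants. All eqg_* names and the sample table are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register values the sample passes to its first compute_seed() call. */
#define EQG_A0 0x9ea6
#define EQG_B0 0x4f53
#define EQG_C0 0x0007
#define EQG_SHIFT0 3

/* Keystream state in 16-bit quantities. This makes explicit what the int
   version computes: a stays within 16 bits because it is only ever XORed
   with b, and b is masked to 16 bits on every step. */
typedef struct { uint16_t a, b, c; } eqg_state;

static void eqg_step(eqg_state *s)
{
    /* (8*a) | (a>>13): rotate-left-by-3 of 16-bit a, spread over 19 bits;
       bits 3..18 feed b, the three rotated-out bits (0..2) feed c. */
    uint32_t t = ((uint32_t)s->a << 3) | (s->a >> 13);
    s->a ^= s->b;
    s->b = s->c ^ (uint16_t)(t & 0xfff8);
    s->c = (uint16_t)(t & 7);
}

/* Per-byte transform shared by both directions. The shift for byte i is the
   low 3 bits of CIPHERTEXT byte i-1: the decoder reads it from its input
   before overwriting, the encoder reads it from the byte it just produced. */
static void eqg_crypt(uint8_t *buf, size_t len, int encrypt)
{
    eqg_state s = { EQG_A0, EQG_B0, EQG_C0 };
    int shift = EQG_SHIFT0;
    for (size_t i = 0; i < len; i++) {
        eqg_step(&s);
        uint8_t in = buf[i];
        uint8_t out = in ^ (uint8_t)(s.a >> shift);
        buf[i] = out;
        shift = (encrypt ? out : in) & 7;
    }
}

void eqg_decode(uint8_t *buf, size_t len) { eqg_crypt(buf, len, 0); }
void eqg_encode(uint8_t *buf, size_t len) { eqg_crypt(buf, len, 1); }

/* Keystream byte applied to the first plaintext byte; depends only on the
   constants, so ciphertext[0] ^ this value is always plaintext[0]. */
uint8_t eqg_first_key_byte(void)
{
    eqg_state s = { EQG_A0, EQG_B0, EQG_C0 };
    eqg_step(&s);
    return (uint8_t)(s.a >> EQG_SHIFT0);
}

/* Walk a decrypted blob of NUL-terminated strings; print each one to out
   (if out is not NULL) and return how many non-empty strings were found. */
size_t eqg_walk_table(const uint8_t *blob, size_t len, FILE *out)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i < len; i++) {
        if (blob[i] != 0) continue;
        if (i > start) {
            if (out) fprintf(out, "  %s\n", (const char *)blob + start);
            count++;
        }
        start = i + 1;
    }
    return count;
}

/* Constructed sample table: three strings taken from the recovered data. */
static const char eqg_demo_table[] = "ProductID\0advapi32.dll\0LsaOpenPolicy\0";

/* Encode the table, confirm it changed, decode it with the port of the
   sample's routine and confirm the original bytes come back. Returns 1 on success. */
int eqg_roundtrip_demo(void)
{
    uint8_t buf[sizeof eqg_demo_table];
    memcpy(buf, eqg_demo_table, sizeof buf);
    size_t n = sizeof buf - 1;               /* leave out the literal's own NUL */
    eqg_encode(buf, n);
    int changed = memcmp(buf, eqg_demo_table, n) != 0;
    eqg_decode(buf, n);
    return changed && memcmp(buf, eqg_demo_table, sizeof buf) == 0;
}

int main(void)
{
    uint8_t buf[sizeof eqg_demo_table];
    memcpy(buf, eqg_demo_table, sizeof buf);
    size_t n = sizeof buf - 1;
    eqg_encode(buf, n);
    printf("first keystream byte: 0x%02x (ciphertext[0]=0x%02x, plaintext[0]=0x%02x)\n",
           eqg_first_key_byte(), buf[0], buf[0] ^ eqg_first_key_byte());
    eqg_decode(buf, n);
    printf("%zu strings recovered:\n", eqg_walk_table(buf, n, NULL));
    eqg_walk_table(buf, n, stdout);
    return eqg_roundtrip_demo() ? 0 : 1;
}
```

Because the keystream is a plain XOR whose only data dependence is the 3-bit shift taken from the previous ciphertext byte, the decoder is a few lines; the useful part for triage is the fixed first key byte and the fact that the decrypted output is a NUL-separated table, which is why the recovered strings below run together wherever a separator was lost.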


Below is the recovered data:

FTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
ProductID
SYSTEM\CurrentControlSet\Services\Tcpip\LinkageBind
SYSTEM\CurrentControlSet\Services\
\Parameters\TCPIP
IPAddress DHCPIPAddress 0.0.0.0
\\.\DISKFVSDDomainorWorkgroupServerShare
advapi32.dll    LsaOpenPolicy LsaClose LsaFreeMemory LsaQueryInformationPolicy
Kernel32.dll  GetDiskFreeSpaceExA
\DosDevices\
NTFS
\Registry\Machine\System\CurrentControlSet\Services\FdiskSystem\CurrentControlSet\Services\FdiskSystem\CurrentControlSet\Services\Fdisk\Enum\SystemRoot\System32\drivers\fdisk.sysNtLoadDriver
\\.\fdisk0
ImagePath Type Start Error Control NTDLL.DLL ADVAPI32.DLL
OpenProcessToken  LookupPrivilegeValueA AdjustTokenPrivileges SeLoadDriverPrivilege
Enum\Network\MSTCP
Enum\Network\NETBEUI
Enum\Network\NWLINK
Enum\Network\NWNBLINK
System\CurrentControlSet\Services\Tcpip
System\CurrentControlSet\Services\NwLnkIpx
System\CurrentControlSet\Services\Nbf
System\CurrentControlSet\Services\NwLnkNb_browse_
SYSTEM\CurrentControlSet\Services\nmagentSECURITY\Policy\PolPrDmN
SYSTEM\CurrentControlSet\Services\VXD\VNETSUPWorkgroup
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage Bind  NdisWan RasMan RAS  API32.DLL RasEnumConnectionsA RasGetEntryDialParamsA RasEnumEntriesA
RasGetConnectStatusA RasGetProjectionInfoA RasConnectionNotificationA RasGetConnectionStatistics
RASMAN.DLL RasPortEnum RasPortGetStatistics RasInitialize RasGetInfo
WININET.DLL InternetOpenA InternetSetOptionA InternetCloseHandle
System\CurrentControlSet\Services\Class\NetTrans DriverDesc TCP/IP IPAddress
System\CurrentControlSet\Services\VxD\DHCP\DhcpInfo00
Dhcpinfo DhcpIPAddress LeaseObtainedTime
Software\Microsoft\RAS
AutoDial\Control
LoginSessionDisable
Software\Microsoft\Windows\CurrentVersion\Internet Settings
EnableAutodial NoNetAutodial PendingResourceMatrix2
SYSTEM\CurrentControlSet\Control\Session Manager\ResourceSubSys
netapi32 NetApiBufferFree NetShareEnum svrapi PendingResourceMatrix3 winsta0 default winlogon
SYSTEM\CurrentControlSet\Control\Windows
LSASS.102 LSASS.001 LSASS.101 LSASS.EXE LSASRV32.DLLL SASRV32 WININST0.400 MPREXE.001 MPREXE.002 MPREXE.EXE DISKFVSD.VXD MPRCOMM.DLL Default.sfc
Software\Microsoft\Windows\CurrentVersion\Applets\System File CheckerFile0\VarFileInfo\Translation\StringFileInfo\\FileVersionIOSUBSYS MMFShMem5 MMFMtx5 MMFEvt6 MMFEvt7 .text. rsrc
SYSTEM\CurrentControlSet\Control\Session Manager PendingFileRenameOperations ProgramFilesDir imagehlp MapAndLoad UnMapAndLoad ImageDirectoryEntryToData BindImageEx support.microsoft.com microsoft.com  yahoo.com 81.31.36.242 support.microsoft.com microsoft.com  yahoo.com 81.31.36.242
Software\Microsoft\Windows NT\CurrentVersion\Perflib
Counters processid  processunknown KERNEL32.DLL CreateToolhelp32Snapshot Process32First Process32Next QueryInterface WS1 PendingResourceMatrix4  vsdatant vsdata95.vxd vsdata MPR.DLL WNetAddConnection2A WNetCancelConnection2A WNetCloseEnum WNetEnumResourceA WNetOpenEnumA
\\.\mailslot\__MS_1509_  SetSecurityInfo
Software\Microsoft\Windows\CurrentVersion\InternetSettings         ProxyServer http=  ProxyEnable AutoConfigURL        Software\Netscape\Netscape Navigator\Proxy  Information HTTP_Proxy Http_ProxyPort Auto Config UrlProxy Typeuser_pref(%[^, ]%*[, ]%[^); ]network.proxy.autoconfig.urlnetwork.proxy.httpnetwork.proxy.http_portnetwork.proxy.type
Software\Netscape\Netscape Navigator\main Install Directory%s\Users\%s%s\prefs.js
http\shell\open\ddeexec\Application IEXPLORE NSSHELL NETSCAPE
HTTP/HEAD http//%s/index.html HTTP/1.1
Accept image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language en-us
Accept-Encoding gzip, deflate
User-Agent Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Host%d
Proxy-Connection Keep-Alive
Microsoft.com Direct ConnectInternetGetConnectedStateUser Agent Mozilla/4.0 (compatible; MSIE 4.0; Win32)EIag//index.html HTTP/1.1
GET POST wininet.dll HTTP/1.0 HttpQueryInfoA HttpSendRequestA HttpOpenRequestA InternetCloseHandle InternetConnectAInternetOpenA InternetReadFile AllowProtectedRenames ProxyOveride ConnectionsSavedLegacySettings2 DefaultConnectionSettings .DEFAULT SeShutdownPrivilege PendingResourceMatrix

(2019-10-12 20:02)

Behaviour analysis

Keylogging

