1. Sample profile
1.1 Sample information
Virus name: 1d494e530060d1b4d320cfe58eedca4f732cf8f3
MD5: 8F47BB964E517429B9C50989B2D59005
SHA1: 1D494E530060D1B4D320CFE58EEDCA4F732CF8F3
CRC32: 9BD6E1BF
1.2 Test environment and tools
1.2.1 Test environment
Windows 7 32-bit operating system
1.2.2 Test tools
Packer detection: PEiD, Exeinfo PE
Behavior monitoring: Huorong Sword (火绒剑), PCHunter
Debugging and decompilation: dnSpy
1.3 Basic analysis
1.3.1 Packer check
Checking the sample with PEiD shows that it is a C# (.NET) program, as shown in Figure 1-1.
Figure 1-1 Packer check
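Added example (not part of the original report): a Python script that reproduces two of the checks above. It computes the MD5, SHA1 and CRC32 listed in the sample profile, and it inspects the PE optional header for a CLR runtime header (data directory entry 14), which is what identifies a managed (C#) image and is the basis of PEiD's verdict. The `build_test_pe` helper only builds a constructed minimal PE32 header for offline testing; it is not the sample. One caveat: a native packer or loader that wraps a .NET payload does not expose the CLR directory until the payload is unpacked, so a "native" verdict on a packed file is not conclusive.

```python
"""Sample triage: the hashes recorded in the profile plus the check behind PEiD's
C# verdict (a non-empty CLR runtime header directory in the PE optional header).
Added example; build_test_pe produces a constructed stand-in, not the real sample."""
import hashlib
import struct
import zlib

# Hashes from the sample profile, upper-case hex as the report lists them.
PROFILE = {
    "md5": "8F47BB964E517429B9C50989B2D59005",
    "sha1": "1D494E530060D1B4D320CFE58EEDCA4F732CF8F3",
    "crc32": "9BD6E1BF",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory slot of the CLR header


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and CRC32 of the raw file bytes, formatted like the profile."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
    }


def matches_profile(data: bytes, profile: dict = PROFILE) -> bool:
    """True only when every hash in the profile matches the file."""
    h = file_hashes(data)
    return all(h[k] == v.upper() for k, v in profile.items())


def clr_header_directory(data: bytes):
    """(rva, size) of the CLR header data directory, or None when the input is not
    a PE image or the directory is absent. Handles both PE32 and PE32+ layouts."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                      # 20-byte COFF file header
    if len(data) < coff + 20:
        return None
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0] if len(data) >= opt + 2 else 0
    if magic == 0x10B:        # PE32: 96-byte fixed part before the data directories
        fixed = 96
    elif magic == 0x20B:      # PE32+: 112-byte fixed part
        fixed = 112
    else:
        return None
    entry = opt + fixed + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry + 8 > opt + size_of_optional or entry + 8 > len(data):
        return None
    num_dirs = struct.unpack_from("<I", data, opt + fixed - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return None
    return struct.unpack_from("<II", data, entry)


def is_dotnet_pe(data: bytes) -> bool:
    """A managed (.NET/C#) image has a non-zero CLR header directory."""
    d = clr_header_directory(data)
    return d is not None and d[0] != 0 and d[1] != 0


def build_test_pe(managed: bool) -> bytes:
    """Constructed minimal PE32 header (headers only, not loadable) for offline tests."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)   # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if managed:                                                      # fake CLR header rva/size
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(True)
    print(file_hashes(data), "profile match:", matches_profile(data))
    print("CLR header:", clr_header_directory(data), ".NET" if is_dotnet_pe(data) else "native")
```

Run it with the sample path as the only argument; without an argument it exercises the constructed header. The directory check is deliberately bounds-checked against both the file length and SizeOfOptionalHeader, because malformed samples routinely truncate the optional header.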
1.3.2 Encryption algorithm
After unpacking the program manually, the PEiD plug-in that scans for cryptographic constants was used to look for encryption algorithms; none were found.
Figure 1-3 Encryption algorithm
1.3.3 Cloud sandbox analysis
The sample was uploaded to the ThreatBook (Weibu) cloud sandbox, which reported the behaviors shown in Figure 1-4.
Figure 1-4 Cloud sandbox analysis
2. Specific behavior analysis
2.1 Main behavior
Load the sample into Huorong Sword and filter on behavior monitoring. The sample drops a PE file, starts it, and then injects into another process.
Figure 2-1 Virus release file
Filtering on execution monitoring shows the modules the program loads.
Figure 2-2 Execution monitoring
Filter on file monitoring.
Figure 2-3 File monitoring
Filter on network monitoring.
Figure 2-4 Network monitoring
Finally, a registry comparison tool is used to diff the registry before and after running the sample. A value is written under Software\Microsoft\Windows NT\CurrentVersion\Windows. This key is a known logon-persistence location (values such as Load under it are executed at user logon), so the write should be treated as an autostart entry; the specific value name is not shown in the comparison.
3. Malicious code analysis
3.1 Main program analysis
Start with the main program.
Open the sample in dnSpy. Figure 3-1 shows that the identifiers are garbled, which indicates the assembly is obfuscated.
Figure 3-1 Obfuscated code
Run de4dot to remove the obfuscation.
Figure 3-2 Deobfuscated code
After deobfuscation the code is readable; locate the Main function.
Figure 3-2 main function
Figure 3-3 Determine whether the file exists
It first checks whether C:\Users\VicZ\scvhosts.exe exists (C:\Users\VicZ is the user profile directory on the test machine). The file name is a lookalike of the legitimate svchost.exe, which lives in C:\Windows\System32, so a file with a similar name in a user profile is itself a strong indicator.
Figure 3-4 Copy files
If it does not exist, the program copies itself to C:\Users\VicZ\scvhosts.exe, starts the copy, and exits the current process.
Figure 3-5 Setting to hide
If it exists, the program sets the hidden attribute on C:\Users\VicZ\scvhosts.exe, so the file is not shown by Explorer with default settings.
Figure 3-6 Open the registry
Figure 3-7 Set key value
It opens the registry key Software\Microsoft\Windows NT\CurrentVersion\Windows and sets a value there (the persistence entry observed in Section 2.1).
Figure 3-8 Buffer start address
Figure 3-9 Building the command string
It then builds the command string.
Figure 3-10 Remote thread injection
It then performs remote thread injection into C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (the .NET Framework 2.0 C# compiler, a signed Microsoft binary, so the outbound traffic appears to come from a legitimate process). The injected csc.exe connects to the network and sends data packets.
The function then returns.
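As an added example that is not part of the original analysis, the script below turns the behavior chain from Sections 2 and 3 into detection rules and runs them over a few constructed Sysmon-style events: a svchost.exe lookalike dropped or started outside the system directories, a value written under the Windows NT\CurrentVersion\Windows autostart key, and a remote thread created in csc.exe by a process outside C:\Windows. The injection rule is deliberately generalized to any binary under C:\Windows\Microsoft.NET\Framework, because other signed .NET Framework binaries are abused as injection hosts in exactly the same way. The events, the SID and the `Load` value name are constructed: the report shows only the key, not the value name.

```python
"""Detection logic for the behaviour chain in sections 2 and 3, run over constructed
Sysmon-style events (dicts keyed by Sysmon field names).
Event IDs used: 1 ProcessCreate, 8 CreateRemoteThread, 11 FileCreate, 13 RegistryValueSet."""
import ntpath

# Logon-autostart registry keys; the first is the key this sample writes.
AUTOSTART_KEYS = (
    "\\software\\microsoft\\windows nt\\currentversion\\windows\\",
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)
# The only directories a genuine svchost.exe lives in.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Signed Microsoft binaries under here (csc.exe in this report) are common injection hosts.
DOTNET_FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\framework"


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps,
    so 'scvhosts.exe' is 2 edits from 'svchost.exe' (one swap, one deletion)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_svchost_lookalike(path: str) -> bool:
    """svchost.exe or a near-miss spelling of it located outside the system directories."""
    p = path.lower()
    if osa_distance(ntpath.basename(p), "svchost.exe") > 2:
        return False
    return not p.startswith(SYSTEM_DIRS)


def is_autostart_write(target_object: str) -> bool:
    """TargetObject is 'hive\\key\\valuename'; match a value directly under an autostart key."""
    return any(k in target_object.lower() for k in AUTOSTART_KEYS)


def is_suspicious_remote_thread(source_image: str, target_image: str) -> bool:
    """A process outside C:\\Windows creating a thread in a .NET Framework binary."""
    src, tgt = source_image.lower(), target_image.lower()
    return tgt.startswith(DOTNET_FRAMEWORK_DIR) and not src.startswith("c:\\windows\\")


def detect(events):
    """Return (event_index, rule_name, detail) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev["EventID"]
        if eid in (1, 11):
            path = ev["Image"] if eid == 1 else ev["TargetFilename"]
            if is_svchost_lookalike(path):
                hits.append((i, "svchost_lookalike", path))
        elif eid == 13 and is_autostart_write(ev["TargetObject"]):
            hits.append((i, "autostart_registry_write", ev["TargetObject"]))
        elif eid == 8 and is_suspicious_remote_thread(ev["SourceImage"], ev["TargetImage"]):
            hits.append((i, "remote_thread_into_dotnet_host", ev["TargetImage"]))
    return hits


# Constructed events mirroring the report's behaviour chain, plus two benign ones.
# The SID and the value name "Load" are assumptions; the report shows only the key.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Users\\VicZ\\Desktop\\sample.exe",
     "TargetFilename": "C:\\Users\\VicZ\\scvhosts.exe"},
    {"EventID": 1, "Image": "C:\\Users\\VicZ\\scvhosts.exe",
     "ParentImage": "C:\\Users\\VicZ\\Desktop\\sample.exe"},
    {"EventID": 13, "Image": "C:\\Users\\VicZ\\scvhosts.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load"},
    {"EventID": 8, "SourceImage": "C:\\Users\\VicZ\\scvhosts.exe",
     "TargetImage": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\csc.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The lookalike rule uses an edit distance rather than an exact name list so that scvhosts.exe, svch0st.exe and similar spellings are caught, while the real svchost.exe in System32 or SysWOW64 is never flagged. Each rule is a standalone predicate, so the same functions can be applied to real Sysmon exports once the field names are mapped.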
4. Manual removal
1. Terminate the running scvhosts.exe process and any csc.exe instance it injected into; the file cannot be deleted while it is running.
2. Clear the hidden attribute on C:\Users\VicZ\scvhosts.exe (it is not shown by Explorer with default settings) and delete the file.
3. Delete the value the sample created under Software\Microsoft\Windows NT\CurrentVersion\Windows, so that nothing is started from that key at the next logon.