Sample information
Name: cache.txt
SHA1: a5f83e3baae0df2cdcf5b7e9e862705aeb2caedb
Reproducing the virus environment
Because the obtained sample does not include the virus body, the infection scene could only be reproduced manually. Manual reproduction requires two files: the virus DLL disguised as a .txt file, and the payload that is written into the registry.
First import md.reg into the registry, then load the virus DLL and open the Huorong Sword (HRSword) behavior monitor; the following behavior can be observed:
The virus registers itself as a service and uses that service to start itself.
The subsequent virus activity is covered in the detailed analysis.
After restarting the computer (remember to disconnect it from the network first), continue monitoring its behavior.
The virus runs inside svchost and continuously issues DNS requests and RDP brute-force (blasting) attempts.
Analysis process
The analysis is divided into two parts: the cache.txt file, which acts as the loader, and the payload, which is decrypted into memory and actually executes the malicious code.
Loader part
Opening cache.txt in IDA shows only a dozen or so functions in total. It looks very simple, but the way it locates functions and addresses is still worth studying.
It uses the PEB structure to find the base address of kernel32.
It then finds the addresses of different functions in kernel32.dll according to the parameter passed in.
Inside the get_func_addr_add_2 function, the function address is located by walking several offsets of the PE structure.
It passes in Advapi32 and calls the LoadLibraryA address obtained earlier in order to resolve further function addresses.
It gets the absolute path of the currently running program and then enters the judge_current_process_name function for comparison.
The judge_current_process_name function
Dynamic debugging in OllyDbg makes it obvious that this part checks whether the DLL was started by rundll32.exe; if it was not, the function returns immediately.
If it was started by rundll32.exe, it continues with the following operations.
It passes in user32 and gets the addresses of Sleep and ExitWindowsEx.
It concatenates the string \tsclient\a\moto. This should be a file released by the parent virus, but since we are rebuilding the environment by hand the file does not exist, so opening it fails and the jump to address 10001827 is taken.
If the file is not found, it sleeps for a while and then exits.
If it was not started by rundll32.exe, the function jumps back and returns.
Using the previously filled-in string %SystemRoot%\system32\write.exe.%SystemRoot%\winhlp32.exe, it calls ExpandEnvironmentStringsA to obtain the full paths and checks whether write.exe or winhlp32.exe exists on the system. This is most likely a check for whether it is running in a sandbox.
It opens the registry key HKEY_LOCAL_MACHINE\SYSTEM\WPA and reads the md value.
The md value is a long string of hexadecimal data.
The decrypt_data_and_load_shellcode function contains three further functions.
In the alloc_memory_and_decrypt_data function, each hexadecimal byte of the value read from the registry is decremented by 1; memory is allocated, the data is decrypted, and the decrypted data is stored in that allocated memory.
In the get_some_dll_func_addr_and_save_alloc_memory function, several functions from mfc42.dll are resolved and their addresses are stored in the allocated memory.
The resolved function addresses are used later.
In the find_shellcode_entry_point_and_call function, the entry point of the decrypted shellcode is located and called. This call appears to perform some initialization, but no key operations were found in it.
After that call returns to DllMain, the calc_shellcode_addr function recomputes the address of the decrypted shellcode.
The call at address 10001710 is what starts the malicious operation.
This completes the analysis of the loader part.
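As an added example that is not from the original report, here is a Python decoder for the md value as the loader handles it: it pulls the value out of an md.reg export and subtracts 1 from every byte. The .reg layout, the REG_SZ form of the value and the sample payload are constructed for the demo; the real md.reg is not reproduced here.

```python
import re

# Constructed stand-in for the decrypted shellcode; not the real Morto payload.
SAMPLE_PAYLOAD = b"\x55\x8b\xecHELLO-SHELLCODE\x00\xff"

def encode_md_value(payload: bytes) -> str:
    # Inverse of the loader's decoding (add 1 to each byte, hex-encode);
    # used only to build the constructed md.reg below.
    return bytes((b + 1) & 0xFF for b in payload).hex().upper()

def decode_md_value(hex_string: str) -> bytes:
    # Loader logic from the report: every byte of the hex-encoded md value
    # is decremented by 1 (wrapping 0x00 back to 0xFF).
    raw = bytes.fromhex(hex_string.strip())
    return bytes((b - 1) & 0xFF for b in raw)

def read_reg_string_value(reg_text: str, key_path: str, value_name: str) -> str:
    # Pull a quoted "name"="data" (REG_SZ) line out of .reg export text
    # for the given key. Assumption: md is exported in that string form.
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and m.group(1).lower() == value_name.lower():
            return m.group(2)
    raise KeyError(f"{value_name} not found under {key_path}")

# Constructed md.reg shaped like the one the report imports (HKLM\SYSTEM\WPA, value md).
SAMPLE_MD_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\WPA]\r\n"
    '"md"="' + encode_md_value(SAMPLE_PAYLOAD) + '"\r\n'
)

def recover_payload_from_reg(reg_text: str) -> bytes:
    hex_value = read_reg_string_value(reg_text, r"HKEY_LOCAL_MACHINE\SYSTEM\WPA", "md")
    return decode_md_value(hex_value)

if __name__ == "__main__":
    data = recover_payload_from_reg(SAMPLE_MD_REG)
    print(len(data), data[:16])
```

The recovered bytes can then be written to a file and loaded into IDA as raw shellcode for the payload analysis that follows.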
Payload part
In the payload, it first checks whether the current process is svchost and performs different operations accordingly.
When the process is not svchost
It executes three functions and then exits.
First, it deletes the registry value to clear the record of previous runs.
It copies wmi.dll from the system32 directory to the temp directory and renames it ntshrui.dll.
It gets the svchost key value.
Create a service named
After creating the service registry key, it uses the netsvcs service group of svchost to start the virus DLL.
It creates the registry key HKEY_LOCAL_MACHINE\SYSTEM\WPA\sn.
It sets the registry key to register the service.
It creates files in the temp directory.
Finally, it reads the value back from the registry to verify that it was set correctly.
[Image: reading the value back from the registry to verify it was set correctly (Morto worm analysis report)]
When the process is svchost
First, a thread is created.
A critical loop
Query for security software
DNS request
It traverses the registry value HKLM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations and compares its contents.
If the value does not already contain the expected entry, it is later set to \??\C:\Windows\offline web pages\cache.txt!\??\C:\Windows\temp\ntshrui.dll so that cache.txt is automatically renamed to C:\Windows\Temp\ntshrui.dll at the next boot.
It creates the cache.txt file.
The virus also performs RDP brute-forcing; the weak passwords it tries are as follows:
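As an added example that is not part of the original report, the following Python triage helper parses a PendingFileRenameOperations value (the REG_MULTI_SZ source/destination pairs that the report renders as src!dst) and flags the cache.txt to ntshrui.dll rename used for persistence. The sample entries are constructed; on a live host you would pass it the list returned by winreg.QueryValueEx for that value.

```python
import ntpath

# On-disk artifacts named in the report.
DROPPED_DLL = r"C:\Windows\Temp\ntshrui.dll"
LOADER_FILE = r"C:\Windows\offline web pages\cache.txt"

def _strip_nt_prefix(path: str) -> str:
    # PendingFileRenameOperations stores NT-style paths prefixed with \??\ ; drop that prefix.
    return path[4:] if path.startswith("\\??\\") else path

def parse_pending_renames(entries):
    # The REG_MULTI_SZ value is a flat list of (source, destination) pairs.
    # A destination starting with '!' means the target is overwritten;
    # an empty destination means the source is deleted at boot.
    ops = []
    for i in range(0, len(entries) - 1, 2):
        src = _strip_nt_prefix(entries[i])
        raw_dst = entries[i + 1]
        replace = raw_dst.startswith("!")
        dst = _strip_nt_prefix(raw_dst.lstrip("!"))
        ops.append({"src": src, "dst": dst, "replace": replace, "delete": dst == ""})
    return ops

def find_morto_renames(entries):
    # Flag operations that match the persistence trick from the report:
    # cache.txt being moved over a copy of ntshrui.dll outside system32.
    hits = []
    for op in parse_pending_renames(entries):
        src_l, dst_l = op["src"].lower(), op["dst"].lower()
        if src_l == LOADER_FILE.lower() or dst_l == DROPPED_DLL.lower():
            hits.append(op)
        elif ntpath.basename(dst_l) == "ntshrui.dll" and not dst_l.startswith(r"c:\windows\system32"):
            # ntshrui.dll placed anywhere other than system32 is a side-loading hint
            hits.append(op)
    return hits

# Constructed REG_MULTI_SZ contents: one benign installer cleanup, then the worm's entry.
SAMPLE_ENTRIES = [
    r"\??\C:\Windows\Temp\setup_abc.tmp", "",
    r"\??\C:\Windows\offline web pages\cache.txt", r"!\??\C:\Windows\temp\ntshrui.dll",
]

if __name__ == "__main__":
    for hit in find_morto_renames(SAMPLE_ENTRIES):
        print("suspicious pending rename:", hit)
```

Because the worm keeps rewriting this value, an empty result only means the current snapshot is clean; re-check it after the svchost instance described in the removal section has been terminated.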
Virus removal
Directly deleting C:\Windows\offline web pages\cache.txt or deleting the registry key is useless: the virus keeps writing them back, so it appears impossible to clean.
You need to find the svchost instance started by the virus, that is, the svchost process that is continuously brute-forcing port 3389, terminate it, and only then delete the files and registry keys.