Hacking Book | Free Online Hacking Learning


Analysis of a Phishing Trojan (2)

Posted by graebner at 2020-03-12

This Trojan is highly stealthy. There are no clear-text strings in memory, so searching memory for obvious strings is of little use. Data in memory is decrypted only at the moment it is needed and is released immediately afterwards; it never stays in memory for long. All lookups and checks compare hash values rather than strings, and double encryption is used on top of that, which adds considerable difficulty for analysts.

Last time we showed that an encrypted PE file exists in this Trojan's memory. Next, we explain how the PE file dumped from memory works.

At the entry point, the module handles of ntdll.dll and kernel32.dll are found by hash comparison rather than the usual call to GetModuleHandle().

Look at the implementation of the module-search routine. Inside the function, [[[[fs:[0x30] + 0xc] + 0xc] + 0xc] + 0x30] is used to obtain the module name. In ring 3 the FS register points to the thread environment block (TEB); offset 0x30 of the TEB holds the pointer to the PEB (process environment block); offset 0xc of the PEB points to the LDR data, and the later offsets read the module's base name from the LDR entry. The routine computes the hash of that name, compares it with the wanted hash, and returns the module's handle (its base address) from the LDR entry.

Once the module base is obtained, the corresponding function addresses are resolved by decrypting the encrypted import table stored in the .data section.

Here is the resolved function table for ntdll.

Here is the resolved function table for kernel32.

The next step is the init routine.

First, an event is created together with a mutex.

If the mutex did not already exist, the Trojan starts its own process again; if the mutex exists, it enters the working function. This is also how the multi-process mode works. Entering the working function (server_get_info_and_timer) means the Trojan has begun its real work. At the start of this work, the Trojan obtains the function table it needs again in a similar way. It does not repeat the earlier steps; it resolves the functions it needs from advapi32.dll, ole32.dll, shell32.dll, crypt32.dll, urlmon.dll and wininet.dll, as follows:

Then the Trojan gets the Windows directory and computes the disk ID of the disk that holds the system directory.

Next, it combines the computer name and the disk ID of the current machine, and derives from the disk ID the name of the service program it will generate.

The service name is derived from the disk ID using the word list "agent, app, audio, bio, bits, cache, card, cart, cert, com, crypt, dcom, defrag, device, dhcp, dns, event, evt, flt, gdi, group, help, home, host, info, iso, launch, log, logon, lookup, man, math, mgmt, msi, ncb, net, nv, nvidia, proc, prop, prov, provider, reg, rpc, screen, search": the entries selected according to the disk ID are filled in and combined to form the service name and the exe name to be generated.

After obtaining the name of the Trojan's exe, it computes the CRC value of the Trojan's exe in the system directory.

Next it gets the computer name; any character outside 0-9, A-Z and a-z is replaced with X, at most 16 characters are kept, and the result is combined with the disk ID.

The Trojan then creates a timer with the CreateTimerQueueTimer function.

The process enters the timer callback function.

The callback runs different logic depending on the current run state. Case 1 means the Trojan is preparing to initialize; it then sets the state to 2. When the timer fires in case 2, the Trojan's exe is installed as a Windows service whose name is the service_name computed earlier; the state is then set to 3. In case 3, a set of IP addresses and ports is filled in; these are written directly in the .data section, and you can see many IPs and ports built into memory: 0x1bb is port 433 and 0x1f90 is port 8080.

Case 3 also initializes the encryption context

The RSA routine imports the public key from memory; the argument 0x13 is RSA_CSP_PUBLICKEYBLOB.
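Decoding with RSA_CSP_PUBLICKEYBLOB yields a CryptoAPI PUBLICKEYBLOB (BLOBHEADER, RSAPUBKEY, then a little-endian modulus), and that fixed layout is what lets an analyst carve the embedded public key out of a memory dump. The following Python is an added example, not code from the post and not the Trojan's key: it parses the blob, builds a constructed sample with an assumed 64-bit dummy modulus, and scans a fake dump for such blobs.

```python
import struct

# CryptoAPI constants from wincrypt.h
PUBLICKEYBLOB, CUR_BLOB_VERSION = 0x06, 0x02
CALG_RSA_KEYX, CALG_RSA_SIGN = 0x0000A400, 0x00002400
RSA1_MAGIC = 0x31415352       # the bytes "RSA1" read little-endian
HEADER_LEN = 8 + 12           # BLOBHEADER + RSAPUBKEY

def parse_publickeyblob(blob):
    """Decode one PUBLICKEYBLOB into its RSA parameters (n, e, bit length)."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob too short")
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB or bver != CUR_BLOB_VERSION:
        raise ValueError("not a PUBLICKEYBLOB header")
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN):
        raise ValueError("unexpected aiKeyAlg %#x" % alg)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC or bitlen == 0 or bitlen % 8:
        raise ValueError("bad RSAPUBKEY")
    mod = blob[HEADER_LEN:HEADER_LEN + bitlen // 8]
    if len(mod) != bitlen // 8:
        raise ValueError("truncated modulus")
    # CryptoAPI stores the modulus little-endian, unlike DER/PEM keys.
    return {"bits": bitlen, "e": pubexp, "n": int.from_bytes(mod, "little")}

def build_publickeyblob(n, e, bits):
    """Serialise (n, e) as a PUBLICKEYBLOB; used below to make sample data."""
    hdr = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    return hdr + struct.pack("<III", RSA1_MAGIC, bits, e) + n.to_bytes(bits // 8, "little")

def carve_publickeyblobs(data):
    """Find blobs in a raw dump: 'RSA1' at offset 8 behind a header that parses."""
    found, pos = [], data.find(b"RSA1")
    while pos >= 0:
        if pos >= 8:
            try:
                found.append((pos - 8, parse_publickeyblob(data[pos - 8:])))
            except ValueError:
                pass              # a stray "RSA1" in unrelated bytes
        pos = data.find(b"RSA1", pos + 1)
    return found

# Constructed sample: dummy 64-bit modulus inside filler bytes, standing in for a .data dump
SAMPLE_N = 0xA3B1C2D3E4F50617
SAMPLE_DUMP = b"\x00" * 37 + build_publickeyblob(SAMPLE_N, 65537, 64) + b"\xff" * 5

if __name__ == "__main__":
    for off, key in carve_publickeyblobs(SAMPLE_DUMP):
        print("blob at offset %d: %d-bit RSA, e=%d, n=%#x" % (off, key["bits"], key["e"], key["n"]))
```

Run against a real dump of the unpacked PE, the recovered n and e can be converted to PEM and compared across samples to cluster C2 infrastructure.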

After case 3 runs, the state is set to 4, so the next timer tick enters case 4, which fills the buffer to be encrypted with the current computer's process information, the CRC of the Trojan's exe, the computer name and the disk ID.

Then it encrypts that buffer and POSTs it to port 433 of the server.

Note that before sending to port 433, the Trojan applies RSA encryption on top.

After the double encryption (one custom layer plus one RSA layer), the data is sent by POST to port 433 of the server.

Then the Trojan calls the InternetReadFile function to obtain the server's response. After double decryption (one RSA decryption and one custom decryption), the result drives various actions; the most important of these is downloading and executing an exe from the remote server.

If an updated Trojan is available, it calls the start-download-exe function to update itself.

With this, essentially the whole main workflow of the Trojan has been analyzed. The Trojan is highly stealthy: there are no clear-text strings in memory, so searching memory for obvious strings is of little use; data in memory is decrypted only when needed and released immediately afterwards, never staying in memory for long; all lookups and checks compare hash values; and double encryption is used on top, all of which adds considerable difficulty for analysts.