iSpySoft木马分析

blackhold 2016-07-28 22:17:24

iSpySoft木马样本文件使用 .Net语言编写,对其原始代码使用加密混淆器(ConfuserEx v0.6.0)进行了加密混淆,加大了逆向分析的难度。本文详细的对该木马样本进行了分析,可供相关安全从业人员学习使用。

1 加密混淆代码

使用 windbg 尝试进行脱壳,第一步定位解密后加载到内存中的可执行模块,通过调试分析发现程序运行后内存中会加载 stub 模块;

0:000> !CLRStack
PDB symbol for mscorwks.dll not loaded
OS Thread Id: 0xa68 (0)
ESP EIP
003ae488 773eb727 [HelperMethodFrame: 003ae488]
003ae52c 6e4b8496 System.IO.Path.CheckInvalidPathChars(System.String)*** WARNING: Unable to verify
checksum  for
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\m
scorlib.ni.dll
003ae538 6dd92736 System.IO.Path.NormalizePathFast(System.String, Boolean)
003ae5bc 6dd926c5 System.IO.Path.NormalizePath(System.String, Boolean)
@NSFOCUS 2016  http://www.nsfocus.com
003ae5cc 6dd92686 System.IO.Path.GetFullPathInternal(System.String)
003ae5d8 6dd39448 System.Reflection.Module.get_FullyQualifiedName()
003ae608 00626996 <Module>.        )(        
003ae694 00626739 <Module>..cctor()
003ae8a4 6e671b4c [GCFrame: 003ae8a4]
003aef8c 6e671b4c [GCFrame: 003aef8c]
003af170  6e671b4c  [HelperMethodFrame_1OBJ:  003af170]
System.RuntimeMethodHandle._InvokeMethodFast(System.Object,  System.Object[],
System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
003af1e0 6dd85458 System.RuntimeMethodHandle.InvokeMethodFast(System.Object, System.Object[],
System.Signature, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
003af230  6dd85206  System.Reflection.RuntimeMethodInfo.Invoke(System.Object,
System.Reflection.BindingFlags,  System.Reflection.Binder,  System.Object[],
System.Globalization.CultureInfo, Boolean)
003af26c  6dd850ee  System.Reflection.RuntimeMethodInfo.Invoke(System.Object,
System.Reflection.BindingFlags,  System.Reflection.Binder,  System.Object[],
System.Globalization.CultureInfo)
003af28c 006266f7  .                     (System.Reflection.MethodInfo, System.String[], Boolean)  
003af2a8 00624512  .                      (System.String[])  
003af504 6e671b4c [GCFrame: 003af504]

定位查看stub模块信息,发现其为完整PE文件,dump完整PE文件;

0:000> !Name2EE *!stub
Module: 6db71000 (mscorlib.dll)
--------------------------------------
Module: 00262360 (sortkey.nlp)
--------------------------------------
Module: 00262010 (sorttbls.nlp)
--------------------------------------
Module: 002626b0 (prcp.nlp)
--------------------------------------
Module: 00262a00 (mscorlib.resources.dll)
--------------------------------------
Module: 001c2ff8 (GCL-05 Detailed Packing List.exe)
--------------------------------------
Module: 6c661000 (System.Windows.Forms.dll)
--------------------------------------
Module: 6d3d1000 (System.dll)
--------------------------------------
Module: 6d241000 (System.Drawing.dll)
--------------------------------------
Module: 001c71c0 (stub, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null)
0:000> !DumpModule 001c71c0
Name: stub, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
@NSFOCUS 2016  http://www.nsfocus.com
Attributes: PEFile
Assembly: 00494878
LoaderHeap: 00000000
TypeDefToMethodTableMap: 00a03de8
TypeRefToMethodTableMap: 00a03ef8
MethodDefToDescMap: 00a04090
FieldDefToDescMap: 00a04688
MemberRefToDescMap: 00a04b14
FileReferencesMap: 00a04e50
AssemblyReferencesMap: 00a04e54
MetaData start address: 005f53ec (97120 bytes)

查看 stub.exe 代码,发现其代码已经进行了解密,可以清楚的看到程序的代码结构,其代码还存在混淆效果,提取的完整 PE 文件可直接运行,且其行为与原始样本相同;

2 解密后代码结构

提取加载资源 UmbGctGTGGWnIGiBIgLVRjpHMdEi.dll;查看提取的该模块信息,该程序的功能代码主要在该模块中定义,包括:反内存 dump,反沙箱,执行命令,下载文件,注入进程,自保护,监控屏幕,启动配置文件等信息;

0:000> !CLRStack
OS Thread Id: 0xadc (0)
ESP EIP
0032e7ac 6d9588b6 System.Convert.ChangeType(System.Object, System.Type, System.IFormatProvider)
0032e7c4 005d72a5 stub.exe!Unknown
0032e80c 005d60f9 stub.exe!Unknown*** WARNING: Unable to verify checksum for image01260000
*** ERROR: Module load completed but symbols could not be loaded for image01260000
0032eac4 6db31b4c [GCFrame: 0032eac4]
0032f068 6db31b4c [PrestubMethodFrame: 0032f068] stub.exe!Unknown
0032f28c 6db31b4c [GCFrame: 0032f28c]
0:000> !Name2EE *!UmbGctGTGGWnIGiBIgLVRjpHMdEi
Module: 6d031000 (mscorlib.dll)
--------------------------------------
Module: 00192360 (sortkey.nlp)
--------------------------------------
@NSFOCUS 2016  http://www.nsfocus.com
Module: 00192010 (sorttbls.nlp)
--------------------------------------
Module: 001926b0 (prcp.nlp)
--------------------------------------
Module: 00192a00 (mscorlib.resources.dll)
--------------------------------------
Module: 00172ff8 (stub.exe)
--------------------------------------
Module:  001745a4  (UmbGctGTGGWnIGiBIgLVRjpHMdEi,  Version=0.0.0.0,  Culture=neutral,
PublicKeyToken=null)
--------------------------------------
Module: 6c831000 (System.dll)
0:000> !DumpModule 001745a4
Name: UmbGctGTGGWnIGiBIgLVRjpHMdEi, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
Attributes: PEFile
Assembly: 00686338
LoaderHeap: 00000000
TypeDefToMethodTableMap: 0022405c
TypeRefToMethodTableMap: 00224064
MethodDefToDescMap: 00224068
FieldDefToDescMap: 0022406c
MemberRefToDescMap: 00224070
FileReferencesMap: 00224078
AssemblyReferencesMap: 0022407c
MetaData start address: 00443238 (284 bytes)
@NSFOCUS 2016  http://www.nsfocus.com

3 功能模块

由于 stub.exe 被进行代码混淆处理,使用 windbg 直接调试 stub.exe 进行混淆代码反混淆处理,通过查看程序运行堆栈信息,可以确程序在是否进行代码还原完毕;

ESP EIP
0036ea5c  77e6f8c1  [NDirectMethodFrameStandalone:  0036ea5c]
System.Net.UnsafeNclNativeMethods+OSSOCK.WSAConnect(IntPtr, Byte[], Int32, IntPtr, IntPtr, IntPtr,
IntPtr)
0036ea80  6c97228a  System.Net.Sockets.Socket.DoConnect(System.Net.EndPoint,
System.Net.SocketAddress)***  WARNING:  Unable  to  verify  checksum  for
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\Syst
em.ni.dll
0036eaa0 6c959144 System.Net.Sockets.Socket.InternalConnect(System.Net.EndPoint)
0036eab0 6c9515f1 System.Net.ServicePoint.ConnectSocketInternal(Boolean, System.Net.Sockets.Socket,
System.Net.Sockets.Socket,  System.Net.Sockets.Socket  ByRef,  System.Net.IPAddress  ByRef,
ConnectSocketState, System.IAsyncResult, Int32, System.Exception ByRef)
0036eb14  6c9514f9  System.Net.ServicePoint.ConnectSocket(System.Net.Sockets.Socket,
System.Net.Sockets.Socket,  System.Net.Sockets.Socket  ByRef,  System.Net.IPAddress  ByRef,
ConnectSocketState, Int32, System.Exception ByRef)
0036eb3c 6c95147c System.Net.ServicePoint.GetConnection(System.Net.PooledStream, System.Object,
Boolean, System.Net.IPAddress ByRef, System.Net.Sockets.Socket ByRef, System.Net.Sockets.Socket ByRef,
Int32)
0036eb7c  6c95135c  System.Net.PooledStream.Activate(System.Object,  Boolean,  Int32,
@NSFOCUS 2016  http://www.nsfocus.com
System.Net.GeneralAsyncDelegate)
0036ebb8  6c95116a  System.Net.Connection.CompleteStartConnection(Boolean,
System.Net.HttpWebRequest)
0036ec00  6c97978a  System.Net.Connection.CompleteStartRequest(Boolean,
System.Net.HttpWebRequest, System.Net.TriState)
0036ec30 6c9790d3 System.Net.Connection.SubmitRequest(System.Net.HttpWebRequest)
0036ec74 6c978a2c System.Net.ServicePoint.SubmitRequest(System.Net.HttpWebRequest, System.String)
0036ecac 6c9782f9 System.Net.HttpWebRequest.SubmitRequest(System.Net.ServicePoint)
0036ecd8 6ce9de54 System.Net.HttpWebRequest.GetResponse()
0036ed18 6cce6db0 System.Net.WebClient.GetWebResponse(System.Net.WebRequest)
0036ed24 6cce87cb System.Net.WebClient.DownloadBits(System.Net.WebRequest, System.IO.Stream,
System.Net.CompletionDelegate, System.ComponentModel.AsyncOperation)
0036ed48 6cce6b53 System.Net.WebClient.DownloadDataInternal(System.Uri, System.Net.WebRequest
ByRef)
0036ed78 6cce7e43 System.Net.WebClient.DownloadString(System.Uri)
0036edac 6cce7dc6 System.Net.WebClient.DownloadString(System.String)
0036edb8 00622a19 Technitium.ComputerInformation.GetExternalIP()
0036ee04 00621b1b Technitium.ComputerInformation.GetInformation()
0036ef1c 00620ca6 Technitium.Core.FileExecuted()
0036f124 0062057c Technitium.Main.main()
0036f3c8 6db31b4c [GCFrame: 0036f3c8]

4 获取外网 IP

通过上述脱壳反混淆处理后,提取该样本原始程序核心代码,进行代码分析,其代码中主要 包含以下几个核心功能类:Technitium.Main、Technitium.Core、Technitium.RunPEx、 Technitium.Config、Technitium.Stealer 等,下面是上述类的详细信息;

# Technitium.Config
1:006> !dumpmt -md 00183c64
EEClass: 00371b0c
Module: 00182ff8
Name: Technitium.Config
mdToken: 0200003a (C:\Users\bassx\Desktop\stub.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 7
--------------------------------------
MethodDesc Table
Entry MethodDesc JIT Name
6d1f6a90 6d07494c PreJIT System.Object.ToString()
@NSFOCUS 2016  http://www.nsfocus.com
6d1f6ab0 6d074954 PreJIT System.Object.Equals(System.Object)
6d1f6b20 6d074984 PreJIT System.Object.GetHashCode()
6d267540 6d0749a8 PreJIT System.Object.Finalize()
00620108 00183c48 JIT Technitium.Config..cctor()
0018c10d 00183c50 NONE Technitium.Config..ctor()
0018c111 00183c58 NONE Technitium.Config.DumpErrorLog(System.Exception, System.String)
# Technitium.Stealer
1:006> !dumpmt -md 00188760
EEClass: 003764e8
Module: 00182ff8
Name: Technitium.Stealer
mdToken: 02000022 (C:\Users\bassx\Desktop\stub.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 13
--------------------------------------
MethodDesc Table
Entry MethodDesc JIT Name
6d1f6a90 6d07494c PreJIT System.Object.ToString()
6d1f6ab0 6d074954 PreJIT System.Object.Equals(System.Object)
6d1f6b20 6d074984 PreJIT System.Object.GetHashCode()
6d267540 6d0749a8 PreJIT System.Object.Finalize()
0018c4b5 001886f8 NONE Technitium.Stealer..ctor()
00623918 00188700 JIT Technitium.Stealer.Recover()
0018c4bd 0018870c NONE Technitium.Stealer.MSParseLogs(System.String)
0018c4c1 00188718 NONE Technitium.Stealer.OSParseLogs(System.String)
0018c4c5 00188724 NONE Technitium.Stealer.MLParseLogs(System.String)
0018c4c9 00188730 NONE Technitium.Stealer.WBParseLogs(System.String)
0018c4cd 0018873c NONE Technitium.Stealer.WaitUntilFileIsAvailable(System.String)
00624080 00188748 JIT Technitium.Stealer.Decompress(Byte[])
00623fd0 00188754 JIT Technitium.Stealer.Cloud(System.String)
# Technitium.RunPEx
1:006> !dumpmt -md 00188c2c
EEClass: 0037688c
Module: 00182ff8
Name: Technitium.RunPEx
mdToken: 02000040 (C:\Users\bassx\Desktop\stub.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 15
--------------------------------------
MethodDesc Table
@NSFOCUS 2016  http://www.nsfocus.com
Entry MethodDesc JIT Name
6d1f6a90 6d07494c PreJIT System.Object.ToString()
6d1f6ab0 6d074954 PreJIT System.Object.Equals(System.Object)
6d1f6b20 6d074984 PreJIT System.Object.GetHashCode()
6d267540 6d0749a8 PreJIT System.Object.Finalize()
0018c60d 00188aac NONE Technitium.RunPEx..ctor()
0018c64c 00188ab4 NONE Technitium.RunPEx.CreateProcess(System.String, System.String,
IntPtr,  IntPtr,  Boolean,  UInt32,  IntPtr,  System.String,  STARTUP_INFORMATION  ByRef,
PROCESS_INFORMATION ByRef)
0018c658 00188ad8 NONE Technitium.RunPEx.GetThreadContext(IntPtr, Int32[])
0018c694 00188afc NONE Technitium.RunPEx.SetThreadContext(IntPtr, Int32[])
0018c664 00188b20 NONE Technitium.RunPEx.ReadProcessMemory(IntPtr, Int32, Int32 ByRef,
Int32, Int32 ByRef)
0018c688 00188b44 NONE Technitium.RunPEx.WriteProcessMemory(IntPtr, Int32, Byte[], Int32,
Int32 ByRef)
0018c670 00188b68 NONE Technitium.RunPEx.NtUnmapViewOfSection(IntPtr, Int32)
0018c67c 00188b8c NONE Technitium.RunPEx.VirtualAllocEx(IntPtr, Int32, Int32, Int32, Int32)
0018c6a0 00188bb0 NONE Technitium.RunPEx.ResumeThread(IntPtr)
006241d0 00188bd4 JIT Technitium.RunPEx.Run(System.String, System.String, Byte[], Boolean,
Boolean)
00624270 00188be0 JIT Technitium.RunPEx.HandleRun(System.String, System.String, Byte[],
Boolean, Boolean)
# Technitium.Main
1:006> !dumpmt -md 001838dc
EEClass: 003715cc
Module: 00182ff8
Name: Technitium.Main
mdToken: 02000002 (C:\Users\bassx\Desktop\stub.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 25
--------------------------------------
MethodDesc Table
Entry MethodDesc JIT Name
6d1f6a90 6d07494c PreJIT System.Object.ToString()
6d1f6ab0 6d074954 PreJIT System.Object.Equals(System.Object)
6d1f6b20 6d074984 PreJIT System.Object.GetHashCode()
6d267540 6d0749a8 PreJIT System.Object.Finalize()
00620070 001836e4 JIT Technitium.Main..cctor()
00620440 001836ec JIT Technitium.Main.main()
0018c079 001836f8 NONE Technitium.Main.ProProtect()
0018c07d 00183704 NONE Technitium.Main.Disablers()
0018c081 00183710 NONE Technitium.Main.AV()
@NSFOCUS 2016  http://www.nsfocus.com
0018c085 0018371c NONE Technitium.Main.Bot()
0018c089 00183728 NONE Technitium.Main.ProcessP()
0018c08d 00183734 NONE Technitium.Main.SendLogs()
0018c091 00183740 NONE Technitium.Main.UnhookWindowsHookEx(Int32)
0018c095 00183764 NONE Technitium.Main.SetWindowsHookEx(Int32, KeyboardHookDelegate,
Int32, Int32)
0018c099 00183788 NONE Technitium.Main.GetAsyncKeyState(Int32)
0018c09d  001837ac  NONE Technitium.Main.CallNextHookEx(Int32, Int32, Int32,
KBDLLHOOKSTRUCT)
0018c0a1 001837d0 NONE Technitium.Main.lineSetAppSpecific(Int64, Int64)
0018c0a5 001837f4 NONE Technitium.Main.MgmGetNextMfeStats(IntPtr ByRef, Int64 ByRef,
System.String ByRef, Int64 ByRef)
0018c0a9 00183818 NONE Technitium.Main.GetForegroundWindow()
0018c0ad 0018383c NONE Technitium.Main.GetWindowText(Int32, System.String ByRef, Int32)
0018c0b1 00183860 NONE Technitium.Main.GetActiveWindowTitle()
0018c0b5 0018386c NONE Technitium.Main.Hooked()
0018c0b9 00183878 NONE Technitium.Main.HookKeyboard()
0018c0bd 00183884 NONE Technitium.Main.UnhookKeyboard()
0018c0c1 00183890 NONE Technitium.Main.KeyboardCallback(Int32, Int32, KBDLLHOOKSTRUCT
ByRef)
# Technitium.Core
1:006> !dumpmt -md 001849e0
EEClass: 00371d0c
Module: 00182ff8
Name: Technitium.Core
mdToken: 0200003b (C:\Users\bassx\Desktop\stub.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 23
--------------------------------------
MethodDesc Table
Entry MethodDesc JIT Name
6d1f6a90 6d07494c PreJIT System.Object.ToString()
6d1f6ab0 6d074954 PreJIT System.Object.Equals(System.Object)
6d1f6b20 6d074984 PreJIT System.Object.GetHashCode()
6d267540 6d0749a8 PreJIT System.Object.Finalize()
0018c141 001848b0 NONE Technitium.Core..ctor()
0018c145 001848b8 NONE Technitium.Core.CreateAPI(System.String, System.String)
0018c149 001848cc NONE Technitium.Core.CallAPI(System.String, System.String, System.Type[],
System.Object[])
0018c14d 001848e0 NONE Technitium.Core.GetInstallPath()
0018c151 001848ec NONE Technitium.Core.IsAdmin()
0018c155 001848f8 NONE Technitium.Core.RecoverPasswords()
@NSFOCUS 2016  http://www.nsfocus.com
00620740 00184904 JIT Technitium.Core.Decrypt()
0018c15d 00184910 NONE Technitium.Core.DeleteSavedPasswords()
0018c161 0018491c NONE Technitium.Core.UploadScreenshot()
0018c165 00184928 NONE Technitium.Core.GenerateHWID()
0018c169 00184934 NONE Technitium.Core.MD5(System.String)
0018c16d 00184940 NONE Technitium.Core.GetVolumeInformationA(System.String ByRef,
System.String ByRef, UInt32, UInt32 ByRef, UInt32 ByRef, UInt32 ByRef, System.String ByRef, UInt32)
0018c171 00184964 NONE Technitium.Core.HidD_GetHidGuid(System.Guid ByRef)
00620bd8 00184988 JIT Technitium.Core.FileExecuted()
0018c179 00184994 NONE Technitium.Core.Install()
0018c17d 001849a0 NONE Technitium.Core.IsConnectedToInternet()
0018c181 001849ac NONE Technitium.Core.Startup(System.Object)
0018c185 001849b8 NONE Technitium.Core.FakeMessage()
0018c189 001849c4 NONE Technitium.Core.Upload(System.String, System.String, System.String)

0x01 功能分析
iSpySoft 木马实现了多种功能,包括:窃取用户信息、浏览器信息(登录用户名密码)、键盘监控、截屏、视频监控、文件下载、文件上传、远程控制等功能。

5 主模块功能

下面是对其主功能函数的分析, 主函数执行的功能主要依赖于其配置信息, 通过对其配置选项执行相应的功能函数;

# Technitium.Main.main() 主功能函数
1:006> !dumpil 001836ec
ilAddr = 004020a4
IL_0000: nop
.try
{
IL_0001: nop
IL_0002: ldsfld Technitium.Config::DELAY_EXECUTION # 读取配置参数
IL_0007: call System.Convert::ToInt32
IL_000c: ldc.i4 1000
IL_0011: mul.ovf
IL_0012: call System.Threading.Thread::Sleep
@NSFOCUS 2016  http://www.nsfocus.com
IL_0017: nop
IL_0018: ldsfld Technitium.Config::ANTI_DEBUGGERS # 读取配置参数
IL_001d: call System.String::IsNullOrEmpty
IL_0022: ldc.i4.0
IL_0023: ceq
IL_0025: stloc.1
IL_0026: ldloc.1
IL_0027: brfalse.s IL_0030
IL_0029: newobj AntiDebugger::.ctor
IL_002e: stloc.2
IL_002f: nop
IL_0030: nop
IL_0031: ldc.i4.0
IL_0032: stloc.0
IL_0033: nop
IL_0034: ldc.i4.1
IL_0035: ldsfld Technitium.Config::MUTEX
IL_003a: ldloca.s VAR OR ARG 0
IL_003c: newobj System.Threading.Mutex::.ctor
IL_0041: stloc.3
.try
{
IL_0042: ldloc.0
IL_0043: stloc.s VAR OR ARG 4
IL_0045: ldloc.s VAR OR ARG 4
IL_0047: brfalse IL_010e
IL_004c: call Technitium.Core::Decrypt
IL_0051: nop
IL_0052: ldsfld Technitium.Config::INSTALL_FILE # 读取配置参数
IL_0057: call System.String::IsNullOrEmpty
IL_005c: ldc.i4.0
IL_005d: ceq
IL_005f: stloc.s VAR OR ARG 5
IL_0061: ldloc.s VAR OR ARG 5
IL_0063: brfalse.s IL_006c
IL_0065: call Technitium.Core::Install
IL_006a: nop
IL_006b: nop
IL_006c: nop
IL_006d: call Technitium.Core::FileExecuted
IL_0072: nop
IL_0073: ldsfld Technitium.Config::KEYSTROKES # 读取配置参数
IL_0078: call System.String::IsNullOrEmpty
IL_007d: ldc.i4.0
@NSFOCUS 2016  http://www.nsfocus.com
IL_007e: ceq
IL_0080: stloc.s VAR OR ARG 6
IL_0082: ldloc.s VAR OR ARG 6
IL_0084: brfalse.s IL_00cb
IL_0086: ldstr "..[--- Window: "
IL_008b: stsfld Technitium.Main::LHeader
IL_0090: ldstr " ---].."
IL_0095: stsfld Technitium.Main::RHeader
IL_009a: call Technitium.Main::HookKeyboard
IL_009f: nop
IL_00a0: ldc.i4.1
IL_00a1: stsfld Technitium.Main::UseCaps
IL_00a6: ldnull
IL_00a7: ldftn Technitium.Main::SendLogs
IL_00ad: newobj System.Threading.ThreadStart::.ctor
IL_00b2: newobj System.Threading.Thread::.ctor
IL_00b7: stloc.s VAR OR ARG 7
IL_00b9: ldloc.s VAR OR ARG 7
IL_00bb: ldc.i4.0
IL_00bc: callvirt System.Threading.Thread::SetApartmentState
IL_00c1: nop
IL_00c2: ldloc.s VAR OR ARG 7
IL_00c4: callvirt System.Threading.Thread::Start
IL_00c9: nop
IL_00ca: nop
IL_00cb: nop
IL_00cc: call Technitium.Main::Disablers
IL_00d1: nop
IL_00d2: call Technitium.Main::AV
IL_00d7: nop
IL_00d8: call Technitium.Main::Bot
IL_00dd: nop
IL_00de: call Technitium.Main::ProProtect
IL_00e3: nop
IL_00e4: ldsfld Technitium.Config::RUNESCAPE_PINLOGGER # 读取配置参数
IL_00e9: call System.String::IsNullOrEmpty
IL_00ee: ldc.i4.0
IL_00ef: ceq
IL_00f1: stloc.s VAR OR ARG 8
IL_00f3: ldloc.s VAR OR ARG 8
IL_00f5: brfalse.s IL_010a
IL_00f7: ldnull
IL_00f8: ldftn Technitium.Pinlogger::Log
IL_00fe: newobj System.Threading.WaitCallback::.ctor
@NSFOCUS 2016  http://www.nsfocus.com
IL_0103: call System.Threading.ThreadPool::QueueUserWorkItem
IL_0108: pop
IL_0109: nop
IL_010a: nop
IL_010b: nop
IL_010c: br.s IL_0117
IL_010e: nop
IL_010f: ldc.i4.0
IL_0110: call System.Environment::Exit
IL_0115: nop
IL_0116: nop
IL_0117: leave.s IL_0125
} // end .try
.finally
{
IL_0119: nop
IL_011a: ldloc.3
IL_011b: brfalse.s IL_0124
IL_011d: ldloc.3
IL_011e: callvirt System.IDisposable::Dispose
IL_0123: nop
IL_0124: endfinally
} // end .finally
IL_0125: call System.Diagnostics.Process::GetCurrentProcess
IL_012a: callvirt System.Diagnostics.Process::WaitForExit
IL_012f: nop
IL_0130: leave.s IL_0151
} // end .try
.catch
{
IL_0132: dup
IL_0133: call Microsoft.VisualBasic.CompilerServices.ProjectDat::SetProjectError
IL_0138: stloc.s VAR OR ARG 9
IL_013a: nop
IL_013b: ldloc.s VAR OR ARG 9
IL_013d: callvirt System.Exception::ToString
IL_0142: ldc.i4.0
IL_0143: ldnull
IL_0144: call Microsoft.VisualBasic.Interaction::MsgBox
IL_0149: pop
IL_014a: call Microsoft.VisualBasic.CompilerServices.ProjectDat::ClearProjectError
IL_014f: leave.s IL_0151
} // end .catch
IL_0151: nop
@NSFOCUS 2016  http://www.nsfocus.com
IL_0152: ret

iSpySoft 木马主要配置文件:

# Technitium.Config..cctor() 配置文件
1:006> !dumpil 00183c48
ilAddr = 00407b3c
IL_0000: ldstr "1.0.0.0"
IL_0005: stsfld Technitium.Config::VERSION # 版本
IL_000a: ldstr "AF7B1841C6A70C858E3201422E2D0BEA"
IL_000f: stsfld Technitium.Config::HWID # HWID
IL_0014: ldstr "149ff47a-7df2-4b42-823e-2820d63034b4"
IL_0019: stsfld Technitium.Config::MUTEX # iSpy MUTEX
IL_001e: ldstr "EMAIL"
IL_0023: stsfld Technitium.Config::UPLOAD_METHOD # 上传文件方式, 提供三种 EMAIL, FTP,
PHP
IL_0028: ldstr "XXXXXXXXXXXXXXX"
IL_002d: stsfld Technitium.Config::EMAIL_USERNAME # EMAIL 用户名
IL_0032: ldstr "XXXXXXXXXXXXXXX"
IL_0037: stsfld Technitium.Config::EMAIL_PASSWORD # EMAIL 密码
IL_003c: ldstr "XXXXXXXXXXXXXXX"
IL_0041: stsfld Technitium.Config::EMAIL_PORT # EMAIL 端口
IL_0046: ldstr "XXXXXXXXXXXXXXX"
IL_004b: stsfld Technitium.Config::EMAIL_SERVER # EMAIL 服务器
IL_0050: ldstr ""
IL_0055: stsfld Technitium.Config::EMAIL_SSL # 是否开发 SSL
IL_005a: ldstr "XXXXXXXXXXXXXXX"
IL_005f: stsfld Technitium.Config::FTP_USERNAME # Ftp 用户名
IL_0064: ldstr "XXXXXXXXXXXXXXX"
IL_0069: stsfld Technitium.Config::FTP_PASSWORD # Ftp 密码
IL_006e: ldstr "XXXXXXXXXXXXXXX"
IL_0073: stsfld Technitium.Config::FTP_SERVER # Ftp 服务器
IL_0078: ldstr "XXXXXXXXXXXXXXX"
IL_007d: stsfld Technitium.Config::PHP_KEY # PHP key
IL_0082: ldstr "XXXXXXXXXXXXXXX"
IL_0087: stsfld Technitium.Config::WEBPANEL # PHP Panel
IL_008c: ldstr "10"
IL_0091: stsfld Technitium.Config::LOG_INTERVAL
IL_0096: ldstr ""
IL_009b: stsfld Technitium.Config::CLIPBOARD_MONITORING # 监控剪切板
IL_00a0: ldstr ""
IL_00a5: stsfld Technitium.Config::SEND_SCREENSHOTS # 发送截屏信息
IL_00aa: ldstr ""
IL_00af: stsfld Technitium.Config::KEYSTROKES # 进行按键监控
IL_00b4: ldstr ""
@NSFOCUS 2016  http://www.nsfocus.com
IL_00b9: stsfld Technitium.Config::WEBCAM_LOGGER # 摄像头监控
IL_00be: ldstr ""
IL_00c3: stsfld Technitium.Config::MODIFY_TASK_MANAGER # 禁用任务管理器
IL_00c8: ldstr ""
IL_00cd: stsfld Technitium.Config::ANTI_DEBUGGERS # 检测调试器
IL_00d2: ldstr ""
IL_00d7: stsfld Technitium.Config::PROCESS_PROTECTION # 程序自保护
IL_00dc: ldstr ""
IL_00e1: stsfld Technitium.Config::RUNESCAPE_PINLOGGER
IL_00e6: ldstr ""
IL_00eb: stsfld Technitium.Config::CLEAR_SAVED
IL_00f0: ldstr "2a76d583-f7dc-4bb6-88eb-6515438f2ee7"
IL_00f5: stsfld Technitium.Config::PASSWORD_STEALER # 窃取密码
IL_00fa: ldstr ""
IL_00ff: stsfld Technitium.Config::MELT_FILE
IL_0104: ldstr ""
IL_0109: stsfld Technitium.Config::INSTALL_FILE # 安装文件
IL_010e: ldstr "[PATHTYPE]"
IL_0113: stsfld Technitium.Config::PATH_TYPE # 安装路径
IL_0118: ldstr "[FOLDER]"
IL_011d: stsfld Technitium.Config::FOLDER_NAME # 安装文件夹名称
IL_0122: ldstr "[FILENAME]"
IL_0127: stsfld Technitium.Config::FILE_NAME # 安装文件名称
IL_012c: ldstr ""
IL_0131: stsfld Technitium.Config::HKCU # 注册表配置 1
IL_0136: ldstr ""
IL_013b: stsfld Technitium.Config::HKLM # 注册表配置 2
IL_0140: ldstr ""
IL_0145: stsfld Technitium.Config::BINDER # 绑定端口
IL_014a: ldstr ""
IL_014f: stsfld Technitium.Config::VISIT_WEBSITE # 访问网站
IL_0154: ldstr ""
IL_0159: stsfld Technitium.Config::BLOCKER_WEBSITE # 阻断网站
IL_015e: ldstr ""
IL_0163: stsfld Technitium.Config::REGISTRY_PERSISTENCE
IL_0168: ldstr ""
IL_016d: stsfld Technitium.Config::HIDE_FILE # 隐藏文件
IL_0172: ldstr ""
IL_0177: stsfld Technitium.Config::DOWNLOAD_FILE # 下载文件
IL_017c: ldstr ""
IL_0181: stsfld Technitium.Config::DOWNLOAD_FILE_TYPE # 下载文件类型
IL_0186: ldstr ""
IL_018b: stsfld Technitium.Config::MESSAGE_TYPE # 消息类型定义
IL_0190: ldstr "[MTITLE]"
@NSFOCUS 2016  http://www.nsfocus.com
IL_0195: stsfld Technitium.Config::MESSAGE_TITLE # 消息头定义
IL_019a: ldstr "[MBODY]"
IL_019f: stsfld Technitium.Config::MESSAGE_BODY # 消息内容定义
IL_01a4: ldstr ""
IL_01a9: stsfld Technitium.Config::DISABLERS # 禁用系统功能 cmd
IL_01ae: ldstr ""
IL_01b3: stsfld Technitium.Config::BOT_KILLER # 关闭 Bot 功能
IL_01b8: ldstr ""
IL_01bd: stsfld Technitium.Config::ANTIVIRUS_KILLER # 关闭杀毒软件
IL_01c2: ldstr "0"
IL_01c7: stsfld Technitium.Config::DELAY_EXECUTION # 延迟执行
IL_01cc: ret

6 窃取密码

通过对该木马中的配置文件分析,其主要功能是实现密码窃取(其他功能项未配置),并且配置实用 EMAIL 方式上传收集到的用户密码信息。

0x02 窃取密码
通过邮件方式窃取收集到的用户密码信息:

7 Wireshark 抓包

从获取的网络数据包看出内容是经过 base64 编码的,将其解码后内容如下:

Dear iSpy Keylogger Customers,
Let us informed you that iSpy Keylogger is currently active now.
Best Regards
iSpySoft Admin
*********** Computer Information ***********
Username: WIN-86JN3PJSB51
Windows Installed: Microsoft Windows 7 家庭普通版
Local Date & Time: 2016/4/22 16:13:13
Installed Language: zh-CN
.NET Framework Installed: 2, 4
System Privileges: User
Default Browser: Not found!
Installed Anti-Virus:
Installed Firewall:
Internal IP: 192.168.78.130
External IP:
*********** Computer Information ***********

通过配置文件中的 EMAIL 配置信息,登录攻击者邮箱,其中,存在其已经获取到的用户信息:

]8 攻击者邮箱

0x03 样本跟踪
iSpySoft木马最早被出现于2016年1月27日,发展至今,其木马功能强大,最新版的程序使用 ConfuserEx v0.6.0 加密混淆器对其代码进行了处理。

0x04 行为分析

0x05 攻击目标定位

0x06 系统检测

0x07 绿盟科技专杀解决方案
短期服务:绿盟科技工程师现场木马后门清理服务(人工服务+IPS+TAC)。确保第一时间消除网络内相关风险点,控制事件影响范围,提供事件分析报告。 中期服务:提供 3-6 个月的风险监控与巡检服务(IPS+TAC+人工服务)。根除风险,确保事件不复发。 长期服务:基金行业业务风险解决方案(威胁情报+攻击溯源+专业安全服务)。