Analysis of a Trojan

Source: Internet
Author: User
Tags: password protection


I. Main program process analysis:
Main program name: ctfmon.exe (impersonates the Windows input-method configuration program of the same name)
Packer: none
Programming language: assembly (estimated)
 
1. Uses the GetLogicalDriveStringsA API to obtain all drive letters on the system and stores them in a single string;
 
2. Reads the 0x1C4 bytes at the end of its own file and, using the DWORD value in the last 4 bytes of that block, allocates memory of that size (0x2A00 bytes) with the NEW function;
 
3. Reads the 0x2A00 bytes that sit (0x1C4 + 0x2A00) bytes before the end of its own file and stores them in the memory allocated with NEW above;
 
4. Terminates the main game program, *****nest.exe;
 
5. Locates the directory where the game is installed from the registry keys SOFTWARE\snda\dn and
Software\Microsoft\Windows\ShellNoRoam\MUICache
and generates gamewidget.dll and midimap.dll there. Their content is the 0x2A00-byte block read above, written 2001 times, followed by the 0x1C4 bytes from the end of the file: 20.5 MB (21,515,204 bytes) in total (too large -.-). (Because I did not have this game installed, these registry entries did not exist; I created the Software\snda\dn key myself and supplied a path.)
 
6. Uses the SearchTreeForFile API to search every drive letter (with several drives or a large hard disk this takes a long time) for the dnlauncher.exe program; once found, it creates gamewidget.dll and midimap.dll in that directory. Since I had no game installed, I created a dnlauncher.exe file myself (-.-).
 
7. The self-deletion performed by this program depends on whether Rising (antivirus) is installed on the machine. If Rising is not installed, it moves itself into the RECYCLER folder on the drive it runs from and renames itself to the number returned by GetTickCount with a .tmp suffix. On Windows XP this location is above the Recycle Bin directory shown on the desktop, so the file is not visible when you open the Recycle Bin from the desktop. If Rising is installed, this processing is skipped. Finally, the file is deleted the next time the computer restarts.
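As an added example (not code from the original write-up), the following Python sketches how a defender would parse the file layout described in steps 2, 3 and 5: a trailing 0x1C4-byte block whose last DWORD gives the payload size, and dropped DLLs made of that payload repeated 2001 times plus the trailer (2001 * 0x2A00 + 0x1C4 = 21,515,204, matching the size quoted above). The sample carrier is constructed with placeholder bytes and a placeholder URL; the trailer-string layout is an assumption based on the dump in section II.

```python
import struct

TRAILER_LEN = 0x1C4   # config block at the end of the file (from the write-up)
REPEAT = 2001         # copies of the payload written into each dropped DLL

def split_carrier(data: bytes):
    """Return (stub, payload, trailer) for [stub][payload of N bytes][trailer],
    N being the little-endian DWORD in the trailer's last 4 bytes."""
    if len(data) < TRAILER_LEN:
        raise ValueError("file too small to carry a trailer")
    trailer = data[-TRAILER_LEN:]
    n = struct.unpack_from("<I", trailer, TRAILER_LEN - 4)[0]
    if n == 0 or len(data) < TRAILER_LEN + n:
        raise ValueError(f"implausible payload size 0x{n:X}")
    cut = len(data) - TRAILER_LEN - n
    return data[:cut], data[cut:-TRAILER_LEN], trailer

def trailer_strings(trailer: bytes, min_len: int = 4):
    """(offset, text) for each printable-ASCII run of min_len+ bytes (URLs, markers)."""
    found, i = [], 0
    while i < len(trailer):
        j = i
        while j < len(trailer) and 0x20 <= trailer[j] < 0x7F:
            j += 1
        if j - i >= min_len:
            found.append((i, trailer[i:j].decode("ascii")))
        i = j + 1
    return found

def expected_dropped_size(payload_len: int) -> int:
    """Size of gamewidget.dll / midimap.dll: REPEAT copies plus the trailer."""
    return payload_len * REPEAT + TRAILER_LEN

def is_dropped_dll(data: bytes) -> bool:
    """True if data is one payload block repeated REPEAT times plus its trailer."""
    try:
        _stub, payload, trailer = split_carrier(data)
    except ValueError:
        return False
    return (len(data) == expected_dropped_size(len(payload))
            and data[:-TRAILER_LEN] == payload * REPEAT)

def build_sample_carrier() -> bytes:
    """Constructed stand-in for the dropper (placeholder bytes, not the real trojan)."""
    payload = bytes(range(256)) * (0x2A00 // 256)       # 0x2A00 = 42 * 256
    trailer = bytearray(TRAILER_LEN)
    trailer[0:0x20] = b"http://example.invalid/cfg.asp".ljust(0x20, b"\0")
    trailer[TRAILER_LEN - 4:] = struct.pack("<I", len(payload))
    return b"MZ" + b"\x90" * 510 + payload + bytes(trailer)
```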
 
II. Process analysis of the generated DLL module:
1. The gamewidget.dll and midimap.dll mentioned above have identical content. Although the file is large (repeated content), it is still packed with UPX (UPX 0.80-1.24 DLL). The ESP trick unpacks it easily, and PEiD identifies it as a Microsoft Visual C++ 6.0 DLL.
 
2. The DLL first loads the midimap.dll from the system directory (on Windows XP, Windows\system32), copies it to the same directory as lqmidimap.dll, and creates a thread.
 
3. On entering the thread, it creates a mutex object to prevent the thread from running more than once. Next it checks whether the name of the main module is "******Nest.exe". If not, it exits; if so, it continues with the following steps.
 
4. Reads the last 0x1C4 bytes of its own file (note that the tail of the file differs before and after unpacking; to make debugging easier, you can append the tail data of the packed file to the unpacked DLL) and decrypts those 0x1C4 bytes through a step-by-step transformation algorithm. The decrypted data is as follows:
 
10004C48 68 74 70 3A 2F 68 61 68 61 61 35 2E 68 61 6F http://haha5.hao
10004C58 72 65 6E 36 37 38 2E 63 6F 6D 3A 38 30 31 31 2F ren678.com: 8011/
10004C68 66 65 6E 2F 71 6C 6E 62 32 30 2F 61 73 64 66 61 fen/qlnb20/asdfa
10004C78 67 61 73 61 73 64 66 7A 78 63 76 2E 61 73 70 gasasdfgzxcv. asp
10004C88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10004C98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10004CA8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10004CB8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10004CC8 68 74 74 70 3A 2F 68 61 68 61 61 35 2E 68 61 6F http://haha5.hao
10004CD8 72 65 6E 36 37 38 2E 63 6F 6D 3A 38 30 31 31 2F ren678.com: 8011/
10004CE8 66 65 6E 2F 71 6C 6E 62 32 30 2F 61 73 64 66 61 fen/qlnb20/asdfa
10004CF8 67 61 73 61 73 64 66 67 7A 78 63 76 2E 61 73 70 gasasdfgzxcv. asp
10004D08 68 74 70 3A 2F 68 61 68 61 35 2E 68 61 6F ttp: // haha5.hao
10004D18 72 65 6E 36 37 38 2E 63 6F 6D 3A 38 30 31 31 2F ren678.com: 8011/
10004D28 66 65 6E 2F 71 6C 6E 62 32 30 2F 61 73 64 66 61 fen/qlnb20/asdfa
10004D38 67 61 73 61 73 64 66 7A 78 63 76 2E 61 00 00 gasasdfgzxcv. ..
10004D48 68 74 70 3A 2F 68 61 68 61 61 35 2E 68 61 6F http://haha5.hao
10004D58 72 65 6E 36 37 38 2E 63 6F 6D 3A 38 30 31 31 2F ren678.com: 8011/
10004D68 66 65 6E 2F 71 6C 6E 62 32 30 2F 61 73 64 66 61 fen/qlnb20/asdfa
10004D78 67 61 73 61 73 64 66 7A 78 63 76 2E 61 73 70 gasasdfgzxcv. asp
10004D88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10004D98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10004DA8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10004DB8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10004DC8 78 73 73 00 00 00 00 00 00 00 00 00 00 00 00 xxss ............
10004DD8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10004DE8 61 62 63 64 00 00 00 00 00 00 00 00 00 00 abcd ............
10004DF8 31 37 34 30 39 34 38 00 00 00 00 00 00 17409488 ........
10004E08 00 2A 00 .*..
 
The DLL then takes http://haha5.haoren678.com:8011/fen/qlnb20/asdfagasasdfgzxcv.asp
and replaces asdfagasasdfgzxcv.asp with MIBAO.ASP,
giving: http://haha5.haoren678.com:8011/fen/qlnb20/MIBAO.ASP
(a counterfeit account password-protection page? -.-)
 
5. Hooks the MessageBoxTimeoutW function in user32.dll.
I don't know what it does there.
 
6. Next it finds the gwCore.dll module and hooks a series of locations in that DLL; looking at this in IDA is bewildering. It then searches for the SDOA4ClientCom.dll module and performs a series of hooks there as well.
 
7. Reads the SERVER entry from the LZGSERVER.ini file, uses the URLDownloadToFileA function to fetch the web page http://patch.dn.sdo.com/sndalist/sndalist_new.xml
and saves it to the local TEMP directory as SerList.xml, then performs some searching and comparison on it. The thread then ends.
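As an added example (not part of the original write-up), the following Python turns the host artifacts described in section I (steps 5 to 7) and section II (step 2) into a simple directory triage: dropped gamewidget.dll / midimap.dll files of exactly 21,515,204 bytes, the lqmidimap.dll copy next to the system midimap.dll, and a <number>.tmp file inside a RECYCLER folder. The directory layout it builds for testing is constructed, not taken from a real infection.

```python
import os
import re
import tempfile

DROPPED_SIZE = 21_515_204                  # dropped DLL size per the write-up
DROPPED_NAMES = {"gamewidget.dll", "midimap.dll"}
TICK_TMP = re.compile(r"^\d+\.tmp$", re.I)  # GetTickCount() value + ".tmp"

def triage_tree(root: str):
    """Walk root and return sorted (indicator, path) pairs for the artifacts the
    write-up describes. A normal midimap.dll in system32 is not flagged,
    because only the 21,515,204-byte dropped copies match on size."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parts = {p.lower() for p in dirpath.split(os.sep)}
        for name in files:
            low, path = name.lower(), os.path.join(dirpath, name)
            if low in DROPPED_NAMES and os.path.getsize(path) == DROPPED_SIZE:
                hits.append(("dropped_dll", path))       # section I, steps 5/6
            elif low == "lqmidimap.dll":
                hits.append(("midimap_copy", path))      # section II, step 2
            elif "recycler" in parts and TICK_TMP.match(name):
                hits.append(("recycler_tmp", path))      # section I, step 7
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed directory layout (not a real infection) to run triage on."""
    root = tempfile.mkdtemp()
    game = os.path.join(root, "Games", "DN")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    recycler = os.path.join(root, "RECYCLER")
    for d in (game, sys32, recycler):
        os.makedirs(d)
    with open(os.path.join(game, "dnlauncher.exe"), "wb") as f:
        f.write(b"MZ")
    with open(os.path.join(game, "midimap.dll"), "wb") as f:
        f.truncate(DROPPED_SIZE)   # sparse file: only the size matters here
    for n in ("midimap.dll", "lqmidimap.dll"):
        open(os.path.join(sys32, n), "wb").close()   # legit file + hijack copy
    open(os.path.join(recycler, "123456789.tmp"), "wb").close()
    return root
```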
 
III. Subsequent analysis:
It seems the analysis so far is not very satisfying, and you may not have seen the trojan doing anything evil. Yes, I did not see it either, because its key functions are carried out in the code that the hooks jump to. Most of the above was static analysis in IDA, following the program flow.

So as not to disappoint everyone, and so that I would not feel too unfulfilled, I looked at the problem from the other direction. Judging from the analysis so far and the functions in the import table, the trojan is at least suspected of screen capture and of sending data over the network. So let's trace these two aspects.
 
1. Network packet sending analysis:
Remember the URL we obtained in the DLL analysis above:
http://haha5.haoren678.com:8011/fen/qlnb20/MIBAO.ASP
Using IDA, look at where this string is referenced; it is really rewarding:
[Screenshot 1.JPG]
 
Follow the CALL to sub_10002B9E and you will find the HTTP data sending and receiving operations:

UPX0:10002DB7 push eax
UPX0:10002DB8 push offset aPostSHttp1_1Ac ; "POST %s HTTP/1.1 Accept: text/plain,*"...
UPX0:10002DBD push ebx ; Dest
UPX0:10002DBE call sprintf
UPX0:10002DC4 add esp, 54h
UPX0:10002DC7 lea eax, [ebp+Dest]
.......................................... unrelated code in the middle omitted ......................................................
UPX0:10002E2C push offset aQlmmsg ; "qlmmsg"
UPX0:10002E31 push eax
UPX0:10002E32 push offset aGetSHt ; "GET %s HT"
UPX0:10002E37 push ebx ; Dest
UPX0:10002E38 call sprintf
UPX0:10002E3E push ebx ; Str
UPX0:10002E3F call strlen
UPX0:10002E44 add esp, 18h
UPX0:10002E47 mov esi, eax
UPX0:10002E49
UPX0:10002E49 loc_10002E49: ; CODE XREF: sub_10002B9E+278j
UPX0:10002E49 xor edi, edi
UPX0:10002E4B push edi ; flags
UPX0:10002E4C push esi ; len
UPX0:10002E4D push ebx ; buf
UPX0:10002E4E push [ebp+s] ; s
UPX0:10002E51 call send ; send data
.......................................... unrelated code in the middle omitted ......................................................
UPX0:10002E86 push edi ; flags
UPX0:10002E87 push esi ; len
UPX0:10002E88 push eax ; buf
UPX0:10002E89 push [ebp+s] ; s
UPX0:10002E8C call recv ; receive data
UPX0:10002E92 cmp eax, 0FFFFFFFFh
UPX0:10002E95 jz short loc_10002EDB
UPX0:10002E97 mov esi, offset aHttp1_1400 ; "HTTP/1.1 400"
 
2. Process analysis:
When we analyzed the DLL in section II, it was mentioned that the DLL hooks gwCore.dll, so that execution inside gwCore.dll is transferred into its own DLL. The last of those hooks (which I named hook_9 in the IDB file) in turn hooks another DLL, SDOA4ClientCom.dll (that hook is named hook_8). The hook_8 code contains the following behaviors:

2.1 Creates a thread to enumerate the windows on the screen.
[Screenshot 2.JPG]

2.2 Uses the GetClassName API to obtain the class name of each enumerated window and compares whether the class name matches
"IEFrame" and "ShImgVw:CPrev
