Sample 1 of CTB-LOCKER swindlers virus downloader shelling

Source: Internet
Author: User


I. Introduction to the virus

The CTB-LOCKER ransomware was first seen abroad and consists of two parts: a downloader and the component that encrypts the victim's documents. The author disguised the downloader as an e-mail attachment and sent it to employees or executives of large companies. When a recipient downloads the attachment, unzips it and runs the file inside (a .scr executable or similar, as shown in the figure), many files on the computer are encrypted, the ransom prompt shown in figure 1 appears, and the desktop wallpaper is replaced (figure 2).



I. Virus Information

Unpacking the CTB-LOCKER sample under a debugger follows a fairly regular pattern: in OllyDbg (OD), set F2 breakpoints on jump instructions such as jmp and on the key call instructions, run with F9, and at each new stage repeat the same breakpoints on the next jumps and calls, until an indirect jump of the form jmp [eax] appears; from there, single-step carefully. As follows:



Go to address 00401DF4, set breakpoints on the jump instructions and key calls as described above, and run with F9.



Repeat the above steps to continue the dynamic debugging:


When execution reaches the point shown below, the unpacked code is not far away:




Finally, we reach the target instruction, jmp dword ptr ds:[ESI]:





After some persistence, we finally located the memory address of the target PE file to dump: 008F0000.


Select all of the binary data in memory from address 008F0000 onwards, then copy it.


The bytes of the in-memory PE file are now on the clipboard. In WinHex, create a new empty file, paste the copied bytes into it (Ctrl+V) and save it:



Copying the memory page by page like this is tedious. There is also a one-step way to dump the target PE file: set breakpoints on the VirtualProtect and VirtualProtectEx functions (the unpacking stub calls these to change the page protection of the freshly written image before jumping into it):



Run with F9. When the breakpoint is hit, the target PE file can be obtained from memory with the manual dump method described above.


IV. Virus analysis

The unpacked sample can now be analysed in the normal way, in OllyDbg or IDA as you prefer.



That is all for now; comments and criticism are welcome.

