
[Virus Sample] A driver trojan, looking for the parent (dropper)

落华无痕
Posted on 2019-9-7 10:56:49
Last edited by 落华无痕 on 2019-9-7 10:59

Sample: https://www.lanzous.com/i6280bc



This one was taken off a netizen's machine; there is another one that just cannot be found no matter what.

The other one, the one that can't be found, has these characteristics:

1. It keeps modifying the IE proxy settings, which makes 360 Emergency Kit (360急救箱) in normal mode hang at the "checking and updating (applying proxy)" stage.

2. The virus impersonates system drivers. Checking the driver list in PCHunter, after every reboot there are two identical system drivers, and the driver it impersonates changes every time.

3. Booting WinPE with network access and doing a full-disk scan with 360 Emergency Kit found nothing.

4. It hijacks web pages: visiting certain pages redirects to a game launcher download page.

Given the information above, does anyone know which software dropped this driver?








lifan88
Posted on 2019-9-7 17:19:35
Last edited by lifan88 on 2019-9-7 21:13

Requesting the OP to pin this!

Key to the operation names:
REG_openkey: open a registry key
REG_getval: read a registry value
FILE_open: open a file
FILE_touch: create a file
FILE_truncate: truncate a file
FILE_write: write to a file
SYS_load_kmod: load a kernel module
NET_connect: network connection
NET_send: send a packet
NET_http: HTTP request
REG_mkkey: create a registry key
REG_setval: set a registry value






Operations that can be captured once the driver is loaded:

17:00:13:776, services.exe, 592:3392, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000000 [操作成功完成。  ],

17:00:13:776, services.exe, 592:3392, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000000 [操作成功完成。  ],

17:00:13:776, services.exe, 592:3392, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000000 [操作成功完成。  ],

17:00:13:776, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。  ],

17:00:13:776, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000000 [操作成功完成。  ],

17:00:13:776, System, 4:256, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service\ImagePath, type:0x00000002 datalen:76 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。  ],

17:00:13:776, System, 4:256, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。  ],

17:00:13:776, System, 4:256, 0, FILE_open, C:\Users\j8qq_000\Desktop\0Q0.sys, access:0x00000020 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。  ],

17:00:13:819, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\0Q0.sys, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。  ],

17:00:13:819, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\0Q0.sys, access:0x00020019 , 0xC0000034 [系统找不到指定的文件。  ],

17:00:13:819, System, 4:256, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。  ],

17:00:13:819, System, 4:256, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service\ImagePath, type:0x00000002 datalen:76 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。  ],

17:00:13:843, System, 4:256, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。  ],

17:00:13:859, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x000F003F , 0x00000000 [操作成功完成。  ],

17:00:13:859, System, 4:256, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service\ImagePath, type:0x00000002 datalen:76 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。  ],

17:00:13:859, System, 4:256, 0, FILE_open, C:\Users\j8qq_000\Desktop\0Q0.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, FILE_open, C:\Users\j8qq_000\Desktop\0Q0.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wjxpuimmx, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。  ],

17:00:13:865, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wjxpuimmx, access:0x000F003F , 0xC0000034 [系统找不到指定的文件。  ],

17:00:13:865, System, 4:256, 0, FILE_touch, C:\Windows\System32\drivers\wjxpuimmx.sys, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, FILE_truncate, C:\Windows\System32\drivers\wjxpuimmx.sys, eof:0x00000000 , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, FILE_write, C:\Windows\System32\drivers\wjxpuimmx.sys, offset:0x00000000 datalen:0x00022618 , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, FILE_modified, C:\Windows\System32\drivers\wjxpuimmx.sys, , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。  ],

17:00:13:865, System, 4:256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk, access:0x000F003F , 0xC0000034 [系统找不到指定的文件。  ],

17:00:13:865, System, 4:256, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。  ],

17:00:13:865, System, 4:256, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys, access:0x000F003F , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\DisplayName, type:0x00000001 datalen:28 data:'69 78 7A 62 6C 66 7A 73 6B 2E 73 79 73 00 ' , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\ErrorControl, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\ImagePath, type:0x00000001 datalen:92 data:'5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 ' , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\Group, type:0x00000001 datalen:8 data:'54 44 49 00 ' , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, FILE_touch, C:\Windows\System32\drivers\ixzblfzsk.sys, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, FILE_truncate, C:\Windows\System32\drivers\ixzblfzsk.sys, eof:0x00000000 , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, FILE_write, C:\Windows\System32\drivers\ixzblfzsk.sys, offset:0x00000000 datalen:0x00001E20 , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:256, 0, FILE_modified, C:\Windows\System32\drivers\ixzblfzsk.sys, , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:3416, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。  ],

17:00:13:865, services.exe, 592:3392, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000000 [操作成功完成。  ],

17:00:13:865, System, 4:3416, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, access:0x000F003F , 0x00000000 [操作成功完成。  ],

17:00:13:865, 加驱用.exe, 804:1060, 804, SYS_load_kmod, C:\Users\j8qq_000\Desktop\0Q0.sys, , 0x00000000 [操作成功完成。  ],

The above are the preparatory file and registry operations; below is the functionality the rootkit implements.

17:01:14:537, System, 4:3416, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。  ],

17:01:14:537, System, 4:3416, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters, access:0x00020019 , 0x00000000 [操作成功完成。  ],

17:01:14:537, System, 4:3416, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname, type:0x00000001 datalen:8 data:'68 00 68 00 68 00 00 00 ' , 0x00000000 [操作成功完成。  ],

17:01:14:537, System, 4:3416, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。  ],

17:01:14:537, System, 4:3416, 0, NET_send, 114.114.114.114:53, protocol:(UDP)1 datalen:36 data:'4C E8 01 00 00 01 00 00 00 00 00 00 04 73 79 74 ' , 0x00000000 [操作成功完成。  ],

17:01:14:599, System, 4:3416, 0, REG_mkkey, HKEY_LOCAL_MACHINE\SOFTWARE\PCID, access:0x000F003F , 0x00000000 [操作成功完成。  ],

17:01:14:599, System, 4:3416, 0, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\PCID\id, type:0x00000001 datalen:76 data:'7B 35 38 66 66 64 31 61 31 2D 64 31 34 63 2D 31 ' , 0x00000000 [操作成功完成。  ],

17:01:14:599, System, 4:3416, 0, NET_connect, 103.97.228.94:8019, protocol:(TCP)0 , 0x00000000 [操作成功完成。  ],

17:01:14:634, System, 4:3416, 0, NET_http, syte.xudaowang.com:8019/no008/jspc.ashx, protocol:(TCP)0 cmd:'POST' datalen:220 , 0x00000000 [操作成功完成。  ],

17:01:14:634, System, 4:3416, 0, NET_send, 103.97.228.94:8019, protocol:(TCP)0 datalen:220 data:'50 4F 53 54 20 2F 6E 6F 30 30 38 2F 6A 73 70 63 ' , 0x00000000 [操作成功完成。  ],

17:01:15:321, System, 4:3416, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。  ],

17:01:15:321, System, 4:3416, 0, NET_send, 114.114.114.114:53, protocol:(UDP)1 datalen:37 data:'4C E8 01 00 00 01 00 00 00 00 00 00 05 73 79 74 ' , 0x00000000 [操作成功完成。  ],

17:01:15:337, System, 4:3416, 0, NET_connect, 103.97.228.94:8020, protocol:(TCP)0 , 0x00000000 [操作成功完成。  ],

17:01:15:368, System, 4:3416, 0, NET_http, sytqq.xudaowang.com:8020/HelloWorld.html, protocol:(TCP)0 cmd:'GET' datalen:162 , 0x00000000 [操作成功完成。  ],

17:01:15:368, System, 4:3416, 0, NET_send, 103.97.228.94:8020, protocol:(TCP)0 datalen:162 data:'47 45 54 20 2F 48 65 6C 6C 6F 57 6F 72 6C 64 2E ' , 0x00000000 [操作成功完成。  ],

17:01:15:399, System, 4:3416, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。  ],

17:01:15:399, System, 4:3416, 0, NET_send, 114.114.114.114:53, protocol:(UDP)1 datalen:34 data:'4C E8 01 00 00 01 00 00 00 00 00 00 06 69 6D 67 ' , 0x00000000 [操作成功完成。  ],

17:01:15:415, System, 4:3416, 0, NET_connect, 180.163.198.48:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。  ],

17:01:15:415, System, 4:3416, 0, NET_http, imgsrc.baidu.com /tieba/pic/item/5bafa40f4bfbfbed1b4d375177f0f736afc31f83.jpg, protocol:(TCP)0 cmd:'GET' datalen:214 , 0x00000000 [操作成功完成。  ],

17:01:15:415, System, 4:3416, 0, NET_send, 180.163.198.48:80, protocol:(TCP)0 datalen:214 data:'47 45 54 20 2F 74 69 65 62 61 2F 70 69 63 2F 69 ' , 0x00000000 [操作成功完成。  ],

17:01:15:431, System, 4:3416, 0, NET_connect, 180.163.198.48:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。  ],

17:01:15:446, System, 4:3416, 0, NET_http, imgsrc.baidu.com /tieba/pic/item/b7003af33a87e95029ddf5421f385343faf2b4d1.jpg, protocol:(TCP)0 cmd:'GET' datalen:214 , 0x00000000 [操作成功完成。  ],

17:01:15:446, System, 4:3416, 0, NET_send, 180.163.198.48:80, protocol:(TCP)0 datalen:214 data:'47 45 54 20 2F 74 69 65 62 61 2F 70 69 63 2F 69 ' , 0x00000000 [操作成功完成。  ],

17:01:15:693, System, 4:3416, 0, FILE_touch, C:\Windows\System32\r6lstmp4.dat, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。  ],

17:01:15:693, System, 4:3416, 0, FILE_truncate, C:\Windows\System32\r6lstmp4.dat, eof:0x00000000 , 0x00000000 [操作成功完成。  ],

17:01:15:693, System, 4:3416, 0, FILE_write, C:\Windows\System32\r6lstmp4.dat, offset:0x00000000 datalen:0x001BD0E3 , 0x00000000 [操作成功完成。  ],

17:01:15:693, System, 4:3416, 0, FILE_modified, C:\Windows\System32\r6lstmp4.dat, , 0x00000000 [操作成功完成。  ],

17:01:38:163, System, 4:256, 0, FILE_write, C:\ProgramData\Microsoft\Windows\AppRepository\edb.chk, offset:0x00000000 datalen:0x00001000 , 0x00000000 [操作成功完成。  ],

Below is an overview of the hooks / hidden operations:
1. The driver registers only one system callback, a Shutdown callback; I guess it deletes its own file and the original registry key on reboot;
2. It creates several kernel threads, both networking ones and file-creating ones;
3. On first load it turns itself into a hidden driver and wipes its real address, then produces two new drivers and one DAT file. From this it can be inferred that this rootkit needs no parent: it is its own parent, and all it needs is something that can load a driver, or a whitelisted driver loader.

4. After a reboot both new drivers are loaded and each registers its own shutdown callback, and the original driver is gone. Also, on Win8.1 x64 there is no kernel-level deception going on; the author of this driver probably put the effort into Win10...

5. When offline, in HRSword (火绒剑) I kept seeing System reading DLLs needed in user mode, and it also opened svchost; I don't know whether that is normal system behaviour or controlled by the kernel threads...

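As an added example (not lifan88's code or the tracing tool's), a small Python parser for the trace format quoted above, with one detection rule for the behaviour a defender cares about: the System process (PID 4, i.e. kernel code) writing a .sys into System32\drivers and creating or populating a Services key, which is how the rootkit re-seeds its two randomly named drivers. The line layout and the decoding of the truncated hex dumps are inferred from the quoted lines and are assumptions.

```python
import re
# Line shape of the HRSword (火绒剑) trace quoted above, as I read it (an assumption):
#   time, process, pid:tid, ppid, op, target, details , status [message],
LINE_RE = re.compile(
    r"^(?P<time>[\d:]+), (?P<proc>[^,]+), (?P<pid>\d+):(?P<tid>\d+), (?P<ppid>\d+), "
    r"(?P<op>\w+), (?P<target>[^,]*), (?P<detail>.*?), (?P<status>0x[0-9A-Fa-f]{8}) \[(?P<msg>.*)\],\s*$")
DATA_RE = re.compile(r"data:'([0-9A-Fa-f ]*)'")
DRIVER_FILE = re.compile(r"\\System32\\drivers\\[^\\]+\.sys$", re.I)
SERVICE_KEY = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+", re.I)

def parse_line(line):
    """Split one trace line into named fields; None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def decode_data(detail):
    """Decode the hex dump in a data:'..' field (only the first 16 bytes are shown): UTF-16LE if every odd byte is NUL, else narrow text."""
    m = DATA_RE.search(detail)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw.decode("latin-1").rstrip("\x00")

def kernel_driver_installs(lines):
    """Flag successful events in which PID 4 (System, i.e. kernel code) writes a .sys into
    System32\\drivers or creates/sets a Services key: a service installer does this from user
    mode, a loaded driver doing it is the self-replication described in the post."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["pid"] != "4" or ev["status"] != "0x00000000":
            continue
        if ((ev["op"] in ("FILE_touch", "FILE_write") and DRIVER_FILE.search(ev["target"]))
                or (ev["op"] in ("REG_mkkey", "REG_setval") and SERVICE_KEY.search(ev["target"]))):
            findings.append({"time": ev["time"], "op": ev["op"], "target": ev["target"],
                             "data": decode_data(ev["detail"])})
    return findings

# Five lines copied verbatim from the trace in the post; the last (services.exe, a normal SCM lookup) must not be flagged.
SAMPLE = r"""
17:00:13:865, System, 4:256, 0, FILE_write, C:\Windows\System32\drivers\wjxpuimmx.sys, offset:0x00000000 datalen:0x00022618 , 0x00000000 [操作成功完成。  ],
17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\ImagePath, type:0x00000001 datalen:92 data:'5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 ' , 0x00000000 [操作成功完成。  ],
17:00:13:865, System, 4:256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ixzblfzsk.sys\Group, type:0x00000001 datalen:8 data:'54 44 49 00 ' , 0x00000000 [操作成功完成。  ],
17:00:13:776, System, 4:256, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service\ImagePath, type:0x00000002 datalen:76 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。  ],
17:00:13:776, services.exe, 592:3392, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0Q0_Service, access:0x00020019 , 0x00000000 [操作成功完成。  ],
""".strip().splitlines()
FINDINGS = kernel_driver_installs(SAMPLE)  # 3 hits: the .sys write plus the ImagePath and Group values
```

The decoded ImagePath value shows the new service pointing at a path under C:\WINDOWS\s..., and Group decodes to TDI, the network driver load group, consistent with the kernel-mode networking seen later in the trace.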

mr_bean_forever
Posted on 2019-9-7 10:59:09
Well, this one is exciting.

McAfee LiveSafe detects it.

The source is hard to find.

a233
Posted on 2019-9-7 10:59:49
Last edited by a233 on 2019-9-7 11:01

智量 detects it after it was reported.

mr_bean_forever
Posted on 2019-9-7 11:00:19
Kaspersky and G DATA can make a rescue boot disk, right? Try scanning from a boot disk.
saga3721
Posted on 2019-9-7 11:06:58
Avira (红伞) detects it.
a233
Posted on 2019-9-7 11:07:13
Avast

具具
Posted on 2019-9-7 11:07:23
Kaspersky detects it.
jdsh
Posted on 2019-9-7 11:08:27
fsp

SecureAPlus


wangyuhe
Posted on 2019-9-7 11:10:51
G DATA misses it.
By the way, have you all bought a house on KaFan or what?
www-tekeze
Posted on 2019-9-7 11:23:10
智量 has added it to its database and detects it; 火绒 misses. I'll try loading it when I have time..
