Thread starter: hsks

[Virus sample] Rootkit 1X

ANY.LNK
Posted on 2021-8-4 13:54:13
This post was last edited by ANY.LNK on 2021-8-4 14:00

Looks like they all use the same URL (IP). How about getting the AV to blacklist the related IPs?
tdsskiller
Posted on 2021-8-4 14:23:03
00006666 posted on 2021-8-4 07:35:
A driver sample can be loaded into the system with a tool, but 智量 probably doesn't do driver countermeasures at all.

[ANSI] 0x00050c76: 烫烫烫烫烫e:\巨灵驱动源码\fivesys_1\共享\cdriversock.cpp
[ANSI] 0x00050cb0: Buffer
[ANSI] 0x00050cb8: 烫烫烫烫BufferSize
[ANSI] 0x00050ccc: 烫烫WskBuffer
[ANSI] 0x00050cda: 烫烫烫超时时等待了%ums
[ANSI] 0x00050cf2: 烫烫烫烫烫烫烫\
[ANSI] 0x00050d0a: 烫烫烫
[ANSI] 0x00050d12: 烫烫烫烫烫烫烫H
[ANSI] 0x00050db8: 烫烫烫烫\
[ANSI] 0x00050dc4: 烫烫烫烫烫烫R
[ANSI] 0x00050de2: 烫烫烫烫烫烫烫H
[ANSI] 0x00050e16: 烫烫烫烫烫\
[ANSI] 0x00050e44: 烫烫烫烫烫烫H
[ANSI] 0x00050e74: 烫烫烫烫烫烫\
[ANSI] 0x00050f3a: 烫烫烫E
[ANSI] 0x00050f54: 烫烫烫烫烫烫C
[ANSI] 0x00050f96: 烫烫烫烫烫P
[ANSI] 0x00050fcc: 烫烫\
[ANSI] 0x00050fe8: 烫烫烫烫%02x
[ANSI] 0x00050ff6: 烫烫烫烫烫[MY-5]
[ANSI] 0x00051008: 烫烫烫烫
[ANSI] 0x00051012: 烫烫烫烫烫烫烫D:\record.txt
[ANSI] 0x00051032: 烫烫烫烫烫烫烫%s
[ANSI] 0x00051044: 烫烫烫烫烫烫向服务器IP:%d.%d.%d.%d:%d 发送的请求头:
[ANSI] 0x0005107e: 烫已经向IP:%d.%d.%d.%d:%d 发送请求:
[ANSI] 0x000510a8: 烫烫烫烫服务器IP:%d.%d.%d.%d:%d 响应的头:
[ANSI] 0x000510d8: 烫烫烫烫HTTP/
[ANSI] 0x000510e6: 烫烫烫烫烫
[ANSI] 0x000510f2: 烫烫烫烫烫烫烫%d
[ANSI] 0x00051104: 烫烫烫烫烫烫status: %d
[ANSI] 0x0005111c: 烫烫服务器IP:%d.%d.%d.%d:%d 数据接收完毕,长度: %d
[ANSI] 0x00051150: 向服务器IP:%d.%d.%d.%d:%d 发送的下载文件请求头:
[ANSI] 0x00051186: 烫烫烫烫烫已经向IP:%d.%d.%d.%d:%d 发送下载文件请求:
[ANSI] 0x000511c0: 服务器IP:%d.%d.%d.%d:%d 下载文件响应的头:
[ANSI] 0x000511f0: Content-Length:
[ANSI] 0x00051202: 烫烫烫烫烫烫烫Content-Length: %d
[ANSI] 0x00051224: 烫烫烫烫烫烫]
[ANSI] 0x00051232: 烫烫烫烫烫烫烫}
[ANSI] 0x00051242: 烫烫烫烫烫烫烫",
[ANSI] 0x00051254: 烫烫烫烫烫烫"}
[ANSI] 0x00051264: 烫烫烫烫烫烫/driverfile/shuiliasafao.txt
[ANSI] 0x0005128e: 烫开始解析域名:%s
[ANSI] 0x000512a2: 烫烫烫烫烫烫烫域名:%s Ip:%d.%d.%d.%d
[ANSI] 0x000512c8: 烫烫烫烫Api组IP随机后....!
[ANSI] 0x000512e4: 烫烫烫烫烫烫ip:%d.%d.%d.%d
[ANSI] 0x00051300: file.zkrf8ar.xyz
[ANSI] 0x00051312: 烫烫烫烫烫烫烫
[ANSI] 0x00051321: File组IP随机后....!
[ANSI] 0x00051336: 烫烫烫烫烫GET %s HTTP/1.1
[ANSI] 0x00051351: Host: %d.%d.%d.%d
[ANSI] 0x00051364: Cache-Control: max-age=0
[ANSI] 0x0005137e: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 sysWeb/1.0.1
[ANSI] 0x000513db: Connection: close
[ANSI] 0x000513f2: 烫烫烫烫烫烫烫尝试与该IP:%d.%d.%d.%d:%d进行连接.......
[ANSI] 0x0005142c: 烫烫U2FsdGVkX18vMO0FJpSKMOfKL2oCXJBBF2DXbyF2iAU4u0Nywpq9PlGoRu8a1fQB6PZfSKatcCs
[ANSI] 0x0005147c: 烫烫该IP:%d.%d.%d.%d:%d检测通过...OK!
[ANSI] 0x000514a4: 烫烫烫烫烫烫该IP:%d.%d.%d.%d:%d检测未通过,暂时无法连接,切换下一个尝试.......
[ANSI] 0x000514f4: 烫烫烫烫烫烫文件服务器探针请求头:%s
[ANSI] 0x0005151a: 烫烫烫已经发送文件服务器探针请求
[ANSI] 0x0005153c: 烫烫收到的文件服务器探针请求头:%s
[ANSI] 0x00051560: 文件服务器探针文件接收完毕,长度: %d
[ANSI] 0x00051586: 烫烫烫烫烫文件服务器探针内容:%s
[ANSI] 0x000515aa: 烫烫烫GET %s HTTP/1.1
[ANSI] 0x000515c1: Host: %d.%d.%d.%d
[ANSI] 0x000515d4: Connection: close
[ANSI] 0x000515ea: 烫烫烫下载文件发送的请求头:%s
[ANSI] 0x0005160a: 烫烫烫已经发送下载文件请求
[ANSI] 0x00051626: 烫烫烫烫烫收到的下载文件请求头:%s
[ANSI] 0x0005164a: 烫烫烫下载文件接收完毕,长度: %d
[ANSI] 0x0005166c: 烫烫
[ANSI] 0x00051674: 烫烫烫烫烫烫/driverfile/Jck.txt
[ANSI] 0x00051694: 烫烫烫烫烫烫|
[ANSI] 0x000516a2: 烫烫烫烫烫烫烫1
[ANSI] 0x000516b2: 烫烫烫烫烫烫烫2
[ANSI] 0x000516c2: 烫烫烫烫烫烫烫加载黑名单驱动被拦截 ,文件名:%wZ
[ANSI] 0x000516f2: 烫烫烫烫烫烫烫存在黑名单中的Md5一致,被拦截 ,文件名:%wZ
[ANSI] 0x0005172c: 烫烫\
[ANSI] 0x00051752: 烫烫烫烫烫烫烫\
[ANSI] 0x00051788: 烫烫烫烫\
[ANSI] 0x000517d6: 烫烫烫烫烫\
[ANSI] 0x000517e2: 烫烫烫烫烫烫烫e:\巨灵驱动源码\fivesys_1\文件保护\generictable.cpp
[ANSI] 0x00051824: 烫烫烫烫烫烫ByteSize <= FSCTX_GENERIC_TABLE_POOL_SIZE
[ANSI] 0x0005185a: 烫烫烫NULL
[ANSI] 0x00051866: 烫烫烫烫烫Zhang Zhengqi
[ANSI] 0x0005187e: 烫Haining shengdun Network Information Technology Co., Ltd
[ANSI] 0x000518ba: 烫烫烫SHENZHEN LIRINUO S
[ANSI] 0x000518d4: 烫烫烫烫烫烫Shanghai easy kradar Information Consulting Co.Ltd
[ANSI] 0x00051914: 烫烫烫烫烫烫Zhuhai liancheng Technology Co
[ANSI] 0x00051940: Beijing Chunbai Technology Development Co
[ANSI] 0x0005196a: 烫烫烫Xi'an Xinli Software Technology Co
[ANSI] 0x00051994: 烫烫烫烫烫烫新疆亿事联网络科技有限公司
[ANSI] 0x000519bc: 烫烫Handan City Congtai District LiKang Daily Goods Departmen
[ANSI] 0x000519fa: 烫烫烫上海域联软件技术有限公司
[ANSI] 0x00051a1a: 烫烫烫Hubei Olympic Tour Information Technology Co
[ANSI] 0x00051a4e: 烫Shanghai easy kradar Information Consulting Co
[ANSI] 0x00051a80: 深圳市大米虾科技有限公司
[ANSI] 0x00051a9a: 烫烫烫Xinyi Electronic Technology (Shanghai) Co
[ANSI] 0x00051aca: 烫烫烫Binzhoushi Yongyu Feed Co.,LTd
[ANSI] 0x00051af0: IsWhitelist->RvStrJson=%s
[ANSI] 0x00051b0c: 烫烫/api/safe/adopt
[ANSI] 0x00051b20: sysWeb/1.0.1
[ANSI] 0x00051b2e: 烫GET %s HTTP/1.1
[ANSI] 0x00051b41: Host: %d.%d.%d.%d
[ANSI] 0x00051b54: Cache-Control: max-age=0
[ANSI] 0x00051b6e: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 %s
[ANSI] 0x00051bc1: Connection: close
[ANSI] 0x00051bd8: 烫烫烫烫"filelist"
[ANSI] 0x00051bec: 烫烫得到filelist失败!
[ANSI] 0x00051c04: 烫烫烫烫烫烫得到filelist成功!
[ANSI] 0x00051c24: 烫烫烫烫烫烫item:%u为空!
[ANSI] 0x00051c40: value
[ANSI] 0x00051c46: 烫烫烫烫烫sysWeb/3.0.1
[ANSI] 0x00051c5e: 烫开始发送接口服务器IP:%d.%d.%d.%d:%d 探针请求...
[ANSI] 0x00051c92: 烫烫烫烫烫烫烫接口服务器IP:%d.%d.%d.%d:%d  探针检测通过...OK!
[ANSI] 0x00051cd2: 烫烫烫烫烫烫烫接口服务器IP:%d.%d.%d.%d:%d  探针检测失败.......!
[ANSI] 0x00051d14: 烫烫烫烫烫烫开始文件服务器IP:%d.%d.%d.%d:%d 探针请求...
[ANSI] 0x00051d4e: 烫文件服务器IP:%d.%d.%d.%d:%d  探针检测通过...OK!
[ANSI] 0x00051d82: 烫烫烫烫烫烫烫文件服务器IP:%d.%d.%d.%d:%d  探针检测失败.......!
[ANSI] 0x00051dc4: 烫烫烫烫烫烫\??\
[ANSI] 0x00051dd6: 烫烫烫烫烫MyDriver264
[ANSI] 0x00051dec: 烫烫link:%s
[ANSI] 0x00051dfa: 烫烫烫打开1号成功!
[ANSI] 0x00051e0e: 烫申请1号权限成功!
[ANSI] 0x00051e22: 烫烫烫烫烫烫烫F
[ANSI] 0x00051e46: 烫烫烫烫烫JsonStr:%s
[ANSI] 0x00051e5c: 烫烫文件:%s 需要自更...
[ANSI] 0x00051e76: 烫烫烫烫烫number=%s;name=%s;switch=%s;server=%s;tag=%s;altitude=%s;serverDownloadFileName=%s;serverDownloadFileMd5=%s;
[ANSI] 0x00051eee: 烫\system32\drivers\
[ANSI] 0x00051f04: 烫烫烫烫烫烫FiveFileNameUp
[ANSI] 0x00051f20: .del
[ANSI] 0x00051f26: 烫烫烫烫烫%s文件删除成功!
[ANSI] 0x00051f42: 烫烫烫烫烫烫烫%s文件删除失败!
[ANSI] 0x00051f62: 烫烫烫烫烫烫烫md5
[ANSI] 0x00051f74: 烫烫烫烫烫烫server
[ANSI] 0x00051f88: 烫烫烫烫tag
[ANSI] 0x00051f94: 烫烫烫烫烫烫altitude
[ANSI] 0x00051faa: 烫烫烫sysWeb/5.0.1
[ANSI] 0x00051fbe: 烫文件删除成功!
[ANSI] 0x00051fd0: 文件:%s保存成功!
[ANSI] 0x00051fe4: 烫烫烫烫烫烫文件:%s保存失败!
[ANSI] 0x00052004: 烫烫烫烫烫烫/driverfile/
[ANSI] 0x0005201e: 烫GET %s%s HTTP/1.1
[ANSI] 0x00052033: Host: %d.%d.%d.%d
[ANSI] 0x00052046: Cache-Control: max-age=0
[ANSI] 0x00052060: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 %s
[ANSI] 0x000520b3: Connection: close
[ANSI] 0x000520ca: 烫烫烫开始文件服务器IP:%d.%d.%d.%d:%d 下载文件请求...
[ANSI] 0x00052102: 烫烫烫烫烫烫烫H
[ANSI] 0x0005217c: 烫烫服务名:%s   REG路径=%wZ
[ANSI] 0x0005219a: 烫烫烫Group
[ANSI] 0x000521a6: 烫烫烫烫烫System Reserved
[ANSI] 0x000521c0: ImagePath
[ANSI] 0x000521ca: 烫烫烫System32\drivers\
[ANSI] 0x000521e2: 烫烫烫烫烫烫烫Start
[ANSI] 0x000521f6: 烫烫烫烫烫Tag
[ANSI] 0x00052204: 烫烫烫烫烫烫Type
[ANSI] 0x00052216: 烫烫烫烫烫WOW64
[ANSI] 0x00052226: 烫烫烫烫烫ErrorControl
[ANSI] 0x0005223e: 烫\Instances
[ANSI] 0x0005224c: 烫烫DefaultInstance
[ANSI] 0x00052261: Instance
[ANSI] 0x0005226a: 烫烫烫Altitude
[ANSI] 0x0005227a: 烫烫烫Flags
[ANSI] 0x00052286: 烫烫烫烫烫.
[ANSI] 0x00052292: 烫烫烫烫烫烫烫.sys
[ANSI] 0x000522a6: 烫烫烫烫烫%s 与 %s Md5不同.....开始更新....
[ANSI] 0x000522d4: 烫烫烫烫烫烫%s Down...OK..
[ANSI] 0x000522f0: 下载下来的文件md5:%s; 服务端返回的文件md5:%s
[ANSI] 0x0005231e: 烫%s 文件保存成功.....
[ANSI] 0x00052336: 烫烫烫烫烫%s Install...OK..
[ANSI] 0x00052354: 烫烫烫烫烫烫%s Install...Error..
[ANSI] 0x00052376: 烫烫烫烫烫%s 文件保存失败.....
[ANSI] 0x00052396: 烫烫烫烫烫%s Down文件Md5不匹配.....
[ANSI] 0x000523bc: 烫烫%s Down...Error..
[ANSI] 0x000523d4: 烫烫烫烫烫烫%s 与 %s Md5一致不需要更新!
[ANSI] 0x000523fe: 烫%s 文件不存在....开始更新.....
[ANSI] 0x00052420: 开始更新自身....
[ANSI] 0x00052432: 烫烫烫烫烫烫烫接口返回的MD5:%s; 下载后的文件MD5:%s
[ANSI] 0x00052466: 烫烫烫烫烫needupd
[ANSI] 0x00052478: 烫烫烫烫name
[ANSI] 0x00052486: 烫烫烫烫烫ver
[ANSI] 0x00052494: 烫烫烫烫烫烫filename
[ANSI] 0x000524aa: 烫烫烫result
[ANSI] 0x000524b8: 烫烫烫烫%d - fileName=%s result=%s DownFile=%s
[ANSI] 0x000524e8: 烫烫烫烫111111111111111
[ANSI] 0x00052500: /api/safe/checkdownloadfile?filelist=[{"name":"
[ANSI] 0x00052530: FiveSys_1.sys","md5":"
[ANSI] 0x00052548: 烫烫烫烫"}]
[ANSI] 0x00052554: 烫烫烫烫烫烫/api/popup/fiveDriveCheckdownloadfile?filelist=[{"name":"
[ANSI] 0x0005259a: 烫烫烫","md5":"
[ANSI] 0x000525aa: 烫烫烫判断Md5返回Json:%s;传递md5:%s
[ANSI] 0x000525d2: 烫烫烫烫烫烫烫/api/safe/checkver?name=FiveSys_1.sys&ver=
[ANSI] 0x0005260c: 烫烫3.0.0
[ANSI] 0x00052616: 烫烫烫烫烫VerJsonStr:%s
[ANSI] 0x0005262e: 烫number
[ANSI] 0x00052638: 烫烫烫烫switch
[ANSI] 0x00052648: 烫烫烫烫serverDownloadFileName
[ANSI] 0x00052668: 烫烫烫烫serverDownloadFileMd5
[ANSI] 0x00052686: 烫烫烫烫烫/api/drive_config/driveDownloadFileList
[ANSI] 0x000526b8: 烫烫烫烫%
[ANSI] 0x000526d2: 烫烫烫烫烫烫烫\Device\
[ANSI] 0x000526ea: 烫烫烫G
[ANSI] 0x00052724: 烫烫烫烫烫烫[%ws] IoCreateDevice failed!Error code:%x
[ANSI] 0x0005275c: 烫烫[%ws] IoCreateDevice success!
[ANSI] 0x00052780: [%ws] IoCreateSymbolicLink failed!Error code:%x
[ANSI] 0x000527b2: 烫烫烫烫烫烫烫MD5-%d:%s
[ANSI] 0x000527cc: 烫烫Sign-%d:%s
[ANSI] 0x000527dc: 烫烫FiveNameUp
[ANSI] 0x000527ec: 烫烫3
[ANSI] 0x000527fe: 烫WINDOWS
[ANSI] 0x00052808: 烫烫烫烫HKEY_LOCAL_MACHINE\SOFTWARE\jlcsl
[ANSI] 0x00052832: 烫烫烫烫烫烫烫123
[ANSI] 0x00052844: 烫烫烫烫烫烫five20210729165839
[ANSI] 0x00052864: 烫烫烫烫烫烫ProtectMode::InitMinifilert
[ANSI] 0x0005288c: 烫烫%s m_ServiceName:%wZ
[ANSI] 0x000528a6: 烫烫烫烫烫[%s] CreateMiniKey failed!Error code:%x
[ANSI] 0x000528da: 烫烫烫[%s] CreateMiniKey success!
[ANSI] 0x000528fe: 烫[%s] FslProtectRegistry failed!
[ANSI] 0x00052922: 烫烫烫烫烫烫烫[%s] StartMinifilter failed!Error code:%x
[ANSI] 0x0005295c: 烫烫[%s] StartMinifilter success!
[ANSI] 0x00052980: [%s] FslProtectRegistry success!
[ANSI] 0x000529a2: 烫烫烫烫烫烫烫D
[ANSI] 0x00052a3a: 烫烫烫\
[ANSI] 0x00052a56: 烫烫烫烫烫
[ANSI] 0x00052a74: 烫烫烫烫烫烫A
[ANSI] 0x00052a92: 烫烫烫烫烫烫烫F
[ANSI] 0x00052aac: 烫烫打开5号成功!
[ANSI] 0x00052abe: 烫申请5号权限成功!
[ANSI] 0x00052ad2: 烫烫烫烫烫烫烫ProtectMode::GetAccess
[ANSI] 0x00052af8: 烫烫烫烫[%s] ZwDeviceIoControlFile failed!Error code:%x
[ANSI] 0x00052b32: 烫烫烫烫烫烫烫[%s] ZwCreateFile failed!Error code:%x symLinkFullPath:%wZ
[ANSI] 0x00052b91: 0]锰
[ANSI] 0x00053408: SBhc
[ANSI] 0x00053594: (null)
[ANSI] 0x000535e9: `h````
[ANSI] 0x000535f1: xpxxpp
[ANSI] 0x00053d9d: \FiveSys_1\x64\Debug\FiveSys.pdb
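As an added illustration (not code from any poster in this thread): the 烫 runs in the dump above are the 0xCC bytes that MSVC debug builds use to fill uninitialised stack memory, rendered through the GBK code page, and a strings tool happily glues them onto the real string that follows. This Python strips that fill and pulls out the indicator-like strings a defender would pivot on (domain, API paths, registry key, PDB and source paths); the sample dump is a constructed subset of the strings quoted above.

```python
import re
from typing import Dict, List, Tuple

# 0xCC is the MSVC debug fill byte for uninitialised stack memory; two of them
# decode in GBK as U+70EB ("烫"), which is why the dump shows runs of it.
FILL_CHAR = b"\xcc\xcc".decode("gbk")

# Constructed sample in the same "[ANSI] addr: text" format as the quoted dump
# (only a handful of its lines, picked to cover each indicator category).
SAMPLE_DUMP = """\
[ANSI] 0x00050c76: 烫烫烫烫烫e:\\巨灵驱动源码\\fivesys_1\\共享\\cdriversock.cpp
[ANSI] 0x00050d0a: 烫烫烫
[ANSI] 0x00051300: file.zkrf8ar.xyz
[ANSI] 0x00051b0c: 烫烫/api/safe/adopt
[ANSI] 0x00051b20: sysWeb/1.0.1
[ANSI] 0x00052808: 烫烫烫烫HKEY_LOCAL_MACHINE\\SOFTWARE\\jlcsl
[ANSI] 0x000525d2: 烫烫烫烫烫烫烫/api/safe/checkver?name=FiveSys_1.sys&ver=
[ANSI] 0x00053d9d: \\FiveSys_1\\x64\\Debug\\FiveSys.pdb
"""

LINE_RE = re.compile(r"^\[ANSI\] (0x[0-9a-fA-F]+): (.*)$")


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Return (address, string) pairs with the 0xCC fill stripped off the
    front and entries that were nothing but fill dropped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = m.group(2).lstrip(FILL_CHAR)
        if len(s) >= 2:            # single leftover chars are still fill noise
            out.append((m.group(1), s))
    return out


def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Sort the cleaned strings into the categories worth hunting on."""
    ind: Dict[str, List[str]] = {"domains": [], "api_paths": [], "registry": [],
                                 "pdb": [], "source_paths": []}
    for _, s in parse_dump(text):
        if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", s):
            ind["domains"].append(s)
        elif s.startswith("/api/"):
            ind["api_paths"].append(s)
        elif s.startswith("HKEY_"):
            ind["registry"].append(s)
        elif s.lower().endswith(".pdb"):
            ind["pdb"].append(s)
        elif re.match(r"^[a-zA-Z]:\\", s):   # drive-letter build path
            ind["source_paths"].append(s)
    return ind
```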
00006666
Posted on 2021-8-4 15:41:02
Tested on Win 7 64-bit.

360急救箱 in strong mode removes the driver's startup entry.
pal家族
Posted on 2021-8-4 16:03:50
tdsskiller posted on 2021-8-4 14:23:
[ANSI] 0x00050c76: 烫烫烫烫烫e:\巨灵驱动源码\fivesys_1\共享\cdriversock.cpp
[ANSI] 0x00050cb0: Bu ...

Wielding two 锟斤拷, crying out 烫烫烫.
a27573
Posted on 2021-8-4 16:03:52
tdsskiller posted on 2021-8-4 14:23:
[ANSI] 0x00050c76: 烫烫烫烫烫e:\巨灵驱动源码\fivesys_1\共享\cdriversock.cpp
[ANSI] 0x00050cb0: Bu ...

At first glance it wasn't packed, so I figured reversing wouldn't be hard, but then:
https://bbs.kafan.cn/forum.php?m ... 49&pid=49227483

It's all "sp analysis failed" and JUMPOUT.
petr0vic
Posted on 2021-8-4 16:20:15
Your submission has been analyzed. A corresponding record has been added to the Dr.Web virus database and will be available with the next update.


Threat: Trojan.Rootkit.22118
keen-qv
Posted on 2021-8-4 16:36:14
tdsskiller posted on 2021-8-4 14:23:
[ANSI] 0x00050c76: 烫烫烫烫烫e:\巨灵驱动源码\fivesys_1\共享\cdriversock.cpp
[ANSI] 0x00050cb0: Bu ...

Is this a rap? Hahaha, that many 烫 would scald your mouth.
tdsskiller
Posted on 2021-8-4 17:01:24

No VMP is already doing you a favour; could it be the LLVM kind?
a27573
Posted on 2021-8-4 17:30:25
This post was last edited by a27573 on 2021-8-9 20:45
tdsskiller posted on 2021-8-4 17:01:
No VMP is already doing you a favour; could it be the LLVM kind?

Edited.


a27573
Posted on 2021-8-9 20:46:13
tdsskiller posted on 2021-8-4 17:01:
No VMP is already doing you a favour; could it be the LLVM kind?

It's VMP3, I was being dumb.
Sorry.
Copyright © KaFan  KaFan.cn All Rights Reserved.