annyoung


Analysis Life

Football Day macro detected as a virus?

nopsled 2015. 4. 18. 01:24

SHA256: 6f248cc9d914356e8511b323a229d782f599cc114f5071ec06a92c9915bf867b
File name: FD_Auto_IE_1.09_beta4.exe
Detection ratio: 23 / 56
Analysis date: 2015-04-11 00:08:30 UTC (6 days, 15 hours ago)

Antivirus | Result | Update
(an empty result, shown as "-", means that engine did not flag the file)

ALYac | Trojan.Generic.12895123 | 20150410
AVware | Trojan.Win32.Generic!BT | 20150410
Ad-Aware | Trojan.Generic.12895123 | 20150410
Avast | Win32:Malware-gen | 20150411
BitDefender | Trojan.Generic.12895123 | 20150411
Comodo | UnclassifiedMalware | 20150410
Cyren | W32/AutoIt.DB.gen!Eldorado | 20150411
DrWeb | Trojan.DownLoader12.50138 | 20150411
Emsisoft | Trojan.Generic.12895123 (B) | 20150411
F-Prot | W32/AutoIt.DB.gen!Eldorado | 20150411
F-Secure | Trojan.Generic.12895123 | 20150411
Fortinet | W32/Hra.CJ!tr | 20150410
GData | Trojan.Generic.12895123 | 20150411
Ikarus | Trojan.Win32.Agent | 20150410
McAfee | RDN/Generic.hra!cj | 20150410
McAfee-GW-Edition | BehavesLike.Win32.Dropper.fh | 20150410
MicroWorld-eScan | Trojan.Generic.12895123 | 20150410
Qihoo-360 | HEUR/QVM10.1.Malware.Gen | 20150411
Symantec | WS.Reputation.1 | 20150410
Tencent | Win32.Trojan.Rogue.Llhe | 20150411
TrendMicro-HouseCall | TROJ_GEN.R047H06D615 | 20150411
VIPRE | Trojan.Win32.Generic!BT | 20150411
nProtect | Trojan.Generic.12895123 | 20150410
AVG | - | 20150410
AegisLab | - | 20150410
Agnitum | - | 20150409
AhnLab-V3 | - | 20150410
Alibaba | - | 20150411
Antiy-AVL | - | 20150410
Baidu-International | - | 20150410
Bkav | - | 20150410
ByteHero | - | 20150411
CAT-QuickHeal | - | 20150410
CMC | - | 20150410
ClamAV | - | 20150410
ESET-NOD32 | - | 20150410
Jiangmin | - | 20150409
K7AntiVirus | - | 20150410
K7GW | - | 20150410
Kaspersky | - | 20150410
Kingsoft | - | 20150411
Malwarebytes | - | 20150411
Microsoft | - | 20150411
NANO-Antivirus | - | 20150410
Norman | - | 20150410
Panda | - | 20150410
Rising | - | 20150410
SUPERAntiSpyware | - | 20150410
Sophos | - | 20150410
TheHacker | - | 20150410
TotalDefense | - | 20150410
TrendMicro | - | 20150411
VBA32 | - | 20150410
ViRobot | - | 20150410
Zillya | - | 20150409
Zoner | - | 20150410
https://www.virustotal.com/ko/file/6f248cc9d914356e8511b323a229d782f599cc114f5071ec06a92c9915bf867b/analysis/



It's one of those macros that runs Football Day with IE deactivated (minimized) to gain in-game benefits.

Looking it up, it is being distributed on Tistory.

The version detected as a virus is 1.09_beta4.

Of the 56 antivirus engines, 26 detect it as a virus.

McAfee says dropper? ALYac says Generic? Symantec just reputation?

What is going on here.. I decided to analyze it and reason it through.




Since macros are mostly AHK, AutoIt, VB or C#, the first thing to look at when starting is the resource section.

The resource section holds 6 folders and 20 files in total. In there are GROUP_ICON, ICON, MANIFEST, MENU, RCDATA, VERSION and string.txt.





Contents of string.txt:

    101 (Paused)
    102 AutoIt Error
    103 AutoIt has detected the stack has become corrupt.\n\nStack corruption typically occurs when either the wrong calling convention is used or when the function is called with the wrong number of arguments.\n\nAutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions.  The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead.  See the DllCall() documentation for details on changing the calling convention.
    104 "EndWith" missing "With".
    105 Badly formatted "Func" statement.
    106 "With" missing "EndWith".
    107 Missing right bracket ')' in expression.
    108 Missing operator in expression.
    109 Unbalanced brackets in expression.
    110 Error in expression.
    111 Error parsing function call.
    112 Incorrect number of parameters in function call.
    113 "ReDim" used without an array variable.
    114 Illegal text at the end of statement (one statement per line).
    115 "If" statement has no matching "EndIf" statement.
    116 "Else" statement with no matching "If" statement.
    117 "EndIf" statement with no matching "If" statement.
    118 Too many "Else" statements for matching "If" statement.
    119 "While" statement has no matching "Wend" statement.
    120 "Wend" statement with no matching "While" statement.
    121 Variable used without being declared.
    122 Array variable has incorrect number of subscripts or subscript dimension range exceeded.
    123 Variable subscript badly formatted.
    124 Subscript used on non-accessible variable.
    125 Too many subscripts used for an array.
    126 Missing subscript dimensions in "Dim" statement.
    127 No variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
    128 Expected a "=" operator in assignment statement.
    129 Invalid keyword at the start of this line.
    130 Array maximum size exceeded.
    131 "Func" statement has no matching "EndFunc".
    132 Duplicate function name.
    133 Unknown function name.
    134 Unknown macro.
    136 Unable to get a list of running processes.
    138 Invalid element in a DllStruct.
    139 Unknown option or bad parameter specified.
    140 Unable to load the internet libraries.
    141 "Struct" statement has no matching "EndStruct".
    142 Unable to open file, the maximum number of open files has been exceeded.
    143 "ContinueLoop" statement with no matching "While", "Do" or "For" statement.
    144 Invalid file filter given.
    145 Expected a variable in user function call.
    146 "Do" statement has no matching "Until" statement.
    147 "Until" statement with no matching "Do" statement.
    148 "For" statement is badly formatted.
    149 "Next" statement with no matching "For" statement.
    150 "ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.
    151 "For" statement has no matching "Next" statement.
    152 "Case" statement with no matching "Select"or "Switch" statement.
    153 "EndSelect" statement with no matching "Select" statement.
    154 Recursion level has been exceeded - AutoIt will quit to prevent stack overflow.
    155 Cannot make existing variables static.
    156 Cannot make static variables into regular variables.
    157 Badly formated Enum statement
    159 This keyword cannot be used after a "Then" keyword.
    160 "Select" statement is missing "EndSelect" or "Case" statement.
    161 "If" statements must have a "Then" keyword.
    162 Badly formated Struct statement.
    163 Cannot assign values to constants.
    164 Cannot make existing variables into constants.
    165 Only Object-type variables allowed in a "With" statement.
    166 "long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated.  Use "long*", "int*" and "short*" instead.
    167 Object referenced outside a "With" statement.
    168 Nested "With" statements are not allowed.
    169 Variable must be of type "Object".
    170 The requested action with this object has failed.
    171 Variable appears more than once in function declaration.
    172 ReDim array can not be initialized in this manner.
    173 An array variable can not be used in this manner.
    174 Can not redeclare a constant.
    175 Can not redeclare a parameter inside a user function.
    176 Can pass constants by reference only to parameters with "Const" keyword.
    177 Can not initialize a variable with itself.
    178 Incorrect way to use this parameter.
    179 "EndSwitch" statement with no matching "Switch" statement.
    180 "Switch" statement is missing "EndSwitch" or "Case" statement.
    181 "ContinueCase" statement with no matching "Select"or "Switch" statement.
    182 Assert Failed!
    184 Obsolete function/parameter.
    185 Invalid Exitcode (reserved for AutoIt internal use).
    186 Variable cannot be accessed in this manner.
    187 Func reassign not allowed.
    188 Func reassign on global level not allowed.
    5000 Unable to parse line.
    5001 Unable to open the script file.
    5002 String missing closing quote.
    5003 Badly formated variable or macro.
    5004 Missing separator character after keyword.

Opening string.txt in Notepad here, you can easily tell it's AutoIt.

The AutoHotkey_L build looks similar to AutoIt and even has an RCDATA resource section. Anyway, now that we know it's AutoIt, we decompile it and look at the source.
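As an added example (my own code, not from the post or the macro), here is the same identification done from a script: it looks for the runtime strings from the string.txt dump above (they sit in the PE as UTF-16LE) plus the "AU3!" tag that precedes the embedded compiled script in AutoIt v3 binaries, and hashes the file so the result can be compared with the VirusTotal SHA256. It reads the file raw without a PE parser; the two byte strings at the bottom are constructed stand-ins, not real samples.

```python
import hashlib
from pathlib import Path

# Strings from the AutoIt runtime's resource string table (stored as UTF-16LE
# in the PE), taken from the string.txt dump quoted in the post.
AUTOIT_RESOURCE_STRINGS = (
    "AutoIt Error",
    "AutoIt has detected the stack has become corrupt.",
    "See the DllCall() documentation for details on changing the calling convention.",
)
# Tag that opens the compiled script appended to AutoIt v3 executables.
AU3_SCRIPT_MAGIC = b"AU3!"


def autoit_markers(data: bytes) -> dict:
    """Map each AutoIt marker found in `data` to its byte offset."""
    found = {}
    for text in AUTOIT_RESOURCE_STRINGS:
        off = data.find(text.encode("utf-16-le"))
        if off != -1:
            found[text] = off
    off = data.find(AU3_SCRIPT_MAGIC)
    if off != -1:
        found["AU3! script header"] = off
    return found


def is_probably_autoit(data: bytes) -> bool:
    """Require two independent markers so one stray string does not decide."""
    return len(autoit_markers(data)) >= 2


def triage(path: str) -> dict:
    """Hash the file (to compare with the VirusTotal SHA256) and classify it."""
    data = Path(path).read_bytes()
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "autoit": is_probably_autoit(data),
        "markers": autoit_markers(data),
    }


# Constructed stand-ins (not real files): a fake AutoIt image and a non-AutoIt one.
FAKE_AUTOIT = (
    b"MZ" + b"\x00" * 64
    + "AutoIt Error".encode("utf-16-le") + b"\x00" * 8
    + "AutoIt has detected the stack has become corrupt.".encode("utf-16-le")
    + b"\x00" * 8 + b"AU3!EA06" + b"\x00" * 16
)
FAKE_OTHER = b"MZ" + b"\x00" * 64 + "AutoHotkey".encode("utf-16-le")
```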






When I first saw the source line count I was really shocked. -_-;;; 11837... And on top of that it was perfectly clean code. Even after reading on and on, I have no idea what it is being detected on.





    Func __guictrlcombobox_ispressed($shexkey, $vdll = "user32.dll")
        Local $a_r = DllCall($vdll, "short", "GetAsyncKeyState", "int", "0x" & $shexkey)
        If @error Then Return SetError(@error, @extended, False)
        Return BitAND($a_r[0], 32768) <> 0
    EndFunc

Is it because of this part (GetAsyncKeyState: an API used for keylogging, also often used when sending keys in games)? But if that were it, the antivirus detection names don't match..





    Case "form"
        $shtml &= "<!DOCTYPE html>" & @CR
        $shtml &= "<html>" & @CR
        $shtml &= "<head>" & @CR
        $shtml &= '<meta content="text/html; charset=UTF-8" http-equiv="content-type">' & @CR
        $shtml &= '<title>_IE_Example("form")</title>' & @CR
        $shtml &= "<style>body {font-family: Arial}" & @CR
        $shtml &= "td {padding:6px}</style>" & @CR
        $shtml &= "</head>" & @CR
        $shtml &= "<body>" & @CR
        $shtml &= "<form name=""ExampleForm"" onSubmit=""javascript:alert('ExampleFormSubmitted');"" method=""post"">" & @CR
        $shtml &= '<table style="border-spacing:6px 6px;" border=1>' & @CR
        $shtml &= "<tr>" & @CR
        $shtml &= "<td>ExampleForm</td>" & @CR
        $shtml &= "<td>&lt;form name=""ExampleForm"" onSubmit=""javascript:alert('ExampleFormSubmitted');"" method=""post""&gt;</td>" & @CR
        $shtml &= "</tr>" & @CR
        $shtml &= "<tr>" & @CR
        $shtml &= '<td>Hidden Input Element<input type="hidden" name="hiddenExample" value="secret value"></td>' & @CR
        $shtml &= '<td>&lt;input type="hidden" name="hiddenExample" value="secret value"&gt;</td>' & @CR
        $shtml &= "</tr>" & @CR
        $shtml &= "<tr>" & @CR
        $shtml &= "<td>" & @CR
        $shtml &= '<input type="text" name="textExample" value="http://" size="20" maxlength="30">' & @CR
        $shtml &= "</td>" & @CR
        $shtml &= '<td>&lt;input type="text" name="textExample" value="http://" size="20" maxlength="30"&gt;</td>' & @CR
        $shtml &= "</tr>" & @CR
        $shtml &= "<tr>" & @CR
        $shtml &= "<td>" & @CR
        $shtml &= '<input type="password" name="passwordExample" size="10">' & @CR
        $shtml &= "</td>" & @CR
        $shtml &= '<td>&lt;input type="password" name="passwordExample" size="10"&gt;</td>' & @CR
        $shtml &= "</tr>" & @CR
        $shtml &= "<tr>" & @CR
        $shtml &= "<td>" & @CR
        $shtml &= '<input type="file" name="fileExample">' & @CR
        $shtml &= "</td>" & @CR
        $shtml &= '<td>&lt;input type="file" name="fileExample"&gt;</td>' & @CR
        $shtml &= "</tr>" & @CR
        $shtml &= "<tr>" & @CR
        $shtml &= "<td>" & @CR
        $shtml &= '<input type="image" name="imageExample" alt="AutoIt Homepage" src="http://www.autoitscript.com/images/autoit_6_240x100.jpg">' & @CR
        $shtml &= "</td>" & @CR
        $shtml &= '<td>&lt;input type="image" name="imageExample" alt="AutoIt Homepage" src="http://www.autoitscript.com/images/autoit_6_240x100.jpg"&gt;</td>' & @CR
        $shtml &= "</tr>" & @CR
        $shtml &= "<tr>" & @CR
        $shtml &= "<td>" & @CR

Or is it because of the password part? -_- I don't get it.

What on earth is it looking at to flag this?





    Func __iecreatenewie($stitle, $shead = "", $sbody = "")
        Local $stemp = __ietempfile("", "~IE~", ".htm")
        If @error Then
            __ieconsolewriteerror("Error", "_IECreateHTA", "", "Error creating temporary file in @TempDir or @ScriptDir")
            Return SetError($_iestatus_generalerror, 1, 0)
        EndIf
        Local $shtml = ""
        $shtml &= "<!DOCTYPE html>" & @CR
        $shtml &= "<html>" & @CR
        $shtml &= "<head>" & @CR
        $shtml &= '<meta content="text/html; charset=UTF-8" http-equiv="content-type">' & @CR
        $shtml &= "<title>" & $stemp & "</title>" & @CR & $shead & @CR
        $shtml &= "</head>" & @CR
        $shtml &= "<body>" & @CR & $sbody & @CR
        $shtml &= "</body>" & @CR
        $shtml &= "</html>"
        Local $hfile = FileOpen($stemp, $fo_overwrite)
        FileWrite($hfile, $shtml)
        FileClose($hfile)

After searching some more, it looks like this part is what gets it flagged as malicious.

It drops a ~IE~.htm file into the temp directory, and I think it's flagged because that looks like a dropper.
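As an added example (my own code, not the post's or the macro's), here is a small static triage pass over the decompiled source that reports the two spots the post points at: the DllCall into GetAsyncKeyState and the temp-file creation plus FileWrite in __iecreatenewie, each with its line number, and a combined "create temp file, then write it" check that mirrors the dropper shape the post suspects. The rule names and regexes are my own labels; the sample script is assembled from the excerpts quoted above.

```python
import re

# Each rule is (name, regex). Names are this example's own labels, not AV names.
RULES = (
    ("keystate-api", r'DllCall\(.*"GetAsyncKeyState"'),   # key-state polling API
    ("temp-file-create", r'__ietempfile\(|@TempDir'),     # path under the temp dir
    ("file-write", r'\bFileWrite\('),                     # content written to disk
)


def triage_script(src: str) -> list:
    """Return (line_no, rule_name, line) for every script line that matches a rule."""
    hits = []
    for no, line in enumerate(src.splitlines(), 1):
        for name, pattern in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((no, name, line.strip()))
    return hits


def looks_like_dropper(hits: list) -> bool:
    """The shape the post suspects: a temp-dir file is created and then written."""
    names = {name for _, name, _ in hits}
    return {"temp-file-create", "file-write"} <= names


# Constructed sample assembled from the excerpts quoted in the post.
SCRIPT = '''\
Func __guictrlcombobox_ispressed($shexkey, $vdll = "user32.dll")
Local $a_r = DllCall($vdll, "short", "GetAsyncKeyState", "int", "0x" & $shexkey)
Return BitAND($a_r[0], 32768) <> 0
EndFunc
Func __iecreatenewie($stitle, $shead = "", $sbody = "")
Local $stemp = __ietempfile("", "~IE~", ".htm")
Local $hfile = FileOpen($stemp, $fo_overwrite)
FileWrite($hfile, $shtml)
FileClose($hfile)
EndFunc
'''
```

Both excerpts are stock AutoIt UDF code (GuiComboBox.au3 and IE.au3), so a rule this coarse, like a generic "Dropper" heuristic, will fire on many benign AutoIt compiles that include those libraries.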



Is that really it? I don't know for sure.

Looking for anyone who can analyze AutoIt..-_-;;
