[Masked post] **** is being used as a pharming malware distribution site
At the request of an outside party, the site address and the title have been masked.
At the moment only the binary used for the pharming attack is hosted there. The site looks like it was compromised and is being used as a distribution point.
Field | Value |
---|---|
FileName | hripr.exe |
MD5 | 5D55740A1849BA19DCE2A94E59F2515C |
SHA-1 | 925FC976BB9EE71E1F70595B011994394AC6285F |
Packer | PE-PACK v1.0 by ANAKiN 1998 (???) |
[Malware information table] (for how to unpack it, see http://nopsled.tistory.com/164.)
RedTom21@hotmail.com
Is this the malware author's e-mail address? I'm not sure.
```
00401B0B /$ 55            PUSH EBP
00401B0C |. 8BEC          MOV EBP,ESP
00401B0E |. 83EC 28       SUB ESP,28
00401B11 |. 56            PUSH ESI
00401B12 |. 57            PUSH EDI
00401B13 |. B9 06000000   MOV ECX,6
00401B18 |. BE 48714000   MOV ESI,hripr.00407148                   ; ASCII "ekimhuqcroanflvzgdjtxypswb"
00401B1D |. 8D7D DC       LEA EDI,DWORD PTR SS:[EBP-24]
00401B20 |. F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00401B22 |. 66:A5         MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
00401B24 |. A4            MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00401B25 |. FF15 10504000 CALL DWORD PTR DS:[405010]               ; [GetTickCount
00401B2B |. 50            PUSH EAX                                 ; /seed
00401B2C |. FF15 C4524000 CALL DWORD PTR DS:[4052C4]               ; \srand
00401B32 |. 83C4 04       ADD ESP,4
00401B35 |. FF15 D4524000 CALL DWORD PTR DS:[4052D4]               ; [rand
00401B3B |. 99            CDQ
00401B3C |. B9 0A000000   MOV ECX,0A
00401B41 |. F7F9          IDIV ECX
00401B43 |. 8955 FC       MOV DWORD PTR SS:[EBP-4],EDX
00401B46 |. 8B55 FC       MOV EDX,DWORD PTR SS:[EBP-4]
00401B49 |. 3B55 0C       CMP EDX,DWORD PTR SS:[EBP+C]
00401B4C |. 7C 08         JL SHORT hripr.00401B56
00401B4E |. 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401B51 |. 8945 D8       MOV DWORD PTR SS:[EBP-28],EAX
00401B54 |. EB 06         JMP SHORT hripr.00401B5C
00401B56 |> 8B4D 0C       MOV ECX,DWORD PTR SS:[EBP+C]
00401B59 |. 894D D8       MOV DWORD PTR SS:[EBP-28],ECX
00401B5C |> 8B55 D8       MOV EDX,DWORD PTR SS:[EBP-28]
00401B5F |. 8955 FC       MOV DWORD PTR SS:[EBP-4],EDX
00401B62 |. C745 F8 00000>MOV DWORD PTR SS:[EBP-8],0
00401B69 |. EB 09         JMP SHORT hripr.00401B74
00401B6B |> 8B45 F8       /MOV EAX,DWORD PTR SS:[EBP-8]
00401B6E |. 83C0 01       |ADD EAX,1
00401B71 |. 8945 F8       |MOV DWORD PTR SS:[EBP-8],EAX
00401B74 |> 8B4D F8        MOV ECX,DWORD PTR SS:[EBP-8]
00401B77 |. 3B4D FC       |CMP ECX,DWORD PTR SS:[EBP-4]
00401B7A |. 7D 1C         |JGE SHORT hripr.00401B98
00401B7C |. FF15 D4524000 |CALL DWORD PTR DS:[4052D4]              ; [rand
00401B82 |. 99            |CDQ
00401B83 |. B9 1A000000   |MOV ECX,1A
00401B88 |. F7F9          |IDIV ECX
00401B8A |. 8B45 08       |MOV EAX,DWORD PTR SS:[EBP+8]
00401B8D |. 0345 F8       |ADD EAX,DWORD PTR SS:[EBP-8]
00401B90 |. 8A4C15 DC     |MOV CL,BYTE PTR SS:[EBP+EDX-24]
00401B94 |. 8808          |MOV BYTE PTR DS:[EAX],CL
00401B96 |.^ EB D3        \JMP SHORT hripr.00401B6B
00401B98 |> 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401B9B |. 5F            POP EDI
00401B9C |. 5E            POP ESI
00401B9D |. 8BE5          MOV ESP,EBP
00401B9F |. 5D            POP EBP
00401BA0 \. C3            RETN
```
This is the routine that generates the random file names. It seeds the CRT PRNG with GetTickCount(), computes n = rand() % 10 and raises it to the second argument if it is smaller (the argument is a minimum length; the call site further down passes 5), then fills the output buffer with n characters taken from "ekimhuqcroanflvzgdjtxypswb" (a permutation of a-z, indexed with rand() % 26) and returns n in EAX. So the length is max(min_len, rand() % 10) rather than a fixed 6: the names seen in this run are 4 to 8 characters long (svtm, ruqhe, ynpltj, hidjiu, enubwadv). The generated name is then used for the self-copy.
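The same logic in Python, as an added example rather than code from the original post. The sample imports the CRT's srand()/rand(); MSVC's CRT implements rand() as a 32-bit LCG, and emulating it means the name produced for a given GetTickCount() value can be reproduced offline. The tick-count seeds used below are made up for the demonstration.

```python
# Added example: re-implementation of the name generator at 00401B0B.
# The sample calls the CRT srand()/rand(); MSVC's CRT implements rand() as a
# 32-bit LCG, so emulating it reproduces the names for a given seed.
ALPHABET = "ekimhuqcroanflvzgdjtxypswb"  # string at hripr.00407148, a permutation of a-z
assert len(ALPHABET) == 26


class MsvcRand:
    """MSVC CRT srand()/rand(): holdrand = holdrand * 214013 + 2531011 (mod 2**32),
    rand() returns (holdrand >> 16) & 0x7FFF."""

    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def rand(self):
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def random_name(min_len, tick_count):
    """Mirror of sub_401B0B(buf, min_len) with GetTickCount() replaced by tick_count.

    n = rand() % 10, raised to min_len if smaller (00401B49..00401B5F), then
    buf[i] = ALPHABET[rand() % 26] for i < n (00401B6B..00401B96); n is returned
    in EAX, so the name is max(min_len, rand() % 10) characters long.
    """
    rng = MsvcRand(tick_count)          # srand(GetTickCount())
    n = rng.rand() % 10
    if n < min_len:
        n = min_len
    return "".join(ALPHABET[rng.rand() % 26] for _ in range(n))


if __name__ == "__main__":
    # made-up tick counts; the call site at 004022D7 passes min_len = 5
    for tick in (1, 0x0001E240, 0x00ABCDEF):
        print(hex(tick), random_name(5, tick))
```

Because the routine reseeds from GetTickCount() on every call, two calls that land in the same millisecond tick return the same name; in the run on this page the directory, DLL and EXE names all differ, so the calls were far enough apart.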
```
00401DCF |. 52            PUSH EDX                                 ; /Buffer
00401DD0 |. 68 04010000   PUSH 104                                 ; |BufSize = 104 (260.)
00401DD5 |. FF15 1C504000 CALL DWORD PTR DS:[40501C]               ; \GetTempPathA
00401DDB |. 8D85 ECFEFFFF LEA EAX,DWORD PTR SS:[EBP-114]
00401DE1 |. 50            PUSH EAX                                 ; /<%s>
00401DE2 |. 8D8D E0FCFFFF LEA ECX,DWORD PTR SS:[EBP-320]           ; |
00401DE8 |. 51            PUSH ECX                                 ; |<%s>
00401DE9 |. 68 64714000   PUSH hripr.00407164                      ; |Format = "%s\%s.exe"
00401DEE |. 8D95 FCFEFFFF LEA EDX,DWORD PTR SS:[EBP-104]           ; |
00401DF4 |. 52            PUSH EDX                                 ; |s
00401DF5 |. FF15 F8524000 CALL DWORD PTR DS:[4052F8]               ; \wsprintfA
00401DFB |. 83C4 10       ADD ESP,10
00401DFE |. 6A 00         PUSH 0                                   ; /hTemplateFile = NULL
00401E00 |. 68 80000000   PUSH 80                                  ; |Attributes = NORMAL
00401E05 |. 6A 02         PUSH 2                                   ; |Mode = CREATE_ALWAYS
00401E07 |. 6A 00         PUSH 0                                   ; |pSecurity = NULL
00401E09 |. 6A 02         PUSH 2                                   ; |ShareMode = FILE_SHARE_WRITE
00401E0B |. 68 00000040   PUSH 40000000                            ; |Access = GENERIC_WRITE
00401E10 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]           ; |
00401E16 |. 50            PUSH EAX                                 ; |FileName = "C:\DOCUME~1\nopsled\LOCALS~1\Temp\\ynpltj.exe"
00401E17 |. FF15 70504000 CALL DWORD PTR DS:[405070]               ; \CreateFileA
... (omitted) ...
00401E44 |. 6A 64         PUSH 64                                  ; /Timeout = 100. ms
00401E46 |. FF15 20504000 CALL DWORD PTR DS:[405020]               ; \Sleep
00401E4C |. 6A 00         PUSH 0                                   ; /pOverlapped = NULL
00401E4E |. 8D85 DCFCFFFF LEA EAX,DWORD PTR SS:[EBP-324]           ; |
00401E54 |. 50            PUSH EAX                                 ; |pBytesWritten
00401E55 |. 8B8D E4FDFFFF MOV ECX,DWORD PTR SS:[EBP-21C]           ; |
00401E5B |. 51            PUSH ECX                                 ; |nBytesToWrite
00401E5C |. 8B95 CCFCFFFF MOV EDX,DWORD PTR SS:[EBP-334]           ; |
00401E62 |. 52            PUSH EDX                                 ; |Buffer
00401E63 |. 8B85 D0FCFFFF MOV EAX,DWORD PTR SS:[EBP-330]           ; |
00401E69 |. 50            PUSH EAX                                 ; |hFile
00401E6A |. FF15 18504000 CALL DWORD PTR DS:[405018]               ; \WriteFile
00401E70 |. 6A 64         PUSH 64                                  ; /Timeout = 100. ms
00401E72 |. FF15 20504000 CALL DWORD PTR DS:[405020]               ; \Sleep
00401E78 |. 6A 00         PUSH 0                                   ; /pOverlapped = NULL
00401E7A |. 8D8D DCFCFFFF LEA ECX,DWORD PTR SS:[EBP-324]           ; |
00401E80 |. 51            PUSH ECX                                 ; |pBytesWritten
00401E81 |. 8B95 D8FCFFFF MOV EDX,DWORD PTR SS:[EBP-328]           ; |
00401E87 |. 52            PUSH EDX                                 ; |nBytesToWrite
00401E88 |. 8B85 D4FCFFFF MOV EAX,DWORD PTR SS:[EBP-32C]           ; |
00401E8E |. 50            PUSH EAX                                 ; |Buffer
00401E8F |. 8B8D D0FCFFFF MOV ECX,DWORD PTR SS:[EBP-330]           ; |
00401E95 |. 51            PUSH ECX                                 ; |hFile
00401E96 |. FF15 18504000 CALL DWORD PTR DS:[405018]               ; \WriteFile
00401E9C |. 8B95 D0FCFFFF MOV EDX,DWORD PTR SS:[EBP-330]
00401EA2 |. 52            PUSH EDX                                 ; /hObject
00401EA3 |. FF15 0C504000 CALL DWORD PTR DS:[40500C]               ; \CloseHandle
```
It copies itself to %TEMP%\[random].exe. The copy is written with two WriteFile calls from two separate buffers, 100 ms apart. Note the doubled backslash in the resulting path ("Temp\\ynpltj.exe"): GetTempPathA already returns a trailing backslash and the "%s\%s.exe" format string adds another, which is a small but stable artifact of this sample.
```
0012F664 00401F5F /CALL to wsprintfA from hripr.00401F59
0012F668 0012F690 |s = 0012F690
0012F66C 00407170 |Format = "cmd.exe /c ping 127.0.0.1 -n 2&%s "%s""
0012F670 0012FCC0 |<%s> = "C:\DOCUME~1\nopsled\LOCALS~1\Temp\\ynpltj.exe"
0012F674 0012FBAC \<%s> = "C:\Documents and Settings\nopsled\바탕 화면\hripr.exe"
```
This builds the command line that relaunches the copy in %TEMP% after a short delay (two echo requests to 127.0.0.1, on the order of a second), passing the path of the original executable as its single argument.
```
0012F66C 00401F71 /CALL to WinExec from hripr.00401F6B
0012F670 0012F690 |CmdLine = "cmd.exe /c ping 127.0.0.1 -n 2&C:\DOCUME~1\nopsled\LOCALS~1\Temp\\ynpltj.exe "C:\Documents and Settings\nopsled\바탕 화면\hripr.exe""
0012F674 00000000 \ShowState = SW_HIDE
```
WinExec runs %TEMP%\[random].exe through cmd.exe with ShowState = SW_HIDE, so no window is shown.
```
00402077 |. 68 B8714000   PUSH hidjiu.004071B8                     ; /ResourceType = "REGISTRY"
0040207C |. 68 95000000   PUSH 95                                  ; |ResourceName = 95
00402081 |. 6A 00         PUSH 0                                   ; |hModule = NULL
00402083 |. FF15 48504000 CALL DWORD PTR DS:[405048]               ; \FindResourceA
...(omitted)...
004020A5 |. 50            PUSH EAX                                 ; /hResource
004020A6 |. 6A 00         PUSH 0                                   ; |hModule = NULL
004020A8 |. FF15 44504000 CALL DWORD PTR DS:[405044]               ; \LoadResource
...(omitted)...
004020CA |. 51            PUSH ECX                                 ; /hResource
004020CB |. 6A 00         PUSH 0                                   ; |hModule = NULL
004020CD |. FF15 40504000 CALL DWORD PTR DS:[405040]               ; \SizeofResource
...(omitted)...
004020F5 |. 50            PUSH EAX                                 ; /n = 2E000 (188416.) // Buffer size
004020F6 |. 8B8D D4FCFFFF MOV ECX,DWORD PTR SS:[EBP-32C]           ; |
004020FC |. 51            PUSH ECX                                 ; |/nHandles
004020FD |. FF15 74504000 CALL DWORD PTR DS:[405074]               ; |\SetHandleCount
00402103 |. 50            PUSH EAX                                 ; |src
00402104 |. 8B55 E8       MOV EDX,DWORD PTR SS:[EBP-18]            ; |
00402107 |. 52            PUSH EDX                                 ; |dest
00402108 |. E8 21250000   CALL hidjiu.0040462E                     ; \memcpy
```
The copy, now running from %TEMP% (hidjiu.exe in this run) with the original's path as its argument, looks up the encrypted resource of type "REGISTRY" with ID 0x95 in its own resource section, loads it, and takes its size (0x2E000 = 188,416 bytes) as the size of the buffer to decrypt; the resource bytes are memcpy'd into that buffer.
```
00402134 |> /8B8D D0FCFFFF /MOV ECX,DWORD PTR SS:[EBP-330]
0040213A |. |83C1 01       |ADD ECX,1
0040213D |. |898D D0FCFFFF |MOV DWORD PTR SS:[EBP-330],ECX
00402143 |> |8B95 D0FCFFFF  MOV EDX,DWORD PTR SS:[EBP-330]
00402149 |. |3B95 94FBFFFF |CMP EDX,DWORD PTR SS:[EBP-46C]
0040214F |. |0F8D 93000000 |JGE hidjiu.004021E8
00402155 |. |8B85 D0FCFFFF |MOV EAX,DWORD PTR SS:[EBP-330]
0040215B |. |99            |CDQ
0040215C |. |B9 03000000   |MOV ECX,3
00402161 |. |F7F9          |IDIV ECX
00402163 |. |83FA 02       |CMP EDX,2
00402166 |. |75 19         |JNZ SHORT hidjiu.00402181
00402168 |. |8B55 E8       |MOV EDX,DWORD PTR SS:[EBP-18]
0040216B |. |0395 D0FCFFFF |ADD EDX,DWORD PTR SS:[EBP-330]
00402171 |. |8A02          |MOV AL,BYTE PTR DS:[EDX]
00402173 |. |2A45 EC       |SUB AL,BYTE PTR SS:[EBP-14]
00402176 |. |8B4D E8       |MOV ECX,DWORD PTR SS:[EBP-18]
00402179 |. |038D D0FCFFFF |ADD ECX,DWORD PTR SS:[EBP-330]
0040217F |. |8801          |MOV BYTE PTR DS:[ECX],AL
00402181 |> |8B85 D0FCFFFF |MOV EAX,DWORD PTR SS:[EBP-330]
00402187 |. |99            |CDQ
00402188 |. |B9 03000000   |MOV ECX,3
0040218D |. |F7F9          |IDIV ECX
0040218F |. |83FA 01       |CMP EDX,1
00402192 |. |75 1C         |JNZ SHORT hidjiu.004021B0
00402194 |. |8B55 E8       |MOV EDX,DWORD PTR SS:[EBP-18]
00402197 |. |0395 D0FCFFFF |ADD EDX,DWORD PTR SS:[EBP-330]
0040219D |. |8A02          |MOV AL,BYTE PTR DS:[EDX]
0040219F |. |2A85 DCFDFFFF |SUB AL,BYTE PTR SS:[EBP-224]
004021A5 |. |8B4D E8       |MOV ECX,DWORD PTR SS:[EBP-18]
004021A8 |. |038D D0FCFFFF |ADD ECX,DWORD PTR SS:[EBP-330]
004021AE |. |8801          |MOV BYTE PTR DS:[ECX],AL
004021B0 |> |8B85 D0FCFFFF |MOV EAX,DWORD PTR SS:[EBP-330]
004021B6 |. |99            |CDQ
004021B7 |. |B9 03000000   |MOV ECX,3
004021BC |. |F7F9          |IDIV ECX
004021BE |. |85D2          |TEST EDX,EDX
004021C0 |. |75 21         |JNZ SHORT hidjiu.004021E3
004021C2 |. |8B55 EC       |MOV EDX,DWORD PTR SS:[EBP-14]
004021C5 |. |0395 DCFDFFFF |ADD EDX,DWORD PTR SS:[EBP-224]
004021CB |. |8B45 E8       |MOV EAX,DWORD PTR SS:[EBP-18]
004021CE |. |0385 D0FCFFFF |ADD EAX,DWORD PTR SS:[EBP-330]
004021D4 |. |8A08          |MOV CL,BYTE PTR DS:[EAX]
004021D6 |. |2ACA          |SUB CL,DL
004021D8 |. |8B55 E8       |MOV EDX,DWORD PTR SS:[EBP-18]
004021DB |. |0395 D0FCFFFF |ADD EDX,DWORD PTR SS:[EBP-330]
004021E1 |. |880A          |MOV BYTE PTR DS:[EDX],CL
004021E3 |>^\E9 4CFFFFFF   \JMP hidjiu.00402134
```
The buffer goes through the decryption loop above: for every offset i below the resource size ([EBP-46C]), one key byte is subtracted from the byte at i, and which key is used depends on i mod 3. Offsets with i mod 3 == 2 subtract the byte at [EBP-14], offsets with i mod 3 == 1 subtract the byte at [EBP-224], and offsets with i mod 3 == 0 subtract the sum of the two. The two key bytes are set up elsewhere and are not visible in this listing. Subtraction with per-position keys is trivially invertible, and since the decrypted buffer is written out as a DLL, the known "MZ" bytes at offsets 0 and 1 are enough to pin both keys.
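The loop re-implemented in Python, as an added example rather than code from the post or the sample, together with its inverse so a constructed blob can be round-tripped. The real values of the two key bytes at [EBP-14] and [EBP-224] are not shown in the listing, so the keys below are placeholders, and the PE header the example encrypts is constructed for the test. recover_keys() shows the point made above: because offset 1 is keyed with k2 alone and offset 0 with k1 + k2, the known "MZ" plaintext pins both keys, and the "PE\0\0" signature at e_lfanew confirms them.

```python
# Added example: the decryption loop at 00402134..004021E3 and its inverse.
# k1 = byte the sample keeps at [EBP-14], k2 = byte at [EBP-224]; their real
# values are not visible in the listing, so placeholders are used below.

def _key_for(offset, k1, k2):
    """Key byte the loop subtracts at a given offset (three-way switch on offset % 3)."""
    r = offset % 3
    if r == 2:
        return k1 & 0xFF           # 00402173: SUB AL, BYTE PTR [EBP-14]
    if r == 1:
        return k2 & 0xFF           # 0040219F: SUB AL, BYTE PTR [EBP-224]
    return (k1 + k2) & 0xFF        # 004021C2..004021D6: EDX = k1 + k2; SUB CL, DL


def decrypt_resource(blob, k1, k2):
    """What the sample does to the "REGISTRY" resource before dropping it."""
    return bytes((b - _key_for(i, k1, k2)) & 0xFF for i, b in enumerate(blob))


def encrypt_resource(plain, k1, k2):
    """Inverse of the loop (what the builder did to produce the resource)."""
    return bytes((b + _key_for(i, k1, k2)) & 0xFF for i, b in enumerate(plain))


def recover_keys(blob):
    """Derive (k1, k2) from the fact that the payload is a PE file.

    Offset 1 is keyed with k2 alone and offset 0 with k1 + k2, so the known
    plaintext b"MZ" pins both bytes; the PE signature at e_lfanew then
    confirms the guess. Returns None if the confirmation fails.
    """
    if len(blob) < 0x40:
        return None
    k2 = (blob[1] - 0x5A) & 0xFF            # 'Z'
    k1 = (blob[0] - 0x4D - k2) & 0xFF       # 'M'
    dos_header = decrypt_resource(blob[:0x40], k1, k2)
    e_lfanew = int.from_bytes(dos_header[0x3C:0x40], "little")
    if e_lfanew + 4 > len(blob):
        return None
    sig = bytes((blob[i] - _key_for(i, k1, k2)) & 0xFF
                for i in range(e_lfanew, e_lfanew + 4))
    return (k1, k2) if sig == b"PE\0\0" else None


def fake_pe_stub():
    """Constructed stand-in for the dropped DLL (not real sample data): a DOS
    header whose e_lfanew points at a PE signature, followed by padding."""
    buf = bytearray(0x60)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    k1, k2 = 0x17, 0xA3                      # placeholder keys
    enc = encrypt_resource(fake_pe_stub(), k1, k2)
    print("recovered keys:", recover_keys(enc))
    print("round trip ok:", decrypt_resource(enc, k1, k2) == fake_pe_stub())
```

On a real sample the blob would be the raw "REGISTRY"/0x95 resource extracted from the unpacked binary; recover_keys() then gives the keys without stepping the debugger, and decrypt_resource() yields the DLL that is dropped into C:\Program Files\[random].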
```
00401B18 |. BE 48714000   MOV ESI,hidjiu.00407148                  ; ASCII "ekimhuqcroanflvzgdjtxypswb"
00401B1D |. 8D7D DC       LEA EDI,DWORD PTR SS:[EBP-24]
00401B20 |. F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00401B22 |. 66:A5         MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
00401B24 |. A4            MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00401B25 |. FF15 10504000 CALL DWORD PTR DS:[405010]               ; [GetTickCount
00401B2B |. 50            PUSH EAX                                 ; /seed
00401B2C |. FF15 C4524000 CALL DWORD PTR DS:[4052C4]               ; \srand
00401B32 |. 83C4 04       ADD ESP,4
00401B35 |. FF15 D4524000 CALL DWORD PTR DS:[4052D4]               ; [rand
```
The same name routine is called again to produce random names for the directory to create and for the decrypted file to drop.
```
00402259 |. 52            PUSH EDX                                 ; /<%s>
0040225A |. 68 C4714000   PUSH hidjiu.004071C4                     ; |Format = "d:\Program Files\%s"
0040225F |. 8D85 98FBFFFF LEA EAX,DWORD PTR SS:[EBP-468]           ; |
00402265 |. 50            PUSH EAX                                 ; |s
00402266 |. FF15 F8524000 CALL DWORD PTR DS:[4052F8]               ; \wsprintfA
...(omitted)...
0040226F |. 6A 00         PUSH 0                                   ; /pSecurity = NULL
00402271 |. 8D8D 98FBFFFF LEA ECX,DWORD PTR SS:[EBP-468]           ; |
00402277 |. 51            PUSH ECX                                 ; |Path
00402278 |. FF15 38504000 CALL DWORD PTR DS:[405038]               ; \CreateDirectoryA
...(omitted)...
004022B5 |. 6A 02         PUSH 2                                   ; /FileAttributes = HIDDEN
004022B7 |. 8D95 98FBFFFF LEA EDX,DWORD PTR SS:[EBP-468]           ; |
004022BD |. 52            PUSH EDX                                 ; |FileName
004022BE |. FF15 34504000 CALL DWORD PTR DS:[405034]               ; \SetFileAttributesA
```
It creates the directories D:\Program Files\[random] and C:\Program Files\[random] and sets the HIDDEN attribute on them so they don't appear in Explorer's default view. The attribute is cosmetic: `dir /a` or "show hidden files" reveals them, so a hidden, randomly named folder directly under Program Files is a cheap triage check for this family.
```
004022D7 |. 6A 05         PUSH 5                                   ; /Arg2 = 00000005
004022D9 |. 8D8D C0FCFFFF LEA ECX,DWORD PTR SS:[EBP-340]           ; |
004022DF |. 51            PUSH ECX                                 ; |Arg1
004022E0 |. E8 26F8FFFF   CALL hidjiu.00401B0B                     ; \hidjiu.00401B0B
...(omitted)...
004022EE |. 52            PUSH EDX                                 ; /<%s>
004022EF |. 8D85 98FBFFFF LEA EAX,DWORD PTR SS:[EBP-468]           ; |
004022F5 |. 50            PUSH EAX                                 ; |<%s>
004022F6 |. 68 EC714000   PUSH hidjiu.004071EC                     ; |Format = "%s\%s.dll"
004022FB |. 8D8D E0FDFFFF LEA ECX,DWORD PTR SS:[EBP-220]           ; |
00402301 |. 51            PUSH ECX                                 ; |s
00402302 |. FF15 F8524000 CALL DWORD PTR DS:[4052F8]               ; \wsprintfA
...(omitted)...
0040230B |. 6A 00         PUSH 0                                   ; /hTemplateFile = NULL
0040230D |. 68 80000000   PUSH 80                                  ; |Attributes = NORMAL
00402312 |. 6A 02         PUSH 2                                   ; |Mode = CREATE_ALWAYS
00402314 |. 6A 00         PUSH 0                                   ; |pSecurity = NULL
00402316 |. 6A 02         PUSH 2                                   ; |ShareMode = FILE_SHARE_WRITE
00402318 |. 68 00000040   PUSH 40000000                            ; |Access = GENERIC_WRITE
0040231D |. 8D95 E0FDFFFF LEA EDX,DWORD PTR SS:[EBP-220]           ; |
00402323 |. 52            PUSH EDX                                 ; |FileName
00402324 |. FF15 70504000 CALL DWORD PTR DS:[405070]               ; \CreateFileA
0040232A |. 8985 40FBFFFF MOV DWORD PTR SS:[EBP-4C0],EAX
00402330 |. 6A 00         PUSH 0                                   ; /pOverlapped = NULL
00402332 |. 8D85 44FBFFFF LEA EAX,DWORD PTR SS:[EBP-4BC]           ; |
00402338 |. 50            PUSH EAX                                 ; |pBytesWritten
00402339 |. 8B8D 94FBFFFF MOV ECX,DWORD PTR SS:[EBP-46C]           ; |
0040233F |. 51            PUSH ECX                                 ; |nBytesToWrite = 2E000 (188416.)
00402340 |. 8B55 E8       MOV EDX,DWORD PTR SS:[EBP-18]            ; |
00402343 |. 52            PUSH EDX                                 ; |Buffer
00402344 |. 8B85 40FBFFFF MOV EAX,DWORD PTR SS:[EBP-4C0]           ; |
0040234A |. 50            PUSH EAX                                 ; |hFile
0040234B |. FF15 18504000 CALL DWORD PTR DS:[405018]               ; \WriteFile
```
It calls the name routine once more (Arg2 = 5 is the minimum length, hence the 8-character enubwadv) and writes the decrypted buffer, all 0x2E000 bytes of it, to C:\Program Files\[random]\[random].dll.
Field | Value |
---|---|
FileName | enubwadv.dll |
MD5 | B522776C1E472F0F74DF13FBB6C7E854 |
SHA-1 | 164B1A8607A95D9DB7074E382ABEE2E5F762D468 |
Packer | none |
[Dropped DLL information table]
```
0012F6E0 004024BF /CALL to CopyFileA from hidjiu.004024B9
0012F6E4 0012FA60 |ExistingFileName = "c:\windows\system32\rundll32.exe"
0012F6E8 0012FA9C |NewFileName = "c:\Program Files\ruqhe\svtm.exe"
0012F6EC 00000000 \FailIfExists = FALSE
```
The legitimate Windows file rundll32.exe is copied to C:\Program Files\[random]\[random].exe (svtm.exe here). The copy exists so that the malicious DLL can be loaded through rundll32.exe while the hosting process carries an innocuous name instead of rundll32.exe. Because it is a byte-for-byte copy, its hash still matches the system rundll32.exe, which makes "rundll32.exe hash under a different name outside System32" a useful hunting pivot.
```
0012F6D8 0040252C /CALL to wsprintfA from hidjiu.00402526
0012F6DC 0012F700 |s = 0012F700
0012F6E0 0040722C |Format = "%s "%s",Scheduler %s"
0012F6E4 0012FA9C |<%s> = "c:\Program Files\ruqhe\svtm.exe"
0012F6E8 0012FBA4 |<%s> = "c:\Program Files\ruqhe\enubwadv.dll"
0012F6EC 0012FCA8 \<%s> = "C:\Documents and Settings\nopsled\Local Settings\Temp\hidjiu.exe"
```
This builds a standard rundll32 command line of the form `<host> "<dll>",<export> <args>`: the rundll32.exe copy (svtm.exe) loads the [random].dll and calls its exported function Scheduler. The third %s, the path of the temporary copy in %TEMP%, is passed as the export's argument so the DLL can delete that temporary file.
```
0012F6C4 0040258B /CALL to CreateProcessA from hidjiu.00402585
0012F6C8 00000000 |ModuleFileName = NULL
0012F6CC 0012F700 |CommandLine = "c:\Program Files\ruqhe\svtm.exe "c:\Program Files\ruqhe\enubwadv.dll",Scheduler C:\Documents and Settings\nopsled\Local Settings\Temp\hidjiu.exe"
0012F6D0 00000000 |pProcessSecurity = NULL
0012F6D4 00000000 |pThreadSecurity = NULL
0012F6D8 00000000 |InheritHandles = FALSE
0012F6DC 00000000 |CreationFlags = 0
0012F6E0 00000000 |pEnvironment = NULL
0012F6E4 00000000 |CurrentDir = NULL
0012F6E8 0012F910 |pStartupInfo = 0012F910
0012F6EC 0012FDB4 \pProcessInfo = 0012FDB4
```
The process is started with the command line built above. ModuleFileName is NULL and the image path is unquoted even though it contains a space, so CreateProcessA resolves the executable by first trying `c:\Program.exe` and only then `c:\Program Files\ruqhe\svtm.exe`, the usual unquoted-path ambiguity.
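Hunting logic for the two launch patterns seen on this page (the ping-delayed relaunch from %TEMP% via WinExec, and the relocated rundll32.exe copy started with `"dll",Export` arguments), as an added example that is not part of the original post. The record layout (Image, OriginalFileName, CommandLine, as carried in Sysmon Event ID 1) and the sample records are constructed for the demonstration; two command lines are the ones captured above, the rest are invented benign and malicious controls.

```python
# Added example: process-creation hunting rules for the launch patterns above,
# run over constructed records shaped like Sysmon Event ID 1 fields.
import re

# the rundll32 argument shape: <host> "<dll>",<Export> <args>
RUNDLL_SHAPE = re.compile(r'("[^"]+\.dll"|\S+\.dll)\s*,\s*\w+', re.I)
# cmd.exe /c ping 127.0.0.1 -n N & <command>: ping used as a sleep before relaunching
PING_DELAY = re.compile(r'ping\s+(127\.0\.0\.1|localhost)\s+-n\s+\d+\s*&', re.I)
# the only legitimate homes of rundll32.exe
SYSTEM_RUNDLL32 = re.compile(r'^[a-z]:\\windows\\(system32|syswow64)\\rundll32\.exe$', re.I)


def classify(record):
    """Return the reasons a record is suspicious; an empty list means clean."""
    image = record["image"]
    orig = record.get("original_file_name", "").upper()   # from the PE version resource
    cmd = record["cmdline"]
    reasons = []

    is_rundll_image = orig == "RUNDLL32.EXE" or image.lower().endswith("\\rundll32.exe")
    if is_rundll_image and not SYSTEM_RUNDLL32.match(image):
        reasons.append("rundll32.exe running from a non-system path (copied or renamed)")
    if RUNDLL_SHAPE.search(cmd) and not is_rundll_image:
        reasons.append('rundll32-style "dll",Export arguments from an image not known to be rundll32')
    if PING_DELAY.search(cmd) and re.search(r'\\temp\\', cmd, re.I):
        reasons.append("ping-as-sleep followed by a launch from a Temp directory")
    return reasons


def hunt(records):
    hits = []
    for r in records:
        reasons = classify(r)
        if reasons:
            hits.append((r["image"], reasons))
    return hits


SAMPLE_RECORDS = [  # constructed for the example
    {   # the CreateProcessA call above (no OriginalFileName field available)
        "image": r"c:\Program Files\ruqhe\svtm.exe",
        "cmdline": r'c:\Program Files\ruqhe\svtm.exe "c:\Program Files\ruqhe\enubwadv.dll",Scheduler C:\Documents and Settings\nopsled\Local Settings\Temp\hidjiu.exe',
    },
    {   # the WinExec call above: ping-as-sleep, then relaunch from %TEMP%
        "image": r"C:\WINDOWS\system32\cmd.exe",
        "original_file_name": "Cmd.Exe",
        "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 2&C:\DOCUME~1\nopsled\LOCALS~1\Temp\\ynpltj.exe "C:\Documents and Settings\nopsled\바탕 화면\hripr.exe"',
    },
    {   # control: the genuine rundll32.exe doing ordinary work
        "image": r"C:\Windows\System32\rundll32.exe",
        "original_file_name": "RUNDLL32.EXE",
        "cmdline": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
    },
    {   # control: an unrelated application
        "image": r"C:\Program Files\Foo\foo.exe",
        "original_file_name": "FOO.EXE",
        "cmdline": r'"C:\Program Files\Foo\foo.exe" --update',
    },
    {   # a copy of rundll32.exe that kept its name but lives in Temp
        "image": r"C:\Users\x\AppData\Local\Temp\rundll32.exe",
        "original_file_name": "RUNDLL32.EXE",
        "cmdline": r'rundll32.exe "C:\Users\x\AppData\Local\Temp\a.dll",Run',
    },
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_RECORDS):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

The OriginalFileName check is what catches the svtm.exe trick when the field is available: the copied rundll32.exe still carries RUNDLL32.EXE in its version resource no matter what it is named on disk. Without that field, the `"dll",Export` argument shape from an image that is not rundll32.exe is the fallback signal, and an image hash equal to the system rundll32.exe would be the third.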
98.126.162.36:803
98.126.162.36:3201