
Unpacking and analysis of STUPdater.exe

2020-06-24 · Reader submission (网友爆料) · Xiao网虫

Preface:

In mid-May an internet café reported that its game menu was broken. I went to the shop to check; refreshing it several times did nothing, so I started looking at the server and found a suspicious file in the root of C:, which had been added as a boot-time start item through the game update platform. I then checked all the branches and found that many of them had been trojaned. At the time I assumed the password had been guessed, so I restored the system on the affected servers and changed the passwords. A few days later the server logs showed forced logins, and I judged that the intrusion had come in remotely over Radmin, VNC or RDP (3389), so I started over: restored the system, disabled Radmin and VNC, and changed the external ports. A few days later it happened again; on some branches the server password had even been changed, the image had been unpacked with a boot-start entry added, and the image merged. Because the problem was serious at the time there was no time to trace its source: emergency system restores, all remote tools disabled, passwords changed, all external port mappings removed. After more than half a month of back and forth the problem basically stopped, and to this day no external remote mapping has been re-enabled.

It was not until two nights ago, when a friend called to ask what I had been busy with lately and whether this matter had anything to do with me, and sent me screenshots, that I learned basically all of my information had been stolen (because the café client machines had been trojaned) and that I was being framed for it. Only later, as the investigation and evidence gathering progressed, did it turn out that someone had gone to the café in person and trojaned the server from inside the LAN through a vulnerability.

Thanks again to my friend 小网虫 and to all colleagues.

It had already appeared in May.

[image: 1.jpg]

[image: 2.jpg]

If you have a 32-bit environment, you can run it through the 360 Lab sandbox for a check.

Let's get started.

[image: 3.jpg]

Deletes the file; masquerades with a spoofed shunwang digital signature.

[image: 4.jpg]

Extracted the file to a local machine and ran it under a packet capture: it contacts IP 47.110.10.104, which belongs to Alibaba Cloud in Hangzhou.

[images: 12.jpg, 5.jpg]

Execution log for that address. This is the trojan's own log file; the issues already known are not repeated here.

[image: 6.jpg]

Detected as UPX-packed, so the first step is to strip the UPX layer for static analysis. A stock UPX layer comes off with upx -d; if the packer header has been tampered with so that the tool refuses, the process has to be run, dumped at its original entry point and its import table rebuilt instead.

[image: 7.jpg]

File size after unpacking:

[image: 8.jpg]
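As an added example (not code from the original post or from the sample), the check below decides whether a PE looks UPX-packed from three signals: the UPX0/UPX1 section names, the "UPX!" marker that upx -d itself looks for, and the characteristic layout of an empty high-virtual-size first section next to a near-8-bits-per-byte compressed section. It uses a hand-rolled PE section parser rather than pefile so it needs no third-party module, and the PE images it runs on are constructed test data built by build_pe, so it runs offline. The layout heuristic is what still fires when someone has renamed the sections and scrubbed the marker, which is exactly the case where automatic unpacking fails and a memory dump is needed.

```python
r"""Added triage example: does a PE file look UPX-packed?  Standard library only.
The PE images at the bottom are constructed test data, not real binaries."""
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"  # l_info magic that "upx -d" requires; scrubbing it defeats automatic unpacking


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; compressed or encrypted data sits close to 8."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rawsize": rawsize, "entropy": shannon_entropy(raw)})
    return sections


def upx_verdict(data: bytes) -> dict:
    """Three independent signals; any one of them flags the file as UPX-packed."""
    sections = pe_sections(data)
    names = {s["name"] for s in sections}
    # Classic UPX layout: UPX0 has no raw bytes but a large virtual size (the unpack
    # destination) while UPX1 carries the compressed image at close to 8 bits/byte.
    # Renaming the sections does not change this shape, so it survives as a fallback.
    hollow = any(s["rawsize"] == 0 and s["vsize"] >= 0x1000 for s in sections)
    dense = any(s["rawsize"] > 0 and s["entropy"] > 7.0 for s in sections)
    by_name, by_magic, by_layout = bool(names & UPX_SECTION_NAMES), UPX_MAGIC in data, hollow and dense
    return {"sections": sections, "upx_names": by_name, "upx_magic": by_magic,
            "upx_layout": by_layout, "packed": by_name or by_magic or by_layout}


def build_pe(sections) -> bytes:
    """Assemble a minimal, non-runnable PE32 image from (name, virtual_size, raw_bytes)
    triples.  Constructed test data for this example only."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    first_raw = (e_lfanew + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    va, table, body = 0x1000, b"", b""
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                             len(raw), first_raw + len(body) if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        va += (max(vsize, len(raw), 0x1000) + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + body


DENSE = bytes(range(256)) * 16  # 4 KiB at exactly 8.0 bits/byte, standing in for compressed code
PACKED_SAMPLE = build_pe([("UPX0", 0x20000, b""), ("UPX1", 0x2000, UPX_MAGIC + DENSE),
                          (".rsrc", 0x200, b"\0" * 0x200)])
RENAMED_SAMPLE = build_pe([(".text", 0x20000, b""), (".data", 0x2000, DENSE)])  # names scrubbed, no marker
PLAIN_SAMPLE = build_pe([(".text", 0x400, b"\xC3" * 0x400), (".data", 0x100, b"A" * 0x100)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("renamed", RENAMED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        v = upx_verdict(image)
        print(f"{label:8s} packed={v['packed']} names={v['upx_names']} magic={v['upx_magic']} "
              f"layout={v['upx_layout']} sections={[(s['name'], round(s['entropy'], 2)) for s in v['sections']]}")
```

To use it on a real file, pass open(path, "rb").read() to upx_verdict; a file that fails the name and marker checks but still trips the layout heuristic is the one to load in a debugger and dump at the OEP rather than feed to upx -d.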

Starting the analysis:

[image: 9.jpg]

[image: 10.jpg]

[image: 11.jpg]

This file downloads new files according to the server-side configuration and runs them. After unpacking, running it modifies the registry key \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe to set up an image hijack. Writing under this HKLM key needs administrative rights, which the sample had here since it ran as Administrator.

Image File Execution Options (IFEO) hijacking, put simply, means you open program A and program B runs instead.

IFEO is a debugging facility built into Windows, and nowadays it is routinely abused by malware. When a user double-clicks a program, the shell (for example explorer.exe) receives the path and file name to execute and asks Windows to create the process. During process creation Windows looks under the registry path above for a subkey whose name exactly matches the executable's file name; if such a subkey exists and contains a "Debugger" value, the program named in that value is started instead, with the original command line appended to it, so what actually runs is the substitute that "hijacked" the launch. The match is by file name only, so every copy of 996E.exe on the machine is redirected whatever directory it sits in, and the same mechanism pointed at a security tool's executable keeps that tool from ever starting.
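For a host check of the persistence just described, here is an added example (not the author's code and not taken from the sample) that scans a .reg export of the relevant hive for IFEO "Debugger" entries and for "MonitorProcess" entries under the related SilentProcessExit key, flags any that do not point at a known debugger, and runs against a constructed sample export. The debugger paths in that sample are made up for the example; the post does not record what Debugger value the sample wrote for 996E.exe. The EXPECTED_DEBUGGERS set is an assumption that an administrator would adjust for their own fleet.

```python
r"""Added example: find IFEO Debugger and SilentProcessExit MonitorProcess hijacks in a
.reg export.  Produce the export on the host with
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" hive.reg
The SAMPLE_REG text below is constructed input; its debugger paths are invented."""
import re

IFEO_PATH = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"
SPE_PATH = "\\microsoft\\windows nt\\currentversion\\silentprocessexit\\"
# Assumption for this example: debuggers an administrator would expect to see registered.
EXPECTED_DEBUGGERS = {"vsjitdebugger.exe", "ntsd.exe", "cdb.exe", "windbg.exe"}


def parse_reg_export(text: str):
    """Yield (key, {value_name: value}) for each [key] block of a .reg file.
    Handles REG_SZ ("...") and dword:; other value types are kept as raw text."""
    key, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, values
            key, values = line[1:-1], {}
        elif line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                values[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg escaping of \ and "
            elif raw.startswith("dword:"):
                values[name] = int(raw[6:], 16)
            else:
                values[name] = raw
    if key is not None:
        yield key, values


def debugger_image(command: str) -> str:
    """Image file name of the program a Debugger/MonitorProcess command line starts."""
    command = command.strip()
    path = command[1:command.find('"', 1)] if command.startswith('"') else command.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hijacks(reg_text: str) -> list:
    """Every process-launch redirection found in the export, expected or not."""
    findings = []
    for key, values in parse_reg_export(reg_text):
        low = key.lower()
        target = key.rsplit("\\", 1)[-1]
        if IFEO_PATH in low and "Debugger" in values:
            image = debugger_image(values["Debugger"])
            findings.append({"type": "IFEO Debugger", "target": target, "command": values["Debugger"],
                             "image": image, "expected": image in EXPECTED_DEBUGGERS})
        elif SPE_PATH in low and "MonitorProcess" in values:
            # Runs MonitorProcess whenever the target exits (ReportingMode must also be set);
            # a known sibling of the IFEO trick, so it is reported from the same scan.
            findings.append({"type": "SilentProcessExit MonitorProcess", "target": target,
                             "command": values["MonitorProcess"],
                             "image": debugger_image(values["MonitorProcess"]), "expected": False})
    return findings


def suspicious(reg_text: str) -> list:
    return [f for f in find_hijacks(reg_text) if not f["expected"]]


SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe]
"Debugger"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w3wp.exe]
"Debugger"="\"C:\\Program Files (x86)\\Microsoft Visual Studio\\Common7\\IDE\\vsjitdebugger.exe\" -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe]
"MonitorProcess"="C:\\Windows\\System32\\cmd.exe"
"ReportingMode"=dword:00000001
'''

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_REG):
        flag = "ok        " if f["expected"] else "SUSPICIOUS"
        print(f"{flag} {f['type']:32s} {f['target']:14s} -> {f['command']}")
```

reg export writes UTF-16LE with a byte-order mark, so read a real export with open(path, encoding="utf-16") before passing it to find_hijacks. Because the match is a path substring, the Wow6432Node copy of the IFEO key on 64-bit Windows is covered by the same export of HKLM\SOFTWARE.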

It then clears the browser proxy settings and locks the browser home page:

· \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

· \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride

· \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

Removing AutoConfigURL also discards any PAC script the café or corporate network relies on, so a machine that suddenly stops honouring its proxy configuration is itself a useful indicator.

It then runs C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe (the "Documents and Settings" profile path shows this run was on an XP/2003-era 32-bit system, which matches the note above about using a 32-bit environment).

In essence the file is a downloader trojan: it fetches new trojan files according to the server-side configuration and runs them, which is why nobody has so far seen STUPdater do anything visible on its own.

Dynamic analysis (sandbox behaviour report; file hash shown on the report page, SHA-256: 659ef57f5c9ac5115170a1cc4037d03444a457a4cf3bd4a639d73d2d8ced440c)

Behavior Tags

checks-network-adapters

checks-user-input

direct-cpu-clock-access

runtime-modules

Network Communication

HTTP Requests

http://47.110.10.104:800/updaterxml

HTTP Method

GET

http://47.110.10.104

HTTP Method

GET

IP Traffic

47.110.10.104:800 (TCP)

47.110.10.104:137 (UDP)

File System Actions

Files Opened

C:\Windows\system32\UxTheme.dll

C:\Windows\system32\dwmapi.dll

C:\Users\<USER>\Downloads\STUPdater.exe.2.Manifest

C:\Users\<USER>\Downloads\STUPdater.exe.3.Manifest

C:\Users\<USER>\Downloads\STUPdater.exe.Config

C:\Users\<USER>\Downloads\STUPdater.exe

C:\Windows\system32\shfolder.dll

C:\Program Files (x86)

C:\Users\<USER>\AppData\Roaming

C:\Windows\system32\profapi.dll

Files Written

C:\Users\<USER>\Downloads\UpdaterLogForSTVNCServer.txt

C:\Users\<USER>\AppData\Local\Temp\updater_temp_STVNCServer\0.0.0.0\updatefile.xml

Files Deleted

C:\Users\<USER>\AppData\Local\Temp\UpdaterCopy.exe

Registry Actions

Registry Keys Opened (most of the Internet Settings, FeatureControl, ZoneMap and Wpad keys below are read by WinINet and urlmon while the sample performs its HTTP download, not by the sample's own code; treat them as background noise rather than indicators)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols

HKLM\Software\Policies

HKCU\Software

HKLM\Software\Policies\Microsoft\Internet Explorer

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012020060820200609

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_LONG_INTERNATIONAL_FILENAMES

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RELEASE_KEYS_ON_UNLOAD_KB975619

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITY_FLAG_IGNORE_REVOCATION_KB2275828

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoNetAutodial

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

HKU\S-1-5-21-364843204-231886559-199882026-1001

HKLM\System\Setup

HKU\S-1-5-21-364843204-231886559-199882026-1001\Software\Microsoft\windows\CurrentVersion\Internet Settings

HKU\S-1-5-21-364843204-231886559-199882026-1001\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections

HKLM\Software\Microsoft\OleAut

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{9B35D1C4-8158-4F38-975C-0A8F00BE26A0}

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING

HKCR\AutoProxyTypes

HKCR\AutoProxyTypes\Application/x-internet-signup

HKCR\AutoProxyTypes\Application/x-ns-proxy-autoconfig

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\52-54-00-12-35-02

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{9B35D1C4-8158-4F38-975C-0A8F00BE26A0}\52-54-00-12-35-02

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK\STUPdater.exe

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK\*

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

HKCU\Software\Microsoft\Internet Explorer\Security

HKCU\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck

HKLM\System\Setup\SystemSetupInProgress

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\STUPdater.exe

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\STUPdater.exe

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\*

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562

Registry Keys Set (key = value; the Wpad, SavedLegacySettings, DefaultConnectionSettings and ZoneMap writes are WinINet's own bookkeeping for proxy auto-detection, while ProxyEnable = 0 is consistent with the proxy clearing seen in the static analysis)

Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable = 0

Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = (binary)

{9B35D1C4-8158-4F38-975C-0A8F00BE26A0}\WpadDecisionReason = 1

{9B35D1C4-8158-4F38-975C-0A8F00BE26A0}\WpadDecisionTime = (binary FILETIME)

{9B35D1C4-8158-4F38-975C-0A8F00BE26A0}\WpadDecision = 3

{9B35D1C4-8158-4F38-975C-0A8F00BE26A0}\WpadNetworkName = Network

Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = (binary)

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork = {9B35D1C4-8158-4F38-975C-0A8F00BE26A0}

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 1

Process And Service Actions

Services Opened

Sens

Synchronization Mechanisms & Signals

Mutexes Created

updater_STVNCServer

IESQMMUTEX_0_208

Mutexes Opened

Local\c:!users!<USER>!appdata!local!microsoft!windows!temporary internet files!content.ie5!

Local\c:!users!<USER>!appdata!roaming!microsoft!windows!cookies!

Local\c:!users!<USER>!appdata!local!microsoft!windows!history!history.ie5!

Modules Loaded

Runtime Modules

ADVAPI32.dll

C:\Users\<USER>\Downloads\STUPdater.exe

C:\Program Files (x86)\STVNCServer\STVNCServer.exe

SspiCli.dll

ole32.dll

API-MS-Win-Security-LSALookup-L1-1-0.dll

CRYPTBASE.dll

rtutils.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll


API-MS-WIN-Service-Management-L1-1-0.dll

IPHLPAPI.DLL

API-MS-Win-Security-SDDL-L1-1-0.dll

WS2_32.dll

OLEAUT32.dll

Highlighted Actions

Calls Highlighted

GetTickCount (reads the system uptime counter; typical of timing and sleep-skip checks)

SetWindowsHookExW (installs a Windows message hook, a standard way to intercept keyboard or mouse input)

SetFileTime (rewrites a file's timestamps)

GetAdaptersAddresses (enumerates network adapters and their addresses)

Highlighted Text

C:\Windows\system32\cmd.exe

I'll leave the rest for everyone to dig into together; my energy is limited and I can't keep going tonight.

