类型:释放器、窃取信息
md5: E6EE0396AF0F9B18409FE59C581C59A4  file-size: 2063872 (bytes)  imphash: 823588BDD2599E71AE3DE2A2CE014857  cpu: 32-bit
主程序行为:
窃取多个app数据
下载另一个malware到 C:\Users\admin\Documents\file0.exe
loader 主函数,发现字符串都用base64 编码了
b64解码函数位于0x403379,下面的脚本遍历该函数的所有调用点(xref),找到传入的base64字符串并逐个解码。
import idc
import idaapi
import base64
def getB64TextAddress(addr):
    """Locate the base64 string passed to the decoder called at *addr*.

    Starting from the instruction just before *addr* (the call site),
    walk backwards over at most five instructions looking for a ``mov``
    whose second operand is an ``offset`` — the pointer to the encoded
    string.  Returns that operand's value, or 0 when no such ``mov`` is
    found within the window.

    NOTE(review): assumes the string pointer is always loaded by a
    ``mov reg, offset ...`` within five instructions of the call; a
    ``push offset`` or a longer setup would be missed — verify against
    the binary if some call sites produce no comment.
    """
    ea = prev_head(addr)
    for _ in range(5):
        is_mov = print_insn_mnem(ea) == "mov"
        if is_mov and "offset" in print_operand(ea, 1):
            return get_operand_value(ea, 1)
        ea = prev_head(ea)
    return 0
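def getB64Str(addr, max_len=None):
    """Read a NUL-terminated string from the IDB starting at *addr*.

    Bytes are fetched one at a time with ``idaapi.get_byte`` and
    appended as characters until a 0x00 byte is reached.

    Args:
        addr: address of the first byte of the string.
        max_len: optional upper bound on the number of bytes read.  The
            original scan is unbounded and has no check that it stays
            inside a mapped, terminated string; pass a bound when
            pointing this at data that may lack a terminator.  ``None``
            keeps the original unbounded behaviour.

    Returns:
        The string (possibly empty when *addr* holds 0x00 immediately).
    """
    chars = []
    ea = addr
    while max_len is None or len(chars) < max_len:
        ch = idaapi.get_byte(ea)
        if ch == 0:
            break
        chars.append(chr(ch))
        ea += 1
    # join once instead of repeated str concatenation
    return "".join(chars)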
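def decodeB64(text):
    """Base64-decode *text*, returning "" when it is not valid base64.

    Only decoding failures are swallowed: bad padding or non-alphabet
    input raise ``binascii.Error`` (a ``ValueError`` subclass on
    Python 3) or ``TypeError`` (Python 2), so exactly those are caught.
    The previous ``except BaseException`` would also have hidden
    KeyboardInterrupt/SystemExit and any unrelated bug.

    Args:
        text: the base64 text as read from the binary.

    Returns:
        The decoded payload (``bytes`` on Python 3, ``str`` on
        Python 2), or "" when decoding fails.
    """
    try:
        return base64.b64decode(text)
    except (TypeError, ValueError):
        return ""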
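def set_hexrays_comment(address, text):
    '''
    Attach *text* as a Hex-Rays pseudocode comment at the statement
    containing *address*.

    Returns True when the comment was stored and saved, False when the
    enclosing function could not be decompiled (Hex-Rays unavailable,
    or *address* not inside a decompilable function).  Previously that
    failure raised out of the function and aborted the whole script
    part-way through the xref loop.
    '''
    try:
        cfunc = idaapi.decompile(address)
    except idaapi.DecompilationFailure:
        return False
    if cfunc is None:
        return False
    tl = idaapi.treeloc_t()
    tl.ea = address
    # ITP_SEMI anchors the comment at the statement's terminating ';'
    tl.itp = idaapi.ITP_SEMI
    cfunc.set_user_cmt(tl, text)
    cfunc.save_user_cmts()
    return True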
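if __name__ == '__main__':
    # Every call site of the decoder at 0x403379 loads the encoded string
    # via a preceding `mov ..., offset`; walk each xref, decode the string
    # and annotate both the disassembly and the pseudocode.
    for xref in XrefsTo(0x403379, flags=0):
        addr = getB64TextAddress(xref.frm)
        if addr == 0:
            continue
        b64_str = getB64Str(addr)
        dcontent = decodeB64(b64_str)
        # On Python 3 b64decode returns bytes; the comment APIs and the
        # "%s" output want text, so convert (no-op on Python 2 where
        # bytes is str).  latin-1 maps every byte, so this cannot fail.
        if isinstance(dcontent, bytes) and not isinstance(dcontent, str):
            dcontent = dcontent.decode("latin-1")
        print("base64 text address: %s , content: %s ,decode: %s " % (hex(addr), b64_str, dcontent))
        set_hexrays_comment(xref.frm, dcontent)
        set_cmt(prev_head(xref.frm), dcontent, 0)
    # print() form works on both Python 2 and 3 (the statement form is a
    # SyntaxError under IDA's Python 3)
    print("finished")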
base64 text address: 0x5d2858L , content: QnJvd3NlcnM= ,decode: Browsers
base64 text address: 0x5d288cL , content: VXNlciBEYXRh ,decode: User Data
base64 text address: 0x5d289cL , content: VXNlciBEYXRhXFxMb2NhbCBTdGF0ZQ== ,decode: User Data\\\\Local State
base64 text address: 0x5d28c0L , content: ZW5jcnlwdGVkX2tleQ== ,decode: encrypted_key
base64 text address: 0x5d28d8L , content: Ig== ,decode: "
base64 text address: 0x5d3128L , content: Y29uZmlnXGxvZ2ludXNlcnMudmRm ,decode: config\\loginusers.vdf
base64 text address: 0x5d3148L , content: ICAgIFNURUFNOg0KTElOSzogaHR0cHM6Ly9zdGVhbWNvbW11bml0eS5jb20vcHJvZmlsZXMv ,decode: STEAM:
LINK: <https://steamcommunity.com/profiles/>
base64 text address: 0x5d3194L , content: DQpBQ0NPVU5UOiA= ,decode:
ACCOUNT:
base64 text address: 0x5d31a8L , content: QWNjb3VudE5hbWU= ,decode: AccountName
base64 text address: 0x5d31bcL , content: DQpOQU1FOiA= ,decode:
NAME:
base64 text address: 0x5d3300L , content: U291cmNlTW9kSW5zdGFsbFBhdGg= ,decode: SourceModInstallPath
base64 text address: 0x5d3320L , content: U29mdHdhcmVcVmFsdmVcU3RlYW0= ,decode: Software\\Valve\\Steam
base64 text address: 0x5d3340L , content: U3RlYW0= ,decode: Steam
base64 text address: 0x5d334cL , content: U3RlYW1cXGNvbmZpZw== ,decode: Steam\\\\config
base64 text address: 0x5d3364L , content: Y29uZmlnXFxjb25maWcudmRm ,decode: config\\\\config.vdf
base64 text address: 0x5d3380L , content: U3RlYW1cXGNvbmZpZ1xcY29uZmlnLnZkZg== ,decode: Steam\\\\config\\\\config.vdf
base64 text address: 0x5d33a8L , content: XFxsb2dpbnVzZXJzLnZkZg== ,decode: \\\\loginusers.vdf
base64 text address: 0x5d33c4L , content: U3RlYW1cXGNvbmZpZ1xcbG9naW51c2Vycy52ZGY= ,decode: Steam\\\\config\\\\loginusers.vdf
base64 text address: 0x5d33f0L , content: XFxTdGVhbUFwcERhdGEudmRm ,decode: \\\\SteamAppData.vdf
base64 text address: 0x5d340cL , content: U3RlYW1cXGNvbmZpZ1xcU3RlYW1BcHBEYXRhLnZkZg== ,decode: Steam\\\\config\\\\SteamAppData.vdf
base64 text address: 0x5d3454L , content: MTg1LjIwOS4yMi44Ng== ,decode: 185.209.22.86
base64 text address: 0x5d346cL , content: L2dhdGUucGhw ,decode: /gate.php
base64 text address: 0x5d3454L , content: MTg1LjIwOS4yMi44Ng== ,decode: 185.209.22.86
base64 text address: 0x5d346cL , content: L2dhdGUucGhw ,decode: /gate.php
base64 text address: 0x5d34bcL , content: MS40 ,decode: 1.4
很快,发现一些比较有价值的字符串
Steam\\config\\config.vdf
Steam\\config\\SteamAppData.vdf
Steam\\config\\loginusers.vdf
这些都是steam平台的账户储存信息