Sample analysis | Static decryption of the 大灰狼 8.96 RAT's C2 domain

Author: 皆明 | Published 2017-12-17 16:47, read 138 times

In day-to-day anti-virus work we handle a large number of backdoor samples. Being able to quickly pull the C2 domains out of these samples, so that they can be correlated with other threat data, is therefore especially important.

File information

Type: backdoor

MD5: f738296fb0ed3296e130f5d5f016ed1e

Detection name: BackDoor - Download

Decryption script

    # -*- coding:utf-8 -*-

    __author__ = '皆明'
    __date__ = '2017/12/17'

    def GetLetterTable(letter):
        # Standard base64 alphabet: return the 6-bit value of a symbol, or -1 if
        # the character is not in the alphabet.
        letter_table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
        return letter_table.find(letter)

    def GetKeyNum(key):
        # Stage 1: base64-decode the string four symbols at a time, then apply the
        # per-byte transform (b - 0x86) ^ 0x59. Returns [decoded_length, bytes].
        v6 = 0                                   # number of '=' padding symbols seen
        cc_len = len(key)
        v9 = [0xcd for i in range(cc_len + 1)]   # 0xCD mirrors the uninitialised buffer
        i = key
        i_num = 0
        v9_list_num = 0
        for x in range(cc_len // 4):
            decode_key = i[i_num:i_num + 4]
            v7 = GetLetterTable(decode_key[0])
            if v7 < 0:
                v6 = 3
                break
            v8 = v7 << 6

            v2 = GetLetterTable(decode_key[1])
            v7 = v2
            if v2 < 0:
                return -1
            v8 = (v8 + v7) << 6
            if decode_key[2] == "=":             # padding symbol (ASCII 61)
                v6 = v6 + 1
            else:
                v7 = GetLetterTable(decode_key[2])
                if v7 < 0:
                    break
                v8 = v8 + v7
            v8 = v8 << 6
            if decode_key[3] == "=":
                v6 = v6 + 1
            else:
                if v6:
                    return -1
                v7 = GetLetterTable(decode_key[3])
                if v7 < 0:
                    return -1
                v8 = v8 + v7
            # A group yields 3, 2 or 1 bytes depending on the padding count.
            if v6 < 3:
                v9[v9_list_num] = (v8 & 0xff0000) >> 16
                v9_list_num = v9_list_num + 1
            if v6 < 2:
                v9[v9_list_num] = (v8 & 0xff00) >> 8
                v9_list_num = v9_list_num + 1
            if v6 < 1:
                v9[v9_list_num] = v8 & 0xff
                v9_list_num = v9_list_num + 1
            i_num = i_num + 4

        for a in range(v9_list_num):
            v9[a] = (v9[a] - 0x86) & 0xff
            v9[a] = (v9[a] ^ 0x59) & 0xff

        return [v9_list_num, v9]

    def Get_Getong538():
        # Stage 2: RC4 key scheduling with the hard-coded key "Getong538".
        # The sample keeps each key byte in a 4-byte slot, so v5[m] with m += 4
        # is simply key_str[i % 9].
        key_str = "Getong538"
        key = []
        v7 = 0
        v5 = []
        for i in range(256):
            key.append(i)
            v5.append(ord(key_str[i % 9]))
            v5.append(0)
            v5.append(0)
            v5.append(0)

        m = 0
        for i in range(256):
            v7 = (v5[m] + (key[i] + v7)) % 256
            m = m + 4
            key[i], key[v7] = key[v7], key[i]

        return key

    def GetCC(key_str, cc, key_num):
        # Stage 3: RC4 keystream generation over the transformed bytes;
        # key_str is the S-box produced by Get_Getong538().
        v8 = 0
        v7 = 0
        for i in range(key_num):
            v8 = (v8 + 1) % 256
            v7 = (key_str[v8] + v7) % 256
            key_str[v8], key_str[v7] = key_str[v7], key_str[v8]
            v6 = (key_str[v7] + key_str[v8]) % 256
            cc[i] = cc[i] ^ key_str[v6]

        # The trailing byte is not part of the URL and is dropped.
        return "".join(chr(i) for i in cc[0:key_num - 1])

    if __name__ == "__main__":
        key = "4jNnIiz7AYsVpl0fD54Ya845KpABkngE8/OOY8u8TFdlD95YLA=="
        key_num, cc = GetKeyNum(key)
        print(GetCC(Get_Getong538(), cc, key_num))

With this script, the C2 domain of the 大灰狼 8.96 RAT can be decrypted statically from the encrypted string. For the encrypted string taken from the file whose MD5 is listed above, the decrypted C2 domain is:

    http://203.189.234.236/NetSyst96.dll
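
As an added example (not part of the original post), the same three stages rewritten as a small extractor for the bulk-triage use the introduction calls for: it scans a dumped sample for base64-looking runs, tries the decryption on each and keeps only those that come out as a printable URL. The sample blob, the placeholder host c2.example.invalid and the assumption that the stored string ends in a NUL terminator are constructed for this example; `encrypt_cc` exists only to build a second test vector.

```python
import base64
import re

RC4_KEY = b"Getong538"                              # key recovered in the article
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")  # candidate encrypted strings

def rc4(key, data):
    """Plain RC4 (symmetric); the sample's stride-4 key layout is equivalent."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_cc(token):
    """base64 -> (b - 0x86) ^ 0x59 per byte -> RC4 -> drop the terminator byte."""
    raw = base64.b64decode(token)
    plain = rc4(RC4_KEY, bytes(((b - 0x86) & 0xFF) ^ 0x59 for b in raw))
    return plain[:-1]

def encrypt_cc(plain):
    """Inverse of decrypt_cc, used to build test vectors (assumed NUL terminator)."""
    enc = rc4(RC4_KEY, plain + b"\x00")
    return base64.b64encode(bytes(((b ^ 0x59) + 0x86) & 0xFF for b in enc))

def extract_cc(blob):
    """Try every base64-looking run in a blob and keep the ones that decrypt to a URL."""
    hits = []
    for m in B64_RUN.finditer(blob):
        try:
            cand = decrypt_cc(m.group(0))
        except ValueError:          # bad length or padding: not a token
            continue
        if re.fullmatch(rb"https?://[\x21-\x7e]+", cand):   # printable URL only
            hits.append(cand.decode("ascii"))
    return hits

# Constructed stand-in for a dumped sample: the token from the article plus one
# decoy base64 run and one token built with encrypt_cc for a placeholder host.
PAGE_TOKEN = b"4jNnIiz7AYsVpl0fD54Ya845KpABkngE8/OOY8u8TFdlD95YLA=="
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00\x00\x00" + b"SGVsbG8gV29ybGQhISEhISEh\x00"
               + PAGE_TOKEN + b"\x00"
               + encrypt_cc(b"http://c2.example.invalid/update.dll") + b"\x00")
```

Running `extract_cc` over a real dump will also surface false positives from unrelated base64 data, so the URL filter is deliberately strict.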
    

Article link: https://www.haomeiwen.com/subject/wyxuwxtx.html