WannaCry勒索软件分析

2017-5-14 Nie.Meining Debug

大家都知道,昨天WannaCry勒索软件在一夜之间利用系统漏洞席卷全球,特别是在内网和专网中,通过攻击445端口(蠕虫性质)大肆传播,造成了巨大数据损失。我也凑个热闹,找到一批样本上传金刚分析系统(http://tcasoft.com/),看看效果。

其中比较典型的分为两类,一类就是昨天大家新闻中看到的,访问某个超长的域名,如果存在就放弃攻击。如图:

2.png

1.png

其实这个“域名开关”并不完全可以保平安。还有一类样本一上来就搞破坏,并不会探测域名。如某样本的分析报告:

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=22bfa9109ab9d405af4188867620c730&sk=60036875

下面对该报告简单解读。

首先观察运行过程截图可以看出,样本执行初期没有任何引人注意的表现,当桌面被替换、前台弹出提示信息时,一切都为时已晚,用户的文件就已经被加密,要想恢复文件内容只能向攻击者提供的地址汇入300美元比特币了。如下图所示。

3.png

4.jpg


观察行为列表可以看到,样本释放了大量可执行程序以及bat、vbs等恶意脚本,并借助这些程序、脚本和Windows自带的系统工具共同完成攻击目的。例如通过attrib系统工具实现自我隐藏、利用icacls工具获取文件操作权限、利用vssadmin工具破坏系统还原功能、利用reg程序导入注册表实现自启动等。如下图所示。

5.png

6.png

7.png


一切就绪后,样本开始重头戏——文件加密。在行为列表中可以看到大量与文件操作相关的行为,包括修改文件属性、读写文件、修改文件创建时间、文件重命名等。这些正是WannaCry对用户文件进行加密的详细过程。如下图所示。

8.png


进一步观察样本的详细行为数据可以发现,攻击者其实会针对每个文件生成一个扩展名为WNCRYT的临时文件,在加密完成并设置好文件创建时间后,会将该临时文件重命名为WNCRY文件。如下图所示。

9.png


具体这些被加密后的文件长什么样呢?只需查看分析报告里的“中间文件”就可以看到。如下图所示,攻击者感兴趣的文件主要包括doc、xls、jpg等各种文档和图片,被加密后文件头部均变成了“WANACRY!”标识。

a.png


除了以上主机破坏行为以外,样本运行过程中还能观测到大量的网络行为,连接地址包括美国、德国、奥地利等多个国家,同时会尝试连接一个很长的域名。如图所示。

b.png

c.png


由于金刚系统在分析过程中,引擎并未连接真实互联网,因此网络行为我就没有展开分析了。其实该样本还有不少技术细节上文并未展开介绍,大家若有兴趣欢迎查看分析报告自行研究。

评论:

buy generic viagra
约 1 小时前
Hi everyone, it’s my first visit at this site, and post is really fruitful in support of me, keep up posting these types of articles or reviews.
generic viagra
约 2 小时前
Its pleasant funny YouTube video, I all the time go to visit YouTube site designed for comical videos, since there is much more data available.
viagra
约 10 小时前
Link exchange is nothing else but it is only placing the other person’s weblog link on your page at proper place and other person will also do similar in favor of you.
viagra coupon
约 13 小时前
What's up i am kavin, its my first time to commenting anywhere, when i read this piece of writing i thought i could also create comment due to this sensible post.
50 mg viagra
约 14 小时前
In support of my schoolwork purposes, I every time used to get the video lectures from YouTube, because it is effortless to fan-out from there.
sildenafil citrate
约 16 小时前
Very soon this site will be famous among all blogging viewers, due to it's good articles or reviews
sildenafil coupon
约 21 小时前
Sharing some thing is better than keeping up-to our self, thus the YouTube video that is posted at this juncture I am going to share by means of my family and friends.
buy generic viagra
约 22 小时前
Amazing! Its genuinely remarkable post, I have got much clear idea about from this paragraph.
viagra uk
约 23 小时前
My chief is as well eager of YouTube comic video tutorials, he also watch these even in office hehehe..
viagra for women
约 23 小时前
What a good YouTube video it is! Awesome, I loved it, and I am sharing this YouTube record with all my mates.
viagra coupon
2018-08-13 21:52
This article concerning SEO gives clear thought in favor of new SEO viewers that how to do SEO, so keep it up. Good work
viagra for women
2018-08-13 21:09
I don’t waste my free time in watching movies except I be keen on to read articles on net and take updated from newest technologies.
buy 100mg viagra
2018-08-13 20:07
Wow, good YouTube video concerning how to establish virtual directory, I totally got it. Thanks keep it up.
cheap 50mg viagra
2018-08-13 17:39
If you are paying attention to learn SEO strategies then you should read this piece of writing, I am sure you will take much more from this piece of writing about Search engine marketing.
Haroldtoigh
2018-08-13 17:03
It's an excellent post. This site is loaded with lots of useful things, it really helped me in many ways.

http://risk-competence.eu/2018/03/05/e-book-for-studying-buy-essay-writing-service/
http://prazdniny.edaos.cz/exactly-the-quality-essay-writing-services-place/
http://www.masterdinastyoriginal.com/2018/07/23/business-essay-writing-uk-is-abortion-improper/
http://www.midnightsunjournal.com/2017/11/19/apa-paper-formatting/
http://www.jointforces.net/university-best-essay-writing-service-canada-of/

发表评论:

Powered by emlog