1. Overview
Recently, the Huorong Security team found that the malware gang known as "Yinnizhe" (隐匿者, "the hidden one") has upgraded its tooling and is distributing a new piece of malware, "Voluminer". After breaking into a machine by brute-forcing credentials, the malware mines Monero on the victim's computer and leaves a backdoor through which the gang can remotely modify the malicious code at any time and download further, more dangerous modules. It also uses kernel-level techniques to evade detection and removal by security software.
After brute-forcing the user's database service to get in, the malware overwrites the system's Master Boot Record (MBR). On the next reboot the infected MBR runs, executes malicious code in kernel space, and then injects code into a system process (winlogon or explorer, depending on the Windows version); the injected code finally downloads the backdoor to the local machine and runs it.
At present the backdoor downloads and runs mining modules that mine Monero, but the gang could push other modules in the future and launch more damaging attacks.
Huorong previously exposed the group behind this malware, "Yinnizhe". Long-term tracking shows the group has remained active throughout; it is likely composed of or involves Chinese nationals, and operates purely for profit. It is one of the most active hacking groups on the Internet in recent years, with the highest number of attacks and the broadest attack range.
Compared with earlier campaigns, the samples "Yinnizhe" is distributing this time use techniques that reach deeper into the system, are stealthier, and are harder for users to notice. The malware uses kernel-level means to protect its own code on disk against security software, making it difficult to remove, and it adds a remote-control capability that lets the operators download further modules at will.
2. Origin of the Malware
Through long-term tracking of the "Yinnizhe" group, we found that the recently widespread Bootkit/Voluminer family is probably directly linked to it. Once run, the malware overwrites the disk MBR. When the machine reboots and the malicious MBR code executes, it runs malicious code in kernel space, then injects it into winlogon or explorer (depending on the Windows version); the injected code finally downloads and executes the backdoor. At this stage the backdoor downloads and runs Monero-mining modules, but we do not rule out other modules being pushed in the future.
"Yinnizhe" typically gains access by brute-forcing services exposed on the victim's machine, such as RPC and database servers, then uses that foothold to run further malicious code. The intrusion method is identical to the one described in Huorong's July 2017 report "Fully Exposing the 'Yinnizhe' Hackers, Currently the Most Prolific Cyberattack Gang". The attack activity Huorong captured in connection with the present samples is shown in the figure below:

Attack activity
The original malware behaviour log from Huorong's earlier report, used there to enumerate the group's attack behaviour, is shown below:

Original figure from the earlier report
The FTP server username and password the group commonly used, as noted in Huorong's earlier report, were test and 1433; the same credentials appear for the FTP server used in the attack captured this time (ftp.ftp0118.info). Among the FTP server addresses used by "Yinnizhe", we found that the server behind the down.mysking.info domain is still reachable. The malware files it hosts differ from those on the FTP server used in this campaign, but the file names are strikingly similar. A comparison of the files hosted on the two FTP servers is shown below:

Comparison of FTP server contents
In addition, the language information of some of the samples captured this time is Simplified Chinese, as in the samples from the "Yinnizhe" report. We can therefore make a preliminary judgement that this attack is probably directly linked to the "Yinnizhe" group. The language information of the captured sample (SHA256: 46527e651ae934d84355adb0a868c5edda4fd1178c5201b078dbf21612e6bc78) is shown below:

Language information of the malware sample
3. Sample Analysis
Compared with early "Yinnizhe" samples, the samples now spreading in the wild show increasingly complex behaviour and lower-level attack techniques. The sample discussed here, for example, infects the MBR and then protects the modified MBR code, which makes detecting and removing it more complicated.
Bootkit/Voluminer
When Bootkit/Voluminer runs, it writes its own MBR code directly to sector 0 and backs up the original MBR to the second sector of the disk (LBA 1). The remaining malicious code starts at the third sector (LBA 2) and, excluding the MBR code itself, occupies 54 sectors. Because the kernel-mode components differ between platforms (x86/x64), the analysis in this report uses an infection of Windows 7 (x64) as the example. The infected MBR data is shown below:

Infected MBR data
The malicious MBR code is shown below:

Malicious MBR code
When the malicious MBR code runs, it copies the malicious code stored from the third sector onward to address 0x8f000 and executes it. That code hooks the INT 15 BIOS interrupt and then transfers control back to the original MBR so that the normal boot sequence continues. When INT 15 is invoked, the malicious code searches for the BootMgr (startup.com) code by matching hard-coded byte patterns and hooks it; the hooked code in turn eventually hooks Archx86TransferTo32BitApplicationAsm and Archx86TransferTo64BitApplicationAsm in bootmgr.exe. The malicious logic run after hooking INT 15 is shown below:

Malicious logic run from the INT 15 hook
Once BootMgr (the startup.com part) is hooked, the next hooking step is carried out when bootmgr.exe is loaded. The code that hooks bootmgr.exe is shown below:

Code that hooks bootmgr.exe
After bootmgr.exe is hooked, the code inside Archx86TransferTo32BitApplicationAsm and Archx86TransferTo64BitApplicationAsm looks as follows:

Hooked function entry points
With Archx86TransferTo32BitApplicationAsm and Archx86TransferTo64BitApplicationAsm hooked, the malicious code they call hooks OslArchTransferToKernel when bootmgr.exe loads winload.exe, in preparation for hooking ntoskrnl.exe. The relevant code is shown below:

Code that hooks OslArchTransferToKernel
The code inside the hooked OslArchTransferToKernel function is shown below:

Hooked OslArchTransferToKernel function code
The malicious code run from the OslArchTransferToKernel hook hooks ZwCreateSection and disables the PatchGuard-related logic in ntoskrnl.exe. The relevant code is shown below:

Entry of the malicious code run after hooking OslArchTransferToKernel
First, the malicious code resolves the address of ZwCreateSection by hashing export names and comparing the hash values, then obtains the entry point of the kernel-mode payload that will ultimately run (malware_krnl_main_entry). Next it prepares the handler that will be called from the ZwCreateSection hook together with the information it needs (the ntoskrnl base address, the malware_krnl_main_entry entry point, the address of ZwCreateSection, and the original ZwCreateSection bytes that are about to be patched out). Finally it overwrites the entry of ZwCreateSection and disables the PatchGuard-related code in ntoskrnl by patching hard-coded byte sequences. The relevant code is shown below:

Malicious code that hooks ZwCreateSection and disables PatchGuard
The hooked ZwCreateSection entry code is shown below:

Hooked ZwCreateSection entry code
The malicious code called from the ZwCreateSection hook first restores the patched-out ZwCreateSection bytes, then maps the next-stage malicious code (at code address 0x946E6) into kernel address space with MmMapIoSpace and executes it. The relevant code is shown below:

Malicious code called from the ZwCreateSection hook
Once that code runs, it executes the kernel-mode payload malware_krnl_main_entry, which first resolves the API addresses it needs by function-name hash. The relevant code is shown below:

malware_krnl_main_entry code
The main kernel-mode logic starts by registering a thread-creation notify callback. Inside the callback it checks whether csrss.exe has started, and only after that process is up does it continue with the rest of the malicious logic. The relevant code is shown below:

Malicious logic in the thread notify callback
As shown above, once csrss.exe is detected the code first tries to infect the MBR and to protect the sectors that hold the malicious code. By filtering IRPs, it returns the legitimate boot code whenever the sectors containing the malicious boot code are read, which improves the malware's stealth. The MBR infection code is shown below:

Infecting the MBR and copying the original MBR data to the second sector
The protection logic for the malicious MBR and associated data covers the first 0x3E (62) sectors of the disk. The relevant code is shown below:

Code protecting the malicious MBR and associated data
Afterwards, a kernel thread (malware_behav_entry) performs APC injection into winlogon.exe or explorer.exe depending on the operating system version: explorer.exe on Windows XP, winlogon.exe on all other versions. On Windows 10 it additionally attempts to hook the IRP dispatch callbacks of the Storport driver object. The relevant code is shown below:
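Because the IRP filter described above hands back the legitimate boot code whenever the protected sectors are read on the running system, the on-disk layout can only be verified offline (from a disk image or from rescue media). The following scanner is an added example, not Huorong's tooling: it checks a raw image for the layout the report describes (original MBR stashed at the second sector, 54 sectors of code from the third sector, the first 0x3E sectors shielded). The partition-table plausibility check and the two constructed images are assumptions made here for illustration; the report gives the sector layout but not the byte content of the malicious sectors.

```python
"""Offline check of a raw disk image for the Voluminer MBR layout (added example)."""
import struct
import sys
from dataclasses import dataclass

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
BACKUP_LBA = 1            # report: original MBR is backed up to the second sector
PAYLOAD_FIRST_LBA = 2     # report: remaining bootkit code starts at the third sector
PAYLOAD_SECTORS = 54      # report: that code occupies 54 sectors
PROTECTED_SECTORS = 0x3E  # report: the IRP filter shields the first 0x3E sectors


def looks_like_mbr(sector: bytes) -> bool:
    """Boot signature plus at least one plausible partition entry (heuristic added here)."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    entries = [sector[446 + 16 * i:446 + 16 * (i + 1)] for i in range(4)]
    used = [e for e in entries if any(e)]
    if not used:
        return False
    for e in used:
        status, ptype = e[0], e[4]
        lba_start, lba_count = struct.unpack_from("<II", e, 8)
        if status not in (0x00, 0x80) or ptype == 0 or lba_start == 0 or lba_count == 0:
            return False
    return True


@dataclass
class ScanResult:
    sector0_is_mbr: bool            # sector 0 still parses as an MBR (true for clean and infected disks)
    backup_mbr_at_lba1: bool        # a second complete MBR sits where the report says the original is stashed
    nonzero_protected_sectors: int  # non-empty sectors in LBA 2 .. 0x3D
    suspicious: bool


def scan_image(image: bytes) -> ScanResult:
    def sector(lba: int) -> bytes:
        return image[lba * SECTOR:(lba + 1) * SECTOR]

    backup = looks_like_mbr(sector(BACKUP_LBA))
    nonzero = sum(1 for lba in range(PAYLOAD_FIRST_LBA, PROTECTED_SECTORS) if any(sector(lba)))
    # The second MBR is the decisive signal. GRUB's core.img also lives in these early
    # sectors on Linux disks, so a non-zero sector count alone is not conclusive.
    return ScanResult(looks_like_mbr(sector(0)), backup, nonzero, suspicious=backup)


# --- constructed sample images (not real Voluminer bytes) ---------------------------
def _make_mbr(boot_code: bytes) -> bytes:
    """MBR with one bootable NTFS-type partition at LBA 2048 (constructed)."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    return boot_code.ljust(446, b"\x00") + entry + b"\x00" * 48 + BOOT_SIG


def build_clean_image(total_sectors: int = 64) -> bytes:
    img = bytearray(total_sectors * SECTOR)
    img[0:SECTOR] = _make_mbr(b"\xfa\x33\xc0\x8e\xd0")  # stand-in for normal boot code
    return bytes(img)


def build_infected_image(total_sectors: int = 64) -> bytes:
    """Apply the layout from the report: original MBR -> LBA 1, 54 code sectors from LBA 2.
    Keeping the partition table in the malicious sector 0 is an assumption of this sample."""
    img = bytearray(build_clean_image(total_sectors))
    img[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR] = img[0:SECTOR]
    img[0:SECTOR] = _make_mbr(b"\xeb\xfe" + b"\x90" * 20)  # stand-in for the malicious loader
    for lba in range(PAYLOAD_FIRST_LBA, PAYLOAD_FIRST_LBA + PAYLOAD_SECTORS):
        img[lba * SECTOR:(lba + 1) * SECTOR] = b"\xcc" * SECTOR
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:      # raw image or block device, read offline
            data = f.read(PROTECTED_SECTORS * SECTOR)
    else:
        data = build_infected_image()
    print(scan_image(data))
```

Run it against an image acquired while the suspect system is not running; on the live system the filter would show the restored boot code for sector 0 and the result would be meaningless.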

APC injection code
The injected code drives its malicious logic from a configuration file requested from the C&C server and dropped locally at %SystemRoot%\Temp\ntuser.dat. The file is encrypted by XORing every byte with 0x95 and is decrypted each time it is used. The decrypted ntuser.dat configuration is shown below:

ntuser.dat configuration content
As the figure shows, the configuration has two parts, main and update. All IPs and URLs in the main part are used to download the backdoor's configuration; those in the update part are used to refresh the ntuser.dat configuration data. The configuration returned by these servers was still being updated at the time of writing. The code that downloads the backdoor configuration file cloud.txt is shown below:

Downloading the backdoor configuration
Besides the backdoor download address (the value of the exe key), the retrieved configuration contains an item named url. When enabled, this feature hooks CreateProcessW to hijack browser launch parameters, but it has not been switched on at this stage. The configuration is shown below:

Configuration
Using the download address from the figure above, the malicious code downloads the backdoor to %SystemRoot%\Temp\conhost.exe and executes it. The logic that downloads and runs the remote backdoor is shown below:

Downloading and executing the backdoor Backdoor/Voluminer
When the backdoor runs, it first drops a file containing the C&C server list (xp.dat) into C:\Program Files\Common Files, then requests the file xpxmr.dat from the servers in that list in order to update the C&C list. The xpxmr.dat data it receives is RSA-encrypted; after decryption it is written back to xpxmr.dat, which is stored in plaintext. The relevant code and data are shown below:

Updating the C&C server list
While running, the backdoor asks the C&C server for the latest malware version number and, when it detects a newer version, downloads and runs the latest build from the C&C server. If it finds that it is running on a 64-bit system, it also requests a 64-bit build of the backdoor from the C&C server and executes it locally. The relevant code is shown below:

Requesting the 64-bit build
The malware then uses the C&C server addresses in its list to download the components needed for mining. So far the only components we have seen downloaded have mining functionality, but we do not rule out other modules being downloaded in the future. After downloading, the malware verifies each component's MD5 against the contents of the md5.txt file on the C&C server. The relevant code is shown below:

Fetching remote malicious modules
Once the components are downloaded, the malware drops the mining modules and configuration files into %windir%\debug and starts mining. The code that drops the mining configuration is shown below:

Code that drops the mining configuration
Compared with the description of this backdoor in a peer vendor's report some time ago, its behaviour has changed noticeably. In the early version, the backdoor delivered to the victim was registered as a system service (service name: Windows Audio Control), opened a console window, and printed a running log in that window while it ran, before finally downloading and running the miner, so the infection was very conspicuous. In the current version the backdoor delivered to the victim is far stealthier, and users are unlikely to notice anything while it runs. A fragment of the configuration used when mining Monero is shown below:

Configuration fragment
Looking up the Monero wallet address shown above, we found that the account began receiving Monero on 20 February 2019 and has so far received about 2,867 XMR, worth roughly 2 million RMB. The Monero wallet information used by the malware is shown below:
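The file and service names collected above (ntuser.dat and conhost.exe under %SystemRoot%\Temp, xp.dat and xpxmr.dat under Common Files, mining modules under %windir%\debug, and the Windows Audio Control service of the earlier build) give a quick first-pass host check. The script below is an added example, not Huorong's tooling. It hashes each hit so the analyst can compare against the appendix; it cannot see the MBR region, which the bootkit hides from the running system, so it complements and does not replace an offline disk check. The directory tree built by demo() is constructed with dummy bytes so the logic runs on any OS; on a real Windows host pass the SystemRoot and ProgramFiles directories, as main() does.

```python
"""Host triage for the on-disk artifacts attributed to Voluminer (added example)."""
import hashlib
import os
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Paths named in the analysis, relative to %SystemRoot% and %ProgramFiles%.
SYSTEMROOT_FILES: Dict[Path, str] = {
    Path("Temp/ntuser.dat"): "XOR-0x95 encoded C&C configuration dropped by the injected code",
    Path("Temp/conhost.exe"): "Backdoor/Voluminer drop location (the real conhost.exe lives in System32)",
}
PROGRAMFILES_FILES: Dict[Path, str] = {
    Path("Common Files/xp.dat"): "initial C&C server list",
    Path("Common Files/xpxmr.dat"): "updated C&C server list, written back in plaintext",
}
MINER_DIR = Path("debug")                    # %windir%\debug receives the mining modules and configs
EXEC_SUFFIXES = {".exe", ".dll"}
EARLY_SERVICE_NAME = "Windows Audio Control"  # service name used by the earlier backdoor version


@dataclass
class Finding:
    path: str
    reason: str
    sha256: str


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_host(system_root: Path, program_files: Path) -> List[Finding]:
    findings: List[Finding] = []
    for base, table in ((system_root, SYSTEMROOT_FILES), (program_files, PROGRAMFILES_FILES)):
        for rel, why in table.items():
            p = base / rel
            if p.is_file():
                findings.append(Finding(str(p), why, sha256_of(p)))
    # %windir%\debug exists on a clean install and holds log files; executables in it are the signal.
    debug_dir = system_root / MINER_DIR
    if debug_dir.is_dir():
        for p in sorted(debug_dir.iterdir()):
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
                findings.append(Finding(str(p), "executable in %windir%\\debug (mining module drop location)",
                                        sha256_of(p)))
    return findings


def early_version_service_present() -> bool:
    """Windows only: `sc query` exits 0 when the service exists, non-zero otherwise."""
    if os.name != "nt":
        return False
    return subprocess.run(["sc", "query", EARLY_SERVICE_NAME], capture_output=True).returncode == 0


def demo() -> List[Finding]:
    """Constructed directory tree standing in for an infected host; file contents are dummy bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        sysroot, progfiles = Path(tmp) / "Windows", Path(tmp) / "Program Files"
        (sysroot / "Temp").mkdir(parents=True)
        (sysroot / "debug").mkdir()
        (progfiles / "Common Files").mkdir(parents=True)
        (sysroot / "Temp" / "ntuser.dat").write_bytes(bytes(b ^ 0x95 for b in b"[main]\r\n"))
        (sysroot / "Temp" / "conhost.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (progfiles / "Common Files" / "xp.dat").write_bytes(b"198.51.100.7:80\r\n")
        (sysroot / "debug" / "miner.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (sysroot / "debug" / "PASSWD.LOG").write_bytes(b"")  # benign log, must not be flagged
        return check_host(sysroot, progfiles)


def main() -> None:
    if os.name == "nt":
        found = check_host(Path(os.environ["SystemRoot"]), Path(os.environ["ProgramFiles"]))
        print("early-version service present:", early_version_service_present())
    else:
        found = demo()
    for f in found:
        print(f"{f.sha256}  {f.path}  ({f.reason})")


if __name__ == "__main__":
    main()
```

Run it from an elevated prompt so that %windir%\debug and Common Files are readable; any hit is a lead to confirm with an offline MBR check, not a verdict on its own.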

Monero wallet information
4. Attribution (Common-Origin) Analysis
Beyond behavioural characteristics, comparing key data in the samples revealed further indicators of common origin. For instance, when fetching mining wallet information, both the sample discussed here and a 2017 "Yinnizhe" sample (SHA256: f37a0d5f11078ef296a7c032b787f8fa485d73b0115cbd24d62cdf2c1a810625) request an encrypted data file named xmrok.txt from the C&C server, and in both cases the file is AES-encrypted. The relevant data is shown below:

Comparison of key sample logic
In addition, like the 2017 sample, the sample discussed here implements its mining functionality with the open-source xmr-stak code. The relevant data is shown below:

Comparison of mining-related data
Comparative analysis shows that, although the final malicious behaviour is identical to the 2017 sample, the new sample adds cloud-controlled functionality to its malicious logic, allowing the malware to be adjusted according to the malicious code and configuration the attackers serve from the C&C server. The new sample also protects its code more heavily than the 2017 "Yinnizhe" sample: the backdoor and the modules it distributes make extensive use of the VMProtect packer, raising the cost of analysis for security researchers. Packer information is shown below:

Packer information
The "Yinnizhe" group can be traced back to at least 2014 (see the earlier report for the basis of this dating). Its attack methods are diverse and are still being improved and strengthened, making it one of the hacking groups posing the greatest threat to the Internet. Huorong will continue to track the group and to collect and defend against all security threats associated with it.
5. Appendix
SHA256 of samples referenced in this report:

IOC: