
Ransomware Sample Analysis (5) Buster Sandbox Analyzer: RegDiff

by 꼬부기가우는소리 2016. 7. 6.


Analysis with Buster Sandbox Analyzer (5)

[ RegDiff.txt ]

Analysis environment: Windows 7


RegDiff.txt lists the registry keys and values that were added or changed while the sample ran, compared with the snapshot taken before execution. Each entry below has the form hive\key path\value name = data, where machine\... is HKLM and user\current\... is HKCU.


The ransomware copies itself. The rdsytpf.exe in the path below (...\Roaming) is a copy of the original ransomware sample.




machine\software\microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966CECC95C1874194CA7203F9B6200300000001000000140000000563B8630D62D75ABBC8AB1E4BDFB5A899B24D431D00000001000000100000004F5F106930398D09107B40C3C7CA8F1C0B000000010000001200000044006900670069004300650072007400000014000000010000001400000045EBA2AFF492CB82312D518BA7A7219DF36DC80F6200000001000000200000003E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C5300000001000000230000003021301F06096086480186FD6C020130123010060A2B0601040182373C0101030200C0090000000100000034000000303206082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030306082B060105050703080F00000001000000140000006DCA5BD00DCF1C0F327059D374B29CA6E3C50AA62000000001000000BB030000308203B73082029FA00302010202100CE7E0E517D846FE8FE560FC1BF03039300D06092A864886F70D01010505003065310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D312430220603550403131B4469676943657274204173737572656420494420526F6F74204341301E170D3036313131303030303030305A170D3331313131303030303030305A3065310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D312430220603550403131B4469676943657274204173737572656420494420526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100AD0E15CEE443805CB187F3B760F97112A5AEDC269488AAF4CEF520392858600CF880DAA9159532613CB5B128848A8ADC9F0A0C83177A8F90AC8AE779535C31842AF60F98323676CCDEDD3CA8A2EF6AFB21F25261DF9F20D71FE2B1D9FE1864D2125B5FF9581835BC47CDA136F96B7FD4B0383EC11BC38C33D9D82F18FE280FB3A783D6C36E44C061359616FE599C8B766DD7F1A24B0D2BFF0B72DA9E60D08E9035C678558720A1CFE56D0AC8497C3198336C22E987D0325AA2BA138211ED39179D993A72A1E6FAA4D9D5173175AE857D22AE3F014686F62879C8B1DAE45717C47E1C0EB0B492A656B3BDB297EDAAA7F0B7C5A83F9516D0FFA196EB085F18774F0203010001A3633061300E0603551D0F0101FF04
0403020186300F0603551D130101FF040530030101FF301D0603551D0E0416041445EBA2AFF492CB82312D518BA7A7219DF36DC80F301F0603551D2304183016801445EBA2AFF492CB82312D518BA7A7219DF36DC80F300D06092A864886F70D01010505000382010100A20EBCDFE2EDF0E372737A6494BFF77266D832E4427562AE87EBF2D5D9DE56B39FCCCE1428B90D97605C124C58E4D33D834945589735691AA847EA56C679AB12D8678184DF7F093C94E6B8262C20BD3DB32889F75FFF22E297841FE965EF87E0DFC16749B35DEBB2092AEB26ED78BE7D3F2BF3B726356D5F8901B6495B9F01059BAB3D25C1CCB67FC2F16F86C6FA6468EB812D94EB42B7FA8C1EDD62F1BE5067B76CBDF3F11F6B0C3607167F377CA95B6D7AF112466083D72704BE4BCE97BEC3672A6811DF80E70C3366BF130D146EF37F1F63101EFA8D1B256D6C8FA5B76101B1D2A326A110719DADE2C3F9C39951B72B0708CE2EE650B2A7FA0A452FA2F0F2


machine\software\microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (binary blob omitted)

The two AuthRoot\Certificates\<thumbprint>\Blob entries are not something the sample wrote on purpose. This key is the cache that Windows' automatic root certificate update fills when certificate-chain building needs a root CA that is not yet on the machine, which typically happens during an HTTPS connection. Read them as a sign that the sample (or something it triggered) made a TLS connection, not as persistence; the blob itself is just a root certificate (the first one carries the name "DigiCert" in its data).


machine\software\microsoft\Tracing\rdsytpf_RASAPI32\FileTracingMask = FFFF0000


machine\software\microsoft\Tracing\rdsytpf_RASAPI32\ConsoleTracingMask = FFFF0000


machine\software\microsoft\Tracing\rdsytpf_RASAPI32\MaxFileSize = 00100000


machine\software\microsoft\Tracing\rdsytpf_RASAPI32\FileDirectory = %windir%\tracing


machine\software\microsoft\Tracing\rdsytpf_RASMANCS\FileTracingMask = FFFF0000


machine\software\microsoft\Tracing\rdsytpf_RASMANCS\ConsoleTracingMask = FFFF0000


machine\software\microsoft\Tracing\rdsytpf_RASMANCS\MaxFileSize = 00100000


machine\software\microsoft\Tracing\rdsytpf_RASMANCS\FileDirectory = %windir%\tracing

The Tracing\rdsytpf_RASAPI32 and Tracing\rdsytpf_RASMANCS values are likewise created by Windows, not by the malware: the first time a process loads the RAS API (rasapi32.dll), which WinINet-based networking code does, Windows creates a Tracing\<image name>_RASAPI32 key with these default masks. Because the key is named after the process, it shows that it was the dropped copy rdsytpf.exe that loaded the networking API, i.e. that it went out to the network. What it sent is not in RegDiff.txt; that has to be read from the network and API logs.


machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete = 00000001


machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\UseGlobalSettings = 00000001


machine\software\microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = 00000001

Three of the settings here change what the victim can recover and what the malware can reach. NukeOnDelete = 1 under Explorer\BitBucket tells the Recycle Bin to remove deleted files immediately instead of holding them, and UseGlobalSettings = 1 applies that across volumes, so originals the ransomware deletes after writing the encrypted copies cannot be pulled back from the Recycle Bin (the per-user, per-volume counterpart appears further down under user\current\...\BitBucket\Volume\{...}). EnableLinkedConnections = 1 under Policies\System makes network drives mapped under the user's standard token also visible to the elevated (UAC) token, so a process running elevated can see, and encrypt, mapped network shares it otherwise would not.


machine\software\microsoft\Windows\CurrentVersion\Run\AVrSvc = C:\Users\kitri\AppData\Roaming\rdsytpf.exe

The dropped copy rdsytpf.exe is registered for autorun under the value name AVrSvc, a name that reads like an antivirus service.

Once the sample has run, this entry starts it again at every boot, so files created after the initial infection are encrypted as well. The autorun key is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (machine\software\... in RegDiff notation); the same value is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run further down, so the persistence survives even if only one of the two is cleaned.




machine\software\microsoft\Windows\Windows Error Reporting\DontShowUI = 00000001


machine\software\microsoft\Windows\Windows Error Reporting\LocalDumps = created registry key

DontShowUI = 1 under Windows Error Reporting suppresses the crash dialog, so if rdsytpf.exe faults the user sees nothing; the LocalDumps key created next to it is the machine-wide WER crash-dump configuration.


user\current\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{3d9edd58-a290-11e5-97c0-806e6f6e6963}\NukeOnDelete = 00000001


user\current\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = (binary value omitted)


user\current\software\Microsoft\Windows\CurrentVersion\Run\AVrSvc = C:\Users\kitri\AppData\Roaming\rdsytpf.exe


user\current\software\Microsoft\Windows\CurrentVersion\SET\data = (binary value omitted)


user\current\software\SandboxAutoExec  = 31


user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie\SandboxieRpcSs.exe = Sandboxie COM Services (RPC)


user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\notepad.exe = Notepad


user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\kitri\Desktop\99fc04d82877aea0247286d41186b985ab773b19c8cef8786ffc1fa50e35af29\99fc04d82877aea0247286d41186b985ab773b19c8cef8786ffc1fa50e35af29.exe = new

The sample is registered as a startup program. To confirm this on the analysis VM, open the Run dialog (Win + R), type msconfig, and look at the Startup tab; the AVrSvc entry pointing at C:\Users\kitri\AppData\Roaming\rdsytpf.exe should be listed there.




user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\kitri\DefaultBox\user\current\AppData\Roaming\rdsytpf.exe = new


user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\cmd.exe = Windows Command Processor


user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\vssadmin.exe = Command Line Interface for Microsoft Volume Shadow Copy Service

MuiCache entries are written when the shell resolves the display name of an executable, which in practice means the program was launched, so this part of the diff is an execution trail: the original sample on the Desktop, the dropped copy rdsytpf.exe, notepad.exe (the usual way a ransomware displays its note), cmd.exe and vssadmin.exe. vssadmin.exe is the command-line front end to the Volume Shadow Copy Service; ransomware runs it to delete the shadow copies so that encrypted files cannot be restored from previous versions. RegDiff only shows that it ran; the exact command line, and whether it was started through cmd.exe, has to be read from the process and API logs. The SandboxieRpcSs.exe entry belongs to the sandbox itself and can be ignored.


The computer name is collected from the registry.
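As an added example (not part of the original post and not Buster Sandbox Analyzer's own code), the script below parses RegDiff.txt lines of the form hive\key path\value name = data, drops the entries that Windows or the sandbox wrote on their own, and tags the rest with the behaviour they indicate, so the analyst lands directly on the persistence, anti-recovery and execution evidence discussed above. The sample lines are constructed from the listing on this page (blobs shortened); the tag names, the noise filters and the mapping of Sandboxie's hive notation to HKLM/HKCU are this example's own assumptions, and the autorun rule also covers RunOnce, which this sample did not use.

```python
"""Triage of a Buster Sandbox Analyzer RegDiff.txt listing (added example).

Every RegDiff line has the shape  hive\key path\value name = data.
Background noise is dropped, the rest is tagged with what it indicates.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the listing above, blobs shortened.
SAMPLE_REGDIFF = r"""
machine\software\microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 1900000001000000...
machine\software\microsoft\Tracing\rdsytpf_RASAPI32\FileTracingMask = FFFF0000
machine\software\microsoft\Tracing\rdsytpf_RASMANCS\FileDirectory = %windir%\tracing
machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete = 00000001
machine\software\microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = 00000001
machine\software\microsoft\Windows\CurrentVersion\Run\AVrSvc = C:\Users\kitri\AppData\Roaming\rdsytpf.exe
machine\software\microsoft\Windows\Windows Error Reporting\DontShowUI = 00000001
machine\software\microsoft\Windows\Windows Error Reporting\LocalDumps = created registry key
user\current\software\Microsoft\Windows\CurrentVersion\Run\AVrSvc = C:\Users\kitri\AppData\Roaming\rdsytpf.exe
user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie\SandboxieRpcSs.exe = Sandboxie COM Services (RPC)
user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\notepad.exe = Notepad
user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\cmd.exe = Windows Command Processor
user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\vssadmin.exe = Command Line Interface for Microsoft Volume Shadow Copy Service
"""

# Sandboxie/BSA hive notation -> what regedit shows (assumed mapping).
HIVE_PREFIXES = (
    ("user\\current_classes\\", "HKCU\\Software\\Classes\\"),
    ("user\\current\\", "HKCU\\"),
    ("machine\\", "HKLM\\"),
)

# Written by Windows or by the sandbox, not by the sample on purpose.
NOISE = (
    re.compile(r"\\SystemCertificates\\AuthRoot\\Certificates\\", re.I),  # auto root update cache
    re.compile(r"Sandboxie", re.I),                                         # sandbox's own binaries
)

# (pattern on the key path, tag, meaning). Tags in DWORD_TAGS only fire when data == 1.
DWORD_TAGS = {"anti-recovery", "lateral-reach", "stealth"}
RULES = (
    (re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),
     "persistence", "autorun entry, starts the program again at every logon"),
    (re.compile(r"\\BitBucket\\.*NukeOnDelete$", re.I),
     "anti-recovery", "deleted files bypass the Recycle Bin"),
    (re.compile(r"\\Policies\\System\\EnableLinkedConnections$", re.I),
     "lateral-reach", "mapped network drives visible to elevated processes"),
    (re.compile(r"\\Windows Error Reporting\\DontShowUI$", re.I),
     "stealth", "crash dialogs suppressed"),
    (re.compile(r"\\Tracing\\[^\\]+_RAS(API32|MANCS)\\", re.I),
     "network", "process loaded the RAS/WinINet API, i.e. used the network"),
    (re.compile(r"\\MuiCache\\.*\\vssadmin\.exe$", re.I),
     "shadow-copies", "Volume Shadow Copy admin tool was launched"),
    (re.compile(r"\\MuiCache\\.*\\[^\\]+$", re.I),
     "executed", "shell resolved the program's name, usually because it ran"),
)


@dataclass(frozen=True)
class Finding:
    tag: str
    path: str
    data: str
    note: str


def to_regedit_path(path: str) -> str:
    """Rewrite BSA's hive prefix into the HKLM/HKCU form regedit shows."""
    low = path.lower()
    for prefix, hive in HIVE_PREFIXES:
        if low.startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse_line(line: str):
    """Split one RegDiff line into (path, data); None for blank or unparsable lines."""
    line = line.strip()
    if " = " not in line:
        return None
    path, data = line.split(" = ", 1)
    return path.strip(), data.strip()


def triage(text: str) -> list:
    """Return the tagged, noise-free findings for a RegDiff.txt body."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        path, data = parsed
        if any(n.search(path) for n in NOISE):
            continue
        for pattern, tag, note in RULES:
            if not pattern.search(path):
                continue
            if tag in DWORD_TAGS and data.lstrip("0") != "1":
                break  # the policy is present but switched off: not worth reporting
            findings.append(Finding(tag, to_regedit_path(path), data, note))
            break  # first matching rule wins
    return findings


def persistence_targets(findings) -> list:
    """Distinct executables registered for autorun: the dropped copies to collect."""
    return sorted({f.data for f in findings if f.tag == "persistence"})


if __name__ == "__main__":
    for f in triage(SAMPLE_REGDIFF):
        print(f"[{f.tag:<13}] {f.path}\n{'':16}= {f.data}   ({f.note})")
    print("autorun targets:", persistence_targets(triage(SAMPLE_REGDIFF)))
```

For a real report, pass the contents of RegDiff.txt to triage() instead of SAMPLE_REGDIFF. The first matching rule wins, so the specific vssadmin.exe rule sits before the generic MuiCache rule; the same ordering is how you would add rules for other tools worth naming (bcdedit.exe, wbadmin.exe) without losing the generic execution trail.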




