TT Malware Log

A "personal" investigation / research / reference log on malware / cyber attacks / analysis techniques

CCleaner Command and Control Causes Concern

【Blog】

◆CCleaner Command and Control Causes Concern (TALOS, 2017/09/20)
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html


【Information about the attacker】

  • CCBkdr.dll
    • 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f
  • Malware used by APT17/Group 72
    • 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2
  • Similarity
    • Part of the code is extremely similar

■2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f (CCleaner)

.text:1000121D ; =============== S U B R O U T I N E =======================================
.text:1000121D
.text:1000121D ; Attributes: bp-based frame
.text:1000121D
.text:1000121D sub_1000121D proc near ; CODE XREF: sub_1000252E+114p
.text:1000121D ; sub_1000252E+13Ep
.text:1000121D
.text:1000121D var_4 = dword ptr -4
.text:1000121D arg_0 = dword ptr 8
.text:1000121D arg_4 = dword ptr 0Ch
.text:1000121D arg_8 = dword ptr 10h
.text:1000121D arg_C = dword ptr 14h
.text:1000121D
.text:1000121D 000 55 push ebp
.text:1000121E 004 8B EC mov ebp, esp
.text:10001220 004 51 push ecx
.text:10001221 008 56 push esi
.text:10001222 00C 57 push edi
.text:10001223 010 8B 7D 08 mov edi, [ebp+arg_0]
.text:10001226 010 85 FF test edi, edi ; Logical Compare
.text:10001228 010 0F 84 3F 01 00 00 jz loc_1000136D ; Jump if Zero (ZF=1)
.text:1000122E 010 83 7D 0C 00 cmp [ebp+arg_4], 0 ; Compare Two Operands
.text:10001232 010 0F 84 35 01 00 00 jz loc_1000136D ; Jump if Zero (ZF=1)
.text:10001238 010 8B 45 0C mov eax, [ebp+arg_4]
.text:1000123B 010 6A 03 push 3
.text:1000123D 014 33 D2 xor edx, edx ; Logical Exclusive OR
.text:1000123F 014 59 pop ecx
.text:10001240 010 F7 F1 div ecx ; Unsigned Divide
.text:10001242 010 6A 03 push 3
.text:10001244 014 33 D2 xor edx, edx ; Logical Exclusive OR
.text:10001246 014 5E pop esi
.text:10001247 010 8B C8 mov ecx, eax
.text:10001249 010 8B 45 0C mov eax, [ebp+arg_4]
.text:1000124C 010 F7 F6 div esi ; Unsigned Divide
.text:1000124E 010 8B C1 mov eax, ecx
.text:10001250 010 C1 E0 02 shl eax, 2 ; Shift Logical Left
.text:10001253 010 89 45 08 mov [ebp+arg_0], eax
.text:10001256 010 85 D2 test edx, edx ; Logical Compare
.text:10001258 010 89 55 FC mov [ebp+var_4], edx
.text:1000125B 010 74 06 jz short loc_10001263 ; Jump if Zero (ZF=1)
.text:1000125D 010 83 C0 04 add eax, 4 ; Add
.text:10001260 010 89 45 08 mov [ebp+arg_0], eax
.text:10001263
.text:10001263 loc_10001263: ; CODE XREF: sub_1000121D+3Ej
.text:10001263 010 8B 75 10 mov esi, [ebp+arg_8]
.text:10001266 010 85 F6 test esi, esi ; Logical Compare
.text:10001268 010 75 0E jnz short loc_10001278 ; Jump if Not Zero (ZF=0)
.text:1000126A 010 39 75 14 cmp [ebp+arg_C], esi ; Compare Two Operands
.text:1000126D 010 0F 85 FA 00 00 00 jnz loc_1000136D ; Jump if Not Zero (ZF=0)
.text:10001273 010 E9 F7 00 00 00 jmp loc_1000136F ; Jump
.text:10001278 ; ---------------------------------------------------------------------------

■0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2

.text:00401016 ; =============== S U B R O U T I N E =======================================
.text:00401016
.text:00401016 ; Attributes: bp-based frame
.text:00401016
.text:00401016 sub_401016 proc near ; CODE XREF: sub_4014CD+18Dp
.text:00401016 ; sub_4014CD+1A6p
.text:00401016
.text:00401016 var_4 = dword ptr -4
.text:00401016 arg_0 = dword ptr 8
.text:00401016 arg_4 = dword ptr 0Ch
.text:00401016 arg_8 = dword ptr 10h
.text:00401016 arg_C = dword ptr 14h
.text:00401016
.text:00401016 000 55 push ebp
.text:00401017 004 8B EC mov ebp, esp
.text:00401019 004 51 push ecx
.text:0040101A 008 56 push esi
.text:0040101B 00C 57 push edi
.text:0040101C 010 8B 7D 08 mov edi, [ebp+arg_0]
.text:0040101F 010 85 FF test edi, edi ; Logical Compare
.text:00401021 010 0F 84 3F 01 00 00 jz loc_401166 ; Jump if Zero (ZF=1)
.text:00401027 010 83 7D 0C 00 cmp [ebp+arg_4], 0 ; Compare Two Operands
.text:0040102B 010 0F 84 35 01 00 00 jz loc_401166 ; Jump if Zero (ZF=1)
.text:00401031 010 8B 45 0C mov eax, [ebp+arg_4]
.text:00401034 010 6A 03 push 3
.text:00401036 014 33 D2 xor edx, edx ; Logical Exclusive OR
.text:00401038 014 59 pop ecx
.text:00401039 010 F7 F1 div ecx ; Unsigned Divide
.text:0040103B 010 6A 03 push 3
.text:0040103D 014 33 D2 xor edx, edx ; Logical Exclusive OR
.text:0040103F 014 5E pop esi
.text:00401040 010 8B C8 mov ecx, eax
.text:00401042 010 8B 45 0C mov eax, [ebp+arg_4]
.text:00401045 010 F7 F6 div esi ; Unsigned Divide
.text:00401047 010 8B C1 mov eax, ecx
.text:00401049 010 C1 E0 02 shl eax, 2 ; Shift Logical Left
.text:0040104C 010 89 45 08 mov [ebp+arg_0], eax
.text:0040104F 010 85 D2 test edx, edx ; Logical Compare
.text:00401051 010 89 55 FC mov [ebp+var_4], edx
.text:00401054 010 74 06 jz short loc_40105C ; Jump if Zero (ZF=1)
.text:00401056 010 83 C0 04 add eax, 4 ; Add
.text:00401059 010 89 45 08 mov [ebp+arg_0], eax
.text:0040105C
.text:0040105C loc_40105C: ; CODE XREF: sub_401016+3Ej
.text:0040105C 010 8B 75 10 mov esi, [ebp+arg_8]
.text:0040105F 010 85 F6 test esi, esi ; Logical Compare
.text:00401061 010 75 0E jnz short loc_401071 ; Jump if Not Zero (ZF=0)
.text:00401063 010 39 75 14 cmp [ebp+arg_C], esi ; Compare Two Operands
.text:00401066 010 0F 85 FA 00 00 00 jnz loc_401166 ; Jump if Not Zero (ZF=0)
.text:0040106C 010 E9 F7 00 00 00 jmp loc_401168 ; Jump
.text:00401071 ; ---------------------------------------------------------------------------
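
Added example (my own script, not part of this log, the Talos post, or either sample): two checks an analyst can automate on the two IDA listings above. First, the arithmetic of sub_1000121D / sub_401016 is re-implemented in Python (divide arg_4 by 3, multiply the quotient by 4, add 4 when the remainder is non-zero) and compared against the padded base64 output length; reading the routine as a base64 size helper is my inference from the listing, not something the log states. Second, both listings are normalized (addresses, stack depth and relative labels such as loc_/sub_ dropped) and the instruction streams and raw opcode bytes are compared, which is the kind of measurement behind the "extremely similar" observation. The two excerpts are copied from the listings on this page; function names (parse_listing, similarity, encoded_length, matches_base64) are mine.

```python
import base64
import difflib
import re

# Excerpts copied from the two listings on this page: the CCleaner CCBkdr.dll
# routine (sub_1000121D) and the APT17/Group 72 routine (sub_401016).
CCLEANER_EXCERPT = """\
.text:10001238 010 8B 45 0C mov eax, [ebp+arg_4]
.text:1000123B 010 6A 03 push 3
.text:1000123D 014 33 D2 xor edx, edx ; Logical Exclusive OR
.text:1000123F 014 59 pop ecx
.text:10001240 010 F7 F1 div ecx ; Unsigned Divide
.text:10001242 010 6A 03 push 3
.text:10001244 014 33 D2 xor edx, edx ; Logical Exclusive OR
.text:10001246 014 5E pop esi
.text:10001247 010 8B C8 mov ecx, eax
.text:10001249 010 8B 45 0C mov eax, [ebp+arg_4]
.text:1000124C 010 F7 F6 div esi ; Unsigned Divide
.text:1000124E 010 8B C1 mov eax, ecx
.text:10001250 010 C1 E0 02 shl eax, 2 ; Shift Logical Left
.text:10001253 010 89 45 08 mov [ebp+arg_0], eax
.text:10001256 010 85 D2 test edx, edx ; Logical Compare
.text:10001258 010 89 55 FC mov [ebp+var_4], edx
.text:1000125B 010 74 06 jz short loc_10001263 ; Jump if Zero (ZF=1)
.text:1000125D 010 83 C0 04 add eax, 4 ; Add
.text:10001260 010 89 45 08 mov [ebp+arg_0], eax
"""

APT17_EXCERPT = """\
.text:00401031 010 8B 45 0C mov eax, [ebp+arg_4]
.text:00401034 010 6A 03 push 3
.text:00401036 014 33 D2 xor edx, edx ; Logical Exclusive OR
.text:00401038 014 59 pop ecx
.text:00401039 010 F7 F1 div ecx ; Unsigned Divide
.text:0040103B 010 6A 03 push 3
.text:0040103D 014 33 D2 xor edx, edx ; Logical Exclusive OR
.text:0040103F 014 5E pop esi
.text:00401040 010 8B C8 mov ecx, eax
.text:00401042 010 8B 45 0C mov eax, [ebp+arg_4]
.text:00401045 010 F7 F6 div esi ; Unsigned Divide
.text:00401047 010 8B C1 mov eax, ecx
.text:00401049 010 C1 E0 02 shl eax, 2 ; Shift Logical Left
.text:0040104C 010 89 45 08 mov [ebp+arg_0], eax
.text:0040104F 010 85 D2 test edx, edx ; Logical Compare
.text:00401051 010 89 55 FC mov [ebp+var_4], edx
.text:00401054 010 74 06 jz short loc_40105C ; Jump if Zero (ZF=1)
.text:00401056 010 83 C0 04 add eax, 4 ; Add
.text:00401059 010 89 45 08 mov [ebp+arg_0], eax
"""

# One IDA instruction line: address, stack depth, opcode bytes, mnemonic,
# optional operands, optional "; comment". Label-only lines do not match.
_INSN = re.compile(
    r"^\.text:([0-9A-F]{8}) [0-9A-F]{3} ((?:[0-9A-F]{2} )+)(\w+)(?: ([^;]*?))?\s*(?:;.*)?$"
)
_LABEL = re.compile(r"\b(?:loc|sub)_[0-9A-F]+\b")


def parse_listing(text):
    """Return [(opcode_hex, mnemonic, operands)] per instruction line, with
    relative labels replaced by a placeholder so the image base is irrelevant."""
    out = []
    for line in text.splitlines():
        m = _INSN.match(line)
        if m:
            opcode = m.group(2).replace(" ", "")
            operands = _LABEL.sub("LABEL", (m.group(4) or "").strip())
            out.append((opcode, m.group(3), operands))
    return out


def similarity(a, b):
    """(normalized instruction similarity, raw opcode-byte similarity), each 0..1."""
    ia, ib = parse_listing(a), parse_listing(b)
    sem = difflib.SequenceMatcher(None, [x[1:] for x in ia], [x[1:] for x in ib]).ratio()
    raw = difflib.SequenceMatcher(None, [x[0] for x in ia], [x[0] for x in ib]).ratio()
    return sem, raw


def encoded_length(n):
    """Arithmetic of the routine: (n / 3) << 2, plus 4 if n % 3 != 0
    (the 'add eax, 4' path taken when edx is non-zero)."""
    quotient, remainder = divmod(n, 3)
    size = quotient << 2
    if remainder:
        size += 4
    return size


def matches_base64(max_len=64):
    """True if encoded_length(n) equals len(base64(n bytes)) for 0..max_len."""
    return all(encoded_length(n) == len(base64.b64encode(b"A" * n)) for n in range(max_len + 1))


if __name__ == "__main__":
    sem, raw = similarity(CCLEANER_EXCERPT, APT17_EXCERPT)
    print(f"instruction similarity {sem:.2f}, opcode-byte similarity {raw:.2f}")
    print("matches padded base64 length:", matches_base64())
```

On these excerpts the opcode bytes, including the relative jump displacements, are identical, which is a stronger signal than mnemonic-level similarity alone, since relocated but recompiled code would typically differ in register allocation or displacements. For a whole binary the same normalization can be applied per function and the ratios ranked, which is how one turns a visual "looks the same" into a number that can be tracked across samples.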


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2022