1. Introduction

With the vast amount of communication traffic in today's internet environment, security researchers inevitably encounter non-plaintext data when analyzing traffic. Traffic generated by our own software is easy to interpret from its characteristics, but a great deal of traffic is malicious. When you see such traffic, can you work out what content it is actually transmitting?

The communication traffic as a whole is barely readable, and it is impossible to tell what the malicious traffic is transmitting just by looking at it.

For content like this, detection rules cannot be extracted through traffic-layer analysis alone.

Next, let's recover the meaning of the transmitted data from a reverse-engineering perspective.

2. Behavior Analysis

2.1 Overall Flow Chart

The overall execution process of the sample is as follows:

2.2 Release Lure Document

First, when the sample is run, it drops and opens a lure document to deceive the victim.

It then drops a second file and, through a chain of DLL calls, loads the final malicious DLL, which registers a service and carries out the malicious communication.

2.3 Locate the Final Payload

The Trojan's behavior is shown below; the suspicious activity is detected as follows.

The corresponding service is then located in the service list through this file.

3. Reverse Engineering

3.1 Key Function Location

Locate the target DLL and perform reverse-engineering analysis; its export functions are as follows:

Enter the ServiceMain function for analysis and locate the main malicious code function.

3.2 Service Registration and Startup

First, the service name is created: Net1Service, which is identical to the service name located earlier with Huorong Sword (火绒剑).

3.3 Thread Creation

The main function of the malicious code creates a thread, and all operations are performed in the thread's callback function.

3.4 Backtracking Function Call

The thread callback function calls the target function indirectly through a memory address, which hurts readability and makes reverse analysis harder.

Cross-referencing back to the position where the function pointer is assigned:

3.5 Mutex Creation

Before running the malicious code, it checks whether the target mutex exists. If it exists, it does not continue infecting the current host; otherwise, it creates the mutex and executes the subsequent malicious code.

Through dynamic debugging, it is confirmed that the function at 'v3+16' is the online (check-in) packet processing function.

3.6 C2 Resolution

Inside the function, it first performs DNS resolution on the target C2 and, once resolution succeeds, obtains the target IP address.

3.7 Online Package Data Acquisition

That address is then used when collecting the information for the online packet.

First, the MAC address of the victim's host is obtained and formatted with "%02x".

The formatted MAC address string is then written at offset 0x04 of the online packet data.

The GetUserInfo function is then responsible for collecting the rest of the online packet data.

The data after acquisition is concatenated as shown in the figure below:

It includes the MAC address of the victim's host, CPU frequency, CPU core count, physical memory size, country/language region, computer name, system version, and so on. Notably, when obtaining the victim's country/language region, this Trojan uses the code page number to judge the language region indirectly.

3.8 Encryption Function Analysis

After the data has been collected, the encryption function encrypts the entire plaintext online packet. The encryption used is a simple XOR with the single-byte key 0xf7.

The encrypted data is as follows, and it matches the communication traffic data in the original pcap capture.

Once encryption is complete, the online packet is sent; its size is 474 bytes.

This matches exactly the packet size captured in Wireshark.

4. Decrypt and Restore the Original Data

Through the detailed reverse engineering above, all of the communication traffic data has been decrypted and restored. The table below shows the structure of the online packet and the meaning of each field.

Overall data structure restoration:

Offset      Size       Meaning
Buf[0]      4 bytes    Fixed hard-coded value
Buf[4]      /          Victim MAC address
Buf[17]     4 bytes    Victim CPU main frequency
Buf[21]     4 bytes    Victim physical memory size
Buf[29]     4 bytes    Victim country location
Buf[33]     4 bytes    Victim country location
Buf[41]     4 bytes    Victim operating system version
Buf[45]     4 bytes    Victim CPU core number
Buf[218]    /          Victim computer name
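As an added example (not code from the original article or the sample itself), the decoder below applies the XOR key from section 3.8 and the offsets from the table above to a 474-byte online packet. The fixed header value, little-endian integer encoding, memory being expressed in MB and the sample field contents are assumptions; the packet is constructed in the block so it runs offline.

```python
import struct

PACKET_SIZE = 474   # online packet size confirmed in the Wireshark capture
XOR_KEY = 0xF7      # single-byte XOR key recovered in section 3.8

# Field layout from the table in section 4: (name, offset, size).
# The 13-byte MAC slot holds "%02x" * 6 = 12 hex chars plus a NUL terminator.
FIELDS = [
    ("header", 0, 4), ("mac", 4, 13), ("cpu_mhz", 17, 4), ("ram_mb", 21, 4),
    ("country1", 29, 4), ("country2", 33, 4), ("os_version", 41, 4),
    ("cpu_cores", 45, 4), ("hostname", 218, PACKET_SIZE - 218),
]


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def parse_checkin(plain: bytes) -> dict:
    """Split a decrypted online packet into the fields listed in the table."""
    if len(plain) != PACKET_SIZE:
        raise ValueError(f"expected {PACKET_SIZE} bytes, got {len(plain)}")
    out = {}
    for name, off, size in FIELDS:
        chunk = plain[off:off + size]
        if name == "header":
            out[name] = chunk.hex()
        elif size == 4:
            out[name] = struct.unpack("<I", chunk)[0]   # little-endian assumed
        else:
            out[name] = chunk.split(b"\x00", 1)[0].decode("ascii", "replace")
    return out


def decrypt_checkin(captured: bytes) -> dict:
    """What an analyst runs on the raw TCP payload extracted from the pcap."""
    return parse_checkin(xor_bytes(captured))


def build_sample_packet() -> bytes:
    """Constructed sample (not real capture data): plaintext laid out per the
    table, then XOR-encrypted the same way the sample does before sending."""
    buf = bytearray(PACKET_SIZE)
    buf[0:4] = b"\x01\x00\x00\x00"                 # placeholder fixed header
    buf[4:16] = b"001122aabbcc"                    # MAC formatted with %02x
    struct.pack_into("<II", buf, 17, 2400, 16384)  # CPU MHz, RAM (MB assumed)
    struct.pack_into("<II", buf, 29, 936, 2052)    # code page / locale ids
    struct.pack_into("<II", buf, 41, 10, 8)        # OS version, CPU cores
    buf[218:229] = b"WIN-TEST-PC"                  # hostname, NUL padded
    return xor_bytes(bytes(buf))
```

Because the key is a single fixed byte, the encrypted fixed header is the same in every check-in, which is what makes a byte-pattern detection rule possible where plain traffic analysis failed.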

5. Summary

This article restores the real communication data hidden in malicious traffic from a reverse-engineering perspective. The key idea is to locate the process (PID) that generates the target traffic, then reverse and debug it to locate and restore the data structure.
