최근에 새로운 루틴으로 암호화 하는 형태를 발견하여 분석 하였습니다.
코드를 확인한 결과 기존에 작성했던 스크립트로는 복호화가 되지 않아 조금 수정하였습니다.
(기존에 작업한 스크립트 : https://jjoon.net/page/?p=238)
수정한 코드로 작업한 내용입니다.
D:\Python Programming\Python Code\Malware\Script Analysis>wget http://wkmf.swim.org/bbs/images/top.gif
--2011-04-07 00:06:33-- http://wkmf.swim.org/bbs/images/top.gif
Resolving wkmf.swim.org (wkmf.swim.org)... 121.189.59.232
Connecting to wkmf.swim.org (wkmf.swim.org)|121.189.59.232|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 74556 (73K) [image/gif]
Saving to: `top.gif'
100%[========================================================================================>] 74,556 --.-K/s in 0.001s
2011-04-07 00:06:33 (104 MB/s) - `top.gif' saved [74556/74556]
D:\Python Programming\Python Code\Malware\Script Analysis>xor.py top.gif
ByJJoon XOR Decoder!
[+] Start
[+] Find XOR key : 0xDC
[+] Find ADD key : 0x24
[+] Create PE file : top.gif_xor
[+] End
D:\Python Programming\Python Code\Malware\Script Analysis>file top.gif
top.gif: data
D:\Python Programming\Python Code\Malware\Script Analysis>file top.gif_xor
top.gif_xor: PE32 executable (GUI) Intel 80386, for MS Windows
D:\Python Programming\Python Code\Malware\Script Analysis>md5sum top.gif_xor
3820a8b66897dc795ada1b8de195a732 *top.gif_xor위 샘플 진단 결과 입니다.
http://www.virustotal.com/file-scan/report.html?id=64267a2d3f1e836b2d6fee8020e8a104cfc7e8254930841836ef2c38451523b9-1302078258
