CN111767540A - Automatic analysis method and device for Jart malicious software and computer readable storage medium - Google Patents


Info

Publication number: CN111767540A
Application number: CN202010644694.8A
Authority: CN (China)
Prior art keywords: file, decrypted, decryption, type, file type
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Original language: Chinese (zh)
Inventors: 陆嘉杰, 范渊
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd
Current assignee (as listed): DBAPPSecurity Co Ltd; Hangzhou Dbappsecurity Technology Co Ltd
Priority application: CN202010644694.8A
Publication: CN111767540A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection

Abstract

The application relates to a method and a device for automatically analyzing Jart malicious software and a computer-readable storage medium, wherein the method for automatically analyzing the Jart malicious software comprises the following steps: obtaining a Trojan horse sample; analyzing the Trojan horse sample to obtain a decrypted file; detecting the file type of the decrypted file, wherein the file type comprises a first file type, a second file type and a third file type; and if the decrypted file is of the first file type, analyzing the file information of the decrypted file. According to the method and the device, the Trojan horse sample is analyzed to obtain the decrypted file, the file information of the decrypted file is analyzed according to the file type of the decrypted file, the problem that the Trojan horse sample of a remote control Trojan horse family cannot be decrypted and analyzed is solved, and the Trojan horse sample is automatically analyzed to obtain the file information.

Description

Automatic analysis method and device for Jart malicious software and computer readable storage medium
Technical Field
The present application relates to the field of internet detection technologies, and in particular, to a method and an apparatus for automatically analyzing a Jart malware, and a computer-readable storage medium.
Background
The evolution of computer networking has brought a proliferation of attacks by malicious software (malware). Malware includes viruses, worms, trojan horses, spyware, rootkits, denial-of-service (DDoS) bots and other malicious programs. Malware is often installed on a computer when its browser communicates with a malicious web site that exploits a vulnerability in the browser: when a user visits a malicious web page, defects in the browser, in automatically launched helper programs or in browser extensions may allow the page to install malware silently, so that the user is unaware of the installation.
As network attack and defence techniques have developed, remote-control trojans (RATs) have become steadily more sophisticated: such a remote-control system not only runs across operating systems (macOS, Linux, Windows and the various BSDs) but can also launch DDoS attacks. A large number of APT cases show that remote-control trojans are the main type of botnet trojan in use today, and to evade monitoring by security staff they usually combine a domain generation algorithm (DGA) that continuously produces thousands of C&C domain names, which greatly hinders the tracking and attribution of intrusions. Once infected with the remote-control trojan, the compromised host becomes part of the botnet, and the trojan can use the zombie hosts' network and hardware resources to launch high-volume DDoS attacks, with serious impact on network security. When analysing samples of this remote-control trojan family, security practitioners find that the samples are protected by layered encryption that they are unable to decrypt, so the sample's configuration information, remote-control (C&C) address and trojan characteristics cannot be obtained.
At present, no effective solution has been proposed in the related art for the problem that trojan samples of this remote-control trojan family cannot be decrypted and analysed.
Disclosure of Invention
The embodiment of the application provides a method and a device for automatically analyzing Jart malicious software and a computer readable storage medium, so as to at least solve the problem that a Trojan sample of a remote control Trojan family in the related technology cannot be decrypted and analyzed.
In a first aspect, an embodiment of the present application provides an automated analysis method for a Jart malware, including:
obtaining a Trojan horse sample;
analyzing the Trojan horse sample to obtain a decrypted file;
detecting the file type of the decrypted file, wherein the file type comprises a first file type, a second file type and a third file type;
and if the decrypted file is of the first file type, analyzing the file information of the decrypted file.
In some embodiments, the parsing the trojan sample to obtain a decrypted file includes:
analyzing the Trojan horse sample to obtain a decryption key and an encrypted file;
and decrypting the encrypted file according to the decryption key to obtain a decrypted file.
In some embodiments, the decryption key comprises a first key and a second key, and decrypting the encrypted file according to the decryption key to obtain a decrypted file comprises:
decrypting the encrypted file by a first decryption method according to the first key to obtain a first decrypted file;
and decrypting the first decrypted file by a second decryption method according to the second key to obtain a second decrypted file.
In some of these embodiments, the file information includes: key configuration, remote-control callback (C&C reconnection) information, and feature information.
In some embodiments, detecting the file type of the decrypted file includes:
if the decrypted file is of the second file type, parsing the decrypted file to obtain a sub-decrypted file A;
and detecting the file type of sub-decrypted file A until the file type of sub-decrypted file A is the first file type.
In some embodiments, detecting the file type of the decrypted file includes:
if the decrypted file is of the third file type, parsing the decrypted file to obtain a sub-decrypted file B and a configuration file corresponding to sub-decrypted file B;
and detecting the file type of sub-decrypted file B until the file type of sub-decrypted file B is the first file type.
In some embodiments, the first file type is a json file, the second file type is a jar file, and the third file type is an xml file.
In a second aspect, an embodiment of the present application provides an automatic analysis device for a Jart malware, including:
the acquisition module is used for acquiring a Trojan horse sample;
the analysis module is used for analyzing the Trojan horse sample to obtain a decrypted file;
the detection module is used for detecting the file types of the decrypted files, wherein the file types comprise a first file type, a second file type and a third file type;
and the analysis module is used for analyzing the file information of the decrypted file if the decrypted file is of the first file type.
In a third aspect, an embodiment of the present application provides a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor, when executing the computer program, implements the automatic analysis method for the Jart malware described in the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the automatic analysis method for the Jart malware as described in the first aspect above.
Compared with the related art, the automatic analysis method for the Jart malicious software, provided by the embodiment of the application, obtains the decrypted file by analyzing the Trojan sample, and analyzes the file information of the decrypted file according to the file type of the decrypted file, so that the problem that the Trojan sample of a remote control Trojan family cannot be decrypted and analyzed is solved, and the automatic analysis of the Trojan sample to obtain the file information is realized.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow diagram of a method for automated analysis of Jart malware according to an embodiment of the present application;
FIG. 2 is a flow diagram of another method for automated analysis of Jart malware according to an embodiment of the present application;
FIG. 3 is a block diagram of an automated Jart malware analysis device according to an embodiment of the present application;
fig. 4 is a schematic diagram of a hardware structure of the automated analysis device for the Jart malware according to the embodiment of the application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The embodiment also provides an automatic analysis method for the Jart malicious software. Fig. 1 is a flowchart of a method for automated analysis of a Jart malware according to an embodiment of the present application, and as shown in fig. 1, the flowchart includes the following steps:
step S101, a Trojan horse sample is obtained.
Specifically, the type of the trojan sample is detected, and if the sample belongs to the jRAT ("jart") family, the sample is analysed further.
jRAT (rendered "Jart" or "Jrat" in this translation), also known as Adwind, is a commercial cross-platform remote-access trojan written in Java. A remote-control trojan is a hacking tool built around remote control and is characterised by concealment and lack of authorisation. Concealment means that the trojan's designers use various techniques to hide it so that it is not discovered. Lack of authorisation means that once the controller connects to the implant (in RAT terminology the "server", i.e. the infected host), the controller obtains most of that host's operating privileges, including modifying files and the registry and controlling the mouse and keyboard; these privileges are not granted by the host but are taken by the trojan program.
And step S102, analyzing the Trojan horse sample to obtain a decrypted file.
Specifically, the trojan sample is parsed to obtain a decryption key and an encrypted file, and the encrypted file is decrypted with the decryption key to obtain a decrypted file. The encrypted file carries no file suffix; the decryption key comprises a first key and a second key; and the decrypted files comprise a first decrypted file and a second decrypted file. Specifically, the encrypted file is decrypted by a first decryption method according to the first key to obtain the first decrypted file, and the first decrypted file is decrypted by a second decryption method according to the second key to obtain the second decrypted file.
In one embodiment, the first key is an rsakey and the second key is an aeskey. The trojan sample is parsed to obtain the rsakey, the aeskey and the encrypted file. The encrypted file is decrypted with the RSA algorithm using the rsakey to obtain the first decrypted file, and the first decrypted file is then decrypted with the AES algorithm using the aeskey to obtain the second decrypted file, which is the final decrypted file. The two stages are strictly ordered: the AES stage operates on the output of the RSA stage, not on the original encrypted file.
RSA is an asymmetric encryption algorithm that uses two keys: a public key and a private key. The two keys form a pair, and data encrypted with the public key can only be decrypted with the corresponding private key. The basic process for exchanging confidential information with an asymmetric algorithm is as follows: party A generates a key pair and publishes the public key; any other party (party B) that wants to send information to A encrypts the confidential information with A's public key and sends the ciphertext to A; A then decrypts it with A's own private key. When A wants to reply to B the roles are reversed: A encrypts with B's public key and B decrypts with B's private key. In the present method the rsakey extracted from the sample is the key used for RSA decryption of the encrypted file.
AES is a symmetric encryption algorithm: the sender processes the plaintext together with the encryption key through the cipher to produce ciphertext and transmits that. To recover the original text, the receiver must decrypt the ciphertext with the same key and the inverse of the same algorithm. A symmetric algorithm uses a single key for both encryption and decryption, so the two parties must share it in advance over a secure channel. The present description does not state the AES mode of operation, IV or padding used by the sample; a decryption routine must match whatever the sample uses, or the second stage will produce garbage even with the correct aeskey.
Step S103, detecting file types of the decrypted file, where the file types include a first file type, a second file type, and a third file type.
The first file type is a json file, the second file type is a jar file, and the third file type is an xml file.
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It stores and represents data in a text format that is entirely independent of any programming language, based on a subset of ECMAScript (the JavaScript specification standardised by Ecma International). Its compact and clear hierarchy makes JSON an ideal data-exchange language: it is easy for people to read and write, easy for machines to parse and generate, and efficient to transmit over the network.
A jar file (Java Archive) is a package file format typically used to aggregate many Java class files, associated metadata and resources (text, images, etc.) into one file for distributing Java platform applications or libraries. A jar is an archive built on the ZIP format with the .jar file extension; it is used not only for compression and distribution but also for deploying and packaging libraries, components and plug-ins, and can be consumed directly by tools such as compilers and the JVM. A jar contains special files, such as manifests and deployment descriptors, that tell tools how to handle that particular jar.
The xml file is handled in this application as a compressed (archive) file whose content is described in XML. XML (Extensible Markup Language) is a subset of the Standard Generalized Markup Language and is a markup language for giving electronic documents structure. The simplicity of XML makes it easy to read and write data from any application, which quickly made XML a common language for data exchange; although applications support other exchange formats as well, most also support XML, so a program can readily integrate with information produced on Windows, Mac OS, Linux and other platforms, load XML data, process it, and emit results in XML.
Step S104, if the decrypted file is of the first file type, analyzing file information of the decrypted file.
The file information includes: key configuration, remote-control callback information, and feature information. The key configuration comprises at least one of the port number, trigger condition, trojan masquerade (disguise) and information feedback settings. The remote-control callback is the process by which, after a client in the network has been infected with the trojan, the controlling server can remotely direct the client to perform operations, such as transmitting data back to the server. The feature information describes the trojan's attack mode.
Specifically, the fields and their corresponding values in the decrypted file of the first file type are traversed; the key configuration, remote-control callback and feature information of the trojan sample are obtained from the traversal result, packaged into file information, and stored in the corresponding database.
Detecting the file type of the decrypted file comprises: if the decrypted file is of the second file type, parsing the decrypted file to obtain a sub-decrypted file A, and detecting the file type of sub-decrypted file A until it is the first file type.
Specifically, the second file type is a compressed file: the decrypted file is parsed again to obtain a sub-decryption key and a sub-encrypted file A; sub-encrypted file A is decrypted with the sub-decryption key to obtain sub-decrypted file A; and the file type of sub-decrypted file A is detected until it is the first file type. The sub-decryption key comprises a first sub-key and a second sub-key, and sub-decrypted file A comprises a first sub-decrypted file A and a second sub-decrypted file A. Specifically, sub-encrypted file A is decrypted by the first decryption method according to the first sub-key to obtain the first sub-decrypted file A, and the first sub-decrypted file A is decrypted by the second decryption method according to the second sub-key to obtain the second sub-decrypted file A.
In one embodiment, the first sub-key is an rsakey and the second sub-key is an aeskey. The decrypted file of the second file type is parsed to obtain the rsakey, the aeskey and the corresponding encrypted file. The encrypted file is decrypted with the RSA algorithm using the rsakey to obtain the first sub-decrypted file A, which is then decrypted with the AES algorithm using the aeskey to obtain the second sub-decrypted file A, the final decrypted file. When the final decrypted file is of the first file type, its fields and corresponding values are traversed; the key configuration, remote-control callback and feature information of the trojan sample are obtained from the traversal result, packaged into file information, and stored in the corresponding database.
Detecting the file type of the decrypted file comprises: if the decrypted file is of the third file type, parsing the decrypted file to obtain a sub-decrypted file B and a configuration file corresponding to sub-decrypted file B, and detecting the file type of sub-decrypted file B until it is the first file type.
The configuration file is a code-table file that records the file name corresponding to each decryption key.
Specifically, the third file type is a compressed file: the decrypted file is parsed again to obtain a sub-decryption key, a sub-encrypted file B and the corresponding configuration file; sub-encrypted file B is decrypted with the sub-decryption key to obtain sub-decrypted file B; and the file type of sub-decrypted file B is detected until it is the first file type. The sub-decryption key comprises a first sub-key and a second sub-key, and sub-decrypted file B comprises a first sub-decrypted file B and a second sub-decrypted file B. Specifically, sub-encrypted file B is decrypted by the first decryption method according to the first sub-key to obtain the first sub-decrypted file B, and the first sub-decrypted file B is decrypted by the second decryption method according to the second sub-key to obtain the second sub-decrypted file B.
In one embodiment, the decrypted file of the third file type is parsed to obtain an rsakey, an aeskey, an encrypted file without a file suffix, and the corresponding configuration file. The encrypted file is decrypted with the RSA algorithm using the rsakey to obtain the first sub-decrypted file B, which is then decrypted with the AES algorithm using the aeskey to obtain the second sub-decrypted file B, the final decrypted file. When the final decrypted file is of the first file type, its fields and corresponding values are traversed; the key configuration, remote-control callback and feature information of the trojan sample are obtained from the traversal result, packaged into file information, and stored in the corresponding database.
In another embodiment, the decrypted file of the second file type is parsed to obtain a sub-decrypted file A of the third file type; that file is parsed again to obtain a final decrypted file of the first file type; the fields and corresponding values in the final decrypted file are traversed; and the key configuration, remote-control callback and feature information of the trojan sample are obtained from the traversal result, packaged into file information, and stored in the corresponding database.
In another embodiment, the decrypted file of the third file type is parsed to obtain a sub-decrypted file B of the second file type; that file is parsed again to obtain a final decrypted file of the first file type; the fields and corresponding values in the final decrypted file are traversed; and the key configuration, remote-control callback and feature information of the trojan sample are obtained from the traversal result, packaged into file information, and stored in the corresponding database.
Through the steps, the Trojan horse sample is analyzed to obtain the decrypted file, the file information of the decrypted file is analyzed according to the file type of the decrypted file, the problem that the Trojan horse sample of a remote control Trojan horse family cannot be decrypted and analyzed is solved, and the Trojan horse sample is automatically analyzed to obtain the file information.
The embodiment also provides an automatic analysis method for the Jart malicious software. Fig. 2 is a flowchart of another automated analysis method for the Jart malware according to an embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps:
in step S201, a trojan sample is input.
Specifically, a Trojan horse sample of a jart family is obtained and input.
Step S202, reading the rsakey file, the aeskey file and the encrypted file.
Specifically, the trojan sample is decompressed, and the rsakey file, the aeskey file and the encrypted file without a file suffix are read.
Step S203, RSA-decrypting the encrypted file.
Specifically, the encrypted file is RSA-decrypted using the rsakey file as the decryption key, yielding the first decrypted file.
Step S204, further AES-decrypting the result of the previous decryption.
Specifically, the first decrypted file (the output of step S203, not the original encrypted file) is AES-decrypted using the aeskey file as the decryption key, yielding the second decrypted file.
Step S205, the decrypted file is output.
Step S206, detecting the output file type.
Specifically, if the output file is a jar file, go to step S207; if it is an xml file, go to step S208; if it is a json file, go to step S209.
Step S207, decompressing the output.
Specifically, the jar file type is a compressed file, and the decrypted file of the jar file type is fed back in as input for decompression.
Step S208, the configuration is analyzed.
Specifically, the xml file type is a compressed file; the decrypted file is parsed to obtain the configuration file, and the decrypted file of the xml file type is fed back in as input for decompression.
Step S209, the configuration is analyzed.
Specifically, the fields and corresponding values in the decrypted file of the json file type are traversed, and the key configuration, remote-control callback and feature information of the trojan sample are obtained from the traversal result.
Through these steps, the trojan sample's core code and configuration file are recovered by the decryption procedure, which assists security analysts in analysing the sample quickly, improves analysis efficiency, and gives users an efficient automated means of analysing trojan samples of the jRAT family.
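As an added illustration that is not part of the patent or the applicant's code, the following Python script models the pipeline of steps S101-S104 and S201-S209 described above (two-stage decryption, file-type detection, recursion through jar and xml layers until a json file, and extraction of the key configuration, remote-control callback and feature information) on a constructed nested sample. Everything not stated in the description is an assumption: the member names rsakey, aeskey and the suffix-less payload inside the jar layer; the XML code-table format <entry role="...">member</entry> that maps roles to member names in the third file type (which the description calls both an xml file and a compressed file, and which is modelled here as an archive carrying an XML code table); the JSON field names; and the ciphers. Because the Python standard library has no RSA or AES, stage 1 uses textbook RSA with a deliberately tiny key and stage 2 uses repeating-key XOR as a stand-in for AES; on genuine samples both would be replaced by real RSA and AES with whatever mode, IV and padding the sample uses.

```python
"""Added example (not the patent's code): an offline model of steps S201-S209.
Constructed assumptions: a "jar" layer is a ZIP holding `rsakey`, `aeskey`, one
suffix-less payload and .class files; an "xml" layer is a ZIP carrying an XML code
table (<entry role="...">member</entry>) naming the key and payload members; stage 1
is textbook RSA with a toy key and stage 2 is repeating-key XOR standing in for AES."""
import io
import json
import zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted samples


def zip_bytes(members):
    """In-memory ZIP from {name: bytes}; only used to construct the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def rsa_encrypt(data, n, e):
    """Textbook RSA, one plaintext byte per 2-byte block (sample construction only)."""
    return b"".join(pow(b, e, n).to_bytes(2, "big") for b in data)


def rsa_decrypt(blob, keyfile):
    """Stage 1 (S203). The `n:d` key-file layout is an assumption; toy key, insecure."""
    n, d = (int(x) for x in keyfile.decode().split(":"))
    return bytes(pow(int.from_bytes(blob[i:i + 2], "big"), d, n) for i in range(0, len(blob), 2))


def xor_cipher(blob, key):
    """Stage 2 (S204) stand-in for AES; genuine samples need real AES with the right mode/IV."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def detect_file_type(data):
    """S206: first type json, second type jar, third type xml (archive with a code table)."""
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        return "xml" if any(n.lower().endswith(".xml") for n in names) else "jar"
    return "json" if data.lstrip()[:1] in (b"{", b"[") else "unknown"


def unpack_jar(data):
    """S207: read rsakey, aeskey and the single member that has no file suffix."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = {n: zf.read(n) for n in zf.namelist()}
    payload = [n for n in members if "." not in n and n not in ("rsakey", "aeskey")]
    if len(payload) != 1:
        raise ValueError(f"expected one suffix-less payload, found {payload}")
    return members["rsakey"], members["aeskey"], members[payload[0]]


def unpack_xml_archive(data):
    """S208: the XML code table records which member holds each key and the payload."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = {n: zf.read(n) for n in zf.namelist()}
    table = next(n for n in members if n.lower().endswith(".xml"))
    roles = {e.get("role"): e.text.strip() for e in ET.fromstring(members[table]).iter("entry")}
    return members[roles["rsakey"]], members[roles["aeskey"]], members[roles["payload"]]


def extract_file_info(config):
    """S209: key configuration, remote-control callback and feature information."""
    key_fields = ("port", "trigger", "masquerade", "feedback")  # JSON field names assumed
    return {"key_configuration": {k: config[k] for k in key_fields if k in config},
            "remote_control": config.get("c2", {}),
            "features": config.get("features", [])}


def analyze_sample(data, stage1, stage2, max_depth=8):
    """Decrypt and re-detect until the json layer; max_depth stops endless nesting."""
    for depth in range(max_depth):
        kind = detect_file_type(data)
        if kind == "json":
            return extract_file_info(json.loads(data.decode("utf-8")))
        if kind == "jar":
            rsakey, aeskey, enc = unpack_jar(data)
        elif kind == "xml":
            rsakey, aeskey, enc = unpack_xml_archive(data)
        else:
            raise ValueError(f"unsupported file type at depth {depth}")
        data = stage2(stage1(enc, rsakey), aeskey)  # S203 then S204, in that order
    raise ValueError("nesting deeper than max_depth")


def build_constructed_sample():
    """jar layer -> xml layer -> json config; every value here is constructed."""
    n, e, d = 3233, 17, 2753  # p=61, q=53: demo-sized, NOT a real key
    rsakey, aeskey = f"{n}:{d}".encode(), b"k3yk3yk3y"
    config = {"port": 1337, "trigger": "startup", "masquerade": "java-update", "feedback": True,
              "c2": {"host": "198.51.100.7", "port": 1337}, "features": ["keylog", "screenshot", "ddos"]}
    table = (b'<cfg><entry role="rsakey">a</entry><entry role="aeskey">b</entry>'
             b'<entry role="payload">c</entry></cfg>')
    inner = zip_bytes({"table.xml": table, "a": rsakey, "b": aeskey,
                       "c": rsa_encrypt(xor_cipher(json.dumps(config).encode(), aeskey), n, e)})
    return zip_bytes({"Main.class": b"\xca\xfe\xba\xbe", "rsakey": rsakey, "aeskey": aeskey,
                      "payload": rsa_encrypt(xor_cipher(inner, aeskey), n, e)})


def demo():
    """Run the constructed sample through the pipeline and return its file information."""
    return analyze_sample(build_constructed_sample(), rsa_decrypt, xor_cipher)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the recovered file information for the constructed sample. The max_depth bound in analyze_sample and the check that exactly one suffix-less member exists are the two guards a practitioner would want before pointing this at untrusted archives, since a hostile sample can nest archives indefinitely or plant several candidate payloads; for the XML code table, defusedxml should replace xml.etree in production.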
The embodiments of the present application are described and illustrated below by means of preferred embodiments.
It should be noted that the steps illustrated in the above flow diagram or in the flow diagrams of the drawings may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is shown in the flow diagrams, in some cases the steps shown or described may be performed in an order different from the one given here.
This embodiment also provides an automatic analysis device for the Jart malware, which is used to implement the foregoing embodiment and preferred embodiments; what has already been described is not repeated. As used below, the terms "module", "unit", "sub-unit" and the like may be a combination of software and/or hardware implementing a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a block diagram illustrating an automated analysis apparatus for a Jart malware according to an embodiment of the present application, as shown in fig. 3, the apparatus includes: an acquisition module 310, a parsing module 320, a detection module 330, and an analysis module 340.
An obtaining module 310 is configured to obtain a Trojan horse sample.
The parsing module 320 is configured to parse the Trojan sample to obtain a decrypted file.
The detecting module 330 is configured to detect file types of the decrypted file, where the file types include a first file type, a second file type, and a third file type.
The analysis module 340 is configured to analyze file information of the decrypted file if the decrypted file is of the first file type.
The parsing module 320 is further configured to parse the trojan sample to obtain a decryption key and an encrypted file; and decrypting the encrypted file according to the decryption key to obtain a decrypted file.
The parsing module 320 is further configured to decrypt the encrypted file by a first decryption method according to the first key to obtain a first decrypted file; and decrypting the first decrypted file by a second decryption method according to the second key to obtain a second decrypted file.
The detection module 330 is further configured to, if the decrypted file is of the second file type, parse the decrypted file to obtain a sub decrypted file A, and to detect the file type of the sub decrypted file A until the file type of the sub decrypted file A is the first file type.
The detection module 330 is further configured to, if the decrypted file is of the third file type, parse the decrypted file to obtain a sub decrypted file B and a configuration file corresponding to the sub decrypted file B, and to detect the file type of the sub decrypted file B until the file type of the sub decrypted file B is the first file type.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
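As an added worked example (not code from the patent or from its applicant), the following Python implements the type-dispatch loop of steps S206 to S209, which the parsing, detection and analysis modules 320 to 340 above and claims 5 to 7 restate: a decrypted blob is classified by content, a jar is unpacked and each member is fed back through detection, an xml file is parsed into a configuration plus any embedded sub-file that is fed back as well, and a json file is traversed field by field. It starts from the already decrypted output of step S205, since the section does not specify the first decryption method. The xml layout, the json field names used to sort fields into key configuration, C2 callback and characteristic information, and the sample itself are constructed assumptions for illustration and are labelled as such in the code. It goes beyond the text in two places a practitioner needs: a recursion depth limit and a per-member size cap, so a hostile sample that nests archives or embeds a zip bomb cannot exhaust the analyser.

```python
import base64, io, json, re, zipfile
import xml.etree.ElementTree as ET  # on untrusted samples swap in defusedxml.ElementTree (same API)

MAX_DEPTH = 8                   # bound the jar-in-xml-in-jar recursion
MAX_MEMBER = 50 * 1024 * 1024   # skip zip members that would expand beyond this (zip-bomb guard)
# Assumed field-name vocabularies for sorting json fields into key-config / C2 / feature buckets (illustrative only)
KEY_WORDS = {"key", "aeskey", "password", "secret"}
C2_WORDS = {"host", "port", "server", "dns", "ip", "url", "callback"}
FEATURE_WORDS = {"id", "name", "version", "mutex", "install", "persist"}

def detect_type(blob: bytes) -> str:
    """Step S206: classify a decrypted blob by its content, never by its file name."""
    if blob[:4] == b"PK\x03\x04":            # zip local-file header: a jar is a zip
        return "jar"
    head = blob.lstrip()
    if head.startswith(b"<"):
        return "xml"
    if head[:1] in (b"{", b"["):
        try:
            json.loads(blob.decode("utf-8"))
            return "json"
        except (UnicodeDecodeError, ValueError):
            pass
    return "unknown"

def unpack_jar(blob: bytes):
    """Step S207: yield (member name, bytes) per file in the jar; bytes is None for oversized members."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield info.filename, (zf.read(info) if info.file_size <= MAX_MEMBER else None)

def parse_xml_config(blob: bytes):
    """Step S208: return (config dict, [(key, embedded bytes)]).  Assumed layout, constructed for this
    example: <config><entry key="k">v</entry><entry key="k2" encoding="base64">...</entry></config>"""
    config, sub_files = {}, []
    for entry in ET.fromstring(blob).iter("entry"):
        key, text = entry.get("key"), (entry.text or "").strip()
        if entry.get("encoding") == "base64":
            sub_files.append((key, base64.b64decode(text, validate=True)))
        else:
            config[key] = text
    return config, sub_files

def flatten(obj, prefix=""):
    """Step S209: walk every field/value pair of a nested json document as (dotted path, value)."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}.{k}" if prefix else str(k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}[{i}]")
    else:
        yield prefix, obj

def classify(path: str) -> str:
    tokens = set(re.split(r"[^a-z0-9]+", path.lower())) - {""}
    for bucket, words in (("key_config", KEY_WORDS), ("c2", C2_WORDS), ("features", FEATURE_WORDS)):
        if tokens & words:
            return bucket
    return "other"

def analyze(blob: bytes, name: str = "sample", depth: int = 0, report: dict = None) -> dict:
    """Steps S206-S209 as one recursive dispatch; every finding is keyed by its path inside the sample."""
    if report is None:
        report = {"key_config": {}, "c2": {}, "features": {}, "other": {}, "config": {}, "unknown": []}
    kind = detect_type(blob) if depth <= MAX_DEPTH else "unknown"
    try:
        if kind == "jar":                        # sub decrypted file A: each member goes back through S206
            for member, data in unpack_jar(blob):
                if data is None:
                    report["unknown"].append(f"{name}/{member} (skipped: too large)")
                else:
                    analyze(data, f"{name}/{member}", depth + 1, report)
        elif kind == "xml":                      # configuration plus sub decrypted file B, back through S206
            config, sub_files = parse_xml_config(blob)
            report["config"].update({f"{name}:{k}": v for k, v in config.items()})
            for key, data in sub_files:
                analyze(data, f"{name}:{key}", depth + 1, report)
        elif kind == "json":
            for path, value in flatten(json.loads(blob.decode("utf-8"))):
                report[classify(path)][f"{name}:{path}"] = value
        else:
            report["unknown"].append(name)
    except (zipfile.BadZipFile, ET.ParseError, ValueError) as exc:   # malformed layer: record, keep going
        report["unknown"].append(f"{name} ({type(exc).__name__})")
    return report

def build_sample() -> bytes:
    """Constructed input, not a real sample: jar -> config.xml -> base64-embedded jar -> config.json."""
    cfg = {"aes": {"key": "0123456789abcdef"}, "c2": {"servers": [{"host": "203.0.113.10", "port": 1604}]},
           "victim": {"id": "ABCD-1234"}, "flags": {"persist": True}}
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("config.json", json.dumps(cfg))
    xml_cfg = ('<config><entry key="server.host">198.51.100.7</entry><entry key="plugin" encoding="base64">'
               + base64.b64encode(inner.getvalue()).decode() + "</entry></config>").encode()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("config.xml", xml_cfg)
    return outer.getvalue()
```

analyze(build_sample()) returns a report keyed by path, for example key_config["sample/config.xml:plugin/config.json:aes.key"]. Malformed layers are recorded under unknown rather than aborting the run, so one corrupt member does not hide the configuration recovered from the rest of the sample, and an unparseable member (the manifest here) is listed instead of silently dropped.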
In addition, the method for automatically analyzing the Jart malware in the embodiment of the application described in conjunction with fig. 1 may be implemented by Jart malware automatic analysis equipment. Fig. 4 is a schematic diagram of a hardware structure of the automated analysis device for the Jart malware according to the embodiment of the application.
The Jart malware automated analysis device may include a processor 81 and memory 82 storing computer program instructions.
Specifically, the processor 81 may include a Central Processing Unit (CPU), an Application-Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
The memory 82 may include mass storage for data or instructions. By way of example and not limitation, the memory 82 may include a hard disk drive (HDD), a floppy disk drive, a solid state drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. The memory 82 may include removable or non-removable (fixed) media, where appropriate, and may be internal or external to the data processing apparatus. In a particular embodiment the memory 82 is non-volatile memory; in particular embodiments it includes read-only memory (ROM) and random access memory (RAM). The ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM) or flash memory, or a combination of two or more of these, where appropriate. The RAM may be static RAM (SRAM) or dynamic RAM (DRAM), where the DRAM may be fast page mode DRAM (FPM DRAM), extended data output DRAM (EDO DRAM), synchronous DRAM (SDRAM) and the like.
The memory 82 may be used to store or cache various data files for processing and/or communication use, as well as possible computer program instructions executed by the processor 81.
The processor 81 implements any of the above-described embodiments of the automatic analysis method of the Jart malware by reading and executing computer program instructions stored in the memory 82.
In some of these embodiments, the Jart malware automation analysis device may also include a communication interface 83 and a bus 80. As shown in fig. 4, the processor 81, the memory 82, and the communication interface 83 are connected via the bus 80 to complete communication therebetween.
The communication interface 83 is used to implement communication between the modules, devices, units and/or equipment in the embodiments of the present application. The communication interface 83 may also exchange data with other components, such as external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation and the like.
The bus 80 includes hardware, software, or both that couple the components of the Jart malware automated analysis device to one another. The bus 80 includes, but is not limited to, at least one of a data bus, an address bus, a control bus, an expansion bus and a local bus. By way of example and not limitation, the bus 80 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI Express (PCIe) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), another suitable bus, or a combination of two or more of these. The bus 80 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable bus or interconnect is contemplated by the application.
The automatic analysis device for the Jart malware can, based on the obtained Trojan sample, execute the automatic analysis method for the Jart malware of the embodiments of the present application, thereby implementing the automatic analysis method for the Jart malware described in conjunction with FIG. 1.
In addition, in combination with the automatic analysis method for the Jart malware in the foregoing embodiments, the embodiments of the present application may provide a computer-readable storage medium for its implementation. The computer-readable storage medium stores computer program instructions which, when executed by a processor, implement any of the above embodiments of the automatic analysis method for the Jart malware.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several embodiments of the present application, and their description is relatively specific and detailed, but this is not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method for automated analysis of Jart malware, comprising:
obtaining a Trojan horse sample;
analyzing the Trojan horse sample to obtain a decrypted file;
detecting the file type of the decrypted file, wherein the file type comprises a first file type, a second file type and a third file type;
and if the decrypted file is of the first file type, analyzing the file information of the decrypted file.
2. The automated Jart malware analysis method of claim 1, wherein parsing the Trojan horse sample to obtain a decrypted file comprises:
analyzing the Trojan horse sample to obtain a decryption key and an encrypted file;
and decrypting the encrypted file according to the decryption key to obtain a decrypted file.
3. The method for automated analysis of Jart malware according to claim 2, wherein the decryption key comprises a first key and a second key, and said decrypting said encrypted file according to said decryption key to obtain a decrypted file comprises:
decrypting the encrypted file by a first decryption method according to the first key to obtain a first decrypted file;
and decrypting the first decrypted file by a second decryption method according to the second key to obtain a second decrypted file.
4. The method for automated analysis of Jart malware according to claim 1, wherein said file information comprises: key configuration, remote-control callback information, and characteristic information.
5. The method for automated analysis of Jart malware according to claim 1, wherein said detecting a file type of said decrypted file comprises:
if the decrypted file is of the second file type, parsing the decrypted file to obtain a sub decrypted file A;
and detecting the file type of the sub decrypted file A until the file type of the sub decrypted file A is the first file type.
6. The method for automated analysis of Jart malware according to claim 1, wherein said detecting a file type of said decrypted file comprises:
if the decrypted file is of the third file type, parsing the decrypted file to obtain a sub decrypted file B and a configuration file corresponding to the sub decrypted file B;
and detecting the file type of the sub decrypted file B until the file type of the sub decrypted file B is the first file type.
7. The method for automated analysis of Jart malware according to claim 1, wherein the first file type is a json file, the second file type is a jar file, and the third file type is an xml file.
8. An automated Jart malware analysis device, comprising:
the acquisition module is used for acquiring a Trojan horse sample;
the analysis module is used for analyzing the Trojan horse sample to obtain a decrypted file;
the detection module is used for detecting the file types of the decrypted files, wherein the file types comprise a first file type, a second file type and a third file type;
and the analysis module is used for analyzing the file information of the decrypted file if the decrypted file is of the first file type.
9. A computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor when executing the computer program implements a method for automated analysis of Jart malware as recited in any one of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a method for automated analysis of a Jart malware according to any one of claims 1 to 7.
CN202010644694.8A 2020-07-07 2020-07-07 Automatic analysis method and device for Jart malicious software and computer readable storage medium Pending CN111767540A (en)

Publications (1)

Publication Number Publication Date
CN111767540A true CN111767540A (en) 2020-10-13

Family

ID=72724780

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102915419A (en) * 2011-08-03 2013-02-06 国民技术股份有限公司 Virus scanning method and scanning system
US20190018961A1 (en) * 2017-07-12 2019-01-17 Acronis International Gmbh Method for decrypting data encrypted by ransomware
KR101908517B1 (en) * 2017-09-14 2018-10-16 주식회사 엔에스에이치씨 Method for malware detection and unpack of malware using string and code signature
CN109697361A (en) * 2017-10-20 2019-04-30 北京理工大学 A kind of wooden horse classification method based on Trojan characteristics
CN110069936A (en) * 2019-03-29 2019-07-30 合肥高维数据技术有限公司 A kind of wooden horse steganography method and detection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
STRAWBERRY: "CHM木马的分析与利用" (Analysis and exploitation of CHM Trojans), retrieved from the Internet <URL:https://www.freebuf.com/articles/network/208897.html> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244600A (en) * 2021-12-15 2022-03-25 杭州默安科技有限公司 Method for interfering malicious program
CN114244600B (en) * 2021-12-15 2023-11-24 杭州默安科技有限公司 Method for interfering malicious program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination