奇安信攻防社区-带宏的恶意样本分析

带宏的恶意样本分析

分析一个带宏的恶意样本，通过宏代码释放恶意文件至本机执行，释放的恶意样本可实现多条远控功能

0x01 网络行为
=========

122.216.201.108

0x02 持久化
========

将自身写入SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run实现自启动

0x03 详细分析/功能介绍
==============

3.1 宏代码分析
---------

Auto\_Open()子过程调用useraddeeLoadr 和 open\_pp两个子过程，useraddeeLoadr用于释放恶意文件wardhmrias.exe并执行，open\_pp打开ppt文件

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-cf4b18b390fa7f37f85f13d609e6a8398f696e73.png)

useraddeeLoadr首先生成文件的释放路径

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-a1ce7acf72b5c132122395186f84de1e9d19243e.png)  
 然后根据不同操作系统版本，向Zip文件写入不同数据

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-e63e650432180e994257ca2ecc00d44d03427264.png)

之后，在再将Zip中的文件解压出来，并执行

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c6c59b886210088265aeebdadd7c89cdc44572f3.png)

Unaddeeip子过程，将Zip中的文件复制出来，完成解压操作

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-4b176af07991060df9d1e0a0787baedfc3f331c6.png)

3.2 wardhmrias.exe分析
--------------------

接下来分析宏代码释放的恶意程序wardhmrias.exe。

首先观察入口点，判断为C#编写的WinForm程序

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-29fe0a23e71dfb6660b54f8017cb7c224113daa4.png)

进入 Form1() ，首先进行组件初始化，并添加表单关闭和加载事件

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-7381d87c51dcd977de0bf2ba01c159c6c477e0c5.png)

分析Form1\_FormClosing，该函数先判断wardhmrias.exe是否存在，不存在则创建一个新的wardhmrias.exe

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-065be1a8f52871ee4b2ae138307ab3336eb5b921.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-5ea17e84544370643945d829b72984539bd1d8cc.png)

然后将wardhmrias.exe写入注册表"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run，实现自启动

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-d85abba36b9424f389f181a024e674ae61f6fc3c.png)

Form1\_Load，设置窗体不可见

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-3a80a9513974f343359f4abd98dfc6b794899ce9.png)

wardhmriasdo\_stadrt()，数据初始化，设置Timer

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-7cb9eb16a0279c4fcb3bb83ae5d4a808f43902ef.png)

通过计时器回调函数执行连接C2的操作

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c6c8ce1222526fc20722f6b2264eb33453b04cb2.png)

计时器回调函数为this.wardhmriasIPSrFI(); 创建socket，连接远程服务器

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-a4b666d558d1910cc962ff4bcf5243f3e9bc9e8d.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-25da62462e795fe0d12519ef5070644739ed6caa.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-432342e2d7be9efe94e361a36dfc3f2109f8903b.png)

wardhmriassee\_spyo() ，循环接收主控端命令，执行相应的操作。

先获取NetworkStream，再从中读取主控端发送的命令

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-babee77ab110d6bbe4caae7051e955cf3f7f327b.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-e77d401bd634440a1d2d95281ef1743276975c43.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-e7c5184a80ad38ed528f738515037e554f3c963d.png)

创建命令字典

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-5bc12843bd5fb6bf8e1741cd6f4444bd3118ad57.png)

根据读取到的命令数据进行相应操作：

"wardhmrias-puatsrt",1 将自己写入注册表

SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c971baebc599c108e9e094b4fe799c9ffca2bb39.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-13f66a41fcc19bde57b1528ad58b2c1c1de86ed3.png)

"wardhmrias-gedatavs",3 遍历进程，并将进程信息写入NetworkStream，发送主控端

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-9757a9740e4890835a0315edd6eb4872f486d589.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c1a2778a584c8ce1b59ad84d20a1f4faa9ffe867.png)

用于发送数据的函数如下

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b779e43228b6f7418689b9915af24a0847d68ecf.png)

"wardhmrias-thdaumb",5 获取指定路径的图像文件及其名称、创建时间

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b194919191db88f1599923040d7d458e320188eb.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b1eb9ca1996eef38c4c5a8337de1b2a85878d012.png)

"wardhmrias-praocl",7 遍历进程

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-66a748cf9ebd75f26589e37d81dc5f5d965e31cc.png)

"wardhmrias-fialsz",9 获取指定路径的文件信息

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-821e450c068382c09adb8487468e6e301fe02146.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-00701a6453354122bf08fa32d47b0aaeaa7bf467.png)

"wardhmrias-dodawf",11 读取数据并写入指定文件

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-f5d9916bfd203eed839acb9b339ed5a8b5155f85.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-962d0abbb356f3d7c3a4a1287e3bd07714a6efdb.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c49ad4c8ecf44afee880364da5737bd8ef4c70ab.png)

"wardhmrias-enadpo",13 结束指定进程

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b01760506d820c89df8f0d1350013e42119420a4.png)

"wardhmrias-scarsz",17 设置wardgmriasscrfSize

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-d0e6677b69921b6b34fde941c6adbca01c7555d7.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-92ef9aedf582bb6e758cad7a60eddc9e0afdeeac.png)

"wardhmrias-diars",19 获取驱动信息

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-989f3baaa801e7377f39e89a0fe468b801969ead.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-5fcca1307835c9bac8fa7c7041afa1b6adeb4260.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-5a47f85d8778e656bb05ffb60897d21e0a30f293.png)

"wardhmrias-staops",21 设置标志位

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-d94b2d70a956036346b618c445af0f15586e49cc.png)

"wardhmrias-csdacreen",23 捕获屏幕

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-8f5609683ac6de9ded3d705f48ffe10d45cf0047.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-bbcb52cc5361af025d4c77d6418d9091f44adf1e.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c541fac6fb40fa70e8ecc087ed50a16d258bc002.png)

"wardhmrias-cnals",25 设置标志位

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-288218880d5e047a56c215b30cd5aacc04bd6a6f.png)

"wardhmrias-doawr",27 同11 读数据写入文件

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-1816a62bed475fa017e71fe19cfe7f51d9624759.png)

"wardhmrias-scaren",29 创建线程捕获屏幕

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b941f16eaad7546a97747642cc91e8dd724deafb.png)

"wardhmrias-fladr",31 遍历指定路径的子目录（如果存在）

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-ce6043dee159dd64ae6d8a05264b30fee151627d.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-a725818222c6a2d496fcf48e1ced8231c1226980.png)

"wardhmrias-udalt",33 读取NetStream数据写入debdrivca.exe文件并执行

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-f014de0c6fd3459409a5f4acea9fc83570987de1.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-cdffff3eafab8db06694b81558dbe85c26704fea.png)

"wardhmrias-inafo",35 获取用户相关信息

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c36c252d4cbdd825e524c2d7fc3d135ecb1b0a69.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-da82a62f62d960766be4ca384e403bcfe81b0bde.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-ee04a2e316ad208139a8e6159f7c4e1e99ab7388.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-603d91c5f9ea92989dd313cc058208428c0055bc.png)

"wardhmrias-ruanf",37 启动指定进程

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-87b7654f63cb48fe42100e19430492d7f8c2ee20.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-e82f4eadf8215d07c2a5c65553a49b70294f835b.png)

"wardhmrias-fiale",39 获取指文件内容

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-65d114dc1351f439d0795e1c2e0c8784d3108c5f.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-428206e66ad755b7790953478d1977dc8b451502.png)

"wardhmrias-dealt",41 删除文件

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c82612b08d488f0b129fff6d16ddd037a6289e67.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-6486f8010e322925fafa9f40503d581e1c7d776e.png)

"wardhmrias-flaes",43 获取指定路径下的文件

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-4fef89efbe1b85337a98a3bfe4896c51cfd2510c.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-4d0bfdf8106a107bab0ad9a55716ac27d2a5659f.png)

"wardhmrias-afaile",45 获取指定文件内容及相关信息

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c9156bed9f12a6a92c37a8bba51add7eaae0edb8.png)

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-6fd9935a64770a69e0f3de2395f63c618997be4b.png)

"wardhmrias-liastf",47 获取指定扩展名的文件

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-fab48126055a3e3b69853a9f37d9dca064e281ea.png)

检查命令是否完整： 扩展名+文件名

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c2722132f3b3e907b687c4b6ce15a3fd615b9a38.png)

检查文件扩展名 符合则获取相关文件信息发送服务器

![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-792f984d328d5d7060d676a4319ef63f4b763fc6.png)

发表于 2022-05-25 09:33:24
阅读 ( 5611 )
分类：其他

带宏的恶意样本分析

0 条评论