问答
发起
提问
文章
攻防
活动
Toggle navigation
首页
(current)
问答
商城
实战攻防技术
漏洞分析与复现
NEW
活动
摸鱼办
搜索
登录
注册
带宏的恶意样本分析
分析一个带宏的恶意样本,通过宏代码释放恶意文件至本机执行,释放的恶意样本可实现多条远控功能
0x01 网络行为 ========= 122.216.201.108 0x02 持久化 ======== 将自身写入SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run实现自启动 0x03 详细分析/功能介绍 ============== 3.1 宏代码分析 --------- Auto\_Open()子过程调用useraddeeLoadr 和 open\_pp两个子过程,useraddeeLoadr用于释放恶意文件wardhmrias.exe并执行,open\_pp打开ppt文件 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-cf4b18b390fa7f37f85f13d609e6a8398f696e73.png) useraddeeLoadr首先生成文件的释放路径 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-a1ce7acf72b5c132122395186f84de1e9d19243e.png) 然后根据不同操作系统版本,向Zip文件写入不同数据 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-e63e650432180e994257ca2ecc00d44d03427264.png) 之后,在再将Zip中的文件解压出来,并执行 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c6c59b886210088265aeebdadd7c89cdc44572f3.png) Unaddeeip子过程,将Zip中的文件复制出来,完成解压操作 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-4b176af07991060df9d1e0a0787baedfc3f331c6.png) 3.2 wardhmrias.exe分析 -------------------- 接下来分析宏代码释放的恶意程序wardhmrias.exe。 首先观察入口点,判断为C#编写的WinForm程序 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-29fe0a23e71dfb6660b54f8017cb7c224113daa4.png) 进入 Form1() ,首先进行组件初始化,并添加表单关闭和加载事件 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-7381d87c51dcd977de0bf2ba01c159c6c477e0c5.png) 分析Form1\_FormClosing,该函数先判断wardhmrias.exe是否存在,不存在则创建一个新的wardhmrias.exe ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-065be1a8f52871ee4b2ae138307ab3336eb5b921.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-5ea17e84544370643945d829b72984539bd1d8cc.png) 然后将wardhmrias.exe写入注册表"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run,实现自启动 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-d85abba36b9424f389f181a024e674ae61f6fc3c.png) Form1\_Load,设置窗体不可见 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-3a80a9513974f343359f4abd98dfc6b794899ce9.png) wardhmriasdo\_stadrt(),数据初始化,设置Timer ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-7cb9eb16a0279c4fcb3bb83ae5d4a808f43902ef.png) 通过计时器回调函数执行连接C2的操作 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c6c8ce1222526fc20722f6b2264eb33453b04cb2.png) 计时器回调函数为this.wardhmriasIPSrFI(); 创建socket,连接远程服务器 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-a4b666d558d1910cc962ff4bcf5243f3e9bc9e8d.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-25da62462e795fe0d12519ef5070644739ed6caa.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-432342e2d7be9efe94e361a36dfc3f2109f8903b.png) wardhmriassee\_spyo() ,循环接收主控端命令,执行相应的操作。 先获取NetworkStream,再从中读取主控端发送的命令 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-babee77ab110d6bbe4caae7051e955cf3f7f327b.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-e77d401bd634440a1d2d95281ef1743276975c43.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-e7c5184a80ad38ed528f738515037e554f3c963d.png) 创建命令字典 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-5bc12843bd5fb6bf8e1741cd6f4444bd3118ad57.png) 根据读取到的命令数据进行相应操作: "wardhmrias-puatsrt",1 将自己写入注册表 SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c971baebc599c108e9e094b4fe799c9ffca2bb39.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-13f66a41fcc19bde57b1528ad58b2c1c1de86ed3.png) "wardhmrias-gedatavs",3 遍历进程,并将进程信息写入NetworkStream,发送主控端 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-9757a9740e4890835a0315edd6eb4872f486d589.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c1a2778a584c8ce1b59ad84d20a1f4faa9ffe867.png) 用于发送数据的函数如下 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b779e43228b6f7418689b9915af24a0847d68ecf.png) "wardhmrias-thdaumb",5 获取指定路径的图像文件及其名称、创建时间 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b194919191db88f1599923040d7d458e320188eb.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b1eb9ca1996eef38c4c5a8337de1b2a85878d012.png) "wardhmrias-praocl",7 遍历进程 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-66a748cf9ebd75f26589e37d81dc5f5d965e31cc.png) "wardhmrias-fialsz",9 获取指定路径的文件信息 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-821e450c068382c09adb8487468e6e301fe02146.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-00701a6453354122bf08fa32d47b0aaeaa7bf467.png) "wardhmrias-dodawf",11 读取数据并写入指定文件 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-f5d9916bfd203eed839acb9b339ed5a8b5155f85.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-962d0abbb356f3d7c3a4a1287e3bd07714a6efdb.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c49ad4c8ecf44afee880364da5737bd8ef4c70ab.png) "wardhmrias-enadpo",13 结束指定进程 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b01760506d820c89df8f0d1350013e42119420a4.png) "wardhmrias-scarsz",17 设置wardgmriasscrfSize ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-d0e6677b69921b6b34fde941c6adbca01c7555d7.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-92ef9aedf582bb6e758cad7a60eddc9e0afdeeac.png) "wardhmrias-diars",19 获取驱动信息 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-989f3baaa801e7377f39e89a0fe468b801969ead.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-5fcca1307835c9bac8fa7c7041afa1b6adeb4260.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-5a47f85d8778e656bb05ffb60897d21e0a30f293.png) "wardhmrias-staops",21 设置标志位 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-d94b2d70a956036346b618c445af0f15586e49cc.png) "wardhmrias-csdacreen",23 捕获屏幕 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-8f5609683ac6de9ded3d705f48ffe10d45cf0047.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-bbcb52cc5361af025d4c77d6418d9091f44adf1e.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c541fac6fb40fa70e8ecc087ed50a16d258bc002.png) "wardhmrias-cnals",25 设置标志位 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-288218880d5e047a56c215b30cd5aacc04bd6a6f.png) "wardhmrias-doawr",27 同11 读数据写入文件 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-1816a62bed475fa017e71fe19cfe7f51d9624759.png) "wardhmrias-scaren",29 创建线程捕获屏幕 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b941f16eaad7546a97747642cc91e8dd724deafb.png) "wardhmrias-fladr",31 遍历指定路径的子目录(如果存在) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-ce6043dee159dd64ae6d8a05264b30fee151627d.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-a725818222c6a2d496fcf48e1ced8231c1226980.png) "wardhmrias-udalt",33 读取NetStream数据写入debdrivca.exe文件并执行 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-f014de0c6fd3459409a5f4acea9fc83570987de1.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-cdffff3eafab8db06694b81558dbe85c26704fea.png) "wardhmrias-inafo",35 获取用户相关信息 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c36c252d4cbdd825e524c2d7fc3d135ecb1b0a69.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-da82a62f62d960766be4ca384e403bcfe81b0bde.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-ee04a2e316ad208139a8e6159f7c4e1e99ab7388.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-603d91c5f9ea92989dd313cc058208428c0055bc.png) "wardhmrias-ruanf",37 启动指定进程 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-87b7654f63cb48fe42100e19430492d7f8c2ee20.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-e82f4eadf8215d07c2a5c65553a49b70294f835b.png) "wardhmrias-fiale",39 获取指文件内容 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-65d114dc1351f439d0795e1c2e0c8784d3108c5f.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-428206e66ad755b7790953478d1977dc8b451502.png) "wardhmrias-dealt",41 删除文件 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c82612b08d488f0b129fff6d16ddd037a6289e67.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-6486f8010e322925fafa9f40503d581e1c7d776e.png) "wardhmrias-flaes",43 获取指定路径下的文件 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-4fef89efbe1b85337a98a3bfe4896c51cfd2510c.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-4d0bfdf8106a107bab0ad9a55716ac27d2a5659f.png) "wardhmrias-afaile",45 获取指定文件内容及相关信息 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c9156bed9f12a6a92c37a8bba51add7eaae0edb8.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-6fd9935a64770a69e0f3de2395f63c618997be4b.png) "wardhmrias-liastf",47 获取指定扩展名的文件 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-fab48126055a3e3b69853a9f37d9dca064e281ea.png) 检查命令是否完整: 扩展名+文件名 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-c2722132f3b3e907b687c4b6ce15a3fd615b9a38.png) 检查文件扩展名 符合则获取相关文件信息发送服务器 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-792f984d328d5d7060d676a4319ef63f4b763fc6.png)
发表于 2022-05-25 09:33:24
阅读 ( 4697 )
分类:
其他
0 推荐
收藏
0 条评论
请先
登录
后评论
莫一
1 篇文章
×
发送私信
请先
登录
后发送私信
×
举报此文章
垃圾广告信息:
广告、推广、测试等内容
违规内容:
色情、暴力、血腥、敏感信息等内容
不友善内容:
人身攻击、挑衅辱骂、恶意行为
其他原因:
请补充说明
举报原因:
×
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!