1. Sample Overview
The file "2020年9月份工资制度更新说明.docm" (roughly "September 2020 salary policy update notes") carries a malicious embedded macro. The macro decrypts and drops "google.exe" into the Temp directory and executes it.
"google.exe" drops and decrypts a DLL, "platformcable.dll", and loads and executes it by reflective injection.
"platformcable.dll" was generated with the Meterpreter framework. It connects to the C&C server to download files and dispatches the commands it receives; during the analysis run, however, no attack commands arrived.
2. Sample Type
The sample is a remote-control (RAT) and information-stealing trojan.
3. Detailed Analysis
3.1 Execution and Dropping
The macro that Word runs automatically on open is shown below.
[Figure: decrypt, drop and execute the EXE]
[Figure: the dropped file in the Temp directory]
[Figure: the Golang trojan drops the DLL]
[Figure: the decrypted DLL file]
The header of the decrypted DLL is specially constructed, and its layout resembles the bootstrap loader code of the Meterpreter framework. The DLL runs its exported function via reflective injection so that it executes itself in memory.
3.2 Attack Details
[Figure: decrypting the server address]
[Figure: the User-Agent string]
[Figure: connecting to the C&C to download files]
[Figure: command dispatch logic]
3.3 Remote-Control Module
[Figure: some of the commands: privilege escalation, process enumeration, exit]
[Figure: collecting network adapter information]
3.4 Attribution Analysis
3.4.1 C&C Lookup
C&C |
---|
49.235.90.11 |
No sensitive information was found associated with this address.
3.4.2 Hash Lookup
4. Sample Indicators
4.1 File Hashes
Name | MD5 |
---|---|
2020年9月份工资制度更新说明.docm | 8fb033fbeb07a994791855fdb1824019 |
Google.exe | e4d2f1b2c76bbef72e842d7c6d0e75f0 |
Platformcable.dll | 253b54a262163a5e3426c4b2d6c08042 |
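The indicators above (the three MD5 values, the C&C address 49.235.90.11 from 3.4.1 and the drop-and-run behaviour from 3.1) can be applied to endpoint telemetry directly. The following is an added example, not code from the original report: a small Python IoC sweep that hashes files, flags an Office process launching a child from the Temp directory, and flags connections to the C&C address. The JSON-lines telemetry, the user and paths in it, and the list of Office parent processes are constructed assumptions.

```python
"""Added example, not part of the original report: an IoC sweep that applies
the report's indicators to constructed endpoint telemetry.

Indicators taken from the report: the MD5 values of the three files in the
hash table (4.1), the C&C address 49.235.90.11 (3.4.1), and the behaviour in
3.1 (a Word macro drops an EXE into the Temp directory and runs it).
The telemetry lines and the Office process list are constructed assumptions."""
import hashlib
import json
import ntpath
import re
from dataclasses import dataclass

# MD5 values from section 4.1 of the report, keyed by digest.
IOC_MD5 = {
    "8fb033fbeb07a994791855fdb1824019": "2020年9月份工资制度更新说明.docm",
    "e4d2f1b2c76bbef72e842d7c6d0e75f0": "google.exe",
    "253b54a262163a5e3426c4b2d6c08042": "platformcable.dll",
}

# C&C address from section 3.4.1 of the report.
IOC_C2 = {"49.235.90.11"}

# Office hosts whose child processes deserve a look (assumed list, not from the report).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Any path component named Temp, e.g. %LOCALAPPDATA%\Temp or C:\Windows\Temp.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "hash", "process" or "network"
    detail: str


def lookup_digest(md5_hex: str):
    """Return the report's file name for a known MD5 (any case), or None."""
    return IOC_MD5.get(md5_hex.lower())


def check_file(name: str, data: bytes):
    """Hash a file's bytes and return a Finding if the MD5 is in the IoC list."""
    digest = hashlib.md5(data).hexdigest()
    known = lookup_digest(digest)
    if known is None:
        return None
    return Finding("hash", f"{name} has the MD5 of {known} ({digest})")


def scan_telemetry(lines):
    """Walk JSON-lines telemetry and return every Finding that matches the
    report's indicators: a known hash, an Office process launching a child
    from Temp, or a connection to the C&C address."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        kind = ev.get("event")
        if kind == "file_create" and lookup_digest(ev.get("md5", "")):
            findings.append(Finding("hash", f"{ev['target']} is {lookup_digest(ev['md5'])}"))
        elif kind == "process_create":
            parent = ntpath.basename(ev["parent"]).lower()
            if parent in OFFICE_PARENTS and TEMP_DIR_RE.search(ev["image"]):
                findings.append(Finding("process", f"{parent} launched {ev['image']}"))
        elif kind == "network_connect" and ev.get("dst_ip") in IOC_C2:
            findings.append(Finding("network", f"{ev['image']} -> {ev['dst_ip']}:{ev['dst_port']}"))
    return findings


# Constructed telemetry in the shape an EDR might export; user, paths and port are invented.
SAMPLE_TELEMETRY = [
    r'{"event":"process_create","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}',
    r'{"event":"file_create","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","target":"C:\\Users\\alice\\AppData\\Local\\Temp\\google.exe","md5":"e4d2f1b2c76bbef72e842d7c6d0e75f0"}',
    r'{"event":"process_create","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\google.exe"}',
    r'{"event":"network_connect","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\google.exe","dst_ip":"49.235.90.11","dst_port":443}',
    r'{"event":"network_connect","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dst_ip":"203.0.113.10","dst_port":443}',
]

if __name__ == "__main__":
    for f in scan_telemetry(SAMPLE_TELEMETRY):
        print(f"[{f.kind}] {f.detail}")
```

The process rule is intentionally behavioural rather than name-based: a renamed dropper would still be caught as an Office child running from Temp, whereas the hash and C&C checks only catch this exact sample and infrastructure.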
4.2 YARA or Other Signatures

```yara
import "pe"

rule Platformcable {
    meta:
        description = "Auto-generated rule - file Platformcable.dll"
        author = "YarGen Rule Generator"
        reference = "not set"
        date = "2020-09-21"
        hash1 = "4471f319f3488de0e5926ad1a942e727abe90f9e65170d1877f91a4a0c05bd42"
    strings:
        $x1 = "XUOS+o3eUUYTAVo9rRBk26Q34R2xrwZE/PtFtVfpUbHsZasx2S+Jb7ZAIb6tgcE5hIyjtA3qm5szfWp57pkCCkdQ4aFLXuQqwmDs+B98hpSEPTWzSJOFyHGI3R8iUFOj" ascii
        $s2 = "MSPDB80.DLL" fullword ascii
        $s3 = "platformcable.dll" fullword ascii
        $s4 = "SOFTWARE\\Microsoft\\VisualStudio\\9.0\\Setup\\VS" fullword ascii
        $s5 = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" fullword ascii
        $s6 = "rijndael" fullword ascii
        $s7 = ",-/./.........................................................................................&.-/." fullword ascii
        $s8 = "...(...(mAAEGK................................................................... .-.>.......................3.-.n" fullword ascii
        $s9 = "%s as %s\\%s: %d" fullword ascii
        $s10 = "%s%s: %s" fullword ascii
        $s11 = "%s (admin)" fullword ascii
        $s12 = "%02d/%02d/%02d %02d:%02d:%02d" fullword ascii
        $s13 = "abcdefghijklmnop" fullword ascii
        $s14 = "> >$>(>,>0>4>8><>@>D>H>L>P>T>X>h>p>t>x>|>" fullword ascii
        $s15 = "ZKC^..................................................................%.-/.......,..-" fullword ascii
        $s16 = "0181<1@1D1H1L1P1T1X1\\1`1d1h1l1p1t1x1|1" fullword ascii
        $s17 = ":2-3135393=3A3E3I3M3Q3U3Y3]3a3e3M4d4r4" fullword ascii
        $s18 = "3$3,343<3D3L3T3\\\\3 3d3x3|3" fullword ascii
        $s19 = "?\"?)?/?7?>?C?K?T?`?e?j?p?t?z?" fullword ascii
        $s20 = "%s&%s=%s" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 8000KB and pe.imphash() == "91828184b80cc4655320eccc55859ca2" and pe.exports("_PlatformCable") and ( 1 of ($x*) or 4 of ($s*) ) ) or ( all of them )
}

rule tttt_google {
    meta:
        description = "Auto-generated rule - file google.exe"
        author = "YarGen Rule Generator"
        reference = "not set"
        date = "2020-09-21"
        hash1 = "b590fdb0b7e1ccca9c95db4a279be4c833ccfd629b41819ebcf62ddf115173c8"
    strings:
        $s1 = "?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v" fullword ascii
        $s2 = "3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%" fullword ascii
        $s3 = "2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s" fullword ascii
        $s4 = "2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#" fullword ascii
        $s5 = "https://sectigo.com/CPS0C" fullword ascii
        $s6 = "contact@managerpants.com0" fullword ascii
        $s7 = "http://ocsp.sectigo.com0#" fullword ascii
        $s8 = "xeSBSX3p0" fullword ascii /* base64 encoded string 'y R_zt' */
        $s9 = "sXiRNTH5R" fullword ascii /* base64 encoded string '^$ML~Q' */
        $s10 = "%USERTrust RSA Certification Authority0" fullword ascii
        $s11 = "1iR.AXA!nV+T4Jp<9" fullword ascii
        $s12 = "lI+1haSH.PYX" fullword ascii
        $s13 = "JZ /PZ\\j04pqQP`[" fullword ascii
        $s14 = "The USERTRUST Network1.0," fullword ascii
        $s15 = "6fmaftpgc g" fullword ascii
        $s16 = "Sectigo RSA Code Signing CA0" fullword ascii
        $s17 = "Sectigo RSA Code Signing CA" fullword ascii
        $s18 = "RSAjW2" fullword ascii
        $s19 = "181102000000Z" fullword ascii
        $s20 = "D0xB.vrR" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 2000KB and pe.imphash() == "6ed4f5f04d62b18d96b26d6db7c18840" and ( 8 of ($s*) ) ) or ( all of them )
}
```