Subatomic - Mastering Nullsoft Scriptable Install System packaging and heavily obfuscated JS analysis

admin, 2025-01-09 21:22:11 · 10 views · 3784 characters · 12 min 36 s read
Forela is in need of your assistance. They were informed by an employee that their Discord account had been used to send a message with a link to a file they suspect is malware. The message read: "Hi! I've been working on a new game I think you may be interested in it. It combines a number of games we like to play together, check it out!". The Forela user has tried to secure their Discord account, but somehow the messages keep being sent and they need your help to understand this malware and regain control of their account! Warning: This is a warning that this Sherlock includes software that is going to interact with your computer and files. This software has been intentionally included for educational purposes and is NOT intended to be executed or used otherwise. Always handle such files in isolated, controlled, and secure environments. Once the Sherlock zip has been unzipped, you will find a DANGER.txt file. Please read this to proceed.
What is the Imphash of this malware installer?
https://www.virustotal.com/gui/file/7a95214e7077d7324c0e8dc7d20f2a4e625bc0ac7e14b1446e37c47dff7eeb5b/details
b34f154ec913d2d2c435cbd644e91687
The malware contains a digital signature. What is the program name specified in the SpcSpOpusInfo Data Structure?
Windows Update Assistant
The malware uses a unique GUID during installation, what is this GUID?
https://serverfault.com/questions/93785/looking-for-a-unique-guid-to-identify-a-windows-installation
cfbc383d-9aa0-5771-9485-7b806e8442d5
The malware contains a package.json file with metadata associated with it. What is the 'License' tied to this malware?
elevate.exe looks like a privilege-escalation toolkit.

Inside there is an asar file.
https://github.com/electron/asar

npm install --engine-strict @electron/asar
find / -name 'asar' 2>/dev/null
node /home/kali/node_modules/.bin/asar --help
node /home/kali/node_modules/.bin/asar
node /home/kali/node_modules/.bin/asar e app.asar ./resources/
ISC
The malware connects back to a C2 address during execution. What is the domain used for C2?
illitmagnetic.site
The malware attempts to get the public IP address of an infected system. What is the full URL used to retrieve this information?
This is the question where debugging starts. Looking at package.json you can see the app depends on dpapi (the @primno/dpapi module), so we have to debug in a Windows environment.

https://code.visualstudio.com/docs/editor/debugging

Click "Open a folder" on the left and select our project directory.


Then click "Run and Debug" and choose "create a launch.json file".

Add a runtimeExecutable setting in it:

https://nodejs.org/en/download

I downloaded the binary build from here.

node must be added to the PATH variable, otherwise installing modules later will fail.
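The write-up does not show the launch.json it ends up with, so here is an added example of one that fits the steps above (not the author's file). Assumptions: the downloaded node.exe lives at C:\tools\node\node.exe and the entry point is app.js in the opened folder; adjust both to your setup. stopOnEntry makes the debugger break before the first line of the malware runs, which is what you want when stepping through a live sample in an isolated VM.

```json
{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "node",
      "request": "launch",
      "name": "Debug extracted app (isolated VM only)",
      "program": "${workspaceFolder}/app.js",
      "runtimeExecutable": "C:\\tools\\node\\node.exe",
      "cwd": "${workspaceFolder}",
      "stopOnEntry": true,
      "console": "integratedTerminal"
    }
  ]
}
```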

Start debugging:


As expected, errors appear.

Run the following in the project directory:

del .\node_modules\@primno
npm config set registry https://registry.npmmirror.com
npm install @primno/dpapi
del .\node_modules\sqlite3
npm install sqlite3

(del only removes the files inside those folders; use rmdir /s /q if you want the folder itself gone.) If you hit "npm error Invalid Version:", delete package-lock.json and retry.

After those changes, start the debugger again: F5 to launch, F6 to pause.

Under LOADED SCRIPTS you will now see things:

Back to this question:
https://ipinfo.io/json
The malware is looking for a particular path to connect back on. What is the full URL used for C2 of this malware?

But this direction is actually wrong. The malicious code is in the app.js file extracted earlier. All the remaining questions are answered by analyzing that JS file, which needs some deobfuscation first.

https://illitmagnetic.site/api/

The malware has a configured user_id which is sent to the C2 in the headers or body on every request. What is the key or variable name sent which contains the user_id value?

6270048187, but the question asks for the key, not the value.
duvet_user
The malware checks for a number of hostnames upon execution, and if any are found it will terminate. What hostname is it looking for that begins with arch?

archibaldpc

The malware looks for a number of processes when checking if it is running in a VM; however, the malware author has mistakenly made it check for the same process twice. What is the name of this process?


vmwaretray

The malware has a special function which checks to see if C:\Windows\system32\cmd.exe exists. If it doesn't it will write a file from the C2 server to an unusual location on disk using the environment variable USERPROFILE. What is the location it will be written to?

%USERPROFILE%\Documents\cmd.exe
The malware appears to be targeting browsers as much as Discord. What command is run to locate Firefox cookies on the system?
where /r . cookies.sqlite
To finally eradicate the malware, Forela needs you to find out what Discord module has been modified by the malware so they can clean it up. What is the Discord module infected by this malware, and what's the name of the infected file?
discord_desktop_core-1, index.js

Originally published on the WeChat public account Definite R3dBlue: Subatomic - Mastering Nullsoft Scriptable Install System packaging and heavily obfuscated JS analysis

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear all legal and joint liability; this site accepts none. For questions, contact us by e-mail (see the home page; use a corporate or otherwise valid mailbox so the message is not filtered).
Posted by admin on 2025-01-09 21:22:11. Please keep this link when reposting (CN-SEC: thanks to the original author): https://cn-sec.com/archives/3612522.html