2025-01-18 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to analyze a loader sample disguised as a Cobalt Strike (CS) trojan. It is shared here for reference; I hope you will come away with a solid understanding of the relevant techniques after reading it.
0x01 Open Source Intelligence Collection
Sample download link: https://app.any.run/tasks/ffc1ecff-e461-4474-8352-551db7e7b06f/
Common platforms: VirusTotal (VT), ThreatBook (Weibu), Tencent Habo, app.any.run, Joe Sandbox
Figure 1: VT detection (flagged as a Trojan)
Take a look at the sandbox behaviour:
Figure 2: sandbox behaviour analysis
You can see that a binary file was downloaded with a GET request to the C2 server.
Click the binary file to view its details:
Figure 3: malicious binary
The same binary can also be located in the Wireshark capture under the dump by filtering on HTTP requests.
Figure 4: packet capture analysis
Query the C2 server IP:
Figure 5: IP lookup
Now that we have a preliminary picture of the malware, let's look at the packets to see whether they reveal anything useful. The most obvious thing is the use of an unusual port, plus an interesting phenomenon:
Figure 6: packet analysis
Unexpectedly, it was the compromised host (the "broiler") that actively connected to the C2 server, which reminded me of a CS trojan. This works like a reverse shell; the advantage is that it bypasses firewall restrictions: if the victim sits behind a private network IP the attacker cannot initiate a connection to it directly, and the reverse connection also makes persistent control easier.
0x02 Basic information of the sample
Packer check with Exeinfo PE: a standard 32-bit VC-compiled program
Figure 7: sample information
Monitoring behaviour with Process Monitor
Figure 8: software behaviour
The details of each item are not shown individually. Roughly: it reads some registry keys and sets some key-value pairs, many of them IE browser settings (proxy, Cache, and so on). Some local files are read with CreateFile(), but there is no creation or deletion of files on disk. Network monitoring shows send and receive activity, presumably receiving the next-stage payload from the C2 server. Importantly, looking at the registry, no key changes for persistence were found.
0x03 Binary analysis: IDA static analysis
Principle: static analysis first, then dynamic.
Load the sample in IDA and look at the import table; there are many tell-tale APIs.
Anti-debugging:
It queries the user's default locale, so the sample is also region-targeted.
Anti-debugging:
Memory allocation: because the sample receives the binary from the C2 but never writes it to disk, the guess is that this API carves out a memory region in which to execute the payload in memory.
Oddly, no network-related API functions or libraries appear in the import table.
Look at the static strings
Static analysis of the program flow
Of the two functions, I focus on the second, sub_453960(), because the first appears to do no real work: initialization, creating a mutex, and so on.
My approach was to step through the entire second function in OllyDbg (OD) side by side with IDA, which took about three and a half hours and is probably the stupidest method, but at least I worked out the program flow. The key function is sub_4534B0(). Before reaching it, the malware also sets the attributes of several folders, such as C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies. Is it trying to steal cookies?
After debugging, the key function is located. It should in fact be the real main function, which IDA did not recognize:
The program allocates a region of memory with VirtualAlloc(). The hard-coded payload is stored at unk_515000; sub_44F3DC() is equivalent to strcpy() and copies the payload to v1, which is then called as a function. The payload is a piece of machine code spanning 00515000-0051531F. More interestingly, the IP address of the C2 server is found at the end of the payload. Further debugging showed that the whole program uses this method to execute its payloads.
Payload Analysis:
OD dynamic analysis
Step 1: disable ASLR on the sample to make debugging easier.
Load it in PEview
The offset is 0x15E, the DllCharacteristics field of the optional header. Open the file in a hex editor (many people use 010 Editor) and clear the DYNAMIC_BASE bit (0x0040).
After the modification, load the sample in OD.
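The 0x15E offset above can be derived from the PE headers instead of being read off PEview. The following Python script is an added example, not code from the original article: it walks the MZ and PE headers to the optional header's DllCharacteristics field and clears IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040), the bit that asks the loader to randomize the image base. The header it patches is a minimal PE32 skeleton constructed inline with e_lfanew = 0x100 (an assumption that reproduces the 0x15E offset; the real sample's e_lfanew is not stated on the page), so it runs without the sample.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: with this bit clear the Windows loader
# maps the image at its preferred ImageBase, so addresses stay stable across runs.
DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_OPTIONAL_HEADER.DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    opt = e_lfanew + 4 + 20                     # skip signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics is at +0x46 in both PE32 and PE32+ (ImageBase grows to
    # 8 bytes in PE32+, but BaseOfData disappears, so the field does not move).
    return opt + 0x46


def read_dll_characteristics(data: bytes) -> int:
    return struct.unpack_from("<H", data, dll_characteristics_offset(data))[0]


def disable_aslr(data: bytes) -> bytes:
    """Return a copy of the image with the DYNAMIC_BASE bit cleared."""
    patched = bytearray(data)
    off = dll_characteristics_offset(patched)
    flags = struct.unpack_from("<H", patched, off)[0]
    struct.pack_into("<H", patched, off, flags & ~DYNAMIC_BASE & 0xFFFF)
    return bytes(patched)


def build_sample_pe(e_lfanew: int = 0x100, dll_chars: int = 0x8140) -> bytes:
    """Constructed stand-in for the sample: a PE32 header skeleton, not real code.
    0x8140 = TERMINAL_SERVER_AWARE | NX_COMPAT | DYNAMIC_BASE, a typical VC default."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 4, 0x014C)          # Machine = i386
    struct.pack_into("<H", img, e_lfanew + 4 + 16, 0xE0)       # SizeOfOptionalHeader
    struct.pack_into("<H", img, e_lfanew + 24, PE32_MAGIC)     # optional header Magic
    struct.pack_into("<H", img, e_lfanew + 24 + 0x46, dll_chars)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("DllCharacteristics at file offset 0x%X" % dll_characteristics_offset(sample))
    print("before: 0x%04X  after: 0x%04X" % (
        read_dll_characteristics(sample),
        read_dll_characteristics(disable_aslr(sample))))
```

To patch the real file, read it into `disable_aslr()` and write the result to a new copy; that copy is the one to load in OD, so the 0051xxxx addresses from IDA line up with what the debugger shows on every run.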
Anti-debugging is handled with the HideOD plugin, or manually, by directly modifying the relevant values in the PEB.
Going straight to the key function:
Because this is a 32-bit program, by convention the function return value is in EAX. After calling VirtualAlloc(), EAX holds the base address of the allocated memory, 00020000, which means the payload will be copied here and executed.
And the memory page protection is RWE, as expected.
Follow in the data window: this is where the payload is copied once sub_44F3DC() has executed.
The program then starts executing the payload. Debugging the payload shows that it loads the wininet library through LoadLibrary(), which explains why no network-related API appears in the import table. Once it has resolved the addresses of the APIs it needs, it begins communicating with the C2 server.
Set breakpoints at 00020068 and 00020086. While debugging you can clearly feel the timing mechanism hindering dynamic analysis; just set a breakpoint below the key point and step past it.
00020068 holds the ASCII names of the API functions used for network communication.
A jmp eax at 00020086 jumps into the resolved API function.
From the sandbox and traffic analysis we already know that the first-stage sample connects to the C2 server to download the second-stage payload. The general idea: allocate memory with VirtualAlloc(), then read the payload into it with InternetReadFile().
Check the order of the parameters passed to VirtualAlloc():
```c
LPVOID VirtualAlloc(
    LPVOID lpAddress,        // start address of the region to allocate (NULL: let the system choose)
    SIZE_T dwSize,           // size of the region in bytes
    DWORD  flAllocationType, // allocation type (MEM_COMMIT, MEM_RESERVE, ...)
    DWORD  flProtect         // memory protection of the pages (here PAGE_EXECUTE_READWRITE)
);
```
Parameters are pushed from right to left. According to the documentation, when lpAddress is NULL the system chooses the location of the allocated region, aligned to the 64 KB allocation granularity.
That location is random, and InternetReadFile() is then called to read the second-stage payload into it.
Set a hardware execution breakpoint here.
The second-stage payload has been read.
The program begins executing the second-stage payload.
Loop-decrypting the payload
The decrypted file is a PE file.
Dump the PE file.
Check for a packer
A DLL file
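The decryption loop above can be short-circuited without tracing it instruction by instruction when the output is a PE file, because parts of a PE's DOS header are known plaintext. The script below is an added example, not part of the original analysis: it recovers a repeating XOR key of up to 20 bytes from the ciphertext alone by using the 20 reserved zero bytes (e_res2, offsets 0x28-0x3B), then validates the candidate against the MZ and PE signatures. The assumption that e_res2 is zero holds for images from the usual linkers but is not guaranteed; the key length and the encrypted buffer used here are constructed for the demonstration, and the sample's actual key is not given on the page.

```python
import struct

# Known plaintext in a normal PE's DOS header (assumption: e_res2 is all zero,
# which is true for MSVC/MinGW-linked images but not guaranteed for every packer).
ZERO_RUN = range(0x28, 0x3C)        # e_res2: 20 zero bytes -> keys up to 20 bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    n = len(key)
    return bytes(b ^ key[i % n] for i, b in enumerate(data))


def is_pe(data: bytes) -> bool:
    """Cheap structural check: MZ at 0 and 'PE\\0\\0' where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes, max_len: int = 20):
    """Try key lengths 1..max_len, shortest first; return (key, plaintext) or None.

    Wherever the plaintext byte is 0x00, ciphertext == key byte, so the 20-byte
    zero run fixes every key byte for any key length up to 20. A key longer than
    the zero run cannot be fully recovered this way, hence the cap."""
    if len(blob) < 0x40:
        return None
    for n in range(1, min(max_len, len(ZERO_RUN)) + 1):
        key = bytearray(n)
        for pos in ZERO_RUN:
            key[pos % n] = blob[pos]      # plaintext 0x00 -> key byte is the ciphertext byte
        plain = xor_bytes(blob, bytes(key))
        if is_pe(plain):
            return bytes(key), plain
    return None


def constructed_sample():
    """Stand-in for the dumped buffer: a tiny PE skeleton XORed with a 3-byte key.
    Constructed for this example; the page does not give the real key."""
    pe = bytearray(0x80)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x44, 0x014C)            # Machine = i386
    pe[0x60:0x80] = bytes(range(0x60, 0x80))           # arbitrary body bytes
    key = b"\x5a\xc3\x10"
    return xor_bytes(bytes(pe), key), key, bytes(pe)


if __name__ == "__main__":
    enc, _, _ = constructed_sample()
    result = recover_xor_key(enc)
    if result is None:
        print("no repeating XOR key of <= 20 bytes produces a PE")
    else:
        key, plain = result
        print("key %s recovered, %d-byte PE ready to dump" % (key.hex(), len(plain)))
```

Shortest key first matters: a 1-byte key also satisfies every longer length, so stopping at the first valid candidate gives the real key rather than a repeated copy of it. If the routine returns None, the loop is not plain XOR, the key is longer than the zero run, or the plaintext is not a PE, and the in-debugger approach from the steps above is the way to go.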
VT analysis
I previously reproduced an APT28 sample whose technique is similar to this program: it eventually releases a malicious DLL. Some DLLs are executed with rundll32; others are loaded directly into memory and their functions called, so the DLL never touches disk, and even if the exe is captured the DLL's core functionality is not obtained. In this case it is executed directly in memory.
One point worth making: thanks to previous CTF experience, the Base64 and AES algorithms were quickly identified during static analysis.
Base64 code table:
Implementation of Base64 algorithm:
'=' padding:
An AES S-box was found:
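Recognizing these constants can be automated. The scanner below is an added example, not from the original write-up: it regenerates the AES S-box from its definition (multiplicative inverse in GF(2^8) followed by the affine transform) rather than carrying a typed-in table, derives the inverse S-box from it, and searches a binary image for those tables and for the standard and URL-safe Base64 alphabets. The blob it scans is constructed inline; point `find_crypto_constants` at the bytes of the dumped DLL to use it for real.

```python
def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(x: int) -> int:
    """Multiplicative inverse via x^254 (Fermat); the inverse of 0 is defined as 0."""
    result, base, e = 1, x, 254
    while e:
        if e & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        e >>= 1
    return result if x else 0


def aes_sbox() -> bytes:
    """Forward S-box: affine transform of the field inverse, as in FIPS-197 5.1.1."""
    table = bytearray(256)
    for x in range(256):
        inv = _gf_inv(x)
        s = inv
        for i in range(1, 5):                       # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        table[x] = s ^ 0x63
    return bytes(table)


def aes_inv_sbox() -> bytes:
    """Inverse S-box (used by AES decryption), derived by inverting the forward table."""
    inv = bytearray(256)
    for x, y in enumerate(aes_sbox()):
        inv[y] = x
    return bytes(inv)


B64_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
B64_URL = B64_STD[:-2] + b"-_"

SIGNATURES = {
    "AES S-box (encrypt)": aes_sbox(),
    "AES inverse S-box (decrypt)": aes_inv_sbox(),
    "Base64 alphabet (standard)": B64_STD,
    "Base64 alphabet (URL-safe)": B64_URL,
}


def find_crypto_constants(blob: bytes) -> dict:
    """Return {name: [file offsets]} for every signature table present in blob."""
    hits = {}
    for name, sig in SIGNATURES.items():
        off = blob.find(sig)
        while off != -1:
            hits.setdefault(name, []).append(off)
            off = blob.find(sig, off + 1)
    return hits


def constructed_image() -> bytes:
    """Constructed stand-in for the dumped DLL: filler with two tables embedded."""
    img = bytearray(b"\xcc" * 0x400)
    img[0x40:0x40 + len(B64_STD)] = B64_STD
    img[0x200:0x300] = aes_sbox()
    return bytes(img)


if __name__ == "__main__":
    for name, offs in find_crypto_constants(constructed_image()).items():
        print("%-28s at %s" % (name, ", ".join("0x%X" % o for o in offs)))
```

A hit on the forward S-box without the inverse table, as in the constructed image, is consistent with a sample that only encrypts (or uses AES in CTR mode, which never needs the inverse); a custom Base64 alphabet shows up as a miss on both alphabets even though the encoding routine itself is present, which is why the code-table and the '=' padding logic in the disassembly are still worth checking by hand.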
The standard HttpSendRequestA family of APIs for network requests:
A URL was found during dynamic debugging.
From the packet analysis I originally thought that, like an ordinary trojan, it collected local sensitive information, compressed it and uploaded it to the C2 server; the trojan turned out to be more cunning. This malicious DLL is effectively a downloader: it connects to the URL and decides what to do based on the page response or preset flag bits, similar to a heartbeat check, either performing its malicious function or sleeping. The malicious function is presumably to download the real payload.
0x04 Attack flow
The scenario for this sample is probably an APT or red-team operation in which a CS trojan is successfully delivered to the target during penetration testing, but because CS is easy to detect it is not suited to long-term persistent control. So a payload is hard-coded in the CS trojan that communicates with the C2 server and downloads a binary; AV evasion is achieved through the XOR operation, and that binary acts as a downloader for the next-stage payload. By checking the requested URL it improves its stealth and is woken by the attacker at the right time. Another highlight of the sample is that nothing touches disk during the whole process: memory is allocated with VirtualAlloc() and the payload is copied into memory for execution, which caused me a lot of trouble during reverse analysis. The sample can be flagged as malicious with the community's YARA rules.
0x05 IOC
Main object: "3F37FC95AA5C8F7C304AA0DFC3FFBF2E"
SHA256: F6E04B3710044F76666468559FD2B6688CCAC091284D138E461C2257C387D7D3
SHA1: 4BB7B4AE2CC8C5D6C8EF1704A9B027878190D028
MD5: 3F37FC95AA5C8F7C304AA0DFC3FFBF2E
Connections
IP 8.210.181.149
HTTP/HTTPS requests
URL http://8.210.181.149:16678/activity
URL http://8.210.181.149:16678/9jhQ
0x06 Association analysis
Correlation analysis uses QiAnXin's platform.
That is how to analyze a loader sample disguised as a CS trojan. I hope the above is helpful and teaches you something new; if you found the article useful, share it so more people can see it.
© 2024 shulou.com SLNews company. All rights reserved.