【心得】出現了!是野生的貓味

第一次撿到野生的 Malware。

先講結論!由於時間有限以及本人的技術不到位,最後並沒有很理想的結果。
希望之後在 malware analysis 這塊技能樹點起來再回來分析會有所成長 QQ


Story Time

💡前回提要
咱學校為了提升校園網路環境安全,在今年初針對外對內的 RDP、FTP、SSH、MS-SQL、TELNET 藉由 IPS 通通擋掉。而我們 Lab 主要運作的伺服器由於有連線的需求而向學校申請 IP 連線許可,在疫情被迫 Work From Home 的非常時期顯得相當重要。

而最近,我們 Lab 收到了校方的資安通報,而目標 IP 正是主要運作的伺服器,據說是中了蠕蟲。

雖然我認為做為資安相關研究應該要收個資安通報解解成就,但是這次實在是莫名的讓人措手不及,這幾天分別由 stavhaygnhanhan學長 兩位網管(?)負責調查,從假日看到他們螢幕上的 log,真的很辛苦呢。

而在今天 stavhaygn 在我們的小圈圈丟了兩隻 malware 問有沒有興趣分析,起初我只是抱著難得有機會加減摸一下(順便把生灰塵的 Parallel Desktop 拿出來清),結果拿去餵 VirtualTotal 發現是一種蠕蟲,很自然地就想到前陣子的資安通報。

很明顯事情並沒有照著劇本走,因為 Lab 主要運作的伺服器是 Linux,而撿到兩隻的 malware 都是 .exe 完全不能執行(用紅酒除外),第一時間還很不識相的在小圈圈出聲,哭啊被嘲諷 QwQ

故事大概就這樣,
下面會分享第一次分析 malware 我做了哪些事,以及用到哪些工具(即便我都不熟==)。


Simple Analysis

PeStudio

附上兩隻 malware 在 VirusTotal 的結果,這裡使用 PeStudio 做為分析 .exe 的起手式,可以看到兩者皆為 32-bits 以及右圖 malware 有加殼(UPX) 等等檔案資訊。

從之後的研究可知兩者為前後關係,分別是由左圖的 malware-A 執行後產生副產物 malware-B。
VirusTotal 的結果分別為 malware-A (60/69)、malware-B (62/68),而 malware-A 被大部分防毒軟體判讀出來的 Ramnit 是當前臺灣企業受駭最多的一種惡意攻擊手法(iThome 新聞),網路上也不難找到相關的分析報告,接下來我想了解的就是這組 malware 到底做了什麼。

IDA Pro

第一步,當然就是拿出逆向工程萬用寶具 IDA Pro 使用 F5 大法!

大概追了一小段時間… 嗯 看不懂呢QQ
該說組語的底子不夠嗎,雖然說很多 know-how / domain knowledge 需要 google (但我覺得就是自己沒耐心),虧我還聽過小馬教的 Windows 惡意程式分析,本來還想用 x64dbg 下中斷點追一下細節,不過看起來是沒戲嗚嗚。


老實說,第一次這麼沒頭沒尾的就拿了檔案要分析,還真的不知道該做什麼w
CTF 好歹都有給情境或是至少不會毫無方向,所以就上網找了一下這類 malware 分析的操作。

Regshot

首先是 Regshot,考慮到惡意程式通常會修改 registry,因此找到這個可以 snapshot 並且進行比較的開源程式。原本我的 sandbox 環境是在 Windows10 進行實驗,但是當我把比較的結果分享給 stavhaygn 時,被提議使用 Windows7,一測下去 registry 的修改數量增加許多,原來目標主機的環境是 Windows7 早說嘛(雖然我自己也擅自預設環境為Win10)。

要說有什麼發現嗎?
很多註冊表的關鍵字要大概都一知半解,但可以注意到新增大量 ShellBags 的 key 和 value 企圖將 malware 自己藏起來,話說連 {5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} 這串 ID 都有東西可以查 XD,還有 FirewallPolicy 看起來都有被動到,最後 MuiCache 可以自定義 .exe 名稱顯示,這裡 malware 看起來是偽裝成 Internet Explorer。

~res_x64.txt
Regshot 1.9.0 x64 Unicode
Comments:
Datetime: -
Computer: -
Username: -

----------------------------------
Keys added: 4
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Monitored
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Quarantined
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Cheat Engine
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Cheat Engine\Window Positions 96

----------------------------------
Values added: 14
----------------------------------
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{B722FD22-77FB-4A93-B73C-35A5003B8208}C:\program files (x86)\internet explorer\iexplore.exe: "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\internet explorer\iexplore.exe|Name=Internet Explorer|Desc=Internet Explorer|Defer=User|"
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{90FF74F6-3F69-4CB0-A8C9-B3478A25FFF5}C:\program files (x86)\internet explorer\iexplore.exe: "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\internet explorer\iexplore.exe|Name=Internet Explorer|Desc=Internet Explorer|Defer=User|"
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{B722FD22-77FB-4A93-B73C-35A5003B8208}C:\program files (x86)\internet explorer\iexplore.exe: "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\internet explorer\iexplore.exe|Name=Internet Explorer|Desc=Internet Explorer|Defer=User|"
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{90FF74F6-3F69-4CB0-A8C9-B3478A25FFF5}C:\program files (x86)\internet explorer\iexplore.exe: "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\internet explorer\iexplore.exe|Name=Internet Explorer|Desc=Internet Explorer|Defer=User|"
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Balloon_Time: C0 E1 E5 57 14 7E D7 01
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\lpgfrat\Qbjaybnqf\0720 znyjner\znyjner\123.RKR: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 10 BD 00 D6 13 7E D7 01 00 00 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\lpgfrat\NccQngn\Ybpny\Grzc\prgenvaref\PRG7P55.gzc\rkgenpgrq\123.RKR: 00 00 00 00 00 00 00 00 03 00 00 00 2A F2 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr: 00 00 00 00 00 00 00 00 03 00 00 00 79 7D 01 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Classes\Local Settings\MuiCache\2\52C64B7E\@%SystemRoot%\System32\FirewallControlPanel.dll,-1: "Windows Firewall"
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\program files (x86)\internet explorer\iexplore.exe: "Internet Explorer"
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Cheat Engine\Window Positions 96\AdvancedOptions Position: C0 00 00 00 00 01 00 00 3B 02 00 00 2F 01 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Cheat Engine\Window Positions 96\frmAutoInject Position: AE 01 00 00 E5 02 00 00 AF 01 00 00 4B 01 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000_Classes\Local Settings\MuiCache\2\52C64B7E\@%SystemRoot%\System32\FirewallControlPanel.dll,-1: "Windows Firewall"
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\program files (x86)\internet explorer\iexplore.exe: "Internet Explorer"

----------------------------------
Values modified: 12
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2683313141-1501627848-3399458464-1000\RefCount: 0x00000004
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2683313141-1501627848-3399458464-1000\RefCount: 0x00000005
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2683313141-1501627848-3399458464-1000\RefCount: 0x00000004
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2683313141-1501627848-3399458464-1000\RefCount: 0x00000005
HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff01: 00 00 00 00 F2 00 00 00 02 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF
HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff01: 00 00 00 00 F4 00 00 00 02 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Epoch\Epoch: 0x00000090
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Epoch\Epoch: 0x00000098
HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff01: 00 00 00 00 F2 00 00 00 02 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF
HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff01: 00 00 00 00 F4 00 00 00 02 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch\Epoch: 0x00000090
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch\Epoch: 0x00000098
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA: 00 00 00 00 64 00 00 00 8B 00 00 00 10 BF DA 00 0E 00 00 00 15 00 00 00 A0 68 06 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2E 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 47 00 65 00 74 00 74 00 69 00 6E 00 67 00 53 00 74 00 61 00 72 00 74 00 65 00 64 00 00 00 00 00 01 00 00 00 00 00 00 00 F4 78 CE FE FE 07 00 00 90 00 00 00 00 00 00 00 54 D1 46 03 00 00 00 00 01 00 00 00 00 00 00 00 52 31 CE FE FE 07 00 00 02 00 00 00 00 00 00 00 A0 D1 46 03 00 00 00 00 E4 D7 46 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DC 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 D2 46 03 00 00 00 00 DC 03 00 00 00 00 00 00 C4 D2 46 03 00 00 00 00 00 00 00 00 00 00 00 00 98 BA BA FD FE 07 00 00 00 00 00 00 00 00 00 00 E0 A1 BA FD FE 07 00 00 00 00 00 00 00 00 00 00 80 D1 46 03 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 39 00 00 00 00 00 7C 21 59 74 00 00 00 00 00 64 45 02 00 00 00 00 D0 CE 3A 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 D3 46 03 00 00 00 00 50 E6 46 03 00 00 00 00 EC 3F 59 74 00 00 00 00 A0 79 33 00 00 00 00 00 30 D2 46 03 00 00 00 00 00 95 56 FD FE 07 00 00 E4 D7 46 03 00 00 00 00 00 00 00 00 00 00 00 00 98 77 A3 FE FE 07 00 00 00 00 00 00 00 00 00 00 74 D3 46 03 00 00 00 00 E4 D7 46 03 00 00 00 00 00 00 00 00 00 00 00 00 80 D3 46 03 00 00 00 00 80 D3 46 03 00 00 00 00 1D 47 10 77 00 00 00 00 2C 21 59 74 00 00 00 00 01 00 00 00 00 00 00 00 50 94 56 FD FE 07 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 02 00 00 00 0E 00 00 00 15 00 00 00 A0 68 06 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2E 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 47 00 65 00 74 00 74 00 69 00 6E 00
67 00 53 00 74 00 61 00 72 00 74 00 65 00 64 00 00 00 00 00 01 00 00 00 00 00 00 00 F4 78 CE FE FE 07 00 00 90 00 00 00 00 00 00 00 54 D1 46 03 00 00 00 00 01 00 00 00 00 00 00 00 52 31 CE FE FE 07 00 00 02 00 00 00 00 00 00 00 A0 D1 46 03 00 00 00 00 E4 D7 46 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DC 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 D2 46 03 00 00 00 00 DC 03 00 00 00 00 00 00 C4 D2 46 03 00 00 00 00 00 00 00 00 00 00 00 00 98 BA BA FD FE 07 00 00 00 00 00 00 00 00 00 00 E0 A1 BA FD FE 07 00 00 00 00 00 00 00 00 00 00 80 D1 46 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 39 00 00 00 00 00 7C 21 59 74 00 00 00 00 00 64 45 02 00 00 00 00 D0 CE 3A 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 D3 46 03 00 00 00 00 50 E6 46 03 00 00 00 00 EC 3F 59 74 00 00 00 00 A0 79 33 00 00 00 00 00 30 D2 46 03 00 00 00 00 00 95 56 FD FE 07 00 00 E4 D7 46 03 00 00 00 00 00 0
0 00 00 00 00 00 00 98 77 A3 FE FE 07 00 00 00 00 00 00 00 00 00 00 74 D3 46 03 00 00 00 00 E4 D7 46 03 00 00 00 00 00 00 00 00 00 00 00 00 80 D3 46 03 00 00 00 00 80 D3 46 03 00 00 00 00 1D 47 10 77 00 00 00 00 2C 21 59 74 00 00 00 00 01 00 00 00 00 00 00 00 50 94 56 FD FE 07 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 04 00 00 00 02 31 A9 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 79 00 63 00 74 00 73 00 65 00 6E 00 67 00 5C 00 44 00 6F 00 77 00 6E 00 6C 00 6F 00 61 00 64 00 73 00 5C 00 70 00 72 00 6F 00 63 00 65 00 73 00 73 00 68 00 61 00 63 00 6B 00 65 00 72 00 2D 00 32 00 2E 00 33 00 39 00 2D 00 62 00 69 00 6E 00 5C 00 78 00 36 00 34 00 5C 00 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 48 00 61 00 63 00 6B 00 65 00 72 00 2E 00 65 00 78 00 65 00 00 00 61 F2 51 41 00 00 00 00 00 00 00 00 C4 60 44 FD FE 07 00 00 00 00 00 00 00 00 00 00 A8 B2 F2 04 00 00 00 00 0C 80 80
FD FE 07 00 00 A8 B2 F2 04 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 06 00 00 00 EC D4 0B 00 7B 00 46 00 33 00 38 00 42 00 46 00 34 00 30 00 34 00 2D 00 31 00 44 00 34 00 33 00 2D 00 34 00 32 00 46 00 32 00 2D 00 39 00 33 00 A2 68 E6 76 00 00 00 00 37 00 44 00 45 00 30 00 42 00 32 00 38 00 46 00 43 00 32 00 33 00 7D 00 5C 00 65 00 78 00 70 00 60 58 A1 02 00 00 00 00 F9 25 85 FB FE 07 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 E0 D7 02 00 00 00 00 42 89 C6 FE FE 07 00 00 44 E5 D7 02 00 00 00 00 59 03 C3 FE FE 07 00 00 48 E3 D7 02 00 00 00 00 47 50 4F 53 00 00 00 00 03 00 00 00 00 00 00 00 F9 25 85 FB FE 07 00 00 82 00 01 00 00 00 00 00 B8 00 01 00 00 00 00 00 50 B4 18 09 00 00 00 00 D3 F4 E5 76 00 00 00 00 01 00 00 02 00 00 00 00 B8 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 80 7A 2C 00 00 00 00 00 D8 E0 D7 02 00 00 00 00 7C 7C 2C 00 00 00 00 00 40 41 2D 00 00 00 00 00 20 00 00 00 00 00 00 00
00 00 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA: 00 00 00 00 65 00 00 00 9B 00 00 00 19 CC DE 00 0E 00 00 00 15 00 00 00 A0 68 06 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2E 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 47 00 65 00 74 00 74 00 69 00 6E 00 67 00 53 00 74 00 61 00 72 00 74 00 65 00 64 00 00 00 00 00 01 00 00 00 00 00 00 00 F4 78 CE FE FE 07 00 00 90 00 00 00 00 00 00 00 54 D1 46 03 00 00 00 00 01 00 00 00 00 00 00 00 52 31 CE FE FE 07 00 00 02 00 00 00 00 00 00 00 A0 D1 46 03 00 00 00 00 E4 D7 46 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DC 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 D2 46 03 00 00 00 00 DC 03 00 00 00 00 00 00 C4 D2 46 03 00 00 00 00 00 00 00 00 00 00 00 00 98 BA BA FD FE 07 00 00 00 00 00 00 00 00 00 00 E0 A1 BA FD FE 07 00 00 00 00 00 00 00 00 00 00 80 D1 46 03 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 39 00 00 00 00 00 7C 21 59 74 00 00 00 00 00 64 45 02 00 00 00 00 D0 CE 3A 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 D3 46 03 00 00 00 00 50 E6 46 03 00 00 00 00 EC 3F 59 74 00 00 00 00 A0 79 33 00 00 00 00 00 30 D2 46 03 00 00 00 00 00 95 56 FD FE 07 00 00 E4 D7 46 03 00 00 00 00 00 00 00 00 00 00 00 00 98 77 A3 FE FE 07 00 00 00 00 00 00 00 00 00 00 74 D3 46 03 00 00 00 00 E4 D7 46 03 00 00 00 00 00 00 00 00 00 00 00 00 80 D3 46 03 00 00 00 00 80 D3 46 03 00 00 00 00 1D 47 10 77 00 00 00 00 2C 21 59 74 00 00 00 00 01 00 00 00 00 00 00 00 50 94 56 FD FE 07 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 02 00 00 00 0E 00 00 00 15 00 00 00 A0 68 06 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2E 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 47 00 65 00 74 00 74 00 69 00 6E 00
67 00 53 00 74 00 61 00 72 00 74 00 65 00 64 00 00 00 00 00 01 00 00 00 00 00 00 00 F4 78 CE FE FE 07 00 00 90 00 00 00 00 00 00 00 54 D1 46 03 00 00 00 00 01 00 00 00 00 00 00 00 52 31 CE FE FE 07 00 00 02 00 00 00 00 00 00 00 A0 D1 46 03 00 00 00 00 E4 D7 46 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DC 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 D2 46 03 00 00 00 00 DC 03 00 00 00 00 00 00 C4 D2 46 03 00 00 00 00 00 00 00 00 00 00 00 00 98 BA BA FD FE 07 00 00 00 00 00 00 00 00 00 00 E0 A1 BA FD FE 07 00 00 00 00 00 00 00 00 00 00 80 D1 46 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 39 00 00 00 00 00 7C 21 59 74 00 00 00 00 00 64 45 02 00 00 00 00 D0 CE 3A 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 D3 46 03 00 00 00 00 50 E6 46 03 00 00 00 00 EC 3F 59 74 00 00 00 00 A0 79 33 00 00 00 00 00 30 D2 46 03 00 00 00 00 00 95 56 FD FE 07 00 00 E4 D7 46 03 00 00 00 00 00 0
0 00 00 00 00 00 00 98 77 A3 FE FE 07 00 00 00 00 00 00 00 00 00 00 74 D3 46 03 00 00 00 00 E4 D7 46 03 00 00 00 00 00 00 00 00 00 00 00 00 80 D3 46 03 00 00 00 00 80 D3 46 03 00 00 00 00 1D 47 10 77 00 00 00 00 2C 21 59 74 00 00 00 00 01 00 00 00 00 00 00 00 50 94 56 FD FE 07 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 06 00 00 00 24 07 AA 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 79 00 63 00 74 00 73 00 65 00 6E 00 67 00 5C 00 44 00 6F 00 77 00 6E 00 6C 00 6F 00 61 00 64 00 73 00 5C 00 70 00 72 00 6F 00 63 00 65 00 73 00 73 00 68 00 61 00 63 00 6B 00 65 00 72 00 2D 00 32 00 2E 00 33 00 39 00 2D 00 62 00 69 00 6E 00 5C 00 78 00 36 00 34 00 5C 00 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 48 00 61 00 63 00 6B 00 65 00 72 00 2E 00 65 00 78 00 65 00 00 00 FE 07 00 00 00 00 00 00 00 00 00 00 80 7A 2C 00 00 00 00 00 50 BF 0F 04 00 00 00 00 A4 7C 2C 00 00 00 00 00 90 E8 2C
00 00 00 00 00 00 00 00 00 00 00 00 00 A0 DB FB 03 00 00 00 00 00 00 00 00 00 00 00 00 00 01 09 08 00 00 00 00 00 00 00 00 00 00 00 00 10 54 18 77 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 2C 00 00 00 00 00 00 44 FF 03 00 00 00 00 A2 68 E6 76 00 00 00 00 58 03 2C 00 00 00 00 00 B5 EE 16 4C 2E C8 16 0E 3D E8 F2 66 45 7D 00 00 26 08 43 FD FE 07 00 00 00 00 00 00 00 00 00 00 9E 02 00 00 FE 07 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 A8 38 D6 FF 00 00 00 00 20 E0 D7 02 00 00 00 00 42 89 C6 FE FE 07 00 00 44 E5 D7 02 00 00 00 00 59 03 C3 FE FE 07 00 00 48 E3 D7 02 00 00 00 00 47 50 4F 53 00 00 00 00 03 00 00 00 00 00 00 00 F9 25 85 FB FE 07 00 00 82 00 01 00 00 00 00 00 B8 00 01 00 00 00 00 00 01 00 00 02 00 00 00 00 20 00 00 00 00 00 00 00 01 00 00 02 00 00 00 00 B8 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 0E 76 E6 76 00 00 00 00 D8 E0 D7 02 00 00 00 00 7C 7C 2C 00 00 00 00 00 B8 00 01 00 00 00 00 00 20 00 00 00 00 00 00 00
00 00 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr: 00 00 00 00 01 00 00 00 0A 00 00 00 E8 36 0C 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF C0 D0 80 42 46 7D D7 01 00 00 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr: 00 00 00 00 01 00 00 00 0F 00 00 00 77 76 0C 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF C0 D0 80 42 46 7D D7 01 00 00 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\lpgfrat\Qbjaybnqf\cebprffunpxre-2.39-ova\k64\CebprffUnpxre.rkr: 00 00 00 00 01 00 00 00 04 00 00 00 02 31 A9 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 90 C6 6B 48 99 7D D7 01 00 00 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\lpgfrat\Qbjaybnqf\cebprffunpxre-2.39-ova\k64\CebprffUnpxre.rkr: 00 00 00 00 01 00 00 00 06 00 00 00 24 07 AA 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 90 C6 6B 48 99 7D D7 01 00 00 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\lpgfrat\Qbjaybnqf\Ertfubg-1.9.0\Ertfubg-k64-Havpbqr.rkr: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 00 3C 16 C0 13 7E D7 01 00 00 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\lpgfrat\Qbjaybnqf\Ertfubg-1.9.0\Ertfubg-k64-Havpbqr.rkr: 00 00 00 00 01 00 00 00 03 00 00 00 B5 87 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 00 3C 16 C0 13 7E D7 01 00 00 00 00
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx: 03 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx: 00 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx: 03 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-2683313141-1501627848-3399458464-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx: 00 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF

----------------------------------
Total changes: 30
----------------------------------

雖然沒有實際測過,但修改的 registry 我猜也包含重開機自動 RUN 起來吧,剩下的真要認真查可能要不少時間,所以我只有找了幾個有興趣的關鍵字稍微摸過。

Process Hacker

Process Hacker 簡單講就是工作管理員的進階版(O),平常沒碰 Windows 的我也是問了才知道有這軟體可以進一步觀察 process 在後台執行的狀況。

將 malware RUN 起來,出現模仿相當完美的 IE,只是出現位置不對(笑)

原本在斷網的 Sandbox 等不到 malware 發 request,所以只好手機開分享看看他會怎麼運作,抓到程式連到 Amazon EC2 的行為(經驗判斷應該是連 C2 Server,是常見的 Botnet 手法)。

順便宣導一下     !!!千萬不要走學校網路,會收資安通報!!!

不過後續不清楚 malware 怎麼運作,就只是反覆一直連線,看到 Network 那一坨 domain 又不清掉實在讓人略不爽(?)

最後,發現在 kill 掉 malware 後過沒多久會自己重啟(怕.jpg)

Wireshark

Wireshark 是用來分析網路封包的工具。
原本在斷網環境錄製封包一直沒有看到預期的 request,猜想 malware 是否有判斷網路環境,所以我用手機開網路分享(但不對外開行動網路),發現在 DNS 開始會有 google.com、yahoo.com、bing.com 的詢問,但還有一個 supnewdmn[.]com 的 DNS 詢問,從 VirusTotal 的回報比例有 12/87,沒意外是惡意網域,之後會有一些看起來是 DGA 產生的 random domain name應該就是用來連上 Amazon EC2,也就是方才提到的 C2 Server。

直接對外連網後,DNS 查詢的 domain 就會限縮到 google.com 和 supnewdmn[.]com,以及 random domain name。從 Process Hacker 得知的連線 Port 447 來看,由於封包都是走 TCP,所以從 Wireshark 看不到什麼內容 QQ

CAPE Sandbox

CAPE Sandbox 是去年 Still 在社課分享的線上 malware sandbox,我也藉這次機會分別把 malware-A 和 malware-B 丟上去,有興趣的可以上去看看分析報告。

malware-A: https://capesandbox.com/analysis/172779/
malware-B: https://capesandbox.com/analysis/172781/

In the end …

從分析 malware 的時候不難看出該程式的原型是 cheat engine,只是被加料了 (下圖借用 CAPE Sandbox Screenshot)。

 CAPE Sandbox

而故事的後續,原來是 stavhaygn 友人透過 VPN 走校園網路,結果下載的私服外掛被埋了蠕蟲,因此校方 IPS 在分析惡意流量追溯 IP 才會追到我們 Lab 的伺服器,這件事告訴我們 慎選朋友 使用學校網路請不要壞壞。

最後,簡單畫個這次分析的示意圖吧,只是 malware 到底從 C2 server 那邊拿了什麼做了什麼,就不知道了 QwQ 但我想下一步從 reverse 著手應該會有進一步地發現。