
Analysis of a recent Transparent Tribe attack campaign using Indian Ministry of Defence meeting minutes as a lure



Original link:
https://mp.weixin.qq.com/s/3Je-DmyQrqNHxzRo70FTJw

ThreatBook sandbox: https://s.threatbook.cn/report/file/8554b5cace52a0fdf0fd3378e4df6606efb45b8ee686ed5b3c1657633405eb85/?sign=history&env=win7_sp1_enx86_office2013
md5: 7f1f7c5c4b6b486e5ba9340944036285


Analysis of the malicious VBA execution
(the shoby_leLedr function is called first)


Drops C:\ProgramData\HDM Media\davivthain.exe together with the decoy document


Writing the decoy document


davivthain.exe
md5: 3c2b45a6d878cc9f30a5dc10abf400a1

Checks whether C:\Users\geyixian\AppData\Roaming\Microsoft\Windows\Templates\dihakhvartik.zip exists; if it does, the archive is extracted and its contents are run


If C:\Users\geyixian\AppData\Roaming\Microsoft\Windows\Templates\dihakhvartik.zip does not exist, it creates the directory C:\ProgramData\Hithviwia, reads the resource data through the getWin() function, selects the content matching the operating-system version, saves it as trbgertrnion.zip, then extracts and runs it


The getShin function
Gets the operating-system version, checks whether the files "wia07" and "wia08" exist and deletes them if so, then reads data from the resource "Resources.data", saves it as data.zip, extracts it to C:\Users\geyixian\AppData\Roaming\Microsoft\Windows\Templates, and finally reads the file matching the operating-system version.


drmaiprave.exe
md5: 77c29d464efcae961424ae050453ef11
It first registers itself to run at startup


After initialization it starts communicating with the C2
(C2 IP: 66.154.112.206, port 6188; if the connection to that port fails, it tries each port in an array in turn)


IP decoding


Parsing of the C2 commands


C2 command | Handler function | Operation
gey7tavs | machine_procss | process enumeration
thy7umb | images_details | GIF screen recording
pry7ocl | save_apps | add autorun registry entry
doy7wf | download_file | save file to disk
scy7rsz | dsk_scrn_size | set screenshot size
fiy7lsz | ile_details | get file details
csy7dcrgn | seye_scren | take screenshot
diy7rs | show_send_drives | enumerate drives
dey7lt | tras_files | delete file
afy7ile | seynd_auto | upload file
udy7lt | remove_account | save under the current path as iaknhan.exe and run it
liy7stf | see_folders | walk a folder and list the file names (including file details)
iny7fo | account_infos | get the OS version and the current process path
ruy7nf | Process.Start(procss_type[1].Split(new char[]{'>'})[0]); | run the specified process
fiy7le | move_files | move file
fly7es | see_files | walk a folder and list the file names
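As an added example (not code from the original analysis), the following Python classifier maps captured C2 messages to the handlers and capabilities listed in the table above and flags the state-changing commands for triage. It assumes the arguments follow the command token separated by '>' as the Split(new char[]{'>'}) call for ruy7nf suggests; the real framing is not documented here, and the sample session is constructed.

```python
# Added example, not from the original analysis: classify captured C2
# messages of drmaiprave.exe by the command tokens listed above.
# ASSUMPTION: arguments follow the token separated by '>', as the
# Split(new char[]{'>'}) call for ruy7nf suggests; real framing is not on the page.
from typing import Optional

C2_COMMANDS = {  # token -> (handler from the analysis, capability)
    "gey7tavs": ("machine_procss", "process enumeration"),
    "thy7umb": ("images_details", "GIF screen recording"),
    "pry7ocl": ("save_apps", "autorun registry persistence"),
    "doy7wf": ("download_file", "save file to disk"),
    "scy7rsz": ("dsk_scrn_size", "set screenshot size"),
    "fiy7lsz": ("ile_details", "get file details"),
    "csy7dcrgn": ("seye_scren", "take screenshot"),
    "diy7rs": ("show_send_drives", "enumerate drives"),
    "dey7lt": ("tras_files", "delete file"),
    "afy7ile": ("seynd_auto", "upload file"),
    "udy7lt": ("remove_account", "drop and run iaknhan.exe"),
    "liy7stf": ("see_folders", "directory listing with file details"),
    "iny7fo": ("account_infos", "OS version and process path"),
    "ruy7nf": ("Process.Start", "run specified process"),
    "fiy7le": ("move_files", "move file"),
    "fly7es": ("see_files", "directory listing"),
}
# Tokens that execute code or change host state: alert on these first.
HIGH_RISK = {"ruy7nf", "udy7lt", "pry7ocl", "doy7wf", "afy7ile"}

def classify_message(msg: str) -> Optional[dict]:
    """Map one message to its capability; None for unrecognised traffic."""
    fields = msg.strip().split(">")
    handler_cap = C2_COMMANDS.get(fields[0])
    if handler_cap is None:
        return None
    return {"token": fields[0], "handler": handler_cap[0],
            "capability": handler_cap[1],
            "args": [f for f in fields[1:] if f],
            "high_risk": fields[0] in HIGH_RISK}

def scan_session(lines) -> list:
    """Events for every recognised command in a captured session."""
    return [e for e in map(classify_message, lines) if e]

# Constructed sample session (not real captured traffic).
SAMPLE_SESSION = ["iny7fo>", "csy7dcrgn>",
                  "ruy7nf>C:\\Users\\Public\\iaknhan.exe>", "GET / HTTP/1.1"]
```

Running scan_session over a decoded TCP stream to 66.154.112.206 gives a per-command timeline, and the high_risk flag separates reconnaissance from execution and persistence activity.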
