Digital forensics tips and tricks: IM-based Telegram RAT, part 2


After I published my article about the Telegram IM-based RAT, I received several messages with one common question: what additional evidence can be found if a workstation has been infected with a Telegram IM-based RAT?

Ok, I thought, let's continue this investigation, especially since the theme had attracted such interest.

image

A Telegram-based RAT leaves traces in RAM, and we can find them during analysis.

But in most cases an investigator can't analyse RAM in real time. How can we get a RAM dump as fast as possible? For instance, you may use Belkasoft Live RAM Capturer. It's a completely free tool and works very fast without much administrative effort.

image

After the capture finishes, just open the dump file in any hex viewer (in this example I used FTK Imager, but you could choose a more lightweight tool). Search for the «telegram.org» string. If the native Telegram app isn't used on the infected workstation (and no browser session or cached web page explains the hit), it's a «red flag» of a Telegram RAT process presence.

image

Ok, let's do another search for the «telepot» string. Telepot is a Python module for the Telegram Bot API, and it is the module most commonly used in Telegram RATs.

image
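The two hex-viewer searches above can be scripted so that the whole dump is swept for both indicators at once, in ASCII and in UTF-16LE (the encoding Windows processes usually keep their strings in, so an ASCII-only search in a hex viewer can miss them). The following Python script is an added example, not code from the original post or from any tool it mentions; SAMPLE_DUMP is a constructed stand-in for a RAM capture, and demo() only writes it to a temporary file so that the chunked file scanner can be exercised offline.

```python
import os
import re
import tempfile

# Indicator strings the article searches for by hand in FTK Imager.
INDICATORS = ("telegram.org", "telepot")


def build_patterns(indicators=INDICATORS):
    """Compile one case-insensitive regex per indicator, for ASCII and for
    UTF-16LE (each character followed by a NUL byte), as bytes patterns."""
    patterns = []
    for ind in indicators:
        patterns.append((ind, "ascii", re.compile(re.escape(ind.encode("ascii")), re.IGNORECASE)))
        patterns.append((ind, "utf-16le", re.compile(re.escape(ind.encode("utf-16-le")), re.IGNORECASE)))
    return patterns


def _printable(text):
    return "".join(c if c.isprintable() else "." for c in text)


def scan_bytes(data, base_offset=0, patterns=None, context=24):
    """Return every indicator hit in `data` as a dict with its absolute offset,
    encoding and a short decoded context window around the match."""
    patterns = patterns or build_patterns()
    hits = []
    for ind, enc, pat in patterns:
        for m in pat.finditer(data):
            start, end = m.start(), m.end()
            if enc == "utf-16le":
                # keep the window 2-byte aligned so the decode stays in step
                cs = start - 2 * (context // 2)
                cs = cs if cs >= 0 else start % 2
                window = data[cs:end + 2 * (context // 2)].decode("utf-16-le", errors="replace")
            else:
                window = data[max(0, start - context):end + context].decode("ascii", errors="replace")
            hits.append({"offset": base_offset + start, "indicator": ind,
                         "encoding": enc, "context": _printable(window)})
    hits.sort(key=lambda h: (h["offset"], h["encoding"]))
    return hits


def scan_file(path, chunk_size=64 * 1024 * 1024, patterns=None):
    """Scan a RAM dump of any size in chunks. The tail carried between chunks
    is longer than the longest pattern, so a hit split across a chunk boundary
    is still found (its context window may be clipped at the chunk edge)."""
    patterns = patterns or build_patterns()
    overlap = 2 * max(len(ind) for ind, _, _ in patterns)  # UTF-16LE doubles the byte length
    seen, hits = set(), []
    tail, offset = b"", 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            data = tail + chunk
            for h in scan_bytes(data, offset - len(tail), patterns):
                key = (h["offset"], h["encoding"], h["indicator"])
                if key not in seen:  # a hit inside the overlap is reported twice
                    seen.add(key)
                    hits.append(h)
            offset += len(chunk)
            tail = data[-overlap:]
    hits.sort(key=lambda h: (h["offset"], h["encoding"]))
    return hits


# Constructed stand-in for a memory dump: filler bytes around one ASCII Bot API
# URL and one UTF-16LE import line, roughly as they would sit in a Python heap.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"MZ\x90\x00" + b"\x00" * 60
    + b"https://api.telegram.org/bot123:ABC/getUpdates\x00"
    + b"\xff" * 100
    + "import telepot\r\n".encode("utf-16-le")
    + b"\x00" * 64
)


def demo(chunk_size=50):
    """Write the sample to a temp file and scan it with a deliberately tiny
    chunk size so the boundary handling in scan_file is exercised."""
    with tempfile.NamedTemporaryFile(suffix=".mem", delete=False) as f:
        f.write(SAMPLE_DUMP)
        path = f.name
    try:
        return scan_file(path, chunk_size=chunk_size)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for h in demo():
        print(f"{h['offset']:#010x} {h['encoding']:8} {h['indicator']:12} | {h['context']}")
```

Point scan_file() at the .mem file Belkasoft Live RAM Capturer wrote and grep the output for the process you expect to own each hit; add further indicators (the bot token prefix, the RAT's command names) to INDICATORS once you know them from the first pass.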

So, now you see it's not a big deal, especially when you know which tool is more appropriate for the task.

In Russia the whole *.telegram.org domain zone is restricted by Roskomnadzor, and Telegram often uses a proxy or VPN to connect to the server side. But we can still detect DNS requests from the workstation of interest for *.telegram.org names, one more «red flag» for us.

Here is a traffic sample I captured with Wireshark:

image
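The DNS «red flag» above can be checked automatically against captured DNS query payloads (for example the UDP payloads of the DNS packets from a Wireshark capture) instead of reading them off the packet list. The following Python script is an added example, not part of the original post: it decodes the question name from raw DNS messages, matches the *.telegram.org zone by label suffix so that look-alike names do not fire, and skips responses. The messages in SAMPLE_TRAFFIC are constructed with the script's own build_message() helper rather than taken from a real capture.

```python
import struct

# The zone the article watches for: Roskomnadzor blocks *.telegram.org, so a
# workstation that still resolves names in it deserves a look.
WATCH_SUFFIXES = ("telegram.org",)


def encode_qname(name):
    """Wire-format a domain name as length-prefixed labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_message(name, qtype=1, txid=0x1234, flags=0x0100):
    """Construct a minimal DNS message with one question. Used only to build
    the constructed sample traffic below; real input comes from a capture."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)


def decode_qname(msg, offset):
    """Read a name at `offset`. Follows compression pointers (0xC0..) so it
    also works on names in responses, and bails out on pointer loops.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if (length & 0xC0) == 0xC0:
            ptr = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii").lower())
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_question(msg):
    """Return txid, response flag, qname and qtype of the first question."""
    txid, flags, qdcount = struct.unpack(">HHH", msg[:6])
    if qdcount == 0:
        return None
    qname, off = decode_qname(msg, 12)
    qtype, _qclass = struct.unpack(">HH", msg[off:off + 4])
    return {"txid": txid, "response": bool(flags & 0x8000), "qname": qname, "qtype": qtype}


def is_watched(name, suffixes=WATCH_SUFFIXES):
    """True for the zone apex and any subdomain, but not for look-alikes
    such as nottelegram.org or telegram.org.evil.example."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def flag_queries(messages):
    """Names queried (responses ignored) from the watched zone, in capture order."""
    flagged = []
    for msg in messages:
        q = parse_question(msg)
        if q and not q["response"] and is_watched(q["qname"]):
            flagged.append(q["qname"])
    return flagged


# Constructed sample traffic: a RAT's Bot API polling next to ordinary
# browsing, the resolver's response, and two look-alike names that must not fire.
SAMPLE_TRAFFIC = [
    build_message("api.telegram.org"),
    build_message("www.microsoft.com"),
    build_message("api.telegram.org", flags=0x8180),  # the server's response
    build_message("core.telegram.org."),
    build_message("nottelegram.org"),
    build_message("telegram.org.evil.example"),
    build_message("telegram.org", qtype=28),          # AAAA
]

if __name__ == "__main__":
    for name in flag_queries(SAMPLE_TRAFFIC):
        print("red flag: DNS query for", name)
```

Feed it the DNS payloads from the capture (or the QNAME column of a resolver log, via is_watched() alone) and pair every flagged name with the source port and timestamp so the query can be tied back to a process on the workstation.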

And last but not least, Telegram RAT traces on the filesystem (NTFS here). As I mentioned in the 1st part of my article, the best way to deploy a Python-based Telegram RAT as a single file is to compile all files with pyinstaller.

After the .exe file is executed, a lot of Python files (modules, libraries, etc.) are extracted (a PyInstaller one-file build unpacks them into a temporary _MEI* directory under the user's %TEMP%), and we can find this activity in $MFT.

Yes, there is a free and lightweight tool to extract $MFT (and other forensically sound artifacts) from a LIVE system: forecopy_handy. It's not a brand-new tool, but it's still useful for some computer forensics tasks.

Well, we can extract $MFT and, as you see, we also get the system registry, event logs, prefetch, etc.

image

Now, let's find the traces we are looking for. We parse $MFT with MFTECmd:

image

And here is the typical filesystem activity for a Telegram RAT: a lot of .pyd files and Python libraries:

image
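The pattern above, many .pyd files and Python libraries created within seconds of each other in one directory, can be pulled out of MFTECmd's CSV output with a short script instead of scrolling through the listing. The Python below is an added example, not code from the post or from MFTECmd; the column names it reads (ParentPath, FileName, Extension, Created0x10) and the timestamp layout are assumptions about the CSV export, and SAMPLE_MFT_CSV is constructed, with a PyInstaller _MEI* unpack placed next to a legitimate Python installation so that the location-based severity can be seen to separate the two.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions a PyInstaller one-file build drops when it unpacks itself.
UNPACK_EXTS = {".pyd", ".dll", ".pyz"}

# Constructed sample in the shape of an MFTECmd CSV export. The column names
# and the 7-digit fractional timestamps are assumptions about that format;
# adjust them to whatever your own export shows.
SAMPLE_MFT_CSV = r"""EntryNumber,ParentPath,FileName,Extension,Created0x10
41001,.\Users\victim\AppData\Local\Temp\_MEI48962,python37.dll,.dll,2019-10-03 09:14:02.1234567
41002,.\Users\victim\AppData\Local\Temp\_MEI48962,base_library.zip,.zip,2019-10-03 09:14:02.2234567
41003,.\Users\victim\AppData\Local\Temp\_MEI48962,_ssl.pyd,.pyd,2019-10-03 09:14:02.4234567
41004,.\Users\victim\AppData\Local\Temp\_MEI48962,_socket.pyd,.pyd,2019-10-03 09:14:02.5234567
41005,.\Users\victim\AppData\Local\Temp\_MEI48962,_ctypes.pyd,.pyd,2019-10-03 09:14:02.7234567
41006,.\Users\victim\AppData\Local\Temp\_MEI48962,select.pyd,.pyd,2019-10-03 09:14:03.0234567
41007,.\Users\victim\AppData\Local\Temp\_MEI48962,libcrypto-1_1.dll,.dll,2019-10-03 09:14:03.1234567
41008,.\Users\victim\AppData\Local\Temp\_MEI48962,update.exe.manifest,.manifest,2019-10-03 09:14:03.2234567
12001,.\Python37\DLLs,_ssl.pyd,.pyd,2019-03-25 14:02:11.0000000
12002,.\Python37\DLLs,_socket.pyd,.pyd,2019-03-25 14:02:11.0000000
12003,.\Python37\DLLs,select.pyd,.pyd,2019-03-25 14:02:11.0000000
12004,.\Python37\DLLs,_ctypes.pyd,.pyd,2019-03-25 14:02:12.0000000
12005,.\Python37\DLLs,_hashlib.pyd,.pyd,2019-03-25 14:02:12.0000000
7001,.\Windows\System32,ntdll.dll,.dll,2019-09-10 03:00:00.0000000
7002,.\Windows\System32,kernel32.dll,.dll,2019-09-10 03:00:00.0000000
"""


def parse_ts(text):
    """The export is assumed to carry 7 fractional digits; %f takes at most 6."""
    head, _, frac = text.partition(".")
    return datetime.strptime(f"{head}.{(frac or '0')[:6]}", "%Y-%m-%d %H:%M:%S.%f")


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def load_file(path):
    with open(path, newline="", encoding="utf-8-sig") as f:  # tolerate a BOM
        return list(csv.DictReader(f))


def find_unpack_bursts(rows, window=timedelta(seconds=60), min_files=4):
    """Per directory, find the densest run of .pyd/.dll/.pyz creations inside
    `window`. A run in a temp/_MEI location is rated high; the same run in an
    ordinary install directory is kept but rated low, since a Python setup
    looks identical on the timeline and only the location tells them apart."""
    by_dir = defaultdict(list)
    for r in rows:
        if r["Extension"].lower() in UNPACK_EXTS:
            by_dir[r["ParentPath"]].append((parse_ts(r["Created0x10"]), r["FileName"]))
    findings = []
    for path, items in by_dir.items():
        items.sort()
        best, j = (0, 0, 0), 0
        for i in range(len(items)):          # sliding window over sorted times
            while items[i][0] - items[j][0] > window:
                j += 1
            if i - j + 1 > best[0]:
                best = (i - j + 1, j, i)
        count, j, i = best
        pyd = [n for _, n in items[j:i + 1] if n.lower().endswith(".pyd")]
        if count < min_files or not pyd:
            continue
        low = path.lower()
        suspicious = "\\_mei" in low or "\\temp\\" in low or "\\appdata\\" in low
        findings.append({"dir": path, "files": count, "pyd": len(pyd),
                         "first": items[j][0], "last": items[i][0],
                         "severity": "high" if suspicious else "low",
                         "examples": pyd[:3]})
    findings.sort(key=lambda f: (f["severity"] != "high", f["dir"]))
    return findings


if __name__ == "__main__":
    for f in find_unpack_bursts(load_rows(SAMPLE_MFT_CSV)):
        print(f"[{f['severity']}] {f['dir']}: {f['files']} files ({f['pyd']} .pyd) "
              f"between {f['first']} and {f['last']}, e.g. {', '.join(f['examples'])}")
```

Run find_unpack_bursts(load_file("mft.csv")) on the real export; the "first" timestamp of a high-severity hit is the execution time of the dropper and lines up with the prefetch entry and the first DNS request to api.telegram.org.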

I think that should be enough to detect a Telegram-based RAT now, guys :)

Translated from: https://habr.com/en/post/470095/
