一、概述
近期,天穹沙箱团队在日常样本分析工作中收到用户反馈的内网攻击样本,发现其具备高度复杂的攻击链,并且使用了极具隐蔽性的 C&C 通信方式,以下将详细拆解样本初始伪装、内存解密以及隐蔽通信的完整过程。
二、样本信息
- 样本名: OneDrive.exe
- SHA1: e31b0a79ab7d95542d2adff12bd4a322d8c0b036
- 文件类型: EXE
- 文件大小: 24.60 MB (25789952 bytes)
- 报告链接: 天穹沙箱分析报告
三、样本分析
阶段一:初始伪装
该样本源码基于著名 PDF 阅读器 SumatraPDF 二次开发,用以伪装成正常的 OneDrive 客户端程序,诱骗用户下载并执行。样本启动后,首先会释放 soc.exe 和 OneDrive.dll 两个文件。其中 soc.exe 是具备 Kaspersky Lab 合法签名的白工具,OneDrive.dll 为正常无签名 OneDrive 组件,样本利用该工具执行以下命令将伪装的 OneDrive 组件注册为系统服务,进一步混淆视听。
1
| soc.exe run run-cmd cmd.exe /c regsvr32.exe /s C:\Users\lichao\AppData\Local\OneDrive.dll
|
阶段二:内存解密
随后,内存解密并执行长度为 5,489,897 字节的 shellcode,其核心功能是内存加载一个使用 UPX 打包压缩的 PE 文件,全程避免在磁盘留下可执行文件痕迹。
阶段三:隐蔽通信
在内存中展开运行的 payload 是使用 golang 开发的 RAT 木马。该木马的 C&C 通信方式极度隐蔽,采用 DNS over HTTPS(DoH) 协议进行通信,将指令与数据隐藏在正常的 HTTPS 流量中,通过与 dns.alidns.com 的通信过程掩盖真实的通信流量。
注: 被加载的内存 PE 需要加载至预期基址 0x400000,否则会出现重定位问题,loader 阶段若尝试分配 0x400000 地址失败,会二次分配任意地址,但基于任意地址的后续解密执行操作均会导致样本运行时崩溃。
四、流量解密
样本利用 DoH 协议的隐蔽特性与 C&C 服务器进行通信,发送加密指令并接收响应,从而实现远程控制与数据窃取等恶意行为。天穹沙箱凭借其深度流量解密能力,成功捕获并解析了该样本的 DoH 通信流量,提取了其中的指令与数据。
提取的指令控制域名如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
| eq5q2qfyosi3y5zlbcsv2b22y5fcacaabtaaaaaaaaaaaaaaaaaaeqaaaaakaa.aaa2c4ojogmcqaaaagqxdslrt.ns1.famc[.]clinic
neq5q2qfyosi3y2lylucv2b22y5fcacaaa4acaaaaaaaaaaaaaaaaeqaaaaakaa.aaa2c4ojogmcqaaaagqxdslrt.ns1.famc[.]clinic
neq5q2qfyosi32f2x54uvo53z7iq.ns1.famc[.]clinic
neq5q2qfyosi32aclpmjz6w24jrq.ns1.famc[.]clinic
neq5q2qfyosi3y4qtq7br2b22y5feab7abu6kgyaaaaaaaabaaaaaaaaaaaa.ns1.famc[.]clinic
neq5q2qfyosi3y7x7dnrr2b22y5feab7acqoigyaaaaaaaabaaaaaaaaaaaa.ns1.famc[.]clinic
neq5q2qfyosi3y5brimtr2b22y5fcacaad7qgaaaaeaaaaabaaaaaiaaaaadaob.xhaytozdggq4diyjugjstmmrvmu3wkmjygi4damrrg5tdkmq.ns1.famc[.]clinic
neq5q2qfyosi32cs3dybnrd5pyba.ns1.famc[.]clinic
neq5q2qfyosi32hvdjv5qzr6voga.ns1.famc[.]clinic
neq5q2qfyosi32fw3wrsxgr7z2uq.ns1.famc[.]clinic
neq5q2qfyosi32bpnzrtuwlip4ka.ns1.famc[.]clinic
neq5q2qfyosi32du7t6lii7uskcq.ns1.famc[.]clinic
neq5q2qfyosi32gva5kaxpcjmaoq.ns1.famc[.]clinic
neq5q2qfyosi32an32ijnslsnaoa.ns1.famc[.]clinic
32gim4decfwhlyzvqnwsvpb452wvcacaaajdwaaaaaaaaaaaaaaaaeqaaaaakaa.aaa2c4ojogmcqaaaagqxdslrt.ns1.famc[.]clinic
32gim4decfwhly5a7rdsvpb452wvcacaadntwaaaaaaaaaaaaaaaaeqaaaaakaa.aaa2c4ojogmcqaaaagqxdslrt.ns1.famc[.]clinic
32gim4decfwhly3qm2esvpb452wvcacaabxd2aaaaaaaaaaaaaaaaeqaaaaakaa.aaa2c4ojogmcqaaaagqxdslrt.ns1.famc[.]clinic
32gim4decfwhl2amwqwzue47yrsa.ns1.famc[.]clinic
32gim4decfwhly3lei4rrpb452wveab7aavr6haaaaaaaaabaaaaaaaaaaaa.ns1.famc[.]clinic
32gim4decfwhly34psvbrpb452wveab7abrb4haaaaaaaaabaaaaaaaaaaaa.ns1.famc[.]clinic
32gim4decfwhly3kpxttrpb452wvcacaaczt2aaaaeaaaaabaaaaaiaaaaadaob.xhaytozdggq4diyjugjstmmrvmu3wkmjygi4damrrg5tdkmq.ns1.famc[.]clinic
32gim4decfwhl2fiuirqx2aqsnga.ns1.famc[.]clinic
32gim4decfwhly2m7jtdrpb452wvcacaaced4aaaaeaaaaabaaaaaiaaaaadaob.xhaytozdggq4diyjugjstmmrvmu3wkmjygi4damrrg5tdkmq.ns1.famc[.]clinic
32gim4decfwhl2enlrqzt46szj5q.ns1.famc[.]clinic
32gim4decfwhl2c7znun7d7p37wa.ns1.famc[.]clinic
32gim4decfwhl2h5b2lq7bby67ca.ns1.famc[.]clinic
32gim4decfwhl2dmrf3ojd2bcatq.ns1.famc[.]clinic
neq5q2qfyosi32cqul2tbhor3xvq.ns1.famc[.]clinic
neq5q2qfyosi32cv5g7wa6aqrfpa.ns1.famc[.]clinic
neq5q2qfyosi3y34twbbr2b22y5feab7adrrihaaaeaaaaacaaaaaaaaaaaa.ns1.famc[.]clinic
32gim4decfwhl2hvchqewmcgaqma.ns1.famc[.]clinic
neq5q2qfyosi32ags5vfoerlvyta.ns1.famc[.]clinic
32gim4decfwhl2ge6wny4q26qd3a.ns1.famc[.]clinic
neq5q2qfyosi32ccqqv6n7gkq7cq.ns1.famc[.]clinic
32gim4decfwhl2htmqegbpgn2nka.ns1.famc[.]clinic
neq5q2qfyosi32gpuxu6fa6ymiyq.ns1.famc[.]clinic
32gim4decfwhl2eqdkkwxna3nniq.ns1.famc[.]clinic
32gim4decfwhl2dyyxxl3inypieq.ns1.famc[.]clinic
32gim4decfwhly5uadmbrpb452wveab7acmechaaaeaaaaacaaaaaaaaaaaa.ns1.famc[.]clinic
32gim4decfwhly3nc4jbrpb452wveab7acgtghaaaeaaaaacaaaaaaaaaaaa.ns1.famc[.]clinic
32gim4decfwhly7rgt2brpb452wveab7adsdkhaaaeaaaaacaaaaaaaaaaaa.ns1.famc[.]clinic
32gim4decfwhly24owyrrpb452wveab7acjtuhaaaeaaaaacaaaaaaaaaaaa.ns1.famc[.]clinic
32gim4decfwhlyynveibzpb452wvcacaaawwaaaaaiaaaaacaaaaabaaaaagg33.omy.ns1.famc[.]clinic
neq5q2qfyosi32d3vtrnwtjjtmhq.ns1.famc[.]clinic
32gim4decfwhl2bpe7xygqmcd2na.ns1.famc[.]clinic
32gim4decfwhl2di5pe3wemnat2q.ns1.famc[.]clinic
32gim4decfwhlyzfwkxrrpb452wveab7abluehaaaiaaaaadaaaaaaaaaaaa.ns1.famc[.]clinic
32gim4decfwhly3izbxbzpb452wvcacaabrweaaaayaaaaadaaaaabaaaaaceor.qpu.ns1.famc[.]clinic
32gim4decfwhly4b3ngilpb452wvcacaabrweaaaamaaaaadaaaaa3iaaaagg33.omzbqcaaapmreszbchiycyisjonbw63tomvrxiir2mzqwy43ffqrfmzlsnfthss.3fperduircfqrfi4bchirgi33ieiwceqlemrzceorceiwceutfnvqxe2zchirce.lbckn2gc5dvomrduztbnrzwklbcjrxwgylmjficeorcge.ns1.famc[.]clinic
32gim4decfwhly3zawgilpb452wvcacaabrweaaaaqaaaaadaaaaa3iaaaadalr.qfyzc4mjveiwcevltmvze4ylnmurduiseivjuwvcpkawuerrrgjgdar24lrwgsy.3imfxselbcjbxxg5comfwwkir2ejceku2lkrhvalkciyytetbqi4rcyismn5rwc.5djn5xceorceiwcet3tjzqw2zjchirho2lomrxxo427me.ns1.famc[.]clinic
32gim4decfwhly425nkilpb452wvcacaabrweaaaauaaaaadaaaaa3iaaaag2zb.wgqrcyisqojxwgzltonhgc3lfei5ce43dfzsxqzjopa3diltfpbsselbckbuw4z.2dnbswg22unfwwkir2gawcettpkn2g64tfei5gmylmonssyison5cgs43qnrqxs.ir2mzqwy43ffqre2ylyinxw43rchiycyison53ug33ony.ns1.famc[.]clinic
32gim4decfwhl2e35noabvsosmva.ns1.famc[.]clinic
32gim4decfwhl2hexenetephiupq.ns1.famc[.]clinic
32gim4decfwhly6luhmylpb452wvcacaacsgeaaaauaaaaadaaaaa3iaaaag2zb.wgqrcyisqojxwgzltonhgc3lfei5ce43dfzsxqzjopa3diltfpbsselbckbuw4z.2dnbswg22unfwwkir2gawcettpkn2g64tfei5gmylmonssyison5cgs43qnrqxs.ir2mzqwy43ffqre2ylyinxw43rchiycyison53ug33ony.ns1.famc[.]clinic
32gim4decfwhly6xhtvylpb452wvcacaacsgeaaaamaaaaadaaaaa3iaaaagg33.omzbqcaaapmreszbchiycyisjonbw63tomvrxiir2mzqwy43ffqrfmzlsnfthss.3fperduircfqrfi4bchirgi33ieiwceqlemrzceorceiwceutfnvqxe2zchirce.lbckn2gc5dvomrduztbnrzwklbcjrxwgylmjficeorcge.ns1.famc[.]clinic
32gim4decfwhl2besoytdrhshnrq.ns1.famc[.]clinic
32gim4decfwhl2hf3lmapgv2yona.ns1.famc[.]clinic
32gim4decfwhl2g62xepkxpr222q.ns1.famc[.]clinic
32gim4decfwhl2fbtmlauu6fdksq.ns1.famc[.]clinic
32gim4decfwhly3ycsmrrpb452wveab7adwuihaaamaaaaaeaaaaaaaaaaaa.ns1.famc[.]clinic
c3nunitkaul2ly5opqlsv4meijjfcacaaakggaaaaaaaaaaaaaaaaeqaaaaakaa.aaa2c4ojogmcqaaaagqxdslrt.ns1.famc[.]clinic
c3nunitkaul2l2enbvbklxtoyp7q.ns1.famc[.]clinic
c3nunitkaul2ly4gwtcrr4meijjfeab7adpukhaaaaaaaaabaaaaaaaaaaaa.ns1.famc[.]clinic
c3nunitkaul2ly73k3utr4meijjfcacaad2ggaaaaeaaaaabaaaaaiaaaaadooj.xgzswin3ehbrdcm3dgi4wcyruguzdmnrvmi3tqzbzgyzwimi.ns1.famc[.]clinic
c3nunitkaul2l2hcumpobkigdqsa.ns1.famc[.]clinic
c3nunitkaul2l2dtrzpj6imwig3q.ns1.famc[.]clinic
c3nunitkaul2l2f3myrz7o4ubguq.ns1.famc[.]clinic
c3nunitkaul2l2botmopmv7a3i2q.ns1.famc[.]clinic
c3nunitkaul2l2dqo7wcjpejtj6a.ns1.famc[.]clinic
neq5q2qfyosi32dt6po72rcwjn3q.ns1.famc[.]clinic
c3nunitkaul2l2bmrfketnugysba.ns1.famc[.]clinic
c3nunitkaul2l2dbm3xbziuxpqea.ns1.famc[.]clinic
c3nunitkaul2ly3mdzmbr4meijjfeab7ab6gehaaaeaaaaacaaaaaaaaaaaa.ns1.famc[.]clinic
c3nunitkaul2ly52obpbr4meijjfeab7acrfshaaaeaaaaacaaaaaaaaaaaa.ns1.famc[.]clinic
c3nunitkaul2ly5ubxqbr4meijjfeab7aa4vuhaaaeaaaaacaaaaaaaaaaaa.ns1.famc[.]clinic
c3nunitkaul2ly2fow5br4meijjfeab7abtvwhaaaeaaaaacaaaaaaaaaaaa.ns1.famc[.]clinic
c3nunitkaul2ly5c52qrr4meijjfeab7aawf2haaaeaaaaacaaaaaaaaaaaa.ns1.famc[.]clinic
c3nunitkaul2ly3hpi6br4meijjfeab7acev6haaaeaaaaacaaaaaaaaaaaa.ns1.famc[.]clinic
c3nunitkaul2lyyijovrz4meijjfcacaaahyeaaaaiaaaaacaaaaabaaaaag2yl.jny.ns1.famc[.]clinic
x5pcj5rx6umczy2swkxcuoklqfrvcacaaahyeaaaaaaaaaaaaaaaaeqaaaaakaa.aaa2c4ojogmcqaaaagqxdslrt.ns1.famc[.]clinic
c3nunitkaul2l2edu6qjytcww4tq.ns1.famc[.]clinic
x5pcj5rx6umcz2hwtnprspkqtuyq.ns1.famc[.]clinic
c3nunitkaul2l2gh7typqouglhbq.ns1.famc[.]clinic
x5pcj5rx6umcz2ehdzinxhziuwea.ns1.famc[.]clinic
x5pcj5rx6umcz2arevpw5sjwrniq.ns1.famc[.]clinic
x5pcj5rx6umczy2eig5rqoklqfrveab7acswkhaaaaaaaaabaaaaaaaaaaaa.ns1.famc[.]clinic
x5pcj5rx6umczyylce4bqoklqfrveab7adogihaaaaaaaaabaaaaaaaaaaaa.ns1.famc[.]clinic
x5pcj5rx6umczyzpgpzdqoklqfrvcacaadeiiaaaaeaaaaabaaaaaiaaaaadooj.xgzswin3ehbrdcm3dgi4wcyruguzdmnrvmi3tqzbzgyzwimi.ns1.famc[.]clinic
x5pcj5rx6umcz2aepgzyly3cb55a.ns1.famc[.]clinic
x5pcj5rx6umcz2emsbjitplu7ffa.ns1.famc[.]clinic
c3nunitkaul2l2bqv2xbchdfcc5q.ns1.famc[.]clinic
x5pcj5rx6umcz2fngfp7d2hre7ma.ns1.famc[.]clinic
|
截至发稿时,上述指令控制域名尚未注册,推测攻击者可能在后续阶段注册这些域名以继续进行攻击活动。
五、关于 DoH(DNS over HTTPS)协议
DNS over HTTPS(缩写:DoH)是一种经由 HTTPS 协议进行的远程域名系统(DNS)解析协议。该方法旨在防止网络中间人对 DNS 数据进行窃听和操纵,利用 HTTPS 协议加密 DoH 客户端和 DoH 服务器(递归解析器)之间的数据,以提高用户的隐私和安全性。
GET 方法报文
1
2
3
4
5
| :method = GET
:scheme = https
:authority = dnsserver.example.net
:path = /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
accept = application/dns-message
|
POST 方法报文
1
2
3
4
5
6
7
8
9
10
11
12
| :method = POST
:scheme = https
:authority = dnsserver.example.net
:path = /dns-query
accept = application/dns-message
content-type = application/dns-message
content-length = 33
<33 bytes represented by the following hex encoding>
00 00 01 00 00 01 00 00 00 00 00 00 03 77 77 77
07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
01
|
协议详情请参阅 RFC-8484 文档。
六、IOC
恶意文件(MD5)
1
2
3
| d807fa4935124f8695e47006e123aca8 OneDrive.exe
1aae5fcd62c5c6d5af8157638e236767 soc.exe
281a38a42b7a7601e9ccf394de9aa5f2 OneDrive.dll
|
恶意文件IOC
报告链接
分析报告:天穹沙箱分析报告
七、技术支持与反馈
星图实验室深耕沙箱分析技术多年,致力于让沙箱更好用、更智能。做地表最强的动态分析沙箱,为每个样本分析人员提供便捷易用的分析工具,始终是我们追求的目标。各位同学在使用过程中有任何问题,欢迎联系我们。
