autorun上看到一个3月15日新捕获的lummerstealer，简要分析一下

该样本有混淆，大致逻辑是将bss段的shellcode解密后，注入到MSBuild.exe中，所以着重分析一下shellcode，shellcode也被混淆了，功能大致分为3块

1.窃取应用数据信息

首先会连接C2，接收数据为加解密因子，内存中解出一份json数据

{"v":4,
"se":true,
"ad":false,
"vm":false,
"ex":[  //浏览器扩展
    {"en":"ejbalbakoplchlghecdalmeeeajnimhm","ez":"MetaMask"},
    {"en":"aeblfdkhhhdcdjpifhhbdiojplfjncoa","ez":"1Password"},
    {"en":"pioclpoplcdbaefihamjohnefbikjilc","ez":"Evernote"},
    {"en":"dngmlblcodfobpdpecaadgfbcggfjfnm","ez":"MultiversX Wallet"},
    {"en":"kppfdiipphfccemcignhifpjkapfbihd","ez":"ForniterWallet"}  ...
     
],
"mx":[
{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}
],
"c":[  //查找应用与对应路径
{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},
{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\WalletWasabi\\Client\\Wallets","m":["*"],"z":"Wallets/Wasabi","d":0,"fs":20971520},{"t":1,"p":"%localappdata%\\Google\\Chrome\\User Data","z":"Chrome","f":"Google Chrome","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Google\\Chrome Beta\\User Data","z":"Chrome Beta","f":"Google Chrome Beta","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Opera Software\\Opera Neon\\User Data","z":"Opera Neon"},{"t":1,"p":"%appdata%\\Opera Software\\Opera GX Stable","z":"Opera GX Stable","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Microsoft\\Edge\\User Data","z":"Edge","f":"Microsoft Edge","n":"msedge.exe","l":"msedge.dll"}
    ...
]
}

解析后，按照json中，逐一遍历路径，如果存在目标文件，通过天堂之门（32位程序手动通过WOW64，执行64位系统调用）技术，查询文件信息，读取文件内容，然后经过一系列处理，发回C2。
其中WOW64系统调用时，传入的系统调用号可能是形如0x33(打开文件)，0x11（查询文件信息）这种，也可能是0x1a0006（读取文件）、0x3000f（关闭句柄）这种，需要拆开来看，前16位，是给WOW64用的，wow64根据前16位，跳转到对应的系统调用处理函数。而后16位给内核用的，系统调用进入内核后，根据后16位，找到对应的服务描述符表，执行对应函数。

2.窃取浏览器cookie

shellcode会创建msedge.exe进程

1	`"C:\Program Files(x86)\Microsoft\Edge\Application\msedge.exe"` `--profile-directory="Default"` `--remote-debugging-port=9223`

利用远程调试的方式获取cookie信息

经过websocket握手后，shellcode会发送
{"id":1,"method":"Storage.getCookies"}
msedge会回复一系列cookie信息
{"id":1,"result":{"cookies":
    [
    {"name":"pglt-edgeChromium-dhp","value":"547","
    {"name":"_C_Auth","value":"","domain":"ntp.msn.
    {"name":"USRLOC","value":"","domain":".msn.cn",
                   ...

3.其他信息

例如硬件信息、杀软信息、用户名等计算机信息会通过WMI的select语句查询，
此外还会获取剪贴板、截屏等信息

C2:
pistolpra.bet
weaponwo.life
armamenti.world
selfdefens.bet
targett.top
caliberc.today
loadoutle.life

sha1: 4130B70A8300FB43C040726E3D02341639E323B7

最后于 7小时前被mb_jonavsjj编辑，原因：

更多【软件逆向-lummerstealer分析】相关视频教程：www.yxfzedu.com

软件逆向-lummerstealer分析

1.窃取应用数据信息

2.窃取浏览器cookie

3.其他信息

相关文章推荐

Markdown Editor

友情链接

课程目录

技术交流QQ群