It has been almost three months since I last wrote an article; I have been very busy. In those three months I have worked about five or six HW engagements (attack-and-defense exercises). I am exhausted, but I have also learned a lot. I originally had many points and techniques I wanted to write about, but now there are so many that I no longer know where to start.
Then I looked back through my study notes and found something interesting, so I decided to share it with everyone for a laugh.
Here's what happened: on one of those engagements I was on the night-shift blue team, and in the middle of the night a colleague from the red team sent me a file.
It was said to be an AV-bypass tool shared by someone in a red team chat group. Because it turned up in the middle of an exercise there were some doubts about it, but a convenient tool was genuinely wanted, so it was thrown to me to look at.
First I ran it through PEiD, which reported nothing, which made me a little nervous. I kept asking colleagues whether they had any background on it, and what they told me made me even more nervous.
What a strange way to distribute a tool; it sounded suspicious.
Then I dug through my toolkit for something else I could use and found ExeinfoPe, which I used to investigate further.
OK, it is a Python program bundled into an executable, which is even more problematic: I have never seen an AV-bypass tool written in Python and then packed.
Let's try it in a sandbox.
Overall the sandbox flagged nothing, but one item was highlighted under dropped files, and when I looked closely that is where the problem was.
The first one, if I remember correctly, was a VC runtime library. The problem is that the dependencies of regular software are usually already installed on the system; I have never heard of software that drops its own dependency files at runtime. (To be fair, one-file Python bundlers such as PyInstaller do unpack their bundled DLLs and extension modules into a temporary directory on every run, so on its own this is a weak indicator; it is the combination with what follows that matters.)
The second one was two Python modules, socket and ssl. Both are very common and are not a problem in themselves, but an AV-bypass tool has no business doing network operations, so these two looked quite strange.
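To make concrete what ExeinfoPe and the sandbox's dropped-file list were reacting to, here is an added example (my code, not anything from the original post, and not a real PyInstaller parser) that locates the cookie a PyInstaller one-file executable carries at the end of its overlay, walks the archive's table of contents, and lists the bundled binaries that get unpacked to a temporary directory at run time. The cookie and TOC entry layouts are the documented PyInstaller formats; the sample archive is constructed inline, and the prefix lists used for the "network" and "loader" buckets are my own triage choice.

```python
import struct

# Cookie the PyInstaller bootloader looks for at the end of a one-file exe.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# magic, package length, TOC offset, TOC length, python version, python lib name
COOKIE_FMT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)            # 88 bytes
# entry length, data offset, compressed size, uncompressed size, compression flag, type code
TOC_ENTRY_FMT = "!iIIIBc"
TOC_ENTRY_SIZE = struct.calcsize(TOC_ENTRY_FMT)      # 18 bytes

# Triage buckets (my own choice, not a PyInstaller concept). A tool that should never
# touch the network has no reason to ship these; ctypes is how a Python loader usually
# reaches VirtualAlloc/CreateThread.
RUNTIME_PREFIXES = ("vcruntime", "msvcp", "python")
NETWORK_PREFIXES = ("_socket", "_ssl", "libssl", "libcrypto")
LOADER_PREFIXES = ("_ctypes",)


def parse_pyinstaller_archive(blob: bytes):
    """Find the PyInstaller cookie in an exe image and return its TOC, or None if absent."""
    pos = blob.rfind(PYINST_MAGIC)
    if pos < 0:
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[pos:pos + COOKIE_SIZE])
    # pkg_len covers everything from the archive start up to and including the cookie.
    archive_start = pos + COOKIE_SIZE - pkg_len
    toc = blob[archive_start + toc_off:archive_start + toc_off + toc_len]
    entries = []
    i = 0
    while i + TOC_ENTRY_SIZE <= len(toc):
        entry_len, _off, _clen, _ulen, _cflag, typecode = struct.unpack(
            TOC_ENTRY_FMT, toc[i:i + TOC_ENTRY_SIZE])
        if entry_len <= 0:
            break
        name = toc[i + TOC_ENTRY_SIZE:i + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append((name, typecode.decode("ascii", "replace")))
        i += entry_len
    return {
        "python_version": f"{pyver // 100}.{pyver % 100}",   # stored as major*100 + minor
        "python_lib": pylib.rstrip(b"\0").decode("utf-8", "replace"),
        "entries": entries,
    }


def triage(entries):
    """Bucket the bundled binaries ('b' entries) the way a dropped-file listing surfaces them."""
    names = [n for n, t in entries if t == "b"]
    return {
        "runtime_dlls": sorted(n for n in names if n.lower().startswith(RUNTIME_PREFIXES)),
        "network": sorted(n for n in names if n.lower().startswith(NETWORK_PREFIXES)),
        "loader": sorted(n for n in names if n.lower().startswith(LOADER_PREFIXES)),
    }


def build_sample_bundle(entries):
    """Constructed test data: a minimal PyInstaller-style archive, not real PyInstaller output."""
    data, toc = b"", b""
    for name, typecode in entries:
        payload = b"\0" * 4                      # placeholder file contents
        name_b = name.encode() + b"\0"
        entry_len = TOC_ENTRY_SIZE + len(name_b)
        pad = (16 - entry_len % 16) % 16         # entries are padded to 16 bytes
        toc += struct.pack(TOC_ENTRY_FMT, entry_len + pad, len(data), len(payload),
                           len(payload), 0, typecode.encode()) + name_b + b"\0" * pad
        data += payload
    body = data + toc
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, len(body) + COOKIE_SIZE, len(data),
                         len(toc), 310, b"python310.dll".ljust(64, b"\0"))
    return b"MZ" + b"\0" * 62 + body + cookie     # fake PE stub in front, as in a real exe


# Constructed TOC resembling what a small Python GUI tool with networking would bundle.
SAMPLE_ENTRIES = [
    ("pyi-bootloader-ignore-signals", "o"), ("struct", "m"), ("pyimod01_archive", "m"),
    ("python310.dll", "b"), ("VCRUNTIME140.dll", "b"), ("_socket.pyd", "b"),
    ("_ssl.pyd", "b"), ("libssl-1_1.dll", "b"), ("libcrypto-1_1.dll", "b"),
    ("_ctypes.pyd", "b"), ("bypass_tool", "s"), ("PYZ-00.pyz", "z"),
]
SAMPLE_EXE = build_sample_bundle(SAMPLE_ENTRIES)

if __name__ == "__main__":
    info = parse_pyinstaller_archive(SAMPLE_EXE)
    print("python", info["python_version"], info["python_lib"])
    for bucket, names in triage(info["entries"]).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

On a real sample, read the exe with `open(path, "rb").read()` and pass it in; the entry names are the same strings the sandbox shows as dropped files, and the main script ('s' entry) plus `PYZ-00.pyz` are what you decompile next. The runtime DLLs alone prove only "this is a PyInstaller bundle"; the network and loader buckets are what turn a packed GUI into a suspicious one.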
With the above evidence it was highly likely that this "bypass tool" was malicious. Practice is the sole criterion for testing truth, so I ran it in a virtual machine for final confirmation.
I spun up a virtual machine with the network disconnected, to keep any stray worm from spreading. As it turned out, disconnecting the network became the highlight of this article (laughs).
After dropping it into the VM I double-clicked it several times, but no GUI appeared, so I switched to running it from a command prompt. At that point the double-clicks from before I opened the prompt took effect.
It looked like it was working, but then an error popped up.
Hahaha, this is funny. The exception occurred because the tool requested a txt file over the network, and since I had disconnected the network the connection threw an exception.
Let's visit the website: it is the PeiQi vulnerability library, which basically confirms the author is an industry insider. Let's also fetch that txt file.
A pile of strings; decode them with base64.
It is 99% likely to be shellcode: a remote, separated loader, where the exe carries no payload of its own and only fetches and runs one hosted elsewhere. Off to the red team group it went. This blue team brother caught a nice fish.
Analyzing the shellcode is too much work; let's just check the IP.
ThreatBook (微步) had captured a sample; click the sample link to view it.
Found a teamserver.
And with that the whole analysis is complete.
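Once the txt file is in hand, the quick check is to decode it and look at the first bytes rather than stopping at "a pile of strings". The added example below is mine, not code from the original post: it base64-decodes the fetched text and reports the indicators that justify the "99% shellcode" call (a recognised position-independent-code prologue, high entropy, few printable bytes). The sample blob is constructed from the standard x64 Metasploit/Cobalt Strike stager prologue followed by deterministic filler; it is not the payload from the article.

```python
import base64
import math

# Well-known prologues of Metasploit/Cobalt Strike style position-independent shellcode.
#   x64: cld ; and rsp, -0x10 ; call <api-hash block>
#   x86: cld ; call <api-hash block>
KNOWN_PROLOGUES = {
    b"\xfc\x48\x83\xe4\xf0\xe8": "x64 (cld; and rsp,-0x10; call)",
    b"\xfc\xe8": "x86 (cld; call)",
}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; compressed/encrypted/native code sits well above text (~4-5)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_remote_blob(text: str):
    """Decode a fetched text blob as base64 and return shellcode indicators.

    Returns None when the text is not valid base64 (so it was not the staging file at all).
    """
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if not raw:
        return None
    prologue = next((label for prefix, label in KNOWN_PROLOGUES.items()
                     if raw.startswith(prefix)), None)
    entropy = shannon_entropy(raw)
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    # Prologue match is strong evidence; entropy/printable ratio alone is only a hint,
    # because encrypted shellcode has no recognisable prologue but looks the same statistically.
    if prologue or (entropy > 6.0 and printable < 0.3):
        verdict = "likely shellcode"
    else:
        verdict = "inconclusive"
    return {
        "size": len(raw),
        "entropy": round(entropy, 2),
        "printable_ratio": round(printable, 2),
        "prologue": prologue,
        "verdict": verdict,
    }


# Constructed sample: the standard x64 API-hashing stager prologue, then filler bytes
# (NOT the payload from the article, which was never published here).
SAMPLE_SHELLCODE = bytes.fromhex(
    "fc4883e4f0e8c0000000415141505251564831d265488b5260488b5218488b5220"
    "488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed5241"
) + bytes((i * 37 + 11) & 0xFF for i in range(200))
SAMPLE_B64 = base64.b64encode(SAMPLE_SHELLCODE).decode()

# Constructed benign comparison: a plain text file encoded the same way.
BENIGN_B64 = base64.b64encode(b"hello, this is just a config file\n").decode()

if __name__ == "__main__":
    print(inspect_remote_blob(SAMPLE_B64))
    print(inspect_remote_blob(BENIGN_B64))
```

Two practical notes. First, the prologue table covers unencrypted stagers; a loader that XORs or AES-wraps its payload will show only the entropy signal, and the decryption routine then lives in the Python script you decompile from the bundle. Second, fetching a staging URL from your own machine tells whoever operates it that someone is looking, so pull it from a throwaway host if you pull it at all.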
Summary:
This is a phishing countermeasure aimed at the red team, built by an industry insider with red team experience. They used Python to build a GUI; when a user opens the tool, it pulls the contents of a txt file from 65.49.., base64-decodes it into shellcode, and loads that in memory, which connects back to the control server at 18.179.**.42. Because the payload is separated from the loader, and because the tool is itself a "risky" category of software that users expect to trip alarms, the chance of getting past antivirus is not low; it even got past sandbox detection to some extent (of course, the file itself is just a loader).
The whole operation is actually very well done; the only failure is the exception handling, which was sloppy enough that a network error exposed it.
Aside: I really have been very busy recently, which is why writing was delayed for so long. But that is fine; after all, I have always considered myself an annual-update author. The AI patent is still going through the review process, and I don't know whether it will pass. I have some new ideas recently and want to try whether a privately deployed large language model can be made profitable. I am still researching various technical points, and I will stop updating completely once I achieve financial freedom (ironic).