Example analysis of WvEWjQ22.hta Trojan rebound shell sample

王林
Release: 2023-05-23 11:28:24

I Summary

The customer called me that night saying he had found a suspected attack and asked me to do emergency response and tracing. Somewhat reluctantly, I got up, picked up my notebook and went to handle it. Preliminary analysis showed that WvEWjQ22.hta had launched a powershell process. Deeper analysis showed the traffic was Base64-encoded twice and Gzip-encoded once; reverse analysis and debugging of the decoded ShellCode identified it as a TCP reverse (rebound) shell generated by CS or MSF. The attacking IP was finally traced, and the Powershell process and the TCP reverse shell process were terminated.

II Attack Technique

The WvEWjQ22.hta Trojan, encoded three times to evade detection and alerting by the situational awareness system, launches a powershell process that establishes a reverse shell.

III Sample Analysis

The Trojan executes commands through powershell.

The WvEWjQ22.hta script uses powershell to execute a Base64-encoded PS script.

Base64 decoding

Base64-decode and Gzip-decompress it with a PS script, and write the script that is finally executed to 1.txt.

The decoded script mainly allocates memory, Base64-decodes the ShellCode, then loads and executes it.

Save the Base64-encoded shellcode from the script to the file out.bin.

Debugging and decoding the ShellCode shows a TCP reverse shell generated by CS or MSF. Callback (C2) address: 112.83.107.148:65002
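The decoding steps above can also be done statically instead of running each PowerShell stage. The Python below is an added example, not code from the original write-up: it builds a constructed sample in the same three-layer shape (a Base64 -EncodedCommand wrapping a Base64+Gzip loader, whose inner script carries a Base64 shellcode blob), peels the layers back to raw bytes, and writes them to out.bin. The shellcode bytes and script text are constructed placeholders, not the real WvEWjQ22.hta payload; the -e/-EncodedCommand form and the UTF-16LE encoding of that argument are assumptions about how the HTA invoked powershell.

```python
import base64
import gzip
import re

# Constructed sample, NOT the real WvEWjQ22.hta payload: placeholder "shellcode"
# bytes and a script text shaped like the layered loader the analysis describes.
FAKE_SHELLCODE = bytes(range(0xF0, 0x100)) * 4  # 64 placeholder bytes
INNER_SCRIPT = (
    "[Byte[]]$sc = [System.Convert]::FromBase64String('"
    + base64.b64encode(FAKE_SHELLCODE).decode() + "')\n"
    "# memory allocation / copy / thread creation would follow here\n"
)
STAGE1 = base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
LOADER = (
    "IEX(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
    "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + STAGE1 + "'))),"
    "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
)
# -EncodedCommand takes the Base64 of the UTF-16LE script text (assumed invocation)
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -e " + base64.b64encode(
    LOADER.encode("utf-16-le")).decode()

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ENC_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+(\S+)", re.I)


def longest_b64(text):
    """Return the longest Base64-looking token in text, i.e. the embedded payload."""
    return max(B64_BLOB.findall(text), key=len)


def peel_layers(cmdline):
    """Undo the layers statically: -e Base64 (UTF-16LE) -> Base64 -> Gzip -> Base64.
    Returns (decoded inner script, raw shellcode bytes)."""
    enc = ENC_ARG.search(cmdline).group(1)
    loader = base64.b64decode(enc).decode("utf-16-le")
    stage1 = base64.b64decode(longest_b64(loader))
    script = gzip.decompress(stage1).decode("utf-8", errors="replace")
    shellcode = base64.b64decode(longest_b64(script))
    return script, shellcode


def dump_shellcode(shellcode, path="out.bin"):
    """Write the raw bytes out (the write-up's out.bin) for disassembly; returns size."""
    with open(path, "wb") as fh:
        fh.write(shellcode)
    return len(shellcode)


if __name__ == "__main__":
    script, sc = peel_layers(SAMPLE_CMDLINE)
    print(script)
    print("shellcode bytes:", dump_shellcode(sc), "first bytes:", sc[:4].hex())
```

The resulting out.bin is what gets loaded into a debugger or shellcode emulator to recover the callback address, as the analysis did.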

IV Disposition

Terminate the powershell process and the TCP reverse shell process.

Source: yisu.com