Hacking and Domain Names
XLoader applies an additional layer of encryption to the C2 address. In the decrypted string table, the C2 address is stored as a base64-encoded string; at runtime XLoader decodes the base64 and then decrypts the result again with its modified ("differential") RC4 algorithm.

The RC4 key used to encrypt the C2 address is itself protected with an XOR operation.
When accessing the admin backend, the backend interface loads briefly and then redirects to the login page. Two testing methods are described here, with the focus on method 2:

The first method uses Burp Suite to intercept the backend traffic, then clicks through the backend page and releases the intercepted requests one at a time. This can reveal unauthorized access, but it is slow because every function has to be clicked individually, and some newly added APIs never appear on the page at all. The second method intercepts the login redirect and waits: the backend JS still loads, and the Pandas head plugin (a security tool) extracts the API paths from it. With these backend APIs collected, unauthorized-access testing can be run in batch. The image below shows a typical backend page; holding the request prevents the redirect from firing.
The key focus of this analysis is the PHAR obfuscator. Microstep Cloud Sandbox reports the files as clean.

The obfuscator source code is as follows: agent is a passed-in variable whose value is the connection password for code execution, namely the value inside obfpost_php.

The PHAR file format will be explained in detail below.
Contact: @Rolllli
After finishing its communication with the C2, SmokeLoader spawns an explorer process and runs the plugins delivered by the C2 by patching the assembly at the program's entry point.
Based on the analysis above, let's explore more exploitable techniques through the official documentation.

The vulnerable code above can be abstracted as shown in the figure:

Specifically, it executes an ast.FunctionDef object. Let's first look at the structure of that object.
SmokeLoader sets the system and hidden attributes on the copied file and forges the file's timestamps to match those of advapi32.dll.

Finally, SmokeLoader creates a scheduled task to establish persistence. The task creator is set to the current username, and the task name is disguised as "Firefox Default Browser Agent". The task has two triggers: one fires every 10 minutes, the other fires when the user logs in.
SmokeLoader copies the parent process's executable to the APPDATA directory; if it cannot resolve the APPDATA directory, it copies to the TEMP directory instead.

After copying, SmokeLoader deletes the file's Zone.Identifier alternate data stream so that no "downloaded from the Internet" security warning is raised.
FIXED is a VMware-related application with a valid digital signature.

CUSTOMINJECT is an AutoIt-related application, also with a valid digital signature.
SmokeLoader checks for a debugger using the PEB's BeingDebugged field.
SmokeLoader checks for a debugger a second time using the PEB's NtGlobalFlag field.
SmokeLoader decrypts each function just before it is executed and re-encrypts it after use.
During initialization SmokeLoader creates a new thread that continuously monitors the system's process list; if a debugger process is detected, it is terminated.

SmokeLoader also checks window titles; if a debugger window is found, the process is terminated.
When the target program is an EXE and the delivery-method value in the configuration file is less than 3, the payload is executed in largely the same way as a DLL, with slight differences in how the program's entry point is called.

In this case, HijackLoader first modifies the ImageBase in the payload's OptionalHeader and the ImageBaseAddress in the PEB, setting both to the actual base address of the payload.

Then it wipes the HijackLoader data via the ESAL module and calls the payload's entry point.
When the payload is a DLL, HijackLoader loads a target DLL chosen from the configuration (msi.dll by default) and uses that DLL's address space to write the payload to be delivered. Depending on which antivirus software is installed, HijackLoader then corrupts the payload's IMAGE_SECTION_HEADER as needed to interfere with the antivirus engine's detection.
The TinycallProxy module is used to call target functions indirectly. HijackLoader overwrites the code segment of a DLL with the TinycallProxy module and passes the target function and its parameters to TinycallProxy, which then invokes the target function.

When calling sensitive functions such as CoInitialize and CoCreateInstance, the module routes the call through TinycallProxy to defeat stack backtracing.
No matter how robust a system and its security measures are, they are ultimately controlled by humans, and humans are the root of vulnerabilities.

No technical skills are required; anyone with at least an elementary-school education and intelligence not below average can launch a hacking attack.

* Weak password mass intrusion
Integrating web routing

Some scenarios for extending routing rules:

The asset is a public domain address with strong authentication. Every route path redirects to the account route, but account is an overridden class and does not actually exist.

Although the routing cannot be controlled, the bundled JS file can still be obtained.
This address actually corresponds to the EtwpEventWriteFull function, but the symbol is not visible in x64dbg. It can be confirmed in IDA, which I won't show here; you can look it up yourself.

So this function can be patched to bypass ETW by replacing the call instruction with nop instructions. The call opcode is 1 byte and, when followed by a relative address, the address is 4 more bytes, so replacing the call requires overwriting at least 5 bytes. The opcode for nop is 0x90.
An intuitive graphical user interface with many seamlessly integrated penetration-testing tools, supporting both automated and manual testing.

Quickly enumerates pages within web applications; used by professional web application security researchers and bug bounty hunters. Its functionality can be extended by installing add-ons called BApps.

Well documented, with fast attack execution.

Burp Suite is a comprehensive web application security tool that covers many known classes of web application vulnerabilities. It can enumerate and analyze an application's attack surface and find and exploit security vulnerabilities.