Ahlamghribi/malware-analysis-lab
GitHub: Ahlamghribi/malware-analysis-lab
A complete collection of malware-analysis lab reports covering static PE reversing, dynamic sandbox behaviour analysis, memory forensics and CVE exploit reproduction, showing a professional DFIR toolchain in practical use.
Stars: 0 | Forks: 0
# 🦠 Malware Analysis Lab
A personal repository of **dynamic and static malware analysis reports** produced with professional DFIR tooling in an isolated lab environment. Every sample is analysed with a structured methodology, from behavioural observation through memory forensics to threat-intelligence extraction.
## ⚠️ Disclaimer
```
All samples analyzed in this repository were handled in isolated virtual environments
(VirtualBox, host-only network, no internet access). This work is strictly educational
and conducted as part of academic research in cybersecurity.
Do NOT download, execute, or distribute any malware samples.
The author takes no responsibility for misuse of the information herein.
```
## 👩💻 Authors
**Ghribi Ahlam** — Cybersecurity Engineer · USTHB, Département Sécurité Informatique
📧 ahlamghribi77@gmail.com · 🐙 [github.com/Ahlamghribi](https://github.com/Ahlamghribi)
**Besmala Laidli** — Cybersecurity Engineer · USTHB, Département Sécurité Informatique
📧 besmelalaidli@gmail.com
## 📊 Analysis Index
### 🔴 Dynamic Analysis
| # | Malware | Family | Report | Tools | Score |
|---|---------|--------|--------|-------|-------|
| 01 | **njRAT v0.6.4** | Bladabindi / RAT | [📄 View](dynamic-analysis/njRAT-v0.6.4_dynamic-analysis_complete.pdf) | ProcMon · Wireshark · Volatility3 · Cuckoo | 9.5/10 |
### 🟠 Static Analysis
| # | Malware | Family | Report | Tools |
|---|---------|--------|--------|-------|
| 01 | **Malware #1 — Spirit v1.5** | MS-DOS Backdoor / PE32 | [📄 View](static-analysis/malware1-Spirit_v1.5_static-analysis_pe-reversing.pdf) | PEStudio · PE-bear · DIE · Strings · FLOSS |
| 02 | **Malware #2 — UPX v0.39** | Unknown / PE32 (packed) | [📄 View](static-analysis/malware2-UPX_v0.39_static-analysis_pe-reversing.pdf) | PEStudio · PE-bear · DIE · Strings · FLOSS |
### 🟡 Exploitation & Research
| # | Target | CVE | Report | Tools |
|---|--------|-----|--------|-------|
| 01 | **Adobe Reader 9.2** | CVE-2010-0188 | [📄 View](exploitation/adobe-reader-9.2_CVE-2010-0188_metasploit-exploitation.pdf) | Metasploit · Meterpreter · Apache |
| 02 | **Microsoft Office 2013** | n/a (Metasploit module `office_word_hta`) | [📄 View](exploitation/ms-office-2013_office-word-hta_metasploit-exploitation.pdf) | Metasploit · Meterpreter · Apache |
## 🔬 Featured Analysis — njRAT v0.6.4
```
Family : Bladabindi (njRAT)
Version : 0.6.4
Type : Remote Access Trojan (.NET PE32)
SHA256 : fd624aa205517580e83fad7a4ce4d64863e95f62b34ac72647b1974a52822199
MD5 : 0431311b5f024d6e66b90d59491f2563
Size : 959 KB (982,016 bytes)
Threat Score : 9.5 / 10 — VERY SUSPICIOUS (Cuckoo Sandbox)
```
### What's Covered
The analysis follows the full **DFIR kill chain** across 3 separate execution sessions:
```
Part I — System & Registry Analysis
↳ 124 registry modifications (Regshot)
↳ Double persistence: HKCU + HKLM Run keys
↳ Firewall rules injection (TCP + UDP)
↳ Process Hollowing detection (njc8.exe, windows.exe)
↳ DLL mapping: kernel32, mswsock, sspicli, ntdll
↳ Ransomware behavior: NEGATIVE (0 user files touched)
Part II — Network & Sandbox Analysis
↳ C2 domain: malicious-c2.ddns.net:5552
↳ IP detection: checkip.dyndns.org
↳ AES-256-CBC encrypted beacons (358 bytes / 30-60s)
↳ Reverse connection architecture confirmed
↳ Firewall disabled via: netsh advfirewall set allprofiles state off
↳ Cuckoo Sandbox: 247 API calls, 85 TCP packets captured
Part III — Memory Forensics
↳ RAM dump: WinPMEM (4 GB)
↳ Process list analysis: Volatility3 pslist
↳ Injected code detection: malfind (MZ signature confirmed)
↳ Full C2 config extracted from PID 5012 (windows.exe)
↳ AES-256 key extracted from memory
↳ Beacon decrypted with CyberChef — plaintext beacon confirmed
```
### Key IOCs
```
# Hashes
sha256: fd624aa205517580e83fad7a4ce4d64863e95f62b34ac72647b1974a52822199
md5: 0431311b5f024d6e66b90d59491f2563
# Dropped files
- C:\Users\*\AppData\Roaming\svchost.exe # Persistence copy
- C:\Users\*\AppData\Local\Temp\windows.exe # Injected payload
# Registry
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20
# Network
- Domain : malicious-c2.ddns.net
- Port : 5552/TCP
- Beacon : every 30–60s, 358 bytes, AES-256-CBC
# Mutex
- njRAT_MUTEX_v064
```
### MITRE ATT&CK Mapping
| Tactic | Technique | Evidence |
|--------|-----------|----------|
| Persistence | T1547.001 — Registry Run Keys | HKCU + HKLM Run |
| Defense Evasion | T1055.012 — Process Hollowing | njc8.exe, windows.exe |
| Defense Evasion | T1562.004 — Disable or Modify System Firewall | netsh advfirewall off |
| Defense Evasion | T1036.005 — Match Legitimate Name or Location | svchost.exe impersonation |
| Discovery | T1082 — System Information Discovery | GetComputerName, OS |
| Discovery | T1016 — System Network Configuration Discovery | checkip.dyndns.org |
| Collection | T1056.001 — Keylogging | Module active in config |
| Collection | T1113 — Screen Capture | Module active (30s interval) |
| Command and Control | T1573.001 — Encrypted Channel: Symmetric Cryptography | AES-256-CBC |
| Exfiltration | T1041 — Exfiltration Over C2 Channel | Beacon: host\|user\|OS\|IP |
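The behaviours in the table above are what a Process Monitor capture of the sample shows. As an added example, not code from the repository or the report, the following Python reads a ProcMon CSV export and maps events to four of those techniques: a value written under an HKCU or HKLM Run key (T1547.001), `netsh advfirewall ... state off` in a created process's command line (T1562.004), a `svchost.exe` created outside the system directories (T1036.005, Match Legitimate Name or Location), and a TCP connection to checkip.dyndns.org (T1016). The CSV lines are constructed for this example, with the user name `lab`, PIDs and timestamps invented; the columns are those of a default ProcMon CSV export.

```python
"""Behavioural detection over a Process Monitor CSV export. Added example, not
code from the malware-analysis-lab repository; the event lines below are
constructed to mirror the njRAT report (user 'lab', PIDs and times invented)."""
import csv
import io
import re
from dataclasses import dataclass

# T1547.001: a value written under an HKCU or HKLM Run key
RUN_KEY = re.compile(r"^HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# T1562.004: Windows firewall switched off via netsh (any profile selector)
FIREWALL_OFF = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)
# T1036.005: a file named like a system binary created outside the system directories
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# T1016: external-IP lookup services (illustrative list, extend as needed)
IP_CHECK_HOSTS = {"checkip.dyndns.org"}


@dataclass(frozen=True)
class Finding:
    technique: str
    process: str
    pid: str
    evidence: str


def detect(procmon_csv: str) -> list[Finding]:
    """Map each suspicious ProcMon event to an ATT&CK technique; duplicates collapse."""
    findings: dict[Finding, None] = {}
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        proc, pid = row["Process Name"], row["PID"]
        if op == "RegSetValue" and RUN_KEY.match(path):
            findings[Finding("T1547.001", proc, pid, path)] = None
        if op == "Process Create" and FIREWALL_OFF.search(detail):
            findings[Finding("T1562.004", proc, pid, detail)] = None
        if op in ("CreateFile", "WriteFile"):
            low = path.lower()
            if low.endswith("\\svchost.exe") and not low.startswith(SYSTEM_DIRS):
                findings[Finding("T1036.005", proc, pid, path)] = None
        if op == "TCP Connect":
            remote = path.split("->")[-1].strip()      # ProcMon path: "src:port -> host:port"
            host = remote.rsplit(":", 1)[0].lower()
            if host in IP_CHECK_HOSTS:
                findings[Finding("T1016", proc, pid, remote)] = None
    return list(findings)


# Constructed ProcMon export (default columns); not taken from the report's capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:09.1201","njc8.exe","4120","CreateFile","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:02:09.1290","njc8.exe","4120","WriteFile","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 982,016"
"10:02:09.1340","njc8.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20","SUCCESS","Type: REG_SZ, Data: C:\Users\lab\AppData\Roaming\svchost.exe"
"10:02:09.1355","njc8.exe","4120","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20","SUCCESS","Type: REG_SZ, Data: C:\Users\lab\AppData\Roaming\svchost.exe"
"10:02:10.0020","windows.exe","5012","Process Create","C:\Windows\System32\netsh.exe","SUCCESS","PID: 5044, Command line: netsh advfirewall set allprofiles state off"
"10:02:10.4411","windows.exe","5012","TCP Connect","lab-win10:49712 -> checkip.dyndns.org:80","SUCCESS","Length: 0"
"10:02:11.0101","windows.exe","5012","TCP Connect","lab-win10:49713 -> malicious-c2.ddns.net:5552","SUCCESS","Length: 0"
"10:02:12.0000","explorer.exe","1744","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Data: 1"
'''

if __name__ == "__main__":
    for f in detect(SAMPLE_CSV):
        print(f"{f.technique}  {f.process}({f.pid})  {f.evidence}")
```

The C2 connection to port 5552 is deliberately not matched: a port alone is weak evidence, and the report ties that domain to the sample through the decrypted beacon, not through the connect event. Run keys and the netsh command line, by contrast, are high-confidence on their own and survive a renamed dropper.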
## 🔬 Featured Analysis — Static PE Analysis (TP)
```
Samples : 2 PE32 executables
Authors : Ghribi Ahlam & Besmala Laidli
Institution : USTHB — Département Sécurité Informatique
Year : 2025/2026
```
### Malware #1 — Spirit v1.5
```
SHA256 : 5b2aa53001c0884222bebf931b8235e80...
Size : 71 KB (PE32)
Packer : Spirit v1.5 (MS-DOS 16-bit, 1996)
Entropy : 7.737 — High (96.7% of max)
Overlay : 98.59% of file
```
**Key findings:**
- Section `.text1` has RawSize = 0 (a placeholder for code decompressed at runtime)
- Hard-coded credentials: `4#p@ssw0rd`, `qazwsx323as`
- The visible imports expose full backdoor capability: C2 communication (`WS2_32`), code injection (`VirtualAlloc` + `VirtualProtect`), registry persistence (`ADVAPI32`)
- The command fragment `net shar` suggests network-share manipulation
- Unpacking: **failed**; no public unpacker exists for Spirit v1.5 (obsolete since 2000)
### Malware #2 — UPX v0.39 (modified)
```
SHA256 : 786ab616239814616642ba4438df78a9   # 32 hex digits, as given in the report (MD5 length; a SHA256 has 64)
Size : 32.35 KB (PE32)
Packer : UPX v0.39 final [LZMA, modified]
Entropy : 7.993 — Near-maximum (99.9% of max)
Overlay : 98.45% of file
```
**Key findings:**
- Section names obfuscated with non-printable bytes (`PS ?O«e‹A`) to evade YARA rules that key on `UPX0`/`UPX1`/`UPX2`
- IAT fully hidden; only `LoadLibraryA` and `GetProcAddress` are visible
- All 3 sections have RWX permissions
- Language trace: a `"Korean"` string (possible attribution or a false flag)
- Unpacking: **failed**; section names and stub were modified, so the UPX tool rejects the file
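Both findings lists come down to reading the section table: a RawSize of 0, names outside the printable range, RWX characteristics and near-maximal entropy. The Python below, an added example rather than code from the repository, parses a PE32 section table directly with `struct` and reports those four conditions. The file it parses is constructed in `build_sample_pe()` to reproduce the reported anomalies (a `.text1` section with RawSize 0, an RWX section named with the bytes `50 53 3F 4F AB 65 8B 41` whose data is uniformly distributed, and a plain `.rsrc`); it is neither of the two samples, and the 7.0 bits/byte threshold is a working assumption, not a value from the reports.

```python
"""Section-table triage for PE32 files. Added example; not code from the
malware-analysis-lab repository. The PE it parses is constructed below and is
not either malware sample. It flags the four anomalies the static reports rely
on: RawSize 0, a non-printable section name, RWX permissions, high entropy."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
ENTROPY_THRESHOLD = 7.0  # bits/byte (assumed cut-off); plain x86 code sits around 6.0-6.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte on the 0..8 scale DIE and pestudio report."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[dict]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                 # COFF header is 20 bytes
    sections = []
    for i in range(nsections):
        off = table + i * 40                     # IMAGE_SECTION_HEADER is 40 bytes
        raw_name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        name = raw_name.rstrip(b"\0")
        data = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.decode("latin-1"),
            "name_hex": name.hex(),
            "printable": all(0x20 <= b < 0x7F for b in name),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
            "chars": chars,
            "entropy": shannon_entropy(data) if data else None,
        })
    return sections


def triage(pe: bytes) -> list[tuple[str, str]]:
    """(section label, finding) pairs; unprintable names are labelled by their hex."""
    findings = []
    for s in parse_sections(pe):
        label = s["name"] if s["printable"] else "0x" + s["name_hex"]
        if not s["printable"]:
            findings.append((label, "NONPRINTABLE_NAME"))  # defeats UPX0/UPX1 name-based rules
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append((label, "RAWSIZE_ZERO"))       # filled by the unpacking stub at runtime
        if s["chars"] & RWX == RWX:
            findings.append((label, "RWX"))                # writable and executable: unpack target
        if s["entropy"] is not None and s["entropy"] > ENTROPY_THRESHOLD:
            findings.append((label, "HIGH_ENTROPY"))       # compressed or encrypted payload
    return findings


def build_sample_pe() -> bytes:
    """Constructed three-section PE32 reproducing the reported anomalies."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic

    def sec(name, vsize, vaddr, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

    table = (
        sec(b".text1", 0x5000, 0x1000, 0, 0, 0x60000020)                                   # RawSize 0
        + sec(bytes.fromhex("50533F4FAB658B41"), 0x200, 0x6000, 0x200, 0x200, 0xE0000020)  # obfuscated, RWX
        + sec(b".rsrc", 0x100, 0x7000, 0x100, 0x400, 0x40000040)
    )
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x200, b"\0")
    packed = bytes(range(256)) * 2      # uniform byte distribution: entropy exactly 8.0
    resources = b"A" * 0x100            # single byte value: entropy 0.0
    return header + packed + resources


if __name__ == "__main__":
    for label, finding in triage(build_sample_pe()):
        print(f"{label:>20}  {finding}")
```

On a real sample the unprintable name is the reason `upx -d` refuses the file: the stock UPX stub is looked up by name and layout, so either recovering the `UPX0`/`UPX1` names by hand in PE-bear or dumping the process after the stub runs is the way around it, and the RawSize-0 section is where the dumped code lands.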
### IOC Comparison
| IoC | Type | Sample |
|-----|------|--------|
| `5b2aa530...` | SHA256 | Malware #1 |
| `786ab616...` | SHA256 | Malware #2 |
| `4#p@ssw0rd` | Hard-coded credential | Malware #1 |
| `qazwsx323as` | Hard-coded credential | Malware #1 |
| `PS ?O«e‹A` (`50 53 3F 4F AB 65 8B 41`) | Obfuscated section name | Malware #2 |
| `VirtualAlloc` + `VirtualProtect` | API pair (code injection) | Malware #1 |
| `net shar` | Command fragment | Malware #1 |
### YARA Rules
```
import "math"   // required for math.entropy(); without it neither rule compiles

rule Malware1_Spirit_Backdoor {
    meta:
        description = "Detection Malware #1 - Spirit v1.5 backdoor"
        author = "Ghribi Ahlam & Besmala Laidli - USTHB"
        date = "2025-01"
    strings:
        $cred1 = "4#p@ssw0rd" ascii
        $cred2 = "qazwsx323as" ascii
        $api1 = "VirtualAlloc" ascii
        $api2 = "VirtualProtect" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and
        math.entropy(0, filesize) > 7.5 and
        ($cred1 or $cred2) and 2 of ($api*)
}

rule Malware2_UPX_Modified {
    meta:
        description = "Detection Malware #2 - UPX v0.39 modified"
        author = "Ghribi Ahlam & Besmala Laidli - USTHB"
        date = "2025-01"
    strings:
        $sec1 = { 50 53 3F 4F AB 65 8B 41 } // "PS ?O«e‹A", the obfuscated section name
        $api1 = "LoadLibraryA" ascii
        $api2 = "GetProcAddress" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 50KB and
        math.entropy(0, filesize) > 7.9 and
        $sec1 and all of ($api*)
}
```
## 🔬 Featured Analysis — Adobe Reader 9.2 Exploitation (TP)
```
Target : Adobe Reader 9.2 (Windows 7)
CVE : CVE-2010-0188
Type : File Format Exploit — Malicious PDF with embedded payload
Authors : Ghribi Ahlam & Besmala Laidli
Institution : USTHB — Département Sécurité Informatique
Year : 2025/2026
```
### What's Covered
The report follows the full **attack kill chain** from environment setup to post-exploitation:
```
Phase I — Environment Setup
↳ Lab: Kali Linux (192.168.56.101) ↔ Windows 7 (192.168.56.11)
↳ Host-only network, fully isolated
↳ AV and firewall disabled on target (lab conditions)
Phase II — Exploitation
↳ Module: exploit/windows/fileformat/adobe_pdf_embedded_exe
↳ Payload: windows/meterpreter/reverse_tcp
↳ Social engineering message crafted (urgency + authority bias)
↳ Malicious PDF (evil.pdf) generated and served via Apache
Phase III — Post-Exploitation (Meterpreter)
↳ Reverse shell established on port 4444
↳ Remote process execution (notepad.exe)
↳ Keystroke injection (keyboard_send)
↳ Process enumeration (ps) and termination (kill)
↳ Full Meterpreter command reference documented
```
### Lab Configuration
```
Attacker : Kali Linux — 192.168.56.101
Target : Windows 7 — 192.168.56.11
Module : exploit/windows/fileformat/adobe_pdf_embedded_exe
Payload : windows/meterpreter/reverse_tcp
LPORT : 4444
File : evil.pdf (served via Apache)
```
### MITRE ATT&CK Mapping
| Tactic | Technique | Evidence |
|--------|-----------|----------|
| Initial Access | T1566.001 — Spearphishing Attachment | Malicious PDF delivery |
| Execution | T1204.002 — Malicious File | User opens evil.pdf |
| Execution | T1059 — Command and Scripting Interpreter | Meterpreter shell |
| Defense Evasion | T1055 — Process Injection | Meterpreter runs in memory |
| Collection | T1056.001 — Keylogging | `keyscan_*` (`keyboard_send` injects keystrokes rather than capturing them) |
| Collection | T1113 — Screen Capture | `screenshot` command |
| Command and Control | T1571 — Non-Standard Port | Reverse TCP on port 4444 |
| Discovery | T1057 — Process Discovery | `ps` command |
## 🔬 Featured Analysis — Microsoft Office 2013 Exploitation (TP)
```
Target : Microsoft Office 2013 SP1 (Windows 7)
Module : exploit/windows/fileformat/office_word_hta
Type : File Format Exploit — Malicious .doc with embedded HTA payload
Authors : Ghribi Ahlam & Besmala Laidli
Institution : USTHB — Département Sécurité Informatique
Year : 2025/2026
```
### What's Covered
```
Phase I — Environment Setup
↳ Lab: Kali Linux (192.168.56.101) ↔ Windows 7 (192.168.56.11)
↳ Host-only network, fully isolated
↳ AV and firewall disabled on target (lab conditions)
Phase II — Exploitation
↳ Module: exploit/windows/fileformat/office_word_hta
↳ Payload: windows/meterpreter/reverse_tcp
↳ Malicious msf.doc generated and served via Apache
↳ Trigger: user clicks "Activer la modification" (Enable Editing), which leaves Protected View
↳ mshta.exe executes embedded HTA → reverse shell on port 4444
Phase III — Post-Exploitation (Meterpreter)
↳ Reverse shell established: 192.168.56.11 → 192.168.56.101:4444
↳ sysinfo — OS, architecture, domain enumeration
↳ pwd — working directory identified (Downloads folder)
↳ execute -f notepad.exe — remote process execution
↳ ps / kill — process enumeration and termination
↳ ipconfig — network interface enumeration
↳ screenshot — screen capture saved to Kali
↳ getuid — LAB\Administrator confirmed
```
### Lab Configuration
```
Attacker : Kali Linux — 192.168.56.101
Target : Windows 7 — 192.168.56.11 (MS Office 2013 SP1)
Module : exploit/windows/fileformat/office_word_hta
Payload : windows/meterpreter/reverse_tcp
LPORT : 4444
File : msf.doc (served via Apache)
Trigger : "Activer la modification" (Enable Editing; user-assisted)
```
### Key Differences from the Adobe Reader TP
| | Adobe Reader TP | MS Office TP |
|---|---|---|
| **Trigger** | Opening the PDF (automatic) | Clicking "Activer la modification" (Enable Editing) |
| **Mechanism** | CVE-2010-0188 memory corruption | Embedded HTA run through `mshta.exe` |
| **User interaction** | Minimal | Required (leaving Protected View) |
| **Detection** | Harder (automatic execution) | Easier (Word warns the user) |

One caveat on the PDF column: the module the report uses, `exploit/windows/fileformat/adobe_pdf_embedded_exe`, embeds the executable in the PDF and starts it through a `/Launch` action, which Adobe Reader 9 presents to the user in a confirmation dialog; the crafted social-engineering message is the text of that dialog. That module does not trigger the CVE-2010-0188 memory-corruption bug, so "automatic, minimal interaction" holds only once the user accepts the launch prompt.
### MITRE ATT&CK Mapping
| Tactic | Technique | Evidence |
|--------|-----------|----------|
| Initial Access | T1566.001 — Spearphishing Attachment | Malicious .doc delivery |
| Execution | T1204.002 — Malicious File | User enables editing on msf.doc |
| Execution | T1218.005 — System Binary Proxy Execution: Mshta | `mshta.exe` runs the embedded HTA |
| Defense Evasion | T1055 — Process Injection | Meterpreter stays in memory only |
| Discovery | T1057 — Process Discovery | `ps` command |
| Discovery | T1082 — System Information Discovery | `sysinfo` command |
| Discovery | T1016 — System Network Configuration Discovery | `ipconfig` command |
| Collection | T1113 — Screen Capture | `screenshot` command |
| Command and Control | T1571 — Non-Standard Port | Reverse TCP on port 4444 |
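Both exploitation TPs deliver a file-format lure, and the defender's first step is static triage of that file without opening it. The Python below is an added example, not code from the repository or either report. On the PDF side it collects name objects with `#xx` escapes resolved, so `/L#61unch` is recognised as `/Launch`, and flags the names an `adobe_pdf_embedded_exe`-style lure needs: `/OpenAction`, `/Launch`, `/EmbeddedFile`. On the Word side it assumes the lure has an RTF body carrying an auto-updating OLE link (the shape HTA-pulling Office lures commonly take; the report itself only says ".doc with embedded HTA") and extracts `.hta` URLs from raw bytes and from the hex-encoded `\objdata` blob, where such URLs are usually stored as UTF-16LE. Both inputs are constructed here (they are not `evil.pdf` or `msf.doc`), and `http://192.168.56.101:8080/default.hta` is a hypothetical URL, not one from the report.

```python
"""Static triage of the two lure formats the exploitation TPs use: a PDF whose
/OpenAction is a /Launch action with an embedded executable, and a Word lure
that pulls an HTA over HTTP. Added example, not code from the repository; the
PDF and the document below are constructed (not evil.pdf or msf.doc) and the
HTA URL is hypothetical."""
import re

PDF_RISKY = {  # name objects worth a look before anyone opens the file
    b"/OpenAction": "action fires when the document opens",
    b"/AA": "additional actions (page or field triggers)",
    b"/Launch": "launches an external program or file",
    b"/EmbeddedFile": "embedded file stream (payload carrier)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript",
    b"/ObjStm": "object streams: the names above may also sit inside compressed objects",
}
HTA_URL = re.compile(rb"https?://[^\s\"'<>()]+\.hta\b", re.I)
HTA_URL_S = re.compile(r"https?://[^\s\"'<>()]+\.hta\b", re.I)
OBJDATA = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")   # hex payload of an RTF OLE object
RTF_OLE_LINK = (b"\\objautlink", b"\\objupdate")             # auto-updating OLE link control words


def pdf_names(data: bytes) -> set[bytes]:
    """Name objects with #xx escapes resolved, so /L#61unch compares equal to /Launch."""
    names = set()
    for m in re.finditer(rb"/([^\s()<>\[\]{}/%]+)", data):
        norm = re.sub(rb"#([0-9A-Fa-f]{2})", lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        names.add(b"/" + norm)
    return names


def triage_pdf(data: bytes) -> list[str]:
    if not data.startswith(b"%PDF"):
        return ["no %PDF header"]
    found = pdf_names(data)
    return [f"{k.decode()}: {v}" for k, v in PDF_RISKY.items() if k in found]


def hta_urls(data: bytes) -> list[str]:
    """HTA URLs in the raw bytes and inside hex-encoded \\objdata blobs (ASCII and UTF-16LE)."""
    urls = [m.group(0).decode() for m in HTA_URL.finditer(data)]
    for m in OBJDATA.finditer(data):
        hexrun = re.sub(rb"\s", b"", m.group(1))
        if len(hexrun) % 2:
            continue
        blob = bytes.fromhex(hexrun.decode())
        urls += [u.group(0).decode() for u in HTA_URL.finditer(blob)]
        for off in (0, 1):  # UTF-16LE text may start on either byte alignment
            urls += [u.group(0) for u in HTA_URL_S.finditer(blob[off:].decode("utf-16-le", "ignore"))]
    return list(dict.fromkeys(urls))


def triage_doc(data: bytes) -> list[str]:
    findings = []
    if data.startswith(b"{\\rtf"):
        findings.append("RTF body behind a .doc name")
        findings += [f"{cw.decode()}: OLE link control word" for cw in RTF_OLE_LINK if cw in data]
    elif data.startswith(b"\xD0\xCF\x11\xE0"):
        findings.append("OLE2 compound file (binary .doc)")
    elif data.startswith(b"PK\x03\x04"):
        findings.append("OOXML zip container")
    findings += [f"remote HTA: {u}" for u in hta_urls(data)]
    return findings


SAMPLE_PDF = (  # constructed: /Launch spelled with a #xx escape, plus an embedded MZ stub
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R\n"
    b"   /Names << /EmbeddedFiles << /Names [(update.exe) 4 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /L#61unch /F (update.exe) /P (Open to view) >> endobj\n"
    b"4 0 obj << /Type /Filespec /F (update.exe) /EF << /F 5 0 R >> >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 2 >> stream\nMZ\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_sample_doc(url: str) -> bytes:
    """Constructed RTF lure: an auto-updating OLE link whose objdata carries the URL as UTF-16LE hex."""
    objdata = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + url.encode("utf-16-le") + b"\x00\x00").hex().encode()
    return (
        b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
        b"{\\object\\objautlink\\objupdate\\objw1\\objh1{\\*\\objclass Word.Document.8}\n"
        b"{\\*\\objdata " + objdata + b"}}\n"
        b"\\par Activer la modification pour afficher le document.\\par}\n"
    )


if __name__ == "__main__":
    for line in triage_pdf(SAMPLE_PDF) + triage_doc(build_sample_doc("http://192.168.56.101:8080/default.hta")):
        print(line)
```

The `/ObjStm` entry is the honest limit of this approach: a PDF that keeps its catalog inside compressed object streams shows none of the other names to a byte scan, so a hit on `/ObjStm` alone means "inflate the streams and scan again", not "clean".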
## 🧪 Lab Environment
```
Hypervisor : Oracle VirtualBox 7.0
Target VM : Windows 10 x64 (Build 22631) — Defender OFF — 4 GB RAM
Analysis VM : Kali Linux 2024.4 + REMnux
Network : Host-Only (192.168.56.0/24) — fully isolated
C2 Sim : INetSim 1.3.2
```
### Tools
| Category | Tools |
|----------|-------|
| **System / Registry** | Process Monitor v3.89 · Process Hacker 2.39 · Regshot 1.9.0 · x64dbg |
| **Network** | Wireshark 4.2.3 · INetSim 1.3.2 |
| **Sandbox** | Cuckoo Sandbox 3.0 |
| **Memory** | Volatility 3.2.0 · MemProcFS · WinPMEM 4.0 |
| **Static analysis** | PEStudio v9.61 · PE-bear v0.6.5.2 · DIE v3.10 · Strings v2.54 · FLOSS v3.1.1 |
| **Exploitation** | Metasploit Framework v6.4 · Meterpreter · Apache2 |
| **Crypto** | CyberChef |
## 🔗 References
- [MITRE ATT&CK Framework](https://attack.mitre.org)
- [Volatility Foundation](https://www.volatilityfoundation.org)
- [ANY.RUN — njRAT family](https://any.run/malware-trends/njrat)
- [MalwareBazaar — Bladabindi](https://bazaar.abuse.ch/browse/tag/njrat/)
- [UPX — Ultimate Packer for eXecutables](https://github.com/upx/upx)
- [DIE — Detect It Easy](https://github.com/horsicq/Detect-It-Easy)
- [FLOSS — FireEye Labs Obfuscated String Solver](https://github.com/mandiant/flare-floss)
- [CVE-2010-0188 — NVD](https://nvd.nist.gov/vuln/detail/CVE-2010-0188)
- [Metasploit Unleashed](https://www.offensive-security.com/metasploit-unleashed/)