Hacking Team捆绑程序简要介绍 (WOOYUN)

  • A+
所属分类:WooYun-Zone

三好学生 (:) Hacking Team捆绑程序简要介绍  (WOOYUN) | 2015-07-30 17:57

在泄露的数据库中发现一个捆绑项目,很是有趣。
0x00项目地址
Hacking Team下载链接:
http://pan.baidu.com/s/1i3lHQRF
感谢drops蒸米提供,http://drops.wooyun.org/news/6977

项目名称:
vector-exploit-master\ht-2014-002-FakeWin

0x01项目功能

伪造成常见文件格式的图标,一旦用户点击该程序,程序做如下操作:
1、程序自删除
2、释放同名正常文件
3、打开该正常文件
4、释放payload,复制到startup目录下
已支持文件格式如图:
Hacking Team捆绑程序简要介绍  (WOOYUN)

0x02参数说明

-i: installer          -> empty installer to be filled with the agent and the do
c
-a: agent              -> full path of the file to drop into startup folder
-e: document extension -> extension of the document (es: pdf)
-n: fakedoc_name       -> new fake document name
-s: scout_name         -> scout name to be copied into startup folder
-d: document           -> full path of the document to embed into the installer
(optional)
-r: run_agent          -> 0=dont't run the agent file, 1=run the agent file (opt
ional, default=1)

0x03实例测试

fakedoc.exe -i installer.exe -a C:\test1\calc.exe -e jpg -n good.exe -s bad -d C:\test1\1.jpg -r 0
参数说明:
-a C:\test1\calc.exe: 需要预先准备好,此为程序运行后释放的payload
-e jpg:程序伪造的文件格式
-n good.exe:捆绑后生成的文件名称
-s bad:释放到startup文件夹下的exe名称
-d C:\test1\1.jpg:伪造的图片
-r 0:不执行释放的payload,执行设为1
如图,执行后生成good.exe
Hacking Team捆绑程序简要介绍  (WOOYUN)

点击测试:

如图
Hacking Team捆绑程序简要介绍  (WOOYUN)

0x04补充

杀毒检测:
VirSCAN.org Scanned Report :
Scanner results: 15%的杀软(6/39)报告发现病毒
Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
ahnlab         9.9.9          9.9.9             2013-05-28     4    Found nothing                
antivir        1.9.2.0        1.9.159.0         7.11.251.140   12   Found nothing                
antiy          AVL SDK 3.0    2014112615531100  2014-11-26     1    Found nothing                
arcavir        1.0            2011              2014-05-30     21   Found nothing                
asquared       9.0.0.4453     9.0.0.4453        2014-07-03     2    Found nothing                
avast          150729-0       4.7.4             2015-07-29     55   Win32:Malware-gen            
avg            2109/8526      10.0.1405         2015-01-30     6    Found nothing                
baidu          2.0.1.0        4.1.3.52192       2.0.1.0        4    Found nothing                
baidusd        1.0            1.0               2014-04-02     2    Found nothing                
bitdefender    7.58879        7.90123           2015-01-16     1    Found nothing                
clamav         20735          0.97.5            2015-07-29     1    PUA.Win32.Packer.SetupExeSecti
comodo         15023          5.1               2015-04-26     3    Found nothing                
ctch           4.6.5          5.3.14            2013-12-01     1    Found nothing                
drweb          5.0.2.3300     5.0.1.1           2015-07-30     46   Trojan.DownLoad3.37956        
fortinet       27.041, 27.041 5.1.158           2015-07-30     1    Found nothing                
fprot          4.6.2.117      6.5.1.5418        2015-07-29     1    Found nothing                
fsecure        2014-04-02-01  9.13              2014-04-02     5    Gen:Variant.Graftor.227065    
gdata          25.1280        25.1280           2015-04-27     8    Found nothing                
hauri          2.73           2.73              2015-01-30     1    Found nothing                
ikarus         1.06.01        V1.32.31.0        2015-07-29     15   Found nothing                
jiangmin       16.0.100       1.0.0.0           2015-04-22     37   Found nothing                
kaspersky      5.5.33         5.5.33            2014-04-01     24   Found nothing                
kingsoft       2.1            2.1               2013-09-22     3    Found nothing                
mcafee         7638           5400.1158         2014-11-30     7    Found nothing                
nod32          1777           3.0.21            2015-06-12     1    Found nothing                
panda          9.05.01        9.05.01           2015-04-27     4    Found nothing                
pcc            11.820.07      9.500-1005        2015-07-29     1    Found nothing                
qh360          1.0.1          1.0.1             1.0.1          6    Found nothing                
qqphone        1.0.0.0        1.0.0.0           2015-07-30     2    Found nothing                
quickheal      14.00          14.00             2015-04-17     3    Found nothing                
rising         25.63.06.04    25.63.06.04       2015-04-26     4    Found nothing                
sophos         5.08           3.55.0            2014-12-01     7    Found nothing                
sunbelt        3.9.2632.2     3.9.2632.2        2015-04-24     4    Found nothing                
symantec       20150727.003   1.3.0.24          2015-07-27     1    Found nothing                
tachyon        9.9.9          9.9.9             2013-12-27     3    Found nothing                
thehacker      6.8.0.5        6.8.0.5           2015-04-25     1    Found nothing                
tws            17.47.17308    1.0.2.2108        2015-04-27     6    Suspicious:Packed.Krap.c.zxgd.
vba            3.12.26.4      3.12.26.4         2015-07-29     6    TrojanDownloader.Agent        
virusbuster    15.0.985.0     5.5.2.13          2014-12-05     21   Found nothing

程序bug:
细心的同学会发现在startup文件夹下的exe只有0kb,程序没有正常释放
这是该项目的一个bug,但是修改起来应该不难;D              

---
仅作测试,不许抄作业,后果自负

分享到: