Statik Analiz - WTS Session Hijacker | Tehdit: YUKSEK

文件 Kimligi

SHA256068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
大小396,288 byte (PE32 GUI x86, 4 section)
Entropi7.64 (packed) -- .rsrc 7.81 (300KB sifreli payload)
Timestamp2015-03-24 (fake / spoofed) -- Visual C++ 6.0

RDP/WTS Oturum Saldirisi

WTS HIJACKER: RDP oturum ele gecirme ve token hirsizligi!
WTSEnumerateSessionsW -- Aktif RDP oturumlarini listele\nWTSEnumerateServersA -- Network RDP sunucularini tara\nWTSQueryUserToken -- Aktif kullanici tokenini al\nWTSQuerySessionInformationA -- Oturum detaylarini sorgula\nWTSSetSessionInformationW -- Oturum ayarlarini degistir\nWTSVirtualChannelRead -- RDP virtual kanal okuma\n\n-- Tum Windows Terminal Services API seti: tam RDP hijack yetenegi\n-- WTSQueryUserToken + LogonUserW = oturum token hirsizligi + impersonation

Token Hirsizligi + Yetki Escalation

LogonUserW -- Kimlik bilgileriyle kullanici girisi\nAuthzAddSidsToContext -- Token context`e SID ekle\nAuthzInitializeContextFromSid -- SID`den context olustur\nCryptSignHashW -- Kripto imza\nClearEventLogA -- Etkinlik gunluklarini temizle\nControlService -- Servis kontrol (AV kill / WinDefend durdur?)\n\n-- authz.dll kullanimi: SYSTEM yetkisi icin SID manipulasyonu\n-- ClearEventLogA: izleri gizlemek icin event log temizle\n-- Lateral movement: WTS API ile agdaki tum RDP sunucularini tara

Obfuske API Cagrilari

cxrotepg.dll -- XOR obfuske DLL adi (kernel32/ntdll olabilir)\ncaab__o_es_Memory -- VirtualAllocEx veya NtAllocateVirtualMemory\nekatu___lloc -- VirtualAlloc (XOR ile dogrulanmis)\n.rsrc -- 300 KB sifreli payload (calisma zamaninda dekript edilir)\n\nOzel hex kodlama: ABCDEFGHIJKLMNO@ alfabesi (16 sembol, 4-bit nibble)

IOC

SHA256068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
MD5f0b9f50c6a247ac5ca9cc95135b83dcf
WTS APIWTSEnumerateSessionsW + WTSQueryUserToken (tam RDP hijack)
AuthZAuthzAddSidsToContext + AuthzInitializeContextFromSid (token eskalasyon)
Payload300KB sifresiz .rsrc bolumu (runtime decryption)

WTSSessionHijacker — 恶意软件档案

RDP/WTS session hijacking tool using Windows Terminal Services API (wtsapi32.dll). Enumerates all RDP sessions (WTSEnumerateSessionsW), steals user tokens (WTSQueryUserToken), performs credential-based logon (LogonUserW), and escalates via authz.dll (AuthzAddSidsToContext). Clears event logs (ClearEventLogA) and can control services (ControlService). 300KB encrypted .rsrc payload decrypted at runtime. API calls obfuscated with custom XOR encoding.

恶意软件类型
RAT
编程语言
C/C++
C2协议
custom
目标系统
Kuresel/Kurumsal

能力与行为

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

IOC列表 (1 个指标)

IOC — WTSSessionHijacker
# SHA256 068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
类型备注
sha256 068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
标签
wts-rdp-session-hijackingwts-enumeratesessionsw-wts-queryusertokenlogonuserw-credential-authauthzaddsidstocontext-authzinitializecontextfromsid-sid-escalationcleareventloga-log-tampercontrolservice-av-kill300kb-encrypted-rsrc-payloadobfuscated-api-calls-xor-kernel32wtsapi32-dll-full-rdp-hijacklateral-movement-rdpspoofed-timestamp-2015-vc6