Article summary: This article analyses the Demodex malware of the Salt Typhoon group, covering decryption of the PowerShell payload, extraction of the key, recovery of the malicious DLL and the svchost persistence mechanism. By walking through the DLL's imported functions and its ServiceMain logic, it shows the complete analysis workflow from script to binary and highlights the AesManaged encryption and registry hijacking techniques. Overall score: 80. Article categories: malware, reverse engineering, CTF, threat intelligence, hands-on experience
SalineBreeze-2
Original
漫路修行
微痕鉴远
25 December 2025, 09:57, Guangdong
Your boss was so impressed with your research skills that you’ve been “rewarded” with a new task: malware analysis. Your mission is to investigate a piece of malware linked to the infamous cyber espionage group, Salt Typhoon. They’ve been targeting critical infrastructure, and it’s up to you to uncover their tactics and techniques.
What is the name of the malware family associated with the provided file?
demodex
What .NET cryptographic class is used to perform decryption in the script?
System.Security.Cryptography.AesManaged
The key to decrypt the script must be entered on the command line when running the ps1. What variable holds the key?
$k
What is the key required to decrypt the base64 encoded data?
Requires OSINT:
https://www.trendmicro.com/en_us/research/24/k/earth-estries.html
password@123
After decrypting the initial payload, a new PowerShell script assigns a value to the variable $cregvalue. What is that value?
First decrypt the payload in the script.
midihelp
The variable $cregdata is associated with binary registry data stored as a base64 blob. What is the SHA-256 hash of the binary data?
What is the name of the malicious service?
What is the full path of the malicious DLL?
C:\Windows\System32\msmp4dec.dll
What registry path is used to associate the service group (msgroup) with the malicious service, so that it can be launched by svchost.exe?
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
What is the line of code responsible for starting the malicious service after it has been installed?
Start-Service -name $svcname;
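Added defender-side example, not part of the original write-up: a PowerShell audit that enumerates the SvcHost service groups from the registry path above and checks the ServiceDll each member service points to, so an unexpected group such as msgroup whose DLL is unsigned or missing stands out. The list of expected group names is an assumption and should be adjusted to the host's baseline.

```powershell
# Audit svchost service groups and their ServiceDll entries (added example).
$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Assumed baseline of service groups expected on this host; anything else
# (for example the "msgroup" group used by Demodex) is flagged.
$knownGroups = @('netsvcs', 'LocalService', 'NetworkService', 'DcomLaunch', 'RPCSS',
                 'LocalSystemNetworkRestricted', 'LocalServiceNetworkRestricted',
                 'LocalServiceNoNetwork', 'LocalServiceAndNoImpersonation')

$svcHost = Get-Item -Path $svcHostKey
$results = foreach ($group in $svcHost.GetValueNames()) {
    # Group definitions are REG_MULTI_SZ lists of service names; skip other values.
    $members = $svcHost.GetValue($group)
    if ($members -isnot [string[]]) { continue }
    $groupKnown = $knownGroups -contains $group

    foreach ($svc in $members) {
        $params = Join-Path $servicesKey "$svc\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)

        $reasons = @()
        if (-not $groupKnown) { $reasons += "unknown service group '$group'" }
        if (-not (Test-Path -Path $dll)) {
            $reasons += 'ServiceDll missing on disk'
        } else {
            # Catalog-signed Windows DLLs report Valid; a dropped DLL normally does not.
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') { $reasons += "ServiceDll signature $($sig.Status)" }
        }

        [PSCustomObject]@{
            Group      = $group
            Service    = $svc
            ServiceDll = $dll
            Flags      = ($reasons -join '; ')
        }
    }
}

# Show only entries that raised at least one flag.
$results | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Run from an elevated prompt; drop the Where-Object filter to list every svchost-hosted service with its DLL for baselining.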
Which Windows API does the DLL import to obtain the local computer name?
The DLL loaded by svchost was hijacked.
Recover the DLL:
GetComputerNameA
In service DLLs, which function is typically responsible for being called by the Service Control Manager to initiate the service?
ServiceMain
Inside the previously named function, there are two calls to Sleep: one uses a variable argument and one uses a hard-coded delay. What is the value of the hard-coded delay (in milliseconds)?
0x2710 = 10000
Reposted from: 微痕鉴远 漫路修行, 《SalineBreeze-2》